From a972357c56be2afd5bb1d5993d23b3bf620ea82f Mon Sep 17 00:00:00 2001
From: pradeepthangamuthu <9770876+pradeepthangamuthu@users.noreply.github.com>
Date: Wed, 28 Dec 2022 09:17:08 +0530
Subject: [PATCH 01/14] [b/260020903] UDM Events primary key fix (#59)

Co-authored-by: Pradeep Thangamuthu
---
 views/refinements/events.view.lkml | 2 +-
 views/refinements/udm_events.view.lkml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/views/refinements/events.view.lkml b/views/refinements/events.view.lkml
index 147a89e..f48239d 100644
--- a/views/refinements/events.view.lkml
+++ b/views/refinements/events.view.lkml
@@ -5,7 +5,7 @@ view: +events {
 dimension: primary_key {
 primary_key: yes
 hidden: yes
- sql: CONCAT(IFNULL(${TABLE}.metadata.product_log_id, ""), IFNULL(${TABLE}.metadata.event_timestamp.seconds,0), IFNULL(${TABLE}.metadata.event_timestamp.nanos,0), IFNULL(${TABLE}.metadata.event_type,0), IFNULL(${TABLE}.metadata.vendor_name,""), IFNULL(${TABLE}.metadata.product_name,""));;
+ sql: CONCAT(IFNULL(to_hex(${TABLE}.metadata.id), ""), IFNULL(${TABLE}.metadata.product_log_id, ""), IFNULL(${TABLE}.metadata.event_timestamp.seconds,0), IFNULL(${TABLE}.metadata.event_timestamp.nanos,0), IFNULL(${TABLE}.metadata.event_type,0), IFNULL(${TABLE}.metadata.vendor_name,""), IFNULL(${TABLE}.metadata.product_name,""));;
 }
 dimension_group: event_timestamp {
diff --git a/views/refinements/udm_events.view.lkml b/views/refinements/udm_events.view.lkml
index 16cd51c..f02b60b 100644
--- a/views/refinements/udm_events.view.lkml
+++ b/views/refinements/udm_events.view.lkml
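Review bot: The `CONCAT(...)` on the new `sql:` line of `primary_key` joins its components with no separator, so two different events can still yield the same key when adjacent values run together (for example `seconds`/`nanos` pairs 1,23 and 12,3 both render as `123`); the identical line is added in the `views/refinements/udm_events.view.lkml` hunk. Looker relies on the declared primary key for distinct counts and symmetric aggregates, so a collision would silently drop events from the numbers a security dashboard reports. Rows whose `metadata.id` is NULL fall back to exactly the old composite and keep that ambiguity. Consider a delimiter that is unlikely to occur in the values, e.g. `CONCAT(IFNULL(to_hex(${TABLE}.metadata.id), ""), "|", IFNULL(${TABLE}.metadata.product_log_id, ""), "|", ...)`, plus a comment above the dimension stating which fields are expected to make an event unique. The enclosing view continues outside both hunks.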
@@ -5,7 +5,7 @@ view: +udm_events {
 dimension: primary_key {
 primary_key: yes
 hidden: yes
- sql: CONCAT(IFNULL(${TABLE}.metadata.product_log_id, ""), IFNULL(${TABLE}.metadata.event_timestamp.seconds,0), IFNULL(${TABLE}.metadata.event_timestamp.nanos,0), IFNULL(${TABLE}.metadata.event_type,0), IFNULL(${TABLE}.metadata.vendor_name,""), IFNULL(${TABLE}.metadata.product_name,""));;
+ sql: CONCAT(IFNULL(to_hex(${TABLE}.metadata.id), ""), IFNULL(${TABLE}.metadata.product_log_id, ""), IFNULL(${TABLE}.metadata.event_timestamp.seconds,0), IFNULL(${TABLE}.metadata.event_timestamp.nanos,0), IFNULL(${TABLE}.metadata.event_type,0), IFNULL(${TABLE}.metadata.vendor_name,""), IFNULL(${TABLE}.metadata.product_name,""));;
 }
 dimension_group: event_timestamp {

From 5f87485e537029b3eb7e4806cd8996c0b4c83bd1 Mon Sep 17 00:00:00 2001
From: Pradeep Thangamuthu <9770876+pradeepthangamuthu@users.noreply.github.com>
Date: Tue, 14 Mar 2023 09:33:49 +0530
Subject: [PATCH 02/14] [b/272003201] Filters aggregate risk for only risk_score (#89)

Co-authored-by: Pradeep Thangamuthu
---
 dashboards/context_aware_detections_risk.dashboard.lookml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/dashboards/context_aware_detections_risk.dashboard.lookml b/dashboards/context_aware_detections_risk.dashboard.lookml
index 8288b6a..f788002 100644
--- a/dashboards/context_aware_detections_risk.dashboard.lookml
+++ b/dashboards/context_aware_detections_risk.dashboard.lookml
@@ -9,7 +9,7 @@
 name: Aggregate Risk
 explore: rule_detections
 type: looker_area
- fields: [rule_detections.event_timestamp_date, sum_of_int64_val]
+ fields: [rule_detections.event_timestamp_date, sum_of_int64_val, rule_detections__detection__outcomes.name]
 fill_fields: [rule_detections.event_timestamp_date]
 sorts: [sum_of_int64_val]
 limit: 500
@@ -78,7 +78,9 @@
 conditional_formatting_include_totals: false
 conditional_formatting_include_nulls: false
 defaults_version: 1
- hidden_fields: []
+ hidden_fields: [rule_detections__detection__outcomes.name]
+ filters:
+ rule_detections__detection__outcomes.name: '"risk_score"'
 listen:
 Time: rule_detections.event_timestamp_time
 row: 2

From a40de32f5cac0b73d7d6f29dd313e2bb62a3d851 Mon Sep 17 00:00:00 2001
From: Pradeep Thangamuthu <9770876+pradeepthangamuthu@users.noreply.github.com>
Date: Mon, 3 Apr 2023 14:24:51 +0530
Subject: [PATCH 03/14] [b/272003201] Adds risk_score filter for context aware detection dashboard. (#102)

* [b/272003201] Filters aggregate risk for only risk_score
* [b/272003201] Adds risk_score filter for detection results tile
---------
Co-authored-by: Pradeep Thangamuthu
---
 dashboards/context_aware_detections_risk.dashboard.lookml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/dashboards/context_aware_detections_risk.dashboard.lookml b/dashboards/context_aware_detections_risk.dashboard.lookml
index f788002..ef1ed9c 100644
--- a/dashboards/context_aware_detections_risk.dashboard.lookml
+++ b/dashboards/context_aware_detections_risk.dashboard.lookml
@@ -9,7 +9,7 @@
 name: Aggregate Risk
 explore: rule_detections
 type: looker_area
- fields: [rule_detections.event_timestamp_date, sum_of_int64_val, rule_detections__detection__outcomes.name]
+ fields: [rule_detections.event_timestamp_date, sum_of_int64_val]
 fill_fields: [rule_detections.event_timestamp_date]
 sorts: [sum_of_int64_val]
 limit: 500
@@ -78,7 +78,6 @@
 conditional_formatting_include_totals: false
 conditional_formatting_include_nulls: false
 defaults_version: 1
- hidden_fields: [rule_detections__detection__outcomes.name]
 filters:
 rule_detections__detection__outcomes.name: '"risk_score"'
 listen:
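Review bot: The `filters:` entry added at `@@ -78,7 +78,9 @@` in PATCH 02 restricts what appears to be the Aggregate Risk tile to outcomes named exactly `risk_score`, and nothing in the element records that assumption; PATCH 03 adds the same entry to a second tile at `@@ -369,6 +368,8 @@`. A detection rule that reports its score under any other outcome name contributes nothing to these tiles, which an analyst would read as lower risk rather than as data that was filtered out. Suggest documenting it next to each filter, e.g. `# Sums only outcomes named risk_score; other outcome variables are excluded.`, or surfacing it to dashboard users through the element's `note_text`. Both elements start above their hunks, so their titles are not visible here.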
@@ -369,6 +368,8 @@
 series_types: {}
 listen:
 Time: rule_detections.event_timestamp_time
+ filters:
+ rule_detections__detection__outcomes.name: '"risk_score"'
 row: 8
 col: 0
 width: 24

From f99c42c107bae525cd0471c97093b9410a5383b3 Mon Sep 17 00:00:00 2001
From: Pradeep Thangamuthu
Date: Thu, 15 Jun 2023 12:57:37 +0530
Subject: [PATCH 04/14] Adds proto2lkml

---
 proto2lkml/.gitkeep | 0
 proto2lkml/entity_graph.lkml | 5563 ++++++++++
 proto2lkml/events.lkml | 19328 ++++++++++++++++++++++++++++++++
 proto2lkml/udm_events.lkml | 19329 +++++++++++++++++++++++++++++++++
 4 files changed, 44220 insertions(+)
 create mode 100644 proto2lkml/.gitkeep
 create mode 100644 proto2lkml/entity_graph.lkml
 create mode 100644 proto2lkml/events.lkml
 create mode 100644 proto2lkml/udm_events.lkml

diff --git a/proto2lkml/.gitkeep b/proto2lkml/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/proto2lkml/entity_graph.lkml b/proto2lkml/entity_graph.lkml
new file mode 100644
index 0000000..7f5f9ad
--- /dev/null
+++ b/proto2lkml/entity_graph.lkml
@@ -0,0 +1,5563 @@ +# Copyright Google Inc 2023 and onwards. +# This file was generated by proto2lkml. Do not modify it. +# Source: googlex/security/malachite/proto/external/entity.proto +### BEGIN googlex/security/malachite/dashboards/lookml/entity_graph/entity_graph_preamble.lkml +include: "/chronicle_features.lkml" + +### END googlex/security/malachite/dashboards/lookml/entity_graph/entity_graph_preamble.lkml +view: entity_graph { + ### BEGIN googlex/security/malachite/dashboards/lookml/entity_graph/entity_graph_view_preamble.lkml + sql_table_name: `@{ENTITY_GRAPH}`;; + + dimension: primary_key { + primary_key: yes + hidden: yes + sql: CONCAT(IFNULL(to_hex(${TABLE}.metadata.product_entity_id), ""), + IFNULL(${TABLE}.metadata.creation_timestamp.seconds,0), + IFNULL(${TABLE}.metadata.creation_timestamp.nanos,0), + IFNULL(${TABLE}.metadata.entity_type,0), + IFNULL(${TABLE}.metadata.vendor_name,""), + IFNULL(${TABLE}.metadata.product_name,""));; + } + + measure: count { + description: "Count of entities; COUNT(DISTINCT ...) is used." + type: count + view_label: "Entity" + } + + measure: count_all { + description: "Count of all entities; COUNT(DISTINCT ...) is not used." 
+ type: number + sql: count(*) ;; + label: "Count (all)" + view_label: "Entity" + } + + + filter: time_filter { + label: "metadata.collected_timestamp" + type: date_time + view_label: "Entity" + description: "Filter on collected_timestamp" + } + + ### END googlex/security/malachite/dashboards/lookml/entity_graph/entity_graph_view_preamble.lkml + dimension: additional { + hidden: yes + } # dimension additional + + dimension: additional__fields { + hidden: yes + } # dimension additional__fields + + dimension: entity { + hidden: yes + } # dimension entity + + dimension: entity__administrative_domain { + type: string + sql: ${TABLE}.entity.administrative_domain ;; + group_label: "entity" + label: "entity.administrative_domain" + view_label: "Entity" + description: "Domain which the device belongs to (for example, the Microsoft Windows domain)." + } # dimension entity__administrative_domain + + dimension: entity__application { + type: string + sql: ${TABLE}.entity.application ;; + group_label: "entity" + label: "entity.application" + view_label: "Entity" + description: "The name of an application or service. Some SSO solutions only capture the name of a target application such as \"Atlassian\" or \"Chronicle\"." + } # dimension entity__application + + dimension: entity__artifact { + hidden: yes + } # dimension entity__artifact + + dimension: entity__artifact__ip { + type: string + sql: ${TABLE}.entity.artifact.ip ;; + group_label: "entity" + label: "entity.artifact.ip" + view_label: "Entity" + description: "IP address of the artifact." 
+ } # dimension entity__artifact__ip + + dimension: entity__artifact__network { + hidden: yes + } # dimension entity__artifact__network + + dimension: entity__artifact__network__email { + hidden: yes + } # dimension entity__artifact__network__email + + dimension: entity__artifact__network__email__to { + hidden: yes + } # dimension entity__artifact__network__email__to + + dimension: entity__artifact__prevalence { + hidden: yes + } # dimension entity__artifact__prevalence + + dimension: entity__artifact__prevalence__day_count { + type: number + sql: ${TABLE}.entity.artifact.prevalence.day_count ;; + group_label: "entity" + label: "entity.artifact.prevalence.day_count" + view_label: "Entity" + description: "The number of days over which rolling_max is calculated." + } # dimension entity__artifact__prevalence__day_count + + dimension: entity__artifact__prevalence__day_max { + type: number + sql: ${TABLE}.entity.artifact.prevalence.day_max ;; + group_label: "entity" + label: "entity.artifact.prevalence.day_max" + view_label: "Entity" + description: "The max prevalence score in a day interval window." + } # dimension entity__artifact__prevalence__day_max + + dimension: entity__artifact__prevalence__rolling_max { + type: number + sql: ${TABLE}.entity.artifact.prevalence.rolling_max ;; + group_label: "entity" + label: "entity.artifact.prevalence.rolling_max" + view_label: "Entity" + description: "The maximum number of assets per day accessing the resource over the trailing day_count days." + } # dimension entity__artifact__prevalence__rolling_max + + dimension: entity__artifact__prevalence__rolling_max_sub_domains { + type: number + sql: ${TABLE}.entity.artifact.prevalence.rolling_max_sub_domains ;; + group_label: "entity" + label: "entity.artifact.prevalence.rolling_max_sub_domains" + view_label: "Entity" + description: "The maximum number of assets per day accessing the domain along with sub-domains over the trailing day_count days. This field is only valid for domains." 
+ } # dimension entity__artifact__prevalence__rolling_max_sub_domains + + dimension: entity__asset { + hidden: yes + } # dimension entity__asset + + dimension: entity__asset__asset_id { + type: string + sql: ${TABLE}.entity.asset.asset_id ;; + group_label: "entity" + label: "entity.asset.asset_id" + view_label: "Entity" + description: "The asset ID." + } # dimension entity__asset__asset_id + + dimension: entity__asset__attribute { + hidden: yes + } # dimension entity__asset__attribute + + dimension: entity__asset__attribute__cloud { + hidden: yes + } # dimension entity__asset__attribute__cloud + + dimension: entity__asset__attribute__cloud__availability_zone { + type: string + sql: ${TABLE}.entity.asset.attribute.cloud.availability_zone ;; + group_label: "entity" + label: "entity.asset.attribute.cloud.availability_zone" + view_label: "Entity" + description: "The cloud environment availability zone (different from region which is location.name)." + } # dimension entity__asset__attribute__cloud__availability_zone + + dimension: entity__asset__attribute__cloud__environment { + type: number + sql: ${TABLE}.entity.asset.attribute.cloud.environment ;; + group_label: "entity" + label: "entity.asset.attribute.cloud.environment" + view_label: "Entity" + description: "The Cloud environment." + } # dimension entity__asset__attribute__cloud__environment + + dimension: entity__asset__attribute__cloud__environment_enum_name { + type: string + suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] + sql: CASE ${TABLE}.entity.asset.attribute.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; + group_label: "entity" + label: "entity.asset.attribute.cloud.environment_enum_name" + view_label: "Entity" + description: "The Cloud environment." 
+ } # dimension entity__asset__attribute__cloud__environment_enum_name + + dimension: entity__asset__attribute__cloud__project { + hidden: yes + } # dimension entity__asset__attribute__cloud__project + + dimension: entity__asset__attribute__cloud__project__id { + type: string + sql: ${TABLE}.entity.asset.attribute.cloud.project.id ;; + group_label: "entity" + group_item_label: "entity.asset.attribute.cloud.project.id [D]" + label: "entity.asset.attribute.cloud.project.id" + view_label: "Entity" + description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" + } # dimension entity__asset__attribute__cloud__project__id + + dimension: entity__asset__attribute__cloud__project__name { + type: string + sql: ${TABLE}.entity.asset.attribute.cloud.project.name ;; + group_label: "entity" + group_item_label: "entity.asset.attribute.cloud.project.name [D]" + label: "entity.asset.attribute.cloud.project.name" + view_label: "Entity" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension entity__asset__attribute__cloud__project__name + + dimension: entity__asset__attribute__cloud__project__product_object_id { + type: string + sql: ${TABLE}.entity.asset.attribute.cloud.project.product_object_id ;; + group_label: "entity" + group_item_label: "entity.asset.attribute.cloud.project.product_object_id [D]" + label: "entity.asset.attribute.cloud.project.product_object_id" + view_label: "Entity" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" + } # dimension entity__asset__attribute__cloud__project__product_object_id + + dimension: entity__asset__attribute__cloud__project__resource_type { + type: number + sql: ${TABLE}.entity.asset.attribute.cloud.project.resource_type ;; + group_label: "entity" + group_item_label: "entity.asset.attribute.cloud.project.resource_type [D]" + label: "entity.asset.attribute.cloud.project.resource_type" + view_label: "Entity" + description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension entity__asset__attribute__cloud__project__resource_type + + dimension: entity__asset__attribute__cloud__project__resource_type_enum_name { + type: string + suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] + sql: CASE ${TABLE}.entity.asset.attribute.cloud.project.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; + group_label: "entity" + group_item_label: "entity.asset.attribute.cloud.project.resource_type_enum_name [D]" + label: "entity.asset.attribute.cloud.project.resource_type_enum_name" + view_label: "Entity" + description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension entity__asset__attribute__cloud__project__resource_type_enum_name + + dimension: entity__asset__attribute__cloud__vpc { + hidden: yes + } # dimension entity__asset__attribute__cloud__vpc + + dimension: entity__asset__attribute__cloud__vpc__name { + type: string + sql: ${TABLE}.entity.asset.attribute.cloud.vpc.name ;; + group_label: "entity" + group_item_label: "entity.asset.attribute.cloud.vpc.name [D]" + label: "entity.asset.attribute.cloud.vpc.name" + view_label: "Entity" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" + } # dimension entity__asset__attribute__cloud__vpc__name + + dimension: entity__asset__attribute__cloud__vpc__product_object_id { + type: string + sql: ${TABLE}.entity.asset.attribute.cloud.vpc.product_object_id ;; + group_label: "entity" + group_item_label: "entity.asset.attribute.cloud.vpc.product_object_id [D]" + label: "entity.asset.attribute.cloud.vpc.product_object_id" + view_label: "Entity" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" + } # dimension entity__asset__attribute__cloud__vpc__product_object_id + + dimension: entity__asset__attribute__cloud__vpc__resource_type { + type: number + sql: ${TABLE}.entity.asset.attribute.cloud.vpc.resource_type ;; + group_label: "entity" + group_item_label: "entity.asset.attribute.cloud.vpc.resource_type [D]" + label: "entity.asset.attribute.cloud.vpc.resource_type" + view_label: "Entity" + description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension entity__asset__attribute__cloud__vpc__resource_type + + dimension: entity__asset__attribute__cloud__vpc__resource_type_enum_name { + type: string + suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] + sql: CASE ${TABLE}.entity.asset.attribute.cloud.vpc.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; + group_label: "entity" + group_item_label: "entity.asset.attribute.cloud.vpc.resource_type_enum_name [D]" + label: "entity.asset.attribute.cloud.vpc.resource_type_enum_name" + view_label: "Entity" + description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension entity__asset__attribute__cloud__vpc__resource_type_enum_name + + dimension_group: entity__asset__attribute__creation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.entity.asset.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.entity.asset.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "entity" + label: "entity.asset.attribute.creation_time" + view_label: "Entity" + description: "Time the resource or entity was created or provisioned." + } # dimension entity__asset__attribute__creation_time + + dimension: entity__asset__attribute__labels { + hidden: yes + } # dimension entity__asset__attribute__labels + + dimension_group: entity__asset__attribute__last_update_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.entity.asset.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.entity.asset.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "entity" + label: "entity.asset.attribute.last_update_time" + view_label: "Entity" + description: "Time the resource or entity was last updated." + } # dimension entity__asset__attribute__last_update_time + + dimension: entity__asset__category { + type: string + sql: ${TABLE}.entity.asset.category ;; + group_label: "entity" + label: "entity.asset.category" + view_label: "Entity" + description: "The category of the asset (e.g. \"End User Asset\", \"Workstation\", \"Server\")." 
+ } # dimension entity__asset__category + + dimension_group: entity__asset__creation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.entity.asset.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.entity.asset.creation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "entity" + group_item_label: "entity.asset.creation_time [D]" + label: "entity.asset.creation_time" + view_label: "Entity" + description: "Time the asset was created or provisioned. Deprecate: creation_time should be populated in Attribute as generic metadata. [D]: This field is deprecated and will be removed in a future release" + } # dimension entity__asset__creation_time + + dimension: entity__asset__deployment_status { + type: number + sql: ${TABLE}.entity.asset.deployment_status ;; + group_label: "entity" + label: "entity.asset.deployment_status" + view_label: "Entity" + description: "The deployment status of the asset for device lifecycle purposes." + } # dimension entity__asset__deployment_status + + dimension: entity__asset__deployment_status_enum_name { + type: string + suggestions: ["ACTIVE", "DECOMISSIONED", "DEPLOYMENT_STATUS_UNSPECIFIED", "PENDING_DECOMISSION"] + sql: CASE ${TABLE}.entity.asset.deployment_status WHEN 0 THEN 'DEPLOYMENT_STATUS_UNSPECIFIED' WHEN 1 THEN 'ACTIVE' WHEN 2 THEN 'PENDING_DECOMISSION' WHEN 3 THEN 'DECOMISSIONED' END ;; + group_label: "entity" + label: "entity.asset.deployment_status_enum_name" + view_label: "Entity" + description: "The deployment status of the asset for device lifecycle purposes." 
+ } # dimension entity__asset__deployment_status_enum_name + + dimension_group: entity__asset__first_discover_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.entity.asset.first_discover_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.entity.asset.first_discover_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "entity" + label: "entity.asset.first_discover_time" + view_label: "Entity" + description: "Time the asset was first discovered (by asset management/discoverability software)." + } # dimension entity__asset__first_discover_time + + dimension: entity__asset__hardware { + hidden: yes + } # dimension entity__asset__hardware + + dimension: entity__asset__hostname { + type: string + sql: ${TABLE}.entity.asset.hostname ;; + group_label: "entity" + label: "entity.asset.hostname" + view_label: "Entity" + description: "Asset hostname or domain name field." + } # dimension entity__asset__hostname + + dimension: entity__asset__ip { + hidden: yes + } # dimension entity__asset__ip + + dimension: entity__asset__labels { + hidden: yes + } # dimension entity__asset__labels + + dimension_group: entity__asset__last_boot_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.entity.asset.last_boot_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.entity.asset.last_boot_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "entity" + label: "entity.asset.last_boot_time" + view_label: "Entity" + description: "Time the asset was last boot started." 
+ } # dimension entity__asset__last_boot_time + + dimension_group: entity__asset__last_discover_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.entity.asset.last_discover_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.entity.asset.last_discover_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "entity" + label: "entity.asset.last_discover_time" + view_label: "Entity" + description: "Time the asset was last discovered (by asset management/discoverability software)." + } # dimension entity__asset__last_discover_time + + dimension: entity__asset__location { + hidden: yes + } # dimension entity__asset__location + + dimension: entity__asset__location__city { + type: string + sql: ${TABLE}.entity.asset.location.city ;; + group_label: "entity" + label: "entity.asset.location.city" + view_label: "Entity" + description: "The city." + } # dimension entity__asset__location__city + + dimension: entity__asset__location__country_or_region { + type: string + sql: ${TABLE}.entity.asset.location.country_or_region ;; + group_label: "entity" + label: "entity.asset.location.country_or_region" + view_label: "Entity" + description: "The country or region." + } # dimension entity__asset__location__country_or_region + + dimension: entity__asset__location__floor_name { + type: string + sql: ${TABLE}.entity.asset.location.floor_name ;; + group_label: "entity" + label: "entity.asset.location.floor_name" + view_label: "Entity" + description: "Floor name, number or a combination of the two for a building. (e.g. \"1-A\")." + } # dimension entity__asset__location__floor_name + + dimension: entity__asset__location__name { + type: string + sql: ${TABLE}.entity.asset.location.name ;; + group_label: "entity" + label: "entity.asset.location.name" + view_label: "Entity" + description: "Custom location name (e.g. building or site name like \"London Office\"). 
For cloud environments, this is the region (e.g. \"us-west2\")." + } # dimension entity__asset__location__name + + dimension: entity__asset__location__region_latitude { + type: number + sql: ${TABLE}.entity.asset.location.region_latitude ;; + group_label: "entity" + group_item_label: "entity.asset.location.region_latitude [D]" + label: "entity.asset.location.region_latitude" + view_label: "Entity" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" + } # dimension entity__asset__location__region_latitude + + dimension: entity__asset__location__region_longitude { + type: number + sql: ${TABLE}.entity.asset.location.region_longitude ;; + group_label: "entity" + group_item_label: "entity.asset.location.region_longitude [D]" + label: "entity.asset.location.region_longitude" + view_label: "Entity" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" + } # dimension entity__asset__location__region_longitude + + dimension: entity__asset__location__location { + type: location + sql_latitude: ${TABLE}.entity.asset.location.region_latitude ;; + sql_longitude: ${TABLE}.entity.asset.location.region_longitude ;; + group_label: "entity" + group_item_label: "entity.asset.location.location [D][L]" + label: "entity.asset.location.location" + view_label: "Entity" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." + } # dimension entity__asset__location__location + + dimension: entity__asset__location__state { + type: string + sql: ${TABLE}.entity.asset.location.state ;; + group_label: "entity" + label: "entity.asset.location.state" + view_label: "Entity" + description: "The state." 
+ } # dimension entity__asset__location__state + + dimension: entity__asset__mac { + hidden: yes + } # dimension entity__asset__mac + + dimension: entity__asset__nat_ip { + hidden: yes + } # dimension entity__asset__nat_ip + + dimension: entity__asset__network_domain { + type: string + sql: ${TABLE}.entity.asset.network_domain ;; + group_label: "entity" + label: "entity.asset.network_domain" + view_label: "Entity" + description: "The network domain of the asset (e.g. \"corp.acme.com\")" + } # dimension entity__asset__network_domain + + dimension: entity__asset__platform_software { + hidden: yes + } # dimension entity__asset__platform_software + + dimension: entity__asset__platform_software__platform { + type: number + sql: ${TABLE}.entity.asset.platform_software.platform ;; + group_label: "entity" + label: "entity.asset.platform_software.platform" + view_label: "Entity" + description: "The platform operating system." + } # dimension entity__asset__platform_software__platform + + dimension: entity__asset__platform_software__platform_enum_name { + type: string + suggestions: ["ANDROID", "AWS", "AZURE", "CHROME_OS", "GCP", "IOS", "LINUX", "MAC", "UNKNOWN_PLATFORM", "WINDOWS"] + sql: CASE ${TABLE}.entity.asset.platform_software.platform WHEN 0 THEN 'UNKNOWN_PLATFORM' WHEN 1 THEN 'WINDOWS' WHEN 2 THEN 'MAC' WHEN 3 THEN 'LINUX' WHEN 4 THEN 'GCP' WHEN 5 THEN 'AWS' WHEN 6 THEN 'AZURE' WHEN 7 THEN 'IOS' WHEN 8 THEN 'ANDROID' WHEN 9 THEN 'CHROME_OS' END ;; + group_label: "entity" + label: "entity.asset.platform_software.platform_enum_name" + view_label: "Entity" + description: "The platform operating system." 
+ } # dimension entity__asset__platform_software__platform_enum_name + + dimension: entity__asset__platform_software__platform_patch_level { + type: string + sql: ${TABLE}.entity.asset.platform_software.platform_patch_level ;; + group_label: "entity" + label: "entity.asset.platform_software.platform_patch_level" + view_label: "Entity" + description: "The platform software patch level ( e.g. \"Build 17134.48\", \"SP1\")." + } # dimension entity__asset__platform_software__platform_patch_level + + dimension: entity__asset__platform_software__platform_version { + type: string + sql: ${TABLE}.entity.asset.platform_software.platform_version ;; + group_label: "entity" + label: "entity.asset.platform_software.platform_version" + view_label: "Entity" + description: "The platform software version ( e.g. \"Microsoft Windows 1803\")." + } # dimension entity__asset__platform_software__platform_version + + dimension: entity__asset__product_object_id { + type: string + sql: ${TABLE}.entity.asset.product_object_id ;; + group_label: "entity" + label: "entity.asset.product_object_id" + view_label: "Entity" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID or similar)." + } # dimension entity__asset__product_object_id + + dimension: entity__asset__software { + hidden: yes + } # dimension entity__asset__software + + dimension_group: entity__asset__system_last_update_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.entity.asset.system_last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.entity.asset.system_last_update_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "entity" + label: "entity.asset.system_last_update_time" + view_label: "Entity" + description: "Time the asset system or OS was last updated. For all other operations that are not system updates (such as resizing a vm, etc.) use Attribute.last_update_time." 
+ } # dimension entity__asset__system_last_update_time + + dimension: entity__asset__type { + type: number + sql: ${TABLE}.entity.asset.type ;; + group_label: "entity" + label: "entity.asset.type" + view_label: "Entity" + description: "The type of the asset (e.g. workstation or laptop or server)." + } # dimension entity__asset__type + + dimension: entity__asset__type_enum_name { + type: string + suggestions: ["IOT", "LAPTOP", "MOBILE", "NETWORK_ATTACHED_STORAGE", "PRINTER", "ROLE_UNSPECIFIED", "SCANNER", "SERVER", "TAPE_LIBRARY", "WORKSTATION"] + sql: CASE ${TABLE}.entity.asset.type WHEN 0 THEN 'ROLE_UNSPECIFIED' WHEN 1 THEN 'WORKSTATION' WHEN 2 THEN 'LAPTOP' WHEN 3 THEN 'IOT' WHEN 4 THEN 'NETWORK_ATTACHED_STORAGE' WHEN 5 THEN 'PRINTER' WHEN 6 THEN 'SCANNER' WHEN 7 THEN 'SERVER' WHEN 8 THEN 'TAPE_LIBRARY' WHEN 9 THEN 'MOBILE' END ;; + group_label: "entity" + label: "entity.asset.type_enum_name" + view_label: "Entity" + description: "The type of the asset (e.g. workstation or laptop or server)." + } # dimension entity__asset__type_enum_name + + dimension: entity__asset__vulnerabilities { + hidden: yes + } # dimension entity__asset__vulnerabilities + + dimension: entity__asset_id { + type: string + sql: ${TABLE}.entity.asset_id ;; + group_label: "entity" + label: "entity.asset_id" + view_label: "Entity" + description: "The asset ID." 
+ } # dimension entity__asset_id + + dimension: entity__cloud { + hidden: yes + } # dimension entity__cloud + + dimension: entity__cloud__project { + hidden: yes + } # dimension entity__cloud__project + + dimension: entity__cloud__project__product_object_id { + type: string + sql: ${TABLE}.entity.cloud.project.product_object_id ;; + group_label: "entity" + group_item_label: "entity.cloud.project.product_object_id [D]" + label: "entity.cloud.project.product_object_id" + view_label: "Entity" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" + } # dimension entity__cloud__project__product_object_id + + dimension: entity__cloud__vpc { + hidden: yes + } # dimension entity__cloud__vpc + + dimension: entity__cloud__vpc__product_object_id { + type: string + sql: ${TABLE}.entity.cloud.vpc.product_object_id ;; + group_label: "entity" + group_item_label: "entity.cloud.vpc.product_object_id [D]" + label: "entity.cloud.vpc.product_object_id" + view_label: "Entity" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" + } # dimension entity__cloud__vpc__product_object_id + + dimension: entity__domain { + hidden: yes + } # dimension entity__domain + + dimension: entity__domain__admin { + hidden: yes + } # dimension entity__domain__admin + + dimension: entity__domain__admin__attribute { + hidden: yes + } # dimension entity__domain__admin__attribute + + dimension: entity__domain__admin__attribute__labels { + hidden: yes + } # dimension entity__domain__admin__attribute__labels + + dimension: entity__domain__admin__office_address { + hidden: yes + } # dimension entity__domain__admin__office_address + + dimension: entity__domain__admin__office_address__country_or_region { + type: string + sql: 
${TABLE}.entity.domain.admin.office_address.country_or_region ;; + group_label: "entity" + label: "entity.domain.admin.office_address.country_or_region" + view_label: "Entity" + description: "The country or region." + } # dimension entity__domain__admin__office_address__country_or_region + + dimension_group: entity__domain__audit_update_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.entity.domain.audit_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.entity.domain.audit_update_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "entity" + label: "entity.domain.audit_update_time" + view_label: "Entity" + description: "Audit updated time." + } # dimension entity__domain__audit_update_time + + dimension: entity__domain__billing { + hidden: yes + } # dimension entity__domain__billing + + dimension: entity__domain__billing__attribute { + hidden: yes + } # dimension entity__domain__billing__attribute + + dimension: entity__domain__billing__attribute__labels { + hidden: yes + } # dimension entity__domain__billing__attribute__labels + + dimension: entity__domain__billing__office_address { + hidden: yes + } # dimension entity__domain__billing__office_address + + dimension: entity__domain__billing__office_address__country_or_region { + type: string + sql: ${TABLE}.entity.domain.billing.office_address.country_or_region ;; + group_label: "entity" + label: "entity.domain.billing.office_address.country_or_region" + view_label: "Entity" + description: "The country or region." + } # dimension entity__domain__billing__office_address__country_or_region + + dimension: entity__domain__contact_email { + type: string + sql: ${TABLE}.entity.domain.contact_email ;; + group_label: "entity" + label: "entity.domain.contact_email" + view_label: "Entity" + description: "Contact email address." 
+ } # dimension entity__domain__contact_email + + dimension_group: entity__domain__creation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.entity.domain.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.entity.domain.creation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "entity" + label: "entity.domain.creation_time" + view_label: "Entity" + description: "Domain creation time." + } # dimension entity__domain__creation_time + + dimension_group: entity__domain__expiration_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.entity.domain.expiration_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.entity.domain.expiration_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "entity" + label: "entity.domain.expiration_time" + view_label: "Entity" + description: "Expiration time." + } # dimension entity__domain__expiration_time + + dimension_group: entity__domain__first_seen_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.entity.domain.first_seen_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.entity.domain.first_seen_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "entity" + label: "entity.domain.first_seen_time" + view_label: "Entity" + description: "First seen timestamp of the domain in the customer's environment." + } # dimension entity__domain__first_seen_time + + dimension: entity__domain__name { + type: string + sql: ${TABLE}.entity.domain.name ;; + group_label: "entity" + label: "entity.domain.name" + view_label: "Entity" + description: "The domain name." 
+ } # dimension entity__domain__name + + dimension: entity__domain__name_server { + hidden: yes + } # dimension entity__domain__name_server + + dimension: entity__domain__prevalence { + hidden: yes + } # dimension entity__domain__prevalence + + dimension: entity__domain__prevalence__day_count { + type: number + sql: ${TABLE}.entity.domain.prevalence.day_count ;; + group_label: "entity" + label: "entity.domain.prevalence.day_count" + view_label: "Entity" + description: "The number of days over which rolling_max is calculated." + } # dimension entity__domain__prevalence__day_count + + dimension: entity__domain__prevalence__day_max { + type: number + sql: ${TABLE}.entity.domain.prevalence.day_max ;; + group_label: "entity" + label: "entity.domain.prevalence.day_max" + view_label: "Entity" + description: "The max prevalence score in a day interval window." + } # dimension entity__domain__prevalence__day_max + + dimension: entity__domain__prevalence__day_max_sub_domains { + type: number + sql: ${TABLE}.entity.domain.prevalence.day_max_sub_domains ;; + group_label: "entity" + label: "entity.domain.prevalence.day_max_sub_domains" + view_label: "Entity" + description: "The max prevalence score in a day interval window across sub-domains. This field is only valid for domains." + } # dimension entity__domain__prevalence__day_max_sub_domains + + dimension: entity__domain__prevalence__rolling_max { + type: number + sql: ${TABLE}.entity.domain.prevalence.rolling_max ;; + group_label: "entity" + label: "entity.domain.prevalence.rolling_max" + view_label: "Entity" + description: "The maximum number of assets per day accessing the resource over the trailing day_count days." 
+ } # dimension entity__domain__prevalence__rolling_max + + dimension: entity__domain__prevalence__rolling_max_sub_domains { + type: number + sql: ${TABLE}.entity.domain.prevalence.rolling_max_sub_domains ;; + group_label: "entity" + label: "entity.domain.prevalence.rolling_max_sub_domains" + view_label: "Entity" + description: "The maximum number of assets per day accessing the domain along with sub-domains over the trailing day_count days. This field is only valid for domains." + } # dimension entity__domain__prevalence__rolling_max_sub_domains + + dimension: entity__domain__registrant { + hidden: yes + } # dimension entity__domain__registrant + + dimension: entity__domain__registrant__attribute { + hidden: yes + } # dimension entity__domain__registrant__attribute + + dimension: entity__domain__registrant__attribute__labels { + hidden: yes + } # dimension entity__domain__registrant__attribute__labels + + dimension: entity__domain__registrant__company_name { + type: string + sql: ${TABLE}.entity.domain.registrant.company_name ;; + group_label: "entity" + label: "entity.domain.registrant.company_name" + view_label: "Entity" + description: "User job company name." + } # dimension entity__domain__registrant__company_name + + dimension: entity__domain__registrant__email_addresses { + hidden: yes + } # dimension entity__domain__registrant__email_addresses + + dimension: entity__domain__registrant__office_address { + hidden: yes + } # dimension entity__domain__registrant__office_address + + dimension: entity__domain__registrant__office_address__country_or_region { + type: string + sql: ${TABLE}.entity.domain.registrant.office_address.country_or_region ;; + group_label: "entity" + label: "entity.domain.registrant.office_address.country_or_region" + view_label: "Entity" + description: "The country or region." 
+ } # dimension entity__domain__registrant__office_address__country_or_region + + dimension: entity__domain__registrant__office_address__state { + type: string + sql: ${TABLE}.entity.domain.registrant.office_address.state ;; + group_label: "entity" + label: "entity.domain.registrant.office_address.state" + view_label: "Entity" + description: "The state." + } # dimension entity__domain__registrant__office_address__state + + dimension: entity__domain__registrant__user_display_name { + type: string + sql: ${TABLE}.entity.domain.registrant.user_display_name ;; + group_label: "entity" + label: "entity.domain.registrant.user_display_name" + view_label: "Entity" + description: "The display name of the user (e.g. \"John Locke\")." + } # dimension entity__domain__registrant__user_display_name + + dimension: entity__domain__registrar { + type: string + sql: ${TABLE}.entity.domain.registrar ;; + group_label: "entity" + label: "entity.domain.registrar" + view_label: "Entity" + description: "Registrar name - e.g. \"Wild West Domains, Inc. (R120-LROR)\", \"GoDaddy.com, LLC\", \"PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM\", etc." + } # dimension entity__domain__registrar + + dimension: entity__domain__registry_data_raw_text { + type: string + sql: ${TABLE}.entity.domain.registry_data_raw_text ;; + group_label: "entity" + label: "entity.domain.registry_data_raw_text" + view_label: "Entity" + description: "Registry Data raw text" + } # dimension entity__domain__registry_data_raw_text + + dimension: entity__domain__status { + type: string + sql: ${TABLE}.entity.domain.status ;; + group_label: "entity" + label: "entity.domain.status" + view_label: "Entity" + description: "Domain status. 
See https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en for meanings of possible values" + } # dimension entity__domain__status + + dimension: entity__domain__tech { + hidden: yes + } # dimension entity__domain__tech + + dimension: entity__domain__tech__attribute { + hidden: yes + } # dimension entity__domain__tech__attribute + + dimension: entity__domain__tech__attribute__labels { + hidden: yes + } # dimension entity__domain__tech__attribute__labels + + dimension: entity__domain__tech__office_address { + hidden: yes + } # dimension entity__domain__tech__office_address + + dimension: entity__domain__tech__office_address__country_or_region { + type: string + sql: ${TABLE}.entity.domain.tech.office_address.country_or_region ;; + group_label: "entity" + label: "entity.domain.tech.office_address.country_or_region" + view_label: "Entity" + description: "The country or region." + } # dimension entity__domain__tech__office_address__country_or_region + + dimension_group: entity__domain__update_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.entity.domain.update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.entity.domain.update_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "entity" + label: "entity.domain.update_time" + view_label: "Entity" + description: "Last updated time." + } # dimension entity__domain__update_time + + dimension: entity__domain__whois_record_raw_text { + type: string + sql: ${TABLE}.entity.domain.whois_record_raw_text ;; + group_label: "entity" + label: "entity.domain.whois_record_raw_text" + view_label: "Entity" + description: "unix epoch of the time when the domaintools first catches the record, or the time when domaintools catch the record changes. domaintools_time_ms is also used as the bigtable timestamp." 
+ } # dimension entity__domain__whois_record_raw_text + + dimension: entity__domain__whois_server { + type: string + sql: ${TABLE}.entity.domain.whois_server ;; + group_label: "entity" + label: "entity.domain.whois_server" + view_label: "Entity" + description: "Whois server name." + } # dimension entity__domain__whois_server + + dimension: entity__email { + type: string + sql: ${TABLE}.entity.email ;; + group_label: "entity" + label: "entity.email" + view_label: "Entity" + description: "Email address. Only filled in for security_result.about" + } # dimension entity__email + + dimension: entity__file { + hidden: yes + } # dimension entity__file + + dimension: entity__file__full_path { + type: string + sql: ${TABLE}.entity.file.full_path ;; + group_label: "entity" + label: "entity.file.full_path" + view_label: "Entity" + description: "The full path identifying the location of the file on the system." + } # dimension entity__file__full_path + + dimension: entity__file__md5 { + type: string + sql: ${TABLE}.entity.file.md5 ;; + group_label: "entity" + label: "entity.file.md5" + view_label: "Entity" + description: "The MD5 hash of the file." + } # dimension entity__file__md5 + + dimension: entity__file__mime_type { + type: string + sql: ${TABLE}.entity.file.mime_type ;; + group_label: "entity" + label: "entity.file.mime_type" + view_label: "Entity" + description: "The MIME (Multipurpose Internet Mail Extensions) type of the file, for example \"PE\", \"PDF\", \"powershell script\", etc." 
+ } # dimension entity__file__mime_type + + dimension: entity__file__names { + hidden: yes + } # dimension entity__file__names + + dimension: entity__file__pe_file { + hidden: yes + } # dimension entity__file__pe_file + + dimension: entity__file__pe_file__resource { + hidden: yes + } # dimension entity__file__pe_file__resource + + dimension: entity__file__prevalence { + hidden: yes + } # dimension entity__file__prevalence + + dimension: entity__file__prevalence__day_count { + type: number + sql: ${TABLE}.entity.file.prevalence.day_count ;; + group_label: "entity" + label: "entity.file.prevalence.day_count" + view_label: "Entity" + description: "The number of days over which rolling_max is calculated." + } # dimension entity__file__prevalence__day_count + + dimension: entity__file__prevalence__day_max { + type: number + sql: ${TABLE}.entity.file.prevalence.day_max ;; + group_label: "entity" + label: "entity.file.prevalence.day_max" + view_label: "Entity" + description: "The max prevalence score in a day interval window." + } # dimension entity__file__prevalence__day_max + + dimension: entity__file__prevalence__rolling_max { + type: number + sql: ${TABLE}.entity.file.prevalence.rolling_max ;; + group_label: "entity" + label: "entity.file.prevalence.rolling_max" + view_label: "Entity" + description: "The maximum number of assets per day accessing the resource over the trailing day_count days." + } # dimension entity__file__prevalence__rolling_max + + dimension: entity__file__sha1 { + type: string + sql: ${TABLE}.entity.file.sha1 ;; + group_label: "entity" + label: "entity.file.sha1" + view_label: "Entity" + description: "The SHA1 hash of the file." + } # dimension entity__file__sha1 + + dimension: entity__file__sha256 { + type: string + sql: ${TABLE}.entity.file.sha256 ;; + group_label: "entity" + label: "entity.file.sha256" + view_label: "Entity" + description: "The SHA256 hash of the file." 
+ } # dimension entity__file__sha256 + + dimension: entity__group { + hidden: yes + } # dimension entity__group + + dimension: entity__group__attribute { + hidden: yes + } # dimension entity__group__attribute + + dimension: entity__group__attribute__cloud { + hidden: yes + } # dimension entity__group__attribute__cloud + + dimension: entity__group__attribute__cloud__project { + hidden: yes + } # dimension entity__group__attribute__cloud__project + + dimension: entity__group__attribute__cloud__project__product_object_id { + type: string + sql: ${TABLE}.entity.group.attribute.cloud.project.product_object_id ;; + group_label: "entity" + group_item_label: "entity.group.attribute.cloud.project.product_object_id [D]" + label: "entity.group.attribute.cloud.project.product_object_id" + view_label: "Entity" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" + } # dimension entity__group__attribute__cloud__project__product_object_id + + dimension: entity__group__attribute__cloud__vpc { + hidden: yes + } # dimension entity__group__attribute__cloud__vpc + + dimension: entity__group__attribute__cloud__vpc__product_object_id { + type: string + sql: ${TABLE}.entity.group.attribute.cloud.vpc.product_object_id ;; + group_label: "entity" + group_item_label: "entity.group.attribute.cloud.vpc.product_object_id [D]" + label: "entity.group.attribute.cloud.vpc.product_object_id" + view_label: "Entity" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" + } # dimension entity__group__attribute__cloud__vpc__product_object_id + + dimension: entity__group__attribute__labels { + hidden: yes + } # dimension entity__group__attribute__labels + + dimension: entity__group__email_addresses { + hidden: yes + } # dimension entity__group__email_addresses + + 
dimension: entity__group__group_display_name { + type: string + sql: ${TABLE}.entity.group.group_display_name ;; + group_label: "entity" + label: "entity.group.group_display_name" + view_label: "Entity" + description: "Group display name. e.g. \"Finance\"." + } # dimension entity__group__group_display_name + + dimension: entity__group__product_object_id { + type: string + sql: ${TABLE}.entity.group.product_object_id ;; + group_label: "entity" + label: "entity.group.product_object_id" + view_label: "Entity" + description: "Product globally unique user object identifier, such as an LDAP Object Identifier." + } # dimension entity__group__product_object_id + + dimension: entity__hostname { + type: string + sql: ${TABLE}.entity.hostname ;; + group_label: "entity" + label: "entity.hostname" + view_label: "Entity" + description: "Client hostname or domain name field. Hostname also doubles as the domain for remote entities." + } # dimension entity__hostname + + dimension: entity__ip { + hidden: yes + } # dimension entity__ip + + dimension: entity__ip_geo_artifact { + hidden: yes + } # dimension entity__ip_geo_artifact + + dimension: entity__labels { + hidden: yes + } # dimension entity__labels + + dimension: entity__location { + hidden: yes + } # dimension entity__location + + dimension: entity__location__city { + type: string + sql: ${TABLE}.entity.location.city ;; + group_label: "entity" + label: "entity.location.city" + view_label: "Entity" + description: "The city." + } # dimension entity__location__city + + dimension: entity__location__country_or_region { + type: string + sql: ${TABLE}.entity.location.country_or_region ;; + group_label: "entity" + label: "entity.location.country_or_region" + view_label: "Entity" + description: "The country or region." 
+ } # dimension entity__location__country_or_region + + dimension: entity__location__desk_name { + type: string + sql: ${TABLE}.entity.location.desk_name ;; + group_label: "entity" + label: "entity.location.desk_name" + view_label: "Entity" + description: "Desk name or individual location, typically for an employee in an office. (e.g. \"IN-BLR-BCPC-11-1121D\")." + } # dimension entity__location__desk_name + + dimension: entity__location__name { + type: string + sql: ${TABLE}.entity.location.name ;; + group_label: "entity" + label: "entity.location.name" + view_label: "Entity" + description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." + } # dimension entity__location__name + + dimension: entity__location__region_latitude { + type: number + sql: ${TABLE}.entity.location.region_latitude ;; + group_label: "entity" + group_item_label: "entity.location.region_latitude [D]" + label: "entity.location.region_latitude" + view_label: "Entity" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" + } # dimension entity__location__region_latitude + + dimension: entity__location__region_longitude { + type: number + sql: ${TABLE}.entity.location.region_longitude ;; + group_label: "entity" + group_item_label: "entity.location.region_longitude [D]" + label: "entity.location.region_longitude" + view_label: "Entity" + description: "Deprecated: use region_coordinates. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension entity__location__region_longitude + + dimension: entity__location__location { + type: location + sql_latitude: ${TABLE}.entity.location.region_latitude ;; + sql_longitude: ${TABLE}.entity.location.region_longitude ;; + group_label: "entity" + group_item_label: "entity.location.location [D][L]" + label: "entity.location.location" + view_label: "Entity" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." + } # dimension entity__location__location + + dimension: entity__location__state { + type: string + sql: ${TABLE}.entity.location.state ;; + group_label: "entity" + label: "entity.location.state" + view_label: "Entity" + description: "The state." + } # dimension entity__location__state + + dimension: entity__mac { + hidden: yes + } # dimension entity__mac + + dimension: entity__namespace { + type: string + sql: ${TABLE}.entity.namespace ;; + group_label: "entity" + label: "entity.namespace" + view_label: "Entity" + description: "Namespace which the device belongs to (e.g. AD forest) Uses for this field include Microsoft Windows AD forest, name of subsidiary or acquisition, etc." + } # dimension entity__namespace + + dimension: entity__object_reference { + hidden: yes + } # dimension entity__object_reference + + dimension: entity__object_reference__id { + type: string + sql: ${TABLE}.entity.object_reference.id ;; + group_label: "entity" + label: "entity.object_reference.id" + view_label: "Entity" + description: "Full raw ID." + } # dimension entity__object_reference__id + + dimension: entity__object_reference__namespace { + type: number + sql: ${TABLE}.entity.object_reference.namespace ;; + group_label: "entity" + label: "entity.object_reference.namespace" + view_label: "Entity" + description: "Namespace the id belongs to." 
+ } # dimension entity__object_reference__namespace + + dimension: entity__object_reference__namespace_enum_name { + type: string + suggestions: ["MACHINE_INTELLIGENCE", "NORMALIZED_TELEMETRY", "RAW_TELEMETRY", "RULE_DETECTIONS", "SECURITY_COMMAND_CENTER", "SOAR_ALERT", "UNSPECIFIED", "UPPERCASE"] + sql: CASE ${TABLE}.entity.object_reference.namespace WHEN 0 THEN 'NORMALIZED_TELEMETRY' WHEN 1 THEN 'RAW_TELEMETRY' WHEN 2 THEN 'RULE_DETECTIONS' WHEN 3 THEN 'UPPERCASE' WHEN 4 THEN 'MACHINE_INTELLIGENCE' WHEN 5 THEN 'SECURITY_COMMAND_CENTER' WHEN 6 THEN 'UNSPECIFIED' WHEN 7 THEN 'SOAR_ALERT' END ;; + group_label: "entity" + label: "entity.object_reference.namespace_enum_name" + view_label: "Entity" + description: "Namespace the id belongs to." + } # dimension entity__object_reference__namespace_enum_name + + dimension: entity__platform { + type: number + sql: ${TABLE}.entity.platform ;; + group_label: "entity" + label: "entity.platform" + view_label: "Entity" + description: "Platform." + } # dimension entity__platform + + dimension: entity__platform_enum_name { + type: string + suggestions: ["ANDROID", "AWS", "AZURE", "CHROME_OS", "GCP", "IOS", "LINUX", "MAC", "UNKNOWN_PLATFORM", "WINDOWS"] + sql: CASE ${TABLE}.entity.platform WHEN 0 THEN 'UNKNOWN_PLATFORM' WHEN 1 THEN 'WINDOWS' WHEN 2 THEN 'MAC' WHEN 3 THEN 'LINUX' WHEN 4 THEN 'GCP' WHEN 5 THEN 'AWS' WHEN 6 THEN 'AZURE' WHEN 7 THEN 'IOS' WHEN 8 THEN 'ANDROID' WHEN 9 THEN 'CHROME_OS' END ;; + group_label: "entity" + label: "entity.platform_enum_name" + view_label: "Entity" + description: "Platform." + } # dimension entity__platform_enum_name + + dimension: entity__platform_patch_level { + type: string + sql: ${TABLE}.entity.platform_patch_level ;; + group_label: "entity" + label: "entity.platform_patch_level" + view_label: "Entity" + description: "Platform patch level. 
For example, \"Build 17134.48\"" + } # dimension entity__platform_patch_level + + dimension: entity__platform_version { + type: string + sql: ${TABLE}.entity.platform_version ;; + group_label: "entity" + label: "entity.platform_version" + view_label: "Entity" + description: "Platform version. For example, \"Microsoft Windows 1803\"." + } # dimension entity__platform_version + + dimension: entity__port { + type: number + value_format: "#" + sql: ${TABLE}.entity.port ;; + group_label: "entity" + label: "entity.port" + view_label: "Entity" + description: "Source or destination network port number when a specific network connection is described within an event." + } # dimension entity__port + + dimension: entity__process { + hidden: yes + } # dimension entity__process + + dimension: entity__process__command_line { + type: string + sql: ${TABLE}.entity.process.command_line ;; + group_label: "entity" + label: "entity.process.command_line" + view_label: "Entity" + description: "The command line command that created the process." + } # dimension entity__process__command_line + + dimension: entity__registry { + hidden: yes + } # dimension entity__registry + + dimension: entity__registry__registry_key { + type: string + sql: ${TABLE}.entity.registry.registry_key ;; + group_label: "entity" + label: "entity.registry.registry_key" + view_label: "Entity" + description: "Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...)." 
+ } # dimension entity__registry__registry_key + + dimension: entity__resource { + hidden: yes + } # dimension entity__resource + + dimension: entity__resource__attribute { + hidden: yes + } # dimension entity__resource__attribute + + dimension: entity__resource__attribute__cloud { + hidden: yes + } # dimension entity__resource__attribute__cloud + + dimension: entity__resource__attribute__cloud__environment { + type: number + sql: ${TABLE}.entity.resource.attribute.cloud.environment ;; + group_label: "entity" + label: "entity.resource.attribute.cloud.environment" + view_label: "Entity" + description: "The Cloud environment." + } # dimension entity__resource__attribute__cloud__environment + + dimension: entity__resource__attribute__cloud__environment_enum_name { + type: string + suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] + sql: CASE ${TABLE}.entity.resource.attribute.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; + group_label: "entity" + label: "entity.resource.attribute.cloud.environment_enum_name" + view_label: "Entity" + description: "The Cloud environment." + } # dimension entity__resource__attribute__cloud__environment_enum_name + + dimension: entity__resource__attribute__cloud__project { + hidden: yes + } # dimension entity__resource__attribute__cloud__project + + dimension: entity__resource__attribute__cloud__project__id { + type: string + sql: ${TABLE}.entity.resource.attribute.cloud.project.id ;; + group_label: "entity" + group_item_label: "entity.resource.attribute.cloud.project.id [D]" + label: "entity.resource.attribute.cloud.project.id" + view_label: "Entity" + description: "Deprecated: Use resource.name or resource.product_object_id. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension entity__resource__attribute__cloud__project__id + + dimension: entity__resource__attribute__cloud__project__name { + type: string + sql: ${TABLE}.entity.resource.attribute.cloud.project.name ;; + group_label: "entity" + group_item_label: "entity.resource.attribute.cloud.project.name [D]" + label: "entity.resource.attribute.cloud.project.name" + view_label: "Entity" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" + } # dimension entity__resource__attribute__cloud__project__name + + dimension: entity__resource__attribute__cloud__project__resource_type { + type: number + sql: ${TABLE}.entity.resource.attribute.cloud.project.resource_type ;; + group_label: "entity" + group_item_label: "entity.resource.attribute.cloud.project.resource_type [D]" + label: "entity.resource.attribute.cloud.project.resource_type" + view_label: "Entity" + description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension entity__resource__attribute__cloud__project__resource_type + + dimension: entity__resource__attribute__cloud__project__resource_type_enum_name { + type: string + suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] + sql: CASE ${TABLE}.entity.resource.attribute.cloud.project.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; + group_label: "entity" + group_item_label: "entity.resource.attribute.cloud.project.resource_type_enum_name [D]" + label: "entity.resource.attribute.cloud.project.resource_type_enum_name" + view_label: "Entity" + description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension entity__resource__attribute__cloud__project__resource_type_enum_name + + dimension_group: entity__resource__attribute__creation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.entity.resource.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.entity.resource.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "entity" + label: "entity.resource.attribute.creation_time" + view_label: "Entity" + description: "Time the resource or entity was created or provisioned." + } # dimension entity__resource__attribute__creation_time + + dimension: entity__resource__attribute__labels { + hidden: yes + } # dimension entity__resource__attribute__labels + + dimension_group: entity__resource__attribute__last_update_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.entity.resource.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.entity.resource.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "entity" + label: "entity.resource.attribute.last_update_time" + view_label: "Entity" + description: "Time the resource or entity was last updated." + } # dimension entity__resource__attribute__last_update_time + + dimension: entity__resource__name { + type: string + sql: ${TABLE}.entity.resource.name ;; + group_label: "entity" + label: "entity.resource.name" + view_label: "Entity" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." 
+ } # dimension entity__resource__name + + dimension: entity__resource__parent { + type: string + sql: ${TABLE}.entity.resource.parent ;; + group_label: "entity" + group_item_label: "entity.resource.parent [D]" + label: "entity.resource.parent" + view_label: "Entity" + description: "The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: use resource_ancestors.name. [D]: This field is deprecated and will be removed in a future release" + } # dimension entity__resource__parent + + dimension: entity__resource__product_object_id { + type: string + sql: ${TABLE}.entity.resource.product_object_id ;; + group_label: "entity" + label: "entity.resource.product_object_id" + view_label: "Entity" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" + } # dimension entity__resource__product_object_id + + dimension: entity__resource__resource_subtype { + type: string + sql: ${TABLE}.entity.resource.resource_subtype ;; + group_label: "entity" + label: "entity.resource.resource_subtype" + view_label: "Entity" + description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\")." + } # dimension entity__resource__resource_subtype + + dimension: entity__resource__resource_type { + type: number + sql: ${TABLE}.entity.resource.resource_type ;; + group_label: "entity" + label: "entity.resource.resource_type" + view_label: "Entity" + description: "Resource type." 
+ } # dimension entity__resource__resource_type + + dimension: entity__resource__resource_type_enum_name { + type: string + suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] + sql: CASE ${TABLE}.entity.resource.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; + group_label: "entity" + label: "entity.resource.resource_type_enum_name" + view_label: "Entity" + description: "Resource type." + } # dimension entity__resource__resource_type_enum_name + + dimension: entity__resource__type { + type: string + sql: ${TABLE}.entity.resource.type ;; + group_label: "entity" + group_item_label: "entity.resource.type [D]" + label: "entity.resource.type" + view_label: "Entity" + description: "Deprecated: use resource_type instead. [D]: This field is deprecated and will be removed in a future release" + } # dimension entity__resource__type + + dimension: entity__url { + type: string + sql: ${TABLE}.entity.url ;; + group_label: "entity" + label: "entity.url" + view_label: "Entity" + description: "The URL." 
+ } # dimension entity__url + + dimension: entity__user { + hidden: yes + } # dimension entity__user + + dimension: entity__user__attribute { + hidden: yes + } # dimension entity__user__attribute + + dimension: entity__user__attribute__cloud { + hidden: yes + } # dimension entity__user__attribute__cloud + + dimension: entity__user__attribute__cloud__environment { + type: number + sql: ${TABLE}.entity.user.attribute.cloud.environment ;; + group_label: "entity" + label: "entity.user.attribute.cloud.environment" + view_label: "Entity" + description: "The Cloud environment." + } # dimension entity__user__attribute__cloud__environment + + dimension: entity__user__attribute__cloud__environment_enum_name { + type: string + suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] + sql: CASE ${TABLE}.entity.user.attribute.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; + group_label: "entity" + label: "entity.user.attribute.cloud.environment_enum_name" + view_label: "Entity" + description: "The Cloud environment." + } # dimension entity__user__attribute__cloud__environment_enum_name + + dimension: entity__user__attribute__cloud__project { + hidden: yes + } # dimension entity__user__attribute__cloud__project + + dimension: entity__user__attribute__cloud__project__id { + type: string + sql: ${TABLE}.entity.user.attribute.cloud.project.id ;; + group_label: "entity" + group_item_label: "entity.user.attribute.cloud.project.id [D]" + label: "entity.user.attribute.cloud.project.id" + view_label: "Entity" + description: "Deprecated: Use resource.name or resource.product_object_id. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension entity__user__attribute__cloud__project__id + + dimension: entity__user__attribute__cloud__project__product_object_id { + type: string + sql: ${TABLE}.entity.user.attribute.cloud.project.product_object_id ;; + group_label: "entity" + group_item_label: "entity.user.attribute.cloud.project.product_object_id [D]" + label: "entity.user.attribute.cloud.project.product_object_id" + view_label: "Entity" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" + } # dimension entity__user__attribute__cloud__project__product_object_id + + dimension: entity__user__attribute__cloud__vpc { + hidden: yes + } # dimension entity__user__attribute__cloud__vpc + + dimension: entity__user__attribute__cloud__vpc__product_object_id { + type: string + sql: ${TABLE}.entity.user.attribute.cloud.vpc.product_object_id ;; + group_label: "entity" + group_item_label: "entity.user.attribute.cloud.vpc.product_object_id [D]" + label: "entity.user.attribute.cloud.vpc.product_object_id" + view_label: "Entity" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" + } # dimension entity__user__attribute__cloud__vpc__product_object_id + + dimension_group: entity__user__attribute__creation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.entity.user.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.entity.user.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "entity" + label: "entity.user.attribute.creation_time" + view_label: "Entity" + description: "Time the resource or entity was created or provisioned." 
+ } # dimension entity__user__attribute__creation_time + + dimension: entity__user__attribute__labels { + hidden: yes + } # dimension entity__user__attribute__labels + + dimension_group: entity__user__attribute__last_update_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.entity.user.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.entity.user.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "entity" + label: "entity.user.attribute.last_update_time" + view_label: "Entity" + description: "Time the resource or entity was last updated." + } # dimension entity__user__attribute__last_update_time + + dimension: entity__user__attribute__permissions { + hidden: yes + } # dimension entity__user__attribute__permissions + + dimension: entity__user__attribute__roles { + hidden: yes + } # dimension entity__user__attribute__roles + + dimension: entity__user__company_name { + type: string + sql: ${TABLE}.entity.user.company_name ;; + group_label: "entity" + label: "entity.user.company_name" + view_label: "Entity" + description: "User job company name." + } # dimension entity__user__company_name + + dimension: entity__user__department { + hidden: yes + } # dimension entity__user__department + + dimension: entity__user__email_addresses { + hidden: yes + } # dimension entity__user__email_addresses + + dimension: entity__user__employee_id { + type: string + sql: ${TABLE}.entity.user.employee_id ;; + group_label: "entity" + label: "entity.user.employee_id" + view_label: "Entity" + description: "Human capital management identifier." + } # dimension entity__user__employee_id + + dimension: entity__user__first_name { + type: string + sql: ${TABLE}.entity.user.first_name ;; + group_label: "entity" + label: "entity.user.first_name" + view_label: "Entity" + description: "First name of the user (e.g. \"John\")." 
+ } # dimension entity__user__first_name + + dimension: entity__user__group_identifiers { + hidden: yes + } # dimension entity__user__group_identifiers + + dimension_group: entity__user__hire_date { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.entity.user.hire_date.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.entity.user.hire_date.nanos, 0) / 1000) as INT64)) ;; + group_label: "entity" + label: "entity.user.hire_date" + view_label: "Entity" + description: "User job employment hire date." + } # dimension entity__user__hire_date + + dimension: entity__user__last_name { + type: string + sql: ${TABLE}.entity.user.last_name ;; + group_label: "entity" + label: "entity.user.last_name" + view_label: "Entity" + description: "Last name of the user (e.g. \"Locke\")." + } # dimension entity__user__last_name + + dimension: entity__user__managers { + hidden: yes + } # dimension entity__user__managers + + dimension: entity__user__middle_name { + type: string + sql: ${TABLE}.entity.user.middle_name ;; + group_label: "entity" + label: "entity.user.middle_name" + view_label: "Entity" + description: "Middle name of the user." + } # dimension entity__user__middle_name + + dimension: entity__user__office_address { + hidden: yes + } # dimension entity__user__office_address + + dimension: entity__user__office_address__city { + type: string + sql: ${TABLE}.entity.user.office_address.city ;; + group_label: "entity" + label: "entity.user.office_address.city" + view_label: "Entity" + description: "The city." + } # dimension entity__user__office_address__city + + dimension: entity__user__office_address__country_or_region { + type: string + sql: ${TABLE}.entity.user.office_address.country_or_region ;; + group_label: "entity" + label: "entity.user.office_address.country_or_region" + view_label: "Entity" + description: "The country or region." 
+ } # dimension entity__user__office_address__country_or_region + + dimension: entity__user__office_address__floor_name { + type: string + sql: ${TABLE}.entity.user.office_address.floor_name ;; + group_label: "entity" + label: "entity.user.office_address.floor_name" + view_label: "Entity" + description: "Floor name, number or a combination of the two for a building. (e.g. \"1-A\")." + } # dimension entity__user__office_address__floor_name + + dimension: entity__user__office_address__name { + type: string + sql: ${TABLE}.entity.user.office_address.name ;; + group_label: "entity" + label: "entity.user.office_address.name" + view_label: "Entity" + description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." + } # dimension entity__user__office_address__name + + dimension: entity__user__office_address__state { + type: string + sql: ${TABLE}.entity.user.office_address.state ;; + group_label: "entity" + label: "entity.user.office_address.state" + view_label: "Entity" + description: "The state." + } # dimension entity__user__office_address__state + + dimension: entity__user__personal_address { + hidden: yes + } # dimension entity__user__personal_address + + dimension: entity__user__personal_address__city { + type: string + sql: ${TABLE}.entity.user.personal_address.city ;; + group_label: "entity" + label: "entity.user.personal_address.city" + view_label: "Entity" + description: "The city." + } # dimension entity__user__personal_address__city + + dimension: entity__user__personal_address__country_or_region { + type: string + sql: ${TABLE}.entity.user.personal_address.country_or_region ;; + group_label: "entity" + label: "entity.user.personal_address.country_or_region" + view_label: "Entity" + description: "The country or region." 
+ } # dimension entity__user__personal_address__country_or_region + + dimension: entity__user__personal_address__name { + type: string + sql: ${TABLE}.entity.user.personal_address.name ;; + group_label: "entity" + label: "entity.user.personal_address.name" + view_label: "Entity" + description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." + } # dimension entity__user__personal_address__name + + dimension: entity__user__personal_address__state { + type: string + sql: ${TABLE}.entity.user.personal_address.state ;; + group_label: "entity" + label: "entity.user.personal_address.state" + view_label: "Entity" + description: "The state." + } # dimension entity__user__personal_address__state + + dimension: entity__user__phone_numbers { + hidden: yes + } # dimension entity__user__phone_numbers + + dimension: entity__user__product_object_id { + type: string + sql: ${TABLE}.entity.user.product_object_id ;; + group_label: "entity" + label: "entity.user.product_object_id" + view_label: "Entity" + description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." + } # dimension entity__user__product_object_id + + dimension: entity__user__role_description { + type: string + sql: ${TABLE}.entity.user.role_description ;; + group_label: "entity" + group_item_label: "entity.user.role_description [D]" + label: "entity.user.role_description" + view_label: "Entity" + description: "System role description for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" + } # dimension entity__user__role_description + + dimension: entity__user__role_name { + type: string + sql: ${TABLE}.entity.user.role_name ;; + group_label: "entity" + group_item_label: "entity.user.role_name [D]" + label: "entity.user.role_name" + view_label: "Entity" + description: "System role name for user. 
Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" + } # dimension entity__user__role_name + + dimension_group: entity__user__termination_date { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.entity.user.termination_date.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.entity.user.termination_date.nanos, 0) / 1000) as INT64)) ;; + group_label: "entity" + label: "entity.user.termination_date" + view_label: "Entity" + description: "User job employment termination date." + } # dimension entity__user__termination_date + + dimension: entity__user__time_off { + hidden: yes + } # dimension entity__user__time_off + + dimension: entity__user__title { + type: string + sql: ${TABLE}.entity.user.title ;; + group_label: "entity" + label: "entity.user.title" + view_label: "Entity" + description: "User job title." + } # dimension entity__user__title + + dimension: entity__user__user_authentication_status { + type: number + sql: ${TABLE}.entity.user.user_authentication_status ;; + group_label: "entity" + label: "entity.user.user_authentication_status" + view_label: "Entity" + description: "System authentication status for user." + } # dimension entity__user__user_authentication_status + + dimension: entity__user__user_authentication_status_enum_name { + type: string + suggestions: ["ACTIVE", "DELETED", "NO_ACTIVE_CREDENTIALS", "SUSPENDED", "UNKNOWN_AUTHENTICATION_STATUS"] + sql: CASE ${TABLE}.entity.user.user_authentication_status WHEN 0 THEN 'UNKNOWN_AUTHENTICATION_STATUS' WHEN 1 THEN 'ACTIVE' WHEN 2 THEN 'SUSPENDED' WHEN 3 THEN 'NO_ACTIVE_CREDENTIALS' WHEN 4 THEN 'DELETED' END ;; + group_label: "entity" + label: "entity.user.user_authentication_status_enum_name" + view_label: "Entity" + description: "System authentication status for user." 
+ } # dimension entity__user__user_authentication_status_enum_name + + dimension: entity__user__user_display_name { + type: string + sql: ${TABLE}.entity.user.user_display_name ;; + group_label: "entity" + label: "entity.user.user_display_name" + view_label: "Entity" + description: "The display name of the user (e.g. \"John Locke\")." + } # dimension entity__user__user_display_name + + dimension: entity__user__user_role { + type: number + sql: ${TABLE}.entity.user.user_role ;; + group_label: "entity" + group_item_label: "entity.user.user_role [D]" + label: "entity.user.user_role" + view_label: "Entity" + description: "System role for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" + } # dimension entity__user__user_role + + dimension: entity__user__user_role_enum_name { + type: string + suggestions: ["ADMINISTRATOR", "SERVICE_ACCOUNT", "UNKNOWN_ROLE"] + sql: CASE ${TABLE}.entity.user.user_role WHEN 0 THEN 'UNKNOWN_ROLE' WHEN 1 THEN 'ADMINISTRATOR' WHEN 2 THEN 'SERVICE_ACCOUNT' END ;; + group_label: "entity" + group_item_label: "entity.user.user_role_enum_name [D]" + label: "entity.user.user_role_enum_name" + view_label: "Entity" + description: "System role for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" + } # dimension entity__user__user_role_enum_name + + dimension: entity__user__userid { + type: string + sql: ${TABLE}.entity.user.userid ;; + group_label: "entity" + label: "entity.user.userid" + view_label: "Entity" + description: "The ID of the user." + } # dimension entity__user__userid + + dimension: entity__user__windows_sid { + type: string + sql: ${TABLE}.entity.user.windows_sid ;; + group_label: "entity" + label: "entity.user.windows_sid" + view_label: "Entity" + description: "The Microsoft Windows SID of the user." 
+ } # dimension entity__user__windows_sid + + dimension: entity__user_management_chain { + hidden: yes + } # dimension entity__user_management_chain + + dimension: metadata { + hidden: yes + } # dimension metadata + + dimension_group: metadata__collected_timestamp { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.metadata.collected_timestamp.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.metadata.collected_timestamp.nanos, 0) / 1000) as INT64)) ;; + group_label: "metadata" + label: "metadata.collected_timestamp" + view_label: "Entity" + description: "GMT timestamp when the entity information was collected by the vendor's local collection infrastructure." + } # dimension metadata__collected_timestamp + + dimension_group: metadata__creation_timestamp { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.metadata.creation_timestamp.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.metadata.creation_timestamp.nanos, 0) / 1000) as INT64)) ;; + group_label: "metadata" + label: "metadata.creation_timestamp" + view_label: "Entity" + description: "GMT timestamp when the entity described by the product_entity_id was created on the system where data was collected." + } # dimension metadata__creation_timestamp + + dimension: metadata__description { + type: string + sql: ${TABLE}.metadata.description ;; + group_label: "metadata" + label: "metadata.description" + view_label: "Entity" + description: "Human-readable description of the entity." + } # dimension metadata__description + + dimension: metadata__entity_type { + type: number + sql: ${TABLE}.metadata.entity_type ;; + group_label: "metadata" + label: "metadata.entity_type" + view_label: "Entity" + description: "Entity type. If an entity has multiple possible types, this specifies the most specific type." 
+ } # dimension metadata__entity_type + + dimension: metadata__entity_type_enum_name { + type: string + suggestions: ["ASSET", "DOMAIN_NAME", "FILE", "GROUP", "IP_ADDRESS", "METRIC", "MUTEX", "RESOURCE", "UNKNOWN_ENTITYTYPE", "URL", "USER"] + sql: CASE ${TABLE}.metadata.entity_type WHEN 0 THEN 'UNKNOWN_ENTITYTYPE' WHEN 1 THEN 'ASSET' WHEN 10000 THEN 'USER' WHEN 10001 THEN 'GROUP' WHEN 2 THEN 'RESOURCE' WHEN 3 THEN 'IP_ADDRESS' WHEN 4 THEN 'FILE' WHEN 5 THEN 'DOMAIN_NAME' WHEN 6 THEN 'URL' WHEN 7 THEN 'MUTEX' WHEN 8 THEN 'METRIC' END ;; + group_label: "metadata" + label: "metadata.entity_type_enum_name" + view_label: "Entity" + description: "Entity type. If an entity has multiple possible types, this specifies the most specific type." + } # dimension metadata__entity_type_enum_name + + dimension: metadata__event_metadata { + hidden: yes + } # dimension metadata__event_metadata + + dimension: metadata__event_metadata__base_labels { + hidden: yes + } # dimension metadata__event_metadata__base_labels + + dimension: metadata__event_metadata__base_labels__log_types { + hidden: yes + } # dimension metadata__event_metadata__base_labels__log_types + + dimension: metadata__event_metadata__base_labels__namespaces { + hidden: yes + } # dimension metadata__event_metadata__base_labels__namespaces + + dimension_group: metadata__interval { + type: duration + intervals: [ second, minute, hour ] + sql_start: TIMESTAMP_MICROS(IFNULL(${TABLE}.metadata.interval.start_time.seconds,0) * 1000000 + CAST((IFNULL(${TABLE}.metadata.interval.start_time.nanos,0) / 1000) as INT64)) ;; + sql_end: TIMESTAMP_MICROS(IFNULL(${TABLE}.metadata.interval.end_time.seconds,0) * 1000000 + CAST((IFNULL(${TABLE}.metadata.interval.end_time.nanos,0) / 1000) as INT64)) ;; + group_label: "metadata" + label: "metadata.interval" + view_label: "Entity" + description: "Valid existence time range for the version of the entity represented by this entity data." 
+ } # dimension metadata__interval + + dimension: metadata__product_entity_id { + type: string + sql: ${TABLE}.metadata.product_entity_id ;; + group_label: "metadata" + label: "metadata.product_entity_id" + view_label: "Entity" + description: "A vendor-specific identifier that uniquely identifies the entity (e.g. a GUID, LDAP, OID, or similar)." + } # dimension metadata__product_entity_id + + dimension: metadata__product_name { + type: string + sql: ${TABLE}.metadata.product_name ;; + group_label: "metadata" + label: "metadata.product_name" + view_label: "Entity" + description: "Product name that produced the entity information." + } # dimension metadata__product_name + + dimension: metadata__product_version { + type: string + sql: ${TABLE}.metadata.product_version ;; + group_label: "metadata" + label: "metadata.product_version" + view_label: "Entity" + description: "Version of the product that produced the entity information." + } # dimension metadata__product_version + + dimension: metadata__source_labels { + hidden: yes + } # dimension metadata__source_labels + + dimension: metadata__source_type { + type: number + sql: ${TABLE}.metadata.source_type ;; + group_label: "metadata" + label: "metadata.source_type" + view_label: "Entity" + description: "The source of the entity." + } # dimension metadata__source_type + + dimension: metadata__source_type_enum_name { + type: string + suggestions: ["DERIVED_CONTEXT", "ENTITY_CONTEXT", "GLOBAL_CONTEXT", "SOURCE_TYPE_UNSPECIFIED"] + sql: CASE ${TABLE}.metadata.source_type WHEN 0 THEN 'SOURCE_TYPE_UNSPECIFIED' WHEN 1 THEN 'ENTITY_CONTEXT' WHEN 2 THEN 'DERIVED_CONTEXT' WHEN 3 THEN 'GLOBAL_CONTEXT' END ;; + group_label: "metadata" + label: "metadata.source_type_enum_name" + view_label: "Entity" + description: "The source of the entity." 
+ } # dimension metadata__source_type_enum_name + + dimension: metadata__threat { + hidden: yes + } # dimension metadata__threat + + dimension: metadata__vendor_name { + type: string + sql: ${TABLE}.metadata.vendor_name ;; + group_label: "metadata" + label: "metadata.vendor_name" + view_label: "Entity" + description: "Vendor name of the product that produced the entity information." + } # dimension metadata__vendor_name + + dimension: relations { + hidden: yes + } # dimension relations + +} # view entity_graph + +view: entity_graph__additional__fields { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "additional" + label: "additional.fields.key" + view_label: "Entity" + } # dimension key + + dimension: value { + hidden: yes + } # dimension value + + dimension: value__number_value { + type: number + sql: ${TABLE}.value.number_value ;; + group_label: "additional" + label: "additional.fields.value.number_value" + view_label: "Entity" + } # dimension value__number_value + + dimension: value__string_value { + type: string + sql: ${TABLE}.value.string_value ;; + group_label: "additional" + label: "additional.fields.value.string_value" + view_label: "Entity" + } # dimension value__string_value + +} # view entity_graph__additional__fields + +view: entity_graph__entity__artifact__network__email__to { + dimension: entity_graph__entity__artifact__network__email__to { + type: string + sql: ${TABLE} ;; + group_label: "entity" + label: "entity.artifact.network.email.to" + view_label: "Entity" + description: "A list of 'to' addresses." + } # dimension entity_graph__entity__artifact__network__email__to +} # view entity_graph__entity__artifact__network__email__to + +view: entity_graph__entity__asset__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "entity" + label: "entity.asset.attribute.labels.key" + view_label: "Entity" + description: "The key." 
+ } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "entity" + label: "entity.asset.attribute.labels.value" + view_label: "Entity" + description: "The value." + } # dimension value + +} # view entity_graph__entity__asset__attribute__labels + +view: entity_graph__entity__asset__hardware { + dimension: cpu_model { + type: string + sql: ${TABLE}.cpu_model ;; + group_label: "entity" + label: "entity.asset.hardware.cpu_model" + view_label: "Entity" + description: "Model description of the hardware CPU (e.g. \"2.8 GHz Quad-Core Intel Core i5\")." + } # dimension cpu_model + + dimension: cpu_platform { + type: string + sql: ${TABLE}.cpu_platform ;; + group_label: "entity" + label: "entity.asset.hardware.cpu_platform" + view_label: "Entity" + description: "Platform of the hardware CPU (e.g. \"Intel Broadwell\")." + } # dimension cpu_platform + + dimension: manufacturer { + type: string + sql: ${TABLE}.manufacturer ;; + group_label: "entity" + label: "entity.asset.hardware.manufacturer" + view_label: "Entity" + description: "Hardware manufacturer." + } # dimension manufacturer + + dimension: model { + type: string + sql: ${TABLE}.model ;; + group_label: "entity" + label: "entity.asset.hardware.model" + view_label: "Entity" + description: "Hardware model." + } # dimension model + + dimension: ram { + type: number + sql: ${TABLE}.ram ;; + group_label: "entity" + label: "entity.asset.hardware.ram" + view_label: "Entity" + description: "Amount of the hardware ramdom access memory (RAM) in Mb." + } # dimension ram + + dimension: serial_number { + type: string + sql: ${TABLE}.serial_number ;; + group_label: "entity" + label: "entity.asset.hardware.serial_number" + view_label: "Entity" + description: "Hardware serial number." 
+ } # dimension serial_number + +} # view entity_graph__entity__asset__hardware + +view: entity_graph__entity__asset__ip { + dimension: entity_graph__entity__asset__ip { + type: string + sql: ${TABLE} ;; + group_label: "entity" + label: "entity.asset.ip" + view_label: "Entity" + description: "A list of IP addresses associated with an asset." + } # dimension entity_graph__entity__asset__ip +} # view entity_graph__entity__asset__ip + +view: entity_graph__entity__asset__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "entity" + group_item_label: "entity.asset.labels.key [D]" + label: "entity.asset.labels.key" + view_label: "Entity" + description: "The key. [D]: This field is deprecated and will be removed in a future release" + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "entity" + group_item_label: "entity.asset.labels.value [D]" + label: "entity.asset.labels.value" + view_label: "Entity" + description: "The value. [D]: This field is deprecated and will be removed in a future release" + } # dimension value + +} # view entity_graph__entity__asset__labels + +view: entity_graph__entity__asset__mac { + dimension: entity_graph__entity__asset__mac { + type: string + sql: ${TABLE} ;; + group_label: "entity" + label: "entity.asset.mac" + view_label: "Entity" + description: "List of MAC addresses associated with an asset." + } # dimension entity_graph__entity__asset__mac +} # view entity_graph__entity__asset__mac + +view: entity_graph__entity__asset__nat_ip { + dimension: entity_graph__entity__asset__nat_ip { + type: string + sql: ${TABLE} ;; + group_label: "entity" + label: "entity.asset.nat_ip" + view_label: "Entity" + description: "List of NAT IP addresses associated with an asset." 
+ } # dimension entity_graph__entity__asset__nat_ip +} # view entity_graph__entity__asset__nat_ip + +view: entity_graph__entity__asset__software__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "entity" + label: "entity.asset.software.permissions.description" + view_label: "Entity" + description: "Description of the permission (e.g. 'Ability to update detect rules')." + } # dimension description + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "entity" + label: "entity.asset.software.permissions.name" + view_label: "Entity" + description: "Name of the permission (e.g. chronicle.analyst.updateRule)." + } # dimension name + +} # view entity_graph__entity__asset__software__permissions + +view: entity_graph__entity__asset__software { + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "entity" + label: "entity.asset.software.name" + view_label: "Entity" + description: "The name of the software." + } # dimension name + + dimension: permissions { + hidden: yes + } # dimension permissions + + dimension: version { + type: string + sql: ${TABLE}.version ;; + group_label: "entity" + label: "entity.asset.software.version" + view_label: "Entity" + description: "The version of the software." + } # dimension version + +} # view entity_graph__entity__asset__software + +view: entity_graph__entity__asset__vulnerabilities__about__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "entity" + group_item_label: "entity.asset.vulnerabilities.about.labels.key [D]" + label: "entity.asset.vulnerabilities.about.labels.key" + view_label: "Entity" + description: "The key. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "entity" + group_item_label: "entity.asset.vulnerabilities.about.labels.value [D]" + label: "entity.asset.vulnerabilities.about.labels.value" + view_label: "Entity" + description: "The value. [D]: This field is deprecated and will be removed in a future release" + } # dimension value + +} # view entity_graph__entity__asset__vulnerabilities__about__labels + +view: entity_graph__entity__asset__vulnerabilities { + dimension: about { + hidden: yes + } # dimension about + + dimension: about__labels { + hidden: yes + } # dimension about__labels + + dimension: about__namespace { + type: string + sql: ${TABLE}.about.namespace ;; + group_label: "entity" + label: "entity.asset.vulnerabilities.about.namespace" + view_label: "Entity" + description: "Namespace which the device belongs to (e.g. AD forest) Uses for this field include Microsoft Windows AD forest, name of subsidiary or acquisition, etc." + } # dimension about__namespace + + dimension: cve_description { + type: string + sql: ${TABLE}.cve_description ;; + group_label: "entity" + label: "entity.asset.vulnerabilities.cve_description" + view_label: "Entity" + description: "Common Vulnerabilities and Exposures Description. 
https://cve.mitre.org/about/faqs.html#what_is_cve_record" + } # dimension cve_description + + dimension: cve_id { + type: string + sql: ${TABLE}.cve_id ;; + group_label: "entity" + label: "entity.asset.vulnerabilities.cve_id" + view_label: "Entity" + description: "Common Vulnerabilities and Exposures Id.https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures https://cve.mitre.org/about/faqs.html#what_is_cve_id" + } # dimension cve_id + + dimension: cvss_base_score { + type: number + sql: ${TABLE}.cvss_base_score ;; + group_label: "entity" + label: "entity.asset.vulnerabilities.cvss_base_score" + view_label: "Entity" + description: "CVSS Base Score in the range of 0.0 to 10.0. Useful for sorting." + } # dimension cvss_base_score + + dimension: cvss_vector { + type: string + sql: ${TABLE}.cvss_vector ;; + group_label: "entity" + label: "entity.asset.vulnerabilities.cvss_vector" + view_label: "Entity" + description: "Vector of CVSS properties (e.g. \"AV:L/AC:H/Au:N/C:N/I:P/A:C\") Can be linked to via: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=VALUE" + } # dimension cvss_vector + + dimension: cvss_version { + type: string + sql: ${TABLE}.cvss_version ;; + group_label: "entity" + label: "entity.asset.vulnerabilities.cvss_version" + view_label: "Entity" + description: "Version of CVSS Vector/Score." + } # dimension cvss_version + + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "entity" + label: "entity.asset.vulnerabilities.description" + view_label: "Entity" + description: "Description of the vulnerability." 
+ } # dimension description + + dimension_group: entity__asset__vulnerabilities__first_found { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.first_found.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.first_found.nanos, 0) / 1000) as INT64)) ;; + group_label: "entity" + label: "entity.asset.vulnerabilities.first_found" + view_label: "Entity" + description: "Products that maintain a history of vuln scans should populate first_found with the time that a scan first detected the vulnerability on this asset." + } # dimension entity__asset__vulnerabilities__first_found + + dimension_group: entity__asset__vulnerabilities__last_found { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.last_found.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.last_found.nanos, 0) / 1000) as INT64)) ;; + group_label: "entity" + label: "entity.asset.vulnerabilities.last_found" + view_label: "Entity" + description: "Products that maintain a history of vuln scans should populate last_found with the time that a scan last detected the vulnerability on this asset." + } # dimension entity__asset__vulnerabilities__last_found + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "entity" + label: "entity.asset.vulnerabilities.name" + view_label: "Entity" + description: "Name of the vulnerability (e.g. \"Unsupported OS Version detected\")." 
+ } # dimension name + + dimension_group: entity__asset__vulnerabilities__scan_end_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.scan_end_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.scan_end_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "entity" + label: "entity.asset.vulnerabilities.scan_end_time" + view_label: "Entity" + description: "If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan ended. This field can be left unset if the end time is not available or not applicable." + } # dimension entity__asset__vulnerabilities__scan_end_time + + dimension_group: entity__asset__vulnerabilities__scan_start_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.scan_start_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.scan_start_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "entity" + label: "entity.asset.vulnerabilities.scan_start_time" + view_label: "Entity" + description: "If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan started. This field can be left unset if the start time is not available or not applicable." + } # dimension entity__asset__vulnerabilities__scan_start_time + + dimension: severity { + type: number + sql: ${TABLE}.severity ;; + group_label: "entity" + label: "entity.asset.vulnerabilities.severity" + view_label: "Entity" + description: "The severity of the vulnerability." 
+ } # dimension severity + + dimension: severity_enum_name { + type: string + suggestions: ["CRITICAL", "HIGH", "LOW", "MEDIUM", "UNKNOWN_SEVERITY"] + sql: CASE ${TABLE}.severity WHEN 0 THEN 'UNKNOWN_SEVERITY' WHEN 1 THEN 'LOW' WHEN 2 THEN 'MEDIUM' WHEN 3 THEN 'HIGH' WHEN 4 THEN 'CRITICAL' END ;; + group_label: "entity" + label: "entity.asset.vulnerabilities.severity_enum_name" + view_label: "Entity" + description: "The severity of the vulnerability." + } # dimension severity_enum_name + + dimension: severity_details { + type: string + sql: ${TABLE}.severity_details ;; + group_label: "entity" + label: "entity.asset.vulnerabilities.severity_details" + view_label: "Entity" + description: "Vendor-specific severity" + } # dimension severity_details + + dimension: vendor { + type: string + sql: ${TABLE}.vendor ;; + group_label: "entity" + label: "entity.asset.vulnerabilities.vendor" + view_label: "Entity" + description: "Vendor of scan that discovered vulnerability." + } # dimension vendor + + dimension: vendor_knowledge_base_article_id { + type: string + sql: ${TABLE}.vendor_knowledge_base_article_id ;; + group_label: "entity" + label: "entity.asset.vulnerabilities.vendor_knowledge_base_article_id" + view_label: "Entity" + description: "Vendor specific knowledge base article (e.g. \"KBXXXXXX\" from Microsoft). https://en.wikipedia.org/wiki/Microsoft_Knowledge_Base https://access.redhat.com/knowledgebase" + } # dimension vendor_knowledge_base_article_id + +} # view entity_graph__entity__asset__vulnerabilities + +view: entity_graph__entity__domain__admin__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "entity" + label: "entity.domain.admin.attribute.labels.key" + view_label: "Entity" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "entity" + label: "entity.domain.admin.attribute.labels.value" + view_label: "Entity" + description: "The value." 
+ } # dimension value + +} # view entity_graph__entity__domain__admin__attribute__labels + +view: entity_graph__entity__domain__billing__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "entity" + label: "entity.domain.billing.attribute.labels.key" + view_label: "Entity" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "entity" + label: "entity.domain.billing.attribute.labels.value" + view_label: "Entity" + description: "The value." + } # dimension value + +} # view entity_graph__entity__domain__billing__attribute__labels + +view: entity_graph__entity__domain__name_server { + dimension: entity_graph__entity__domain__name_server { + type: string + sql: ${TABLE} ;; + group_label: "entity" + label: "entity.domain.name_server" + view_label: "Entity" + description: "Repeated list of name servers." + } # dimension entity_graph__entity__domain__name_server +} # view entity_graph__entity__domain__name_server + +view: entity_graph__entity__domain__registrant__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "entity" + label: "entity.domain.registrant.attribute.labels.key" + view_label: "Entity" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "entity" + label: "entity.domain.registrant.attribute.labels.value" + view_label: "Entity" + description: "The value." + } # dimension value + +} # view entity_graph__entity__domain__registrant__attribute__labels + +view: entity_graph__entity__domain__registrant__email_addresses { + dimension: entity_graph__entity__domain__registrant__email_addresses { + type: string + sql: ${TABLE} ;; + group_label: "entity" + label: "entity.domain.registrant.email_addresses" + view_label: "Entity" + description: "Email addresses of the user." 
+ } # dimension entity_graph__entity__domain__registrant__email_addresses +} # view entity_graph__entity__domain__registrant__email_addresses + +view: entity_graph__entity__domain__tech__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "entity" + label: "entity.domain.tech.attribute.labels.key" + view_label: "Entity" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "entity" + label: "entity.domain.tech.attribute.labels.value" + view_label: "Entity" + description: "The value." + } # dimension value + +} # view entity_graph__entity__domain__tech__attribute__labels + +view: entity_graph__entity__file__names { + dimension: entity_graph__entity__file__names { + type: string + sql: ${TABLE} ;; + group_label: "entity" + label: "entity.file.names" + view_label: "Entity" + description: "Names fields." + } # dimension entity_graph__entity__file__names +} # view entity_graph__entity__file__names + +view: entity_graph__entity__file__pe_file__resource { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + group_label: "entity" + label: "entity.file.pe_file.resource.entropy" + view_label: "Entity" + description: "Entropy of the resource." + } # dimension entropy + +} # view entity_graph__entity__file__pe_file__resource + +view: entity_graph__entity__group__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "entity" + label: "entity.group.attribute.labels.key" + view_label: "Entity" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "entity" + label: "entity.group.attribute.labels.value" + view_label: "Entity" + description: "The value." 
+ } # dimension value + +} # view entity_graph__entity__group__attribute__labels + +view: entity_graph__entity__group__email_addresses { + dimension: entity_graph__entity__group__email_addresses { + type: string + sql: ${TABLE} ;; + group_label: "entity" + label: "entity.group.email_addresses" + view_label: "Entity" + description: "Email addresses of the group." + } # dimension entity_graph__entity__group__email_addresses +} # view entity_graph__entity__group__email_addresses + +view: entity_graph__entity__ip { + dimension: entity_graph__entity__ip { + type: string + sql: ${TABLE} ;; + group_label: "entity" + label: "entity.ip" + view_label: "Entity" + description: "A list of IP addresses associated with a network connection." + } # dimension entity_graph__entity__ip +} # view entity_graph__entity__ip + +view: entity_graph__entity__ip_geo_artifact { + dimension: ip { + type: string + sql: ${TABLE}.ip ;; + group_label: "entity" + label: "entity.ip_geo_artifact.ip" + view_label: "Entity" + description: "IP address of the artifact." + } # dimension ip + + dimension: location { + hidden: yes + } # dimension location + + dimension: location__city { + type: string + sql: ${TABLE}.location.city ;; + group_label: "entity" + label: "entity.ip_geo_artifact.location.city" + view_label: "Entity" + description: "The city." + } # dimension location__city + + dimension: location__country_or_region { + type: string + sql: ${TABLE}.location.country_or_region ;; + group_label: "entity" + label: "entity.ip_geo_artifact.location.country_or_region" + view_label: "Entity" + description: "The country or region." 
+ } # dimension location__country_or_region + + dimension: location__region_coordinates { + type: location + sql_latitude: ${TABLE}.location.region_coordinates.latitude ;; + sql_longitude: ${TABLE}.location.region_coordinates.longitude ;; + group_label: "entity" + group_item_label: "entity.ip_geo_artifact.location.region_coordinates [L]" + label: "entity.ip_geo_artifact.location.region_coordinates" + view_label: "Entity" + description: "Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. [L]: This is a location field and can be used in maps." + } # dimension location__region_coordinates + + dimension: network { + hidden: yes + } # dimension network + + dimension: network__asn { + type: string + sql: ${TABLE}.network.asn ;; + group_label: "entity" + label: "entity.ip_geo_artifact.network.asn" + view_label: "Entity" + description: "Autonomous system number." + } # dimension network__asn + + dimension: network__organization_name { + type: string + sql: ${TABLE}.network.organization_name ;; + group_label: "entity" + label: "entity.ip_geo_artifact.network.organization_name" + view_label: "Entity" + description: "Organization name (e.g Google)." + } # dimension network__organization_name + +} # view entity_graph__entity__ip_geo_artifact + +view: entity_graph__entity__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "entity" + group_item_label: "entity.labels.key [D]" + label: "entity.labels.key" + view_label: "Entity" + description: "The key. [D]: This field is deprecated and will be removed in a future release" + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "entity" + group_item_label: "entity.labels.value [D]" + label: "entity.labels.value" + view_label: "Entity" + description: "The value. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension value + +} # view entity_graph__entity__labels + +view: entity_graph__entity__mac { + dimension: entity_graph__entity__mac { + type: string + sql: ${TABLE} ;; + group_label: "entity" + label: "entity.mac" + view_label: "Entity" + description: "List of MAC addresses associated with a device." + } # dimension entity_graph__entity__mac +} # view entity_graph__entity__mac + +view: entity_graph__entity__resource__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "entity" + label: "entity.resource.attribute.labels.key" + view_label: "Entity" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "entity" + label: "entity.resource.attribute.labels.value" + view_label: "Entity" + description: "The value." + } # dimension value + +} # view entity_graph__entity__resource__attribute__labels + +view: entity_graph__entity__user__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "entity" + label: "entity.user.attribute.labels.key" + view_label: "Entity" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "entity" + label: "entity.user.attribute.labels.value" + view_label: "Entity" + description: "The value." + } # dimension value + +} # view entity_graph__entity__user__attribute__labels + +view: entity_graph__entity__user__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "entity" + label: "entity.user.attribute.permissions.description" + view_label: "Entity" + description: "Description of the permission (e.g. 'Ability to update detect rules')." 
+ } # dimension description + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "entity" + label: "entity.user.attribute.permissions.name" + view_label: "Entity" + description: "Name of the permission (e.g. chronicle.analyst.updateRule)." + } # dimension name + + dimension: type { + type: number + sql: ${TABLE}.type ;; + group_label: "entity" + label: "entity.user.attribute.permissions.type" + view_label: "Entity" + description: "Type of the permission." + } # dimension type + + dimension: type_enum_name { + type: string + suggestions: ["ADMIN_READ", "ADMIN_WRITE", "DATA_READ", "DATA_WRITE", "UNKNOWN_PERMISSION_TYPE"] + sql: CASE ${TABLE}.type WHEN 0 THEN 'UNKNOWN_PERMISSION_TYPE' WHEN 1 THEN 'ADMIN_WRITE' WHEN 2 THEN 'ADMIN_READ' WHEN 3 THEN 'DATA_WRITE' WHEN 4 THEN 'DATA_READ' END ;; + group_label: "entity" + label: "entity.user.attribute.permissions.type_enum_name" + view_label: "Entity" + description: "Type of the permission." + } # dimension type_enum_name + +} # view entity_graph__entity__user__attribute__permissions + +view: entity_graph__entity__user__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "entity" + label: "entity.user.attribute.roles.description" + view_label: "Entity" + description: "System role description for user." + } # dimension description + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "entity" + label: "entity.user.attribute.roles.name" + view_label: "Entity" + description: "System role name for user." + } # dimension name + + dimension: type { + type: number + sql: ${TABLE}.type ;; + group_label: "entity" + label: "entity.user.attribute.roles.type" + view_label: "Entity" + description: "System role type for well known roles." 
+ } # dimension type + + dimension: type_enum_name { + type: string + suggestions: ["ADMINISTRATOR", "SERVICE_ACCOUNT", "TYPE_UNSPECIFIED"] + sql: CASE ${TABLE}.type WHEN 0 THEN 'TYPE_UNSPECIFIED' WHEN 1 THEN 'ADMINISTRATOR' WHEN 2 THEN 'SERVICE_ACCOUNT' END ;; + group_label: "entity" + label: "entity.user.attribute.roles.type_enum_name" + view_label: "Entity" + description: "System role type for well known roles." + } # dimension type_enum_name + +} # view entity_graph__entity__user__attribute__roles + +view: entity_graph__entity__user__department { + dimension: entity_graph__entity__user__department { + type: string + sql: ${TABLE} ;; + group_label: "entity" + label: "entity.user.department" + view_label: "Entity" + description: "User job department" + } # dimension entity_graph__entity__user__department +} # view entity_graph__entity__user__department + +view: entity_graph__entity__user__email_addresses { + dimension: entity_graph__entity__user__email_addresses { + type: string + sql: ${TABLE} ;; + group_label: "entity" + label: "entity.user.email_addresses" + view_label: "Entity" + description: "Email addresses of the user." + } # dimension entity_graph__entity__user__email_addresses +} # view entity_graph__entity__user__email_addresses + +view: entity_graph__entity__user__group_identifiers { + dimension: entity_graph__entity__user__group_identifiers { + type: string + sql: ${TABLE} ;; + group_label: "entity" + label: "entity.user.group_identifiers" + view_label: "Entity" + description: "Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar)." 
+ } # dimension entity_graph__entity__user__group_identifiers +} # view entity_graph__entity__user__group_identifiers + +view: entity_graph__entity__user__managers__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "entity" + label: "entity.user.managers.attribute.labels.key" + view_label: "Entity" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "entity" + label: "entity.user.managers.attribute.labels.value" + view_label: "Entity" + description: "The value." + } # dimension value + +} # view entity_graph__entity__user__managers__attribute__labels + +view: entity_graph__entity__user__managers__attribute__roles { + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "entity" + label: "entity.user.managers.attribute.roles.name" + view_label: "Entity" + description: "System role name for user." + } # dimension name + + dimension: type { + type: number + sql: ${TABLE}.type ;; + group_label: "entity" + label: "entity.user.managers.attribute.roles.type" + view_label: "Entity" + description: "System role type for well known roles." + } # dimension type + + dimension: type_enum_name { + type: string + suggestions: ["ADMINISTRATOR", "SERVICE_ACCOUNT", "TYPE_UNSPECIFIED"] + sql: CASE ${TABLE}.type WHEN 0 THEN 'TYPE_UNSPECIFIED' WHEN 1 THEN 'ADMINISTRATOR' WHEN 2 THEN 'SERVICE_ACCOUNT' END ;; + group_label: "entity" + label: "entity.user.managers.attribute.roles.type_enum_name" + view_label: "Entity" + description: "System role type for well known roles." 
+ } # dimension type_enum_name + +} # view entity_graph__entity__user__managers__attribute__roles + +view: entity_graph__entity__user__managers__department { + dimension: entity_graph__entity__user__managers__department { + type: string + sql: ${TABLE} ;; + group_label: "entity" + label: "entity.user.managers.department" + view_label: "Entity" + description: "User job department" + } # dimension entity_graph__entity__user__managers__department +} # view entity_graph__entity__user__managers__department + +view: entity_graph__entity__user__managers__email_addresses { + dimension: entity_graph__entity__user__managers__email_addresses { + type: string + sql: ${TABLE} ;; + group_label: "entity" + label: "entity.user.managers.email_addresses" + view_label: "Entity" + description: "Email addresses of the user." + } # dimension entity_graph__entity__user__managers__email_addresses +} # view entity_graph__entity__user__managers__email_addresses + +view: entity_graph__entity__user__managers__group_identifiers { + dimension: entity_graph__entity__user__managers__group_identifiers { + type: string + sql: ${TABLE} ;; + group_label: "entity" + label: "entity.user.managers.group_identifiers" + view_label: "Entity" + description: "Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar)." + } # dimension entity_graph__entity__user__managers__group_identifiers +} # view entity_graph__entity__user__managers__group_identifiers + +view: entity_graph__entity__user__managers__phone_numbers { + dimension: entity_graph__entity__user__managers__phone_numbers { + type: string + sql: ${TABLE} ;; + group_label: "entity" + label: "entity.user.managers.phone_numbers" + view_label: "Entity" + description: "Phone numbers for the user." 
+ } # dimension entity_graph__entity__user__managers__phone_numbers +} # view entity_graph__entity__user__managers__phone_numbers + +view: entity_graph__entity__user__managers { + dimension: attribute { + hidden: yes + } # dimension attribute + + dimension: attribute__labels { + hidden: yes + } # dimension attribute__labels + + dimension: attribute__roles { + hidden: yes + } # dimension attribute__roles + + dimension: company_name { + type: string + sql: ${TABLE}.company_name ;; + group_label: "entity" + label: "entity.user.managers.company_name" + view_label: "Entity" + description: "User job company name." + } # dimension company_name + + dimension: department { + hidden: yes + } # dimension department + + dimension: email_addresses { + hidden: yes + } # dimension email_addresses + + dimension: employee_id { + type: string + sql: ${TABLE}.employee_id ;; + group_label: "entity" + label: "entity.user.managers.employee_id" + view_label: "Entity" + description: "Human capital management identifier." + } # dimension employee_id + + dimension: first_name { + type: string + sql: ${TABLE}.first_name ;; + group_label: "entity" + label: "entity.user.managers.first_name" + view_label: "Entity" + description: "First name of the user (e.g. \"John\")." + } # dimension first_name + + dimension: group_identifiers { + hidden: yes + } # dimension group_identifiers + + dimension: last_name { + type: string + sql: ${TABLE}.last_name ;; + group_label: "entity" + label: "entity.user.managers.last_name" + view_label: "Entity" + description: "Last name of the user (e.g. \"Locke\")." + } # dimension last_name + + dimension: personal_address { + hidden: yes + } # dimension personal_address + + dimension: personal_address__city { + type: string + sql: ${TABLE}.personal_address.city ;; + group_label: "entity" + label: "entity.user.managers.personal_address.city" + view_label: "Entity" + description: "The city." 
+ } # dimension personal_address__city + + dimension: personal_address__country_or_region { + type: string + sql: ${TABLE}.personal_address.country_or_region ;; + group_label: "entity" + label: "entity.user.managers.personal_address.country_or_region" + view_label: "Entity" + description: "The country or region." + } # dimension personal_address__country_or_region + + dimension: personal_address__name { + type: string + sql: ${TABLE}.personal_address.name ;; + group_label: "entity" + label: "entity.user.managers.personal_address.name" + view_label: "Entity" + description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." + } # dimension personal_address__name + + dimension: personal_address__state { + type: string + sql: ${TABLE}.personal_address.state ;; + group_label: "entity" + label: "entity.user.managers.personal_address.state" + view_label: "Entity" + description: "The state." + } # dimension personal_address__state + + dimension: phone_numbers { + hidden: yes + } # dimension phone_numbers + + dimension: product_object_id { + type: string + sql: ${TABLE}.product_object_id ;; + group_label: "entity" + label: "entity.user.managers.product_object_id" + view_label: "Entity" + description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." + } # dimension product_object_id + + dimension: title { + type: string + sql: ${TABLE}.title ;; + group_label: "entity" + label: "entity.user.managers.title" + view_label: "Entity" + description: "User job title." + } # dimension title + + dimension: user_display_name { + type: string + sql: ${TABLE}.user_display_name ;; + group_label: "entity" + label: "entity.user.managers.user_display_name" + view_label: "Entity" + description: "The display name of the user (e.g. \"John Locke\")." 
+ } # dimension user_display_name + + dimension: userid { + type: string + sql: ${TABLE}.userid ;; + group_label: "entity" + label: "entity.user.managers.userid" + view_label: "Entity" + description: "The ID of the user." + } # dimension userid + + dimension: windows_sid { + type: string + sql: ${TABLE}.windows_sid ;; + group_label: "entity" + label: "entity.user.managers.windows_sid" + view_label: "Entity" + description: "The Microsoft Windows SID of the user." + } # dimension windows_sid + +} # view entity_graph__entity__user__managers + +view: entity_graph__entity__user__phone_numbers { + dimension: entity_graph__entity__user__phone_numbers { + type: string + sql: ${TABLE} ;; + group_label: "entity" + label: "entity.user.phone_numbers" + view_label: "Entity" + description: "Phone numbers for the user." + } # dimension entity_graph__entity__user__phone_numbers +} # view entity_graph__entity__user__phone_numbers + +view: entity_graph__entity__user__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "entity" + label: "entity.user.time_off.description" + view_label: "Entity" + description: "Description of the leave if available (e.g. 'Vacation')." + } # dimension description + + dimension_group: entity__user__time_off__interval { + type: duration + intervals: [ second, minute, hour ] + sql_start: TIMESTAMP_MICROS(IFNULL(${TABLE}.interval.start_time.seconds,0) * 1000000 + CAST((IFNULL(${TABLE}.interval.start_time.nanos,0) / 1000) as INT64)) ;; + sql_end: TIMESTAMP_MICROS(IFNULL(${TABLE}.interval.end_time.seconds,0) * 1000000 + CAST((IFNULL(${TABLE}.interval.end_time.nanos,0) / 1000) as INT64)) ;; + group_label: "entity" + label: "entity.user.time_off.interval" + view_label: "Entity" + description: "Interval duration of the leave." 
+ } # dimension entity__user__time_off__interval + +} # view entity_graph__entity__user__time_off + +view: entity_graph__entity__user_management_chain__department { + dimension: entity_graph__entity__user_management_chain__department { + type: string + sql: ${TABLE} ;; + group_label: "entity" + label: "entity.user_management_chain.department" + view_label: "Entity" + description: "User job department" + } # dimension entity_graph__entity__user_management_chain__department +} # view entity_graph__entity__user_management_chain__department + +view: entity_graph__entity__user_management_chain__email_addresses { + dimension: entity_graph__entity__user_management_chain__email_addresses { + type: string + sql: ${TABLE} ;; + group_label: "entity" + label: "entity.user_management_chain.email_addresses" + view_label: "Entity" + description: "Email addresses of the user." + } # dimension entity_graph__entity__user_management_chain__email_addresses +} # view entity_graph__entity__user_management_chain__email_addresses + +view: entity_graph__entity__user_management_chain { + dimension: attribute { + hidden: yes + } # dimension attribute + + dimension: attribute__cloud { + hidden: yes + } # dimension attribute__cloud + + dimension: attribute__cloud__project { + hidden: yes + } # dimension attribute__cloud__project + + dimension: attribute__cloud__project__product_object_id { + type: string + sql: ${TABLE}.attribute.cloud.project.product_object_id ;; + group_label: "entity" + group_item_label: "entity.user_management_chain.attribute.cloud.project.product_object_id [D]" + label: "entity.user_management_chain.attribute.cloud.project.product_object_id" + view_label: "Entity" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" + } # dimension attribute__cloud__project__product_object_id + + dimension: attribute__cloud__vpc { + hidden: yes + } # dimension 
attribute__cloud__vpc + + dimension: attribute__cloud__vpc__product_object_id { + type: string + sql: ${TABLE}.attribute.cloud.vpc.product_object_id ;; + group_label: "entity" + group_item_label: "entity.user_management_chain.attribute.cloud.vpc.product_object_id [D]" + label: "entity.user_management_chain.attribute.cloud.vpc.product_object_id" + view_label: "Entity" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" + } # dimension attribute__cloud__vpc__product_object_id + + dimension: department { + hidden: yes + } # dimension department + + dimension: email_addresses { + hidden: yes + } # dimension email_addresses + + dimension: product_object_id { + type: string + sql: ${TABLE}.product_object_id ;; + group_label: "entity" + label: "entity.user_management_chain.product_object_id" + view_label: "Entity" + description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." + } # dimension product_object_id + + dimension: title { + type: string + sql: ${TABLE}.title ;; + group_label: "entity" + label: "entity.user_management_chain.title" + view_label: "Entity" + description: "User job title." + } # dimension title + + dimension: userid { + type: string + sql: ${TABLE}.userid ;; + group_label: "entity" + label: "entity.user_management_chain.userid" + view_label: "Entity" + description: "The ID of the user." + } # dimension userid + +} # view entity_graph__entity__user_management_chain + +view: entity_graph__metadata__event_metadata__base_labels__log_types { + dimension: entity_graph__metadata__event_metadata__base_labels__log_types { + type: string + sql: ${TABLE} ;; + group_label: "metadata" + label: "metadata.event_metadata.base_labels.log_types" + view_label: "Entity" + description: "All the LogType labels. 
We use string to log types to avoid moving LogType proto, which contains customer info, to external." + } # dimension entity_graph__metadata__event_metadata__base_labels__log_types +} # view entity_graph__metadata__event_metadata__base_labels__log_types + +view: entity_graph__metadata__event_metadata__base_labels__namespaces { + dimension: entity_graph__metadata__event_metadata__base_labels__namespaces { + type: string + sql: ${TABLE} ;; + group_label: "metadata" + label: "metadata.event_metadata.base_labels.namespaces" + view_label: "Entity" + description: "All the namespaces." + } # dimension entity_graph__metadata__event_metadata__base_labels__namespaces +} # view entity_graph__metadata__event_metadata__base_labels__namespaces + +view: entity_graph__metadata__source_labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "metadata" + label: "metadata.source_labels.key" + view_label: "Entity" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "metadata" + label: "metadata.source_labels.value" + view_label: "Entity" + description: "The value." + } # dimension value + +} # view entity_graph__metadata__source_labels + +view: entity_graph__metadata__threat__about__ip { + dimension: entity_graph__metadata__threat__about__ip { + type: string + sql: ${TABLE} ;; + group_label: "metadata" + label: "metadata.threat.about.ip" + view_label: "Entity" + description: "A list of IP addresses associated with a network connection." + } # dimension entity_graph__metadata__threat__about__ip +} # view entity_graph__metadata__threat__about__ip + +view: entity_graph__metadata__threat__about__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "metadata" + group_item_label: "metadata.threat.about.labels.key [D]" + label: "metadata.threat.about.labels.key" + view_label: "Entity" + description: "The key. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "metadata" + group_item_label: "metadata.threat.about.labels.value [D]" + label: "metadata.threat.about.labels.value" + view_label: "Entity" + description: "The value. [D]: This field is deprecated and will be removed in a future release" + } # dimension value + +} # view entity_graph__metadata__threat__about__labels + +view: entity_graph__metadata__threat__about__user__email_addresses { + dimension: entity_graph__metadata__threat__about__user__email_addresses { + type: string + sql: ${TABLE} ;; + group_label: "metadata" + label: "metadata.threat.about.user.email_addresses" + view_label: "Entity" + description: "Email addresses of the user." + } # dimension entity_graph__metadata__threat__about__user__email_addresses +} # view entity_graph__metadata__threat__about__user__email_addresses + +view: entity_graph__metadata__threat__about__user_management_chain { + dimension: attribute { + hidden: yes + } # dimension attribute + + dimension: attribute__cloud { + hidden: yes + } # dimension attribute__cloud + + dimension: attribute__cloud__project { + hidden: yes + } # dimension attribute__cloud__project + + dimension: attribute__cloud__project__product_object_id { + type: string + sql: ${TABLE}.attribute.cloud.project.product_object_id ;; + group_label: "metadata" + group_item_label: "metadata.threat.about.user_management_chain.attribute.cloud.project.product_object_id [D]" + label: "metadata.threat.about.user_management_chain.attribute.cloud.project.product_object_id" + view_label: "Entity" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" + } # dimension attribute__cloud__project__product_object_id + + dimension: attribute__cloud__vpc { + hidden: yes + } # dimension 
attribute__cloud__vpc + + dimension: attribute__cloud__vpc__product_object_id { + type: string + sql: ${TABLE}.attribute.cloud.vpc.product_object_id ;; + group_label: "metadata" + group_item_label: "metadata.threat.about.user_management_chain.attribute.cloud.vpc.product_object_id [D]" + label: "metadata.threat.about.user_management_chain.attribute.cloud.vpc.product_object_id" + view_label: "Entity" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" + } # dimension attribute__cloud__vpc__product_object_id + + dimension: product_object_id { + type: string + sql: ${TABLE}.product_object_id ;; + group_label: "metadata" + label: "metadata.threat.about.user_management_chain.product_object_id" + view_label: "Entity" + description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." + } # dimension product_object_id + +} # view entity_graph__metadata__threat__about__user_management_chain + +view: entity_graph__metadata__threat__action { + dimension: entity_graph__metadata__threat__action { + type: number + sql: ${TABLE} ;; + group_label: "metadata" + label: "metadata.threat.action" + view_label: "Entity" + description: "Actions taken for this event." 
+ } # dimension entity_graph__metadata__threat__action +} # view entity_graph__metadata__threat__action + +view: entity_graph__metadata__threat__action_enum_name { + dimension: entity_graph__metadata__threat__action_enum_name { + type: string + suggestions: ["ALLOW", "ALLOW_WITH_MODIFICATION", "BLOCK", "CHALLENGE", "FAIL", "QUARANTINE", "UNKNOWN_ACTION"] + sql: CASE ${TABLE} WHEN 0 THEN 'UNKNOWN_ACTION' WHEN 1 THEN 'ALLOW' WHEN 2 THEN 'BLOCK' WHEN 3 THEN 'ALLOW_WITH_MODIFICATION' WHEN 4 THEN 'QUARANTINE' WHEN 5 THEN 'FAIL' WHEN 6 THEN 'CHALLENGE' END ;; + group_label: "metadata" + label: "metadata.threat.action_enum_name" + view_label: "Entity" + description: "Actions taken for this event." + } # dimension entity_graph__metadata__threat__action_enum_name +} # view entity_graph__metadata__threat__action_enum_name + +view: entity_graph__metadata__threat__category { + dimension: entity_graph__metadata__threat__category { + type: number + sql: ${TABLE} ;; + group_label: "metadata" + label: "metadata.threat.category" + view_label: "Entity" + description: "The security category." 
+ } # dimension entity_graph__metadata__threat__category +} # view entity_graph__metadata__threat__category + +view: entity_graph__metadata__threat__category_enum_name { + dimension: entity_graph__metadata__threat__category_enum_name { + type: string + suggestions: ["ACL_VIOLATION", "AUTH_VIOLATION", "DATA_AT_REST", "DATA_DESTRUCTION", "DATA_EXFILTRATION", "EXPLOIT", "MAIL_PHISHING", "MAIL_SPAM", "MAIL_SPOOFING", "NETWORK_CATEGORIZED_CONTENT", "NETWORK_COMMAND_AND_CONTROL", "NETWORK_DENIAL_OF_SERVICE", "NETWORK_MALICIOUS", "NETWORK_RECON", "NETWORK_SUSPICIOUS", "PHISHING", "POLICY_VIOLATION", "SOCIAL_ENGINEERING", "SOFTWARE_MALICIOUS", "SOFTWARE_PUA", "SOFTWARE_SUSPICIOUS", "TOR_EXIT_NODE", "UNKNOWN_CATEGORY"] + sql: CASE ${TABLE} WHEN 0 THEN 'UNKNOWN_CATEGORY' WHEN 10000 THEN 'SOFTWARE_MALICIOUS' WHEN 10100 THEN 'SOFTWARE_SUSPICIOUS' WHEN 10200 THEN 'SOFTWARE_PUA' WHEN 20000 THEN 'NETWORK_MALICIOUS' WHEN 20100 THEN 'NETWORK_SUSPICIOUS' WHEN 20200 THEN 'NETWORK_CATEGORIZED_CONTENT' WHEN 20300 THEN 'NETWORK_DENIAL_OF_SERVICE' WHEN 20400 THEN 'NETWORK_RECON' WHEN 20500 THEN 'NETWORK_COMMAND_AND_CONTROL' WHEN 30000 THEN 'ACL_VIOLATION' WHEN 40000 THEN 'AUTH_VIOLATION' WHEN 50000 THEN 'EXPLOIT' WHEN 60000 THEN 'DATA_EXFILTRATION' WHEN 60100 THEN 'DATA_AT_REST' WHEN 60200 THEN 'DATA_DESTRUCTION' WHEN 60300 THEN 'TOR_EXIT_NODE' WHEN 70000 THEN 'MAIL_SPAM' WHEN 70100 THEN 'MAIL_PHISHING' WHEN 70200 THEN 'MAIL_SPOOFING' WHEN 80000 THEN 'POLICY_VIOLATION' WHEN 90001 THEN 'SOCIAL_ENGINEERING' WHEN 90002 THEN 'PHISHING' END ;; + group_label: "metadata" + label: "metadata.threat.category_enum_name" + view_label: "Entity" + description: "The security category." 
+ } # dimension entity_graph__metadata__threat__category_enum_name +} # view entity_graph__metadata__threat__category_enum_name + +view: entity_graph__metadata__threat__category_details { + dimension: entity_graph__metadata__threat__category_details { + type: string + sql: ${TABLE} ;; + group_label: "metadata" + label: "metadata.threat.category_details" + view_label: "Entity" + description: "For vendor-specific categories. For web categorization, put type in here such as \"gambling\", \"porn\", etc." + } # dimension entity_graph__metadata__threat__category_details +} # view entity_graph__metadata__threat__category_details + +view: entity_graph__metadata__threat__detection_fields { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "metadata" + label: "metadata.threat.detection_fields.key" + view_label: "Entity" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "metadata" + label: "metadata.threat.detection_fields.value" + view_label: "Entity" + description: "The value." + } # dimension value + +} # view entity_graph__metadata__threat__detection_fields + +view: entity_graph__metadata__threat__rule_labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "metadata" + label: "metadata.threat.rule_labels.key" + view_label: "Entity" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "metadata" + label: "metadata.threat.rule_labels.value" + view_label: "Entity" + description: "The value." 
+ } # dimension value + +} # view entity_graph__metadata__threat__rule_labels + +view: entity_graph__metadata__threat { + dimension: about { + hidden: yes + } # dimension about + + dimension: about__asset { + hidden: yes + } # dimension about__asset + + dimension: about__asset__attribute { + hidden: yes + } # dimension about__asset__attribute + + dimension: about__asset__attribute__cloud { + hidden: yes + } # dimension about__asset__attribute__cloud + + dimension: about__asset__attribute__cloud__project { + hidden: yes + } # dimension about__asset__attribute__cloud__project + + dimension: about__asset__attribute__cloud__project__product_object_id { + type: string + sql: ${TABLE}.about.asset.attribute.cloud.project.product_object_id ;; + group_label: "metadata" + group_item_label: "metadata.threat.about.asset.attribute.cloud.project.product_object_id [D]" + label: "metadata.threat.about.asset.attribute.cloud.project.product_object_id" + view_label: "Entity" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" + } # dimension about__asset__attribute__cloud__project__product_object_id + + dimension: about__asset__attribute__cloud__vpc { + hidden: yes + } # dimension about__asset__attribute__cloud__vpc + + dimension: about__asset__attribute__cloud__vpc__product_object_id { + type: string + sql: ${TABLE}.about.asset.attribute.cloud.vpc.product_object_id ;; + group_label: "metadata" + group_item_label: "metadata.threat.about.asset.attribute.cloud.vpc.product_object_id [D]" + label: "metadata.threat.about.asset.attribute.cloud.vpc.product_object_id" + view_label: "Entity" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" + } # dimension about__asset__attribute__cloud__vpc__product_object_id + + dimension: about__asset__hostname { + 
type: string + sql: ${TABLE}.about.asset.hostname ;; + group_label: "metadata" + label: "metadata.threat.about.asset.hostname" + view_label: "Entity" + description: "Asset hostname or domain name field." + } # dimension about__asset__hostname + + dimension: about__asset__product_object_id { + type: string + sql: ${TABLE}.about.asset.product_object_id ;; + group_label: "metadata" + label: "metadata.threat.about.asset.product_object_id" + view_label: "Entity" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID or similar)." + } # dimension about__asset__product_object_id + + dimension: about__cloud { + hidden: yes + } # dimension about__cloud + + dimension: about__cloud__project { + hidden: yes + } # dimension about__cloud__project + + dimension: about__cloud__project__product_object_id { + type: string + sql: ${TABLE}.about.cloud.project.product_object_id ;; + group_label: "metadata" + group_item_label: "metadata.threat.about.cloud.project.product_object_id [D]" + label: "metadata.threat.about.cloud.project.product_object_id" + view_label: "Entity" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" + } # dimension about__cloud__project__product_object_id + + dimension: about__cloud__vpc { + hidden: yes + } # dimension about__cloud__vpc + + dimension: about__cloud__vpc__product_object_id { + type: string + sql: ${TABLE}.about.cloud.vpc.product_object_id ;; + group_label: "metadata" + group_item_label: "metadata.threat.about.cloud.vpc.product_object_id [D]" + label: "metadata.threat.about.cloud.vpc.product_object_id" + view_label: "Entity" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" + } # dimension about__cloud__vpc__product_object_id + + dimension: about__file { + hidden: yes + } # 
dimension about__file + + dimension: about__file__md5 { + type: string + sql: ${TABLE}.about.file.md5 ;; + group_label: "metadata" + label: "metadata.threat.about.file.md5" + view_label: "Entity" + description: "The MD5 hash of the file." + } # dimension about__file__md5 + + dimension: about__file__sha1 { + type: string + sql: ${TABLE}.about.file.sha1 ;; + group_label: "metadata" + label: "metadata.threat.about.file.sha1" + view_label: "Entity" + description: "The SHA1 hash of the file." + } # dimension about__file__sha1 + + dimension: about__file__sha256 { + type: string + sql: ${TABLE}.about.file.sha256 ;; + group_label: "metadata" + label: "metadata.threat.about.file.sha256" + view_label: "Entity" + description: "The SHA256 hash of the file." + } # dimension about__file__sha256 + + dimension: about__group { + hidden: yes + } # dimension about__group + + dimension: about__group__attribute { + hidden: yes + } # dimension about__group__attribute + + dimension: about__group__attribute__cloud { + hidden: yes + } # dimension about__group__attribute__cloud + + dimension: about__group__attribute__cloud__project { + hidden: yes + } # dimension about__group__attribute__cloud__project + + dimension: about__group__attribute__cloud__project__product_object_id { + type: string + sql: ${TABLE}.about.group.attribute.cloud.project.product_object_id ;; + group_label: "metadata" + group_item_label: "metadata.threat.about.group.attribute.cloud.project.product_object_id [D]" + label: "metadata.threat.about.group.attribute.cloud.project.product_object_id" + view_label: "Entity" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" + } # dimension about__group__attribute__cloud__project__product_object_id + + dimension: about__group__attribute__cloud__vpc { + hidden: yes + } # dimension about__group__attribute__cloud__vpc + + dimension: 
about__group__attribute__cloud__vpc__product_object_id { + type: string + sql: ${TABLE}.about.group.attribute.cloud.vpc.product_object_id ;; + group_label: "metadata" + group_item_label: "metadata.threat.about.group.attribute.cloud.vpc.product_object_id [D]" + label: "metadata.threat.about.group.attribute.cloud.vpc.product_object_id" + view_label: "Entity" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" + } # dimension about__group__attribute__cloud__vpc__product_object_id + + dimension: about__group__product_object_id { + type: string + sql: ${TABLE}.about.group.product_object_id ;; + group_label: "metadata" + label: "metadata.threat.about.group.product_object_id" + view_label: "Entity" + description: "Product globally unique user object identifier, such as an LDAP Object Identifier." + } # dimension about__group__product_object_id + + dimension: about__hostname { + type: string + sql: ${TABLE}.about.hostname ;; + group_label: "metadata" + label: "metadata.threat.about.hostname" + view_label: "Entity" + description: "Client hostname or domain name field. Hostname also doubles as the domain for remote entities." + } # dimension about__hostname + + dimension: about__ip { + hidden: yes + } # dimension about__ip + + dimension: about__labels { + hidden: yes + } # dimension about__labels + + dimension: about__namespace { + type: string + sql: ${TABLE}.about.namespace ;; + group_label: "metadata" + label: "metadata.threat.about.namespace" + view_label: "Entity" + description: "Namespace which the device belongs to (e.g. AD forest) Uses for this field include Microsoft Windows AD forest, name of subsidiary or acquisition, etc." 
+ } # dimension about__namespace + + dimension: about__object_reference { + hidden: yes + } # dimension about__object_reference + + dimension: about__object_reference__id { + type: string + sql: ${TABLE}.about.object_reference.id ;; + group_label: "metadata" + label: "metadata.threat.about.object_reference.id" + view_label: "Entity" + description: "Full raw ID." + } # dimension about__object_reference__id + + dimension: about__object_reference__namespace { + type: number + sql: ${TABLE}.about.object_reference.namespace ;; + group_label: "metadata" + label: "metadata.threat.about.object_reference.namespace" + view_label: "Entity" + description: "Namespace the id belongs to." + } # dimension about__object_reference__namespace + + dimension: about__object_reference__namespace_enum_name { + type: string + suggestions: ["MACHINE_INTELLIGENCE", "NORMALIZED_TELEMETRY", "RAW_TELEMETRY", "RULE_DETECTIONS", "SECURITY_COMMAND_CENTER", "SOAR_ALERT", "UNSPECIFIED", "UPPERCASE"] + sql: CASE ${TABLE}.about.object_reference.namespace WHEN 0 THEN 'NORMALIZED_TELEMETRY' WHEN 1 THEN 'RAW_TELEMETRY' WHEN 2 THEN 'RULE_DETECTIONS' WHEN 3 THEN 'UPPERCASE' WHEN 4 THEN 'MACHINE_INTELLIGENCE' WHEN 5 THEN 'SECURITY_COMMAND_CENTER' WHEN 6 THEN 'UNSPECIFIED' WHEN 7 THEN 'SOAR_ALERT' END ;; + group_label: "metadata" + label: "metadata.threat.about.object_reference.namespace_enum_name" + view_label: "Entity" + description: "Namespace the id belongs to." 
+ } # dimension about__object_reference__namespace_enum_name + + dimension: about__resource { + hidden: yes + } # dimension about__resource + + dimension: about__resource__product_object_id { + type: string + sql: ${TABLE}.about.resource.product_object_id ;; + group_label: "metadata" + label: "metadata.threat.about.resource.product_object_id" + view_label: "Entity" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" + } # dimension about__resource__product_object_id + + dimension: about__url { + type: string + sql: ${TABLE}.about.url ;; + group_label: "metadata" + label: "metadata.threat.about.url" + view_label: "Entity" + description: "The URL." + } # dimension about__url + + dimension: about__user { + hidden: yes + } # dimension about__user + + dimension: about__user__attribute { + hidden: yes + } # dimension about__user__attribute + + dimension: about__user__attribute__cloud { + hidden: yes + } # dimension about__user__attribute__cloud + + dimension: about__user__attribute__cloud__project { + hidden: yes + } # dimension about__user__attribute__cloud__project + + dimension: about__user__attribute__cloud__project__product_object_id { + type: string + sql: ${TABLE}.about.user.attribute.cloud.project.product_object_id ;; + group_label: "metadata" + group_item_label: "metadata.threat.about.user.attribute.cloud.project.product_object_id [D]" + label: "metadata.threat.about.user.attribute.cloud.project.product_object_id" + view_label: "Entity" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" + } # dimension about__user__attribute__cloud__project__product_object_id + + dimension: about__user__attribute__cloud__vpc { + hidden: yes + } # dimension about__user__attribute__cloud__vpc + + dimension: about__user__attribute__cloud__vpc__product_object_id { + type: string + sql: 
${TABLE}.about.user.attribute.cloud.vpc.product_object_id ;; + group_label: "metadata" + group_item_label: "metadata.threat.about.user.attribute.cloud.vpc.product_object_id [D]" + label: "metadata.threat.about.user.attribute.cloud.vpc.product_object_id" + view_label: "Entity" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" + } # dimension about__user__attribute__cloud__vpc__product_object_id + + dimension: about__user__email_addresses { + hidden: yes + } # dimension about__user__email_addresses + + dimension: about__user__product_object_id { + type: string + sql: ${TABLE}.about.user.product_object_id ;; + group_label: "metadata" + label: "metadata.threat.about.user.product_object_id" + view_label: "Entity" + description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." + } # dimension about__user__product_object_id + + dimension: about__user__user_display_name { + type: string + sql: ${TABLE}.about.user.user_display_name ;; + group_label: "metadata" + label: "metadata.threat.about.user.user_display_name" + view_label: "Entity" + description: "The display name of the user (e.g. \"John Locke\")." + } # dimension about__user__user_display_name + + dimension: about__user_management_chain { + hidden: yes + } # dimension about__user_management_chain + + dimension: action { + hidden: yes + } # dimension action + + dimension: action_enum_name { + hidden: yes + } # dimension action_enum_name + + dimension: action_details { + type: string + sql: ${TABLE}.action_details ;; + group_label: "metadata" + label: "metadata.threat.action_details" + view_label: "Entity" + description: "The detail of the action taken as provided by the vendor." 
+ } # dimension action_details + + dimension: category { + hidden: yes + } # dimension category + + dimension: category_enum_name { + hidden: yes + } # dimension category_enum_name + + dimension: category_details { + hidden: yes + } # dimension category_details + + dimension: confidence { + type: number + sql: ${TABLE}.confidence ;; + group_label: "metadata" + label: "metadata.threat.confidence" + view_label: "Entity" + description: "The confidence level of the result as estimated by the product." + } # dimension confidence + + dimension: confidence_enum_name { + type: string + suggestions: ["HIGH_CONFIDENCE", "LOW_CONFIDENCE", "MEDIUM_CONFIDENCE", "UNKNOWN_CONFIDENCE"] + sql: CASE ${TABLE}.confidence WHEN 0 THEN 'UNKNOWN_CONFIDENCE' WHEN 200 THEN 'LOW_CONFIDENCE' WHEN 300 THEN 'MEDIUM_CONFIDENCE' WHEN 400 THEN 'HIGH_CONFIDENCE' END ;; + group_label: "metadata" + label: "metadata.threat.confidence_enum_name" + view_label: "Entity" + description: "The confidence level of the result as estimated by the product." + } # dimension confidence_enum_name + + dimension: confidence_details { + type: string + sql: ${TABLE}.confidence_details ;; + group_label: "metadata" + label: "metadata.threat.confidence_details" + view_label: "Entity" + description: "Additional detail with regards to the confidence of a security event as estimated by the product vendor." + } # dimension confidence_details + + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "metadata" + label: "metadata.threat.description" + view_label: "Entity" + description: "A human readable description (e.g. \"user password was wrong\")" + } # dimension description + + dimension: detection_fields { + hidden: yes + } # dimension detection_fields + + dimension: rule_id { + type: string + sql: ${TABLE}.rule_id ;; + group_label: "metadata" + label: "metadata.threat.rule_id" + view_label: "Entity" + description: "A vendor-specific ID and name for a rule, varying by observerer type (e.g. 
\"08123\", \"5d2b44d0-5ef6-40f5-a704-47d61d3babbe\")." + } # dimension rule_id + + dimension: rule_labels { + hidden: yes + } # dimension rule_labels + + dimension: rule_name { + type: string + sql: ${TABLE}.rule_name ;; + group_label: "metadata" + label: "metadata.threat.rule_name" + view_label: "Entity" + description: "Name of the security rule (e.g. \"BlockInboundToOracle\")." + } # dimension rule_name + + dimension: rule_type { + type: string + sql: ${TABLE}.rule_type ;; + group_label: "metadata" + label: "metadata.threat.rule_type" + view_label: "Entity" + description: "The type of security rule." + } # dimension rule_type + + dimension: severity { + type: number + sql: ${TABLE}.severity ;; + group_label: "metadata" + label: "metadata.threat.severity" + view_label: "Entity" + description: "The severity of the result." + } # dimension severity + + dimension: severity_enum_name { + type: string + suggestions: ["CRITICAL", "ERROR", "HIGH", "INFORMATIONAL", "LOW", "MEDIUM", "UNKNOWN_SEVERITY"] + sql: CASE ${TABLE}.severity WHEN 0 THEN 'UNKNOWN_SEVERITY' WHEN 100 THEN 'INFORMATIONAL' WHEN 150 THEN 'ERROR' WHEN 200 THEN 'LOW' WHEN 300 THEN 'MEDIUM' WHEN 400 THEN 'HIGH' WHEN 500 THEN 'CRITICAL' END ;; + group_label: "metadata" + label: "metadata.threat.severity_enum_name" + view_label: "Entity" + description: "The severity of the result." + } # dimension severity_enum_name + + dimension: severity_details { + type: string + sql: ${TABLE}.severity_details ;; + group_label: "metadata" + label: "metadata.threat.severity_details" + view_label: "Entity" + description: "Vendor-specific severity." + } # dimension severity_details + + dimension: summary { + type: string + sql: ${TABLE}.summary ;; + group_label: "metadata" + label: "metadata.threat.summary" + view_label: "Entity" + description: "A human readable summary (e.g. 
\"failed login occurred\")" + } # dimension summary + + dimension: threat_feed_name { + type: string + sql: ${TABLE}.threat_feed_name ;; + group_label: "metadata" + label: "metadata.threat.threat_feed_name" + view_label: "Entity" + description: "Vendor feed name for a threat indicator feed." + } # dimension threat_feed_name + + dimension: threat_id { + type: string + sql: ${TABLE}.threat_id ;; + group_label: "metadata" + label: "metadata.threat.threat_id" + view_label: "Entity" + description: "Vendor-specific ID for a threat." + } # dimension threat_id + + dimension: threat_name { + type: string + sql: ${TABLE}.threat_name ;; + group_label: "metadata" + label: "metadata.threat.threat_name" + view_label: "Entity" + description: "A vendor-assigned classification common across multiple customers (e.g. \"W32/File-A\", \"Slammer\")." + } # dimension threat_name + + dimension: threat_status { + type: number + sql: ${TABLE}.threat_status ;; + group_label: "metadata" + label: "metadata.threat.threat_status" + view_label: "Entity" + description: "Current status of the threat" + } # dimension threat_status + + dimension: threat_status_enum_name { + type: string + suggestions: ["ACTIVE", "CLEARED", "FALSE_POSITIVE", "THREAT_STATUS_UNSPECIFIED"] + sql: CASE ${TABLE}.threat_status WHEN 0 THEN 'THREAT_STATUS_UNSPECIFIED' WHEN 1 THEN 'ACTIVE' WHEN 2 THEN 'CLEARED' WHEN 3 THEN 'FALSE_POSITIVE' END ;; + group_label: "metadata" + label: "metadata.threat.threat_status_enum_name" + view_label: "Entity" + description: "Current status of the threat" + } # dimension threat_status_enum_name + + dimension: url_back_to_product { + type: string + sql: ${TABLE}.url_back_to_product ;; + group_label: "metadata" + label: "metadata.threat.url_back_to_product" + view_label: "Entity" + description: "URL that takes the user to the source product console for this event." 
+ } # dimension url_back_to_product + +} # view entity_graph__metadata__threat + +view: entity_graph__relations__entity__asset__hardware { + dimension: cpu_clock_speed { + type: number + sql: ${TABLE}.cpu_clock_speed ;; + group_label: "relations" + label: "relations.entity.asset.hardware.cpu_clock_speed" + view_label: "Entity" + description: "Clock speed of the hardware CPU in MHz." + } # dimension cpu_clock_speed + + dimension: cpu_model { + type: string + sql: ${TABLE}.cpu_model ;; + group_label: "relations" + label: "relations.entity.asset.hardware.cpu_model" + view_label: "Entity" + description: "Model description of the hardware CPU (e.g. \"2.8 GHz Quad-Core Intel Core i5\")." + } # dimension cpu_model + + dimension: cpu_number_cores { + type: number + sql: ${TABLE}.cpu_number_cores ;; + group_label: "relations" + label: "relations.entity.asset.hardware.cpu_number_cores" + view_label: "Entity" + description: "Number of CPU cores." + } # dimension cpu_number_cores + + dimension: cpu_platform { + type: string + sql: ${TABLE}.cpu_platform ;; + group_label: "relations" + label: "relations.entity.asset.hardware.cpu_platform" + view_label: "Entity" + description: "Platform of the hardware CPU (e.g. \"Intel Broadwell\")." + } # dimension cpu_platform + + dimension: manufacturer { + type: string + sql: ${TABLE}.manufacturer ;; + group_label: "relations" + label: "relations.entity.asset.hardware.manufacturer" + view_label: "Entity" + description: "Hardware manufacturer." + } # dimension manufacturer + + dimension: model { + type: string + sql: ${TABLE}.model ;; + group_label: "relations" + label: "relations.entity.asset.hardware.model" + view_label: "Entity" + description: "Hardware model." + } # dimension model + + dimension: ram { + type: number + sql: ${TABLE}.ram ;; + group_label: "relations" + label: "relations.entity.asset.hardware.ram" + view_label: "Entity" + description: "Amount of the hardware ramdom access memory (RAM) in Mb." 
+ } # dimension ram + + dimension: serial_number { + type: string + sql: ${TABLE}.serial_number ;; + group_label: "relations" + label: "relations.entity.asset.hardware.serial_number" + view_label: "Entity" + description: "Hardware serial number." + } # dimension serial_number + +} # view entity_graph__relations__entity__asset__hardware + +view: entity_graph__relations__entity__asset__ip { + dimension: entity_graph__relations__entity__asset__ip { + type: string + sql: ${TABLE} ;; + group_label: "relations" + label: "relations.entity.asset.ip" + view_label: "Entity" + description: "A list of IP addresses associated with an asset." + } # dimension entity_graph__relations__entity__asset__ip +} # view entity_graph__relations__entity__asset__ip + +view: entity_graph__relations__entity__asset__mac { + dimension: entity_graph__relations__entity__asset__mac { + type: string + sql: ${TABLE} ;; + group_label: "relations" + label: "relations.entity.asset.mac" + view_label: "Entity" + description: "List of MAC addresses associated with an asset." + } # dimension entity_graph__relations__entity__asset__mac +} # view entity_graph__relations__entity__asset__mac + +view: entity_graph__relations__entity__asset__software { + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "relations" + label: "relations.entity.asset.software.name" + view_label: "Entity" + description: "The name of the software." + } # dimension name + +} # view entity_graph__relations__entity__asset__software + +view: entity_graph__relations__entity__ip { + dimension: entity_graph__relations__entity__ip { + type: string + sql: ${TABLE} ;; + group_label: "relations" + label: "relations.entity.ip" + view_label: "Entity" + description: "A list of IP addresses associated with a network connection." 
+ } # dimension entity_graph__relations__entity__ip +} # view entity_graph__relations__entity__ip + +view: entity_graph__relations__entity__ip_geo_artifact { + dimension: location { + hidden: yes + } # dimension location + + dimension: location__country_or_region { + type: string + sql: ${TABLE}.location.country_or_region ;; + group_label: "relations" + label: "relations.entity.ip_geo_artifact.location.country_or_region" + view_label: "Entity" + description: "The country or region." + } # dimension location__country_or_region + +} # view entity_graph__relations__entity__ip_geo_artifact + +view: entity_graph__relations__entity__ip_location { + dimension: country_or_region { + type: string + sql: ${TABLE}.country_or_region ;; + group_label: "relations" + group_item_label: "relations.entity.ip_location.country_or_region [D]" + label: "relations.entity.ip_location.country_or_region" + view_label: "Entity" + description: "The country or region. [D]: This field is deprecated and will be removed in a future release" + } # dimension country_or_region + +} # view entity_graph__relations__entity__ip_location + +view: entity_graph__relations__entity__resource__attribute__permissions { + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "relations" + label: "relations.entity.resource.attribute.permissions.name" + view_label: "Entity" + description: "Name of the permission (e.g. chronicle.analyst.updateRule)." + } # dimension name + +} # view entity_graph__relations__entity__resource__attribute__permissions + +view: entity_graph__relations__entity__user__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "relations" + label: "relations.entity.user.attribute.labels.key" + view_label: "Entity" + description: "The key." 
+ } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "relations" + label: "relations.entity.user.attribute.labels.value" + view_label: "Entity" + description: "The value." + } # dimension value + +} # view entity_graph__relations__entity__user__attribute__labels + +view: entity_graph__relations__entity__user__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "relations" + label: "relations.entity.user.attribute.roles.description" + view_label: "Entity" + description: "System role description for user." + } # dimension description + +} # view entity_graph__relations__entity__user__attribute__roles + +view: entity_graph__relations__entity__user__email_addresses { + dimension: entity_graph__relations__entity__user__email_addresses { + type: string + sql: ${TABLE} ;; + group_label: "relations" + label: "relations.entity.user.email_addresses" + view_label: "Entity" + description: "Email addresses of the user." + } # dimension entity_graph__relations__entity__user__email_addresses +} # view entity_graph__relations__entity__user__email_addresses + +view: entity_graph__relations__entity__user__phone_numbers { + dimension: entity_graph__relations__entity__user__phone_numbers { + type: string + sql: ${TABLE} ;; + group_label: "relations" + label: "relations.entity.user.phone_numbers" + view_label: "Entity" + description: "Phone numbers for the user." 
+ } # dimension entity_graph__relations__entity__user__phone_numbers +} # view entity_graph__relations__entity__user__phone_numbers + +view: entity_graph__relations__entity__user_management_chain__department { + dimension: entity_graph__relations__entity__user_management_chain__department { + type: string + sql: ${TABLE} ;; + group_label: "relations" + label: "relations.entity.user_management_chain.department" + view_label: "Entity" + description: "User job department" + } # dimension entity_graph__relations__entity__user_management_chain__department +} # view entity_graph__relations__entity__user_management_chain__department + +view: entity_graph__relations__entity__user_management_chain { + dimension: attribute { + hidden: yes + } # dimension attribute + + dimension: attribute__cloud { + hidden: yes + } # dimension attribute__cloud + + dimension: attribute__cloud__project { + hidden: yes + } # dimension attribute__cloud__project + + dimension: attribute__cloud__project__product_object_id { + type: string + sql: ${TABLE}.attribute.cloud.project.product_object_id ;; + group_label: "relations" + group_item_label: "relations.entity.user_management_chain.attribute.cloud.project.product_object_id [D]" + label: "relations.entity.user_management_chain.attribute.cloud.project.product_object_id" + view_label: "Entity" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" + } # dimension attribute__cloud__project__product_object_id + + dimension: attribute__cloud__vpc { + hidden: yes + } # dimension attribute__cloud__vpc + + dimension: attribute__cloud__vpc__product_object_id { + type: string + sql: ${TABLE}.attribute.cloud.vpc.product_object_id ;; + group_label: "relations" + group_item_label: "relations.entity.user_management_chain.attribute.cloud.vpc.product_object_id [D]" + label: 
"relations.entity.user_management_chain.attribute.cloud.vpc.product_object_id" + view_label: "Entity" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" + } # dimension attribute__cloud__vpc__product_object_id + + dimension: department { + hidden: yes + } # dimension department + + dimension: office_address { + hidden: yes + } # dimension office_address + + dimension: office_address__country_or_region { + type: string + sql: ${TABLE}.office_address.country_or_region ;; + group_label: "relations" + label: "relations.entity.user_management_chain.office_address.country_or_region" + view_label: "Entity" + description: "The country or region." + } # dimension office_address__country_or_region + + dimension: personal_address { + hidden: yes + } # dimension personal_address + + dimension: personal_address__country_or_region { + type: string + sql: ${TABLE}.personal_address.country_or_region ;; + group_label: "relations" + label: "relations.entity.user_management_chain.personal_address.country_or_region" + view_label: "Entity" + description: "The country or region." + } # dimension personal_address__country_or_region + + dimension: product_object_id { + type: string + sql: ${TABLE}.product_object_id ;; + group_label: "relations" + label: "relations.entity.user_management_chain.product_object_id" + view_label: "Entity" + description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." + } # dimension product_object_id + +} # view entity_graph__relations__entity__user_management_chain + +view: entity_graph__relations { + dimension: direction { + type: number + sql: ${TABLE}.direction ;; + group_label: "relations" + label: "relations.direction" + view_label: "Entity" + description: "Directionality of relationship between primary entity (a) and the related entity (b)." 
+ } # dimension direction + + dimension: direction_enum_name { + type: string + suggestions: ["BIDIRECTIONAL", "DIRECTIONALITY_UNSPECIFIED", "UNIDIRECTIONAL"] + sql: CASE ${TABLE}.direction WHEN 0 THEN 'DIRECTIONALITY_UNSPECIFIED' WHEN 1 THEN 'BIDIRECTIONAL' WHEN 2 THEN 'UNIDIRECTIONAL' END ;; + group_label: "relations" + label: "relations.direction_enum_name" + view_label: "Entity" + description: "Directionality of relationship between primary entity (a) and the related entity (b)." + } # dimension direction_enum_name + + dimension: entity { + hidden: yes + } # dimension entity + + dimension: entity__asset { + hidden: yes + } # dimension entity__asset + + dimension: entity__asset__asset_id { + type: string + sql: ${TABLE}.entity.asset.asset_id ;; + group_label: "relations" + label: "relations.entity.asset.asset_id" + view_label: "Entity" + description: "The asset ID." + } # dimension entity__asset__asset_id + + dimension: entity__asset__attribute { + hidden: yes + } # dimension entity__asset__attribute + + dimension: entity__asset__attribute__cloud { + hidden: yes + } # dimension entity__asset__attribute__cloud + + dimension: entity__asset__attribute__cloud__project { + hidden: yes + } # dimension entity__asset__attribute__cloud__project + + dimension: entity__asset__attribute__cloud__project__product_object_id { + type: string + sql: ${TABLE}.entity.asset.attribute.cloud.project.product_object_id ;; + group_label: "relations" + group_item_label: "relations.entity.asset.attribute.cloud.project.product_object_id [D]" + label: "relations.entity.asset.attribute.cloud.project.product_object_id" + view_label: "Entity" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" + } # dimension entity__asset__attribute__cloud__project__product_object_id + + dimension: entity__asset__attribute__cloud__vpc { + hidden: yes + } # dimension 
entity__asset__attribute__cloud__vpc + + dimension: entity__asset__attribute__cloud__vpc__product_object_id { + type: string + sql: ${TABLE}.entity.asset.attribute.cloud.vpc.product_object_id ;; + group_label: "relations" + group_item_label: "relations.entity.asset.attribute.cloud.vpc.product_object_id [D]" + label: "relations.entity.asset.attribute.cloud.vpc.product_object_id" + view_label: "Entity" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" + } # dimension entity__asset__attribute__cloud__vpc__product_object_id + + dimension_group: relations__entity__asset__attribute__creation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.entity.asset.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.entity.asset.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "relations" + label: "relations.entity.asset.attribute.creation_time" + view_label: "Entity" + description: "Time the resource or entity was created or provisioned." + } # dimension relations__entity__asset__attribute__creation_time + + dimension: entity__asset__category { + type: string + sql: ${TABLE}.entity.asset.category ;; + group_label: "relations" + label: "relations.entity.asset.category" + view_label: "Entity" + description: "The category of the asset (e.g. \"End User Asset\", \"Workstation\", \"Server\")." 
+ } # dimension entity__asset__category + + dimension_group: relations__entity__asset__creation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.entity.asset.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.entity.asset.creation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "relations" + group_item_label: "relations.entity.asset.creation_time [D]" + label: "relations.entity.asset.creation_time" + view_label: "Entity" + description: "Time the asset was created or provisioned. Deprecate: creation_time should be populated in Attribute as generic metadata. [D]: This field is deprecated and will be removed in a future release" + } # dimension relations__entity__asset__creation_time + + dimension: entity__asset__deployment_status { + type: number + sql: ${TABLE}.entity.asset.deployment_status ;; + group_label: "relations" + label: "relations.entity.asset.deployment_status" + view_label: "Entity" + description: "The deployment status of the asset for device lifecycle purposes." + } # dimension entity__asset__deployment_status + + dimension: entity__asset__deployment_status_enum_name { + type: string + suggestions: ["ACTIVE", "DECOMISSIONED", "DEPLOYMENT_STATUS_UNSPECIFIED", "PENDING_DECOMISSION"] + sql: CASE ${TABLE}.entity.asset.deployment_status WHEN 0 THEN 'DEPLOYMENT_STATUS_UNSPECIFIED' WHEN 1 THEN 'ACTIVE' WHEN 2 THEN 'PENDING_DECOMISSION' WHEN 3 THEN 'DECOMISSIONED' END ;; + group_label: "relations" + label: "relations.entity.asset.deployment_status_enum_name" + view_label: "Entity" + description: "The deployment status of the asset for device lifecycle purposes." 
+ } # dimension entity__asset__deployment_status_enum_name + + dimension_group: relations__entity__asset__first_discover_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.entity.asset.first_discover_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.entity.asset.first_discover_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "relations" + label: "relations.entity.asset.first_discover_time" + view_label: "Entity" + description: "Time the asset was first discovered (by asset management/discoverability software)." + } # dimension relations__entity__asset__first_discover_time + + dimension: entity__asset__hardware { + hidden: yes + } # dimension entity__asset__hardware + + dimension: entity__asset__hostname { + type: string + sql: ${TABLE}.entity.asset.hostname ;; + group_label: "relations" + label: "relations.entity.asset.hostname" + view_label: "Entity" + description: "Asset hostname or domain name field." + } # dimension entity__asset__hostname + + dimension: entity__asset__ip { + hidden: yes + } # dimension entity__asset__ip + + dimension_group: relations__entity__asset__last_discover_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.entity.asset.last_discover_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.entity.asset.last_discover_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "relations" + label: "relations.entity.asset.last_discover_time" + view_label: "Entity" + description: "Time the asset was last discovered (by asset management/discoverability software)." 
+ } # dimension relations__entity__asset__last_discover_time + + dimension: entity__asset__mac { + hidden: yes + } # dimension entity__asset__mac + + dimension: entity__asset__network_domain { + type: string + sql: ${TABLE}.entity.asset.network_domain ;; + group_label: "relations" + label: "relations.entity.asset.network_domain" + view_label: "Entity" + description: "The network domain of the asset (e.g. \"corp.acme.com\")" + } # dimension entity__asset__network_domain + + dimension: entity__asset__platform_software { + hidden: yes + } # dimension entity__asset__platform_software + + dimension: entity__asset__platform_software__platform { + type: number + sql: ${TABLE}.entity.asset.platform_software.platform ;; + group_label: "relations" + label: "relations.entity.asset.platform_software.platform" + view_label: "Entity" + description: "The platform operating system." + } # dimension entity__asset__platform_software__platform + + dimension: entity__asset__platform_software__platform_enum_name { + type: string + suggestions: ["ANDROID", "AWS", "AZURE", "CHROME_OS", "GCP", "IOS", "LINUX", "MAC", "UNKNOWN_PLATFORM", "WINDOWS"] + sql: CASE ${TABLE}.entity.asset.platform_software.platform WHEN 0 THEN 'UNKNOWN_PLATFORM' WHEN 1 THEN 'WINDOWS' WHEN 2 THEN 'MAC' WHEN 3 THEN 'LINUX' WHEN 4 THEN 'GCP' WHEN 5 THEN 'AWS' WHEN 6 THEN 'AZURE' WHEN 7 THEN 'IOS' WHEN 8 THEN 'ANDROID' WHEN 9 THEN 'CHROME_OS' END ;; + group_label: "relations" + label: "relations.entity.asset.platform_software.platform_enum_name" + view_label: "Entity" + description: "The platform operating system." + } # dimension entity__asset__platform_software__platform_enum_name + + dimension: entity__asset__platform_software__platform_patch_level { + type: string + sql: ${TABLE}.entity.asset.platform_software.platform_patch_level ;; + group_label: "relations" + label: "relations.entity.asset.platform_software.platform_patch_level" + view_label: "Entity" + description: "The platform software patch level ( e.g. 
\"Build 17134.48\", \"SP1\")." + } # dimension entity__asset__platform_software__platform_patch_level + + dimension: entity__asset__platform_software__platform_version { + type: string + sql: ${TABLE}.entity.asset.platform_software.platform_version ;; + group_label: "relations" + label: "relations.entity.asset.platform_software.platform_version" + view_label: "Entity" + description: "The platform software version ( e.g. \"Microsoft Windows 1803\")." + } # dimension entity__asset__platform_software__platform_version + + dimension: entity__asset__product_object_id { + type: string + sql: ${TABLE}.entity.asset.product_object_id ;; + group_label: "relations" + label: "relations.entity.asset.product_object_id" + view_label: "Entity" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID or similar)." + } # dimension entity__asset__product_object_id + + dimension: entity__asset__software { + hidden: yes + } # dimension entity__asset__software + + dimension_group: relations__entity__asset__system_last_update_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.entity.asset.system_last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.entity.asset.system_last_update_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "relations" + label: "relations.entity.asset.system_last_update_time" + view_label: "Entity" + description: "Time the asset system or OS was last updated. For all other operations that are not system updates (such as resizing a vm, etc.) use Attribute.last_update_time." + } # dimension relations__entity__asset__system_last_update_time + + dimension: entity__asset__type { + type: number + sql: ${TABLE}.entity.asset.type ;; + group_label: "relations" + label: "relations.entity.asset.type" + view_label: "Entity" + description: "The type of the asset (e.g. workstation or laptop or server)." 
+ } # dimension entity__asset__type + + dimension: entity__asset__type_enum_name { + type: string + suggestions: ["IOT", "LAPTOP", "MOBILE", "NETWORK_ATTACHED_STORAGE", "PRINTER", "ROLE_UNSPECIFIED", "SCANNER", "SERVER", "TAPE_LIBRARY", "WORKSTATION"] + sql: CASE ${TABLE}.entity.asset.type WHEN 0 THEN 'ROLE_UNSPECIFIED' WHEN 1 THEN 'WORKSTATION' WHEN 2 THEN 'LAPTOP' WHEN 3 THEN 'IOT' WHEN 4 THEN 'NETWORK_ATTACHED_STORAGE' WHEN 5 THEN 'PRINTER' WHEN 6 THEN 'SCANNER' WHEN 7 THEN 'SERVER' WHEN 8 THEN 'TAPE_LIBRARY' WHEN 9 THEN 'MOBILE' END ;; + group_label: "relations" + label: "relations.entity.asset.type_enum_name" + view_label: "Entity" + description: "The type of the asset (e.g. workstation or laptop or server)." + } # dimension entity__asset__type_enum_name + + dimension: entity__cloud { + hidden: yes + } # dimension entity__cloud + + dimension: entity__cloud__project { + hidden: yes + } # dimension entity__cloud__project + + dimension: entity__cloud__project__product_object_id { + type: string + sql: ${TABLE}.entity.cloud.project.product_object_id ;; + group_label: "relations" + group_item_label: "relations.entity.cloud.project.product_object_id [D]" + label: "relations.entity.cloud.project.product_object_id" + view_label: "Entity" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" + } # dimension entity__cloud__project__product_object_id + + dimension: entity__cloud__vpc { + hidden: yes + } # dimension entity__cloud__vpc + + dimension: entity__cloud__vpc__product_object_id { + type: string + sql: ${TABLE}.entity.cloud.vpc.product_object_id ;; + group_label: "relations" + group_item_label: "relations.entity.cloud.vpc.product_object_id [D]" + label: "relations.entity.cloud.vpc.product_object_id" + view_label: "Entity" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is 
deprecated and will be removed in a future release" + } # dimension entity__cloud__vpc__product_object_id + + dimension: entity__group { + hidden: yes + } # dimension entity__group + + dimension: entity__group__attribute { + hidden: yes + } # dimension entity__group__attribute + + dimension: entity__group__attribute__cloud { + hidden: yes + } # dimension entity__group__attribute__cloud + + dimension: entity__group__attribute__cloud__project { + hidden: yes + } # dimension entity__group__attribute__cloud__project + + dimension: entity__group__attribute__cloud__project__product_object_id { + type: string + sql: ${TABLE}.entity.group.attribute.cloud.project.product_object_id ;; + group_label: "relations" + group_item_label: "relations.entity.group.attribute.cloud.project.product_object_id [D]" + label: "relations.entity.group.attribute.cloud.project.product_object_id" + view_label: "Entity" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" + } # dimension entity__group__attribute__cloud__project__product_object_id + + dimension: entity__group__attribute__cloud__vpc { + hidden: yes + } # dimension entity__group__attribute__cloud__vpc + + dimension: entity__group__attribute__cloud__vpc__product_object_id { + type: string + sql: ${TABLE}.entity.group.attribute.cloud.vpc.product_object_id ;; + group_label: "relations" + group_item_label: "relations.entity.group.attribute.cloud.vpc.product_object_id [D]" + label: "relations.entity.group.attribute.cloud.vpc.product_object_id" + view_label: "Entity" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" + } # dimension entity__group__attribute__cloud__vpc__product_object_id + + dimension: entity__group__group_display_name { + type: string + sql: ${TABLE}.entity.group.group_display_name 
;; + group_label: "relations" + label: "relations.entity.group.group_display_name" + view_label: "Entity" + description: "Group display name. e.g. \"Finance\"." + } # dimension entity__group__group_display_name + + dimension: entity__group__product_object_id { + type: string + sql: ${TABLE}.entity.group.product_object_id ;; + group_label: "relations" + label: "relations.entity.group.product_object_id" + view_label: "Entity" + description: "Product globally unique user object identifier, such as an LDAP Object Identifier." + } # dimension entity__group__product_object_id + + dimension: entity__hostname { + type: string + sql: ${TABLE}.entity.hostname ;; + group_label: "relations" + label: "relations.entity.hostname" + view_label: "Entity" + description: "Client hostname or domain name field. Hostname also doubles as the domain for remote entities." + } # dimension entity__hostname + + dimension: entity__ip { + hidden: yes + } # dimension entity__ip + + dimension: entity__ip_geo_artifact { + hidden: yes + } # dimension entity__ip_geo_artifact + + dimension: entity__ip_location { + hidden: yes + } # dimension entity__ip_location + + dimension: entity__location { + hidden: yes + } # dimension entity__location + + dimension: entity__location__name { + type: string + sql: ${TABLE}.entity.location.name ;; + group_label: "relations" + label: "relations.entity.location.name" + view_label: "Entity" + description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." + } # dimension entity__location__name + + dimension: entity__namespace { + type: string + sql: ${TABLE}.entity.namespace ;; + group_label: "relations" + label: "relations.entity.namespace" + view_label: "Entity" + description: "Namespace which the device belongs to (e.g. AD forest) Uses for this field include Microsoft Windows AD forest, name of subsidiary or acquisition, etc." 
+ } # dimension entity__namespace + + dimension: entity__object_reference { + hidden: yes + } # dimension entity__object_reference + + dimension: entity__object_reference__id { + type: string + sql: ${TABLE}.entity.object_reference.id ;; + group_label: "relations" + label: "relations.entity.object_reference.id" + view_label: "Entity" + description: "Full raw ID." + } # dimension entity__object_reference__id + + dimension: entity__object_reference__namespace { + type: number + sql: ${TABLE}.entity.object_reference.namespace ;; + group_label: "relations" + label: "relations.entity.object_reference.namespace" + view_label: "Entity" + description: "Namespace the id belongs to." + } # dimension entity__object_reference__namespace + + dimension: entity__object_reference__namespace_enum_name { + type: string + suggestions: ["MACHINE_INTELLIGENCE", "NORMALIZED_TELEMETRY", "RAW_TELEMETRY", "RULE_DETECTIONS", "SECURITY_COMMAND_CENTER", "SOAR_ALERT", "UNSPECIFIED", "UPPERCASE"] + sql: CASE ${TABLE}.entity.object_reference.namespace WHEN 0 THEN 'NORMALIZED_TELEMETRY' WHEN 1 THEN 'RAW_TELEMETRY' WHEN 2 THEN 'RULE_DETECTIONS' WHEN 3 THEN 'UPPERCASE' WHEN 4 THEN 'MACHINE_INTELLIGENCE' WHEN 5 THEN 'SECURITY_COMMAND_CENTER' WHEN 6 THEN 'UNSPECIFIED' WHEN 7 THEN 'SOAR_ALERT' END ;; + group_label: "relations" + label: "relations.entity.object_reference.namespace_enum_name" + view_label: "Entity" + description: "Namespace the id belongs to." + } # dimension entity__object_reference__namespace_enum_name + + dimension: entity__platform_patch_level { + type: string + sql: ${TABLE}.entity.platform_patch_level ;; + group_label: "relations" + label: "relations.entity.platform_patch_level" + view_label: "Entity" + description: "Platform patch level. 
For example, \"Build 17134.48\"" + } # dimension entity__platform_patch_level + + dimension: entity__platform_version { + type: string + sql: ${TABLE}.entity.platform_version ;; + group_label: "relations" + label: "relations.entity.platform_version" + view_label: "Entity" + description: "Platform version. For example, \"Microsoft Windows 1803\"." + } # dimension entity__platform_version + + dimension: entity__resource { + hidden: yes + } # dimension entity__resource + + dimension: entity__resource__attribute { + hidden: yes + } # dimension entity__resource__attribute + + dimension: entity__resource__attribute__cloud { + hidden: yes + } # dimension entity__resource__attribute__cloud + + dimension: entity__resource__attribute__cloud__environment { + type: number + sql: ${TABLE}.entity.resource.attribute.cloud.environment ;; + group_label: "relations" + label: "relations.entity.resource.attribute.cloud.environment" + view_label: "Entity" + description: "The Cloud environment." + } # dimension entity__resource__attribute__cloud__environment + + dimension: entity__resource__attribute__cloud__environment_enum_name { + type: string + suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] + sql: CASE ${TABLE}.entity.resource.attribute.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; + group_label: "relations" + label: "relations.entity.resource.attribute.cloud.environment_enum_name" + view_label: "Entity" + description: "The Cloud environment." 
+ } # dimension entity__resource__attribute__cloud__environment_enum_name + + dimension: entity__resource__attribute__permissions { + hidden: yes + } # dimension entity__resource__attribute__permissions + + dimension: entity__resource__name { + type: string + sql: ${TABLE}.entity.resource.name ;; + group_label: "relations" + label: "relations.entity.resource.name" + view_label: "Entity" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." + } # dimension entity__resource__name + + dimension: entity__resource__product_object_id { + type: string + sql: ${TABLE}.entity.resource.product_object_id ;; + group_label: "relations" + label: "relations.entity.resource.product_object_id" + view_label: "Entity" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" + } # dimension entity__resource__product_object_id + + dimension: entity__resource__resource_subtype { + type: string + sql: ${TABLE}.entity.resource.resource_subtype ;; + group_label: "relations" + label: "relations.entity.resource.resource_subtype" + view_label: "Entity" + description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\")." + } # dimension entity__resource__resource_subtype + + dimension: entity__resource__resource_type { + type: number + sql: ${TABLE}.entity.resource.resource_type ;; + group_label: "relations" + label: "relations.entity.resource.resource_type" + view_label: "Entity" + description: "Resource type." 
+ } # dimension entity__resource__resource_type + + dimension: entity__resource__resource_type_enum_name { + type: string + suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] + sql: CASE ${TABLE}.entity.resource.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; + group_label: "relations" + label: "relations.entity.resource.resource_type_enum_name" + view_label: "Entity" + description: "Resource type." + } # dimension entity__resource__resource_type_enum_name + + dimension: entity__user { + hidden: yes + } # dimension entity__user + + dimension: entity__user__account_type { + type: number + sql: ${TABLE}.entity.user.account_type ;; + group_label: "relations" + label: "relations.entity.user.account_type" + view_label: "Entity" + description: "Type of user account (service, domain, cloud, etc). 
Somewhat aligned to: https://attack.mitre.org/techniques/T1078/" + } # dimension entity__user__account_type + + dimension: entity__user__account_type_enum_name { + type: string + suggestions: ["ACCOUNT_TYPE_UNSPECIFIED", "CLOUD_ACCOUNT_TYPE", "DEFAULT_ACCOUNT_TYPE", "DOMAIN_ACCOUNT_TYPE", "LOCAL_ACCOUNT_TYPE", "SERVICE_ACCOUNT_TYPE"] + sql: CASE ${TABLE}.entity.user.account_type WHEN 0 THEN 'ACCOUNT_TYPE_UNSPECIFIED' WHEN 1 THEN 'DOMAIN_ACCOUNT_TYPE' WHEN 2 THEN 'LOCAL_ACCOUNT_TYPE' WHEN 3 THEN 'CLOUD_ACCOUNT_TYPE' WHEN 4 THEN 'SERVICE_ACCOUNT_TYPE' WHEN 5 THEN 'DEFAULT_ACCOUNT_TYPE' END ;; + group_label: "relations" + label: "relations.entity.user.account_type_enum_name" + view_label: "Entity" + description: "Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/" + } # dimension entity__user__account_type_enum_name + + dimension: entity__user__attribute { + hidden: yes + } # dimension entity__user__attribute + + dimension: entity__user__attribute__cloud { + hidden: yes + } # dimension entity__user__attribute__cloud + + dimension: entity__user__attribute__cloud__environment { + type: number + sql: ${TABLE}.entity.user.attribute.cloud.environment ;; + group_label: "relations" + label: "relations.entity.user.attribute.cloud.environment" + view_label: "Entity" + description: "The Cloud environment." 
+ } # dimension entity__user__attribute__cloud__environment + + dimension: entity__user__attribute__cloud__environment_enum_name { + type: string + suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] + sql: CASE ${TABLE}.entity.user.attribute.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; + group_label: "relations" + label: "relations.entity.user.attribute.cloud.environment_enum_name" + view_label: "Entity" + description: "The Cloud environment." + } # dimension entity__user__attribute__cloud__environment_enum_name + + dimension: entity__user__attribute__cloud__project { + hidden: yes + } # dimension entity__user__attribute__cloud__project + + dimension: entity__user__attribute__cloud__project__product_object_id { + type: string + sql: ${TABLE}.entity.user.attribute.cloud.project.product_object_id ;; + group_label: "relations" + group_item_label: "relations.entity.user.attribute.cloud.project.product_object_id [D]" + label: "relations.entity.user.attribute.cloud.project.product_object_id" + view_label: "Entity" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" + } # dimension entity__user__attribute__cloud__project__product_object_id + + dimension: entity__user__attribute__cloud__vpc { + hidden: yes + } # dimension entity__user__attribute__cloud__vpc + + dimension: entity__user__attribute__cloud__vpc__product_object_id { + type: string + sql: ${TABLE}.entity.user.attribute.cloud.vpc.product_object_id ;; + group_label: "relations" + group_item_label: "relations.entity.user.attribute.cloud.vpc.product_object_id [D]" + label: "relations.entity.user.attribute.cloud.vpc.product_object_id" + view_label: "Entity" + description: "A vendor-specific identifier to uniquely 
identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" + } # dimension entity__user__attribute__cloud__vpc__product_object_id + + dimension: entity__user__attribute__labels { + hidden: yes + } # dimension entity__user__attribute__labels + + dimension: entity__user__attribute__roles { + hidden: yes + } # dimension entity__user__attribute__roles + + dimension: entity__user__company_name { + type: string + sql: ${TABLE}.entity.user.company_name ;; + group_label: "relations" + label: "relations.entity.user.company_name" + view_label: "Entity" + description: "User job company name." + } # dimension entity__user__company_name + + dimension: entity__user__email_addresses { + hidden: yes + } # dimension entity__user__email_addresses + + dimension: entity__user__first_name { + type: string + sql: ${TABLE}.entity.user.first_name ;; + group_label: "relations" + label: "relations.entity.user.first_name" + view_label: "Entity" + description: "First name of the user (e.g. \"John\")." + } # dimension entity__user__first_name + + dimension: entity__user__last_name { + type: string + sql: ${TABLE}.entity.user.last_name ;; + group_label: "relations" + label: "relations.entity.user.last_name" + view_label: "Entity" + description: "Last name of the user (e.g. \"Locke\")." + } # dimension entity__user__last_name + + dimension: entity__user__office_address { + hidden: yes + } # dimension entity__user__office_address + + dimension: entity__user__office_address__country_or_region { + type: string + sql: ${TABLE}.entity.user.office_address.country_or_region ;; + group_label: "relations" + label: "relations.entity.user.office_address.country_or_region" + view_label: "Entity" + description: "The country or region." 
+ } # dimension entity__user__office_address__country_or_region + + dimension: entity__user__office_address__name { + type: string + sql: ${TABLE}.entity.user.office_address.name ;; + group_label: "relations" + label: "relations.entity.user.office_address.name" + view_label: "Entity" + description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." + } # dimension entity__user__office_address__name + + dimension: entity__user__office_address__state { + type: string + sql: ${TABLE}.entity.user.office_address.state ;; + group_label: "relations" + label: "relations.entity.user.office_address.state" + view_label: "Entity" + description: "The state." + } # dimension entity__user__office_address__state + + dimension: entity__user__phone_numbers { + hidden: yes + } # dimension entity__user__phone_numbers + + dimension: entity__user__product_object_id { + type: string + sql: ${TABLE}.entity.user.product_object_id ;; + group_label: "relations" + label: "relations.entity.user.product_object_id" + view_label: "Entity" + description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." + } # dimension entity__user__product_object_id + + dimension: entity__user__role_description { + type: string + sql: ${TABLE}.entity.user.role_description ;; + group_label: "relations" + group_item_label: "relations.entity.user.role_description [D]" + label: "relations.entity.user.role_description" + view_label: "Entity" + description: "System role description for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" + } # dimension entity__user__role_description + + dimension: entity__user__title { + type: string + sql: ${TABLE}.entity.user.title ;; + group_label: "relations" + label: "relations.entity.user.title" + view_label: "Entity" + description: "User job title." 
+ } # dimension entity__user__title + + dimension: entity__user__user_authentication_status { + type: number + sql: ${TABLE}.entity.user.user_authentication_status ;; + group_label: "relations" + label: "relations.entity.user.user_authentication_status" + view_label: "Entity" + description: "System authentication status for user." + } # dimension entity__user__user_authentication_status + + dimension: entity__user__user_authentication_status_enum_name { + type: string + suggestions: ["ACTIVE", "DELETED", "NO_ACTIVE_CREDENTIALS", "SUSPENDED", "UNKNOWN_AUTHENTICATION_STATUS"] + sql: CASE ${TABLE}.entity.user.user_authentication_status WHEN 0 THEN 'UNKNOWN_AUTHENTICATION_STATUS' WHEN 1 THEN 'ACTIVE' WHEN 2 THEN 'SUSPENDED' WHEN 3 THEN 'NO_ACTIVE_CREDENTIALS' WHEN 4 THEN 'DELETED' END ;; + group_label: "relations" + label: "relations.entity.user.user_authentication_status_enum_name" + view_label: "Entity" + description: "System authentication status for user." + } # dimension entity__user__user_authentication_status_enum_name + + dimension: entity__user__user_display_name { + type: string + sql: ${TABLE}.entity.user.user_display_name ;; + group_label: "relations" + label: "relations.entity.user.user_display_name" + view_label: "Entity" + description: "The display name of the user (e.g. \"John Locke\")." + } # dimension entity__user__user_display_name + + dimension: entity__user__userid { + type: string + sql: ${TABLE}.entity.user.userid ;; + group_label: "relations" + label: "relations.entity.user.userid" + view_label: "Entity" + description: "The ID of the user." + } # dimension entity__user__userid + + dimension: entity__user__windows_sid { + type: string + sql: ${TABLE}.entity.user.windows_sid ;; + group_label: "relations" + label: "relations.entity.user.windows_sid" + view_label: "Entity" + description: "The Microsoft Windows SID of the user." 
+ } # dimension entity__user__windows_sid + + dimension: entity__user_management_chain { + hidden: yes + } # dimension entity__user_management_chain + + dimension: entity_type { + type: number + sql: ${TABLE}.entity_type ;; + group_label: "relations" + label: "relations.entity_type" + view_label: "Entity" + description: "Type of the related entity (b) in this relationship." + } # dimension entity_type + + dimension: entity_type_enum_name { + type: string + suggestions: ["ASSET", "DOMAIN_NAME", "FILE", "GROUP", "IP_ADDRESS", "METRIC", "MUTEX", "RESOURCE", "UNKNOWN_ENTITYTYPE", "URL", "USER"] + sql: CASE ${TABLE}.entity_type WHEN 0 THEN 'UNKNOWN_ENTITYTYPE' WHEN 1 THEN 'ASSET' WHEN 10000 THEN 'USER' WHEN 10001 THEN 'GROUP' WHEN 2 THEN 'RESOURCE' WHEN 3 THEN 'IP_ADDRESS' WHEN 4 THEN 'FILE' WHEN 5 THEN 'DOMAIN_NAME' WHEN 6 THEN 'URL' WHEN 7 THEN 'MUTEX' WHEN 8 THEN 'METRIC' END ;; + group_label: "relations" + label: "relations.entity_type_enum_name" + view_label: "Entity" + description: "Type of the related entity (b) in this relationship." + } # dimension entity_type_enum_name + + dimension: relationship { + type: number + sql: ${TABLE}.relationship ;; + group_label: "relations" + label: "relations.relationship" + view_label: "Entity" + description: "Type of relationship." + } # dimension relationship + + dimension: relationship_enum_name { + type: string + suggestions: ["ADMINISTERS", "CONTACTS", "DOWNLOADED_FROM", "EXECUTES", "MEMBER", "OWNS", "RELATIONSHIP_UNSPECIFIED"] + sql: CASE ${TABLE}.relationship WHEN 0 THEN 'RELATIONSHIP_UNSPECIFIED' WHEN 1 THEN 'OWNS' WHEN 2 THEN 'ADMINISTERS' WHEN 3 THEN 'MEMBER' WHEN 4 THEN 'EXECUTES' WHEN 5 THEN 'DOWNLOADED_FROM' WHEN 6 THEN 'CONTACTS' END ;; + group_label: "relations" + label: "relations.relationship_enum_name" + view_label: "Entity" + description: "Type of relationship." 
+ } # dimension relationship_enum_name + +} # view entity_graph__relations + +explore: entity_graph { + ### BEGIN googlex/security/malachite/dashboards/lookml/entity_graph/entity_graph_explore_preamble.lkml + label: "Entity Graph" + + required_access_grants: [ + has_chronicle_explores_enabled + ] + + conditionally_filter: { + filters: { + field: entity_graph.time_filter + value: "last 24 hours" + } + } + + fields: [ALL_FIELDS*,] + sql_always_where: {% condition entity_graph.time_filter %} _PARTITIONTIME {% endcondition %} + AND {% condition entity_graph.time_filter %} ${metadata__collected_timestamp_raw} {% endcondition %};; + + ### END googlex/security/malachite/dashboards/lookml/entity_graph/entity_graph_explore_preamble.lkml + join: entity_graph__additional__fields { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${entity_graph.additional}.fields) as entity_graph__additional__fields ;; + view_label: "Entity" + } # join entity_graph__additional__fields + + join: entity_graph__entity__artifact__network__email__to { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${entity_graph.entity}.artifact.network.email.to) as entity_graph__entity__artifact__network__email__to ;; + view_label: "Entity" + } # join entity_graph__entity__artifact__network__email__to + + join: entity_graph__entity__asset__attribute__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${entity_graph.entity}.asset.attribute.labels) as entity_graph__entity__asset__attribute__labels ;; + view_label: "Entity" + } # join entity_graph__entity__asset__attribute__labels + + join: entity_graph__entity__asset__hardware { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${entity_graph.entity}.asset.hardware) as entity_graph__entity__asset__hardware ;; + view_label: "Entity" + } # join entity_graph__entity__asset__hardware + + join: entity_graph__entity__asset__ip { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${entity_graph.entity}.asset.ip) as entity_graph__entity__asset__ip ;; + 
view_label: "Entity" + } # join entity_graph__entity__asset__ip + + join: entity_graph__entity__asset__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${entity_graph.entity}.asset.labels) as entity_graph__entity__asset__labels ;; + view_label: "Entity" + } # join entity_graph__entity__asset__labels + + join: entity_graph__entity__asset__mac { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${entity_graph.entity}.asset.mac) as entity_graph__entity__asset__mac ;; + view_label: "Entity" + } # join entity_graph__entity__asset__mac + + join: entity_graph__entity__asset__nat_ip { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${entity_graph.entity}.asset.nat_ip) as entity_graph__entity__asset__nat_ip ;; + view_label: "Entity" + } # join entity_graph__entity__asset__nat_ip + + join: entity_graph__entity__asset__software { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${entity_graph.entity}.asset.software) as entity_graph__entity__asset__software ;; + view_label: "Entity" + } # join entity_graph__entity__asset__software + + join: entity_graph__entity__asset__software__permissions { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${entity_graph__entity__asset__software.permissions}) as entity_graph__entity__asset__software__permissions ;; + view_label: "Entity" + } # join entity_graph__entity__asset__software__permissions + + join: entity_graph__entity__asset__vulnerabilities { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${entity_graph.entity}.asset.vulnerabilities) as entity_graph__entity__asset__vulnerabilities ;; + view_label: "Entity" + } # join entity_graph__entity__asset__vulnerabilities + + join: entity_graph__entity__asset__vulnerabilities__about__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${entity_graph__entity__asset__vulnerabilities.about}.labels) as entity_graph__entity__asset__vulnerabilities__about__labels ;; + view_label: "Entity" + } # join entity_graph__entity__asset__vulnerabilities__about__labels + + 
join: entity_graph__entity__domain__admin__attribute__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${entity_graph.entity}.domain.admin.attribute.labels) as entity_graph__entity__domain__admin__attribute__labels ;; + view_label: "Entity" + } # join entity_graph__entity__domain__admin__attribute__labels + + join: entity_graph__entity__domain__billing__attribute__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${entity_graph.entity}.domain.billing.attribute.labels) as entity_graph__entity__domain__billing__attribute__labels ;; + view_label: "Entity" + } # join entity_graph__entity__domain__billing__attribute__labels + + join: entity_graph__entity__domain__name_server { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${entity_graph.entity}.domain.name_server) as entity_graph__entity__domain__name_server ;; + view_label: "Entity" + } # join entity_graph__entity__domain__name_server + + join: entity_graph__entity__domain__registrant__attribute__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${entity_graph.entity}.domain.registrant.attribute.labels) as entity_graph__entity__domain__registrant__attribute__labels ;; + view_label: "Entity" + } # join entity_graph__entity__domain__registrant__attribute__labels + + join: entity_graph__entity__domain__registrant__email_addresses { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${entity_graph.entity}.domain.registrant.email_addresses) as entity_graph__entity__domain__registrant__email_addresses ;; + view_label: "Entity" + } # join entity_graph__entity__domain__registrant__email_addresses + + join: entity_graph__entity__domain__tech__attribute__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${entity_graph.entity}.domain.tech.attribute.labels) as entity_graph__entity__domain__tech__attribute__labels ;; + view_label: "Entity" + } # join entity_graph__entity__domain__tech__attribute__labels + + join: entity_graph__entity__file__names { + relationship: one_to_one + sql: 
LEFT JOIN UNNEST(${entity_graph.entity}.file.names) as entity_graph__entity__file__names ;; + view_label: "Entity" + } # join entity_graph__entity__file__names + + join: entity_graph__entity__file__pe_file__resource { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${entity_graph.entity}.file.pe_file.resource) as entity_graph__entity__file__pe_file__resource ;; + view_label: "Entity" + } # join entity_graph__entity__file__pe_file__resource + + join: entity_graph__entity__group__attribute__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${entity_graph.entity}.group.attribute.labels) as entity_graph__entity__group__attribute__labels ;; + view_label: "Entity" + } # join entity_graph__entity__group__attribute__labels + + join: entity_graph__entity__group__email_addresses { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${entity_graph.entity}.group.email_addresses) as entity_graph__entity__group__email_addresses ;; + view_label: "Entity" + } # join entity_graph__entity__group__email_addresses + + join: entity_graph__entity__ip { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${entity_graph.entity}.ip) as entity_graph__entity__ip ;; + view_label: "Entity" + } # join entity_graph__entity__ip + + join: entity_graph__entity__ip_geo_artifact { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${entity_graph.entity}.ip_geo_artifact) as entity_graph__entity__ip_geo_artifact ;; + view_label: "Entity" + } # join entity_graph__entity__ip_geo_artifact + + join: entity_graph__entity__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${entity_graph.entity}.labels) as entity_graph__entity__labels ;; + view_label: "Entity" + } # join entity_graph__entity__labels + + join: entity_graph__entity__mac { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${entity_graph.entity}.mac) as entity_graph__entity__mac ;; + view_label: "Entity" + } # join entity_graph__entity__mac + + join: entity_graph__entity__resource__attribute__labels { + relationship: 
one_to_many + sql: LEFT JOIN UNNEST(${entity_graph.entity}.resource.attribute.labels) as entity_graph__entity__resource__attribute__labels ;; + view_label: "Entity" + } # join entity_graph__entity__resource__attribute__labels + + join: entity_graph__entity__user__attribute__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${entity_graph.entity}.user.attribute.labels) as entity_graph__entity__user__attribute__labels ;; + view_label: "Entity" + } # join entity_graph__entity__user__attribute__labels + + join: entity_graph__entity__user__attribute__permissions { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${entity_graph.entity}.user.attribute.permissions) as entity_graph__entity__user__attribute__permissions ;; + view_label: "Entity" + } # join entity_graph__entity__user__attribute__permissions + + join: entity_graph__entity__user__attribute__roles { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${entity_graph.entity}.user.attribute.roles) as entity_graph__entity__user__attribute__roles ;; + view_label: "Entity" + } # join entity_graph__entity__user__attribute__roles + + join: entity_graph__entity__user__department { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${entity_graph.entity}.user.department) as entity_graph__entity__user__department ;; + view_label: "Entity" + } # join entity_graph__entity__user__department + + join: entity_graph__entity__user__email_addresses { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${entity_graph.entity}.user.email_addresses) as entity_graph__entity__user__email_addresses ;; + view_label: "Entity" + } # join entity_graph__entity__user__email_addresses + + join: entity_graph__entity__user__group_identifiers { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${entity_graph.entity}.user.group_identifiers) as entity_graph__entity__user__group_identifiers ;; + view_label: "Entity" + } # join entity_graph__entity__user__group_identifiers + + join: entity_graph__entity__user__managers { + relationship: 
one_to_many + sql: LEFT JOIN UNNEST(${entity_graph.entity}.user.managers) as entity_graph__entity__user__managers ;; + view_label: "Entity" + } # join entity_graph__entity__user__managers + + join: entity_graph__entity__user__managers__attribute__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${entity_graph__entity__user__managers.attribute}.labels) as entity_graph__entity__user__managers__attribute__labels ;; + view_label: "Entity" + } # join entity_graph__entity__user__managers__attribute__labels + + join: entity_graph__entity__user__managers__attribute__roles { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${entity_graph__entity__user__managers.attribute}.roles) as entity_graph__entity__user__managers__attribute__roles ;; + view_label: "Entity" + } # join entity_graph__entity__user__managers__attribute__roles + + join: entity_graph__entity__user__managers__department { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${entity_graph__entity__user__managers.department}) as entity_graph__entity__user__managers__department ;; + view_label: "Entity" + } # join entity_graph__entity__user__managers__department + + join: entity_graph__entity__user__managers__email_addresses { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${entity_graph__entity__user__managers.email_addresses}) as entity_graph__entity__user__managers__email_addresses ;; + view_label: "Entity" + } # join entity_graph__entity__user__managers__email_addresses + + join: entity_graph__entity__user__managers__group_identifiers { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${entity_graph__entity__user__managers.group_identifiers}) as entity_graph__entity__user__managers__group_identifiers ;; + view_label: "Entity" + } # join entity_graph__entity__user__managers__group_identifiers + + join: entity_graph__entity__user__managers__phone_numbers { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${entity_graph__entity__user__managers.phone_numbers}) as 
entity_graph__entity__user__managers__phone_numbers ;; + view_label: "Entity" + } # join entity_graph__entity__user__managers__phone_numbers + + join: entity_graph__entity__user__phone_numbers { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${entity_graph.entity}.user.phone_numbers) as entity_graph__entity__user__phone_numbers ;; + view_label: "Entity" + } # join entity_graph__entity__user__phone_numbers + + join: entity_graph__entity__user__time_off { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${entity_graph.entity}.user.time_off) as entity_graph__entity__user__time_off ;; + view_label: "Entity" + } # join entity_graph__entity__user__time_off + + join: entity_graph__entity__user_management_chain { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${entity_graph.entity}.user_management_chain) as entity_graph__entity__user_management_chain ;; + view_label: "Entity" + } # join entity_graph__entity__user_management_chain + + join: entity_graph__entity__user_management_chain__department { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${entity_graph__entity__user_management_chain.department}) as entity_graph__entity__user_management_chain__department ;; + view_label: "Entity" + } # join entity_graph__entity__user_management_chain__department + + join: entity_graph__entity__user_management_chain__email_addresses { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${entity_graph__entity__user_management_chain.email_addresses}) as entity_graph__entity__user_management_chain__email_addresses ;; + view_label: "Entity" + } # join entity_graph__entity__user_management_chain__email_addresses + + join: entity_graph__metadata__event_metadata__base_labels__log_types { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${entity_graph.metadata}.event_metadata.base_labels.log_types) as entity_graph__metadata__event_metadata__base_labels__log_types ;; + view_label: "Entity" + } # join entity_graph__metadata__event_metadata__base_labels__log_types + + join: 
entity_graph__metadata__event_metadata__base_labels__namespaces { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${entity_graph.metadata}.event_metadata.base_labels.namespaces) as entity_graph__metadata__event_metadata__base_labels__namespaces ;; + view_label: "Entity" + } # join entity_graph__metadata__event_metadata__base_labels__namespaces + + join: entity_graph__metadata__source_labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${entity_graph.metadata}.source_labels) as entity_graph__metadata__source_labels ;; + view_label: "Entity" + } # join entity_graph__metadata__source_labels + + join: entity_graph__metadata__threat { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${entity_graph.metadata}.threat) as entity_graph__metadata__threat ;; + view_label: "Entity" + } # join entity_graph__metadata__threat + + join: entity_graph__metadata__threat__about__ip { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${entity_graph__metadata__threat.about}.ip) as entity_graph__metadata__threat__about__ip ;; + view_label: "Entity" + } # join entity_graph__metadata__threat__about__ip + + join: entity_graph__metadata__threat__about__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${entity_graph__metadata__threat.about}.labels) as entity_graph__metadata__threat__about__labels ;; + view_label: "Entity" + } # join entity_graph__metadata__threat__about__labels + + join: entity_graph__metadata__threat__about__user__email_addresses { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${entity_graph__metadata__threat.about}.user.email_addresses) as entity_graph__metadata__threat__about__user__email_addresses ;; + view_label: "Entity" + } # join entity_graph__metadata__threat__about__user__email_addresses + + join: entity_graph__metadata__threat__about__user_management_chain { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${entity_graph__metadata__threat.about}.user_management_chain) as entity_graph__metadata__threat__about__user_management_chain 
;; + view_label: "Entity" + } # join entity_graph__metadata__threat__about__user_management_chain + + join: entity_graph__metadata__threat__action { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${entity_graph__metadata__threat.action}) as entity_graph__metadata__threat__action ;; + view_label: "Entity" + } # join entity_graph__metadata__threat__action + + join: entity_graph__metadata__threat__action_enum_name { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${entity_graph__metadata__threat.action}) as entity_graph__metadata__threat__action_enum_name ;; + view_label: "Entity" + } # join entity_graph__metadata__threat__action_enum_name + + join: entity_graph__metadata__threat__category { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${entity_graph__metadata__threat.category}) as entity_graph__metadata__threat__category ;; + view_label: "Entity" + } # join entity_graph__metadata__threat__category + + join: entity_graph__metadata__threat__category_enum_name { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${entity_graph__metadata__threat.category}) as entity_graph__metadata__threat__category_enum_name ;; + view_label: "Entity" + } # join entity_graph__metadata__threat__category_enum_name + + join: entity_graph__metadata__threat__category_details { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${entity_graph__metadata__threat.category_details}) as entity_graph__metadata__threat__category_details ;; + view_label: "Entity" + } # join entity_graph__metadata__threat__category_details + + join: entity_graph__metadata__threat__detection_fields { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${entity_graph__metadata__threat.detection_fields}) as entity_graph__metadata__threat__detection_fields ;; + view_label: "Entity" + } # join entity_graph__metadata__threat__detection_fields + + join: entity_graph__metadata__threat__rule_labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${entity_graph__metadata__threat.rule_labels}) as 
entity_graph__metadata__threat__rule_labels ;; + view_label: "Entity" + } # join entity_graph__metadata__threat__rule_labels + + join: entity_graph__relations { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${entity_graph.relations}) as entity_graph__relations ;; + view_label: "Entity" + } # join entity_graph__relations + + join: entity_graph__relations__entity__asset__hardware { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${entity_graph__relations.entity}.asset.hardware) as entity_graph__relations__entity__asset__hardware ;; + view_label: "Entity" + } # join entity_graph__relations__entity__asset__hardware + + join: entity_graph__relations__entity__asset__ip { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${entity_graph__relations.entity}.asset.ip) as entity_graph__relations__entity__asset__ip ;; + view_label: "Entity" + } # join entity_graph__relations__entity__asset__ip + + join: entity_graph__relations__entity__asset__mac { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${entity_graph__relations.entity}.asset.mac) as entity_graph__relations__entity__asset__mac ;; + view_label: "Entity" + } # join entity_graph__relations__entity__asset__mac + + join: entity_graph__relations__entity__asset__software { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${entity_graph__relations.entity}.asset.software) as entity_graph__relations__entity__asset__software ;; + view_label: "Entity" + } # join entity_graph__relations__entity__asset__software + + join: entity_graph__relations__entity__ip { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${entity_graph__relations.entity}.ip) as entity_graph__relations__entity__ip ;; + view_label: "Entity" + } # join entity_graph__relations__entity__ip + + join: entity_graph__relations__entity__ip_geo_artifact { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${entity_graph__relations.entity}.ip_geo_artifact) as entity_graph__relations__entity__ip_geo_artifact ;; + view_label: "Entity" + } # join 
entity_graph__relations__entity__ip_geo_artifact + + join: entity_graph__relations__entity__ip_location { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${entity_graph__relations.entity}.ip_location) as entity_graph__relations__entity__ip_location ;; + view_label: "Entity" + } # join entity_graph__relations__entity__ip_location + + join: entity_graph__relations__entity__resource__attribute__permissions { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${entity_graph__relations.entity}.resource.attribute.permissions) as entity_graph__relations__entity__resource__attribute__permissions ;; + view_label: "Entity" + } # join entity_graph__relations__entity__resource__attribute__permissions + + join: entity_graph__relations__entity__user__attribute__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${entity_graph__relations.entity}.user.attribute.labels) as entity_graph__relations__entity__user__attribute__labels ;; + view_label: "Entity" + } # join entity_graph__relations__entity__user__attribute__labels + + join: entity_graph__relations__entity__user__attribute__roles { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${entity_graph__relations.entity}.user.attribute.roles) as entity_graph__relations__entity__user__attribute__roles ;; + view_label: "Entity" + } # join entity_graph__relations__entity__user__attribute__roles + + join: entity_graph__relations__entity__user__email_addresses { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${entity_graph__relations.entity}.user.email_addresses) as entity_graph__relations__entity__user__email_addresses ;; + view_label: "Entity" + } # join entity_graph__relations__entity__user__email_addresses + + join: entity_graph__relations__entity__user__phone_numbers { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${entity_graph__relations.entity}.user.phone_numbers) as entity_graph__relations__entity__user__phone_numbers ;; + view_label: "Entity" + } # join 
entity_graph__relations__entity__user__phone_numbers + + join: entity_graph__relations__entity__user_management_chain { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${entity_graph__relations.entity}.user_management_chain) as entity_graph__relations__entity__user_management_chain ;; + view_label: "Entity" + } # join entity_graph__relations__entity__user_management_chain + + join: entity_graph__relations__entity__user_management_chain__department { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${entity_graph__relations__entity__user_management_chain.department}) as entity_graph__relations__entity__user_management_chain__department ;; + view_label: "Entity" + } # join entity_graph__relations__entity__user_management_chain__department + +} # explore entity_graph + diff --git a/proto2lkml/events.lkml b/proto2lkml/events.lkml new file mode 100644 index 0000000..5938600 --- /dev/null +++ b/proto2lkml/events.lkml 
@@ -0,0 +1,19328 @@ +# Copyright Google Inc 2023 and onwards. +# This file was generated by proto2lkml. Do not modify it. +# Source: googlex/security/malachite/proto/external/udm.proto +### BEGIN googlex/security/malachite/dashboards/lookml/udm/events_preamble.lkml +include: "/chronicle_features.lkml" + +### END googlex/security/malachite/dashboards/lookml/udm/events_preamble.lkml +view: events { + ### BEGIN googlex/security/malachite/dashboards/lookml/udm/udm_view_preamble.lkml + sql_table_name: `@{EVENTS}`;; + + dimension: primary_key { + primary_key: yes + hidden: yes + sql: CONCAT(IFNULL(to_hex(${TABLE}.metadata.id), ""), + IFNULL(${TABLE}.metadata.product_log_id, ""), + IFNULL(${TABLE}.metadata.event_timestamp.seconds,0), + IFNULL(${TABLE}.metadata.event_timestamp.nanos,0), + IFNULL(${TABLE}.metadata.event_type,0), + IFNULL(${TABLE}.metadata.vendor_name,""), + IFNULL(${TABLE}.metadata.product_name,""));; + } + + measure: count { + description: "Count of UDM events; COUNT(DISTINCT ...) is used." + type: count + view_label: "UDM" + } + + measure: count_all { + description: "Count of all UDM events; COUNT(DISTINCT ...) is not used." + type: number + sql: count(*) ;; + label: "Count (all)" + view_label: "UDM" + } + + filter: time_filter { + label: "metadata.event_timestamp" + type: date_time + view_label: "UDM" + description: "Filter on the metadata.event_timestamp" + } + + #------------------------------------------------------------------------------- + # The following dimensions are here for backwards compatibility. + # Do not remove because it might break some old dashbaords that depend on it. + dimension_group: event_timestamp { + hidden: yes + type: time + timeframes: [ + raw, + time, + date, + week, + month, + hour, + minute, + year + ] + datatype: epoch + sql: ${TABLE}.metadata.event_timestamp.seconds ;; + } + + dimension: period { + hidden: yes + type: string + description: "The reporting period as selected by the Period Filter. 
Values - 'This Period' and 'Previous Period'. + Apply Filter 'This Period' to get values from current period." + sql: + CASE + WHEN {% date_start period_filter %} is not null AND {% date_end period_filter %} is not null /* date ranges or in the past x days */ + THEN + CASE + WHEN ${event_timestamp_raw} >= UNIX_SECONDS({% date_start period_filter %}) + AND ${event_timestamp_raw} <= UNIX_SECONDS({% date_end period_filter %}) + THEN 'This Period' + WHEN ${event_timestamp_raw} >= UNIX_SECONDS(TIMESTAMP_ADD({% date_start period_filter %}, INTERVAL 1 * (TIMESTAMP_DIFF({% date_start period_filter %},{% date_end period_filter %}, DAY)) DAY)) + AND ${event_timestamp_raw} <= UNIX_SECONDS(TIMESTAMP_ADD({% date_start period_filter %}, INTERVAL -1 DAY)) + THEN 'Previous Period' + END + END ;; + } + + dimension: domain { + hidden: yes + type: string + sql: REGEXP_EXTRACT(COALESCE(${TABLE}.network.dns.questions[SAFE_OFFSET(0)].name, ${TABLE}.target.hostname), r"^(?:[a-zA-Z0-9-]+\.)*([a-zA-Z0-9-]+\.[a-zA-Z0-9-]*[a-zA-Z-][a-zA-Z0-9-]*)$");; + } + + dimension: asset { + hidden: yes + type: string + label: "Asset" + sql: COALESCE(${TABLE}.principal.hostname, ${TABLE}.principal.ip[SAFE_OFFSET(0)]) ;; + } + + dimension: full_domain { + hidden: yes + type: string + sql: COALESCE(${TABLE}.network.dns.questions[SAFE_OFFSET(0)].name, ${TABLE}.target.hostname);; + } + + # This does not even exist in BQ, maybe it used to exist. 
+ dimension_group: _partitiondate { + hidden: yes + type: time + timeframes: [ + raw, + date, + week, + month, + quarter, + year + ] + convert_tz: no + datatype: date + sql: ${TABLE}.hour_time_bucket ;; + } + + dimension_group: _partitiontime { + hidden: yes + type: time + timeframes: [ + raw, + date, + week, + month, + quarter, + year + ] + convert_tz: no + datatype: date + sql: ${TABLE}.hour_time_bucket ;; + } + + dimension_group: hour_time_bucket { + hidden: yes + type: time + timeframes: [ + raw, + time, + date, + week, + month, + quarter, + year + ] + sql: ${TABLE}.hour_time_bucket ;; + } + + dimension: prevalence { + hidden: yes + type: number + sql: COALESCE(${TABLE}.principal.hostname}, ${TABLE}.principal.ip}) ;; + } + + #------------------------------------------------------------------------------- + + ### END googlex/security/malachite/dashboards/lookml/udm/udm_view_preamble.lkml + filter: ip_grouped_field_filter { + label: "ip" + group_label: "Grouped Fields" + view_label: "UDM" + description: "IP address fields. Grouped Fields filter based on multiple UDM fields." 
+ sql: {%condition%} ${events__principal__ip.events__principal__ip} {%endcondition%} or +{%condition%}${events__src__ip.events__src__ip} {%endcondition%} or +{%condition%}${events__target__ip.events__target__ip} {%endcondition%} or +{%condition%}${events__observer__ip.events__observer__ip} {%endcondition%} or +{%condition%}${events__intermediary__ip.events__intermediary__ip} {%endcondition%} or +{%condition%}${events.principal__artifact__ip} {%endcondition%} or +{%condition%}${events.src__artifact__ip} {%endcondition%} or +{%condition%}${events.target__artifact__ip} {%endcondition%} or +{%condition%}${events__principal__asset__ip.events__principal__asset__ip} {%endcondition%} or +{%condition%}${events__src__asset__ip.events__src__asset__ip} {%endcondition%} or +{%condition%}${events__target__asset__ip.events__target__asset__ip} {%endcondition%} +;; + } # ip + + filter: domain_grouped_field_filter { + label: "domain" + group_label: "Grouped Fields" + view_label: "UDM" + description: "Domain fields. Grouped Fields filter based on multiple UDM fields." + sql: {%condition%} ${events.network__dns_domain} {%endcondition%} or +{%condition%}${events__network__dns__questions.name} {%endcondition%} or +{%condition%}${events.principal__administrative_domain} {%endcondition%} or +{%condition%}${events.target__administrative_domain} {%endcondition%} or +{%condition%}${events__about.administrative_domain} {%endcondition%} or +{%condition%}${events.target__hostname} {%endcondition%} or +{%condition%}${events.target__asset__hostname} {%endcondition%} or +{%condition%}${events.principal__asset__network_domain} {%endcondition%} or +{%condition%}${events.target__asset__network_domain} {%endcondition%} +;; + } # domain + + filter: hostname_grouped_field_filter { + label: "hostname" + group_label: "Grouped Fields" + view_label: "UDM" + description: "Hostname fields. Grouped Fields filter based on multiple UDM fields." 
+ sql: {%condition%} ${events.principal__hostname} {%endcondition%} or +{%condition%}${events.src__hostname} {%endcondition%} or +{%condition%}${events.target__hostname} {%endcondition%} or +{%condition%}${events__intermediary.hostname} {%endcondition%} or +{%condition%}${events.observer__hostname} {%endcondition%} or +{%condition%}${events.principal__asset__hostname} {%endcondition%} or +{%condition%}${events.src__asset__hostname} {%endcondition%} or +{%condition%}${events.target__asset__hostname} {%endcondition%} +;; + } # hostname + + filter: user_grouped_field_filter { + label: "user" + group_label: "Grouped Fields" + view_label: "UDM" + description: "User ID fields. Grouped Fields filter based on multiple UDM fields." + sql: {%condition%} ${events.principal__user__userid} {%endcondition%} or +{%condition%}${events.src__user__userid} {%endcondition%} or +{%condition%}${events.target__user__userid} {%endcondition%} or +{%condition%}${events.observer__user__userid} {%endcondition%} or +{%condition%}${events__about.user__userid} {%endcondition%} or +{%condition%}${events.principal__user__windows_sid} {%endcondition%} or +{%condition%}${events.target__user__windows_sid} {%endcondition%} or +{%condition%}${events.principal__user__user_display_name} {%endcondition%} or +{%condition%}${events.target__user__user_display_name} {%endcondition%} +;; + } # user + + filter: email_grouped_field_filter { + label: "email" + group_label: "Grouped Fields" + view_label: "UDM" + description: "Email address fields. Grouped Fields filter based on multiple UDM fields." 
+ sql: {%condition%} ${events__principal__user__email_addresses.events__principal__user__email_addresses} {%endcondition%} or +{%condition%}${events__target__user__email_addresses.events__target__user__email_addresses} {%endcondition%} or +{%condition%}${events__intermediary__user__email_addresses.events__intermediary__user__email_addresses} {%endcondition%} or +{%condition%}${events__security_result__about__user__email_addresses.events__security_result__about__user__email_addresses} {%endcondition%} or +{%condition%}${events.network__email__from} {%endcondition%} or +{%condition%}${events__network__email__to.events__network__email__to} {%endcondition%} +;; + } # email + + filter: file_path_grouped_field_filter { + label: "file_path" + group_label: "Grouped Fields" + view_label: "UDM" + description: "File path fields. Grouped Fields filter based on multiple UDM fields." + sql: {%condition%} ${events.principal__file__full_path} {%endcondition%} or +{%condition%}${events.target__file__full_path} {%endcondition%} or +{%condition%}${events.principal__process__file__full_path} {%endcondition%} or +{%condition%}${events.target__process__file__full_path} {%endcondition%} +;; + } # file_path + + filter: hash_grouped_field_filter { + label: "hash" + group_label: "Grouped Fields" + view_label: "UDM" + description: "File hash fields. Grouped Fields filter based on multiple UDM fields." 
+ sql: {%condition%} ${events.principal__process__file__md5} {%endcondition%} or +{%condition%}${events.target__process__file__md5} {%endcondition%} or +{%condition%}${events.principal__process__file__sha1} {%endcondition%} or +{%condition%}${events.target__process__file__sha1} {%endcondition%} or +{%condition%}${events.principal__process__file__sha256} {%endcondition%} or +{%condition%}${events.target__process__file__sha256} {%endcondition%} or +{%condition%}${events.target__file__md5} {%endcondition%} or +{%condition%}${events.target__file__sha1} {%endcondition%} or +{%condition%}${events.target__file__sha256} {%endcondition%} or +{%condition%}${events__about.file__md5} {%endcondition%} or +{%condition%}${events__about.file__sha256} {%endcondition%} or +{%condition%}${events__about.file__sha1} {%endcondition%} or +{%condition%}${events__security_result.about__file__sha256} {%endcondition%} +;; + } # hash + + filter: process_id_grouped_field_filter { + label: "process_id" + group_label: "Grouped Fields" + view_label: "UDM" + description: "Process ID fields. Grouped Fields filter based on multiple UDM fields." + sql: {%condition%} ${events.principal__process__pid} {%endcondition%} or +{%condition%}${events.target__process__pid} {%endcondition%} or +{%condition%}${events.principal__process__product_specific_process_id} {%endcondition%} or +{%condition%}${events.target__process__product_specific_process_id} {%endcondition%} +;; + } # process_id + + filter: namespace_grouped_field_filter { + label: "namespace" + group_label: "Grouped Fields" + view_label: "UDM" + description: "Namespace fields. Grouped Fields filter based on multiple UDM fields." 
+ sql: {%condition%} ${events.principal__namespace} {%endcondition%} or +{%condition%}${events.src__namespace} {%endcondition%} or +{%condition%}${events.target__namespace} {%endcondition%} +;; + } # namespace + + dimension: about { + hidden: yes + } # dimension about + + dimension: additional { + hidden: yes + } # dimension additional + + dimension: additional__fields { + hidden: yes + } # dimension additional__fields + + dimension: extensions { + hidden: yes + } # dimension extensions + + dimension: extensions__auth { + hidden: yes + } # dimension extensions__auth + + dimension: extensions__auth__auth_details { + type: string + sql: ${TABLE}.extensions.auth.auth_details ;; + group_label: "extensions" + label: "extensions.auth.auth_details" + view_label: "UDM" + description: "The vendor defined details of the authentication." + } # dimension extensions__auth__auth_details + + dimension: extensions__auth__mechanism { + hidden: yes + } # dimension extensions__auth__mechanism + + dimension: extensions__auth__mechanism_enum_name { + hidden: yes + } # dimension extensions__auth__mechanism_enum_name + + dimension: extensions__auth__type { + type: number + sql: ${TABLE}.extensions.auth.type ;; + group_label: "extensions" + label: "extensions.auth.type" + view_label: "UDM" + description: "The type of authentication." + } # dimension extensions__auth__type + + dimension: extensions__auth__type_enum_name { + type: string + suggestions: ["AUTHTYPE_UNSPECIFIED", "MACHINE", "PHYSICAL", "SSO", "TACACS", "VPN"] + sql: CASE ${TABLE}.extensions.auth.type WHEN 0 THEN 'AUTHTYPE_UNSPECIFIED' WHEN 1 THEN 'MACHINE' WHEN 2 THEN 'SSO' WHEN 3 THEN 'VPN' WHEN 4 THEN 'PHYSICAL' WHEN 5 THEN 'TACACS' END ;; + group_label: "extensions" + label: "extensions.auth.type_enum_name" + view_label: "UDM" + description: "The type of authentication." 
+ } # dimension extensions__auth__type_enum_name + + dimension: extensions__vulns { + hidden: yes + } # dimension extensions__vulns + + dimension: extensions__vulns__vulnerabilities { + hidden: yes + } # dimension extensions__vulns__vulnerabilities + + dimension: intermediary { + hidden: yes + } # dimension intermediary + + dimension: metadata { + hidden: yes + } # dimension metadata + + dimension: metadata__base_labels { + hidden: yes + } # dimension metadata__base_labels + + dimension: metadata__base_labels__log_types { + hidden: yes + } # dimension metadata__base_labels__log_types + + dimension: metadata__base_labels__namespaces { + hidden: yes + } # dimension metadata__base_labels__namespaces + + dimension_group: metadata__collected_timestamp { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.metadata.collected_timestamp.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.metadata.collected_timestamp.nanos, 0) / 1000) as INT64)) ;; + group_label: "metadata" + label: "metadata.collected_timestamp" + view_label: "UDM" + description: "The GMT timestamp when the event was collected by the vendor's local collection infrastructure." + } # dimension metadata__collected_timestamp + + dimension: metadata__description { + type: string + sql: ${TABLE}.metadata.description ;; + group_label: "metadata" + label: "metadata.description" + view_label: "UDM" + description: "A human-readable unparsable description of the event." + } # dimension metadata__description + + dimension: metadata__enrichment_state { + type: number + sql: ${TABLE}.metadata.enrichment_state ;; + group_label: "metadata" + label: "metadata.enrichment_state" + view_label: "UDM" + description: "The enrichment state." 
+ } # dimension metadata__enrichment_state + + dimension: metadata__enrichment_state_enum_name { + type: string + suggestions: ["ENRICHED", "ENRICHMENT_STATE_UNSPECIFIED", "UNENRICHED"] + sql: CASE ${TABLE}.metadata.enrichment_state WHEN 0 THEN 'ENRICHMENT_STATE_UNSPECIFIED' WHEN 1 THEN 'ENRICHED' WHEN 2 THEN 'UNENRICHED' END ;; + group_label: "metadata" + label: "metadata.enrichment_state_enum_name" + view_label: "UDM" + description: "The enrichment state." + } # dimension metadata__enrichment_state_enum_name + + dimension_group: metadata__event_timestamp { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.metadata.event_timestamp.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.metadata.event_timestamp.nanos, 0) / 1000) as INT64)) ;; + group_label: "metadata" + label: "metadata.event_timestamp" + view_label: "UDM" + description: "The GMT timestamp when the event was generated." + } # dimension metadata__event_timestamp + + dimension: metadata__event_type { + type: number + sql: ${TABLE}.metadata.event_type ;; + group_label: "metadata" + label: "metadata.event_type" + view_label: "UDM" + description: "The event type. If an event has multiple possible types, this specifies the most specific type." 
+ } # dimension metadata__event_type + + dimension: metadata__event_type_enum_name { + type: string + suggestions: ["ANALYST_ADD_COMMENT", "ANALYST_UPDATE_PRIORITY", "ANALYST_UPDATE_REASON", "ANALYST_UPDATE_REPUTATION", "ANALYST_UPDATE_RISK_SCORE", "ANALYST_UPDATE_ROOT_CAUSE", "ANALYST_UPDATE_SEVERITY_SCORE", "ANALYST_UPDATE_STATUS", "ANALYST_UPDATE_VERDICT", "DEVICE_CONFIG_UPDATE", "DEVICE_FIRMWARE_UPDATE", "DEVICE_PROGRAM_DOWNLOAD", "DEVICE_PROGRAM_UPLOAD", "EMAIL_TRANSACTION", "EMAIL_UNCATEGORIZED", "EMAIL_URL_CLICK", "EVENTTYPE_UNSPECIFIED", "FILE_COPY", "FILE_CREATION", "FILE_DELETION", "FILE_MODIFICATION", "FILE_MOVE", "FILE_OPEN", "FILE_READ", "FILE_SYNC", "FILE_UNCATEGORIZED", "GENERIC_EVENT", "GROUP_CREATION", "GROUP_DELETION", "GROUP_MODIFICATION", "GROUP_UNCATEGORIZED", "MUTEX_CREATION", "MUTEX_UNCATEGORIZED", "NETWORK_CONNECTION", "NETWORK_DHCP", "NETWORK_DNS", "NETWORK_FLOW", "NETWORK_FTP", "NETWORK_HTTP", "NETWORK_SMTP", "NETWORK_UNCATEGORIZED", "PROCESS_INJECTION", "PROCESS_LAUNCH", "PROCESS_MODULE_LOAD", "PROCESS_OPEN", "PROCESS_PRIVILEGE_ESCALATION", "PROCESS_TERMINATION", "PROCESS_UNCATEGORIZED", "REGISTRY_CREATION", "REGISTRY_DELETION", "REGISTRY_MODIFICATION", "REGISTRY_UNCATEGORIZED", "RESOURCE_CREATION", "RESOURCE_DELETION", "RESOURCE_PERMISSIONS_CHANGE", "RESOURCE_READ", "RESOURCE_WRITTEN", "SCAN_FILE", "SCAN_HOST", "SCAN_NETWORK", "SCAN_PROCESS", "SCAN_PROCESS_BEHAVIORS", "SCAN_UNCATEGORIZED", "SCAN_VULN_HOST", "SCAN_VULN_NETWORK", "SCHEDULED_TASK_CREATION", "SCHEDULED_TASK_DELETION", "SCHEDULED_TASK_DISABLE", "SCHEDULED_TASK_ENABLE", "SCHEDULED_TASK_MODIFICATION", "SCHEDULED_TASK_UNCATEGORIZED", "SERVICE_CREATION", "SERVICE_DELETION", "SERVICE_MODIFICATION", "SERVICE_START", "SERVICE_STOP", "SERVICE_UNSPECIFIED", "SETTING_CREATION", "SETTING_DELETION", "SETTING_MODIFICATION", "SETTING_UNCATEGORIZED", "STATUS_HEARTBEAT", "STATUS_SHUTDOWN", "STATUS_STARTUP", "STATUS_UNCATEGORIZED", "STATUS_UPDATE", "SYSTEM_AUDIT_LOG_UNCATEGORIZED", 
"SYSTEM_AUDIT_LOG_WIPE", "USER_BADGE_IN", "USER_CHANGE_PASSWORD", "USER_CHANGE_PERMISSIONS", "USER_COMMUNICATION", "USER_CREATION", "USER_DELETION", "USER_LOGIN", "USER_LOGOUT", "USER_RESOURCE_ACCESS", "USER_RESOURCE_CREATION", "USER_RESOURCE_DELETION", "USER_RESOURCE_UPDATE_CONTENT", "USER_RESOURCE_UPDATE_PERMISSIONS", "USER_STATS", "USER_UNCATEGORIZED"] + sql: CASE ${TABLE}.metadata.event_type WHEN 0 THEN 'EVENTTYPE_UNSPECIFIED' WHEN 10000 THEN 'PROCESS_UNCATEGORIZED' WHEN 10001 THEN 'PROCESS_LAUNCH' WHEN 10002 THEN 'PROCESS_INJECTION' WHEN 10003 THEN 'PROCESS_PRIVILEGE_ESCALATION' WHEN 10004 THEN 'PROCESS_TERMINATION' WHEN 10005 THEN 'PROCESS_OPEN' WHEN 10006 THEN 'PROCESS_MODULE_LOAD' WHEN 11000 THEN 'REGISTRY_UNCATEGORIZED' WHEN 11001 THEN 'REGISTRY_CREATION' WHEN 11002 THEN 'REGISTRY_MODIFICATION' WHEN 11003 THEN 'REGISTRY_DELETION' WHEN 12000 THEN 'SETTING_UNCATEGORIZED' WHEN 12001 THEN 'SETTING_CREATION' WHEN 12002 THEN 'SETTING_MODIFICATION' WHEN 12003 THEN 'SETTING_DELETION' WHEN 13000 THEN 'MUTEX_UNCATEGORIZED' WHEN 13001 THEN 'MUTEX_CREATION' WHEN 14000 THEN 'FILE_UNCATEGORIZED' WHEN 14001 THEN 'FILE_CREATION' WHEN 14002 THEN 'FILE_DELETION' WHEN 14003 THEN 'FILE_MODIFICATION' WHEN 14004 THEN 'FILE_READ' WHEN 14005 THEN 'FILE_COPY' WHEN 14006 THEN 'FILE_OPEN' WHEN 14007 THEN 'FILE_MOVE' WHEN 14008 THEN 'FILE_SYNC' WHEN 15000 THEN 'USER_UNCATEGORIZED' WHEN 15001 THEN 'USER_LOGIN' WHEN 15002 THEN 'USER_LOGOUT' WHEN 15003 THEN 'USER_CREATION' WHEN 15004 THEN 'USER_CHANGE_PASSWORD' WHEN 15005 THEN 'USER_CHANGE_PERMISSIONS' WHEN 15006 THEN 'USER_STATS' WHEN 15007 THEN 'USER_BADGE_IN' WHEN 15008 THEN 'USER_DELETION' WHEN 15009 THEN 'USER_RESOURCE_CREATION' WHEN 15010 THEN 'USER_RESOURCE_UPDATE_CONTENT' WHEN 15011 THEN 'USER_RESOURCE_UPDATE_PERMISSIONS' WHEN 15012 THEN 'USER_COMMUNICATION' WHEN 15013 THEN 'USER_RESOURCE_ACCESS' WHEN 15014 THEN 'USER_RESOURCE_DELETION' WHEN 23000 THEN 'GROUP_UNCATEGORIZED' WHEN 23001 THEN 'GROUP_CREATION' WHEN 23002 THEN 
'GROUP_DELETION' WHEN 23003 THEN 'GROUP_MODIFICATION' WHEN 19000 THEN 'EMAIL_UNCATEGORIZED' WHEN 19001 THEN 'EMAIL_TRANSACTION' WHEN 19002 THEN 'EMAIL_URL_CLICK' WHEN 16000 THEN 'NETWORK_UNCATEGORIZED' WHEN 16001 THEN 'NETWORK_FLOW' WHEN 16002 THEN 'NETWORK_CONNECTION' WHEN 16003 THEN 'NETWORK_FTP' WHEN 16004 THEN 'NETWORK_DHCP' WHEN 16005 THEN 'NETWORK_DNS' WHEN 16006 THEN 'NETWORK_HTTP' WHEN 16007 THEN 'NETWORK_SMTP' WHEN 17000 THEN 'STATUS_UNCATEGORIZED' WHEN 17001 THEN 'STATUS_HEARTBEAT' WHEN 17002 THEN 'STATUS_STARTUP' WHEN 17003 THEN 'STATUS_SHUTDOWN' WHEN 17004 THEN 'STATUS_UPDATE' WHEN 18000 THEN 'SCAN_UNCATEGORIZED' WHEN 18001 THEN 'SCAN_FILE' WHEN 18002 THEN 'SCAN_PROCESS_BEHAVIORS' WHEN 18003 THEN 'SCAN_PROCESS' WHEN 18004 THEN 'SCAN_HOST' WHEN 18005 THEN 'SCAN_VULN_HOST' WHEN 18006 THEN 'SCAN_VULN_NETWORK' WHEN 18007 THEN 'SCAN_NETWORK' WHEN 20000 THEN 'SCHEDULED_TASK_UNCATEGORIZED' WHEN 20001 THEN 'SCHEDULED_TASK_CREATION' WHEN 20002 THEN 'SCHEDULED_TASK_DELETION' WHEN 20003 THEN 'SCHEDULED_TASK_ENABLE' WHEN 20004 THEN 'SCHEDULED_TASK_DISABLE' WHEN 20005 THEN 'SCHEDULED_TASK_MODIFICATION' WHEN 21000 THEN 'SYSTEM_AUDIT_LOG_UNCATEGORIZED' WHEN 21001 THEN 'SYSTEM_AUDIT_LOG_WIPE' WHEN 22000 THEN 'SERVICE_UNSPECIFIED' WHEN 22001 THEN 'SERVICE_CREATION' WHEN 22002 THEN 'SERVICE_DELETION' WHEN 22003 THEN 'SERVICE_START' WHEN 22004 THEN 'SERVICE_STOP' WHEN 22005 THEN 'SERVICE_MODIFICATION' WHEN 100000 THEN 'GENERIC_EVENT' WHEN 1 THEN 'RESOURCE_CREATION' WHEN 2 THEN 'RESOURCE_DELETION' WHEN 3 THEN 'RESOURCE_PERMISSIONS_CHANGE' WHEN 4 THEN 'RESOURCE_READ' WHEN 5 THEN 'RESOURCE_WRITTEN' WHEN 25000 THEN 'DEVICE_FIRMWARE_UPDATE' WHEN 25001 THEN 'DEVICE_CONFIG_UPDATE' WHEN 25002 THEN 'DEVICE_PROGRAM_UPLOAD' WHEN 25003 THEN 'DEVICE_PROGRAM_DOWNLOAD' WHEN 24000 THEN 'ANALYST_UPDATE_VERDICT' WHEN 24001 THEN 'ANALYST_UPDATE_REPUTATION' WHEN 24002 THEN 'ANALYST_UPDATE_SEVERITY_SCORE' WHEN 24007 THEN 'ANALYST_UPDATE_STATUS' WHEN 24008 THEN 'ANALYST_ADD_COMMENT' WHEN 24009 
THEN 'ANALYST_UPDATE_PRIORITY' WHEN 24010 THEN 'ANALYST_UPDATE_ROOT_CAUSE' WHEN 24011 THEN 'ANALYST_UPDATE_REASON' WHEN 24012 THEN 'ANALYST_UPDATE_RISK_SCORE' END ;; + group_label: "metadata" + label: "metadata.event_type_enum_name" + view_label: "UDM" + description: "The event type. If an event has multiple possible types, this specifies the most specific type." + } # dimension metadata__event_type_enum_name + + dimension: metadata__id { + type: string + sql: ${TABLE}.metadata.id ;; + group_label: "metadata" + label: "metadata.id" + view_label: "UDM" + description: "ID of the UDM event. Can be used for raw and normalized event retrieval." + } # dimension metadata__id + + dimension_group: metadata__ingested_timestamp { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.metadata.ingested_timestamp.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.metadata.ingested_timestamp.nanos, 0) / 1000) as INT64)) ;; + group_label: "metadata" + label: "metadata.ingested_timestamp" + view_label: "UDM" + description: "The GMT timestamp when the event was ingested (received) by Chronicle." + } # dimension metadata__ingested_timestamp + + dimension: metadata__ingestion_labels { + hidden: yes + } # dimension metadata__ingestion_labels + + dimension: metadata__log_type { + type: string + sql: ${TABLE}.metadata.log_type ;; + group_label: "metadata" + label: "metadata.log_type" + view_label: "UDM" + description: "The string value of log type." + } # dimension metadata__log_type + + dimension: metadata__product_deployment_id { + type: string + sql: ${TABLE}.metadata.product_deployment_id ;; + group_label: "metadata" + label: "metadata.product_deployment_id" + view_label: "UDM" + description: "The deployment identifier assigned by the vendor for a product deployment." 
+ } # dimension metadata__product_deployment_id + + dimension: metadata__product_event_type { + type: string + sql: ${TABLE}.metadata.product_event_type ;; + group_label: "metadata" + label: "metadata.product_event_type" + view_label: "UDM" + description: "A short, descriptive, human-readable, product-specific event name or type (e.g. \"Scanned X\", \"User account created\", \"process_start\")." + } # dimension metadata__product_event_type + + dimension: metadata__product_log_id { + type: string + sql: ${TABLE}.metadata.product_log_id ;; + group_label: "metadata" + label: "metadata.product_log_id" + view_label: "UDM" + description: "A vendor-specific event identifier to uniquely identify the event (e.g. a GUID)." + } # dimension metadata__product_log_id + + dimension: metadata__product_name { + type: string + sql: ${TABLE}.metadata.product_name ;; + group_label: "metadata" + label: "metadata.product_name" + view_label: "UDM" + description: "The name of the product." + } # dimension metadata__product_name + + dimension: metadata__product_version { + type: string + sql: ${TABLE}.metadata.product_version ;; + group_label: "metadata" + label: "metadata.product_version" + view_label: "UDM" + description: "The version of the product." + } # dimension metadata__product_version + + dimension: metadata__tags { + hidden: yes + } # dimension metadata__tags + + dimension: metadata__tags__data_tap_config_name { + hidden: yes + } # dimension metadata__tags__data_tap_config_name + + dimension: metadata__tags__tenant_id { + hidden: yes + } # dimension metadata__tags__tenant_id + + dimension: metadata__url_back_to_product { + type: string + sql: ${TABLE}.metadata.url_back_to_product ;; + group_label: "metadata" + label: "metadata.url_back_to_product" + view_label: "UDM" + description: "A URL that takes the user to the source product console for this event." 
+ } # dimension metadata__url_back_to_product + + dimension: metadata__vendor_name { + type: string + sql: ${TABLE}.metadata.vendor_name ;; + group_label: "metadata" + label: "metadata.vendor_name" + view_label: "UDM" + description: "The name of the product vendor." + } # dimension metadata__vendor_name + + dimension: network { + hidden: yes + } # dimension network + + dimension: network__application_protocol { + type: number + sql: ${TABLE}.network.application_protocol ;; + group_label: "network" + label: "network.application_protocol" + view_label: "UDM" + description: "The application protocol." + } # dimension network__application_protocol + + dimension: network__application_protocol_enum_name { + type: string + suggestions: ["AFP", "AMQP", "APPC", "ATOM", "BEEP", "BITCOIN", "BIT_TORRENT", "CFDP", "CIP", "COAP", "COTP", "DCERPC", "DDS", "DEVICE_NET", "DHCP", "DICOM", "DNP3", "DNS", "ENRP", "E_DONKEY", "FAST_TRACK", "FINGER", "FREENET", "FTAM", "GOOSE", "GOPHER", "H323", "HL7", "HTTP", "HTTPS", "IEC104", "IRCP", "KADEMLIA", "KRB5", "LDAP", "LPD", "MIME", "MMS", "MODBUS", "MQTT", "NETCONF", "NFS", "NIS", "NNTP", "NTCIP", "NTP", "OSCAR", "PNRP", "PTP", "QUIC", "RDP", "RELP", "RIP", "RLOGIN", "RPC", "RTMP", "RTP", "RTPS", "RTSP", "SAP", "SDP", "SIP", "SLP", "SMB", "SMTP", "SNMP", "SNTP", "SSH", "SSMS", "STYX", "SV", "TCAP", "TDS", "TOR", "TSP", "UNKNOWN_APPLICATION_PROTOCOL", "VTP", "WEB_DAV", "WHOIS", "X400", "X500", "XMPP"] + sql: CASE ${TABLE}.network.application_protocol WHEN 0 THEN 'UNKNOWN_APPLICATION_PROTOCOL' WHEN 1 THEN 'AFP' WHEN 2 THEN 'APPC' WHEN 3 THEN 'AMQP' WHEN 4 THEN 'ATOM' WHEN 5 THEN 'BEEP' WHEN 6 THEN 'BITCOIN' WHEN 7 THEN 'BIT_TORRENT' WHEN 8 THEN 'CFDP' WHEN 67 THEN 'CIP' WHEN 9 THEN 'COAP' WHEN 68 THEN 'COTP' WHEN 66 THEN 'DCERPC' WHEN 10 THEN 'DDS' WHEN 11 THEN 'DEVICE_NET' WHEN 4000 THEN 'DHCP' WHEN 69 THEN 'DICOM' WHEN 70 THEN 'DNP3' WHEN 3000 THEN 'DNS' WHEN 12 THEN 'E_DONKEY' WHEN 13 THEN 'ENRP' WHEN 14 THEN 'FAST_TRACK' WHEN 15 THEN 
'FINGER' WHEN 16 THEN 'FREENET' WHEN 17 THEN 'FTAM' WHEN 71 THEN 'GOOSE' WHEN 18 THEN 'GOPHER' WHEN 19 THEN 'HL7' WHEN 20 THEN 'H323' WHEN 2000 THEN 'HTTP' WHEN 2001 THEN 'HTTPS' WHEN 72 THEN 'IEC104' WHEN 21 THEN 'IRCP' WHEN 22 THEN 'KADEMLIA' WHEN 65 THEN 'KRB5' WHEN 23 THEN 'LDAP' WHEN 24 THEN 'LPD' WHEN 25 THEN 'MIME' WHEN 73 THEN 'MMS' WHEN 26 THEN 'MODBUS' WHEN 27 THEN 'MQTT' WHEN 28 THEN 'NETCONF' WHEN 29 THEN 'NFS' WHEN 30 THEN 'NIS' WHEN 31 THEN 'NNTP' WHEN 32 THEN 'NTCIP' WHEN 33 THEN 'NTP' WHEN 34 THEN 'OSCAR' WHEN 35 THEN 'PNRP' WHEN 74 THEN 'PTP' WHEN 1000 THEN 'QUIC' WHEN 36 THEN 'RDP' WHEN 37 THEN 'RELP' WHEN 38 THEN 'RIP' WHEN 39 THEN 'RLOGIN' WHEN 40 THEN 'RPC' WHEN 41 THEN 'RTMP' WHEN 42 THEN 'RTP' WHEN 43 THEN 'RTPS' WHEN 44 THEN 'RTSP' WHEN 45 THEN 'SAP' WHEN 46 THEN 'SDP' WHEN 47 THEN 'SIP' WHEN 48 THEN 'SLP' WHEN 49 THEN 'SMB' WHEN 50 THEN 'SMTP' WHEN 75 THEN 'SNMP' WHEN 51 THEN 'SNTP' WHEN 52 THEN 'SSH' WHEN 53 THEN 'SSMS' WHEN 54 THEN 'STYX' WHEN 76 THEN 'SV' WHEN 55 THEN 'TCAP' WHEN 56 THEN 'TDS' WHEN 57 THEN 'TOR' WHEN 58 THEN 'TSP' WHEN 59 THEN 'VTP' WHEN 60 THEN 'WHOIS' WHEN 61 THEN 'WEB_DAV' WHEN 62 THEN 'X400' WHEN 63 THEN 'X500' WHEN 64 THEN 'XMPP' END ;; + group_label: "network" + label: "network.application_protocol_enum_name" + view_label: "UDM" + description: "The application protocol." + } # dimension network__application_protocol_enum_name + + dimension: network__application_protocol_version { + type: string + sql: ${TABLE}.network.application_protocol_version ;; + group_label: "network" + label: "network.application_protocol_version" + view_label: "UDM" + description: "The version of the application protocol. e.g. \"1.1, 2.0\"" + } # dimension network__application_protocol_version + + dimension: network__asn { + type: string + sql: ${TABLE}.network.asn ;; + group_label: "network" + label: "network.asn" + view_label: "UDM" + description: "Autonomous system number." 
+ } # dimension network__asn + + dimension: network__carrier_name { + type: string + sql: ${TABLE}.network.carrier_name ;; + group_label: "network" + label: "network.carrier_name" + view_label: "UDM" + description: "Carrier identification." + } # dimension network__carrier_name + + dimension: network__community_id { + type: string + sql: ${TABLE}.network.community_id ;; + group_label: "network" + label: "network.community_id" + view_label: "UDM" + description: "Community ID network flow hash." + } # dimension network__community_id + + dimension: network__dhcp { + hidden: yes + } # dimension network__dhcp + + dimension: network__dhcp__chaddr { + type: string + sql: ${TABLE}.network.dhcp.chaddr ;; + group_label: "network" + label: "network.dhcp.chaddr" + view_label: "UDM" + description: "Client hardware address (chaddr)." + } # dimension network__dhcp__chaddr + + dimension: network__dhcp__ciaddr { + type: string + sql: ${TABLE}.network.dhcp.ciaddr ;; + group_label: "network" + label: "network.dhcp.ciaddr" + view_label: "UDM" + description: "Client IP address (ciaddr)." + } # dimension network__dhcp__ciaddr + + dimension: network__dhcp__client_hostname { + type: string + sql: ${TABLE}.network.dhcp.client_hostname ;; + group_label: "network" + label: "network.dhcp.client_hostname" + view_label: "UDM" + description: "Client hostname. See RFC2132, section 3.14." + } # dimension network__dhcp__client_hostname + + dimension: network__dhcp__client_identifier { + type: string + sql: ${TABLE}.network.dhcp.client_identifier ;; + group_label: "network" + label: "network.dhcp.client_identifier" + view_label: "UDM" + description: "Client identifier. See RFC2132, section 9.14." + } # dimension network__dhcp__client_identifier + + dimension: network__dhcp__file { + type: string + sql: ${TABLE}.network.dhcp.file ;; + group_label: "network" + label: "network.dhcp.file" + view_label: "UDM" + description: "Boot image filename." 
+ } # dimension network__dhcp__file + + dimension: network__dhcp__flags { + type: number + sql: ${TABLE}.network.dhcp.flags ;; + group_label: "network" + label: "network.dhcp.flags" + view_label: "UDM" + description: "Flags." + } # dimension network__dhcp__flags + + dimension: network__dhcp__giaddr { + type: string + sql: ${TABLE}.network.dhcp.giaddr ;; + group_label: "network" + label: "network.dhcp.giaddr" + view_label: "UDM" + description: "Relay agent IP address (giaddr)." + } # dimension network__dhcp__giaddr + + dimension: network__dhcp__hlen { + type: number + sql: ${TABLE}.network.dhcp.hlen ;; + group_label: "network" + label: "network.dhcp.hlen" + view_label: "UDM" + description: "Hardware address length." + } # dimension network__dhcp__hlen + + dimension: network__dhcp__hops { + type: number + sql: ${TABLE}.network.dhcp.hops ;; + group_label: "network" + label: "network.dhcp.hops" + view_label: "UDM" + description: "Hardware ops." + } # dimension network__dhcp__hops + + dimension: network__dhcp__htype { + type: number + sql: ${TABLE}.network.dhcp.htype ;; + group_label: "network" + label: "network.dhcp.htype" + view_label: "UDM" + description: "Hardware address type." + } # dimension network__dhcp__htype + + dimension: network__dhcp__lease_time_seconds { + type: number + sql: ${TABLE}.network.dhcp.lease_time_seconds ;; + group_label: "network" + label: "network.dhcp.lease_time_seconds" + view_label: "UDM" + description: "Lease time in seconds. See RFC2132, section 9.2." + } # dimension network__dhcp__lease_time_seconds + + dimension: network__dhcp__opcode { + type: number + sql: ${TABLE}.network.dhcp.opcode ;; + group_label: "network" + label: "network.dhcp.opcode" + view_label: "UDM" + description: "The BOOTP op code." 
+ } # dimension network__dhcp__opcode + + dimension: network__dhcp__opcode_enum_name { + type: string + suggestions: ["BOOTREPLY", "BOOTREQUEST", "UNKNOWN_OPCODE"] + sql: CASE ${TABLE}.network.dhcp.opcode WHEN 0 THEN 'UNKNOWN_OPCODE' WHEN 1 THEN 'BOOTREQUEST' WHEN 2 THEN 'BOOTREPLY' END ;; + group_label: "network" + label: "network.dhcp.opcode_enum_name" + view_label: "UDM" + description: "The BOOTP op code." + } # dimension network__dhcp__opcode_enum_name + + dimension: network__dhcp__options { + hidden: yes + } # dimension network__dhcp__options + + dimension: network__dhcp__requested_address { + type: string + sql: ${TABLE}.network.dhcp.requested_address ;; + group_label: "network" + label: "network.dhcp.requested_address" + view_label: "UDM" + description: "Requested IP address. See RFC2132, section 9.1." + } # dimension network__dhcp__requested_address + + dimension: network__dhcp__seconds { + type: number + sql: ${TABLE}.network.dhcp.seconds ;; + group_label: "network" + label: "network.dhcp.seconds" + view_label: "UDM" + description: "Seconds elapsed since client began address acquisition/renewal process." + } # dimension network__dhcp__seconds + + dimension: network__dhcp__siaddr { + type: string + sql: ${TABLE}.network.dhcp.siaddr ;; + group_label: "network" + label: "network.dhcp.siaddr" + view_label: "UDM" + description: "IP address of the next bootstrap server." + } # dimension network__dhcp__siaddr + + dimension: network__dhcp__sname { + type: string + sql: ${TABLE}.network.dhcp.sname ;; + group_label: "network" + label: "network.dhcp.sname" + view_label: "UDM" + description: "Server name that the client wishes to boot from." + } # dimension network__dhcp__sname + + dimension: network__dhcp__transaction_id { + type: number + sql: ${TABLE}.network.dhcp.transaction_id ;; + group_label: "network" + label: "network.dhcp.transaction_id" + view_label: "UDM" + description: "Transaction ID." 
+ } # dimension network__dhcp__transaction_id + + dimension: network__dhcp__type { + type: number + sql: ${TABLE}.network.dhcp.type ;; + group_label: "network" + label: "network.dhcp.type" + view_label: "UDM" + description: "DHCP message type." + } # dimension network__dhcp__type + + dimension: network__dhcp__type_enum_name { + type: string + suggestions: ["ACK", "DECLINE", "DISCOVER", "INFORM", "NAK", "OFFER", "RELEASE", "REQUEST", "UNKNOWN_MESSAGE_TYPE", "WIN_DELETED", "WIN_EXPIRED"] + sql: CASE ${TABLE}.network.dhcp.type WHEN 0 THEN 'UNKNOWN_MESSAGE_TYPE' WHEN 1 THEN 'DISCOVER' WHEN 2 THEN 'OFFER' WHEN 3 THEN 'REQUEST' WHEN 4 THEN 'DECLINE' WHEN 5 THEN 'ACK' WHEN 6 THEN 'NAK' WHEN 7 THEN 'RELEASE' WHEN 8 THEN 'INFORM' WHEN 100 THEN 'WIN_DELETED' WHEN 101 THEN 'WIN_EXPIRED' END ;; + group_label: "network" + label: "network.dhcp.type_enum_name" + view_label: "UDM" + description: "DHCP message type." + } # dimension network__dhcp__type_enum_name + + dimension: network__dhcp__yiaddr { + type: string + sql: ${TABLE}.network.dhcp.yiaddr ;; + group_label: "network" + label: "network.dhcp.yiaddr" + view_label: "UDM" + description: "Your IP address (yiaddr)." + } # dimension network__dhcp__yiaddr + + dimension: network__direction { + type: number + sql: ${TABLE}.network.direction ;; + group_label: "network" + label: "network.direction" + view_label: "UDM" + description: "The direction of network traffic." + } # dimension network__direction + + dimension: network__direction_enum_name { + type: string + suggestions: ["BROADCAST", "INBOUND", "OUTBOUND", "UNKNOWN_DIRECTION"] + sql: CASE ${TABLE}.network.direction WHEN 0 THEN 'UNKNOWN_DIRECTION' WHEN 1 THEN 'INBOUND' WHEN 2 THEN 'OUTBOUND' WHEN 3 THEN 'BROADCAST' END ;; + group_label: "network" + label: "network.direction_enum_name" + view_label: "UDM" + description: "The direction of network traffic." 
+ } # dimension network__direction_enum_name + + dimension: network__dns { + hidden: yes + } # dimension network__dns + + dimension: network__dns__additional { + hidden: yes + } # dimension network__dns__additional + + dimension: network__dns__answers { + hidden: yes + } # dimension network__dns__answers + + dimension: network__dns__authoritative { + type: yesno + sql: ${TABLE}.network.dns.authoritative ;; + group_label: "network" + label: "network.dns.authoritative" + view_label: "UDM" + description: "Other DNS header flags. See RFC1035, section 4.1.1." + } # dimension network__dns__authoritative + + dimension: network__dns__authority { + hidden: yes + } # dimension network__dns__authority + + dimension: network__dns__id { + type: number + sql: ${TABLE}.network.dns.id ;; + group_label: "network" + label: "network.dns.id" + view_label: "UDM" + description: "DNS query id." + } # dimension network__dns__id + + dimension: network__dns__opcode { + type: number + sql: ${TABLE}.network.dns.opcode ;; + group_label: "network" + label: "network.dns.opcode" + view_label: "UDM" + description: "The DNS OpCode used to specify the type of DNS query (e.g. QUERY, IQUERY, STATUS, etc.)." + } # dimension network__dns__opcode + + dimension: network__dns__questions { + hidden: yes + } # dimension network__dns__questions + + dimension: network__dns__recursion_available { + type: yesno + sql: ${TABLE}.network.dns.recursion_available ;; + group_label: "network" + label: "network.dns.recursion_available" + view_label: "UDM" + description: "Whether a recursive DNS lookup is available." + } # dimension network__dns__recursion_available + + dimension: network__dns__recursion_desired { + type: yesno + sql: ${TABLE}.network.dns.recursion_desired ;; + group_label: "network" + label: "network.dns.recursion_desired" + view_label: "UDM" + description: "Whether a recursive DNS lookup is desired." 
+ } # dimension network__dns__recursion_desired + + dimension: network__dns__response { + type: yesno + sql: ${TABLE}.network.dns.response ;; + group_label: "network" + label: "network.dns.response" + view_label: "UDM" + description: "Set to true if the event is a DNS response. See QR field from RFC1035." + } # dimension network__dns__response + + dimension: network__dns__response_code { + type: number + sql: ${TABLE}.network.dns.response_code ;; + group_label: "network" + label: "network.dns.response_code" + view_label: "UDM" + description: "Response code. See RCODE from RFC1035." + } # dimension network__dns__response_code + + dimension: network__dns__truncated { + type: yesno + sql: ${TABLE}.network.dns.truncated ;; + group_label: "network" + label: "network.dns.truncated" + view_label: "UDM" + description: "Whether the DNS response was truncated." + } # dimension network__dns__truncated + + dimension: network__dns_domain { + type: string + sql: ${TABLE}.network.dns_domain ;; + group_label: "network" + label: "network.dns_domain" + view_label: "UDM" + description: "DNS domain name." + } # dimension network__dns_domain + + dimension: network__email { + hidden: yes + } # dimension network__email + + dimension: network__email__bcc { + hidden: yes + } # dimension network__email__bcc + + dimension: network__email__bounce_address { + type: string + sql: ${TABLE}.network.email.bounce_address ;; + group_label: "network" + label: "network.email.bounce_address" + view_label: "UDM" + description: "The envelope from address. https://en.wikipedia.org/wiki/Bounce_address" + } # dimension network__email__bounce_address + + dimension: network__email__cc { + hidden: yes + } # dimension network__email__cc + + dimension: network__email__from { + type: string + sql: ${TABLE}.network.email.from ;; + group_label: "network" + label: "network.email.from" + view_label: "UDM" + description: "The 'from' address." 
+ } # dimension network__email__from + + dimension: network__email__mail_id { + type: string + sql: ${TABLE}.network.email.mail_id ;; + group_label: "network" + label: "network.email.mail_id" + view_label: "UDM" + description: "The mail (or message) ID." + } # dimension network__email__mail_id + + dimension: network__email__reply_to { + type: string + sql: ${TABLE}.network.email.reply_to ;; + group_label: "network" + label: "network.email.reply_to" + view_label: "UDM" + description: "The 'reply to' address." + } # dimension network__email__reply_to + + dimension: network__email__subject { + hidden: yes + } # dimension network__email__subject + + dimension: network__email__to { + hidden: yes + } # dimension network__email__to + + dimension: network__ftp { + hidden: yes + } # dimension network__ftp + + dimension: network__ftp__command { + type: string + sql: ${TABLE}.network.ftp.command ;; + group_label: "network" + label: "network.ftp.command" + view_label: "UDM" + description: "The FTP command." + } # dimension network__ftp__command + + dimension: network__http { + hidden: yes + } # dimension network__http + + dimension: network__http__method { + type: string + sql: ${TABLE}.network.http.method ;; + group_label: "network" + label: "network.http.method" + view_label: "UDM" + description: "The HTTP request method (e.g. \"GET\", \"POST\", \"PATCH\", \"DELETE\")." + } # dimension network__http__method + + dimension: network__http__parsed_user_agent { + hidden: yes + } # dimension network__http__parsed_user_agent + + dimension: network__http__parsed_user_agent__annotation { + hidden: yes + } # dimension network__http__parsed_user_agent__annotation + + dimension: network__http__parsed_user_agent__browser { + type: string + sql: ${TABLE}.network.http.parsed_user_agent.browser ;; + group_label: "network" + label: "network.http.parsed_user_agent.browser" + view_label: "UDM" + description: "Product brand within the family: Firefox, Netscape, Camino etc.. 
Or Earth, Windows-Media-Player etc.. for non-browser user agents." + } # dimension network__http__parsed_user_agent__browser + + dimension: network__http__parsed_user_agent__browser_engine_version { + type: string + sql: ${TABLE}.network.http.parsed_user_agent.browser_engine_version ;; + group_label: "network" + label: "network.http.parsed_user_agent.browser_engine_version" + view_label: "UDM" + description: "Version of the rendering engine e.g. \"8.01\" for \"Opera/8.01\"" + } # dimension network__http__parsed_user_agent__browser_engine_version + + dimension: network__http__parsed_user_agent__browser_version { + type: string + sql: ${TABLE}.network.http.parsed_user_agent.browser_version ;; + group_label: "network" + label: "network.http.parsed_user_agent.browser_version" + view_label: "UDM" + description: "Minor and lower versions unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference)." + } # dimension network__http__parsed_user_agent__browser_version + + dimension: network__http__parsed_user_agent__carrier { + type: string + sql: ${TABLE}.network.http.parsed_user_agent.carrier ;; + group_label: "network" + label: "network.http.parsed_user_agent.carrier" + view_label: "UDM" + description: "Mobile specific: name of mobile carrier" + } # dimension network__http__parsed_user_agent__carrier + + dimension: network__http__parsed_user_agent__device { + type: string + sql: ${TABLE}.network.http.parsed_user_agent.device ;; + group_label: "network" + label: "network.http.parsed_user_agent.device" + view_label: "UDM" + description: "(Usually) Mobile specific: name of hardware device, may or may not contain the full model name. e.g. iPhone, Palm750, SPH-M800. Reduced to \"K\" for Android devices with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference)." 
+ } # dimension network__http__parsed_user_agent__device + + dimension: network__http__parsed_user_agent__device_version { + type: string + sql: ${TABLE}.network.http.parsed_user_agent.device_version ;; + group_label: "network" + label: "network.http.parsed_user_agent.device_version" + view_label: "UDM" + description: "(Usually) Mobile specific: version of hardware device Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference)." + } # dimension network__http__parsed_user_agent__device_version + + dimension: network__http__parsed_user_agent__family { + type: number + sql: ${TABLE}.network.http.parsed_user_agent.family ;; + group_label: "network" + label: "network.http.parsed_user_agent.family" + view_label: "UDM" + description: "User agent family captures the type of browser/app at a high-level e.g. MSIE, Gecko, Safari etc.." + } # dimension network__http__parsed_user_agent__family + + dimension: network__http__parsed_user_agent__family_enum_name { + type: string + suggestions: ["APPLE", "APPLEWEBKIT", "BLACKBERRY", "CLIENT_HINTS", "DOCOMO", "GECKO", "GOOGLE", "KHTML", "KOREAN", "MICROSOFT", "MSIE", "NETFRONT", "NOKIA", "OBIGO", "OPENWAVE", "OPERA", "OTHER", "POLARIS", "SEMC", "SMIT", "TELECA", "USER_DEFINED"] + sql: CASE ${TABLE}.network.http.parsed_user_agent.family WHEN 0 THEN 'USER_DEFINED' WHEN 1 THEN 'MSIE' WHEN 2 THEN 'GECKO' WHEN 3 THEN 'APPLEWEBKIT' WHEN 4 THEN 'OPERA' WHEN 5 THEN 'KHTML' WHEN 10 THEN 'OTHER' WHEN 11 THEN 'APPLE' WHEN 12 THEN 'BLACKBERRY' WHEN 13 THEN 'DOCOMO' WHEN 14 THEN 'GOOGLE' WHEN 15 THEN 'OPENWAVE' WHEN 16 THEN 'POLARIS' WHEN 17 THEN 'OBIGO' WHEN 18 THEN 'TELECA' WHEN 19 THEN 'MICROSOFT' WHEN 20 THEN 'NOKIA' WHEN 21 THEN 'NETFRONT' WHEN 22 THEN 'SEMC' WHEN 23 THEN 'SMIT' WHEN 24 THEN 'KOREAN' WHEN 25 THEN 'CLIENT_HINTS' END ;; + group_label: "network" + label: "network.http.parsed_user_agent.family_enum_name" + view_label: "UDM" + description: "User agent family captures the type of browser/app 
at a high-level e.g. MSIE, Gecko, Safari etc.." + } # dimension network__http__parsed_user_agent__family_enum_name + + dimension: network__http__parsed_user_agent__google_toolbar_version { + type: string + sql: ${TABLE}.network.http.parsed_user_agent.google_toolbar_version ;; + group_label: "network" + label: "network.http.parsed_user_agent.google_toolbar_version" + view_label: "UDM" + description: "Version number of GoogleToolbar, if installed. Applies only to MSIE and Firefox at this time." + } # dimension network__http__parsed_user_agent__google_toolbar_version + + dimension: network__http__parsed_user_agent__java_configuration { + type: string + sql: ${TABLE}.network.http.parsed_user_agent.java_configuration ;; + group_label: "network" + label: "network.http.parsed_user_agent.java_configuration" + view_label: "UDM" + description: "Mobile specific: e.g. Configuration/CLDC-1.1" + } # dimension network__http__parsed_user_agent__java_configuration + + dimension: network__http__parsed_user_agent__java_configuration_version { + type: string + sql: ${TABLE}.network.http.parsed_user_agent.java_configuration_version ;; + group_label: "network" + label: "network.http.parsed_user_agent.java_configuration_version" + view_label: "UDM" + } # dimension network__http__parsed_user_agent__java_configuration_version + + dimension: network__http__parsed_user_agent__java_profile { + type: string + sql: ${TABLE}.network.http.parsed_user_agent.java_profile ;; + group_label: "network" + label: "network.http.parsed_user_agent.java_profile" + view_label: "UDM" + description: "Mobile specific: e.g. 
Profile/MIDP-2.0" + } # dimension network__http__parsed_user_agent__java_profile + + dimension: network__http__parsed_user_agent__java_profile_version { + type: string + sql: ${TABLE}.network.http.parsed_user_agent.java_profile_version ;; + group_label: "network" + label: "network.http.parsed_user_agent.java_profile_version" + view_label: "UDM" + } # dimension network__http__parsed_user_agent__java_profile_version + + dimension: network__http__parsed_user_agent__locale { + type: string + sql: ${TABLE}.network.http.parsed_user_agent.locale ;; + group_label: "network" + label: "network.http.parsed_user_agent.locale" + view_label: "UDM" + description: "Locale in which the browser is running as country code and optionally language pair. Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference)." + } # dimension network__http__parsed_user_agent__locale + + dimension: network__http__parsed_user_agent__messaging { + type: string + sql: ${TABLE}.network.http.parsed_user_agent.messaging ;; + group_label: "network" + label: "network.http.parsed_user_agent.messaging" + view_label: "UDM" + description: "Mobile specific: e.g. MMP/2.0" + } # dimension network__http__parsed_user_agent__messaging + + dimension: network__http__parsed_user_agent__messaging_version { + type: string + sql: ${TABLE}.network.http.parsed_user_agent.messaging_version ;; + group_label: "network" + label: "network.http.parsed_user_agent.messaging_version" + view_label: "UDM" + } # dimension network__http__parsed_user_agent__messaging_version + + dimension: network__http__parsed_user_agent__os { + type: string + sql: ${TABLE}.network.http.parsed_user_agent.os ;; + group_label: "network" + label: "network.http.parsed_user_agent.os" + view_label: "UDM" + description: "Full name of the operating system e.g. 
\"Darwin/9.7.0\", \"Android 1.5\", \"Windows 98\" Version is reduced, and other data might also be missing, for reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference)." + } # dimension network__http__parsed_user_agent__os + + dimension: network__http__parsed_user_agent__os_variant { + type: string + sql: ${TABLE}.network.http.parsed_user_agent.os_variant ;; + group_label: "network" + label: "network.http.parsed_user_agent.os_variant" + view_label: "UDM" + description: "Extra qualifier for the OS e.g. \"(i386)\", \"Build/CUPCAKE\", \"PalmSource/Palm-D061\" Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference)." + } # dimension network__http__parsed_user_agent__os_variant + + dimension: network__http__parsed_user_agent__platform { + type: string + sql: ${TABLE}.network.http.parsed_user_agent.platform ;; + group_label: "network" + label: "network.http.parsed_user_agent.platform" + view_label: "UDM" + description: "The platform describes the environment in which the browser or app runs. For desktop user agents, Platform is a string describing the OS family e.g. Windows, Macintosh, Linux. For mobile user agents, Platform either describes the OS family (if available) or the hardware maker. e.g. Linux, or HTC, LG, Palm." + } # dimension network__http__parsed_user_agent__platform + + dimension: network__http__parsed_user_agent__security { + type: string + sql: ${TABLE}.network.http.parsed_user_agent.security ;; + group_label: "network" + label: "network.http.parsed_user_agent.security" + view_label: "UDM" + description: "Security level reported by user agent, either U, I or N. Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference)." 
+ } # dimension network__http__parsed_user_agent__security + + dimension: network__http__parsed_user_agent__sub_family { + type: string + sql: ${TABLE}.network.http.parsed_user_agent.sub_family ;; + group_label: "network" + label: "network.http.parsed_user_agent.sub_family" + view_label: "UDM" + description: "Sub-family identifies individual regexps when a family has more than 1. This is used to generate the right UA string from a protobuf. Examples in the AppleWebKit family: Chrome and Safari. Can also be an arbitrary identifier." + } # dimension network__http__parsed_user_agent__sub_family + + dimension: network__http__referral_url { + type: string + sql: ${TABLE}.network.http.referral_url ;; + group_label: "network" + label: "network.http.referral_url" + view_label: "UDM" + description: "The URL for the HTTP referer." + } # dimension network__http__referral_url + + dimension: network__http__response_code { + type: number + sql: ${TABLE}.network.http.response_code ;; + group_label: "network" + label: "network.http.response_code" + view_label: "UDM" + description: "The response status code. e.g. 200, 302, 404, 500, etc." + } # dimension network__http__response_code + + dimension: network__http__user_agent { + type: string + sql: ${TABLE}.network.http.user_agent ;; + group_label: "network" + label: "network.http.user_agent" + view_label: "UDM" + description: "The User-Agent request header which includes the application type, operating system, software vendor or software version of the requesting software user agent." + } # dimension network__http__user_agent + + dimension: network__ip_protocol { + type: number + sql: ${TABLE}.network.ip_protocol ;; + group_label: "network" + label: "network.ip_protocol" + view_label: "UDM" + description: "The IP protocol." 
+ } # dimension network__ip_protocol + + dimension: network__ip_protocol_enum_name { + type: string + suggestions: ["EIGRP", "ESP", "ETHERIP", "GRE", "ICMP", "ICMP6", "IGMP", "IP6IN4", "PIM", "SCTP", "TCP", "UDP", "UNKNOWN_IP_PROTOCOL", "VRRP"] + sql: CASE ${TABLE}.network.ip_protocol WHEN 0 THEN 'UNKNOWN_IP_PROTOCOL' WHEN 1 THEN 'ICMP' WHEN 2 THEN 'IGMP' WHEN 6 THEN 'TCP' WHEN 17 THEN 'UDP' WHEN 41 THEN 'IP6IN4' WHEN 47 THEN 'GRE' WHEN 50 THEN 'ESP' WHEN 58 THEN 'ICMP6' WHEN 88 THEN 'EIGRP' WHEN 97 THEN 'ETHERIP' WHEN 103 THEN 'PIM' WHEN 112 THEN 'VRRP' WHEN 132 THEN 'SCTP' END ;; + group_label: "network" + label: "network.ip_protocol_enum_name" + view_label: "UDM" + description: "The IP protocol." + } # dimension network__ip_protocol_enum_name + + dimension: network__organization_name { + type: string + sql: ${TABLE}.network.organization_name ;; + group_label: "network" + label: "network.organization_name" + view_label: "UDM" + description: "Organization name (e.g Google)." + } # dimension network__organization_name + + dimension: network__parent_session_id { + type: string + sql: ${TABLE}.network.parent_session_id ;; + group_label: "network" + label: "network.parent_session_id" + view_label: "UDM" + description: "The ID of the parent network session." + } # dimension network__parent_session_id + + dimension: network__received_bytes { + type: number + sql: ${TABLE}.network.received_bytes ;; + group_label: "network" + label: "network.received_bytes" + view_label: "UDM" + description: "The number of bytes received." + } # dimension network__received_bytes + + dimension: network__received_packets { + type: number + sql: ${TABLE}.network.received_packets ;; + group_label: "network" + label: "network.received_packets" + view_label: "UDM" + description: "The number of packets received." 
+ } # dimension network__received_packets + + dimension: network__sent_bytes { + type: number + sql: ${TABLE}.network.sent_bytes ;; + group_label: "network" + label: "network.sent_bytes" + view_label: "UDM" + description: "The number of bytes sent." + } # dimension network__sent_bytes + + dimension: network__sent_packets { + type: number + sql: ${TABLE}.network.sent_packets ;; + group_label: "network" + label: "network.sent_packets" + view_label: "UDM" + description: "The number of packets sent." + } # dimension network__sent_packets + + dimension_group: network__session_duration { + type: duration + intervals: [ second, minute, hour ] + sql_start: TIMESTAMP_MICROS(0) ;; + sql_end: TIMESTAMP_MICROS(IFNULL(${TABLE}.network.session_duration.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.network.session_duration.nanos, 0) / 1000) as INT64)) ;; + group_label: "network" + label: "network.session_duration" + view_label: "UDM" + description: "The duration of the session as the number of seconds and nanoseconds. For seconds, network.session_duration.seconds, the type is a 64-bit integer. For nanoseconds, network.session_duration.nanos, the type is a 32-bit integer." + } # dimension network__session_duration + + dimension: network__session_id { + type: string + sql: ${TABLE}.network.session_id ;; + group_label: "network" + label: "network.session_id" + view_label: "UDM" + description: "The ID of the network session." + } # dimension network__session_id + + dimension: network__smtp { + hidden: yes + } # dimension network__smtp + + dimension: network__smtp__helo { + type: string + sql: ${TABLE}.network.smtp.helo ;; + group_label: "network" + label: "network.smtp.helo" + view_label: "UDM" + description: "The client's 'HELO'/'EHLO' string." 
+ } # dimension network__smtp__helo + + dimension: network__tls { + hidden: yes + } # dimension network__tls + + dimension: network__tls__cipher { + type: string + sql: ${TABLE}.network.tls.cipher ;; + group_label: "network" + label: "network.tls.cipher" + view_label: "UDM" + description: "Cipher used during the connection." + } # dimension network__tls__cipher + + dimension: network__tls__client { + hidden: yes + } # dimension network__tls__client + + dimension: network__tls__client__certificate { + hidden: yes + } # dimension network__tls__client__certificate + + dimension: network__tls__client__certificate__issuer { + type: string + sql: ${TABLE}.network.tls.client.certificate.issuer ;; + group_label: "network" + label: "network.tls.client.certificate.issuer" + view_label: "UDM" + description: "Issuer of the certificate." + } # dimension network__tls__client__certificate__issuer + + dimension_group: network__tls__client__certificate__not_after { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.network.tls.client.certificate.not_after.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.network.tls.client.certificate.not_after.nanos, 0) / 1000) as INT64)) ;; + group_label: "network" + label: "network.tls.client.certificate.not_after" + view_label: "UDM" + description: "Indicates when the certificate is no longer valid." 
+ } # dimension network__tls__client__certificate__not_after + + dimension_group: network__tls__client__certificate__not_before { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.network.tls.client.certificate.not_before.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.network.tls.client.certificate.not_before.nanos, 0) / 1000) as INT64)) ;; + group_label: "network" + label: "network.tls.client.certificate.not_before" + view_label: "UDM" + description: "Indicates when the certificate is first valid." + } # dimension network__tls__client__certificate__not_before + + dimension: network__tls__client__certificate__serial { + type: string + sql: ${TABLE}.network.tls.client.certificate.serial ;; + group_label: "network" + label: "network.tls.client.certificate.serial" + view_label: "UDM" + description: "Certificate serial number." + } # dimension network__tls__client__certificate__serial + + dimension: network__tls__client__certificate__sha1 { + type: string + sql: ${TABLE}.network.tls.client.certificate.sha1 ;; + group_label: "network" + label: "network.tls.client.certificate.sha1" + view_label: "UDM" + description: "The SHA1 hash of the certificate." + } # dimension network__tls__client__certificate__sha1 + + dimension: network__tls__client__certificate__sha256 { + type: string + sql: ${TABLE}.network.tls.client.certificate.sha256 ;; + group_label: "network" + label: "network.tls.client.certificate.sha256" + view_label: "UDM" + description: "The SHA256 hash of the certificate." + } # dimension network__tls__client__certificate__sha256 + + dimension: network__tls__client__certificate__subject { + type: string + sql: ${TABLE}.network.tls.client.certificate.subject ;; + group_label: "network" + label: "network.tls.client.certificate.subject" + view_label: "UDM" + description: "Subject of the certificate." 
+ } # dimension network__tls__client__certificate__subject + + dimension: network__tls__client__certificate__version { + type: string + sql: ${TABLE}.network.tls.client.certificate.version ;; + group_label: "network" + label: "network.tls.client.certificate.version" + view_label: "UDM" + description: "Certificate version." + } # dimension network__tls__client__certificate__version + + dimension: network__tls__client__ja3 { + type: string + sql: ${TABLE}.network.tls.client.ja3 ;; + group_label: "network" + label: "network.tls.client.ja3" + view_label: "UDM" + description: "JA3 hash from client hello." + } # dimension network__tls__client__ja3 + + dimension: network__tls__client__server_name { + type: string + sql: ${TABLE}.network.tls.client.server_name ;; + group_label: "network" + label: "network.tls.client.server_name" + view_label: "UDM" + description: "Host name of the server, that the client is connecting to." + } # dimension network__tls__client__server_name + + dimension: network__tls__client__supported_ciphers { + hidden: yes + } # dimension network__tls__client__supported_ciphers + + dimension: network__tls__curve { + type: string + sql: ${TABLE}.network.tls.curve ;; + group_label: "network" + label: "network.tls.curve" + view_label: "UDM" + description: "Elliptical curve used for a given cipher." + } # dimension network__tls__curve + + dimension: network__tls__established { + type: yesno + sql: ${TABLE}.network.tls.established ;; + group_label: "network" + label: "network.tls.established" + view_label: "UDM" + description: "Indicates whether the TLS negotiation was successful." + } # dimension network__tls__established + + dimension: network__tls__next_protocol { + type: string + sql: ${TABLE}.network.tls.next_protocol ;; + group_label: "network" + label: "network.tls.next_protocol" + view_label: "UDM" + description: "Protocol to be used for tunnel." 
+ } # dimension network__tls__next_protocol + + dimension: network__tls__resumed { + type: yesno + sql: ${TABLE}.network.tls.resumed ;; + group_label: "network" + label: "network.tls.resumed" + view_label: "UDM" + description: "Indicates whether the TLS connection was resumed from a previous TLS negotiation." + } # dimension network__tls__resumed + + dimension: network__tls__server { + hidden: yes + } # dimension network__tls__server + + dimension: network__tls__server__certificate { + hidden: yes + } # dimension network__tls__server__certificate + + dimension: network__tls__server__certificate__issuer { + type: string + sql: ${TABLE}.network.tls.server.certificate.issuer ;; + group_label: "network" + label: "network.tls.server.certificate.issuer" + view_label: "UDM" + description: "Issuer of the certificate." + } # dimension network__tls__server__certificate__issuer + + dimension: network__tls__server__certificate__md5 { + type: string + sql: ${TABLE}.network.tls.server.certificate.md5 ;; + group_label: "network" + label: "network.tls.server.certificate.md5" + view_label: "UDM" + description: "The MD5 hash of the certificate." + } # dimension network__tls__server__certificate__md5 + + dimension_group: network__tls__server__certificate__not_after { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.network.tls.server.certificate.not_after.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.network.tls.server.certificate.not_after.nanos, 0) / 1000) as INT64)) ;; + group_label: "network" + label: "network.tls.server.certificate.not_after" + view_label: "UDM" + description: "Indicates when the certificate is no longer valid." 
+ } # dimension network__tls__server__certificate__not_after + + dimension_group: network__tls__server__certificate__not_before { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.network.tls.server.certificate.not_before.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.network.tls.server.certificate.not_before.nanos, 0) / 1000) as INT64)) ;; + group_label: "network" + label: "network.tls.server.certificate.not_before" + view_label: "UDM" + description: "Indicates when the certificate is first valid." + } # dimension network__tls__server__certificate__not_before + + dimension: network__tls__server__certificate__serial { + type: string + sql: ${TABLE}.network.tls.server.certificate.serial ;; + group_label: "network" + label: "network.tls.server.certificate.serial" + view_label: "UDM" + description: "Certificate serial number." + } # dimension network__tls__server__certificate__serial + + dimension: network__tls__server__certificate__sha1 { + type: string + sql: ${TABLE}.network.tls.server.certificate.sha1 ;; + group_label: "network" + label: "network.tls.server.certificate.sha1" + view_label: "UDM" + description: "The SHA1 hash of the certificate." + } # dimension network__tls__server__certificate__sha1 + + dimension: network__tls__server__certificate__sha256 { + type: string + sql: ${TABLE}.network.tls.server.certificate.sha256 ;; + group_label: "network" + label: "network.tls.server.certificate.sha256" + view_label: "UDM" + description: "The SHA256 hash of the certificate." + } # dimension network__tls__server__certificate__sha256 + + dimension: network__tls__server__certificate__subject { + type: string + sql: ${TABLE}.network.tls.server.certificate.subject ;; + group_label: "network" + label: "network.tls.server.certificate.subject" + view_label: "UDM" + description: "Subject of the certificate." 
+ } # dimension network__tls__server__certificate__subject + + dimension: network__tls__server__certificate__version { + type: string + sql: ${TABLE}.network.tls.server.certificate.version ;; + group_label: "network" + label: "network.tls.server.certificate.version" + view_label: "UDM" + description: "Certificate version." + } # dimension network__tls__server__certificate__version + + dimension: network__tls__server__ja3s { + type: string + sql: ${TABLE}.network.tls.server.ja3s ;; + group_label: "network" + label: "network.tls.server.ja3s" + view_label: "UDM" + description: "JA3 hash from server hello." + } # dimension network__tls__server__ja3s + + dimension: network__tls__version { + type: string + sql: ${TABLE}.network.tls.version ;; + group_label: "network" + label: "network.tls.version" + view_label: "UDM" + description: "TLS version." + } # dimension network__tls__version + + dimension: network__tls__version_protocol { + type: string + sql: ${TABLE}.network.tls.version_protocol ;; + group_label: "network" + label: "network.tls.version_protocol" + view_label: "UDM" + description: "Protocol." + } # dimension network__tls__version_protocol + + dimension: observer { + hidden: yes + } # dimension observer + + dimension: observer__administrative_domain { + type: string + sql: ${TABLE}.observer.administrative_domain ;; + group_label: "observer" + label: "observer.administrative_domain" + view_label: "UDM" + description: "Domain which the device belongs to (for example, the Microsoft Windows domain)." + } # dimension observer__administrative_domain + + dimension: observer__application { + type: string + sql: ${TABLE}.observer.application ;; + group_label: "observer" + label: "observer.application" + view_label: "UDM" + description: "The name of an application or service. Some SSO solutions only capture the name of a target application such as \"Atlassian\" or \"Chronicle\"." 
+ } # dimension observer__application + + dimension: observer__artifact { + hidden: yes + } # dimension observer__artifact + + dimension: observer__artifact__location { + hidden: yes + } # dimension observer__artifact__location + + dimension: observer__artifact__location__name { + type: string + sql: ${TABLE}.observer.artifact.location.name ;; + group_label: "observer" + label: "observer.artifact.location.name" + view_label: "UDM" + description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." + } # dimension observer__artifact__location__name + + dimension: observer__artifact__location__state { + type: string + sql: ${TABLE}.observer.artifact.location.state ;; + group_label: "observer" + label: "observer.artifact.location.state" + view_label: "UDM" + description: "The state." + } # dimension observer__artifact__location__state + + dimension: observer__asset { + hidden: yes + } # dimension observer__asset + + dimension: observer__asset__attribute { + hidden: yes + } # dimension observer__asset__attribute + + dimension: observer__asset__attribute__labels { + hidden: yes + } # dimension observer__asset__attribute__labels + + dimension: observer__asset__category { + type: string + sql: ${TABLE}.observer.asset.category ;; + group_label: "observer" + label: "observer.asset.category" + view_label: "UDM" + description: "The category of the asset (e.g. \"End User Asset\", \"Workstation\", \"Server\")." + } # dimension observer__asset__category + + dimension: observer__asset__hostname { + type: string + sql: ${TABLE}.observer.asset.hostname ;; + group_label: "observer" + label: "observer.asset.hostname" + view_label: "UDM" + description: "Asset hostname or domain name field." 
+ } # dimension observer__asset__hostname + + dimension: observer__asset__ip { + hidden: yes + } # dimension observer__asset__ip + + dimension: observer__asset__location { + hidden: yes + } # dimension observer__asset__location + + dimension: observer__asset__location__name { + type: string + sql: ${TABLE}.observer.asset.location.name ;; + group_label: "observer" + label: "observer.asset.location.name" + view_label: "UDM" + description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." + } # dimension observer__asset__location__name + + dimension: observer__asset__network_domain { + type: string + sql: ${TABLE}.observer.asset.network_domain ;; + group_label: "observer" + label: "observer.asset.network_domain" + view_label: "UDM" + description: "The network domain of the asset (e.g. \"corp.acme.com\")" + } # dimension observer__asset__network_domain + + dimension: observer__asset__platform_software { + hidden: yes + } # dimension observer__asset__platform_software + + dimension: observer__asset__platform_software__platform_version { + type: string + sql: ${TABLE}.observer.asset.platform_software.platform_version ;; + group_label: "observer" + label: "observer.asset.platform_software.platform_version" + view_label: "UDM" + description: "The platform software version ( e.g. \"Microsoft Windows 1803\")." + } # dimension observer__asset__platform_software__platform_version + + dimension: observer__asset__product_object_id { + type: string + sql: ${TABLE}.observer.asset.product_object_id ;; + group_label: "observer" + label: "observer.asset.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID or similar)." 
+ } # dimension observer__asset__product_object_id + + dimension: observer__asset__software { + hidden: yes + } # dimension observer__asset__software + + dimension: observer__asset__vulnerabilities { + hidden: yes + } # dimension observer__asset__vulnerabilities + + dimension: observer__asset_id { + type: string + sql: ${TABLE}.observer.asset_id ;; + group_label: "observer" + label: "observer.asset_id" + view_label: "UDM" + description: "The asset ID." + } # dimension observer__asset_id + + dimension: observer__cloud { + hidden: yes + } # dimension observer__cloud + + dimension: observer__cloud__environment { + type: number + sql: ${TABLE}.observer.cloud.environment ;; + group_label: "observer" + group_item_label: "observer.cloud.environment [D]" + label: "observer.cloud.environment" + view_label: "UDM" + description: "The Cloud environment. [D]: This field is deprecated and will be removed in a future release" + } # dimension observer__cloud__environment + + dimension: observer__cloud__environment_enum_name { + type: string + suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] + sql: CASE ${TABLE}.observer.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; + group_label: "observer" + group_item_label: "observer.cloud.environment_enum_name [D]" + label: "observer.cloud.environment_enum_name" + view_label: "UDM" + description: "The Cloud environment. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension observer__cloud__environment_enum_name + + dimension: observer__cloud__project { + hidden: yes + } # dimension observer__cloud__project + + dimension: observer__cloud__project__id { + type: string + sql: ${TABLE}.observer.cloud.project.id ;; + group_label: "observer" + group_item_label: "observer.cloud.project.id [D]" + label: "observer.cloud.project.id" + view_label: "UDM" + description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" + } # dimension observer__cloud__project__id + + dimension: observer__cloud__project__name { + type: string + sql: ${TABLE}.observer.cloud.project.name ;; + group_label: "observer" + group_item_label: "observer.cloud.project.name [D]" + label: "observer.cloud.project.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" + } # dimension observer__cloud__project__name + + dimension: observer__domain { + hidden: yes + } # dimension observer__domain + + dimension: observer__domain__name { + type: string + sql: ${TABLE}.observer.domain.name ;; + group_label: "observer" + label: "observer.domain.name" + view_label: "UDM" + description: "The domain name." + } # dimension observer__domain__name + + dimension: observer__file { + hidden: yes + } # dimension observer__file + + dimension: observer__file__full_path { + type: string + sql: ${TABLE}.observer.file.full_path ;; + group_label: "observer" + label: "observer.file.full_path" + view_label: "UDM" + description: "The full path identifying the location of the file on the system." 
+ } # dimension observer__file__full_path + + dimension: observer__file__sha256 { + type: string + sql: ${TABLE}.observer.file.sha256 ;; + group_label: "observer" + label: "observer.file.sha256" + view_label: "UDM" + description: "The SHA256 hash of the file." + } # dimension observer__file__sha256 + + dimension: observer__group { + hidden: yes + } # dimension observer__group + + dimension: observer__group__group_display_name { + type: string + sql: ${TABLE}.observer.group.group_display_name ;; + group_label: "observer" + label: "observer.group.group_display_name" + view_label: "UDM" + description: "Group display name. e.g. \"Finance\"." + } # dimension observer__group__group_display_name + + dimension: observer__hostname { + type: string + sql: ${TABLE}.observer.hostname ;; + group_label: "observer" + label: "observer.hostname" + view_label: "UDM" + description: "Client hostname or domain name field. Hostname also doubles as the domain for remote entities." + } # dimension observer__hostname + + dimension: observer__ip { + hidden: yes + } # dimension observer__ip + + dimension: observer__labels { + hidden: yes + } # dimension observer__labels + + dimension: observer__location { + hidden: yes + } # dimension observer__location + + dimension: observer__location__country_or_region { + type: string + sql: ${TABLE}.observer.location.country_or_region ;; + group_label: "observer" + label: "observer.location.country_or_region" + view_label: "UDM" + description: "The country or region." + } # dimension observer__location__country_or_region + + dimension: observer__location__name { + type: string + sql: ${TABLE}.observer.location.name ;; + group_label: "observer" + label: "observer.location.name" + view_label: "UDM" + description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." 
+ } # dimension observer__location__name + + dimension: observer__mac { + hidden: yes + } # dimension observer__mac + + dimension: observer__namespace { + type: string + sql: ${TABLE}.observer.namespace ;; + group_label: "observer" + label: "observer.namespace" + view_label: "UDM" + description: "Namespace which the device belongs to (e.g. AD forest) Uses for this field include Microsoft Windows AD forest, name of subsidiary or acquisition, etc." + } # dimension observer__namespace + + dimension: observer__platform { + type: number + sql: ${TABLE}.observer.platform ;; + group_label: "observer" + label: "observer.platform" + view_label: "UDM" + description: "Platform." + } # dimension observer__platform + + dimension: observer__platform_enum_name { + type: string + suggestions: ["ANDROID", "AWS", "AZURE", "CHROME_OS", "GCP", "IOS", "LINUX", "MAC", "UNKNOWN_PLATFORM", "WINDOWS"] + sql: CASE ${TABLE}.observer.platform WHEN 0 THEN 'UNKNOWN_PLATFORM' WHEN 1 THEN 'WINDOWS' WHEN 2 THEN 'MAC' WHEN 3 THEN 'LINUX' WHEN 4 THEN 'GCP' WHEN 5 THEN 'AWS' WHEN 6 THEN 'AZURE' WHEN 7 THEN 'IOS' WHEN 8 THEN 'ANDROID' WHEN 9 THEN 'CHROME_OS' END ;; + group_label: "observer" + label: "observer.platform_enum_name" + view_label: "UDM" + description: "Platform." + } # dimension observer__platform_enum_name + + dimension: observer__platform_version { + type: string + sql: ${TABLE}.observer.platform_version ;; + group_label: "observer" + label: "observer.platform_version" + view_label: "UDM" + description: "Platform version. For example, \"Microsoft Windows 1803\"." + } # dimension observer__platform_version + + dimension: observer__port { + type: number + value_format: "#" + sql: ${TABLE}.observer.port ;; + group_label: "observer" + label: "observer.port" + view_label: "UDM" + description: "Source or destination network port number when a specific network connection is described within an event." 
+ } # dimension observer__port + + dimension: observer__process { + hidden: yes + } # dimension observer__process + + dimension: observer__process__file { + hidden: yes + } # dimension observer__process__file + + dimension: observer__process__file__full_path { + type: string + sql: ${TABLE}.observer.process.file.full_path ;; + group_label: "observer" + label: "observer.process.file.full_path" + view_label: "UDM" + description: "The full path identifying the location of the file on the system." + } # dimension observer__process__file__full_path + + dimension: observer__process__parent_pid { + type: string + sql: ${TABLE}.observer.process.parent_pid ;; + group_label: "observer" + group_item_label: "observer.process.parent_pid [D]" + label: "observer.process.parent_pid" + view_label: "UDM" + description: "The ID of the parent process. Deprecated: use parent_process.pid instead. [D]: This field is deprecated and will be removed in a future release" + } # dimension observer__process__parent_pid + + dimension: observer__process__pid { + type: string + sql: ${TABLE}.observer.process.pid ;; + group_label: "observer" + label: "observer.process.pid" + view_label: "UDM" + description: "The process ID." + } # dimension observer__process__pid + + dimension: observer__resource { + hidden: yes + } # dimension observer__resource + + dimension: observer__resource__attribute { + hidden: yes + } # dimension observer__resource__attribute + + dimension: observer__resource__attribute__cloud { + hidden: yes + } # dimension observer__resource__attribute__cloud + + dimension: observer__resource__attribute__cloud__environment { + type: number + sql: ${TABLE}.observer.resource.attribute.cloud.environment ;; + group_label: "observer" + label: "observer.resource.attribute.cloud.environment" + view_label: "UDM" + description: "The Cloud environment." 
+ } # dimension observer__resource__attribute__cloud__environment + + dimension: observer__resource__attribute__cloud__environment_enum_name { + type: string + suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] + sql: CASE ${TABLE}.observer.resource.attribute.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; + group_label: "observer" + label: "observer.resource.attribute.cloud.environment_enum_name" + view_label: "UDM" + description: "The Cloud environment." + } # dimension observer__resource__attribute__cloud__environment_enum_name + + dimension: observer__resource__attribute__labels { + hidden: yes + } # dimension observer__resource__attribute__labels + + dimension: observer__resource__name { + type: string + sql: ${TABLE}.observer.resource.name ;; + group_label: "observer" + label: "observer.resource.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." + } # dimension observer__resource__name + + dimension: observer__resource__parent { + type: string + sql: ${TABLE}.observer.resource.parent ;; + group_label: "observer" + group_item_label: "observer.resource.parent [D]" + label: "observer.resource.parent" + view_label: "UDM" + description: "The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: use resource_ancestors.name. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension observer__resource__parent + + dimension: observer__resource__product_object_id { + type: string + sql: ${TABLE}.observer.resource.product_object_id ;; + group_label: "observer" + label: "observer.resource.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" + } # dimension observer__resource__product_object_id + + dimension: observer__resource__resource_subtype { + type: string + sql: ${TABLE}.observer.resource.resource_subtype ;; + group_label: "observer" + label: "observer.resource.resource_subtype" + view_label: "UDM" + description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\")." + } # dimension observer__resource__resource_subtype + + dimension: observer__resource__resource_type { + type: number + sql: ${TABLE}.observer.resource.resource_type ;; + group_label: "observer" + label: "observer.resource.resource_type" + view_label: "UDM" + description: "Resource type." 
+ } # dimension observer__resource__resource_type + + dimension: observer__resource__resource_type_enum_name { + type: string + suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] + sql: CASE ${TABLE}.observer.resource.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; + group_label: "observer" + label: "observer.resource.resource_type_enum_name" + view_label: "UDM" + description: "Resource type." + } # dimension observer__resource__resource_type_enum_name + + dimension: observer__resource__type { + type: string + sql: ${TABLE}.observer.resource.type ;; + group_label: "observer" + group_item_label: "observer.resource.type [D]" + label: "observer.resource.type" + view_label: "UDM" + description: "Deprecated: use resource_type instead. [D]: This field is deprecated and will be removed in a future release" + } # dimension observer__resource__type + + dimension: observer__url { + type: string + sql: ${TABLE}.observer.url ;; + group_label: "observer" + label: "observer.url" + view_label: "UDM" + description: "The URL." 
+ } # dimension observer__url + + dimension: observer__user { + hidden: yes + } # dimension observer__user + + dimension: observer__user__company_name { + type: string + sql: ${TABLE}.observer.user.company_name ;; + group_label: "observer" + label: "observer.user.company_name" + view_label: "UDM" + description: "User job company name." + } # dimension observer__user__company_name + + dimension: observer__user__email_addresses { + hidden: yes + } # dimension observer__user__email_addresses + + dimension: observer__user__group_identifiers { + hidden: yes + } # dimension observer__user__group_identifiers + + dimension: observer__user__product_object_id { + type: string + sql: ${TABLE}.observer.user.product_object_id ;; + group_label: "observer" + label: "observer.user.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." + } # dimension observer__user__product_object_id + + dimension: observer__user__user_display_name { + type: string + sql: ${TABLE}.observer.user.user_display_name ;; + group_label: "observer" + label: "observer.user.user_display_name" + view_label: "UDM" + description: "The display name of the user (e.g. \"John Locke\")." + } # dimension observer__user__user_display_name + + dimension: observer__user__userid { + type: string + sql: ${TABLE}.observer.user.userid ;; + group_label: "observer" + label: "observer.user.userid" + view_label: "UDM" + description: "The ID of the user." + } # dimension observer__user__userid + + dimension: principal { + hidden: yes + } # dimension principal + + dimension: principal__administrative_domain { + type: string + sql: ${TABLE}.principal.administrative_domain ;; + group_label: "principal" + label: "principal.administrative_domain" + view_label: "UDM" + description: "Domain which the device belongs to (for example, the Microsoft Windows domain)." 
+ } # dimension principal__administrative_domain + + dimension: principal__application { + type: string + sql: ${TABLE}.principal.application ;; + group_label: "principal" + label: "principal.application" + view_label: "UDM" + description: "The name of an application or service. Some SSO solutions only capture the name of a target application such as \"Atlassian\" or \"Chronicle\"." + } # dimension principal__application + + dimension: principal__artifact { + hidden: yes + } # dimension principal__artifact + + dimension: principal__artifact__ip { + type: string + sql: ${TABLE}.principal.artifact.ip ;; + group_label: "principal" + label: "principal.artifact.ip" + view_label: "UDM" + description: "IP address of the artifact." + } # dimension principal__artifact__ip + + dimension: principal__artifact__network { + hidden: yes + } # dimension principal__artifact__network + + dimension: principal__artifact__network__dns { + hidden: yes + } # dimension principal__artifact__network__dns + + dimension: principal__artifact__network__dns__answers { + hidden: yes + } # dimension principal__artifact__network__dns__answers + + dimension: principal__artifact__network__http { + hidden: yes + } # dimension principal__artifact__network__http + + dimension: principal__artifact__network__http__method { + type: string + sql: ${TABLE}.principal.artifact.network.http.method ;; + group_label: "principal" + label: "principal.artifact.network.http.method" + view_label: "UDM" + description: "The HTTP request method (e.g. \"GET\", \"POST\", \"PATCH\", \"DELETE\")." 
+ } # dimension principal__artifact__network__http__method + + dimension: principal__artifact__prevalence { + hidden: yes + } # dimension principal__artifact__prevalence + + dimension: principal__artifact__prevalence__day_count { + type: number + sql: ${TABLE}.principal.artifact.prevalence.day_count ;; + group_label: "principal" + label: "principal.artifact.prevalence.day_count" + view_label: "UDM" + description: "The number of days over which rolling_max is calculated." + } # dimension principal__artifact__prevalence__day_count + + dimension: principal__asset { + hidden: yes + } # dimension principal__asset + + dimension: principal__asset__asset_id { + type: string + sql: ${TABLE}.principal.asset.asset_id ;; + group_label: "principal" + label: "principal.asset.asset_id" + view_label: "UDM" + description: "The asset ID." + } # dimension principal__asset__asset_id + + dimension: principal__asset__attribute { + hidden: yes + } # dimension principal__asset__attribute + + dimension: principal__asset__attribute__cloud { + hidden: yes + } # dimension principal__asset__attribute__cloud + + dimension: principal__asset__attribute__cloud__availability_zone { + type: string + sql: ${TABLE}.principal.asset.attribute.cloud.availability_zone ;; + group_label: "principal" + label: "principal.asset.attribute.cloud.availability_zone" + view_label: "UDM" + description: "The cloud environment availability zone (different from region which is location.name)." + } # dimension principal__asset__attribute__cloud__availability_zone + + dimension: principal__asset__attribute__cloud__environment { + type: number + sql: ${TABLE}.principal.asset.attribute.cloud.environment ;; + group_label: "principal" + label: "principal.asset.attribute.cloud.environment" + view_label: "UDM" + description: "The Cloud environment." 
+ } # dimension principal__asset__attribute__cloud__environment + + dimension: principal__asset__attribute__cloud__environment_enum_name { + type: string + suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] + sql: CASE ${TABLE}.principal.asset.attribute.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; + group_label: "principal" + label: "principal.asset.attribute.cloud.environment_enum_name" + view_label: "UDM" + description: "The Cloud environment." + } # dimension principal__asset__attribute__cloud__environment_enum_name + + dimension: principal__asset__attribute__cloud__project { + hidden: yes + } # dimension principal__asset__attribute__cloud__project + + dimension: principal__asset__attribute__cloud__project__name { + type: string + sql: ${TABLE}.principal.asset.attribute.cloud.project.name ;; + group_label: "principal" + group_item_label: "principal.asset.attribute.cloud.project.name [D]" + label: "principal.asset.attribute.cloud.project.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__asset__attribute__cloud__project__name + + dimension: principal__asset__attribute__cloud__project__resource_type { + type: number + sql: ${TABLE}.principal.asset.attribute.cloud.project.resource_type ;; + group_label: "principal" + group_item_label: "principal.asset.attribute.cloud.project.resource_type [D]" + label: "principal.asset.attribute.cloud.project.resource_type" + view_label: "UDM" + description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension principal__asset__attribute__cloud__project__resource_type + + dimension: principal__asset__attribute__cloud__project__resource_type_enum_name { + type: string + suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] + sql: CASE ${TABLE}.principal.asset.attribute.cloud.project.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; + group_label: "principal" + group_item_label: "principal.asset.attribute.cloud.project.resource_type_enum_name [D]" + label: "principal.asset.attribute.cloud.project.resource_type_enum_name" + view_label: "UDM" + description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension principal__asset__attribute__cloud__project__resource_type_enum_name + + dimension: principal__asset__attribute__cloud__vpc { + hidden: yes + } # dimension principal__asset__attribute__cloud__vpc + + dimension: principal__asset__attribute__cloud__vpc__name { + type: string + sql: ${TABLE}.principal.asset.attribute.cloud.vpc.name ;; + group_label: "principal" + group_item_label: "principal.asset.attribute.cloud.vpc.name [D]" + label: "principal.asset.attribute.cloud.vpc.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__asset__attribute__cloud__vpc__name + + dimension: principal__asset__attribute__cloud__vpc__resource_type { + type: number + sql: ${TABLE}.principal.asset.attribute.cloud.vpc.resource_type ;; + group_label: "principal" + group_item_label: "principal.asset.attribute.cloud.vpc.resource_type [D]" + label: "principal.asset.attribute.cloud.vpc.resource_type" + view_label: "UDM" + description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension principal__asset__attribute__cloud__vpc__resource_type + + dimension: principal__asset__attribute__cloud__vpc__resource_type_enum_name { + type: string + suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] + sql: CASE ${TABLE}.principal.asset.attribute.cloud.vpc.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; + group_label: "principal" + group_item_label: "principal.asset.attribute.cloud.vpc.resource_type_enum_name [D]" + label: "principal.asset.attribute.cloud.vpc.resource_type_enum_name" + view_label: "UDM" + description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension principal__asset__attribute__cloud__vpc__resource_type_enum_name + + dimension_group: principal__asset__attribute__creation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.asset.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.asset.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "principal" + label: "principal.asset.attribute.creation_time" + view_label: "UDM" + description: "Time the resource or entity was created or provisioned." + } # dimension principal__asset__attribute__creation_time + + dimension: principal__asset__attribute__labels { + hidden: yes + } # dimension principal__asset__attribute__labels + + dimension_group: principal__asset__attribute__last_update_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.asset.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.asset.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "principal" + label: "principal.asset.attribute.last_update_time" + view_label: "UDM" + description: "Time the resource or entity was last updated." + } # dimension principal__asset__attribute__last_update_time + + dimension: principal__asset__attribute__roles { + hidden: yes + } # dimension principal__asset__attribute__roles + + dimension: principal__asset__category { + type: string + sql: ${TABLE}.principal.asset.category ;; + group_label: "principal" + label: "principal.asset.category" + view_label: "UDM" + description: "The category of the asset (e.g. \"End User Asset\", \"Workstation\", \"Server\")." 
+ } # dimension principal__asset__category + + dimension_group: principal__asset__creation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.asset.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.asset.creation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "principal" + group_item_label: "principal.asset.creation_time [D]" + label: "principal.asset.creation_time" + view_label: "UDM" + description: "Time the asset was created or provisioned. Deprecate: creation_time should be populated in Attribute as generic metadata. [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__asset__creation_time + + dimension: principal__asset__deployment_status { + type: number + sql: ${TABLE}.principal.asset.deployment_status ;; + group_label: "principal" + label: "principal.asset.deployment_status" + view_label: "UDM" + description: "The deployment status of the asset for device lifecycle purposes." + } # dimension principal__asset__deployment_status + + dimension: principal__asset__deployment_status_enum_name { + type: string + suggestions: ["ACTIVE", "DECOMISSIONED", "DEPLOYMENT_STATUS_UNSPECIFIED", "PENDING_DECOMISSION"] + sql: CASE ${TABLE}.principal.asset.deployment_status WHEN 0 THEN 'DEPLOYMENT_STATUS_UNSPECIFIED' WHEN 1 THEN 'ACTIVE' WHEN 2 THEN 'PENDING_DECOMISSION' WHEN 3 THEN 'DECOMISSIONED' END ;; + group_label: "principal" + label: "principal.asset.deployment_status_enum_name" + view_label: "UDM" + description: "The deployment status of the asset for device lifecycle purposes." 
+ } # dimension principal__asset__deployment_status_enum_name + + dimension_group: principal__asset__first_discover_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.asset.first_discover_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.asset.first_discover_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "principal" + label: "principal.asset.first_discover_time" + view_label: "UDM" + description: "Time the asset was first discovered (by asset management/discoverability software)." + } # dimension principal__asset__first_discover_time + + dimension_group: principal__asset__first_seen_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.asset.first_seen_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.asset.first_seen_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "principal" + label: "principal.asset.first_seen_time" + view_label: "UDM" + description: "The first observed time for an asset. The value is calculated on the basis of the first time the identifier was observed." + } # dimension principal__asset__first_seen_time + + dimension: principal__asset__hardware { + hidden: yes + } # dimension principal__asset__hardware + + dimension: principal__asset__hostname { + type: string + sql: ${TABLE}.principal.asset.hostname ;; + group_label: "principal" + label: "principal.asset.hostname" + view_label: "UDM" + description: "Asset hostname or domain name field." 
+ } # dimension principal__asset__hostname + + dimension: principal__asset__ip { + hidden: yes + } # dimension principal__asset__ip + + dimension: principal__asset__labels { + hidden: yes + } # dimension principal__asset__labels + + dimension_group: principal__asset__last_boot_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.asset.last_boot_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.asset.last_boot_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "principal" + label: "principal.asset.last_boot_time" + view_label: "UDM" + description: "Time the asset was last boot started." + } # dimension principal__asset__last_boot_time + + dimension_group: principal__asset__last_discover_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.asset.last_discover_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.asset.last_discover_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "principal" + label: "principal.asset.last_discover_time" + view_label: "UDM" + description: "Time the asset was last discovered (by asset management/discoverability software)." + } # dimension principal__asset__last_discover_time + + dimension: principal__asset__location { + hidden: yes + } # dimension principal__asset__location + + dimension: principal__asset__location__city { + type: string + sql: ${TABLE}.principal.asset.location.city ;; + group_label: "principal" + label: "principal.asset.location.city" + view_label: "UDM" + description: "The city." 
+ } # dimension principal__asset__location__city + + dimension: principal__asset__location__country_or_region { + type: string + sql: ${TABLE}.principal.asset.location.country_or_region ;; + group_label: "principal" + label: "principal.asset.location.country_or_region" + view_label: "UDM" + description: "The country or region." + } # dimension principal__asset__location__country_or_region + + dimension: principal__asset__location__desk_name { + type: string + sql: ${TABLE}.principal.asset.location.desk_name ;; + group_label: "principal" + label: "principal.asset.location.desk_name" + view_label: "UDM" + description: "Desk name or individual location, typically for an employee in an office. (e.g. \"IN-BLR-BCPC-11-1121D\")." + } # dimension principal__asset__location__desk_name + + dimension: principal__asset__location__floor_name { + type: string + sql: ${TABLE}.principal.asset.location.floor_name ;; + group_label: "principal" + label: "principal.asset.location.floor_name" + view_label: "UDM" + description: "Floor name, number or a combination of the two for a building. (e.g. \"1-A\")." + } # dimension principal__asset__location__floor_name + + dimension: principal__asset__location__name { + type: string + sql: ${TABLE}.principal.asset.location.name ;; + group_label: "principal" + label: "principal.asset.location.name" + view_label: "UDM" + description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." 
+ } # dimension principal__asset__location__name + + dimension: principal__asset__location__region_coordinates { + type: location + sql_latitude: ${TABLE}.principal.asset.location.region_coordinates.latitude ;; + sql_longitude: ${TABLE}.principal.asset.location.region_coordinates.longitude ;; + group_label: "principal" + group_item_label: "principal.asset.location.region_coordinates [L]" + label: "principal.asset.location.region_coordinates" + view_label: "UDM" + description: "Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. [L]: This is a location field and can be used in maps." + } # dimension principal__asset__location__region_coordinates + + dimension: principal__asset__location__region_latitude { + type: number + sql: ${TABLE}.principal.asset.location.region_latitude ;; + group_label: "principal" + group_item_label: "principal.asset.location.region_latitude [D]" + label: "principal.asset.location.region_latitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__asset__location__region_latitude + + dimension: principal__asset__location__region_longitude { + type: number + sql: ${TABLE}.principal.asset.location.region_longitude ;; + group_label: "principal" + group_item_label: "principal.asset.location.region_longitude [D]" + label: "principal.asset.location.region_longitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension principal__asset__location__region_longitude + + dimension: principal__asset__location__location { + type: location + sql_latitude: ${TABLE}.principal.asset.location.region_latitude ;; + sql_longitude: ${TABLE}.principal.asset.location.region_longitude ;; + group_label: "principal" + group_item_label: "principal.asset.location.location [D][L]" + label: "principal.asset.location.location" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." + } # dimension principal__asset__location__location + + dimension: principal__asset__location__state { + type: string + sql: ${TABLE}.principal.asset.location.state ;; + group_label: "principal" + label: "principal.asset.location.state" + view_label: "UDM" + description: "The state." + } # dimension principal__asset__location__state + + dimension: principal__asset__mac { + hidden: yes + } # dimension principal__asset__mac + + dimension: principal__asset__nat_ip { + hidden: yes + } # dimension principal__asset__nat_ip + + dimension: principal__asset__network_domain { + type: string + sql: ${TABLE}.principal.asset.network_domain ;; + group_label: "principal" + label: "principal.asset.network_domain" + view_label: "UDM" + description: "The network domain of the asset (e.g. \"corp.acme.com\")" + } # dimension principal__asset__network_domain + + dimension: principal__asset__platform_software { + hidden: yes + } # dimension principal__asset__platform_software + + dimension: principal__asset__platform_software__platform { + type: number + sql: ${TABLE}.principal.asset.platform_software.platform ;; + group_label: "principal" + label: "principal.asset.platform_software.platform" + view_label: "UDM" + description: "The platform operating system." 
+ } # dimension principal__asset__platform_software__platform + + dimension: principal__asset__platform_software__platform_enum_name { + type: string + suggestions: ["ANDROID", "AWS", "AZURE", "CHROME_OS", "GCP", "IOS", "LINUX", "MAC", "UNKNOWN_PLATFORM", "WINDOWS"] + sql: CASE ${TABLE}.principal.asset.platform_software.platform WHEN 0 THEN 'UNKNOWN_PLATFORM' WHEN 1 THEN 'WINDOWS' WHEN 2 THEN 'MAC' WHEN 3 THEN 'LINUX' WHEN 4 THEN 'GCP' WHEN 5 THEN 'AWS' WHEN 6 THEN 'AZURE' WHEN 7 THEN 'IOS' WHEN 8 THEN 'ANDROID' WHEN 9 THEN 'CHROME_OS' END ;; + group_label: "principal" + label: "principal.asset.platform_software.platform_enum_name" + view_label: "UDM" + description: "The platform operating system." + } # dimension principal__asset__platform_software__platform_enum_name + + dimension: principal__asset__platform_software__platform_patch_level { + type: string + sql: ${TABLE}.principal.asset.platform_software.platform_patch_level ;; + group_label: "principal" + label: "principal.asset.platform_software.platform_patch_level" + view_label: "UDM" + description: "The platform software patch level ( e.g. \"Build 17134.48\", \"SP1\")." + } # dimension principal__asset__platform_software__platform_patch_level + + dimension: principal__asset__platform_software__platform_version { + type: string + sql: ${TABLE}.principal.asset.platform_software.platform_version ;; + group_label: "principal" + label: "principal.asset.platform_software.platform_version" + view_label: "UDM" + description: "The platform software version ( e.g. \"Microsoft Windows 1803\")." + } # dimension principal__asset__platform_software__platform_version + + dimension: principal__asset__product_object_id { + type: string + sql: ${TABLE}.principal.asset.product_object_id ;; + group_label: "principal" + label: "principal.asset.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID or similar)." 
+ } # dimension principal__asset__product_object_id + + dimension: principal__asset__software { + hidden: yes + } # dimension principal__asset__software + + dimension_group: principal__asset__system_last_update_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.asset.system_last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.asset.system_last_update_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "principal" + label: "principal.asset.system_last_update_time" + view_label: "UDM" + description: "Time the asset system or OS was last updated. For all other operations that are not system updates (such as resizing a vm, etc.) use Attribute.last_update_time." + } # dimension principal__asset__system_last_update_time + + dimension: principal__asset__type { + type: number + sql: ${TABLE}.principal.asset.type ;; + group_label: "principal" + label: "principal.asset.type" + view_label: "UDM" + description: "The type of the asset (e.g. workstation or laptop or server)." + } # dimension principal__asset__type + + dimension: principal__asset__type_enum_name { + type: string + suggestions: ["IOT", "LAPTOP", "MOBILE", "NETWORK_ATTACHED_STORAGE", "PRINTER", "ROLE_UNSPECIFIED", "SCANNER", "SERVER", "TAPE_LIBRARY", "WORKSTATION"] + sql: CASE ${TABLE}.principal.asset.type WHEN 0 THEN 'ROLE_UNSPECIFIED' WHEN 1 THEN 'WORKSTATION' WHEN 2 THEN 'LAPTOP' WHEN 3 THEN 'IOT' WHEN 4 THEN 'NETWORK_ATTACHED_STORAGE' WHEN 5 THEN 'PRINTER' WHEN 6 THEN 'SCANNER' WHEN 7 THEN 'SERVER' WHEN 8 THEN 'TAPE_LIBRARY' WHEN 9 THEN 'MOBILE' END ;; + group_label: "principal" + label: "principal.asset.type_enum_name" + view_label: "UDM" + description: "The type of the asset (e.g. workstation or laptop or server)." 
+ } # dimension principal__asset__type_enum_name + + dimension: principal__asset__vulnerabilities { + hidden: yes + } # dimension principal__asset__vulnerabilities + + dimension: principal__asset_id { + type: string + sql: ${TABLE}.principal.asset_id ;; + group_label: "principal" + label: "principal.asset_id" + view_label: "UDM" + description: "The asset ID." + } # dimension principal__asset_id + + dimension: principal__cloud { + hidden: yes + } # dimension principal__cloud + + dimension: principal__cloud__availability_zone { + type: string + sql: ${TABLE}.principal.cloud.availability_zone ;; + group_label: "principal" + group_item_label: "principal.cloud.availability_zone [D]" + label: "principal.cloud.availability_zone" + view_label: "UDM" + description: "The cloud environment availability zone (different from region which is location.name). [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__cloud__availability_zone + + dimension: principal__cloud__environment { + type: number + sql: ${TABLE}.principal.cloud.environment ;; + group_label: "principal" + group_item_label: "principal.cloud.environment [D]" + label: "principal.cloud.environment" + view_label: "UDM" + description: "The Cloud environment. [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__cloud__environment + + dimension: principal__cloud__environment_enum_name { + type: string + suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] + sql: CASE ${TABLE}.principal.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; + group_label: "principal" + group_item_label: "principal.cloud.environment_enum_name [D]" + label: "principal.cloud.environment_enum_name" + view_label: "UDM" + description: "The Cloud environment. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension principal__cloud__environment_enum_name + + dimension: principal__cloud__project { + hidden: yes + } # dimension principal__cloud__project + + dimension: principal__cloud__project__id { + type: string + sql: ${TABLE}.principal.cloud.project.id ;; + group_label: "principal" + group_item_label: "principal.cloud.project.id [D]" + label: "principal.cloud.project.id" + view_label: "UDM" + description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__cloud__project__id + + dimension: principal__cloud__project__name { + type: string + sql: ${TABLE}.principal.cloud.project.name ;; + group_label: "principal" + group_item_label: "principal.cloud.project.name [D]" + label: "principal.cloud.project.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__cloud__project__name + + dimension: principal__cloud__project__parent { + type: string + sql: ${TABLE}.principal.cloud.project.parent ;; + group_label: "principal" + group_item_label: "principal.cloud.project.parent [D]" + label: "principal.cloud.project.parent" + view_label: "UDM" + description: "The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: use resource_ancestors.name. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension principal__cloud__project__parent + + dimension: principal__cloud__project__product_object_id { + type: string + sql: ${TABLE}.principal.cloud.project.product_object_id ;; + group_label: "principal" + group_item_label: "principal.cloud.project.product_object_id [D]" + label: "principal.cloud.project.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__cloud__project__product_object_id + + dimension: principal__cloud__project__resource_subtype { + type: string + sql: ${TABLE}.principal.cloud.project.resource_subtype ;; + group_label: "principal" + group_item_label: "principal.cloud.project.resource_subtype [D]" + label: "principal.cloud.project.resource_subtype" + view_label: "UDM" + description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\"). [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__cloud__project__resource_subtype + + dimension: principal__cloud__project__type { + type: string + sql: ${TABLE}.principal.cloud.project.type ;; + group_label: "principal" + group_item_label: "principal.cloud.project.type [D]" + label: "principal.cloud.project.type" + view_label: "UDM" + description: "Deprecated: use resource_type instead. [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__cloud__project__type + + dimension: principal__cloud__vpc { + hidden: yes + } # dimension principal__cloud__vpc + + dimension: principal__cloud__vpc__id { + type: string + sql: ${TABLE}.principal.cloud.vpc.id ;; + group_label: "principal" + group_item_label: "principal.cloud.vpc.id [D]" + label: "principal.cloud.vpc.id" + view_label: "UDM" + description: "Deprecated: Use resource.name or resource.product_object_id. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension principal__cloud__vpc__id + + dimension: principal__cloud__vpc__name { + type: string + sql: ${TABLE}.principal.cloud.vpc.name ;; + group_label: "principal" + group_item_label: "principal.cloud.vpc.name [D]" + label: "principal.cloud.vpc.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__cloud__vpc__name + + dimension: principal__cloud__vpc__parent { + type: string + sql: ${TABLE}.principal.cloud.vpc.parent ;; + group_label: "principal" + group_item_label: "principal.cloud.vpc.parent [D]" + label: "principal.cloud.vpc.parent" + view_label: "UDM" + description: "The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: use resource_ancestors.name. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension principal__cloud__vpc__parent + + dimension: principal__cloud__vpc__product_object_id { + type: string + sql: ${TABLE}.principal.cloud.vpc.product_object_id ;; + group_label: "principal" + group_item_label: "principal.cloud.vpc.product_object_id [D]" + label: "principal.cloud.vpc.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__cloud__vpc__product_object_id + + dimension: principal__cloud__vpc__resource_subtype { + type: string + sql: ${TABLE}.principal.cloud.vpc.resource_subtype ;; + group_label: "principal" + group_item_label: "principal.cloud.vpc.resource_subtype [D]" + label: "principal.cloud.vpc.resource_subtype" + view_label: "UDM" + description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\"). [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__cloud__vpc__resource_subtype + + dimension: principal__cloud__vpc__resource_type { + type: number + sql: ${TABLE}.principal.cloud.vpc.resource_type ;; + group_label: "principal" + group_item_label: "principal.cloud.vpc.resource_type [D]" + label: "principal.cloud.vpc.resource_type" + view_label: "UDM" + description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension principal__cloud__vpc__resource_type + + dimension: principal__cloud__vpc__resource_type_enum_name { + type: string + suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] + sql: CASE ${TABLE}.principal.cloud.vpc.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; + group_label: "principal" + group_item_label: "principal.cloud.vpc.resource_type_enum_name [D]" + label: "principal.cloud.vpc.resource_type_enum_name" + view_label: "UDM" + description: "Resource type. [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__cloud__vpc__resource_type_enum_name + + dimension: principal__cloud__vpc__type { + type: string + sql: ${TABLE}.principal.cloud.vpc.type ;; + group_label: "principal" + group_item_label: "principal.cloud.vpc.type [D]" + label: "principal.cloud.vpc.type" + view_label: "UDM" + description: "Deprecated: use resource_type instead. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension principal__cloud__vpc__type + + dimension: principal__domain { + hidden: yes + } # dimension principal__domain + + dimension: principal__domain__admin { + hidden: yes + } # dimension principal__domain__admin + + dimension: principal__domain__admin__userid { + type: string + sql: ${TABLE}.principal.domain.admin.userid ;; + group_label: "principal" + label: "principal.domain.admin.userid" + view_label: "UDM" + description: "The ID of the user." + } # dimension principal__domain__admin__userid + + dimension: principal__domain__billing { + hidden: yes + } # dimension principal__domain__billing + + dimension: principal__domain__billing__userid { + type: string + sql: ${TABLE}.principal.domain.billing.userid ;; + group_label: "principal" + label: "principal.domain.billing.userid" + view_label: "UDM" + description: "The ID of the user." + } # dimension principal__domain__billing__userid + + dimension_group: principal__domain__first_seen_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.domain.first_seen_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.domain.first_seen_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "principal" + label: "principal.domain.first_seen_time" + view_label: "UDM" + description: "First seen timestamp of the domain in the customer's environment." 
+ } # dimension principal__domain__first_seen_time + + dimension_group: principal__domain__last_seen_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.domain.last_seen_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.domain.last_seen_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "principal" + label: "principal.domain.last_seen_time" + view_label: "UDM" + description: "Last seen timestamp of the domain in the customer's environment." + } # dimension principal__domain__last_seen_time + + dimension: principal__domain__name { + type: string + sql: ${TABLE}.principal.domain.name ;; + group_label: "principal" + label: "principal.domain.name" + view_label: "UDM" + description: "The domain name." + } # dimension principal__domain__name + + dimension: principal__domain__name_server { + hidden: yes + } # dimension principal__domain__name_server + + dimension: principal__domain__prevalence { + hidden: yes + } # dimension principal__domain__prevalence + + dimension: principal__domain__prevalence__day_count { + type: number + sql: ${TABLE}.principal.domain.prevalence.day_count ;; + group_label: "principal" + label: "principal.domain.prevalence.day_count" + view_label: "UDM" + description: "The number of days over which rolling_max is calculated." + } # dimension principal__domain__prevalence__day_count + + dimension: principal__domain__prevalence__rolling_max { + type: number + sql: ${TABLE}.principal.domain.prevalence.rolling_max ;; + group_label: "principal" + label: "principal.domain.prevalence.rolling_max" + view_label: "UDM" + description: "The maximum number of assets per day accessing the resource over the trailing day_count days." 
+ } # dimension principal__domain__prevalence__rolling_max + + dimension: principal__domain__tech { + hidden: yes + } # dimension principal__domain__tech + + dimension: principal__domain__tech__group_identifiers { + hidden: yes + } # dimension principal__domain__tech__group_identifiers + + dimension: principal__domain__tech__product_object_id { + type: string + sql: ${TABLE}.principal.domain.tech.product_object_id ;; + group_label: "principal" + label: "principal.domain.tech.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." + } # dimension principal__domain__tech__product_object_id + + dimension: principal__domain__whois_server { + type: string + sql: ${TABLE}.principal.domain.whois_server ;; + group_label: "principal" + label: "principal.domain.whois_server" + view_label: "UDM" + description: "Whois server name." + } # dimension principal__domain__whois_server + + dimension: principal__email { + type: string + sql: ${TABLE}.principal.email ;; + group_label: "principal" + label: "principal.email" + view_label: "UDM" + description: "Email address. Only filled in for security_result.about" + } # dimension principal__email + + dimension: principal__file { + hidden: yes + } # dimension principal__file + + dimension: principal__file__authentihash { + type: string + sql: ${TABLE}.principal.file.authentihash ;; + group_label: "principal" + label: "principal.file.authentihash" + view_label: "UDM" + description: "Authentihash of the file." + } # dimension principal__file__authentihash + + dimension: principal__file__full_path { + type: string + sql: ${TABLE}.principal.file.full_path ;; + group_label: "principal" + label: "principal.file.full_path" + view_label: "UDM" + description: "The full path identifying the location of the file on the system." 
+ } # dimension principal__file__full_path + + dimension: principal__file__md5 { + type: string + sql: ${TABLE}.principal.file.md5 ;; + group_label: "principal" + label: "principal.file.md5" + view_label: "UDM" + description: "The MD5 hash of the file." + } # dimension principal__file__md5 + + dimension: principal__file__names { + hidden: yes + } # dimension principal__file__names + + dimension: principal__file__sha1 { + type: string + sql: ${TABLE}.principal.file.sha1 ;; + group_label: "principal" + label: "principal.file.sha1" + view_label: "UDM" + description: "The SHA1 hash of the file." + } # dimension principal__file__sha1 + + dimension: principal__file__sha256 { + type: string + sql: ${TABLE}.principal.file.sha256 ;; + group_label: "principal" + label: "principal.file.sha256" + view_label: "UDM" + description: "The SHA256 hash of the file." + } # dimension principal__file__sha256 + + dimension: principal__file__size { + type: number + sql: ${TABLE}.principal.file.size ;; + group_label: "principal" + label: "principal.file.size" + view_label: "UDM" + description: "The size of the file in bytes." + } # dimension principal__file__size + + dimension: principal__group { + hidden: yes + } # dimension principal__group + + dimension: principal__group__attribute { + hidden: yes + } # dimension principal__group__attribute + + dimension: principal__group__attribute__labels { + hidden: yes + } # dimension principal__group__attribute__labels + + dimension: principal__group__attribute__roles { + hidden: yes + } # dimension principal__group__attribute__roles + + dimension: principal__group__email_addresses { + hidden: yes + } # dimension principal__group__email_addresses + + dimension: principal__group__group_display_name { + type: string + sql: ${TABLE}.principal.group.group_display_name ;; + group_label: "principal" + label: "principal.group.group_display_name" + view_label: "UDM" + description: "Group display name. e.g. \"Finance\"." 
+ } # dimension principal__group__group_display_name + + dimension: principal__group__product_object_id { + type: string + sql: ${TABLE}.principal.group.product_object_id ;; + group_label: "principal" + label: "principal.group.product_object_id" + view_label: "UDM" + description: "Product globally unique user object identifier, such as an LDAP Object Identifier." + } # dimension principal__group__product_object_id + + dimension: principal__group__windows_sid { + type: string + sql: ${TABLE}.principal.group.windows_sid ;; + group_label: "principal" + label: "principal.group.windows_sid" + view_label: "UDM" + description: "Microsoft Windows SID of the group." + } # dimension principal__group__windows_sid + + dimension: principal__hostname { + type: string + sql: ${TABLE}.principal.hostname ;; + group_label: "principal" + label: "principal.hostname" + view_label: "UDM" + description: "Client hostname or domain name field. Hostname also doubles as the domain for remote entities." + } # dimension principal__hostname + + dimension: principal__investigation { + hidden: yes + } # dimension principal__investigation + + dimension: principal__investigation__comments { + hidden: yes + } # dimension principal__investigation__comments + + dimension: principal__investigation__risk_score { + type: number + sql: ${TABLE}.principal.investigation.risk_score ;; + group_label: "principal" + label: "principal.investigation.risk_score" + view_label: "UDM" + description: "Risk score for a finding set by an analyst." + } # dimension principal__investigation__risk_score + + dimension: principal__investigation__root_cause { + type: string + sql: ${TABLE}.principal.investigation.root_cause ;; + group_label: "principal" + label: "principal.investigation.root_cause" + view_label: "UDM" + description: "Root cause of the Alert or Finding set by analyst." 
+ } # dimension principal__investigation__root_cause + + dimension: principal__investigation__status { + type: number + sql: ${TABLE}.principal.investigation.status ;; + group_label: "principal" + label: "principal.investigation.status" + view_label: "UDM" + description: "Describes the workflow status of a finding." + } # dimension principal__investigation__status + + dimension: principal__investigation__status_enum_name { + type: string + suggestions: ["CLOSED", "NEW", "OPEN", "REVIEWED", "STATUS_UNSPECIFIED"] + sql: CASE ${TABLE}.principal.investigation.status WHEN 0 THEN 'STATUS_UNSPECIFIED' WHEN 1 THEN 'NEW' WHEN 2 THEN 'REVIEWED' WHEN 3 THEN 'CLOSED' WHEN 4 THEN 'OPEN' END ;; + group_label: "principal" + label: "principal.investigation.status_enum_name" + view_label: "UDM" + description: "Describes the workflow status of a finding." + } # dimension principal__investigation__status_enum_name + + dimension: principal__investigation__verdict { + type: number + sql: ${TABLE}.principal.investigation.verdict ;; + group_label: "principal" + label: "principal.investigation.verdict" + view_label: "UDM" + description: "Describes reason a finding investigation was resolved." + } # dimension principal__investigation__verdict + + dimension: principal__investigation__verdict_enum_name { + type: string + suggestions: ["FALSE_POSITIVE", "TRUE_POSITIVE", "VERDICT_UNSPECIFIED"] + sql: CASE ${TABLE}.principal.investigation.verdict WHEN 0 THEN 'VERDICT_UNSPECIFIED' WHEN 1 THEN 'TRUE_POSITIVE' WHEN 2 THEN 'FALSE_POSITIVE' END ;; + group_label: "principal" + label: "principal.investigation.verdict_enum_name" + view_label: "UDM" + description: "Describes reason a finding investigation was resolved." 
+ } # dimension principal__investigation__verdict_enum_name + + dimension: principal__ip { + hidden: yes + } # dimension principal__ip + + dimension: principal__ip_geo_artifact { + hidden: yes + } # dimension principal__ip_geo_artifact + + dimension: principal__ip_location { + hidden: yes + } # dimension principal__ip_location + + dimension: principal__labels { + hidden: yes + } # dimension principal__labels + + dimension: principal__location { + hidden: yes + } # dimension principal__location + + dimension: principal__location__city { + type: string + sql: ${TABLE}.principal.location.city ;; + group_label: "principal" + label: "principal.location.city" + view_label: "UDM" + description: "The city." + } # dimension principal__location__city + + dimension: principal__location__country_or_region { + type: string + sql: ${TABLE}.principal.location.country_or_region ;; + group_label: "principal" + label: "principal.location.country_or_region" + view_label: "UDM" + description: "The country or region." + } # dimension principal__location__country_or_region + + dimension: principal__location__floor_name { + type: string + sql: ${TABLE}.principal.location.floor_name ;; + group_label: "principal" + label: "principal.location.floor_name" + view_label: "UDM" + description: "Floor name, number or a combination of the two for a building. (e.g. \"1-A\")." + } # dimension principal__location__floor_name + + dimension: principal__location__name { + type: string + sql: ${TABLE}.principal.location.name ;; + group_label: "principal" + label: "principal.location.name" + view_label: "UDM" + description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." 
+ } # dimension principal__location__name + + dimension: principal__location__region_coordinates { + type: location + sql_latitude: ${TABLE}.principal.location.region_coordinates.latitude ;; + sql_longitude: ${TABLE}.principal.location.region_coordinates.longitude ;; + group_label: "principal" + group_item_label: "principal.location.region_coordinates [L]" + label: "principal.location.region_coordinates" + view_label: "UDM" + description: "Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. [L]: This is a location field and can be used in maps." + } # dimension principal__location__region_coordinates + + dimension: principal__location__region_latitude { + type: number + sql: ${TABLE}.principal.location.region_latitude ;; + group_label: "principal" + group_item_label: "principal.location.region_latitude [D]" + label: "principal.location.region_latitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__location__region_latitude + + dimension: principal__location__region_longitude { + type: number + sql: ${TABLE}.principal.location.region_longitude ;; + group_label: "principal" + group_item_label: "principal.location.region_longitude [D]" + label: "principal.location.region_longitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__location__region_longitude + + dimension: principal__location__location { + type: location + sql_latitude: ${TABLE}.principal.location.region_latitude ;; + sql_longitude: ${TABLE}.principal.location.region_longitude ;; + group_label: "principal" + group_item_label: "principal.location.location [D][L]" + label: "principal.location.location" + view_label: "UDM" + description: "Deprecated: use region_coordinates. 
[D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." + } # dimension principal__location__location + + dimension: principal__location__state { + type: string + sql: ${TABLE}.principal.location.state ;; + group_label: "principal" + label: "principal.location.state" + view_label: "UDM" + description: "The state." + } # dimension principal__location__state + + dimension: principal__mac { + hidden: yes + } # dimension principal__mac + + dimension: principal__namespace { + type: string + sql: ${TABLE}.principal.namespace ;; + group_label: "principal" + label: "principal.namespace" + view_label: "UDM" + description: "Namespace which the device belongs to (e.g. AD forest) Uses for this field include Microsoft Windows AD forest, name of subsidiary or acquisition, etc." + } # dimension principal__namespace + + dimension: principal__nat_ip { + hidden: yes + } # dimension principal__nat_ip + + dimension: principal__nat_port { + type: number + value_format: "#" + sql: ${TABLE}.principal.nat_port ;; + group_label: "principal" + label: "principal.nat_port" + view_label: "UDM" + description: "NAT external network port number when a specific network connection is described within an event." + } # dimension principal__nat_port + + dimension: principal__network { + hidden: yes + } # dimension principal__network + + dimension: principal__platform { + type: number + sql: ${TABLE}.principal.platform ;; + group_label: "principal" + label: "principal.platform" + view_label: "UDM" + description: "Platform." 
+ } # dimension principal__platform + + dimension: principal__platform_enum_name { + type: string + suggestions: ["ANDROID", "AWS", "AZURE", "CHROME_OS", "GCP", "IOS", "LINUX", "MAC", "UNKNOWN_PLATFORM", "WINDOWS"] + sql: CASE ${TABLE}.principal.platform WHEN 0 THEN 'UNKNOWN_PLATFORM' WHEN 1 THEN 'WINDOWS' WHEN 2 THEN 'MAC' WHEN 3 THEN 'LINUX' WHEN 4 THEN 'GCP' WHEN 5 THEN 'AWS' WHEN 6 THEN 'AZURE' WHEN 7 THEN 'IOS' WHEN 8 THEN 'ANDROID' WHEN 9 THEN 'CHROME_OS' END ;; + group_label: "principal" + label: "principal.platform_enum_name" + view_label: "UDM" + description: "Platform." + } # dimension principal__platform_enum_name + + dimension: principal__platform_patch_level { + type: string + sql: ${TABLE}.principal.platform_patch_level ;; + group_label: "principal" + label: "principal.platform_patch_level" + view_label: "UDM" + description: "Platform patch level. For example, \"Build 17134.48\"" + } # dimension principal__platform_patch_level + + dimension: principal__platform_version { + type: string + sql: ${TABLE}.principal.platform_version ;; + group_label: "principal" + label: "principal.platform_version" + view_label: "UDM" + description: "Platform version. For example, \"Microsoft Windows 1803\"." + } # dimension principal__platform_version + + dimension: principal__port { + type: number + value_format: "#" + sql: ${TABLE}.principal.port ;; + group_label: "principal" + label: "principal.port" + view_label: "UDM" + description: "Source or destination network port number when a specific network connection is described within an event." + } # dimension principal__port + + dimension: principal__process { + hidden: yes + } # dimension principal__process + + dimension: principal__process__access_mask { + type: number + sql: ${TABLE}.principal.process.access_mask ;; + group_label: "principal" + label: "principal.process.access_mask" + view_label: "UDM" + description: "A bit mask representing the level of access." 
+ } # dimension principal__process__access_mask + + dimension: principal__process__command_line { + type: string + sql: ${TABLE}.principal.process.command_line ;; + group_label: "principal" + label: "principal.process.command_line" + view_label: "UDM" + description: "The command line command that created the process." + } # dimension principal__process__command_line + + dimension: principal__process__command_line_history { + hidden: yes + } # dimension principal__process__command_line_history + + dimension: principal__process__file { + hidden: yes + } # dimension principal__process__file + + dimension: principal__process__file__capabilities_tags { + hidden: yes + } # dimension principal__process__file__capabilities_tags + + dimension: principal__process__file__file_metadata { + hidden: yes + } # dimension principal__process__file__file_metadata + + dimension: principal__process__file__file_metadata__pe { + hidden: yes + } # dimension principal__process__file__file_metadata__pe + + dimension: principal__process__file__file_metadata__pe__import_hash { + type: string + sql: ${TABLE}.principal.process.file.file_metadata.pe.import_hash ;; + group_label: "principal" + group_item_label: "principal.process.file.file_metadata.pe.import_hash [D]" + label: "principal.process.file.file_metadata.pe.import_hash" + view_label: "UDM" + description: "Hash of PE imports. [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__process__file__file_metadata__pe__import_hash + + dimension: principal__process__file__file_type { + type: number + sql: ${TABLE}.principal.process.file.file_type ;; + group_label: "principal" + label: "principal.process.file.file_type" + view_label: "UDM" + description: "FileType field." 
+ } # dimension principal__process__file__file_type + + dimension: principal__process__file__file_type_enum_name { + type: string + suggestions: ["FILE_TYPE_ACE", "FILE_TYPE_ANDROID", "FILE_TYPE_APPLE", "FILE_TYPE_APPLEDOUBLE", "FILE_TYPE_APPLESCRIPT", "FILE_TYPE_APPLESCRIPT_COMPILED", "FILE_TYPE_APPLESINGLE", "FILE_TYPE_APPLE_PLIST", "FILE_TYPE_ARC", "FILE_TYPE_ARJ", "FILE_TYPE_ASD", "FILE_TYPE_ASF", "FILE_TYPE_AVI", "FILE_TYPE_AWK", "FILE_TYPE_BLACKHOLE", "FILE_TYPE_BMP", "FILE_TYPE_BZIP", "FILE_TYPE_C", "FILE_TYPE_CAB", "FILE_TYPE_CAP", "FILE_TYPE_CHM", "FILE_TYPE_COFF", "FILE_TYPE_COOKIE", "FILE_TYPE_CPP", "FILE_TYPE_CRX", "FILE_TYPE_DEB", "FILE_TYPE_DIB", "FILE_TYPE_DIVX", "FILE_TYPE_DMG", "FILE_TYPE_DOC", "FILE_TYPE_DOCX", "FILE_TYPE_DOS_COM", "FILE_TYPE_DOS_EXE", "FILE_TYPE_DYALOG", "FILE_TYPE_DZIP", "FILE_TYPE_EBOOK", "FILE_TYPE_ELF", "FILE_TYPE_EMAIL_TYPE", "FILE_TYPE_EMF", "FILE_TYPE_EOT", "FILE_TYPE_EPS", "FILE_TYPE_FLA", "FILE_TYPE_FLAC", "FILE_TYPE_FLC", "FILE_TYPE_FLI", "FILE_TYPE_FLV", "FILE_TYPE_FORTRAN", "FILE_TYPE_FPX", "FILE_TYPE_GIF", "FILE_TYPE_GIMP", "FILE_TYPE_GUL", "FILE_TYPE_GZIP", "FILE_TYPE_HTML", "FILE_TYPE_HWP", "FILE_TYPE_ICO", "FILE_TYPE_IN_DESIGN", "FILE_TYPE_IPHONE", "FILE_TYPE_ISOIMAGE", "FILE_TYPE_JAR", "FILE_TYPE_JAVA", "FILE_TYPE_JAVASCRIPT", "FILE_TYPE_JAVA_BYTECODE", "FILE_TYPE_JNG", "FILE_TYPE_JPEG", "FILE_TYPE_KGB", "FILE_TYPE_LATEX", "FILE_TYPE_LINUX", "FILE_TYPE_LINUX_KERNEL", "FILE_TYPE_LNK", "FILE_TYPE_MACH_O", "FILE_TYPE_MACINTOSH", "FILE_TYPE_MACINTOSH_HFS", "FILE_TYPE_MACINTOSH_LIB", "FILE_TYPE_MIDI", "FILE_TYPE_MOV", "FILE_TYPE_MP3", "FILE_TYPE_MP4", "FILE_TYPE_MPEG", "FILE_TYPE_MSCOMPRESS", "FILE_TYPE_MSI", "FILE_TYPE_NE_DLL", "FILE_TYPE_NE_EXE", "FILE_TYPE_ODF", "FILE_TYPE_ODG", "FILE_TYPE_ODP", "FILE_TYPE_ODS", "FILE_TYPE_ODT", "FILE_TYPE_OGG", "FILE_TYPE_OUTLOOK", "FILE_TYPE_PALMOS", "FILE_TYPE_PASCAL", "FILE_TYPE_PDF", "FILE_TYPE_PERL", "FILE_TYPE_PE_DLL", "FILE_TYPE_PE_EXE", "FILE_TYPE_PHP", "FILE_TYPE_PKG", 
"FILE_TYPE_PNG", "FILE_TYPE_POWERSHELL", "FILE_TYPE_PPSX", "FILE_TYPE_PPT", "FILE_TYPE_PPTX", "FILE_TYPE_PS", "FILE_TYPE_PSD", "FILE_TYPE_PYTHON", "FILE_TYPE_QUICKTIME", "FILE_TYPE_RAR", "FILE_TYPE_RM", "FILE_TYPE_ROM", "FILE_TYPE_RPM", "FILE_TYPE_RTF", "FILE_TYPE_RUBY", "FILE_TYPE_RZIP", "FILE_TYPE_SCRIPT", "FILE_TYPE_SEVENZIP", "FILE_TYPE_SHELLSCRIPT", "FILE_TYPE_SVG", "FILE_TYPE_SWF", "FILE_TYPE_SYMBIAN", "FILE_TYPE_T3GP", "FILE_TYPE_TAR", "FILE_TYPE_TARGA", "FILE_TYPE_TEXT", "FILE_TYPE_TIFF", "FILE_TYPE_TORRENT", "FILE_TYPE_TTF", "FILE_TYPE_UNSPECIFIED", "FILE_TYPE_VBA", "FILE_TYPE_WAV", "FILE_TYPE_WEBP", "FILE_TYPE_WINCE", "FILE_TYPE_WMA", "FILE_TYPE_WMV", "FILE_TYPE_WOFF", "FILE_TYPE_XLS", "FILE_TYPE_XLSX", "FILE_TYPE_XML", "FILE_TYPE_XPI", "FILE_TYPE_XWD", "FILE_TYPE_ZIP", "FILE_TYPE_ZLIB"] + sql: CASE ${TABLE}.principal.process.file.file_type WHEN 0 THEN 'FILE_TYPE_UNSPECIFIED' WHEN 1 THEN 'FILE_TYPE_PE_EXE' WHEN 2 THEN 'FILE_TYPE_PE_DLL' WHEN 3 THEN 'FILE_TYPE_MSI' WHEN 10 THEN 'FILE_TYPE_NE_EXE' WHEN 11 THEN 'FILE_TYPE_NE_DLL' WHEN 20 THEN 'FILE_TYPE_DOS_EXE' WHEN 21 THEN 'FILE_TYPE_DOS_COM' WHEN 30 THEN 'FILE_TYPE_COFF' WHEN 31 THEN 'FILE_TYPE_ELF' WHEN 32 THEN 'FILE_TYPE_LINUX_KERNEL' WHEN 33 THEN 'FILE_TYPE_RPM' WHEN 34 THEN 'FILE_TYPE_LINUX' WHEN 35 THEN 'FILE_TYPE_MACH_O' WHEN 36 THEN 'FILE_TYPE_JAVA_BYTECODE' WHEN 37 THEN 'FILE_TYPE_DMG' WHEN 38 THEN 'FILE_TYPE_DEB' WHEN 39 THEN 'FILE_TYPE_PKG' WHEN 50 THEN 'FILE_TYPE_LNK' WHEN 100 THEN 'FILE_TYPE_JPEG' WHEN 101 THEN 'FILE_TYPE_TIFF' WHEN 102 THEN 'FILE_TYPE_GIF' WHEN 103 THEN 'FILE_TYPE_PNG' WHEN 104 THEN 'FILE_TYPE_BMP' WHEN 105 THEN 'FILE_TYPE_GIMP' WHEN 106 THEN 'FILE_TYPE_IN_DESIGN' WHEN 107 THEN 'FILE_TYPE_PSD' WHEN 108 THEN 'FILE_TYPE_TARGA' WHEN 109 THEN 'FILE_TYPE_XWD' WHEN 110 THEN 'FILE_TYPE_DIB' WHEN 111 THEN 'FILE_TYPE_JNG' WHEN 112 THEN 'FILE_TYPE_ICO' WHEN 113 THEN 'FILE_TYPE_FPX' WHEN 114 THEN 'FILE_TYPE_EPS' WHEN 115 THEN 'FILE_TYPE_SVG' WHEN 116 THEN 'FILE_TYPE_EMF' WHEN 117 THEN 
'FILE_TYPE_WEBP' WHEN 150 THEN 'FILE_TYPE_OGG' WHEN 151 THEN 'FILE_TYPE_FLC' WHEN 152 THEN 'FILE_TYPE_FLI' WHEN 153 THEN 'FILE_TYPE_MP3' WHEN 154 THEN 'FILE_TYPE_FLAC' WHEN 155 THEN 'FILE_TYPE_WAV' WHEN 156 THEN 'FILE_TYPE_MIDI' WHEN 157 THEN 'FILE_TYPE_AVI' WHEN 158 THEN 'FILE_TYPE_MPEG' WHEN 159 THEN 'FILE_TYPE_QUICKTIME' WHEN 160 THEN 'FILE_TYPE_ASF' WHEN 161 THEN 'FILE_TYPE_DIVX' WHEN 162 THEN 'FILE_TYPE_FLV' WHEN 163 THEN 'FILE_TYPE_WMA' WHEN 164 THEN 'FILE_TYPE_WMV' WHEN 165 THEN 'FILE_TYPE_RM' WHEN 166 THEN 'FILE_TYPE_MOV' WHEN 167 THEN 'FILE_TYPE_MP4' WHEN 168 THEN 'FILE_TYPE_T3GP' WHEN 200 THEN 'FILE_TYPE_PDF' WHEN 201 THEN 'FILE_TYPE_PS' WHEN 202 THEN 'FILE_TYPE_DOC' WHEN 203 THEN 'FILE_TYPE_DOCX' WHEN 204 THEN 'FILE_TYPE_PPT' WHEN 205 THEN 'FILE_TYPE_PPTX' WHEN 209 THEN 'FILE_TYPE_PPSX' WHEN 206 THEN 'FILE_TYPE_XLS' WHEN 207 THEN 'FILE_TYPE_XLSX' WHEN 208 THEN 'FILE_TYPE_RTF' WHEN 250 THEN 'FILE_TYPE_ODP' WHEN 251 THEN 'FILE_TYPE_ODS' WHEN 252 THEN 'FILE_TYPE_ODT' WHEN 253 THEN 'FILE_TYPE_HWP' WHEN 254 THEN 'FILE_TYPE_GUL' WHEN 255 THEN 'FILE_TYPE_ODF' WHEN 256 THEN 'FILE_TYPE_ODG' WHEN 260 THEN 'FILE_TYPE_EBOOK' WHEN 261 THEN 'FILE_TYPE_LATEX' WHEN 262 THEN 'FILE_TYPE_TTF' WHEN 263 THEN 'FILE_TYPE_EOT' WHEN 264 THEN 'FILE_TYPE_WOFF' WHEN 265 THEN 'FILE_TYPE_CHM' WHEN 300 THEN 'FILE_TYPE_ZIP' WHEN 301 THEN 'FILE_TYPE_GZIP' WHEN 302 THEN 'FILE_TYPE_BZIP' WHEN 303 THEN 'FILE_TYPE_RZIP' WHEN 304 THEN 'FILE_TYPE_DZIP' WHEN 305 THEN 'FILE_TYPE_SEVENZIP' WHEN 306 THEN 'FILE_TYPE_CAB' WHEN 307 THEN 'FILE_TYPE_JAR' WHEN 308 THEN 'FILE_TYPE_RAR' WHEN 309 THEN 'FILE_TYPE_MSCOMPRESS' WHEN 310 THEN 'FILE_TYPE_ACE' WHEN 311 THEN 'FILE_TYPE_ARC' WHEN 312 THEN 'FILE_TYPE_ARJ' WHEN 313 THEN 'FILE_TYPE_ASD' WHEN 314 THEN 'FILE_TYPE_BLACKHOLE' WHEN 315 THEN 'FILE_TYPE_KGB' WHEN 316 THEN 'FILE_TYPE_ZLIB' WHEN 317 THEN 'FILE_TYPE_TAR' WHEN 400 THEN 'FILE_TYPE_TEXT' WHEN 401 THEN 'FILE_TYPE_SCRIPT' WHEN 402 THEN 'FILE_TYPE_PHP' WHEN 403 THEN 'FILE_TYPE_PYTHON' WHEN 404 THEN 
'FILE_TYPE_PERL' WHEN 405 THEN 'FILE_TYPE_RUBY' WHEN 406 THEN 'FILE_TYPE_C' WHEN 407 THEN 'FILE_TYPE_CPP' WHEN 408 THEN 'FILE_TYPE_JAVA' WHEN 409 THEN 'FILE_TYPE_SHELLSCRIPT' WHEN 410 THEN 'FILE_TYPE_PASCAL' WHEN 411 THEN 'FILE_TYPE_AWK' WHEN 412 THEN 'FILE_TYPE_DYALOG' WHEN 413 THEN 'FILE_TYPE_FORTRAN' WHEN 414 THEN 'FILE_TYPE_JAVASCRIPT' WHEN 415 THEN 'FILE_TYPE_POWERSHELL' WHEN 416 THEN 'FILE_TYPE_VBA' WHEN 500 THEN 'FILE_TYPE_SYMBIAN' WHEN 501 THEN 'FILE_TYPE_PALMOS' WHEN 502 THEN 'FILE_TYPE_WINCE' WHEN 503 THEN 'FILE_TYPE_ANDROID' WHEN 504 THEN 'FILE_TYPE_IPHONE' WHEN 600 THEN 'FILE_TYPE_HTML' WHEN 601 THEN 'FILE_TYPE_XML' WHEN 602 THEN 'FILE_TYPE_SWF' WHEN 603 THEN 'FILE_TYPE_FLA' WHEN 604 THEN 'FILE_TYPE_COOKIE' WHEN 605 THEN 'FILE_TYPE_TORRENT' WHEN 606 THEN 'FILE_TYPE_EMAIL_TYPE' WHEN 607 THEN 'FILE_TYPE_OUTLOOK' WHEN 700 THEN 'FILE_TYPE_CAP' WHEN 800 THEN 'FILE_TYPE_ISOIMAGE' WHEN 1000 THEN 'FILE_TYPE_APPLE' WHEN 1001 THEN 'FILE_TYPE_MACINTOSH' WHEN 1002 THEN 'FILE_TYPE_APPLESINGLE' WHEN 1003 THEN 'FILE_TYPE_APPLEDOUBLE' WHEN 1004 THEN 'FILE_TYPE_MACINTOSH_HFS' WHEN 1005 THEN 'FILE_TYPE_APPLE_PLIST' WHEN 1006 THEN 'FILE_TYPE_MACINTOSH_LIB' WHEN 1007 THEN 'FILE_TYPE_APPLESCRIPT' WHEN 1008 THEN 'FILE_TYPE_APPLESCRIPT_COMPILED' WHEN 1100 THEN 'FILE_TYPE_CRX' WHEN 1101 THEN 'FILE_TYPE_XPI' WHEN 1200 THEN 'FILE_TYPE_ROM' END ;; + group_label: "principal" + label: "principal.process.file.file_type_enum_name" + view_label: "UDM" + description: "FileType field." + } # dimension principal__process__file__file_type_enum_name + + dimension: principal__process__file__full_path { + type: string + sql: ${TABLE}.principal.process.file.full_path ;; + group_label: "principal" + label: "principal.process.file.full_path" + view_label: "UDM" + description: "The full path identifying the location of the file on the system." 
+ } # dimension principal__process__file__full_path + + dimension: principal__process__file__md5 { + type: string + sql: ${TABLE}.principal.process.file.md5 ;; + group_label: "principal" + label: "principal.process.file.md5" + view_label: "UDM" + description: "The MD5 hash of the file." + } # dimension principal__process__file__md5 + + dimension: principal__process__file__mime_type { + type: string + sql: ${TABLE}.principal.process.file.mime_type ;; + group_label: "principal" + label: "principal.process.file.mime_type" + view_label: "UDM" + description: "The MIME (Multipurpose Internet Mail Extensions) type of the file, for example \"PE\", \"PDF\", \"powershell script\", etc." + } # dimension principal__process__file__mime_type + + dimension: principal__process__file__names { + hidden: yes + } # dimension principal__process__file__names + + dimension: principal__process__file__pe_file { + hidden: yes + } # dimension principal__process__file__pe_file + + dimension: principal__process__file__pe_file__signature_info { + hidden: yes + } # dimension principal__process__file__pe_file__signature_info + + dimension: principal__process__file__pe_file__signature_info__verification_message { + type: string + sql: ${TABLE}.principal.process.file.pe_file.signature_info.verification_message ;; + group_label: "principal" + group_item_label: "principal.process.file.pe_file.signature_info.verification_message [D]" + label: "principal.process.file.pe_file.signature_info.verification_message" + view_label: "UDM" + description: "Status of the certificate. Valid values are \"Signed\", \"Unsigned\" or a description of the certificate anomaly, if found. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension principal__process__file__pe_file__signature_info__verification_message + + dimension: principal__process__file__sha1 { + type: string + sql: ${TABLE}.principal.process.file.sha1 ;; + group_label: "principal" + label: "principal.process.file.sha1" + view_label: "UDM" + description: "The SHA1 hash of the file." + } # dimension principal__process__file__sha1 + + dimension: principal__process__file__sha256 { + type: string + sql: ${TABLE}.principal.process.file.sha256 ;; + group_label: "principal" + label: "principal.process.file.sha256" + view_label: "UDM" + description: "The SHA256 hash of the file." + } # dimension principal__process__file__sha256 + + dimension: principal__process__file__size { + type: number + sql: ${TABLE}.principal.process.file.size ;; + group_label: "principal" + label: "principal.process.file.size" + view_label: "UDM" + description: "The size of the file in bytes." + } # dimension principal__process__file__size + + dimension: principal__process__parent_pid { + type: string + sql: ${TABLE}.principal.process.parent_pid ;; + group_label: "principal" + group_item_label: "principal.process.parent_pid [D]" + label: "principal.process.parent_pid" + view_label: "UDM" + description: "The ID of the parent process. Deprecated: use parent_process.pid instead. [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__process__parent_pid + + dimension: principal__process__parent_process { + hidden: yes + } # dimension principal__process__parent_process + + dimension: principal__process__parent_process__command_line { + type: string + sql: ${TABLE}.principal.process.parent_process.command_line ;; + group_label: "principal" + label: "principal.process.parent_process.command_line" + view_label: "UDM" + description: "The command line command that created the process." 
+ } # dimension principal__process__parent_process__command_line + + dimension: principal__process__parent_process__file { + hidden: yes + } # dimension principal__process__parent_process__file + + dimension: principal__process__parent_process__file__file_metadata { + hidden: yes + } # dimension principal__process__parent_process__file__file_metadata + + dimension: principal__process__parent_process__file__file_metadata__pe { + hidden: yes + } # dimension principal__process__parent_process__file__file_metadata__pe + + dimension: principal__process__parent_process__file__file_metadata__pe__import_hash { + type: string + sql: ${TABLE}.principal.process.parent_process.file.file_metadata.pe.import_hash ;; + group_label: "principal" + group_item_label: "principal.process.parent_process.file.file_metadata.pe.import_hash [D]" + label: "principal.process.parent_process.file.file_metadata.pe.import_hash" + view_label: "UDM" + description: "Hash of PE imports. [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__process__parent_process__file__file_metadata__pe__import_hash + + dimension: principal__process__parent_process__file__full_path { + type: string + sql: ${TABLE}.principal.process.parent_process.file.full_path ;; + group_label: "principal" + label: "principal.process.parent_process.file.full_path" + view_label: "UDM" + description: "The full path identifying the location of the file on the system." + } # dimension principal__process__parent_process__file__full_path + + dimension: principal__process__parent_process__file__md5 { + type: string + sql: ${TABLE}.principal.process.parent_process.file.md5 ;; + group_label: "principal" + label: "principal.process.parent_process.file.md5" + view_label: "UDM" + description: "The MD5 hash of the file." 
+ } # dimension principal__process__parent_process__file__md5 + + dimension: principal__process__parent_process__file__mime_type { + type: string + sql: ${TABLE}.principal.process.parent_process.file.mime_type ;; + group_label: "principal" + label: "principal.process.parent_process.file.mime_type" + view_label: "UDM" + description: "The MIME (Multipurpose Internet Mail Extensions) type of the file, for example \"PE\", \"PDF\", \"powershell script\", etc." + } # dimension principal__process__parent_process__file__mime_type + + dimension: principal__process__parent_process__file__sha1 { + type: string + sql: ${TABLE}.principal.process.parent_process.file.sha1 ;; + group_label: "principal" + label: "principal.process.parent_process.file.sha1" + view_label: "UDM" + description: "The SHA1 hash of the file." + } # dimension principal__process__parent_process__file__sha1 + + dimension: principal__process__parent_process__file__sha256 { + type: string + sql: ${TABLE}.principal.process.parent_process.file.sha256 ;; + group_label: "principal" + label: "principal.process.parent_process.file.sha256" + view_label: "UDM" + description: "The SHA256 hash of the file." + } # dimension principal__process__parent_process__file__sha256 + + dimension: principal__process__parent_process__file__size { + type: number + sql: ${TABLE}.principal.process.parent_process.file.size ;; + group_label: "principal" + label: "principal.process.parent_process.file.size" + view_label: "UDM" + description: "The size of the file in bytes." + } # dimension principal__process__parent_process__file__size + + dimension: principal__process__parent_process__parent_pid { + type: string + sql: ${TABLE}.principal.process.parent_process.parent_pid ;; + group_label: "principal" + group_item_label: "principal.process.parent_process.parent_pid [D]" + label: "principal.process.parent_process.parent_pid" + view_label: "UDM" + description: "The ID of the parent process. Deprecated: use parent_process.pid instead. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension principal__process__parent_process__parent_pid + + dimension: principal__process__parent_process__pid { + type: string + sql: ${TABLE}.principal.process.parent_process.pid ;; + group_label: "principal" + label: "principal.process.parent_process.pid" + view_label: "UDM" + description: "The process ID." + } # dimension principal__process__parent_process__pid + + dimension: principal__process__parent_process__product_specific_process_id { + type: string + sql: ${TABLE}.principal.process.parent_process.product_specific_process_id ;; + group_label: "principal" + label: "principal.process.parent_process.product_specific_process_id" + view_label: "UDM" + description: "A product specific process id." + } # dimension principal__process__parent_process__product_specific_process_id + + dimension: principal__process__pid { + type: string + sql: ${TABLE}.principal.process.pid ;; + group_label: "principal" + label: "principal.process.pid" + view_label: "UDM" + description: "The process ID." + } # dimension principal__process__pid + + dimension: principal__process__product_specific_parent_process_id { + type: string + sql: ${TABLE}.principal.process.product_specific_parent_process_id ;; + group_label: "principal" + group_item_label: "principal.process.product_specific_parent_process_id [D]" + label: "principal.process.product_specific_parent_process_id" + view_label: "UDM" + description: "A product specific id for the parent process. Please use parent_process.product_specific_process_id instead. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension principal__process__product_specific_parent_process_id + + dimension: principal__process__product_specific_process_id { + type: string + sql: ${TABLE}.principal.process.product_specific_process_id ;; + group_label: "principal" + label: "principal.process.product_specific_process_id" + view_label: "UDM" + description: "A product specific process id." + } # dimension principal__process__product_specific_process_id + + dimension: principal__process_ancestors { + hidden: yes + } # dimension principal__process_ancestors + + dimension: principal__registry { + hidden: yes + } # dimension principal__registry + + dimension: principal__registry__registry_key { + type: string + sql: ${TABLE}.principal.registry.registry_key ;; + group_label: "principal" + label: "principal.registry.registry_key" + view_label: "UDM" + description: "Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...)." + } # dimension principal__registry__registry_key + + dimension: principal__registry__registry_value_data { + type: string + sql: ${TABLE}.principal.registry.registry_value_data ;; + group_label: "principal" + label: "principal.registry.registry_value_data" + view_label: "UDM" + description: "Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp)." + } # dimension principal__registry__registry_value_data + + dimension: principal__registry__registry_value_name { + type: string + sql: ${TABLE}.principal.registry.registry_value_name ;; + group_label: "principal" + label: "principal.registry.registry_value_name" + view_label: "UDM" + description: "Name of the registry value associated with an application or system component (e.g. TEMP)." 
+ } # dimension principal__registry__registry_value_name + + dimension: principal__resource { + hidden: yes + } # dimension principal__resource + + dimension: principal__resource__attribute { + hidden: yes + } # dimension principal__resource__attribute + + dimension: principal__resource__attribute__cloud { + hidden: yes + } # dimension principal__resource__attribute__cloud + + dimension: principal__resource__attribute__cloud__availability_zone { + type: string + sql: ${TABLE}.principal.resource.attribute.cloud.availability_zone ;; + group_label: "principal" + label: "principal.resource.attribute.cloud.availability_zone" + view_label: "UDM" + description: "The cloud environment availability zone (different from region which is location.name)." + } # dimension principal__resource__attribute__cloud__availability_zone + + dimension: principal__resource__attribute__cloud__environment { + type: number + sql: ${TABLE}.principal.resource.attribute.cloud.environment ;; + group_label: "principal" + label: "principal.resource.attribute.cloud.environment" + view_label: "UDM" + description: "The Cloud environment." + } # dimension principal__resource__attribute__cloud__environment + + dimension: principal__resource__attribute__cloud__environment_enum_name { + type: string + suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] + sql: CASE ${TABLE}.principal.resource.attribute.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; + group_label: "principal" + label: "principal.resource.attribute.cloud.environment_enum_name" + view_label: "UDM" + description: "The Cloud environment." 
+ } # dimension principal__resource__attribute__cloud__environment_enum_name + + dimension: principal__resource__attribute__cloud__project { + hidden: yes + } # dimension principal__resource__attribute__cloud__project + + dimension: principal__resource__attribute__cloud__project__name { + type: string + sql: ${TABLE}.principal.resource.attribute.cloud.project.name ;; + group_label: "principal" + group_item_label: "principal.resource.attribute.cloud.project.name [D]" + label: "principal.resource.attribute.cloud.project.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__resource__attribute__cloud__project__name + + dimension: principal__resource__attribute__cloud__project__resource_subtype { + type: string + sql: ${TABLE}.principal.resource.attribute.cloud.project.resource_subtype ;; + group_label: "principal" + group_item_label: "principal.resource.attribute.cloud.project.resource_subtype [D]" + label: "principal.resource.attribute.cloud.project.resource_subtype" + view_label: "UDM" + description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\"). 
[D]: This field is deprecated and will be removed in a future release" + } # dimension principal__resource__attribute__cloud__project__resource_subtype + + dimension_group: principal__resource__attribute__creation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.resource.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.resource.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "principal" + label: "principal.resource.attribute.creation_time" + view_label: "UDM" + description: "Time the resource or entity was created or provisioned." + } # dimension principal__resource__attribute__creation_time + + dimension: principal__resource__attribute__labels { + hidden: yes + } # dimension principal__resource__attribute__labels + + dimension_group: principal__resource__attribute__last_update_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.resource.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.resource.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "principal" + label: "principal.resource.attribute.last_update_time" + view_label: "UDM" + description: "Time the resource or entity was last updated." 
+ } # dimension principal__resource__attribute__last_update_time + + dimension: principal__resource__attribute__permissions { + hidden: yes + } # dimension principal__resource__attribute__permissions + + dimension: principal__resource__attribute__roles { + hidden: yes + } # dimension principal__resource__attribute__roles + + dimension: principal__resource__id { + type: string + sql: ${TABLE}.principal.resource.id ;; + group_label: "principal" + group_item_label: "principal.resource.id [D]" + label: "principal.resource.id" + view_label: "UDM" + description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__resource__id + + dimension: principal__resource__name { + type: string + sql: ${TABLE}.principal.resource.name ;; + group_label: "principal" + label: "principal.resource.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." + } # dimension principal__resource__name + + dimension: principal__resource__parent { + type: string + sql: ${TABLE}.principal.resource.parent ;; + group_label: "principal" + group_item_label: "principal.resource.parent [D]" + label: "principal.resource.parent" + view_label: "UDM" + description: "The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: use resource_ancestors.name. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension principal__resource__parent + + dimension: principal__resource__product_object_id { + type: string + sql: ${TABLE}.principal.resource.product_object_id ;; + group_label: "principal" + label: "principal.resource.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" + } # dimension principal__resource__product_object_id + + dimension: principal__resource__resource_subtype { + type: string + sql: ${TABLE}.principal.resource.resource_subtype ;; + group_label: "principal" + label: "principal.resource.resource_subtype" + view_label: "UDM" + description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\")." + } # dimension principal__resource__resource_subtype + + dimension: principal__resource__resource_type { + type: number + sql: ${TABLE}.principal.resource.resource_type ;; + group_label: "principal" + label: "principal.resource.resource_type" + view_label: "UDM" + description: "Resource type." 
+ } # dimension principal__resource__resource_type + + dimension: principal__resource__resource_type_enum_name { + type: string + suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] + sql: CASE ${TABLE}.principal.resource.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; + group_label: "principal" + label: "principal.resource.resource_type_enum_name" + view_label: "UDM" + description: "Resource type." + } # dimension principal__resource__resource_type_enum_name + + dimension: principal__resource__type { + type: string + sql: ${TABLE}.principal.resource.type ;; + group_label: "principal" + group_item_label: "principal.resource.type [D]" + label: "principal.resource.type" + view_label: "UDM" + description: "Deprecated: use resource_type instead. [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__resource__type + + dimension: principal__resource_ancestors { + hidden: yes + } # dimension principal__resource_ancestors + + dimension: principal__url { + type: string + sql: ${TABLE}.principal.url ;; + group_label: "principal" + label: "principal.url" + view_label: "UDM" + description: "The URL." 
+ } # dimension principal__url + + dimension: principal__user { + hidden: yes + } # dimension principal__user + + dimension: principal__user__account_type { + type: number + sql: ${TABLE}.principal.user.account_type ;; + group_label: "principal" + label: "principal.user.account_type" + view_label: "UDM" + description: "Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/" + } # dimension principal__user__account_type + + dimension: principal__user__account_type_enum_name { + type: string + suggestions: ["ACCOUNT_TYPE_UNSPECIFIED", "CLOUD_ACCOUNT_TYPE", "DEFAULT_ACCOUNT_TYPE", "DOMAIN_ACCOUNT_TYPE", "LOCAL_ACCOUNT_TYPE", "SERVICE_ACCOUNT_TYPE"] + sql: CASE ${TABLE}.principal.user.account_type WHEN 0 THEN 'ACCOUNT_TYPE_UNSPECIFIED' WHEN 1 THEN 'DOMAIN_ACCOUNT_TYPE' WHEN 2 THEN 'LOCAL_ACCOUNT_TYPE' WHEN 3 THEN 'CLOUD_ACCOUNT_TYPE' WHEN 4 THEN 'SERVICE_ACCOUNT_TYPE' WHEN 5 THEN 'DEFAULT_ACCOUNT_TYPE' END ;; + group_label: "principal" + label: "principal.user.account_type_enum_name" + view_label: "UDM" + description: "Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/" + } # dimension principal__user__account_type_enum_name + + dimension: principal__user__attribute { + hidden: yes + } # dimension principal__user__attribute + + dimension: principal__user__attribute__cloud { + hidden: yes + } # dimension principal__user__attribute__cloud + + dimension: principal__user__attribute__cloud__environment { + type: number + sql: ${TABLE}.principal.user.attribute.cloud.environment ;; + group_label: "principal" + label: "principal.user.attribute.cloud.environment" + view_label: "UDM" + description: "The Cloud environment." 
+ } # dimension principal__user__attribute__cloud__environment + + dimension: principal__user__attribute__cloud__environment_enum_name { + type: string + suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] + sql: CASE ${TABLE}.principal.user.attribute.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; + group_label: "principal" + label: "principal.user.attribute.cloud.environment_enum_name" + view_label: "UDM" + description: "The Cloud environment." + } # dimension principal__user__attribute__cloud__environment_enum_name + + dimension: principal__user__attribute__cloud__project { + hidden: yes + } # dimension principal__user__attribute__cloud__project + + dimension: principal__user__attribute__cloud__project__id { + type: string + sql: ${TABLE}.principal.user.attribute.cloud.project.id ;; + group_label: "principal" + group_item_label: "principal.user.attribute.cloud.project.id [D]" + label: "principal.user.attribute.cloud.project.id" + view_label: "UDM" + description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__user__attribute__cloud__project__id + + dimension_group: principal__user__attribute__creation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.user.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.user.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "principal" + label: "principal.user.attribute.creation_time" + view_label: "UDM" + description: "Time the resource or entity was created or provisioned." 
+ } # dimension principal__user__attribute__creation_time + + dimension: principal__user__attribute__labels { + hidden: yes + } # dimension principal__user__attribute__labels + + dimension_group: principal__user__attribute__last_update_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.user.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.user.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "principal" + label: "principal.user.attribute.last_update_time" + view_label: "UDM" + description: "Time the resource or entity was last updated." + } # dimension principal__user__attribute__last_update_time + + dimension: principal__user__attribute__permissions { + hidden: yes + } # dimension principal__user__attribute__permissions + + dimension: principal__user__attribute__roles { + hidden: yes + } # dimension principal__user__attribute__roles + + dimension: principal__user__company_name { + type: string + sql: ${TABLE}.principal.user.company_name ;; + group_label: "principal" + label: "principal.user.company_name" + view_label: "UDM" + description: "User job company name." + } # dimension principal__user__company_name + + dimension: principal__user__department { + hidden: yes + } # dimension principal__user__department + + dimension: principal__user__email_addresses { + hidden: yes + } # dimension principal__user__email_addresses + + dimension: principal__user__employee_id { + type: string + sql: ${TABLE}.principal.user.employee_id ;; + group_label: "principal" + label: "principal.user.employee_id" + view_label: "UDM" + description: "Human capital management identifier." 
+ } # dimension principal__user__employee_id + + dimension: principal__user__first_name { + type: string + sql: ${TABLE}.principal.user.first_name ;; + group_label: "principal" + label: "principal.user.first_name" + view_label: "UDM" + description: "First name of the user (e.g. \"John\")." + } # dimension principal__user__first_name + + dimension: principal__user__group_identifiers { + hidden: yes + } # dimension principal__user__group_identifiers + + dimension: principal__user__groupid { + type: string + sql: ${TABLE}.principal.user.groupid ;; + group_label: "principal" + group_item_label: "principal.user.groupid [D]" + label: "principal.user.groupid" + view_label: "UDM" + description: "The ID of the group that the user belongs to. Deprecated in favor of the repeated group_identifiers field. [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__user__groupid + + dimension_group: principal__user__hire_date { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.user.hire_date.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.user.hire_date.nanos, 0) / 1000) as INT64)) ;; + group_label: "principal" + label: "principal.user.hire_date" + view_label: "UDM" + description: "User job employment hire date." + } # dimension principal__user__hire_date + + dimension: principal__user__last_name { + type: string + sql: ${TABLE}.principal.user.last_name ;; + group_label: "principal" + label: "principal.user.last_name" + view_label: "UDM" + description: "Last name of the user (e.g. \"Locke\")." 
+ } # dimension principal__user__last_name + + dimension: principal__user__managers { + hidden: yes + } # dimension principal__user__managers + + dimension: principal__user__office_address { + hidden: yes + } # dimension principal__user__office_address + + dimension: principal__user__office_address__city { + type: string + sql: ${TABLE}.principal.user.office_address.city ;; + group_label: "principal" + label: "principal.user.office_address.city" + view_label: "UDM" + description: "The city." + } # dimension principal__user__office_address__city + + dimension: principal__user__office_address__country_or_region { + type: string + sql: ${TABLE}.principal.user.office_address.country_or_region ;; + group_label: "principal" + label: "principal.user.office_address.country_or_region" + view_label: "UDM" + description: "The country or region." + } # dimension principal__user__office_address__country_or_region + + dimension: principal__user__office_address__desk_name { + type: string + sql: ${TABLE}.principal.user.office_address.desk_name ;; + group_label: "principal" + label: "principal.user.office_address.desk_name" + view_label: "UDM" + description: "Desk name or individual location, typically for an employee in an office. (e.g. \"IN-BLR-BCPC-11-1121D\")." + } # dimension principal__user__office_address__desk_name + + dimension: principal__user__office_address__floor_name { + type: string + sql: ${TABLE}.principal.user.office_address.floor_name ;; + group_label: "principal" + label: "principal.user.office_address.floor_name" + view_label: "UDM" + description: "Floor name, number or a combination of the two for a building. (e.g. \"1-A\")." + } # dimension principal__user__office_address__floor_name + + dimension: principal__user__office_address__name { + type: string + sql: ${TABLE}.principal.user.office_address.name ;; + group_label: "principal" + label: "principal.user.office_address.name" + view_label: "UDM" + description: "Custom location name (e.g. 
building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." + } # dimension principal__user__office_address__name + + dimension: principal__user__office_address__state { + type: string + sql: ${TABLE}.principal.user.office_address.state ;; + group_label: "principal" + label: "principal.user.office_address.state" + view_label: "UDM" + description: "The state." + } # dimension principal__user__office_address__state + + dimension: principal__user__personal_address { + hidden: yes + } # dimension principal__user__personal_address + + dimension: principal__user__personal_address__city { + type: string + sql: ${TABLE}.principal.user.personal_address.city ;; + group_label: "principal" + label: "principal.user.personal_address.city" + view_label: "UDM" + description: "The city." + } # dimension principal__user__personal_address__city + + dimension: principal__user__personal_address__country_or_region { + type: string + sql: ${TABLE}.principal.user.personal_address.country_or_region ;; + group_label: "principal" + label: "principal.user.personal_address.country_or_region" + view_label: "UDM" + description: "The country or region." + } # dimension principal__user__personal_address__country_or_region + + dimension: principal__user__personal_address__name { + type: string + sql: ${TABLE}.principal.user.personal_address.name ;; + group_label: "principal" + label: "principal.user.personal_address.name" + view_label: "UDM" + description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." + } # dimension principal__user__personal_address__name + + dimension: principal__user__personal_address__state { + type: string + sql: ${TABLE}.principal.user.personal_address.state ;; + group_label: "principal" + label: "principal.user.personal_address.state" + view_label: "UDM" + description: "The state." 
+ } # dimension principal__user__personal_address__state + + dimension: principal__user__phone_numbers { + hidden: yes + } # dimension principal__user__phone_numbers + + dimension: principal__user__product_object_id { + type: string + sql: ${TABLE}.principal.user.product_object_id ;; + group_label: "principal" + label: "principal.user.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." + } # dimension principal__user__product_object_id + + dimension: principal__user__role_description { + type: string + sql: ${TABLE}.principal.user.role_description ;; + group_label: "principal" + group_item_label: "principal.user.role_description [D]" + label: "principal.user.role_description" + view_label: "UDM" + description: "System role description for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__user__role_description + + dimension: principal__user__role_name { + type: string + sql: ${TABLE}.principal.user.role_name ;; + group_label: "principal" + group_item_label: "principal.user.role_name [D]" + label: "principal.user.role_name" + view_label: "UDM" + description: "System role name for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__user__role_name + + dimension_group: principal__user__termination_date { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.user.termination_date.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.user.termination_date.nanos, 0) / 1000) as INT64)) ;; + group_label: "principal" + label: "principal.user.termination_date" + view_label: "UDM" + description: "User job employment termination date." 
+ } # dimension principal__user__termination_date + + dimension: principal__user__time_off { + hidden: yes + } # dimension principal__user__time_off + + dimension: principal__user__title { + type: string + sql: ${TABLE}.principal.user.title ;; + group_label: "principal" + label: "principal.user.title" + view_label: "UDM" + description: "User job title." + } # dimension principal__user__title + + dimension: principal__user__user_authentication_status { + type: number + sql: ${TABLE}.principal.user.user_authentication_status ;; + group_label: "principal" + label: "principal.user.user_authentication_status" + view_label: "UDM" + description: "System authentication status for user." + } # dimension principal__user__user_authentication_status + + dimension: principal__user__user_authentication_status_enum_name { + type: string + suggestions: ["ACTIVE", "DELETED", "NO_ACTIVE_CREDENTIALS", "SUSPENDED", "UNKNOWN_AUTHENTICATION_STATUS"] + sql: CASE ${TABLE}.principal.user.user_authentication_status WHEN 0 THEN 'UNKNOWN_AUTHENTICATION_STATUS' WHEN 1 THEN 'ACTIVE' WHEN 2 THEN 'SUSPENDED' WHEN 3 THEN 'NO_ACTIVE_CREDENTIALS' WHEN 4 THEN 'DELETED' END ;; + group_label: "principal" + label: "principal.user.user_authentication_status_enum_name" + view_label: "UDM" + description: "System authentication status for user." + } # dimension principal__user__user_authentication_status_enum_name + + dimension: principal__user__user_display_name { + type: string + sql: ${TABLE}.principal.user.user_display_name ;; + group_label: "principal" + label: "principal.user.user_display_name" + view_label: "UDM" + description: "The display name of the user (e.g. \"John Locke\")." + } # dimension principal__user__user_display_name + + dimension: principal__user__user_role { + type: number + sql: ${TABLE}.principal.user.user_role ;; + group_label: "principal" + group_item_label: "principal.user.user_role [D]" + label: "principal.user.user_role" + view_label: "UDM" + description: "System role for user. 
Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__user__user_role + + dimension: principal__user__user_role_enum_name { + type: string + suggestions: ["ADMINISTRATOR", "SERVICE_ACCOUNT", "UNKNOWN_ROLE"] + sql: CASE ${TABLE}.principal.user.user_role WHEN 0 THEN 'UNKNOWN_ROLE' WHEN 1 THEN 'ADMINISTRATOR' WHEN 2 THEN 'SERVICE_ACCOUNT' END ;; + group_label: "principal" + group_item_label: "principal.user.user_role_enum_name [D]" + label: "principal.user.user_role_enum_name" + view_label: "UDM" + description: "System role for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__user__user_role_enum_name + + dimension: principal__user__userid { + type: string + sql: ${TABLE}.principal.user.userid ;; + group_label: "principal" + label: "principal.user.userid" + view_label: "UDM" + description: "The ID of the user." + } # dimension principal__user__userid + + dimension: principal__user__windows_sid { + type: string + sql: ${TABLE}.principal.user.windows_sid ;; + group_label: "principal" + label: "principal.user.windows_sid" + view_label: "UDM" + description: "The Microsoft Windows SID of the user." + } # dimension principal__user__windows_sid + + dimension: security_result { + hidden: yes + } # dimension security_result + + dimension: src { + hidden: yes + } # dimension src + + dimension: src__administrative_domain { + type: string + sql: ${TABLE}.src.administrative_domain ;; + group_label: "src" + label: "src.administrative_domain" + view_label: "UDM" + description: "Domain which the device belongs to (for example, the Microsoft Windows domain)." + } # dimension src__administrative_domain + + dimension: src__application { + type: string + sql: ${TABLE}.src.application ;; + group_label: "src" + label: "src.application" + view_label: "UDM" + description: "The name of an application or service. 
Some SSO solutions only capture the name of a target application such as \"Atlassian\" or \"Chronicle\"." + } # dimension src__application + + dimension: src__artifact { + hidden: yes + } # dimension src__artifact + + dimension: src__artifact__ip { + type: string + sql: ${TABLE}.src.artifact.ip ;; + group_label: "src" + label: "src.artifact.ip" + view_label: "UDM" + description: "IP address of the artifact." + } # dimension src__artifact__ip + + dimension: src__artifact__network { + hidden: yes + } # dimension src__artifact__network + + dimension: src__artifact__network__dns { + hidden: yes + } # dimension src__artifact__network__dns + + dimension: src__artifact__network__dns__questions { + hidden: yes + } # dimension src__artifact__network__dns__questions + + dimension: src__artifact__network__http { + hidden: yes + } # dimension src__artifact__network__http + + dimension: src__artifact__network__http__parsed_user_agent { + hidden: yes + } # dimension src__artifact__network__http__parsed_user_agent + + dimension: src__artifact__network__http__parsed_user_agent__browser { + type: string + sql: ${TABLE}.src.artifact.network.http.parsed_user_agent.browser ;; + group_label: "src" + label: "src.artifact.network.http.parsed_user_agent.browser" + view_label: "UDM" + description: "Product brand within the family: Firefox, Netscape, Camino etc.. Or Earth, Windows-Media-Player etc.. for non-browser user agents." + } # dimension src__artifact__network__http__parsed_user_agent__browser + + dimension: src__asset { + hidden: yes + } # dimension src__asset + + dimension: src__asset__asset_id { + type: string + sql: ${TABLE}.src.asset.asset_id ;; + group_label: "src" + label: "src.asset.asset_id" + view_label: "UDM" + description: "The asset ID." 
+ } # dimension src__asset__asset_id + + dimension: src__asset__attribute { + hidden: yes + } # dimension src__asset__attribute + + dimension: src__asset__attribute__cloud { + hidden: yes + } # dimension src__asset__attribute__cloud + + dimension: src__asset__attribute__cloud__availability_zone { + type: string + sql: ${TABLE}.src.asset.attribute.cloud.availability_zone ;; + group_label: "src" + label: "src.asset.attribute.cloud.availability_zone" + view_label: "UDM" + description: "The cloud environment availability zone (different from region which is location.name)." + } # dimension src__asset__attribute__cloud__availability_zone + + dimension: src__asset__attribute__cloud__environment { + type: number + sql: ${TABLE}.src.asset.attribute.cloud.environment ;; + group_label: "src" + label: "src.asset.attribute.cloud.environment" + view_label: "UDM" + description: "The Cloud environment." + } # dimension src__asset__attribute__cloud__environment + + dimension: src__asset__attribute__cloud__environment_enum_name { + type: string + suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] + sql: CASE ${TABLE}.src.asset.attribute.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; + group_label: "src" + label: "src.asset.attribute.cloud.environment_enum_name" + view_label: "UDM" + description: "The Cloud environment." 
+ } # dimension src__asset__attribute__cloud__environment_enum_name + + dimension: src__asset__attribute__cloud__project { + hidden: yes + } # dimension src__asset__attribute__cloud__project + + dimension: src__asset__attribute__cloud__project__name { + type: string + sql: ${TABLE}.src.asset.attribute.cloud.project.name ;; + group_label: "src" + group_item_label: "src.asset.attribute.cloud.project.name [D]" + label: "src.asset.attribute.cloud.project.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" + } # dimension src__asset__attribute__cloud__project__name + + dimension: src__asset__attribute__cloud__project__resource_type { + type: number + sql: ${TABLE}.src.asset.attribute.cloud.project.resource_type ;; + group_label: "src" + group_item_label: "src.asset.attribute.cloud.project.resource_type [D]" + label: "src.asset.attribute.cloud.project.resource_type" + view_label: "UDM" + description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension src__asset__attribute__cloud__project__resource_type + + dimension: src__asset__attribute__cloud__project__resource_type_enum_name { + type: string + suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] + sql: CASE ${TABLE}.src.asset.attribute.cloud.project.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; + group_label: "src" + group_item_label: "src.asset.attribute.cloud.project.resource_type_enum_name [D]" + label: "src.asset.attribute.cloud.project.resource_type_enum_name" + view_label: "UDM" + description: "Resource type. [D]: This field is deprecated and will be removed in a future release" + } # dimension src__asset__attribute__cloud__project__resource_type_enum_name + + dimension: src__asset__attribute__cloud__vpc { + hidden: yes + } # dimension src__asset__attribute__cloud__vpc + + dimension: src__asset__attribute__cloud__vpc__name { + type: string + sql: ${TABLE}.src.asset.attribute.cloud.vpc.name ;; + group_label: "src" + group_item_label: "src.asset.attribute.cloud.vpc.name [D]" + label: "src.asset.attribute.cloud.vpc.name" + view_label: "UDM" + description: "The full name of the resource. 
For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" + } # dimension src__asset__attribute__cloud__vpc__name + + dimension: src__asset__attribute__cloud__vpc__resource_type { + type: number + sql: ${TABLE}.src.asset.attribute.cloud.vpc.resource_type ;; + group_label: "src" + group_item_label: "src.asset.attribute.cloud.vpc.resource_type [D]" + label: "src.asset.attribute.cloud.vpc.resource_type" + view_label: "UDM" + description: "Resource type. [D]: This field is deprecated and will be removed in a future release" + } # dimension src__asset__attribute__cloud__vpc__resource_type + + dimension: src__asset__attribute__cloud__vpc__resource_type_enum_name { + type: string + suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] + sql: CASE ${TABLE}.src.asset.attribute.cloud.vpc.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; + group_label: "src" + group_item_label: "src.asset.attribute.cloud.vpc.resource_type_enum_name [D]" + label: "src.asset.attribute.cloud.vpc.resource_type_enum_name" + view_label: "UDM" + description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension src__asset__attribute__cloud__vpc__resource_type_enum_name + + dimension_group: src__asset__attribute__creation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.asset.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.asset.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "src" + label: "src.asset.attribute.creation_time" + view_label: "UDM" + description: "Time the resource or entity was created or provisioned." + } # dimension src__asset__attribute__creation_time + + dimension: src__asset__attribute__labels { + hidden: yes + } # dimension src__asset__attribute__labels + + dimension_group: src__asset__attribute__last_update_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.asset.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.asset.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "src" + label: "src.asset.attribute.last_update_time" + view_label: "UDM" + description: "Time the resource or entity was last updated." + } # dimension src__asset__attribute__last_update_time + + dimension: src__asset__category { + type: string + sql: ${TABLE}.src.asset.category ;; + group_label: "src" + label: "src.asset.category" + view_label: "UDM" + description: "The category of the asset (e.g. \"End User Asset\", \"Workstation\", \"Server\")." + } # dimension src__asset__category + + dimension: src__asset__deployment_status { + type: number + sql: ${TABLE}.src.asset.deployment_status ;; + group_label: "src" + label: "src.asset.deployment_status" + view_label: "UDM" + description: "The deployment status of the asset for device lifecycle purposes." 
+ } # dimension src__asset__deployment_status + + dimension: src__asset__deployment_status_enum_name { + type: string + suggestions: ["ACTIVE", "DECOMISSIONED", "DEPLOYMENT_STATUS_UNSPECIFIED", "PENDING_DECOMISSION"] + sql: CASE ${TABLE}.src.asset.deployment_status WHEN 0 THEN 'DEPLOYMENT_STATUS_UNSPECIFIED' WHEN 1 THEN 'ACTIVE' WHEN 2 THEN 'PENDING_DECOMISSION' WHEN 3 THEN 'DECOMISSIONED' END ;; + group_label: "src" + label: "src.asset.deployment_status_enum_name" + view_label: "UDM" + description: "The deployment status of the asset for device lifecycle purposes." + } # dimension src__asset__deployment_status_enum_name + + dimension_group: src__asset__first_discover_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.asset.first_discover_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.asset.first_discover_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "src" + label: "src.asset.first_discover_time" + view_label: "UDM" + description: "Time the asset was first discovered (by asset management/discoverability software)." + } # dimension src__asset__first_discover_time + + dimension_group: src__asset__first_seen_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.asset.first_seen_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.asset.first_seen_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "src" + label: "src.asset.first_seen_time" + view_label: "UDM" + description: "The first observed time for an asset. The value is calculated on the basis of the first time the identifier was observed." 
+ } # dimension src__asset__first_seen_time + + dimension: src__asset__hardware { + hidden: yes + } # dimension src__asset__hardware + + dimension: src__asset__hostname { + type: string + sql: ${TABLE}.src.asset.hostname ;; + group_label: "src" + label: "src.asset.hostname" + view_label: "UDM" + description: "Asset hostname or domain name field." + } # dimension src__asset__hostname + + dimension: src__asset__ip { + hidden: yes + } # dimension src__asset__ip + + dimension: src__asset__labels { + hidden: yes + } # dimension src__asset__labels + + dimension_group: src__asset__last_boot_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.asset.last_boot_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.asset.last_boot_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "src" + label: "src.asset.last_boot_time" + view_label: "UDM" + description: "Time the asset was last boot started." + } # dimension src__asset__last_boot_time + + dimension_group: src__asset__last_discover_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.asset.last_discover_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.asset.last_discover_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "src" + label: "src.asset.last_discover_time" + view_label: "UDM" + description: "Time the asset was last discovered (by asset management/discoverability software)." + } # dimension src__asset__last_discover_time + + dimension: src__asset__location { + hidden: yes + } # dimension src__asset__location + + dimension: src__asset__location__city { + type: string + sql: ${TABLE}.src.asset.location.city ;; + group_label: "src" + label: "src.asset.location.city" + view_label: "UDM" + description: "The city." 
+ } # dimension src__asset__location__city + + dimension: src__asset__location__country_or_region { + type: string + sql: ${TABLE}.src.asset.location.country_or_region ;; + group_label: "src" + label: "src.asset.location.country_or_region" + view_label: "UDM" + description: "The country or region." + } # dimension src__asset__location__country_or_region + + dimension: src__asset__location__floor_name { + type: string + sql: ${TABLE}.src.asset.location.floor_name ;; + group_label: "src" + label: "src.asset.location.floor_name" + view_label: "UDM" + description: "Floor name, number or a combination of the two for a building. (e.g. \"1-A\")." + } # dimension src__asset__location__floor_name + + dimension: src__asset__location__name { + type: string + sql: ${TABLE}.src.asset.location.name ;; + group_label: "src" + label: "src.asset.location.name" + view_label: "UDM" + description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." + } # dimension src__asset__location__name + + dimension: src__asset__location__region_latitude { + type: number + sql: ${TABLE}.src.asset.location.region_latitude ;; + group_label: "src" + group_item_label: "src.asset.location.region_latitude [D]" + label: "src.asset.location.region_latitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" + } # dimension src__asset__location__region_latitude + + dimension: src__asset__location__region_longitude { + type: number + sql: ${TABLE}.src.asset.location.region_longitude ;; + group_label: "src" + group_item_label: "src.asset.location.region_longitude [D]" + label: "src.asset.location.region_longitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension src__asset__location__region_longitude + + dimension: src__asset__location__location { + type: location + sql_latitude: ${TABLE}.src.asset.location.region_latitude ;; + sql_longitude: ${TABLE}.src.asset.location.region_longitude ;; + group_label: "src" + group_item_label: "src.asset.location.location [D][L]" + label: "src.asset.location.location" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." + } # dimension src__asset__location__location + + dimension: src__asset__location__state { + type: string + sql: ${TABLE}.src.asset.location.state ;; + group_label: "src" + label: "src.asset.location.state" + view_label: "UDM" + description: "The state." + } # dimension src__asset__location__state + + dimension: src__asset__mac { + hidden: yes + } # dimension src__asset__mac + + dimension: src__asset__nat_ip { + hidden: yes + } # dimension src__asset__nat_ip + + dimension: src__asset__network_domain { + type: string + sql: ${TABLE}.src.asset.network_domain ;; + group_label: "src" + label: "src.asset.network_domain" + view_label: "UDM" + description: "The network domain of the asset (e.g. \"corp.acme.com\")" + } # dimension src__asset__network_domain + + dimension: src__asset__platform_software { + hidden: yes + } # dimension src__asset__platform_software + + dimension: src__asset__platform_software__platform { + type: number + sql: ${TABLE}.src.asset.platform_software.platform ;; + group_label: "src" + label: "src.asset.platform_software.platform" + view_label: "UDM" + description: "The platform operating system." 
+ } # dimension src__asset__platform_software__platform + + dimension: src__asset__platform_software__platform_enum_name { + type: string + suggestions: ["ANDROID", "AWS", "AZURE", "CHROME_OS", "GCP", "IOS", "LINUX", "MAC", "UNKNOWN_PLATFORM", "WINDOWS"] + sql: CASE ${TABLE}.src.asset.platform_software.platform WHEN 0 THEN 'UNKNOWN_PLATFORM' WHEN 1 THEN 'WINDOWS' WHEN 2 THEN 'MAC' WHEN 3 THEN 'LINUX' WHEN 4 THEN 'GCP' WHEN 5 THEN 'AWS' WHEN 6 THEN 'AZURE' WHEN 7 THEN 'IOS' WHEN 8 THEN 'ANDROID' WHEN 9 THEN 'CHROME_OS' END ;; + group_label: "src" + label: "src.asset.platform_software.platform_enum_name" + view_label: "UDM" + description: "The platform operating system." + } # dimension src__asset__platform_software__platform_enum_name + + dimension: src__asset__platform_software__platform_patch_level { + type: string + sql: ${TABLE}.src.asset.platform_software.platform_patch_level ;; + group_label: "src" + label: "src.asset.platform_software.platform_patch_level" + view_label: "UDM" + description: "The platform software patch level ( e.g. \"Build 17134.48\", \"SP1\")." + } # dimension src__asset__platform_software__platform_patch_level + + dimension: src__asset__platform_software__platform_version { + type: string + sql: ${TABLE}.src.asset.platform_software.platform_version ;; + group_label: "src" + label: "src.asset.platform_software.platform_version" + view_label: "UDM" + description: "The platform software version ( e.g. \"Microsoft Windows 1803\")." + } # dimension src__asset__platform_software__platform_version + + dimension: src__asset__product_object_id { + type: string + sql: ${TABLE}.src.asset.product_object_id ;; + group_label: "src" + label: "src.asset.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID or similar)." 
+ } # dimension src__asset__product_object_id + + dimension: src__asset__software { + hidden: yes + } # dimension src__asset__software + + dimension_group: src__asset__system_last_update_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.asset.system_last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.asset.system_last_update_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "src" + label: "src.asset.system_last_update_time" + view_label: "UDM" + description: "Time the asset system or OS was last updated. For all other operations that are not system updates (such as resizing a vm, etc.) use Attribute.last_update_time." + } # dimension src__asset__system_last_update_time + + dimension: src__asset__type { + type: number + sql: ${TABLE}.src.asset.type ;; + group_label: "src" + label: "src.asset.type" + view_label: "UDM" + description: "The type of the asset (e.g. workstation or laptop or server)." + } # dimension src__asset__type + + dimension: src__asset__type_enum_name { + type: string + suggestions: ["IOT", "LAPTOP", "MOBILE", "NETWORK_ATTACHED_STORAGE", "PRINTER", "ROLE_UNSPECIFIED", "SCANNER", "SERVER", "TAPE_LIBRARY", "WORKSTATION"] + sql: CASE ${TABLE}.src.asset.type WHEN 0 THEN 'ROLE_UNSPECIFIED' WHEN 1 THEN 'WORKSTATION' WHEN 2 THEN 'LAPTOP' WHEN 3 THEN 'IOT' WHEN 4 THEN 'NETWORK_ATTACHED_STORAGE' WHEN 5 THEN 'PRINTER' WHEN 6 THEN 'SCANNER' WHEN 7 THEN 'SERVER' WHEN 8 THEN 'TAPE_LIBRARY' WHEN 9 THEN 'MOBILE' END ;; + group_label: "src" + label: "src.asset.type_enum_name" + view_label: "UDM" + description: "The type of the asset (e.g. workstation or laptop or server)." 
+ } # dimension src__asset__type_enum_name + + dimension: src__asset__vulnerabilities { + hidden: yes + } # dimension src__asset__vulnerabilities + + dimension: src__asset_id { + type: string + sql: ${TABLE}.src.asset_id ;; + group_label: "src" + label: "src.asset_id" + view_label: "UDM" + description: "The asset ID." + } # dimension src__asset_id + + dimension: src__cloud { + hidden: yes + } # dimension src__cloud + + dimension: src__cloud__availability_zone { + type: string + sql: ${TABLE}.src.cloud.availability_zone ;; + group_label: "src" + group_item_label: "src.cloud.availability_zone [D]" + label: "src.cloud.availability_zone" + view_label: "UDM" + description: "The cloud environment availability zone (different from region which is location.name). [D]: This field is deprecated and will be removed in a future release" + } # dimension src__cloud__availability_zone + + dimension: src__cloud__project { + hidden: yes + } # dimension src__cloud__project + + dimension: src__cloud__project__id { + type: string + sql: ${TABLE}.src.cloud.project.id ;; + group_label: "src" + group_item_label: "src.cloud.project.id [D]" + label: "src.cloud.project.id" + view_label: "UDM" + description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" + } # dimension src__cloud__project__id + + dimension: src__domain { + hidden: yes + } # dimension src__domain + + dimension: src__domain__name { + type: string + sql: ${TABLE}.src.domain.name ;; + group_label: "src" + label: "src.domain.name" + view_label: "UDM" + description: "The domain name." + } # dimension src__domain__name + + dimension: src__domain__status { + type: string + sql: ${TABLE}.src.domain.status ;; + group_label: "src" + label: "src.domain.status" + view_label: "UDM" + description: "Domain status. 
See https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en for meanings of possible values" + } # dimension src__domain__status + + dimension: src__email { + type: string + sql: ${TABLE}.src.email ;; + group_label: "src" + label: "src.email" + view_label: "UDM" + description: "Email address. Only filled in for security_result.about" + } # dimension src__email + + dimension: src__file { + hidden: yes + } # dimension src__file + + dimension: src__file__ahash { + type: string + sql: ${TABLE}.src.file.ahash ;; + group_label: "src" + group_item_label: "src.file.ahash [D]" + label: "src.file.ahash" + view_label: "UDM" + description: "Deprecated. Use authentihash instead. [D]: This field is deprecated and will be removed in a future release" + } # dimension src__file__ahash + + dimension: src__file__capabilities_tags { + hidden: yes + } # dimension src__file__capabilities_tags + + dimension: src__file__embedded_domains { + hidden: yes + } # dimension src__file__embedded_domains + + dimension: src__file__embedded_ips { + hidden: yes + } # dimension src__file__embedded_ips + + dimension: src__file__embedded_urls { + hidden: yes + } # dimension src__file__embedded_urls + + dimension: src__file__file_type { + type: number + sql: ${TABLE}.src.file.file_type ;; + group_label: "src" + label: "src.file.file_type" + view_label: "UDM" + description: "FileType field." 
+ } # dimension src__file__file_type + + dimension: src__file__file_type_enum_name { + type: string + suggestions: ["FILE_TYPE_ACE", "FILE_TYPE_ANDROID", "FILE_TYPE_APPLE", "FILE_TYPE_APPLEDOUBLE", "FILE_TYPE_APPLESCRIPT", "FILE_TYPE_APPLESCRIPT_COMPILED", "FILE_TYPE_APPLESINGLE", "FILE_TYPE_APPLE_PLIST", "FILE_TYPE_ARC", "FILE_TYPE_ARJ", "FILE_TYPE_ASD", "FILE_TYPE_ASF", "FILE_TYPE_AVI", "FILE_TYPE_AWK", "FILE_TYPE_BLACKHOLE", "FILE_TYPE_BMP", "FILE_TYPE_BZIP", "FILE_TYPE_C", "FILE_TYPE_CAB", "FILE_TYPE_CAP", "FILE_TYPE_CHM", "FILE_TYPE_COFF", "FILE_TYPE_COOKIE", "FILE_TYPE_CPP", "FILE_TYPE_CRX", "FILE_TYPE_DEB", "FILE_TYPE_DIB", "FILE_TYPE_DIVX", "FILE_TYPE_DMG", "FILE_TYPE_DOC", "FILE_TYPE_DOCX", "FILE_TYPE_DOS_COM", "FILE_TYPE_DOS_EXE", "FILE_TYPE_DYALOG", "FILE_TYPE_DZIP", "FILE_TYPE_EBOOK", "FILE_TYPE_ELF", "FILE_TYPE_EMAIL_TYPE", "FILE_TYPE_EMF", "FILE_TYPE_EOT", "FILE_TYPE_EPS", "FILE_TYPE_FLA", "FILE_TYPE_FLAC", "FILE_TYPE_FLC", "FILE_TYPE_FLI", "FILE_TYPE_FLV", "FILE_TYPE_FORTRAN", "FILE_TYPE_FPX", "FILE_TYPE_GIF", "FILE_TYPE_GIMP", "FILE_TYPE_GUL", "FILE_TYPE_GZIP", "FILE_TYPE_HTML", "FILE_TYPE_HWP", "FILE_TYPE_ICO", "FILE_TYPE_IN_DESIGN", "FILE_TYPE_IPHONE", "FILE_TYPE_ISOIMAGE", "FILE_TYPE_JAR", "FILE_TYPE_JAVA", "FILE_TYPE_JAVASCRIPT", "FILE_TYPE_JAVA_BYTECODE", "FILE_TYPE_JNG", "FILE_TYPE_JPEG", "FILE_TYPE_KGB", "FILE_TYPE_LATEX", "FILE_TYPE_LINUX", "FILE_TYPE_LINUX_KERNEL", "FILE_TYPE_LNK", "FILE_TYPE_MACH_O", "FILE_TYPE_MACINTOSH", "FILE_TYPE_MACINTOSH_HFS", "FILE_TYPE_MACINTOSH_LIB", "FILE_TYPE_MIDI", "FILE_TYPE_MOV", "FILE_TYPE_MP3", "FILE_TYPE_MP4", "FILE_TYPE_MPEG", "FILE_TYPE_MSCOMPRESS", "FILE_TYPE_MSI", "FILE_TYPE_NE_DLL", "FILE_TYPE_NE_EXE", "FILE_TYPE_ODF", "FILE_TYPE_ODG", "FILE_TYPE_ODP", "FILE_TYPE_ODS", "FILE_TYPE_ODT", "FILE_TYPE_OGG", "FILE_TYPE_OUTLOOK", "FILE_TYPE_PALMOS", "FILE_TYPE_PASCAL", "FILE_TYPE_PDF", "FILE_TYPE_PERL", "FILE_TYPE_PE_DLL", "FILE_TYPE_PE_EXE", "FILE_TYPE_PHP", "FILE_TYPE_PKG", "FILE_TYPE_PNG", 
"FILE_TYPE_POWERSHELL", "FILE_TYPE_PPSX", "FILE_TYPE_PPT", "FILE_TYPE_PPTX", "FILE_TYPE_PS", "FILE_TYPE_PSD", "FILE_TYPE_PYTHON", "FILE_TYPE_QUICKTIME", "FILE_TYPE_RAR", "FILE_TYPE_RM", "FILE_TYPE_ROM", "FILE_TYPE_RPM", "FILE_TYPE_RTF", "FILE_TYPE_RUBY", "FILE_TYPE_RZIP", "FILE_TYPE_SCRIPT", "FILE_TYPE_SEVENZIP", "FILE_TYPE_SHELLSCRIPT", "FILE_TYPE_SVG", "FILE_TYPE_SWF", "FILE_TYPE_SYMBIAN", "FILE_TYPE_T3GP", "FILE_TYPE_TAR", "FILE_TYPE_TARGA", "FILE_TYPE_TEXT", "FILE_TYPE_TIFF", "FILE_TYPE_TORRENT", "FILE_TYPE_TTF", "FILE_TYPE_UNSPECIFIED", "FILE_TYPE_VBA", "FILE_TYPE_WAV", "FILE_TYPE_WEBP", "FILE_TYPE_WINCE", "FILE_TYPE_WMA", "FILE_TYPE_WMV", "FILE_TYPE_WOFF", "FILE_TYPE_XLS", "FILE_TYPE_XLSX", "FILE_TYPE_XML", "FILE_TYPE_XPI", "FILE_TYPE_XWD", "FILE_TYPE_ZIP", "FILE_TYPE_ZLIB"] + sql: CASE ${TABLE}.src.file.file_type WHEN 0 THEN 'FILE_TYPE_UNSPECIFIED' WHEN 1 THEN 'FILE_TYPE_PE_EXE' WHEN 2 THEN 'FILE_TYPE_PE_DLL' WHEN 3 THEN 'FILE_TYPE_MSI' WHEN 10 THEN 'FILE_TYPE_NE_EXE' WHEN 11 THEN 'FILE_TYPE_NE_DLL' WHEN 20 THEN 'FILE_TYPE_DOS_EXE' WHEN 21 THEN 'FILE_TYPE_DOS_COM' WHEN 30 THEN 'FILE_TYPE_COFF' WHEN 31 THEN 'FILE_TYPE_ELF' WHEN 32 THEN 'FILE_TYPE_LINUX_KERNEL' WHEN 33 THEN 'FILE_TYPE_RPM' WHEN 34 THEN 'FILE_TYPE_LINUX' WHEN 35 THEN 'FILE_TYPE_MACH_O' WHEN 36 THEN 'FILE_TYPE_JAVA_BYTECODE' WHEN 37 THEN 'FILE_TYPE_DMG' WHEN 38 THEN 'FILE_TYPE_DEB' WHEN 39 THEN 'FILE_TYPE_PKG' WHEN 50 THEN 'FILE_TYPE_LNK' WHEN 100 THEN 'FILE_TYPE_JPEG' WHEN 101 THEN 'FILE_TYPE_TIFF' WHEN 102 THEN 'FILE_TYPE_GIF' WHEN 103 THEN 'FILE_TYPE_PNG' WHEN 104 THEN 'FILE_TYPE_BMP' WHEN 105 THEN 'FILE_TYPE_GIMP' WHEN 106 THEN 'FILE_TYPE_IN_DESIGN' WHEN 107 THEN 'FILE_TYPE_PSD' WHEN 108 THEN 'FILE_TYPE_TARGA' WHEN 109 THEN 'FILE_TYPE_XWD' WHEN 110 THEN 'FILE_TYPE_DIB' WHEN 111 THEN 'FILE_TYPE_JNG' WHEN 112 THEN 'FILE_TYPE_ICO' WHEN 113 THEN 'FILE_TYPE_FPX' WHEN 114 THEN 'FILE_TYPE_EPS' WHEN 115 THEN 'FILE_TYPE_SVG' WHEN 116 THEN 'FILE_TYPE_EMF' WHEN 117 THEN 'FILE_TYPE_WEBP' WHEN 150 THEN 
'FILE_TYPE_OGG' WHEN 151 THEN 'FILE_TYPE_FLC' WHEN 152 THEN 'FILE_TYPE_FLI' WHEN 153 THEN 'FILE_TYPE_MP3' WHEN 154 THEN 'FILE_TYPE_FLAC' WHEN 155 THEN 'FILE_TYPE_WAV' WHEN 156 THEN 'FILE_TYPE_MIDI' WHEN 157 THEN 'FILE_TYPE_AVI' WHEN 158 THEN 'FILE_TYPE_MPEG' WHEN 159 THEN 'FILE_TYPE_QUICKTIME' WHEN 160 THEN 'FILE_TYPE_ASF' WHEN 161 THEN 'FILE_TYPE_DIVX' WHEN 162 THEN 'FILE_TYPE_FLV' WHEN 163 THEN 'FILE_TYPE_WMA' WHEN 164 THEN 'FILE_TYPE_WMV' WHEN 165 THEN 'FILE_TYPE_RM' WHEN 166 THEN 'FILE_TYPE_MOV' WHEN 167 THEN 'FILE_TYPE_MP4' WHEN 168 THEN 'FILE_TYPE_T3GP' WHEN 200 THEN 'FILE_TYPE_PDF' WHEN 201 THEN 'FILE_TYPE_PS' WHEN 202 THEN 'FILE_TYPE_DOC' WHEN 203 THEN 'FILE_TYPE_DOCX' WHEN 204 THEN 'FILE_TYPE_PPT' WHEN 205 THEN 'FILE_TYPE_PPTX' WHEN 209 THEN 'FILE_TYPE_PPSX' WHEN 206 THEN 'FILE_TYPE_XLS' WHEN 207 THEN 'FILE_TYPE_XLSX' WHEN 208 THEN 'FILE_TYPE_RTF' WHEN 250 THEN 'FILE_TYPE_ODP' WHEN 251 THEN 'FILE_TYPE_ODS' WHEN 252 THEN 'FILE_TYPE_ODT' WHEN 253 THEN 'FILE_TYPE_HWP' WHEN 254 THEN 'FILE_TYPE_GUL' WHEN 255 THEN 'FILE_TYPE_ODF' WHEN 256 THEN 'FILE_TYPE_ODG' WHEN 260 THEN 'FILE_TYPE_EBOOK' WHEN 261 THEN 'FILE_TYPE_LATEX' WHEN 262 THEN 'FILE_TYPE_TTF' WHEN 263 THEN 'FILE_TYPE_EOT' WHEN 264 THEN 'FILE_TYPE_WOFF' WHEN 265 THEN 'FILE_TYPE_CHM' WHEN 300 THEN 'FILE_TYPE_ZIP' WHEN 301 THEN 'FILE_TYPE_GZIP' WHEN 302 THEN 'FILE_TYPE_BZIP' WHEN 303 THEN 'FILE_TYPE_RZIP' WHEN 304 THEN 'FILE_TYPE_DZIP' WHEN 305 THEN 'FILE_TYPE_SEVENZIP' WHEN 306 THEN 'FILE_TYPE_CAB' WHEN 307 THEN 'FILE_TYPE_JAR' WHEN 308 THEN 'FILE_TYPE_RAR' WHEN 309 THEN 'FILE_TYPE_MSCOMPRESS' WHEN 310 THEN 'FILE_TYPE_ACE' WHEN 311 THEN 'FILE_TYPE_ARC' WHEN 312 THEN 'FILE_TYPE_ARJ' WHEN 313 THEN 'FILE_TYPE_ASD' WHEN 314 THEN 'FILE_TYPE_BLACKHOLE' WHEN 315 THEN 'FILE_TYPE_KGB' WHEN 316 THEN 'FILE_TYPE_ZLIB' WHEN 317 THEN 'FILE_TYPE_TAR' WHEN 400 THEN 'FILE_TYPE_TEXT' WHEN 401 THEN 'FILE_TYPE_SCRIPT' WHEN 402 THEN 'FILE_TYPE_PHP' WHEN 403 THEN 'FILE_TYPE_PYTHON' WHEN 404 THEN 'FILE_TYPE_PERL' WHEN 405 THEN 
'FILE_TYPE_RUBY' WHEN 406 THEN 'FILE_TYPE_C' WHEN 407 THEN 'FILE_TYPE_CPP' WHEN 408 THEN 'FILE_TYPE_JAVA' WHEN 409 THEN 'FILE_TYPE_SHELLSCRIPT' WHEN 410 THEN 'FILE_TYPE_PASCAL' WHEN 411 THEN 'FILE_TYPE_AWK' WHEN 412 THEN 'FILE_TYPE_DYALOG' WHEN 413 THEN 'FILE_TYPE_FORTRAN' WHEN 414 THEN 'FILE_TYPE_JAVASCRIPT' WHEN 415 THEN 'FILE_TYPE_POWERSHELL' WHEN 416 THEN 'FILE_TYPE_VBA' WHEN 500 THEN 'FILE_TYPE_SYMBIAN' WHEN 501 THEN 'FILE_TYPE_PALMOS' WHEN 502 THEN 'FILE_TYPE_WINCE' WHEN 503 THEN 'FILE_TYPE_ANDROID' WHEN 504 THEN 'FILE_TYPE_IPHONE' WHEN 600 THEN 'FILE_TYPE_HTML' WHEN 601 THEN 'FILE_TYPE_XML' WHEN 602 THEN 'FILE_TYPE_SWF' WHEN 603 THEN 'FILE_TYPE_FLA' WHEN 604 THEN 'FILE_TYPE_COOKIE' WHEN 605 THEN 'FILE_TYPE_TORRENT' WHEN 606 THEN 'FILE_TYPE_EMAIL_TYPE' WHEN 607 THEN 'FILE_TYPE_OUTLOOK' WHEN 700 THEN 'FILE_TYPE_CAP' WHEN 800 THEN 'FILE_TYPE_ISOIMAGE' WHEN 1000 THEN 'FILE_TYPE_APPLE' WHEN 1001 THEN 'FILE_TYPE_MACINTOSH' WHEN 1002 THEN 'FILE_TYPE_APPLESINGLE' WHEN 1003 THEN 'FILE_TYPE_APPLEDOUBLE' WHEN 1004 THEN 'FILE_TYPE_MACINTOSH_HFS' WHEN 1005 THEN 'FILE_TYPE_APPLE_PLIST' WHEN 1006 THEN 'FILE_TYPE_MACINTOSH_LIB' WHEN 1007 THEN 'FILE_TYPE_APPLESCRIPT' WHEN 1008 THEN 'FILE_TYPE_APPLESCRIPT_COMPILED' WHEN 1100 THEN 'FILE_TYPE_CRX' WHEN 1101 THEN 'FILE_TYPE_XPI' WHEN 1200 THEN 'FILE_TYPE_ROM' END ;; + group_label: "src" + label: "src.file.file_type_enum_name" + view_label: "UDM" + description: "FileType field." + } # dimension src__file__file_type_enum_name + + dimension_group: src__file__first_seen_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.file.first_seen_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.file.first_seen_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "src" + label: "src.file.first_seen_time" + view_label: "UDM" + description: "Timestamp the file was first seen in the customer's environment." 
+ } # dimension src__file__first_seen_time + + dimension: src__file__full_path { + type: string + sql: ${TABLE}.src.file.full_path ;; + group_label: "src" + label: "src.file.full_path" + view_label: "UDM" + description: "The full path identifying the location of the file on the system." + } # dimension src__file__full_path + + dimension_group: src__file__last_analysis_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.file.last_analysis_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.file.last_analysis_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "src" + label: "src.file.last_analysis_time" + view_label: "UDM" + description: "Timestamp the file was last analysed." + } # dimension src__file__last_analysis_time + + dimension_group: src__file__last_modification_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.file.last_modification_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.file.last_modification_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "src" + label: "src.file.last_modification_time" + view_label: "UDM" + description: "Timestamp when the file was last updated." + } # dimension src__file__last_modification_time + + dimension_group: src__file__last_seen_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.file.last_seen_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.file.last_seen_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "src" + label: "src.file.last_seen_time" + view_label: "UDM" + description: "Timestamp the file was last seen in the customer's environment." 
+ } # dimension src__file__last_seen_time + + dimension: src__file__md5 { + type: string + sql: ${TABLE}.src.file.md5 ;; + group_label: "src" + label: "src.file.md5" + view_label: "UDM" + description: "The MD5 hash of the file." + } # dimension src__file__md5 + + dimension: src__file__mime_type { + type: string + sql: ${TABLE}.src.file.mime_type ;; + group_label: "src" + label: "src.file.mime_type" + view_label: "UDM" + description: "The MIME (Multipurpose Internet Mail Extensions) type of the file, for example \"PE\", \"PDF\", \"powershell script\", etc." + } # dimension src__file__mime_type + + dimension: src__file__names { + hidden: yes + } # dimension src__file__names + + dimension: src__file__sha1 { + type: string + sql: ${TABLE}.src.file.sha1 ;; + group_label: "src" + label: "src.file.sha1" + view_label: "UDM" + description: "The SHA1 hash of the file." + } # dimension src__file__sha1 + + dimension: src__file__sha256 { + type: string + sql: ${TABLE}.src.file.sha256 ;; + group_label: "src" + label: "src.file.sha256" + view_label: "UDM" + description: "The SHA256 hash of the file." 
+ } # dimension src__file__sha256 + + dimension: src__file__signature_info { + hidden: yes + } # dimension src__file__signature_info + + dimension: src__file__signature_info__codesign { + hidden: yes + } # dimension src__file__signature_info__codesign + + dimension_group: src__file__signature_info__codesign__compilation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.file.signature_info.codesign.compilation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.file.signature_info.codesign.compilation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "src" + label: "src.file.signature_info.codesign.compilation_time" + view_label: "UDM" + description: "Code sign timestamp" + } # dimension src__file__signature_info__codesign__compilation_time + + dimension: src__file__signature_info__codesign__format { + type: string + sql: ${TABLE}.src.file.signature_info.codesign.format ;; + group_label: "src" + label: "src.file.signature_info.codesign.format" + view_label: "UDM" + description: "Code sign format." + } # dimension src__file__signature_info__codesign__format + + dimension: src__file__signature_info__codesign__id { + type: string + sql: ${TABLE}.src.file.signature_info.codesign.id ;; + group_label: "src" + label: "src.file.signature_info.codesign.id" + view_label: "UDM" + description: "Code sign identifier." 
+ } # dimension src__file__signature_info__codesign__id + + dimension: src__file__signature_info__sigcheck { + hidden: yes + } # dimension src__file__signature_info__sigcheck + + dimension: src__file__signature_info__sigcheck__signers { + hidden: yes + } # dimension src__file__signature_info__sigcheck__signers + + dimension: src__file__signature_info__sigcheck__verification_message { + type: string + sql: ${TABLE}.src.file.signature_info.sigcheck.verification_message ;; + group_label: "src" + label: "src.file.signature_info.sigcheck.verification_message" + view_label: "UDM" + description: "Status of the certificate. Valid values are \"Signed\", \"Unsigned\" or a description of the certificate anomaly, if found." + } # dimension src__file__signature_info__sigcheck__verification_message + + dimension: src__file__signature_info__sigcheck__verified { + type: yesno + sql: ${TABLE}.src.file.signature_info.sigcheck.verified ;; + group_label: "src" + label: "src.file.signature_info.sigcheck.verified" + view_label: "UDM" + description: "True iff verification_message == \"Signed\"" + } # dimension src__file__signature_info__sigcheck__verified + + dimension: src__file__size { + type: number + sql: ${TABLE}.src.file.size ;; + group_label: "src" + label: "src.file.size" + view_label: "UDM" + description: "The size of the file in bytes." + } # dimension src__file__size + + dimension: src__file__ssdeep { + type: string + sql: ${TABLE}.src.file.ssdeep ;; + group_label: "src" + label: "src.file.ssdeep" + view_label: "UDM" + description: "Ssdeep of the file" + } # dimension src__file__ssdeep + + dimension: src__file__tags { + hidden: yes + } # dimension src__file__tags + + dimension: src__file__vhash { + type: string + sql: ${TABLE}.src.file.vhash ;; + group_label: "src" + label: "src.file.vhash" + view_label: "UDM" + description: "Vhash of the file." 
+ } # dimension src__file__vhash + + dimension: src__group { + hidden: yes + } # dimension src__group + + dimension: src__group__group_display_name { + type: string + sql: ${TABLE}.src.group.group_display_name ;; + group_label: "src" + label: "src.group.group_display_name" + view_label: "UDM" + description: "Group display name. e.g. \"Finance\"." + } # dimension src__group__group_display_name + + dimension: src__group__product_object_id { + type: string + sql: ${TABLE}.src.group.product_object_id ;; + group_label: "src" + label: "src.group.product_object_id" + view_label: "UDM" + description: "Product globally unique user object identifier, such as an LDAP Object Identifier." + } # dimension src__group__product_object_id + + dimension: src__hostname { + type: string + sql: ${TABLE}.src.hostname ;; + group_label: "src" + label: "src.hostname" + view_label: "UDM" + description: "Client hostname or domain name field. Hostname also doubles as the domain for remote entities." + } # dimension src__hostname + + dimension: src__investigation { + hidden: yes + } # dimension src__investigation + + dimension: src__investigation__risk_score { + type: number + sql: ${TABLE}.src.investigation.risk_score ;; + group_label: "src" + label: "src.investigation.risk_score" + view_label: "UDM" + description: "Risk score for a finding set by an analyst." + } # dimension src__investigation__risk_score + + dimension: src__ip { + hidden: yes + } # dimension src__ip + + dimension: src__ip_geo_artifact { + hidden: yes + } # dimension src__ip_geo_artifact + + dimension: src__ip_location { + hidden: yes + } # dimension src__ip_location + + dimension: src__labels { + hidden: yes + } # dimension src__labels + + dimension: src__location { + hidden: yes + } # dimension src__location + + dimension: src__location__city { + type: string + sql: ${TABLE}.src.location.city ;; + group_label: "src" + label: "src.location.city" + view_label: "UDM" + description: "The city." 
+ } # dimension src__location__city + + dimension: src__location__country_or_region { + type: string + sql: ${TABLE}.src.location.country_or_region ;; + group_label: "src" + label: "src.location.country_or_region" + view_label: "UDM" + description: "The country or region." + } # dimension src__location__country_or_region + + dimension: src__location__name { + type: string + sql: ${TABLE}.src.location.name ;; + group_label: "src" + label: "src.location.name" + view_label: "UDM" + description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." + } # dimension src__location__name + + dimension: src__location__region_coordinates { + type: location + sql_latitude: ${TABLE}.src.location.region_coordinates.latitude ;; + sql_longitude: ${TABLE}.src.location.region_coordinates.longitude ;; + group_label: "src" + group_item_label: "src.location.region_coordinates [L]" + label: "src.location.region_coordinates" + view_label: "UDM" + description: "Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. [L]: This is a location field and can be used in maps." + } # dimension src__location__region_coordinates + + dimension: src__location__region_latitude { + type: number + sql: ${TABLE}.src.location.region_latitude ;; + group_label: "src" + group_item_label: "src.location.region_latitude [D]" + label: "src.location.region_latitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension src__location__region_latitude + + dimension: src__location__region_longitude { + type: number + sql: ${TABLE}.src.location.region_longitude ;; + group_label: "src" + group_item_label: "src.location.region_longitude [D]" + label: "src.location.region_longitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" + } # dimension src__location__region_longitude + + dimension: src__location__location { + type: location + sql_latitude: ${TABLE}.src.location.region_latitude ;; + sql_longitude: ${TABLE}.src.location.region_longitude ;; + group_label: "src" + group_item_label: "src.location.location [D][L]" + label: "src.location.location" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." + } # dimension src__location__location + + dimension: src__location__state { + type: string + sql: ${TABLE}.src.location.state ;; + group_label: "src" + label: "src.location.state" + view_label: "UDM" + description: "The state." + } # dimension src__location__state + + dimension: src__mac { + hidden: yes + } # dimension src__mac + + dimension: src__namespace { + type: string + sql: ${TABLE}.src.namespace ;; + group_label: "src" + label: "src.namespace" + view_label: "UDM" + description: "Namespace which the device belongs to (e.g. AD forest) Uses for this field include Microsoft Windows AD forest, name of subsidiary or acquisition, etc." 
+ } # dimension src__namespace + + dimension: src__nat_ip { + hidden: yes + } # dimension src__nat_ip + + dimension: src__network { + hidden: yes + } # dimension src__network + + dimension: src__network__application_protocol_version { + type: string + sql: ${TABLE}.src.network.application_protocol_version ;; + group_label: "src" + label: "src.network.application_protocol_version" + view_label: "UDM" + description: "The version of the application protocol. e.g. \"1.1, 2.0\"" + } # dimension src__network__application_protocol_version + + dimension: src__platform_version { + type: string + sql: ${TABLE}.src.platform_version ;; + group_label: "src" + label: "src.platform_version" + view_label: "UDM" + description: "Platform version. For example, \"Microsoft Windows 1803\"." + } # dimension src__platform_version + + dimension: src__port { + type: number + value_format: "#" + sql: ${TABLE}.src.port ;; + group_label: "src" + label: "src.port" + view_label: "UDM" + description: "Source or destination network port number when a specific network connection is described within an event." + } # dimension src__port + + dimension: src__process { + hidden: yes + } # dimension src__process + + dimension: src__process__command_line { + type: string + sql: ${TABLE}.src.process.command_line ;; + group_label: "src" + label: "src.process.command_line" + view_label: "UDM" + description: "The command line command that created the process." + } # dimension src__process__command_line + + dimension: src__process__file { + hidden: yes + } # dimension src__process__file + + dimension: src__process__file__full_path { + type: string + sql: ${TABLE}.src.process.file.full_path ;; + group_label: "src" + label: "src.process.file.full_path" + view_label: "UDM" + description: "The full path identifying the location of the file on the system." 
+ } # dimension src__process__file__full_path + + dimension: src__process__file__md5 { + type: string + sql: ${TABLE}.src.process.file.md5 ;; + group_label: "src" + label: "src.process.file.md5" + view_label: "UDM" + description: "The MD5 hash of the file." + } # dimension src__process__file__md5 + + dimension: src__process__file__names { + hidden: yes + } # dimension src__process__file__names + + dimension: src__process__file__sha1 { + type: string + sql: ${TABLE}.src.process.file.sha1 ;; + group_label: "src" + label: "src.process.file.sha1" + view_label: "UDM" + description: "The SHA1 hash of the file." + } # dimension src__process__file__sha1 + + dimension: src__process__file__sha256 { + type: string + sql: ${TABLE}.src.process.file.sha256 ;; + group_label: "src" + label: "src.process.file.sha256" + view_label: "UDM" + description: "The SHA256 hash of the file." + } # dimension src__process__file__sha256 + + dimension: src__process__file__size { + type: number + sql: ${TABLE}.src.process.file.size ;; + group_label: "src" + label: "src.process.file.size" + view_label: "UDM" + description: "The size of the file in bytes." + } # dimension src__process__file__size + + dimension: src__process__parent_process { + hidden: yes + } # dimension src__process__parent_process + + dimension: src__process__parent_process__file { + hidden: yes + } # dimension src__process__parent_process__file + + dimension: src__process__parent_process__file__full_path { + type: string + sql: ${TABLE}.src.process.parent_process.file.full_path ;; + group_label: "src" + label: "src.process.parent_process.file.full_path" + view_label: "UDM" + description: "The full path identifying the location of the file on the system." + } # dimension src__process__parent_process__file__full_path + + dimension: src__process__pid { + type: string + sql: ${TABLE}.src.process.pid ;; + group_label: "src" + label: "src.process.pid" + view_label: "UDM" + description: "The process ID." 
+ } # dimension src__process__pid + + dimension: src__process_ancestors { + hidden: yes + } # dimension src__process_ancestors + + dimension: src__registry { + hidden: yes + } # dimension src__registry + + dimension: src__registry__registry_key { + type: string + sql: ${TABLE}.src.registry.registry_key ;; + group_label: "src" + label: "src.registry.registry_key" + view_label: "UDM" + description: "Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...)." + } # dimension src__registry__registry_key + + dimension: src__registry__registry_value_data { + type: string + sql: ${TABLE}.src.registry.registry_value_data ;; + group_label: "src" + label: "src.registry.registry_value_data" + view_label: "UDM" + description: "Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp)." + } # dimension src__registry__registry_value_data + + dimension: src__registry__registry_value_name { + type: string + sql: ${TABLE}.src.registry.registry_value_name ;; + group_label: "src" + label: "src.registry.registry_value_name" + view_label: "UDM" + description: "Name of the registry value associated with an application or system component (e.g. TEMP)." + } # dimension src__registry__registry_value_name + + dimension: src__resource { + hidden: yes + } # dimension src__resource + + dimension: src__resource__attribute { + hidden: yes + } # dimension src__resource__attribute + + dimension_group: src__resource__attribute__creation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.resource.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.resource.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "src" + label: "src.resource.attribute.creation_time" + view_label: "UDM" + description: "Time the resource or entity was created or provisioned." 
+ } # dimension src__resource__attribute__creation_time + + dimension: src__resource__attribute__labels { + hidden: yes + } # dimension src__resource__attribute__labels + + dimension_group: src__resource__attribute__last_update_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.resource.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.resource.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "src" + label: "src.resource.attribute.last_update_time" + view_label: "UDM" + description: "Time the resource or entity was last updated." + } # dimension src__resource__attribute__last_update_time + + dimension: src__resource__attribute__permissions { + hidden: yes + } # dimension src__resource__attribute__permissions + + dimension: src__resource__id { + type: string + sql: ${TABLE}.src.resource.id ;; + group_label: "src" + group_item_label: "src.resource.id [D]" + label: "src.resource.id" + view_label: "UDM" + description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" + } # dimension src__resource__id + + dimension: src__resource__name { + type: string + sql: ${TABLE}.src.resource.name ;; + group_label: "src" + label: "src.resource.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." + } # dimension src__resource__name + + dimension: src__resource__parent { + type: string + sql: ${TABLE}.src.resource.parent ;; + group_label: "src" + group_item_label: "src.resource.parent [D]" + label: "src.resource.parent" + view_label: "UDM" + description: "The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. 
Deprecated: use resource_ancestors.name. [D]: This field is deprecated and will be removed in a future release" + } # dimension src__resource__parent + + dimension: src__resource__product_object_id { + type: string + sql: ${TABLE}.src.resource.product_object_id ;; + group_label: "src" + label: "src.resource.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" + } # dimension src__resource__product_object_id + + dimension: src__resource__resource_subtype { + type: string + sql: ${TABLE}.src.resource.resource_subtype ;; + group_label: "src" + label: "src.resource.resource_subtype" + view_label: "UDM" + description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\")." + } # dimension src__resource__resource_subtype + + dimension: src__resource__resource_type { + type: number + sql: ${TABLE}.src.resource.resource_type ;; + group_label: "src" + label: "src.resource.resource_type" + view_label: "UDM" + description: "Resource type." 
+ } # dimension src__resource__resource_type + + dimension: src__resource__resource_type_enum_name { + type: string + suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] + sql: CASE ${TABLE}.src.resource.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; + group_label: "src" + label: "src.resource.resource_type_enum_name" + view_label: "UDM" + description: "Resource type." + } # dimension src__resource__resource_type_enum_name + + dimension: src__resource__type { + type: string + sql: ${TABLE}.src.resource.type ;; + group_label: "src" + group_item_label: "src.resource.type [D]" + label: "src.resource.type" + view_label: "UDM" + description: "Deprecated: use resource_type instead. [D]: This field is deprecated and will be removed in a future release" + } # dimension src__resource__type + + dimension: src__resource_ancestors { + hidden: yes + } # dimension src__resource_ancestors + + dimension: src__url { + type: string + sql: ${TABLE}.src.url ;; + group_label: "src" + label: "src.url" + view_label: "UDM" + description: "The URL." 
+ } # dimension src__url + + dimension: src__user { + hidden: yes + } # dimension src__user + + dimension: src__user__account_type { + type: number + sql: ${TABLE}.src.user.account_type ;; + group_label: "src" + label: "src.user.account_type" + view_label: "UDM" + description: "Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/" + } # dimension src__user__account_type + + dimension: src__user__account_type_enum_name { + type: string + suggestions: ["ACCOUNT_TYPE_UNSPECIFIED", "CLOUD_ACCOUNT_TYPE", "DEFAULT_ACCOUNT_TYPE", "DOMAIN_ACCOUNT_TYPE", "LOCAL_ACCOUNT_TYPE", "SERVICE_ACCOUNT_TYPE"] + sql: CASE ${TABLE}.src.user.account_type WHEN 0 THEN 'ACCOUNT_TYPE_UNSPECIFIED' WHEN 1 THEN 'DOMAIN_ACCOUNT_TYPE' WHEN 2 THEN 'LOCAL_ACCOUNT_TYPE' WHEN 3 THEN 'CLOUD_ACCOUNT_TYPE' WHEN 4 THEN 'SERVICE_ACCOUNT_TYPE' WHEN 5 THEN 'DEFAULT_ACCOUNT_TYPE' END ;; + group_label: "src" + label: "src.user.account_type_enum_name" + view_label: "UDM" + description: "Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/" + } # dimension src__user__account_type_enum_name + + dimension: src__user__attribute { + hidden: yes + } # dimension src__user__attribute + + dimension: src__user__attribute__cloud { + hidden: yes + } # dimension src__user__attribute__cloud + + dimension: src__user__attribute__cloud__project { + hidden: yes + } # dimension src__user__attribute__cloud__project + + dimension: src__user__attribute__cloud__project__name { + type: string + sql: ${TABLE}.src.user.attribute.cloud.project.name ;; + group_label: "src" + group_item_label: "src.user.attribute.cloud.project.name [D]" + label: "src.user.attribute.cloud.project.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension src__user__attribute__cloud__project__name + + dimension_group: src__user__attribute__creation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.user.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.user.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "src" + label: "src.user.attribute.creation_time" + view_label: "UDM" + description: "Time the resource or entity was created or provisioned." + } # dimension src__user__attribute__creation_time + + dimension: src__user__attribute__labels { + hidden: yes + } # dimension src__user__attribute__labels + + dimension_group: src__user__attribute__last_update_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.user.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.user.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "src" + label: "src.user.attribute.last_update_time" + view_label: "UDM" + description: "Time the resource or entity was last updated." + } # dimension src__user__attribute__last_update_time + + dimension: src__user__attribute__roles { + hidden: yes + } # dimension src__user__attribute__roles + + dimension: src__user__company_name { + type: string + sql: ${TABLE}.src.user.company_name ;; + group_label: "src" + label: "src.user.company_name" + view_label: "UDM" + description: "User job company name." 
+ } # dimension src__user__company_name + + dimension: src__user__department { + hidden: yes + } # dimension src__user__department + + dimension: src__user__email_addresses { + hidden: yes + } # dimension src__user__email_addresses + + dimension: src__user__employee_id { + type: string + sql: ${TABLE}.src.user.employee_id ;; + group_label: "src" + label: "src.user.employee_id" + view_label: "UDM" + description: "Human capital management identifier." + } # dimension src__user__employee_id + + dimension: src__user__first_name { + type: string + sql: ${TABLE}.src.user.first_name ;; + group_label: "src" + label: "src.user.first_name" + view_label: "UDM" + description: "First name of the user (e.g. \"John\")." + } # dimension src__user__first_name + + dimension: src__user__group_identifiers { + hidden: yes + } # dimension src__user__group_identifiers + + dimension: src__user__groupid { + type: string + sql: ${TABLE}.src.user.groupid ;; + group_label: "src" + group_item_label: "src.user.groupid [D]" + label: "src.user.groupid" + view_label: "UDM" + description: "The ID of the group that the user belongs to. Deprecated in favor of the repeated group_identifiers field. [D]: This field is deprecated and will be removed in a future release" + } # dimension src__user__groupid + + dimension_group: src__user__hire_date { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.user.hire_date.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.user.hire_date.nanos, 0) / 1000) as INT64)) ;; + group_label: "src" + label: "src.user.hire_date" + view_label: "UDM" + description: "User job employment hire date." + } # dimension src__user__hire_date + + dimension: src__user__last_name { + type: string + sql: ${TABLE}.src.user.last_name ;; + group_label: "src" + label: "src.user.last_name" + view_label: "UDM" + description: "Last name of the user (e.g. \"Locke\")." 
+ } # dimension src__user__last_name + + dimension: src__user__managers { + hidden: yes + } # dimension src__user__managers + + dimension: src__user__middle_name { + type: string + sql: ${TABLE}.src.user.middle_name ;; + group_label: "src" + label: "src.user.middle_name" + view_label: "UDM" + description: "Middle name of the user." + } # dimension src__user__middle_name + + dimension: src__user__office_address { + hidden: yes + } # dimension src__user__office_address + + dimension: src__user__office_address__city { + type: string + sql: ${TABLE}.src.user.office_address.city ;; + group_label: "src" + label: "src.user.office_address.city" + view_label: "UDM" + description: "The city." + } # dimension src__user__office_address__city + + dimension: src__user__office_address__country_or_region { + type: string + sql: ${TABLE}.src.user.office_address.country_or_region ;; + group_label: "src" + label: "src.user.office_address.country_or_region" + view_label: "UDM" + description: "The country or region." + } # dimension src__user__office_address__country_or_region + + dimension: src__user__office_address__desk_name { + type: string + sql: ${TABLE}.src.user.office_address.desk_name ;; + group_label: "src" + label: "src.user.office_address.desk_name" + view_label: "UDM" + description: "Desk name or individual location, typically for an employee in an office. (e.g. \"IN-BLR-BCPC-11-1121D\")." + } # dimension src__user__office_address__desk_name + + dimension: src__user__office_address__floor_name { + type: string + sql: ${TABLE}.src.user.office_address.floor_name ;; + group_label: "src" + label: "src.user.office_address.floor_name" + view_label: "UDM" + description: "Floor name, number or a combination of the two for a building. (e.g. \"1-A\")." 
+ } # dimension src__user__office_address__floor_name + + dimension: src__user__office_address__name { + type: string + sql: ${TABLE}.src.user.office_address.name ;; + group_label: "src" + label: "src.user.office_address.name" + view_label: "UDM" + description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." + } # dimension src__user__office_address__name + + dimension: src__user__office_address__state { + type: string + sql: ${TABLE}.src.user.office_address.state ;; + group_label: "src" + label: "src.user.office_address.state" + view_label: "UDM" + description: "The state." + } # dimension src__user__office_address__state + + dimension: src__user__personal_address { + hidden: yes + } # dimension src__user__personal_address + + dimension: src__user__personal_address__city { + type: string + sql: ${TABLE}.src.user.personal_address.city ;; + group_label: "src" + label: "src.user.personal_address.city" + view_label: "UDM" + description: "The city." + } # dimension src__user__personal_address__city + + dimension: src__user__personal_address__country_or_region { + type: string + sql: ${TABLE}.src.user.personal_address.country_or_region ;; + group_label: "src" + label: "src.user.personal_address.country_or_region" + view_label: "UDM" + description: "The country or region." + } # dimension src__user__personal_address__country_or_region + + dimension: src__user__personal_address__name { + type: string + sql: ${TABLE}.src.user.personal_address.name ;; + group_label: "src" + label: "src.user.personal_address.name" + view_label: "UDM" + description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." 
+ } # dimension src__user__personal_address__name + + dimension: src__user__personal_address__state { + type: string + sql: ${TABLE}.src.user.personal_address.state ;; + group_label: "src" + label: "src.user.personal_address.state" + view_label: "UDM" + description: "The state." + } # dimension src__user__personal_address__state + + dimension: src__user__phone_numbers { + hidden: yes + } # dimension src__user__phone_numbers + + dimension: src__user__product_object_id { + type: string + sql: ${TABLE}.src.user.product_object_id ;; + group_label: "src" + label: "src.user.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." + } # dimension src__user__product_object_id + + dimension: src__user__role_name { + type: string + sql: ${TABLE}.src.user.role_name ;; + group_label: "src" + group_item_label: "src.user.role_name [D]" + label: "src.user.role_name" + view_label: "UDM" + description: "System role name for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" + } # dimension src__user__role_name + + dimension_group: src__user__termination_date { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.user.termination_date.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.user.termination_date.nanos, 0) / 1000) as INT64)) ;; + group_label: "src" + label: "src.user.termination_date" + view_label: "UDM" + description: "User job employment termination date." + } # dimension src__user__termination_date + + dimension: src__user__time_off { + hidden: yes + } # dimension src__user__time_off + + dimension: src__user__title { + type: string + sql: ${TABLE}.src.user.title ;; + group_label: "src" + label: "src.user.title" + view_label: "UDM" + description: "User job title." 
+ } # dimension src__user__title + + dimension: src__user__user_authentication_status { + type: number + sql: ${TABLE}.src.user.user_authentication_status ;; + group_label: "src" + label: "src.user.user_authentication_status" + view_label: "UDM" + description: "System authentication status for user." + } # dimension src__user__user_authentication_status + + dimension: src__user__user_authentication_status_enum_name { + type: string + suggestions: ["ACTIVE", "DELETED", "NO_ACTIVE_CREDENTIALS", "SUSPENDED", "UNKNOWN_AUTHENTICATION_STATUS"] + sql: CASE ${TABLE}.src.user.user_authentication_status WHEN 0 THEN 'UNKNOWN_AUTHENTICATION_STATUS' WHEN 1 THEN 'ACTIVE' WHEN 2 THEN 'SUSPENDED' WHEN 3 THEN 'NO_ACTIVE_CREDENTIALS' WHEN 4 THEN 'DELETED' END ;; + group_label: "src" + label: "src.user.user_authentication_status_enum_name" + view_label: "UDM" + description: "System authentication status for user." + } # dimension src__user__user_authentication_status_enum_name + + dimension: src__user__user_display_name { + type: string + sql: ${TABLE}.src.user.user_display_name ;; + group_label: "src" + label: "src.user.user_display_name" + view_label: "UDM" + description: "The display name of the user (e.g. \"John Locke\")." + } # dimension src__user__user_display_name + + dimension: src__user__userid { + type: string + sql: ${TABLE}.src.user.userid ;; + group_label: "src" + label: "src.user.userid" + view_label: "UDM" + description: "The ID of the user." + } # dimension src__user__userid + + dimension: src__user__windows_sid { + type: string + sql: ${TABLE}.src.user.windows_sid ;; + group_label: "src" + label: "src.user.windows_sid" + view_label: "UDM" + description: "The Microsoft Windows SID of the user." 
+ } # dimension src__user__windows_sid + + dimension: target { + hidden: yes + } # dimension target + + dimension: target__administrative_domain { + type: string + sql: ${TABLE}.target.administrative_domain ;; + group_label: "target" + label: "target.administrative_domain" + view_label: "UDM" + description: "Domain which the device belongs to (for example, the Microsoft Windows domain)." + } # dimension target__administrative_domain + + dimension: target__application { + type: string + sql: ${TABLE}.target.application ;; + group_label: "target" + label: "target.application" + view_label: "UDM" + description: "The name of an application or service. Some SSO solutions only capture the name of a target application such as \"Atlassian\" or \"Chronicle\"." + } # dimension target__application + + dimension: target__artifact { + hidden: yes + } # dimension target__artifact + + dimension: target__artifact__ip { + type: string + sql: ${TABLE}.target.artifact.ip ;; + group_label: "target" + label: "target.artifact.ip" + view_label: "UDM" + description: "IP address of the artifact." + } # dimension target__artifact__ip + + dimension: target__artifact__network { + hidden: yes + } # dimension target__artifact__network + + dimension: target__artifact__network__email { + hidden: yes + } # dimension target__artifact__network__email + + dimension: target__artifact__network__email__subject { + hidden: yes + } # dimension target__artifact__network__email__subject + + dimension: target__artifact__network__sent_bytes { + type: number + sql: ${TABLE}.target.artifact.network.sent_bytes ;; + group_label: "target" + label: "target.artifact.network.sent_bytes" + view_label: "UDM" + description: "The number of bytes sent." 
+ } # dimension target__artifact__network__sent_bytes + + dimension: target__asset { + hidden: yes + } # dimension target__asset + + dimension: target__asset__asset_id { + type: string + sql: ${TABLE}.target.asset.asset_id ;; + group_label: "target" + label: "target.asset.asset_id" + view_label: "UDM" + description: "The asset ID." + } # dimension target__asset__asset_id + + dimension: target__asset__attribute { + hidden: yes + } # dimension target__asset__attribute + + dimension: target__asset__attribute__cloud { + hidden: yes + } # dimension target__asset__attribute__cloud + + dimension: target__asset__attribute__cloud__availability_zone { + type: string + sql: ${TABLE}.target.asset.attribute.cloud.availability_zone ;; + group_label: "target" + label: "target.asset.attribute.cloud.availability_zone" + view_label: "UDM" + description: "The cloud environment availability zone (different from region which is location.name)." + } # dimension target__asset__attribute__cloud__availability_zone + + dimension: target__asset__attribute__cloud__environment { + type: number + sql: ${TABLE}.target.asset.attribute.cloud.environment ;; + group_label: "target" + label: "target.asset.attribute.cloud.environment" + view_label: "UDM" + description: "The Cloud environment." + } # dimension target__asset__attribute__cloud__environment + + dimension: target__asset__attribute__cloud__environment_enum_name { + type: string + suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] + sql: CASE ${TABLE}.target.asset.attribute.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; + group_label: "target" + label: "target.asset.attribute.cloud.environment_enum_name" + view_label: "UDM" + description: "The Cloud environment." 
+ } # dimension target__asset__attribute__cloud__environment_enum_name + + dimension: target__asset__attribute__cloud__project { + hidden: yes + } # dimension target__asset__attribute__cloud__project + + dimension: target__asset__attribute__cloud__project__id { + type: string + sql: ${TABLE}.target.asset.attribute.cloud.project.id ;; + group_label: "target" + group_item_label: "target.asset.attribute.cloud.project.id [D]" + label: "target.asset.attribute.cloud.project.id" + view_label: "UDM" + description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__asset__attribute__cloud__project__id + + dimension: target__asset__attribute__cloud__project__name { + type: string + sql: ${TABLE}.target.asset.attribute.cloud.project.name ;; + group_label: "target" + group_item_label: "target.asset.attribute.cloud.project.name [D]" + label: "target.asset.attribute.cloud.project.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension target__asset__attribute__cloud__project__name + + dimension: target__asset__attribute__cloud__project__product_object_id { + type: string + sql: ${TABLE}.target.asset.attribute.cloud.project.product_object_id ;; + group_label: "target" + group_item_label: "target.asset.attribute.cloud.project.product_object_id [D]" + label: "target.asset.attribute.cloud.project.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" + } # dimension target__asset__attribute__cloud__project__product_object_id + + dimension: target__asset__attribute__cloud__project__resource_type { + type: number + sql: ${TABLE}.target.asset.attribute.cloud.project.resource_type ;; + group_label: "target" + group_item_label: "target.asset.attribute.cloud.project.resource_type [D]" + label: "target.asset.attribute.cloud.project.resource_type" + view_label: "UDM" + description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension target__asset__attribute__cloud__project__resource_type + + dimension: target__asset__attribute__cloud__project__resource_type_enum_name { + type: string + suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] + sql: CASE ${TABLE}.target.asset.attribute.cloud.project.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; + group_label: "target" + group_item_label: "target.asset.attribute.cloud.project.resource_type_enum_name [D]" + label: "target.asset.attribute.cloud.project.resource_type_enum_name" + view_label: "UDM" + description: "Resource type. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__asset__attribute__cloud__project__resource_type_enum_name + + dimension: target__asset__attribute__cloud__project__type { + type: string + sql: ${TABLE}.target.asset.attribute.cloud.project.type ;; + group_label: "target" + group_item_label: "target.asset.attribute.cloud.project.type [D]" + label: "target.asset.attribute.cloud.project.type" + view_label: "UDM" + description: "Deprecated: use resource_type instead. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension target__asset__attribute__cloud__project__type + + dimension: target__asset__attribute__cloud__vpc { + hidden: yes + } # dimension target__asset__attribute__cloud__vpc + + dimension: target__asset__attribute__cloud__vpc__id { + type: string + sql: ${TABLE}.target.asset.attribute.cloud.vpc.id ;; + group_label: "target" + group_item_label: "target.asset.attribute.cloud.vpc.id [D]" + label: "target.asset.attribute.cloud.vpc.id" + view_label: "UDM" + description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__asset__attribute__cloud__vpc__id + + dimension: target__asset__attribute__cloud__vpc__name { + type: string + sql: ${TABLE}.target.asset.attribute.cloud.vpc.name ;; + group_label: "target" + group_item_label: "target.asset.attribute.cloud.vpc.name [D]" + label: "target.asset.attribute.cloud.vpc.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__asset__attribute__cloud__vpc__name + + dimension: target__asset__attribute__cloud__vpc__resource_type { + type: number + sql: ${TABLE}.target.asset.attribute.cloud.vpc.resource_type ;; + group_label: "target" + group_item_label: "target.asset.attribute.cloud.vpc.resource_type [D]" + label: "target.asset.attribute.cloud.vpc.resource_type" + view_label: "UDM" + description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension target__asset__attribute__cloud__vpc__resource_type + + dimension: target__asset__attribute__cloud__vpc__resource_type_enum_name { + type: string + suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] + sql: CASE ${TABLE}.target.asset.attribute.cloud.vpc.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; + group_label: "target" + group_item_label: "target.asset.attribute.cloud.vpc.resource_type_enum_name [D]" + label: "target.asset.attribute.cloud.vpc.resource_type_enum_name" + view_label: "UDM" + description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension target__asset__attribute__cloud__vpc__resource_type_enum_name + + dimension_group: target__asset__attribute__creation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.asset.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.asset.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.asset.attribute.creation_time" + view_label: "UDM" + description: "Time the resource or entity was created or provisioned." + } # dimension target__asset__attribute__creation_time + + dimension: target__asset__attribute__labels { + hidden: yes + } # dimension target__asset__attribute__labels + + dimension_group: target__asset__attribute__last_update_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.asset.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.asset.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.asset.attribute.last_update_time" + view_label: "UDM" + description: "Time the resource or entity was last updated." + } # dimension target__asset__attribute__last_update_time + + dimension: target__asset__attribute__permissions { + hidden: yes + } # dimension target__asset__attribute__permissions + + dimension: target__asset__attribute__roles { + hidden: yes + } # dimension target__asset__attribute__roles + + dimension: target__asset__category { + type: string + sql: ${TABLE}.target.asset.category ;; + group_label: "target" + label: "target.asset.category" + view_label: "UDM" + description: "The category of the asset (e.g. \"End User Asset\", \"Workstation\", \"Server\")." 
+ } # dimension target__asset__category + + dimension_group: target__asset__creation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.asset.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.asset.creation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + group_item_label: "target.asset.creation_time [D]" + label: "target.asset.creation_time" + view_label: "UDM" + description: "Time the asset was created or provisioned. Deprecate: creation_time should be populated in Attribute as generic metadata. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__asset__creation_time + + dimension: target__asset__deployment_status { + type: number + sql: ${TABLE}.target.asset.deployment_status ;; + group_label: "target" + label: "target.asset.deployment_status" + view_label: "UDM" + description: "The deployment status of the asset for device lifecycle purposes." + } # dimension target__asset__deployment_status + + dimension: target__asset__deployment_status_enum_name { + type: string + suggestions: ["ACTIVE", "DECOMISSIONED", "DEPLOYMENT_STATUS_UNSPECIFIED", "PENDING_DECOMISSION"] + sql: CASE ${TABLE}.target.asset.deployment_status WHEN 0 THEN 'DEPLOYMENT_STATUS_UNSPECIFIED' WHEN 1 THEN 'ACTIVE' WHEN 2 THEN 'PENDING_DECOMISSION' WHEN 3 THEN 'DECOMISSIONED' END ;; + group_label: "target" + label: "target.asset.deployment_status_enum_name" + view_label: "UDM" + description: "The deployment status of the asset for device lifecycle purposes." 
+ } # dimension target__asset__deployment_status_enum_name + + dimension_group: target__asset__first_discover_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.asset.first_discover_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.asset.first_discover_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.asset.first_discover_time" + view_label: "UDM" + description: "Time the asset was first discovered (by asset management/discoverability software)." + } # dimension target__asset__first_discover_time + + dimension_group: target__asset__first_seen_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.asset.first_seen_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.asset.first_seen_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.asset.first_seen_time" + view_label: "UDM" + description: "The first observed time for an asset. The value is calculated on the basis of the first time the identifier was observed." + } # dimension target__asset__first_seen_time + + dimension: target__asset__hardware { + hidden: yes + } # dimension target__asset__hardware + + dimension: target__asset__hostname { + type: string + sql: ${TABLE}.target.asset.hostname ;; + group_label: "target" + label: "target.asset.hostname" + view_label: "UDM" + description: "Asset hostname or domain name field." 
+ } # dimension target__asset__hostname + + dimension: target__asset__ip { + hidden: yes + } # dimension target__asset__ip + + dimension: target__asset__labels { + hidden: yes + } # dimension target__asset__labels + + dimension_group: target__asset__last_boot_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.asset.last_boot_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.asset.last_boot_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.asset.last_boot_time" + view_label: "UDM" + description: "Time the asset was last boot started." + } # dimension target__asset__last_boot_time + + dimension_group: target__asset__last_discover_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.asset.last_discover_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.asset.last_discover_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.asset.last_discover_time" + view_label: "UDM" + description: "Time the asset was last discovered (by asset management/discoverability software)." + } # dimension target__asset__last_discover_time + + dimension: target__asset__location { + hidden: yes + } # dimension target__asset__location + + dimension: target__asset__location__city { + type: string + sql: ${TABLE}.target.asset.location.city ;; + group_label: "target" + label: "target.asset.location.city" + view_label: "UDM" + description: "The city." + } # dimension target__asset__location__city + + dimension: target__asset__location__country_or_region { + type: string + sql: ${TABLE}.target.asset.location.country_or_region ;; + group_label: "target" + label: "target.asset.location.country_or_region" + view_label: "UDM" + description: "The country or region." 
+ } # dimension target__asset__location__country_or_region + + dimension: target__asset__location__floor_name { + type: string + sql: ${TABLE}.target.asset.location.floor_name ;; + group_label: "target" + label: "target.asset.location.floor_name" + view_label: "UDM" + description: "Floor name, number or a combination of the two for a building. (e.g. \"1-A\")." + } # dimension target__asset__location__floor_name + + dimension: target__asset__location__name { + type: string + sql: ${TABLE}.target.asset.location.name ;; + group_label: "target" + label: "target.asset.location.name" + view_label: "UDM" + description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." + } # dimension target__asset__location__name + + dimension: target__asset__location__region_latitude { + type: number + sql: ${TABLE}.target.asset.location.region_latitude ;; + group_label: "target" + group_item_label: "target.asset.location.region_latitude [D]" + label: "target.asset.location.region_latitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__asset__location__region_latitude + + dimension: target__asset__location__region_longitude { + type: number + sql: ${TABLE}.target.asset.location.region_longitude ;; + group_label: "target" + group_item_label: "target.asset.location.region_longitude [D]" + label: "target.asset.location.region_longitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension target__asset__location__region_longitude + + dimension: target__asset__location__location { + type: location + sql_latitude: ${TABLE}.target.asset.location.region_latitude ;; + sql_longitude: ${TABLE}.target.asset.location.region_longitude ;; + group_label: "target" + group_item_label: "target.asset.location.location [D][L]" + label: "target.asset.location.location" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." + } # dimension target__asset__location__location + + dimension: target__asset__location__state { + type: string + sql: ${TABLE}.target.asset.location.state ;; + group_label: "target" + label: "target.asset.location.state" + view_label: "UDM" + description: "The state." + } # dimension target__asset__location__state + + dimension: target__asset__mac { + hidden: yes + } # dimension target__asset__mac + + dimension: target__asset__nat_ip { + hidden: yes + } # dimension target__asset__nat_ip + + dimension: target__asset__network_domain { + type: string + sql: ${TABLE}.target.asset.network_domain ;; + group_label: "target" + label: "target.asset.network_domain" + view_label: "UDM" + description: "The network domain of the asset (e.g. \"corp.acme.com\")" + } # dimension target__asset__network_domain + + dimension: target__asset__platform_software { + hidden: yes + } # dimension target__asset__platform_software + + dimension: target__asset__platform_software__platform { + type: number + sql: ${TABLE}.target.asset.platform_software.platform ;; + group_label: "target" + label: "target.asset.platform_software.platform" + view_label: "UDM" + description: "The platform operating system." 
+ } # dimension target__asset__platform_software__platform + + dimension: target__asset__platform_software__platform_enum_name { + type: string + suggestions: ["ANDROID", "AWS", "AZURE", "CHROME_OS", "GCP", "IOS", "LINUX", "MAC", "UNKNOWN_PLATFORM", "WINDOWS"] + sql: CASE ${TABLE}.target.asset.platform_software.platform WHEN 0 THEN 'UNKNOWN_PLATFORM' WHEN 1 THEN 'WINDOWS' WHEN 2 THEN 'MAC' WHEN 3 THEN 'LINUX' WHEN 4 THEN 'GCP' WHEN 5 THEN 'AWS' WHEN 6 THEN 'AZURE' WHEN 7 THEN 'IOS' WHEN 8 THEN 'ANDROID' WHEN 9 THEN 'CHROME_OS' END ;; + group_label: "target" + label: "target.asset.platform_software.platform_enum_name" + view_label: "UDM" + description: "The platform operating system." + } # dimension target__asset__platform_software__platform_enum_name + + dimension: target__asset__platform_software__platform_patch_level { + type: string + sql: ${TABLE}.target.asset.platform_software.platform_patch_level ;; + group_label: "target" + label: "target.asset.platform_software.platform_patch_level" + view_label: "UDM" + description: "The platform software patch level ( e.g. \"Build 17134.48\", \"SP1\")." + } # dimension target__asset__platform_software__platform_patch_level + + dimension: target__asset__platform_software__platform_version { + type: string + sql: ${TABLE}.target.asset.platform_software.platform_version ;; + group_label: "target" + label: "target.asset.platform_software.platform_version" + view_label: "UDM" + description: "The platform software version ( e.g. \"Microsoft Windows 1803\")." + } # dimension target__asset__platform_software__platform_version + + dimension: target__asset__product_object_id { + type: string + sql: ${TABLE}.target.asset.product_object_id ;; + group_label: "target" + label: "target.asset.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID or similar)." 
+ } # dimension target__asset__product_object_id + + dimension: target__asset__software { + hidden: yes + } # dimension target__asset__software + + dimension_group: target__asset__system_last_update_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.asset.system_last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.asset.system_last_update_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.asset.system_last_update_time" + view_label: "UDM" + description: "Time the asset system or OS was last updated. For all other operations that are not system updates (such as resizing a vm, etc.) use Attribute.last_update_time." + } # dimension target__asset__system_last_update_time + + dimension: target__asset__type { + type: number + sql: ${TABLE}.target.asset.type ;; + group_label: "target" + label: "target.asset.type" + view_label: "UDM" + description: "The type of the asset (e.g. workstation or laptop or server)." + } # dimension target__asset__type + + dimension: target__asset__type_enum_name { + type: string + suggestions: ["IOT", "LAPTOP", "MOBILE", "NETWORK_ATTACHED_STORAGE", "PRINTER", "ROLE_UNSPECIFIED", "SCANNER", "SERVER", "TAPE_LIBRARY", "WORKSTATION"] + sql: CASE ${TABLE}.target.asset.type WHEN 0 THEN 'ROLE_UNSPECIFIED' WHEN 1 THEN 'WORKSTATION' WHEN 2 THEN 'LAPTOP' WHEN 3 THEN 'IOT' WHEN 4 THEN 'NETWORK_ATTACHED_STORAGE' WHEN 5 THEN 'PRINTER' WHEN 6 THEN 'SCANNER' WHEN 7 THEN 'SERVER' WHEN 8 THEN 'TAPE_LIBRARY' WHEN 9 THEN 'MOBILE' END ;; + group_label: "target" + label: "target.asset.type_enum_name" + view_label: "UDM" + description: "The type of the asset (e.g. workstation or laptop or server)." 
+ } # dimension target__asset__type_enum_name + + dimension: target__asset__vulnerabilities { + hidden: yes + } # dimension target__asset__vulnerabilities + + dimension: target__asset_id { + type: string + sql: ${TABLE}.target.asset_id ;; + group_label: "target" + label: "target.asset_id" + view_label: "UDM" + description: "The asset ID." + } # dimension target__asset_id + + dimension: target__cloud { + hidden: yes + } # dimension target__cloud + + dimension: target__cloud__availability_zone { + type: string + sql: ${TABLE}.target.cloud.availability_zone ;; + group_label: "target" + group_item_label: "target.cloud.availability_zone [D]" + label: "target.cloud.availability_zone" + view_label: "UDM" + description: "The cloud environment availability zone (different from region which is location.name). [D]: This field is deprecated and will be removed in a future release" + } # dimension target__cloud__availability_zone + + dimension: target__cloud__environment { + type: number + sql: ${TABLE}.target.cloud.environment ;; + group_label: "target" + group_item_label: "target.cloud.environment [D]" + label: "target.cloud.environment" + view_label: "UDM" + description: "The Cloud environment. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__cloud__environment + + dimension: target__cloud__environment_enum_name { + type: string + suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] + sql: CASE ${TABLE}.target.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; + group_label: "target" + group_item_label: "target.cloud.environment_enum_name [D]" + label: "target.cloud.environment_enum_name" + view_label: "UDM" + description: "The Cloud environment. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension target__cloud__environment_enum_name + + dimension: target__cloud__project { + hidden: yes + } # dimension target__cloud__project + + dimension: target__cloud__project__attribute { + hidden: yes + } # dimension target__cloud__project__attribute + + dimension: target__cloud__project__attribute__labels { + hidden: yes + } # dimension target__cloud__project__attribute__labels + + dimension: target__cloud__project__id { + type: string + sql: ${TABLE}.target.cloud.project.id ;; + group_label: "target" + group_item_label: "target.cloud.project.id [D]" + label: "target.cloud.project.id" + view_label: "UDM" + description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__cloud__project__id + + dimension: target__cloud__project__name { + type: string + sql: ${TABLE}.target.cloud.project.name ;; + group_label: "target" + group_item_label: "target.cloud.project.name [D]" + label: "target.cloud.project.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension target__cloud__project__name + + dimension: target__cloud__project__product_object_id { + type: string + sql: ${TABLE}.target.cloud.project.product_object_id ;; + group_label: "target" + group_item_label: "target.cloud.project.product_object_id [D]" + label: "target.cloud.project.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" + } # dimension target__cloud__project__product_object_id + + dimension: target__cloud__project__resource_subtype { + type: string + sql: ${TABLE}.target.cloud.project.resource_subtype ;; + group_label: "target" + group_item_label: "target.cloud.project.resource_subtype [D]" + label: "target.cloud.project.resource_subtype" + view_label: "UDM" + description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\"). [D]: This field is deprecated and will be removed in a future release" + } # dimension target__cloud__project__resource_subtype + + dimension: target__cloud__project__type { + type: string + sql: ${TABLE}.target.cloud.project.type ;; + group_label: "target" + group_item_label: "target.cloud.project.type [D]" + label: "target.cloud.project.type" + view_label: "UDM" + description: "Deprecated: use resource_type instead. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__cloud__project__type + + dimension: target__cloud__vpc { + hidden: yes + } # dimension target__cloud__vpc + + dimension: target__cloud__vpc__id { + type: string + sql: ${TABLE}.target.cloud.vpc.id ;; + group_label: "target" + group_item_label: "target.cloud.vpc.id [D]" + label: "target.cloud.vpc.id" + view_label: "UDM" + description: "Deprecated: Use resource.name or resource.product_object_id. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension target__cloud__vpc__id + + dimension: target__cloud__vpc__name { + type: string + sql: ${TABLE}.target.cloud.vpc.name ;; + group_label: "target" + group_item_label: "target.cloud.vpc.name [D]" + label: "target.cloud.vpc.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__cloud__vpc__name + + dimension: target__cloud__vpc__product_object_id { + type: string + sql: ${TABLE}.target.cloud.vpc.product_object_id ;; + group_label: "target" + group_item_label: "target.cloud.vpc.product_object_id [D]" + label: "target.cloud.vpc.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" + } # dimension target__cloud__vpc__product_object_id + + dimension: target__cloud__vpc__resource_subtype { + type: string + sql: ${TABLE}.target.cloud.vpc.resource_subtype ;; + group_label: "target" + group_item_label: "target.cloud.vpc.resource_subtype [D]" + label: "target.cloud.vpc.resource_subtype" + view_label: "UDM" + description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\"). [D]: This field is deprecated and will be removed in a future release" + } # dimension target__cloud__vpc__resource_subtype + + dimension: target__cloud__vpc__resource_type { + type: number + sql: ${TABLE}.target.cloud.vpc.resource_type ;; + group_label: "target" + group_item_label: "target.cloud.vpc.resource_type [D]" + label: "target.cloud.vpc.resource_type" + view_label: "UDM" + description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension target__cloud__vpc__resource_type + + dimension: target__cloud__vpc__resource_type_enum_name { + type: string + suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] + sql: CASE ${TABLE}.target.cloud.vpc.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; + group_label: "target" + group_item_label: "target.cloud.vpc.resource_type_enum_name [D]" + label: "target.cloud.vpc.resource_type_enum_name" + view_label: "UDM" + description: "Resource type. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__cloud__vpc__resource_type_enum_name + + dimension: target__domain { + hidden: yes + } # dimension target__domain + + dimension: target__domain__contact_email { + type: string + sql: ${TABLE}.target.domain.contact_email ;; + group_label: "target" + label: "target.domain.contact_email" + view_label: "UDM" + description: "Contact email address." 
+ } # dimension target__domain__contact_email + + dimension_group: target__domain__creation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.domain.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.domain.creation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.domain.creation_time" + view_label: "UDM" + description: "Domain creation time." + } # dimension target__domain__creation_time + + dimension_group: target__domain__expiration_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.domain.expiration_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.domain.expiration_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.domain.expiration_time" + view_label: "UDM" + description: "Expiration time." + } # dimension target__domain__expiration_time + + dimension_group: target__domain__last_seen_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.domain.last_seen_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.domain.last_seen_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.domain.last_seen_time" + view_label: "UDM" + description: "Last seen timestamp of the domain in the customer's environment." + } # dimension target__domain__last_seen_time + + dimension: target__domain__name { + type: string + sql: ${TABLE}.target.domain.name ;; + group_label: "target" + label: "target.domain.name" + view_label: "UDM" + description: "The domain name." 
+ } # dimension target__domain__name + + dimension: target__domain__name_server { + hidden: yes + } # dimension target__domain__name_server + + dimension: target__domain__prevalence { + hidden: yes + } # dimension target__domain__prevalence + + dimension: target__domain__prevalence__day_count { + type: number + sql: ${TABLE}.target.domain.prevalence.day_count ;; + group_label: "target" + label: "target.domain.prevalence.day_count" + view_label: "UDM" + description: "The number of days over which rolling_max is calculated." + } # dimension target__domain__prevalence__day_count + + dimension: target__domain__prevalence__rolling_max { + type: number + sql: ${TABLE}.target.domain.prevalence.rolling_max ;; + group_label: "target" + label: "target.domain.prevalence.rolling_max" + view_label: "UDM" + description: "The maximum number of assets per day accessing the resource over the trailing day_count days." + } # dimension target__domain__prevalence__rolling_max + + dimension: target__domain__private_registration { + type: yesno + sql: ${TABLE}.target.domain.private_registration ;; + group_label: "target" + label: "target.domain.private_registration" + view_label: "UDM" + description: "Indicates whether the domain appears to be using a private registration service to mask the owner's contact information." + } # dimension target__domain__private_registration + + dimension: target__domain__registrar { + type: string + sql: ${TABLE}.target.domain.registrar ;; + group_label: "target" + label: "target.domain.registrar" + view_label: "UDM" + description: "Registrar name - e.g. \"Wild West Domains, Inc. (R120-LROR)\", \"GoDaddy.com, LLC\", \"PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM\", etc." + } # dimension target__domain__registrar + + dimension: target__domain__status { + type: string + sql: ${TABLE}.target.domain.status ;; + group_label: "target" + label: "target.domain.status" + view_label: "UDM" + description: "Domain status. 
See https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en for meanings of possible values" + } # dimension target__domain__status + + dimension: target__domain__tech { + hidden: yes + } # dimension target__domain__tech + + dimension: target__domain__tech__company_name { + type: string + sql: ${TABLE}.target.domain.tech.company_name ;; + group_label: "target" + label: "target.domain.tech.company_name" + view_label: "UDM" + description: "User job company name." + } # dimension target__domain__tech__company_name + + dimension_group: target__domain__update_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.domain.update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.domain.update_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.domain.update_time" + view_label: "UDM" + description: "Last updated time." + } # dimension target__domain__update_time + + dimension: target__domain__whois_server { + type: string + sql: ${TABLE}.target.domain.whois_server ;; + group_label: "target" + label: "target.domain.whois_server" + view_label: "UDM" + description: "Whois server name." + } # dimension target__domain__whois_server + + dimension: target__email { + type: string + sql: ${TABLE}.target.email ;; + group_label: "target" + label: "target.email" + view_label: "UDM" + description: "Email address. Only filled in for security_result.about" + } # dimension target__email + + dimension: target__file { + hidden: yes + } # dimension target__file + + dimension: target__file__authentihash { + type: string + sql: ${TABLE}.target.file.authentihash ;; + group_label: "target" + label: "target.file.authentihash" + view_label: "UDM" + description: "Authentihash of the file." 
+ } # dimension target__file__authentihash + + dimension: target__file__capabilities_tags { + hidden: yes + } # dimension target__file__capabilities_tags + + dimension: target__file__embedded_domains { + hidden: yes + } # dimension target__file__embedded_domains + + dimension: target__file__embedded_ips { + hidden: yes + } # dimension target__file__embedded_ips + + dimension: target__file__embedded_urls { + hidden: yes + } # dimension target__file__embedded_urls + + dimension: target__file__exif_info { + hidden: yes + } # dimension target__file__exif_info + + dimension: target__file__exif_info__company { + type: string + sql: ${TABLE}.target.file.exif_info.company ;; + group_label: "target" + label: "target.file.exif_info.company" + view_label: "UDM" + description: "company name." + } # dimension target__file__exif_info__company + + dimension_group: target__file__exif_info__compilation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.file.exif_info.compilation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.file.exif_info.compilation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.file.exif_info.compilation_time" + view_label: "UDM" + description: "Compilation time." + } # dimension target__file__exif_info__compilation_time + + dimension: target__file__exif_info__entry_point { + type: number + sql: ${TABLE}.target.file.exif_info.entry_point ;; + group_label: "target" + label: "target.file.exif_info.entry_point" + view_label: "UDM" + description: "entry point." + } # dimension target__file__exif_info__entry_point + + dimension: target__file__exif_info__file_description { + type: string + sql: ${TABLE}.target.file.exif_info.file_description ;; + group_label: "target" + label: "target.file.exif_info.file_description" + view_label: "UDM" + description: "description of a file." 
+ } # dimension target__file__exif_info__file_description + + dimension: target__file__exif_info__original_file { + type: string + sql: ${TABLE}.target.file.exif_info.original_file ;; + group_label: "target" + label: "target.file.exif_info.original_file" + view_label: "UDM" + description: "original file name." + } # dimension target__file__exif_info__original_file + + dimension: target__file__exif_info__product { + type: string + sql: ${TABLE}.target.file.exif_info.product ;; + group_label: "target" + label: "target.file.exif_info.product" + view_label: "UDM" + description: "product name." + } # dimension target__file__exif_info__product + + dimension: target__file__file_metadata { + hidden: yes + } # dimension target__file__file_metadata + + dimension: target__file__file_metadata__pe { + hidden: yes + } # dimension target__file__file_metadata__pe + + dimension: target__file__file_metadata__pe__import_hash { + type: string + sql: ${TABLE}.target.file.file_metadata.pe.import_hash ;; + group_label: "target" + group_item_label: "target.file.file_metadata.pe.import_hash [D]" + label: "target.file.file_metadata.pe.import_hash" + view_label: "UDM" + description: "Hash of PE imports. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__file__file_metadata__pe__import_hash + + dimension: target__file__file_type { + type: number + sql: ${TABLE}.target.file.file_type ;; + group_label: "target" + label: "target.file.file_type" + view_label: "UDM" + description: "FileType field." 
+ } # dimension target__file__file_type + + dimension: target__file__file_type_enum_name { + type: string + suggestions: ["FILE_TYPE_ACE", "FILE_TYPE_ANDROID", "FILE_TYPE_APPLE", "FILE_TYPE_APPLEDOUBLE", "FILE_TYPE_APPLESCRIPT", "FILE_TYPE_APPLESCRIPT_COMPILED", "FILE_TYPE_APPLESINGLE", "FILE_TYPE_APPLE_PLIST", "FILE_TYPE_ARC", "FILE_TYPE_ARJ", "FILE_TYPE_ASD", "FILE_TYPE_ASF", "FILE_TYPE_AVI", "FILE_TYPE_AWK", "FILE_TYPE_BLACKHOLE", "FILE_TYPE_BMP", "FILE_TYPE_BZIP", "FILE_TYPE_C", "FILE_TYPE_CAB", "FILE_TYPE_CAP", "FILE_TYPE_CHM", "FILE_TYPE_COFF", "FILE_TYPE_COOKIE", "FILE_TYPE_CPP", "FILE_TYPE_CRX", "FILE_TYPE_DEB", "FILE_TYPE_DIB", "FILE_TYPE_DIVX", "FILE_TYPE_DMG", "FILE_TYPE_DOC", "FILE_TYPE_DOCX", "FILE_TYPE_DOS_COM", "FILE_TYPE_DOS_EXE", "FILE_TYPE_DYALOG", "FILE_TYPE_DZIP", "FILE_TYPE_EBOOK", "FILE_TYPE_ELF", "FILE_TYPE_EMAIL_TYPE", "FILE_TYPE_EMF", "FILE_TYPE_EOT", "FILE_TYPE_EPS", "FILE_TYPE_FLA", "FILE_TYPE_FLAC", "FILE_TYPE_FLC", "FILE_TYPE_FLI", "FILE_TYPE_FLV", "FILE_TYPE_FORTRAN", "FILE_TYPE_FPX", "FILE_TYPE_GIF", "FILE_TYPE_GIMP", "FILE_TYPE_GUL", "FILE_TYPE_GZIP", "FILE_TYPE_HTML", "FILE_TYPE_HWP", "FILE_TYPE_ICO", "FILE_TYPE_IN_DESIGN", "FILE_TYPE_IPHONE", "FILE_TYPE_ISOIMAGE", "FILE_TYPE_JAR", "FILE_TYPE_JAVA", "FILE_TYPE_JAVASCRIPT", "FILE_TYPE_JAVA_BYTECODE", "FILE_TYPE_JNG", "FILE_TYPE_JPEG", "FILE_TYPE_KGB", "FILE_TYPE_LATEX", "FILE_TYPE_LINUX", "FILE_TYPE_LINUX_KERNEL", "FILE_TYPE_LNK", "FILE_TYPE_MACH_O", "FILE_TYPE_MACINTOSH", "FILE_TYPE_MACINTOSH_HFS", "FILE_TYPE_MACINTOSH_LIB", "FILE_TYPE_MIDI", "FILE_TYPE_MOV", "FILE_TYPE_MP3", "FILE_TYPE_MP4", "FILE_TYPE_MPEG", "FILE_TYPE_MSCOMPRESS", "FILE_TYPE_MSI", "FILE_TYPE_NE_DLL", "FILE_TYPE_NE_EXE", "FILE_TYPE_ODF", "FILE_TYPE_ODG", "FILE_TYPE_ODP", "FILE_TYPE_ODS", "FILE_TYPE_ODT", "FILE_TYPE_OGG", "FILE_TYPE_OUTLOOK", "FILE_TYPE_PALMOS", "FILE_TYPE_PASCAL", "FILE_TYPE_PDF", "FILE_TYPE_PERL", "FILE_TYPE_PE_DLL", "FILE_TYPE_PE_EXE", "FILE_TYPE_PHP", "FILE_TYPE_PKG", "FILE_TYPE_PNG", 
"FILE_TYPE_POWERSHELL", "FILE_TYPE_PPSX", "FILE_TYPE_PPT", "FILE_TYPE_PPTX", "FILE_TYPE_PS", "FILE_TYPE_PSD", "FILE_TYPE_PYTHON", "FILE_TYPE_QUICKTIME", "FILE_TYPE_RAR", "FILE_TYPE_RM", "FILE_TYPE_ROM", "FILE_TYPE_RPM", "FILE_TYPE_RTF", "FILE_TYPE_RUBY", "FILE_TYPE_RZIP", "FILE_TYPE_SCRIPT", "FILE_TYPE_SEVENZIP", "FILE_TYPE_SHELLSCRIPT", "FILE_TYPE_SVG", "FILE_TYPE_SWF", "FILE_TYPE_SYMBIAN", "FILE_TYPE_T3GP", "FILE_TYPE_TAR", "FILE_TYPE_TARGA", "FILE_TYPE_TEXT", "FILE_TYPE_TIFF", "FILE_TYPE_TORRENT", "FILE_TYPE_TTF", "FILE_TYPE_UNSPECIFIED", "FILE_TYPE_VBA", "FILE_TYPE_WAV", "FILE_TYPE_WEBP", "FILE_TYPE_WINCE", "FILE_TYPE_WMA", "FILE_TYPE_WMV", "FILE_TYPE_WOFF", "FILE_TYPE_XLS", "FILE_TYPE_XLSX", "FILE_TYPE_XML", "FILE_TYPE_XPI", "FILE_TYPE_XWD", "FILE_TYPE_ZIP", "FILE_TYPE_ZLIB"] + sql: CASE ${TABLE}.target.file.file_type WHEN 0 THEN 'FILE_TYPE_UNSPECIFIED' WHEN 1 THEN 'FILE_TYPE_PE_EXE' WHEN 2 THEN 'FILE_TYPE_PE_DLL' WHEN 3 THEN 'FILE_TYPE_MSI' WHEN 10 THEN 'FILE_TYPE_NE_EXE' WHEN 11 THEN 'FILE_TYPE_NE_DLL' WHEN 20 THEN 'FILE_TYPE_DOS_EXE' WHEN 21 THEN 'FILE_TYPE_DOS_COM' WHEN 30 THEN 'FILE_TYPE_COFF' WHEN 31 THEN 'FILE_TYPE_ELF' WHEN 32 THEN 'FILE_TYPE_LINUX_KERNEL' WHEN 33 THEN 'FILE_TYPE_RPM' WHEN 34 THEN 'FILE_TYPE_LINUX' WHEN 35 THEN 'FILE_TYPE_MACH_O' WHEN 36 THEN 'FILE_TYPE_JAVA_BYTECODE' WHEN 37 THEN 'FILE_TYPE_DMG' WHEN 38 THEN 'FILE_TYPE_DEB' WHEN 39 THEN 'FILE_TYPE_PKG' WHEN 50 THEN 'FILE_TYPE_LNK' WHEN 100 THEN 'FILE_TYPE_JPEG' WHEN 101 THEN 'FILE_TYPE_TIFF' WHEN 102 THEN 'FILE_TYPE_GIF' WHEN 103 THEN 'FILE_TYPE_PNG' WHEN 104 THEN 'FILE_TYPE_BMP' WHEN 105 THEN 'FILE_TYPE_GIMP' WHEN 106 THEN 'FILE_TYPE_IN_DESIGN' WHEN 107 THEN 'FILE_TYPE_PSD' WHEN 108 THEN 'FILE_TYPE_TARGA' WHEN 109 THEN 'FILE_TYPE_XWD' WHEN 110 THEN 'FILE_TYPE_DIB' WHEN 111 THEN 'FILE_TYPE_JNG' WHEN 112 THEN 'FILE_TYPE_ICO' WHEN 113 THEN 'FILE_TYPE_FPX' WHEN 114 THEN 'FILE_TYPE_EPS' WHEN 115 THEN 'FILE_TYPE_SVG' WHEN 116 THEN 'FILE_TYPE_EMF' WHEN 117 THEN 'FILE_TYPE_WEBP' WHEN 150 
THEN 'FILE_TYPE_OGG' WHEN 151 THEN 'FILE_TYPE_FLC' WHEN 152 THEN 'FILE_TYPE_FLI' WHEN 153 THEN 'FILE_TYPE_MP3' WHEN 154 THEN 'FILE_TYPE_FLAC' WHEN 155 THEN 'FILE_TYPE_WAV' WHEN 156 THEN 'FILE_TYPE_MIDI' WHEN 157 THEN 'FILE_TYPE_AVI' WHEN 158 THEN 'FILE_TYPE_MPEG' WHEN 159 THEN 'FILE_TYPE_QUICKTIME' WHEN 160 THEN 'FILE_TYPE_ASF' WHEN 161 THEN 'FILE_TYPE_DIVX' WHEN 162 THEN 'FILE_TYPE_FLV' WHEN 163 THEN 'FILE_TYPE_WMA' WHEN 164 THEN 'FILE_TYPE_WMV' WHEN 165 THEN 'FILE_TYPE_RM' WHEN 166 THEN 'FILE_TYPE_MOV' WHEN 167 THEN 'FILE_TYPE_MP4' WHEN 168 THEN 'FILE_TYPE_T3GP' WHEN 200 THEN 'FILE_TYPE_PDF' WHEN 201 THEN 'FILE_TYPE_PS' WHEN 202 THEN 'FILE_TYPE_DOC' WHEN 203 THEN 'FILE_TYPE_DOCX' WHEN 204 THEN 'FILE_TYPE_PPT' WHEN 205 THEN 'FILE_TYPE_PPTX' WHEN 209 THEN 'FILE_TYPE_PPSX' WHEN 206 THEN 'FILE_TYPE_XLS' WHEN 207 THEN 'FILE_TYPE_XLSX' WHEN 208 THEN 'FILE_TYPE_RTF' WHEN 250 THEN 'FILE_TYPE_ODP' WHEN 251 THEN 'FILE_TYPE_ODS' WHEN 252 THEN 'FILE_TYPE_ODT' WHEN 253 THEN 'FILE_TYPE_HWP' WHEN 254 THEN 'FILE_TYPE_GUL' WHEN 255 THEN 'FILE_TYPE_ODF' WHEN 256 THEN 'FILE_TYPE_ODG' WHEN 260 THEN 'FILE_TYPE_EBOOK' WHEN 261 THEN 'FILE_TYPE_LATEX' WHEN 262 THEN 'FILE_TYPE_TTF' WHEN 263 THEN 'FILE_TYPE_EOT' WHEN 264 THEN 'FILE_TYPE_WOFF' WHEN 265 THEN 'FILE_TYPE_CHM' WHEN 300 THEN 'FILE_TYPE_ZIP' WHEN 301 THEN 'FILE_TYPE_GZIP' WHEN 302 THEN 'FILE_TYPE_BZIP' WHEN 303 THEN 'FILE_TYPE_RZIP' WHEN 304 THEN 'FILE_TYPE_DZIP' WHEN 305 THEN 'FILE_TYPE_SEVENZIP' WHEN 306 THEN 'FILE_TYPE_CAB' WHEN 307 THEN 'FILE_TYPE_JAR' WHEN 308 THEN 'FILE_TYPE_RAR' WHEN 309 THEN 'FILE_TYPE_MSCOMPRESS' WHEN 310 THEN 'FILE_TYPE_ACE' WHEN 311 THEN 'FILE_TYPE_ARC' WHEN 312 THEN 'FILE_TYPE_ARJ' WHEN 313 THEN 'FILE_TYPE_ASD' WHEN 314 THEN 'FILE_TYPE_BLACKHOLE' WHEN 315 THEN 'FILE_TYPE_KGB' WHEN 316 THEN 'FILE_TYPE_ZLIB' WHEN 317 THEN 'FILE_TYPE_TAR' WHEN 400 THEN 'FILE_TYPE_TEXT' WHEN 401 THEN 'FILE_TYPE_SCRIPT' WHEN 402 THEN 'FILE_TYPE_PHP' WHEN 403 THEN 'FILE_TYPE_PYTHON' WHEN 404 THEN 'FILE_TYPE_PERL' WHEN 405 
THEN 'FILE_TYPE_RUBY' WHEN 406 THEN 'FILE_TYPE_C' WHEN 407 THEN 'FILE_TYPE_CPP' WHEN 408 THEN 'FILE_TYPE_JAVA' WHEN 409 THEN 'FILE_TYPE_SHELLSCRIPT' WHEN 410 THEN 'FILE_TYPE_PASCAL' WHEN 411 THEN 'FILE_TYPE_AWK' WHEN 412 THEN 'FILE_TYPE_DYALOG' WHEN 413 THEN 'FILE_TYPE_FORTRAN' WHEN 414 THEN 'FILE_TYPE_JAVASCRIPT' WHEN 415 THEN 'FILE_TYPE_POWERSHELL' WHEN 416 THEN 'FILE_TYPE_VBA' WHEN 500 THEN 'FILE_TYPE_SYMBIAN' WHEN 501 THEN 'FILE_TYPE_PALMOS' WHEN 502 THEN 'FILE_TYPE_WINCE' WHEN 503 THEN 'FILE_TYPE_ANDROID' WHEN 504 THEN 'FILE_TYPE_IPHONE' WHEN 600 THEN 'FILE_TYPE_HTML' WHEN 601 THEN 'FILE_TYPE_XML' WHEN 602 THEN 'FILE_TYPE_SWF' WHEN 603 THEN 'FILE_TYPE_FLA' WHEN 604 THEN 'FILE_TYPE_COOKIE' WHEN 605 THEN 'FILE_TYPE_TORRENT' WHEN 606 THEN 'FILE_TYPE_EMAIL_TYPE' WHEN 607 THEN 'FILE_TYPE_OUTLOOK' WHEN 700 THEN 'FILE_TYPE_CAP' WHEN 800 THEN 'FILE_TYPE_ISOIMAGE' WHEN 1000 THEN 'FILE_TYPE_APPLE' WHEN 1001 THEN 'FILE_TYPE_MACINTOSH' WHEN 1002 THEN 'FILE_TYPE_APPLESINGLE' WHEN 1003 THEN 'FILE_TYPE_APPLEDOUBLE' WHEN 1004 THEN 'FILE_TYPE_MACINTOSH_HFS' WHEN 1005 THEN 'FILE_TYPE_APPLE_PLIST' WHEN 1006 THEN 'FILE_TYPE_MACINTOSH_LIB' WHEN 1007 THEN 'FILE_TYPE_APPLESCRIPT' WHEN 1008 THEN 'FILE_TYPE_APPLESCRIPT_COMPILED' WHEN 1100 THEN 'FILE_TYPE_CRX' WHEN 1101 THEN 'FILE_TYPE_XPI' WHEN 1200 THEN 'FILE_TYPE_ROM' END ;; + group_label: "target" + label: "target.file.file_type_enum_name" + view_label: "UDM" + description: "FileType field." + } # dimension target__file__file_type_enum_name + + dimension_group: target__file__first_seen_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.file.first_seen_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.file.first_seen_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.file.first_seen_time" + view_label: "UDM" + description: "Timestamp the file was first seen in the customer's environment." 
+ } # dimension target__file__first_seen_time + + dimension: target__file__full_path { + type: string + sql: ${TABLE}.target.file.full_path ;; + group_label: "target" + label: "target.file.full_path" + view_label: "UDM" + description: "The full path identifying the location of the file on the system." + } # dimension target__file__full_path + + dimension_group: target__file__last_analysis_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.file.last_analysis_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.file.last_analysis_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.file.last_analysis_time" + view_label: "UDM" + description: "Timestamp the file was last analysed." + } # dimension target__file__last_analysis_time + + dimension_group: target__file__last_modification_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.file.last_modification_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.file.last_modification_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.file.last_modification_time" + view_label: "UDM" + description: "Timestamp when the file was last updated." + } # dimension target__file__last_modification_time + + dimension_group: target__file__last_seen_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.file.last_seen_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.file.last_seen_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.file.last_seen_time" + view_label: "UDM" + description: "Timestamp the file was last seen in the customer's environment." 
+ } # dimension target__file__last_seen_time + + dimension: target__file__md5 { + type: string + sql: ${TABLE}.target.file.md5 ;; + group_label: "target" + label: "target.file.md5" + view_label: "UDM" + description: "The MD5 hash of the file." + } # dimension target__file__md5 + + dimension: target__file__mime_type { + type: string + sql: ${TABLE}.target.file.mime_type ;; + group_label: "target" + label: "target.file.mime_type" + view_label: "UDM" + description: "The MIME (Multipurpose Internet Mail Extensions) type of the file, for example \"PE\", \"PDF\", \"powershell script\", etc." + } # dimension target__file__mime_type + + dimension: target__file__names { + hidden: yes + } # dimension target__file__names + + dimension: target__file__pe_file { + hidden: yes + } # dimension target__file__pe_file + + dimension_group: target__file__pe_file__compilation_exiftool_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.file.pe_file.compilation_exiftool_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.file.pe_file.compilation_exiftool_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.file.pe_file.compilation_exiftool_time" + view_label: "UDM" + description: "info.exiftool.TimeStamp." + } # dimension target__file__pe_file__compilation_exiftool_time + + dimension_group: target__file__pe_file__compilation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.file.pe_file.compilation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.file.pe_file.compilation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.file.pe_file.compilation_time" + view_label: "UDM" + description: "info.pe-timestamp." 
+ } # dimension target__file__pe_file__compilation_time + + dimension: target__file__pe_file__entry_point { + type: number + sql: ${TABLE}.target.file.pe_file.entry_point ;; + group_label: "target" + label: "target.file.pe_file.entry_point" + view_label: "UDM" + description: "info.pe-entry-point." + } # dimension target__file__pe_file__entry_point + + dimension: target__file__pe_file__entry_point_exiftool { + type: number + sql: ${TABLE}.target.file.pe_file.entry_point_exiftool ;; + group_label: "target" + label: "target.file.pe_file.entry_point_exiftool" + view_label: "UDM" + description: "info.exiftool.EntryPoint." + } # dimension target__file__pe_file__entry_point_exiftool + + dimension: target__file__pe_file__imphash { + type: string + sql: ${TABLE}.target.file.pe_file.imphash ;; + group_label: "target" + label: "target.file.pe_file.imphash" + view_label: "UDM" + description: "Imphash of the file." + } # dimension target__file__pe_file__imphash + + dimension: target__file__pe_file__imports { + hidden: yes + } # dimension target__file__pe_file__imports + + dimension: target__file__pe_file__resource { + hidden: yes + } # dimension target__file__pe_file__resource + + dimension: target__file__pe_file__resources_language_count_str { + hidden: yes + } # dimension target__file__pe_file__resources_language_count_str + + dimension: target__file__pe_file__resources_type_count_str { + hidden: yes + } # dimension target__file__pe_file__resources_type_count_str + + dimension: target__file__pe_file__section { + hidden: yes + } # dimension target__file__pe_file__section + + dimension: target__file__sha1 { + type: string + sql: ${TABLE}.target.file.sha1 ;; + group_label: "target" + label: "target.file.sha1" + view_label: "UDM" + description: "The SHA1 hash of the file." 
+ } # dimension target__file__sha1 + + dimension: target__file__sha256 { + type: string + sql: ${TABLE}.target.file.sha256 ;; + group_label: "target" + label: "target.file.sha256" + view_label: "UDM" + description: "The SHA256 hash of the file." + } # dimension target__file__sha256 + + dimension: target__file__signature_info { + hidden: yes + } # dimension target__file__signature_info + + dimension: target__file__signature_info__codesign { + hidden: yes + } # dimension target__file__signature_info__codesign + + dimension_group: target__file__signature_info__codesign__compilation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.file.signature_info.codesign.compilation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.file.signature_info.codesign.compilation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.file.signature_info.codesign.compilation_time" + view_label: "UDM" + description: "Code sign timestamp" + } # dimension target__file__signature_info__codesign__compilation_time + + dimension: target__file__signature_info__codesign__format { + type: string + sql: ${TABLE}.target.file.signature_info.codesign.format ;; + group_label: "target" + label: "target.file.signature_info.codesign.format" + view_label: "UDM" + description: "Code sign format." + } # dimension target__file__signature_info__codesign__format + + dimension: target__file__signature_info__codesign__id { + type: string + sql: ${TABLE}.target.file.signature_info.codesign.id ;; + group_label: "target" + label: "target.file.signature_info.codesign.id" + view_label: "UDM" + description: "Code sign identifier." 
+ } # dimension target__file__signature_info__codesign__id + + dimension: target__file__signature_info__sigcheck { + hidden: yes + } # dimension target__file__signature_info__sigcheck + + dimension: target__file__signature_info__sigcheck__signers { + hidden: yes + } # dimension target__file__signature_info__sigcheck__signers + + dimension: target__file__signature_info__sigcheck__verification_message { + type: string + sql: ${TABLE}.target.file.signature_info.sigcheck.verification_message ;; + group_label: "target" + label: "target.file.signature_info.sigcheck.verification_message" + view_label: "UDM" + description: "Status of the certificate. Valid values are \"Signed\", \"Unsigned\" or a description of the certificate anomaly, if found." + } # dimension target__file__signature_info__sigcheck__verification_message + + dimension: target__file__signature_info__sigcheck__verified { + type: yesno + sql: ${TABLE}.target.file.signature_info.sigcheck.verified ;; + group_label: "target" + label: "target.file.signature_info.sigcheck.verified" + view_label: "UDM" + description: "True iff verification_message == \"Signed\"" + } # dimension target__file__signature_info__sigcheck__verified + + dimension: target__file__signature_info__sigcheck__x509 { + hidden: yes + } # dimension target__file__signature_info__sigcheck__x509 + + dimension: target__file__size { + type: number + sql: ${TABLE}.target.file.size ;; + group_label: "target" + label: "target.file.size" + view_label: "UDM" + description: "The size of the file in bytes." 
+ } # dimension target__file__size + + dimension: target__file__ssdeep { + type: string + sql: ${TABLE}.target.file.ssdeep ;; + group_label: "target" + label: "target.file.ssdeep" + view_label: "UDM" + description: "Ssdeep of the file" + } # dimension target__file__ssdeep + + dimension: target__file__tags { + hidden: yes + } # dimension target__file__tags + + dimension: target__file__vhash { + type: string + sql: ${TABLE}.target.file.vhash ;; + group_label: "target" + label: "target.file.vhash" + view_label: "UDM" + description: "Vhash of the file." + } # dimension target__file__vhash + + dimension: target__group { + hidden: yes + } # dimension target__group + + dimension: target__group__attribute { + hidden: yes + } # dimension target__group__attribute + + dimension: target__group__attribute__labels { + hidden: yes + } # dimension target__group__attribute__labels + + dimension: target__group__attribute__permissions { + hidden: yes + } # dimension target__group__attribute__permissions + + dimension: target__group__attribute__roles { + hidden: yes + } # dimension target__group__attribute__roles + + dimension_group: target__group__creation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.group.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.group.creation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + group_item_label: "target.group.creation_time [D]" + label: "target.group.creation_time" + view_label: "UDM" + description: "Group creation time. Deprecated: creation_time should be populated in Attribute as generic metadata. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension target__group__creation_time + + dimension: target__group__email_addresses { + hidden: yes + } # dimension target__group__email_addresses + + dimension: target__group__group_display_name { + type: string + sql: ${TABLE}.target.group.group_display_name ;; + group_label: "target" + label: "target.group.group_display_name" + view_label: "UDM" + description: "Group display name. e.g. \"Finance\"." + } # dimension target__group__group_display_name + + dimension: target__group__product_object_id { + type: string + sql: ${TABLE}.target.group.product_object_id ;; + group_label: "target" + label: "target.group.product_object_id" + view_label: "UDM" + description: "Product globally unique user object identifier, such as an LDAP Object Identifier." + } # dimension target__group__product_object_id + + dimension: target__group__windows_sid { + type: string + sql: ${TABLE}.target.group.windows_sid ;; + group_label: "target" + label: "target.group.windows_sid" + view_label: "UDM" + description: "Microsoft Windows SID of the group." + } # dimension target__group__windows_sid + + dimension: target__hostname { + type: string + sql: ${TABLE}.target.hostname ;; + group_label: "target" + label: "target.hostname" + view_label: "UDM" + description: "Client hostname or domain name field. Hostname also doubles as the domain for remote entities." + } # dimension target__hostname + + dimension: target__investigation { + hidden: yes + } # dimension target__investigation + + dimension: target__investigation__comments { + hidden: yes + } # dimension target__investigation__comments + + dimension: target__investigation__severity_score { + type: number + sql: ${TABLE}.target.investigation.severity_score ;; + group_label: "target" + label: "target.investigation.severity_score" + view_label: "UDM" + description: "Severity score for a finding set by an analyst." 
+ } # dimension target__investigation__severity_score + + dimension: target__ip { + hidden: yes + } # dimension target__ip + + dimension: target__ip_geo_artifact { + hidden: yes + } # dimension target__ip_geo_artifact + + dimension: target__ip_location { + hidden: yes + } # dimension target__ip_location + + dimension: target__labels { + hidden: yes + } # dimension target__labels + + dimension: target__location { + hidden: yes + } # dimension target__location + + dimension: target__location__city { + type: string + sql: ${TABLE}.target.location.city ;; + group_label: "target" + label: "target.location.city" + view_label: "UDM" + description: "The city." + } # dimension target__location__city + + dimension: target__location__country_or_region { + type: string + sql: ${TABLE}.target.location.country_or_region ;; + group_label: "target" + label: "target.location.country_or_region" + view_label: "UDM" + description: "The country or region." + } # dimension target__location__country_or_region + + dimension: target__location__name { + type: string + sql: ${TABLE}.target.location.name ;; + group_label: "target" + label: "target.location.name" + view_label: "UDM" + description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." + } # dimension target__location__name + + dimension: target__location__region_coordinates { + type: location + sql_latitude: ${TABLE}.target.location.region_coordinates.latitude ;; + sql_longitude: ${TABLE}.target.location.region_coordinates.longitude ;; + group_label: "target" + group_item_label: "target.location.region_coordinates [L]" + label: "target.location.region_coordinates" + view_label: "UDM" + description: "Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. [L]: This is a location field and can be used in maps." 
+ } # dimension target__location__region_coordinates + + dimension: target__location__region_latitude { + type: number + sql: ${TABLE}.target.location.region_latitude ;; + group_label: "target" + group_item_label: "target.location.region_latitude [D]" + label: "target.location.region_latitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__location__region_latitude + + dimension: target__location__region_longitude { + type: number + sql: ${TABLE}.target.location.region_longitude ;; + group_label: "target" + group_item_label: "target.location.region_longitude [D]" + label: "target.location.region_longitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__location__region_longitude + + dimension: target__location__location { + type: location + sql_latitude: ${TABLE}.target.location.region_latitude ;; + sql_longitude: ${TABLE}.target.location.region_longitude ;; + group_label: "target" + group_item_label: "target.location.location [D][L]" + label: "target.location.location" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." + } # dimension target__location__location + + dimension: target__location__state { + type: string + sql: ${TABLE}.target.location.state ;; + group_label: "target" + label: "target.location.state" + view_label: "UDM" + description: "The state." + } # dimension target__location__state + + dimension: target__mac { + hidden: yes + } # dimension target__mac + + dimension: target__namespace { + type: string + sql: ${TABLE}.target.namespace ;; + group_label: "target" + label: "target.namespace" + view_label: "UDM" + description: "Namespace which the device belongs to (e.g. 
AD forest) Uses for this field include Microsoft Windows AD forest, name of subsidiary or acquisition, etc." + } # dimension target__namespace + + dimension: target__nat_ip { + hidden: yes + } # dimension target__nat_ip + + dimension: target__nat_port { + type: number + value_format: "#" + sql: ${TABLE}.target.nat_port ;; + group_label: "target" + label: "target.nat_port" + view_label: "UDM" + description: "NAT external network port number when a specific network connection is described within an event." + } # dimension target__nat_port + + dimension: target__network { + hidden: yes + } # dimension target__network + + dimension: target__network__http { + hidden: yes + } # dimension target__network__http + + dimension: target__network__http__method { + type: string + sql: ${TABLE}.target.network.http.method ;; + group_label: "target" + label: "target.network.http.method" + view_label: "UDM" + description: "The HTTP request method (e.g. \"GET\", \"POST\", \"PATCH\", \"DELETE\")." + } # dimension target__network__http__method + + dimension: target__network__http__referral_url { + type: string + sql: ${TABLE}.target.network.http.referral_url ;; + group_label: "target" + label: "target.network.http.referral_url" + view_label: "UDM" + description: "The URL for the HTTP referer." + } # dimension target__network__http__referral_url + + dimension: target__platform { + type: number + sql: ${TABLE}.target.platform ;; + group_label: "target" + label: "target.platform" + view_label: "UDM" + description: "Platform." 
+ } # dimension target__platform + + dimension: target__platform_enum_name { + type: string + suggestions: ["ANDROID", "AWS", "AZURE", "CHROME_OS", "GCP", "IOS", "LINUX", "MAC", "UNKNOWN_PLATFORM", "WINDOWS"] + sql: CASE ${TABLE}.target.platform WHEN 0 THEN 'UNKNOWN_PLATFORM' WHEN 1 THEN 'WINDOWS' WHEN 2 THEN 'MAC' WHEN 3 THEN 'LINUX' WHEN 4 THEN 'GCP' WHEN 5 THEN 'AWS' WHEN 6 THEN 'AZURE' WHEN 7 THEN 'IOS' WHEN 8 THEN 'ANDROID' WHEN 9 THEN 'CHROME_OS' END ;; + group_label: "target" + label: "target.platform_enum_name" + view_label: "UDM" + description: "Platform." + } # dimension target__platform_enum_name + + dimension: target__platform_patch_level { + type: string + sql: ${TABLE}.target.platform_patch_level ;; + group_label: "target" + label: "target.platform_patch_level" + view_label: "UDM" + description: "Platform patch level. For example, \"Build 17134.48\"" + } # dimension target__platform_patch_level + + dimension: target__platform_version { + type: string + sql: ${TABLE}.target.platform_version ;; + group_label: "target" + label: "target.platform_version" + view_label: "UDM" + description: "Platform version. For example, \"Microsoft Windows 1803\"." + } # dimension target__platform_version + + dimension: target__port { + type: number + value_format: "#" + sql: ${TABLE}.target.port ;; + group_label: "target" + label: "target.port" + view_label: "UDM" + description: "Source or destination network port number when a specific network connection is described within an event." + } # dimension target__port + + dimension: target__process { + hidden: yes + } # dimension target__process + + dimension: target__process__access_mask { + type: number + sql: ${TABLE}.target.process.access_mask ;; + group_label: "target" + label: "target.process.access_mask" + view_label: "UDM" + description: "A bit mask representing the level of access." 
+ } # dimension target__process__access_mask + + dimension: target__process__command_line { + type: string + sql: ${TABLE}.target.process.command_line ;; + group_label: "target" + label: "target.process.command_line" + view_label: "UDM" + description: "The command line command that created the process." + } # dimension target__process__command_line + + dimension: target__process__command_line_history { + hidden: yes + } # dimension target__process__command_line_history + + dimension: target__process__file { + hidden: yes + } # dimension target__process__file + + dimension: target__process__file__capabilities_tags { + hidden: yes + } # dimension target__process__file__capabilities_tags + + dimension: target__process__file__file_metadata { + hidden: yes + } # dimension target__process__file__file_metadata + + dimension: target__process__file__file_metadata__pe { + hidden: yes + } # dimension target__process__file__file_metadata__pe + + dimension: target__process__file__file_metadata__pe__import_hash { + type: string + sql: ${TABLE}.target.process.file.file_metadata.pe.import_hash ;; + group_label: "target" + group_item_label: "target.process.file.file_metadata.pe.import_hash [D]" + label: "target.process.file.file_metadata.pe.import_hash" + view_label: "UDM" + description: "Hash of PE imports. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__process__file__file_metadata__pe__import_hash + + dimension: target__process__file__file_type { + type: number + sql: ${TABLE}.target.process.file.file_type ;; + group_label: "target" + label: "target.process.file.file_type" + view_label: "UDM" + description: "FileType field." 
+ } # dimension target__process__file__file_type + + dimension: target__process__file__file_type_enum_name { + type: string + suggestions: ["FILE_TYPE_ACE", "FILE_TYPE_ANDROID", "FILE_TYPE_APPLE", "FILE_TYPE_APPLEDOUBLE", "FILE_TYPE_APPLESCRIPT", "FILE_TYPE_APPLESCRIPT_COMPILED", "FILE_TYPE_APPLESINGLE", "FILE_TYPE_APPLE_PLIST", "FILE_TYPE_ARC", "FILE_TYPE_ARJ", "FILE_TYPE_ASD", "FILE_TYPE_ASF", "FILE_TYPE_AVI", "FILE_TYPE_AWK", "FILE_TYPE_BLACKHOLE", "FILE_TYPE_BMP", "FILE_TYPE_BZIP", "FILE_TYPE_C", "FILE_TYPE_CAB", "FILE_TYPE_CAP", "FILE_TYPE_CHM", "FILE_TYPE_COFF", "FILE_TYPE_COOKIE", "FILE_TYPE_CPP", "FILE_TYPE_CRX", "FILE_TYPE_DEB", "FILE_TYPE_DIB", "FILE_TYPE_DIVX", "FILE_TYPE_DMG", "FILE_TYPE_DOC", "FILE_TYPE_DOCX", "FILE_TYPE_DOS_COM", "FILE_TYPE_DOS_EXE", "FILE_TYPE_DYALOG", "FILE_TYPE_DZIP", "FILE_TYPE_EBOOK", "FILE_TYPE_ELF", "FILE_TYPE_EMAIL_TYPE", "FILE_TYPE_EMF", "FILE_TYPE_EOT", "FILE_TYPE_EPS", "FILE_TYPE_FLA", "FILE_TYPE_FLAC", "FILE_TYPE_FLC", "FILE_TYPE_FLI", "FILE_TYPE_FLV", "FILE_TYPE_FORTRAN", "FILE_TYPE_FPX", "FILE_TYPE_GIF", "FILE_TYPE_GIMP", "FILE_TYPE_GUL", "FILE_TYPE_GZIP", "FILE_TYPE_HTML", "FILE_TYPE_HWP", "FILE_TYPE_ICO", "FILE_TYPE_IN_DESIGN", "FILE_TYPE_IPHONE", "FILE_TYPE_ISOIMAGE", "FILE_TYPE_JAR", "FILE_TYPE_JAVA", "FILE_TYPE_JAVASCRIPT", "FILE_TYPE_JAVA_BYTECODE", "FILE_TYPE_JNG", "FILE_TYPE_JPEG", "FILE_TYPE_KGB", "FILE_TYPE_LATEX", "FILE_TYPE_LINUX", "FILE_TYPE_LINUX_KERNEL", "FILE_TYPE_LNK", "FILE_TYPE_MACH_O", "FILE_TYPE_MACINTOSH", "FILE_TYPE_MACINTOSH_HFS", "FILE_TYPE_MACINTOSH_LIB", "FILE_TYPE_MIDI", "FILE_TYPE_MOV", "FILE_TYPE_MP3", "FILE_TYPE_MP4", "FILE_TYPE_MPEG", "FILE_TYPE_MSCOMPRESS", "FILE_TYPE_MSI", "FILE_TYPE_NE_DLL", "FILE_TYPE_NE_EXE", "FILE_TYPE_ODF", "FILE_TYPE_ODG", "FILE_TYPE_ODP", "FILE_TYPE_ODS", "FILE_TYPE_ODT", "FILE_TYPE_OGG", "FILE_TYPE_OUTLOOK", "FILE_TYPE_PALMOS", "FILE_TYPE_PASCAL", "FILE_TYPE_PDF", "FILE_TYPE_PERL", "FILE_TYPE_PE_DLL", "FILE_TYPE_PE_EXE", "FILE_TYPE_PHP", "FILE_TYPE_PKG", 
"FILE_TYPE_PNG", "FILE_TYPE_POWERSHELL", "FILE_TYPE_PPSX", "FILE_TYPE_PPT", "FILE_TYPE_PPTX", "FILE_TYPE_PS", "FILE_TYPE_PSD", "FILE_TYPE_PYTHON", "FILE_TYPE_QUICKTIME", "FILE_TYPE_RAR", "FILE_TYPE_RM", "FILE_TYPE_ROM", "FILE_TYPE_RPM", "FILE_TYPE_RTF", "FILE_TYPE_RUBY", "FILE_TYPE_RZIP", "FILE_TYPE_SCRIPT", "FILE_TYPE_SEVENZIP", "FILE_TYPE_SHELLSCRIPT", "FILE_TYPE_SVG", "FILE_TYPE_SWF", "FILE_TYPE_SYMBIAN", "FILE_TYPE_T3GP", "FILE_TYPE_TAR", "FILE_TYPE_TARGA", "FILE_TYPE_TEXT", "FILE_TYPE_TIFF", "FILE_TYPE_TORRENT", "FILE_TYPE_TTF", "FILE_TYPE_UNSPECIFIED", "FILE_TYPE_VBA", "FILE_TYPE_WAV", "FILE_TYPE_WEBP", "FILE_TYPE_WINCE", "FILE_TYPE_WMA", "FILE_TYPE_WMV", "FILE_TYPE_WOFF", "FILE_TYPE_XLS", "FILE_TYPE_XLSX", "FILE_TYPE_XML", "FILE_TYPE_XPI", "FILE_TYPE_XWD", "FILE_TYPE_ZIP", "FILE_TYPE_ZLIB"] + sql: CASE ${TABLE}.target.process.file.file_type WHEN 0 THEN 'FILE_TYPE_UNSPECIFIED' WHEN 1 THEN 'FILE_TYPE_PE_EXE' WHEN 2 THEN 'FILE_TYPE_PE_DLL' WHEN 3 THEN 'FILE_TYPE_MSI' WHEN 10 THEN 'FILE_TYPE_NE_EXE' WHEN 11 THEN 'FILE_TYPE_NE_DLL' WHEN 20 THEN 'FILE_TYPE_DOS_EXE' WHEN 21 THEN 'FILE_TYPE_DOS_COM' WHEN 30 THEN 'FILE_TYPE_COFF' WHEN 31 THEN 'FILE_TYPE_ELF' WHEN 32 THEN 'FILE_TYPE_LINUX_KERNEL' WHEN 33 THEN 'FILE_TYPE_RPM' WHEN 34 THEN 'FILE_TYPE_LINUX' WHEN 35 THEN 'FILE_TYPE_MACH_O' WHEN 36 THEN 'FILE_TYPE_JAVA_BYTECODE' WHEN 37 THEN 'FILE_TYPE_DMG' WHEN 38 THEN 'FILE_TYPE_DEB' WHEN 39 THEN 'FILE_TYPE_PKG' WHEN 50 THEN 'FILE_TYPE_LNK' WHEN 100 THEN 'FILE_TYPE_JPEG' WHEN 101 THEN 'FILE_TYPE_TIFF' WHEN 102 THEN 'FILE_TYPE_GIF' WHEN 103 THEN 'FILE_TYPE_PNG' WHEN 104 THEN 'FILE_TYPE_BMP' WHEN 105 THEN 'FILE_TYPE_GIMP' WHEN 106 THEN 'FILE_TYPE_IN_DESIGN' WHEN 107 THEN 'FILE_TYPE_PSD' WHEN 108 THEN 'FILE_TYPE_TARGA' WHEN 109 THEN 'FILE_TYPE_XWD' WHEN 110 THEN 'FILE_TYPE_DIB' WHEN 111 THEN 'FILE_TYPE_JNG' WHEN 112 THEN 'FILE_TYPE_ICO' WHEN 113 THEN 'FILE_TYPE_FPX' WHEN 114 THEN 'FILE_TYPE_EPS' WHEN 115 THEN 'FILE_TYPE_SVG' WHEN 116 THEN 'FILE_TYPE_EMF' WHEN 117 THEN 
'FILE_TYPE_WEBP' WHEN 150 THEN 'FILE_TYPE_OGG' WHEN 151 THEN 'FILE_TYPE_FLC' WHEN 152 THEN 'FILE_TYPE_FLI' WHEN 153 THEN 'FILE_TYPE_MP3' WHEN 154 THEN 'FILE_TYPE_FLAC' WHEN 155 THEN 'FILE_TYPE_WAV' WHEN 156 THEN 'FILE_TYPE_MIDI' WHEN 157 THEN 'FILE_TYPE_AVI' WHEN 158 THEN 'FILE_TYPE_MPEG' WHEN 159 THEN 'FILE_TYPE_QUICKTIME' WHEN 160 THEN 'FILE_TYPE_ASF' WHEN 161 THEN 'FILE_TYPE_DIVX' WHEN 162 THEN 'FILE_TYPE_FLV' WHEN 163 THEN 'FILE_TYPE_WMA' WHEN 164 THEN 'FILE_TYPE_WMV' WHEN 165 THEN 'FILE_TYPE_RM' WHEN 166 THEN 'FILE_TYPE_MOV' WHEN 167 THEN 'FILE_TYPE_MP4' WHEN 168 THEN 'FILE_TYPE_T3GP' WHEN 200 THEN 'FILE_TYPE_PDF' WHEN 201 THEN 'FILE_TYPE_PS' WHEN 202 THEN 'FILE_TYPE_DOC' WHEN 203 THEN 'FILE_TYPE_DOCX' WHEN 204 THEN 'FILE_TYPE_PPT' WHEN 205 THEN 'FILE_TYPE_PPTX' WHEN 209 THEN 'FILE_TYPE_PPSX' WHEN 206 THEN 'FILE_TYPE_XLS' WHEN 207 THEN 'FILE_TYPE_XLSX' WHEN 208 THEN 'FILE_TYPE_RTF' WHEN 250 THEN 'FILE_TYPE_ODP' WHEN 251 THEN 'FILE_TYPE_ODS' WHEN 252 THEN 'FILE_TYPE_ODT' WHEN 253 THEN 'FILE_TYPE_HWP' WHEN 254 THEN 'FILE_TYPE_GUL' WHEN 255 THEN 'FILE_TYPE_ODF' WHEN 256 THEN 'FILE_TYPE_ODG' WHEN 260 THEN 'FILE_TYPE_EBOOK' WHEN 261 THEN 'FILE_TYPE_LATEX' WHEN 262 THEN 'FILE_TYPE_TTF' WHEN 263 THEN 'FILE_TYPE_EOT' WHEN 264 THEN 'FILE_TYPE_WOFF' WHEN 265 THEN 'FILE_TYPE_CHM' WHEN 300 THEN 'FILE_TYPE_ZIP' WHEN 301 THEN 'FILE_TYPE_GZIP' WHEN 302 THEN 'FILE_TYPE_BZIP' WHEN 303 THEN 'FILE_TYPE_RZIP' WHEN 304 THEN 'FILE_TYPE_DZIP' WHEN 305 THEN 'FILE_TYPE_SEVENZIP' WHEN 306 THEN 'FILE_TYPE_CAB' WHEN 307 THEN 'FILE_TYPE_JAR' WHEN 308 THEN 'FILE_TYPE_RAR' WHEN 309 THEN 'FILE_TYPE_MSCOMPRESS' WHEN 310 THEN 'FILE_TYPE_ACE' WHEN 311 THEN 'FILE_TYPE_ARC' WHEN 312 THEN 'FILE_TYPE_ARJ' WHEN 313 THEN 'FILE_TYPE_ASD' WHEN 314 THEN 'FILE_TYPE_BLACKHOLE' WHEN 315 THEN 'FILE_TYPE_KGB' WHEN 316 THEN 'FILE_TYPE_ZLIB' WHEN 317 THEN 'FILE_TYPE_TAR' WHEN 400 THEN 'FILE_TYPE_TEXT' WHEN 401 THEN 'FILE_TYPE_SCRIPT' WHEN 402 THEN 'FILE_TYPE_PHP' WHEN 403 THEN 'FILE_TYPE_PYTHON' WHEN 404 THEN 
'FILE_TYPE_PERL' WHEN 405 THEN 'FILE_TYPE_RUBY' WHEN 406 THEN 'FILE_TYPE_C' WHEN 407 THEN 'FILE_TYPE_CPP' WHEN 408 THEN 'FILE_TYPE_JAVA' WHEN 409 THEN 'FILE_TYPE_SHELLSCRIPT' WHEN 410 THEN 'FILE_TYPE_PASCAL' WHEN 411 THEN 'FILE_TYPE_AWK' WHEN 412 THEN 'FILE_TYPE_DYALOG' WHEN 413 THEN 'FILE_TYPE_FORTRAN' WHEN 414 THEN 'FILE_TYPE_JAVASCRIPT' WHEN 415 THEN 'FILE_TYPE_POWERSHELL' WHEN 416 THEN 'FILE_TYPE_VBA' WHEN 500 THEN 'FILE_TYPE_SYMBIAN' WHEN 501 THEN 'FILE_TYPE_PALMOS' WHEN 502 THEN 'FILE_TYPE_WINCE' WHEN 503 THEN 'FILE_TYPE_ANDROID' WHEN 504 THEN 'FILE_TYPE_IPHONE' WHEN 600 THEN 'FILE_TYPE_HTML' WHEN 601 THEN 'FILE_TYPE_XML' WHEN 602 THEN 'FILE_TYPE_SWF' WHEN 603 THEN 'FILE_TYPE_FLA' WHEN 604 THEN 'FILE_TYPE_COOKIE' WHEN 605 THEN 'FILE_TYPE_TORRENT' WHEN 606 THEN 'FILE_TYPE_EMAIL_TYPE' WHEN 607 THEN 'FILE_TYPE_OUTLOOK' WHEN 700 THEN 'FILE_TYPE_CAP' WHEN 800 THEN 'FILE_TYPE_ISOIMAGE' WHEN 1000 THEN 'FILE_TYPE_APPLE' WHEN 1001 THEN 'FILE_TYPE_MACINTOSH' WHEN 1002 THEN 'FILE_TYPE_APPLESINGLE' WHEN 1003 THEN 'FILE_TYPE_APPLEDOUBLE' WHEN 1004 THEN 'FILE_TYPE_MACINTOSH_HFS' WHEN 1005 THEN 'FILE_TYPE_APPLE_PLIST' WHEN 1006 THEN 'FILE_TYPE_MACINTOSH_LIB' WHEN 1007 THEN 'FILE_TYPE_APPLESCRIPT' WHEN 1008 THEN 'FILE_TYPE_APPLESCRIPT_COMPILED' WHEN 1100 THEN 'FILE_TYPE_CRX' WHEN 1101 THEN 'FILE_TYPE_XPI' WHEN 1200 THEN 'FILE_TYPE_ROM' END ;; + group_label: "target" + label: "target.process.file.file_type_enum_name" + view_label: "UDM" + description: "FileType field." + } # dimension target__process__file__file_type_enum_name + + dimension: target__process__file__full_path { + type: string + sql: ${TABLE}.target.process.file.full_path ;; + group_label: "target" + label: "target.process.file.full_path" + view_label: "UDM" + description: "The full path identifying the location of the file on the system." 
+ } # dimension target__process__file__full_path + + dimension: target__process__file__md5 { + type: string + sql: ${TABLE}.target.process.file.md5 ;; + group_label: "target" + label: "target.process.file.md5" + view_label: "UDM" + description: "The MD5 hash of the file." + } # dimension target__process__file__md5 + + dimension: target__process__file__mime_type { + type: string + sql: ${TABLE}.target.process.file.mime_type ;; + group_label: "target" + label: "target.process.file.mime_type" + view_label: "UDM" + description: "The MIME (Multipurpose Internet Mail Extensions) type of the file, for example \"PE\", \"PDF\", \"powershell script\", etc." + } # dimension target__process__file__mime_type + + dimension: target__process__file__names { + hidden: yes + } # dimension target__process__file__names + + dimension: target__process__file__pe_file { + hidden: yes + } # dimension target__process__file__pe_file + + dimension: target__process__file__pe_file__signature_info { + hidden: yes + } # dimension target__process__file__pe_file__signature_info + + dimension: target__process__file__pe_file__signature_info__signer { + hidden: yes + } # dimension target__process__file__pe_file__signature_info__signer + + dimension: target__process__file__pe_file__signature_info__verification_message { + type: string + sql: ${TABLE}.target.process.file.pe_file.signature_info.verification_message ;; + group_label: "target" + group_item_label: "target.process.file.pe_file.signature_info.verification_message [D]" + label: "target.process.file.pe_file.signature_info.verification_message" + view_label: "UDM" + description: "Status of the certificate. Valid values are \"Signed\", \"Unsigned\" or a description of the certificate anomaly, if found. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension target__process__file__pe_file__signature_info__verification_message + + dimension: target__process__file__sha1 { + type: string + sql: ${TABLE}.target.process.file.sha1 ;; + group_label: "target" + label: "target.process.file.sha1" + view_label: "UDM" + description: "The SHA1 hash of the file." + } # dimension target__process__file__sha1 + + dimension: target__process__file__sha256 { + type: string + sql: ${TABLE}.target.process.file.sha256 ;; + group_label: "target" + label: "target.process.file.sha256" + view_label: "UDM" + description: "The SHA256 hash of the file." + } # dimension target__process__file__sha256 + + dimension: target__process__file__size { + type: number + sql: ${TABLE}.target.process.file.size ;; + group_label: "target" + label: "target.process.file.size" + view_label: "UDM" + description: "The size of the file in bytes." + } # dimension target__process__file__size + + dimension: target__process__parent_pid { + type: string + sql: ${TABLE}.target.process.parent_pid ;; + group_label: "target" + group_item_label: "target.process.parent_pid [D]" + label: "target.process.parent_pid" + view_label: "UDM" + description: "The ID of the parent process. Deprecated: use parent_process.pid instead. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__process__parent_pid + + dimension: target__process__parent_process { + hidden: yes + } # dimension target__process__parent_process + + dimension: target__process__parent_process__command_line { + type: string + sql: ${TABLE}.target.process.parent_process.command_line ;; + group_label: "target" + label: "target.process.parent_process.command_line" + view_label: "UDM" + description: "The command line command that created the process." 
+ } # dimension target__process__parent_process__command_line + + dimension: target__process__parent_process__file { + hidden: yes + } # dimension target__process__parent_process__file + + dimension: target__process__parent_process__file__capabilities_tags { + hidden: yes + } # dimension target__process__parent_process__file__capabilities_tags + + dimension: target__process__parent_process__file__full_path { + type: string + sql: ${TABLE}.target.process.parent_process.file.full_path ;; + group_label: "target" + label: "target.process.parent_process.file.full_path" + view_label: "UDM" + description: "The full path identifying the location of the file on the system." + } # dimension target__process__parent_process__file__full_path + + dimension: target__process__parent_process__file__md5 { + type: string + sql: ${TABLE}.target.process.parent_process.file.md5 ;; + group_label: "target" + label: "target.process.parent_process.file.md5" + view_label: "UDM" + description: "The MD5 hash of the file." + } # dimension target__process__parent_process__file__md5 + + dimension: target__process__parent_process__file__names { + hidden: yes + } # dimension target__process__parent_process__file__names + + dimension: target__process__parent_process__file__sha1 { + type: string + sql: ${TABLE}.target.process.parent_process.file.sha1 ;; + group_label: "target" + label: "target.process.parent_process.file.sha1" + view_label: "UDM" + description: "The SHA1 hash of the file." + } # dimension target__process__parent_process__file__sha1 + + dimension: target__process__parent_process__file__sha256 { + type: string + sql: ${TABLE}.target.process.parent_process.file.sha256 ;; + group_label: "target" + label: "target.process.parent_process.file.sha256" + view_label: "UDM" + description: "The SHA256 hash of the file." 
+ } # dimension target__process__parent_process__file__sha256 + + dimension: target__process__parent_process__parent_pid { + type: string + sql: ${TABLE}.target.process.parent_process.parent_pid ;; + group_label: "target" + group_item_label: "target.process.parent_process.parent_pid [D]" + label: "target.process.parent_process.parent_pid" + view_label: "UDM" + description: "The ID of the parent process. Deprecated: use parent_process.pid instead. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__process__parent_process__parent_pid + + dimension: target__process__parent_process__pid { + type: string + sql: ${TABLE}.target.process.parent_process.pid ;; + group_label: "target" + label: "target.process.parent_process.pid" + view_label: "UDM" + description: "The process ID." + } # dimension target__process__parent_process__pid + + dimension: target__process__parent_process__product_specific_process_id { + type: string + sql: ${TABLE}.target.process.parent_process.product_specific_process_id ;; + group_label: "target" + label: "target.process.parent_process.product_specific_process_id" + view_label: "UDM" + description: "A product specific process id." + } # dimension target__process__parent_process__product_specific_process_id + + dimension: target__process__pid { + type: string + sql: ${TABLE}.target.process.pid ;; + group_label: "target" + label: "target.process.pid" + view_label: "UDM" + description: "The process ID." + } # dimension target__process__pid + + dimension: target__process__product_specific_parent_process_id { + type: string + sql: ${TABLE}.target.process.product_specific_parent_process_id ;; + group_label: "target" + group_item_label: "target.process.product_specific_parent_process_id [D]" + label: "target.process.product_specific_parent_process_id" + view_label: "UDM" + description: "A product specific id for the parent process. Please use parent_process.product_specific_process_id instead. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension target__process__product_specific_parent_process_id + + dimension: target__process__product_specific_process_id { + type: string + sql: ${TABLE}.target.process.product_specific_process_id ;; + group_label: "target" + label: "target.process.product_specific_process_id" + view_label: "UDM" + description: "A product specific process id." + } # dimension target__process__product_specific_process_id + + dimension: target__process_ancestors { + hidden: yes + } # dimension target__process_ancestors + + dimension: target__registry { + hidden: yes + } # dimension target__registry + + dimension: target__registry__registry_key { + type: string + sql: ${TABLE}.target.registry.registry_key ;; + group_label: "target" + label: "target.registry.registry_key" + view_label: "UDM" + description: "Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...)." + } # dimension target__registry__registry_key + + dimension: target__registry__registry_value_data { + type: string + sql: ${TABLE}.target.registry.registry_value_data ;; + group_label: "target" + label: "target.registry.registry_value_data" + view_label: "UDM" + description: "Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp)." + } # dimension target__registry__registry_value_data + + dimension: target__registry__registry_value_name { + type: string + sql: ${TABLE}.target.registry.registry_value_name ;; + group_label: "target" + label: "target.registry.registry_value_name" + view_label: "UDM" + description: "Name of the registry value associated with an application or system component (e.g. TEMP)." 
+ } # dimension target__registry__registry_value_name + + dimension: target__resource { + hidden: yes + } # dimension target__resource + + dimension: target__resource__attribute { + hidden: yes + } # dimension target__resource__attribute + + dimension: target__resource__attribute__cloud { + hidden: yes + } # dimension target__resource__attribute__cloud + + dimension: target__resource__attribute__cloud__availability_zone { + type: string + sql: ${TABLE}.target.resource.attribute.cloud.availability_zone ;; + group_label: "target" + label: "target.resource.attribute.cloud.availability_zone" + view_label: "UDM" + description: "The cloud environment availability zone (different from region which is location.name)." + } # dimension target__resource__attribute__cloud__availability_zone + + dimension: target__resource__attribute__cloud__environment { + type: number + sql: ${TABLE}.target.resource.attribute.cloud.environment ;; + group_label: "target" + label: "target.resource.attribute.cloud.environment" + view_label: "UDM" + description: "The Cloud environment." + } # dimension target__resource__attribute__cloud__environment + + dimension: target__resource__attribute__cloud__environment_enum_name { + type: string + suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] + sql: CASE ${TABLE}.target.resource.attribute.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; + group_label: "target" + label: "target.resource.attribute.cloud.environment_enum_name" + view_label: "UDM" + description: "The Cloud environment." 
+ } # dimension target__resource__attribute__cloud__environment_enum_name + + dimension: target__resource__attribute__cloud__project { + hidden: yes + } # dimension target__resource__attribute__cloud__project + + dimension: target__resource__attribute__cloud__project__id { + type: string + sql: ${TABLE}.target.resource.attribute.cloud.project.id ;; + group_label: "target" + group_item_label: "target.resource.attribute.cloud.project.id [D]" + label: "target.resource.attribute.cloud.project.id" + view_label: "UDM" + description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__resource__attribute__cloud__project__id + + dimension: target__resource__attribute__cloud__project__name { + type: string + sql: ${TABLE}.target.resource.attribute.cloud.project.name ;; + group_label: "target" + group_item_label: "target.resource.attribute.cloud.project.name [D]" + label: "target.resource.attribute.cloud.project.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__resource__attribute__cloud__project__name + + dimension_group: target__resource__attribute__creation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.resource.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.resource.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.resource.attribute.creation_time" + view_label: "UDM" + description: "Time the resource or entity was created or provisioned." 
+ } # dimension target__resource__attribute__creation_time + + dimension: target__resource__attribute__labels { + hidden: yes + } # dimension target__resource__attribute__labels + + dimension_group: target__resource__attribute__last_update_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.resource.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.resource.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.resource.attribute.last_update_time" + view_label: "UDM" + description: "Time the resource or entity was last updated." + } # dimension target__resource__attribute__last_update_time + + dimension: target__resource__attribute__permissions { + hidden: yes + } # dimension target__resource__attribute__permissions + + dimension: target__resource__attribute__roles { + hidden: yes + } # dimension target__resource__attribute__roles + + dimension: target__resource__id { + type: string + sql: ${TABLE}.target.resource.id ;; + group_label: "target" + group_item_label: "target.resource.id [D]" + label: "target.resource.id" + view_label: "UDM" + description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__resource__id + + dimension: target__resource__name { + type: string + sql: ${TABLE}.target.resource.name ;; + group_label: "target" + label: "target.resource.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." 
+ } # dimension target__resource__name + + dimension: target__resource__parent { + type: string + sql: ${TABLE}.target.resource.parent ;; + group_label: "target" + group_item_label: "target.resource.parent [D]" + label: "target.resource.parent" + view_label: "UDM" + description: "The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: use resource_ancestors.name. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__resource__parent + + dimension: target__resource__product_object_id { + type: string + sql: ${TABLE}.target.resource.product_object_id ;; + group_label: "target" + label: "target.resource.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" + } # dimension target__resource__product_object_id + + dimension: target__resource__resource_subtype { + type: string + sql: ${TABLE}.target.resource.resource_subtype ;; + group_label: "target" + label: "target.resource.resource_subtype" + view_label: "UDM" + description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\")." + } # dimension target__resource__resource_subtype + + dimension: target__resource__resource_type { + type: number + sql: ${TABLE}.target.resource.resource_type ;; + group_label: "target" + label: "target.resource.resource_type" + view_label: "UDM" + description: "Resource type." 
+ } # dimension target__resource__resource_type + + dimension: target__resource__resource_type_enum_name { + type: string + suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] + sql: CASE ${TABLE}.target.resource.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; + group_label: "target" + label: "target.resource.resource_type_enum_name" + view_label: "UDM" + description: "Resource type." + } # dimension target__resource__resource_type_enum_name + + dimension: target__resource__type { + type: string + sql: ${TABLE}.target.resource.type ;; + group_label: "target" + group_item_label: "target.resource.type [D]" + label: "target.resource.type" + view_label: "UDM" + description: "Deprecated: use resource_type instead. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__resource__type + + dimension: target__resource_ancestors { + hidden: yes + } # dimension target__resource_ancestors + + dimension: target__url { + type: string + sql: ${TABLE}.target.url ;; + group_label: "target" + label: "target.url" + view_label: "UDM" + description: "The URL." 
+ } # dimension target__url + + dimension: target__user { + hidden: yes + } # dimension target__user + + dimension: target__user__account_type { + type: number + sql: ${TABLE}.target.user.account_type ;; + group_label: "target" + label: "target.user.account_type" + view_label: "UDM" + description: "Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/" + } # dimension target__user__account_type + + dimension: target__user__account_type_enum_name { + type: string + suggestions: ["ACCOUNT_TYPE_UNSPECIFIED", "CLOUD_ACCOUNT_TYPE", "DEFAULT_ACCOUNT_TYPE", "DOMAIN_ACCOUNT_TYPE", "LOCAL_ACCOUNT_TYPE", "SERVICE_ACCOUNT_TYPE"] + sql: CASE ${TABLE}.target.user.account_type WHEN 0 THEN 'ACCOUNT_TYPE_UNSPECIFIED' WHEN 1 THEN 'DOMAIN_ACCOUNT_TYPE' WHEN 2 THEN 'LOCAL_ACCOUNT_TYPE' WHEN 3 THEN 'CLOUD_ACCOUNT_TYPE' WHEN 4 THEN 'SERVICE_ACCOUNT_TYPE' WHEN 5 THEN 'DEFAULT_ACCOUNT_TYPE' END ;; + group_label: "target" + label: "target.user.account_type_enum_name" + view_label: "UDM" + description: "Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/" + } # dimension target__user__account_type_enum_name + + dimension: target__user__attribute { + hidden: yes + } # dimension target__user__attribute + + dimension: target__user__attribute__cloud { + hidden: yes + } # dimension target__user__attribute__cloud + + dimension: target__user__attribute__cloud__environment { + type: number + sql: ${TABLE}.target.user.attribute.cloud.environment ;; + group_label: "target" + label: "target.user.attribute.cloud.environment" + view_label: "UDM" + description: "The Cloud environment." 
+ } # dimension target__user__attribute__cloud__environment + + dimension: target__user__attribute__cloud__environment_enum_name { + type: string + suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] + sql: CASE ${TABLE}.target.user.attribute.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; + group_label: "target" + label: "target.user.attribute.cloud.environment_enum_name" + view_label: "UDM" + description: "The Cloud environment." + } # dimension target__user__attribute__cloud__environment_enum_name + + dimension: target__user__attribute__cloud__project { + hidden: yes + } # dimension target__user__attribute__cloud__project + + dimension: target__user__attribute__cloud__project__id { + type: string + sql: ${TABLE}.target.user.attribute.cloud.project.id ;; + group_label: "target" + group_item_label: "target.user.attribute.cloud.project.id [D]" + label: "target.user.attribute.cloud.project.id" + view_label: "UDM" + description: "Deprecated: Use resource.name or resource.product_object_id. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension target__user__attribute__cloud__project__id + + dimension: target__user__attribute__cloud__vpc { + hidden: yes + } # dimension target__user__attribute__cloud__vpc + + dimension: target__user__attribute__cloud__vpc__product_object_id { + type: string + sql: ${TABLE}.target.user.attribute.cloud.vpc.product_object_id ;; + group_label: "target" + group_item_label: "target.user.attribute.cloud.vpc.product_object_id [D]" + label: "target.user.attribute.cloud.vpc.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" + } # dimension target__user__attribute__cloud__vpc__product_object_id + + dimension_group: target__user__attribute__creation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.user.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.user.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.user.attribute.creation_time" + view_label: "UDM" + description: "Time the resource or entity was created or provisioned." 
+ } # dimension target__user__attribute__creation_time + + dimension: target__user__attribute__labels { + hidden: yes + } # dimension target__user__attribute__labels + + dimension_group: target__user__attribute__last_update_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.user.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.user.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.user.attribute.last_update_time" + view_label: "UDM" + description: "Time the resource or entity was last updated." + } # dimension target__user__attribute__last_update_time + + dimension: target__user__attribute__permissions { + hidden: yes + } # dimension target__user__attribute__permissions + + dimension: target__user__attribute__roles { + hidden: yes + } # dimension target__user__attribute__roles + + dimension: target__user__company_name { + type: string + sql: ${TABLE}.target.user.company_name ;; + group_label: "target" + label: "target.user.company_name" + view_label: "UDM" + description: "User job company name." + } # dimension target__user__company_name + + dimension: target__user__department { + hidden: yes + } # dimension target__user__department + + dimension: target__user__email_addresses { + hidden: yes + } # dimension target__user__email_addresses + + dimension: target__user__employee_id { + type: string + sql: ${TABLE}.target.user.employee_id ;; + group_label: "target" + label: "target.user.employee_id" + view_label: "UDM" + description: "Human capital management identifier." + } # dimension target__user__employee_id + + dimension: target__user__first_name { + type: string + sql: ${TABLE}.target.user.first_name ;; + group_label: "target" + label: "target.user.first_name" + view_label: "UDM" + description: "First name of the user (e.g. \"John\")." 
+ } # dimension target__user__first_name + + dimension: target__user__group_identifiers { + hidden: yes + } # dimension target__user__group_identifiers + + dimension: target__user__groupid { + type: string + sql: ${TABLE}.target.user.groupid ;; + group_label: "target" + group_item_label: "target.user.groupid [D]" + label: "target.user.groupid" + view_label: "UDM" + description: "The ID of the group that the user belongs to. Deprecated in favor of the repeated group_identifiers field. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__user__groupid + + dimension_group: target__user__hire_date { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.user.hire_date.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.user.hire_date.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.user.hire_date" + view_label: "UDM" + description: "User job employment hire date." + } # dimension target__user__hire_date + + dimension: target__user__last_name { + type: string + sql: ${TABLE}.target.user.last_name ;; + group_label: "target" + label: "target.user.last_name" + view_label: "UDM" + description: "Last name of the user (e.g. \"Locke\")." + } # dimension target__user__last_name + + dimension: target__user__managers { + hidden: yes + } # dimension target__user__managers + + dimension: target__user__middle_name { + type: string + sql: ${TABLE}.target.user.middle_name ;; + group_label: "target" + label: "target.user.middle_name" + view_label: "UDM" + description: "Middle name of the user." 
+ } # dimension target__user__middle_name + + dimension: target__user__office_address { + hidden: yes + } # dimension target__user__office_address + + dimension: target__user__office_address__city { + type: string + sql: ${TABLE}.target.user.office_address.city ;; + group_label: "target" + label: "target.user.office_address.city" + view_label: "UDM" + description: "The city." + } # dimension target__user__office_address__city + + dimension: target__user__office_address__country_or_region { + type: string + sql: ${TABLE}.target.user.office_address.country_or_region ;; + group_label: "target" + label: "target.user.office_address.country_or_region" + view_label: "UDM" + description: "The country or region." + } # dimension target__user__office_address__country_or_region + + dimension: target__user__office_address__desk_name { + type: string + sql: ${TABLE}.target.user.office_address.desk_name ;; + group_label: "target" + label: "target.user.office_address.desk_name" + view_label: "UDM" + description: "Desk name or individual location, typically for an employee in an office. (e.g. \"IN-BLR-BCPC-11-1121D\")." + } # dimension target__user__office_address__desk_name + + dimension: target__user__office_address__floor_name { + type: string + sql: ${TABLE}.target.user.office_address.floor_name ;; + group_label: "target" + label: "target.user.office_address.floor_name" + view_label: "UDM" + description: "Floor name, number or a combination of the two for a building. (e.g. \"1-A\")." + } # dimension target__user__office_address__floor_name + + dimension: target__user__office_address__name { + type: string + sql: ${TABLE}.target.user.office_address.name ;; + group_label: "target" + label: "target.user.office_address.name" + view_label: "UDM" + description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." 
+ } # dimension target__user__office_address__name + + dimension: target__user__office_address__state { + type: string + sql: ${TABLE}.target.user.office_address.state ;; + group_label: "target" + label: "target.user.office_address.state" + view_label: "UDM" + description: "The state." + } # dimension target__user__office_address__state + + dimension: target__user__personal_address { + hidden: yes + } # dimension target__user__personal_address + + dimension: target__user__personal_address__city { + type: string + sql: ${TABLE}.target.user.personal_address.city ;; + group_label: "target" + label: "target.user.personal_address.city" + view_label: "UDM" + description: "The city." + } # dimension target__user__personal_address__city + + dimension: target__user__personal_address__country_or_region { + type: string + sql: ${TABLE}.target.user.personal_address.country_or_region ;; + group_label: "target" + label: "target.user.personal_address.country_or_region" + view_label: "UDM" + description: "The country or region." + } # dimension target__user__personal_address__country_or_region + + dimension: target__user__personal_address__name { + type: string + sql: ${TABLE}.target.user.personal_address.name ;; + group_label: "target" + label: "target.user.personal_address.name" + view_label: "UDM" + description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." + } # dimension target__user__personal_address__name + + dimension: target__user__personal_address__region_latitude { + type: number + sql: ${TABLE}.target.user.personal_address.region_latitude ;; + group_label: "target" + group_item_label: "target.user.personal_address.region_latitude [D]" + label: "target.user.personal_address.region_latitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension target__user__personal_address__region_latitude + + dimension: target__user__personal_address__region_longitude { + type: number + sql: ${TABLE}.target.user.personal_address.region_longitude ;; + group_label: "target" + group_item_label: "target.user.personal_address.region_longitude [D]" + label: "target.user.personal_address.region_longitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__user__personal_address__region_longitude + + dimension: target__user__personal_address__location { + type: location + sql_latitude: ${TABLE}.target.user.personal_address.region_latitude ;; + sql_longitude: ${TABLE}.target.user.personal_address.region_longitude ;; + group_label: "target" + group_item_label: "target.user.personal_address.location [D][L]" + label: "target.user.personal_address.location" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." + } # dimension target__user__personal_address__location + + dimension: target__user__personal_address__state { + type: string + sql: ${TABLE}.target.user.personal_address.state ;; + group_label: "target" + label: "target.user.personal_address.state" + view_label: "UDM" + description: "The state." + } # dimension target__user__personal_address__state + + dimension: target__user__phone_numbers { + hidden: yes + } # dimension target__user__phone_numbers + + dimension: target__user__product_object_id { + type: string + sql: ${TABLE}.target.user.product_object_id ;; + group_label: "target" + label: "target.user.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." 
+ } # dimension target__user__product_object_id + + dimension: target__user__role_description { + type: string + sql: ${TABLE}.target.user.role_description ;; + group_label: "target" + group_item_label: "target.user.role_description [D]" + label: "target.user.role_description" + view_label: "UDM" + description: "System role description for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__user__role_description + + dimension: target__user__role_name { + type: string + sql: ${TABLE}.target.user.role_name ;; + group_label: "target" + group_item_label: "target.user.role_name [D]" + label: "target.user.role_name" + view_label: "UDM" + description: "System role name for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__user__role_name + + dimension_group: target__user__termination_date { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.user.termination_date.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.user.termination_date.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.user.termination_date" + view_label: "UDM" + description: "User job employment termination date." + } # dimension target__user__termination_date + + dimension: target__user__time_off { + hidden: yes + } # dimension target__user__time_off + + dimension: target__user__title { + type: string + sql: ${TABLE}.target.user.title ;; + group_label: "target" + label: "target.user.title" + view_label: "UDM" + description: "User job title." 
+ } # dimension target__user__title + + dimension: target__user__user_authentication_status { + type: number + sql: ${TABLE}.target.user.user_authentication_status ;; + group_label: "target" + label: "target.user.user_authentication_status" + view_label: "UDM" + description: "System authentication status for user." + } # dimension target__user__user_authentication_status + + dimension: target__user__user_authentication_status_enum_name { + type: string + suggestions: ["ACTIVE", "DELETED", "NO_ACTIVE_CREDENTIALS", "SUSPENDED", "UNKNOWN_AUTHENTICATION_STATUS"] + sql: CASE ${TABLE}.target.user.user_authentication_status WHEN 0 THEN 'UNKNOWN_AUTHENTICATION_STATUS' WHEN 1 THEN 'ACTIVE' WHEN 2 THEN 'SUSPENDED' WHEN 3 THEN 'NO_ACTIVE_CREDENTIALS' WHEN 4 THEN 'DELETED' END ;; + group_label: "target" + label: "target.user.user_authentication_status_enum_name" + view_label: "UDM" + description: "System authentication status for user." + } # dimension target__user__user_authentication_status_enum_name + + dimension: target__user__user_display_name { + type: string + sql: ${TABLE}.target.user.user_display_name ;; + group_label: "target" + label: "target.user.user_display_name" + view_label: "UDM" + description: "The display name of the user (e.g. \"John Locke\")." + } # dimension target__user__user_display_name + + dimension: target__user__user_role { + type: number + sql: ${TABLE}.target.user.user_role ;; + group_label: "target" + group_item_label: "target.user.user_role [D]" + label: "target.user.user_role" + view_label: "UDM" + description: "System role for user. Deprecated: use attribute.roles. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension target__user__user_role + + dimension: target__user__user_role_enum_name { + type: string + suggestions: ["ADMINISTRATOR", "SERVICE_ACCOUNT", "UNKNOWN_ROLE"] + sql: CASE ${TABLE}.target.user.user_role WHEN 0 THEN 'UNKNOWN_ROLE' WHEN 1 THEN 'ADMINISTRATOR' WHEN 2 THEN 'SERVICE_ACCOUNT' END ;; + group_label: "target" + group_item_label: "target.user.user_role_enum_name [D]" + label: "target.user.user_role_enum_name" + view_label: "UDM" + description: "System role for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__user__user_role_enum_name + + dimension: target__user__userid { + type: string + sql: ${TABLE}.target.user.userid ;; + group_label: "target" + label: "target.user.userid" + view_label: "UDM" + description: "The ID of the user." + } # dimension target__user__userid + + dimension: target__user__windows_sid { + type: string + sql: ${TABLE}.target.user.windows_sid ;; + group_label: "target" + label: "target.user.windows_sid" + view_label: "UDM" + description: "The Microsoft Windows SID of the user." + } # dimension target__user__windows_sid + + dimension: target__user_management_chain { + hidden: yes + } # dimension target__user_management_chain + +} # view events + +view: events__about__asset__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "about" + label: "about.asset.attribute.labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "about" + label: "about.asset.attribute.labels.value" + view_label: "UDM" + description: "The value." 
+ } # dimension value + +} # view events__about__asset__attribute__labels + +view: events__about__asset__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "about" + label: "about.asset.attribute.permissions.description" + view_label: "UDM" + description: "Description of the permission (e.g. 'Ability to update detect rules')." + } # dimension description + +} # view events__about__asset__attribute__permissions + +view: events__about__asset__hardware { + dimension: manufacturer { + type: string + sql: ${TABLE}.manufacturer ;; + group_label: "about" + label: "about.asset.hardware.manufacturer" + view_label: "UDM" + description: "Hardware manufacturer." + } # dimension manufacturer + + dimension: model { + type: string + sql: ${TABLE}.model ;; + group_label: "about" + label: "about.asset.hardware.model" + view_label: "UDM" + description: "Hardware model." + } # dimension model + + dimension: serial_number { + type: string + sql: ${TABLE}.serial_number ;; + group_label: "about" + label: "about.asset.hardware.serial_number" + view_label: "UDM" + description: "Hardware serial number." + } # dimension serial_number + +} # view events__about__asset__hardware + +view: events__about__asset__ip { + dimension: events__about__asset__ip { + type: string + sql: ${TABLE} ;; + group_label: "about" + label: "about.asset.ip" + view_label: "UDM" + description: "A list of IP addresses associated with an asset." + } # dimension events__about__asset__ip +} # view events__about__asset__ip + +view: events__about__asset__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "about" + group_item_label: "about.asset.labels.key [D]" + label: "about.asset.labels.key" + view_label: "UDM" + description: "The key. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "about" + group_item_label: "about.asset.labels.value [D]" + label: "about.asset.labels.value" + view_label: "UDM" + description: "The value. [D]: This field is deprecated and will be removed in a future release" + } # dimension value + +} # view events__about__asset__labels + +view: events__about__asset__vulnerabilities { + dimension: severity { + type: number + sql: ${TABLE}.severity ;; + group_label: "about" + label: "about.asset.vulnerabilities.severity" + view_label: "UDM" + description: "The severity of the vulnerability." + } # dimension severity + + dimension: severity_enum_name { + type: string + suggestions: ["CRITICAL", "HIGH", "LOW", "MEDIUM", "UNKNOWN_SEVERITY"] + sql: CASE ${TABLE}.severity WHEN 0 THEN 'UNKNOWN_SEVERITY' WHEN 1 THEN 'LOW' WHEN 2 THEN 'MEDIUM' WHEN 3 THEN 'HIGH' WHEN 4 THEN 'CRITICAL' END ;; + group_label: "about" + label: "about.asset.vulnerabilities.severity_enum_name" + view_label: "UDM" + description: "The severity of the vulnerability." + } # dimension severity_enum_name + +} # view events__about__asset__vulnerabilities + +view: events__about__file__capabilities_tags { + dimension: events__about__file__capabilities_tags { + type: string + sql: ${TABLE} ;; + group_label: "about" + label: "about.file.capabilities_tags" + view_label: "UDM" + description: "Capabilities tags." + } # dimension events__about__file__capabilities_tags +} # view events__about__file__capabilities_tags + +view: events__about__file__names { + dimension: events__about__file__names { + type: string + sql: ${TABLE} ;; + group_label: "about" + label: "about.file.names" + view_label: "UDM" + description: "Names fields." 
+ } # dimension events__about__file__names +} # view events__about__file__names + +view: events__about__investigation__comments { + dimension: events__about__investigation__comments { + type: string + sql: ${TABLE} ;; + group_label: "about" + label: "about.investigation.comments" + view_label: "UDM" + description: "Comment added by the Analyst." + } # dimension events__about__investigation__comments +} # view events__about__investigation__comments + +view: events__about__ip { + dimension: events__about__ip { + type: string + sql: ${TABLE} ;; + group_label: "about" + label: "about.ip" + view_label: "UDM" + description: "A list of IP addresses associated with a network connection." + } # dimension events__about__ip +} # view events__about__ip + +view: events__about__ip_location { + dimension: country_or_region { + type: string + sql: ${TABLE}.country_or_region ;; + group_label: "about" + group_item_label: "about.ip_location.country_or_region [D]" + label: "about.ip_location.country_or_region" + view_label: "UDM" + description: "The country or region. [D]: This field is deprecated and will be removed in a future release" + } # dimension country_or_region + +} # view events__about__ip_location + +view: events__about__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "about" + group_item_label: "about.labels.key [D]" + label: "about.labels.key" + view_label: "UDM" + description: "The key. [D]: This field is deprecated and will be removed in a future release" + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "about" + group_item_label: "about.labels.value [D]" + label: "about.labels.value" + view_label: "UDM" + description: "The value. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension value + +} # view events__about__labels + +view: events__about__mac { + dimension: events__about__mac { + type: string + sql: ${TABLE} ;; + group_label: "about" + label: "about.mac" + view_label: "UDM" + description: "List of MAC addresses associated with a device." + } # dimension events__about__mac +} # view events__about__mac + +view: events__about__nat_ip { + dimension: events__about__nat_ip { + type: string + sql: ${TABLE} ;; + group_label: "about" + label: "about.nat_ip" + view_label: "UDM" + description: "A list of NAT translated IP addresses associated with a network connection." + } # dimension events__about__nat_ip +} # view events__about__nat_ip + +view: events__about__resource__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "about" + label: "about.resource.attribute.labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "about" + label: "about.resource.attribute.labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view events__about__resource__attribute__labels + +view: events__about__resource__attribute__permissions { + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "about" + label: "about.resource.attribute.permissions.name" + view_label: "UDM" + description: "Name of the permission (e.g. chronicle.analyst.updateRule)." + } # dimension name + +} # view events__about__resource__attribute__permissions + +view: events__about__resource_ancestors__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "about" + label: "about.resource_ancestors.attribute.labels.key" + view_label: "UDM" + description: "The key." 
+ } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "about" + label: "about.resource_ancestors.attribute.labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view events__about__resource_ancestors__attribute__labels + +view: events__about__resource_ancestors { + dimension: attribute { + hidden: yes + } # dimension attribute + + dimension_group: about__resource_ancestors__attribute__creation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "about" + label: "about.resource_ancestors.attribute.creation_time" + view_label: "UDM" + description: "Time the resource or entity was created or provisioned." + } # dimension about__resource_ancestors__attribute__creation_time + + dimension: attribute__labels { + hidden: yes + } # dimension attribute__labels + + dimension_group: about__resource_ancestors__attribute__last_update_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "about" + label: "about.resource_ancestors.attribute.last_update_time" + view_label: "UDM" + description: "Time the resource or entity was last updated." + } # dimension about__resource_ancestors__attribute__last_update_time + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "about" + label: "about.resource_ancestors.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." 
+ } # dimension name + + dimension: product_object_id { + type: string + sql: ${TABLE}.product_object_id ;; + group_label: "about" + label: "about.resource_ancestors.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" + } # dimension product_object_id + +} # view events__about__resource_ancestors + +view: events__about__user__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "about" + label: "about.user.attribute.labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "about" + label: "about.user.attribute.labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view events__about__user__attribute__labels + +view: events__about__user__attribute__permissions { + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "about" + label: "about.user.attribute.permissions.name" + view_label: "UDM" + description: "Name of the permission (e.g. chronicle.analyst.updateRule)." + } # dimension name + +} # view events__about__user__attribute__permissions + +view: events__about__user__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "about" + label: "about.user.attribute.roles.description" + view_label: "UDM" + description: "System role description for user." + } # dimension description + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "about" + label: "about.user.attribute.roles.name" + view_label: "UDM" + description: "System role name for user." 
+ } # dimension name + +} # view events__about__user__attribute__roles + +view: events__about__user__department { + dimension: events__about__user__department { + type: string + sql: ${TABLE} ;; + group_label: "about" + label: "about.user.department" + view_label: "UDM" + description: "User job department" + } # dimension events__about__user__department +} # view events__about__user__department + +view: events__about__user__email_addresses { + dimension: events__about__user__email_addresses { + type: string + sql: ${TABLE} ;; + group_label: "about" + label: "about.user.email_addresses" + view_label: "UDM" + description: "Email addresses of the user." + } # dimension events__about__user__email_addresses +} # view events__about__user__email_addresses + +view: events__about__user__group_identifiers { + dimension: events__about__user__group_identifiers { + type: string + sql: ${TABLE} ;; + group_label: "about" + label: "about.user.group_identifiers" + view_label: "UDM" + description: "Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar)." + } # dimension events__about__user__group_identifiers +} # view events__about__user__group_identifiers + +view: events__about { + dimension: administrative_domain { + type: string + sql: ${TABLE}.administrative_domain ;; + group_label: "about" + label: "about.administrative_domain" + view_label: "UDM" + description: "Domain which the device belongs to (for example, the Microsoft Windows domain)." + } # dimension administrative_domain + + dimension: application { + type: string + sql: ${TABLE}.application ;; + group_label: "about" + label: "about.application" + view_label: "UDM" + description: "The name of an application or service. Some SSO solutions only capture the name of a target application such as \"Atlassian\" or \"Chronicle\"." 
+ } # dimension application + + dimension: artifact { + hidden: yes + } # dimension artifact + + dimension: artifact__prevalence { + hidden: yes + } # dimension artifact__prevalence + + dimension: artifact__prevalence__day_count { + type: number + sql: ${TABLE}.artifact.prevalence.day_count ;; + group_label: "about" + label: "about.artifact.prevalence.day_count" + view_label: "UDM" + description: "The number of days over which rolling_max is calculated." + } # dimension artifact__prevalence__day_count + + dimension: artifact__prevalence__day_max { + type: number + sql: ${TABLE}.artifact.prevalence.day_max ;; + group_label: "about" + label: "about.artifact.prevalence.day_max" + view_label: "UDM" + description: "The max prevalence score in a day interval window." + } # dimension artifact__prevalence__day_max + + dimension: asset { + hidden: yes + } # dimension asset + + dimension: asset__asset_id { + type: string + sql: ${TABLE}.asset.asset_id ;; + group_label: "about" + label: "about.asset.asset_id" + view_label: "UDM" + description: "The asset ID." + } # dimension asset__asset_id + + dimension: asset__attribute { + hidden: yes + } # dimension asset__attribute + + dimension: asset__attribute__labels { + hidden: yes + } # dimension asset__attribute__labels + + dimension: asset__attribute__permissions { + hidden: yes + } # dimension asset__attribute__permissions + + dimension: asset__category { + type: string + sql: ${TABLE}.asset.category ;; + group_label: "about" + label: "about.asset.category" + view_label: "UDM" + description: "The category of the asset (e.g. \"End User Asset\", \"Workstation\", \"Server\")." 
+ } # dimension asset__category + + dimension_group: about__asset__first_discover_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.asset.first_discover_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.asset.first_discover_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "about" + label: "about.asset.first_discover_time" + view_label: "UDM" + description: "Time the asset was first discovered (by asset management/discoverability software)." + } # dimension about__asset__first_discover_time + + dimension: asset__hardware { + hidden: yes + } # dimension asset__hardware + + dimension: asset__hostname { + type: string + sql: ${TABLE}.asset.hostname ;; + group_label: "about" + label: "about.asset.hostname" + view_label: "UDM" + description: "Asset hostname or domain name field." + } # dimension asset__hostname + + dimension: asset__ip { + hidden: yes + } # dimension asset__ip + + dimension: asset__labels { + hidden: yes + } # dimension asset__labels + + dimension_group: about__asset__last_boot_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.asset.last_boot_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.asset.last_boot_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "about" + label: "about.asset.last_boot_time" + view_label: "UDM" + description: "Time the asset was last boot started." + } # dimension about__asset__last_boot_time + + dimension: asset__location { + hidden: yes + } # dimension asset__location + + dimension: asset__location__name { + type: string + sql: ${TABLE}.asset.location.name ;; + group_label: "about" + label: "about.asset.location.name" + view_label: "UDM" + description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." 
+ } # dimension asset__location__name + + dimension: asset__product_object_id { + type: string + sql: ${TABLE}.asset.product_object_id ;; + group_label: "about" + label: "about.asset.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID or similar)." + } # dimension asset__product_object_id + + dimension: asset__vulnerabilities { + hidden: yes + } # dimension asset__vulnerabilities + + dimension: asset_id { + type: string + sql: ${TABLE}.asset_id ;; + group_label: "about" + label: "about.asset_id" + view_label: "UDM" + description: "The asset ID." + } # dimension asset_id + + dimension: cloud { + hidden: yes + } # dimension cloud + + dimension: cloud__vpc { + hidden: yes + } # dimension cloud__vpc + + dimension: cloud__vpc__id { + type: string + sql: ${TABLE}.cloud.vpc.id ;; + group_label: "about" + group_item_label: "about.cloud.vpc.id [D]" + label: "about.cloud.vpc.id" + view_label: "UDM" + description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" + } # dimension cloud__vpc__id + + dimension: domain { + hidden: yes + } # dimension domain + + dimension: domain__billing { + hidden: yes + } # dimension domain__billing + + dimension: domain__billing__title { + type: string + sql: ${TABLE}.domain.billing.title ;; + group_label: "about" + label: "about.domain.billing.title" + view_label: "UDM" + description: "User job title." + } # dimension domain__billing__title + + dimension: domain__name { + type: string + sql: ${TABLE}.domain.name ;; + group_label: "about" + label: "about.domain.name" + view_label: "UDM" + description: "The domain name." + } # dimension domain__name + + dimension: email { + type: string + sql: ${TABLE}.email ;; + group_label: "about" + label: "about.email" + view_label: "UDM" + description: "Email address. 
Only filled in for security_result.about" + } # dimension email + + dimension: file { + hidden: yes + } # dimension file + + dimension: file__capabilities_tags { + hidden: yes + } # dimension file__capabilities_tags + + dimension: file__full_path { + type: string + sql: ${TABLE}.file.full_path ;; + group_label: "about" + label: "about.file.full_path" + view_label: "UDM" + description: "The full path identifying the location of the file on the system." + } # dimension file__full_path + + dimension_group: about__file__last_modification_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.file.last_modification_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.file.last_modification_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "about" + label: "about.file.last_modification_time" + view_label: "UDM" + description: "Timestamp when the file was last updated." + } # dimension about__file__last_modification_time + + dimension: file__md5 { + type: string + sql: ${TABLE}.file.md5 ;; + group_label: "about" + label: "about.file.md5" + view_label: "UDM" + description: "The MD5 hash of the file." + } # dimension file__md5 + + dimension: file__mime_type { + type: string + sql: ${TABLE}.file.mime_type ;; + group_label: "about" + label: "about.file.mime_type" + view_label: "UDM" + description: "The MIME (Multipurpose Internet Mail Extensions) type of the file, for example \"PE\", \"PDF\", \"powershell script\", etc." + } # dimension file__mime_type + + dimension: file__names { + hidden: yes + } # dimension file__names + + dimension: file__sha1 { + type: string + sql: ${TABLE}.file.sha1 ;; + group_label: "about" + label: "about.file.sha1" + view_label: "UDM" + description: "The SHA1 hash of the file." 
+ } # dimension file__sha1 + + dimension: file__sha256 { + type: string + sql: ${TABLE}.file.sha256 ;; + group_label: "about" + label: "about.file.sha256" + view_label: "UDM" + description: "The SHA256 hash of the file." + } # dimension file__sha256 + + dimension: file__size { + type: number + sql: ${TABLE}.file.size ;; + group_label: "about" + label: "about.file.size" + view_label: "UDM" + description: "The size of the file in bytes." + } # dimension file__size + + dimension: group { + hidden: yes + } # dimension group + + dimension: group__group_display_name { + type: string + sql: ${TABLE}.group.group_display_name ;; + group_label: "about" + label: "about.group.group_display_name" + view_label: "UDM" + description: "Group display name. e.g. \"Finance\"." + } # dimension group__group_display_name + + dimension: group__product_object_id { + type: string + sql: ${TABLE}.group.product_object_id ;; + group_label: "about" + label: "about.group.product_object_id" + view_label: "UDM" + description: "Product globally unique user object identifier, such as an LDAP Object Identifier." + } # dimension group__product_object_id + + dimension: hostname { + type: string + sql: ${TABLE}.hostname ;; + group_label: "about" + label: "about.hostname" + view_label: "UDM" + description: "Client hostname or domain name field. Hostname also doubles as the domain for remote entities." + } # dimension hostname + + dimension: investigation { + hidden: yes + } # dimension investigation + + dimension: investigation__comments { + hidden: yes + } # dimension investigation__comments + + dimension: investigation__root_cause { + type: string + sql: ${TABLE}.investigation.root_cause ;; + group_label: "about" + label: "about.investigation.root_cause" + view_label: "UDM" + description: "Root cause of the Alert or Finding set by analyst." 
+ } # dimension investigation__root_cause + + dimension: ip { + hidden: yes + } # dimension ip + + dimension: ip_location { + hidden: yes + } # dimension ip_location + + dimension: labels { + hidden: yes + } # dimension labels + + dimension: location { + hidden: yes + } # dimension location + + dimension: location__city { + type: string + sql: ${TABLE}.location.city ;; + group_label: "about" + label: "about.location.city" + view_label: "UDM" + description: "The city." + } # dimension location__city + + dimension: location__country_or_region { + type: string + sql: ${TABLE}.location.country_or_region ;; + group_label: "about" + label: "about.location.country_or_region" + view_label: "UDM" + description: "The country or region." + } # dimension location__country_or_region + + dimension: location__state { + type: string + sql: ${TABLE}.location.state ;; + group_label: "about" + label: "about.location.state" + view_label: "UDM" + description: "The state." + } # dimension location__state + + dimension: mac { + hidden: yes + } # dimension mac + + dimension: namespace { + type: string + sql: ${TABLE}.namespace ;; + group_label: "about" + label: "about.namespace" + view_label: "UDM" + description: "Namespace which the device belongs to (e.g. AD forest) Uses for this field include Microsoft Windows AD forest, name of subsidiary or acquisition, etc." + } # dimension namespace + + dimension: nat_ip { + hidden: yes + } # dimension nat_ip + + dimension: platform_patch_level { + type: string + sql: ${TABLE}.platform_patch_level ;; + group_label: "about" + label: "about.platform_patch_level" + view_label: "UDM" + description: "Platform patch level. For example, \"Build 17134.48\"" + } # dimension platform_patch_level + + dimension: platform_version { + type: string + sql: ${TABLE}.platform_version ;; + group_label: "about" + label: "about.platform_version" + view_label: "UDM" + description: "Platform version. For example, \"Microsoft Windows 1803\"." 
+ } # dimension platform_version + + dimension: port { + type: number + value_format: "#" + sql: ${TABLE}.port ;; + group_label: "about" + label: "about.port" + view_label: "UDM" + description: "Source or destination network port number when a specific network connection is described within an event." + } # dimension port + + dimension: process { + hidden: yes + } # dimension process + + dimension: process__access_mask { + type: number + sql: ${TABLE}.process.access_mask ;; + group_label: "about" + label: "about.process.access_mask" + view_label: "UDM" + description: "A bit mask representing the level of access." + } # dimension process__access_mask + + dimension: process__command_line { + type: string + sql: ${TABLE}.process.command_line ;; + group_label: "about" + label: "about.process.command_line" + view_label: "UDM" + description: "The command line command that created the process." + } # dimension process__command_line + + dimension: process__file { + hidden: yes + } # dimension process__file + + dimension: process__file__full_path { + type: string + sql: ${TABLE}.process.file.full_path ;; + group_label: "about" + label: "about.process.file.full_path" + view_label: "UDM" + description: "The full path identifying the location of the file on the system." + } # dimension process__file__full_path + + dimension: process__parent_pid { + type: string + sql: ${TABLE}.process.parent_pid ;; + group_label: "about" + group_item_label: "about.process.parent_pid [D]" + label: "about.process.parent_pid" + view_label: "UDM" + description: "The ID of the parent process. Deprecated: use parent_process.pid instead. [D]: This field is deprecated and will be removed in a future release" + } # dimension process__parent_pid + + dimension: process__pid { + type: string + sql: ${TABLE}.process.pid ;; + group_label: "about" + label: "about.process.pid" + view_label: "UDM" + description: "The process ID." 
+ } # dimension process__pid + + dimension: registry { + hidden: yes + } # dimension registry + + dimension: registry__registry_key { + type: string + sql: ${TABLE}.registry.registry_key ;; + group_label: "about" + label: "about.registry.registry_key" + view_label: "UDM" + description: "Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...)." + } # dimension registry__registry_key + + dimension: resource { + hidden: yes + } # dimension resource + + dimension: resource__attribute { + hidden: yes + } # dimension resource__attribute + + dimension: resource__attribute__cloud { + hidden: yes + } # dimension resource__attribute__cloud + + dimension: resource__attribute__cloud__availability_zone { + type: string + sql: ${TABLE}.resource.attribute.cloud.availability_zone ;; + group_label: "about" + label: "about.resource.attribute.cloud.availability_zone" + view_label: "UDM" + description: "The cloud environment availability zone (different from region which is location.name)." + } # dimension resource__attribute__cloud__availability_zone + + dimension_group: about__resource__attribute__creation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.resource.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.resource.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "about" + label: "about.resource.attribute.creation_time" + view_label: "UDM" + description: "Time the resource or entity was created or provisioned." 
+ } # dimension about__resource__attribute__creation_time + + dimension: resource__attribute__labels { + hidden: yes + } # dimension resource__attribute__labels + + dimension_group: about__resource__attribute__last_update_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.resource.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.resource.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "about" + label: "about.resource.attribute.last_update_time" + view_label: "UDM" + description: "Time the resource or entity was last updated." + } # dimension about__resource__attribute__last_update_time + + dimension: resource__attribute__permissions { + hidden: yes + } # dimension resource__attribute__permissions + + dimension: resource__id { + type: string + sql: ${TABLE}.resource.id ;; + group_label: "about" + group_item_label: "about.resource.id [D]" + label: "about.resource.id" + view_label: "UDM" + description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" + } # dimension resource__id + + dimension: resource__name { + type: string + sql: ${TABLE}.resource.name ;; + group_label: "about" + label: "about.resource.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." + } # dimension resource__name + + dimension: resource__parent { + type: string + sql: ${TABLE}.resource.parent ;; + group_label: "about" + group_item_label: "about.resource.parent [D]" + label: "about.resource.parent" + view_label: "UDM" + description: "The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: use resource_ancestors.name. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension resource__parent + + dimension: resource__product_object_id { + type: string + sql: ${TABLE}.resource.product_object_id ;; + group_label: "about" + label: "about.resource.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" + } # dimension resource__product_object_id + + dimension: resource__resource_subtype { + type: string + sql: ${TABLE}.resource.resource_subtype ;; + group_label: "about" + label: "about.resource.resource_subtype" + view_label: "UDM" + description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\")." + } # dimension resource__resource_subtype + + dimension: resource__resource_type { + type: number + sql: ${TABLE}.resource.resource_type ;; + group_label: "about" + label: "about.resource.resource_type" + view_label: "UDM" + description: "Resource type." + } # dimension resource__resource_type + + dimension: resource__resource_type_enum_name { + type: string + suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] + sql: CASE ${TABLE}.resource.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; + group_label: 
"about" + label: "about.resource.resource_type_enum_name" + view_label: "UDM" + description: "Resource type." + } # dimension resource__resource_type_enum_name + + dimension: resource__type { + type: string + sql: ${TABLE}.resource.type ;; + group_label: "about" + group_item_label: "about.resource.type [D]" + label: "about.resource.type" + view_label: "UDM" + description: "Deprecated: use resource_type instead. [D]: This field is deprecated and will be removed in a future release" + } # dimension resource__type + + dimension: resource_ancestors { + hidden: yes + } # dimension resource_ancestors + + dimension: url { + type: string + sql: ${TABLE}.url ;; + group_label: "about" + label: "about.url" + view_label: "UDM" + description: "The URL." + } # dimension url + + dimension: user { + hidden: yes + } # dimension user + + dimension: user__attribute { + hidden: yes + } # dimension user__attribute + + dimension: user__attribute__labels { + hidden: yes + } # dimension user__attribute__labels + + dimension: user__attribute__permissions { + hidden: yes + } # dimension user__attribute__permissions + + dimension: user__attribute__roles { + hidden: yes + } # dimension user__attribute__roles + + dimension: user__department { + hidden: yes + } # dimension user__department + + dimension: user__email_addresses { + hidden: yes + } # dimension user__email_addresses + + dimension: user__group_identifiers { + hidden: yes + } # dimension user__group_identifiers + + dimension: user__groupid { + type: string + sql: ${TABLE}.user.groupid ;; + group_label: "about" + group_item_label: "about.user.groupid [D]" + label: "about.user.groupid" + view_label: "UDM" + description: "The ID of the group that the user belongs to. Deprecated in favor of the repeated group_identifiers field. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension user__groupid + + dimension: user__product_object_id { + type: string + sql: ${TABLE}.user.product_object_id ;; + group_label: "about" + label: "about.user.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." + } # dimension user__product_object_id + + dimension: user__role_description { + type: string + sql: ${TABLE}.user.role_description ;; + group_label: "about" + group_item_label: "about.user.role_description [D]" + label: "about.user.role_description" + view_label: "UDM" + description: "System role description for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" + } # dimension user__role_description + + dimension: user__role_name { + type: string + sql: ${TABLE}.user.role_name ;; + group_label: "about" + group_item_label: "about.user.role_name [D]" + label: "about.user.role_name" + view_label: "UDM" + description: "System role name for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" + } # dimension user__role_name + + dimension: user__user_authentication_status { + type: number + sql: ${TABLE}.user.user_authentication_status ;; + group_label: "about" + label: "about.user.user_authentication_status" + view_label: "UDM" + description: "System authentication status for user." 
+ } # dimension user__user_authentication_status + + dimension: user__user_authentication_status_enum_name { + type: string + suggestions: ["ACTIVE", "DELETED", "NO_ACTIVE_CREDENTIALS", "SUSPENDED", "UNKNOWN_AUTHENTICATION_STATUS"] + sql: CASE ${TABLE}.user.user_authentication_status WHEN 0 THEN 'UNKNOWN_AUTHENTICATION_STATUS' WHEN 1 THEN 'ACTIVE' WHEN 2 THEN 'SUSPENDED' WHEN 3 THEN 'NO_ACTIVE_CREDENTIALS' WHEN 4 THEN 'DELETED' END ;; + group_label: "about" + label: "about.user.user_authentication_status_enum_name" + view_label: "UDM" + description: "System authentication status for user." + } # dimension user__user_authentication_status_enum_name + + dimension: user__user_display_name { + type: string + sql: ${TABLE}.user.user_display_name ;; + group_label: "about" + label: "about.user.user_display_name" + view_label: "UDM" + description: "The display name of the user (e.g. \"John Locke\")." + } # dimension user__user_display_name + + dimension: user__userid { + type: string + sql: ${TABLE}.user.userid ;; + group_label: "about" + label: "about.user.userid" + view_label: "UDM" + description: "The ID of the user." + } # dimension user__userid + + dimension: user__windows_sid { + type: string + sql: ${TABLE}.user.windows_sid ;; + group_label: "about" + label: "about.user.windows_sid" + view_label: "UDM" + description: "The Microsoft Windows SID of the user." 
+ } # dimension user__windows_sid + +} # view events__about + +view: events__additional__fields__value__list_value__values__struct_value__fields { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "additional" + label: "additional.fields.value.list_value.values.struct_value.fields.key" + view_label: "UDM" + } # dimension key + +} # view events__additional__fields__value__list_value__values__struct_value__fields + +view: events__additional__fields__value__list_value__values { + dimension: string_value { + type: string + sql: ${TABLE}.string_value ;; + group_label: "additional" + label: "additional.fields.value.list_value.values.string_value" + view_label: "UDM" + } # dimension string_value + + dimension: struct_value { + hidden: yes + } # dimension struct_value + + dimension: struct_value__fields { + hidden: yes + } # dimension struct_value__fields + +} # view events__additional__fields__value__list_value__values + +view: events__additional__fields__value__struct_value__fields { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "additional" + label: "additional.fields.value.struct_value.fields.key" + view_label: "UDM" + } # dimension key + +} # view events__additional__fields__value__struct_value__fields + +view: events__additional__fields { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "additional" + label: "additional.fields.key" + view_label: "UDM" + } # dimension key + + dimension: value { + hidden: yes + } # dimension value + + dimension: value__bool_value { + type: yesno + sql: ${TABLE}.value.bool_value ;; + group_label: "additional" + label: "additional.fields.value.bool_value" + view_label: "UDM" + } # dimension value__bool_value + + dimension: value__list_value { + hidden: yes + } # dimension value__list_value + + dimension: value__list_value__values { + hidden: yes + } # dimension value__list_value__values + + dimension: value__null_value { + type: number + sql: ${TABLE}.value.null_value 
;; + group_label: "additional" + label: "additional.fields.value.null_value" + view_label: "UDM" + } # dimension value__null_value + + dimension: value__null_value_enum_name { + type: string + suggestions: ["NULL_VALUE"] + sql: CASE ${TABLE}.value.null_value WHEN 0 THEN 'NULL_VALUE' END ;; + group_label: "additional" + label: "additional.fields.value.null_value_enum_name" + view_label: "UDM" + } # dimension value__null_value_enum_name + + dimension: value__number_value { + type: number + sql: ${TABLE}.value.number_value ;; + group_label: "additional" + label: "additional.fields.value.number_value" + view_label: "UDM" + } # dimension value__number_value + + dimension: value__string_value { + type: string + sql: ${TABLE}.value.string_value ;; + group_label: "additional" + label: "additional.fields.value.string_value" + view_label: "UDM" + } # dimension value__string_value + + dimension: value__struct_value { + hidden: yes + } # dimension value__struct_value + + dimension: value__struct_value__fields { + hidden: yes + } # dimension value__struct_value__fields + +} # view events__additional__fields + +view: events__extensions__auth__mechanism { + dimension: events__extensions__auth__mechanism { + type: number + sql: ${TABLE} ;; + group_label: "extensions" + label: "extensions.auth.mechanism" + view_label: "UDM" + description: "The authentication mechanism." 
+ } # dimension events__extensions__auth__mechanism +} # view events__extensions__auth__mechanism + +view: events__extensions__auth__mechanism_enum_name { + dimension: events__extensions__auth__mechanism_enum_name { + type: string + suggestions: ["BADGE_READER", "BATCH", "CACHED_INTERACTIVE", "CACHED_REMOTE_INTERACTIVE", "CACHED_UNLOCK", "HARDWARE_KEY", "INTERACTIVE", "LOCAL", "MECHANISM_OTHER", "MECHANISM_UNSPECIFIED", "NETWORK", "NETWORK_CLEAR_TEXT", "NEW_CREDENTIALS", "OTP", "REMOTE", "REMOTE_INTERACTIVE", "SERVICE", "UNLOCK", "USERNAME_PASSWORD"] + sql: CASE ${TABLE} WHEN 0 THEN 'MECHANISM_UNSPECIFIED' WHEN 1 THEN 'USERNAME_PASSWORD' WHEN 2 THEN 'OTP' WHEN 3 THEN 'HARDWARE_KEY' WHEN 4 THEN 'LOCAL' WHEN 5 THEN 'REMOTE' WHEN 6 THEN 'REMOTE_INTERACTIVE' WHEN 7 THEN 'MECHANISM_OTHER' WHEN 8 THEN 'BADGE_READER' WHEN 9 THEN 'NETWORK' WHEN 10 THEN 'BATCH' WHEN 11 THEN 'SERVICE' WHEN 12 THEN 'UNLOCK' WHEN 13 THEN 'NETWORK_CLEAR_TEXT' WHEN 14 THEN 'NEW_CREDENTIALS' WHEN 15 THEN 'INTERACTIVE' WHEN 16 THEN 'CACHED_INTERACTIVE' WHEN 17 THEN 'CACHED_REMOTE_INTERACTIVE' WHEN 18 THEN 'CACHED_UNLOCK' END ;; + group_label: "extensions" + label: "extensions.auth.mechanism_enum_name" + view_label: "UDM" + description: "The authentication mechanism." + } # dimension events__extensions__auth__mechanism_enum_name +} # view events__extensions__auth__mechanism_enum_name + +view: events__extensions__vulns__vulnerabilities__about__asset__ip { + dimension: events__extensions__vulns__vulnerabilities__about__asset__ip { + type: string + sql: ${TABLE} ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.about.asset.ip" + view_label: "UDM" + description: "A list of IP addresses associated with an asset." 
+ } # dimension events__extensions__vulns__vulnerabilities__about__asset__ip +} # view events__extensions__vulns__vulnerabilities__about__asset__ip + +view: events__extensions__vulns__vulnerabilities__about__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "extensions" + group_item_label: "extensions.vulns.vulnerabilities.about.labels.key [D]" + label: "extensions.vulns.vulnerabilities.about.labels.key" + view_label: "UDM" + description: "The key. [D]: This field is deprecated and will be removed in a future release" + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "extensions" + group_item_label: "extensions.vulns.vulnerabilities.about.labels.value [D]" + label: "extensions.vulns.vulnerabilities.about.labels.value" + view_label: "UDM" + description: "The value. [D]: This field is deprecated and will be removed in a future release" + } # dimension value + +} # view events__extensions__vulns__vulnerabilities__about__labels + +view: events__extensions__vulns__vulnerabilities__about__resource__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.about.resource.attribute.labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.about.resource.attribute.labels.value" + view_label: "UDM" + description: "The value." 
+ } # dimension value + +} # view events__extensions__vulns__vulnerabilities__about__resource__attribute__labels + +view: events__extensions__vulns__vulnerabilities { + dimension: about { + hidden: yes + } # dimension about + + dimension: about__asset { + hidden: yes + } # dimension about__asset + + dimension: about__asset__hostname { + type: string + sql: ${TABLE}.about.asset.hostname ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.about.asset.hostname" + view_label: "UDM" + description: "Asset hostname or domain name field." + } # dimension about__asset__hostname + + dimension: about__asset__ip { + hidden: yes + } # dimension about__asset__ip + + dimension: about__asset__platform_software { + hidden: yes + } # dimension about__asset__platform_software + + dimension: about__asset__platform_software__platform { + type: number + sql: ${TABLE}.about.asset.platform_software.platform ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.about.asset.platform_software.platform" + view_label: "UDM" + description: "The platform operating system." + } # dimension about__asset__platform_software__platform + + dimension: about__asset__platform_software__platform_enum_name { + type: string + suggestions: ["ANDROID", "AWS", "AZURE", "CHROME_OS", "GCP", "IOS", "LINUX", "MAC", "UNKNOWN_PLATFORM", "WINDOWS"] + sql: CASE ${TABLE}.about.asset.platform_software.platform WHEN 0 THEN 'UNKNOWN_PLATFORM' WHEN 1 THEN 'WINDOWS' WHEN 2 THEN 'MAC' WHEN 3 THEN 'LINUX' WHEN 4 THEN 'GCP' WHEN 5 THEN 'AWS' WHEN 6 THEN 'AZURE' WHEN 7 THEN 'IOS' WHEN 8 THEN 'ANDROID' WHEN 9 THEN 'CHROME_OS' END ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.about.asset.platform_software.platform_enum_name" + view_label: "UDM" + description: "The platform operating system." 
+ } # dimension about__asset__platform_software__platform_enum_name + + dimension: about__asset__product_object_id { + type: string + sql: ${TABLE}.about.asset.product_object_id ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.about.asset.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID or similar)." + } # dimension about__asset__product_object_id + + dimension: about__cloud { + hidden: yes + } # dimension about__cloud + + dimension: about__cloud__availability_zone { + type: string + sql: ${TABLE}.about.cloud.availability_zone ;; + group_label: "extensions" + group_item_label: "extensions.vulns.vulnerabilities.about.cloud.availability_zone [D]" + label: "extensions.vulns.vulnerabilities.about.cloud.availability_zone" + view_label: "UDM" + description: "The cloud environment availability zone (different from region which is location.name). [D]: This field is deprecated and will be removed in a future release" + } # dimension about__cloud__availability_zone + + dimension: about__cloud__environment { + type: number + sql: ${TABLE}.about.cloud.environment ;; + group_label: "extensions" + group_item_label: "extensions.vulns.vulnerabilities.about.cloud.environment [D]" + label: "extensions.vulns.vulnerabilities.about.cloud.environment" + view_label: "UDM" + description: "The Cloud environment. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension about__cloud__environment + + dimension: about__cloud__environment_enum_name { + type: string + suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] + sql: CASE ${TABLE}.about.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; + group_label: "extensions" + group_item_label: "extensions.vulns.vulnerabilities.about.cloud.environment_enum_name [D]" + label: "extensions.vulns.vulnerabilities.about.cloud.environment_enum_name" + view_label: "UDM" + description: "The Cloud environment. [D]: This field is deprecated and will be removed in a future release" + } # dimension about__cloud__environment_enum_name + + dimension: about__cloud__project { + hidden: yes + } # dimension about__cloud__project + + dimension: about__cloud__project__name { + type: string + sql: ${TABLE}.about.cloud.project.name ;; + group_label: "extensions" + group_item_label: "extensions.vulns.vulnerabilities.about.cloud.project.name [D]" + label: "extensions.vulns.vulnerabilities.about.cloud.project.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension about__cloud__project__name + + dimension: about__group { + hidden: yes + } # dimension about__group + + dimension: about__group__attribute { + hidden: yes + } # dimension about__group__attribute + + dimension: about__group__attribute__cloud { + hidden: yes + } # dimension about__group__attribute__cloud + + dimension: about__group__attribute__cloud__project { + hidden: yes + } # dimension about__group__attribute__cloud__project + + dimension: about__group__attribute__cloud__project__name { + type: string + sql: ${TABLE}.about.group.attribute.cloud.project.name ;; + group_label: "extensions" + group_item_label: "extensions.vulns.vulnerabilities.about.group.attribute.cloud.project.name [D]" + label: "extensions.vulns.vulnerabilities.about.group.attribute.cloud.project.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" + } # dimension about__group__attribute__cloud__project__name + + dimension: about__hostname { + type: string + sql: ${TABLE}.about.hostname ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.about.hostname" + view_label: "UDM" + description: "Client hostname or domain name field. Hostname also doubles as the domain for remote entities." + } # dimension about__hostname + + dimension: about__labels { + hidden: yes + } # dimension about__labels + + dimension: about__namespace { + type: string + sql: ${TABLE}.about.namespace ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.about.namespace" + view_label: "UDM" + description: "Namespace which the device belongs to (e.g. AD forest) Uses for this field include Microsoft Windows AD forest, name of subsidiary or acquisition, etc." 
+ } # dimension about__namespace + + dimension: about__platform { + type: number + sql: ${TABLE}.about.platform ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.about.platform" + view_label: "UDM" + description: "Platform." + } # dimension about__platform + + dimension: about__platform_enum_name { + type: string + suggestions: ["ANDROID", "AWS", "AZURE", "CHROME_OS", "GCP", "IOS", "LINUX", "MAC", "UNKNOWN_PLATFORM", "WINDOWS"] + sql: CASE ${TABLE}.about.platform WHEN 0 THEN 'UNKNOWN_PLATFORM' WHEN 1 THEN 'WINDOWS' WHEN 2 THEN 'MAC' WHEN 3 THEN 'LINUX' WHEN 4 THEN 'GCP' WHEN 5 THEN 'AWS' WHEN 6 THEN 'AZURE' WHEN 7 THEN 'IOS' WHEN 8 THEN 'ANDROID' WHEN 9 THEN 'CHROME_OS' END ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.about.platform_enum_name" + view_label: "UDM" + description: "Platform." + } # dimension about__platform_enum_name + + dimension: about__resource { + hidden: yes + } # dimension about__resource + + dimension: about__resource__attribute { + hidden: yes + } # dimension about__resource__attribute + + dimension: about__resource__attribute__labels { + hidden: yes + } # dimension about__resource__attribute__labels + + dimension: about__resource__product_object_id { + type: string + sql: ${TABLE}.about.resource.product_object_id ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.about.resource.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" + } # dimension about__resource__product_object_id + + dimension: cve_description { + type: string + sql: ${TABLE}.cve_description ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.cve_description" + view_label: "UDM" + description: "Common Vulnerabilities and Exposures Description. 
https://cve.mitre.org/about/faqs.html#what_is_cve_record" + } # dimension cve_description + + dimension: cve_id { + type: string + sql: ${TABLE}.cve_id ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.cve_id" + view_label: "UDM" + description: "Common Vulnerabilities and Exposures Id.https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures https://cve.mitre.org/about/faqs.html#what_is_cve_id" + } # dimension cve_id + + dimension: cvss_base_score { + type: number + sql: ${TABLE}.cvss_base_score ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.cvss_base_score" + view_label: "UDM" + description: "CVSS Base Score in the range of 0.0 to 10.0. Useful for sorting." + } # dimension cvss_base_score + + dimension: cvss_vector { + type: string + sql: ${TABLE}.cvss_vector ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.cvss_vector" + view_label: "UDM" + description: "Vector of CVSS properties (e.g. \"AV:L/AC:H/Au:N/C:N/I:P/A:C\") Can be linked to via: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=VALUE" + } # dimension cvss_vector + + dimension: cvss_version { + type: string + sql: ${TABLE}.cvss_version ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.cvss_version" + view_label: "UDM" + description: "Version of CVSS Vector/Score." + } # dimension cvss_version + + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.description" + view_label: "UDM" + description: "Description of the vulnerability." 
+ } # dimension description + + dimension_group: extensions__vulns__vulnerabilities__first_found { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.first_found.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.first_found.nanos, 0) / 1000) as INT64)) ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.first_found" + view_label: "UDM" + description: "Products that maintain a history of vuln scans should populate first_found with the time that a scan first detected the vulnerability on this asset." + } # dimension extensions__vulns__vulnerabilities__first_found + + dimension_group: extensions__vulns__vulnerabilities__last_found { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.last_found.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.last_found.nanos, 0) / 1000) as INT64)) ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.last_found" + view_label: "UDM" + description: "Products that maintain a history of vuln scans should populate last_found with the time that a scan last detected the vulnerability on this asset." + } # dimension extensions__vulns__vulnerabilities__last_found + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.name" + view_label: "UDM" + description: "Name of the vulnerability (e.g. \"Unsupported OS Version detected\")." 
+ } # dimension name + + dimension_group: extensions__vulns__vulnerabilities__scan_end_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.scan_end_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.scan_end_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.scan_end_time" + view_label: "UDM" + description: "If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan ended. This field can be left unset if the end time is not available or not applicable." + } # dimension extensions__vulns__vulnerabilities__scan_end_time + + dimension_group: extensions__vulns__vulnerabilities__scan_start_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.scan_start_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.scan_start_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.scan_start_time" + view_label: "UDM" + description: "If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan started. This field can be left unset if the start time is not available or not applicable." + } # dimension extensions__vulns__vulnerabilities__scan_start_time + + dimension: severity { + type: number + sql: ${TABLE}.severity ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.severity" + view_label: "UDM" + description: "The severity of the vulnerability." 
+ } # dimension severity + + dimension: severity_enum_name { + type: string + suggestions: ["CRITICAL", "HIGH", "LOW", "MEDIUM", "UNKNOWN_SEVERITY"] + sql: CASE ${TABLE}.severity WHEN 0 THEN 'UNKNOWN_SEVERITY' WHEN 1 THEN 'LOW' WHEN 2 THEN 'MEDIUM' WHEN 3 THEN 'HIGH' WHEN 4 THEN 'CRITICAL' END ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.severity_enum_name" + view_label: "UDM" + description: "The severity of the vulnerability." + } # dimension severity_enum_name + + dimension: severity_details { + type: string + sql: ${TABLE}.severity_details ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.severity_details" + view_label: "UDM" + description: "Vendor-specific severity" + } # dimension severity_details + + dimension: vendor { + type: string + sql: ${TABLE}.vendor ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.vendor" + view_label: "UDM" + description: "Vendor of scan that discovered vulnerability." + } # dimension vendor + + dimension: vendor_knowledge_base_article_id { + type: string + sql: ${TABLE}.vendor_knowledge_base_article_id ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.vendor_knowledge_base_article_id" + view_label: "UDM" + description: "Vendor specific knowledge base article (e.g. \"KBXXXXXX\" from Microsoft). https://en.wikipedia.org/wiki/Microsoft_Knowledge_Base https://access.redhat.com/knowledgebase" + } # dimension vendor_knowledge_base_article_id + + dimension: vendor_vulnerability_id { + type: string + sql: ${TABLE}.vendor_vulnerability_id ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.vendor_vulnerability_id" + view_label: "UDM" + description: "Vendor specific vulnerability id (e.g. Microsoft security bulletin id)." 
+ } # dimension vendor_vulnerability_id + +} # view events__extensions__vulns__vulnerabilities + +view: events__intermediary__asset__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "intermediary" + label: "intermediary.asset.attribute.labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "intermediary" + label: "intermediary.asset.attribute.labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view events__intermediary__asset__attribute__labels + +view: events__intermediary__asset__hardware { + dimension: model { + type: string + sql: ${TABLE}.model ;; + group_label: "intermediary" + label: "intermediary.asset.hardware.model" + view_label: "UDM" + description: "Hardware model." + } # dimension model + + dimension: serial_number { + type: string + sql: ${TABLE}.serial_number ;; + group_label: "intermediary" + label: "intermediary.asset.hardware.serial_number" + view_label: "UDM" + description: "Hardware serial number." + } # dimension serial_number + +} # view events__intermediary__asset__hardware + +view: events__intermediary__asset__ip { + dimension: events__intermediary__asset__ip { + type: string + sql: ${TABLE} ;; + group_label: "intermediary" + label: "intermediary.asset.ip" + view_label: "UDM" + description: "A list of IP addresses associated with an asset." + } # dimension events__intermediary__asset__ip +} # view events__intermediary__asset__ip + +view: events__intermediary__asset__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "intermediary" + group_item_label: "intermediary.asset.labels.key [D]" + label: "intermediary.asset.labels.key" + view_label: "UDM" + description: "The key. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "intermediary" + group_item_label: "intermediary.asset.labels.value [D]" + label: "intermediary.asset.labels.value" + view_label: "UDM" + description: "The value. [D]: This field is deprecated and will be removed in a future release" + } # dimension value + +} # view events__intermediary__asset__labels + +view: events__intermediary__asset__mac { + dimension: events__intermediary__asset__mac { + type: string + sql: ${TABLE} ;; + group_label: "intermediary" + label: "intermediary.asset.mac" + view_label: "UDM" + description: "List of MAC addresses associated with an asset." + } # dimension events__intermediary__asset__mac +} # view events__intermediary__asset__mac + +view: events__intermediary__asset__software { + dimension: version { + type: string + sql: ${TABLE}.version ;; + group_label: "intermediary" + label: "intermediary.asset.software.version" + view_label: "UDM" + description: "The version of the software." + } # dimension version + +} # view events__intermediary__asset__software + +view: events__intermediary__ip { + dimension: events__intermediary__ip { + type: string + sql: ${TABLE} ;; + group_label: "intermediary" + label: "intermediary.ip" + view_label: "UDM" + description: "A list of IP addresses associated with a network connection." + } # dimension events__intermediary__ip +} # view events__intermediary__ip + +view: events__intermediary__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "intermediary" + group_item_label: "intermediary.labels.key [D]" + label: "intermediary.labels.key" + view_label: "UDM" + description: "The key. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "intermediary" + group_item_label: "intermediary.labels.value [D]" + label: "intermediary.labels.value" + view_label: "UDM" + description: "The value. [D]: This field is deprecated and will be removed in a future release" + } # dimension value + +} # view events__intermediary__labels + +view: events__intermediary__mac { + dimension: events__intermediary__mac { + type: string + sql: ${TABLE} ;; + group_label: "intermediary" + label: "intermediary.mac" + view_label: "UDM" + description: "List of MAC addresses associated with a device." + } # dimension events__intermediary__mac +} # view events__intermediary__mac + +view: events__intermediary__nat_ip { + dimension: events__intermediary__nat_ip { + type: string + sql: ${TABLE} ;; + group_label: "intermediary" + label: "intermediary.nat_ip" + view_label: "UDM" + description: "A list of NAT translated IP addresses associated with a network connection." + } # dimension events__intermediary__nat_ip +} # view events__intermediary__nat_ip + +view: events__intermediary__process__file__names { + dimension: events__intermediary__process__file__names { + type: string + sql: ${TABLE} ;; + group_label: "intermediary" + label: "intermediary.process.file.names" + view_label: "UDM" + description: "Names fields." + } # dimension events__intermediary__process__file__names +} # view events__intermediary__process__file__names + +view: events__intermediary__resource__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "intermediary" + label: "intermediary.resource.attribute.labels.key" + view_label: "UDM" + description: "The key." 
+ } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "intermediary" + label: "intermediary.resource.attribute.labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view events__intermediary__resource__attribute__labels + +view: events__intermediary__user__email_addresses { + dimension: events__intermediary__user__email_addresses { + type: string + sql: ${TABLE} ;; + group_label: "intermediary" + label: "intermediary.user.email_addresses" + view_label: "UDM" + description: "Email addresses of the user." + } # dimension events__intermediary__user__email_addresses +} # view events__intermediary__user__email_addresses + +view: events__intermediary__user__group_identifiers { + dimension: events__intermediary__user__group_identifiers { + type: string + sql: ${TABLE} ;; + group_label: "intermediary" + label: "intermediary.user.group_identifiers" + view_label: "UDM" + description: "Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar)." + } # dimension events__intermediary__user__group_identifiers +} # view events__intermediary__user__group_identifiers + +view: events__intermediary { + dimension: administrative_domain { + type: string + sql: ${TABLE}.administrative_domain ;; + group_label: "intermediary" + label: "intermediary.administrative_domain" + view_label: "UDM" + description: "Domain which the device belongs to (for example, the Microsoft Windows domain)." + } # dimension administrative_domain + + dimension: application { + type: string + sql: ${TABLE}.application ;; + group_label: "intermediary" + label: "intermediary.application" + view_label: "UDM" + description: "The name of an application or service. Some SSO solutions only capture the name of a target application such as \"Atlassian\" or \"Chronicle\"." 
+ } # dimension application + + dimension: asset { + hidden: yes + } # dimension asset + + dimension: asset__asset_id { + type: string + sql: ${TABLE}.asset.asset_id ;; + group_label: "intermediary" + label: "intermediary.asset.asset_id" + view_label: "UDM" + description: "The asset ID." + } # dimension asset__asset_id + + dimension: asset__attribute { + hidden: yes + } # dimension asset__attribute + + dimension: asset__attribute__labels { + hidden: yes + } # dimension asset__attribute__labels + + dimension: asset__category { + type: string + sql: ${TABLE}.asset.category ;; + group_label: "intermediary" + label: "intermediary.asset.category" + view_label: "UDM" + description: "The category of the asset (e.g. \"End User Asset\", \"Workstation\", \"Server\")." + } # dimension asset__category + + dimension: asset__hardware { + hidden: yes + } # dimension asset__hardware + + dimension: asset__hostname { + type: string + sql: ${TABLE}.asset.hostname ;; + group_label: "intermediary" + label: "intermediary.asset.hostname" + view_label: "UDM" + description: "Asset hostname or domain name field." + } # dimension asset__hostname + + dimension: asset__ip { + hidden: yes + } # dimension asset__ip + + dimension: asset__labels { + hidden: yes + } # dimension asset__labels + + dimension: asset__location { + hidden: yes + } # dimension asset__location + + dimension: asset__location__country_or_region { + type: string + sql: ${TABLE}.asset.location.country_or_region ;; + group_label: "intermediary" + label: "intermediary.asset.location.country_or_region" + view_label: "UDM" + description: "The country or region." + } # dimension asset__location__country_or_region + + dimension: asset__mac { + hidden: yes + } # dimension asset__mac + + dimension: asset__network_domain { + type: string + sql: ${TABLE}.asset.network_domain ;; + group_label: "intermediary" + label: "intermediary.asset.network_domain" + view_label: "UDM" + description: "The network domain of the asset (e.g. 
\"corp.acme.com\")" + } # dimension asset__network_domain + + dimension: asset__platform_software { + hidden: yes + } # dimension asset__platform_software + + dimension: asset__platform_software__platform_version { + type: string + sql: ${TABLE}.asset.platform_software.platform_version ;; + group_label: "intermediary" + label: "intermediary.asset.platform_software.platform_version" + view_label: "UDM" + description: "The platform software version ( e.g. \"Microsoft Windows 1803\")." + } # dimension asset__platform_software__platform_version + + dimension: asset__product_object_id { + type: string + sql: ${TABLE}.asset.product_object_id ;; + group_label: "intermediary" + label: "intermediary.asset.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID or similar)." + } # dimension asset__product_object_id + + dimension: asset__software { + hidden: yes + } # dimension asset__software + + dimension: asset_id { + type: string + sql: ${TABLE}.asset_id ;; + group_label: "intermediary" + label: "intermediary.asset_id" + view_label: "UDM" + description: "The asset ID." + } # dimension asset_id + + dimension: cloud { + hidden: yes + } # dimension cloud + + dimension: cloud__environment { + type: number + sql: ${TABLE}.cloud.environment ;; + group_label: "intermediary" + group_item_label: "intermediary.cloud.environment [D]" + label: "intermediary.cloud.environment" + view_label: "UDM" + description: "The Cloud environment. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension cloud__environment + + dimension: cloud__environment_enum_name { + type: string + suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] + sql: CASE ${TABLE}.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; + group_label: "intermediary" + group_item_label: "intermediary.cloud.environment_enum_name [D]" + label: "intermediary.cloud.environment_enum_name" + view_label: "UDM" + description: "The Cloud environment. [D]: This field is deprecated and will be removed in a future release" + } # dimension cloud__environment_enum_name + + dimension: domain { + hidden: yes + } # dimension domain + + dimension: domain__name { + type: string + sql: ${TABLE}.domain.name ;; + group_label: "intermediary" + label: "intermediary.domain.name" + view_label: "UDM" + description: "The domain name." + } # dimension domain__name + + dimension: email { + type: string + sql: ${TABLE}.email ;; + group_label: "intermediary" + label: "intermediary.email" + view_label: "UDM" + description: "Email address. Only filled in for security_result.about" + } # dimension email + + dimension: file { + hidden: yes + } # dimension file + + dimension: file__full_path { + type: string + sql: ${TABLE}.file.full_path ;; + group_label: "intermediary" + label: "intermediary.file.full_path" + view_label: "UDM" + description: "The full path identifying the location of the file on the system." + } # dimension file__full_path + + dimension: file__md5 { + type: string + sql: ${TABLE}.file.md5 ;; + group_label: "intermediary" + label: "intermediary.file.md5" + view_label: "UDM" + description: "The MD5 hash of the file." 
+ } # dimension file__md5 + + dimension: file__mime_type { + type: string + sql: ${TABLE}.file.mime_type ;; + group_label: "intermediary" + label: "intermediary.file.mime_type" + view_label: "UDM" + description: "The MIME (Multipurpose Internet Mail Extensions) type of the file, for example \"PE\", \"PDF\", \"powershell script\", etc." + } # dimension file__mime_type + + dimension: file__sha1 { + type: string + sql: ${TABLE}.file.sha1 ;; + group_label: "intermediary" + label: "intermediary.file.sha1" + view_label: "UDM" + description: "The SHA1 hash of the file." + } # dimension file__sha1 + + dimension: file__sha256 { + type: string + sql: ${TABLE}.file.sha256 ;; + group_label: "intermediary" + label: "intermediary.file.sha256" + view_label: "UDM" + description: "The SHA256 hash of the file." + } # dimension file__sha256 + + dimension: file__size { + type: number + sql: ${TABLE}.file.size ;; + group_label: "intermediary" + label: "intermediary.file.size" + view_label: "UDM" + description: "The size of the file in bytes." + } # dimension file__size + + dimension: group { + hidden: yes + } # dimension group + + dimension: group__group_display_name { + type: string + sql: ${TABLE}.group.group_display_name ;; + group_label: "intermediary" + label: "intermediary.group.group_display_name" + view_label: "UDM" + description: "Group display name. e.g. \"Finance\"." + } # dimension group__group_display_name + + dimension: group__product_object_id { + type: string + sql: ${TABLE}.group.product_object_id ;; + group_label: "intermediary" + label: "intermediary.group.product_object_id" + view_label: "UDM" + description: "Product globally unique user object identifier, such as an LDAP Object Identifier." + } # dimension group__product_object_id + + dimension: hostname { + type: string + sql: ${TABLE}.hostname ;; + group_label: "intermediary" + label: "intermediary.hostname" + view_label: "UDM" + description: "Client hostname or domain name field. 
Hostname also doubles as the domain for remote entities." + } # dimension hostname + + dimension: ip { + hidden: yes + } # dimension ip + + dimension: labels { + hidden: yes + } # dimension labels + + dimension: location { + hidden: yes + } # dimension location + + dimension: location__city { + type: string + sql: ${TABLE}.location.city ;; + group_label: "intermediary" + label: "intermediary.location.city" + view_label: "UDM" + description: "The city." + } # dimension location__city + + dimension: location__country_or_region { + type: string + sql: ${TABLE}.location.country_or_region ;; + group_label: "intermediary" + label: "intermediary.location.country_or_region" + view_label: "UDM" + description: "The country or region." + } # dimension location__country_or_region + + dimension: location__name { + type: string + sql: ${TABLE}.location.name ;; + group_label: "intermediary" + label: "intermediary.location.name" + view_label: "UDM" + description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." + } # dimension location__name + + dimension: location__region_latitude { + type: number + sql: ${TABLE}.location.region_latitude ;; + group_label: "intermediary" + group_item_label: "intermediary.location.region_latitude [D]" + label: "intermediary.location.region_latitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" + } # dimension location__region_latitude + + dimension: location__region_longitude { + type: number + sql: ${TABLE}.location.region_longitude ;; + group_label: "intermediary" + group_item_label: "intermediary.location.region_longitude [D]" + label: "intermediary.location.region_longitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension location__region_longitude + + dimension: location__location { + type: location + sql_latitude: ${TABLE}.location.region_latitude ;; + sql_longitude: ${TABLE}.location.region_longitude ;; + group_label: "intermediary" + group_item_label: "intermediary.location.location [D][L]" + label: "intermediary.location.location" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." + } # dimension location__location + + dimension: location__state { + type: string + sql: ${TABLE}.location.state ;; + group_label: "intermediary" + label: "intermediary.location.state" + view_label: "UDM" + description: "The state." + } # dimension location__state + + dimension: mac { + hidden: yes + } # dimension mac + + dimension: namespace { + type: string + sql: ${TABLE}.namespace ;; + group_label: "intermediary" + label: "intermediary.namespace" + view_label: "UDM" + description: "Namespace which the device belongs to (e.g. AD forest) Uses for this field include Microsoft Windows AD forest, name of subsidiary or acquisition, etc." + } # dimension namespace + + dimension: nat_ip { + hidden: yes + } # dimension nat_ip + + dimension: platform { + type: number + sql: ${TABLE}.platform ;; + group_label: "intermediary" + label: "intermediary.platform" + view_label: "UDM" + description: "Platform." 
+ } # dimension platform + + dimension: platform_enum_name { + type: string + suggestions: ["ANDROID", "AWS", "AZURE", "CHROME_OS", "GCP", "IOS", "LINUX", "MAC", "UNKNOWN_PLATFORM", "WINDOWS"] + sql: CASE ${TABLE}.platform WHEN 0 THEN 'UNKNOWN_PLATFORM' WHEN 1 THEN 'WINDOWS' WHEN 2 THEN 'MAC' WHEN 3 THEN 'LINUX' WHEN 4 THEN 'GCP' WHEN 5 THEN 'AWS' WHEN 6 THEN 'AZURE' WHEN 7 THEN 'IOS' WHEN 8 THEN 'ANDROID' WHEN 9 THEN 'CHROME_OS' END ;; + group_label: "intermediary" + label: "intermediary.platform_enum_name" + view_label: "UDM" + description: "Platform." + } # dimension platform_enum_name + + dimension: platform_version { + type: string + sql: ${TABLE}.platform_version ;; + group_label: "intermediary" + label: "intermediary.platform_version" + view_label: "UDM" + description: "Platform version. For example, \"Microsoft Windows 1803\"." + } # dimension platform_version + + dimension: port { + type: number + value_format: "#" + sql: ${TABLE}.port ;; + group_label: "intermediary" + label: "intermediary.port" + view_label: "UDM" + description: "Source or destination network port number when a specific network connection is described within an event." + } # dimension port + + dimension: process { + hidden: yes + } # dimension process + + dimension: process__command_line { + type: string + sql: ${TABLE}.process.command_line ;; + group_label: "intermediary" + label: "intermediary.process.command_line" + view_label: "UDM" + description: "The command line command that created the process." + } # dimension process__command_line + + dimension: process__file { + hidden: yes + } # dimension process__file + + dimension: process__file__full_path { + type: string + sql: ${TABLE}.process.file.full_path ;; + group_label: "intermediary" + label: "intermediary.process.file.full_path" + view_label: "UDM" + description: "The full path identifying the location of the file on the system." 
+ } # dimension process__file__full_path + + dimension: process__file__names { + hidden: yes + } # dimension process__file__names + + dimension: process__file__sha1 { + type: string + sql: ${TABLE}.process.file.sha1 ;; + group_label: "intermediary" + label: "intermediary.process.file.sha1" + view_label: "UDM" + description: "The SHA1 hash of the file." + } # dimension process__file__sha1 + + dimension: process__file__sha256 { + type: string + sql: ${TABLE}.process.file.sha256 ;; + group_label: "intermediary" + label: "intermediary.process.file.sha256" + view_label: "UDM" + description: "The SHA256 hash of the file." + } # dimension process__file__sha256 + + dimension: process__file__size { + type: number + sql: ${TABLE}.process.file.size ;; + group_label: "intermediary" + label: "intermediary.process.file.size" + view_label: "UDM" + description: "The size of the file in bytes." + } # dimension process__file__size + + dimension: process__parent_process { + hidden: yes + } # dimension process__parent_process + + dimension: process__parent_process__file { + hidden: yes + } # dimension process__parent_process__file + + dimension: process__parent_process__file__full_path { + type: string + sql: ${TABLE}.process.parent_process.file.full_path ;; + group_label: "intermediary" + label: "intermediary.process.parent_process.file.full_path" + view_label: "UDM" + description: "The full path identifying the location of the file on the system." + } # dimension process__parent_process__file__full_path + + dimension: process__parent_process__file__size { + type: number + sql: ${TABLE}.process.parent_process.file.size ;; + group_label: "intermediary" + label: "intermediary.process.parent_process.file.size" + view_label: "UDM" + description: "The size of the file in bytes." 
+ } # dimension process__parent_process__file__size + + dimension: process__parent_process__pid { + type: string + sql: ${TABLE}.process.parent_process.pid ;; + group_label: "intermediary" + label: "intermediary.process.parent_process.pid" + view_label: "UDM" + description: "The process ID." + } # dimension process__parent_process__pid + + dimension: process__pid { + type: string + sql: ${TABLE}.process.pid ;; + group_label: "intermediary" + label: "intermediary.process.pid" + view_label: "UDM" + description: "The process ID." + } # dimension process__pid + + dimension: registry { + hidden: yes + } # dimension registry + + dimension: registry__registry_key { + type: string + sql: ${TABLE}.registry.registry_key ;; + group_label: "intermediary" + label: "intermediary.registry.registry_key" + view_label: "UDM" + description: "Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...)." + } # dimension registry__registry_key + + dimension: registry__registry_value_data { + type: string + sql: ${TABLE}.registry.registry_value_data ;; + group_label: "intermediary" + label: "intermediary.registry.registry_value_data" + view_label: "UDM" + description: "Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp)." + } # dimension registry__registry_value_data + + dimension: registry__registry_value_name { + type: string + sql: ${TABLE}.registry.registry_value_name ;; + group_label: "intermediary" + label: "intermediary.registry.registry_value_name" + view_label: "UDM" + description: "Name of the registry value associated with an application or system component (e.g. TEMP)." 
+ } # dimension registry__registry_value_name + + dimension: resource { + hidden: yes + } # dimension resource + + dimension: resource__attribute { + hidden: yes + } # dimension resource__attribute + + dimension: resource__attribute__labels { + hidden: yes + } # dimension resource__attribute__labels + + dimension: resource__id { + type: string + sql: ${TABLE}.resource.id ;; + group_label: "intermediary" + group_item_label: "intermediary.resource.id [D]" + label: "intermediary.resource.id" + view_label: "UDM" + description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" + } # dimension resource__id + + dimension: resource__name { + type: string + sql: ${TABLE}.resource.name ;; + group_label: "intermediary" + label: "intermediary.resource.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." + } # dimension resource__name + + dimension: resource__parent { + type: string + sql: ${TABLE}.resource.parent ;; + group_label: "intermediary" + group_item_label: "intermediary.resource.parent [D]" + label: "intermediary.resource.parent" + view_label: "UDM" + description: "The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: use resource_ancestors.name. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension resource__parent + + dimension: resource__product_object_id { + type: string + sql: ${TABLE}.resource.product_object_id ;; + group_label: "intermediary" + label: "intermediary.resource.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" + } # dimension resource__product_object_id + + dimension: resource__resource_subtype { + type: string + sql: ${TABLE}.resource.resource_subtype ;; + group_label: "intermediary" + label: "intermediary.resource.resource_subtype" + view_label: "UDM" + description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\")." + } # dimension resource__resource_subtype + + dimension: resource__resource_type { + type: number + sql: ${TABLE}.resource.resource_type ;; + group_label: "intermediary" + label: "intermediary.resource.resource_type" + view_label: "UDM" + description: "Resource type." 
+ } # dimension resource__resource_type + + dimension: resource__resource_type_enum_name { + type: string + suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] + sql: CASE ${TABLE}.resource.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; + group_label: "intermediary" + label: "intermediary.resource.resource_type_enum_name" + view_label: "UDM" + description: "Resource type." + } # dimension resource__resource_type_enum_name + + dimension: resource__type { + type: string + sql: ${TABLE}.resource.type ;; + group_label: "intermediary" + group_item_label: "intermediary.resource.type [D]" + label: "intermediary.resource.type" + view_label: "UDM" + description: "Deprecated: use resource_type instead. [D]: This field is deprecated and will be removed in a future release" + } # dimension resource__type + + dimension: url { + type: string + sql: ${TABLE}.url ;; + group_label: "intermediary" + label: "intermediary.url" + view_label: "UDM" + description: "The URL." 
+ } # dimension url + + dimension: user { + hidden: yes + } # dimension user + + dimension: user__email_addresses { + hidden: yes + } # dimension user__email_addresses + + dimension: user__group_identifiers { + hidden: yes + } # dimension user__group_identifiers + + dimension: user__product_object_id { + type: string + sql: ${TABLE}.user.product_object_id ;; + group_label: "intermediary" + label: "intermediary.user.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." + } # dimension user__product_object_id + + dimension: user__user_display_name { + type: string + sql: ${TABLE}.user.user_display_name ;; + group_label: "intermediary" + label: "intermediary.user.user_display_name" + view_label: "UDM" + description: "The display name of the user (e.g. \"John Locke\")." + } # dimension user__user_display_name + + dimension: user__userid { + type: string + sql: ${TABLE}.user.userid ;; + group_label: "intermediary" + label: "intermediary.user.userid" + view_label: "UDM" + description: "The ID of the user." + } # dimension user__userid + + dimension: user__windows_sid { + type: string + sql: ${TABLE}.user.windows_sid ;; + group_label: "intermediary" + label: "intermediary.user.windows_sid" + view_label: "UDM" + description: "The Microsoft Windows SID of the user." + } # dimension user__windows_sid + +} # view events__intermediary + +view: events__metadata__base_labels__log_types { + dimension: events__metadata__base_labels__log_types { + type: string + sql: ${TABLE} ;; + group_label: "metadata" + label: "metadata.base_labels.log_types" + view_label: "UDM" + description: "All the LogType labels. We use string to log types to avoid moving LogType proto, which contains customer info, to external." 
+ } # dimension events__metadata__base_labels__log_types +} # view events__metadata__base_labels__log_types + +view: events__metadata__base_labels__namespaces { + dimension: events__metadata__base_labels__namespaces { + type: string + sql: ${TABLE} ;; + group_label: "metadata" + label: "metadata.base_labels.namespaces" + view_label: "UDM" + description: "All the namespaces." + } # dimension events__metadata__base_labels__namespaces +} # view events__metadata__base_labels__namespaces + +view: events__metadata__ingestion_labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "metadata" + label: "metadata.ingestion_labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: source { + type: string + sql: ${TABLE}.source ;; + group_label: "metadata" + label: "metadata.ingestion_labels.source" + view_label: "UDM" + description: "@hide_from_doc" + } # dimension source + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "metadata" + label: "metadata.ingestion_labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view events__metadata__ingestion_labels + +view: events__metadata__tags__data_tap_config_name { + dimension: events__metadata__tags__data_tap_config_name { + type: string + sql: ${TABLE} ;; + group_label: "metadata" + label: "metadata.tags.data_tap_config_name" + view_label: "UDM" + description: "A list of sink name values defined in DataTap configurations." + } # dimension events__metadata__tags__data_tap_config_name +} # view events__metadata__tags__data_tap_config_name + +view: events__metadata__tags__tenant_id { + dimension: events__metadata__tags__tenant_id { + type: string + sql: ${TABLE} ;; + group_label: "metadata" + label: "metadata.tags.tenant_id" + view_label: "UDM" + description: "A list of subtenant ids that this event belongs to." 
+ } # dimension events__metadata__tags__tenant_id +} # view events__metadata__tags__tenant_id + +view: events__network__dhcp__options { + dimension: code { + type: number + sql: ${TABLE}.code ;; + group_label: "network" + label: "network.dhcp.options.code" + view_label: "UDM" + description: "Code. See RFC1533." + } # dimension code + +} # view events__network__dhcp__options + +view: events__network__dns__additional { + dimension: class { + type: number + sql: ${TABLE}.class ;; + group_label: "network" + label: "network.dns.additional.class" + view_label: "UDM" + description: "The code specifying the class of the resource record." + } # dimension class + + dimension: data { + type: string + sql: ${TABLE}.data ;; + group_label: "network" + label: "network.dns.additional.data" + view_label: "UDM" + description: "The payload or response to the DNS question for all responses encoded in UTF-8 format" + } # dimension data + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "network" + label: "network.dns.additional.name" + view_label: "UDM" + description: "The name of the owner of the resource record." + } # dimension name + + dimension: ttl { + type: number + sql: ${TABLE}.ttl ;; + group_label: "network" + label: "network.dns.additional.ttl" + view_label: "UDM" + description: "The time interval for which the resource record can be cached before the source of the information should again be queried." + } # dimension ttl + + dimension: type { + type: number + sql: ${TABLE}.type ;; + group_label: "network" + label: "network.dns.additional.type" + view_label: "UDM" + description: "The code specifying the type of the resource record." 
+ } # dimension type + +} # view events__network__dns__additional + +view: events__network__dns__answers { + dimension: binary_data { + type: string + sql: ${TABLE}.binary_data ;; + group_label: "network" + label: "network.dns.answers.binary_data" + view_label: "UDM" + description: "The raw bytes of any non-UTF8 strings that might be included as part of a DNS response." + } # dimension binary_data + + dimension: class { + type: number + sql: ${TABLE}.class ;; + group_label: "network" + label: "network.dns.answers.class" + view_label: "UDM" + description: "The code specifying the class of the resource record." + } # dimension class + + dimension: data { + type: string + sql: ${TABLE}.data ;; + group_label: "network" + label: "network.dns.answers.data" + view_label: "UDM" + description: "The payload or response to the DNS question for all responses encoded in UTF-8 format" + } # dimension data + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "network" + label: "network.dns.answers.name" + view_label: "UDM" + description: "The name of the owner of the resource record." + } # dimension name + + dimension: ttl { + type: number + sql: ${TABLE}.ttl ;; + group_label: "network" + label: "network.dns.answers.ttl" + view_label: "UDM" + description: "The time interval for which the resource record can be cached before the source of the information should again be queried." + } # dimension ttl + + dimension: type { + type: number + sql: ${TABLE}.type ;; + group_label: "network" + label: "network.dns.answers.type" + view_label: "UDM" + description: "The code specifying the type of the resource record." + } # dimension type + +} # view events__network__dns__answers + +view: events__network__dns__authority { + dimension: class { + type: number + sql: ${TABLE}.class ;; + group_label: "network" + label: "network.dns.authority.class" + view_label: "UDM" + description: "The code specifying the class of the resource record." 
+ } # dimension class + + dimension: data { + type: string + sql: ${TABLE}.data ;; + group_label: "network" + label: "network.dns.authority.data" + view_label: "UDM" + description: "The payload or response to the DNS question for all responses encoded in UTF-8 format" + } # dimension data + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "network" + label: "network.dns.authority.name" + view_label: "UDM" + description: "The name of the owner of the resource record." + } # dimension name + + dimension: ttl { + type: number + sql: ${TABLE}.ttl ;; + group_label: "network" + label: "network.dns.authority.ttl" + view_label: "UDM" + description: "The time interval for which the resource record can be cached before the source of the information should again be queried." + } # dimension ttl + + dimension: type { + type: number + sql: ${TABLE}.type ;; + group_label: "network" + label: "network.dns.authority.type" + view_label: "UDM" + description: "The code specifying the type of the resource record." + } # dimension type + +} # view events__network__dns__authority + +view: events__network__dns__questions { + dimension: class { + type: number + sql: ${TABLE}.class ;; + group_label: "network" + label: "network.dns.questions.class" + view_label: "UDM" + description: "The code specifying the class of the query." + } # dimension class + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "network" + label: "network.dns.questions.name" + view_label: "UDM" + description: "The domain name." + } # dimension name + + dimension: prevalence { + hidden: yes + } # dimension prevalence + + dimension: prevalence__day_count { + type: number + sql: ${TABLE}.prevalence.day_count ;; + group_label: "network" + label: "network.dns.questions.prevalence.day_count" + view_label: "UDM" + description: "The number of days over which rolling_max is calculated." 
+ } # dimension prevalence__day_count + + dimension: prevalence__rolling_max { + type: number + sql: ${TABLE}.prevalence.rolling_max ;; + group_label: "network" + label: "network.dns.questions.prevalence.rolling_max" + view_label: "UDM" + description: "The maximum number of assets per day accessing the resource over the trailing day_count days." + } # dimension prevalence__rolling_max + + dimension: type { + type: number + sql: ${TABLE}.type ;; + group_label: "network" + label: "network.dns.questions.type" + view_label: "UDM" + description: "The code specifying the type of the query." + } # dimension type + +} # view events__network__dns__questions + +view: events__network__email__bcc { + dimension: events__network__email__bcc { + type: string + sql: ${TABLE} ;; + group_label: "network" + label: "network.email.bcc" + view_label: "UDM" + description: "A list of 'bcc' addresses." + } # dimension events__network__email__bcc +} # view events__network__email__bcc + +view: events__network__email__cc { + dimension: events__network__email__cc { + type: string + sql: ${TABLE} ;; + group_label: "network" + label: "network.email.cc" + view_label: "UDM" + description: "A list of 'cc' addresses." + } # dimension events__network__email__cc +} # view events__network__email__cc + +view: events__network__email__subject { + dimension: events__network__email__subject { + type: string + sql: ${TABLE} ;; + group_label: "network" + label: "network.email.subject" + view_label: "UDM" + description: "The subject line(s) of the email." + } # dimension events__network__email__subject +} # view events__network__email__subject + +view: events__network__email__to { + dimension: events__network__email__to { + type: string + sql: ${TABLE} ;; + group_label: "network" + label: "network.email.to" + view_label: "UDM" + description: "A list of 'to' addresses." 
+ } # dimension events__network__email__to +} # view events__network__email__to + +view: events__network__http__parsed_user_agent__annotation { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "network" + label: "network.http.parsed_user_agent.annotation.key" + view_label: "UDM" + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "network" + label: "network.http.parsed_user_agent.annotation.value" + view_label: "UDM" + } # dimension value + +} # view events__network__http__parsed_user_agent__annotation + +view: events__network__tls__client__supported_ciphers { + dimension: events__network__tls__client__supported_ciphers { + type: string + sql: ${TABLE} ;; + group_label: "network" + label: "network.tls.client.supported_ciphers" + view_label: "UDM" + description: "Ciphers supported by the client during client hello." + } # dimension events__network__tls__client__supported_ciphers +} # view events__network__tls__client__supported_ciphers + +view: events__observer__asset__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "observer" + label: "observer.asset.attribute.labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "observer" + label: "observer.asset.attribute.labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view events__observer__asset__attribute__labels + +view: events__observer__asset__ip { + dimension: events__observer__asset__ip { + type: string + sql: ${TABLE} ;; + group_label: "observer" + label: "observer.asset.ip" + view_label: "UDM" + description: "A list of IP addresses associated with an asset." 
+ } # dimension events__observer__asset__ip +} # view events__observer__asset__ip + +view: events__observer__asset__software { + dimension: version { + type: string + sql: ${TABLE}.version ;; + group_label: "observer" + label: "observer.asset.software.version" + view_label: "UDM" + description: "The version of the software." + } # dimension version + +} # view events__observer__asset__software + +view: events__observer__asset__vulnerabilities { + dimension_group: observer__asset__vulnerabilities__scan_start_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.scan_start_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.scan_start_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "observer" + label: "observer.asset.vulnerabilities.scan_start_time" + view_label: "UDM" + description: "If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan started. This field can be left unset if the start time is not available or not applicable." + } # dimension observer__asset__vulnerabilities__scan_start_time + +} # view events__observer__asset__vulnerabilities + +view: events__observer__ip { + dimension: events__observer__ip { + type: string + sql: ${TABLE} ;; + group_label: "observer" + label: "observer.ip" + view_label: "UDM" + description: "A list of IP addresses associated with a network connection." + } # dimension events__observer__ip +} # view events__observer__ip + +view: events__observer__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "observer" + group_item_label: "observer.labels.key [D]" + label: "observer.labels.key" + view_label: "UDM" + description: "The key. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "observer" + group_item_label: "observer.labels.value [D]" + label: "observer.labels.value" + view_label: "UDM" + description: "The value. [D]: This field is deprecated and will be removed in a future release" + } # dimension value + +} # view events__observer__labels + +view: events__observer__mac { + dimension: events__observer__mac { + type: string + sql: ${TABLE} ;; + group_label: "observer" + label: "observer.mac" + view_label: "UDM" + description: "List of MAC addresses associated with a device." + } # dimension events__observer__mac +} # view events__observer__mac + +view: events__observer__resource__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "observer" + label: "observer.resource.attribute.labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "observer" + label: "observer.resource.attribute.labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view events__observer__resource__attribute__labels + +view: events__observer__user__email_addresses { + dimension: events__observer__user__email_addresses { + type: string + sql: ${TABLE} ;; + group_label: "observer" + label: "observer.user.email_addresses" + view_label: "UDM" + description: "Email addresses of the user." 
+ } # dimension events__observer__user__email_addresses +} # view events__observer__user__email_addresses + +view: events__observer__user__group_identifiers { + dimension: events__observer__user__group_identifiers { + type: string + sql: ${TABLE} ;; + group_label: "observer" + label: "observer.user.group_identifiers" + view_label: "UDM" + description: "Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar)." + } # dimension events__observer__user__group_identifiers +} # view events__observer__user__group_identifiers + +view: events__principal__artifact__network__dns__answers { + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "principal" + label: "principal.artifact.network.dns.answers.name" + view_label: "UDM" + description: "The name of the owner of the resource record." + } # dimension name + +} # view events__principal__artifact__network__dns__answers + +view: events__principal__asset__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "principal" + label: "principal.asset.attribute.labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "principal" + label: "principal.asset.attribute.labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view events__principal__asset__attribute__labels + +view: events__principal__asset__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "principal" + label: "principal.asset.attribute.roles.description" + view_label: "UDM" + description: "System role description for user." 
+ } # dimension description + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "principal" + label: "principal.asset.attribute.roles.name" + view_label: "UDM" + description: "System role name for user." + } # dimension name + + dimension: type { + type: number + sql: ${TABLE}.type ;; + group_label: "principal" + label: "principal.asset.attribute.roles.type" + view_label: "UDM" + description: "System role type for well known roles." + } # dimension type + + dimension: type_enum_name { + type: string + suggestions: ["ADMINISTRATOR", "SERVICE_ACCOUNT", "TYPE_UNSPECIFIED"] + sql: CASE ${TABLE}.type WHEN 0 THEN 'TYPE_UNSPECIFIED' WHEN 1 THEN 'ADMINISTRATOR' WHEN 2 THEN 'SERVICE_ACCOUNT' END ;; + group_label: "principal" + label: "principal.asset.attribute.roles.type_enum_name" + view_label: "UDM" + description: "System role type for well known roles." + } # dimension type_enum_name + +} # view events__principal__asset__attribute__roles + +view: events__principal__asset__hardware { + dimension: cpu_model { + type: string + sql: ${TABLE}.cpu_model ;; + group_label: "principal" + label: "principal.asset.hardware.cpu_model" + view_label: "UDM" + description: "Model description of the hardware CPU (e.g. \"2.8 GHz Quad-Core Intel Core i5\")." + } # dimension cpu_model + + dimension: cpu_platform { + type: string + sql: ${TABLE}.cpu_platform ;; + group_label: "principal" + label: "principal.asset.hardware.cpu_platform" + view_label: "UDM" + description: "Platform of the hardware CPU (e.g. \"Intel Broadwell\")." + } # dimension cpu_platform + + dimension: manufacturer { + type: string + sql: ${TABLE}.manufacturer ;; + group_label: "principal" + label: "principal.asset.hardware.manufacturer" + view_label: "UDM" + description: "Hardware manufacturer." 
+ } # dimension manufacturer + + dimension: model { + type: string + sql: ${TABLE}.model ;; + group_label: "principal" + label: "principal.asset.hardware.model" + view_label: "UDM" + description: "Hardware model." + } # dimension model + + dimension: ram { + type: number + sql: ${TABLE}.ram ;; + group_label: "principal" + label: "principal.asset.hardware.ram" + view_label: "UDM" + description: "Amount of the hardware ramdom access memory (RAM) in Mb." + } # dimension ram + + dimension: serial_number { + type: string + sql: ${TABLE}.serial_number ;; + group_label: "principal" + label: "principal.asset.hardware.serial_number" + view_label: "UDM" + description: "Hardware serial number." + } # dimension serial_number + +} # view events__principal__asset__hardware + +view: events__principal__asset__ip { + dimension: events__principal__asset__ip { + type: string + sql: ${TABLE} ;; + group_label: "principal" + label: "principal.asset.ip" + view_label: "UDM" + description: "A list of IP addresses associated with an asset." + } # dimension events__principal__asset__ip +} # view events__principal__asset__ip + +view: events__principal__asset__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "principal" + group_item_label: "principal.asset.labels.key [D]" + label: "principal.asset.labels.key" + view_label: "UDM" + description: "The key. [D]: This field is deprecated and will be removed in a future release" + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "principal" + group_item_label: "principal.asset.labels.value [D]" + label: "principal.asset.labels.value" + view_label: "UDM" + description: "The value. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension value + +} # view events__principal__asset__labels + +view: events__principal__asset__mac { + dimension: events__principal__asset__mac { + type: string + sql: ${TABLE} ;; + group_label: "principal" + label: "principal.asset.mac" + view_label: "UDM" + description: "List of MAC addresses associated with an asset." + } # dimension events__principal__asset__mac +} # view events__principal__asset__mac + +view: events__principal__asset__nat_ip { + dimension: events__principal__asset__nat_ip { + type: string + sql: ${TABLE} ;; + group_label: "principal" + label: "principal.asset.nat_ip" + view_label: "UDM" + description: "List of NAT IP addresses associated with an asset." + } # dimension events__principal__asset__nat_ip +} # view events__principal__asset__nat_ip + +view: events__principal__asset__software__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "principal" + label: "principal.asset.software.permissions.description" + view_label: "UDM" + description: "Description of the permission (e.g. 'Ability to update detect rules')." + } # dimension description + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "principal" + label: "principal.asset.software.permissions.name" + view_label: "UDM" + description: "Name of the permission (e.g. chronicle.analyst.updateRule)." + } # dimension name + +} # view events__principal__asset__software__permissions + +view: events__principal__asset__software { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "principal" + label: "principal.asset.software.description" + view_label: "UDM" + description: "The description of the software." 
+ } # dimension description + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "principal" + label: "principal.asset.software.name" + view_label: "UDM" + description: "The name of the software." + } # dimension name + + dimension: permissions { + hidden: yes + } # dimension permissions + + dimension: vendor_name { + type: string + sql: ${TABLE}.vendor_name ;; + group_label: "principal" + label: "principal.asset.software.vendor_name" + view_label: "UDM" + description: "The name of the software vendor." + } # dimension vendor_name + + dimension: version { + type: string + sql: ${TABLE}.version ;; + group_label: "principal" + label: "principal.asset.software.version" + view_label: "UDM" + description: "The version of the software." + } # dimension version + +} # view events__principal__asset__software + +view: events__principal__asset__vulnerabilities { + dimension: cve_description { + type: string + sql: ${TABLE}.cve_description ;; + group_label: "principal" + label: "principal.asset.vulnerabilities.cve_description" + view_label: "UDM" + description: "Common Vulnerabilities and Exposures Description. https://cve.mitre.org/about/faqs.html#what_is_cve_record" + } # dimension cve_description + + dimension: cve_id { + type: string + sql: ${TABLE}.cve_id ;; + group_label: "principal" + label: "principal.asset.vulnerabilities.cve_id" + view_label: "UDM" + description: "Common Vulnerabilities and Exposures Id.https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures https://cve.mitre.org/about/faqs.html#what_is_cve_id" + } # dimension cve_id + + dimension: cvss_base_score { + type: number + sql: ${TABLE}.cvss_base_score ;; + group_label: "principal" + label: "principal.asset.vulnerabilities.cvss_base_score" + view_label: "UDM" + description: "CVSS Base Score in the range of 0.0 to 10.0. Useful for sorting." 
+ } # dimension cvss_base_score + + dimension: cvss_vector { + type: string + sql: ${TABLE}.cvss_vector ;; + group_label: "principal" + label: "principal.asset.vulnerabilities.cvss_vector" + view_label: "UDM" + description: "Vector of CVSS properties (e.g. \"AV:L/AC:H/Au:N/C:N/I:P/A:C\") Can be linked to via: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=VALUE" + } # dimension cvss_vector + + dimension: cvss_version { + type: string + sql: ${TABLE}.cvss_version ;; + group_label: "principal" + label: "principal.asset.vulnerabilities.cvss_version" + view_label: "UDM" + description: "Version of CVSS Vector/Score." + } # dimension cvss_version + + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "principal" + label: "principal.asset.vulnerabilities.description" + view_label: "UDM" + description: "Description of the vulnerability." + } # dimension description + + dimension_group: principal__asset__vulnerabilities__first_found { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.first_found.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.first_found.nanos, 0) / 1000) as INT64)) ;; + group_label: "principal" + label: "principal.asset.vulnerabilities.first_found" + view_label: "UDM" + description: "Products that maintain a history of vuln scans should populate first_found with the time that a scan first detected the vulnerability on this asset." 
+ } # dimension principal__asset__vulnerabilities__first_found + + dimension_group: principal__asset__vulnerabilities__last_found { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.last_found.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.last_found.nanos, 0) / 1000) as INT64)) ;; + group_label: "principal" + label: "principal.asset.vulnerabilities.last_found" + view_label: "UDM" + description: "Products that maintain a history of vuln scans should populate last_found with the time that a scan last detected the vulnerability on this asset." + } # dimension principal__asset__vulnerabilities__last_found + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "principal" + label: "principal.asset.vulnerabilities.name" + view_label: "UDM" + description: "Name of the vulnerability (e.g. \"Unsupported OS Version detected\")." + } # dimension name + + dimension_group: principal__asset__vulnerabilities__scan_end_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.scan_end_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.scan_end_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "principal" + label: "principal.asset.vulnerabilities.scan_end_time" + view_label: "UDM" + description: "If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan ended. This field can be left unset if the end time is not available or not applicable." 
+ } # dimension principal__asset__vulnerabilities__scan_end_time + + dimension_group: principal__asset__vulnerabilities__scan_start_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.scan_start_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.scan_start_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "principal" + label: "principal.asset.vulnerabilities.scan_start_time" + view_label: "UDM" + description: "If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan started. This field can be left unset if the start time is not available or not applicable." + } # dimension principal__asset__vulnerabilities__scan_start_time + + dimension: severity { + type: number + sql: ${TABLE}.severity ;; + group_label: "principal" + label: "principal.asset.vulnerabilities.severity" + view_label: "UDM" + description: "The severity of the vulnerability." + } # dimension severity + + dimension: severity_enum_name { + type: string + suggestions: ["CRITICAL", "HIGH", "LOW", "MEDIUM", "UNKNOWN_SEVERITY"] + sql: CASE ${TABLE}.severity WHEN 0 THEN 'UNKNOWN_SEVERITY' WHEN 1 THEN 'LOW' WHEN 2 THEN 'MEDIUM' WHEN 3 THEN 'HIGH' WHEN 4 THEN 'CRITICAL' END ;; + group_label: "principal" + label: "principal.asset.vulnerabilities.severity_enum_name" + view_label: "UDM" + description: "The severity of the vulnerability." + } # dimension severity_enum_name + + dimension: severity_details { + type: string + sql: ${TABLE}.severity_details ;; + group_label: "principal" + label: "principal.asset.vulnerabilities.severity_details" + view_label: "UDM" + description: "Vendor-specific severity" + } # dimension severity_details + + dimension: vendor { + type: string + sql: ${TABLE}.vendor ;; + group_label: "principal" + label: "principal.asset.vulnerabilities.vendor" + view_label: "UDM" + description: "Vendor of scan that discovered vulnerability." 
+ } # dimension vendor + + dimension: vendor_knowledge_base_article_id { + type: string + sql: ${TABLE}.vendor_knowledge_base_article_id ;; + group_label: "principal" + label: "principal.asset.vulnerabilities.vendor_knowledge_base_article_id" + view_label: "UDM" + description: "Vendor specific knowledge base article (e.g. \"KBXXXXXX\" from Microsoft). https://en.wikipedia.org/wiki/Microsoft_Knowledge_Base https://access.redhat.com/knowledgebase" + } # dimension vendor_knowledge_base_article_id + + dimension: vendor_vulnerability_id { + type: string + sql: ${TABLE}.vendor_vulnerability_id ;; + group_label: "principal" + label: "principal.asset.vulnerabilities.vendor_vulnerability_id" + view_label: "UDM" + description: "Vendor specific vulnerability id (e.g. Microsoft security bulletin id)." + } # dimension vendor_vulnerability_id + +} # view events__principal__asset__vulnerabilities + +view: events__principal__domain__name_server { + dimension: events__principal__domain__name_server { + type: string + sql: ${TABLE} ;; + group_label: "principal" + label: "principal.domain.name_server" + view_label: "UDM" + description: "Repeated list of name servers." + } # dimension events__principal__domain__name_server +} # view events__principal__domain__name_server + +view: events__principal__domain__tech__group_identifiers { + dimension: events__principal__domain__tech__group_identifiers { + type: string + sql: ${TABLE} ;; + group_label: "principal" + label: "principal.domain.tech.group_identifiers" + view_label: "UDM" + description: "Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar)." 
+ } # dimension events__principal__domain__tech__group_identifiers +} # view events__principal__domain__tech__group_identifiers + +view: events__principal__file__names { + dimension: events__principal__file__names { + type: string + sql: ${TABLE} ;; + group_label: "principal" + label: "principal.file.names" + view_label: "UDM" + description: "Names fields." + } # dimension events__principal__file__names +} # view events__principal__file__names + +view: events__principal__group__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "principal" + label: "principal.group.attribute.labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "principal" + label: "principal.group.attribute.labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view events__principal__group__attribute__labels + +view: events__principal__group__attribute__roles { + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "principal" + label: "principal.group.attribute.roles.name" + view_label: "UDM" + description: "System role name for user." + } # dimension name + +} # view events__principal__group__attribute__roles + +view: events__principal__group__email_addresses { + dimension: events__principal__group__email_addresses { + type: string + sql: ${TABLE} ;; + group_label: "principal" + label: "principal.group.email_addresses" + view_label: "UDM" + description: "Email addresses of the group." + } # dimension events__principal__group__email_addresses +} # view events__principal__group__email_addresses + +view: events__principal__investigation__comments { + dimension: events__principal__investigation__comments { + type: string + sql: ${TABLE} ;; + group_label: "principal" + label: "principal.investigation.comments" + view_label: "UDM" + description: "Comment added by the Analyst." 
+ } # dimension events__principal__investigation__comments +} # view events__principal__investigation__comments + +view: events__principal__ip { + dimension: events__principal__ip { + type: string + sql: ${TABLE} ;; + group_label: "principal" + label: "principal.ip" + view_label: "UDM" + description: "A list of IP addresses associated with a network connection." + } # dimension events__principal__ip +} # view events__principal__ip + +view: events__principal__ip_geo_artifact { + dimension: ip { + type: string + sql: ${TABLE}.ip ;; + group_label: "principal" + label: "principal.ip_geo_artifact.ip" + view_label: "UDM" + description: "IP address of the artifact." + } # dimension ip + + dimension: location { + hidden: yes + } # dimension location + + dimension: location__country_or_region { + type: string + sql: ${TABLE}.location.country_or_region ;; + group_label: "principal" + label: "principal.ip_geo_artifact.location.country_or_region" + view_label: "UDM" + description: "The country or region." + } # dimension location__country_or_region + + dimension: location__region_coordinates { + type: location + sql_latitude: ${TABLE}.location.region_coordinates.latitude ;; + sql_longitude: ${TABLE}.location.region_coordinates.longitude ;; + group_label: "principal" + group_item_label: "principal.ip_geo_artifact.location.region_coordinates [L]" + label: "principal.ip_geo_artifact.location.region_coordinates" + view_label: "UDM" + description: "Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. [L]: This is a location field and can be used in maps." 
+ } # dimension location__region_coordinates + + dimension: location__region_latitude { + type: number + sql: ${TABLE}.location.region_latitude ;; + group_label: "principal" + group_item_label: "principal.ip_geo_artifact.location.region_latitude [D]" + label: "principal.ip_geo_artifact.location.region_latitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" + } # dimension location__region_latitude + + dimension: location__region_longitude { + type: number + sql: ${TABLE}.location.region_longitude ;; + group_label: "principal" + group_item_label: "principal.ip_geo_artifact.location.region_longitude [D]" + label: "principal.ip_geo_artifact.location.region_longitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" + } # dimension location__region_longitude + + dimension: location__location { + type: location + sql_latitude: ${TABLE}.location.region_latitude ;; + sql_longitude: ${TABLE}.location.region_longitude ;; + group_label: "principal" + group_item_label: "principal.ip_geo_artifact.location.location [D][L]" + label: "principal.ip_geo_artifact.location.location" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." + } # dimension location__location + + dimension: location__state { + type: string + sql: ${TABLE}.location.state ;; + group_label: "principal" + label: "principal.ip_geo_artifact.location.state" + view_label: "UDM" + description: "The state." 
+ } # dimension location__state + + dimension: network { + hidden: yes + } # dimension network + + dimension: network__asn { + type: string + sql: ${TABLE}.network.asn ;; + group_label: "principal" + label: "principal.ip_geo_artifact.network.asn" + view_label: "UDM" + description: "Autonomous system number." + } # dimension network__asn + + dimension: network__carrier_name { + type: string + sql: ${TABLE}.network.carrier_name ;; + group_label: "principal" + label: "principal.ip_geo_artifact.network.carrier_name" + view_label: "UDM" + description: "Carrier identification." + } # dimension network__carrier_name + + dimension: network__dns_domain { + type: string + sql: ${TABLE}.network.dns_domain ;; + group_label: "principal" + label: "principal.ip_geo_artifact.network.dns_domain" + view_label: "UDM" + description: "DNS domain name." + } # dimension network__dns_domain + + dimension: network__organization_name { + type: string + sql: ${TABLE}.network.organization_name ;; + group_label: "principal" + label: "principal.ip_geo_artifact.network.organization_name" + view_label: "UDM" + description: "Organization name (e.g Google)." + } # dimension network__organization_name + +} # view events__principal__ip_geo_artifact + +view: events__principal__ip_location { + dimension: city { + type: string + sql: ${TABLE}.city ;; + group_label: "principal" + group_item_label: "principal.ip_location.city [D]" + label: "principal.ip_location.city" + view_label: "UDM" + description: "The city. [D]: This field is deprecated and will be removed in a future release" + } # dimension city + + dimension: country_or_region { + type: string + sql: ${TABLE}.country_or_region ;; + group_label: "principal" + group_item_label: "principal.ip_location.country_or_region [D]" + label: "principal.ip_location.country_or_region" + view_label: "UDM" + description: "The country or region. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension country_or_region + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "principal" + group_item_label: "principal.ip_location.name [D]" + label: "principal.ip_location.name" + view_label: "UDM" + description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\"). [D]: This field is deprecated and will be removed in a future release" + } # dimension name + + dimension: region_coordinates { + type: location + sql_latitude: ${TABLE}.region_coordinates.latitude ;; + sql_longitude: ${TABLE}.region_coordinates.longitude ;; + group_label: "principal" + group_item_label: "principal.ip_location.region_coordinates [D][L]" + label: "principal.ip_location.region_coordinates" + view_label: "UDM" + description: "Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." + } # dimension region_coordinates + + dimension: region_latitude { + type: number + sql: ${TABLE}.region_latitude ;; + group_label: "principal" + group_item_label: "principal.ip_location.region_latitude [D]" + label: "principal.ip_location.region_latitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" + } # dimension region_latitude + + dimension: region_longitude { + type: number + sql: ${TABLE}.region_longitude ;; + group_label: "principal" + group_item_label: "principal.ip_location.region_longitude [D]" + label: "principal.ip_location.region_longitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension region_longitude + + dimension: location { + type: location + sql_latitude: ${TABLE}.region_latitude ;; + sql_longitude: ${TABLE}.region_longitude ;; + group_label: "principal" + group_item_label: "principal.ip_location.location [D][L]" + label: "principal.ip_location.location" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." + } # dimension location + + dimension: state { + type: string + sql: ${TABLE}.state ;; + group_label: "principal" + group_item_label: "principal.ip_location.state [D]" + label: "principal.ip_location.state" + view_label: "UDM" + description: "The state. [D]: This field is deprecated and will be removed in a future release" + } # dimension state + +} # view events__principal__ip_location + +view: events__principal__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "principal" + group_item_label: "principal.labels.key [D]" + label: "principal.labels.key" + view_label: "UDM" + description: "The key. [D]: This field is deprecated and will be removed in a future release" + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "principal" + group_item_label: "principal.labels.value [D]" + label: "principal.labels.value" + view_label: "UDM" + description: "The value. [D]: This field is deprecated and will be removed in a future release" + } # dimension value + +} # view events__principal__labels + +view: events__principal__mac { + dimension: events__principal__mac { + type: string + sql: ${TABLE} ;; + group_label: "principal" + label: "principal.mac" + view_label: "UDM" + description: "List of MAC addresses associated with a device." 
+ } # dimension events__principal__mac +} # view events__principal__mac + +view: events__principal__nat_ip { + dimension: events__principal__nat_ip { + type: string + sql: ${TABLE} ;; + group_label: "principal" + label: "principal.nat_ip" + view_label: "UDM" + description: "A list of NAT translated IP addresses associated with a network connection." + } # dimension events__principal__nat_ip +} # view events__principal__nat_ip + +view: events__principal__process__command_line_history { + dimension: events__principal__process__command_line_history { + type: string + sql: ${TABLE} ;; + group_label: "principal" + label: "principal.process.command_line_history" + view_label: "UDM" + description: "The command line history of the process." + } # dimension events__principal__process__command_line_history +} # view events__principal__process__command_line_history + +view: events__principal__process__file__capabilities_tags { + dimension: events__principal__process__file__capabilities_tags { + type: string + sql: ${TABLE} ;; + group_label: "principal" + label: "principal.process.file.capabilities_tags" + view_label: "UDM" + description: "Capabilities tags." + } # dimension events__principal__process__file__capabilities_tags +} # view events__principal__process__file__capabilities_tags + +view: events__principal__process__file__names { + dimension: events__principal__process__file__names { + type: string + sql: ${TABLE} ;; + group_label: "principal" + label: "principal.process.file.names" + view_label: "UDM" + description: "Names fields." 
+ } # dimension events__principal__process__file__names +} # view events__principal__process__file__names + +view: events__principal__process_ancestors { + dimension: file { + hidden: yes + } # dimension file + + dimension: file__full_path { + type: string + sql: ${TABLE}.file.full_path ;; + group_label: "principal" + label: "principal.process_ancestors.file.full_path" + view_label: "UDM" + description: "The full path identifying the location of the file on the system." + } # dimension file__full_path + + dimension: pid { + type: string + sql: ${TABLE}.pid ;; + group_label: "principal" + label: "principal.process_ancestors.pid" + view_label: "UDM" + description: "The process ID." + } # dimension pid + +} # view events__principal__process_ancestors + +view: events__principal__resource__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "principal" + label: "principal.resource.attribute.labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "principal" + label: "principal.resource.attribute.labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view events__principal__resource__attribute__labels + +view: events__principal__resource__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "principal" + label: "principal.resource.attribute.permissions.description" + view_label: "UDM" + description: "Description of the permission (e.g. 'Ability to update detect rules')." + } # dimension description + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "principal" + label: "principal.resource.attribute.permissions.name" + view_label: "UDM" + description: "Name of the permission (e.g. chronicle.analyst.updateRule)." 
+ } # dimension name + + dimension: type { + type: number + sql: ${TABLE}.type ;; + group_label: "principal" + label: "principal.resource.attribute.permissions.type" + view_label: "UDM" + description: "Type of the permission." + } # dimension type + + dimension: type_enum_name { + type: string + suggestions: ["ADMIN_READ", "ADMIN_WRITE", "DATA_READ", "DATA_WRITE", "UNKNOWN_PERMISSION_TYPE"] + sql: CASE ${TABLE}.type WHEN 0 THEN 'UNKNOWN_PERMISSION_TYPE' WHEN 1 THEN 'ADMIN_WRITE' WHEN 2 THEN 'ADMIN_READ' WHEN 3 THEN 'DATA_WRITE' WHEN 4 THEN 'DATA_READ' END ;; + group_label: "principal" + label: "principal.resource.attribute.permissions.type_enum_name" + view_label: "UDM" + description: "Type of the permission." + } # dimension type_enum_name + +} # view events__principal__resource__attribute__permissions + +view: events__principal__resource__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "principal" + label: "principal.resource.attribute.roles.description" + view_label: "UDM" + description: "System role description for user." + } # dimension description + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "principal" + label: "principal.resource.attribute.roles.name" + view_label: "UDM" + description: "System role name for user." + } # dimension name + + dimension: type { + type: number + sql: ${TABLE}.type ;; + group_label: "principal" + label: "principal.resource.attribute.roles.type" + view_label: "UDM" + description: "System role type for well known roles." + } # dimension type + + dimension: type_enum_name { + type: string + suggestions: ["ADMINISTRATOR", "SERVICE_ACCOUNT", "TYPE_UNSPECIFIED"] + sql: CASE ${TABLE}.type WHEN 0 THEN 'TYPE_UNSPECIFIED' WHEN 1 THEN 'ADMINISTRATOR' WHEN 2 THEN 'SERVICE_ACCOUNT' END ;; + group_label: "principal" + label: "principal.resource.attribute.roles.type_enum_name" + view_label: "UDM" + description: "System role type for well known roles." 
+ } # dimension type_enum_name + +} # view events__principal__resource__attribute__roles + +view: events__principal__resource_ancestors__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "principal" + label: "principal.resource_ancestors.attribute.labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "principal" + label: "principal.resource_ancestors.attribute.labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view events__principal__resource_ancestors__attribute__labels + +view: events__principal__resource_ancestors { + dimension: attribute { + hidden: yes + } # dimension attribute + + dimension: attribute__labels { + hidden: yes + } # dimension attribute__labels + + dimension: id { + type: string + sql: ${TABLE}.id ;; + group_label: "principal" + group_item_label: "principal.resource_ancestors.id [D]" + label: "principal.resource_ancestors.id" + view_label: "UDM" + description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" + } # dimension id + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "principal" + label: "principal.resource_ancestors.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." + } # dimension name + + dimension: parent { + type: string + sql: ${TABLE}.parent ;; + group_label: "principal" + group_item_label: "principal.resource_ancestors.parent [D]" + label: "principal.resource_ancestors.parent" + view_label: "UDM" + description: "The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: use resource_ancestors.name. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension parent + + dimension: product_object_id { + type: string + sql: ${TABLE}.product_object_id ;; + group_label: "principal" + label: "principal.resource_ancestors.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" + } # dimension product_object_id + + dimension: resource_type { + type: number + sql: ${TABLE}.resource_type ;; + group_label: "principal" + label: "principal.resource_ancestors.resource_type" + view_label: "UDM" + description: "Resource type." + } # dimension resource_type + + dimension: resource_type_enum_name { + type: string + suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] + sql: CASE ${TABLE}.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; + group_label: "principal" + label: "principal.resource_ancestors.resource_type_enum_name" + view_label: "UDM" + description: "Resource type." 
+ } # dimension resource_type_enum_name + +} # view events__principal__resource_ancestors + +view: events__principal__user__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "principal" + label: "principal.user.attribute.labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "principal" + label: "principal.user.attribute.labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view events__principal__user__attribute__labels + +view: events__principal__user__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "principal" + label: "principal.user.attribute.permissions.description" + view_label: "UDM" + description: "Description of the permission (e.g. 'Ability to update detect rules')." + } # dimension description + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "principal" + label: "principal.user.attribute.permissions.name" + view_label: "UDM" + description: "Name of the permission (e.g. chronicle.analyst.updateRule)." + } # dimension name + + dimension: type { + type: number + sql: ${TABLE}.type ;; + group_label: "principal" + label: "principal.user.attribute.permissions.type" + view_label: "UDM" + description: "Type of the permission." + } # dimension type + + dimension: type_enum_name { + type: string + suggestions: ["ADMIN_READ", "ADMIN_WRITE", "DATA_READ", "DATA_WRITE", "UNKNOWN_PERMISSION_TYPE"] + sql: CASE ${TABLE}.type WHEN 0 THEN 'UNKNOWN_PERMISSION_TYPE' WHEN 1 THEN 'ADMIN_WRITE' WHEN 2 THEN 'ADMIN_READ' WHEN 3 THEN 'DATA_WRITE' WHEN 4 THEN 'DATA_READ' END ;; + group_label: "principal" + label: "principal.user.attribute.permissions.type_enum_name" + view_label: "UDM" + description: "Type of the permission." 
+ } # dimension type_enum_name + +} # view events__principal__user__attribute__permissions + +view: events__principal__user__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "principal" + label: "principal.user.attribute.roles.description" + view_label: "UDM" + description: "System role description for user." + } # dimension description + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "principal" + label: "principal.user.attribute.roles.name" + view_label: "UDM" + description: "System role name for user." + } # dimension name + + dimension: type { + type: number + sql: ${TABLE}.type ;; + group_label: "principal" + label: "principal.user.attribute.roles.type" + view_label: "UDM" + description: "System role type for well known roles." + } # dimension type + + dimension: type_enum_name { + type: string + suggestions: ["ADMINISTRATOR", "SERVICE_ACCOUNT", "TYPE_UNSPECIFIED"] + sql: CASE ${TABLE}.type WHEN 0 THEN 'TYPE_UNSPECIFIED' WHEN 1 THEN 'ADMINISTRATOR' WHEN 2 THEN 'SERVICE_ACCOUNT' END ;; + group_label: "principal" + label: "principal.user.attribute.roles.type_enum_name" + view_label: "UDM" + description: "System role type for well known roles." + } # dimension type_enum_name + +} # view events__principal__user__attribute__roles + +view: events__principal__user__department { + dimension: events__principal__user__department { + type: string + sql: ${TABLE} ;; + group_label: "principal" + label: "principal.user.department" + view_label: "UDM" + description: "User job department" + } # dimension events__principal__user__department +} # view events__principal__user__department + +view: events__principal__user__email_addresses { + dimension: events__principal__user__email_addresses { + type: string + sql: ${TABLE} ;; + group_label: "principal" + label: "principal.user.email_addresses" + view_label: "UDM" + description: "Email addresses of the user." 
+ } # dimension events__principal__user__email_addresses +} # view events__principal__user__email_addresses + +view: events__principal__user__group_identifiers { + dimension: events__principal__user__group_identifiers { + type: string + sql: ${TABLE} ;; + group_label: "principal" + label: "principal.user.group_identifiers" + view_label: "UDM" + description: "Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar)." + } # dimension events__principal__user__group_identifiers +} # view events__principal__user__group_identifiers + +view: events__principal__user__managers__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "principal" + label: "principal.user.managers.attribute.labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "principal" + label: "principal.user.managers.attribute.labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view events__principal__user__managers__attribute__labels + +view: events__principal__user__managers__attribute__roles { + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "principal" + label: "principal.user.managers.attribute.roles.name" + view_label: "UDM" + description: "System role name for user." + } # dimension name + + dimension: type { + type: number + sql: ${TABLE}.type ;; + group_label: "principal" + label: "principal.user.managers.attribute.roles.type" + view_label: "UDM" + description: "System role type for well known roles." 
+ } # dimension type + + dimension: type_enum_name { + type: string + suggestions: ["ADMINISTRATOR", "SERVICE_ACCOUNT", "TYPE_UNSPECIFIED"] + sql: CASE ${TABLE}.type WHEN 0 THEN 'TYPE_UNSPECIFIED' WHEN 1 THEN 'ADMINISTRATOR' WHEN 2 THEN 'SERVICE_ACCOUNT' END ;; + group_label: "principal" + label: "principal.user.managers.attribute.roles.type_enum_name" + view_label: "UDM" + description: "System role type for well known roles." + } # dimension type_enum_name + +} # view events__principal__user__managers__attribute__roles + +view: events__principal__user__managers__department { + dimension: events__principal__user__managers__department { + type: string + sql: ${TABLE} ;; + group_label: "principal" + label: "principal.user.managers.department" + view_label: "UDM" + description: "User job department" + } # dimension events__principal__user__managers__department +} # view events__principal__user__managers__department + +view: events__principal__user__managers__email_addresses { + dimension: events__principal__user__managers__email_addresses { + type: string + sql: ${TABLE} ;; + group_label: "principal" + label: "principal.user.managers.email_addresses" + view_label: "UDM" + description: "Email addresses of the user." + } # dimension events__principal__user__managers__email_addresses +} # view events__principal__user__managers__email_addresses + +view: events__principal__user__managers__group_identifiers { + dimension: events__principal__user__managers__group_identifiers { + type: string + sql: ${TABLE} ;; + group_label: "principal" + label: "principal.user.managers.group_identifiers" + view_label: "UDM" + description: "Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar)." 
+ } # dimension events__principal__user__managers__group_identifiers +} # view events__principal__user__managers__group_identifiers + +view: events__principal__user__managers__phone_numbers { + dimension: events__principal__user__managers__phone_numbers { + type: string + sql: ${TABLE} ;; + group_label: "principal" + label: "principal.user.managers.phone_numbers" + view_label: "UDM" + description: "Phone numbers for the user." + } # dimension events__principal__user__managers__phone_numbers +} # view events__principal__user__managers__phone_numbers + +view: events__principal__user__managers { + dimension: attribute { + hidden: yes + } # dimension attribute + + dimension: attribute__labels { + hidden: yes + } # dimension attribute__labels + + dimension: attribute__roles { + hidden: yes + } # dimension attribute__roles + + dimension: company_name { + type: string + sql: ${TABLE}.company_name ;; + group_label: "principal" + label: "principal.user.managers.company_name" + view_label: "UDM" + description: "User job company name." + } # dimension company_name + + dimension: department { + hidden: yes + } # dimension department + + dimension: email_addresses { + hidden: yes + } # dimension email_addresses + + dimension: employee_id { + type: string + sql: ${TABLE}.employee_id ;; + group_label: "principal" + label: "principal.user.managers.employee_id" + view_label: "UDM" + description: "Human capital management identifier." + } # dimension employee_id + + dimension: first_name { + type: string + sql: ${TABLE}.first_name ;; + group_label: "principal" + label: "principal.user.managers.first_name" + view_label: "UDM" + description: "First name of the user (e.g. \"John\")." 
+ } # dimension first_name + + dimension: group_identifiers { + hidden: yes + } # dimension group_identifiers + + dimension: last_name { + type: string + sql: ${TABLE}.last_name ;; + group_label: "principal" + label: "principal.user.managers.last_name" + view_label: "UDM" + description: "Last name of the user (e.g. \"Locke\")." + } # dimension last_name + + dimension: personal_address { + hidden: yes + } # dimension personal_address + + dimension: personal_address__city { + type: string + sql: ${TABLE}.personal_address.city ;; + group_label: "principal" + label: "principal.user.managers.personal_address.city" + view_label: "UDM" + description: "The city." + } # dimension personal_address__city + + dimension: personal_address__country_or_region { + type: string + sql: ${TABLE}.personal_address.country_or_region ;; + group_label: "principal" + label: "principal.user.managers.personal_address.country_or_region" + view_label: "UDM" + description: "The country or region." + } # dimension personal_address__country_or_region + + dimension: personal_address__name { + type: string + sql: ${TABLE}.personal_address.name ;; + group_label: "principal" + label: "principal.user.managers.personal_address.name" + view_label: "UDM" + description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." + } # dimension personal_address__name + + dimension: personal_address__state { + type: string + sql: ${TABLE}.personal_address.state ;; + group_label: "principal" + label: "principal.user.managers.personal_address.state" + view_label: "UDM" + description: "The state." 
+ } # dimension personal_address__state + + dimension: phone_numbers { + hidden: yes + } # dimension phone_numbers + + dimension: product_object_id { + type: string + sql: ${TABLE}.product_object_id ;; + group_label: "principal" + label: "principal.user.managers.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." + } # dimension product_object_id + + dimension: title { + type: string + sql: ${TABLE}.title ;; + group_label: "principal" + label: "principal.user.managers.title" + view_label: "UDM" + description: "User job title." + } # dimension title + + dimension: user_display_name { + type: string + sql: ${TABLE}.user_display_name ;; + group_label: "principal" + label: "principal.user.managers.user_display_name" + view_label: "UDM" + description: "The display name of the user (e.g. \"John Locke\")." + } # dimension user_display_name + + dimension: userid { + type: string + sql: ${TABLE}.userid ;; + group_label: "principal" + label: "principal.user.managers.userid" + view_label: "UDM" + description: "The ID of the user." + } # dimension userid + + dimension: windows_sid { + type: string + sql: ${TABLE}.windows_sid ;; + group_label: "principal" + label: "principal.user.managers.windows_sid" + view_label: "UDM" + description: "The Microsoft Windows SID of the user." + } # dimension windows_sid + +} # view events__principal__user__managers + +view: events__principal__user__phone_numbers { + dimension: events__principal__user__phone_numbers { + type: string + sql: ${TABLE} ;; + group_label: "principal" + label: "principal.user.phone_numbers" + view_label: "UDM" + description: "Phone numbers for the user." 
+ } # dimension events__principal__user__phone_numbers +} # view events__principal__user__phone_numbers + +view: events__principal__user__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "principal" + label: "principal.user.time_off.description" + view_label: "UDM" + description: "Description of the leave if available (e.g. 'Vacation')." + } # dimension description + + dimension_group: principal__user__time_off__interval { + type: duration + intervals: [ second, minute, hour ] + sql_start: TIMESTAMP_MICROS(IFNULL(${TABLE}.interval.start_time.seconds,0) * 1000000 + CAST((IFNULL(${TABLE}.interval.start_time.nanos,0) / 1000) as INT64)) ;; + sql_end: TIMESTAMP_MICROS(IFNULL(${TABLE}.interval.end_time.seconds,0) * 1000000 + CAST((IFNULL(${TABLE}.interval.end_time.nanos,0) / 1000) as INT64)) ;; + group_label: "principal" + label: "principal.user.time_off.interval" + view_label: "UDM" + description: "Interval duration of the leave." + } # dimension principal__user__time_off__interval + +} # view events__principal__user__time_off + +view: events__security_result__about__asset__attribute__permissions { + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "security_result" + label: "security_result.about.asset.attribute.permissions.name" + view_label: "UDM" + description: "Name of the permission (e.g. chronicle.analyst.updateRule)." + } # dimension name + +} # view events__security_result__about__asset__attribute__permissions + +view: events__security_result__about__asset__ip { + dimension: events__security_result__about__asset__ip { + type: string + sql: ${TABLE} ;; + group_label: "security_result" + label: "security_result.about.asset.ip" + view_label: "UDM" + description: "A list of IP addresses associated with an asset." 
+ } # dimension events__security_result__about__asset__ip +} # view events__security_result__about__asset__ip + +view: events__security_result__about__asset__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "security_result" + group_item_label: "security_result.about.asset.labels.key [D]" + label: "security_result.about.asset.labels.key" + view_label: "UDM" + description: "The key. [D]: This field is deprecated and will be removed in a future release" + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "security_result" + group_item_label: "security_result.about.asset.labels.value [D]" + label: "security_result.about.asset.labels.value" + view_label: "UDM" + description: "The value. [D]: This field is deprecated and will be removed in a future release" + } # dimension value + +} # view events__security_result__about__asset__labels + +view: events__security_result__about__asset__mac { + dimension: events__security_result__about__asset__mac { + type: string + sql: ${TABLE} ;; + group_label: "security_result" + label: "security_result.about.asset.mac" + view_label: "UDM" + description: "List of MAC addresses associated with an asset." + } # dimension events__security_result__about__asset__mac +} # view events__security_result__about__asset__mac + +view: events__security_result__about__asset__software__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "security_result" + label: "security_result.about.asset.software.permissions.description" + view_label: "UDM" + description: "Description of the permission (e.g. 'Ability to update detect rules')." + } # dimension description + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "security_result" + label: "security_result.about.asset.software.permissions.name" + view_label: "UDM" + description: "Name of the permission (e.g. chronicle.analyst.updateRule)." 
+ } # dimension name + +} # view events__security_result__about__asset__software__permissions + +view: events__security_result__about__asset__software { + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "security_result" + label: "security_result.about.asset.software.name" + view_label: "UDM" + description: "The name of the software." + } # dimension name + + dimension: permissions { + hidden: yes + } # dimension permissions + + dimension: version { + type: string + sql: ${TABLE}.version ;; + group_label: "security_result" + label: "security_result.about.asset.software.version" + view_label: "UDM" + description: "The version of the software." + } # dimension version + +} # view events__security_result__about__asset__software + +view: events__security_result__about__asset__vulnerabilities { + dimension: cvss_base_score { + type: number + sql: ${TABLE}.cvss_base_score ;; + group_label: "security_result" + label: "security_result.about.asset.vulnerabilities.cvss_base_score" + view_label: "UDM" + description: "CVSS Base Score in the range of 0.0 to 10.0. Useful for sorting." + } # dimension cvss_base_score + +} # view events__security_result__about__asset__vulnerabilities + +view: events__security_result__about__domain__tech__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "security_result" + label: "security_result.about.domain.tech.attribute.permissions.description" + view_label: "UDM" + description: "Description of the permission (e.g. 'Ability to update detect rules')." 
+ } # dimension description + +} # view events__security_result__about__domain__tech__attribute__permissions + +view: events__security_result__about__file__capabilities_tags { + dimension: events__security_result__about__file__capabilities_tags { + type: string + sql: ${TABLE} ;; + group_label: "security_result" + label: "security_result.about.file.capabilities_tags" + view_label: "UDM" + description: "Capabilities tags." + } # dimension events__security_result__about__file__capabilities_tags +} # view events__security_result__about__file__capabilities_tags + +view: events__security_result__about__file__names { + dimension: events__security_result__about__file__names { + type: string + sql: ${TABLE} ;; + group_label: "security_result" + label: "security_result.about.file.names" + view_label: "UDM" + description: "Names fields." + } # dimension events__security_result__about__file__names +} # view events__security_result__about__file__names + +view: events__security_result__about__investigation__comments { + dimension: events__security_result__about__investigation__comments { + type: string + sql: ${TABLE} ;; + group_label: "security_result" + label: "security_result.about.investigation.comments" + view_label: "UDM" + description: "Comment added by the Analyst." + } # dimension events__security_result__about__investigation__comments +} # view events__security_result__about__investigation__comments + +view: events__security_result__about__ip { + dimension: events__security_result__about__ip { + type: string + sql: ${TABLE} ;; + group_label: "security_result" + label: "security_result.about.ip" + view_label: "UDM" + description: "A list of IP addresses associated with a network connection." 
+ } # dimension events__security_result__about__ip +} # view events__security_result__about__ip + +view: events__security_result__about__ip_location { + dimension: country_or_region { + type: string + sql: ${TABLE}.country_or_region ;; + group_label: "security_result" + group_item_label: "security_result.about.ip_location.country_or_region [D]" + label: "security_result.about.ip_location.country_or_region" + view_label: "UDM" + description: "The country or region. [D]: This field is deprecated and will be removed in a future release" + } # dimension country_or_region + +} # view events__security_result__about__ip_location + +view: events__security_result__about__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "security_result" + group_item_label: "security_result.about.labels.key [D]" + label: "security_result.about.labels.key" + view_label: "UDM" + description: "The key. [D]: This field is deprecated and will be removed in a future release" + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "security_result" + group_item_label: "security_result.about.labels.value [D]" + label: "security_result.about.labels.value" + view_label: "UDM" + description: "The value. [D]: This field is deprecated and will be removed in a future release" + } # dimension value + +} # view events__security_result__about__labels + +view: events__security_result__about__mac { + dimension: events__security_result__about__mac { + type: string + sql: ${TABLE} ;; + group_label: "security_result" + label: "security_result.about.mac" + view_label: "UDM" + description: "List of MAC addresses associated with a device." 
+ } # dimension events__security_result__about__mac +} # view events__security_result__about__mac + +view: events__security_result__about__nat_ip { + dimension: events__security_result__about__nat_ip { + type: string + sql: ${TABLE} ;; + group_label: "security_result" + label: "security_result.about.nat_ip" + view_label: "UDM" + description: "A list of NAT translated IP addresses associated with a network connection." + } # dimension events__security_result__about__nat_ip +} # view events__security_result__about__nat_ip + +view: events__security_result__about__process__command_line_history { + dimension: events__security_result__about__process__command_line_history { + type: string + sql: ${TABLE} ;; + group_label: "security_result" + label: "security_result.about.process.command_line_history" + view_label: "UDM" + description: "The command line history of the process." + } # dimension events__security_result__about__process__command_line_history +} # view events__security_result__about__process__command_line_history + +view: events__security_result__about__resource__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "security_result" + label: "security_result.about.resource.attribute.labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "security_result" + label: "security_result.about.resource.attribute.labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view events__security_result__about__resource__attribute__labels + +view: events__security_result__about__resource_ancestors { + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "security_result" + label: "security_result.about.resource_ancestors.name" + view_label: "UDM" + description: "The full name of the resource. 
For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." + } # dimension name + + dimension: product_object_id { + type: string + sql: ${TABLE}.product_object_id ;; + group_label: "security_result" + label: "security_result.about.resource_ancestors.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" + } # dimension product_object_id + + dimension: resource_type { + type: number + sql: ${TABLE}.resource_type ;; + group_label: "security_result" + label: "security_result.about.resource_ancestors.resource_type" + view_label: "UDM" + description: "Resource type." + } # dimension resource_type + + dimension: resource_type_enum_name { + type: string + suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] + sql: CASE ${TABLE}.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; + group_label: "security_result" + label: "security_result.about.resource_ancestors.resource_type_enum_name" + view_label: "UDM" + description: "Resource type." 
+ } # dimension resource_type_enum_name + +} # view events__security_result__about__resource_ancestors + +view: events__security_result__about__user__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "security_result" + label: "security_result.about.user.attribute.labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "security_result" + label: "security_result.about.user.attribute.labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view events__security_result__about__user__attribute__labels + +view: events__security_result__about__user__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "security_result" + label: "security_result.about.user.attribute.roles.description" + view_label: "UDM" + description: "System role description for user." + } # dimension description + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "security_result" + label: "security_result.about.user.attribute.roles.name" + view_label: "UDM" + description: "System role name for user." + } # dimension name + +} # view events__security_result__about__user__attribute__roles + +view: events__security_result__about__user__email_addresses { + dimension: events__security_result__about__user__email_addresses { + type: string + sql: ${TABLE} ;; + group_label: "security_result" + label: "security_result.about.user.email_addresses" + view_label: "UDM" + description: "Email addresses of the user." 
+ } # dimension events__security_result__about__user__email_addresses +} # view events__security_result__about__user__email_addresses + +view: events__security_result__about__user__group_identifiers { + dimension: events__security_result__about__user__group_identifiers { + type: string + sql: ${TABLE} ;; + group_label: "security_result" + label: "security_result.about.user.group_identifiers" + view_label: "UDM" + description: "Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar)." + } # dimension events__security_result__about__user__group_identifiers +} # view events__security_result__about__user__group_identifiers + +view: events__security_result__about__user_management_chain { + dimension: userid { + type: string + sql: ${TABLE}.userid ;; + group_label: "security_result" + label: "security_result.about.user_management_chain.userid" + view_label: "UDM" + description: "The ID of the user." + } # dimension userid + +} # view events__security_result__about__user_management_chain + +view: events__security_result__action { + dimension: events__security_result__action { + type: number + sql: ${TABLE} ;; + group_label: "security_result" + label: "security_result.action" + view_label: "UDM" + description: "Actions taken for this event." 
+ } # dimension events__security_result__action +} # view events__security_result__action + +view: events__security_result__action_enum_name { + dimension: events__security_result__action_enum_name { + type: string + suggestions: ["ALLOW", "ALLOW_WITH_MODIFICATION", "BLOCK", "CHALLENGE", "FAIL", "QUARANTINE", "UNKNOWN_ACTION"] + sql: CASE ${TABLE} WHEN 0 THEN 'UNKNOWN_ACTION' WHEN 1 THEN 'ALLOW' WHEN 2 THEN 'BLOCK' WHEN 3 THEN 'ALLOW_WITH_MODIFICATION' WHEN 4 THEN 'QUARANTINE' WHEN 5 THEN 'FAIL' WHEN 6 THEN 'CHALLENGE' END ;; + group_label: "security_result" + label: "security_result.action_enum_name" + view_label: "UDM" + description: "Actions taken for this event." + } # dimension events__security_result__action_enum_name +} # view events__security_result__action_enum_name + +view: events__security_result__attack_details__tactics { + dimension: id { + type: string + sql: ${TABLE}.id ;; + group_label: "security_result" + label: "security_result.attack_details.tactics.id" + view_label: "UDM" + description: "Tactic ID (e.g. \"TA0043\")." + } # dimension id + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "security_result" + label: "security_result.attack_details.tactics.name" + view_label: "UDM" + description: "Tactic Name (e.g. \"Reconnaissance\")" + } # dimension name + +} # view events__security_result__attack_details__tactics + +view: events__security_result__attack_details__techniques { + dimension: id { + type: string + sql: ${TABLE}.id ;; + group_label: "security_result" + label: "security_result.attack_details.techniques.id" + view_label: "UDM" + description: "Technique ID (e.g. \"T1595\")." + } # dimension id + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "security_result" + label: "security_result.attack_details.techniques.name" + view_label: "UDM" + description: "Technique Name (e.g. \"Active Scanning\")." 
+ } # dimension name + + dimension: subtechnique_id { + type: string + sql: ${TABLE}.subtechnique_id ;; + group_label: "security_result" + label: "security_result.attack_details.techniques.subtechnique_id" + view_label: "UDM" + description: "Subtechnique ID (e.g. \"T1595.001\")." + } # dimension subtechnique_id + + dimension: subtechnique_name { + type: string + sql: ${TABLE}.subtechnique_name ;; + group_label: "security_result" + label: "security_result.attack_details.techniques.subtechnique_name" + view_label: "UDM" + description: "Subtechnique Name (e.g. \"Scanning IP Blocks\")." + } # dimension subtechnique_name + +} # view events__security_result__attack_details__techniques + +view: events__security_result__category { + dimension: events__security_result__category { + type: number + sql: ${TABLE} ;; + group_label: "security_result" + label: "security_result.category" + view_label: "UDM" + description: "The security category." + } # dimension events__security_result__category +} # view events__security_result__category + +view: events__security_result__category_enum_name { + dimension: events__security_result__category_enum_name { + type: string + suggestions: ["ACL_VIOLATION", "AUTH_VIOLATION", "DATA_AT_REST", "DATA_DESTRUCTION", "DATA_EXFILTRATION", "EXPLOIT", "MAIL_PHISHING", "MAIL_SPAM", "MAIL_SPOOFING", "NETWORK_CATEGORIZED_CONTENT", "NETWORK_COMMAND_AND_CONTROL", "NETWORK_DENIAL_OF_SERVICE", "NETWORK_MALICIOUS", "NETWORK_RECON", "NETWORK_SUSPICIOUS", "PHISHING", "POLICY_VIOLATION", "SOCIAL_ENGINEERING", "SOFTWARE_MALICIOUS", "SOFTWARE_PUA", "SOFTWARE_SUSPICIOUS", "TOR_EXIT_NODE", "UNKNOWN_CATEGORY"] + sql: CASE ${TABLE} WHEN 0 THEN 'UNKNOWN_CATEGORY' WHEN 10000 THEN 'SOFTWARE_MALICIOUS' WHEN 10100 THEN 'SOFTWARE_SUSPICIOUS' WHEN 10200 THEN 'SOFTWARE_PUA' WHEN 20000 THEN 'NETWORK_MALICIOUS' WHEN 20100 THEN 'NETWORK_SUSPICIOUS' WHEN 20200 THEN 'NETWORK_CATEGORIZED_CONTENT' WHEN 20300 THEN 'NETWORK_DENIAL_OF_SERVICE' WHEN 20400 THEN 'NETWORK_RECON' WHEN 
20500 THEN 'NETWORK_COMMAND_AND_CONTROL' WHEN 30000 THEN 'ACL_VIOLATION' WHEN 40000 THEN 'AUTH_VIOLATION' WHEN 50000 THEN 'EXPLOIT' WHEN 60000 THEN 'DATA_EXFILTRATION' WHEN 60100 THEN 'DATA_AT_REST' WHEN 60200 THEN 'DATA_DESTRUCTION' WHEN 60300 THEN 'TOR_EXIT_NODE' WHEN 70000 THEN 'MAIL_SPAM' WHEN 70100 THEN 'MAIL_PHISHING' WHEN 70200 THEN 'MAIL_SPOOFING' WHEN 80000 THEN 'POLICY_VIOLATION' WHEN 90001 THEN 'SOCIAL_ENGINEERING' WHEN 90002 THEN 'PHISHING' END ;; + group_label: "security_result" + label: "security_result.category_enum_name" + view_label: "UDM" + description: "The security category." + } # dimension events__security_result__category_enum_name +} # view events__security_result__category_enum_name + +view: events__security_result__category_details { + dimension: events__security_result__category_details { + type: string + sql: ${TABLE} ;; + group_label: "security_result" + label: "security_result.category_details" + view_label: "UDM" + description: "For vendor-specific categories. For web categorization, put type in here such as \"gambling\", \"porn\", etc." + } # dimension events__security_result__category_details +} # view events__security_result__category_details + +view: events__security_result__detection_fields { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "security_result" + label: "security_result.detection_fields.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: source { + type: string + sql: ${TABLE}.source ;; + group_label: "security_result" + label: "security_result.detection_fields.source" + view_label: "UDM" + description: "@hide_from_doc" + } # dimension source + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "security_result" + label: "security_result.detection_fields.value" + view_label: "UDM" + description: "The value." 
+ } # dimension value + +} # view events__security_result__detection_fields + +view: events__security_result__outcomes { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "security_result" + label: "security_result.outcomes.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "security_result" + label: "security_result.outcomes.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view events__security_result__outcomes + +view: events__security_result__rule_labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "security_result" + label: "security_result.rule_labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "security_result" + label: "security_result.rule_labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view events__security_result__rule_labels + +view: events__security_result { + dimension: about { + hidden: yes + } # dimension about + + dimension: about__administrative_domain { + type: string + sql: ${TABLE}.about.administrative_domain ;; + group_label: "security_result" + label: "security_result.about.administrative_domain" + view_label: "UDM" + description: "Domain which the device belongs to (for example, the Microsoft Windows domain)." + } # dimension about__administrative_domain + + dimension: about__application { + type: string + sql: ${TABLE}.about.application ;; + group_label: "security_result" + label: "security_result.about.application" + view_label: "UDM" + description: "The name of an application or service. Some SSO solutions only capture the name of a target application such as \"Atlassian\" or \"Chronicle\"." 
+ } # dimension about__application + + dimension: about__artifact { + hidden: yes + } # dimension about__artifact + + dimension_group: security_result__about__artifact__first_seen_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.about.artifact.first_seen_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.about.artifact.first_seen_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "security_result" + label: "security_result.about.artifact.first_seen_time" + view_label: "UDM" + description: "First seen timestamp of the IP in the customer's environment." + } # dimension security_result__about__artifact__first_seen_time + + dimension_group: security_result__about__artifact__last_seen_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.about.artifact.last_seen_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.about.artifact.last_seen_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "security_result" + label: "security_result.about.artifact.last_seen_time" + view_label: "UDM" + description: "Last seen timestamp of the IP address in the customer's environment." + } # dimension security_result__about__artifact__last_seen_time + + dimension: about__asset { + hidden: yes + } # dimension about__asset + + dimension: about__asset__asset_id { + type: string + sql: ${TABLE}.about.asset.asset_id ;; + group_label: "security_result" + label: "security_result.about.asset.asset_id" + view_label: "UDM" + description: "The asset ID." 
+ } # dimension about__asset__asset_id + + dimension: about__asset__attribute { + hidden: yes + } # dimension about__asset__attribute + + dimension: about__asset__attribute__cloud { + hidden: yes + } # dimension about__asset__attribute__cloud + + dimension: about__asset__attribute__cloud__availability_zone { + type: string + sql: ${TABLE}.about.asset.attribute.cloud.availability_zone ;; + group_label: "security_result" + label: "security_result.about.asset.attribute.cloud.availability_zone" + view_label: "UDM" + description: "The cloud environment availability zone (different from region which is location.name)." + } # dimension about__asset__attribute__cloud__availability_zone + + dimension: about__asset__attribute__cloud__environment { + type: number + sql: ${TABLE}.about.asset.attribute.cloud.environment ;; + group_label: "security_result" + label: "security_result.about.asset.attribute.cloud.environment" + view_label: "UDM" + description: "The Cloud environment." + } # dimension about__asset__attribute__cloud__environment + + dimension: about__asset__attribute__cloud__environment_enum_name { + type: string + suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] + sql: CASE ${TABLE}.about.asset.attribute.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; + group_label: "security_result" + label: "security_result.about.asset.attribute.cloud.environment_enum_name" + view_label: "UDM" + description: "The Cloud environment." 
+ } # dimension about__asset__attribute__cloud__environment_enum_name + + dimension: about__asset__attribute__cloud__project { + hidden: yes + } # dimension about__asset__attribute__cloud__project + + dimension: about__asset__attribute__cloud__project__id { + type: string + sql: ${TABLE}.about.asset.attribute.cloud.project.id ;; + group_label: "security_result" + group_item_label: "security_result.about.asset.attribute.cloud.project.id [D]" + label: "security_result.about.asset.attribute.cloud.project.id" + view_label: "UDM" + description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" + } # dimension about__asset__attribute__cloud__project__id + + dimension: about__asset__attribute__cloud__project__name { + type: string + sql: ${TABLE}.about.asset.attribute.cloud.project.name ;; + group_label: "security_result" + group_item_label: "security_result.about.asset.attribute.cloud.project.name [D]" + label: "security_result.about.asset.attribute.cloud.project.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension about__asset__attribute__cloud__project__name + + dimension: about__asset__attribute__cloud__project__product_object_id { + type: string + sql: ${TABLE}.about.asset.attribute.cloud.project.product_object_id ;; + group_label: "security_result" + group_item_label: "security_result.about.asset.attribute.cloud.project.product_object_id [D]" + label: "security_result.about.asset.attribute.cloud.project.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" + } # dimension about__asset__attribute__cloud__project__product_object_id + + dimension: about__asset__attribute__cloud__project__resource_type { + type: number + sql: ${TABLE}.about.asset.attribute.cloud.project.resource_type ;; + group_label: "security_result" + group_item_label: "security_result.about.asset.attribute.cloud.project.resource_type [D]" + label: "security_result.about.asset.attribute.cloud.project.resource_type" + view_label: "UDM" + description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension about__asset__attribute__cloud__project__resource_type + + dimension: about__asset__attribute__cloud__project__resource_type_enum_name { + type: string + suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] + sql: CASE ${TABLE}.about.asset.attribute.cloud.project.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; + group_label: "security_result" + group_item_label: "security_result.about.asset.attribute.cloud.project.resource_type_enum_name [D]" + label: "security_result.about.asset.attribute.cloud.project.resource_type_enum_name" + view_label: "UDM" + description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension about__asset__attribute__cloud__project__resource_type_enum_name + + dimension_group: security_result__about__asset__attribute__creation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.about.asset.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.about.asset.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "security_result" + label: "security_result.about.asset.attribute.creation_time" + view_label: "UDM" + description: "Time the resource or entity was created or provisioned." + } # dimension security_result__about__asset__attribute__creation_time + + dimension_group: security_result__about__asset__attribute__last_update_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.about.asset.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.about.asset.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "security_result" + label: "security_result.about.asset.attribute.last_update_time" + view_label: "UDM" + description: "Time the resource or entity was last updated." + } # dimension security_result__about__asset__attribute__last_update_time + + dimension: about__asset__attribute__permissions { + hidden: yes + } # dimension about__asset__attribute__permissions + + dimension: about__asset__category { + type: string + sql: ${TABLE}.about.asset.category ;; + group_label: "security_result" + label: "security_result.about.asset.category" + view_label: "UDM" + description: "The category of the asset (e.g. \"End User Asset\", \"Workstation\", \"Server\")." 
+ } # dimension about__asset__category + + dimension: about__asset__hostname { + type: string + sql: ${TABLE}.about.asset.hostname ;; + group_label: "security_result" + label: "security_result.about.asset.hostname" + view_label: "UDM" + description: "Asset hostname or domain name field." + } # dimension about__asset__hostname + + dimension: about__asset__ip { + hidden: yes + } # dimension about__asset__ip + + dimension: about__asset__labels { + hidden: yes + } # dimension about__asset__labels + + dimension: about__asset__location { + hidden: yes + } # dimension about__asset__location + + dimension: about__asset__location__city { + type: string + sql: ${TABLE}.about.asset.location.city ;; + group_label: "security_result" + label: "security_result.about.asset.location.city" + view_label: "UDM" + description: "The city." + } # dimension about__asset__location__city + + dimension: about__asset__location__country_or_region { + type: string + sql: ${TABLE}.about.asset.location.country_or_region ;; + group_label: "security_result" + label: "security_result.about.asset.location.country_or_region" + view_label: "UDM" + description: "The country or region." + } # dimension about__asset__location__country_or_region + + dimension: about__asset__location__state { + type: string + sql: ${TABLE}.about.asset.location.state ;; + group_label: "security_result" + label: "security_result.about.asset.location.state" + view_label: "UDM" + description: "The state." + } # dimension about__asset__location__state + + dimension: about__asset__mac { + hidden: yes + } # dimension about__asset__mac + + dimension: about__asset__product_object_id { + type: string + sql: ${TABLE}.about.asset.product_object_id ;; + group_label: "security_result" + label: "security_result.about.asset.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID or similar)." 
+ } # dimension about__asset__product_object_id + + dimension: about__asset__software { + hidden: yes + } # dimension about__asset__software + + dimension: about__asset__vulnerabilities { + hidden: yes + } # dimension about__asset__vulnerabilities + + dimension: about__asset_id { + type: string + sql: ${TABLE}.about.asset_id ;; + group_label: "security_result" + label: "security_result.about.asset_id" + view_label: "UDM" + description: "The asset ID." + } # dimension about__asset_id + + dimension: about__cloud { + hidden: yes + } # dimension about__cloud + + dimension: about__cloud__availability_zone { + type: string + sql: ${TABLE}.about.cloud.availability_zone ;; + group_label: "security_result" + group_item_label: "security_result.about.cloud.availability_zone [D]" + label: "security_result.about.cloud.availability_zone" + view_label: "UDM" + description: "The cloud environment availability zone (different from region which is location.name). [D]: This field is deprecated and will be removed in a future release" + } # dimension about__cloud__availability_zone + + dimension: about__cloud__project { + hidden: yes + } # dimension about__cloud__project + + dimension: about__cloud__project__id { + type: string + sql: ${TABLE}.about.cloud.project.id ;; + group_label: "security_result" + group_item_label: "security_result.about.cloud.project.id [D]" + label: "security_result.about.cloud.project.id" + view_label: "UDM" + description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" + } # dimension about__cloud__project__id + + dimension: about__cloud__project__name { + type: string + sql: ${TABLE}.about.cloud.project.name ;; + group_label: "security_result" + group_item_label: "security_result.about.cloud.project.name [D]" + label: "security_result.about.cloud.project.name" + view_label: "UDM" + description: "The full name of the resource. 
For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" + } # dimension about__cloud__project__name + + dimension: about__cloud__project__parent { + type: string + sql: ${TABLE}.about.cloud.project.parent ;; + group_label: "security_result" + group_item_label: "security_result.about.cloud.project.parent [D]" + label: "security_result.about.cloud.project.parent" + view_label: "UDM" + description: "The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: use resource_ancestors.name. [D]: This field is deprecated and will be removed in a future release" + } # dimension about__cloud__project__parent + + dimension: about__cloud__project__product_object_id { + type: string + sql: ${TABLE}.about.cloud.project.product_object_id ;; + group_label: "security_result" + group_item_label: "security_result.about.cloud.project.product_object_id [D]" + label: "security_result.about.cloud.project.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" + } # dimension about__cloud__project__product_object_id + + dimension: about__domain { + hidden: yes + } # dimension about__domain + + dimension: about__domain__admin { + hidden: yes + } # dimension about__domain__admin + + dimension: about__domain__admin__userid { + type: string + sql: ${TABLE}.about.domain.admin.userid ;; + group_label: "security_result" + label: "security_result.about.domain.admin.userid" + view_label: "UDM" + description: "The ID of the user." 
+ } # dimension about__domain__admin__userid + + dimension: about__domain__registrant { + hidden: yes + } # dimension about__domain__registrant + + dimension: about__domain__registrant__role_description { + type: string + sql: ${TABLE}.about.domain.registrant.role_description ;; + group_label: "security_result" + group_item_label: "security_result.about.domain.registrant.role_description [D]" + label: "security_result.about.domain.registrant.role_description" + view_label: "UDM" + description: "System role description for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" + } # dimension about__domain__registrant__role_description + + dimension: about__domain__tech { + hidden: yes + } # dimension about__domain__tech + + dimension: about__domain__tech__attribute { + hidden: yes + } # dimension about__domain__tech__attribute + + dimension: about__domain__tech__attribute__permissions { + hidden: yes + } # dimension about__domain__tech__attribute__permissions + + dimension: about__email { + type: string + sql: ${TABLE}.about.email ;; + group_label: "security_result" + label: "security_result.about.email" + view_label: "UDM" + description: "Email address. Only filled in for security_result.about" + } # dimension about__email + + dimension: about__file { + hidden: yes + } # dimension about__file + + dimension: about__file__ahash { + type: string + sql: ${TABLE}.about.file.ahash ;; + group_label: "security_result" + group_item_label: "security_result.about.file.ahash [D]" + label: "security_result.about.file.ahash" + view_label: "UDM" + description: "Deprecated. Use authentihash instead. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension about__file__ahash + + dimension: about__file__capabilities_tags { + hidden: yes + } # dimension about__file__capabilities_tags + + dimension: about__file__full_path { + type: string + sql: ${TABLE}.about.file.full_path ;; + group_label: "security_result" + label: "security_result.about.file.full_path" + view_label: "UDM" + description: "The full path identifying the location of the file on the system." + } # dimension about__file__full_path + + dimension_group: security_result__about__file__last_modification_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.about.file.last_modification_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.about.file.last_modification_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "security_result" + label: "security_result.about.file.last_modification_time" + view_label: "UDM" + description: "Timestamp when the file was last updated." + } # dimension security_result__about__file__last_modification_time + + dimension: about__file__md5 { + type: string + sql: ${TABLE}.about.file.md5 ;; + group_label: "security_result" + label: "security_result.about.file.md5" + view_label: "UDM" + description: "The MD5 hash of the file." + } # dimension about__file__md5 + + dimension: about__file__mime_type { + type: string + sql: ${TABLE}.about.file.mime_type ;; + group_label: "security_result" + label: "security_result.about.file.mime_type" + view_label: "UDM" + description: "The MIME (Multipurpose Internet Mail Extensions) type of the file, for example \"PE\", \"PDF\", \"powershell script\", etc." 
+ } # dimension about__file__mime_type + + dimension: about__file__names { + hidden: yes + } # dimension about__file__names + + dimension: about__file__sha1 { + type: string + sql: ${TABLE}.about.file.sha1 ;; + group_label: "security_result" + label: "security_result.about.file.sha1" + view_label: "UDM" + description: "The SHA1 hash of the file." + } # dimension about__file__sha1 + + dimension: about__file__sha256 { + type: string + sql: ${TABLE}.about.file.sha256 ;; + group_label: "security_result" + label: "security_result.about.file.sha256" + view_label: "UDM" + description: "The SHA256 hash of the file." + } # dimension about__file__sha256 + + dimension: about__file__size { + type: number + sql: ${TABLE}.about.file.size ;; + group_label: "security_result" + label: "security_result.about.file.size" + view_label: "UDM" + description: "The size of the file in bytes." + } # dimension about__file__size + + dimension: about__file__ssdeep { + type: string + sql: ${TABLE}.about.file.ssdeep ;; + group_label: "security_result" + label: "security_result.about.file.ssdeep" + view_label: "UDM" + description: "Ssdeep of the file" + } # dimension about__file__ssdeep + + dimension: about__group { + hidden: yes + } # dimension about__group + + dimension: about__group__group_display_name { + type: string + sql: ${TABLE}.about.group.group_display_name ;; + group_label: "security_result" + label: "security_result.about.group.group_display_name" + view_label: "UDM" + description: "Group display name. e.g. \"Finance\"." + } # dimension about__group__group_display_name + + dimension: about__group__product_object_id { + type: string + sql: ${TABLE}.about.group.product_object_id ;; + group_label: "security_result" + label: "security_result.about.group.product_object_id" + view_label: "UDM" + description: "Product globally unique user object identifier, such as an LDAP Object Identifier." 
+ } # dimension about__group__product_object_id + + dimension: about__hostname { + type: string + sql: ${TABLE}.about.hostname ;; + group_label: "security_result" + label: "security_result.about.hostname" + view_label: "UDM" + description: "Client hostname or domain name field. Hostname also doubles as the domain for remote entities." + } # dimension about__hostname + + dimension: about__investigation { + hidden: yes + } # dimension about__investigation + + dimension: about__investigation__comments { + hidden: yes + } # dimension about__investigation__comments + + dimension: about__investigation__risk_score { + type: number + sql: ${TABLE}.about.investigation.risk_score ;; + group_label: "security_result" + label: "security_result.about.investigation.risk_score" + view_label: "UDM" + description: "Risk score for a finding set by an analyst." + } # dimension about__investigation__risk_score + + dimension: about__investigation__root_cause { + type: string + sql: ${TABLE}.about.investigation.root_cause ;; + group_label: "security_result" + label: "security_result.about.investigation.root_cause" + view_label: "UDM" + description: "Root cause of the Alert or Finding set by analyst." + } # dimension about__investigation__root_cause + + dimension: about__investigation__severity_score { + type: number + sql: ${TABLE}.about.investigation.severity_score ;; + group_label: "security_result" + label: "security_result.about.investigation.severity_score" + view_label: "UDM" + description: "Severity score for a finding set by an analyst." + } # dimension about__investigation__severity_score + + dimension: about__investigation__status { + type: number + sql: ${TABLE}.about.investigation.status ;; + group_label: "security_result" + label: "security_result.about.investigation.status" + view_label: "UDM" + description: "Describes the workflow status of a finding." 
+ } # dimension about__investigation__status + + dimension: about__investigation__status_enum_name { + type: string + suggestions: ["CLOSED", "NEW", "OPEN", "REVIEWED", "STATUS_UNSPECIFIED"] + sql: CASE ${TABLE}.about.investigation.status WHEN 0 THEN 'STATUS_UNSPECIFIED' WHEN 1 THEN 'NEW' WHEN 2 THEN 'REVIEWED' WHEN 3 THEN 'CLOSED' WHEN 4 THEN 'OPEN' END ;; + group_label: "security_result" + label: "security_result.about.investigation.status_enum_name" + view_label: "UDM" + description: "Describes the workflow status of a finding." + } # dimension about__investigation__status_enum_name + + dimension: about__investigation__verdict { + type: number + sql: ${TABLE}.about.investigation.verdict ;; + group_label: "security_result" + label: "security_result.about.investigation.verdict" + view_label: "UDM" + description: "Describes reason a finding investigation was resolved." + } # dimension about__investigation__verdict + + dimension: about__investigation__verdict_enum_name { + type: string + suggestions: ["FALSE_POSITIVE", "TRUE_POSITIVE", "VERDICT_UNSPECIFIED"] + sql: CASE ${TABLE}.about.investigation.verdict WHEN 0 THEN 'VERDICT_UNSPECIFIED' WHEN 1 THEN 'TRUE_POSITIVE' WHEN 2 THEN 'FALSE_POSITIVE' END ;; + group_label: "security_result" + label: "security_result.about.investigation.verdict_enum_name" + view_label: "UDM" + description: "Describes reason a finding investigation was resolved." + } # dimension about__investigation__verdict_enum_name + + dimension: about__ip { + hidden: yes + } # dimension about__ip + + dimension: about__ip_location { + hidden: yes + } # dimension about__ip_location + + dimension: about__labels { + hidden: yes + } # dimension about__labels + + dimension: about__location { + hidden: yes + } # dimension about__location + + dimension: about__location__city { + type: string + sql: ${TABLE}.about.location.city ;; + group_label: "security_result" + label: "security_result.about.location.city" + view_label: "UDM" + description: "The city." 
+ } # dimension about__location__city + + dimension: about__location__country_or_region { + type: string + sql: ${TABLE}.about.location.country_or_region ;; + group_label: "security_result" + label: "security_result.about.location.country_or_region" + view_label: "UDM" + description: "The country or region." + } # dimension about__location__country_or_region + + dimension: about__location__name { + type: string + sql: ${TABLE}.about.location.name ;; + group_label: "security_result" + label: "security_result.about.location.name" + view_label: "UDM" + description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." + } # dimension about__location__name + + dimension: about__location__state { + type: string + sql: ${TABLE}.about.location.state ;; + group_label: "security_result" + label: "security_result.about.location.state" + view_label: "UDM" + description: "The state." + } # dimension about__location__state + + dimension: about__mac { + hidden: yes + } # dimension about__mac + + dimension: about__namespace { + type: string + sql: ${TABLE}.about.namespace ;; + group_label: "security_result" + label: "security_result.about.namespace" + view_label: "UDM" + description: "Namespace which the device belongs to (e.g. AD forest) Uses for this field include Microsoft Windows AD forest, name of subsidiary or acquisition, etc." + } # dimension about__namespace + + dimension: about__nat_ip { + hidden: yes + } # dimension about__nat_ip + + dimension: about__object_reference { + hidden: yes + } # dimension about__object_reference + + dimension: about__object_reference__id { + type: string + sql: ${TABLE}.about.object_reference.id ;; + group_label: "security_result" + label: "security_result.about.object_reference.id" + view_label: "UDM" + description: "Full raw ID." 
+ } # dimension about__object_reference__id + + dimension: about__platform { + type: number + sql: ${TABLE}.about.platform ;; + group_label: "security_result" + label: "security_result.about.platform" + view_label: "UDM" + description: "Platform." + } # dimension about__platform + + dimension: about__platform_enum_name { + type: string + suggestions: ["ANDROID", "AWS", "AZURE", "CHROME_OS", "GCP", "IOS", "LINUX", "MAC", "UNKNOWN_PLATFORM", "WINDOWS"] + sql: CASE ${TABLE}.about.platform WHEN 0 THEN 'UNKNOWN_PLATFORM' WHEN 1 THEN 'WINDOWS' WHEN 2 THEN 'MAC' WHEN 3 THEN 'LINUX' WHEN 4 THEN 'GCP' WHEN 5 THEN 'AWS' WHEN 6 THEN 'AZURE' WHEN 7 THEN 'IOS' WHEN 8 THEN 'ANDROID' WHEN 9 THEN 'CHROME_OS' END ;; + group_label: "security_result" + label: "security_result.about.platform_enum_name" + view_label: "UDM" + description: "Platform." + } # dimension about__platform_enum_name + + dimension: about__platform_version { + type: string + sql: ${TABLE}.about.platform_version ;; + group_label: "security_result" + label: "security_result.about.platform_version" + view_label: "UDM" + description: "Platform version. For example, \"Microsoft Windows 1803\"." + } # dimension about__platform_version + + dimension: about__port { + type: number + value_format: "#" + sql: ${TABLE}.about.port ;; + group_label: "security_result" + label: "security_result.about.port" + view_label: "UDM" + description: "Source or destination network port number when a specific network connection is described within an event." + } # dimension about__port + + dimension: about__process { + hidden: yes + } # dimension about__process + + dimension: about__process__command_line { + type: string + sql: ${TABLE}.about.process.command_line ;; + group_label: "security_result" + label: "security_result.about.process.command_line" + view_label: "UDM" + description: "The command line command that created the process." 
+ } # dimension about__process__command_line + + dimension: about__process__command_line_history { + hidden: yes + } # dimension about__process__command_line_history + + dimension: about__process__file { + hidden: yes + } # dimension about__process__file + + dimension: about__process__file__full_path { + type: string + sql: ${TABLE}.about.process.file.full_path ;; + group_label: "security_result" + label: "security_result.about.process.file.full_path" + view_label: "UDM" + description: "The full path identifying the location of the file on the system." + } # dimension about__process__file__full_path + + dimension: about__process__file__md5 { + type: string + sql: ${TABLE}.about.process.file.md5 ;; + group_label: "security_result" + label: "security_result.about.process.file.md5" + view_label: "UDM" + description: "The MD5 hash of the file." + } # dimension about__process__file__md5 + + dimension: about__process__file__sha256 { + type: string + sql: ${TABLE}.about.process.file.sha256 ;; + group_label: "security_result" + label: "security_result.about.process.file.sha256" + view_label: "UDM" + description: "The SHA256 hash of the file." + } # dimension about__process__file__sha256 + + dimension: about__process__parent_pid { + type: string + sql: ${TABLE}.about.process.parent_pid ;; + group_label: "security_result" + group_item_label: "security_result.about.process.parent_pid [D]" + label: "security_result.about.process.parent_pid" + view_label: "UDM" + description: "The ID of the parent process. Deprecated: use parent_process.pid instead. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension about__process__parent_pid + + dimension: about__process__parent_process { + hidden: yes + } # dimension about__process__parent_process + + dimension: about__process__parent_process__pid { + type: string + sql: ${TABLE}.about.process.parent_process.pid ;; + group_label: "security_result" + label: "security_result.about.process.parent_process.pid" + view_label: "UDM" + description: "The process ID." + } # dimension about__process__parent_process__pid + + dimension: about__process__pid { + type: string + sql: ${TABLE}.about.process.pid ;; + group_label: "security_result" + label: "security_result.about.process.pid" + view_label: "UDM" + description: "The process ID." + } # dimension about__process__pid + + dimension: about__process__product_specific_process_id { + type: string + sql: ${TABLE}.about.process.product_specific_process_id ;; + group_label: "security_result" + label: "security_result.about.process.product_specific_process_id" + view_label: "UDM" + description: "A product specific process id." + } # dimension about__process__product_specific_process_id + + dimension: about__registry { + hidden: yes + } # dimension about__registry + + dimension: about__registry__registry_key { + type: string + sql: ${TABLE}.about.registry.registry_key ;; + group_label: "security_result" + label: "security_result.about.registry.registry_key" + view_label: "UDM" + description: "Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...)." + } # dimension about__registry__registry_key + + dimension: about__registry__registry_value_data { + type: string + sql: ${TABLE}.about.registry.registry_value_data ;; + group_label: "security_result" + label: "security_result.about.registry.registry_value_data" + view_label: "UDM" + description: "Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp)." 
+ } # dimension about__registry__registry_value_data + + dimension: about__resource { + hidden: yes + } # dimension about__resource + + dimension: about__resource__attribute { + hidden: yes + } # dimension about__resource__attribute + + dimension_group: security_result__about__resource__attribute__creation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.about.resource.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.about.resource.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "security_result" + label: "security_result.about.resource.attribute.creation_time" + view_label: "UDM" + description: "Time the resource or entity was created or provisioned." + } # dimension security_result__about__resource__attribute__creation_time + + dimension: about__resource__attribute__labels { + hidden: yes + } # dimension about__resource__attribute__labels + + dimension_group: security_result__about__resource__attribute__last_update_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.about.resource.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.about.resource.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "security_result" + label: "security_result.about.resource.attribute.last_update_time" + view_label: "UDM" + description: "Time the resource or entity was last updated." + } # dimension security_result__about__resource__attribute__last_update_time + + dimension: about__resource__id { + type: string + sql: ${TABLE}.about.resource.id ;; + group_label: "security_result" + group_item_label: "security_result.about.resource.id [D]" + label: "security_result.about.resource.id" + view_label: "UDM" + description: "Deprecated: Use resource.name or resource.product_object_id. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension about__resource__id + + dimension: about__resource__name { + type: string + sql: ${TABLE}.about.resource.name ;; + group_label: "security_result" + label: "security_result.about.resource.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." + } # dimension about__resource__name + + dimension: about__resource__parent { + type: string + sql: ${TABLE}.about.resource.parent ;; + group_label: "security_result" + group_item_label: "security_result.about.resource.parent [D]" + label: "security_result.about.resource.parent" + view_label: "UDM" + description: "The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: use resource_ancestors.name. [D]: This field is deprecated and will be removed in a future release" + } # dimension about__resource__parent + + dimension: about__resource__product_object_id { + type: string + sql: ${TABLE}.about.resource.product_object_id ;; + group_label: "security_result" + label: "security_result.about.resource.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" + } # dimension about__resource__product_object_id + + dimension: about__resource__resource_subtype { + type: string + sql: ${TABLE}.about.resource.resource_subtype ;; + group_label: "security_result" + label: "security_result.about.resource.resource_subtype" + view_label: "UDM" + description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\")." 
+ } # dimension about__resource__resource_subtype + + dimension: about__resource__resource_type { + type: number + sql: ${TABLE}.about.resource.resource_type ;; + group_label: "security_result" + label: "security_result.about.resource.resource_type" + view_label: "UDM" + description: "Resource type." + } # dimension about__resource__resource_type + + dimension: about__resource__resource_type_enum_name { + type: string + suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] + sql: CASE ${TABLE}.about.resource.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; + group_label: "security_result" + label: "security_result.about.resource.resource_type_enum_name" + view_label: "UDM" + description: "Resource type." + } # dimension about__resource__resource_type_enum_name + + dimension: about__resource__type { + type: string + sql: ${TABLE}.about.resource.type ;; + group_label: "security_result" + group_item_label: "security_result.about.resource.type [D]" + label: "security_result.about.resource.type" + view_label: "UDM" + description: "Deprecated: use resource_type instead. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension about__resource__type + + dimension: about__resource_ancestors { + hidden: yes + } # dimension about__resource_ancestors + + dimension: about__url { + type: string + sql: ${TABLE}.about.url ;; + group_label: "security_result" + label: "security_result.about.url" + view_label: "UDM" + description: "The URL." + } # dimension about__url + + dimension: about__user { + hidden: yes + } # dimension about__user + + dimension: about__user__attribute { + hidden: yes + } # dimension about__user__attribute + + dimension: about__user__attribute__cloud { + hidden: yes + } # dimension about__user__attribute__cloud + + dimension: about__user__attribute__cloud__environment { + type: number + sql: ${TABLE}.about.user.attribute.cloud.environment ;; + group_label: "security_result" + label: "security_result.about.user.attribute.cloud.environment" + view_label: "UDM" + description: "The Cloud environment." + } # dimension about__user__attribute__cloud__environment + + dimension: about__user__attribute__cloud__environment_enum_name { + type: string + suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] + sql: CASE ${TABLE}.about.user.attribute.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; + group_label: "security_result" + label: "security_result.about.user.attribute.cloud.environment_enum_name" + view_label: "UDM" + description: "The Cloud environment." 
+ } # dimension about__user__attribute__cloud__environment_enum_name + + dimension: about__user__attribute__cloud__project { + hidden: yes + } # dimension about__user__attribute__cloud__project + + dimension: about__user__attribute__cloud__project__id { + type: string + sql: ${TABLE}.about.user.attribute.cloud.project.id ;; + group_label: "security_result" + group_item_label: "security_result.about.user.attribute.cloud.project.id [D]" + label: "security_result.about.user.attribute.cloud.project.id" + view_label: "UDM" + description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" + } # dimension about__user__attribute__cloud__project__id + + dimension: about__user__attribute__cloud__project__name { + type: string + sql: ${TABLE}.about.user.attribute.cloud.project.name ;; + group_label: "security_result" + group_item_label: "security_result.about.user.attribute.cloud.project.name [D]" + label: "security_result.about.user.attribute.cloud.project.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" + } # dimension about__user__attribute__cloud__project__name + + dimension: about__user__attribute__cloud__project__resource_type { + type: number + sql: ${TABLE}.about.user.attribute.cloud.project.resource_type ;; + group_label: "security_result" + group_item_label: "security_result.about.user.attribute.cloud.project.resource_type [D]" + label: "security_result.about.user.attribute.cloud.project.resource_type" + view_label: "UDM" + description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension about__user__attribute__cloud__project__resource_type + + dimension: about__user__attribute__cloud__project__resource_type_enum_name { + type: string + suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] + sql: CASE ${TABLE}.about.user.attribute.cloud.project.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; + group_label: "security_result" + group_item_label: "security_result.about.user.attribute.cloud.project.resource_type_enum_name [D]" + label: "security_result.about.user.attribute.cloud.project.resource_type_enum_name" + view_label: "UDM" + description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension about__user__attribute__cloud__project__resource_type_enum_name + + dimension_group: security_result__about__user__attribute__creation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.about.user.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.about.user.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "security_result" + label: "security_result.about.user.attribute.creation_time" + view_label: "UDM" + description: "Time the resource or entity was created or provisioned." + } # dimension security_result__about__user__attribute__creation_time + + dimension: about__user__attribute__labels { + hidden: yes + } # dimension about__user__attribute__labels + + dimension_group: security_result__about__user__attribute__last_update_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.about.user.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.about.user.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "security_result" + label: "security_result.about.user.attribute.last_update_time" + view_label: "UDM" + description: "Time the resource or entity was last updated." 
+ } # dimension security_result__about__user__attribute__last_update_time + + dimension: about__user__attribute__roles { + hidden: yes + } # dimension about__user__attribute__roles + + dimension: about__user__email_addresses { + hidden: yes + } # dimension about__user__email_addresses + + dimension: about__user__group_identifiers { + hidden: yes + } # dimension about__user__group_identifiers + + dimension: about__user__product_object_id { + type: string + sql: ${TABLE}.about.user.product_object_id ;; + group_label: "security_result" + label: "security_result.about.user.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." + } # dimension about__user__product_object_id + + dimension: about__user__role_description { + type: string + sql: ${TABLE}.about.user.role_description ;; + group_label: "security_result" + group_item_label: "security_result.about.user.role_description [D]" + label: "security_result.about.user.role_description" + view_label: "UDM" + description: "System role description for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" + } # dimension about__user__role_description + + dimension: about__user__user_authentication_status { + type: number + sql: ${TABLE}.about.user.user_authentication_status ;; + group_label: "security_result" + label: "security_result.about.user.user_authentication_status" + view_label: "UDM" + description: "System authentication status for user." 
+ } # dimension about__user__user_authentication_status + + dimension: about__user__user_authentication_status_enum_name { + type: string + suggestions: ["ACTIVE", "DELETED", "NO_ACTIVE_CREDENTIALS", "SUSPENDED", "UNKNOWN_AUTHENTICATION_STATUS"] + sql: CASE ${TABLE}.about.user.user_authentication_status WHEN 0 THEN 'UNKNOWN_AUTHENTICATION_STATUS' WHEN 1 THEN 'ACTIVE' WHEN 2 THEN 'SUSPENDED' WHEN 3 THEN 'NO_ACTIVE_CREDENTIALS' WHEN 4 THEN 'DELETED' END ;; + group_label: "security_result" + label: "security_result.about.user.user_authentication_status_enum_name" + view_label: "UDM" + description: "System authentication status for user." + } # dimension about__user__user_authentication_status_enum_name + + dimension: about__user__user_display_name { + type: string + sql: ${TABLE}.about.user.user_display_name ;; + group_label: "security_result" + label: "security_result.about.user.user_display_name" + view_label: "UDM" + description: "The display name of the user (e.g. \"John Locke\")." + } # dimension about__user__user_display_name + + dimension: about__user__userid { + type: string + sql: ${TABLE}.about.user.userid ;; + group_label: "security_result" + label: "security_result.about.user.userid" + view_label: "UDM" + description: "The ID of the user." + } # dimension about__user__userid + + dimension: about__user_management_chain { + hidden: yes + } # dimension about__user_management_chain + + dimension: action { + hidden: yes + } # dimension action + + dimension: action_enum_name { + hidden: yes + } # dimension action_enum_name + + dimension: action_details { + type: string + sql: ${TABLE}.action_details ;; + group_label: "security_result" + label: "security_result.action_details" + view_label: "UDM" + description: "The detail of the action taken as provided by the vendor." 
+ } # dimension action_details + + dimension: alert_state { + type: number + sql: ${TABLE}.alert_state ;; + group_label: "security_result" + label: "security_result.alert_state" + view_label: "UDM" + description: "The alerting types of this security result." + } # dimension alert_state + + dimension: alert_state_enum_name { + type: string + suggestions: ["ALERTING", "NOT_ALERTING", "UNSPECIFIED"] + sql: CASE ${TABLE}.alert_state WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'NOT_ALERTING' WHEN 2 THEN 'ALERTING' END ;; + group_label: "security_result" + label: "security_result.alert_state_enum_name" + view_label: "UDM" + description: "The alerting types of this security result." + } # dimension alert_state_enum_name + + dimension: attack_details { + hidden: yes + } # dimension attack_details + + dimension: attack_details__tactics { + hidden: yes + } # dimension attack_details__tactics + + dimension: attack_details__techniques { + hidden: yes + } # dimension attack_details__techniques + + dimension: attack_details__version { + type: string + sql: ${TABLE}.attack_details.version ;; + group_label: "security_result" + label: "security_result.attack_details.version" + view_label: "UDM" + description: "ATT&CK version (e.g. 12.1)." + } # dimension attack_details__version + + dimension: category { + hidden: yes + } # dimension category + + dimension: category_enum_name { + hidden: yes + } # dimension category_enum_name + + dimension: category_details { + hidden: yes + } # dimension category_details + + dimension: confidence { + type: number + sql: ${TABLE}.confidence ;; + group_label: "security_result" + label: "security_result.confidence" + view_label: "UDM" + description: "The confidence level of the result as estimated by the product." 
+ } # dimension confidence + + dimension: confidence_enum_name { + type: string + suggestions: ["HIGH_CONFIDENCE", "LOW_CONFIDENCE", "MEDIUM_CONFIDENCE", "UNKNOWN_CONFIDENCE"] + sql: CASE ${TABLE}.confidence WHEN 0 THEN 'UNKNOWN_CONFIDENCE' WHEN 200 THEN 'LOW_CONFIDENCE' WHEN 300 THEN 'MEDIUM_CONFIDENCE' WHEN 400 THEN 'HIGH_CONFIDENCE' END ;; + group_label: "security_result" + label: "security_result.confidence_enum_name" + view_label: "UDM" + description: "The confidence level of the result as estimated by the product." + } # dimension confidence_enum_name + + dimension: confidence_details { + type: string + sql: ${TABLE}.confidence_details ;; + group_label: "security_result" + label: "security_result.confidence_details" + view_label: "UDM" + description: "Additional detail with regards to the confidence of a security event as estimated by the product vendor." + } # dimension confidence_details + + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "security_result" + label: "security_result.description" + view_label: "UDM" + description: "A human readable description (e.g. \"user password was wrong\")" + } # dimension description + + dimension: detection_fields { + hidden: yes + } # dimension detection_fields + + dimension: outcomes { + hidden: yes + } # dimension outcomes + + dimension: priority { + type: number + sql: ${TABLE}.priority ;; + group_label: "security_result" + label: "security_result.priority" + view_label: "UDM" + description: "The priority of the result." 
+ } # dimension priority + + dimension: priority_enum_name { + type: string + suggestions: ["HIGH_PRIORITY", "LOW_PRIORITY", "MEDIUM_PRIORITY", "UNKNOWN_PRIORITY"] + sql: CASE ${TABLE}.priority WHEN 0 THEN 'UNKNOWN_PRIORITY' WHEN 200 THEN 'LOW_PRIORITY' WHEN 300 THEN 'MEDIUM_PRIORITY' WHEN 400 THEN 'HIGH_PRIORITY' END ;; + group_label: "security_result" + label: "security_result.priority_enum_name" + view_label: "UDM" + description: "The priority of the result." + } # dimension priority_enum_name + + dimension: priority_details { + type: string + sql: ${TABLE}.priority_details ;; + group_label: "security_result" + label: "security_result.priority_details" + view_label: "UDM" + description: "Vendor-specific information about the security result priority." + } # dimension priority_details + + dimension: rule_author { + type: string + sql: ${TABLE}.rule_author ;; + group_label: "security_result" + label: "security_result.rule_author" + view_label: "UDM" + description: "Author of the security rule." + } # dimension rule_author + + dimension: rule_id { + type: string + sql: ${TABLE}.rule_id ;; + group_label: "security_result" + label: "security_result.rule_id" + view_label: "UDM" + description: "A vendor-specific ID and name for a rule, varying by observerer type (e.g. \"08123\", \"5d2b44d0-5ef6-40f5-a704-47d61d3babbe\")." + } # dimension rule_id + + dimension: rule_labels { + hidden: yes + } # dimension rule_labels + + dimension: rule_name { + type: string + sql: ${TABLE}.rule_name ;; + group_label: "security_result" + label: "security_result.rule_name" + view_label: "UDM" + description: "Name of the security rule (e.g. \"BlockInboundToOracle\")." + } # dimension rule_name + + dimension: rule_set { + type: string + sql: ${TABLE}.rule_set ;; + group_label: "security_result" + label: "security_result.rule_set" + view_label: "UDM" + description: "The result's rule set identifier. (e.g. 
\"windows-threats\")" + } # dimension rule_set + + dimension: rule_set_display_name { + type: string + sql: ${TABLE}.rule_set_display_name ;; + group_label: "security_result" + label: "security_result.rule_set_display_name" + view_label: "UDM" + description: "The result's rule set display name. (e.g. \"Windows Threats\")" + } # dimension rule_set_display_name + + dimension: rule_type { + type: string + sql: ${TABLE}.rule_type ;; + group_label: "security_result" + label: "security_result.rule_type" + view_label: "UDM" + description: "The type of security rule." + } # dimension rule_type + + dimension: rule_version { + type: string + sql: ${TABLE}.rule_version ;; + group_label: "security_result" + label: "security_result.rule_version" + view_label: "UDM" + description: "Version of the security rule. (e.g. \"v1.1\", \"00001\", \"1604709794\", \"2020-11-16T23:04:19+00:00\"). Note that rule versions are source-dependant and lexical ordering should not be assumed." + } # dimension rule_version + + dimension: severity { + type: number + sql: ${TABLE}.severity ;; + group_label: "security_result" + label: "security_result.severity" + view_label: "UDM" + description: "The severity of the result." + } # dimension severity + + dimension: severity_enum_name { + type: string + suggestions: ["CRITICAL", "ERROR", "HIGH", "INFORMATIONAL", "LOW", "MEDIUM", "UNKNOWN_SEVERITY"] + sql: CASE ${TABLE}.severity WHEN 0 THEN 'UNKNOWN_SEVERITY' WHEN 100 THEN 'INFORMATIONAL' WHEN 150 THEN 'ERROR' WHEN 200 THEN 'LOW' WHEN 300 THEN 'MEDIUM' WHEN 400 THEN 'HIGH' WHEN 500 THEN 'CRITICAL' END ;; + group_label: "security_result" + label: "security_result.severity_enum_name" + view_label: "UDM" + description: "The severity of the result." + } # dimension severity_enum_name + + dimension: severity_details { + type: string + sql: ${TABLE}.severity_details ;; + group_label: "security_result" + label: "security_result.severity_details" + view_label: "UDM" + description: "Vendor-specific severity." 
+ } # dimension severity_details + + dimension: summary { + type: string + sql: ${TABLE}.summary ;; + group_label: "security_result" + label: "security_result.summary" + view_label: "UDM" + description: "A human readable summary (e.g. \"failed login occurred\")" + } # dimension summary + + dimension: threat_feed_name { + type: string + sql: ${TABLE}.threat_feed_name ;; + group_label: "security_result" + label: "security_result.threat_feed_name" + view_label: "UDM" + description: "Vendor feed name for a threat indicator feed." + } # dimension threat_feed_name + + dimension: threat_id { + type: string + sql: ${TABLE}.threat_id ;; + group_label: "security_result" + label: "security_result.threat_id" + view_label: "UDM" + description: "Vendor-specific ID for a threat." + } # dimension threat_id + + dimension: threat_id_namespace { + type: number + sql: ${TABLE}.threat_id_namespace ;; + group_label: "security_result" + label: "security_result.threat_id_namespace" + view_label: "UDM" + description: "The attribute threat_id_namespace qualifies threat_id with an id namespace to get an unique id. The attribute threat_id by itself is not unique across Chronicle as it is a vendor specific id." + } # dimension threat_id_namespace + + dimension: threat_id_namespace_enum_name { + type: string + suggestions: ["MACHINE_INTELLIGENCE", "NORMALIZED_TELEMETRY", "RAW_TELEMETRY", "RULE_DETECTIONS", "SECURITY_COMMAND_CENTER", "SOAR_ALERT", "UNSPECIFIED", "UPPERCASE"] + sql: CASE ${TABLE}.threat_id_namespace WHEN 0 THEN 'NORMALIZED_TELEMETRY' WHEN 1 THEN 'RAW_TELEMETRY' WHEN 2 THEN 'RULE_DETECTIONS' WHEN 3 THEN 'UPPERCASE' WHEN 4 THEN 'MACHINE_INTELLIGENCE' WHEN 5 THEN 'SECURITY_COMMAND_CENTER' WHEN 6 THEN 'UNSPECIFIED' WHEN 7 THEN 'SOAR_ALERT' END ;; + group_label: "security_result" + label: "security_result.threat_id_namespace_enum_name" + view_label: "UDM" + description: "The attribute threat_id_namespace qualifies threat_id with an id namespace to get an unique id. 
The attribute threat_id by itself is not unique across Chronicle as it is a vendor specific id." + } # dimension threat_id_namespace_enum_name + + dimension: threat_name { + type: string + sql: ${TABLE}.threat_name ;; + group_label: "security_result" + label: "security_result.threat_name" + view_label: "UDM" + description: "A vendor-assigned classification common across multiple customers (e.g. \"W32/File-A\", \"Slammer\")." + } # dimension threat_name + + dimension: threat_status { + type: number + sql: ${TABLE}.threat_status ;; + group_label: "security_result" + label: "security_result.threat_status" + view_label: "UDM" + description: "Current status of the threat" + } # dimension threat_status + + dimension: threat_status_enum_name { + type: string + suggestions: ["ACTIVE", "CLEARED", "FALSE_POSITIVE", "THREAT_STATUS_UNSPECIFIED"] + sql: CASE ${TABLE}.threat_status WHEN 0 THEN 'THREAT_STATUS_UNSPECIFIED' WHEN 1 THEN 'ACTIVE' WHEN 2 THEN 'CLEARED' WHEN 3 THEN 'FALSE_POSITIVE' END ;; + group_label: "security_result" + label: "security_result.threat_status_enum_name" + view_label: "UDM" + description: "Current status of the threat" + } # dimension threat_status_enum_name + + dimension: url_back_to_product { + type: string + sql: ${TABLE}.url_back_to_product ;; + group_label: "security_result" + label: "security_result.url_back_to_product" + view_label: "UDM" + description: "URL that takes the user to the source product console for this event." + } # dimension url_back_to_product + +} # view events__security_result + +view: events__src__artifact__network__dns__questions { + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "src" + label: "src.artifact.network.dns.questions.name" + view_label: "UDM" + description: "The domain name." 
+ } # dimension name + +} # view events__src__artifact__network__dns__questions + +view: events__src__asset__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "src" + label: "src.asset.attribute.labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "src" + label: "src.asset.attribute.labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view events__src__asset__attribute__labels + +view: events__src__asset__hardware { + dimension: cpu_model { + type: string + sql: ${TABLE}.cpu_model ;; + group_label: "src" + label: "src.asset.hardware.cpu_model" + view_label: "UDM" + description: "Model description of the hardware CPU (e.g. \"2.8 GHz Quad-Core Intel Core i5\")." + } # dimension cpu_model + + dimension: cpu_platform { + type: string + sql: ${TABLE}.cpu_platform ;; + group_label: "src" + label: "src.asset.hardware.cpu_platform" + view_label: "UDM" + description: "Platform of the hardware CPU (e.g. \"Intel Broadwell\")." + } # dimension cpu_platform + + dimension: manufacturer { + type: string + sql: ${TABLE}.manufacturer ;; + group_label: "src" + label: "src.asset.hardware.manufacturer" + view_label: "UDM" + description: "Hardware manufacturer." + } # dimension manufacturer + + dimension: model { + type: string + sql: ${TABLE}.model ;; + group_label: "src" + label: "src.asset.hardware.model" + view_label: "UDM" + description: "Hardware model." + } # dimension model + + dimension: ram { + type: number + sql: ${TABLE}.ram ;; + group_label: "src" + label: "src.asset.hardware.ram" + view_label: "UDM" + description: "Amount of the hardware ramdom access memory (RAM) in Mb." + } # dimension ram + + dimension: serial_number { + type: string + sql: ${TABLE}.serial_number ;; + group_label: "src" + label: "src.asset.hardware.serial_number" + view_label: "UDM" + description: "Hardware serial number." 
+ } # dimension serial_number + +} # view events__src__asset__hardware + +view: events__src__asset__ip { + dimension: events__src__asset__ip { + type: string + sql: ${TABLE} ;; + group_label: "src" + label: "src.asset.ip" + view_label: "UDM" + description: "A list of IP addresses associated with an asset." + } # dimension events__src__asset__ip +} # view events__src__asset__ip + +view: events__src__asset__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "src" + group_item_label: "src.asset.labels.key [D]" + label: "src.asset.labels.key" + view_label: "UDM" + description: "The key. [D]: This field is deprecated and will be removed in a future release" + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "src" + group_item_label: "src.asset.labels.value [D]" + label: "src.asset.labels.value" + view_label: "UDM" + description: "The value. [D]: This field is deprecated and will be removed in a future release" + } # dimension value + +} # view events__src__asset__labels + +view: events__src__asset__mac { + dimension: events__src__asset__mac { + type: string + sql: ${TABLE} ;; + group_label: "src" + label: "src.asset.mac" + view_label: "UDM" + description: "List of MAC addresses associated with an asset." + } # dimension events__src__asset__mac +} # view events__src__asset__mac + +view: events__src__asset__nat_ip { + dimension: events__src__asset__nat_ip { + type: string + sql: ${TABLE} ;; + group_label: "src" + label: "src.asset.nat_ip" + view_label: "UDM" + description: "List of NAT IP addresses associated with an asset." + } # dimension events__src__asset__nat_ip +} # view events__src__asset__nat_ip + +view: events__src__asset__software__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "src" + label: "src.asset.software.permissions.description" + view_label: "UDM" + description: "Description of the permission (e.g. 
'Ability to update detect rules')." + } # dimension description + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "src" + label: "src.asset.software.permissions.name" + view_label: "UDM" + description: "Name of the permission (e.g. chronicle.analyst.updateRule)." + } # dimension name + +} # view events__src__asset__software__permissions + +view: events__src__asset__software { + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "src" + label: "src.asset.software.name" + view_label: "UDM" + description: "The name of the software." + } # dimension name + + dimension: permissions { + hidden: yes + } # dimension permissions + + dimension: version { + type: string + sql: ${TABLE}.version ;; + group_label: "src" + label: "src.asset.software.version" + view_label: "UDM" + description: "The version of the software." + } # dimension version + +} # view events__src__asset__software + +view: events__src__asset__vulnerabilities { + dimension: cve_id { + type: string + sql: ${TABLE}.cve_id ;; + group_label: "src" + label: "src.asset.vulnerabilities.cve_id" + view_label: "UDM" + description: "Common Vulnerabilities and Exposures Id.https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures https://cve.mitre.org/about/faqs.html#what_is_cve_id" + } # dimension cve_id + + dimension: cvss_base_score { + type: number + sql: ${TABLE}.cvss_base_score ;; + group_label: "src" + label: "src.asset.vulnerabilities.cvss_base_score" + view_label: "UDM" + description: "CVSS Base Score in the range of 0.0 to 10.0. Useful for sorting." + } # dimension cvss_base_score + + dimension: cvss_vector { + type: string + sql: ${TABLE}.cvss_vector ;; + group_label: "src" + label: "src.asset.vulnerabilities.cvss_vector" + view_label: "UDM" + description: "Vector of CVSS properties (e.g. 
\"AV:L/AC:H/Au:N/C:N/I:P/A:C\") Can be linked to via: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=VALUE" + } # dimension cvss_vector + + dimension: cvss_version { + type: string + sql: ${TABLE}.cvss_version ;; + group_label: "src" + label: "src.asset.vulnerabilities.cvss_version" + view_label: "UDM" + description: "Version of CVSS Vector/Score." + } # dimension cvss_version + + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "src" + label: "src.asset.vulnerabilities.description" + view_label: "UDM" + description: "Description of the vulnerability." + } # dimension description + + dimension_group: src__asset__vulnerabilities__first_found { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.first_found.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.first_found.nanos, 0) / 1000) as INT64)) ;; + group_label: "src" + label: "src.asset.vulnerabilities.first_found" + view_label: "UDM" + description: "Products that maintain a history of vuln scans should populate first_found with the time that a scan first detected the vulnerability on this asset." + } # dimension src__asset__vulnerabilities__first_found + + dimension_group: src__asset__vulnerabilities__last_found { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.last_found.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.last_found.nanos, 0) / 1000) as INT64)) ;; + group_label: "src" + label: "src.asset.vulnerabilities.last_found" + view_label: "UDM" + description: "Products that maintain a history of vuln scans should populate last_found with the time that a scan last detected the vulnerability on this asset." 
+ } # dimension src__asset__vulnerabilities__last_found + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "src" + label: "src.asset.vulnerabilities.name" + view_label: "UDM" + description: "Name of the vulnerability (e.g. \"Unsupported OS Version detected\")." + } # dimension name + + dimension_group: src__asset__vulnerabilities__scan_end_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.scan_end_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.scan_end_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "src" + label: "src.asset.vulnerabilities.scan_end_time" + view_label: "UDM" + description: "If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan ended. This field can be left unset if the end time is not available or not applicable." + } # dimension src__asset__vulnerabilities__scan_end_time + + dimension_group: src__asset__vulnerabilities__scan_start_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.scan_start_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.scan_start_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "src" + label: "src.asset.vulnerabilities.scan_start_time" + view_label: "UDM" + description: "If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan started. This field can be left unset if the start time is not available or not applicable." + } # dimension src__asset__vulnerabilities__scan_start_time + + dimension: severity { + type: number + sql: ${TABLE}.severity ;; + group_label: "src" + label: "src.asset.vulnerabilities.severity" + view_label: "UDM" + description: "The severity of the vulnerability." 
+ } # dimension severity + + dimension: severity_enum_name { + type: string + suggestions: ["CRITICAL", "HIGH", "LOW", "MEDIUM", "UNKNOWN_SEVERITY"] + sql: CASE ${TABLE}.severity WHEN 0 THEN 'UNKNOWN_SEVERITY' WHEN 1 THEN 'LOW' WHEN 2 THEN 'MEDIUM' WHEN 3 THEN 'HIGH' WHEN 4 THEN 'CRITICAL' END ;; + group_label: "src" + label: "src.asset.vulnerabilities.severity_enum_name" + view_label: "UDM" + description: "The severity of the vulnerability." + } # dimension severity_enum_name + +} # view events__src__asset__vulnerabilities + +view: events__src__file__capabilities_tags { + dimension: events__src__file__capabilities_tags { + type: string + sql: ${TABLE} ;; + group_label: "src" + label: "src.file.capabilities_tags" + view_label: "UDM" + description: "Capabilities tags." + } # dimension events__src__file__capabilities_tags +} # view events__src__file__capabilities_tags + +view: events__src__file__embedded_domains { + dimension: events__src__file__embedded_domains { + type: string + sql: ${TABLE} ;; + group_label: "src" + label: "src.file.embedded_domains" + view_label: "UDM" + description: "Embedded domains found in the file." + } # dimension events__src__file__embedded_domains +} # view events__src__file__embedded_domains + +view: events__src__file__embedded_ips { + dimension: events__src__file__embedded_ips { + type: string + sql: ${TABLE} ;; + group_label: "src" + label: "src.file.embedded_ips" + view_label: "UDM" + description: "Embedded IP addresses found in the file." + } # dimension events__src__file__embedded_ips +} # view events__src__file__embedded_ips + +view: events__src__file__embedded_urls { + dimension: events__src__file__embedded_urls { + type: string + sql: ${TABLE} ;; + group_label: "src" + label: "src.file.embedded_urls" + view_label: "UDM" + description: "Embedded urls found in the file." 
+ } # dimension events__src__file__embedded_urls +} # view events__src__file__embedded_urls + +view: events__src__file__names { + dimension: events__src__file__names { + type: string + sql: ${TABLE} ;; + group_label: "src" + label: "src.file.names" + view_label: "UDM" + description: "Names fields." + } # dimension events__src__file__names +} # view events__src__file__names + +view: events__src__file__signature_info__sigcheck__signers { + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "src" + label: "src.file.signature_info.sigcheck.signers.name" + view_label: "UDM" + description: "Common name of the signers/certificate. The order of the signers matters. Each element is a higher level authority, the last being the root authority." + } # dimension name + +} # view events__src__file__signature_info__sigcheck__signers + +view: events__src__file__tags { + dimension: events__src__file__tags { + type: string + sql: ${TABLE} ;; + group_label: "src" + label: "src.file.tags" + view_label: "UDM" + description: "Tags for the file." + } # dimension events__src__file__tags +} # view events__src__file__tags + +view: events__src__ip { + dimension: events__src__ip { + type: string + sql: ${TABLE} ;; + group_label: "src" + label: "src.ip" + view_label: "UDM" + description: "A list of IP addresses associated with a network connection." + } # dimension events__src__ip +} # view events__src__ip + +view: events__src__ip_geo_artifact { + dimension: ip { + type: string + sql: ${TABLE}.ip ;; + group_label: "src" + label: "src.ip_geo_artifact.ip" + view_label: "UDM" + description: "IP address of the artifact." + } # dimension ip + + dimension: location { + hidden: yes + } # dimension location + + dimension: location__country_or_region { + type: string + sql: ${TABLE}.location.country_or_region ;; + group_label: "src" + label: "src.ip_geo_artifact.location.country_or_region" + view_label: "UDM" + description: "The country or region." 
+ } # dimension location__country_or_region + + dimension: location__region_coordinates { + type: location + sql_latitude: ${TABLE}.location.region_coordinates.latitude ;; + sql_longitude: ${TABLE}.location.region_coordinates.longitude ;; + group_label: "src" + group_item_label: "src.ip_geo_artifact.location.region_coordinates [L]" + label: "src.ip_geo_artifact.location.region_coordinates" + view_label: "UDM" + description: "Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. [L]: This is a location field and can be used in maps." + } # dimension location__region_coordinates + + dimension: location__region_latitude { + type: number + sql: ${TABLE}.location.region_latitude ;; + group_label: "src" + group_item_label: "src.ip_geo_artifact.location.region_latitude [D]" + label: "src.ip_geo_artifact.location.region_latitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" + } # dimension location__region_latitude + + dimension: location__region_longitude { + type: number + sql: ${TABLE}.location.region_longitude ;; + group_label: "src" + group_item_label: "src.ip_geo_artifact.location.region_longitude [D]" + label: "src.ip_geo_artifact.location.region_longitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" + } # dimension location__region_longitude + + dimension: location__location { + type: location + sql_latitude: ${TABLE}.location.region_latitude ;; + sql_longitude: ${TABLE}.location.region_longitude ;; + group_label: "src" + group_item_label: "src.ip_geo_artifact.location.location [D][L]" + label: "src.ip_geo_artifact.location.location" + view_label: "UDM" + description: "Deprecated: use region_coordinates. 
[D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." + } # dimension location__location + + dimension: location__state { + type: string + sql: ${TABLE}.location.state ;; + group_label: "src" + label: "src.ip_geo_artifact.location.state" + view_label: "UDM" + description: "The state." + } # dimension location__state + + dimension: network { + hidden: yes + } # dimension network + + dimension: network__asn { + type: string + sql: ${TABLE}.network.asn ;; + group_label: "src" + label: "src.ip_geo_artifact.network.asn" + view_label: "UDM" + description: "Autonomous system number." + } # dimension network__asn + + dimension: network__carrier_name { + type: string + sql: ${TABLE}.network.carrier_name ;; + group_label: "src" + label: "src.ip_geo_artifact.network.carrier_name" + view_label: "UDM" + description: "Carrier identification." + } # dimension network__carrier_name + + dimension: network__dns_domain { + type: string + sql: ${TABLE}.network.dns_domain ;; + group_label: "src" + label: "src.ip_geo_artifact.network.dns_domain" + view_label: "UDM" + description: "DNS domain name." + } # dimension network__dns_domain + + dimension: network__organization_name { + type: string + sql: ${TABLE}.network.organization_name ;; + group_label: "src" + label: "src.ip_geo_artifact.network.organization_name" + view_label: "UDM" + description: "Organization name (e.g Google)." + } # dimension network__organization_name + +} # view events__src__ip_geo_artifact + +view: events__src__ip_location { + dimension: country_or_region { + type: string + sql: ${TABLE}.country_or_region ;; + group_label: "src" + group_item_label: "src.ip_location.country_or_region [D]" + label: "src.ip_location.country_or_region" + view_label: "UDM" + description: "The country or region. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension country_or_region + + dimension: region_coordinates { + type: location + sql_latitude: ${TABLE}.region_coordinates.latitude ;; + sql_longitude: ${TABLE}.region_coordinates.longitude ;; + group_label: "src" + group_item_label: "src.ip_location.region_coordinates [D][L]" + label: "src.ip_location.region_coordinates" + view_label: "UDM" + description: "Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." + } # dimension region_coordinates + + dimension: region_latitude { + type: number + sql: ${TABLE}.region_latitude ;; + group_label: "src" + group_item_label: "src.ip_location.region_latitude [D]" + label: "src.ip_location.region_latitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" + } # dimension region_latitude + + dimension: region_longitude { + type: number + sql: ${TABLE}.region_longitude ;; + group_label: "src" + group_item_label: "src.ip_location.region_longitude [D]" + label: "src.ip_location.region_longitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" + } # dimension region_longitude + + dimension: location { + type: location + sql_latitude: ${TABLE}.region_latitude ;; + sql_longitude: ${TABLE}.region_longitude ;; + group_label: "src" + group_item_label: "src.ip_location.location [D][L]" + label: "src.ip_location.location" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." 
+ } # dimension location + + dimension: state { + type: string + sql: ${TABLE}.state ;; + group_label: "src" + group_item_label: "src.ip_location.state [D]" + label: "src.ip_location.state" + view_label: "UDM" + description: "The state. [D]: This field is deprecated and will be removed in a future release" + } # dimension state + +} # view events__src__ip_location + +view: events__src__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "src" + group_item_label: "src.labels.key [D]" + label: "src.labels.key" + view_label: "UDM" + description: "The key. [D]: This field is deprecated and will be removed in a future release" + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "src" + group_item_label: "src.labels.value [D]" + label: "src.labels.value" + view_label: "UDM" + description: "The value. [D]: This field is deprecated and will be removed in a future release" + } # dimension value + +} # view events__src__labels + +view: events__src__mac { + dimension: events__src__mac { + type: string + sql: ${TABLE} ;; + group_label: "src" + label: "src.mac" + view_label: "UDM" + description: "List of MAC addresses associated with a device." + } # dimension events__src__mac +} # view events__src__mac + +view: events__src__nat_ip { + dimension: events__src__nat_ip { + type: string + sql: ${TABLE} ;; + group_label: "src" + label: "src.nat_ip" + view_label: "UDM" + description: "A list of NAT translated IP addresses associated with a network connection." + } # dimension events__src__nat_ip +} # view events__src__nat_ip + +view: events__src__process__file__names { + dimension: events__src__process__file__names { + type: string + sql: ${TABLE} ;; + group_label: "src" + label: "src.process.file.names" + view_label: "UDM" + description: "Names fields." 
+ } # dimension events__src__process__file__names +} # view events__src__process__file__names + +view: events__src__process_ancestors { + dimension: file { + hidden: yes + } # dimension file + + dimension: file__full_path { + type: string + sql: ${TABLE}.file.full_path ;; + group_label: "src" + label: "src.process_ancestors.file.full_path" + view_label: "UDM" + description: "The full path identifying the location of the file on the system." + } # dimension file__full_path + +} # view events__src__process_ancestors + +view: events__src__resource__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "src" + label: "src.resource.attribute.labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: source { + type: string + sql: ${TABLE}.source ;; + group_label: "src" + label: "src.resource.attribute.labels.source" + view_label: "UDM" + description: "@hide_from_doc" + } # dimension source + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "src" + label: "src.resource.attribute.labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view events__src__resource__attribute__labels + +view: events__src__resource__attribute__permissions { + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "src" + label: "src.resource.attribute.permissions.name" + view_label: "UDM" + description: "Name of the permission (e.g. chronicle.analyst.updateRule)." + } # dimension name + +} # view events__src__resource__attribute__permissions + +view: events__src__resource_ancestors__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "src" + label: "src.resource_ancestors.attribute.labels.key" + view_label: "UDM" + description: "The key." 
+ } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "src" + label: "src.resource_ancestors.attribute.labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view events__src__resource_ancestors__attribute__labels + +view: events__src__resource_ancestors { + dimension: attribute { + hidden: yes + } # dimension attribute + + dimension: attribute__labels { + hidden: yes + } # dimension attribute__labels + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "src" + label: "src.resource_ancestors.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." + } # dimension name + + dimension: product_object_id { + type: string + sql: ${TABLE}.product_object_id ;; + group_label: "src" + label: "src.resource_ancestors.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" + } # dimension product_object_id + + dimension: resource_type { + type: number + sql: ${TABLE}.resource_type ;; + group_label: "src" + label: "src.resource_ancestors.resource_type" + view_label: "UDM" + description: "Resource type." 
+ } # dimension resource_type + + dimension: resource_type_enum_name { + type: string + suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] + sql: CASE ${TABLE}.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; + group_label: "src" + label: "src.resource_ancestors.resource_type_enum_name" + view_label: "UDM" + description: "Resource type." + } # dimension resource_type_enum_name + +} # view events__src__resource_ancestors + +view: events__src__user__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "src" + label: "src.user.attribute.labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "src" + label: "src.user.attribute.labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view events__src__user__attribute__labels + +view: events__src__user__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "src" + label: "src.user.attribute.roles.description" + view_label: "UDM" + description: "System role description for user." 
+ } # dimension description + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "src" + label: "src.user.attribute.roles.name" + view_label: "UDM" + description: "System role name for user." + } # dimension name + + dimension: type { + type: number + sql: ${TABLE}.type ;; + group_label: "src" + label: "src.user.attribute.roles.type" + view_label: "UDM" + description: "System role type for well known roles." + } # dimension type + + dimension: type_enum_name { + type: string + suggestions: ["ADMINISTRATOR", "SERVICE_ACCOUNT", "TYPE_UNSPECIFIED"] + sql: CASE ${TABLE}.type WHEN 0 THEN 'TYPE_UNSPECIFIED' WHEN 1 THEN 'ADMINISTRATOR' WHEN 2 THEN 'SERVICE_ACCOUNT' END ;; + group_label: "src" + label: "src.user.attribute.roles.type_enum_name" + view_label: "UDM" + description: "System role type for well known roles." + } # dimension type_enum_name + +} # view events__src__user__attribute__roles + +view: events__src__user__department { + dimension: events__src__user__department { + type: string + sql: ${TABLE} ;; + group_label: "src" + label: "src.user.department" + view_label: "UDM" + description: "User job department" + } # dimension events__src__user__department +} # view events__src__user__department + +view: events__src__user__email_addresses { + dimension: events__src__user__email_addresses { + type: string + sql: ${TABLE} ;; + group_label: "src" + label: "src.user.email_addresses" + view_label: "UDM" + description: "Email addresses of the user." + } # dimension events__src__user__email_addresses +} # view events__src__user__email_addresses + +view: events__src__user__group_identifiers { + dimension: events__src__user__group_identifiers { + type: string + sql: ${TABLE} ;; + group_label: "src" + label: "src.user.group_identifiers" + view_label: "UDM" + description: "Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar)." 
+ } # dimension events__src__user__group_identifiers +} # view events__src__user__group_identifiers + +view: events__src__user__managers__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "src" + label: "src.user.managers.attribute.labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "src" + label: "src.user.managers.attribute.labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view events__src__user__managers__attribute__labels + +view: events__src__user__managers__attribute__roles { + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "src" + label: "src.user.managers.attribute.roles.name" + view_label: "UDM" + description: "System role name for user." + } # dimension name + + dimension: type { + type: number + sql: ${TABLE}.type ;; + group_label: "src" + label: "src.user.managers.attribute.roles.type" + view_label: "UDM" + description: "System role type for well known roles." + } # dimension type + + dimension: type_enum_name { + type: string + suggestions: ["ADMINISTRATOR", "SERVICE_ACCOUNT", "TYPE_UNSPECIFIED"] + sql: CASE ${TABLE}.type WHEN 0 THEN 'TYPE_UNSPECIFIED' WHEN 1 THEN 'ADMINISTRATOR' WHEN 2 THEN 'SERVICE_ACCOUNT' END ;; + group_label: "src" + label: "src.user.managers.attribute.roles.type_enum_name" + view_label: "UDM" + description: "System role type for well known roles." 
+ } # dimension type_enum_name + +} # view events__src__user__managers__attribute__roles + +view: events__src__user__managers__department { + dimension: events__src__user__managers__department { + type: string + sql: ${TABLE} ;; + group_label: "src" + label: "src.user.managers.department" + view_label: "UDM" + description: "User job department" + } # dimension events__src__user__managers__department +} # view events__src__user__managers__department + +view: events__src__user__managers__email_addresses { + dimension: events__src__user__managers__email_addresses { + type: string + sql: ${TABLE} ;; + group_label: "src" + label: "src.user.managers.email_addresses" + view_label: "UDM" + description: "Email addresses of the user." + } # dimension events__src__user__managers__email_addresses +} # view events__src__user__managers__email_addresses + +view: events__src__user__managers__group_identifiers { + dimension: events__src__user__managers__group_identifiers { + type: string + sql: ${TABLE} ;; + group_label: "src" + label: "src.user.managers.group_identifiers" + view_label: "UDM" + description: "Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar)." + } # dimension events__src__user__managers__group_identifiers +} # view events__src__user__managers__group_identifiers + +view: events__src__user__managers__phone_numbers { + dimension: events__src__user__managers__phone_numbers { + type: string + sql: ${TABLE} ;; + group_label: "src" + label: "src.user.managers.phone_numbers" + view_label: "UDM" + description: "Phone numbers for the user." 
+ } # dimension events__src__user__managers__phone_numbers +} # view events__src__user__managers__phone_numbers + +view: events__src__user__managers { + dimension: attribute { + hidden: yes + } # dimension attribute + + dimension: attribute__labels { + hidden: yes + } # dimension attribute__labels + + dimension: attribute__roles { + hidden: yes + } # dimension attribute__roles + + dimension: company_name { + type: string + sql: ${TABLE}.company_name ;; + group_label: "src" + label: "src.user.managers.company_name" + view_label: "UDM" + description: "User job company name." + } # dimension company_name + + dimension: department { + hidden: yes + } # dimension department + + dimension: email_addresses { + hidden: yes + } # dimension email_addresses + + dimension: employee_id { + type: string + sql: ${TABLE}.employee_id ;; + group_label: "src" + label: "src.user.managers.employee_id" + view_label: "UDM" + description: "Human capital management identifier." + } # dimension employee_id + + dimension: first_name { + type: string + sql: ${TABLE}.first_name ;; + group_label: "src" + label: "src.user.managers.first_name" + view_label: "UDM" + description: "First name of the user (e.g. \"John\")." + } # dimension first_name + + dimension: group_identifiers { + hidden: yes + } # dimension group_identifiers + + dimension: last_name { + type: string + sql: ${TABLE}.last_name ;; + group_label: "src" + label: "src.user.managers.last_name" + view_label: "UDM" + description: "Last name of the user (e.g. \"Locke\")." + } # dimension last_name + + dimension: personal_address { + hidden: yes + } # dimension personal_address + + dimension: personal_address__city { + type: string + sql: ${TABLE}.personal_address.city ;; + group_label: "src" + label: "src.user.managers.personal_address.city" + view_label: "UDM" + description: "The city." 
+ } # dimension personal_address__city + + dimension: personal_address__country_or_region { + type: string + sql: ${TABLE}.personal_address.country_or_region ;; + group_label: "src" + label: "src.user.managers.personal_address.country_or_region" + view_label: "UDM" + description: "The country or region." + } # dimension personal_address__country_or_region + + dimension: personal_address__name { + type: string + sql: ${TABLE}.personal_address.name ;; + group_label: "src" + label: "src.user.managers.personal_address.name" + view_label: "UDM" + description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." + } # dimension personal_address__name + + dimension: personal_address__state { + type: string + sql: ${TABLE}.personal_address.state ;; + group_label: "src" + label: "src.user.managers.personal_address.state" + view_label: "UDM" + description: "The state." + } # dimension personal_address__state + + dimension: phone_numbers { + hidden: yes + } # dimension phone_numbers + + dimension: product_object_id { + type: string + sql: ${TABLE}.product_object_id ;; + group_label: "src" + label: "src.user.managers.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." + } # dimension product_object_id + + dimension: title { + type: string + sql: ${TABLE}.title ;; + group_label: "src" + label: "src.user.managers.title" + view_label: "UDM" + description: "User job title." + } # dimension title + + dimension: user_display_name { + type: string + sql: ${TABLE}.user_display_name ;; + group_label: "src" + label: "src.user.managers.user_display_name" + view_label: "UDM" + description: "The display name of the user (e.g. \"John Locke\")." 
+ } # dimension user_display_name + + dimension: userid { + type: string + sql: ${TABLE}.userid ;; + group_label: "src" + label: "src.user.managers.userid" + view_label: "UDM" + description: "The ID of the user." + } # dimension userid + + dimension: windows_sid { + type: string + sql: ${TABLE}.windows_sid ;; + group_label: "src" + label: "src.user.managers.windows_sid" + view_label: "UDM" + description: "The Microsoft Windows SID of the user." + } # dimension windows_sid + +} # view events__src__user__managers + +view: events__src__user__phone_numbers { + dimension: events__src__user__phone_numbers { + type: string + sql: ${TABLE} ;; + group_label: "src" + label: "src.user.phone_numbers" + view_label: "UDM" + description: "Phone numbers for the user." + } # dimension events__src__user__phone_numbers +} # view events__src__user__phone_numbers + +view: events__src__user__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "src" + label: "src.user.time_off.description" + view_label: "UDM" + description: "Description of the leave if available (e.g. 'Vacation')." + } # dimension description + + dimension_group: src__user__time_off__interval { + type: duration + intervals: [ second, minute, hour ] + sql_start: TIMESTAMP_MICROS(IFNULL(${TABLE}.interval.start_time.seconds,0) * 1000000 + CAST((IFNULL(${TABLE}.interval.start_time.nanos,0) / 1000) as INT64)) ;; + sql_end: TIMESTAMP_MICROS(IFNULL(${TABLE}.interval.end_time.seconds,0) * 1000000 + CAST((IFNULL(${TABLE}.interval.end_time.nanos,0) / 1000) as INT64)) ;; + group_label: "src" + label: "src.user.time_off.interval" + view_label: "UDM" + description: "Interval duration of the leave." 
+ } # dimension src__user__time_off__interval + +} # view events__src__user__time_off + +view: events__target__artifact__network__email__subject { + dimension: events__target__artifact__network__email__subject { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.artifact.network.email.subject" + view_label: "UDM" + description: "The subject line(s) of the email." + } # dimension events__target__artifact__network__email__subject +} # view events__target__artifact__network__email__subject + +view: events__target__asset__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "target" + label: "target.asset.attribute.labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "target" + label: "target.asset.attribute.labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view events__target__asset__attribute__labels + +view: events__target__asset__attribute__permissions { + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "target" + label: "target.asset.attribute.permissions.name" + view_label: "UDM" + description: "Name of the permission (e.g. chronicle.analyst.updateRule)." + } # dimension name + +} # view events__target__asset__attribute__permissions + +view: events__target__asset__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "target" + label: "target.asset.attribute.roles.description" + view_label: "UDM" + description: "System role description for user." + } # dimension description + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "target" + label: "target.asset.attribute.roles.name" + view_label: "UDM" + description: "System role name for user." 
+ } # dimension name + +} # view events__target__asset__attribute__roles + +view: events__target__asset__hardware { + dimension: cpu_model { + type: string + sql: ${TABLE}.cpu_model ;; + group_label: "target" + label: "target.asset.hardware.cpu_model" + view_label: "UDM" + description: "Model description of the hardware CPU (e.g. \"2.8 GHz Quad-Core Intel Core i5\")." + } # dimension cpu_model + + dimension: cpu_number_cores { + type: number + sql: ${TABLE}.cpu_number_cores ;; + group_label: "target" + label: "target.asset.hardware.cpu_number_cores" + view_label: "UDM" + description: "Number of CPU cores." + } # dimension cpu_number_cores + + dimension: cpu_platform { + type: string + sql: ${TABLE}.cpu_platform ;; + group_label: "target" + label: "target.asset.hardware.cpu_platform" + view_label: "UDM" + description: "Platform of the hardware CPU (e.g. \"Intel Broadwell\")." + } # dimension cpu_platform + + dimension: manufacturer { + type: string + sql: ${TABLE}.manufacturer ;; + group_label: "target" + label: "target.asset.hardware.manufacturer" + view_label: "UDM" + description: "Hardware manufacturer." + } # dimension manufacturer + + dimension: model { + type: string + sql: ${TABLE}.model ;; + group_label: "target" + label: "target.asset.hardware.model" + view_label: "UDM" + description: "Hardware model." + } # dimension model + + dimension: ram { + type: number + sql: ${TABLE}.ram ;; + group_label: "target" + label: "target.asset.hardware.ram" + view_label: "UDM" + description: "Amount of the hardware ramdom access memory (RAM) in Mb." + } # dimension ram + + dimension: serial_number { + type: string + sql: ${TABLE}.serial_number ;; + group_label: "target" + label: "target.asset.hardware.serial_number" + view_label: "UDM" + description: "Hardware serial number." 
+ } # dimension serial_number + +} # view events__target__asset__hardware + +view: events__target__asset__ip { + dimension: events__target__asset__ip { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.asset.ip" + view_label: "UDM" + description: "A list of IP addresses associated with an asset." + } # dimension events__target__asset__ip +} # view events__target__asset__ip + +view: events__target__asset__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "target" + group_item_label: "target.asset.labels.key [D]" + label: "target.asset.labels.key" + view_label: "UDM" + description: "The key. [D]: This field is deprecated and will be removed in a future release" + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "target" + group_item_label: "target.asset.labels.value [D]" + label: "target.asset.labels.value" + view_label: "UDM" + description: "The value. [D]: This field is deprecated and will be removed in a future release" + } # dimension value + +} # view events__target__asset__labels + +view: events__target__asset__mac { + dimension: events__target__asset__mac { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.asset.mac" + view_label: "UDM" + description: "List of MAC addresses associated with an asset." + } # dimension events__target__asset__mac +} # view events__target__asset__mac + +view: events__target__asset__nat_ip { + dimension: events__target__asset__nat_ip { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.asset.nat_ip" + view_label: "UDM" + description: "List of NAT IP addresses associated with an asset." 
+ } # dimension events__target__asset__nat_ip +} # view events__target__asset__nat_ip + +view: events__target__asset__software__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "target" + label: "target.asset.software.permissions.description" + view_label: "UDM" + description: "Description of the permission (e.g. 'Ability to update detect rules')." + } # dimension description + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "target" + label: "target.asset.software.permissions.name" + view_label: "UDM" + description: "Name of the permission (e.g. chronicle.analyst.updateRule)." + } # dimension name + +} # view events__target__asset__software__permissions + +view: events__target__asset__software { + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "target" + label: "target.asset.software.name" + view_label: "UDM" + description: "The name of the software." + } # dimension name + + dimension: permissions { + hidden: yes + } # dimension permissions + + dimension: version { + type: string + sql: ${TABLE}.version ;; + group_label: "target" + label: "target.asset.software.version" + view_label: "UDM" + description: "The version of the software." + } # dimension version + +} # view events__target__asset__software + +view: events__target__asset__vulnerabilities { + dimension: cve_id { + type: string + sql: ${TABLE}.cve_id ;; + group_label: "target" + label: "target.asset.vulnerabilities.cve_id" + view_label: "UDM" + description: "Common Vulnerabilities and Exposures Id.https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures https://cve.mitre.org/about/faqs.html#what_is_cve_id" + } # dimension cve_id + + dimension: cvss_base_score { + type: number + sql: ${TABLE}.cvss_base_score ;; + group_label: "target" + label: "target.asset.vulnerabilities.cvss_base_score" + view_label: "UDM" + description: "CVSS Base Score in the range of 0.0 to 10.0. Useful for sorting." 
+ } # dimension cvss_base_score + + dimension: cvss_vector { + type: string + sql: ${TABLE}.cvss_vector ;; + group_label: "target" + label: "target.asset.vulnerabilities.cvss_vector" + view_label: "UDM" + description: "Vector of CVSS properties (e.g. \"AV:L/AC:H/Au:N/C:N/I:P/A:C\") Can be linked to via: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=VALUE" + } # dimension cvss_vector + + dimension: cvss_version { + type: string + sql: ${TABLE}.cvss_version ;; + group_label: "target" + label: "target.asset.vulnerabilities.cvss_version" + view_label: "UDM" + description: "Version of CVSS Vector/Score." + } # dimension cvss_version + + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "target" + label: "target.asset.vulnerabilities.description" + view_label: "UDM" + description: "Description of the vulnerability." + } # dimension description + + dimension_group: target__asset__vulnerabilities__first_found { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.first_found.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.first_found.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.asset.vulnerabilities.first_found" + view_label: "UDM" + description: "Products that maintain a history of vuln scans should populate first_found with the time that a scan first detected the vulnerability on this asset." 
+ } # dimension target__asset__vulnerabilities__first_found + + dimension_group: target__asset__vulnerabilities__last_found { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.last_found.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.last_found.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.asset.vulnerabilities.last_found" + view_label: "UDM" + description: "Products that maintain a history of vuln scans should populate last_found with the time that a scan last detected the vulnerability on this asset." + } # dimension target__asset__vulnerabilities__last_found + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "target" + label: "target.asset.vulnerabilities.name" + view_label: "UDM" + description: "Name of the vulnerability (e.g. \"Unsupported OS Version detected\")." + } # dimension name + + dimension_group: target__asset__vulnerabilities__scan_end_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.scan_end_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.scan_end_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.asset.vulnerabilities.scan_end_time" + view_label: "UDM" + description: "If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan ended. This field can be left unset if the end time is not available or not applicable." 
+ } # dimension target__asset__vulnerabilities__scan_end_time + + dimension_group: target__asset__vulnerabilities__scan_start_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.scan_start_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.scan_start_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.asset.vulnerabilities.scan_start_time" + view_label: "UDM" + description: "If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan started. This field can be left unset if the start time is not available or not applicable." + } # dimension target__asset__vulnerabilities__scan_start_time + + dimension: severity { + type: number + sql: ${TABLE}.severity ;; + group_label: "target" + label: "target.asset.vulnerabilities.severity" + view_label: "UDM" + description: "The severity of the vulnerability." + } # dimension severity + + dimension: severity_enum_name { + type: string + suggestions: ["CRITICAL", "HIGH", "LOW", "MEDIUM", "UNKNOWN_SEVERITY"] + sql: CASE ${TABLE}.severity WHEN 0 THEN 'UNKNOWN_SEVERITY' WHEN 1 THEN 'LOW' WHEN 2 THEN 'MEDIUM' WHEN 3 THEN 'HIGH' WHEN 4 THEN 'CRITICAL' END ;; + group_label: "target" + label: "target.asset.vulnerabilities.severity_enum_name" + view_label: "UDM" + description: "The severity of the vulnerability." + } # dimension severity_enum_name + +} # view events__target__asset__vulnerabilities + +view: events__target__cloud__project__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "target" + group_item_label: "target.cloud.project.attribute.labels.key [D]" + label: "target.cloud.project.attribute.labels.key" + view_label: "UDM" + description: "The key. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "target" + group_item_label: "target.cloud.project.attribute.labels.value [D]" + label: "target.cloud.project.attribute.labels.value" + view_label: "UDM" + description: "The value. [D]: This field is deprecated and will be removed in a future release" + } # dimension value + +} # view events__target__cloud__project__attribute__labels + +view: events__target__domain__name_server { + dimension: events__target__domain__name_server { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.domain.name_server" + view_label: "UDM" + description: "Repeated list of name servers." + } # dimension events__target__domain__name_server +} # view events__target__domain__name_server + +view: events__target__file__capabilities_tags { + dimension: events__target__file__capabilities_tags { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.file.capabilities_tags" + view_label: "UDM" + description: "Capabilities tags." + } # dimension events__target__file__capabilities_tags +} # view events__target__file__capabilities_tags + +view: events__target__file__embedded_domains { + dimension: events__target__file__embedded_domains { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.file.embedded_domains" + view_label: "UDM" + description: "Embedded domains found in the file." + } # dimension events__target__file__embedded_domains +} # view events__target__file__embedded_domains + +view: events__target__file__embedded_ips { + dimension: events__target__file__embedded_ips { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.file.embedded_ips" + view_label: "UDM" + description: "Embedded IP addresses found in the file." 
+ } # dimension events__target__file__embedded_ips +} # view events__target__file__embedded_ips + +view: events__target__file__embedded_urls { + dimension: events__target__file__embedded_urls { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.file.embedded_urls" + view_label: "UDM" + description: "Embedded urls found in the file." + } # dimension events__target__file__embedded_urls +} # view events__target__file__embedded_urls + +view: events__target__file__names { + dimension: events__target__file__names { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.file.names" + view_label: "UDM" + description: "Names fields." + } # dimension events__target__file__names +} # view events__target__file__names + +view: events__target__file__pe_file__imports__functions { + dimension: events__target__file__pe_file__imports__functions { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.file.pe_file.imports.functions" + view_label: "UDM" + description: "Function field." + } # dimension events__target__file__pe_file__imports__functions +} # view events__target__file__pe_file__imports__functions + +view: events__target__file__pe_file__imports { + dimension: functions { + hidden: yes + } # dimension functions + + dimension: library { + type: string + sql: ${TABLE}.library ;; + group_label: "target" + label: "target.file.pe_file.imports.library" + view_label: "UDM" + description: "Library field." + } # dimension library + +} # view events__target__file__pe_file__imports + +view: events__target__file__pe_file__resource { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + group_label: "target" + label: "target.file.pe_file.resource.entropy" + view_label: "UDM" + description: "Entropy of the resource." 
+ } # dimension entropy + + dimension: file_type { + type: string + sql: ${TABLE}.file_type ;; + group_label: "target" + label: "target.file.pe_file.resource.file_type" + view_label: "UDM" + description: "File type. Note that this value may not match any of the well-known type identifiers defined in the ResourceType enum." + } # dimension file_type + + dimension: filetype_magic { + type: string + sql: ${TABLE}.filetype_magic ;; + group_label: "target" + label: "target.file.pe_file.resource.filetype_magic" + view_label: "UDM" + description: "Type of resource content, as identified by the magic Python module. BEGIN GOOGLE-INTERNAL See http://cs/virustotal/virustotal-core-analysis/sav/common/tools/toolpefile/magic.py END GOOGLE-INTERNAL" + } # dimension filetype_magic + + dimension: language_code { + type: string + sql: ${TABLE}.language_code ;; + group_label: "target" + label: "target.file.pe_file.resource.language_code" + view_label: "UDM" + description: "Human-readable version of the language and sublanguage identifiers, as defined in the Microsoft Windows PE specification. BEGIN GOOGLE-INTERNAL See http://cs/virustotal/virustotal-core-analysis/sav/common/tools/toolpefile/toolpefile.py?l=419&rcl=df1fcff7c5e82a39875359608b47669d5aff82c7 END GOOGLE-INTERNAL Examples: | Language | Sublanguage | Field value | | LANG_NEUTRAL | SUBLANG_NEUTRAL | NEUTRAL | | LANG_FRENCH | - | FRENCH | | LANG_ENGLISH | SUBLANG_ENGLISH US | ENGLISH US |" + } # dimension language_code + + dimension: sha256_hex { + type: string + sql: ${TABLE}.sha256_hex ;; + group_label: "target" + label: "target.file.pe_file.resource.sha256_hex" + view_label: "UDM" + description: "SHA256_hex field.." 
+ } # dimension sha256_hex + +} # view events__target__file__pe_file__resource + +view: events__target__file__pe_file__resources_language_count_str { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "target" + label: "target.file.pe_file.resources_language_count_str.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "target" + label: "target.file.pe_file.resources_language_count_str.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view events__target__file__pe_file__resources_language_count_str + +view: events__target__file__pe_file__resources_type_count_str { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "target" + label: "target.file.pe_file.resources_type_count_str.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "target" + label: "target.file.pe_file.resources_type_count_str.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view events__target__file__pe_file__resources_type_count_str + +view: events__target__file__pe_file__section { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + group_label: "target" + label: "target.file.pe_file.section.entropy" + view_label: "UDM" + description: "Entropy of the section." + } # dimension entropy + + dimension: md5_hex { + type: string + sql: ${TABLE}.md5_hex ;; + group_label: "target" + label: "target.file.pe_file.section.md5_hex" + view_label: "UDM" + description: "MD5 hex of the file." + } # dimension md5_hex + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "target" + label: "target.file.pe_file.section.name" + view_label: "UDM" + description: "Name of the section." 
+ } # dimension name + + dimension: raw_size_bytes { + type: number + sql: ${TABLE}.raw_size_bytes ;; + group_label: "target" + label: "target.file.pe_file.section.raw_size_bytes" + view_label: "UDM" + description: "Raw file size in bytes." + } # dimension raw_size_bytes + + dimension: virtual_size_bytes { + type: number + sql: ${TABLE}.virtual_size_bytes ;; + group_label: "target" + label: "target.file.pe_file.section.virtual_size_bytes" + view_label: "UDM" + description: "Virtual file size in bytes." + } # dimension virtual_size_bytes + +} # view events__target__file__pe_file__section + +view: events__target__file__signature_info__sigcheck__signers { + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "target" + label: "target.file.signature_info.sigcheck.signers.name" + view_label: "UDM" + description: "Common name of the signers/certificate. The order of the signers matters. Each element is a higher level authority, the last being the root authority." + } # dimension name + +} # view events__target__file__signature_info__sigcheck__signers + +view: events__target__file__signature_info__sigcheck__x509 { + dimension: algorithm { + type: string + sql: ${TABLE}.algorithm ;; + group_label: "target" + label: "target.file.signature_info.sigcheck.x509.algorithm" + view_label: "UDM" + description: "Certificate algorithm." + } # dimension algorithm + + dimension: cert_issuer { + type: string + sql: ${TABLE}.cert_issuer ;; + group_label: "target" + label: "target.file.signature_info.sigcheck.x509.cert_issuer" + view_label: "UDM" + description: "Issuer of the certificate." + } # dimension cert_issuer + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "target" + label: "target.file.signature_info.sigcheck.x509.name" + view_label: "UDM" + description: "Certificate name." 
+ } # dimension name + + dimension: serial_number { + type: string + sql: ${TABLE}.serial_number ;; + group_label: "target" + label: "target.file.signature_info.sigcheck.x509.serial_number" + view_label: "UDM" + description: "Certificate serial number." + } # dimension serial_number + + dimension: thumbprint { + type: string + sql: ${TABLE}.thumbprint ;; + group_label: "target" + label: "target.file.signature_info.sigcheck.x509.thumbprint" + view_label: "UDM" + description: "Certificate thumbprint." + } # dimension thumbprint + +} # view events__target__file__signature_info__sigcheck__x509 + +view: events__target__file__tags { + dimension: events__target__file__tags { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.file.tags" + view_label: "UDM" + description: "Tags for the file." + } # dimension events__target__file__tags +} # view events__target__file__tags + +view: events__target__group__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "target" + label: "target.group.attribute.labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "target" + label: "target.group.attribute.labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view events__target__group__attribute__labels + +view: events__target__group__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "target" + label: "target.group.attribute.permissions.description" + view_label: "UDM" + description: "Description of the permission (e.g. 'Ability to update detect rules')." + } # dimension description + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "target" + label: "target.group.attribute.permissions.name" + view_label: "UDM" + description: "Name of the permission (e.g. chronicle.analyst.updateRule)." 
+ } # dimension name + +} # view events__target__group__attribute__permissions + +view: events__target__group__attribute__roles { + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "target" + label: "target.group.attribute.roles.name" + view_label: "UDM" + description: "System role name for user." + } # dimension name + +} # view events__target__group__attribute__roles + +view: events__target__group__email_addresses { + dimension: events__target__group__email_addresses { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.group.email_addresses" + view_label: "UDM" + description: "Email addresses of the group." + } # dimension events__target__group__email_addresses +} # view events__target__group__email_addresses + +view: events__target__investigation__comments { + dimension: events__target__investigation__comments { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.investigation.comments" + view_label: "UDM" + description: "Comment added by the Analyst." + } # dimension events__target__investigation__comments +} # view events__target__investigation__comments + +view: events__target__ip { + dimension: events__target__ip { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.ip" + view_label: "UDM" + description: "A list of IP addresses associated with a network connection." + } # dimension events__target__ip +} # view events__target__ip + +view: events__target__ip_geo_artifact { + dimension: ip { + type: string + sql: ${TABLE}.ip ;; + group_label: "target" + label: "target.ip_geo_artifact.ip" + view_label: "UDM" + description: "IP address of the artifact." 
+ } # dimension ip + + dimension: location { + hidden: yes + } # dimension location + + dimension: location__country_or_region { + type: string + sql: ${TABLE}.location.country_or_region ;; + group_label: "target" + label: "target.ip_geo_artifact.location.country_or_region" + view_label: "UDM" + description: "The country or region." + } # dimension location__country_or_region + + dimension: location__region_coordinates { + type: location + sql_latitude: ${TABLE}.location.region_coordinates.latitude ;; + sql_longitude: ${TABLE}.location.region_coordinates.longitude ;; + group_label: "target" + group_item_label: "target.ip_geo_artifact.location.region_coordinates [L]" + label: "target.ip_geo_artifact.location.region_coordinates" + view_label: "UDM" + description: "Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. [L]: This is a location field and can be used in maps." + } # dimension location__region_coordinates + + dimension: location__region_latitude { + type: number + sql: ${TABLE}.location.region_latitude ;; + group_label: "target" + group_item_label: "target.ip_geo_artifact.location.region_latitude [D]" + label: "target.ip_geo_artifact.location.region_latitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" + } # dimension location__region_latitude + + dimension: location__region_longitude { + type: number + sql: ${TABLE}.location.region_longitude ;; + group_label: "target" + group_item_label: "target.ip_geo_artifact.location.region_longitude [D]" + label: "target.ip_geo_artifact.location.region_longitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension location__region_longitude + + dimension: location__location { + type: location + sql_latitude: ${TABLE}.location.region_latitude ;; + sql_longitude: ${TABLE}.location.region_longitude ;; + group_label: "target" + group_item_label: "target.ip_geo_artifact.location.location [D][L]" + label: "target.ip_geo_artifact.location.location" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." + } # dimension location__location + + dimension: location__state { + type: string + sql: ${TABLE}.location.state ;; + group_label: "target" + label: "target.ip_geo_artifact.location.state" + view_label: "UDM" + description: "The state." + } # dimension location__state + + dimension: network { + hidden: yes + } # dimension network + + dimension: network__asn { + type: string + sql: ${TABLE}.network.asn ;; + group_label: "target" + label: "target.ip_geo_artifact.network.asn" + view_label: "UDM" + description: "Autonomous system number." + } # dimension network__asn + + dimension: network__carrier_name { + type: string + sql: ${TABLE}.network.carrier_name ;; + group_label: "target" + label: "target.ip_geo_artifact.network.carrier_name" + view_label: "UDM" + description: "Carrier identification." + } # dimension network__carrier_name + + dimension: network__dns_domain { + type: string + sql: ${TABLE}.network.dns_domain ;; + group_label: "target" + label: "target.ip_geo_artifact.network.dns_domain" + view_label: "UDM" + description: "DNS domain name." + } # dimension network__dns_domain + + dimension: network__organization_name { + type: string + sql: ${TABLE}.network.organization_name ;; + group_label: "target" + label: "target.ip_geo_artifact.network.organization_name" + view_label: "UDM" + description: "Organization name (e.g Google)." 
+ } # dimension network__organization_name + +} # view events__target__ip_geo_artifact + +view: events__target__ip_location { + dimension: city { + type: string + sql: ${TABLE}.city ;; + group_label: "target" + group_item_label: "target.ip_location.city [D]" + label: "target.ip_location.city" + view_label: "UDM" + description: "The city. [D]: This field is deprecated and will be removed in a future release" + } # dimension city + + dimension: country_or_region { + type: string + sql: ${TABLE}.country_or_region ;; + group_label: "target" + group_item_label: "target.ip_location.country_or_region [D]" + label: "target.ip_location.country_or_region" + view_label: "UDM" + description: "The country or region. [D]: This field is deprecated and will be removed in a future release" + } # dimension country_or_region + + dimension: desk_name { + type: string + sql: ${TABLE}.desk_name ;; + group_label: "target" + group_item_label: "target.ip_location.desk_name [D]" + label: "target.ip_location.desk_name" + view_label: "UDM" + description: "Desk name or individual location, typically for an employee in an office. (e.g. \"IN-BLR-BCPC-11-1121D\"). [D]: This field is deprecated and will be removed in a future release" + } # dimension desk_name + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "target" + group_item_label: "target.ip_location.name [D]" + label: "target.ip_location.name" + view_label: "UDM" + description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\"). 
[D]: This field is deprecated and will be removed in a future release" + } # dimension name + + dimension: region_coordinates { + type: location + sql_latitude: ${TABLE}.region_coordinates.latitude ;; + sql_longitude: ${TABLE}.region_coordinates.longitude ;; + group_label: "target" + group_item_label: "target.ip_location.region_coordinates [D][L]" + label: "target.ip_location.region_coordinates" + view_label: "UDM" + description: "Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." + } # dimension region_coordinates + + dimension: region_latitude { + type: number + sql: ${TABLE}.region_latitude ;; + group_label: "target" + group_item_label: "target.ip_location.region_latitude [D]" + label: "target.ip_location.region_latitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" + } # dimension region_latitude + + dimension: region_longitude { + type: number + sql: ${TABLE}.region_longitude ;; + group_label: "target" + group_item_label: "target.ip_location.region_longitude [D]" + label: "target.ip_location.region_longitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" + } # dimension region_longitude + + dimension: location { + type: location + sql_latitude: ${TABLE}.region_latitude ;; + sql_longitude: ${TABLE}.region_longitude ;; + group_label: "target" + group_item_label: "target.ip_location.location [D][L]" + label: "target.ip_location.location" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." 
+ } # dimension location + + dimension: state { + type: string + sql: ${TABLE}.state ;; + group_label: "target" + group_item_label: "target.ip_location.state [D]" + label: "target.ip_location.state" + view_label: "UDM" + description: "The state. [D]: This field is deprecated and will be removed in a future release" + } # dimension state + +} # view events__target__ip_location + +view: events__target__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "target" + group_item_label: "target.labels.key [D]" + label: "target.labels.key" + view_label: "UDM" + description: "The key. [D]: This field is deprecated and will be removed in a future release" + } # dimension key + + dimension: source { + type: string + sql: ${TABLE}.source ;; + group_label: "target" + group_item_label: "target.labels.source [D]" + label: "target.labels.source" + view_label: "UDM" + description: "@hide_from_doc [D]: This field is deprecated and will be removed in a future release" + } # dimension source + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "target" + group_item_label: "target.labels.value [D]" + label: "target.labels.value" + view_label: "UDM" + description: "The value. [D]: This field is deprecated and will be removed in a future release" + } # dimension value + +} # view events__target__labels + +view: events__target__mac { + dimension: events__target__mac { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.mac" + view_label: "UDM" + description: "List of MAC addresses associated with a device." + } # dimension events__target__mac +} # view events__target__mac + +view: events__target__nat_ip { + dimension: events__target__nat_ip { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.nat_ip" + view_label: "UDM" + description: "A list of NAT translated IP addresses associated with a network connection." 
+ } # dimension events__target__nat_ip +} # view events__target__nat_ip + +view: events__target__process__command_line_history { + dimension: events__target__process__command_line_history { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.process.command_line_history" + view_label: "UDM" + description: "The command line history of the process." + } # dimension events__target__process__command_line_history +} # view events__target__process__command_line_history + +view: events__target__process__file__capabilities_tags { + dimension: events__target__process__file__capabilities_tags { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.process.file.capabilities_tags" + view_label: "UDM" + description: "Capabilities tags." + } # dimension events__target__process__file__capabilities_tags +} # view events__target__process__file__capabilities_tags + +view: events__target__process__file__names { + dimension: events__target__process__file__names { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.process.file.names" + view_label: "UDM" + description: "Names fields." + } # dimension events__target__process__file__names +} # view events__target__process__file__names + +view: events__target__process__file__pe_file__signature_info__signer { + dimension: events__target__process__file__pe_file__signature_info__signer { + type: string + sql: ${TABLE} ;; + group_label: "target" + group_item_label: "target.process.file.pe_file.signature_info.signer [D]" + label: "target.process.file.pe_file.signature_info.signer" + view_label: "UDM" + description: "Deprecated: use signers field. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension events__target__process__file__pe_file__signature_info__signer +} # view events__target__process__file__pe_file__signature_info__signer + +view: events__target__process__parent_process__file__capabilities_tags { + dimension: events__target__process__parent_process__file__capabilities_tags { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.process.parent_process.file.capabilities_tags" + view_label: "UDM" + description: "Capabilities tags." + } # dimension events__target__process__parent_process__file__capabilities_tags +} # view events__target__process__parent_process__file__capabilities_tags + +view: events__target__process__parent_process__file__names { + dimension: events__target__process__parent_process__file__names { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.process.parent_process.file.names" + view_label: "UDM" + description: "Names fields." + } # dimension events__target__process__parent_process__file__names +} # view events__target__process__parent_process__file__names + +view: events__target__process_ancestors { + dimension: command_line { + type: string + sql: ${TABLE}.command_line ;; + group_label: "target" + label: "target.process_ancestors.command_line" + view_label: "UDM" + description: "The command line command that created the process." + } # dimension command_line + + dimension: file { + hidden: yes + } # dimension file + + dimension: file__full_path { + type: string + sql: ${TABLE}.file.full_path ;; + group_label: "target" + label: "target.process_ancestors.file.full_path" + view_label: "UDM" + description: "The full path identifying the location of the file on the system." 
+ } # dimension file__full_path + +} # view events__target__process_ancestors + +view: events__target__resource__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "target" + label: "target.resource.attribute.labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: source { + type: string + sql: ${TABLE}.source ;; + group_label: "target" + label: "target.resource.attribute.labels.source" + view_label: "UDM" + description: "@hide_from_doc" + } # dimension source + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "target" + label: "target.resource.attribute.labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view events__target__resource__attribute__labels + +view: events__target__resource__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "target" + label: "target.resource.attribute.permissions.description" + view_label: "UDM" + description: "Description of the permission (e.g. 'Ability to update detect rules')." + } # dimension description + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "target" + label: "target.resource.attribute.permissions.name" + view_label: "UDM" + description: "Name of the permission (e.g. chronicle.analyst.updateRule)." + } # dimension name + + dimension: type { + type: number + sql: ${TABLE}.type ;; + group_label: "target" + label: "target.resource.attribute.permissions.type" + view_label: "UDM" + description: "Type of the permission." 
+ } # dimension type + + dimension: type_enum_name { + type: string + suggestions: ["ADMIN_READ", "ADMIN_WRITE", "DATA_READ", "DATA_WRITE", "UNKNOWN_PERMISSION_TYPE"] + sql: CASE ${TABLE}.type WHEN 0 THEN 'UNKNOWN_PERMISSION_TYPE' WHEN 1 THEN 'ADMIN_WRITE' WHEN 2 THEN 'ADMIN_READ' WHEN 3 THEN 'DATA_WRITE' WHEN 4 THEN 'DATA_READ' END ;; + group_label: "target" + label: "target.resource.attribute.permissions.type_enum_name" + view_label: "UDM" + description: "Type of the permission." + } # dimension type_enum_name + +} # view events__target__resource__attribute__permissions + +view: events__target__resource__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "target" + label: "target.resource.attribute.roles.description" + view_label: "UDM" + description: "System role description for user." + } # dimension description + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "target" + label: "target.resource.attribute.roles.name" + view_label: "UDM" + description: "System role name for user." + } # dimension name + + dimension: type { + type: number + sql: ${TABLE}.type ;; + group_label: "target" + label: "target.resource.attribute.roles.type" + view_label: "UDM" + description: "System role type for well known roles." + } # dimension type + + dimension: type_enum_name { + type: string + suggestions: ["ADMINISTRATOR", "SERVICE_ACCOUNT", "TYPE_UNSPECIFIED"] + sql: CASE ${TABLE}.type WHEN 0 THEN 'TYPE_UNSPECIFIED' WHEN 1 THEN 'ADMINISTRATOR' WHEN 2 THEN 'SERVICE_ACCOUNT' END ;; + group_label: "target" + label: "target.resource.attribute.roles.type_enum_name" + view_label: "UDM" + description: "System role type for well known roles." 
+ } # dimension type_enum_name + +} # view events__target__resource__attribute__roles + +view: events__target__resource_ancestors__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "target" + label: "target.resource_ancestors.attribute.labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "target" + label: "target.resource_ancestors.attribute.labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view events__target__resource_ancestors__attribute__labels + +view: events__target__resource_ancestors__attribute__permissions { + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "target" + label: "target.resource_ancestors.attribute.permissions.name" + view_label: "UDM" + description: "Name of the permission (e.g. chronicle.analyst.updateRule)." + } # dimension name + +} # view events__target__resource_ancestors__attribute__permissions + +view: events__target__resource_ancestors { + dimension: attribute { + hidden: yes + } # dimension attribute + + dimension_group: target__resource_ancestors__attribute__creation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.resource_ancestors.attribute.creation_time" + view_label: "UDM" + description: "Time the resource or entity was created or provisioned." 
+ } # dimension target__resource_ancestors__attribute__creation_time + + dimension: attribute__labels { + hidden: yes + } # dimension attribute__labels + + dimension: attribute__permissions { + hidden: yes + } # dimension attribute__permissions + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "target" + label: "target.resource_ancestors.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." + } # dimension name + + dimension: product_object_id { + type: string + sql: ${TABLE}.product_object_id ;; + group_label: "target" + label: "target.resource_ancestors.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" + } # dimension product_object_id + + dimension: resource_subtype { + type: string + sql: ${TABLE}.resource_subtype ;; + group_label: "target" + label: "target.resource_ancestors.resource_subtype" + view_label: "UDM" + description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\")." + } # dimension resource_subtype + + dimension: resource_type { + type: number + sql: ${TABLE}.resource_type ;; + group_label: "target" + label: "target.resource_ancestors.resource_type" + view_label: "UDM" + description: "Resource type." 
+ } # dimension resource_type + + dimension: resource_type_enum_name { + type: string + suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] + sql: CASE ${TABLE}.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; + group_label: "target" + label: "target.resource_ancestors.resource_type_enum_name" + view_label: "UDM" + description: "Resource type." + } # dimension resource_type_enum_name + +} # view events__target__resource_ancestors + +view: events__target__user__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "target" + label: "target.user.attribute.labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "target" + label: "target.user.attribute.labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view events__target__user__attribute__labels + +view: events__target__user__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "target" + label: "target.user.attribute.permissions.description" + view_label: "UDM" + description: "Description of the permission (e.g. 
'Ability to update detect rules')." + } # dimension description + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "target" + label: "target.user.attribute.permissions.name" + view_label: "UDM" + description: "Name of the permission (e.g. chronicle.analyst.updateRule)." + } # dimension name + + dimension: type { + type: number + sql: ${TABLE}.type ;; + group_label: "target" + label: "target.user.attribute.permissions.type" + view_label: "UDM" + description: "Type of the permission." + } # dimension type + + dimension: type_enum_name { + type: string + suggestions: ["ADMIN_READ", "ADMIN_WRITE", "DATA_READ", "DATA_WRITE", "UNKNOWN_PERMISSION_TYPE"] + sql: CASE ${TABLE}.type WHEN 0 THEN 'UNKNOWN_PERMISSION_TYPE' WHEN 1 THEN 'ADMIN_WRITE' WHEN 2 THEN 'ADMIN_READ' WHEN 3 THEN 'DATA_WRITE' WHEN 4 THEN 'DATA_READ' END ;; + group_label: "target" + label: "target.user.attribute.permissions.type_enum_name" + view_label: "UDM" + description: "Type of the permission." + } # dimension type_enum_name + +} # view events__target__user__attribute__permissions + +view: events__target__user__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "target" + label: "target.user.attribute.roles.description" + view_label: "UDM" + description: "System role description for user." + } # dimension description + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "target" + label: "target.user.attribute.roles.name" + view_label: "UDM" + description: "System role name for user." + } # dimension name + + dimension: type { + type: number + sql: ${TABLE}.type ;; + group_label: "target" + label: "target.user.attribute.roles.type" + view_label: "UDM" + description: "System role type for well known roles." 
+ } # dimension type + + dimension: type_enum_name { + type: string + suggestions: ["ADMINISTRATOR", "SERVICE_ACCOUNT", "TYPE_UNSPECIFIED"] + sql: CASE ${TABLE}.type WHEN 0 THEN 'TYPE_UNSPECIFIED' WHEN 1 THEN 'ADMINISTRATOR' WHEN 2 THEN 'SERVICE_ACCOUNT' END ;; + group_label: "target" + label: "target.user.attribute.roles.type_enum_name" + view_label: "UDM" + description: "System role type for well known roles." + } # dimension type_enum_name + +} # view events__target__user__attribute__roles + +view: events__target__user__department { + dimension: events__target__user__department { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.user.department" + view_label: "UDM" + description: "User job department" + } # dimension events__target__user__department +} # view events__target__user__department + +view: events__target__user__email_addresses { + dimension: events__target__user__email_addresses { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.user.email_addresses" + view_label: "UDM" + description: "Email addresses of the user." + } # dimension events__target__user__email_addresses +} # view events__target__user__email_addresses + +view: events__target__user__group_identifiers { + dimension: events__target__user__group_identifiers { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.user.group_identifiers" + view_label: "UDM" + description: "Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar)." + } # dimension events__target__user__group_identifiers +} # view events__target__user__group_identifiers + +view: events__target__user__managers__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "target" + label: "target.user.managers.attribute.labels.key" + view_label: "UDM" + description: "The key." 
+ } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "target" + label: "target.user.managers.attribute.labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view events__target__user__managers__attribute__labels + +view: events__target__user__managers__attribute__roles { + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "target" + label: "target.user.managers.attribute.roles.name" + view_label: "UDM" + description: "System role name for user." + } # dimension name + + dimension: type { + type: number + sql: ${TABLE}.type ;; + group_label: "target" + label: "target.user.managers.attribute.roles.type" + view_label: "UDM" + description: "System role type for well known roles." + } # dimension type + + dimension: type_enum_name { + type: string + suggestions: ["ADMINISTRATOR", "SERVICE_ACCOUNT", "TYPE_UNSPECIFIED"] + sql: CASE ${TABLE}.type WHEN 0 THEN 'TYPE_UNSPECIFIED' WHEN 1 THEN 'ADMINISTRATOR' WHEN 2 THEN 'SERVICE_ACCOUNT' END ;; + group_label: "target" + label: "target.user.managers.attribute.roles.type_enum_name" + view_label: "UDM" + description: "System role type for well known roles." + } # dimension type_enum_name + +} # view events__target__user__managers__attribute__roles + +view: events__target__user__managers__department { + dimension: events__target__user__managers__department { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.user.managers.department" + view_label: "UDM" + description: "User job department" + } # dimension events__target__user__managers__department +} # view events__target__user__managers__department + +view: events__target__user__managers__email_addresses { + dimension: events__target__user__managers__email_addresses { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.user.managers.email_addresses" + view_label: "UDM" + description: "Email addresses of the user." 
+ } # dimension events__target__user__managers__email_addresses +} # view events__target__user__managers__email_addresses + +view: events__target__user__managers__group_identifiers { + dimension: events__target__user__managers__group_identifiers { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.user.managers.group_identifiers" + view_label: "UDM" + description: "Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar)." + } # dimension events__target__user__managers__group_identifiers +} # view events__target__user__managers__group_identifiers + +view: events__target__user__managers__phone_numbers { + dimension: events__target__user__managers__phone_numbers { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.user.managers.phone_numbers" + view_label: "UDM" + description: "Phone numbers for the user." + } # dimension events__target__user__managers__phone_numbers +} # view events__target__user__managers__phone_numbers + +view: events__target__user__managers { + dimension: attribute { + hidden: yes + } # dimension attribute + + dimension: attribute__labels { + hidden: yes + } # dimension attribute__labels + + dimension: attribute__roles { + hidden: yes + } # dimension attribute__roles + + dimension: company_name { + type: string + sql: ${TABLE}.company_name ;; + group_label: "target" + label: "target.user.managers.company_name" + view_label: "UDM" + description: "User job company name." + } # dimension company_name + + dimension: department { + hidden: yes + } # dimension department + + dimension: email_addresses { + hidden: yes + } # dimension email_addresses + + dimension: employee_id { + type: string + sql: ${TABLE}.employee_id ;; + group_label: "target" + label: "target.user.managers.employee_id" + view_label: "UDM" + description: "Human capital management identifier." 
+ } # dimension employee_id + + dimension: first_name { + type: string + sql: ${TABLE}.first_name ;; + group_label: "target" + label: "target.user.managers.first_name" + view_label: "UDM" + description: "First name of the user (e.g. \"John\")." + } # dimension first_name + + dimension: group_identifiers { + hidden: yes + } # dimension group_identifiers + + dimension: last_name { + type: string + sql: ${TABLE}.last_name ;; + group_label: "target" + label: "target.user.managers.last_name" + view_label: "UDM" + description: "Last name of the user (e.g. \"Locke\")." + } # dimension last_name + + dimension: personal_address { + hidden: yes + } # dimension personal_address + + dimension: personal_address__city { + type: string + sql: ${TABLE}.personal_address.city ;; + group_label: "target" + label: "target.user.managers.personal_address.city" + view_label: "UDM" + description: "The city." + } # dimension personal_address__city + + dimension: personal_address__country_or_region { + type: string + sql: ${TABLE}.personal_address.country_or_region ;; + group_label: "target" + label: "target.user.managers.personal_address.country_or_region" + view_label: "UDM" + description: "The country or region." + } # dimension personal_address__country_or_region + + dimension: personal_address__name { + type: string + sql: ${TABLE}.personal_address.name ;; + group_label: "target" + label: "target.user.managers.personal_address.name" + view_label: "UDM" + description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." + } # dimension personal_address__name + + dimension: personal_address__state { + type: string + sql: ${TABLE}.personal_address.state ;; + group_label: "target" + label: "target.user.managers.personal_address.state" + view_label: "UDM" + description: "The state." 
+ } # dimension personal_address__state + + dimension: phone_numbers { + hidden: yes + } # dimension phone_numbers + + dimension: product_object_id { + type: string + sql: ${TABLE}.product_object_id ;; + group_label: "target" + label: "target.user.managers.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." + } # dimension product_object_id + + dimension: title { + type: string + sql: ${TABLE}.title ;; + group_label: "target" + label: "target.user.managers.title" + view_label: "UDM" + description: "User job title." + } # dimension title + + dimension: user_display_name { + type: string + sql: ${TABLE}.user_display_name ;; + group_label: "target" + label: "target.user.managers.user_display_name" + view_label: "UDM" + description: "The display name of the user (e.g. \"John Locke\")." + } # dimension user_display_name + + dimension: userid { + type: string + sql: ${TABLE}.userid ;; + group_label: "target" + label: "target.user.managers.userid" + view_label: "UDM" + description: "The ID of the user." + } # dimension userid + + dimension: windows_sid { + type: string + sql: ${TABLE}.windows_sid ;; + group_label: "target" + label: "target.user.managers.windows_sid" + view_label: "UDM" + description: "The Microsoft Windows SID of the user." + } # dimension windows_sid + +} # view events__target__user__managers + +view: events__target__user__phone_numbers { + dimension: events__target__user__phone_numbers { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.user.phone_numbers" + view_label: "UDM" + description: "Phone numbers for the user." 
+ } # dimension events__target__user__phone_numbers +} # view events__target__user__phone_numbers + +view: events__target__user__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "target" + label: "target.user.time_off.description" + view_label: "UDM" + description: "Description of the leave if available (e.g. 'Vacation')." + } # dimension description + + dimension_group: target__user__time_off__interval { + type: duration + intervals: [ second, minute, hour ] + sql_start: TIMESTAMP_MICROS(IFNULL(${TABLE}.interval.start_time.seconds,0) * 1000000 + CAST((IFNULL(${TABLE}.interval.start_time.nanos,0) / 1000) as INT64)) ;; + sql_end: TIMESTAMP_MICROS(IFNULL(${TABLE}.interval.end_time.seconds,0) * 1000000 + CAST((IFNULL(${TABLE}.interval.end_time.nanos,0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.user.time_off.interval" + view_label: "UDM" + description: "Interval duration of the leave." + } # dimension target__user__time_off__interval + +} # view events__target__user__time_off + +view: events__target__user_management_chain { + dimension: user_display_name { + type: string + sql: ${TABLE}.user_display_name ;; + group_label: "target" + label: "target.user_management_chain.user_display_name" + view_label: "UDM" + description: "The display name of the user (e.g. \"John Locke\")." 
+ } # dimension user_display_name + +} # view events__target__user_management_chain + +explore: events { + ### BEGIN googlex/security/malachite/dashboards/lookml/udm/events_explore_preamble.lkml + label: "UDM Events" + + required_access_grants: [ + has_chronicle_feature_bq_export_external_source_enabled, + has_chronicle_explores_enabled + ] + + conditionally_filter: { + filters: { + field: events.time_filter + value: "last 24 hours" + } + } + + fields: [ALL_FIELDS*,] + sql_always_where: {% condition events.time_filter %} hour_time_bucket {% endcondition %} + AND {% condition events.time_filter %} ${metadata__event_timestamp_raw} {% endcondition %};; + + ### END googlex/security/malachite/dashboards/lookml/udm/events_explore_preamble.lkml + join: events__about { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events.about}) as events__about ;; + view_label: "UDM" + } # join events__about + + join: events__about__asset__attribute__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events__about.asset}.attribute.labels) as events__about__asset__attribute__labels ;; + view_label: "UDM" + } # join events__about__asset__attribute__labels + + join: events__about__asset__attribute__permissions { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events__about.asset}.attribute.permissions) as events__about__asset__attribute__permissions ;; + view_label: "UDM" + } # join events__about__asset__attribute__permissions + + join: events__about__asset__hardware { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events__about.asset}.hardware) as events__about__asset__hardware ;; + view_label: "UDM" + } # join events__about__asset__hardware + + join: events__about__asset__ip { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events__about.asset}.ip) as events__about__asset__ip ;; + view_label: "UDM" + } # join events__about__asset__ip + + join: events__about__asset__labels { + relationship: one_to_many + sql: LEFT JOIN 
UNNEST(${events__about.asset}.labels) as events__about__asset__labels ;; + view_label: "UDM" + } # join events__about__asset__labels + + join: events__about__asset__vulnerabilities { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events__about.asset}.vulnerabilities) as events__about__asset__vulnerabilities ;; + view_label: "UDM" + } # join events__about__asset__vulnerabilities + + join: events__about__file__capabilities_tags { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events__about.file}.capabilities_tags) as events__about__file__capabilities_tags ;; + view_label: "UDM" + } # join events__about__file__capabilities_tags + + join: events__about__file__names { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events__about.file}.names) as events__about__file__names ;; + view_label: "UDM" + } # join events__about__file__names + + join: events__about__investigation__comments { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events__about.investigation}.comments) as events__about__investigation__comments ;; + view_label: "UDM" + } # join events__about__investigation__comments + + join: events__about__ip { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events__about.ip}) as events__about__ip ;; + view_label: "UDM" + } # join events__about__ip + + join: events__about__ip_location { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events__about.ip_location}) as events__about__ip_location ;; + view_label: "UDM" + } # join events__about__ip_location + + join: events__about__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events__about.labels}) as events__about__labels ;; + view_label: "UDM" + } # join events__about__labels + + join: events__about__mac { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events__about.mac}) as events__about__mac ;; + view_label: "UDM" + } # join events__about__mac + + join: events__about__nat_ip { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events__about.nat_ip}) as 
events__about__nat_ip ;; + view_label: "UDM" + } # join events__about__nat_ip + + join: events__about__resource__attribute__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events__about.resource}.attribute.labels) as events__about__resource__attribute__labels ;; + view_label: "UDM" + } # join events__about__resource__attribute__labels + + join: events__about__resource__attribute__permissions { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events__about.resource}.attribute.permissions) as events__about__resource__attribute__permissions ;; + view_label: "UDM" + } # join events__about__resource__attribute__permissions + + join: events__about__resource_ancestors { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events__about.resource_ancestors}) as events__about__resource_ancestors ;; + view_label: "UDM" + } # join events__about__resource_ancestors + + join: events__about__resource_ancestors__attribute__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events__about__resource_ancestors.attribute}.labels) as events__about__resource_ancestors__attribute__labels ;; + view_label: "UDM" + } # join events__about__resource_ancestors__attribute__labels + + join: events__about__user__attribute__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events__about.user}.attribute.labels) as events__about__user__attribute__labels ;; + view_label: "UDM" + } # join events__about__user__attribute__labels + + join: events__about__user__attribute__permissions { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events__about.user}.attribute.permissions) as events__about__user__attribute__permissions ;; + view_label: "UDM" + } # join events__about__user__attribute__permissions + + join: events__about__user__attribute__roles { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events__about.user}.attribute.roles) as events__about__user__attribute__roles ;; + view_label: "UDM" + } # join events__about__user__attribute__roles + + 
join: events__about__user__department { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events__about.user}.department) as events__about__user__department ;; + view_label: "UDM" + } # join events__about__user__department + + join: events__about__user__email_addresses { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events__about.user}.email_addresses) as events__about__user__email_addresses ;; + view_label: "UDM" + } # join events__about__user__email_addresses + + join: events__about__user__group_identifiers { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events__about.user}.group_identifiers) as events__about__user__group_identifiers ;; + view_label: "UDM" + } # join events__about__user__group_identifiers + + join: events__additional__fields { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events.additional}.fields) as events__additional__fields ;; + view_label: "UDM" + } # join events__additional__fields + + join: events__additional__fields__value__list_value__values { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events__additional__fields.value}.list_value.values) as events__additional__fields__value__list_value__values ;; + view_label: "UDM" + } # join events__additional__fields__value__list_value__values + + join: events__additional__fields__value__list_value__values__struct_value__fields { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events__additional__fields__value__list_value__values.struct_value}.fields) as events__additional__fields__value__list_value__values__struct_value__fields ;; + view_label: "UDM" + } # join events__additional__fields__value__list_value__values__struct_value__fields + + join: events__additional__fields__value__struct_value__fields { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events__additional__fields.value}.struct_value.fields) as events__additional__fields__value__struct_value__fields ;; + view_label: "UDM" + } # join events__additional__fields__value__struct_value__fields + + 
join: events__extensions__auth__mechanism { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events.extensions}.auth.mechanism) as events__extensions__auth__mechanism ;; + view_label: "UDM" + } # join events__extensions__auth__mechanism + + join: events__extensions__auth__mechanism_enum_name { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events.extensions}.auth.mechanism) as events__extensions__auth__mechanism_enum_name ;; + view_label: "UDM" + } # join events__extensions__auth__mechanism_enum_name + + join: events__extensions__vulns__vulnerabilities { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events.extensions}.vulns.vulnerabilities) as events__extensions__vulns__vulnerabilities ;; + view_label: "UDM" + } # join events__extensions__vulns__vulnerabilities + + join: events__extensions__vulns__vulnerabilities__about__asset__ip { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events__extensions__vulns__vulnerabilities.about}.asset.ip) as events__extensions__vulns__vulnerabilities__about__asset__ip ;; + view_label: "UDM" + } # join events__extensions__vulns__vulnerabilities__about__asset__ip + + join: events__extensions__vulns__vulnerabilities__about__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events__extensions__vulns__vulnerabilities.about}.labels) as events__extensions__vulns__vulnerabilities__about__labels ;; + view_label: "UDM" + } # join events__extensions__vulns__vulnerabilities__about__labels + + join: events__extensions__vulns__vulnerabilities__about__resource__attribute__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events__extensions__vulns__vulnerabilities.about}.resource.attribute.labels) as events__extensions__vulns__vulnerabilities__about__resource__attribute__labels ;; + view_label: "UDM" + } # join events__extensions__vulns__vulnerabilities__about__resource__attribute__labels + + join: events__intermediary { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events.intermediary}) as 
events__intermediary ;; + view_label: "UDM" + } # join events__intermediary + + join: events__intermediary__asset__attribute__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events__intermediary.asset}.attribute.labels) as events__intermediary__asset__attribute__labels ;; + view_label: "UDM" + } # join events__intermediary__asset__attribute__labels + + join: events__intermediary__asset__hardware { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events__intermediary.asset}.hardware) as events__intermediary__asset__hardware ;; + view_label: "UDM" + } # join events__intermediary__asset__hardware + + join: events__intermediary__asset__ip { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events__intermediary.asset}.ip) as events__intermediary__asset__ip ;; + view_label: "UDM" + } # join events__intermediary__asset__ip + + join: events__intermediary__asset__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events__intermediary.asset}.labels) as events__intermediary__asset__labels ;; + view_label: "UDM" + } # join events__intermediary__asset__labels + + join: events__intermediary__asset__mac { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events__intermediary.asset}.mac) as events__intermediary__asset__mac ;; + view_label: "UDM" + } # join events__intermediary__asset__mac + + join: events__intermediary__asset__software { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events__intermediary.asset}.software) as events__intermediary__asset__software ;; + view_label: "UDM" + } # join events__intermediary__asset__software + + join: events__intermediary__ip { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events__intermediary.ip}) as events__intermediary__ip ;; + view_label: "UDM" + } # join events__intermediary__ip + + join: events__intermediary__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events__intermediary.labels}) as events__intermediary__labels ;; + view_label: "UDM" + } # join 
events__intermediary__labels + + join: events__intermediary__mac { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events__intermediary.mac}) as events__intermediary__mac ;; + view_label: "UDM" + } # join events__intermediary__mac + + join: events__intermediary__nat_ip { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events__intermediary.nat_ip}) as events__intermediary__nat_ip ;; + view_label: "UDM" + } # join events__intermediary__nat_ip + + join: events__intermediary__process__file__names { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events__intermediary.process}.file.names) as events__intermediary__process__file__names ;; + view_label: "UDM" + } # join events__intermediary__process__file__names + + join: events__intermediary__resource__attribute__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events__intermediary.resource}.attribute.labels) as events__intermediary__resource__attribute__labels ;; + view_label: "UDM" + } # join events__intermediary__resource__attribute__labels + + join: events__intermediary__user__email_addresses { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events__intermediary.user}.email_addresses) as events__intermediary__user__email_addresses ;; + view_label: "UDM" + } # join events__intermediary__user__email_addresses + + join: events__intermediary__user__group_identifiers { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events__intermediary.user}.group_identifiers) as events__intermediary__user__group_identifiers ;; + view_label: "UDM" + } # join events__intermediary__user__group_identifiers + + join: events__metadata__base_labels__log_types { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events.metadata}.base_labels.log_types) as events__metadata__base_labels__log_types ;; + view_label: "UDM" + } # join events__metadata__base_labels__log_types + + join: events__metadata__base_labels__namespaces { + relationship: one_to_one + sql: LEFT JOIN 
UNNEST(${events.metadata}.base_labels.namespaces) as events__metadata__base_labels__namespaces ;; + view_label: "UDM" + } # join events__metadata__base_labels__namespaces + + join: events__metadata__ingestion_labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events.metadata}.ingestion_labels) as events__metadata__ingestion_labels ;; + view_label: "UDM" + } # join events__metadata__ingestion_labels + + join: events__metadata__tags__data_tap_config_name { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events.metadata}.tags.data_tap_config_name) as events__metadata__tags__data_tap_config_name ;; + view_label: "UDM" + } # join events__metadata__tags__data_tap_config_name + + join: events__metadata__tags__tenant_id { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events.metadata}.tags.tenant_id) as events__metadata__tags__tenant_id ;; + view_label: "UDM" + } # join events__metadata__tags__tenant_id + + join: events__network__dhcp__options { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events.network}.dhcp.options) as events__network__dhcp__options ;; + view_label: "UDM" + } # join events__network__dhcp__options + + join: events__network__dns__additional { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events.network}.dns.additional) as events__network__dns__additional ;; + view_label: "UDM" + } # join events__network__dns__additional + + join: events__network__dns__answers { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events.network}.dns.answers) as events__network__dns__answers ;; + view_label: "UDM" + } # join events__network__dns__answers + + join: events__network__dns__authority { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events.network}.dns.authority) as events__network__dns__authority ;; + view_label: "UDM" + } # join events__network__dns__authority + + join: events__network__dns__questions { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events.network}.dns.questions) as 
events__network__dns__questions ;; + view_label: "UDM" + } # join events__network__dns__questions + + join: events__network__email__bcc { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events.network}.email.bcc) as events__network__email__bcc ;; + view_label: "UDM" + } # join events__network__email__bcc + + join: events__network__email__cc { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events.network}.email.cc) as events__network__email__cc ;; + view_label: "UDM" + } # join events__network__email__cc + + join: events__network__email__subject { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events.network}.email.subject) as events__network__email__subject ;; + view_label: "UDM" + } # join events__network__email__subject + + join: events__network__email__to { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events.network}.email.to) as events__network__email__to ;; + view_label: "UDM" + } # join events__network__email__to + + join: events__network__http__parsed_user_agent__annotation { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events.network}.http.parsed_user_agent.annotation) as events__network__http__parsed_user_agent__annotation ;; + view_label: "UDM" + } # join events__network__http__parsed_user_agent__annotation + + join: events__network__tls__client__supported_ciphers { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events.network}.tls.client.supported_ciphers) as events__network__tls__client__supported_ciphers ;; + view_label: "UDM" + } # join events__network__tls__client__supported_ciphers + + join: events__observer__asset__attribute__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events.observer}.asset.attribute.labels) as events__observer__asset__attribute__labels ;; + view_label: "UDM" + } # join events__observer__asset__attribute__labels + + join: events__observer__asset__ip { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events.observer}.asset.ip) as events__observer__asset__ip ;; + 
view_label: "UDM" + } # join events__observer__asset__ip + + join: events__observer__asset__software { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events.observer}.asset.software) as events__observer__asset__software ;; + view_label: "UDM" + } # join events__observer__asset__software + + join: events__observer__asset__vulnerabilities { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events.observer}.asset.vulnerabilities) as events__observer__asset__vulnerabilities ;; + view_label: "UDM" + } # join events__observer__asset__vulnerabilities + + join: events__observer__ip { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events.observer}.ip) as events__observer__ip ;; + view_label: "UDM" + } # join events__observer__ip + + join: events__observer__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events.observer}.labels) as events__observer__labels ;; + view_label: "UDM" + } # join events__observer__labels + + join: events__observer__mac { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events.observer}.mac) as events__observer__mac ;; + view_label: "UDM" + } # join events__observer__mac + + join: events__observer__resource__attribute__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events.observer}.resource.attribute.labels) as events__observer__resource__attribute__labels ;; + view_label: "UDM" + } # join events__observer__resource__attribute__labels + + join: events__observer__user__email_addresses { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events.observer}.user.email_addresses) as events__observer__user__email_addresses ;; + view_label: "UDM" + } # join events__observer__user__email_addresses + + join: events__observer__user__group_identifiers { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events.observer}.user.group_identifiers) as events__observer__user__group_identifiers ;; + view_label: "UDM" + } # join events__observer__user__group_identifiers + + join: 
events__principal__artifact__network__dns__answers { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events.principal}.artifact.network.dns.answers) as events__principal__artifact__network__dns__answers ;; + view_label: "UDM" + } # join events__principal__artifact__network__dns__answers + + join: events__principal__asset__attribute__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events.principal}.asset.attribute.labels) as events__principal__asset__attribute__labels ;; + view_label: "UDM" + } # join events__principal__asset__attribute__labels + + join: events__principal__asset__attribute__roles { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events.principal}.asset.attribute.roles) as events__principal__asset__attribute__roles ;; + view_label: "UDM" + } # join events__principal__asset__attribute__roles + + join: events__principal__asset__hardware { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events.principal}.asset.hardware) as events__principal__asset__hardware ;; + view_label: "UDM" + } # join events__principal__asset__hardware + + join: events__principal__asset__ip { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events.principal}.asset.ip) as events__principal__asset__ip ;; + view_label: "UDM" + } # join events__principal__asset__ip + + join: events__principal__asset__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events.principal}.asset.labels) as events__principal__asset__labels ;; + view_label: "UDM" + } # join events__principal__asset__labels + + join: events__principal__asset__mac { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events.principal}.asset.mac) as events__principal__asset__mac ;; + view_label: "UDM" + } # join events__principal__asset__mac + + join: events__principal__asset__nat_ip { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events.principal}.asset.nat_ip) as events__principal__asset__nat_ip ;; + view_label: "UDM" + } # join events__principal__asset__nat_ip + + 
join: events__principal__asset__software { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events.principal}.asset.software) as events__principal__asset__software ;; + view_label: "UDM" + } # join events__principal__asset__software + + join: events__principal__asset__software__permissions { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events__principal__asset__software.permissions}) as events__principal__asset__software__permissions ;; + view_label: "UDM" + } # join events__principal__asset__software__permissions + + join: events__principal__asset__vulnerabilities { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events.principal}.asset.vulnerabilities) as events__principal__asset__vulnerabilities ;; + view_label: "UDM" + } # join events__principal__asset__vulnerabilities + + join: events__principal__domain__name_server { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events.principal}.domain.name_server) as events__principal__domain__name_server ;; + view_label: "UDM" + } # join events__principal__domain__name_server + + join: events__principal__domain__tech__group_identifiers { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events.principal}.domain.tech.group_identifiers) as events__principal__domain__tech__group_identifiers ;; + view_label: "UDM" + } # join events__principal__domain__tech__group_identifiers + + join: events__principal__file__names { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events.principal}.file.names) as events__principal__file__names ;; + view_label: "UDM" + } # join events__principal__file__names + + join: events__principal__group__attribute__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events.principal}.group.attribute.labels) as events__principal__group__attribute__labels ;; + view_label: "UDM" + } # join events__principal__group__attribute__labels + + join: events__principal__group__attribute__roles { + relationship: one_to_many + sql: LEFT JOIN 
UNNEST(${events.principal}.group.attribute.roles) as events__principal__group__attribute__roles ;; + view_label: "UDM" + } # join events__principal__group__attribute__roles + + join: events__principal__group__email_addresses { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events.principal}.group.email_addresses) as events__principal__group__email_addresses ;; + view_label: "UDM" + } # join events__principal__group__email_addresses + + join: events__principal__investigation__comments { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events.principal}.investigation.comments) as events__principal__investigation__comments ;; + view_label: "UDM" + } # join events__principal__investigation__comments + + join: events__principal__ip { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events.principal}.ip) as events__principal__ip ;; + view_label: "UDM" + } # join events__principal__ip + + join: events__principal__ip_geo_artifact { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events.principal}.ip_geo_artifact) as events__principal__ip_geo_artifact ;; + view_label: "UDM" + } # join events__principal__ip_geo_artifact + + join: events__principal__ip_location { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events.principal}.ip_location) as events__principal__ip_location ;; + view_label: "UDM" + } # join events__principal__ip_location + + join: events__principal__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events.principal}.labels) as events__principal__labels ;; + view_label: "UDM" + } # join events__principal__labels + + join: events__principal__mac { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events.principal}.mac) as events__principal__mac ;; + view_label: "UDM" + } # join events__principal__mac + + join: events__principal__nat_ip { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events.principal}.nat_ip) as events__principal__nat_ip ;; + view_label: "UDM" + } # join events__principal__nat_ip + + join: 
events__principal__process__command_line_history {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events.principal}.process.command_line_history) as events__principal__process__command_line_history ;;
+ view_label: "UDM"
+ } # join events__principal__process__command_line_history
+
+ join: events__principal__process__file__capabilities_tags {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events.principal}.process.file.capabilities_tags) as events__principal__process__file__capabilities_tags ;;
+ view_label: "UDM"
+ } # join events__principal__process__file__capabilities_tags
+
+ join: events__principal__process__file__names {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events.principal}.process.file.names) as events__principal__process__file__names ;;
+ view_label: "UDM"
+ } # join events__principal__process__file__names
+
+ join: events__principal__process_ancestors {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.principal}.process_ancestors) as events__principal__process_ancestors ;;
+ view_label: "UDM"
+ } # join events__principal__process_ancestors
+
+ join: events__principal__resource__attribute__labels {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.principal}.resource.attribute.labels) as events__principal__resource__attribute__labels ;;
+ view_label: "UDM"
+ } # join events__principal__resource__attribute__labels
+
+ join: events__principal__resource__attribute__permissions {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.principal}.resource.attribute.permissions) as events__principal__resource__attribute__permissions ;;
+ view_label: "UDM"
+ } # join events__principal__resource__attribute__permissions
+
+ join: events__principal__resource__attribute__roles {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.principal}.resource.attribute.roles) as events__principal__resource__attribute__roles ;;
+ view_label: "UDM"
+ } # join events__principal__resource__attribute__roles
+
+ join: events__principal__resource_ancestors {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.principal}.resource_ancestors) as events__principal__resource_ancestors ;;
+ view_label: "UDM"
+ } # join events__principal__resource_ancestors
+
+ join: events__principal__resource_ancestors__attribute__labels {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events__principal__resource_ancestors.attribute}.labels) as events__principal__resource_ancestors__attribute__labels ;;
+ view_label: "UDM"
+ } # join events__principal__resource_ancestors__attribute__labels
+
+ join: events__principal__user__attribute__labels {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.principal}.user.attribute.labels) as events__principal__user__attribute__labels ;;
+ view_label: "UDM"
+ } # join events__principal__user__attribute__labels
+
+ join: events__principal__user__attribute__permissions {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.principal}.user.attribute.permissions) as events__principal__user__attribute__permissions ;;
+ view_label: "UDM"
+ } # join events__principal__user__attribute__permissions
+
+ join: events__principal__user__attribute__roles {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.principal}.user.attribute.roles) as events__principal__user__attribute__roles ;;
+ view_label: "UDM"
+ } # join events__principal__user__attribute__roles
+
+ join: events__principal__user__department {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events.principal}.user.department) as events__principal__user__department ;;
+ view_label: "UDM"
+ } # join events__principal__user__department
+
+ join: events__principal__user__email_addresses {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events.principal}.user.email_addresses) as events__principal__user__email_addresses ;;
+ view_label: "UDM"
+ } # join events__principal__user__email_addresses
+
+ join: events__principal__user__group_identifiers {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events.principal}.user.group_identifiers) as events__principal__user__group_identifiers ;;
+ view_label: "UDM"
+ } # join events__principal__user__group_identifiers
+
+ join: events__principal__user__managers {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.principal}.user.managers) as events__principal__user__managers ;;
+ view_label: "UDM"
+ } # join events__principal__user__managers
+
+ join: events__principal__user__managers__attribute__labels {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events__principal__user__managers.attribute}.labels) as events__principal__user__managers__attribute__labels ;;
+ view_label: "UDM"
+ } # join events__principal__user__managers__attribute__labels
+
+ join: events__principal__user__managers__attribute__roles {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events__principal__user__managers.attribute}.roles) as events__principal__user__managers__attribute__roles ;;
+ view_label: "UDM"
+ } # join events__principal__user__managers__attribute__roles
+
+ join: events__principal__user__managers__department {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events__principal__user__managers.department}) as events__principal__user__managers__department ;;
+ view_label: "UDM"
+ } # join events__principal__user__managers__department
+
+ join: events__principal__user__managers__email_addresses {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events__principal__user__managers.email_addresses}) as events__principal__user__managers__email_addresses ;;
+ view_label: "UDM"
+ } # join events__principal__user__managers__email_addresses
+
+ join: events__principal__user__managers__group_identifiers {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events__principal__user__managers.group_identifiers}) as events__principal__user__managers__group_identifiers ;;
+ view_label: "UDM"
+ } # join events__principal__user__managers__group_identifiers
+
+ join: events__principal__user__managers__phone_numbers {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events__principal__user__managers.phone_numbers}) as events__principal__user__managers__phone_numbers ;;
+ view_label: "UDM"
+ } # join events__principal__user__managers__phone_numbers
+
+ join: events__principal__user__phone_numbers {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events.principal}.user.phone_numbers) as events__principal__user__phone_numbers ;;
+ view_label: "UDM"
+ } # join events__principal__user__phone_numbers
+
+ join: events__principal__user__time_off {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.principal}.user.time_off) as events__principal__user__time_off ;;
+ view_label: "UDM"
+ } # join events__principal__user__time_off
+
+ join: events__security_result {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.security_result}) as events__security_result ;;
+ view_label: "UDM"
+ } # join events__security_result
+
+ join: events__security_result__about__asset__attribute__permissions {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events__security_result.about}.asset.attribute.permissions) as events__security_result__about__asset__attribute__permissions ;;
+ view_label: "UDM"
+ } # join events__security_result__about__asset__attribute__permissions
+
+ join: events__security_result__about__asset__ip {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events__security_result.about}.asset.ip) as events__security_result__about__asset__ip ;;
+ view_label: "UDM"
+ } # join events__security_result__about__asset__ip
+
+ join: events__security_result__about__asset__labels {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events__security_result.about}.asset.labels) as events__security_result__about__asset__labels ;;
+ view_label: "UDM"
+ } # join events__security_result__about__asset__labels
+
+ join: events__security_result__about__asset__mac {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events__security_result.about}.asset.mac) as events__security_result__about__asset__mac ;;
+ view_label: "UDM"
+ } # join events__security_result__about__asset__mac
+
+ join: events__security_result__about__asset__software {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events__security_result.about}.asset.software) as events__security_result__about__asset__software ;;
+ view_label: "UDM"
+ } # join events__security_result__about__asset__software
+
+ join: events__security_result__about__asset__software__permissions {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events__security_result__about__asset__software.permissions}) as events__security_result__about__asset__software__permissions ;;
+ view_label: "UDM"
+ } # join events__security_result__about__asset__software__permissions
+
+ join: events__security_result__about__asset__vulnerabilities {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events__security_result.about}.asset.vulnerabilities) as events__security_result__about__asset__vulnerabilities ;;
+ view_label: "UDM"
+ } # join events__security_result__about__asset__vulnerabilities
+
+ join: events__security_result__about__domain__tech__attribute__permissions {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events__security_result.about}.domain.tech.attribute.permissions) as events__security_result__about__domain__tech__attribute__permissions ;;
+ view_label: "UDM"
+ } # join events__security_result__about__domain__tech__attribute__permissions
+
+ join: events__security_result__about__file__capabilities_tags {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events__security_result.about}.file.capabilities_tags) as events__security_result__about__file__capabilities_tags ;;
+ view_label: "UDM"
+ } # join events__security_result__about__file__capabilities_tags
+
+ join: events__security_result__about__file__names {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events__security_result.about}.file.names) as events__security_result__about__file__names ;;
+ view_label: "UDM"
+ } # join events__security_result__about__file__names
+
+ join: events__security_result__about__investigation__comments {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events__security_result.about}.investigation.comments) as events__security_result__about__investigation__comments ;;
+ view_label: "UDM"
+ } # join events__security_result__about__investigation__comments
+
+ join: events__security_result__about__ip {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events__security_result.about}.ip) as events__security_result__about__ip ;;
+ view_label: "UDM"
+ } # join events__security_result__about__ip
+
+ join: events__security_result__about__ip_location {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events__security_result.about}.ip_location) as events__security_result__about__ip_location ;;
+ view_label: "UDM"
+ } # join events__security_result__about__ip_location
+
+ join: events__security_result__about__labels {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events__security_result.about}.labels) as events__security_result__about__labels ;;
+ view_label: "UDM"
+ } # join events__security_result__about__labels
+
+ join: events__security_result__about__mac {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events__security_result.about}.mac) as events__security_result__about__mac ;;
+ view_label: "UDM"
+ } # join events__security_result__about__mac
+
+ join: events__security_result__about__nat_ip {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events__security_result.about}.nat_ip) as events__security_result__about__nat_ip ;;
+ view_label: "UDM"
+ } # join events__security_result__about__nat_ip
+
+ join: events__security_result__about__process__command_line_history {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events__security_result.about}.process.command_line_history) as events__security_result__about__process__command_line_history ;;
+ view_label: "UDM"
+ } # join events__security_result__about__process__command_line_history
+
+ join: events__security_result__about__resource__attribute__labels {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events__security_result.about}.resource.attribute.labels) as events__security_result__about__resource__attribute__labels ;;
+ view_label: "UDM"
+ } # join events__security_result__about__resource__attribute__labels
+
+ join: events__security_result__about__resource_ancestors {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events__security_result.about}.resource_ancestors) as events__security_result__about__resource_ancestors ;;
+ view_label: "UDM"
+ } # join events__security_result__about__resource_ancestors
+
+ join: events__security_result__about__user__attribute__labels {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events__security_result.about}.user.attribute.labels) as events__security_result__about__user__attribute__labels ;;
+ view_label: "UDM"
+ } # join events__security_result__about__user__attribute__labels
+
+ join: events__security_result__about__user__attribute__roles {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events__security_result.about}.user.attribute.roles) as events__security_result__about__user__attribute__roles ;;
+ view_label: "UDM"
+ } # join events__security_result__about__user__attribute__roles
+
+ join: events__security_result__about__user__email_addresses {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events__security_result.about}.user.email_addresses) as events__security_result__about__user__email_addresses ;;
+ view_label: "UDM"
+ } # join events__security_result__about__user__email_addresses
+
+ join: events__security_result__about__user__group_identifiers {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events__security_result.about}.user.group_identifiers) as events__security_result__about__user__group_identifiers ;;
+ view_label: "UDM"
+ } # join events__security_result__about__user__group_identifiers
+
+ join: events__security_result__about__user_management_chain {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events__security_result.about}.user_management_chain) as events__security_result__about__user_management_chain ;;
+ view_label: "UDM"
+ } # join events__security_result__about__user_management_chain
+
+ join: events__security_result__action {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events__security_result.action}) as events__security_result__action ;;
+ view_label: "UDM"
+ } # join events__security_result__action
+
+ join: events__security_result__action_enum_name {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events__security_result.action}) as events__security_result__action_enum_name ;;
+ view_label: "UDM"
+ } # join events__security_result__action_enum_name
+
+ join: events__security_result__attack_details__tactics {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events__security_result.attack_details}.tactics) as events__security_result__attack_details__tactics ;;
+ view_label: "UDM"
+ } # join events__security_result__attack_details__tactics
+
+ join: events__security_result__attack_details__techniques {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events__security_result.attack_details}.techniques) as events__security_result__attack_details__techniques ;;
+ view_label: "UDM"
+ } # join events__security_result__attack_details__techniques
+
+ join: events__security_result__category {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events__security_result.category}) as events__security_result__category ;;
+ view_label: "UDM"
+ } # join events__security_result__category
+
+ join: events__security_result__category_enum_name {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events__security_result.category}) as events__security_result__category_enum_name ;;
+ view_label: "UDM"
+ } # join events__security_result__category_enum_name
+
+ join: events__security_result__category_details {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events__security_result.category_details}) as events__security_result__category_details ;;
+ view_label: "UDM"
+ } # join events__security_result__category_details
+
+ join: events__security_result__detection_fields {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events__security_result.detection_fields}) as events__security_result__detection_fields ;;
+ view_label: "UDM"
+ } # join events__security_result__detection_fields
+
+ join: events__security_result__outcomes {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events__security_result.outcomes}) as events__security_result__outcomes ;;
+ view_label: "UDM"
+ } # join events__security_result__outcomes
+
+ join: events__security_result__rule_labels {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events__security_result.rule_labels}) as events__security_result__rule_labels ;;
+ view_label: "UDM"
+ } # join events__security_result__rule_labels
+
+ join: events__src__artifact__network__dns__questions {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.src}.artifact.network.dns.questions) as events__src__artifact__network__dns__questions ;;
+ view_label: "UDM"
+ } # join events__src__artifact__network__dns__questions
+
+ join: events__src__asset__attribute__labels {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.src}.asset.attribute.labels) as events__src__asset__attribute__labels ;;
+ view_label: "UDM"
+ } # join events__src__asset__attribute__labels
+
+ join: events__src__asset__hardware {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.src}.asset.hardware) as events__src__asset__hardware ;;
+ view_label: "UDM"
+ } # join events__src__asset__hardware
+
+ join: events__src__asset__ip {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events.src}.asset.ip) as events__src__asset__ip ;;
+ view_label: "UDM"
+ } # join events__src__asset__ip
+
+ join: events__src__asset__labels {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.src}.asset.labels) as events__src__asset__labels ;;
+ view_label: "UDM"
+ } # join events__src__asset__labels
+
+ join: events__src__asset__mac {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events.src}.asset.mac) as events__src__asset__mac ;;
+ view_label: "UDM"
+ } # join events__src__asset__mac
+
+ join: events__src__asset__nat_ip {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events.src}.asset.nat_ip) as events__src__asset__nat_ip ;;
+ view_label: "UDM"
+ } # join events__src__asset__nat_ip
+
+ join: events__src__asset__software {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.src}.asset.software) as events__src__asset__software ;;
+ view_label: "UDM"
+ } # join events__src__asset__software
+
+ join: events__src__asset__software__permissions {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events__src__asset__software.permissions}) as events__src__asset__software__permissions ;;
+ view_label: "UDM"
+ } # join events__src__asset__software__permissions
+
+ join: events__src__asset__vulnerabilities {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.src}.asset.vulnerabilities) as events__src__asset__vulnerabilities ;;
+ view_label: "UDM"
+ } # join events__src__asset__vulnerabilities
+
+ join: events__src__file__capabilities_tags {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events.src}.file.capabilities_tags) as events__src__file__capabilities_tags ;;
+ view_label: "UDM"
+ } # join events__src__file__capabilities_tags
+
+ join: events__src__file__embedded_domains {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events.src}.file.embedded_domains) as events__src__file__embedded_domains ;;
+ view_label: "UDM"
+ } # join events__src__file__embedded_domains
+
+ join: events__src__file__embedded_ips {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events.src}.file.embedded_ips) as events__src__file__embedded_ips ;;
+ view_label: "UDM"
+ } # join events__src__file__embedded_ips
+
+ join: events__src__file__embedded_urls {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events.src}.file.embedded_urls) as events__src__file__embedded_urls ;;
+ view_label: "UDM"
+ } # join events__src__file__embedded_urls
+
+ join: events__src__file__names {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events.src}.file.names) as events__src__file__names ;;
+ view_label: "UDM"
+ } # join events__src__file__names
+
+ join: events__src__file__signature_info__sigcheck__signers {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.src}.file.signature_info.sigcheck.signers) as events__src__file__signature_info__sigcheck__signers ;;
+ view_label: "UDM"
+ } # join events__src__file__signature_info__sigcheck__signers
+
+ join: events__src__file__tags {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events.src}.file.tags) as events__src__file__tags ;;
+ view_label: "UDM"
+ } # join events__src__file__tags
+
+ join: events__src__ip {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events.src}.ip) as events__src__ip ;;
+ view_label: "UDM"
+ } # join events__src__ip
+
+ join: events__src__ip_geo_artifact {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.src}.ip_geo_artifact) as events__src__ip_geo_artifact ;;
+ view_label: "UDM"
+ } # join events__src__ip_geo_artifact
+
+ join: events__src__ip_location {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.src}.ip_location) as events__src__ip_location ;;
+ view_label: "UDM"
+ } # join events__src__ip_location
+
+ join: events__src__labels {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.src}.labels) as events__src__labels ;;
+ view_label: "UDM"
+ } # join events__src__labels
+
+ join: events__src__mac {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events.src}.mac) as events__src__mac ;;
+ view_label: "UDM"
+ } # join events__src__mac
+
+ join: events__src__nat_ip {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events.src}.nat_ip) as events__src__nat_ip ;;
+ view_label: "UDM"
+ } # join events__src__nat_ip
+
+ join: events__src__process__file__names {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events.src}.process.file.names) as events__src__process__file__names ;;
+ view_label: "UDM"
+ } # join events__src__process__file__names
+
+ join: events__src__process_ancestors {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.src}.process_ancestors) as events__src__process_ancestors ;;
+ view_label: "UDM"
+ } # join events__src__process_ancestors
+
+ join: events__src__resource__attribute__labels {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.src}.resource.attribute.labels) as events__src__resource__attribute__labels ;;
+ view_label: "UDM"
+ } # join events__src__resource__attribute__labels
+
+ join: events__src__resource__attribute__permissions {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.src}.resource.attribute.permissions) as events__src__resource__attribute__permissions ;;
+ view_label: "UDM"
+ } # join events__src__resource__attribute__permissions
+
+ join: events__src__resource_ancestors {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.src}.resource_ancestors) as events__src__resource_ancestors ;;
+ view_label: "UDM"
+ } # join events__src__resource_ancestors
+
+ join: events__src__resource_ancestors__attribute__labels {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events__src__resource_ancestors.attribute}.labels) as events__src__resource_ancestors__attribute__labels ;;
+ view_label: "UDM"
+ } # join events__src__resource_ancestors__attribute__labels
+
+ join: events__src__user__attribute__labels {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.src}.user.attribute.labels) as events__src__user__attribute__labels ;;
+ view_label: "UDM"
+ } # join events__src__user__attribute__labels
+
+ join: events__src__user__attribute__roles {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.src}.user.attribute.roles) as events__src__user__attribute__roles ;;
+ view_label: "UDM"
+ } # join events__src__user__attribute__roles
+
+ join: events__src__user__department {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events.src}.user.department) as events__src__user__department ;;
+ view_label: "UDM"
+ } # join events__src__user__department
+
+ join: events__src__user__email_addresses {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events.src}.user.email_addresses) as events__src__user__email_addresses ;;
+ view_label: "UDM"
+ } # join events__src__user__email_addresses
+
+ join: events__src__user__group_identifiers {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events.src}.user.group_identifiers) as events__src__user__group_identifiers ;;
+ view_label: "UDM"
+ } # join events__src__user__group_identifiers
+
+ join: events__src__user__managers {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.src}.user.managers) as events__src__user__managers ;;
+ view_label: "UDM"
+ } # join events__src__user__managers
+
+ join: events__src__user__managers__attribute__labels {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events__src__user__managers.attribute}.labels) as events__src__user__managers__attribute__labels ;;
+ view_label: "UDM"
+ } # join events__src__user__managers__attribute__labels
+
+ join: events__src__user__managers__attribute__roles {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events__src__user__managers.attribute}.roles) as events__src__user__managers__attribute__roles ;;
+ view_label: "UDM"
+ } # join events__src__user__managers__attribute__roles
+
+ join: events__src__user__managers__department {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events__src__user__managers.department}) as events__src__user__managers__department ;;
+ view_label: "UDM"
+ } # join events__src__user__managers__department
+
+ join: events__src__user__managers__email_addresses {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events__src__user__managers.email_addresses}) as events__src__user__managers__email_addresses ;;
+ view_label: "UDM"
+ } # join events__src__user__managers__email_addresses
+
+ join: events__src__user__managers__group_identifiers {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events__src__user__managers.group_identifiers}) as events__src__user__managers__group_identifiers ;;
+ view_label: "UDM"
+ } # join events__src__user__managers__group_identifiers
+
+ join: events__src__user__managers__phone_numbers {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events__src__user__managers.phone_numbers}) as events__src__user__managers__phone_numbers ;;
+ view_label: "UDM"
+ } # join events__src__user__managers__phone_numbers
+
+ join: events__src__user__phone_numbers {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events.src}.user.phone_numbers) as events__src__user__phone_numbers ;;
+ view_label: "UDM"
+ } # join events__src__user__phone_numbers
+
+ join: events__src__user__time_off {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.src}.user.time_off) as events__src__user__time_off ;;
+ view_label: "UDM"
+ } # join events__src__user__time_off
+
+ join: events__target__artifact__network__email__subject {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events.target}.artifact.network.email.subject) as events__target__artifact__network__email__subject ;;
+ view_label: "UDM"
+ } # join events__target__artifact__network__email__subject
+
+ join: events__target__asset__attribute__labels {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.target}.asset.attribute.labels) as events__target__asset__attribute__labels ;;
+ view_label: "UDM"
+ } # join events__target__asset__attribute__labels
+
+ join: events__target__asset__attribute__permissions {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.target}.asset.attribute.permissions) as events__target__asset__attribute__permissions ;;
+ view_label: "UDM"
+ } # join events__target__asset__attribute__permissions
+
+ join: events__target__asset__attribute__roles {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.target}.asset.attribute.roles) as events__target__asset__attribute__roles ;;
+ view_label: "UDM"
+ } # join events__target__asset__attribute__roles
+
+ join: events__target__asset__hardware {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.target}.asset.hardware) as events__target__asset__hardware ;;
+ view_label: "UDM"
+ } # join events__target__asset__hardware
+
+ join: events__target__asset__ip {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events.target}.asset.ip) as events__target__asset__ip ;;
+ view_label: "UDM"
+ } # join events__target__asset__ip
+
+ join: events__target__asset__labels {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.target}.asset.labels) as events__target__asset__labels ;;
+ view_label: "UDM"
+ } # join events__target__asset__labels
+
+ join: events__target__asset__mac {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events.target}.asset.mac) as events__target__asset__mac ;;
+ view_label: "UDM"
+ } # join events__target__asset__mac
+
+ join: events__target__asset__nat_ip {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events.target}.asset.nat_ip) as events__target__asset__nat_ip ;;
+ view_label: "UDM"
+ } # join events__target__asset__nat_ip
+
+ join: events__target__asset__software {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.target}.asset.software) as events__target__asset__software ;;
+ view_label: "UDM"
+ } # join events__target__asset__software
+
+ join: events__target__asset__software__permissions {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events__target__asset__software.permissions}) as events__target__asset__software__permissions ;;
+ view_label: "UDM"
+ } # join events__target__asset__software__permissions
+
+ join: events__target__asset__vulnerabilities {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.target}.asset.vulnerabilities) as events__target__asset__vulnerabilities ;;
+ view_label: "UDM"
+ } # join events__target__asset__vulnerabilities
+
+ join: events__target__cloud__project__attribute__labels {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.target}.cloud.project.attribute.labels) as events__target__cloud__project__attribute__labels ;;
+ view_label: "UDM"
+ } # join events__target__cloud__project__attribute__labels
+
+ join: events__target__domain__name_server {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events.target}.domain.name_server) as events__target__domain__name_server ;;
+ view_label: "UDM"
+ } # join events__target__domain__name_server
+
+ join: events__target__file__capabilities_tags {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events.target}.file.capabilities_tags) as events__target__file__capabilities_tags ;;
+ view_label: "UDM"
+ } # join events__target__file__capabilities_tags
+
+ join: events__target__file__embedded_domains {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events.target}.file.embedded_domains) as events__target__file__embedded_domains ;;
+ view_label: "UDM"
+ } # join events__target__file__embedded_domains
+
+ join: events__target__file__embedded_ips {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events.target}.file.embedded_ips) as events__target__file__embedded_ips ;;
+ view_label: "UDM"
+ } # join events__target__file__embedded_ips
+
+ join: events__target__file__embedded_urls {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events.target}.file.embedded_urls) as events__target__file__embedded_urls ;;
+ view_label: "UDM"
+ } # join events__target__file__embedded_urls
+
+ join: events__target__file__names {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events.target}.file.names) as events__target__file__names ;;
+ view_label: "UDM"
+ } # join events__target__file__names
+
+ join: events__target__file__pe_file__imports {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.target}.file.pe_file.imports) as events__target__file__pe_file__imports ;;
+ view_label: "UDM"
+ } # join events__target__file__pe_file__imports
+
+ join: events__target__file__pe_file__imports__functions {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events__target__file__pe_file__imports.functions}) as events__target__file__pe_file__imports__functions ;;
+ view_label: "UDM"
+ } # join events__target__file__pe_file__imports__functions
+
+ join: events__target__file__pe_file__resource {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.target}.file.pe_file.resource) as events__target__file__pe_file__resource ;;
+ view_label: "UDM"
+ } # join events__target__file__pe_file__resource
+
+ join: events__target__file__pe_file__resources_language_count_str {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.target}.file.pe_file.resources_language_count_str) as events__target__file__pe_file__resources_language_count_str ;;
+ view_label: "UDM"
+ } # join events__target__file__pe_file__resources_language_count_str
+
+ join: events__target__file__pe_file__resources_type_count_str {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.target}.file.pe_file.resources_type_count_str) as events__target__file__pe_file__resources_type_count_str ;;
+ view_label: "UDM"
+ } # join events__target__file__pe_file__resources_type_count_str
+
+ join: events__target__file__pe_file__section {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.target}.file.pe_file.section) as events__target__file__pe_file__section ;;
+ view_label: "UDM"
+ } # join events__target__file__pe_file__section
+
+ join: events__target__file__signature_info__sigcheck__signers {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.target}.file.signature_info.sigcheck.signers) as events__target__file__signature_info__sigcheck__signers ;;
+ view_label: "UDM"
+ } # join events__target__file__signature_info__sigcheck__signers
+
+ join: events__target__file__signature_info__sigcheck__x509 {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.target}.file.signature_info.sigcheck.x509) as events__target__file__signature_info__sigcheck__x509 ;;
+ view_label: "UDM"
+ } # join events__target__file__signature_info__sigcheck__x509
+
+ join: events__target__file__tags {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events.target}.file.tags) as events__target__file__tags ;;
+ view_label: "UDM"
+ } # join events__target__file__tags
+
+ join: events__target__group__attribute__labels {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.target}.group.attribute.labels) as events__target__group__attribute__labels ;;
+ view_label: "UDM"
+ } # join events__target__group__attribute__labels
+
+ join: events__target__group__attribute__permissions {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.target}.group.attribute.permissions) as events__target__group__attribute__permissions ;;
+ view_label: "UDM"
+ } # join events__target__group__attribute__permissions
+
+ join: events__target__group__attribute__roles {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.target}.group.attribute.roles) as events__target__group__attribute__roles ;;
+ view_label: "UDM"
+ } # join events__target__group__attribute__roles
+
+ join: events__target__group__email_addresses {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events.target}.group.email_addresses) as events__target__group__email_addresses ;;
+ view_label: "UDM"
+ } # join events__target__group__email_addresses
+
+ join: events__target__investigation__comments {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events.target}.investigation.comments) as events__target__investigation__comments ;;
+ view_label: "UDM"
+ } # join events__target__investigation__comments
+
+ join: events__target__ip {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events.target}.ip) as events__target__ip ;;
+ view_label: "UDM"
+ } # join events__target__ip
+
+ join: events__target__ip_geo_artifact {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.target}.ip_geo_artifact) as events__target__ip_geo_artifact ;;
+ view_label: "UDM"
+ } # join events__target__ip_geo_artifact
+
+ join: events__target__ip_location {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.target}.ip_location) as events__target__ip_location ;;
+ view_label: "UDM"
+ } # join events__target__ip_location
+
+ join: events__target__labels {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.target}.labels) as events__target__labels ;;
+ view_label: "UDM"
+ } # join events__target__labels
+
+ join: events__target__mac {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events.target}.mac) as events__target__mac ;;
+ view_label: "UDM"
+ } # join events__target__mac
+
+ join: events__target__nat_ip {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events.target}.nat_ip) as events__target__nat_ip ;;
+ view_label: "UDM"
+ } # join events__target__nat_ip
+
+ join: events__target__process__command_line_history {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events.target}.process.command_line_history) as events__target__process__command_line_history ;;
+ view_label: "UDM"
+ } # join events__target__process__command_line_history
+
+ join: events__target__process__file__capabilities_tags {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events.target}.process.file.capabilities_tags) as events__target__process__file__capabilities_tags ;;
+ view_label: "UDM"
+ } # join events__target__process__file__capabilities_tags
+
+ join: events__target__process__file__names {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events.target}.process.file.names) as events__target__process__file__names ;;
+ view_label: "UDM"
+ } # join events__target__process__file__names
+
+ join: events__target__process__file__pe_file__signature_info__signer {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events.target}.process.file.pe_file.signature_info.signer) as events__target__process__file__pe_file__signature_info__signer ;;
+ view_label: "UDM"
+ } # join events__target__process__file__pe_file__signature_info__signer
+
+ join: events__target__process__parent_process__file__capabilities_tags {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events.target}.process.parent_process.file.capabilities_tags) as events__target__process__parent_process__file__capabilities_tags ;;
+ view_label: "UDM"
+ } # join events__target__process__parent_process__file__capabilities_tags
+
+ join: events__target__process__parent_process__file__names {
+ relationship: one_to_one
+ sql: LEFT JOIN UNNEST(${events.target}.process.parent_process.file.names) as events__target__process__parent_process__file__names ;;
+ view_label: "UDM"
+ } # join events__target__process__parent_process__file__names
+
+ join: events__target__process_ancestors {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.target}.process_ancestors) as events__target__process_ancestors ;;
+ view_label: "UDM"
+ } # join events__target__process_ancestors
+
+ join: events__target__resource__attribute__labels {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.target}.resource.attribute.labels) as events__target__resource__attribute__labels ;;
+ view_label: "UDM"
+ } # join events__target__resource__attribute__labels
+
+ join: events__target__resource__attribute__permissions {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.target}.resource.attribute.permissions) as events__target__resource__attribute__permissions ;;
+ view_label: "UDM"
+ } # join events__target__resource__attribute__permissions
+
+ join: events__target__resource__attribute__roles {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.target}.resource.attribute.roles) as events__target__resource__attribute__roles ;;
+ view_label: "UDM"
+ } # join events__target__resource__attribute__roles
+
+ join: events__target__resource_ancestors {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.target}.resource_ancestors) as events__target__resource_ancestors ;;
+ view_label: "UDM"
+ } # join events__target__resource_ancestors
+
+ join: events__target__resource_ancestors__attribute__labels {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events__target__resource_ancestors.attribute}.labels) as events__target__resource_ancestors__attribute__labels ;;
+ view_label: "UDM"
+ } # join events__target__resource_ancestors__attribute__labels
+
+ join: events__target__resource_ancestors__attribute__permissions {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events__target__resource_ancestors.attribute}.permissions) as events__target__resource_ancestors__attribute__permissions ;;
+ view_label: "UDM"
+ } # join events__target__resource_ancestors__attribute__permissions
+
+ join: events__target__user__attribute__labels {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.target}.user.attribute.labels) as events__target__user__attribute__labels ;;
+ view_label: "UDM"
+ } # join events__target__user__attribute__labels
+
+ join: events__target__user__attribute__permissions {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.target}.user.attribute.permissions) as events__target__user__attribute__permissions ;;
+ view_label: "UDM"
+ } # join events__target__user__attribute__permissions
+
+ join: events__target__user__attribute__roles {
+ relationship: one_to_many
+ sql: LEFT JOIN UNNEST(${events.target}.user.attribute.roles) as events__target__user__attribute__roles ;;
+ view_label: "UDM"
+ } # join events__target__user__attribute__roles
+
+ join: events__target__user__department {
+ relationship: one_to_one
+ sql: LEFT 
JOIN UNNEST(${events.target}.user.department) as events__target__user__department ;; + view_label: "UDM" + } # join events__target__user__department + + join: events__target__user__email_addresses { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events.target}.user.email_addresses) as events__target__user__email_addresses ;; + view_label: "UDM" + } # join events__target__user__email_addresses + + join: events__target__user__group_identifiers { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events.target}.user.group_identifiers) as events__target__user__group_identifiers ;; + view_label: "UDM" + } # join events__target__user__group_identifiers + + join: events__target__user__managers { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events.target}.user.managers) as events__target__user__managers ;; + view_label: "UDM" + } # join events__target__user__managers + + join: events__target__user__managers__attribute__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events__target__user__managers.attribute}.labels) as events__target__user__managers__attribute__labels ;; + view_label: "UDM" + } # join events__target__user__managers__attribute__labels + + join: events__target__user__managers__attribute__roles { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events__target__user__managers.attribute}.roles) as events__target__user__managers__attribute__roles ;; + view_label: "UDM" + } # join events__target__user__managers__attribute__roles + + join: events__target__user__managers__department { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events__target__user__managers.department}) as events__target__user__managers__department ;; + view_label: "UDM" + } # join events__target__user__managers__department + + join: events__target__user__managers__email_addresses { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events__target__user__managers.email_addresses}) as events__target__user__managers__email_addresses ;; + view_label: 
"UDM" + } # join events__target__user__managers__email_addresses + + join: events__target__user__managers__group_identifiers { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events__target__user__managers.group_identifiers}) as events__target__user__managers__group_identifiers ;; + view_label: "UDM" + } # join events__target__user__managers__group_identifiers + + join: events__target__user__managers__phone_numbers { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events__target__user__managers.phone_numbers}) as events__target__user__managers__phone_numbers ;; + view_label: "UDM" + } # join events__target__user__managers__phone_numbers + + join: events__target__user__phone_numbers { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${events.target}.user.phone_numbers) as events__target__user__phone_numbers ;; + view_label: "UDM" + } # join events__target__user__phone_numbers + + join: events__target__user__time_off { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events.target}.user.time_off) as events__target__user__time_off ;; + view_label: "UDM" + } # join events__target__user__time_off + + join: events__target__user_management_chain { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${events.target}.user_management_chain) as events__target__user_management_chain ;; + view_label: "UDM" + } # join events__target__user_management_chain + +} # explore events + diff --git a/proto2lkml/udm_events.lkml b/proto2lkml/udm_events.lkml new file mode 100644 index 0000000..ed06cf0 --- /dev/null +++ b/proto2lkml/udm_events.lkml 
@@ -0,0 +1,19329 @@ +# Copyright Google Inc 2023 and onwards. +# This file was generated by proto2lkml. Do not modify it. +# Source: googlex/security/malachite/proto/external/udm.proto +### BEGIN googlex/security/malachite/dashboards/lookml/udm/udm_events_preamble.lkml +include: "/chronicle_features.lkml" + +### END googlex/security/malachite/dashboards/lookml/udm/udm_events_preamble.lkml +view: udm_events { + ### BEGIN googlex/security/malachite/dashboards/lookml/udm/udm_view_preamble.lkml + sql_table_name: `@{EVENTS}`;; + + dimension: primary_key { + primary_key: yes + hidden: yes + sql: CONCAT(IFNULL(to_hex(${TABLE}.metadata.id), ""), + IFNULL(${TABLE}.metadata.product_log_id, ""), + IFNULL(${TABLE}.metadata.event_timestamp.seconds,0), + IFNULL(${TABLE}.metadata.event_timestamp.nanos,0), + IFNULL(${TABLE}.metadata.event_type,0), + IFNULL(${TABLE}.metadata.vendor_name,""), + IFNULL(${TABLE}.metadata.product_name,""));; + } + + measure: count { + description: "Count of UDM events; COUNT(DISTINCT ...) is used." + type: count + view_label: "UDM" + } + + measure: count_all { + description: "Count of all UDM events; COUNT(DISTINCT ...) is not used." + type: number + sql: count(*) ;; + label: "Count (all)" + view_label: "UDM" + } + + filter: time_filter { + label: "metadata.event_timestamp" + type: date_time + view_label: "UDM" + description: "Filter on the metadata.event_timestamp" + } + + #------------------------------------------------------------------------------- + # The following dimensions are here for backwards compatibility. + # Do not remove because it might break some old dashbaords that depend on it. + dimension_group: event_timestamp { + hidden: yes + type: time + timeframes: [ + raw, + time, + date, + week, + month, + hour, + minute, + year + ] + datatype: epoch + sql: ${TABLE}.metadata.event_timestamp.seconds ;; + } + + dimension: period { + hidden: yes + type: string + description: "The reporting period as selected by the Period Filter. 
Values - 'This Period' and 'Previous Period'. + Apply Filter 'This Period' to get values from current period." + sql: + CASE + WHEN {% date_start period_filter %} is not null AND {% date_end period_filter %} is not null /* date ranges or in the past x days */ + THEN + CASE + WHEN ${event_timestamp_raw} >= UNIX_SECONDS({% date_start period_filter %}) + AND ${event_timestamp_raw} <= UNIX_SECONDS({% date_end period_filter %}) + THEN 'This Period' + WHEN ${event_timestamp_raw} >= UNIX_SECONDS(TIMESTAMP_ADD({% date_start period_filter %}, INTERVAL 1 * (TIMESTAMP_DIFF({% date_start period_filter %},{% date_end period_filter %}, DAY)) DAY)) + AND ${event_timestamp_raw} <= UNIX_SECONDS(TIMESTAMP_ADD({% date_start period_filter %}, INTERVAL -1 DAY)) + THEN 'Previous Period' + END + END ;; + } + + dimension: domain { + hidden: yes + type: string + sql: REGEXP_EXTRACT(COALESCE(${TABLE}.network.dns.questions[SAFE_OFFSET(0)].name, ${TABLE}.target.hostname), r"^(?:[a-zA-Z0-9-]+\.)*([a-zA-Z0-9-]+\.[a-zA-Z0-9-]*[a-zA-Z-][a-zA-Z0-9-]*)$");; + } + + dimension: asset { + hidden: yes + type: string + label: "Asset" + sql: COALESCE(${TABLE}.principal.hostname, ${TABLE}.principal.ip[SAFE_OFFSET(0)]) ;; + } + + dimension: full_domain { + hidden: yes + type: string + sql: COALESCE(${TABLE}.network.dns.questions[SAFE_OFFSET(0)].name, ${TABLE}.target.hostname);; + } + + # This does not even exist in BQ, maybe it used to exist. 
+ dimension_group: _partitiondate { + hidden: yes + type: time + timeframes: [ + raw, + date, + week, + month, + quarter, + year + ] + convert_tz: no + datatype: date + sql: ${TABLE}.hour_time_bucket ;; + } + + dimension_group: _partitiontime { + hidden: yes + type: time + timeframes: [ + raw, + date, + week, + month, + quarter, + year + ] + convert_tz: no + datatype: date + sql: ${TABLE}.hour_time_bucket ;; + } + + dimension_group: hour_time_bucket { + hidden: yes + type: time + timeframes: [ + raw, + time, + date, + week, + month, + quarter, + year + ] + sql: ${TABLE}.hour_time_bucket ;; + } + + dimension: prevalence { + hidden: yes + type: number + sql: COALESCE(${TABLE}.principal.hostname}, ${TABLE}.principal.ip}) ;; + } + + #------------------------------------------------------------------------------- + + ### END googlex/security/malachite/dashboards/lookml/udm/udm_view_preamble.lkml + filter: ip_grouped_field_filter { + label: "ip" + group_label: "Grouped Fields" + view_label: "UDM" + description: "IP address fields. Grouped Fields filter based on multiple UDM fields." 
+ sql: {%condition%} ${udm_events__principal__ip.udm_events__principal__ip} {%endcondition%} or +{%condition%}${udm_events__src__ip.udm_events__src__ip} {%endcondition%} or +{%condition%}${udm_events__target__ip.udm_events__target__ip} {%endcondition%} or +{%condition%}${udm_events__observer__ip.udm_events__observer__ip} {%endcondition%} or +{%condition%}${udm_events__intermediary__ip.udm_events__intermediary__ip} {%endcondition%} or +{%condition%}${udm_events.principal__artifact__ip} {%endcondition%} or +{%condition%}${udm_events.src__artifact__ip} {%endcondition%} or +{%condition%}${udm_events.target__artifact__ip} {%endcondition%} or +{%condition%}${udm_events__principal__asset__ip.udm_events__principal__asset__ip} {%endcondition%} or +{%condition%}${udm_events__src__asset__ip.udm_events__src__asset__ip} {%endcondition%} or +{%condition%}${udm_events__target__asset__ip.udm_events__target__asset__ip} {%endcondition%} +;; + } # ip + + filter: domain_grouped_field_filter { + label: "domain" + group_label: "Grouped Fields" + view_label: "UDM" + description: "Domain fields. Grouped Fields filter based on multiple UDM fields." + sql: {%condition%} ${udm_events.network__dns_domain} {%endcondition%} or +{%condition%}${udm_events__network__dns__questions.name} {%endcondition%} or +{%condition%}${udm_events.principal__administrative_domain} {%endcondition%} or +{%condition%}${udm_events.target__administrative_domain} {%endcondition%} or +{%condition%}${udm_events__about.administrative_domain} {%endcondition%} or +{%condition%}${udm_events.target__hostname} {%endcondition%} or +{%condition%}${udm_events.target__asset__hostname} {%endcondition%} or +{%condition%}${udm_events.principal__asset__network_domain} {%endcondition%} or +{%condition%}${udm_events.target__asset__network_domain} {%endcondition%} +;; + } # domain + + filter: hostname_grouped_field_filter { + label: "hostname" + group_label: "Grouped Fields" + view_label: "UDM" + description: "Hostname fields. 
Grouped Fields filter based on multiple UDM fields." + sql: {%condition%} ${udm_events.principal__hostname} {%endcondition%} or +{%condition%}${udm_events.src__hostname} {%endcondition%} or +{%condition%}${udm_events.target__hostname} {%endcondition%} or +{%condition%}${udm_events__intermediary.hostname} {%endcondition%} or +{%condition%}${udm_events.observer__hostname} {%endcondition%} or +{%condition%}${udm_events.principal__asset__hostname} {%endcondition%} or +{%condition%}${udm_events.src__asset__hostname} {%endcondition%} or +{%condition%}${udm_events.target__asset__hostname} {%endcondition%} +;; + } # hostname + + filter: user_grouped_field_filter { + label: "user" + group_label: "Grouped Fields" + view_label: "UDM" + description: "User ID fields. Grouped Fields filter based on multiple UDM fields." + sql: {%condition%} ${udm_events.principal__user__userid} {%endcondition%} or +{%condition%}${udm_events.src__user__userid} {%endcondition%} or +{%condition%}${udm_events.target__user__userid} {%endcondition%} or +{%condition%}${udm_events.observer__user__userid} {%endcondition%} or +{%condition%}${udm_events__about.user__userid} {%endcondition%} or +{%condition%}${udm_events.principal__user__windows_sid} {%endcondition%} or +{%condition%}${udm_events.target__user__windows_sid} {%endcondition%} or +{%condition%}${udm_events.principal__user__user_display_name} {%endcondition%} or +{%condition%}${udm_events.target__user__user_display_name} {%endcondition%} +;; + } # user + + filter: email_grouped_field_filter { + label: "email" + group_label: "Grouped Fields" + view_label: "UDM" + description: "Email address fields. Grouped Fields filter based on multiple UDM fields." 
+ sql: {%condition%} ${udm_events__principal__user__email_addresses.udm_events__principal__user__email_addresses} {%endcondition%} or +{%condition%}${udm_events__target__user__email_addresses.udm_events__target__user__email_addresses} {%endcondition%} or +{%condition%}${udm_events__intermediary__user__email_addresses.udm_events__intermediary__user__email_addresses} {%endcondition%} or +{%condition%}${udm_events__security_result__about__user__email_addresses.udm_events__security_result__about__user__email_addresses} {%endcondition%} or +{%condition%}${udm_events.network__email__from} {%endcondition%} or +{%condition%}${udm_events__network__email__to.udm_events__network__email__to} {%endcondition%} +;; + } # email + + filter: file_path_grouped_field_filter { + label: "file_path" + group_label: "Grouped Fields" + view_label: "UDM" + description: "File path fields. Grouped Fields filter based on multiple UDM fields." + sql: {%condition%} ${udm_events.principal__file__full_path} {%endcondition%} or +{%condition%}${udm_events.target__file__full_path} {%endcondition%} or +{%condition%}${udm_events.principal__process__file__full_path} {%endcondition%} or +{%condition%}${udm_events.target__process__file__full_path} {%endcondition%} +;; + } # file_path + + filter: hash_grouped_field_filter { + label: "hash" + group_label: "Grouped Fields" + view_label: "UDM" + description: "File hash fields. Grouped Fields filter based on multiple UDM fields." 
+ sql: {%condition%} ${udm_events.principal__process__file__md5} {%endcondition%} or +{%condition%}${udm_events.target__process__file__md5} {%endcondition%} or +{%condition%}${udm_events.principal__process__file__sha1} {%endcondition%} or +{%condition%}${udm_events.target__process__file__sha1} {%endcondition%} or +{%condition%}${udm_events.principal__process__file__sha256} {%endcondition%} or +{%condition%}${udm_events.target__process__file__sha256} {%endcondition%} or +{%condition%}${udm_events.target__file__md5} {%endcondition%} or +{%condition%}${udm_events.target__file__sha1} {%endcondition%} or +{%condition%}${udm_events.target__file__sha256} {%endcondition%} or +{%condition%}${udm_events__about.file__md5} {%endcondition%} or +{%condition%}${udm_events__about.file__sha256} {%endcondition%} or +{%condition%}${udm_events__about.file__sha1} {%endcondition%} or +{%condition%}${udm_events__security_result.about__file__sha256} {%endcondition%} +;; + } # hash + + filter: process_id_grouped_field_filter { + label: "process_id" + group_label: "Grouped Fields" + view_label: "UDM" + description: "Process ID fields. Grouped Fields filter based on multiple UDM fields." + sql: {%condition%} ${udm_events.principal__process__pid} {%endcondition%} or +{%condition%}${udm_events.target__process__pid} {%endcondition%} or +{%condition%}${udm_events.principal__process__product_specific_process_id} {%endcondition%} or +{%condition%}${udm_events.target__process__product_specific_process_id} {%endcondition%} +;; + } # process_id + + filter: namespace_grouped_field_filter { + label: "namespace" + group_label: "Grouped Fields" + view_label: "UDM" + description: "Namespace fields. Grouped Fields filter based on multiple UDM fields." 
+ sql: {%condition%} ${udm_events.principal__namespace} {%endcondition%} or +{%condition%}${udm_events.src__namespace} {%endcondition%} or +{%condition%}${udm_events.target__namespace} {%endcondition%} +;; + } # namespace + + dimension: about { + hidden: yes + } # dimension about + + dimension: additional { + hidden: yes + } # dimension additional + + dimension: additional__fields { + hidden: yes + } # dimension additional__fields + + dimension: extensions { + hidden: yes + } # dimension extensions + + dimension: extensions__auth { + hidden: yes + } # dimension extensions__auth + + dimension: extensions__auth__auth_details { + type: string + sql: ${TABLE}.extensions.auth.auth_details ;; + group_label: "extensions" + label: "extensions.auth.auth_details" + view_label: "UDM" + description: "The vendor defined details of the authentication." + } # dimension extensions__auth__auth_details + + dimension: extensions__auth__mechanism { + hidden: yes + } # dimension extensions__auth__mechanism + + dimension: extensions__auth__mechanism_enum_name { + hidden: yes + } # dimension extensions__auth__mechanism_enum_name + + dimension: extensions__auth__type { + type: number + sql: ${TABLE}.extensions.auth.type ;; + group_label: "extensions" + label: "extensions.auth.type" + view_label: "UDM" + description: "The type of authentication." + } # dimension extensions__auth__type + + dimension: extensions__auth__type_enum_name { + type: string + suggestions: ["AUTHTYPE_UNSPECIFIED", "MACHINE", "PHYSICAL", "SSO", "TACACS", "VPN"] + sql: CASE ${TABLE}.extensions.auth.type WHEN 0 THEN 'AUTHTYPE_UNSPECIFIED' WHEN 1 THEN 'MACHINE' WHEN 2 THEN 'SSO' WHEN 3 THEN 'VPN' WHEN 4 THEN 'PHYSICAL' WHEN 5 THEN 'TACACS' END ;; + group_label: "extensions" + label: "extensions.auth.type_enum_name" + view_label: "UDM" + description: "The type of authentication." 
+ } # dimension extensions__auth__type_enum_name + + dimension: extensions__vulns { + hidden: yes + } # dimension extensions__vulns + + dimension: extensions__vulns__vulnerabilities { + hidden: yes + } # dimension extensions__vulns__vulnerabilities + + dimension: intermediary { + hidden: yes + } # dimension intermediary + + dimension: metadata { + hidden: yes + } # dimension metadata + + dimension: metadata__base_labels { + hidden: yes + } # dimension metadata__base_labels + + dimension: metadata__base_labels__log_types { + hidden: yes + } # dimension metadata__base_labels__log_types + + dimension: metadata__base_labels__namespaces { + hidden: yes + } # dimension metadata__base_labels__namespaces + + dimension_group: metadata__collected_timestamp { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.metadata.collected_timestamp.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.metadata.collected_timestamp.nanos, 0) / 1000) as INT64)) ;; + group_label: "metadata" + label: "metadata.collected_timestamp" + view_label: "UDM" + description: "The GMT timestamp when the event was collected by the vendor's local collection infrastructure." + } # dimension metadata__collected_timestamp + + dimension: metadata__description { + type: string + sql: ${TABLE}.metadata.description ;; + group_label: "metadata" + label: "metadata.description" + view_label: "UDM" + description: "A human-readable unparsable description of the event." + } # dimension metadata__description + + dimension: metadata__enrichment_state { + type: number + sql: ${TABLE}.metadata.enrichment_state ;; + group_label: "metadata" + label: "metadata.enrichment_state" + view_label: "UDM" + description: "The enrichment state." 
+ } # dimension metadata__enrichment_state + + dimension: metadata__enrichment_state_enum_name { + type: string + suggestions: ["ENRICHED", "ENRICHMENT_STATE_UNSPECIFIED", "UNENRICHED"] + sql: CASE ${TABLE}.metadata.enrichment_state WHEN 0 THEN 'ENRICHMENT_STATE_UNSPECIFIED' WHEN 1 THEN 'ENRICHED' WHEN 2 THEN 'UNENRICHED' END ;; + group_label: "metadata" + label: "metadata.enrichment_state_enum_name" + view_label: "UDM" + description: "The enrichment state." + } # dimension metadata__enrichment_state_enum_name + + dimension_group: metadata__event_timestamp { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.metadata.event_timestamp.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.metadata.event_timestamp.nanos, 0) / 1000) as INT64)) ;; + group_label: "metadata" + label: "metadata.event_timestamp" + view_label: "UDM" + description: "The GMT timestamp when the event was generated." + } # dimension metadata__event_timestamp + + dimension: metadata__event_type { + type: number + sql: ${TABLE}.metadata.event_type ;; + group_label: "metadata" + label: "metadata.event_type" + view_label: "UDM" + description: "The event type. If an event has multiple possible types, this specifies the most specific type." 
+ } # dimension metadata__event_type + + dimension: metadata__event_type_enum_name { + type: string + suggestions: ["ANALYST_ADD_COMMENT", "ANALYST_UPDATE_PRIORITY", "ANALYST_UPDATE_REASON", "ANALYST_UPDATE_REPUTATION", "ANALYST_UPDATE_RISK_SCORE", "ANALYST_UPDATE_ROOT_CAUSE", "ANALYST_UPDATE_SEVERITY_SCORE", "ANALYST_UPDATE_STATUS", "ANALYST_UPDATE_VERDICT", "DEVICE_CONFIG_UPDATE", "DEVICE_FIRMWARE_UPDATE", "DEVICE_PROGRAM_DOWNLOAD", "DEVICE_PROGRAM_UPLOAD", "EMAIL_TRANSACTION", "EMAIL_UNCATEGORIZED", "EMAIL_URL_CLICK", "EVENTTYPE_UNSPECIFIED", "FILE_COPY", "FILE_CREATION", "FILE_DELETION", "FILE_MODIFICATION", "FILE_MOVE", "FILE_OPEN", "FILE_READ", "FILE_SYNC", "FILE_UNCATEGORIZED", "GENERIC_EVENT", "GROUP_CREATION", "GROUP_DELETION", "GROUP_MODIFICATION", "GROUP_UNCATEGORIZED", "MUTEX_CREATION", "MUTEX_UNCATEGORIZED", "NETWORK_CONNECTION", "NETWORK_DHCP", "NETWORK_DNS", "NETWORK_FLOW", "NETWORK_FTP", "NETWORK_HTTP", "NETWORK_SMTP", "NETWORK_UNCATEGORIZED", "PROCESS_INJECTION", "PROCESS_LAUNCH", "PROCESS_MODULE_LOAD", "PROCESS_OPEN", "PROCESS_PRIVILEGE_ESCALATION", "PROCESS_TERMINATION", "PROCESS_UNCATEGORIZED", "REGISTRY_CREATION", "REGISTRY_DELETION", "REGISTRY_MODIFICATION", "REGISTRY_UNCATEGORIZED", "RESOURCE_CREATION", "RESOURCE_DELETION", "RESOURCE_PERMISSIONS_CHANGE", "RESOURCE_READ", "RESOURCE_WRITTEN", "SCAN_FILE", "SCAN_HOST", "SCAN_NETWORK", "SCAN_PROCESS", "SCAN_PROCESS_BEHAVIORS", "SCAN_UNCATEGORIZED", "SCAN_VULN_HOST", "SCAN_VULN_NETWORK", "SCHEDULED_TASK_CREATION", "SCHEDULED_TASK_DELETION", "SCHEDULED_TASK_DISABLE", "SCHEDULED_TASK_ENABLE", "SCHEDULED_TASK_MODIFICATION", "SCHEDULED_TASK_UNCATEGORIZED", "SERVICE_CREATION", "SERVICE_DELETION", "SERVICE_MODIFICATION", "SERVICE_START", "SERVICE_STOP", "SERVICE_UNSPECIFIED", "SETTING_CREATION", "SETTING_DELETION", "SETTING_MODIFICATION", "SETTING_UNCATEGORIZED", "STATUS_HEARTBEAT", "STATUS_SHUTDOWN", "STATUS_STARTUP", "STATUS_UNCATEGORIZED", "STATUS_UPDATE", "SYSTEM_AUDIT_LOG_UNCATEGORIZED", 
"SYSTEM_AUDIT_LOG_WIPE", "USER_BADGE_IN", "USER_CHANGE_PASSWORD", "USER_CHANGE_PERMISSIONS", "USER_COMMUNICATION", "USER_CREATION", "USER_DELETION", "USER_LOGIN", "USER_LOGOUT", "USER_RESOURCE_ACCESS", "USER_RESOURCE_CREATION", "USER_RESOURCE_DELETION", "USER_RESOURCE_UPDATE_CONTENT", "USER_RESOURCE_UPDATE_PERMISSIONS", "USER_STATS", "USER_UNCATEGORIZED"] + sql: CASE ${TABLE}.metadata.event_type WHEN 0 THEN 'EVENTTYPE_UNSPECIFIED' WHEN 10000 THEN 'PROCESS_UNCATEGORIZED' WHEN 10001 THEN 'PROCESS_LAUNCH' WHEN 10002 THEN 'PROCESS_INJECTION' WHEN 10003 THEN 'PROCESS_PRIVILEGE_ESCALATION' WHEN 10004 THEN 'PROCESS_TERMINATION' WHEN 10005 THEN 'PROCESS_OPEN' WHEN 10006 THEN 'PROCESS_MODULE_LOAD' WHEN 11000 THEN 'REGISTRY_UNCATEGORIZED' WHEN 11001 THEN 'REGISTRY_CREATION' WHEN 11002 THEN 'REGISTRY_MODIFICATION' WHEN 11003 THEN 'REGISTRY_DELETION' WHEN 12000 THEN 'SETTING_UNCATEGORIZED' WHEN 12001 THEN 'SETTING_CREATION' WHEN 12002 THEN 'SETTING_MODIFICATION' WHEN 12003 THEN 'SETTING_DELETION' WHEN 13000 THEN 'MUTEX_UNCATEGORIZED' WHEN 13001 THEN 'MUTEX_CREATION' WHEN 14000 THEN 'FILE_UNCATEGORIZED' WHEN 14001 THEN 'FILE_CREATION' WHEN 14002 THEN 'FILE_DELETION' WHEN 14003 THEN 'FILE_MODIFICATION' WHEN 14004 THEN 'FILE_READ' WHEN 14005 THEN 'FILE_COPY' WHEN 14006 THEN 'FILE_OPEN' WHEN 14007 THEN 'FILE_MOVE' WHEN 14008 THEN 'FILE_SYNC' WHEN 15000 THEN 'USER_UNCATEGORIZED' WHEN 15001 THEN 'USER_LOGIN' WHEN 15002 THEN 'USER_LOGOUT' WHEN 15003 THEN 'USER_CREATION' WHEN 15004 THEN 'USER_CHANGE_PASSWORD' WHEN 15005 THEN 'USER_CHANGE_PERMISSIONS' WHEN 15006 THEN 'USER_STATS' WHEN 15007 THEN 'USER_BADGE_IN' WHEN 15008 THEN 'USER_DELETION' WHEN 15009 THEN 'USER_RESOURCE_CREATION' WHEN 15010 THEN 'USER_RESOURCE_UPDATE_CONTENT' WHEN 15011 THEN 'USER_RESOURCE_UPDATE_PERMISSIONS' WHEN 15012 THEN 'USER_COMMUNICATION' WHEN 15013 THEN 'USER_RESOURCE_ACCESS' WHEN 15014 THEN 'USER_RESOURCE_DELETION' WHEN 23000 THEN 'GROUP_UNCATEGORIZED' WHEN 23001 THEN 'GROUP_CREATION' WHEN 23002 THEN 
'GROUP_DELETION' WHEN 23003 THEN 'GROUP_MODIFICATION' WHEN 19000 THEN 'EMAIL_UNCATEGORIZED' WHEN 19001 THEN 'EMAIL_TRANSACTION' WHEN 19002 THEN 'EMAIL_URL_CLICK' WHEN 16000 THEN 'NETWORK_UNCATEGORIZED' WHEN 16001 THEN 'NETWORK_FLOW' WHEN 16002 THEN 'NETWORK_CONNECTION' WHEN 16003 THEN 'NETWORK_FTP' WHEN 16004 THEN 'NETWORK_DHCP' WHEN 16005 THEN 'NETWORK_DNS' WHEN 16006 THEN 'NETWORK_HTTP' WHEN 16007 THEN 'NETWORK_SMTP' WHEN 17000 THEN 'STATUS_UNCATEGORIZED' WHEN 17001 THEN 'STATUS_HEARTBEAT' WHEN 17002 THEN 'STATUS_STARTUP' WHEN 17003 THEN 'STATUS_SHUTDOWN' WHEN 17004 THEN 'STATUS_UPDATE' WHEN 18000 THEN 'SCAN_UNCATEGORIZED' WHEN 18001 THEN 'SCAN_FILE' WHEN 18002 THEN 'SCAN_PROCESS_BEHAVIORS' WHEN 18003 THEN 'SCAN_PROCESS' WHEN 18004 THEN 'SCAN_HOST' WHEN 18005 THEN 'SCAN_VULN_HOST' WHEN 18006 THEN 'SCAN_VULN_NETWORK' WHEN 18007 THEN 'SCAN_NETWORK' WHEN 20000 THEN 'SCHEDULED_TASK_UNCATEGORIZED' WHEN 20001 THEN 'SCHEDULED_TASK_CREATION' WHEN 20002 THEN 'SCHEDULED_TASK_DELETION' WHEN 20003 THEN 'SCHEDULED_TASK_ENABLE' WHEN 20004 THEN 'SCHEDULED_TASK_DISABLE' WHEN 20005 THEN 'SCHEDULED_TASK_MODIFICATION' WHEN 21000 THEN 'SYSTEM_AUDIT_LOG_UNCATEGORIZED' WHEN 21001 THEN 'SYSTEM_AUDIT_LOG_WIPE' WHEN 22000 THEN 'SERVICE_UNSPECIFIED' WHEN 22001 THEN 'SERVICE_CREATION' WHEN 22002 THEN 'SERVICE_DELETION' WHEN 22003 THEN 'SERVICE_START' WHEN 22004 THEN 'SERVICE_STOP' WHEN 22005 THEN 'SERVICE_MODIFICATION' WHEN 100000 THEN 'GENERIC_EVENT' WHEN 1 THEN 'RESOURCE_CREATION' WHEN 2 THEN 'RESOURCE_DELETION' WHEN 3 THEN 'RESOURCE_PERMISSIONS_CHANGE' WHEN 4 THEN 'RESOURCE_READ' WHEN 5 THEN 'RESOURCE_WRITTEN' WHEN 25000 THEN 'DEVICE_FIRMWARE_UPDATE' WHEN 25001 THEN 'DEVICE_CONFIG_UPDATE' WHEN 25002 THEN 'DEVICE_PROGRAM_UPLOAD' WHEN 25003 THEN 'DEVICE_PROGRAM_DOWNLOAD' WHEN 24000 THEN 'ANALYST_UPDATE_VERDICT' WHEN 24001 THEN 'ANALYST_UPDATE_REPUTATION' WHEN 24002 THEN 'ANALYST_UPDATE_SEVERITY_SCORE' WHEN 24007 THEN 'ANALYST_UPDATE_STATUS' WHEN 24008 THEN 'ANALYST_ADD_COMMENT' WHEN 24009 
THEN 'ANALYST_UPDATE_PRIORITY' WHEN 24010 THEN 'ANALYST_UPDATE_ROOT_CAUSE' WHEN 24011 THEN 'ANALYST_UPDATE_REASON' WHEN 24012 THEN 'ANALYST_UPDATE_RISK_SCORE' END ;; + group_label: "metadata" + label: "metadata.event_type_enum_name" + view_label: "UDM" + description: "The event type. If an event has multiple possible types, this specifies the most specific type." + } # dimension metadata__event_type_enum_name + + dimension: metadata__id { + type: string + sql: ${TABLE}.metadata.id ;; + group_label: "metadata" + label: "metadata.id" + view_label: "UDM" + description: "ID of the UDM event. Can be used for raw and normalized event retrieval." + } # dimension metadata__id + + dimension_group: metadata__ingested_timestamp { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.metadata.ingested_timestamp.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.metadata.ingested_timestamp.nanos, 0) / 1000) as INT64)) ;; + group_label: "metadata" + label: "metadata.ingested_timestamp" + view_label: "UDM" + description: "The GMT timestamp when the event was ingested (received) by Chronicle." + } # dimension metadata__ingested_timestamp + + dimension: metadata__ingestion_labels { + hidden: yes + } # dimension metadata__ingestion_labels + + dimension: metadata__log_type { + type: string + sql: ${TABLE}.metadata.log_type ;; + group_label: "metadata" + label: "metadata.log_type" + view_label: "UDM" + description: "The string value of log type." + } # dimension metadata__log_type + + dimension: metadata__product_deployment_id { + type: string + sql: ${TABLE}.metadata.product_deployment_id ;; + group_label: "metadata" + label: "metadata.product_deployment_id" + view_label: "UDM" + description: "The deployment identifier assigned by the vendor for a product deployment." 
+ } # dimension metadata__product_deployment_id + + dimension: metadata__product_event_type { + type: string + sql: ${TABLE}.metadata.product_event_type ;; + group_label: "metadata" + label: "metadata.product_event_type" + view_label: "UDM" + description: "A short, descriptive, human-readable, product-specific event name or type (e.g. \"Scanned X\", \"User account created\", \"process_start\")." + } # dimension metadata__product_event_type + + dimension: metadata__product_log_id { + type: string + sql: ${TABLE}.metadata.product_log_id ;; + group_label: "metadata" + label: "metadata.product_log_id" + view_label: "UDM" + description: "A vendor-specific event identifier to uniquely identify the event (e.g. a GUID)." + } # dimension metadata__product_log_id + + dimension: metadata__product_name { + type: string + sql: ${TABLE}.metadata.product_name ;; + group_label: "metadata" + label: "metadata.product_name" + view_label: "UDM" + description: "The name of the product." + } # dimension metadata__product_name + + dimension: metadata__product_version { + type: string + sql: ${TABLE}.metadata.product_version ;; + group_label: "metadata" + label: "metadata.product_version" + view_label: "UDM" + description: "The version of the product." + } # dimension metadata__product_version + + dimension: metadata__tags { + hidden: yes + } # dimension metadata__tags + + dimension: metadata__tags__data_tap_config_name { + hidden: yes + } # dimension metadata__tags__data_tap_config_name + + dimension: metadata__tags__tenant_id { + hidden: yes + } # dimension metadata__tags__tenant_id + + dimension: metadata__url_back_to_product { + type: string + sql: ${TABLE}.metadata.url_back_to_product ;; + group_label: "metadata" + label: "metadata.url_back_to_product" + view_label: "UDM" + description: "A URL that takes the user to the source product console for this event." 
+ } # dimension metadata__url_back_to_product + + dimension: metadata__vendor_name { + type: string + sql: ${TABLE}.metadata.vendor_name ;; + group_label: "metadata" + label: "metadata.vendor_name" + view_label: "UDM" + description: "The name of the product vendor." + } # dimension metadata__vendor_name + + dimension: network { + hidden: yes + } # dimension network + + dimension: network__application_protocol { + type: number + sql: ${TABLE}.network.application_protocol ;; + group_label: "network" + label: "network.application_protocol" + view_label: "UDM" + description: "The application protocol." + } # dimension network__application_protocol + + dimension: network__application_protocol_enum_name { + type: string + suggestions: ["AFP", "AMQP", "APPC", "ATOM", "BEEP", "BITCOIN", "BIT_TORRENT", "CFDP", "CIP", "COAP", "COTP", "DCERPC", "DDS", "DEVICE_NET", "DHCP", "DICOM", "DNP3", "DNS", "ENRP", "E_DONKEY", "FAST_TRACK", "FINGER", "FREENET", "FTAM", "GOOSE", "GOPHER", "H323", "HL7", "HTTP", "HTTPS", "IEC104", "IRCP", "KADEMLIA", "KRB5", "LDAP", "LPD", "MIME", "MMS", "MODBUS", "MQTT", "NETCONF", "NFS", "NIS", "NNTP", "NTCIP", "NTP", "OSCAR", "PNRP", "PTP", "QUIC", "RDP", "RELP", "RIP", "RLOGIN", "RPC", "RTMP", "RTP", "RTPS", "RTSP", "SAP", "SDP", "SIP", "SLP", "SMB", "SMTP", "SNMP", "SNTP", "SSH", "SSMS", "STYX", "SV", "TCAP", "TDS", "TOR", "TSP", "UNKNOWN_APPLICATION_PROTOCOL", "VTP", "WEB_DAV", "WHOIS", "X400", "X500", "XMPP"] + sql: CASE ${TABLE}.network.application_protocol WHEN 0 THEN 'UNKNOWN_APPLICATION_PROTOCOL' WHEN 1 THEN 'AFP' WHEN 2 THEN 'APPC' WHEN 3 THEN 'AMQP' WHEN 4 THEN 'ATOM' WHEN 5 THEN 'BEEP' WHEN 6 THEN 'BITCOIN' WHEN 7 THEN 'BIT_TORRENT' WHEN 8 THEN 'CFDP' WHEN 67 THEN 'CIP' WHEN 9 THEN 'COAP' WHEN 68 THEN 'COTP' WHEN 66 THEN 'DCERPC' WHEN 10 THEN 'DDS' WHEN 11 THEN 'DEVICE_NET' WHEN 4000 THEN 'DHCP' WHEN 69 THEN 'DICOM' WHEN 70 THEN 'DNP3' WHEN 3000 THEN 'DNS' WHEN 12 THEN 'E_DONKEY' WHEN 13 THEN 'ENRP' WHEN 14 THEN 'FAST_TRACK' WHEN 15 THEN 
'FINGER' WHEN 16 THEN 'FREENET' WHEN 17 THEN 'FTAM' WHEN 71 THEN 'GOOSE' WHEN 18 THEN 'GOPHER' WHEN 19 THEN 'HL7' WHEN 20 THEN 'H323' WHEN 2000 THEN 'HTTP' WHEN 2001 THEN 'HTTPS' WHEN 72 THEN 'IEC104' WHEN 21 THEN 'IRCP' WHEN 22 THEN 'KADEMLIA' WHEN 65 THEN 'KRB5' WHEN 23 THEN 'LDAP' WHEN 24 THEN 'LPD' WHEN 25 THEN 'MIME' WHEN 73 THEN 'MMS' WHEN 26 THEN 'MODBUS' WHEN 27 THEN 'MQTT' WHEN 28 THEN 'NETCONF' WHEN 29 THEN 'NFS' WHEN 30 THEN 'NIS' WHEN 31 THEN 'NNTP' WHEN 32 THEN 'NTCIP' WHEN 33 THEN 'NTP' WHEN 34 THEN 'OSCAR' WHEN 35 THEN 'PNRP' WHEN 74 THEN 'PTP' WHEN 1000 THEN 'QUIC' WHEN 36 THEN 'RDP' WHEN 37 THEN 'RELP' WHEN 38 THEN 'RIP' WHEN 39 THEN 'RLOGIN' WHEN 40 THEN 'RPC' WHEN 41 THEN 'RTMP' WHEN 42 THEN 'RTP' WHEN 43 THEN 'RTPS' WHEN 44 THEN 'RTSP' WHEN 45 THEN 'SAP' WHEN 46 THEN 'SDP' WHEN 47 THEN 'SIP' WHEN 48 THEN 'SLP' WHEN 49 THEN 'SMB' WHEN 50 THEN 'SMTP' WHEN 75 THEN 'SNMP' WHEN 51 THEN 'SNTP' WHEN 52 THEN 'SSH' WHEN 53 THEN 'SSMS' WHEN 54 THEN 'STYX' WHEN 76 THEN 'SV' WHEN 55 THEN 'TCAP' WHEN 56 THEN 'TDS' WHEN 57 THEN 'TOR' WHEN 58 THEN 'TSP' WHEN 59 THEN 'VTP' WHEN 60 THEN 'WHOIS' WHEN 61 THEN 'WEB_DAV' WHEN 62 THEN 'X400' WHEN 63 THEN 'X500' WHEN 64 THEN 'XMPP' END ;; + group_label: "network" + label: "network.application_protocol_enum_name" + view_label: "UDM" + description: "The application protocol." + } # dimension network__application_protocol_enum_name + + dimension: network__application_protocol_version { + type: string + sql: ${TABLE}.network.application_protocol_version ;; + group_label: "network" + label: "network.application_protocol_version" + view_label: "UDM" + description: "The version of the application protocol. e.g. \"1.1, 2.0\"" + } # dimension network__application_protocol_version + + dimension: network__asn { + type: string + sql: ${TABLE}.network.asn ;; + group_label: "network" + label: "network.asn" + view_label: "UDM" + description: "Autonomous system number." 
+ } # dimension network__asn + + dimension: network__carrier_name { + type: string + sql: ${TABLE}.network.carrier_name ;; + group_label: "network" + label: "network.carrier_name" + view_label: "UDM" + description: "Carrier identification." + } # dimension network__carrier_name + + dimension: network__community_id { + type: string + sql: ${TABLE}.network.community_id ;; + group_label: "network" + label: "network.community_id" + view_label: "UDM" + description: "Community ID network flow hash." + } # dimension network__community_id + + dimension: network__dhcp { + hidden: yes + } # dimension network__dhcp + + dimension: network__dhcp__chaddr { + type: string + sql: ${TABLE}.network.dhcp.chaddr ;; + group_label: "network" + label: "network.dhcp.chaddr" + view_label: "UDM" + description: "Client hardware address (chaddr)." + } # dimension network__dhcp__chaddr + + dimension: network__dhcp__ciaddr { + type: string + sql: ${TABLE}.network.dhcp.ciaddr ;; + group_label: "network" + label: "network.dhcp.ciaddr" + view_label: "UDM" + description: "Client IP address (ciaddr)." + } # dimension network__dhcp__ciaddr + + dimension: network__dhcp__client_hostname { + type: string + sql: ${TABLE}.network.dhcp.client_hostname ;; + group_label: "network" + label: "network.dhcp.client_hostname" + view_label: "UDM" + description: "Client hostname. See RFC2132, section 3.14." + } # dimension network__dhcp__client_hostname + + dimension: network__dhcp__client_identifier { + type: string + sql: ${TABLE}.network.dhcp.client_identifier ;; + group_label: "network" + label: "network.dhcp.client_identifier" + view_label: "UDM" + description: "Client identifier. See RFC2132, section 9.14." + } # dimension network__dhcp__client_identifier + + dimension: network__dhcp__file { + type: string + sql: ${TABLE}.network.dhcp.file ;; + group_label: "network" + label: "network.dhcp.file" + view_label: "UDM" + description: "Boot image filename." 
+ } # dimension network__dhcp__file + + dimension: network__dhcp__flags { + type: number + sql: ${TABLE}.network.dhcp.flags ;; + group_label: "network" + label: "network.dhcp.flags" + view_label: "UDM" + description: "Flags." + } # dimension network__dhcp__flags + + dimension: network__dhcp__giaddr { + type: string + sql: ${TABLE}.network.dhcp.giaddr ;; + group_label: "network" + label: "network.dhcp.giaddr" + view_label: "UDM" + description: "Relay agent IP address (giaddr)." + } # dimension network__dhcp__giaddr + + dimension: network__dhcp__hlen { + type: number + sql: ${TABLE}.network.dhcp.hlen ;; + group_label: "network" + label: "network.dhcp.hlen" + view_label: "UDM" + description: "Hardware address length." + } # dimension network__dhcp__hlen + + dimension: network__dhcp__hops { + type: number + sql: ${TABLE}.network.dhcp.hops ;; + group_label: "network" + label: "network.dhcp.hops" + view_label: "UDM" + description: "Hardware ops." + } # dimension network__dhcp__hops + + dimension: network__dhcp__htype { + type: number + sql: ${TABLE}.network.dhcp.htype ;; + group_label: "network" + label: "network.dhcp.htype" + view_label: "UDM" + description: "Hardware address type." + } # dimension network__dhcp__htype + + dimension: network__dhcp__lease_time_seconds { + type: number + sql: ${TABLE}.network.dhcp.lease_time_seconds ;; + group_label: "network" + label: "network.dhcp.lease_time_seconds" + view_label: "UDM" + description: "Lease time in seconds. See RFC2132, section 9.2." + } # dimension network__dhcp__lease_time_seconds + + dimension: network__dhcp__opcode { + type: number + sql: ${TABLE}.network.dhcp.opcode ;; + group_label: "network" + label: "network.dhcp.opcode" + view_label: "UDM" + description: "The BOOTP op code." 
+ } # dimension network__dhcp__opcode + + dimension: network__dhcp__opcode_enum_name { + type: string + suggestions: ["BOOTREPLY", "BOOTREQUEST", "UNKNOWN_OPCODE"] + sql: CASE ${TABLE}.network.dhcp.opcode WHEN 0 THEN 'UNKNOWN_OPCODE' WHEN 1 THEN 'BOOTREQUEST' WHEN 2 THEN 'BOOTREPLY' END ;; + group_label: "network" + label: "network.dhcp.opcode_enum_name" + view_label: "UDM" + description: "The BOOTP op code." + } # dimension network__dhcp__opcode_enum_name + + dimension: network__dhcp__options { + hidden: yes + } # dimension network__dhcp__options + + dimension: network__dhcp__requested_address { + type: string + sql: ${TABLE}.network.dhcp.requested_address ;; + group_label: "network" + label: "network.dhcp.requested_address" + view_label: "UDM" + description: "Requested IP address. See RFC2132, section 9.1." + } # dimension network__dhcp__requested_address + + dimension: network__dhcp__seconds { + type: number + sql: ${TABLE}.network.dhcp.seconds ;; + group_label: "network" + label: "network.dhcp.seconds" + view_label: "UDM" + description: "Seconds elapsed since client began address acquisition/renewal process." + } # dimension network__dhcp__seconds + + dimension: network__dhcp__siaddr { + type: string + sql: ${TABLE}.network.dhcp.siaddr ;; + group_label: "network" + label: "network.dhcp.siaddr" + view_label: "UDM" + description: "IP address of the next bootstrap server." + } # dimension network__dhcp__siaddr + + dimension: network__dhcp__sname { + type: string + sql: ${TABLE}.network.dhcp.sname ;; + group_label: "network" + label: "network.dhcp.sname" + view_label: "UDM" + description: "Server name that the client wishes to boot from." + } # dimension network__dhcp__sname + + dimension: network__dhcp__transaction_id { + type: number + sql: ${TABLE}.network.dhcp.transaction_id ;; + group_label: "network" + label: "network.dhcp.transaction_id" + view_label: "UDM" + description: "Transaction ID." 
+ } # dimension network__dhcp__transaction_id + + dimension: network__dhcp__type { + type: number + sql: ${TABLE}.network.dhcp.type ;; + group_label: "network" + label: "network.dhcp.type" + view_label: "UDM" + description: "DHCP message type." + } # dimension network__dhcp__type + + dimension: network__dhcp__type_enum_name { + type: string + suggestions: ["ACK", "DECLINE", "DISCOVER", "INFORM", "NAK", "OFFER", "RELEASE", "REQUEST", "UNKNOWN_MESSAGE_TYPE", "WIN_DELETED", "WIN_EXPIRED"] + sql: CASE ${TABLE}.network.dhcp.type WHEN 0 THEN 'UNKNOWN_MESSAGE_TYPE' WHEN 1 THEN 'DISCOVER' WHEN 2 THEN 'OFFER' WHEN 3 THEN 'REQUEST' WHEN 4 THEN 'DECLINE' WHEN 5 THEN 'ACK' WHEN 6 THEN 'NAK' WHEN 7 THEN 'RELEASE' WHEN 8 THEN 'INFORM' WHEN 100 THEN 'WIN_DELETED' WHEN 101 THEN 'WIN_EXPIRED' END ;; + group_label: "network" + label: "network.dhcp.type_enum_name" + view_label: "UDM" + description: "DHCP message type." + } # dimension network__dhcp__type_enum_name + + dimension: network__dhcp__yiaddr { + type: string + sql: ${TABLE}.network.dhcp.yiaddr ;; + group_label: "network" + label: "network.dhcp.yiaddr" + view_label: "UDM" + description: "Your IP address (yiaddr)." + } # dimension network__dhcp__yiaddr + + dimension: network__direction { + type: number + sql: ${TABLE}.network.direction ;; + group_label: "network" + label: "network.direction" + view_label: "UDM" + description: "The direction of network traffic." + } # dimension network__direction + + dimension: network__direction_enum_name { + type: string + suggestions: ["BROADCAST", "INBOUND", "OUTBOUND", "UNKNOWN_DIRECTION"] + sql: CASE ${TABLE}.network.direction WHEN 0 THEN 'UNKNOWN_DIRECTION' WHEN 1 THEN 'INBOUND' WHEN 2 THEN 'OUTBOUND' WHEN 3 THEN 'BROADCAST' END ;; + group_label: "network" + label: "network.direction_enum_name" + view_label: "UDM" + description: "The direction of network traffic." 
+ } # dimension network__direction_enum_name + + dimension: network__dns { + hidden: yes + } # dimension network__dns + + dimension: network__dns__additional { + hidden: yes + } # dimension network__dns__additional + + dimension: network__dns__answers { + hidden: yes + } # dimension network__dns__answers + + dimension: network__dns__authoritative { + type: yesno + sql: ${TABLE}.network.dns.authoritative ;; + group_label: "network" + label: "network.dns.authoritative" + view_label: "UDM" + description: "Other DNS header flags. See RFC1035, section 4.1.1." + } # dimension network__dns__authoritative + + dimension: network__dns__authority { + hidden: yes + } # dimension network__dns__authority + + dimension: network__dns__id { + type: number + sql: ${TABLE}.network.dns.id ;; + group_label: "network" + label: "network.dns.id" + view_label: "UDM" + description: "DNS query id." + } # dimension network__dns__id + + dimension: network__dns__opcode { + type: number + sql: ${TABLE}.network.dns.opcode ;; + group_label: "network" + label: "network.dns.opcode" + view_label: "UDM" + description: "The DNS OpCode used to specify the type of DNS query (e.g. QUERY, IQUERY, STATUS, etc.)." + } # dimension network__dns__opcode + + dimension: network__dns__questions { + hidden: yes + } # dimension network__dns__questions + + dimension: network__dns__recursion_available { + type: yesno + sql: ${TABLE}.network.dns.recursion_available ;; + group_label: "network" + label: "network.dns.recursion_available" + view_label: "UDM" + description: "Whether a recursive DNS lookup is available." + } # dimension network__dns__recursion_available + + dimension: network__dns__recursion_desired { + type: yesno + sql: ${TABLE}.network.dns.recursion_desired ;; + group_label: "network" + label: "network.dns.recursion_desired" + view_label: "UDM" + description: "Whether a recursive DNS lookup is desired." 
+ } # dimension network__dns__recursion_desired + + dimension: network__dns__response { + type: yesno + sql: ${TABLE}.network.dns.response ;; + group_label: "network" + label: "network.dns.response" + view_label: "UDM" + description: "Set to true if the event is a DNS response. See QR field from RFC1035." + } # dimension network__dns__response + + dimension: network__dns__response_code { + type: number + sql: ${TABLE}.network.dns.response_code ;; + group_label: "network" + label: "network.dns.response_code" + view_label: "UDM" + description: "Response code. See RCODE from RFC1035." + } # dimension network__dns__response_code + + dimension: network__dns__truncated { + type: yesno + sql: ${TABLE}.network.dns.truncated ;; + group_label: "network" + label: "network.dns.truncated" + view_label: "UDM" + description: "Whether the DNS response was truncated." + } # dimension network__dns__truncated + + dimension: network__dns_domain { + type: string + sql: ${TABLE}.network.dns_domain ;; + group_label: "network" + label: "network.dns_domain" + view_label: "UDM" + description: "DNS domain name." + } # dimension network__dns_domain + + dimension: network__email { + hidden: yes + } # dimension network__email + + dimension: network__email__bcc { + hidden: yes + } # dimension network__email__bcc + + dimension: network__email__bounce_address { + type: string + sql: ${TABLE}.network.email.bounce_address ;; + group_label: "network" + label: "network.email.bounce_address" + view_label: "UDM" + description: "The envelope from address. https://en.wikipedia.org/wiki/Bounce_address" + } # dimension network__email__bounce_address + + dimension: network__email__cc { + hidden: yes + } # dimension network__email__cc + + dimension: network__email__from { + type: string + sql: ${TABLE}.network.email.from ;; + group_label: "network" + label: "network.email.from" + view_label: "UDM" + description: "The 'from' address." 
+ } # dimension network__email__from + + dimension: network__email__mail_id { + type: string + sql: ${TABLE}.network.email.mail_id ;; + group_label: "network" + label: "network.email.mail_id" + view_label: "UDM" + description: "The mail (or message) ID." + } # dimension network__email__mail_id + + dimension: network__email__reply_to { + type: string + sql: ${TABLE}.network.email.reply_to ;; + group_label: "network" + label: "network.email.reply_to" + view_label: "UDM" + description: "The 'reply to' address." + } # dimension network__email__reply_to + + dimension: network__email__subject { + hidden: yes + } # dimension network__email__subject + + dimension: network__email__to { + hidden: yes + } # dimension network__email__to + + dimension: network__ftp { + hidden: yes + } # dimension network__ftp + + dimension: network__ftp__command { + type: string + sql: ${TABLE}.network.ftp.command ;; + group_label: "network" + label: "network.ftp.command" + view_label: "UDM" + description: "The FTP command." + } # dimension network__ftp__command + + dimension: network__http { + hidden: yes + } # dimension network__http + + dimension: network__http__method { + type: string + sql: ${TABLE}.network.http.method ;; + group_label: "network" + label: "network.http.method" + view_label: "UDM" + description: "The HTTP request method (e.g. \"GET\", \"POST\", \"PATCH\", \"DELETE\")." + } # dimension network__http__method + + dimension: network__http__parsed_user_agent { + hidden: yes + } # dimension network__http__parsed_user_agent + + dimension: network__http__parsed_user_agent__annotation { + hidden: yes + } # dimension network__http__parsed_user_agent__annotation + + dimension: network__http__parsed_user_agent__browser { + type: string + sql: ${TABLE}.network.http.parsed_user_agent.browser ;; + group_label: "network" + label: "network.http.parsed_user_agent.browser" + view_label: "UDM" + description: "Product brand within the family: Firefox, Netscape, Camino etc.. 
Or Earth, Windows-Media-Player etc.. for non-browser user agents." + } # dimension network__http__parsed_user_agent__browser + + dimension: network__http__parsed_user_agent__browser_engine_version { + type: string + sql: ${TABLE}.network.http.parsed_user_agent.browser_engine_version ;; + group_label: "network" + label: "network.http.parsed_user_agent.browser_engine_version" + view_label: "UDM" + description: "Version of the rendering engine e.g. \"8.01\" for \"Opera/8.01\"" + } # dimension network__http__parsed_user_agent__browser_engine_version + + dimension: network__http__parsed_user_agent__browser_version { + type: string + sql: ${TABLE}.network.http.parsed_user_agent.browser_version ;; + group_label: "network" + label: "network.http.parsed_user_agent.browser_version" + view_label: "UDM" + description: "Minor and lower versions unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference)." + } # dimension network__http__parsed_user_agent__browser_version + + dimension: network__http__parsed_user_agent__carrier { + type: string + sql: ${TABLE}.network.http.parsed_user_agent.carrier ;; + group_label: "network" + label: "network.http.parsed_user_agent.carrier" + view_label: "UDM" + description: "Mobile specific: name of mobile carrier" + } # dimension network__http__parsed_user_agent__carrier + + dimension: network__http__parsed_user_agent__device { + type: string + sql: ${TABLE}.network.http.parsed_user_agent.device ;; + group_label: "network" + label: "network.http.parsed_user_agent.device" + view_label: "UDM" + description: "(Usually) Mobile specific: name of hardware device, may or may not contain the full model name. e.g. iPhone, Palm750, SPH-M800. Reduced to \"K\" for Android devices with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference)." 
+ } # dimension network__http__parsed_user_agent__device + + dimension: network__http__parsed_user_agent__device_version { + type: string + sql: ${TABLE}.network.http.parsed_user_agent.device_version ;; + group_label: "network" + label: "network.http.parsed_user_agent.device_version" + view_label: "UDM" + description: "(Usually) Mobile specific: version of hardware device Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference)." + } # dimension network__http__parsed_user_agent__device_version + + dimension: network__http__parsed_user_agent__family { + type: number + sql: ${TABLE}.network.http.parsed_user_agent.family ;; + group_label: "network" + label: "network.http.parsed_user_agent.family" + view_label: "UDM" + description: "User agent family captures the type of browser/app at a high-level e.g. MSIE, Gecko, Safari etc.." + } # dimension network__http__parsed_user_agent__family + + dimension: network__http__parsed_user_agent__family_enum_name { + type: string + suggestions: ["APPLE", "APPLEWEBKIT", "BLACKBERRY", "CLIENT_HINTS", "DOCOMO", "GECKO", "GOOGLE", "KHTML", "KOREAN", "MICROSOFT", "MSIE", "NETFRONT", "NOKIA", "OBIGO", "OPENWAVE", "OPERA", "OTHER", "POLARIS", "SEMC", "SMIT", "TELECA", "USER_DEFINED"] + sql: CASE ${TABLE}.network.http.parsed_user_agent.family WHEN 0 THEN 'USER_DEFINED' WHEN 1 THEN 'MSIE' WHEN 2 THEN 'GECKO' WHEN 3 THEN 'APPLEWEBKIT' WHEN 4 THEN 'OPERA' WHEN 5 THEN 'KHTML' WHEN 10 THEN 'OTHER' WHEN 11 THEN 'APPLE' WHEN 12 THEN 'BLACKBERRY' WHEN 13 THEN 'DOCOMO' WHEN 14 THEN 'GOOGLE' WHEN 15 THEN 'OPENWAVE' WHEN 16 THEN 'POLARIS' WHEN 17 THEN 'OBIGO' WHEN 18 THEN 'TELECA' WHEN 19 THEN 'MICROSOFT' WHEN 20 THEN 'NOKIA' WHEN 21 THEN 'NETFRONT' WHEN 22 THEN 'SEMC' WHEN 23 THEN 'SMIT' WHEN 24 THEN 'KOREAN' WHEN 25 THEN 'CLIENT_HINTS' END ;; + group_label: "network" + label: "network.http.parsed_user_agent.family_enum_name" + view_label: "UDM" + description: "User agent family captures the type of browser/app 
at a high-level e.g. MSIE, Gecko, Safari etc.." + } # dimension network__http__parsed_user_agent__family_enum_name + + dimension: network__http__parsed_user_agent__google_toolbar_version { + type: string + sql: ${TABLE}.network.http.parsed_user_agent.google_toolbar_version ;; + group_label: "network" + label: "network.http.parsed_user_agent.google_toolbar_version" + view_label: "UDM" + description: "Version number of GoogleToolbar, if installed. Applies only to MSIE and Firefox at this time." + } # dimension network__http__parsed_user_agent__google_toolbar_version + + dimension: network__http__parsed_user_agent__java_configuration { + type: string + sql: ${TABLE}.network.http.parsed_user_agent.java_configuration ;; + group_label: "network" + label: "network.http.parsed_user_agent.java_configuration" + view_label: "UDM" + description: "Mobile specific: e.g. Configuration/CLDC-1.1" + } # dimension network__http__parsed_user_agent__java_configuration + + dimension: network__http__parsed_user_agent__java_configuration_version { + type: string + sql: ${TABLE}.network.http.parsed_user_agent.java_configuration_version ;; + group_label: "network" + label: "network.http.parsed_user_agent.java_configuration_version" + view_label: "UDM" + } # dimension network__http__parsed_user_agent__java_configuration_version + + dimension: network__http__parsed_user_agent__java_profile { + type: string + sql: ${TABLE}.network.http.parsed_user_agent.java_profile ;; + group_label: "network" + label: "network.http.parsed_user_agent.java_profile" + view_label: "UDM" + description: "Mobile specific: e.g. 
Profile/MIDP-2.0" + } # dimension network__http__parsed_user_agent__java_profile + + dimension: network__http__parsed_user_agent__java_profile_version { + type: string + sql: ${TABLE}.network.http.parsed_user_agent.java_profile_version ;; + group_label: "network" + label: "network.http.parsed_user_agent.java_profile_version" + view_label: "UDM" + } # dimension network__http__parsed_user_agent__java_profile_version + + dimension: network__http__parsed_user_agent__locale { + type: string + sql: ${TABLE}.network.http.parsed_user_agent.locale ;; + group_label: "network" + label: "network.http.parsed_user_agent.locale" + view_label: "UDM" + description: "Locale in which the browser is running as country code and optionally language pair. Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference)." + } # dimension network__http__parsed_user_agent__locale + + dimension: network__http__parsed_user_agent__messaging { + type: string + sql: ${TABLE}.network.http.parsed_user_agent.messaging ;; + group_label: "network" + label: "network.http.parsed_user_agent.messaging" + view_label: "UDM" + description: "Mobile specific: e.g. MMP/2.0" + } # dimension network__http__parsed_user_agent__messaging + + dimension: network__http__parsed_user_agent__messaging_version { + type: string + sql: ${TABLE}.network.http.parsed_user_agent.messaging_version ;; + group_label: "network" + label: "network.http.parsed_user_agent.messaging_version" + view_label: "UDM" + } # dimension network__http__parsed_user_agent__messaging_version + + dimension: network__http__parsed_user_agent__os { + type: string + sql: ${TABLE}.network.http.parsed_user_agent.os ;; + group_label: "network" + label: "network.http.parsed_user_agent.os" + view_label: "UDM" + description: "Full name of the operating system e.g. 
\"Darwin/9.7.0\", \"Android 1.5\", \"Windows 98\" Version is reduced, and other data might also be missing, for reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference)." + } # dimension network__http__parsed_user_agent__os + + dimension: network__http__parsed_user_agent__os_variant { + type: string + sql: ${TABLE}.network.http.parsed_user_agent.os_variant ;; + group_label: "network" + label: "network.http.parsed_user_agent.os_variant" + view_label: "UDM" + description: "Extra qualifier for the OS e.g. \"(i386)\", \"Build/CUPCAKE\", \"PalmSource/Palm-D061\" Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference)." + } # dimension network__http__parsed_user_agent__os_variant + + dimension: network__http__parsed_user_agent__platform { + type: string + sql: ${TABLE}.network.http.parsed_user_agent.platform ;; + group_label: "network" + label: "network.http.parsed_user_agent.platform" + view_label: "UDM" + description: "The platform describes the environment in which the browser or app runs. For desktop user agents, Platform is a string describing the OS family e.g. Windows, Macintosh, Linux. For mobile user agents, Platform either describes the OS family (if available) or the hardware maker. e.g. Linux, or HTC, LG, Palm." + } # dimension network__http__parsed_user_agent__platform + + dimension: network__http__parsed_user_agent__security { + type: string + sql: ${TABLE}.network.http.parsed_user_agent.security ;; + group_label: "network" + label: "network.http.parsed_user_agent.security" + view_label: "UDM" + description: "Security level reported by user agent, either U, I or N. Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference)." 
+ } # dimension network__http__parsed_user_agent__security + + dimension: network__http__parsed_user_agent__sub_family { + type: string + sql: ${TABLE}.network.http.parsed_user_agent.sub_family ;; + group_label: "network" + label: "network.http.parsed_user_agent.sub_family" + view_label: "UDM" + description: "Sub-family identifies individual regexps when a family has more than 1. This is used to generate the right UA string from a protobuf. Examples in the AppleWebKit family: Chrome and Safari. Can also be an arbitrary identifier." + } # dimension network__http__parsed_user_agent__sub_family + + dimension: network__http__referral_url { + type: string + sql: ${TABLE}.network.http.referral_url ;; + group_label: "network" + label: "network.http.referral_url" + view_label: "UDM" + description: "The URL for the HTTP referer." + } # dimension network__http__referral_url + + dimension: network__http__response_code { + type: number + sql: ${TABLE}.network.http.response_code ;; + group_label: "network" + label: "network.http.response_code" + view_label: "UDM" + description: "The response status code. e.g. 200, 302, 404, 500, etc." + } # dimension network__http__response_code + + dimension: network__http__user_agent { + type: string + sql: ${TABLE}.network.http.user_agent ;; + group_label: "network" + label: "network.http.user_agent" + view_label: "UDM" + description: "The User-Agent request header which includes the application type, operating system, software vendor or software version of the requesting software user agent." + } # dimension network__http__user_agent + + dimension: network__ip_protocol { + type: number + sql: ${TABLE}.network.ip_protocol ;; + group_label: "network" + label: "network.ip_protocol" + view_label: "UDM" + description: "The IP protocol." 
+ } # dimension network__ip_protocol + + dimension: network__ip_protocol_enum_name { + type: string + suggestions: ["EIGRP", "ESP", "ETHERIP", "GRE", "ICMP", "ICMP6", "IGMP", "IP6IN4", "PIM", "SCTP", "TCP", "UDP", "UNKNOWN_IP_PROTOCOL", "VRRP"] + sql: CASE ${TABLE}.network.ip_protocol WHEN 0 THEN 'UNKNOWN_IP_PROTOCOL' WHEN 1 THEN 'ICMP' WHEN 2 THEN 'IGMP' WHEN 6 THEN 'TCP' WHEN 17 THEN 'UDP' WHEN 41 THEN 'IP6IN4' WHEN 47 THEN 'GRE' WHEN 50 THEN 'ESP' WHEN 58 THEN 'ICMP6' WHEN 88 THEN 'EIGRP' WHEN 97 THEN 'ETHERIP' WHEN 103 THEN 'PIM' WHEN 112 THEN 'VRRP' WHEN 132 THEN 'SCTP' END ;; + group_label: "network" + label: "network.ip_protocol_enum_name" + view_label: "UDM" + description: "The IP protocol." + } # dimension network__ip_protocol_enum_name + + dimension: network__organization_name { + type: string + sql: ${TABLE}.network.organization_name ;; + group_label: "network" + label: "network.organization_name" + view_label: "UDM" + description: "Organization name (e.g Google)." + } # dimension network__organization_name + + dimension: network__parent_session_id { + type: string + sql: ${TABLE}.network.parent_session_id ;; + group_label: "network" + label: "network.parent_session_id" + view_label: "UDM" + description: "The ID of the parent network session." + } # dimension network__parent_session_id + + dimension: network__received_bytes { + type: number + sql: ${TABLE}.network.received_bytes ;; + group_label: "network" + label: "network.received_bytes" + view_label: "UDM" + description: "The number of bytes received." + } # dimension network__received_bytes + + dimension: network__received_packets { + type: number + sql: ${TABLE}.network.received_packets ;; + group_label: "network" + label: "network.received_packets" + view_label: "UDM" + description: "The number of packets received." 
+ } # dimension network__received_packets + + dimension: network__sent_bytes { + type: number + sql: ${TABLE}.network.sent_bytes ;; + group_label: "network" + label: "network.sent_bytes" + view_label: "UDM" + description: "The number of bytes sent." + } # dimension network__sent_bytes + + dimension: network__sent_packets { + type: number + sql: ${TABLE}.network.sent_packets ;; + group_label: "network" + label: "network.sent_packets" + view_label: "UDM" + description: "The number of packets sent." + } # dimension network__sent_packets + + dimension_group: network__session_duration { + type: duration + intervals: [ second, minute, hour ] + sql_start: TIMESTAMP_MICROS(0) ;; + sql_end: TIMESTAMP_MICROS(IFNULL(${TABLE}.network.session_duration.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.network.session_duration.nanos, 0) / 1000) as INT64)) ;; + group_label: "network" + label: "network.session_duration" + view_label: "UDM" + description: "The duration of the session as the number of seconds and nanoseconds. For seconds, network.session_duration.seconds, the type is a 64-bit integer. For nanoseconds, network.session_duration.nanos, the type is a 32-bit integer." + } # dimension network__session_duration + + dimension: network__session_id { + type: string + sql: ${TABLE}.network.session_id ;; + group_label: "network" + label: "network.session_id" + view_label: "UDM" + description: "The ID of the network session." + } # dimension network__session_id + + dimension: network__smtp { + hidden: yes + } # dimension network__smtp + + dimension: network__smtp__helo { + type: string + sql: ${TABLE}.network.smtp.helo ;; + group_label: "network" + label: "network.smtp.helo" + view_label: "UDM" + description: "The client's 'HELO'/'EHLO' string." 
+ } # dimension network__smtp__helo + + dimension: network__tls { + hidden: yes + } # dimension network__tls + + dimension: network__tls__cipher { + type: string + sql: ${TABLE}.network.tls.cipher ;; + group_label: "network" + label: "network.tls.cipher" + view_label: "UDM" + description: "Cipher used during the connection." + } # dimension network__tls__cipher + + dimension: network__tls__client { + hidden: yes + } # dimension network__tls__client + + dimension: network__tls__client__certificate { + hidden: yes + } # dimension network__tls__client__certificate + + dimension: network__tls__client__certificate__issuer { + type: string + sql: ${TABLE}.network.tls.client.certificate.issuer ;; + group_label: "network" + label: "network.tls.client.certificate.issuer" + view_label: "UDM" + description: "Issuer of the certificate." + } # dimension network__tls__client__certificate__issuer + + dimension_group: network__tls__client__certificate__not_after { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.network.tls.client.certificate.not_after.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.network.tls.client.certificate.not_after.nanos, 0) / 1000) as INT64)) ;; + group_label: "network" + label: "network.tls.client.certificate.not_after" + view_label: "UDM" + description: "Indicates when the certificate is no longer valid." 
+ } # dimension network__tls__client__certificate__not_after + + dimension_group: network__tls__client__certificate__not_before { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.network.tls.client.certificate.not_before.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.network.tls.client.certificate.not_before.nanos, 0) / 1000) as INT64)) ;; + group_label: "network" + label: "network.tls.client.certificate.not_before" + view_label: "UDM" + description: "Indicates when the certificate is first valid." + } # dimension network__tls__client__certificate__not_before + + dimension: network__tls__client__certificate__serial { + type: string + sql: ${TABLE}.network.tls.client.certificate.serial ;; + group_label: "network" + label: "network.tls.client.certificate.serial" + view_label: "UDM" + description: "Certificate serial number." + } # dimension network__tls__client__certificate__serial + + dimension: network__tls__client__certificate__sha1 { + type: string + sql: ${TABLE}.network.tls.client.certificate.sha1 ;; + group_label: "network" + label: "network.tls.client.certificate.sha1" + view_label: "UDM" + description: "The SHA1 hash of the certificate." + } # dimension network__tls__client__certificate__sha1 + + dimension: network__tls__client__certificate__sha256 { + type: string + sql: ${TABLE}.network.tls.client.certificate.sha256 ;; + group_label: "network" + label: "network.tls.client.certificate.sha256" + view_label: "UDM" + description: "The SHA256 hash of the certificate." + } # dimension network__tls__client__certificate__sha256 + + dimension: network__tls__client__certificate__subject { + type: string + sql: ${TABLE}.network.tls.client.certificate.subject ;; + group_label: "network" + label: "network.tls.client.certificate.subject" + view_label: "UDM" + description: "Subject of the certificate." 
+ } # dimension network__tls__client__certificate__subject + + dimension: network__tls__client__certificate__version { + type: string + sql: ${TABLE}.network.tls.client.certificate.version ;; + group_label: "network" + label: "network.tls.client.certificate.version" + view_label: "UDM" + description: "Certificate version." + } # dimension network__tls__client__certificate__version + + dimension: network__tls__client__ja3 { + type: string + sql: ${TABLE}.network.tls.client.ja3 ;; + group_label: "network" + label: "network.tls.client.ja3" + view_label: "UDM" + description: "JA3 hash from client hello." + } # dimension network__tls__client__ja3 + + dimension: network__tls__client__server_name { + type: string + sql: ${TABLE}.network.tls.client.server_name ;; + group_label: "network" + label: "network.tls.client.server_name" + view_label: "UDM" + description: "Host name of the server, that the client is connecting to." + } # dimension network__tls__client__server_name + + dimension: network__tls__client__supported_ciphers { + hidden: yes + } # dimension network__tls__client__supported_ciphers + + dimension: network__tls__curve { + type: string + sql: ${TABLE}.network.tls.curve ;; + group_label: "network" + label: "network.tls.curve" + view_label: "UDM" + description: "Elliptical curve used for a given cipher." + } # dimension network__tls__curve + + dimension: network__tls__established { + type: yesno + sql: ${TABLE}.network.tls.established ;; + group_label: "network" + label: "network.tls.established" + view_label: "UDM" + description: "Indicates whether the TLS negotiation was successful." + } # dimension network__tls__established + + dimension: network__tls__next_protocol { + type: string + sql: ${TABLE}.network.tls.next_protocol ;; + group_label: "network" + label: "network.tls.next_protocol" + view_label: "UDM" + description: "Protocol to be used for tunnel." 
+ } # dimension network__tls__next_protocol + + dimension: network__tls__resumed { + type: yesno + sql: ${TABLE}.network.tls.resumed ;; + group_label: "network" + label: "network.tls.resumed" + view_label: "UDM" + description: "Indicates whether the TLS connection was resumed from a previous TLS negotiation." + } # dimension network__tls__resumed + + dimension: network__tls__server { + hidden: yes + } # dimension network__tls__server + + dimension: network__tls__server__certificate { + hidden: yes + } # dimension network__tls__server__certificate + + dimension: network__tls__server__certificate__issuer { + type: string + sql: ${TABLE}.network.tls.server.certificate.issuer ;; + group_label: "network" + label: "network.tls.server.certificate.issuer" + view_label: "UDM" + description: "Issuer of the certificate." + } # dimension network__tls__server__certificate__issuer + + dimension: network__tls__server__certificate__md5 { + type: string + sql: ${TABLE}.network.tls.server.certificate.md5 ;; + group_label: "network" + label: "network.tls.server.certificate.md5" + view_label: "UDM" + description: "The MD5 hash of the certificate." + } # dimension network__tls__server__certificate__md5 + + dimension_group: network__tls__server__certificate__not_after { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.network.tls.server.certificate.not_after.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.network.tls.server.certificate.not_after.nanos, 0) / 1000) as INT64)) ;; + group_label: "network" + label: "network.tls.server.certificate.not_after" + view_label: "UDM" + description: "Indicates when the certificate is no longer valid." 
+ } # dimension network__tls__server__certificate__not_after + + dimension_group: network__tls__server__certificate__not_before { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.network.tls.server.certificate.not_before.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.network.tls.server.certificate.not_before.nanos, 0) / 1000) as INT64)) ;; + group_label: "network" + label: "network.tls.server.certificate.not_before" + view_label: "UDM" + description: "Indicates when the certificate is first valid." + } # dimension network__tls__server__certificate__not_before + + dimension: network__tls__server__certificate__serial { + type: string + sql: ${TABLE}.network.tls.server.certificate.serial ;; + group_label: "network" + label: "network.tls.server.certificate.serial" + view_label: "UDM" + description: "Certificate serial number." + } # dimension network__tls__server__certificate__serial + + dimension: network__tls__server__certificate__sha1 { + type: string + sql: ${TABLE}.network.tls.server.certificate.sha1 ;; + group_label: "network" + label: "network.tls.server.certificate.sha1" + view_label: "UDM" + description: "The SHA1 hash of the certificate." + } # dimension network__tls__server__certificate__sha1 + + dimension: network__tls__server__certificate__sha256 { + type: string + sql: ${TABLE}.network.tls.server.certificate.sha256 ;; + group_label: "network" + label: "network.tls.server.certificate.sha256" + view_label: "UDM" + description: "The SHA256 hash of the certificate." + } # dimension network__tls__server__certificate__sha256 + + dimension: network__tls__server__certificate__subject { + type: string + sql: ${TABLE}.network.tls.server.certificate.subject ;; + group_label: "network" + label: "network.tls.server.certificate.subject" + view_label: "UDM" + description: "Subject of the certificate." 
+ } # dimension network__tls__server__certificate__subject + + dimension: network__tls__server__certificate__version { + type: string + sql: ${TABLE}.network.tls.server.certificate.version ;; + group_label: "network" + label: "network.tls.server.certificate.version" + view_label: "UDM" + description: "Certificate version." + } # dimension network__tls__server__certificate__version + + dimension: network__tls__server__ja3s { + type: string + sql: ${TABLE}.network.tls.server.ja3s ;; + group_label: "network" + label: "network.tls.server.ja3s" + view_label: "UDM" + description: "JA3 hash from server hello." + } # dimension network__tls__server__ja3s + + dimension: network__tls__version { + type: string + sql: ${TABLE}.network.tls.version ;; + group_label: "network" + label: "network.tls.version" + view_label: "UDM" + description: "TLS version." + } # dimension network__tls__version + + dimension: network__tls__version_protocol { + type: string + sql: ${TABLE}.network.tls.version_protocol ;; + group_label: "network" + label: "network.tls.version_protocol" + view_label: "UDM" + description: "Protocol." + } # dimension network__tls__version_protocol + + dimension: observer { + hidden: yes + } # dimension observer + + dimension: observer__administrative_domain { + type: string + sql: ${TABLE}.observer.administrative_domain ;; + group_label: "observer" + label: "observer.administrative_domain" + view_label: "UDM" + description: "Domain which the device belongs to (for example, the Microsoft Windows domain)." + } # dimension observer__administrative_domain + + dimension: observer__application { + type: string + sql: ${TABLE}.observer.application ;; + group_label: "observer" + label: "observer.application" + view_label: "UDM" + description: "The name of an application or service. Some SSO solutions only capture the name of a target application such as \"Atlassian\" or \"Chronicle\"." 
+ } # dimension observer__application + + dimension: observer__artifact { + hidden: yes + } # dimension observer__artifact + + dimension: observer__artifact__location { + hidden: yes + } # dimension observer__artifact__location + + dimension: observer__artifact__location__name { + type: string + sql: ${TABLE}.observer.artifact.location.name ;; + group_label: "observer" + label: "observer.artifact.location.name" + view_label: "UDM" + description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." + } # dimension observer__artifact__location__name + + dimension: observer__artifact__location__state { + type: string + sql: ${TABLE}.observer.artifact.location.state ;; + group_label: "observer" + label: "observer.artifact.location.state" + view_label: "UDM" + description: "The state." + } # dimension observer__artifact__location__state + + dimension: observer__asset { + hidden: yes + } # dimension observer__asset + + dimension: observer__asset__attribute { + hidden: yes + } # dimension observer__asset__attribute + + dimension: observer__asset__attribute__labels { + hidden: yes + } # dimension observer__asset__attribute__labels + + dimension: observer__asset__category { + type: string + sql: ${TABLE}.observer.asset.category ;; + group_label: "observer" + label: "observer.asset.category" + view_label: "UDM" + description: "The category of the asset (e.g. \"End User Asset\", \"Workstation\", \"Server\")." + } # dimension observer__asset__category + + dimension: observer__asset__hostname { + type: string + sql: ${TABLE}.observer.asset.hostname ;; + group_label: "observer" + label: "observer.asset.hostname" + view_label: "UDM" + description: "Asset hostname or domain name field." 
+ } # dimension observer__asset__hostname + + dimension: observer__asset__ip { + hidden: yes + } # dimension observer__asset__ip + + dimension: observer__asset__location { + hidden: yes + } # dimension observer__asset__location + + dimension: observer__asset__location__name { + type: string + sql: ${TABLE}.observer.asset.location.name ;; + group_label: "observer" + label: "observer.asset.location.name" + view_label: "UDM" + description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." + } # dimension observer__asset__location__name + + dimension: observer__asset__network_domain { + type: string + sql: ${TABLE}.observer.asset.network_domain ;; + group_label: "observer" + label: "observer.asset.network_domain" + view_label: "UDM" + description: "The network domain of the asset (e.g. \"corp.acme.com\")" + } # dimension observer__asset__network_domain + + dimension: observer__asset__platform_software { + hidden: yes + } # dimension observer__asset__platform_software + + dimension: observer__asset__platform_software__platform_version { + type: string + sql: ${TABLE}.observer.asset.platform_software.platform_version ;; + group_label: "observer" + label: "observer.asset.platform_software.platform_version" + view_label: "UDM" + description: "The platform software version ( e.g. \"Microsoft Windows 1803\")." + } # dimension observer__asset__platform_software__platform_version + + dimension: observer__asset__product_object_id { + type: string + sql: ${TABLE}.observer.asset.product_object_id ;; + group_label: "observer" + label: "observer.asset.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID or similar)." 
+ } # dimension observer__asset__product_object_id + + dimension: observer__asset__software { + hidden: yes + } # dimension observer__asset__software + + dimension: observer__asset__vulnerabilities { + hidden: yes + } # dimension observer__asset__vulnerabilities + + dimension: observer__asset_id { + type: string + sql: ${TABLE}.observer.asset_id ;; + group_label: "observer" + label: "observer.asset_id" + view_label: "UDM" + description: "The asset ID." + } # dimension observer__asset_id + + dimension: observer__cloud { + hidden: yes + } # dimension observer__cloud + + dimension: observer__cloud__environment { + type: number + sql: ${TABLE}.observer.cloud.environment ;; + group_label: "observer" + group_item_label: "observer.cloud.environment [D]" + label: "observer.cloud.environment" + view_label: "UDM" + description: "The Cloud environment. [D]: This field is deprecated and will be removed in a future release" + } # dimension observer__cloud__environment + + dimension: observer__cloud__environment_enum_name { + type: string + suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] + sql: CASE ${TABLE}.observer.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; + group_label: "observer" + group_item_label: "observer.cloud.environment_enum_name [D]" + label: "observer.cloud.environment_enum_name" + view_label: "UDM" + description: "The Cloud environment. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension observer__cloud__environment_enum_name + + dimension: observer__cloud__project { + hidden: yes + } # dimension observer__cloud__project + + dimension: observer__cloud__project__id { + type: string + sql: ${TABLE}.observer.cloud.project.id ;; + group_label: "observer" + group_item_label: "observer.cloud.project.id [D]" + label: "observer.cloud.project.id" + view_label: "UDM" + description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" + } # dimension observer__cloud__project__id + + dimension: observer__cloud__project__name { + type: string + sql: ${TABLE}.observer.cloud.project.name ;; + group_label: "observer" + group_item_label: "observer.cloud.project.name [D]" + label: "observer.cloud.project.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" + } # dimension observer__cloud__project__name + + dimension: observer__domain { + hidden: yes + } # dimension observer__domain + + dimension: observer__domain__name { + type: string + sql: ${TABLE}.observer.domain.name ;; + group_label: "observer" + label: "observer.domain.name" + view_label: "UDM" + description: "The domain name." + } # dimension observer__domain__name + + dimension: observer__file { + hidden: yes + } # dimension observer__file + + dimension: observer__file__full_path { + type: string + sql: ${TABLE}.observer.file.full_path ;; + group_label: "observer" + label: "observer.file.full_path" + view_label: "UDM" + description: "The full path identifying the location of the file on the system." 
+ } # dimension observer__file__full_path + + dimension: observer__file__sha256 { + type: string + sql: ${TABLE}.observer.file.sha256 ;; + group_label: "observer" + label: "observer.file.sha256" + view_label: "UDM" + description: "The SHA256 hash of the file." + } # dimension observer__file__sha256 + + dimension: observer__group { + hidden: yes + } # dimension observer__group + + dimension: observer__group__group_display_name { + type: string + sql: ${TABLE}.observer.group.group_display_name ;; + group_label: "observer" + label: "observer.group.group_display_name" + view_label: "UDM" + description: "Group display name. e.g. \"Finance\"." + } # dimension observer__group__group_display_name + + dimension: observer__hostname { + type: string + sql: ${TABLE}.observer.hostname ;; + group_label: "observer" + label: "observer.hostname" + view_label: "UDM" + description: "Client hostname or domain name field. Hostname also doubles as the domain for remote entities." + } # dimension observer__hostname + + dimension: observer__ip { + hidden: yes + } # dimension observer__ip + + dimension: observer__labels { + hidden: yes + } # dimension observer__labels + + dimension: observer__location { + hidden: yes + } # dimension observer__location + + dimension: observer__location__country_or_region { + type: string + sql: ${TABLE}.observer.location.country_or_region ;; + group_label: "observer" + label: "observer.location.country_or_region" + view_label: "UDM" + description: "The country or region." + } # dimension observer__location__country_or_region + + dimension: observer__location__name { + type: string + sql: ${TABLE}.observer.location.name ;; + group_label: "observer" + label: "observer.location.name" + view_label: "UDM" + description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." 
+ } # dimension observer__location__name + + dimension: observer__mac { + hidden: yes + } # dimension observer__mac + + dimension: observer__namespace { + type: string + sql: ${TABLE}.observer.namespace ;; + group_label: "observer" + label: "observer.namespace" + view_label: "UDM" + description: "Namespace which the device belongs to (e.g. AD forest) Uses for this field include Microsoft Windows AD forest, name of subsidiary or acquisition, etc." + } # dimension observer__namespace + + dimension: observer__platform { + type: number + sql: ${TABLE}.observer.platform ;; + group_label: "observer" + label: "observer.platform" + view_label: "UDM" + description: "Platform." + } # dimension observer__platform + + dimension: observer__platform_enum_name { + type: string + suggestions: ["ANDROID", "AWS", "AZURE", "CHROME_OS", "GCP", "IOS", "LINUX", "MAC", "UNKNOWN_PLATFORM", "WINDOWS"] + sql: CASE ${TABLE}.observer.platform WHEN 0 THEN 'UNKNOWN_PLATFORM' WHEN 1 THEN 'WINDOWS' WHEN 2 THEN 'MAC' WHEN 3 THEN 'LINUX' WHEN 4 THEN 'GCP' WHEN 5 THEN 'AWS' WHEN 6 THEN 'AZURE' WHEN 7 THEN 'IOS' WHEN 8 THEN 'ANDROID' WHEN 9 THEN 'CHROME_OS' END ;; + group_label: "observer" + label: "observer.platform_enum_name" + view_label: "UDM" + description: "Platform." + } # dimension observer__platform_enum_name + + dimension: observer__platform_version { + type: string + sql: ${TABLE}.observer.platform_version ;; + group_label: "observer" + label: "observer.platform_version" + view_label: "UDM" + description: "Platform version. For example, \"Microsoft Windows 1803\"." + } # dimension observer__platform_version + + dimension: observer__port { + type: number + value_format: "#" + sql: ${TABLE}.observer.port ;; + group_label: "observer" + label: "observer.port" + view_label: "UDM" + description: "Source or destination network port number when a specific network connection is described within an event." 
+ } # dimension observer__port + + dimension: observer__process { + hidden: yes + } # dimension observer__process + + dimension: observer__process__file { + hidden: yes + } # dimension observer__process__file + + dimension: observer__process__file__full_path { + type: string + sql: ${TABLE}.observer.process.file.full_path ;; + group_label: "observer" + label: "observer.process.file.full_path" + view_label: "UDM" + description: "The full path identifying the location of the file on the system." + } # dimension observer__process__file__full_path + + dimension: observer__process__parent_pid { + type: string + sql: ${TABLE}.observer.process.parent_pid ;; + group_label: "observer" + group_item_label: "observer.process.parent_pid [D]" + label: "observer.process.parent_pid" + view_label: "UDM" + description: "The ID of the parent process. Deprecated: use parent_process.pid instead. [D]: This field is deprecated and will be removed in a future release" + } # dimension observer__process__parent_pid + + dimension: observer__process__pid { + type: string + sql: ${TABLE}.observer.process.pid ;; + group_label: "observer" + label: "observer.process.pid" + view_label: "UDM" + description: "The process ID." + } # dimension observer__process__pid + + dimension: observer__resource { + hidden: yes + } # dimension observer__resource + + dimension: observer__resource__attribute { + hidden: yes + } # dimension observer__resource__attribute + + dimension: observer__resource__attribute__cloud { + hidden: yes + } # dimension observer__resource__attribute__cloud + + dimension: observer__resource__attribute__cloud__environment { + type: number + sql: ${TABLE}.observer.resource.attribute.cloud.environment ;; + group_label: "observer" + label: "observer.resource.attribute.cloud.environment" + view_label: "UDM" + description: "The Cloud environment." 
+ } # dimension observer__resource__attribute__cloud__environment + + dimension: observer__resource__attribute__cloud__environment_enum_name { + type: string + suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] + sql: CASE ${TABLE}.observer.resource.attribute.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; + group_label: "observer" + label: "observer.resource.attribute.cloud.environment_enum_name" + view_label: "UDM" + description: "The Cloud environment." + } # dimension observer__resource__attribute__cloud__environment_enum_name + + dimension: observer__resource__attribute__labels { + hidden: yes + } # dimension observer__resource__attribute__labels + + dimension: observer__resource__name { + type: string + sql: ${TABLE}.observer.resource.name ;; + group_label: "observer" + label: "observer.resource.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." + } # dimension observer__resource__name + + dimension: observer__resource__parent { + type: string + sql: ${TABLE}.observer.resource.parent ;; + group_label: "observer" + group_item_label: "observer.resource.parent [D]" + label: "observer.resource.parent" + view_label: "UDM" + description: "The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: use resource_ancestors.name. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension observer__resource__parent + + dimension: observer__resource__product_object_id { + type: string + sql: ${TABLE}.observer.resource.product_object_id ;; + group_label: "observer" + label: "observer.resource.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" + } # dimension observer__resource__product_object_id + + dimension: observer__resource__resource_subtype { + type: string + sql: ${TABLE}.observer.resource.resource_subtype ;; + group_label: "observer" + label: "observer.resource.resource_subtype" + view_label: "UDM" + description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\")." + } # dimension observer__resource__resource_subtype + + dimension: observer__resource__resource_type { + type: number + sql: ${TABLE}.observer.resource.resource_type ;; + group_label: "observer" + label: "observer.resource.resource_type" + view_label: "UDM" + description: "Resource type." 
+ } # dimension observer__resource__resource_type + + dimension: observer__resource__resource_type_enum_name { + type: string + suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] + sql: CASE ${TABLE}.observer.resource.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; + group_label: "observer" + label: "observer.resource.resource_type_enum_name" + view_label: "UDM" + description: "Resource type." + } # dimension observer__resource__resource_type_enum_name + + dimension: observer__resource__type { + type: string + sql: ${TABLE}.observer.resource.type ;; + group_label: "observer" + group_item_label: "observer.resource.type [D]" + label: "observer.resource.type" + view_label: "UDM" + description: "Deprecated: use resource_type instead. [D]: This field is deprecated and will be removed in a future release" + } # dimension observer__resource__type + + dimension: observer__url { + type: string + sql: ${TABLE}.observer.url ;; + group_label: "observer" + label: "observer.url" + view_label: "UDM" + description: "The URL." 
+ } # dimension observer__url + + dimension: observer__user { + hidden: yes + } # dimension observer__user + + dimension: observer__user__company_name { + type: string + sql: ${TABLE}.observer.user.company_name ;; + group_label: "observer" + label: "observer.user.company_name" + view_label: "UDM" + description: "User job company name." + } # dimension observer__user__company_name + + dimension: observer__user__email_addresses { + hidden: yes + } # dimension observer__user__email_addresses + + dimension: observer__user__group_identifiers { + hidden: yes + } # dimension observer__user__group_identifiers + + dimension: observer__user__product_object_id { + type: string + sql: ${TABLE}.observer.user.product_object_id ;; + group_label: "observer" + label: "observer.user.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." + } # dimension observer__user__product_object_id + + dimension: observer__user__user_display_name { + type: string + sql: ${TABLE}.observer.user.user_display_name ;; + group_label: "observer" + label: "observer.user.user_display_name" + view_label: "UDM" + description: "The display name of the user (e.g. \"John Locke\")." + } # dimension observer__user__user_display_name + + dimension: observer__user__userid { + type: string + sql: ${TABLE}.observer.user.userid ;; + group_label: "observer" + label: "observer.user.userid" + view_label: "UDM" + description: "The ID of the user." + } # dimension observer__user__userid + + dimension: principal { + hidden: yes + } # dimension principal + + dimension: principal__administrative_domain { + type: string + sql: ${TABLE}.principal.administrative_domain ;; + group_label: "principal" + label: "principal.administrative_domain" + view_label: "UDM" + description: "Domain which the device belongs to (for example, the Microsoft Windows domain)." 
+ } # dimension principal__administrative_domain + + dimension: principal__application { + type: string + sql: ${TABLE}.principal.application ;; + group_label: "principal" + label: "principal.application" + view_label: "UDM" + description: "The name of an application or service. Some SSO solutions only capture the name of a target application such as \"Atlassian\" or \"Chronicle\"." + } # dimension principal__application + + dimension: principal__artifact { + hidden: yes + } # dimension principal__artifact + + dimension: principal__artifact__ip { + type: string + sql: ${TABLE}.principal.artifact.ip ;; + group_label: "principal" + label: "principal.artifact.ip" + view_label: "UDM" + description: "IP address of the artifact." + } # dimension principal__artifact__ip + + dimension: principal__artifact__network { + hidden: yes + } # dimension principal__artifact__network + + dimension: principal__artifact__network__dns { + hidden: yes + } # dimension principal__artifact__network__dns + + dimension: principal__artifact__network__dns__answers { + hidden: yes + } # dimension principal__artifact__network__dns__answers + + dimension: principal__artifact__network__http { + hidden: yes + } # dimension principal__artifact__network__http + + dimension: principal__artifact__network__http__method { + type: string + sql: ${TABLE}.principal.artifact.network.http.method ;; + group_label: "principal" + label: "principal.artifact.network.http.method" + view_label: "UDM" + description: "The HTTP request method (e.g. \"GET\", \"POST\", \"PATCH\", \"DELETE\")." 
+ } # dimension principal__artifact__network__http__method + + dimension: principal__artifact__prevalence { + hidden: yes + } # dimension principal__artifact__prevalence + + dimension: principal__artifact__prevalence__day_count { + type: number + sql: ${TABLE}.principal.artifact.prevalence.day_count ;; + group_label: "principal" + label: "principal.artifact.prevalence.day_count" + view_label: "UDM" + description: "The number of days over which rolling_max is calculated." + } # dimension principal__artifact__prevalence__day_count + + dimension: principal__asset { + hidden: yes + } # dimension principal__asset + + dimension: principal__asset__asset_id { + type: string + sql: ${TABLE}.principal.asset.asset_id ;; + group_label: "principal" + label: "principal.asset.asset_id" + view_label: "UDM" + description: "The asset ID." + } # dimension principal__asset__asset_id + + dimension: principal__asset__attribute { + hidden: yes + } # dimension principal__asset__attribute + + dimension: principal__asset__attribute__cloud { + hidden: yes + } # dimension principal__asset__attribute__cloud + + dimension: principal__asset__attribute__cloud__availability_zone { + type: string + sql: ${TABLE}.principal.asset.attribute.cloud.availability_zone ;; + group_label: "principal" + label: "principal.asset.attribute.cloud.availability_zone" + view_label: "UDM" + description: "The cloud environment availability zone (different from region which is location.name)." + } # dimension principal__asset__attribute__cloud__availability_zone + + dimension: principal__asset__attribute__cloud__environment { + type: number + sql: ${TABLE}.principal.asset.attribute.cloud.environment ;; + group_label: "principal" + label: "principal.asset.attribute.cloud.environment" + view_label: "UDM" + description: "The Cloud environment." 
+ } # dimension principal__asset__attribute__cloud__environment + + dimension: principal__asset__attribute__cloud__environment_enum_name { + type: string + suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] + sql: CASE ${TABLE}.principal.asset.attribute.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; + group_label: "principal" + label: "principal.asset.attribute.cloud.environment_enum_name" + view_label: "UDM" + description: "The Cloud environment." + } # dimension principal__asset__attribute__cloud__environment_enum_name + + dimension: principal__asset__attribute__cloud__project { + hidden: yes + } # dimension principal__asset__attribute__cloud__project + + dimension: principal__asset__attribute__cloud__project__name { + type: string + sql: ${TABLE}.principal.asset.attribute.cloud.project.name ;; + group_label: "principal" + group_item_label: "principal.asset.attribute.cloud.project.name [D]" + label: "principal.asset.attribute.cloud.project.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__asset__attribute__cloud__project__name + + dimension: principal__asset__attribute__cloud__project__resource_type { + type: number + sql: ${TABLE}.principal.asset.attribute.cloud.project.resource_type ;; + group_label: "principal" + group_item_label: "principal.asset.attribute.cloud.project.resource_type [D]" + label: "principal.asset.attribute.cloud.project.resource_type" + view_label: "UDM" + description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension principal__asset__attribute__cloud__project__resource_type + + dimension: principal__asset__attribute__cloud__project__resource_type_enum_name { + type: string + suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] + sql: CASE ${TABLE}.principal.asset.attribute.cloud.project.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; + group_label: "principal" + group_item_label: "principal.asset.attribute.cloud.project.resource_type_enum_name [D]" + label: "principal.asset.attribute.cloud.project.resource_type_enum_name" + view_label: "UDM" + description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension principal__asset__attribute__cloud__project__resource_type_enum_name + + dimension: principal__asset__attribute__cloud__vpc { + hidden: yes + } # dimension principal__asset__attribute__cloud__vpc + + dimension: principal__asset__attribute__cloud__vpc__name { + type: string + sql: ${TABLE}.principal.asset.attribute.cloud.vpc.name ;; + group_label: "principal" + group_item_label: "principal.asset.attribute.cloud.vpc.name [D]" + label: "principal.asset.attribute.cloud.vpc.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__asset__attribute__cloud__vpc__name + + dimension: principal__asset__attribute__cloud__vpc__resource_type { + type: number + sql: ${TABLE}.principal.asset.attribute.cloud.vpc.resource_type ;; + group_label: "principal" + group_item_label: "principal.asset.attribute.cloud.vpc.resource_type [D]" + label: "principal.asset.attribute.cloud.vpc.resource_type" + view_label: "UDM" + description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension principal__asset__attribute__cloud__vpc__resource_type + + dimension: principal__asset__attribute__cloud__vpc__resource_type_enum_name { + type: string + suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] + sql: CASE ${TABLE}.principal.asset.attribute.cloud.vpc.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; + group_label: "principal" + group_item_label: "principal.asset.attribute.cloud.vpc.resource_type_enum_name [D]" + label: "principal.asset.attribute.cloud.vpc.resource_type_enum_name" + view_label: "UDM" + description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension principal__asset__attribute__cloud__vpc__resource_type_enum_name + + dimension_group: principal__asset__attribute__creation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.asset.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.asset.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "principal" + label: "principal.asset.attribute.creation_time" + view_label: "UDM" + description: "Time the resource or entity was created or provisioned." + } # dimension principal__asset__attribute__creation_time + + dimension: principal__asset__attribute__labels { + hidden: yes + } # dimension principal__asset__attribute__labels + + dimension_group: principal__asset__attribute__last_update_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.asset.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.asset.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "principal" + label: "principal.asset.attribute.last_update_time" + view_label: "UDM" + description: "Time the resource or entity was last updated." + } # dimension principal__asset__attribute__last_update_time + + dimension: principal__asset__attribute__roles { + hidden: yes + } # dimension principal__asset__attribute__roles + + dimension: principal__asset__category { + type: string + sql: ${TABLE}.principal.asset.category ;; + group_label: "principal" + label: "principal.asset.category" + view_label: "UDM" + description: "The category of the asset (e.g. \"End User Asset\", \"Workstation\", \"Server\")." 
+ } # dimension principal__asset__category + + dimension_group: principal__asset__creation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.asset.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.asset.creation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "principal" + group_item_label: "principal.asset.creation_time [D]" + label: "principal.asset.creation_time" + view_label: "UDM" + description: "Time the asset was created or provisioned. Deprecate: creation_time should be populated in Attribute as generic metadata. [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__asset__creation_time + + dimension: principal__asset__deployment_status { + type: number + sql: ${TABLE}.principal.asset.deployment_status ;; + group_label: "principal" + label: "principal.asset.deployment_status" + view_label: "UDM" + description: "The deployment status of the asset for device lifecycle purposes." + } # dimension principal__asset__deployment_status + + dimension: principal__asset__deployment_status_enum_name { + type: string + suggestions: ["ACTIVE", "DECOMISSIONED", "DEPLOYMENT_STATUS_UNSPECIFIED", "PENDING_DECOMISSION"] + sql: CASE ${TABLE}.principal.asset.deployment_status WHEN 0 THEN 'DEPLOYMENT_STATUS_UNSPECIFIED' WHEN 1 THEN 'ACTIVE' WHEN 2 THEN 'PENDING_DECOMISSION' WHEN 3 THEN 'DECOMISSIONED' END ;; + group_label: "principal" + label: "principal.asset.deployment_status_enum_name" + view_label: "UDM" + description: "The deployment status of the asset for device lifecycle purposes." 
+ } # dimension principal__asset__deployment_status_enum_name + + dimension_group: principal__asset__first_discover_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.asset.first_discover_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.asset.first_discover_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "principal" + label: "principal.asset.first_discover_time" + view_label: "UDM" + description: "Time the asset was first discovered (by asset management/discoverability software)." + } # dimension principal__asset__first_discover_time + + dimension_group: principal__asset__first_seen_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.asset.first_seen_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.asset.first_seen_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "principal" + label: "principal.asset.first_seen_time" + view_label: "UDM" + description: "The first observed time for an asset. The value is calculated on the basis of the first time the identifier was observed." + } # dimension principal__asset__first_seen_time + + dimension: principal__asset__hardware { + hidden: yes + } # dimension principal__asset__hardware + + dimension: principal__asset__hostname { + type: string + sql: ${TABLE}.principal.asset.hostname ;; + group_label: "principal" + label: "principal.asset.hostname" + view_label: "UDM" + description: "Asset hostname or domain name field." 
+ } # dimension principal__asset__hostname + + dimension: principal__asset__ip { + hidden: yes + } # dimension principal__asset__ip + + dimension: principal__asset__labels { + hidden: yes + } # dimension principal__asset__labels + + dimension_group: principal__asset__last_boot_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.asset.last_boot_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.asset.last_boot_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "principal" + label: "principal.asset.last_boot_time" + view_label: "UDM" + description: "Time the asset was last boot started." + } # dimension principal__asset__last_boot_time + + dimension_group: principal__asset__last_discover_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.asset.last_discover_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.asset.last_discover_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "principal" + label: "principal.asset.last_discover_time" + view_label: "UDM" + description: "Time the asset was last discovered (by asset management/discoverability software)." + } # dimension principal__asset__last_discover_time + + dimension: principal__asset__location { + hidden: yes + } # dimension principal__asset__location + + dimension: principal__asset__location__city { + type: string + sql: ${TABLE}.principal.asset.location.city ;; + group_label: "principal" + label: "principal.asset.location.city" + view_label: "UDM" + description: "The city." 
+ } # dimension principal__asset__location__city + + dimension: principal__asset__location__country_or_region { + type: string + sql: ${TABLE}.principal.asset.location.country_or_region ;; + group_label: "principal" + label: "principal.asset.location.country_or_region" + view_label: "UDM" + description: "The country or region." + } # dimension principal__asset__location__country_or_region + + dimension: principal__asset__location__desk_name { + type: string + sql: ${TABLE}.principal.asset.location.desk_name ;; + group_label: "principal" + label: "principal.asset.location.desk_name" + view_label: "UDM" + description: "Desk name or individual location, typically for an employee in an office. (e.g. \"IN-BLR-BCPC-11-1121D\")." + } # dimension principal__asset__location__desk_name + + dimension: principal__asset__location__floor_name { + type: string + sql: ${TABLE}.principal.asset.location.floor_name ;; + group_label: "principal" + label: "principal.asset.location.floor_name" + view_label: "UDM" + description: "Floor name, number or a combination of the two for a building. (e.g. \"1-A\")." + } # dimension principal__asset__location__floor_name + + dimension: principal__asset__location__name { + type: string + sql: ${TABLE}.principal.asset.location.name ;; + group_label: "principal" + label: "principal.asset.location.name" + view_label: "UDM" + description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." 
+ } # dimension principal__asset__location__name + + dimension: principal__asset__location__region_coordinates { + type: location + sql_latitude: ${TABLE}.principal.asset.location.region_coordinates.latitude ;; + sql_longitude: ${TABLE}.principal.asset.location.region_coordinates.longitude ;; + group_label: "principal" + group_item_label: "principal.asset.location.region_coordinates [L]" + label: "principal.asset.location.region_coordinates" + view_label: "UDM" + description: "Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. [L]: This is a location field and can be used in maps." + } # dimension principal__asset__location__region_coordinates + + dimension: principal__asset__location__region_latitude { + type: number + sql: ${TABLE}.principal.asset.location.region_latitude ;; + group_label: "principal" + group_item_label: "principal.asset.location.region_latitude [D]" + label: "principal.asset.location.region_latitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__asset__location__region_latitude + + dimension: principal__asset__location__region_longitude { + type: number + sql: ${TABLE}.principal.asset.location.region_longitude ;; + group_label: "principal" + group_item_label: "principal.asset.location.region_longitude [D]" + label: "principal.asset.location.region_longitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension principal__asset__location__region_longitude + + dimension: principal__asset__location__location { + type: location + sql_latitude: ${TABLE}.principal.asset.location.region_latitude ;; + sql_longitude: ${TABLE}.principal.asset.location.region_longitude ;; + group_label: "principal" + group_item_label: "principal.asset.location.location [D][L]" + label: "principal.asset.location.location" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." + } # dimension principal__asset__location__location + + dimension: principal__asset__location__state { + type: string + sql: ${TABLE}.principal.asset.location.state ;; + group_label: "principal" + label: "principal.asset.location.state" + view_label: "UDM" + description: "The state." + } # dimension principal__asset__location__state + + dimension: principal__asset__mac { + hidden: yes + } # dimension principal__asset__mac + + dimension: principal__asset__nat_ip { + hidden: yes + } # dimension principal__asset__nat_ip + + dimension: principal__asset__network_domain { + type: string + sql: ${TABLE}.principal.asset.network_domain ;; + group_label: "principal" + label: "principal.asset.network_domain" + view_label: "UDM" + description: "The network domain of the asset (e.g. \"corp.acme.com\")" + } # dimension principal__asset__network_domain + + dimension: principal__asset__platform_software { + hidden: yes + } # dimension principal__asset__platform_software + + dimension: principal__asset__platform_software__platform { + type: number + sql: ${TABLE}.principal.asset.platform_software.platform ;; + group_label: "principal" + label: "principal.asset.platform_software.platform" + view_label: "UDM" + description: "The platform operating system." 
+ } # dimension principal__asset__platform_software__platform + + dimension: principal__asset__platform_software__platform_enum_name { + type: string + suggestions: ["ANDROID", "AWS", "AZURE", "CHROME_OS", "GCP", "IOS", "LINUX", "MAC", "UNKNOWN_PLATFORM", "WINDOWS"] + sql: CASE ${TABLE}.principal.asset.platform_software.platform WHEN 0 THEN 'UNKNOWN_PLATFORM' WHEN 1 THEN 'WINDOWS' WHEN 2 THEN 'MAC' WHEN 3 THEN 'LINUX' WHEN 4 THEN 'GCP' WHEN 5 THEN 'AWS' WHEN 6 THEN 'AZURE' WHEN 7 THEN 'IOS' WHEN 8 THEN 'ANDROID' WHEN 9 THEN 'CHROME_OS' END ;; + group_label: "principal" + label: "principal.asset.platform_software.platform_enum_name" + view_label: "UDM" + description: "The platform operating system." + } # dimension principal__asset__platform_software__platform_enum_name + + dimension: principal__asset__platform_software__platform_patch_level { + type: string + sql: ${TABLE}.principal.asset.platform_software.platform_patch_level ;; + group_label: "principal" + label: "principal.asset.platform_software.platform_patch_level" + view_label: "UDM" + description: "The platform software patch level ( e.g. \"Build 17134.48\", \"SP1\")." + } # dimension principal__asset__platform_software__platform_patch_level + + dimension: principal__asset__platform_software__platform_version { + type: string + sql: ${TABLE}.principal.asset.platform_software.platform_version ;; + group_label: "principal" + label: "principal.asset.platform_software.platform_version" + view_label: "UDM" + description: "The platform software version ( e.g. \"Microsoft Windows 1803\")." + } # dimension principal__asset__platform_software__platform_version + + dimension: principal__asset__product_object_id { + type: string + sql: ${TABLE}.principal.asset.product_object_id ;; + group_label: "principal" + label: "principal.asset.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID or similar)." 
+ } # dimension principal__asset__product_object_id + + dimension: principal__asset__software { + hidden: yes + } # dimension principal__asset__software + + dimension_group: principal__asset__system_last_update_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.asset.system_last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.asset.system_last_update_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "principal" + label: "principal.asset.system_last_update_time" + view_label: "UDM" + description: "Time the asset system or OS was last updated. For all other operations that are not system updates (such as resizing a vm, etc.) use Attribute.last_update_time." + } # dimension principal__asset__system_last_update_time + + dimension: principal__asset__type { + type: number + sql: ${TABLE}.principal.asset.type ;; + group_label: "principal" + label: "principal.asset.type" + view_label: "UDM" + description: "The type of the asset (e.g. workstation or laptop or server)." + } # dimension principal__asset__type + + dimension: principal__asset__type_enum_name { + type: string + suggestions: ["IOT", "LAPTOP", "MOBILE", "NETWORK_ATTACHED_STORAGE", "PRINTER", "ROLE_UNSPECIFIED", "SCANNER", "SERVER", "TAPE_LIBRARY", "WORKSTATION"] + sql: CASE ${TABLE}.principal.asset.type WHEN 0 THEN 'ROLE_UNSPECIFIED' WHEN 1 THEN 'WORKSTATION' WHEN 2 THEN 'LAPTOP' WHEN 3 THEN 'IOT' WHEN 4 THEN 'NETWORK_ATTACHED_STORAGE' WHEN 5 THEN 'PRINTER' WHEN 6 THEN 'SCANNER' WHEN 7 THEN 'SERVER' WHEN 8 THEN 'TAPE_LIBRARY' WHEN 9 THEN 'MOBILE' END ;; + group_label: "principal" + label: "principal.asset.type_enum_name" + view_label: "UDM" + description: "The type of the asset (e.g. workstation or laptop or server)." 
+ } # dimension principal__asset__type_enum_name + + dimension: principal__asset__vulnerabilities { + hidden: yes + } # dimension principal__asset__vulnerabilities + + dimension: principal__asset_id { + type: string + sql: ${TABLE}.principal.asset_id ;; + group_label: "principal" + label: "principal.asset_id" + view_label: "UDM" + description: "The asset ID." + } # dimension principal__asset_id + + dimension: principal__cloud { + hidden: yes + } # dimension principal__cloud + + dimension: principal__cloud__availability_zone { + type: string + sql: ${TABLE}.principal.cloud.availability_zone ;; + group_label: "principal" + group_item_label: "principal.cloud.availability_zone [D]" + label: "principal.cloud.availability_zone" + view_label: "UDM" + description: "The cloud environment availability zone (different from region which is location.name). [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__cloud__availability_zone + + dimension: principal__cloud__environment { + type: number + sql: ${TABLE}.principal.cloud.environment ;; + group_label: "principal" + group_item_label: "principal.cloud.environment [D]" + label: "principal.cloud.environment" + view_label: "UDM" + description: "The Cloud environment. [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__cloud__environment + + dimension: principal__cloud__environment_enum_name { + type: string + suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] + sql: CASE ${TABLE}.principal.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; + group_label: "principal" + group_item_label: "principal.cloud.environment_enum_name [D]" + label: "principal.cloud.environment_enum_name" + view_label: "UDM" + description: "The Cloud environment. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension principal__cloud__environment_enum_name + + dimension: principal__cloud__project { + hidden: yes + } # dimension principal__cloud__project + + dimension: principal__cloud__project__id { + type: string + sql: ${TABLE}.principal.cloud.project.id ;; + group_label: "principal" + group_item_label: "principal.cloud.project.id [D]" + label: "principal.cloud.project.id" + view_label: "UDM" + description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__cloud__project__id + + dimension: principal__cloud__project__name { + type: string + sql: ${TABLE}.principal.cloud.project.name ;; + group_label: "principal" + group_item_label: "principal.cloud.project.name [D]" + label: "principal.cloud.project.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__cloud__project__name + + dimension: principal__cloud__project__parent { + type: string + sql: ${TABLE}.principal.cloud.project.parent ;; + group_label: "principal" + group_item_label: "principal.cloud.project.parent [D]" + label: "principal.cloud.project.parent" + view_label: "UDM" + description: "The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: use resource_ancestors.name. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension principal__cloud__project__parent + + dimension: principal__cloud__project__product_object_id { + type: string + sql: ${TABLE}.principal.cloud.project.product_object_id ;; + group_label: "principal" + group_item_label: "principal.cloud.project.product_object_id [D]" + label: "principal.cloud.project.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__cloud__project__product_object_id + + dimension: principal__cloud__project__resource_subtype { + type: string + sql: ${TABLE}.principal.cloud.project.resource_subtype ;; + group_label: "principal" + group_item_label: "principal.cloud.project.resource_subtype [D]" + label: "principal.cloud.project.resource_subtype" + view_label: "UDM" + description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\"). [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__cloud__project__resource_subtype + + dimension: principal__cloud__project__type { + type: string + sql: ${TABLE}.principal.cloud.project.type ;; + group_label: "principal" + group_item_label: "principal.cloud.project.type [D]" + label: "principal.cloud.project.type" + view_label: "UDM" + description: "Deprecated: use resource_type instead. [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__cloud__project__type + + dimension: principal__cloud__vpc { + hidden: yes + } # dimension principal__cloud__vpc + + dimension: principal__cloud__vpc__id { + type: string + sql: ${TABLE}.principal.cloud.vpc.id ;; + group_label: "principal" + group_item_label: "principal.cloud.vpc.id [D]" + label: "principal.cloud.vpc.id" + view_label: "UDM" + description: "Deprecated: Use resource.name or resource.product_object_id. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension principal__cloud__vpc__id + + dimension: principal__cloud__vpc__name { + type: string + sql: ${TABLE}.principal.cloud.vpc.name ;; + group_label: "principal" + group_item_label: "principal.cloud.vpc.name [D]" + label: "principal.cloud.vpc.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__cloud__vpc__name + + dimension: principal__cloud__vpc__parent { + type: string + sql: ${TABLE}.principal.cloud.vpc.parent ;; + group_label: "principal" + group_item_label: "principal.cloud.vpc.parent [D]" + label: "principal.cloud.vpc.parent" + view_label: "UDM" + description: "The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: use resource_ancestors.name. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension principal__cloud__vpc__parent + + dimension: principal__cloud__vpc__product_object_id { + type: string + sql: ${TABLE}.principal.cloud.vpc.product_object_id ;; + group_label: "principal" + group_item_label: "principal.cloud.vpc.product_object_id [D]" + label: "principal.cloud.vpc.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__cloud__vpc__product_object_id + + dimension: principal__cloud__vpc__resource_subtype { + type: string + sql: ${TABLE}.principal.cloud.vpc.resource_subtype ;; + group_label: "principal" + group_item_label: "principal.cloud.vpc.resource_subtype [D]" + label: "principal.cloud.vpc.resource_subtype" + view_label: "UDM" + description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\"). [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__cloud__vpc__resource_subtype + + dimension: principal__cloud__vpc__resource_type { + type: number + sql: ${TABLE}.principal.cloud.vpc.resource_type ;; + group_label: "principal" + group_item_label: "principal.cloud.vpc.resource_type [D]" + label: "principal.cloud.vpc.resource_type" + view_label: "UDM" + description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension principal__cloud__vpc__resource_type + + dimension: principal__cloud__vpc__resource_type_enum_name { + type: string + suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] + sql: CASE ${TABLE}.principal.cloud.vpc.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; + group_label: "principal" + group_item_label: "principal.cloud.vpc.resource_type_enum_name [D]" + label: "principal.cloud.vpc.resource_type_enum_name" + view_label: "UDM" + description: "Resource type. [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__cloud__vpc__resource_type_enum_name + + dimension: principal__cloud__vpc__type { + type: string + sql: ${TABLE}.principal.cloud.vpc.type ;; + group_label: "principal" + group_item_label: "principal.cloud.vpc.type [D]" + label: "principal.cloud.vpc.type" + view_label: "UDM" + description: "Deprecated: use resource_type instead. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension principal__cloud__vpc__type + + dimension: principal__domain { + hidden: yes + } # dimension principal__domain + + dimension: principal__domain__admin { + hidden: yes + } # dimension principal__domain__admin + + dimension: principal__domain__admin__userid { + type: string + sql: ${TABLE}.principal.domain.admin.userid ;; + group_label: "principal" + label: "principal.domain.admin.userid" + view_label: "UDM" + description: "The ID of the user." + } # dimension principal__domain__admin__userid + + dimension: principal__domain__billing { + hidden: yes + } # dimension principal__domain__billing + + dimension: principal__domain__billing__userid { + type: string + sql: ${TABLE}.principal.domain.billing.userid ;; + group_label: "principal" + label: "principal.domain.billing.userid" + view_label: "UDM" + description: "The ID of the user." + } # dimension principal__domain__billing__userid + + dimension_group: principal__domain__first_seen_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.domain.first_seen_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.domain.first_seen_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "principal" + label: "principal.domain.first_seen_time" + view_label: "UDM" + description: "First seen timestamp of the domain in the customer's environment." 
+ } # dimension principal__domain__first_seen_time + + dimension_group: principal__domain__last_seen_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.domain.last_seen_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.domain.last_seen_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "principal" + label: "principal.domain.last_seen_time" + view_label: "UDM" + description: "Last seen timestamp of the domain in the customer's environment." + } # dimension principal__domain__last_seen_time + + dimension: principal__domain__name { + type: string + sql: ${TABLE}.principal.domain.name ;; + group_label: "principal" + label: "principal.domain.name" + view_label: "UDM" + description: "The domain name." + } # dimension principal__domain__name + + dimension: principal__domain__name_server { + hidden: yes + } # dimension principal__domain__name_server + + dimension: principal__domain__prevalence { + hidden: yes + } # dimension principal__domain__prevalence + + dimension: principal__domain__prevalence__day_count { + type: number + sql: ${TABLE}.principal.domain.prevalence.day_count ;; + group_label: "principal" + label: "principal.domain.prevalence.day_count" + view_label: "UDM" + description: "The number of days over which rolling_max is calculated." + } # dimension principal__domain__prevalence__day_count + + dimension: principal__domain__prevalence__rolling_max { + type: number + sql: ${TABLE}.principal.domain.prevalence.rolling_max ;; + group_label: "principal" + label: "principal.domain.prevalence.rolling_max" + view_label: "UDM" + description: "The maximum number of assets per day accessing the resource over the trailing day_count days." 
+ } # dimension principal__domain__prevalence__rolling_max + + dimension: principal__domain__tech { + hidden: yes + } # dimension principal__domain__tech + + dimension: principal__domain__tech__group_identifiers { + hidden: yes + } # dimension principal__domain__tech__group_identifiers + + dimension: principal__domain__tech__product_object_id { + type: string + sql: ${TABLE}.principal.domain.tech.product_object_id ;; + group_label: "principal" + label: "principal.domain.tech.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." + } # dimension principal__domain__tech__product_object_id + + dimension: principal__domain__whois_server { + type: string + sql: ${TABLE}.principal.domain.whois_server ;; + group_label: "principal" + label: "principal.domain.whois_server" + view_label: "UDM" + description: "Whois server name." + } # dimension principal__domain__whois_server + + dimension: principal__email { + type: string + sql: ${TABLE}.principal.email ;; + group_label: "principal" + label: "principal.email" + view_label: "UDM" + description: "Email address. Only filled in for security_result.about" + } # dimension principal__email + + dimension: principal__file { + hidden: yes + } # dimension principal__file + + dimension: principal__file__authentihash { + type: string + sql: ${TABLE}.principal.file.authentihash ;; + group_label: "principal" + label: "principal.file.authentihash" + view_label: "UDM" + description: "Authentihash of the file." + } # dimension principal__file__authentihash + + dimension: principal__file__full_path { + type: string + sql: ${TABLE}.principal.file.full_path ;; + group_label: "principal" + label: "principal.file.full_path" + view_label: "UDM" + description: "The full path identifying the location of the file on the system." 
+ } # dimension principal__file__full_path + + dimension: principal__file__md5 { + type: string + sql: ${TABLE}.principal.file.md5 ;; + group_label: "principal" + label: "principal.file.md5" + view_label: "UDM" + description: "The MD5 hash of the file." + } # dimension principal__file__md5 + + dimension: principal__file__names { + hidden: yes + } # dimension principal__file__names + + dimension: principal__file__sha1 { + type: string + sql: ${TABLE}.principal.file.sha1 ;; + group_label: "principal" + label: "principal.file.sha1" + view_label: "UDM" + description: "The SHA1 hash of the file." + } # dimension principal__file__sha1 + + dimension: principal__file__sha256 { + type: string + sql: ${TABLE}.principal.file.sha256 ;; + group_label: "principal" + label: "principal.file.sha256" + view_label: "UDM" + description: "The SHA256 hash of the file." + } # dimension principal__file__sha256 + + dimension: principal__file__size { + type: number + sql: ${TABLE}.principal.file.size ;; + group_label: "principal" + label: "principal.file.size" + view_label: "UDM" + description: "The size of the file in bytes." + } # dimension principal__file__size + + dimension: principal__group { + hidden: yes + } # dimension principal__group + + dimension: principal__group__attribute { + hidden: yes + } # dimension principal__group__attribute + + dimension: principal__group__attribute__labels { + hidden: yes + } # dimension principal__group__attribute__labels + + dimension: principal__group__attribute__roles { + hidden: yes + } # dimension principal__group__attribute__roles + + dimension: principal__group__email_addresses { + hidden: yes + } # dimension principal__group__email_addresses + + dimension: principal__group__group_display_name { + type: string + sql: ${TABLE}.principal.group.group_display_name ;; + group_label: "principal" + label: "principal.group.group_display_name" + view_label: "UDM" + description: "Group display name. e.g. \"Finance\"." 
+ } # dimension principal__group__group_display_name + + dimension: principal__group__product_object_id { + type: string + sql: ${TABLE}.principal.group.product_object_id ;; + group_label: "principal" + label: "principal.group.product_object_id" + view_label: "UDM" + description: "Product globally unique user object identifier, such as an LDAP Object Identifier." + } # dimension principal__group__product_object_id + + dimension: principal__group__windows_sid { + type: string + sql: ${TABLE}.principal.group.windows_sid ;; + group_label: "principal" + label: "principal.group.windows_sid" + view_label: "UDM" + description: "Microsoft Windows SID of the group." + } # dimension principal__group__windows_sid + + dimension: principal__hostname { + type: string + sql: ${TABLE}.principal.hostname ;; + group_label: "principal" + label: "principal.hostname" + view_label: "UDM" + description: "Client hostname or domain name field. Hostname also doubles as the domain for remote entities." + } # dimension principal__hostname + + dimension: principal__investigation { + hidden: yes + } # dimension principal__investigation + + dimension: principal__investigation__comments { + hidden: yes + } # dimension principal__investigation__comments + + dimension: principal__investigation__risk_score { + type: number + sql: ${TABLE}.principal.investigation.risk_score ;; + group_label: "principal" + label: "principal.investigation.risk_score" + view_label: "UDM" + description: "Risk score for a finding set by an analyst." + } # dimension principal__investigation__risk_score + + dimension: principal__investigation__root_cause { + type: string + sql: ${TABLE}.principal.investigation.root_cause ;; + group_label: "principal" + label: "principal.investigation.root_cause" + view_label: "UDM" + description: "Root cause of the Alert or Finding set by analyst." 
+ } # dimension principal__investigation__root_cause + + dimension: principal__investigation__status { + type: number + sql: ${TABLE}.principal.investigation.status ;; + group_label: "principal" + label: "principal.investigation.status" + view_label: "UDM" + description: "Describes the workflow status of a finding." + } # dimension principal__investigation__status + + dimension: principal__investigation__status_enum_name { + type: string + suggestions: ["CLOSED", "NEW", "OPEN", "REVIEWED", "STATUS_UNSPECIFIED"] + sql: CASE ${TABLE}.principal.investigation.status WHEN 0 THEN 'STATUS_UNSPECIFIED' WHEN 1 THEN 'NEW' WHEN 2 THEN 'REVIEWED' WHEN 3 THEN 'CLOSED' WHEN 4 THEN 'OPEN' END ;; + group_label: "principal" + label: "principal.investigation.status_enum_name" + view_label: "UDM" + description: "Describes the workflow status of a finding." + } # dimension principal__investigation__status_enum_name + + dimension: principal__investigation__verdict { + type: number + sql: ${TABLE}.principal.investigation.verdict ;; + group_label: "principal" + label: "principal.investigation.verdict" + view_label: "UDM" + description: "Describes reason a finding investigation was resolved." + } # dimension principal__investigation__verdict + + dimension: principal__investigation__verdict_enum_name { + type: string + suggestions: ["FALSE_POSITIVE", "TRUE_POSITIVE", "VERDICT_UNSPECIFIED"] + sql: CASE ${TABLE}.principal.investigation.verdict WHEN 0 THEN 'VERDICT_UNSPECIFIED' WHEN 1 THEN 'TRUE_POSITIVE' WHEN 2 THEN 'FALSE_POSITIVE' END ;; + group_label: "principal" + label: "principal.investigation.verdict_enum_name" + view_label: "UDM" + description: "Describes reason a finding investigation was resolved." 
+ } # dimension principal__investigation__verdict_enum_name + + dimension: principal__ip { + hidden: yes + } # dimension principal__ip + + dimension: principal__ip_geo_artifact { + hidden: yes + } # dimension principal__ip_geo_artifact + + dimension: principal__ip_location { + hidden: yes + } # dimension principal__ip_location + + dimension: principal__labels { + hidden: yes + } # dimension principal__labels + + dimension: principal__location { + hidden: yes + } # dimension principal__location + + dimension: principal__location__city { + type: string + sql: ${TABLE}.principal.location.city ;; + group_label: "principal" + label: "principal.location.city" + view_label: "UDM" + description: "The city." + } # dimension principal__location__city + + dimension: principal__location__country_or_region { + type: string + sql: ${TABLE}.principal.location.country_or_region ;; + group_label: "principal" + label: "principal.location.country_or_region" + view_label: "UDM" + description: "The country or region." + } # dimension principal__location__country_or_region + + dimension: principal__location__floor_name { + type: string + sql: ${TABLE}.principal.location.floor_name ;; + group_label: "principal" + label: "principal.location.floor_name" + view_label: "UDM" + description: "Floor name, number or a combination of the two for a building. (e.g. \"1-A\")." + } # dimension principal__location__floor_name + + dimension: principal__location__name { + type: string + sql: ${TABLE}.principal.location.name ;; + group_label: "principal" + label: "principal.location.name" + view_label: "UDM" + description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." 
+ } # dimension principal__location__name + + dimension: principal__location__region_coordinates { + type: location + sql_latitude: ${TABLE}.principal.location.region_coordinates.latitude ;; + sql_longitude: ${TABLE}.principal.location.region_coordinates.longitude ;; + group_label: "principal" + group_item_label: "principal.location.region_coordinates [L]" + label: "principal.location.region_coordinates" + view_label: "UDM" + description: "Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. [L]: This is a location field and can be used in maps." + } # dimension principal__location__region_coordinates + + dimension: principal__location__region_latitude { + type: number + sql: ${TABLE}.principal.location.region_latitude ;; + group_label: "principal" + group_item_label: "principal.location.region_latitude [D]" + label: "principal.location.region_latitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__location__region_latitude + + dimension: principal__location__region_longitude { + type: number + sql: ${TABLE}.principal.location.region_longitude ;; + group_label: "principal" + group_item_label: "principal.location.region_longitude [D]" + label: "principal.location.region_longitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__location__region_longitude + + dimension: principal__location__location { + type: location + sql_latitude: ${TABLE}.principal.location.region_latitude ;; + sql_longitude: ${TABLE}.principal.location.region_longitude ;; + group_label: "principal" + group_item_label: "principal.location.location [D][L]" + label: "principal.location.location" + view_label: "UDM" + description: "Deprecated: use region_coordinates. 
[D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." + } # dimension principal__location__location + + dimension: principal__location__state { + type: string + sql: ${TABLE}.principal.location.state ;; + group_label: "principal" + label: "principal.location.state" + view_label: "UDM" + description: "The state." + } # dimension principal__location__state + + dimension: principal__mac { + hidden: yes + } # dimension principal__mac + + dimension: principal__namespace { + type: string + sql: ${TABLE}.principal.namespace ;; + group_label: "principal" + label: "principal.namespace" + view_label: "UDM" + description: "Namespace which the device belongs to (e.g. AD forest) Uses for this field include Microsoft Windows AD forest, name of subsidiary or acquisition, etc." + } # dimension principal__namespace + + dimension: principal__nat_ip { + hidden: yes + } # dimension principal__nat_ip + + dimension: principal__nat_port { + type: number + value_format: "#" + sql: ${TABLE}.principal.nat_port ;; + group_label: "principal" + label: "principal.nat_port" + view_label: "UDM" + description: "NAT external network port number when a specific network connection is described within an event." + } # dimension principal__nat_port + + dimension: principal__network { + hidden: yes + } # dimension principal__network + + dimension: principal__platform { + type: number + sql: ${TABLE}.principal.platform ;; + group_label: "principal" + label: "principal.platform" + view_label: "UDM" + description: "Platform." 
+ } # dimension principal__platform + + dimension: principal__platform_enum_name { + type: string + suggestions: ["ANDROID", "AWS", "AZURE", "CHROME_OS", "GCP", "IOS", "LINUX", "MAC", "UNKNOWN_PLATFORM", "WINDOWS"] + sql: CASE ${TABLE}.principal.platform WHEN 0 THEN 'UNKNOWN_PLATFORM' WHEN 1 THEN 'WINDOWS' WHEN 2 THEN 'MAC' WHEN 3 THEN 'LINUX' WHEN 4 THEN 'GCP' WHEN 5 THEN 'AWS' WHEN 6 THEN 'AZURE' WHEN 7 THEN 'IOS' WHEN 8 THEN 'ANDROID' WHEN 9 THEN 'CHROME_OS' END ;; + group_label: "principal" + label: "principal.platform_enum_name" + view_label: "UDM" + description: "Platform." + } # dimension principal__platform_enum_name + + dimension: principal__platform_patch_level { + type: string + sql: ${TABLE}.principal.platform_patch_level ;; + group_label: "principal" + label: "principal.platform_patch_level" + view_label: "UDM" + description: "Platform patch level. For example, \"Build 17134.48\"" + } # dimension principal__platform_patch_level + + dimension: principal__platform_version { + type: string + sql: ${TABLE}.principal.platform_version ;; + group_label: "principal" + label: "principal.platform_version" + view_label: "UDM" + description: "Platform version. For example, \"Microsoft Windows 1803\"." + } # dimension principal__platform_version + + dimension: principal__port { + type: number + value_format: "#" + sql: ${TABLE}.principal.port ;; + group_label: "principal" + label: "principal.port" + view_label: "UDM" + description: "Source or destination network port number when a specific network connection is described within an event." + } # dimension principal__port + + dimension: principal__process { + hidden: yes + } # dimension principal__process + + dimension: principal__process__access_mask { + type: number + sql: ${TABLE}.principal.process.access_mask ;; + group_label: "principal" + label: "principal.process.access_mask" + view_label: "UDM" + description: "A bit mask representing the level of access." 
+ } # dimension principal__process__access_mask + + dimension: principal__process__command_line { + type: string + sql: ${TABLE}.principal.process.command_line ;; + group_label: "principal" + label: "principal.process.command_line" + view_label: "UDM" + description: "The command line command that created the process." + } # dimension principal__process__command_line + + dimension: principal__process__command_line_history { + hidden: yes + } # dimension principal__process__command_line_history + + dimension: principal__process__file { + hidden: yes + } # dimension principal__process__file + + dimension: principal__process__file__capabilities_tags { + hidden: yes + } # dimension principal__process__file__capabilities_tags + + dimension: principal__process__file__file_metadata { + hidden: yes + } # dimension principal__process__file__file_metadata + + dimension: principal__process__file__file_metadata__pe { + hidden: yes + } # dimension principal__process__file__file_metadata__pe + + dimension: principal__process__file__file_metadata__pe__import_hash { + type: string + sql: ${TABLE}.principal.process.file.file_metadata.pe.import_hash ;; + group_label: "principal" + group_item_label: "principal.process.file.file_metadata.pe.import_hash [D]" + label: "principal.process.file.file_metadata.pe.import_hash" + view_label: "UDM" + description: "Hash of PE imports. [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__process__file__file_metadata__pe__import_hash + + dimension: principal__process__file__file_type { + type: number + sql: ${TABLE}.principal.process.file.file_type ;; + group_label: "principal" + label: "principal.process.file.file_type" + view_label: "UDM" + description: "FileType field." 
+ } # dimension principal__process__file__file_type + + dimension: principal__process__file__file_type_enum_name { + type: string + suggestions: ["FILE_TYPE_ACE", "FILE_TYPE_ANDROID", "FILE_TYPE_APPLE", "FILE_TYPE_APPLEDOUBLE", "FILE_TYPE_APPLESCRIPT", "FILE_TYPE_APPLESCRIPT_COMPILED", "FILE_TYPE_APPLESINGLE", "FILE_TYPE_APPLE_PLIST", "FILE_TYPE_ARC", "FILE_TYPE_ARJ", "FILE_TYPE_ASD", "FILE_TYPE_ASF", "FILE_TYPE_AVI", "FILE_TYPE_AWK", "FILE_TYPE_BLACKHOLE", "FILE_TYPE_BMP", "FILE_TYPE_BZIP", "FILE_TYPE_C", "FILE_TYPE_CAB", "FILE_TYPE_CAP", "FILE_TYPE_CHM", "FILE_TYPE_COFF", "FILE_TYPE_COOKIE", "FILE_TYPE_CPP", "FILE_TYPE_CRX", "FILE_TYPE_DEB", "FILE_TYPE_DIB", "FILE_TYPE_DIVX", "FILE_TYPE_DMG", "FILE_TYPE_DOC", "FILE_TYPE_DOCX", "FILE_TYPE_DOS_COM", "FILE_TYPE_DOS_EXE", "FILE_TYPE_DYALOG", "FILE_TYPE_DZIP", "FILE_TYPE_EBOOK", "FILE_TYPE_ELF", "FILE_TYPE_EMAIL_TYPE", "FILE_TYPE_EMF", "FILE_TYPE_EOT", "FILE_TYPE_EPS", "FILE_TYPE_FLA", "FILE_TYPE_FLAC", "FILE_TYPE_FLC", "FILE_TYPE_FLI", "FILE_TYPE_FLV", "FILE_TYPE_FORTRAN", "FILE_TYPE_FPX", "FILE_TYPE_GIF", "FILE_TYPE_GIMP", "FILE_TYPE_GUL", "FILE_TYPE_GZIP", "FILE_TYPE_HTML", "FILE_TYPE_HWP", "FILE_TYPE_ICO", "FILE_TYPE_IN_DESIGN", "FILE_TYPE_IPHONE", "FILE_TYPE_ISOIMAGE", "FILE_TYPE_JAR", "FILE_TYPE_JAVA", "FILE_TYPE_JAVASCRIPT", "FILE_TYPE_JAVA_BYTECODE", "FILE_TYPE_JNG", "FILE_TYPE_JPEG", "FILE_TYPE_KGB", "FILE_TYPE_LATEX", "FILE_TYPE_LINUX", "FILE_TYPE_LINUX_KERNEL", "FILE_TYPE_LNK", "FILE_TYPE_MACH_O", "FILE_TYPE_MACINTOSH", "FILE_TYPE_MACINTOSH_HFS", "FILE_TYPE_MACINTOSH_LIB", "FILE_TYPE_MIDI", "FILE_TYPE_MOV", "FILE_TYPE_MP3", "FILE_TYPE_MP4", "FILE_TYPE_MPEG", "FILE_TYPE_MSCOMPRESS", "FILE_TYPE_MSI", "FILE_TYPE_NE_DLL", "FILE_TYPE_NE_EXE", "FILE_TYPE_ODF", "FILE_TYPE_ODG", "FILE_TYPE_ODP", "FILE_TYPE_ODS", "FILE_TYPE_ODT", "FILE_TYPE_OGG", "FILE_TYPE_OUTLOOK", "FILE_TYPE_PALMOS", "FILE_TYPE_PASCAL", "FILE_TYPE_PDF", "FILE_TYPE_PERL", "FILE_TYPE_PE_DLL", "FILE_TYPE_PE_EXE", "FILE_TYPE_PHP", "FILE_TYPE_PKG", 
"FILE_TYPE_PNG", "FILE_TYPE_POWERSHELL", "FILE_TYPE_PPSX", "FILE_TYPE_PPT", "FILE_TYPE_PPTX", "FILE_TYPE_PS", "FILE_TYPE_PSD", "FILE_TYPE_PYTHON", "FILE_TYPE_QUICKTIME", "FILE_TYPE_RAR", "FILE_TYPE_RM", "FILE_TYPE_ROM", "FILE_TYPE_RPM", "FILE_TYPE_RTF", "FILE_TYPE_RUBY", "FILE_TYPE_RZIP", "FILE_TYPE_SCRIPT", "FILE_TYPE_SEVENZIP", "FILE_TYPE_SHELLSCRIPT", "FILE_TYPE_SVG", "FILE_TYPE_SWF", "FILE_TYPE_SYMBIAN", "FILE_TYPE_T3GP", "FILE_TYPE_TAR", "FILE_TYPE_TARGA", "FILE_TYPE_TEXT", "FILE_TYPE_TIFF", "FILE_TYPE_TORRENT", "FILE_TYPE_TTF", "FILE_TYPE_UNSPECIFIED", "FILE_TYPE_VBA", "FILE_TYPE_WAV", "FILE_TYPE_WEBP", "FILE_TYPE_WINCE", "FILE_TYPE_WMA", "FILE_TYPE_WMV", "FILE_TYPE_WOFF", "FILE_TYPE_XLS", "FILE_TYPE_XLSX", "FILE_TYPE_XML", "FILE_TYPE_XPI", "FILE_TYPE_XWD", "FILE_TYPE_ZIP", "FILE_TYPE_ZLIB"] + sql: CASE ${TABLE}.principal.process.file.file_type WHEN 0 THEN 'FILE_TYPE_UNSPECIFIED' WHEN 1 THEN 'FILE_TYPE_PE_EXE' WHEN 2 THEN 'FILE_TYPE_PE_DLL' WHEN 3 THEN 'FILE_TYPE_MSI' WHEN 10 THEN 'FILE_TYPE_NE_EXE' WHEN 11 THEN 'FILE_TYPE_NE_DLL' WHEN 20 THEN 'FILE_TYPE_DOS_EXE' WHEN 21 THEN 'FILE_TYPE_DOS_COM' WHEN 30 THEN 'FILE_TYPE_COFF' WHEN 31 THEN 'FILE_TYPE_ELF' WHEN 32 THEN 'FILE_TYPE_LINUX_KERNEL' WHEN 33 THEN 'FILE_TYPE_RPM' WHEN 34 THEN 'FILE_TYPE_LINUX' WHEN 35 THEN 'FILE_TYPE_MACH_O' WHEN 36 THEN 'FILE_TYPE_JAVA_BYTECODE' WHEN 37 THEN 'FILE_TYPE_DMG' WHEN 38 THEN 'FILE_TYPE_DEB' WHEN 39 THEN 'FILE_TYPE_PKG' WHEN 50 THEN 'FILE_TYPE_LNK' WHEN 100 THEN 'FILE_TYPE_JPEG' WHEN 101 THEN 'FILE_TYPE_TIFF' WHEN 102 THEN 'FILE_TYPE_GIF' WHEN 103 THEN 'FILE_TYPE_PNG' WHEN 104 THEN 'FILE_TYPE_BMP' WHEN 105 THEN 'FILE_TYPE_GIMP' WHEN 106 THEN 'FILE_TYPE_IN_DESIGN' WHEN 107 THEN 'FILE_TYPE_PSD' WHEN 108 THEN 'FILE_TYPE_TARGA' WHEN 109 THEN 'FILE_TYPE_XWD' WHEN 110 THEN 'FILE_TYPE_DIB' WHEN 111 THEN 'FILE_TYPE_JNG' WHEN 112 THEN 'FILE_TYPE_ICO' WHEN 113 THEN 'FILE_TYPE_FPX' WHEN 114 THEN 'FILE_TYPE_EPS' WHEN 115 THEN 'FILE_TYPE_SVG' WHEN 116 THEN 'FILE_TYPE_EMF' WHEN 117 THEN 
'FILE_TYPE_WEBP' WHEN 150 THEN 'FILE_TYPE_OGG' WHEN 151 THEN 'FILE_TYPE_FLC' WHEN 152 THEN 'FILE_TYPE_FLI' WHEN 153 THEN 'FILE_TYPE_MP3' WHEN 154 THEN 'FILE_TYPE_FLAC' WHEN 155 THEN 'FILE_TYPE_WAV' WHEN 156 THEN 'FILE_TYPE_MIDI' WHEN 157 THEN 'FILE_TYPE_AVI' WHEN 158 THEN 'FILE_TYPE_MPEG' WHEN 159 THEN 'FILE_TYPE_QUICKTIME' WHEN 160 THEN 'FILE_TYPE_ASF' WHEN 161 THEN 'FILE_TYPE_DIVX' WHEN 162 THEN 'FILE_TYPE_FLV' WHEN 163 THEN 'FILE_TYPE_WMA' WHEN 164 THEN 'FILE_TYPE_WMV' WHEN 165 THEN 'FILE_TYPE_RM' WHEN 166 THEN 'FILE_TYPE_MOV' WHEN 167 THEN 'FILE_TYPE_MP4' WHEN 168 THEN 'FILE_TYPE_T3GP' WHEN 200 THEN 'FILE_TYPE_PDF' WHEN 201 THEN 'FILE_TYPE_PS' WHEN 202 THEN 'FILE_TYPE_DOC' WHEN 203 THEN 'FILE_TYPE_DOCX' WHEN 204 THEN 'FILE_TYPE_PPT' WHEN 205 THEN 'FILE_TYPE_PPTX' WHEN 209 THEN 'FILE_TYPE_PPSX' WHEN 206 THEN 'FILE_TYPE_XLS' WHEN 207 THEN 'FILE_TYPE_XLSX' WHEN 208 THEN 'FILE_TYPE_RTF' WHEN 250 THEN 'FILE_TYPE_ODP' WHEN 251 THEN 'FILE_TYPE_ODS' WHEN 252 THEN 'FILE_TYPE_ODT' WHEN 253 THEN 'FILE_TYPE_HWP' WHEN 254 THEN 'FILE_TYPE_GUL' WHEN 255 THEN 'FILE_TYPE_ODF' WHEN 256 THEN 'FILE_TYPE_ODG' WHEN 260 THEN 'FILE_TYPE_EBOOK' WHEN 261 THEN 'FILE_TYPE_LATEX' WHEN 262 THEN 'FILE_TYPE_TTF' WHEN 263 THEN 'FILE_TYPE_EOT' WHEN 264 THEN 'FILE_TYPE_WOFF' WHEN 265 THEN 'FILE_TYPE_CHM' WHEN 300 THEN 'FILE_TYPE_ZIP' WHEN 301 THEN 'FILE_TYPE_GZIP' WHEN 302 THEN 'FILE_TYPE_BZIP' WHEN 303 THEN 'FILE_TYPE_RZIP' WHEN 304 THEN 'FILE_TYPE_DZIP' WHEN 305 THEN 'FILE_TYPE_SEVENZIP' WHEN 306 THEN 'FILE_TYPE_CAB' WHEN 307 THEN 'FILE_TYPE_JAR' WHEN 308 THEN 'FILE_TYPE_RAR' WHEN 309 THEN 'FILE_TYPE_MSCOMPRESS' WHEN 310 THEN 'FILE_TYPE_ACE' WHEN 311 THEN 'FILE_TYPE_ARC' WHEN 312 THEN 'FILE_TYPE_ARJ' WHEN 313 THEN 'FILE_TYPE_ASD' WHEN 314 THEN 'FILE_TYPE_BLACKHOLE' WHEN 315 THEN 'FILE_TYPE_KGB' WHEN 316 THEN 'FILE_TYPE_ZLIB' WHEN 317 THEN 'FILE_TYPE_TAR' WHEN 400 THEN 'FILE_TYPE_TEXT' WHEN 401 THEN 'FILE_TYPE_SCRIPT' WHEN 402 THEN 'FILE_TYPE_PHP' WHEN 403 THEN 'FILE_TYPE_PYTHON' WHEN 404 THEN 
'FILE_TYPE_PERL' WHEN 405 THEN 'FILE_TYPE_RUBY' WHEN 406 THEN 'FILE_TYPE_C' WHEN 407 THEN 'FILE_TYPE_CPP' WHEN 408 THEN 'FILE_TYPE_JAVA' WHEN 409 THEN 'FILE_TYPE_SHELLSCRIPT' WHEN 410 THEN 'FILE_TYPE_PASCAL' WHEN 411 THEN 'FILE_TYPE_AWK' WHEN 412 THEN 'FILE_TYPE_DYALOG' WHEN 413 THEN 'FILE_TYPE_FORTRAN' WHEN 414 THEN 'FILE_TYPE_JAVASCRIPT' WHEN 415 THEN 'FILE_TYPE_POWERSHELL' WHEN 416 THEN 'FILE_TYPE_VBA' WHEN 500 THEN 'FILE_TYPE_SYMBIAN' WHEN 501 THEN 'FILE_TYPE_PALMOS' WHEN 502 THEN 'FILE_TYPE_WINCE' WHEN 503 THEN 'FILE_TYPE_ANDROID' WHEN 504 THEN 'FILE_TYPE_IPHONE' WHEN 600 THEN 'FILE_TYPE_HTML' WHEN 601 THEN 'FILE_TYPE_XML' WHEN 602 THEN 'FILE_TYPE_SWF' WHEN 603 THEN 'FILE_TYPE_FLA' WHEN 604 THEN 'FILE_TYPE_COOKIE' WHEN 605 THEN 'FILE_TYPE_TORRENT' WHEN 606 THEN 'FILE_TYPE_EMAIL_TYPE' WHEN 607 THEN 'FILE_TYPE_OUTLOOK' WHEN 700 THEN 'FILE_TYPE_CAP' WHEN 800 THEN 'FILE_TYPE_ISOIMAGE' WHEN 1000 THEN 'FILE_TYPE_APPLE' WHEN 1001 THEN 'FILE_TYPE_MACINTOSH' WHEN 1002 THEN 'FILE_TYPE_APPLESINGLE' WHEN 1003 THEN 'FILE_TYPE_APPLEDOUBLE' WHEN 1004 THEN 'FILE_TYPE_MACINTOSH_HFS' WHEN 1005 THEN 'FILE_TYPE_APPLE_PLIST' WHEN 1006 THEN 'FILE_TYPE_MACINTOSH_LIB' WHEN 1007 THEN 'FILE_TYPE_APPLESCRIPT' WHEN 1008 THEN 'FILE_TYPE_APPLESCRIPT_COMPILED' WHEN 1100 THEN 'FILE_TYPE_CRX' WHEN 1101 THEN 'FILE_TYPE_XPI' WHEN 1200 THEN 'FILE_TYPE_ROM' END ;; + group_label: "principal" + label: "principal.process.file.file_type_enum_name" + view_label: "UDM" + description: "FileType field." + } # dimension principal__process__file__file_type_enum_name + + dimension: principal__process__file__full_path { + type: string + sql: ${TABLE}.principal.process.file.full_path ;; + group_label: "principal" + label: "principal.process.file.full_path" + view_label: "UDM" + description: "The full path identifying the location of the file on the system." 
+ } # dimension principal__process__file__full_path + + dimension: principal__process__file__md5 { + type: string + sql: ${TABLE}.principal.process.file.md5 ;; + group_label: "principal" + label: "principal.process.file.md5" + view_label: "UDM" + description: "The MD5 hash of the file." + } # dimension principal__process__file__md5 + + dimension: principal__process__file__mime_type { + type: string + sql: ${TABLE}.principal.process.file.mime_type ;; + group_label: "principal" + label: "principal.process.file.mime_type" + view_label: "UDM" + description: "The MIME (Multipurpose Internet Mail Extensions) type of the file, for example \"PE\", \"PDF\", \"powershell script\", etc." + } # dimension principal__process__file__mime_type + + dimension: principal__process__file__names { + hidden: yes + } # dimension principal__process__file__names + + dimension: principal__process__file__pe_file { + hidden: yes + } # dimension principal__process__file__pe_file + + dimension: principal__process__file__pe_file__signature_info { + hidden: yes + } # dimension principal__process__file__pe_file__signature_info + + dimension: principal__process__file__pe_file__signature_info__verification_message { + type: string + sql: ${TABLE}.principal.process.file.pe_file.signature_info.verification_message ;; + group_label: "principal" + group_item_label: "principal.process.file.pe_file.signature_info.verification_message [D]" + label: "principal.process.file.pe_file.signature_info.verification_message" + view_label: "UDM" + description: "Status of the certificate. Valid values are \"Signed\", \"Unsigned\" or a description of the certificate anomaly, if found. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension principal__process__file__pe_file__signature_info__verification_message + + dimension: principal__process__file__sha1 { + type: string + sql: ${TABLE}.principal.process.file.sha1 ;; + group_label: "principal" + label: "principal.process.file.sha1" + view_label: "UDM" + description: "The SHA1 hash of the file." + } # dimension principal__process__file__sha1 + + dimension: principal__process__file__sha256 { + type: string + sql: ${TABLE}.principal.process.file.sha256 ;; + group_label: "principal" + label: "principal.process.file.sha256" + view_label: "UDM" + description: "The SHA256 hash of the file." + } # dimension principal__process__file__sha256 + + dimension: principal__process__file__size { + type: number + sql: ${TABLE}.principal.process.file.size ;; + group_label: "principal" + label: "principal.process.file.size" + view_label: "UDM" + description: "The size of the file in bytes." + } # dimension principal__process__file__size + + dimension: principal__process__parent_pid { + type: string + sql: ${TABLE}.principal.process.parent_pid ;; + group_label: "principal" + group_item_label: "principal.process.parent_pid [D]" + label: "principal.process.parent_pid" + view_label: "UDM" + description: "The ID of the parent process. Deprecated: use parent_process.pid instead. [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__process__parent_pid + + dimension: principal__process__parent_process { + hidden: yes + } # dimension principal__process__parent_process + + dimension: principal__process__parent_process__command_line { + type: string + sql: ${TABLE}.principal.process.parent_process.command_line ;; + group_label: "principal" + label: "principal.process.parent_process.command_line" + view_label: "UDM" + description: "The command line command that created the process." 
+ } # dimension principal__process__parent_process__command_line + + dimension: principal__process__parent_process__file { + hidden: yes + } # dimension principal__process__parent_process__file + + dimension: principal__process__parent_process__file__file_metadata { + hidden: yes + } # dimension principal__process__parent_process__file__file_metadata + + dimension: principal__process__parent_process__file__file_metadata__pe { + hidden: yes + } # dimension principal__process__parent_process__file__file_metadata__pe + + dimension: principal__process__parent_process__file__file_metadata__pe__import_hash { + type: string + sql: ${TABLE}.principal.process.parent_process.file.file_metadata.pe.import_hash ;; + group_label: "principal" + group_item_label: "principal.process.parent_process.file.file_metadata.pe.import_hash [D]" + label: "principal.process.parent_process.file.file_metadata.pe.import_hash" + view_label: "UDM" + description: "Hash of PE imports. [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__process__parent_process__file__file_metadata__pe__import_hash + + dimension: principal__process__parent_process__file__full_path { + type: string + sql: ${TABLE}.principal.process.parent_process.file.full_path ;; + group_label: "principal" + label: "principal.process.parent_process.file.full_path" + view_label: "UDM" + description: "The full path identifying the location of the file on the system." + } # dimension principal__process__parent_process__file__full_path + + dimension: principal__process__parent_process__file__md5 { + type: string + sql: ${TABLE}.principal.process.parent_process.file.md5 ;; + group_label: "principal" + label: "principal.process.parent_process.file.md5" + view_label: "UDM" + description: "The MD5 hash of the file." 
+ } # dimension principal__process__parent_process__file__md5 + + dimension: principal__process__parent_process__file__mime_type { + type: string + sql: ${TABLE}.principal.process.parent_process.file.mime_type ;; + group_label: "principal" + label: "principal.process.parent_process.file.mime_type" + view_label: "UDM" + description: "The MIME (Multipurpose Internet Mail Extensions) type of the file, for example \"PE\", \"PDF\", \"powershell script\", etc." + } # dimension principal__process__parent_process__file__mime_type + + dimension: principal__process__parent_process__file__sha1 { + type: string + sql: ${TABLE}.principal.process.parent_process.file.sha1 ;; + group_label: "principal" + label: "principal.process.parent_process.file.sha1" + view_label: "UDM" + description: "The SHA1 hash of the file." + } # dimension principal__process__parent_process__file__sha1 + + dimension: principal__process__parent_process__file__sha256 { + type: string + sql: ${TABLE}.principal.process.parent_process.file.sha256 ;; + group_label: "principal" + label: "principal.process.parent_process.file.sha256" + view_label: "UDM" + description: "The SHA256 hash of the file." + } # dimension principal__process__parent_process__file__sha256 + + dimension: principal__process__parent_process__file__size { + type: number + sql: ${TABLE}.principal.process.parent_process.file.size ;; + group_label: "principal" + label: "principal.process.parent_process.file.size" + view_label: "UDM" + description: "The size of the file in bytes." + } # dimension principal__process__parent_process__file__size + + dimension: principal__process__parent_process__parent_pid { + type: string + sql: ${TABLE}.principal.process.parent_process.parent_pid ;; + group_label: "principal" + group_item_label: "principal.process.parent_process.parent_pid [D]" + label: "principal.process.parent_process.parent_pid" + view_label: "UDM" + description: "The ID of the parent process. Deprecated: use parent_process.pid instead. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension principal__process__parent_process__parent_pid + + dimension: principal__process__parent_process__pid { + type: string + sql: ${TABLE}.principal.process.parent_process.pid ;; + group_label: "principal" + label: "principal.process.parent_process.pid" + view_label: "UDM" + description: "The process ID." + } # dimension principal__process__parent_process__pid + + dimension: principal__process__parent_process__product_specific_process_id { + type: string + sql: ${TABLE}.principal.process.parent_process.product_specific_process_id ;; + group_label: "principal" + label: "principal.process.parent_process.product_specific_process_id" + view_label: "UDM" + description: "A product specific process id." + } # dimension principal__process__parent_process__product_specific_process_id + + dimension: principal__process__pid { + type: string + sql: ${TABLE}.principal.process.pid ;; + group_label: "principal" + label: "principal.process.pid" + view_label: "UDM" + description: "The process ID." + } # dimension principal__process__pid + + dimension: principal__process__product_specific_parent_process_id { + type: string + sql: ${TABLE}.principal.process.product_specific_parent_process_id ;; + group_label: "principal" + group_item_label: "principal.process.product_specific_parent_process_id [D]" + label: "principal.process.product_specific_parent_process_id" + view_label: "UDM" + description: "A product specific id for the parent process. Please use parent_process.product_specific_process_id instead. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension principal__process__product_specific_parent_process_id + + dimension: principal__process__product_specific_process_id { + type: string + sql: ${TABLE}.principal.process.product_specific_process_id ;; + group_label: "principal" + label: "principal.process.product_specific_process_id" + view_label: "UDM" + description: "A product specific process id." + } # dimension principal__process__product_specific_process_id + + dimension: principal__process_ancestors { + hidden: yes + } # dimension principal__process_ancestors + + dimension: principal__registry { + hidden: yes + } # dimension principal__registry + + dimension: principal__registry__registry_key { + type: string + sql: ${TABLE}.principal.registry.registry_key ;; + group_label: "principal" + label: "principal.registry.registry_key" + view_label: "UDM" + description: "Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...)." + } # dimension principal__registry__registry_key + + dimension: principal__registry__registry_value_data { + type: string + sql: ${TABLE}.principal.registry.registry_value_data ;; + group_label: "principal" + label: "principal.registry.registry_value_data" + view_label: "UDM" + description: "Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp)." + } # dimension principal__registry__registry_value_data + + dimension: principal__registry__registry_value_name { + type: string + sql: ${TABLE}.principal.registry.registry_value_name ;; + group_label: "principal" + label: "principal.registry.registry_value_name" + view_label: "UDM" + description: "Name of the registry value associated with an application or system component (e.g. TEMP)." 
+ } # dimension principal__registry__registry_value_name + + dimension: principal__resource { + hidden: yes + } # dimension principal__resource + + dimension: principal__resource__attribute { + hidden: yes + } # dimension principal__resource__attribute + + dimension: principal__resource__attribute__cloud { + hidden: yes + } # dimension principal__resource__attribute__cloud + + dimension: principal__resource__attribute__cloud__availability_zone { + type: string + sql: ${TABLE}.principal.resource.attribute.cloud.availability_zone ;; + group_label: "principal" + label: "principal.resource.attribute.cloud.availability_zone" + view_label: "UDM" + description: "The cloud environment availability zone (different from region which is location.name)." + } # dimension principal__resource__attribute__cloud__availability_zone + + dimension: principal__resource__attribute__cloud__environment { + type: number + sql: ${TABLE}.principal.resource.attribute.cloud.environment ;; + group_label: "principal" + label: "principal.resource.attribute.cloud.environment" + view_label: "UDM" + description: "The Cloud environment." + } # dimension principal__resource__attribute__cloud__environment + + dimension: principal__resource__attribute__cloud__environment_enum_name { + type: string + suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] + sql: CASE ${TABLE}.principal.resource.attribute.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; + group_label: "principal" + label: "principal.resource.attribute.cloud.environment_enum_name" + view_label: "UDM" + description: "The Cloud environment." 
+ } # dimension principal__resource__attribute__cloud__environment_enum_name + + dimension: principal__resource__attribute__cloud__project { + hidden: yes + } # dimension principal__resource__attribute__cloud__project + + dimension: principal__resource__attribute__cloud__project__name { + type: string + sql: ${TABLE}.principal.resource.attribute.cloud.project.name ;; + group_label: "principal" + group_item_label: "principal.resource.attribute.cloud.project.name [D]" + label: "principal.resource.attribute.cloud.project.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__resource__attribute__cloud__project__name + + dimension: principal__resource__attribute__cloud__project__resource_subtype { + type: string + sql: ${TABLE}.principal.resource.attribute.cloud.project.resource_subtype ;; + group_label: "principal" + group_item_label: "principal.resource.attribute.cloud.project.resource_subtype [D]" + label: "principal.resource.attribute.cloud.project.resource_subtype" + view_label: "UDM" + description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\"). 
[D]: This field is deprecated and will be removed in a future release" + } # dimension principal__resource__attribute__cloud__project__resource_subtype + + dimension_group: principal__resource__attribute__creation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.resource.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.resource.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "principal" + label: "principal.resource.attribute.creation_time" + view_label: "UDM" + description: "Time the resource or entity was created or provisioned." + } # dimension principal__resource__attribute__creation_time + + dimension: principal__resource__attribute__labels { + hidden: yes + } # dimension principal__resource__attribute__labels + + dimension_group: principal__resource__attribute__last_update_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.resource.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.resource.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "principal" + label: "principal.resource.attribute.last_update_time" + view_label: "UDM" + description: "Time the resource or entity was last updated." 
+ } # dimension principal__resource__attribute__last_update_time + + dimension: principal__resource__attribute__permissions { + hidden: yes + } # dimension principal__resource__attribute__permissions + + dimension: principal__resource__attribute__roles { + hidden: yes + } # dimension principal__resource__attribute__roles + + dimension: principal__resource__id { + type: string + sql: ${TABLE}.principal.resource.id ;; + group_label: "principal" + group_item_label: "principal.resource.id [D]" + label: "principal.resource.id" + view_label: "UDM" + description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__resource__id + + dimension: principal__resource__name { + type: string + sql: ${TABLE}.principal.resource.name ;; + group_label: "principal" + label: "principal.resource.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." + } # dimension principal__resource__name + + dimension: principal__resource__parent { + type: string + sql: ${TABLE}.principal.resource.parent ;; + group_label: "principal" + group_item_label: "principal.resource.parent [D]" + label: "principal.resource.parent" + view_label: "UDM" + description: "The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: use resource_ancestors.name. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension principal__resource__parent + + dimension: principal__resource__product_object_id { + type: string + sql: ${TABLE}.principal.resource.product_object_id ;; + group_label: "principal" + label: "principal.resource.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" + } # dimension principal__resource__product_object_id + + dimension: principal__resource__resource_subtype { + type: string + sql: ${TABLE}.principal.resource.resource_subtype ;; + group_label: "principal" + label: "principal.resource.resource_subtype" + view_label: "UDM" + description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\")." + } # dimension principal__resource__resource_subtype + + dimension: principal__resource__resource_type { + type: number + sql: ${TABLE}.principal.resource.resource_type ;; + group_label: "principal" + label: "principal.resource.resource_type" + view_label: "UDM" + description: "Resource type." 
+ } # dimension principal__resource__resource_type + + dimension: principal__resource__resource_type_enum_name { + type: string + suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] + sql: CASE ${TABLE}.principal.resource.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; + group_label: "principal" + label: "principal.resource.resource_type_enum_name" + view_label: "UDM" + description: "Resource type." + } # dimension principal__resource__resource_type_enum_name + + dimension: principal__resource__type { + type: string + sql: ${TABLE}.principal.resource.type ;; + group_label: "principal" + group_item_label: "principal.resource.type [D]" + label: "principal.resource.type" + view_label: "UDM" + description: "Deprecated: use resource_type instead. [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__resource__type + + dimension: principal__resource_ancestors { + hidden: yes + } # dimension principal__resource_ancestors + + dimension: principal__url { + type: string + sql: ${TABLE}.principal.url ;; + group_label: "principal" + label: "principal.url" + view_label: "UDM" + description: "The URL." 
+ } # dimension principal__url + + dimension: principal__user { + hidden: yes + } # dimension principal__user + + dimension: principal__user__account_type { + type: number + sql: ${TABLE}.principal.user.account_type ;; + group_label: "principal" + label: "principal.user.account_type" + view_label: "UDM" + description: "Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/" + } # dimension principal__user__account_type + + dimension: principal__user__account_type_enum_name { + type: string + suggestions: ["ACCOUNT_TYPE_UNSPECIFIED", "CLOUD_ACCOUNT_TYPE", "DEFAULT_ACCOUNT_TYPE", "DOMAIN_ACCOUNT_TYPE", "LOCAL_ACCOUNT_TYPE", "SERVICE_ACCOUNT_TYPE"] + sql: CASE ${TABLE}.principal.user.account_type WHEN 0 THEN 'ACCOUNT_TYPE_UNSPECIFIED' WHEN 1 THEN 'DOMAIN_ACCOUNT_TYPE' WHEN 2 THEN 'LOCAL_ACCOUNT_TYPE' WHEN 3 THEN 'CLOUD_ACCOUNT_TYPE' WHEN 4 THEN 'SERVICE_ACCOUNT_TYPE' WHEN 5 THEN 'DEFAULT_ACCOUNT_TYPE' END ;; + group_label: "principal" + label: "principal.user.account_type_enum_name" + view_label: "UDM" + description: "Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/" + } # dimension principal__user__account_type_enum_name + + dimension: principal__user__attribute { + hidden: yes + } # dimension principal__user__attribute + + dimension: principal__user__attribute__cloud { + hidden: yes + } # dimension principal__user__attribute__cloud + + dimension: principal__user__attribute__cloud__environment { + type: number + sql: ${TABLE}.principal.user.attribute.cloud.environment ;; + group_label: "principal" + label: "principal.user.attribute.cloud.environment" + view_label: "UDM" + description: "The Cloud environment." 
+ } # dimension principal__user__attribute__cloud__environment + + dimension: principal__user__attribute__cloud__environment_enum_name { + type: string + suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] + sql: CASE ${TABLE}.principal.user.attribute.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; + group_label: "principal" + label: "principal.user.attribute.cloud.environment_enum_name" + view_label: "UDM" + description: "The Cloud environment." + } # dimension principal__user__attribute__cloud__environment_enum_name + + dimension: principal__user__attribute__cloud__project { + hidden: yes + } # dimension principal__user__attribute__cloud__project + + dimension: principal__user__attribute__cloud__project__id { + type: string + sql: ${TABLE}.principal.user.attribute.cloud.project.id ;; + group_label: "principal" + group_item_label: "principal.user.attribute.cloud.project.id [D]" + label: "principal.user.attribute.cloud.project.id" + view_label: "UDM" + description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__user__attribute__cloud__project__id + + dimension_group: principal__user__attribute__creation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.user.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.user.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "principal" + label: "principal.user.attribute.creation_time" + view_label: "UDM" + description: "Time the resource or entity was created or provisioned." 
+ } # dimension principal__user__attribute__creation_time + + dimension: principal__user__attribute__labels { + hidden: yes + } # dimension principal__user__attribute__labels + + dimension_group: principal__user__attribute__last_update_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.user.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.user.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "principal" + label: "principal.user.attribute.last_update_time" + view_label: "UDM" + description: "Time the resource or entity was last updated." + } # dimension principal__user__attribute__last_update_time + + dimension: principal__user__attribute__permissions { + hidden: yes + } # dimension principal__user__attribute__permissions + + dimension: principal__user__attribute__roles { + hidden: yes + } # dimension principal__user__attribute__roles + + dimension: principal__user__company_name { + type: string + sql: ${TABLE}.principal.user.company_name ;; + group_label: "principal" + label: "principal.user.company_name" + view_label: "UDM" + description: "User job company name." + } # dimension principal__user__company_name + + dimension: principal__user__department { + hidden: yes + } # dimension principal__user__department + + dimension: principal__user__email_addresses { + hidden: yes + } # dimension principal__user__email_addresses + + dimension: principal__user__employee_id { + type: string + sql: ${TABLE}.principal.user.employee_id ;; + group_label: "principal" + label: "principal.user.employee_id" + view_label: "UDM" + description: "Human capital management identifier." 
+ } # dimension principal__user__employee_id + + dimension: principal__user__first_name { + type: string + sql: ${TABLE}.principal.user.first_name ;; + group_label: "principal" + label: "principal.user.first_name" + view_label: "UDM" + description: "First name of the user (e.g. \"John\")." + } # dimension principal__user__first_name + + dimension: principal__user__group_identifiers { + hidden: yes + } # dimension principal__user__group_identifiers + + dimension: principal__user__groupid { + type: string + sql: ${TABLE}.principal.user.groupid ;; + group_label: "principal" + group_item_label: "principal.user.groupid [D]" + label: "principal.user.groupid" + view_label: "UDM" + description: "The ID of the group that the user belongs to. Deprecated in favor of the repeated group_identifiers field. [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__user__groupid + + dimension_group: principal__user__hire_date { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.user.hire_date.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.user.hire_date.nanos, 0) / 1000) as INT64)) ;; + group_label: "principal" + label: "principal.user.hire_date" + view_label: "UDM" + description: "User job employment hire date." + } # dimension principal__user__hire_date + + dimension: principal__user__last_name { + type: string + sql: ${TABLE}.principal.user.last_name ;; + group_label: "principal" + label: "principal.user.last_name" + view_label: "UDM" + description: "Last name of the user (e.g. \"Locke\")." 
+ } # dimension principal__user__last_name + + dimension: principal__user__managers { + hidden: yes + } # dimension principal__user__managers + + dimension: principal__user__office_address { + hidden: yes + } # dimension principal__user__office_address + + dimension: principal__user__office_address__city { + type: string + sql: ${TABLE}.principal.user.office_address.city ;; + group_label: "principal" + label: "principal.user.office_address.city" + view_label: "UDM" + description: "The city." + } # dimension principal__user__office_address__city + + dimension: principal__user__office_address__country_or_region { + type: string + sql: ${TABLE}.principal.user.office_address.country_or_region ;; + group_label: "principal" + label: "principal.user.office_address.country_or_region" + view_label: "UDM" + description: "The country or region." + } # dimension principal__user__office_address__country_or_region + + dimension: principal__user__office_address__desk_name { + type: string + sql: ${TABLE}.principal.user.office_address.desk_name ;; + group_label: "principal" + label: "principal.user.office_address.desk_name" + view_label: "UDM" + description: "Desk name or individual location, typically for an employee in an office. (e.g. \"IN-BLR-BCPC-11-1121D\")." + } # dimension principal__user__office_address__desk_name + + dimension: principal__user__office_address__floor_name { + type: string + sql: ${TABLE}.principal.user.office_address.floor_name ;; + group_label: "principal" + label: "principal.user.office_address.floor_name" + view_label: "UDM" + description: "Floor name, number or a combination of the two for a building. (e.g. \"1-A\")." + } # dimension principal__user__office_address__floor_name + + dimension: principal__user__office_address__name { + type: string + sql: ${TABLE}.principal.user.office_address.name ;; + group_label: "principal" + label: "principal.user.office_address.name" + view_label: "UDM" + description: "Custom location name (e.g. 
building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." + } # dimension principal__user__office_address__name + + dimension: principal__user__office_address__state { + type: string + sql: ${TABLE}.principal.user.office_address.state ;; + group_label: "principal" + label: "principal.user.office_address.state" + view_label: "UDM" + description: "The state." + } # dimension principal__user__office_address__state + + dimension: principal__user__personal_address { + hidden: yes + } # dimension principal__user__personal_address + + dimension: principal__user__personal_address__city { + type: string + sql: ${TABLE}.principal.user.personal_address.city ;; + group_label: "principal" + label: "principal.user.personal_address.city" + view_label: "UDM" + description: "The city." + } # dimension principal__user__personal_address__city + + dimension: principal__user__personal_address__country_or_region { + type: string + sql: ${TABLE}.principal.user.personal_address.country_or_region ;; + group_label: "principal" + label: "principal.user.personal_address.country_or_region" + view_label: "UDM" + description: "The country or region." + } # dimension principal__user__personal_address__country_or_region + + dimension: principal__user__personal_address__name { + type: string + sql: ${TABLE}.principal.user.personal_address.name ;; + group_label: "principal" + label: "principal.user.personal_address.name" + view_label: "UDM" + description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." + } # dimension principal__user__personal_address__name + + dimension: principal__user__personal_address__state { + type: string + sql: ${TABLE}.principal.user.personal_address.state ;; + group_label: "principal" + label: "principal.user.personal_address.state" + view_label: "UDM" + description: "The state." 
+ } # dimension principal__user__personal_address__state + + dimension: principal__user__phone_numbers { + hidden: yes + } # dimension principal__user__phone_numbers + + dimension: principal__user__product_object_id { + type: string + sql: ${TABLE}.principal.user.product_object_id ;; + group_label: "principal" + label: "principal.user.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." + } # dimension principal__user__product_object_id + + dimension: principal__user__role_description { + type: string + sql: ${TABLE}.principal.user.role_description ;; + group_label: "principal" + group_item_label: "principal.user.role_description [D]" + label: "principal.user.role_description" + view_label: "UDM" + description: "System role description for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__user__role_description + + dimension: principal__user__role_name { + type: string + sql: ${TABLE}.principal.user.role_name ;; + group_label: "principal" + group_item_label: "principal.user.role_name [D]" + label: "principal.user.role_name" + view_label: "UDM" + description: "System role name for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__user__role_name + + dimension_group: principal__user__termination_date { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.user.termination_date.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.user.termination_date.nanos, 0) / 1000) as INT64)) ;; + group_label: "principal" + label: "principal.user.termination_date" + view_label: "UDM" + description: "User job employment termination date." 
+ } # dimension principal__user__termination_date + + dimension: principal__user__time_off { + hidden: yes + } # dimension principal__user__time_off + + dimension: principal__user__title { + type: string + sql: ${TABLE}.principal.user.title ;; + group_label: "principal" + label: "principal.user.title" + view_label: "UDM" + description: "User job title." + } # dimension principal__user__title + + dimension: principal__user__user_authentication_status { + type: number + sql: ${TABLE}.principal.user.user_authentication_status ;; + group_label: "principal" + label: "principal.user.user_authentication_status" + view_label: "UDM" + description: "System authentication status for user." + } # dimension principal__user__user_authentication_status + + dimension: principal__user__user_authentication_status_enum_name { + type: string + suggestions: ["ACTIVE", "DELETED", "NO_ACTIVE_CREDENTIALS", "SUSPENDED", "UNKNOWN_AUTHENTICATION_STATUS"] + sql: CASE ${TABLE}.principal.user.user_authentication_status WHEN 0 THEN 'UNKNOWN_AUTHENTICATION_STATUS' WHEN 1 THEN 'ACTIVE' WHEN 2 THEN 'SUSPENDED' WHEN 3 THEN 'NO_ACTIVE_CREDENTIALS' WHEN 4 THEN 'DELETED' END ;; + group_label: "principal" + label: "principal.user.user_authentication_status_enum_name" + view_label: "UDM" + description: "System authentication status for user." + } # dimension principal__user__user_authentication_status_enum_name + + dimension: principal__user__user_display_name { + type: string + sql: ${TABLE}.principal.user.user_display_name ;; + group_label: "principal" + label: "principal.user.user_display_name" + view_label: "UDM" + description: "The display name of the user (e.g. \"John Locke\")." + } # dimension principal__user__user_display_name + + dimension: principal__user__user_role { + type: number + sql: ${TABLE}.principal.user.user_role ;; + group_label: "principal" + group_item_label: "principal.user.user_role [D]" + label: "principal.user.user_role" + view_label: "UDM" + description: "System role for user. 
Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__user__user_role + + dimension: principal__user__user_role_enum_name { + type: string + suggestions: ["ADMINISTRATOR", "SERVICE_ACCOUNT", "UNKNOWN_ROLE"] + sql: CASE ${TABLE}.principal.user.user_role WHEN 0 THEN 'UNKNOWN_ROLE' WHEN 1 THEN 'ADMINISTRATOR' WHEN 2 THEN 'SERVICE_ACCOUNT' END ;; + group_label: "principal" + group_item_label: "principal.user.user_role_enum_name [D]" + label: "principal.user.user_role_enum_name" + view_label: "UDM" + description: "System role for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" + } # dimension principal__user__user_role_enum_name + + dimension: principal__user__userid { + type: string + sql: ${TABLE}.principal.user.userid ;; + group_label: "principal" + label: "principal.user.userid" + view_label: "UDM" + description: "The ID of the user." + } # dimension principal__user__userid + + dimension: principal__user__windows_sid { + type: string + sql: ${TABLE}.principal.user.windows_sid ;; + group_label: "principal" + label: "principal.user.windows_sid" + view_label: "UDM" + description: "The Microsoft Windows SID of the user." + } # dimension principal__user__windows_sid + + dimension: security_result { + hidden: yes + } # dimension security_result + + dimension: src { + hidden: yes + } # dimension src + + dimension: src__administrative_domain { + type: string + sql: ${TABLE}.src.administrative_domain ;; + group_label: "src" + label: "src.administrative_domain" + view_label: "UDM" + description: "Domain which the device belongs to (for example, the Microsoft Windows domain)." + } # dimension src__administrative_domain + + dimension: src__application { + type: string + sql: ${TABLE}.src.application ;; + group_label: "src" + label: "src.application" + view_label: "UDM" + description: "The name of an application or service. 
Some SSO solutions only capture the name of a target application such as \"Atlassian\" or \"Chronicle\"." + } # dimension src__application + + dimension: src__artifact { + hidden: yes + } # dimension src__artifact + + dimension: src__artifact__ip { + type: string + sql: ${TABLE}.src.artifact.ip ;; + group_label: "src" + label: "src.artifact.ip" + view_label: "UDM" + description: "IP address of the artifact." + } # dimension src__artifact__ip + + dimension: src__artifact__network { + hidden: yes + } # dimension src__artifact__network + + dimension: src__artifact__network__dns { + hidden: yes + } # dimension src__artifact__network__dns + + dimension: src__artifact__network__dns__questions { + hidden: yes + } # dimension src__artifact__network__dns__questions + + dimension: src__artifact__network__http { + hidden: yes + } # dimension src__artifact__network__http + + dimension: src__artifact__network__http__parsed_user_agent { + hidden: yes + } # dimension src__artifact__network__http__parsed_user_agent + + dimension: src__artifact__network__http__parsed_user_agent__browser { + type: string + sql: ${TABLE}.src.artifact.network.http.parsed_user_agent.browser ;; + group_label: "src" + label: "src.artifact.network.http.parsed_user_agent.browser" + view_label: "UDM" + description: "Product brand within the family: Firefox, Netscape, Camino etc.. Or Earth, Windows-Media-Player etc.. for non-browser user agents." + } # dimension src__artifact__network__http__parsed_user_agent__browser + + dimension: src__asset { + hidden: yes + } # dimension src__asset + + dimension: src__asset__asset_id { + type: string + sql: ${TABLE}.src.asset.asset_id ;; + group_label: "src" + label: "src.asset.asset_id" + view_label: "UDM" + description: "The asset ID." 
+ } # dimension src__asset__asset_id + + dimension: src__asset__attribute { + hidden: yes + } # dimension src__asset__attribute + + dimension: src__asset__attribute__cloud { + hidden: yes + } # dimension src__asset__attribute__cloud + + dimension: src__asset__attribute__cloud__availability_zone { + type: string + sql: ${TABLE}.src.asset.attribute.cloud.availability_zone ;; + group_label: "src" + label: "src.asset.attribute.cloud.availability_zone" + view_label: "UDM" + description: "The cloud environment availability zone (different from region which is location.name)." + } # dimension src__asset__attribute__cloud__availability_zone + + dimension: src__asset__attribute__cloud__environment { + type: number + sql: ${TABLE}.src.asset.attribute.cloud.environment ;; + group_label: "src" + label: "src.asset.attribute.cloud.environment" + view_label: "UDM" + description: "The Cloud environment." + } # dimension src__asset__attribute__cloud__environment + + dimension: src__asset__attribute__cloud__environment_enum_name { + type: string + suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] + sql: CASE ${TABLE}.src.asset.attribute.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; + group_label: "src" + label: "src.asset.attribute.cloud.environment_enum_name" + view_label: "UDM" + description: "The Cloud environment." 
+ } # dimension src__asset__attribute__cloud__environment_enum_name + + dimension: src__asset__attribute__cloud__project { + hidden: yes + } # dimension src__asset__attribute__cloud__project + + dimension: src__asset__attribute__cloud__project__name { + type: string + sql: ${TABLE}.src.asset.attribute.cloud.project.name ;; + group_label: "src" + group_item_label: "src.asset.attribute.cloud.project.name [D]" + label: "src.asset.attribute.cloud.project.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" + } # dimension src__asset__attribute__cloud__project__name + + dimension: src__asset__attribute__cloud__project__resource_type { + type: number + sql: ${TABLE}.src.asset.attribute.cloud.project.resource_type ;; + group_label: "src" + group_item_label: "src.asset.attribute.cloud.project.resource_type [D]" + label: "src.asset.attribute.cloud.project.resource_type" + view_label: "UDM" + description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension src__asset__attribute__cloud__project__resource_type + + dimension: src__asset__attribute__cloud__project__resource_type_enum_name { + type: string + suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] + sql: CASE ${TABLE}.src.asset.attribute.cloud.project.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; + group_label: "src" + group_item_label: "src.asset.attribute.cloud.project.resource_type_enum_name [D]" + label: "src.asset.attribute.cloud.project.resource_type_enum_name" + view_label: "UDM" + description: "Resource type. [D]: This field is deprecated and will be removed in a future release" + } # dimension src__asset__attribute__cloud__project__resource_type_enum_name + + dimension: src__asset__attribute__cloud__vpc { + hidden: yes + } # dimension src__asset__attribute__cloud__vpc + + dimension: src__asset__attribute__cloud__vpc__name { + type: string + sql: ${TABLE}.src.asset.attribute.cloud.vpc.name ;; + group_label: "src" + group_item_label: "src.asset.attribute.cloud.vpc.name [D]" + label: "src.asset.attribute.cloud.vpc.name" + view_label: "UDM" + description: "The full name of the resource. 
For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" + } # dimension src__asset__attribute__cloud__vpc__name + + dimension: src__asset__attribute__cloud__vpc__resource_type { + type: number + sql: ${TABLE}.src.asset.attribute.cloud.vpc.resource_type ;; + group_label: "src" + group_item_label: "src.asset.attribute.cloud.vpc.resource_type [D]" + label: "src.asset.attribute.cloud.vpc.resource_type" + view_label: "UDM" + description: "Resource type. [D]: This field is deprecated and will be removed in a future release" + } # dimension src__asset__attribute__cloud__vpc__resource_type + + dimension: src__asset__attribute__cloud__vpc__resource_type_enum_name { + type: string + suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] + sql: CASE ${TABLE}.src.asset.attribute.cloud.vpc.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; + group_label: "src" + group_item_label: "src.asset.attribute.cloud.vpc.resource_type_enum_name [D]" + label: "src.asset.attribute.cloud.vpc.resource_type_enum_name" + view_label: "UDM" + description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension src__asset__attribute__cloud__vpc__resource_type_enum_name + + dimension_group: src__asset__attribute__creation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.asset.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.asset.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "src" + label: "src.asset.attribute.creation_time" + view_label: "UDM" + description: "Time the resource or entity was created or provisioned." + } # dimension src__asset__attribute__creation_time + + dimension: src__asset__attribute__labels { + hidden: yes + } # dimension src__asset__attribute__labels + + dimension_group: src__asset__attribute__last_update_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.asset.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.asset.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "src" + label: "src.asset.attribute.last_update_time" + view_label: "UDM" + description: "Time the resource or entity was last updated." + } # dimension src__asset__attribute__last_update_time + + dimension: src__asset__category { + type: string + sql: ${TABLE}.src.asset.category ;; + group_label: "src" + label: "src.asset.category" + view_label: "UDM" + description: "The category of the asset (e.g. \"End User Asset\", \"Workstation\", \"Server\")." + } # dimension src__asset__category + + dimension: src__asset__deployment_status { + type: number + sql: ${TABLE}.src.asset.deployment_status ;; + group_label: "src" + label: "src.asset.deployment_status" + view_label: "UDM" + description: "The deployment status of the asset for device lifecycle purposes." 
+ } # dimension src__asset__deployment_status + + dimension: src__asset__deployment_status_enum_name { + type: string + suggestions: ["ACTIVE", "DECOMISSIONED", "DEPLOYMENT_STATUS_UNSPECIFIED", "PENDING_DECOMISSION"] + sql: CASE ${TABLE}.src.asset.deployment_status WHEN 0 THEN 'DEPLOYMENT_STATUS_UNSPECIFIED' WHEN 1 THEN 'ACTIVE' WHEN 2 THEN 'PENDING_DECOMISSION' WHEN 3 THEN 'DECOMISSIONED' END ;; + group_label: "src" + label: "src.asset.deployment_status_enum_name" + view_label: "UDM" + description: "The deployment status of the asset for device lifecycle purposes." + } # dimension src__asset__deployment_status_enum_name + + dimension_group: src__asset__first_discover_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.asset.first_discover_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.asset.first_discover_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "src" + label: "src.asset.first_discover_time" + view_label: "UDM" + description: "Time the asset was first discovered (by asset management/discoverability software)." + } # dimension src__asset__first_discover_time + + dimension_group: src__asset__first_seen_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.asset.first_seen_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.asset.first_seen_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "src" + label: "src.asset.first_seen_time" + view_label: "UDM" + description: "The first observed time for an asset. The value is calculated on the basis of the first time the identifier was observed." 
+ } # dimension src__asset__first_seen_time + + dimension: src__asset__hardware { + hidden: yes + } # dimension src__asset__hardware + + dimension: src__asset__hostname { + type: string + sql: ${TABLE}.src.asset.hostname ;; + group_label: "src" + label: "src.asset.hostname" + view_label: "UDM" + description: "Asset hostname or domain name field." + } # dimension src__asset__hostname + + dimension: src__asset__ip { + hidden: yes + } # dimension src__asset__ip + + dimension: src__asset__labels { + hidden: yes + } # dimension src__asset__labels + + dimension_group: src__asset__last_boot_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.asset.last_boot_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.asset.last_boot_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "src" + label: "src.asset.last_boot_time" + view_label: "UDM" + description: "Time the asset was last boot started." + } # dimension src__asset__last_boot_time + + dimension_group: src__asset__last_discover_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.asset.last_discover_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.asset.last_discover_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "src" + label: "src.asset.last_discover_time" + view_label: "UDM" + description: "Time the asset was last discovered (by asset management/discoverability software)." + } # dimension src__asset__last_discover_time + + dimension: src__asset__location { + hidden: yes + } # dimension src__asset__location + + dimension: src__asset__location__city { + type: string + sql: ${TABLE}.src.asset.location.city ;; + group_label: "src" + label: "src.asset.location.city" + view_label: "UDM" + description: "The city." 
+ } # dimension src__asset__location__city + + dimension: src__asset__location__country_or_region { + type: string + sql: ${TABLE}.src.asset.location.country_or_region ;; + group_label: "src" + label: "src.asset.location.country_or_region" + view_label: "UDM" + description: "The country or region." + } # dimension src__asset__location__country_or_region + + dimension: src__asset__location__floor_name { + type: string + sql: ${TABLE}.src.asset.location.floor_name ;; + group_label: "src" + label: "src.asset.location.floor_name" + view_label: "UDM" + description: "Floor name, number or a combination of the two for a building. (e.g. \"1-A\")." + } # dimension src__asset__location__floor_name + + dimension: src__asset__location__name { + type: string + sql: ${TABLE}.src.asset.location.name ;; + group_label: "src" + label: "src.asset.location.name" + view_label: "UDM" + description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." + } # dimension src__asset__location__name + + dimension: src__asset__location__region_latitude { + type: number + sql: ${TABLE}.src.asset.location.region_latitude ;; + group_label: "src" + group_item_label: "src.asset.location.region_latitude [D]" + label: "src.asset.location.region_latitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" + } # dimension src__asset__location__region_latitude + + dimension: src__asset__location__region_longitude { + type: number + sql: ${TABLE}.src.asset.location.region_longitude ;; + group_label: "src" + group_item_label: "src.asset.location.region_longitude [D]" + label: "src.asset.location.region_longitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension src__asset__location__region_longitude + + dimension: src__asset__location__location { + type: location + sql_latitude: ${TABLE}.src.asset.location.region_latitude ;; + sql_longitude: ${TABLE}.src.asset.location.region_longitude ;; + group_label: "src" + group_item_label: "src.asset.location.location [D][L]" + label: "src.asset.location.location" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." + } # dimension src__asset__location__location + + dimension: src__asset__location__state { + type: string + sql: ${TABLE}.src.asset.location.state ;; + group_label: "src" + label: "src.asset.location.state" + view_label: "UDM" + description: "The state." + } # dimension src__asset__location__state + + dimension: src__asset__mac { + hidden: yes + } # dimension src__asset__mac + + dimension: src__asset__nat_ip { + hidden: yes + } # dimension src__asset__nat_ip + + dimension: src__asset__network_domain { + type: string + sql: ${TABLE}.src.asset.network_domain ;; + group_label: "src" + label: "src.asset.network_domain" + view_label: "UDM" + description: "The network domain of the asset (e.g. \"corp.acme.com\")" + } # dimension src__asset__network_domain + + dimension: src__asset__platform_software { + hidden: yes + } # dimension src__asset__platform_software + + dimension: src__asset__platform_software__platform { + type: number + sql: ${TABLE}.src.asset.platform_software.platform ;; + group_label: "src" + label: "src.asset.platform_software.platform" + view_label: "UDM" + description: "The platform operating system." 
+ } # dimension src__asset__platform_software__platform + + dimension: src__asset__platform_software__platform_enum_name { + type: string + suggestions: ["ANDROID", "AWS", "AZURE", "CHROME_OS", "GCP", "IOS", "LINUX", "MAC", "UNKNOWN_PLATFORM", "WINDOWS"] + sql: CASE ${TABLE}.src.asset.platform_software.platform WHEN 0 THEN 'UNKNOWN_PLATFORM' WHEN 1 THEN 'WINDOWS' WHEN 2 THEN 'MAC' WHEN 3 THEN 'LINUX' WHEN 4 THEN 'GCP' WHEN 5 THEN 'AWS' WHEN 6 THEN 'AZURE' WHEN 7 THEN 'IOS' WHEN 8 THEN 'ANDROID' WHEN 9 THEN 'CHROME_OS' END ;; + group_label: "src" + label: "src.asset.platform_software.platform_enum_name" + view_label: "UDM" + description: "The platform operating system." + } # dimension src__asset__platform_software__platform_enum_name + + dimension: src__asset__platform_software__platform_patch_level { + type: string + sql: ${TABLE}.src.asset.platform_software.platform_patch_level ;; + group_label: "src" + label: "src.asset.platform_software.platform_patch_level" + view_label: "UDM" + description: "The platform software patch level ( e.g. \"Build 17134.48\", \"SP1\")." + } # dimension src__asset__platform_software__platform_patch_level + + dimension: src__asset__platform_software__platform_version { + type: string + sql: ${TABLE}.src.asset.platform_software.platform_version ;; + group_label: "src" + label: "src.asset.platform_software.platform_version" + view_label: "UDM" + description: "The platform software version ( e.g. \"Microsoft Windows 1803\")." + } # dimension src__asset__platform_software__platform_version + + dimension: src__asset__product_object_id { + type: string + sql: ${TABLE}.src.asset.product_object_id ;; + group_label: "src" + label: "src.asset.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID or similar)." 
+ } # dimension src__asset__product_object_id + + dimension: src__asset__software { + hidden: yes + } # dimension src__asset__software + + dimension_group: src__asset__system_last_update_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.asset.system_last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.asset.system_last_update_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "src" + label: "src.asset.system_last_update_time" + view_label: "UDM" + description: "Time the asset system or OS was last updated. For all other operations that are not system updates (such as resizing a vm, etc.) use Attribute.last_update_time." + } # dimension src__asset__system_last_update_time + + dimension: src__asset__type { + type: number + sql: ${TABLE}.src.asset.type ;; + group_label: "src" + label: "src.asset.type" + view_label: "UDM" + description: "The type of the asset (e.g. workstation or laptop or server)." + } # dimension src__asset__type + + dimension: src__asset__type_enum_name { + type: string + suggestions: ["IOT", "LAPTOP", "MOBILE", "NETWORK_ATTACHED_STORAGE", "PRINTER", "ROLE_UNSPECIFIED", "SCANNER", "SERVER", "TAPE_LIBRARY", "WORKSTATION"] + sql: CASE ${TABLE}.src.asset.type WHEN 0 THEN 'ROLE_UNSPECIFIED' WHEN 1 THEN 'WORKSTATION' WHEN 2 THEN 'LAPTOP' WHEN 3 THEN 'IOT' WHEN 4 THEN 'NETWORK_ATTACHED_STORAGE' WHEN 5 THEN 'PRINTER' WHEN 6 THEN 'SCANNER' WHEN 7 THEN 'SERVER' WHEN 8 THEN 'TAPE_LIBRARY' WHEN 9 THEN 'MOBILE' END ;; + group_label: "src" + label: "src.asset.type_enum_name" + view_label: "UDM" + description: "The type of the asset (e.g. workstation or laptop or server)." 
+ } # dimension src__asset__type_enum_name + + dimension: src__asset__vulnerabilities { + hidden: yes + } # dimension src__asset__vulnerabilities + + dimension: src__asset_id { + type: string + sql: ${TABLE}.src.asset_id ;; + group_label: "src" + label: "src.asset_id" + view_label: "UDM" + description: "The asset ID." + } # dimension src__asset_id + + dimension: src__cloud { + hidden: yes + } # dimension src__cloud + + dimension: src__cloud__availability_zone { + type: string + sql: ${TABLE}.src.cloud.availability_zone ;; + group_label: "src" + group_item_label: "src.cloud.availability_zone [D]" + label: "src.cloud.availability_zone" + view_label: "UDM" + description: "The cloud environment availability zone (different from region which is location.name). [D]: This field is deprecated and will be removed in a future release" + } # dimension src__cloud__availability_zone + + dimension: src__cloud__project { + hidden: yes + } # dimension src__cloud__project + + dimension: src__cloud__project__id { + type: string + sql: ${TABLE}.src.cloud.project.id ;; + group_label: "src" + group_item_label: "src.cloud.project.id [D]" + label: "src.cloud.project.id" + view_label: "UDM" + description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" + } # dimension src__cloud__project__id + + dimension: src__domain { + hidden: yes + } # dimension src__domain + + dimension: src__domain__name { + type: string + sql: ${TABLE}.src.domain.name ;; + group_label: "src" + label: "src.domain.name" + view_label: "UDM" + description: "The domain name." + } # dimension src__domain__name + + dimension: src__domain__status { + type: string + sql: ${TABLE}.src.domain.status ;; + group_label: "src" + label: "src.domain.status" + view_label: "UDM" + description: "Domain status. 
See https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en for meanings of possible values" + } # dimension src__domain__status + + dimension: src__email { + type: string + sql: ${TABLE}.src.email ;; + group_label: "src" + label: "src.email" + view_label: "UDM" + description: "Email address. Only filled in for security_result.about" + } # dimension src__email + + dimension: src__file { + hidden: yes + } # dimension src__file + + dimension: src__file__ahash { + type: string + sql: ${TABLE}.src.file.ahash ;; + group_label: "src" + group_item_label: "src.file.ahash [D]" + label: "src.file.ahash" + view_label: "UDM" + description: "Deprecated. Use authentihash instead. [D]: This field is deprecated and will be removed in a future release" + } # dimension src__file__ahash + + dimension: src__file__capabilities_tags { + hidden: yes + } # dimension src__file__capabilities_tags + + dimension: src__file__embedded_domains { + hidden: yes + } # dimension src__file__embedded_domains + + dimension: src__file__embedded_ips { + hidden: yes + } # dimension src__file__embedded_ips + + dimension: src__file__embedded_urls { + hidden: yes + } # dimension src__file__embedded_urls + + dimension: src__file__file_type { + type: number + sql: ${TABLE}.src.file.file_type ;; + group_label: "src" + label: "src.file.file_type" + view_label: "UDM" + description: "FileType field." 
+ } # dimension src__file__file_type + + dimension: src__file__file_type_enum_name { + type: string + suggestions: ["FILE_TYPE_ACE", "FILE_TYPE_ANDROID", "FILE_TYPE_APPLE", "FILE_TYPE_APPLEDOUBLE", "FILE_TYPE_APPLESCRIPT", "FILE_TYPE_APPLESCRIPT_COMPILED", "FILE_TYPE_APPLESINGLE", "FILE_TYPE_APPLE_PLIST", "FILE_TYPE_ARC", "FILE_TYPE_ARJ", "FILE_TYPE_ASD", "FILE_TYPE_ASF", "FILE_TYPE_AVI", "FILE_TYPE_AWK", "FILE_TYPE_BLACKHOLE", "FILE_TYPE_BMP", "FILE_TYPE_BZIP", "FILE_TYPE_C", "FILE_TYPE_CAB", "FILE_TYPE_CAP", "FILE_TYPE_CHM", "FILE_TYPE_COFF", "FILE_TYPE_COOKIE", "FILE_TYPE_CPP", "FILE_TYPE_CRX", "FILE_TYPE_DEB", "FILE_TYPE_DIB", "FILE_TYPE_DIVX", "FILE_TYPE_DMG", "FILE_TYPE_DOC", "FILE_TYPE_DOCX", "FILE_TYPE_DOS_COM", "FILE_TYPE_DOS_EXE", "FILE_TYPE_DYALOG", "FILE_TYPE_DZIP", "FILE_TYPE_EBOOK", "FILE_TYPE_ELF", "FILE_TYPE_EMAIL_TYPE", "FILE_TYPE_EMF", "FILE_TYPE_EOT", "FILE_TYPE_EPS", "FILE_TYPE_FLA", "FILE_TYPE_FLAC", "FILE_TYPE_FLC", "FILE_TYPE_FLI", "FILE_TYPE_FLV", "FILE_TYPE_FORTRAN", "FILE_TYPE_FPX", "FILE_TYPE_GIF", "FILE_TYPE_GIMP", "FILE_TYPE_GUL", "FILE_TYPE_GZIP", "FILE_TYPE_HTML", "FILE_TYPE_HWP", "FILE_TYPE_ICO", "FILE_TYPE_IN_DESIGN", "FILE_TYPE_IPHONE", "FILE_TYPE_ISOIMAGE", "FILE_TYPE_JAR", "FILE_TYPE_JAVA", "FILE_TYPE_JAVASCRIPT", "FILE_TYPE_JAVA_BYTECODE", "FILE_TYPE_JNG", "FILE_TYPE_JPEG", "FILE_TYPE_KGB", "FILE_TYPE_LATEX", "FILE_TYPE_LINUX", "FILE_TYPE_LINUX_KERNEL", "FILE_TYPE_LNK", "FILE_TYPE_MACH_O", "FILE_TYPE_MACINTOSH", "FILE_TYPE_MACINTOSH_HFS", "FILE_TYPE_MACINTOSH_LIB", "FILE_TYPE_MIDI", "FILE_TYPE_MOV", "FILE_TYPE_MP3", "FILE_TYPE_MP4", "FILE_TYPE_MPEG", "FILE_TYPE_MSCOMPRESS", "FILE_TYPE_MSI", "FILE_TYPE_NE_DLL", "FILE_TYPE_NE_EXE", "FILE_TYPE_ODF", "FILE_TYPE_ODG", "FILE_TYPE_ODP", "FILE_TYPE_ODS", "FILE_TYPE_ODT", "FILE_TYPE_OGG", "FILE_TYPE_OUTLOOK", "FILE_TYPE_PALMOS", "FILE_TYPE_PASCAL", "FILE_TYPE_PDF", "FILE_TYPE_PERL", "FILE_TYPE_PE_DLL", "FILE_TYPE_PE_EXE", "FILE_TYPE_PHP", "FILE_TYPE_PKG", "FILE_TYPE_PNG", 
"FILE_TYPE_POWERSHELL", "FILE_TYPE_PPSX", "FILE_TYPE_PPT", "FILE_TYPE_PPTX", "FILE_TYPE_PS", "FILE_TYPE_PSD", "FILE_TYPE_PYTHON", "FILE_TYPE_QUICKTIME", "FILE_TYPE_RAR", "FILE_TYPE_RM", "FILE_TYPE_ROM", "FILE_TYPE_RPM", "FILE_TYPE_RTF", "FILE_TYPE_RUBY", "FILE_TYPE_RZIP", "FILE_TYPE_SCRIPT", "FILE_TYPE_SEVENZIP", "FILE_TYPE_SHELLSCRIPT", "FILE_TYPE_SVG", "FILE_TYPE_SWF", "FILE_TYPE_SYMBIAN", "FILE_TYPE_T3GP", "FILE_TYPE_TAR", "FILE_TYPE_TARGA", "FILE_TYPE_TEXT", "FILE_TYPE_TIFF", "FILE_TYPE_TORRENT", "FILE_TYPE_TTF", "FILE_TYPE_UNSPECIFIED", "FILE_TYPE_VBA", "FILE_TYPE_WAV", "FILE_TYPE_WEBP", "FILE_TYPE_WINCE", "FILE_TYPE_WMA", "FILE_TYPE_WMV", "FILE_TYPE_WOFF", "FILE_TYPE_XLS", "FILE_TYPE_XLSX", "FILE_TYPE_XML", "FILE_TYPE_XPI", "FILE_TYPE_XWD", "FILE_TYPE_ZIP", "FILE_TYPE_ZLIB"] + sql: CASE ${TABLE}.src.file.file_type WHEN 0 THEN 'FILE_TYPE_UNSPECIFIED' WHEN 1 THEN 'FILE_TYPE_PE_EXE' WHEN 2 THEN 'FILE_TYPE_PE_DLL' WHEN 3 THEN 'FILE_TYPE_MSI' WHEN 10 THEN 'FILE_TYPE_NE_EXE' WHEN 11 THEN 'FILE_TYPE_NE_DLL' WHEN 20 THEN 'FILE_TYPE_DOS_EXE' WHEN 21 THEN 'FILE_TYPE_DOS_COM' WHEN 30 THEN 'FILE_TYPE_COFF' WHEN 31 THEN 'FILE_TYPE_ELF' WHEN 32 THEN 'FILE_TYPE_LINUX_KERNEL' WHEN 33 THEN 'FILE_TYPE_RPM' WHEN 34 THEN 'FILE_TYPE_LINUX' WHEN 35 THEN 'FILE_TYPE_MACH_O' WHEN 36 THEN 'FILE_TYPE_JAVA_BYTECODE' WHEN 37 THEN 'FILE_TYPE_DMG' WHEN 38 THEN 'FILE_TYPE_DEB' WHEN 39 THEN 'FILE_TYPE_PKG' WHEN 50 THEN 'FILE_TYPE_LNK' WHEN 100 THEN 'FILE_TYPE_JPEG' WHEN 101 THEN 'FILE_TYPE_TIFF' WHEN 102 THEN 'FILE_TYPE_GIF' WHEN 103 THEN 'FILE_TYPE_PNG' WHEN 104 THEN 'FILE_TYPE_BMP' WHEN 105 THEN 'FILE_TYPE_GIMP' WHEN 106 THEN 'FILE_TYPE_IN_DESIGN' WHEN 107 THEN 'FILE_TYPE_PSD' WHEN 108 THEN 'FILE_TYPE_TARGA' WHEN 109 THEN 'FILE_TYPE_XWD' WHEN 110 THEN 'FILE_TYPE_DIB' WHEN 111 THEN 'FILE_TYPE_JNG' WHEN 112 THEN 'FILE_TYPE_ICO' WHEN 113 THEN 'FILE_TYPE_FPX' WHEN 114 THEN 'FILE_TYPE_EPS' WHEN 115 THEN 'FILE_TYPE_SVG' WHEN 116 THEN 'FILE_TYPE_EMF' WHEN 117 THEN 'FILE_TYPE_WEBP' WHEN 150 THEN 
'FILE_TYPE_OGG' WHEN 151 THEN 'FILE_TYPE_FLC' WHEN 152 THEN 'FILE_TYPE_FLI' WHEN 153 THEN 'FILE_TYPE_MP3' WHEN 154 THEN 'FILE_TYPE_FLAC' WHEN 155 THEN 'FILE_TYPE_WAV' WHEN 156 THEN 'FILE_TYPE_MIDI' WHEN 157 THEN 'FILE_TYPE_AVI' WHEN 158 THEN 'FILE_TYPE_MPEG' WHEN 159 THEN 'FILE_TYPE_QUICKTIME' WHEN 160 THEN 'FILE_TYPE_ASF' WHEN 161 THEN 'FILE_TYPE_DIVX' WHEN 162 THEN 'FILE_TYPE_FLV' WHEN 163 THEN 'FILE_TYPE_WMA' WHEN 164 THEN 'FILE_TYPE_WMV' WHEN 165 THEN 'FILE_TYPE_RM' WHEN 166 THEN 'FILE_TYPE_MOV' WHEN 167 THEN 'FILE_TYPE_MP4' WHEN 168 THEN 'FILE_TYPE_T3GP' WHEN 200 THEN 'FILE_TYPE_PDF' WHEN 201 THEN 'FILE_TYPE_PS' WHEN 202 THEN 'FILE_TYPE_DOC' WHEN 203 THEN 'FILE_TYPE_DOCX' WHEN 204 THEN 'FILE_TYPE_PPT' WHEN 205 THEN 'FILE_TYPE_PPTX' WHEN 209 THEN 'FILE_TYPE_PPSX' WHEN 206 THEN 'FILE_TYPE_XLS' WHEN 207 THEN 'FILE_TYPE_XLSX' WHEN 208 THEN 'FILE_TYPE_RTF' WHEN 250 THEN 'FILE_TYPE_ODP' WHEN 251 THEN 'FILE_TYPE_ODS' WHEN 252 THEN 'FILE_TYPE_ODT' WHEN 253 THEN 'FILE_TYPE_HWP' WHEN 254 THEN 'FILE_TYPE_GUL' WHEN 255 THEN 'FILE_TYPE_ODF' WHEN 256 THEN 'FILE_TYPE_ODG' WHEN 260 THEN 'FILE_TYPE_EBOOK' WHEN 261 THEN 'FILE_TYPE_LATEX' WHEN 262 THEN 'FILE_TYPE_TTF' WHEN 263 THEN 'FILE_TYPE_EOT' WHEN 264 THEN 'FILE_TYPE_WOFF' WHEN 265 THEN 'FILE_TYPE_CHM' WHEN 300 THEN 'FILE_TYPE_ZIP' WHEN 301 THEN 'FILE_TYPE_GZIP' WHEN 302 THEN 'FILE_TYPE_BZIP' WHEN 303 THEN 'FILE_TYPE_RZIP' WHEN 304 THEN 'FILE_TYPE_DZIP' WHEN 305 THEN 'FILE_TYPE_SEVENZIP' WHEN 306 THEN 'FILE_TYPE_CAB' WHEN 307 THEN 'FILE_TYPE_JAR' WHEN 308 THEN 'FILE_TYPE_RAR' WHEN 309 THEN 'FILE_TYPE_MSCOMPRESS' WHEN 310 THEN 'FILE_TYPE_ACE' WHEN 311 THEN 'FILE_TYPE_ARC' WHEN 312 THEN 'FILE_TYPE_ARJ' WHEN 313 THEN 'FILE_TYPE_ASD' WHEN 314 THEN 'FILE_TYPE_BLACKHOLE' WHEN 315 THEN 'FILE_TYPE_KGB' WHEN 316 THEN 'FILE_TYPE_ZLIB' WHEN 317 THEN 'FILE_TYPE_TAR' WHEN 400 THEN 'FILE_TYPE_TEXT' WHEN 401 THEN 'FILE_TYPE_SCRIPT' WHEN 402 THEN 'FILE_TYPE_PHP' WHEN 403 THEN 'FILE_TYPE_PYTHON' WHEN 404 THEN 'FILE_TYPE_PERL' WHEN 405 THEN 
'FILE_TYPE_RUBY' WHEN 406 THEN 'FILE_TYPE_C' WHEN 407 THEN 'FILE_TYPE_CPP' WHEN 408 THEN 'FILE_TYPE_JAVA' WHEN 409 THEN 'FILE_TYPE_SHELLSCRIPT' WHEN 410 THEN 'FILE_TYPE_PASCAL' WHEN 411 THEN 'FILE_TYPE_AWK' WHEN 412 THEN 'FILE_TYPE_DYALOG' WHEN 413 THEN 'FILE_TYPE_FORTRAN' WHEN 414 THEN 'FILE_TYPE_JAVASCRIPT' WHEN 415 THEN 'FILE_TYPE_POWERSHELL' WHEN 416 THEN 'FILE_TYPE_VBA' WHEN 500 THEN 'FILE_TYPE_SYMBIAN' WHEN 501 THEN 'FILE_TYPE_PALMOS' WHEN 502 THEN 'FILE_TYPE_WINCE' WHEN 503 THEN 'FILE_TYPE_ANDROID' WHEN 504 THEN 'FILE_TYPE_IPHONE' WHEN 600 THEN 'FILE_TYPE_HTML' WHEN 601 THEN 'FILE_TYPE_XML' WHEN 602 THEN 'FILE_TYPE_SWF' WHEN 603 THEN 'FILE_TYPE_FLA' WHEN 604 THEN 'FILE_TYPE_COOKIE' WHEN 605 THEN 'FILE_TYPE_TORRENT' WHEN 606 THEN 'FILE_TYPE_EMAIL_TYPE' WHEN 607 THEN 'FILE_TYPE_OUTLOOK' WHEN 700 THEN 'FILE_TYPE_CAP' WHEN 800 THEN 'FILE_TYPE_ISOIMAGE' WHEN 1000 THEN 'FILE_TYPE_APPLE' WHEN 1001 THEN 'FILE_TYPE_MACINTOSH' WHEN 1002 THEN 'FILE_TYPE_APPLESINGLE' WHEN 1003 THEN 'FILE_TYPE_APPLEDOUBLE' WHEN 1004 THEN 'FILE_TYPE_MACINTOSH_HFS' WHEN 1005 THEN 'FILE_TYPE_APPLE_PLIST' WHEN 1006 THEN 'FILE_TYPE_MACINTOSH_LIB' WHEN 1007 THEN 'FILE_TYPE_APPLESCRIPT' WHEN 1008 THEN 'FILE_TYPE_APPLESCRIPT_COMPILED' WHEN 1100 THEN 'FILE_TYPE_CRX' WHEN 1101 THEN 'FILE_TYPE_XPI' WHEN 1200 THEN 'FILE_TYPE_ROM' END ;; + group_label: "src" + label: "src.file.file_type_enum_name" + view_label: "UDM" + description: "FileType field." + } # dimension src__file__file_type_enum_name + + dimension_group: src__file__first_seen_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.file.first_seen_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.file.first_seen_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "src" + label: "src.file.first_seen_time" + view_label: "UDM" + description: "Timestamp the file was first seen in the customer's environment." 
+ } # dimension src__file__first_seen_time + + dimension: src__file__full_path { + type: string + sql: ${TABLE}.src.file.full_path ;; + group_label: "src" + label: "src.file.full_path" + view_label: "UDM" + description: "The full path identifying the location of the file on the system." + } # dimension src__file__full_path + + dimension_group: src__file__last_analysis_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.file.last_analysis_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.file.last_analysis_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "src" + label: "src.file.last_analysis_time" + view_label: "UDM" + description: "Timestamp the file was last analysed." + } # dimension src__file__last_analysis_time + + dimension_group: src__file__last_modification_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.file.last_modification_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.file.last_modification_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "src" + label: "src.file.last_modification_time" + view_label: "UDM" + description: "Timestamp when the file was last updated." + } # dimension src__file__last_modification_time + + dimension_group: src__file__last_seen_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.file.last_seen_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.file.last_seen_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "src" + label: "src.file.last_seen_time" + view_label: "UDM" + description: "Timestamp the file was last seen in the customer's environment." 
+ } # dimension src__file__last_seen_time + + dimension: src__file__md5 { + type: string + sql: ${TABLE}.src.file.md5 ;; + group_label: "src" + label: "src.file.md5" + view_label: "UDM" + description: "The MD5 hash of the file." + } # dimension src__file__md5 + + dimension: src__file__mime_type { + type: string + sql: ${TABLE}.src.file.mime_type ;; + group_label: "src" + label: "src.file.mime_type" + view_label: "UDM" + description: "The MIME (Multipurpose Internet Mail Extensions) type of the file, for example \"PE\", \"PDF\", \"powershell script\", etc." + } # dimension src__file__mime_type + + dimension: src__file__names { + hidden: yes + } # dimension src__file__names + + dimension: src__file__sha1 { + type: string + sql: ${TABLE}.src.file.sha1 ;; + group_label: "src" + label: "src.file.sha1" + view_label: "UDM" + description: "The SHA1 hash of the file." + } # dimension src__file__sha1 + + dimension: src__file__sha256 { + type: string + sql: ${TABLE}.src.file.sha256 ;; + group_label: "src" + label: "src.file.sha256" + view_label: "UDM" + description: "The SHA256 hash of the file." 
+ } # dimension src__file__sha256 + + dimension: src__file__signature_info { + hidden: yes + } # dimension src__file__signature_info + + dimension: src__file__signature_info__codesign { + hidden: yes + } # dimension src__file__signature_info__codesign + + dimension_group: src__file__signature_info__codesign__compilation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.file.signature_info.codesign.compilation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.file.signature_info.codesign.compilation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "src" + label: "src.file.signature_info.codesign.compilation_time" + view_label: "UDM" + description: "Code sign timestamp" + } # dimension src__file__signature_info__codesign__compilation_time + + dimension: src__file__signature_info__codesign__format { + type: string + sql: ${TABLE}.src.file.signature_info.codesign.format ;; + group_label: "src" + label: "src.file.signature_info.codesign.format" + view_label: "UDM" + description: "Code sign format." + } # dimension src__file__signature_info__codesign__format + + dimension: src__file__signature_info__codesign__id { + type: string + sql: ${TABLE}.src.file.signature_info.codesign.id ;; + group_label: "src" + label: "src.file.signature_info.codesign.id" + view_label: "UDM" + description: "Code sign identifier." 
+ } # dimension src__file__signature_info__codesign__id + + dimension: src__file__signature_info__sigcheck { + hidden: yes + } # dimension src__file__signature_info__sigcheck + + dimension: src__file__signature_info__sigcheck__signers { + hidden: yes + } # dimension src__file__signature_info__sigcheck__signers + + dimension: src__file__signature_info__sigcheck__verification_message { + type: string + sql: ${TABLE}.src.file.signature_info.sigcheck.verification_message ;; + group_label: "src" + label: "src.file.signature_info.sigcheck.verification_message" + view_label: "UDM" + description: "Status of the certificate. Valid values are \"Signed\", \"Unsigned\" or a description of the certificate anomaly, if found." + } # dimension src__file__signature_info__sigcheck__verification_message + + dimension: src__file__signature_info__sigcheck__verified { + type: yesno + sql: ${TABLE}.src.file.signature_info.sigcheck.verified ;; + group_label: "src" + label: "src.file.signature_info.sigcheck.verified" + view_label: "UDM" + description: "True iff verification_message == \"Signed\"" + } # dimension src__file__signature_info__sigcheck__verified + + dimension: src__file__size { + type: number + sql: ${TABLE}.src.file.size ;; + group_label: "src" + label: "src.file.size" + view_label: "UDM" + description: "The size of the file in bytes." + } # dimension src__file__size + + dimension: src__file__ssdeep { + type: string + sql: ${TABLE}.src.file.ssdeep ;; + group_label: "src" + label: "src.file.ssdeep" + view_label: "UDM" + description: "Ssdeep of the file" + } # dimension src__file__ssdeep + + dimension: src__file__tags { + hidden: yes + } # dimension src__file__tags + + dimension: src__file__vhash { + type: string + sql: ${TABLE}.src.file.vhash ;; + group_label: "src" + label: "src.file.vhash" + view_label: "UDM" + description: "Vhash of the file." 
+ } # dimension src__file__vhash + + dimension: src__group { + hidden: yes + } # dimension src__group + + dimension: src__group__group_display_name { + type: string + sql: ${TABLE}.src.group.group_display_name ;; + group_label: "src" + label: "src.group.group_display_name" + view_label: "UDM" + description: "Group display name. e.g. \"Finance\"." + } # dimension src__group__group_display_name + + dimension: src__group__product_object_id { + type: string + sql: ${TABLE}.src.group.product_object_id ;; + group_label: "src" + label: "src.group.product_object_id" + view_label: "UDM" + description: "Product globally unique user object identifier, such as an LDAP Object Identifier." + } # dimension src__group__product_object_id + + dimension: src__hostname { + type: string + sql: ${TABLE}.src.hostname ;; + group_label: "src" + label: "src.hostname" + view_label: "UDM" + description: "Client hostname or domain name field. Hostname also doubles as the domain for remote entities." + } # dimension src__hostname + + dimension: src__investigation { + hidden: yes + } # dimension src__investigation + + dimension: src__investigation__risk_score { + type: number + sql: ${TABLE}.src.investigation.risk_score ;; + group_label: "src" + label: "src.investigation.risk_score" + view_label: "UDM" + description: "Risk score for a finding set by an analyst." + } # dimension src__investigation__risk_score + + dimension: src__ip { + hidden: yes + } # dimension src__ip + + dimension: src__ip_geo_artifact { + hidden: yes + } # dimension src__ip_geo_artifact + + dimension: src__ip_location { + hidden: yes + } # dimension src__ip_location + + dimension: src__labels { + hidden: yes + } # dimension src__labels + + dimension: src__location { + hidden: yes + } # dimension src__location + + dimension: src__location__city { + type: string + sql: ${TABLE}.src.location.city ;; + group_label: "src" + label: "src.location.city" + view_label: "UDM" + description: "The city." 
+ } # dimension src__location__city + + dimension: src__location__country_or_region { + type: string + sql: ${TABLE}.src.location.country_or_region ;; + group_label: "src" + label: "src.location.country_or_region" + view_label: "UDM" + description: "The country or region." + } # dimension src__location__country_or_region + + dimension: src__location__name { + type: string + sql: ${TABLE}.src.location.name ;; + group_label: "src" + label: "src.location.name" + view_label: "UDM" + description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." + } # dimension src__location__name + + dimension: src__location__region_coordinates { + type: location + sql_latitude: ${TABLE}.src.location.region_coordinates.latitude ;; + sql_longitude: ${TABLE}.src.location.region_coordinates.longitude ;; + group_label: "src" + group_item_label: "src.location.region_coordinates [L]" + label: "src.location.region_coordinates" + view_label: "UDM" + description: "Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. [L]: This is a location field and can be used in maps." + } # dimension src__location__region_coordinates + + dimension: src__location__region_latitude { + type: number + sql: ${TABLE}.src.location.region_latitude ;; + group_label: "src" + group_item_label: "src.location.region_latitude [D]" + label: "src.location.region_latitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension src__location__region_latitude + + dimension: src__location__region_longitude { + type: number + sql: ${TABLE}.src.location.region_longitude ;; + group_label: "src" + group_item_label: "src.location.region_longitude [D]" + label: "src.location.region_longitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" + } # dimension src__location__region_longitude + + dimension: src__location__location { + type: location + sql_latitude: ${TABLE}.src.location.region_latitude ;; + sql_longitude: ${TABLE}.src.location.region_longitude ;; + group_label: "src" + group_item_label: "src.location.location [D][L]" + label: "src.location.location" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." + } # dimension src__location__location + + dimension: src__location__state { + type: string + sql: ${TABLE}.src.location.state ;; + group_label: "src" + label: "src.location.state" + view_label: "UDM" + description: "The state." + } # dimension src__location__state + + dimension: src__mac { + hidden: yes + } # dimension src__mac + + dimension: src__namespace { + type: string + sql: ${TABLE}.src.namespace ;; + group_label: "src" + label: "src.namespace" + view_label: "UDM" + description: "Namespace which the device belongs to (e.g. AD forest) Uses for this field include Microsoft Windows AD forest, name of subsidiary or acquisition, etc." 
+ } # dimension src__namespace + + dimension: src__nat_ip { + hidden: yes + } # dimension src__nat_ip + + dimension: src__network { + hidden: yes + } # dimension src__network + + dimension: src__network__application_protocol_version { + type: string + sql: ${TABLE}.src.network.application_protocol_version ;; + group_label: "src" + label: "src.network.application_protocol_version" + view_label: "UDM" + description: "The version of the application protocol. e.g. \"1.1, 2.0\"" + } # dimension src__network__application_protocol_version + + dimension: src__platform_version { + type: string + sql: ${TABLE}.src.platform_version ;; + group_label: "src" + label: "src.platform_version" + view_label: "UDM" + description: "Platform version. For example, \"Microsoft Windows 1803\"." + } # dimension src__platform_version + + dimension: src__port { + type: number + value_format: "#" + sql: ${TABLE}.src.port ;; + group_label: "src" + label: "src.port" + view_label: "UDM" + description: "Source or destination network port number when a specific network connection is described within an event." + } # dimension src__port + + dimension: src__process { + hidden: yes + } # dimension src__process + + dimension: src__process__command_line { + type: string + sql: ${TABLE}.src.process.command_line ;; + group_label: "src" + label: "src.process.command_line" + view_label: "UDM" + description: "The command line command that created the process." + } # dimension src__process__command_line + + dimension: src__process__file { + hidden: yes + } # dimension src__process__file + + dimension: src__process__file__full_path { + type: string + sql: ${TABLE}.src.process.file.full_path ;; + group_label: "src" + label: "src.process.file.full_path" + view_label: "UDM" + description: "The full path identifying the location of the file on the system." 
+ } # dimension src__process__file__full_path + + dimension: src__process__file__md5 { + type: string + sql: ${TABLE}.src.process.file.md5 ;; + group_label: "src" + label: "src.process.file.md5" + view_label: "UDM" + description: "The MD5 hash of the file." + } # dimension src__process__file__md5 + + dimension: src__process__file__names { + hidden: yes + } # dimension src__process__file__names + + dimension: src__process__file__sha1 { + type: string + sql: ${TABLE}.src.process.file.sha1 ;; + group_label: "src" + label: "src.process.file.sha1" + view_label: "UDM" + description: "The SHA1 hash of the file." + } # dimension src__process__file__sha1 + + dimension: src__process__file__sha256 { + type: string + sql: ${TABLE}.src.process.file.sha256 ;; + group_label: "src" + label: "src.process.file.sha256" + view_label: "UDM" + description: "The SHA256 hash of the file." + } # dimension src__process__file__sha256 + + dimension: src__process__file__size { + type: number + sql: ${TABLE}.src.process.file.size ;; + group_label: "src" + label: "src.process.file.size" + view_label: "UDM" + description: "The size of the file in bytes." + } # dimension src__process__file__size + + dimension: src__process__parent_process { + hidden: yes + } # dimension src__process__parent_process + + dimension: src__process__parent_process__file { + hidden: yes + } # dimension src__process__parent_process__file + + dimension: src__process__parent_process__file__full_path { + type: string + sql: ${TABLE}.src.process.parent_process.file.full_path ;; + group_label: "src" + label: "src.process.parent_process.file.full_path" + view_label: "UDM" + description: "The full path identifying the location of the file on the system." + } # dimension src__process__parent_process__file__full_path + + dimension: src__process__pid { + type: string + sql: ${TABLE}.src.process.pid ;; + group_label: "src" + label: "src.process.pid" + view_label: "UDM" + description: "The process ID." 
+ } # dimension src__process__pid + + dimension: src__process_ancestors { + hidden: yes + } # dimension src__process_ancestors + + dimension: src__registry { + hidden: yes + } # dimension src__registry + + dimension: src__registry__registry_key { + type: string + sql: ${TABLE}.src.registry.registry_key ;; + group_label: "src" + label: "src.registry.registry_key" + view_label: "UDM" + description: "Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...)." + } # dimension src__registry__registry_key + + dimension: src__registry__registry_value_data { + type: string + sql: ${TABLE}.src.registry.registry_value_data ;; + group_label: "src" + label: "src.registry.registry_value_data" + view_label: "UDM" + description: "Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp)." + } # dimension src__registry__registry_value_data + + dimension: src__registry__registry_value_name { + type: string + sql: ${TABLE}.src.registry.registry_value_name ;; + group_label: "src" + label: "src.registry.registry_value_name" + view_label: "UDM" + description: "Name of the registry value associated with an application or system component (e.g. TEMP)." + } # dimension src__registry__registry_value_name + + dimension: src__resource { + hidden: yes + } # dimension src__resource + + dimension: src__resource__attribute { + hidden: yes + } # dimension src__resource__attribute + + dimension_group: src__resource__attribute__creation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.resource.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.resource.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "src" + label: "src.resource.attribute.creation_time" + view_label: "UDM" + description: "Time the resource or entity was created or provisioned." 
+ } # dimension src__resource__attribute__creation_time + + dimension: src__resource__attribute__labels { + hidden: yes + } # dimension src__resource__attribute__labels + + dimension_group: src__resource__attribute__last_update_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.resource.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.resource.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "src" + label: "src.resource.attribute.last_update_time" + view_label: "UDM" + description: "Time the resource or entity was last updated." + } # dimension src__resource__attribute__last_update_time + + dimension: src__resource__attribute__permissions { + hidden: yes + } # dimension src__resource__attribute__permissions + + dimension: src__resource__id { + type: string + sql: ${TABLE}.src.resource.id ;; + group_label: "src" + group_item_label: "src.resource.id [D]" + label: "src.resource.id" + view_label: "UDM" + description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" + } # dimension src__resource__id + + dimension: src__resource__name { + type: string + sql: ${TABLE}.src.resource.name ;; + group_label: "src" + label: "src.resource.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." + } # dimension src__resource__name + + dimension: src__resource__parent { + type: string + sql: ${TABLE}.src.resource.parent ;; + group_label: "src" + group_item_label: "src.resource.parent [D]" + label: "src.resource.parent" + view_label: "UDM" + description: "The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. 
Deprecated: use resource_ancestors.name. [D]: This field is deprecated and will be removed in a future release" + } # dimension src__resource__parent + + dimension: src__resource__product_object_id { + type: string + sql: ${TABLE}.src.resource.product_object_id ;; + group_label: "src" + label: "src.resource.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" + } # dimension src__resource__product_object_id + + dimension: src__resource__resource_subtype { + type: string + sql: ${TABLE}.src.resource.resource_subtype ;; + group_label: "src" + label: "src.resource.resource_subtype" + view_label: "UDM" + description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\")." + } # dimension src__resource__resource_subtype + + dimension: src__resource__resource_type { + type: number + sql: ${TABLE}.src.resource.resource_type ;; + group_label: "src" + label: "src.resource.resource_type" + view_label: "UDM" + description: "Resource type." 
+ } # dimension src__resource__resource_type + + dimension: src__resource__resource_type_enum_name { + type: string + suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] + sql: CASE ${TABLE}.src.resource.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; + group_label: "src" + label: "src.resource.resource_type_enum_name" + view_label: "UDM" + description: "Resource type." + } # dimension src__resource__resource_type_enum_name + + dimension: src__resource__type { + type: string + sql: ${TABLE}.src.resource.type ;; + group_label: "src" + group_item_label: "src.resource.type [D]" + label: "src.resource.type" + view_label: "UDM" + description: "Deprecated: use resource_type instead. [D]: This field is deprecated and will be removed in a future release" + } # dimension src__resource__type + + dimension: src__resource_ancestors { + hidden: yes + } # dimension src__resource_ancestors + + dimension: src__url { + type: string + sql: ${TABLE}.src.url ;; + group_label: "src" + label: "src.url" + view_label: "UDM" + description: "The URL." 
+ } # dimension src__url + + dimension: src__user { + hidden: yes + } # dimension src__user + + dimension: src__user__account_type { + type: number + sql: ${TABLE}.src.user.account_type ;; + group_label: "src" + label: "src.user.account_type" + view_label: "UDM" + description: "Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/" + } # dimension src__user__account_type + + dimension: src__user__account_type_enum_name { + type: string + suggestions: ["ACCOUNT_TYPE_UNSPECIFIED", "CLOUD_ACCOUNT_TYPE", "DEFAULT_ACCOUNT_TYPE", "DOMAIN_ACCOUNT_TYPE", "LOCAL_ACCOUNT_TYPE", "SERVICE_ACCOUNT_TYPE"] + sql: CASE ${TABLE}.src.user.account_type WHEN 0 THEN 'ACCOUNT_TYPE_UNSPECIFIED' WHEN 1 THEN 'DOMAIN_ACCOUNT_TYPE' WHEN 2 THEN 'LOCAL_ACCOUNT_TYPE' WHEN 3 THEN 'CLOUD_ACCOUNT_TYPE' WHEN 4 THEN 'SERVICE_ACCOUNT_TYPE' WHEN 5 THEN 'DEFAULT_ACCOUNT_TYPE' END ;; + group_label: "src" + label: "src.user.account_type_enum_name" + view_label: "UDM" + description: "Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/" + } # dimension src__user__account_type_enum_name + + dimension: src__user__attribute { + hidden: yes + } # dimension src__user__attribute + + dimension: src__user__attribute__cloud { + hidden: yes + } # dimension src__user__attribute__cloud + + dimension: src__user__attribute__cloud__project { + hidden: yes + } # dimension src__user__attribute__cloud__project + + dimension: src__user__attribute__cloud__project__name { + type: string + sql: ${TABLE}.src.user.attribute.cloud.project.name ;; + group_label: "src" + group_item_label: "src.user.attribute.cloud.project.name [D]" + label: "src.user.attribute.cloud.project.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension src__user__attribute__cloud__project__name + + dimension_group: src__user__attribute__creation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.user.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.user.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "src" + label: "src.user.attribute.creation_time" + view_label: "UDM" + description: "Time the resource or entity was created or provisioned." + } # dimension src__user__attribute__creation_time + + dimension: src__user__attribute__labels { + hidden: yes + } # dimension src__user__attribute__labels + + dimension_group: src__user__attribute__last_update_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.user.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.user.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "src" + label: "src.user.attribute.last_update_time" + view_label: "UDM" + description: "Time the resource or entity was last updated." + } # dimension src__user__attribute__last_update_time + + dimension: src__user__attribute__roles { + hidden: yes + } # dimension src__user__attribute__roles + + dimension: src__user__company_name { + type: string + sql: ${TABLE}.src.user.company_name ;; + group_label: "src" + label: "src.user.company_name" + view_label: "UDM" + description: "User job company name." 
+ } # dimension src__user__company_name + + dimension: src__user__department { + hidden: yes + } # dimension src__user__department + + dimension: src__user__email_addresses { + hidden: yes + } # dimension src__user__email_addresses + + dimension: src__user__employee_id { + type: string + sql: ${TABLE}.src.user.employee_id ;; + group_label: "src" + label: "src.user.employee_id" + view_label: "UDM" + description: "Human capital management identifier." + } # dimension src__user__employee_id + + dimension: src__user__first_name { + type: string + sql: ${TABLE}.src.user.first_name ;; + group_label: "src" + label: "src.user.first_name" + view_label: "UDM" + description: "First name of the user (e.g. \"John\")." + } # dimension src__user__first_name + + dimension: src__user__group_identifiers { + hidden: yes + } # dimension src__user__group_identifiers + + dimension: src__user__groupid { + type: string + sql: ${TABLE}.src.user.groupid ;; + group_label: "src" + group_item_label: "src.user.groupid [D]" + label: "src.user.groupid" + view_label: "UDM" + description: "The ID of the group that the user belongs to. Deprecated in favor of the repeated group_identifiers field. [D]: This field is deprecated and will be removed in a future release" + } # dimension src__user__groupid + + dimension_group: src__user__hire_date { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.user.hire_date.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.user.hire_date.nanos, 0) / 1000) as INT64)) ;; + group_label: "src" + label: "src.user.hire_date" + view_label: "UDM" + description: "User job employment hire date." + } # dimension src__user__hire_date + + dimension: src__user__last_name { + type: string + sql: ${TABLE}.src.user.last_name ;; + group_label: "src" + label: "src.user.last_name" + view_label: "UDM" + description: "Last name of the user (e.g. \"Locke\")." 
+ } # dimension src__user__last_name + + dimension: src__user__managers { + hidden: yes + } # dimension src__user__managers + + dimension: src__user__middle_name { + type: string + sql: ${TABLE}.src.user.middle_name ;; + group_label: "src" + label: "src.user.middle_name" + view_label: "UDM" + description: "Middle name of the user." + } # dimension src__user__middle_name + + dimension: src__user__office_address { + hidden: yes + } # dimension src__user__office_address + + dimension: src__user__office_address__city { + type: string + sql: ${TABLE}.src.user.office_address.city ;; + group_label: "src" + label: "src.user.office_address.city" + view_label: "UDM" + description: "The city." + } # dimension src__user__office_address__city + + dimension: src__user__office_address__country_or_region { + type: string + sql: ${TABLE}.src.user.office_address.country_or_region ;; + group_label: "src" + label: "src.user.office_address.country_or_region" + view_label: "UDM" + description: "The country or region." + } # dimension src__user__office_address__country_or_region + + dimension: src__user__office_address__desk_name { + type: string + sql: ${TABLE}.src.user.office_address.desk_name ;; + group_label: "src" + label: "src.user.office_address.desk_name" + view_label: "UDM" + description: "Desk name or individual location, typically for an employee in an office. (e.g. \"IN-BLR-BCPC-11-1121D\")." + } # dimension src__user__office_address__desk_name + + dimension: src__user__office_address__floor_name { + type: string + sql: ${TABLE}.src.user.office_address.floor_name ;; + group_label: "src" + label: "src.user.office_address.floor_name" + view_label: "UDM" + description: "Floor name, number or a combination of the two for a building. (e.g. \"1-A\")." 
+ } # dimension src__user__office_address__floor_name + + dimension: src__user__office_address__name { + type: string + sql: ${TABLE}.src.user.office_address.name ;; + group_label: "src" + label: "src.user.office_address.name" + view_label: "UDM" + description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." + } # dimension src__user__office_address__name + + dimension: src__user__office_address__state { + type: string + sql: ${TABLE}.src.user.office_address.state ;; + group_label: "src" + label: "src.user.office_address.state" + view_label: "UDM" + description: "The state." + } # dimension src__user__office_address__state + + dimension: src__user__personal_address { + hidden: yes + } # dimension src__user__personal_address + + dimension: src__user__personal_address__city { + type: string + sql: ${TABLE}.src.user.personal_address.city ;; + group_label: "src" + label: "src.user.personal_address.city" + view_label: "UDM" + description: "The city." + } # dimension src__user__personal_address__city + + dimension: src__user__personal_address__country_or_region { + type: string + sql: ${TABLE}.src.user.personal_address.country_or_region ;; + group_label: "src" + label: "src.user.personal_address.country_or_region" + view_label: "UDM" + description: "The country or region." + } # dimension src__user__personal_address__country_or_region + + dimension: src__user__personal_address__name { + type: string + sql: ${TABLE}.src.user.personal_address.name ;; + group_label: "src" + label: "src.user.personal_address.name" + view_label: "UDM" + description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." 
+ } # dimension src__user__personal_address__name + + dimension: src__user__personal_address__state { + type: string + sql: ${TABLE}.src.user.personal_address.state ;; + group_label: "src" + label: "src.user.personal_address.state" + view_label: "UDM" + description: "The state." + } # dimension src__user__personal_address__state + + dimension: src__user__phone_numbers { + hidden: yes + } # dimension src__user__phone_numbers + + dimension: src__user__product_object_id { + type: string + sql: ${TABLE}.src.user.product_object_id ;; + group_label: "src" + label: "src.user.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." + } # dimension src__user__product_object_id + + dimension: src__user__role_name { + type: string + sql: ${TABLE}.src.user.role_name ;; + group_label: "src" + group_item_label: "src.user.role_name [D]" + label: "src.user.role_name" + view_label: "UDM" + description: "System role name for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" + } # dimension src__user__role_name + + dimension_group: src__user__termination_date { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.user.termination_date.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.user.termination_date.nanos, 0) / 1000) as INT64)) ;; + group_label: "src" + label: "src.user.termination_date" + view_label: "UDM" + description: "User job employment termination date." + } # dimension src__user__termination_date + + dimension: src__user__time_off { + hidden: yes + } # dimension src__user__time_off + + dimension: src__user__title { + type: string + sql: ${TABLE}.src.user.title ;; + group_label: "src" + label: "src.user.title" + view_label: "UDM" + description: "User job title." 
+ } # dimension src__user__title + + dimension: src__user__user_authentication_status { + type: number + sql: ${TABLE}.src.user.user_authentication_status ;; + group_label: "src" + label: "src.user.user_authentication_status" + view_label: "UDM" + description: "System authentication status for user." + } # dimension src__user__user_authentication_status + + dimension: src__user__user_authentication_status_enum_name { + type: string + suggestions: ["ACTIVE", "DELETED", "NO_ACTIVE_CREDENTIALS", "SUSPENDED", "UNKNOWN_AUTHENTICATION_STATUS"] + sql: CASE ${TABLE}.src.user.user_authentication_status WHEN 0 THEN 'UNKNOWN_AUTHENTICATION_STATUS' WHEN 1 THEN 'ACTIVE' WHEN 2 THEN 'SUSPENDED' WHEN 3 THEN 'NO_ACTIVE_CREDENTIALS' WHEN 4 THEN 'DELETED' END ;; + group_label: "src" + label: "src.user.user_authentication_status_enum_name" + view_label: "UDM" + description: "System authentication status for user." + } # dimension src__user__user_authentication_status_enum_name + + dimension: src__user__user_display_name { + type: string + sql: ${TABLE}.src.user.user_display_name ;; + group_label: "src" + label: "src.user.user_display_name" + view_label: "UDM" + description: "The display name of the user (e.g. \"John Locke\")." + } # dimension src__user__user_display_name + + dimension: src__user__userid { + type: string + sql: ${TABLE}.src.user.userid ;; + group_label: "src" + label: "src.user.userid" + view_label: "UDM" + description: "The ID of the user." + } # dimension src__user__userid + + dimension: src__user__windows_sid { + type: string + sql: ${TABLE}.src.user.windows_sid ;; + group_label: "src" + label: "src.user.windows_sid" + view_label: "UDM" + description: "The Microsoft Windows SID of the user." 
+ } # dimension src__user__windows_sid + + dimension: target { + hidden: yes + } # dimension target + + dimension: target__administrative_domain { + type: string + sql: ${TABLE}.target.administrative_domain ;; + group_label: "target" + label: "target.administrative_domain" + view_label: "UDM" + description: "Domain which the device belongs to (for example, the Microsoft Windows domain)." + } # dimension target__administrative_domain + + dimension: target__application { + type: string + sql: ${TABLE}.target.application ;; + group_label: "target" + label: "target.application" + view_label: "UDM" + description: "The name of an application or service. Some SSO solutions only capture the name of a target application such as \"Atlassian\" or \"Chronicle\"." + } # dimension target__application + + dimension: target__artifact { + hidden: yes + } # dimension target__artifact + + dimension: target__artifact__ip { + type: string + sql: ${TABLE}.target.artifact.ip ;; + group_label: "target" + label: "target.artifact.ip" + view_label: "UDM" + description: "IP address of the artifact." + } # dimension target__artifact__ip + + dimension: target__artifact__network { + hidden: yes + } # dimension target__artifact__network + + dimension: target__artifact__network__email { + hidden: yes + } # dimension target__artifact__network__email + + dimension: target__artifact__network__email__subject { + hidden: yes + } # dimension target__artifact__network__email__subject + + dimension: target__artifact__network__sent_bytes { + type: number + sql: ${TABLE}.target.artifact.network.sent_bytes ;; + group_label: "target" + label: "target.artifact.network.sent_bytes" + view_label: "UDM" + description: "The number of bytes sent." 
+ } # dimension target__artifact__network__sent_bytes + + dimension: target__asset { + hidden: yes + } # dimension target__asset + + dimension: target__asset__asset_id { + type: string + sql: ${TABLE}.target.asset.asset_id ;; + group_label: "target" + label: "target.asset.asset_id" + view_label: "UDM" + description: "The asset ID." + } # dimension target__asset__asset_id + + dimension: target__asset__attribute { + hidden: yes + } # dimension target__asset__attribute + + dimension: target__asset__attribute__cloud { + hidden: yes + } # dimension target__asset__attribute__cloud + + dimension: target__asset__attribute__cloud__availability_zone { + type: string + sql: ${TABLE}.target.asset.attribute.cloud.availability_zone ;; + group_label: "target" + label: "target.asset.attribute.cloud.availability_zone" + view_label: "UDM" + description: "The cloud environment availability zone (different from region which is location.name)." + } # dimension target__asset__attribute__cloud__availability_zone + + dimension: target__asset__attribute__cloud__environment { + type: number + sql: ${TABLE}.target.asset.attribute.cloud.environment ;; + group_label: "target" + label: "target.asset.attribute.cloud.environment" + view_label: "UDM" + description: "The Cloud environment." + } # dimension target__asset__attribute__cloud__environment + + dimension: target__asset__attribute__cloud__environment_enum_name { + type: string + suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] + sql: CASE ${TABLE}.target.asset.attribute.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; + group_label: "target" + label: "target.asset.attribute.cloud.environment_enum_name" + view_label: "UDM" + description: "The Cloud environment." 
+ } # dimension target__asset__attribute__cloud__environment_enum_name + + dimension: target__asset__attribute__cloud__project { + hidden: yes + } # dimension target__asset__attribute__cloud__project + + dimension: target__asset__attribute__cloud__project__id { + type: string + sql: ${TABLE}.target.asset.attribute.cloud.project.id ;; + group_label: "target" + group_item_label: "target.asset.attribute.cloud.project.id [D]" + label: "target.asset.attribute.cloud.project.id" + view_label: "UDM" + description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__asset__attribute__cloud__project__id + + dimension: target__asset__attribute__cloud__project__name { + type: string + sql: ${TABLE}.target.asset.attribute.cloud.project.name ;; + group_label: "target" + group_item_label: "target.asset.attribute.cloud.project.name [D]" + label: "target.asset.attribute.cloud.project.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension target__asset__attribute__cloud__project__name + + dimension: target__asset__attribute__cloud__project__product_object_id { + type: string + sql: ${TABLE}.target.asset.attribute.cloud.project.product_object_id ;; + group_label: "target" + group_item_label: "target.asset.attribute.cloud.project.product_object_id [D]" + label: "target.asset.attribute.cloud.project.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" + } # dimension target__asset__attribute__cloud__project__product_object_id + + dimension: target__asset__attribute__cloud__project__resource_type { + type: number + sql: ${TABLE}.target.asset.attribute.cloud.project.resource_type ;; + group_label: "target" + group_item_label: "target.asset.attribute.cloud.project.resource_type [D]" + label: "target.asset.attribute.cloud.project.resource_type" + view_label: "UDM" + description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension target__asset__attribute__cloud__project__resource_type + + dimension: target__asset__attribute__cloud__project__resource_type_enum_name { + type: string + suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] + sql: CASE ${TABLE}.target.asset.attribute.cloud.project.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; + group_label: "target" + group_item_label: "target.asset.attribute.cloud.project.resource_type_enum_name [D]" + label: "target.asset.attribute.cloud.project.resource_type_enum_name" + view_label: "UDM" + description: "Resource type. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__asset__attribute__cloud__project__resource_type_enum_name + + dimension: target__asset__attribute__cloud__project__type { + type: string + sql: ${TABLE}.target.asset.attribute.cloud.project.type ;; + group_label: "target" + group_item_label: "target.asset.attribute.cloud.project.type [D]" + label: "target.asset.attribute.cloud.project.type" + view_label: "UDM" + description: "Deprecated: use resource_type instead. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension target__asset__attribute__cloud__project__type + + dimension: target__asset__attribute__cloud__vpc { + hidden: yes + } # dimension target__asset__attribute__cloud__vpc + + dimension: target__asset__attribute__cloud__vpc__id { + type: string + sql: ${TABLE}.target.asset.attribute.cloud.vpc.id ;; + group_label: "target" + group_item_label: "target.asset.attribute.cloud.vpc.id [D]" + label: "target.asset.attribute.cloud.vpc.id" + view_label: "UDM" + description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__asset__attribute__cloud__vpc__id + + dimension: target__asset__attribute__cloud__vpc__name { + type: string + sql: ${TABLE}.target.asset.attribute.cloud.vpc.name ;; + group_label: "target" + group_item_label: "target.asset.attribute.cloud.vpc.name [D]" + label: "target.asset.attribute.cloud.vpc.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__asset__attribute__cloud__vpc__name + + dimension: target__asset__attribute__cloud__vpc__resource_type { + type: number + sql: ${TABLE}.target.asset.attribute.cloud.vpc.resource_type ;; + group_label: "target" + group_item_label: "target.asset.attribute.cloud.vpc.resource_type [D]" + label: "target.asset.attribute.cloud.vpc.resource_type" + view_label: "UDM" + description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension target__asset__attribute__cloud__vpc__resource_type + + dimension: target__asset__attribute__cloud__vpc__resource_type_enum_name { + type: string + suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] + sql: CASE ${TABLE}.target.asset.attribute.cloud.vpc.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; + group_label: "target" + group_item_label: "target.asset.attribute.cloud.vpc.resource_type_enum_name [D]" + label: "target.asset.attribute.cloud.vpc.resource_type_enum_name" + view_label: "UDM" + description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension target__asset__attribute__cloud__vpc__resource_type_enum_name + + dimension_group: target__asset__attribute__creation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.asset.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.asset.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.asset.attribute.creation_time" + view_label: "UDM" + description: "Time the resource or entity was created or provisioned." + } # dimension target__asset__attribute__creation_time + + dimension: target__asset__attribute__labels { + hidden: yes + } # dimension target__asset__attribute__labels + + dimension_group: target__asset__attribute__last_update_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.asset.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.asset.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.asset.attribute.last_update_time" + view_label: "UDM" + description: "Time the resource or entity was last updated." + } # dimension target__asset__attribute__last_update_time + + dimension: target__asset__attribute__permissions { + hidden: yes + } # dimension target__asset__attribute__permissions + + dimension: target__asset__attribute__roles { + hidden: yes + } # dimension target__asset__attribute__roles + + dimension: target__asset__category { + type: string + sql: ${TABLE}.target.asset.category ;; + group_label: "target" + label: "target.asset.category" + view_label: "UDM" + description: "The category of the asset (e.g. \"End User Asset\", \"Workstation\", \"Server\")." 
+ } # dimension target__asset__category + + dimension_group: target__asset__creation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.asset.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.asset.creation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + group_item_label: "target.asset.creation_time [D]" + label: "target.asset.creation_time" + view_label: "UDM" + description: "Time the asset was created or provisioned. Deprecate: creation_time should be populated in Attribute as generic metadata. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__asset__creation_time + + dimension: target__asset__deployment_status { + type: number + sql: ${TABLE}.target.asset.deployment_status ;; + group_label: "target" + label: "target.asset.deployment_status" + view_label: "UDM" + description: "The deployment status of the asset for device lifecycle purposes." + } # dimension target__asset__deployment_status + + dimension: target__asset__deployment_status_enum_name { + type: string + suggestions: ["ACTIVE", "DECOMISSIONED", "DEPLOYMENT_STATUS_UNSPECIFIED", "PENDING_DECOMISSION"] + sql: CASE ${TABLE}.target.asset.deployment_status WHEN 0 THEN 'DEPLOYMENT_STATUS_UNSPECIFIED' WHEN 1 THEN 'ACTIVE' WHEN 2 THEN 'PENDING_DECOMISSION' WHEN 3 THEN 'DECOMISSIONED' END ;; + group_label: "target" + label: "target.asset.deployment_status_enum_name" + view_label: "UDM" + description: "The deployment status of the asset for device lifecycle purposes." 
+ } # dimension target__asset__deployment_status_enum_name + + dimension_group: target__asset__first_discover_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.asset.first_discover_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.asset.first_discover_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.asset.first_discover_time" + view_label: "UDM" + description: "Time the asset was first discovered (by asset management/discoverability software)." + } # dimension target__asset__first_discover_time + + dimension_group: target__asset__first_seen_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.asset.first_seen_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.asset.first_seen_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.asset.first_seen_time" + view_label: "UDM" + description: "The first observed time for an asset. The value is calculated on the basis of the first time the identifier was observed." + } # dimension target__asset__first_seen_time + + dimension: target__asset__hardware { + hidden: yes + } # dimension target__asset__hardware + + dimension: target__asset__hostname { + type: string + sql: ${TABLE}.target.asset.hostname ;; + group_label: "target" + label: "target.asset.hostname" + view_label: "UDM" + description: "Asset hostname or domain name field." 
+ } # dimension target__asset__hostname + + dimension: target__asset__ip { + hidden: yes + } # dimension target__asset__ip + + dimension: target__asset__labels { + hidden: yes + } # dimension target__asset__labels + + dimension_group: target__asset__last_boot_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.asset.last_boot_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.asset.last_boot_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.asset.last_boot_time" + view_label: "UDM" + description: "Time the asset was last boot started." + } # dimension target__asset__last_boot_time + + dimension_group: target__asset__last_discover_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.asset.last_discover_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.asset.last_discover_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.asset.last_discover_time" + view_label: "UDM" + description: "Time the asset was last discovered (by asset management/discoverability software)." + } # dimension target__asset__last_discover_time + + dimension: target__asset__location { + hidden: yes + } # dimension target__asset__location + + dimension: target__asset__location__city { + type: string + sql: ${TABLE}.target.asset.location.city ;; + group_label: "target" + label: "target.asset.location.city" + view_label: "UDM" + description: "The city." + } # dimension target__asset__location__city + + dimension: target__asset__location__country_or_region { + type: string + sql: ${TABLE}.target.asset.location.country_or_region ;; + group_label: "target" + label: "target.asset.location.country_or_region" + view_label: "UDM" + description: "The country or region." 
+ } # dimension target__asset__location__country_or_region + + dimension: target__asset__location__floor_name { + type: string + sql: ${TABLE}.target.asset.location.floor_name ;; + group_label: "target" + label: "target.asset.location.floor_name" + view_label: "UDM" + description: "Floor name, number or a combination of the two for a building. (e.g. \"1-A\")." + } # dimension target__asset__location__floor_name + + dimension: target__asset__location__name { + type: string + sql: ${TABLE}.target.asset.location.name ;; + group_label: "target" + label: "target.asset.location.name" + view_label: "UDM" + description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." + } # dimension target__asset__location__name + + dimension: target__asset__location__region_latitude { + type: number + sql: ${TABLE}.target.asset.location.region_latitude ;; + group_label: "target" + group_item_label: "target.asset.location.region_latitude [D]" + label: "target.asset.location.region_latitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__asset__location__region_latitude + + dimension: target__asset__location__region_longitude { + type: number + sql: ${TABLE}.target.asset.location.region_longitude ;; + group_label: "target" + group_item_label: "target.asset.location.region_longitude [D]" + label: "target.asset.location.region_longitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension target__asset__location__region_longitude + + dimension: target__asset__location__location { + type: location + sql_latitude: ${TABLE}.target.asset.location.region_latitude ;; + sql_longitude: ${TABLE}.target.asset.location.region_longitude ;; + group_label: "target" + group_item_label: "target.asset.location.location [D][L]" + label: "target.asset.location.location" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." + } # dimension target__asset__location__location + + dimension: target__asset__location__state { + type: string + sql: ${TABLE}.target.asset.location.state ;; + group_label: "target" + label: "target.asset.location.state" + view_label: "UDM" + description: "The state." + } # dimension target__asset__location__state + + dimension: target__asset__mac { + hidden: yes + } # dimension target__asset__mac + + dimension: target__asset__nat_ip { + hidden: yes + } # dimension target__asset__nat_ip + + dimension: target__asset__network_domain { + type: string + sql: ${TABLE}.target.asset.network_domain ;; + group_label: "target" + label: "target.asset.network_domain" + view_label: "UDM" + description: "The network domain of the asset (e.g. \"corp.acme.com\")" + } # dimension target__asset__network_domain + + dimension: target__asset__platform_software { + hidden: yes + } # dimension target__asset__platform_software + + dimension: target__asset__platform_software__platform { + type: number + sql: ${TABLE}.target.asset.platform_software.platform ;; + group_label: "target" + label: "target.asset.platform_software.platform" + view_label: "UDM" + description: "The platform operating system." 
+ } # dimension target__asset__platform_software__platform + + dimension: target__asset__platform_software__platform_enum_name { + type: string + suggestions: ["ANDROID", "AWS", "AZURE", "CHROME_OS", "GCP", "IOS", "LINUX", "MAC", "UNKNOWN_PLATFORM", "WINDOWS"] + sql: CASE ${TABLE}.target.asset.platform_software.platform WHEN 0 THEN 'UNKNOWN_PLATFORM' WHEN 1 THEN 'WINDOWS' WHEN 2 THEN 'MAC' WHEN 3 THEN 'LINUX' WHEN 4 THEN 'GCP' WHEN 5 THEN 'AWS' WHEN 6 THEN 'AZURE' WHEN 7 THEN 'IOS' WHEN 8 THEN 'ANDROID' WHEN 9 THEN 'CHROME_OS' END ;; + group_label: "target" + label: "target.asset.platform_software.platform_enum_name" + view_label: "UDM" + description: "The platform operating system." + } # dimension target__asset__platform_software__platform_enum_name + + dimension: target__asset__platform_software__platform_patch_level { + type: string + sql: ${TABLE}.target.asset.platform_software.platform_patch_level ;; + group_label: "target" + label: "target.asset.platform_software.platform_patch_level" + view_label: "UDM" + description: "The platform software patch level ( e.g. \"Build 17134.48\", \"SP1\")." + } # dimension target__asset__platform_software__platform_patch_level + + dimension: target__asset__platform_software__platform_version { + type: string + sql: ${TABLE}.target.asset.platform_software.platform_version ;; + group_label: "target" + label: "target.asset.platform_software.platform_version" + view_label: "UDM" + description: "The platform software version ( e.g. \"Microsoft Windows 1803\")." + } # dimension target__asset__platform_software__platform_version + + dimension: target__asset__product_object_id { + type: string + sql: ${TABLE}.target.asset.product_object_id ;; + group_label: "target" + label: "target.asset.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID or similar)." 
+ } # dimension target__asset__product_object_id + + dimension: target__asset__software { + hidden: yes + } # dimension target__asset__software + + dimension_group: target__asset__system_last_update_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.asset.system_last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.asset.system_last_update_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.asset.system_last_update_time" + view_label: "UDM" + description: "Time the asset system or OS was last updated. For all other operations that are not system updates (such as resizing a vm, etc.) use Attribute.last_update_time." + } # dimension target__asset__system_last_update_time + + dimension: target__asset__type { + type: number + sql: ${TABLE}.target.asset.type ;; + group_label: "target" + label: "target.asset.type" + view_label: "UDM" + description: "The type of the asset (e.g. workstation or laptop or server)." + } # dimension target__asset__type + + dimension: target__asset__type_enum_name { + type: string + suggestions: ["IOT", "LAPTOP", "MOBILE", "NETWORK_ATTACHED_STORAGE", "PRINTER", "ROLE_UNSPECIFIED", "SCANNER", "SERVER", "TAPE_LIBRARY", "WORKSTATION"] + sql: CASE ${TABLE}.target.asset.type WHEN 0 THEN 'ROLE_UNSPECIFIED' WHEN 1 THEN 'WORKSTATION' WHEN 2 THEN 'LAPTOP' WHEN 3 THEN 'IOT' WHEN 4 THEN 'NETWORK_ATTACHED_STORAGE' WHEN 5 THEN 'PRINTER' WHEN 6 THEN 'SCANNER' WHEN 7 THEN 'SERVER' WHEN 8 THEN 'TAPE_LIBRARY' WHEN 9 THEN 'MOBILE' END ;; + group_label: "target" + label: "target.asset.type_enum_name" + view_label: "UDM" + description: "The type of the asset (e.g. workstation or laptop or server)." 
+ } # dimension target__asset__type_enum_name + + dimension: target__asset__vulnerabilities { + hidden: yes + } # dimension target__asset__vulnerabilities + + dimension: target__asset_id { + type: string + sql: ${TABLE}.target.asset_id ;; + group_label: "target" + label: "target.asset_id" + view_label: "UDM" + description: "The asset ID." + } # dimension target__asset_id + + dimension: target__cloud { + hidden: yes + } # dimension target__cloud + + dimension: target__cloud__availability_zone { + type: string + sql: ${TABLE}.target.cloud.availability_zone ;; + group_label: "target" + group_item_label: "target.cloud.availability_zone [D]" + label: "target.cloud.availability_zone" + view_label: "UDM" + description: "The cloud environment availability zone (different from region which is location.name). [D]: This field is deprecated and will be removed in a future release" + } # dimension target__cloud__availability_zone + + dimension: target__cloud__environment { + type: number + sql: ${TABLE}.target.cloud.environment ;; + group_label: "target" + group_item_label: "target.cloud.environment [D]" + label: "target.cloud.environment" + view_label: "UDM" + description: "The Cloud environment. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__cloud__environment + + dimension: target__cloud__environment_enum_name { + type: string + suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] + sql: CASE ${TABLE}.target.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; + group_label: "target" + group_item_label: "target.cloud.environment_enum_name [D]" + label: "target.cloud.environment_enum_name" + view_label: "UDM" + description: "The Cloud environment. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension target__cloud__environment_enum_name + + dimension: target__cloud__project { + hidden: yes + } # dimension target__cloud__project + + dimension: target__cloud__project__attribute { + hidden: yes + } # dimension target__cloud__project__attribute + + dimension: target__cloud__project__attribute__labels { + hidden: yes + } # dimension target__cloud__project__attribute__labels + + dimension: target__cloud__project__id { + type: string + sql: ${TABLE}.target.cloud.project.id ;; + group_label: "target" + group_item_label: "target.cloud.project.id [D]" + label: "target.cloud.project.id" + view_label: "UDM" + description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__cloud__project__id + + dimension: target__cloud__project__name { + type: string + sql: ${TABLE}.target.cloud.project.name ;; + group_label: "target" + group_item_label: "target.cloud.project.name [D]" + label: "target.cloud.project.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension target__cloud__project__name + + dimension: target__cloud__project__product_object_id { + type: string + sql: ${TABLE}.target.cloud.project.product_object_id ;; + group_label: "target" + group_item_label: "target.cloud.project.product_object_id [D]" + label: "target.cloud.project.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" + } # dimension target__cloud__project__product_object_id + + dimension: target__cloud__project__resource_subtype { + type: string + sql: ${TABLE}.target.cloud.project.resource_subtype ;; + group_label: "target" + group_item_label: "target.cloud.project.resource_subtype [D]" + label: "target.cloud.project.resource_subtype" + view_label: "UDM" + description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\"). [D]: This field is deprecated and will be removed in a future release" + } # dimension target__cloud__project__resource_subtype + + dimension: target__cloud__project__type { + type: string + sql: ${TABLE}.target.cloud.project.type ;; + group_label: "target" + group_item_label: "target.cloud.project.type [D]" + label: "target.cloud.project.type" + view_label: "UDM" + description: "Deprecated: use resource_type instead. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__cloud__project__type + + dimension: target__cloud__vpc { + hidden: yes + } # dimension target__cloud__vpc + + dimension: target__cloud__vpc__id { + type: string + sql: ${TABLE}.target.cloud.vpc.id ;; + group_label: "target" + group_item_label: "target.cloud.vpc.id [D]" + label: "target.cloud.vpc.id" + view_label: "UDM" + description: "Deprecated: Use resource.name or resource.product_object_id. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension target__cloud__vpc__id + + dimension: target__cloud__vpc__name { + type: string + sql: ${TABLE}.target.cloud.vpc.name ;; + group_label: "target" + group_item_label: "target.cloud.vpc.name [D]" + label: "target.cloud.vpc.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__cloud__vpc__name + + dimension: target__cloud__vpc__product_object_id { + type: string + sql: ${TABLE}.target.cloud.vpc.product_object_id ;; + group_label: "target" + group_item_label: "target.cloud.vpc.product_object_id [D]" + label: "target.cloud.vpc.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" + } # dimension target__cloud__vpc__product_object_id + + dimension: target__cloud__vpc__resource_subtype { + type: string + sql: ${TABLE}.target.cloud.vpc.resource_subtype ;; + group_label: "target" + group_item_label: "target.cloud.vpc.resource_subtype [D]" + label: "target.cloud.vpc.resource_subtype" + view_label: "UDM" + description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\"). [D]: This field is deprecated and will be removed in a future release" + } # dimension target__cloud__vpc__resource_subtype + + dimension: target__cloud__vpc__resource_type { + type: number + sql: ${TABLE}.target.cloud.vpc.resource_type ;; + group_label: "target" + group_item_label: "target.cloud.vpc.resource_type [D]" + label: "target.cloud.vpc.resource_type" + view_label: "UDM" + description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension target__cloud__vpc__resource_type + + dimension: target__cloud__vpc__resource_type_enum_name { + type: string + suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] + sql: CASE ${TABLE}.target.cloud.vpc.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; + group_label: "target" + group_item_label: "target.cloud.vpc.resource_type_enum_name [D]" + label: "target.cloud.vpc.resource_type_enum_name" + view_label: "UDM" + description: "Resource type. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__cloud__vpc__resource_type_enum_name + + dimension: target__domain { + hidden: yes + } # dimension target__domain + + dimension: target__domain__contact_email { + type: string + sql: ${TABLE}.target.domain.contact_email ;; + group_label: "target" + label: "target.domain.contact_email" + view_label: "UDM" + description: "Contact email address." 
+ } # dimension target__domain__contact_email + + dimension_group: target__domain__creation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.domain.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.domain.creation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.domain.creation_time" + view_label: "UDM" + description: "Domain creation time." + } # dimension target__domain__creation_time + + dimension_group: target__domain__expiration_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.domain.expiration_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.domain.expiration_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.domain.expiration_time" + view_label: "UDM" + description: "Expiration time." + } # dimension target__domain__expiration_time + + dimension_group: target__domain__last_seen_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.domain.last_seen_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.domain.last_seen_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.domain.last_seen_time" + view_label: "UDM" + description: "Last seen timestamp of the domain in the customer's environment." + } # dimension target__domain__last_seen_time + + dimension: target__domain__name { + type: string + sql: ${TABLE}.target.domain.name ;; + group_label: "target" + label: "target.domain.name" + view_label: "UDM" + description: "The domain name." 
+ } # dimension target__domain__name + + dimension: target__domain__name_server { + hidden: yes + } # dimension target__domain__name_server + + dimension: target__domain__prevalence { + hidden: yes + } # dimension target__domain__prevalence + + dimension: target__domain__prevalence__day_count { + type: number + sql: ${TABLE}.target.domain.prevalence.day_count ;; + group_label: "target" + label: "target.domain.prevalence.day_count" + view_label: "UDM" + description: "The number of days over which rolling_max is calculated." + } # dimension target__domain__prevalence__day_count + + dimension: target__domain__prevalence__rolling_max { + type: number + sql: ${TABLE}.target.domain.prevalence.rolling_max ;; + group_label: "target" + label: "target.domain.prevalence.rolling_max" + view_label: "UDM" + description: "The maximum number of assets per day accessing the resource over the trailing day_count days." + } # dimension target__domain__prevalence__rolling_max + + dimension: target__domain__private_registration { + type: yesno + sql: ${TABLE}.target.domain.private_registration ;; + group_label: "target" + label: "target.domain.private_registration" + view_label: "UDM" + description: "Indicates whether the domain appears to be using a private registration service to mask the owner's contact information." + } # dimension target__domain__private_registration + + dimension: target__domain__registrar { + type: string + sql: ${TABLE}.target.domain.registrar ;; + group_label: "target" + label: "target.domain.registrar" + view_label: "UDM" + description: "Registrar name - e.g. \"Wild West Domains, Inc. (R120-LROR)\", \"GoDaddy.com, LLC\", \"PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM\", etc." + } # dimension target__domain__registrar + + dimension: target__domain__status { + type: string + sql: ${TABLE}.target.domain.status ;; + group_label: "target" + label: "target.domain.status" + view_label: "UDM" + description: "Domain status. 
See https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en for meanings of possible values" + } # dimension target__domain__status + + dimension: target__domain__tech { + hidden: yes + } # dimension target__domain__tech + + dimension: target__domain__tech__company_name { + type: string + sql: ${TABLE}.target.domain.tech.company_name ;; + group_label: "target" + label: "target.domain.tech.company_name" + view_label: "UDM" + description: "User job company name." + } # dimension target__domain__tech__company_name + + dimension_group: target__domain__update_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.domain.update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.domain.update_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.domain.update_time" + view_label: "UDM" + description: "Last updated time." + } # dimension target__domain__update_time + + dimension: target__domain__whois_server { + type: string + sql: ${TABLE}.target.domain.whois_server ;; + group_label: "target" + label: "target.domain.whois_server" + view_label: "UDM" + description: "Whois server name." + } # dimension target__domain__whois_server + + dimension: target__email { + type: string + sql: ${TABLE}.target.email ;; + group_label: "target" + label: "target.email" + view_label: "UDM" + description: "Email address. Only filled in for security_result.about" + } # dimension target__email + + dimension: target__file { + hidden: yes + } # dimension target__file + + dimension: target__file__authentihash { + type: string + sql: ${TABLE}.target.file.authentihash ;; + group_label: "target" + label: "target.file.authentihash" + view_label: "UDM" + description: "Authentihash of the file." 
+ } # dimension target__file__authentihash + + dimension: target__file__capabilities_tags { + hidden: yes + } # dimension target__file__capabilities_tags + + dimension: target__file__embedded_domains { + hidden: yes + } # dimension target__file__embedded_domains + + dimension: target__file__embedded_ips { + hidden: yes + } # dimension target__file__embedded_ips + + dimension: target__file__embedded_urls { + hidden: yes + } # dimension target__file__embedded_urls + + dimension: target__file__exif_info { + hidden: yes + } # dimension target__file__exif_info + + dimension: target__file__exif_info__company { + type: string + sql: ${TABLE}.target.file.exif_info.company ;; + group_label: "target" + label: "target.file.exif_info.company" + view_label: "UDM" + description: "company name." + } # dimension target__file__exif_info__company + + dimension_group: target__file__exif_info__compilation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.file.exif_info.compilation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.file.exif_info.compilation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.file.exif_info.compilation_time" + view_label: "UDM" + description: "Compilation time." + } # dimension target__file__exif_info__compilation_time + + dimension: target__file__exif_info__entry_point { + type: number + sql: ${TABLE}.target.file.exif_info.entry_point ;; + group_label: "target" + label: "target.file.exif_info.entry_point" + view_label: "UDM" + description: "entry point." + } # dimension target__file__exif_info__entry_point + + dimension: target__file__exif_info__file_description { + type: string + sql: ${TABLE}.target.file.exif_info.file_description ;; + group_label: "target" + label: "target.file.exif_info.file_description" + view_label: "UDM" + description: "description of a file." 
+ } # dimension target__file__exif_info__file_description + + dimension: target__file__exif_info__original_file { + type: string + sql: ${TABLE}.target.file.exif_info.original_file ;; + group_label: "target" + label: "target.file.exif_info.original_file" + view_label: "UDM" + description: "original file name." + } # dimension target__file__exif_info__original_file + + dimension: target__file__exif_info__product { + type: string + sql: ${TABLE}.target.file.exif_info.product ;; + group_label: "target" + label: "target.file.exif_info.product" + view_label: "UDM" + description: "product name." + } # dimension target__file__exif_info__product + + dimension: target__file__file_metadata { + hidden: yes + } # dimension target__file__file_metadata + + dimension: target__file__file_metadata__pe { + hidden: yes + } # dimension target__file__file_metadata__pe + + dimension: target__file__file_metadata__pe__import_hash { + type: string + sql: ${TABLE}.target.file.file_metadata.pe.import_hash ;; + group_label: "target" + group_item_label: "target.file.file_metadata.pe.import_hash [D]" + label: "target.file.file_metadata.pe.import_hash" + view_label: "UDM" + description: "Hash of PE imports. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__file__file_metadata__pe__import_hash + + dimension: target__file__file_type { + type: number + sql: ${TABLE}.target.file.file_type ;; + group_label: "target" + label: "target.file.file_type" + view_label: "UDM" + description: "FileType field." 
+ } # dimension target__file__file_type + + dimension: target__file__file_type_enum_name { + type: string + suggestions: ["FILE_TYPE_ACE", "FILE_TYPE_ANDROID", "FILE_TYPE_APPLE", "FILE_TYPE_APPLEDOUBLE", "FILE_TYPE_APPLESCRIPT", "FILE_TYPE_APPLESCRIPT_COMPILED", "FILE_TYPE_APPLESINGLE", "FILE_TYPE_APPLE_PLIST", "FILE_TYPE_ARC", "FILE_TYPE_ARJ", "FILE_TYPE_ASD", "FILE_TYPE_ASF", "FILE_TYPE_AVI", "FILE_TYPE_AWK", "FILE_TYPE_BLACKHOLE", "FILE_TYPE_BMP", "FILE_TYPE_BZIP", "FILE_TYPE_C", "FILE_TYPE_CAB", "FILE_TYPE_CAP", "FILE_TYPE_CHM", "FILE_TYPE_COFF", "FILE_TYPE_COOKIE", "FILE_TYPE_CPP", "FILE_TYPE_CRX", "FILE_TYPE_DEB", "FILE_TYPE_DIB", "FILE_TYPE_DIVX", "FILE_TYPE_DMG", "FILE_TYPE_DOC", "FILE_TYPE_DOCX", "FILE_TYPE_DOS_COM", "FILE_TYPE_DOS_EXE", "FILE_TYPE_DYALOG", "FILE_TYPE_DZIP", "FILE_TYPE_EBOOK", "FILE_TYPE_ELF", "FILE_TYPE_EMAIL_TYPE", "FILE_TYPE_EMF", "FILE_TYPE_EOT", "FILE_TYPE_EPS", "FILE_TYPE_FLA", "FILE_TYPE_FLAC", "FILE_TYPE_FLC", "FILE_TYPE_FLI", "FILE_TYPE_FLV", "FILE_TYPE_FORTRAN", "FILE_TYPE_FPX", "FILE_TYPE_GIF", "FILE_TYPE_GIMP", "FILE_TYPE_GUL", "FILE_TYPE_GZIP", "FILE_TYPE_HTML", "FILE_TYPE_HWP", "FILE_TYPE_ICO", "FILE_TYPE_IN_DESIGN", "FILE_TYPE_IPHONE", "FILE_TYPE_ISOIMAGE", "FILE_TYPE_JAR", "FILE_TYPE_JAVA", "FILE_TYPE_JAVASCRIPT", "FILE_TYPE_JAVA_BYTECODE", "FILE_TYPE_JNG", "FILE_TYPE_JPEG", "FILE_TYPE_KGB", "FILE_TYPE_LATEX", "FILE_TYPE_LINUX", "FILE_TYPE_LINUX_KERNEL", "FILE_TYPE_LNK", "FILE_TYPE_MACH_O", "FILE_TYPE_MACINTOSH", "FILE_TYPE_MACINTOSH_HFS", "FILE_TYPE_MACINTOSH_LIB", "FILE_TYPE_MIDI", "FILE_TYPE_MOV", "FILE_TYPE_MP3", "FILE_TYPE_MP4", "FILE_TYPE_MPEG", "FILE_TYPE_MSCOMPRESS", "FILE_TYPE_MSI", "FILE_TYPE_NE_DLL", "FILE_TYPE_NE_EXE", "FILE_TYPE_ODF", "FILE_TYPE_ODG", "FILE_TYPE_ODP", "FILE_TYPE_ODS", "FILE_TYPE_ODT", "FILE_TYPE_OGG", "FILE_TYPE_OUTLOOK", "FILE_TYPE_PALMOS", "FILE_TYPE_PASCAL", "FILE_TYPE_PDF", "FILE_TYPE_PERL", "FILE_TYPE_PE_DLL", "FILE_TYPE_PE_EXE", "FILE_TYPE_PHP", "FILE_TYPE_PKG", "FILE_TYPE_PNG", 
"FILE_TYPE_POWERSHELL", "FILE_TYPE_PPSX", "FILE_TYPE_PPT", "FILE_TYPE_PPTX", "FILE_TYPE_PS", "FILE_TYPE_PSD", "FILE_TYPE_PYTHON", "FILE_TYPE_QUICKTIME", "FILE_TYPE_RAR", "FILE_TYPE_RM", "FILE_TYPE_ROM", "FILE_TYPE_RPM", "FILE_TYPE_RTF", "FILE_TYPE_RUBY", "FILE_TYPE_RZIP", "FILE_TYPE_SCRIPT", "FILE_TYPE_SEVENZIP", "FILE_TYPE_SHELLSCRIPT", "FILE_TYPE_SVG", "FILE_TYPE_SWF", "FILE_TYPE_SYMBIAN", "FILE_TYPE_T3GP", "FILE_TYPE_TAR", "FILE_TYPE_TARGA", "FILE_TYPE_TEXT", "FILE_TYPE_TIFF", "FILE_TYPE_TORRENT", "FILE_TYPE_TTF", "FILE_TYPE_UNSPECIFIED", "FILE_TYPE_VBA", "FILE_TYPE_WAV", "FILE_TYPE_WEBP", "FILE_TYPE_WINCE", "FILE_TYPE_WMA", "FILE_TYPE_WMV", "FILE_TYPE_WOFF", "FILE_TYPE_XLS", "FILE_TYPE_XLSX", "FILE_TYPE_XML", "FILE_TYPE_XPI", "FILE_TYPE_XWD", "FILE_TYPE_ZIP", "FILE_TYPE_ZLIB"] + sql: CASE ${TABLE}.target.file.file_type WHEN 0 THEN 'FILE_TYPE_UNSPECIFIED' WHEN 1 THEN 'FILE_TYPE_PE_EXE' WHEN 2 THEN 'FILE_TYPE_PE_DLL' WHEN 3 THEN 'FILE_TYPE_MSI' WHEN 10 THEN 'FILE_TYPE_NE_EXE' WHEN 11 THEN 'FILE_TYPE_NE_DLL' WHEN 20 THEN 'FILE_TYPE_DOS_EXE' WHEN 21 THEN 'FILE_TYPE_DOS_COM' WHEN 30 THEN 'FILE_TYPE_COFF' WHEN 31 THEN 'FILE_TYPE_ELF' WHEN 32 THEN 'FILE_TYPE_LINUX_KERNEL' WHEN 33 THEN 'FILE_TYPE_RPM' WHEN 34 THEN 'FILE_TYPE_LINUX' WHEN 35 THEN 'FILE_TYPE_MACH_O' WHEN 36 THEN 'FILE_TYPE_JAVA_BYTECODE' WHEN 37 THEN 'FILE_TYPE_DMG' WHEN 38 THEN 'FILE_TYPE_DEB' WHEN 39 THEN 'FILE_TYPE_PKG' WHEN 50 THEN 'FILE_TYPE_LNK' WHEN 100 THEN 'FILE_TYPE_JPEG' WHEN 101 THEN 'FILE_TYPE_TIFF' WHEN 102 THEN 'FILE_TYPE_GIF' WHEN 103 THEN 'FILE_TYPE_PNG' WHEN 104 THEN 'FILE_TYPE_BMP' WHEN 105 THEN 'FILE_TYPE_GIMP' WHEN 106 THEN 'FILE_TYPE_IN_DESIGN' WHEN 107 THEN 'FILE_TYPE_PSD' WHEN 108 THEN 'FILE_TYPE_TARGA' WHEN 109 THEN 'FILE_TYPE_XWD' WHEN 110 THEN 'FILE_TYPE_DIB' WHEN 111 THEN 'FILE_TYPE_JNG' WHEN 112 THEN 'FILE_TYPE_ICO' WHEN 113 THEN 'FILE_TYPE_FPX' WHEN 114 THEN 'FILE_TYPE_EPS' WHEN 115 THEN 'FILE_TYPE_SVG' WHEN 116 THEN 'FILE_TYPE_EMF' WHEN 117 THEN 'FILE_TYPE_WEBP' WHEN 150 
THEN 'FILE_TYPE_OGG' WHEN 151 THEN 'FILE_TYPE_FLC' WHEN 152 THEN 'FILE_TYPE_FLI' WHEN 153 THEN 'FILE_TYPE_MP3' WHEN 154 THEN 'FILE_TYPE_FLAC' WHEN 155 THEN 'FILE_TYPE_WAV' WHEN 156 THEN 'FILE_TYPE_MIDI' WHEN 157 THEN 'FILE_TYPE_AVI' WHEN 158 THEN 'FILE_TYPE_MPEG' WHEN 159 THEN 'FILE_TYPE_QUICKTIME' WHEN 160 THEN 'FILE_TYPE_ASF' WHEN 161 THEN 'FILE_TYPE_DIVX' WHEN 162 THEN 'FILE_TYPE_FLV' WHEN 163 THEN 'FILE_TYPE_WMA' WHEN 164 THEN 'FILE_TYPE_WMV' WHEN 165 THEN 'FILE_TYPE_RM' WHEN 166 THEN 'FILE_TYPE_MOV' WHEN 167 THEN 'FILE_TYPE_MP4' WHEN 168 THEN 'FILE_TYPE_T3GP' WHEN 200 THEN 'FILE_TYPE_PDF' WHEN 201 THEN 'FILE_TYPE_PS' WHEN 202 THEN 'FILE_TYPE_DOC' WHEN 203 THEN 'FILE_TYPE_DOCX' WHEN 204 THEN 'FILE_TYPE_PPT' WHEN 205 THEN 'FILE_TYPE_PPTX' WHEN 209 THEN 'FILE_TYPE_PPSX' WHEN 206 THEN 'FILE_TYPE_XLS' WHEN 207 THEN 'FILE_TYPE_XLSX' WHEN 208 THEN 'FILE_TYPE_RTF' WHEN 250 THEN 'FILE_TYPE_ODP' WHEN 251 THEN 'FILE_TYPE_ODS' WHEN 252 THEN 'FILE_TYPE_ODT' WHEN 253 THEN 'FILE_TYPE_HWP' WHEN 254 THEN 'FILE_TYPE_GUL' WHEN 255 THEN 'FILE_TYPE_ODF' WHEN 256 THEN 'FILE_TYPE_ODG' WHEN 260 THEN 'FILE_TYPE_EBOOK' WHEN 261 THEN 'FILE_TYPE_LATEX' WHEN 262 THEN 'FILE_TYPE_TTF' WHEN 263 THEN 'FILE_TYPE_EOT' WHEN 264 THEN 'FILE_TYPE_WOFF' WHEN 265 THEN 'FILE_TYPE_CHM' WHEN 300 THEN 'FILE_TYPE_ZIP' WHEN 301 THEN 'FILE_TYPE_GZIP' WHEN 302 THEN 'FILE_TYPE_BZIP' WHEN 303 THEN 'FILE_TYPE_RZIP' WHEN 304 THEN 'FILE_TYPE_DZIP' WHEN 305 THEN 'FILE_TYPE_SEVENZIP' WHEN 306 THEN 'FILE_TYPE_CAB' WHEN 307 THEN 'FILE_TYPE_JAR' WHEN 308 THEN 'FILE_TYPE_RAR' WHEN 309 THEN 'FILE_TYPE_MSCOMPRESS' WHEN 310 THEN 'FILE_TYPE_ACE' WHEN 311 THEN 'FILE_TYPE_ARC' WHEN 312 THEN 'FILE_TYPE_ARJ' WHEN 313 THEN 'FILE_TYPE_ASD' WHEN 314 THEN 'FILE_TYPE_BLACKHOLE' WHEN 315 THEN 'FILE_TYPE_KGB' WHEN 316 THEN 'FILE_TYPE_ZLIB' WHEN 317 THEN 'FILE_TYPE_TAR' WHEN 400 THEN 'FILE_TYPE_TEXT' WHEN 401 THEN 'FILE_TYPE_SCRIPT' WHEN 402 THEN 'FILE_TYPE_PHP' WHEN 403 THEN 'FILE_TYPE_PYTHON' WHEN 404 THEN 'FILE_TYPE_PERL' WHEN 405 
THEN 'FILE_TYPE_RUBY' WHEN 406 THEN 'FILE_TYPE_C' WHEN 407 THEN 'FILE_TYPE_CPP' WHEN 408 THEN 'FILE_TYPE_JAVA' WHEN 409 THEN 'FILE_TYPE_SHELLSCRIPT' WHEN 410 THEN 'FILE_TYPE_PASCAL' WHEN 411 THEN 'FILE_TYPE_AWK' WHEN 412 THEN 'FILE_TYPE_DYALOG' WHEN 413 THEN 'FILE_TYPE_FORTRAN' WHEN 414 THEN 'FILE_TYPE_JAVASCRIPT' WHEN 415 THEN 'FILE_TYPE_POWERSHELL' WHEN 416 THEN 'FILE_TYPE_VBA' WHEN 500 THEN 'FILE_TYPE_SYMBIAN' WHEN 501 THEN 'FILE_TYPE_PALMOS' WHEN 502 THEN 'FILE_TYPE_WINCE' WHEN 503 THEN 'FILE_TYPE_ANDROID' WHEN 504 THEN 'FILE_TYPE_IPHONE' WHEN 600 THEN 'FILE_TYPE_HTML' WHEN 601 THEN 'FILE_TYPE_XML' WHEN 602 THEN 'FILE_TYPE_SWF' WHEN 603 THEN 'FILE_TYPE_FLA' WHEN 604 THEN 'FILE_TYPE_COOKIE' WHEN 605 THEN 'FILE_TYPE_TORRENT' WHEN 606 THEN 'FILE_TYPE_EMAIL_TYPE' WHEN 607 THEN 'FILE_TYPE_OUTLOOK' WHEN 700 THEN 'FILE_TYPE_CAP' WHEN 800 THEN 'FILE_TYPE_ISOIMAGE' WHEN 1000 THEN 'FILE_TYPE_APPLE' WHEN 1001 THEN 'FILE_TYPE_MACINTOSH' WHEN 1002 THEN 'FILE_TYPE_APPLESINGLE' WHEN 1003 THEN 'FILE_TYPE_APPLEDOUBLE' WHEN 1004 THEN 'FILE_TYPE_MACINTOSH_HFS' WHEN 1005 THEN 'FILE_TYPE_APPLE_PLIST' WHEN 1006 THEN 'FILE_TYPE_MACINTOSH_LIB' WHEN 1007 THEN 'FILE_TYPE_APPLESCRIPT' WHEN 1008 THEN 'FILE_TYPE_APPLESCRIPT_COMPILED' WHEN 1100 THEN 'FILE_TYPE_CRX' WHEN 1101 THEN 'FILE_TYPE_XPI' WHEN 1200 THEN 'FILE_TYPE_ROM' END ;; + group_label: "target" + label: "target.file.file_type_enum_name" + view_label: "UDM" + description: "FileType field." + } # dimension target__file__file_type_enum_name + + dimension_group: target__file__first_seen_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.file.first_seen_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.file.first_seen_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.file.first_seen_time" + view_label: "UDM" + description: "Timestamp the file was first seen in the customer's environment." 
+ } # dimension target__file__first_seen_time + + dimension: target__file__full_path { + type: string + sql: ${TABLE}.target.file.full_path ;; + group_label: "target" + label: "target.file.full_path" + view_label: "UDM" + description: "The full path identifying the location of the file on the system." + } # dimension target__file__full_path + + dimension_group: target__file__last_analysis_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.file.last_analysis_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.file.last_analysis_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.file.last_analysis_time" + view_label: "UDM" + description: "Timestamp the file was last analysed." + } # dimension target__file__last_analysis_time + + dimension_group: target__file__last_modification_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.file.last_modification_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.file.last_modification_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.file.last_modification_time" + view_label: "UDM" + description: "Timestamp when the file was last updated." + } # dimension target__file__last_modification_time + + dimension_group: target__file__last_seen_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.file.last_seen_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.file.last_seen_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.file.last_seen_time" + view_label: "UDM" + description: "Timestamp the file was last seen in the customer's environment." 
+ } # dimension target__file__last_seen_time + + dimension: target__file__md5 { + type: string + sql: ${TABLE}.target.file.md5 ;; + group_label: "target" + label: "target.file.md5" + view_label: "UDM" + description: "The MD5 hash of the file." + } # dimension target__file__md5 + + dimension: target__file__mime_type { + type: string + sql: ${TABLE}.target.file.mime_type ;; + group_label: "target" + label: "target.file.mime_type" + view_label: "UDM" + description: "The MIME (Multipurpose Internet Mail Extensions) type of the file, for example \"PE\", \"PDF\", \"powershell script\", etc." + } # dimension target__file__mime_type + + dimension: target__file__names { + hidden: yes + } # dimension target__file__names + + dimension: target__file__pe_file { + hidden: yes + } # dimension target__file__pe_file + + dimension_group: target__file__pe_file__compilation_exiftool_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.file.pe_file.compilation_exiftool_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.file.pe_file.compilation_exiftool_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.file.pe_file.compilation_exiftool_time" + view_label: "UDM" + description: "info.exiftool.TimeStamp." + } # dimension target__file__pe_file__compilation_exiftool_time + + dimension_group: target__file__pe_file__compilation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.file.pe_file.compilation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.file.pe_file.compilation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.file.pe_file.compilation_time" + view_label: "UDM" + description: "info.pe-timestamp." 
+ } # dimension target__file__pe_file__compilation_time + + dimension: target__file__pe_file__entry_point { + type: number + sql: ${TABLE}.target.file.pe_file.entry_point ;; + group_label: "target" + label: "target.file.pe_file.entry_point" + view_label: "UDM" + description: "info.pe-entry-point." + } # dimension target__file__pe_file__entry_point + + dimension: target__file__pe_file__entry_point_exiftool { + type: number + sql: ${TABLE}.target.file.pe_file.entry_point_exiftool ;; + group_label: "target" + label: "target.file.pe_file.entry_point_exiftool" + view_label: "UDM" + description: "info.exiftool.EntryPoint." + } # dimension target__file__pe_file__entry_point_exiftool + + dimension: target__file__pe_file__imphash { + type: string + sql: ${TABLE}.target.file.pe_file.imphash ;; + group_label: "target" + label: "target.file.pe_file.imphash" + view_label: "UDM" + description: "Imphash of the file." + } # dimension target__file__pe_file__imphash + + dimension: target__file__pe_file__imports { + hidden: yes + } # dimension target__file__pe_file__imports + + dimension: target__file__pe_file__resource { + hidden: yes + } # dimension target__file__pe_file__resource + + dimension: target__file__pe_file__resources_language_count_str { + hidden: yes + } # dimension target__file__pe_file__resources_language_count_str + + dimension: target__file__pe_file__resources_type_count_str { + hidden: yes + } # dimension target__file__pe_file__resources_type_count_str + + dimension: target__file__pe_file__section { + hidden: yes + } # dimension target__file__pe_file__section + + dimension: target__file__sha1 { + type: string + sql: ${TABLE}.target.file.sha1 ;; + group_label: "target" + label: "target.file.sha1" + view_label: "UDM" + description: "The SHA1 hash of the file." 
+ } # dimension target__file__sha1 + + dimension: target__file__sha256 { + type: string + sql: ${TABLE}.target.file.sha256 ;; + group_label: "target" + label: "target.file.sha256" + view_label: "UDM" + description: "The SHA256 hash of the file." + } # dimension target__file__sha256 + + dimension: target__file__signature_info { + hidden: yes + } # dimension target__file__signature_info + + dimension: target__file__signature_info__codesign { + hidden: yes + } # dimension target__file__signature_info__codesign + + dimension_group: target__file__signature_info__codesign__compilation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.file.signature_info.codesign.compilation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.file.signature_info.codesign.compilation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.file.signature_info.codesign.compilation_time" + view_label: "UDM" + description: "Code sign timestamp" + } # dimension target__file__signature_info__codesign__compilation_time + + dimension: target__file__signature_info__codesign__format { + type: string + sql: ${TABLE}.target.file.signature_info.codesign.format ;; + group_label: "target" + label: "target.file.signature_info.codesign.format" + view_label: "UDM" + description: "Code sign format." + } # dimension target__file__signature_info__codesign__format + + dimension: target__file__signature_info__codesign__id { + type: string + sql: ${TABLE}.target.file.signature_info.codesign.id ;; + group_label: "target" + label: "target.file.signature_info.codesign.id" + view_label: "UDM" + description: "Code sign identifier." 
+ } # dimension target__file__signature_info__codesign__id + + dimension: target__file__signature_info__sigcheck { + hidden: yes + } # dimension target__file__signature_info__sigcheck + + dimension: target__file__signature_info__sigcheck__signers { + hidden: yes + } # dimension target__file__signature_info__sigcheck__signers + + dimension: target__file__signature_info__sigcheck__verification_message { + type: string + sql: ${TABLE}.target.file.signature_info.sigcheck.verification_message ;; + group_label: "target" + label: "target.file.signature_info.sigcheck.verification_message" + view_label: "UDM" + description: "Status of the certificate. Valid values are \"Signed\", \"Unsigned\" or a description of the certificate anomaly, if found." + } # dimension target__file__signature_info__sigcheck__verification_message + + dimension: target__file__signature_info__sigcheck__verified { + type: yesno + sql: ${TABLE}.target.file.signature_info.sigcheck.verified ;; + group_label: "target" + label: "target.file.signature_info.sigcheck.verified" + view_label: "UDM" + description: "True iff verification_message == \"Signed\"" + } # dimension target__file__signature_info__sigcheck__verified + + dimension: target__file__signature_info__sigcheck__x509 { + hidden: yes + } # dimension target__file__signature_info__sigcheck__x509 + + dimension: target__file__size { + type: number + sql: ${TABLE}.target.file.size ;; + group_label: "target" + label: "target.file.size" + view_label: "UDM" + description: "The size of the file in bytes." 
+ } # dimension target__file__size + + dimension: target__file__ssdeep { + type: string + sql: ${TABLE}.target.file.ssdeep ;; + group_label: "target" + label: "target.file.ssdeep" + view_label: "UDM" + description: "Ssdeep of the file" + } # dimension target__file__ssdeep + + dimension: target__file__tags { + hidden: yes + } # dimension target__file__tags + + dimension: target__file__vhash { + type: string + sql: ${TABLE}.target.file.vhash ;; + group_label: "target" + label: "target.file.vhash" + view_label: "UDM" + description: "Vhash of the file." + } # dimension target__file__vhash + + dimension: target__group { + hidden: yes + } # dimension target__group + + dimension: target__group__attribute { + hidden: yes + } # dimension target__group__attribute + + dimension: target__group__attribute__labels { + hidden: yes + } # dimension target__group__attribute__labels + + dimension: target__group__attribute__permissions { + hidden: yes + } # dimension target__group__attribute__permissions + + dimension: target__group__attribute__roles { + hidden: yes + } # dimension target__group__attribute__roles + + dimension_group: target__group__creation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.group.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.group.creation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + group_item_label: "target.group.creation_time [D]" + label: "target.group.creation_time" + view_label: "UDM" + description: "Group creation time. Deprecated: creation_time should be populated in Attribute as generic metadata. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension target__group__creation_time + + dimension: target__group__email_addresses { + hidden: yes + } # dimension target__group__email_addresses + + dimension: target__group__group_display_name { + type: string + sql: ${TABLE}.target.group.group_display_name ;; + group_label: "target" + label: "target.group.group_display_name" + view_label: "UDM" + description: "Group display name. e.g. \"Finance\"." + } # dimension target__group__group_display_name + + dimension: target__group__product_object_id { + type: string + sql: ${TABLE}.target.group.product_object_id ;; + group_label: "target" + label: "target.group.product_object_id" + view_label: "UDM" + description: "Product globally unique user object identifier, such as an LDAP Object Identifier." + } # dimension target__group__product_object_id + + dimension: target__group__windows_sid { + type: string + sql: ${TABLE}.target.group.windows_sid ;; + group_label: "target" + label: "target.group.windows_sid" + view_label: "UDM" + description: "Microsoft Windows SID of the group." + } # dimension target__group__windows_sid + + dimension: target__hostname { + type: string + sql: ${TABLE}.target.hostname ;; + group_label: "target" + label: "target.hostname" + view_label: "UDM" + description: "Client hostname or domain name field. Hostname also doubles as the domain for remote entities." + } # dimension target__hostname + + dimension: target__investigation { + hidden: yes + } # dimension target__investigation + + dimension: target__investigation__comments { + hidden: yes + } # dimension target__investigation__comments + + dimension: target__investigation__severity_score { + type: number + sql: ${TABLE}.target.investigation.severity_score ;; + group_label: "target" + label: "target.investigation.severity_score" + view_label: "UDM" + description: "Severity score for a finding set by an analyst." 
+ } # dimension target__investigation__severity_score + + dimension: target__ip { + hidden: yes + } # dimension target__ip + + dimension: target__ip_geo_artifact { + hidden: yes + } # dimension target__ip_geo_artifact + + dimension: target__ip_location { + hidden: yes + } # dimension target__ip_location + + dimension: target__labels { + hidden: yes + } # dimension target__labels + + dimension: target__location { + hidden: yes + } # dimension target__location + + dimension: target__location__city { + type: string + sql: ${TABLE}.target.location.city ;; + group_label: "target" + label: "target.location.city" + view_label: "UDM" + description: "The city." + } # dimension target__location__city + + dimension: target__location__country_or_region { + type: string + sql: ${TABLE}.target.location.country_or_region ;; + group_label: "target" + label: "target.location.country_or_region" + view_label: "UDM" + description: "The country or region." + } # dimension target__location__country_or_region + + dimension: target__location__name { + type: string + sql: ${TABLE}.target.location.name ;; + group_label: "target" + label: "target.location.name" + view_label: "UDM" + description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." + } # dimension target__location__name + + dimension: target__location__region_coordinates { + type: location + sql_latitude: ${TABLE}.target.location.region_coordinates.latitude ;; + sql_longitude: ${TABLE}.target.location.region_coordinates.longitude ;; + group_label: "target" + group_item_label: "target.location.region_coordinates [L]" + label: "target.location.region_coordinates" + view_label: "UDM" + description: "Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. [L]: This is a location field and can be used in maps." 
+ } # dimension target__location__region_coordinates + + dimension: target__location__region_latitude { + type: number + sql: ${TABLE}.target.location.region_latitude ;; + group_label: "target" + group_item_label: "target.location.region_latitude [D]" + label: "target.location.region_latitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__location__region_latitude + + dimension: target__location__region_longitude { + type: number + sql: ${TABLE}.target.location.region_longitude ;; + group_label: "target" + group_item_label: "target.location.region_longitude [D]" + label: "target.location.region_longitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__location__region_longitude + + dimension: target__location__location { + type: location + sql_latitude: ${TABLE}.target.location.region_latitude ;; + sql_longitude: ${TABLE}.target.location.region_longitude ;; + group_label: "target" + group_item_label: "target.location.location [D][L]" + label: "target.location.location" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." + } # dimension target__location__location + + dimension: target__location__state { + type: string + sql: ${TABLE}.target.location.state ;; + group_label: "target" + label: "target.location.state" + view_label: "UDM" + description: "The state." + } # dimension target__location__state + + dimension: target__mac { + hidden: yes + } # dimension target__mac + + dimension: target__namespace { + type: string + sql: ${TABLE}.target.namespace ;; + group_label: "target" + label: "target.namespace" + view_label: "UDM" + description: "Namespace which the device belongs to (e.g. 
AD forest) Uses for this field include Microsoft Windows AD forest, name of subsidiary or acquisition, etc." + } # dimension target__namespace + + dimension: target__nat_ip { + hidden: yes + } # dimension target__nat_ip + + dimension: target__nat_port { + type: number + value_format: "#" + sql: ${TABLE}.target.nat_port ;; + group_label: "target" + label: "target.nat_port" + view_label: "UDM" + description: "NAT external network port number when a specific network connection is described within an event." + } # dimension target__nat_port + + dimension: target__network { + hidden: yes + } # dimension target__network + + dimension: target__network__http { + hidden: yes + } # dimension target__network__http + + dimension: target__network__http__method { + type: string + sql: ${TABLE}.target.network.http.method ;; + group_label: "target" + label: "target.network.http.method" + view_label: "UDM" + description: "The HTTP request method (e.g. \"GET\", \"POST\", \"PATCH\", \"DELETE\")." + } # dimension target__network__http__method + + dimension: target__network__http__referral_url { + type: string + sql: ${TABLE}.target.network.http.referral_url ;; + group_label: "target" + label: "target.network.http.referral_url" + view_label: "UDM" + description: "The URL for the HTTP referer." + } # dimension target__network__http__referral_url + + dimension: target__platform { + type: number + sql: ${TABLE}.target.platform ;; + group_label: "target" + label: "target.platform" + view_label: "UDM" + description: "Platform." 
+ } # dimension target__platform + + dimension: target__platform_enum_name { + type: string + suggestions: ["ANDROID", "AWS", "AZURE", "CHROME_OS", "GCP", "IOS", "LINUX", "MAC", "UNKNOWN_PLATFORM", "WINDOWS"] + sql: CASE ${TABLE}.target.platform WHEN 0 THEN 'UNKNOWN_PLATFORM' WHEN 1 THEN 'WINDOWS' WHEN 2 THEN 'MAC' WHEN 3 THEN 'LINUX' WHEN 4 THEN 'GCP' WHEN 5 THEN 'AWS' WHEN 6 THEN 'AZURE' WHEN 7 THEN 'IOS' WHEN 8 THEN 'ANDROID' WHEN 9 THEN 'CHROME_OS' END ;; + group_label: "target" + label: "target.platform_enum_name" + view_label: "UDM" + description: "Platform." + } # dimension target__platform_enum_name + + dimension: target__platform_patch_level { + type: string + sql: ${TABLE}.target.platform_patch_level ;; + group_label: "target" + label: "target.platform_patch_level" + view_label: "UDM" + description: "Platform patch level. For example, \"Build 17134.48\"" + } # dimension target__platform_patch_level + + dimension: target__platform_version { + type: string + sql: ${TABLE}.target.platform_version ;; + group_label: "target" + label: "target.platform_version" + view_label: "UDM" + description: "Platform version. For example, \"Microsoft Windows 1803\"." + } # dimension target__platform_version + + dimension: target__port { + type: number + value_format: "#" + sql: ${TABLE}.target.port ;; + group_label: "target" + label: "target.port" + view_label: "UDM" + description: "Source or destination network port number when a specific network connection is described within an event." + } # dimension target__port + + dimension: target__process { + hidden: yes + } # dimension target__process + + dimension: target__process__access_mask { + type: number + sql: ${TABLE}.target.process.access_mask ;; + group_label: "target" + label: "target.process.access_mask" + view_label: "UDM" + description: "A bit mask representing the level of access." 
+ } # dimension target__process__access_mask + + dimension: target__process__command_line { + type: string + sql: ${TABLE}.target.process.command_line ;; + group_label: "target" + label: "target.process.command_line" + view_label: "UDM" + description: "The command line command that created the process." + } # dimension target__process__command_line + + dimension: target__process__command_line_history { + hidden: yes + } # dimension target__process__command_line_history + + dimension: target__process__file { + hidden: yes + } # dimension target__process__file + + dimension: target__process__file__capabilities_tags { + hidden: yes + } # dimension target__process__file__capabilities_tags + + dimension: target__process__file__file_metadata { + hidden: yes + } # dimension target__process__file__file_metadata + + dimension: target__process__file__file_metadata__pe { + hidden: yes + } # dimension target__process__file__file_metadata__pe + + dimension: target__process__file__file_metadata__pe__import_hash { + type: string + sql: ${TABLE}.target.process.file.file_metadata.pe.import_hash ;; + group_label: "target" + group_item_label: "target.process.file.file_metadata.pe.import_hash [D]" + label: "target.process.file.file_metadata.pe.import_hash" + view_label: "UDM" + description: "Hash of PE imports. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__process__file__file_metadata__pe__import_hash + + dimension: target__process__file__file_type { + type: number + sql: ${TABLE}.target.process.file.file_type ;; + group_label: "target" + label: "target.process.file.file_type" + view_label: "UDM" + description: "FileType field." 
+ } # dimension target__process__file__file_type + + dimension: target__process__file__file_type_enum_name { + type: string + suggestions: ["FILE_TYPE_ACE", "FILE_TYPE_ANDROID", "FILE_TYPE_APPLE", "FILE_TYPE_APPLEDOUBLE", "FILE_TYPE_APPLESCRIPT", "FILE_TYPE_APPLESCRIPT_COMPILED", "FILE_TYPE_APPLESINGLE", "FILE_TYPE_APPLE_PLIST", "FILE_TYPE_ARC", "FILE_TYPE_ARJ", "FILE_TYPE_ASD", "FILE_TYPE_ASF", "FILE_TYPE_AVI", "FILE_TYPE_AWK", "FILE_TYPE_BLACKHOLE", "FILE_TYPE_BMP", "FILE_TYPE_BZIP", "FILE_TYPE_C", "FILE_TYPE_CAB", "FILE_TYPE_CAP", "FILE_TYPE_CHM", "FILE_TYPE_COFF", "FILE_TYPE_COOKIE", "FILE_TYPE_CPP", "FILE_TYPE_CRX", "FILE_TYPE_DEB", "FILE_TYPE_DIB", "FILE_TYPE_DIVX", "FILE_TYPE_DMG", "FILE_TYPE_DOC", "FILE_TYPE_DOCX", "FILE_TYPE_DOS_COM", "FILE_TYPE_DOS_EXE", "FILE_TYPE_DYALOG", "FILE_TYPE_DZIP", "FILE_TYPE_EBOOK", "FILE_TYPE_ELF", "FILE_TYPE_EMAIL_TYPE", "FILE_TYPE_EMF", "FILE_TYPE_EOT", "FILE_TYPE_EPS", "FILE_TYPE_FLA", "FILE_TYPE_FLAC", "FILE_TYPE_FLC", "FILE_TYPE_FLI", "FILE_TYPE_FLV", "FILE_TYPE_FORTRAN", "FILE_TYPE_FPX", "FILE_TYPE_GIF", "FILE_TYPE_GIMP", "FILE_TYPE_GUL", "FILE_TYPE_GZIP", "FILE_TYPE_HTML", "FILE_TYPE_HWP", "FILE_TYPE_ICO", "FILE_TYPE_IN_DESIGN", "FILE_TYPE_IPHONE", "FILE_TYPE_ISOIMAGE", "FILE_TYPE_JAR", "FILE_TYPE_JAVA", "FILE_TYPE_JAVASCRIPT", "FILE_TYPE_JAVA_BYTECODE", "FILE_TYPE_JNG", "FILE_TYPE_JPEG", "FILE_TYPE_KGB", "FILE_TYPE_LATEX", "FILE_TYPE_LINUX", "FILE_TYPE_LINUX_KERNEL", "FILE_TYPE_LNK", "FILE_TYPE_MACH_O", "FILE_TYPE_MACINTOSH", "FILE_TYPE_MACINTOSH_HFS", "FILE_TYPE_MACINTOSH_LIB", "FILE_TYPE_MIDI", "FILE_TYPE_MOV", "FILE_TYPE_MP3", "FILE_TYPE_MP4", "FILE_TYPE_MPEG", "FILE_TYPE_MSCOMPRESS", "FILE_TYPE_MSI", "FILE_TYPE_NE_DLL", "FILE_TYPE_NE_EXE", "FILE_TYPE_ODF", "FILE_TYPE_ODG", "FILE_TYPE_ODP", "FILE_TYPE_ODS", "FILE_TYPE_ODT", "FILE_TYPE_OGG", "FILE_TYPE_OUTLOOK", "FILE_TYPE_PALMOS", "FILE_TYPE_PASCAL", "FILE_TYPE_PDF", "FILE_TYPE_PERL", "FILE_TYPE_PE_DLL", "FILE_TYPE_PE_EXE", "FILE_TYPE_PHP", "FILE_TYPE_PKG", 
"FILE_TYPE_PNG", "FILE_TYPE_POWERSHELL", "FILE_TYPE_PPSX", "FILE_TYPE_PPT", "FILE_TYPE_PPTX", "FILE_TYPE_PS", "FILE_TYPE_PSD", "FILE_TYPE_PYTHON", "FILE_TYPE_QUICKTIME", "FILE_TYPE_RAR", "FILE_TYPE_RM", "FILE_TYPE_ROM", "FILE_TYPE_RPM", "FILE_TYPE_RTF", "FILE_TYPE_RUBY", "FILE_TYPE_RZIP", "FILE_TYPE_SCRIPT", "FILE_TYPE_SEVENZIP", "FILE_TYPE_SHELLSCRIPT", "FILE_TYPE_SVG", "FILE_TYPE_SWF", "FILE_TYPE_SYMBIAN", "FILE_TYPE_T3GP", "FILE_TYPE_TAR", "FILE_TYPE_TARGA", "FILE_TYPE_TEXT", "FILE_TYPE_TIFF", "FILE_TYPE_TORRENT", "FILE_TYPE_TTF", "FILE_TYPE_UNSPECIFIED", "FILE_TYPE_VBA", "FILE_TYPE_WAV", "FILE_TYPE_WEBP", "FILE_TYPE_WINCE", "FILE_TYPE_WMA", "FILE_TYPE_WMV", "FILE_TYPE_WOFF", "FILE_TYPE_XLS", "FILE_TYPE_XLSX", "FILE_TYPE_XML", "FILE_TYPE_XPI", "FILE_TYPE_XWD", "FILE_TYPE_ZIP", "FILE_TYPE_ZLIB"] + sql: CASE ${TABLE}.target.process.file.file_type WHEN 0 THEN 'FILE_TYPE_UNSPECIFIED' WHEN 1 THEN 'FILE_TYPE_PE_EXE' WHEN 2 THEN 'FILE_TYPE_PE_DLL' WHEN 3 THEN 'FILE_TYPE_MSI' WHEN 10 THEN 'FILE_TYPE_NE_EXE' WHEN 11 THEN 'FILE_TYPE_NE_DLL' WHEN 20 THEN 'FILE_TYPE_DOS_EXE' WHEN 21 THEN 'FILE_TYPE_DOS_COM' WHEN 30 THEN 'FILE_TYPE_COFF' WHEN 31 THEN 'FILE_TYPE_ELF' WHEN 32 THEN 'FILE_TYPE_LINUX_KERNEL' WHEN 33 THEN 'FILE_TYPE_RPM' WHEN 34 THEN 'FILE_TYPE_LINUX' WHEN 35 THEN 'FILE_TYPE_MACH_O' WHEN 36 THEN 'FILE_TYPE_JAVA_BYTECODE' WHEN 37 THEN 'FILE_TYPE_DMG' WHEN 38 THEN 'FILE_TYPE_DEB' WHEN 39 THEN 'FILE_TYPE_PKG' WHEN 50 THEN 'FILE_TYPE_LNK' WHEN 100 THEN 'FILE_TYPE_JPEG' WHEN 101 THEN 'FILE_TYPE_TIFF' WHEN 102 THEN 'FILE_TYPE_GIF' WHEN 103 THEN 'FILE_TYPE_PNG' WHEN 104 THEN 'FILE_TYPE_BMP' WHEN 105 THEN 'FILE_TYPE_GIMP' WHEN 106 THEN 'FILE_TYPE_IN_DESIGN' WHEN 107 THEN 'FILE_TYPE_PSD' WHEN 108 THEN 'FILE_TYPE_TARGA' WHEN 109 THEN 'FILE_TYPE_XWD' WHEN 110 THEN 'FILE_TYPE_DIB' WHEN 111 THEN 'FILE_TYPE_JNG' WHEN 112 THEN 'FILE_TYPE_ICO' WHEN 113 THEN 'FILE_TYPE_FPX' WHEN 114 THEN 'FILE_TYPE_EPS' WHEN 115 THEN 'FILE_TYPE_SVG' WHEN 116 THEN 'FILE_TYPE_EMF' WHEN 117 THEN 
'FILE_TYPE_WEBP' WHEN 150 THEN 'FILE_TYPE_OGG' WHEN 151 THEN 'FILE_TYPE_FLC' WHEN 152 THEN 'FILE_TYPE_FLI' WHEN 153 THEN 'FILE_TYPE_MP3' WHEN 154 THEN 'FILE_TYPE_FLAC' WHEN 155 THEN 'FILE_TYPE_WAV' WHEN 156 THEN 'FILE_TYPE_MIDI' WHEN 157 THEN 'FILE_TYPE_AVI' WHEN 158 THEN 'FILE_TYPE_MPEG' WHEN 159 THEN 'FILE_TYPE_QUICKTIME' WHEN 160 THEN 'FILE_TYPE_ASF' WHEN 161 THEN 'FILE_TYPE_DIVX' WHEN 162 THEN 'FILE_TYPE_FLV' WHEN 163 THEN 'FILE_TYPE_WMA' WHEN 164 THEN 'FILE_TYPE_WMV' WHEN 165 THEN 'FILE_TYPE_RM' WHEN 166 THEN 'FILE_TYPE_MOV' WHEN 167 THEN 'FILE_TYPE_MP4' WHEN 168 THEN 'FILE_TYPE_T3GP' WHEN 200 THEN 'FILE_TYPE_PDF' WHEN 201 THEN 'FILE_TYPE_PS' WHEN 202 THEN 'FILE_TYPE_DOC' WHEN 203 THEN 'FILE_TYPE_DOCX' WHEN 204 THEN 'FILE_TYPE_PPT' WHEN 205 THEN 'FILE_TYPE_PPTX' WHEN 209 THEN 'FILE_TYPE_PPSX' WHEN 206 THEN 'FILE_TYPE_XLS' WHEN 207 THEN 'FILE_TYPE_XLSX' WHEN 208 THEN 'FILE_TYPE_RTF' WHEN 250 THEN 'FILE_TYPE_ODP' WHEN 251 THEN 'FILE_TYPE_ODS' WHEN 252 THEN 'FILE_TYPE_ODT' WHEN 253 THEN 'FILE_TYPE_HWP' WHEN 254 THEN 'FILE_TYPE_GUL' WHEN 255 THEN 'FILE_TYPE_ODF' WHEN 256 THEN 'FILE_TYPE_ODG' WHEN 260 THEN 'FILE_TYPE_EBOOK' WHEN 261 THEN 'FILE_TYPE_LATEX' WHEN 262 THEN 'FILE_TYPE_TTF' WHEN 263 THEN 'FILE_TYPE_EOT' WHEN 264 THEN 'FILE_TYPE_WOFF' WHEN 265 THEN 'FILE_TYPE_CHM' WHEN 300 THEN 'FILE_TYPE_ZIP' WHEN 301 THEN 'FILE_TYPE_GZIP' WHEN 302 THEN 'FILE_TYPE_BZIP' WHEN 303 THEN 'FILE_TYPE_RZIP' WHEN 304 THEN 'FILE_TYPE_DZIP' WHEN 305 THEN 'FILE_TYPE_SEVENZIP' WHEN 306 THEN 'FILE_TYPE_CAB' WHEN 307 THEN 'FILE_TYPE_JAR' WHEN 308 THEN 'FILE_TYPE_RAR' WHEN 309 THEN 'FILE_TYPE_MSCOMPRESS' WHEN 310 THEN 'FILE_TYPE_ACE' WHEN 311 THEN 'FILE_TYPE_ARC' WHEN 312 THEN 'FILE_TYPE_ARJ' WHEN 313 THEN 'FILE_TYPE_ASD' WHEN 314 THEN 'FILE_TYPE_BLACKHOLE' WHEN 315 THEN 'FILE_TYPE_KGB' WHEN 316 THEN 'FILE_TYPE_ZLIB' WHEN 317 THEN 'FILE_TYPE_TAR' WHEN 400 THEN 'FILE_TYPE_TEXT' WHEN 401 THEN 'FILE_TYPE_SCRIPT' WHEN 402 THEN 'FILE_TYPE_PHP' WHEN 403 THEN 'FILE_TYPE_PYTHON' WHEN 404 THEN 
'FILE_TYPE_PERL' WHEN 405 THEN 'FILE_TYPE_RUBY' WHEN 406 THEN 'FILE_TYPE_C' WHEN 407 THEN 'FILE_TYPE_CPP' WHEN 408 THEN 'FILE_TYPE_JAVA' WHEN 409 THEN 'FILE_TYPE_SHELLSCRIPT' WHEN 410 THEN 'FILE_TYPE_PASCAL' WHEN 411 THEN 'FILE_TYPE_AWK' WHEN 412 THEN 'FILE_TYPE_DYALOG' WHEN 413 THEN 'FILE_TYPE_FORTRAN' WHEN 414 THEN 'FILE_TYPE_JAVASCRIPT' WHEN 415 THEN 'FILE_TYPE_POWERSHELL' WHEN 416 THEN 'FILE_TYPE_VBA' WHEN 500 THEN 'FILE_TYPE_SYMBIAN' WHEN 501 THEN 'FILE_TYPE_PALMOS' WHEN 502 THEN 'FILE_TYPE_WINCE' WHEN 503 THEN 'FILE_TYPE_ANDROID' WHEN 504 THEN 'FILE_TYPE_IPHONE' WHEN 600 THEN 'FILE_TYPE_HTML' WHEN 601 THEN 'FILE_TYPE_XML' WHEN 602 THEN 'FILE_TYPE_SWF' WHEN 603 THEN 'FILE_TYPE_FLA' WHEN 604 THEN 'FILE_TYPE_COOKIE' WHEN 605 THEN 'FILE_TYPE_TORRENT' WHEN 606 THEN 'FILE_TYPE_EMAIL_TYPE' WHEN 607 THEN 'FILE_TYPE_OUTLOOK' WHEN 700 THEN 'FILE_TYPE_CAP' WHEN 800 THEN 'FILE_TYPE_ISOIMAGE' WHEN 1000 THEN 'FILE_TYPE_APPLE' WHEN 1001 THEN 'FILE_TYPE_MACINTOSH' WHEN 1002 THEN 'FILE_TYPE_APPLESINGLE' WHEN 1003 THEN 'FILE_TYPE_APPLEDOUBLE' WHEN 1004 THEN 'FILE_TYPE_MACINTOSH_HFS' WHEN 1005 THEN 'FILE_TYPE_APPLE_PLIST' WHEN 1006 THEN 'FILE_TYPE_MACINTOSH_LIB' WHEN 1007 THEN 'FILE_TYPE_APPLESCRIPT' WHEN 1008 THEN 'FILE_TYPE_APPLESCRIPT_COMPILED' WHEN 1100 THEN 'FILE_TYPE_CRX' WHEN 1101 THEN 'FILE_TYPE_XPI' WHEN 1200 THEN 'FILE_TYPE_ROM' END ;; + group_label: "target" + label: "target.process.file.file_type_enum_name" + view_label: "UDM" + description: "FileType field." + } # dimension target__process__file__file_type_enum_name + + dimension: target__process__file__full_path { + type: string + sql: ${TABLE}.target.process.file.full_path ;; + group_label: "target" + label: "target.process.file.full_path" + view_label: "UDM" + description: "The full path identifying the location of the file on the system." 
+ } # dimension target__process__file__full_path + + dimension: target__process__file__md5 { + type: string + sql: ${TABLE}.target.process.file.md5 ;; + group_label: "target" + label: "target.process.file.md5" + view_label: "UDM" + description: "The MD5 hash of the file." + } # dimension target__process__file__md5 + + dimension: target__process__file__mime_type { + type: string + sql: ${TABLE}.target.process.file.mime_type ;; + group_label: "target" + label: "target.process.file.mime_type" + view_label: "UDM" + description: "The MIME (Multipurpose Internet Mail Extensions) type of the file, for example \"PE\", \"PDF\", \"powershell script\", etc." + } # dimension target__process__file__mime_type + + dimension: target__process__file__names { + hidden: yes + } # dimension target__process__file__names + + dimension: target__process__file__pe_file { + hidden: yes + } # dimension target__process__file__pe_file + + dimension: target__process__file__pe_file__signature_info { + hidden: yes + } # dimension target__process__file__pe_file__signature_info + + dimension: target__process__file__pe_file__signature_info__signer { + hidden: yes + } # dimension target__process__file__pe_file__signature_info__signer + + dimension: target__process__file__pe_file__signature_info__verification_message { + type: string + sql: ${TABLE}.target.process.file.pe_file.signature_info.verification_message ;; + group_label: "target" + group_item_label: "target.process.file.pe_file.signature_info.verification_message [D]" + label: "target.process.file.pe_file.signature_info.verification_message" + view_label: "UDM" + description: "Status of the certificate. Valid values are \"Signed\", \"Unsigned\" or a description of the certificate anomaly, if found. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension target__process__file__pe_file__signature_info__verification_message + + dimension: target__process__file__sha1 { + type: string + sql: ${TABLE}.target.process.file.sha1 ;; + group_label: "target" + label: "target.process.file.sha1" + view_label: "UDM" + description: "The SHA1 hash of the file." + } # dimension target__process__file__sha1 + + dimension: target__process__file__sha256 { + type: string + sql: ${TABLE}.target.process.file.sha256 ;; + group_label: "target" + label: "target.process.file.sha256" + view_label: "UDM" + description: "The SHA256 hash of the file." + } # dimension target__process__file__sha256 + + dimension: target__process__file__size { + type: number + sql: ${TABLE}.target.process.file.size ;; + group_label: "target" + label: "target.process.file.size" + view_label: "UDM" + description: "The size of the file in bytes." + } # dimension target__process__file__size + + dimension: target__process__parent_pid { + type: string + sql: ${TABLE}.target.process.parent_pid ;; + group_label: "target" + group_item_label: "target.process.parent_pid [D]" + label: "target.process.parent_pid" + view_label: "UDM" + description: "The ID of the parent process. Deprecated: use parent_process.pid instead. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__process__parent_pid + + dimension: target__process__parent_process { + hidden: yes + } # dimension target__process__parent_process + + dimension: target__process__parent_process__command_line { + type: string + sql: ${TABLE}.target.process.parent_process.command_line ;; + group_label: "target" + label: "target.process.parent_process.command_line" + view_label: "UDM" + description: "The command line command that created the process." 
+ } # dimension target__process__parent_process__command_line + + dimension: target__process__parent_process__file { + hidden: yes + } # dimension target__process__parent_process__file + + dimension: target__process__parent_process__file__capabilities_tags { + hidden: yes + } # dimension target__process__parent_process__file__capabilities_tags + + dimension: target__process__parent_process__file__full_path { + type: string + sql: ${TABLE}.target.process.parent_process.file.full_path ;; + group_label: "target" + label: "target.process.parent_process.file.full_path" + view_label: "UDM" + description: "The full path identifying the location of the file on the system." + } # dimension target__process__parent_process__file__full_path + + dimension: target__process__parent_process__file__md5 { + type: string + sql: ${TABLE}.target.process.parent_process.file.md5 ;; + group_label: "target" + label: "target.process.parent_process.file.md5" + view_label: "UDM" + description: "The MD5 hash of the file." + } # dimension target__process__parent_process__file__md5 + + dimension: target__process__parent_process__file__names { + hidden: yes + } # dimension target__process__parent_process__file__names + + dimension: target__process__parent_process__file__sha1 { + type: string + sql: ${TABLE}.target.process.parent_process.file.sha1 ;; + group_label: "target" + label: "target.process.parent_process.file.sha1" + view_label: "UDM" + description: "The SHA1 hash of the file." + } # dimension target__process__parent_process__file__sha1 + + dimension: target__process__parent_process__file__sha256 { + type: string + sql: ${TABLE}.target.process.parent_process.file.sha256 ;; + group_label: "target" + label: "target.process.parent_process.file.sha256" + view_label: "UDM" + description: "The SHA256 hash of the file." 
+ } # dimension target__process__parent_process__file__sha256 + + dimension: target__process__parent_process__parent_pid { + type: string + sql: ${TABLE}.target.process.parent_process.parent_pid ;; + group_label: "target" + group_item_label: "target.process.parent_process.parent_pid [D]" + label: "target.process.parent_process.parent_pid" + view_label: "UDM" + description: "The ID of the parent process. Deprecated: use parent_process.pid instead. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__process__parent_process__parent_pid + + dimension: target__process__parent_process__pid { + type: string + sql: ${TABLE}.target.process.parent_process.pid ;; + group_label: "target" + label: "target.process.parent_process.pid" + view_label: "UDM" + description: "The process ID." + } # dimension target__process__parent_process__pid + + dimension: target__process__parent_process__product_specific_process_id { + type: string + sql: ${TABLE}.target.process.parent_process.product_specific_process_id ;; + group_label: "target" + label: "target.process.parent_process.product_specific_process_id" + view_label: "UDM" + description: "A product specific process id." + } # dimension target__process__parent_process__product_specific_process_id + + dimension: target__process__pid { + type: string + sql: ${TABLE}.target.process.pid ;; + group_label: "target" + label: "target.process.pid" + view_label: "UDM" + description: "The process ID." + } # dimension target__process__pid + + dimension: target__process__product_specific_parent_process_id { + type: string + sql: ${TABLE}.target.process.product_specific_parent_process_id ;; + group_label: "target" + group_item_label: "target.process.product_specific_parent_process_id [D]" + label: "target.process.product_specific_parent_process_id" + view_label: "UDM" + description: "A product specific id for the parent process. Please use parent_process.product_specific_process_id instead. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension target__process__product_specific_parent_process_id + + dimension: target__process__product_specific_process_id { + type: string + sql: ${TABLE}.target.process.product_specific_process_id ;; + group_label: "target" + label: "target.process.product_specific_process_id" + view_label: "UDM" + description: "A product specific process id." + } # dimension target__process__product_specific_process_id + + dimension: target__process_ancestors { + hidden: yes + } # dimension target__process_ancestors + + dimension: target__registry { + hidden: yes + } # dimension target__registry + + dimension: target__registry__registry_key { + type: string + sql: ${TABLE}.target.registry.registry_key ;; + group_label: "target" + label: "target.registry.registry_key" + view_label: "UDM" + description: "Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...)." + } # dimension target__registry__registry_key + + dimension: target__registry__registry_value_data { + type: string + sql: ${TABLE}.target.registry.registry_value_data ;; + group_label: "target" + label: "target.registry.registry_value_data" + view_label: "UDM" + description: "Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp)." + } # dimension target__registry__registry_value_data + + dimension: target__registry__registry_value_name { + type: string + sql: ${TABLE}.target.registry.registry_value_name ;; + group_label: "target" + label: "target.registry.registry_value_name" + view_label: "UDM" + description: "Name of the registry value associated with an application or system component (e.g. TEMP)." 
+ } # dimension target__registry__registry_value_name + + dimension: target__resource { + hidden: yes + } # dimension target__resource + + dimension: target__resource__attribute { + hidden: yes + } # dimension target__resource__attribute + + dimension: target__resource__attribute__cloud { + hidden: yes + } # dimension target__resource__attribute__cloud + + dimension: target__resource__attribute__cloud__availability_zone { + type: string + sql: ${TABLE}.target.resource.attribute.cloud.availability_zone ;; + group_label: "target" + label: "target.resource.attribute.cloud.availability_zone" + view_label: "UDM" + description: "The cloud environment availability zone (different from region which is location.name)." + } # dimension target__resource__attribute__cloud__availability_zone + + dimension: target__resource__attribute__cloud__environment { + type: number + sql: ${TABLE}.target.resource.attribute.cloud.environment ;; + group_label: "target" + label: "target.resource.attribute.cloud.environment" + view_label: "UDM" + description: "The Cloud environment." + } # dimension target__resource__attribute__cloud__environment + + dimension: target__resource__attribute__cloud__environment_enum_name { + type: string + suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] + sql: CASE ${TABLE}.target.resource.attribute.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; + group_label: "target" + label: "target.resource.attribute.cloud.environment_enum_name" + view_label: "UDM" + description: "The Cloud environment." 
+ } # dimension target__resource__attribute__cloud__environment_enum_name + + dimension: target__resource__attribute__cloud__project { + hidden: yes + } # dimension target__resource__attribute__cloud__project + + dimension: target__resource__attribute__cloud__project__id { + type: string + sql: ${TABLE}.target.resource.attribute.cloud.project.id ;; + group_label: "target" + group_item_label: "target.resource.attribute.cloud.project.id [D]" + label: "target.resource.attribute.cloud.project.id" + view_label: "UDM" + description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__resource__attribute__cloud__project__id + + dimension: target__resource__attribute__cloud__project__name { + type: string + sql: ${TABLE}.target.resource.attribute.cloud.project.name ;; + group_label: "target" + group_item_label: "target.resource.attribute.cloud.project.name [D]" + label: "target.resource.attribute.cloud.project.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__resource__attribute__cloud__project__name + + dimension_group: target__resource__attribute__creation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.resource.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.resource.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.resource.attribute.creation_time" + view_label: "UDM" + description: "Time the resource or entity was created or provisioned." 
+ } # dimension target__resource__attribute__creation_time + + dimension: target__resource__attribute__labels { + hidden: yes + } # dimension target__resource__attribute__labels + + dimension_group: target__resource__attribute__last_update_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.resource.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.resource.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.resource.attribute.last_update_time" + view_label: "UDM" + description: "Time the resource or entity was last updated." + } # dimension target__resource__attribute__last_update_time + + dimension: target__resource__attribute__permissions { + hidden: yes + } # dimension target__resource__attribute__permissions + + dimension: target__resource__attribute__roles { + hidden: yes + } # dimension target__resource__attribute__roles + + dimension: target__resource__id { + type: string + sql: ${TABLE}.target.resource.id ;; + group_label: "target" + group_item_label: "target.resource.id [D]" + label: "target.resource.id" + view_label: "UDM" + description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__resource__id + + dimension: target__resource__name { + type: string + sql: ${TABLE}.target.resource.name ;; + group_label: "target" + label: "target.resource.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." 
+ } # dimension target__resource__name + + dimension: target__resource__parent { + type: string + sql: ${TABLE}.target.resource.parent ;; + group_label: "target" + group_item_label: "target.resource.parent [D]" + label: "target.resource.parent" + view_label: "UDM" + description: "The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: use resource_ancestors.name. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__resource__parent + + dimension: target__resource__product_object_id { + type: string + sql: ${TABLE}.target.resource.product_object_id ;; + group_label: "target" + label: "target.resource.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" + } # dimension target__resource__product_object_id + + dimension: target__resource__resource_subtype { + type: string + sql: ${TABLE}.target.resource.resource_subtype ;; + group_label: "target" + label: "target.resource.resource_subtype" + view_label: "UDM" + description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\")." + } # dimension target__resource__resource_subtype + + dimension: target__resource__resource_type { + type: number + sql: ${TABLE}.target.resource.resource_type ;; + group_label: "target" + label: "target.resource.resource_type" + view_label: "UDM" + description: "Resource type." 
+ } # dimension target__resource__resource_type + + dimension: target__resource__resource_type_enum_name { + type: string + suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] + sql: CASE ${TABLE}.target.resource.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; + group_label: "target" + label: "target.resource.resource_type_enum_name" + view_label: "UDM" + description: "Resource type." + } # dimension target__resource__resource_type_enum_name + + dimension: target__resource__type { + type: string + sql: ${TABLE}.target.resource.type ;; + group_label: "target" + group_item_label: "target.resource.type [D]" + label: "target.resource.type" + view_label: "UDM" + description: "Deprecated: use resource_type instead. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__resource__type + + dimension: target__resource_ancestors { + hidden: yes + } # dimension target__resource_ancestors + + dimension: target__url { + type: string + sql: ${TABLE}.target.url ;; + group_label: "target" + label: "target.url" + view_label: "UDM" + description: "The URL." 
+ } # dimension target__url + + dimension: target__user { + hidden: yes + } # dimension target__user + + dimension: target__user__account_type { + type: number + sql: ${TABLE}.target.user.account_type ;; + group_label: "target" + label: "target.user.account_type" + view_label: "UDM" + description: "Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/" + } # dimension target__user__account_type + + dimension: target__user__account_type_enum_name { + type: string + suggestions: ["ACCOUNT_TYPE_UNSPECIFIED", "CLOUD_ACCOUNT_TYPE", "DEFAULT_ACCOUNT_TYPE", "DOMAIN_ACCOUNT_TYPE", "LOCAL_ACCOUNT_TYPE", "SERVICE_ACCOUNT_TYPE"] + sql: CASE ${TABLE}.target.user.account_type WHEN 0 THEN 'ACCOUNT_TYPE_UNSPECIFIED' WHEN 1 THEN 'DOMAIN_ACCOUNT_TYPE' WHEN 2 THEN 'LOCAL_ACCOUNT_TYPE' WHEN 3 THEN 'CLOUD_ACCOUNT_TYPE' WHEN 4 THEN 'SERVICE_ACCOUNT_TYPE' WHEN 5 THEN 'DEFAULT_ACCOUNT_TYPE' END ;; + group_label: "target" + label: "target.user.account_type_enum_name" + view_label: "UDM" + description: "Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/" + } # dimension target__user__account_type_enum_name + + dimension: target__user__attribute { + hidden: yes + } # dimension target__user__attribute + + dimension: target__user__attribute__cloud { + hidden: yes + } # dimension target__user__attribute__cloud + + dimension: target__user__attribute__cloud__environment { + type: number + sql: ${TABLE}.target.user.attribute.cloud.environment ;; + group_label: "target" + label: "target.user.attribute.cloud.environment" + view_label: "UDM" + description: "The Cloud environment." 
+ } # dimension target__user__attribute__cloud__environment + + dimension: target__user__attribute__cloud__environment_enum_name { + type: string + suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] + sql: CASE ${TABLE}.target.user.attribute.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; + group_label: "target" + label: "target.user.attribute.cloud.environment_enum_name" + view_label: "UDM" + description: "The Cloud environment." + } # dimension target__user__attribute__cloud__environment_enum_name + + dimension: target__user__attribute__cloud__project { + hidden: yes + } # dimension target__user__attribute__cloud__project + + dimension: target__user__attribute__cloud__project__id { + type: string + sql: ${TABLE}.target.user.attribute.cloud.project.id ;; + group_label: "target" + group_item_label: "target.user.attribute.cloud.project.id [D]" + label: "target.user.attribute.cloud.project.id" + view_label: "UDM" + description: "Deprecated: Use resource.name or resource.product_object_id. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension target__user__attribute__cloud__project__id + + dimension: target__user__attribute__cloud__vpc { + hidden: yes + } # dimension target__user__attribute__cloud__vpc + + dimension: target__user__attribute__cloud__vpc__product_object_id { + type: string + sql: ${TABLE}.target.user.attribute.cloud.vpc.product_object_id ;; + group_label: "target" + group_item_label: "target.user.attribute.cloud.vpc.product_object_id [D]" + label: "target.user.attribute.cloud.vpc.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" + } # dimension target__user__attribute__cloud__vpc__product_object_id + + dimension_group: target__user__attribute__creation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.user.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.user.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.user.attribute.creation_time" + view_label: "UDM" + description: "Time the resource or entity was created or provisioned." 
+ } # dimension target__user__attribute__creation_time + + dimension: target__user__attribute__labels { + hidden: yes + } # dimension target__user__attribute__labels + + dimension_group: target__user__attribute__last_update_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.user.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.user.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.user.attribute.last_update_time" + view_label: "UDM" + description: "Time the resource or entity was last updated." + } # dimension target__user__attribute__last_update_time + + dimension: target__user__attribute__permissions { + hidden: yes + } # dimension target__user__attribute__permissions + + dimension: target__user__attribute__roles { + hidden: yes + } # dimension target__user__attribute__roles + + dimension: target__user__company_name { + type: string + sql: ${TABLE}.target.user.company_name ;; + group_label: "target" + label: "target.user.company_name" + view_label: "UDM" + description: "User job company name." + } # dimension target__user__company_name + + dimension: target__user__department { + hidden: yes + } # dimension target__user__department + + dimension: target__user__email_addresses { + hidden: yes + } # dimension target__user__email_addresses + + dimension: target__user__employee_id { + type: string + sql: ${TABLE}.target.user.employee_id ;; + group_label: "target" + label: "target.user.employee_id" + view_label: "UDM" + description: "Human capital management identifier." + } # dimension target__user__employee_id + + dimension: target__user__first_name { + type: string + sql: ${TABLE}.target.user.first_name ;; + group_label: "target" + label: "target.user.first_name" + view_label: "UDM" + description: "First name of the user (e.g. \"John\")." 
+ } # dimension target__user__first_name + + dimension: target__user__group_identifiers { + hidden: yes + } # dimension target__user__group_identifiers + + dimension: target__user__groupid { + type: string + sql: ${TABLE}.target.user.groupid ;; + group_label: "target" + group_item_label: "target.user.groupid [D]" + label: "target.user.groupid" + view_label: "UDM" + description: "The ID of the group that the user belongs to. Deprecated in favor of the repeated group_identifiers field. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__user__groupid + + dimension_group: target__user__hire_date { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.user.hire_date.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.user.hire_date.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.user.hire_date" + view_label: "UDM" + description: "User job employment hire date." + } # dimension target__user__hire_date + + dimension: target__user__last_name { + type: string + sql: ${TABLE}.target.user.last_name ;; + group_label: "target" + label: "target.user.last_name" + view_label: "UDM" + description: "Last name of the user (e.g. \"Locke\")." + } # dimension target__user__last_name + + dimension: target__user__managers { + hidden: yes + } # dimension target__user__managers + + dimension: target__user__middle_name { + type: string + sql: ${TABLE}.target.user.middle_name ;; + group_label: "target" + label: "target.user.middle_name" + view_label: "UDM" + description: "Middle name of the user." 
+ } # dimension target__user__middle_name + + dimension: target__user__office_address { + hidden: yes + } # dimension target__user__office_address + + dimension: target__user__office_address__city { + type: string + sql: ${TABLE}.target.user.office_address.city ;; + group_label: "target" + label: "target.user.office_address.city" + view_label: "UDM" + description: "The city." + } # dimension target__user__office_address__city + + dimension: target__user__office_address__country_or_region { + type: string + sql: ${TABLE}.target.user.office_address.country_or_region ;; + group_label: "target" + label: "target.user.office_address.country_or_region" + view_label: "UDM" + description: "The country or region." + } # dimension target__user__office_address__country_or_region + + dimension: target__user__office_address__desk_name { + type: string + sql: ${TABLE}.target.user.office_address.desk_name ;; + group_label: "target" + label: "target.user.office_address.desk_name" + view_label: "UDM" + description: "Desk name or individual location, typically for an employee in an office. (e.g. \"IN-BLR-BCPC-11-1121D\")." + } # dimension target__user__office_address__desk_name + + dimension: target__user__office_address__floor_name { + type: string + sql: ${TABLE}.target.user.office_address.floor_name ;; + group_label: "target" + label: "target.user.office_address.floor_name" + view_label: "UDM" + description: "Floor name, number or a combination of the two for a building. (e.g. \"1-A\")." + } # dimension target__user__office_address__floor_name + + dimension: target__user__office_address__name { + type: string + sql: ${TABLE}.target.user.office_address.name ;; + group_label: "target" + label: "target.user.office_address.name" + view_label: "UDM" + description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." 
+ } # dimension target__user__office_address__name + + dimension: target__user__office_address__state { + type: string + sql: ${TABLE}.target.user.office_address.state ;; + group_label: "target" + label: "target.user.office_address.state" + view_label: "UDM" + description: "The state." + } # dimension target__user__office_address__state + + dimension: target__user__personal_address { + hidden: yes + } # dimension target__user__personal_address + + dimension: target__user__personal_address__city { + type: string + sql: ${TABLE}.target.user.personal_address.city ;; + group_label: "target" + label: "target.user.personal_address.city" + view_label: "UDM" + description: "The city." + } # dimension target__user__personal_address__city + + dimension: target__user__personal_address__country_or_region { + type: string + sql: ${TABLE}.target.user.personal_address.country_or_region ;; + group_label: "target" + label: "target.user.personal_address.country_or_region" + view_label: "UDM" + description: "The country or region." + } # dimension target__user__personal_address__country_or_region + + dimension: target__user__personal_address__name { + type: string + sql: ${TABLE}.target.user.personal_address.name ;; + group_label: "target" + label: "target.user.personal_address.name" + view_label: "UDM" + description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." + } # dimension target__user__personal_address__name + + dimension: target__user__personal_address__region_latitude { + type: number + sql: ${TABLE}.target.user.personal_address.region_latitude ;; + group_label: "target" + group_item_label: "target.user.personal_address.region_latitude [D]" + label: "target.user.personal_address.region_latitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension target__user__personal_address__region_latitude + + dimension: target__user__personal_address__region_longitude { + type: number + sql: ${TABLE}.target.user.personal_address.region_longitude ;; + group_label: "target" + group_item_label: "target.user.personal_address.region_longitude [D]" + label: "target.user.personal_address.region_longitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__user__personal_address__region_longitude + + dimension: target__user__personal_address__location { + type: location + sql_latitude: ${TABLE}.target.user.personal_address.region_latitude ;; + sql_longitude: ${TABLE}.target.user.personal_address.region_longitude ;; + group_label: "target" + group_item_label: "target.user.personal_address.location [D][L]" + label: "target.user.personal_address.location" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." + } # dimension target__user__personal_address__location + + dimension: target__user__personal_address__state { + type: string + sql: ${TABLE}.target.user.personal_address.state ;; + group_label: "target" + label: "target.user.personal_address.state" + view_label: "UDM" + description: "The state." + } # dimension target__user__personal_address__state + + dimension: target__user__phone_numbers { + hidden: yes + } # dimension target__user__phone_numbers + + dimension: target__user__product_object_id { + type: string + sql: ${TABLE}.target.user.product_object_id ;; + group_label: "target" + label: "target.user.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." 
+ } # dimension target__user__product_object_id + + dimension: target__user__role_description { + type: string + sql: ${TABLE}.target.user.role_description ;; + group_label: "target" + group_item_label: "target.user.role_description [D]" + label: "target.user.role_description" + view_label: "UDM" + description: "System role description for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__user__role_description + + dimension: target__user__role_name { + type: string + sql: ${TABLE}.target.user.role_name ;; + group_label: "target" + group_item_label: "target.user.role_name [D]" + label: "target.user.role_name" + view_label: "UDM" + description: "System role name for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__user__role_name + + dimension_group: target__user__termination_date { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.user.termination_date.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.user.termination_date.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.user.termination_date" + view_label: "UDM" + description: "User job employment termination date." + } # dimension target__user__termination_date + + dimension: target__user__time_off { + hidden: yes + } # dimension target__user__time_off + + dimension: target__user__title { + type: string + sql: ${TABLE}.target.user.title ;; + group_label: "target" + label: "target.user.title" + view_label: "UDM" + description: "User job title." 
+ } # dimension target__user__title + + dimension: target__user__user_authentication_status { + type: number + sql: ${TABLE}.target.user.user_authentication_status ;; + group_label: "target" + label: "target.user.user_authentication_status" + view_label: "UDM" + description: "System authentication status for user." + } # dimension target__user__user_authentication_status + + dimension: target__user__user_authentication_status_enum_name { + type: string + suggestions: ["ACTIVE", "DELETED", "NO_ACTIVE_CREDENTIALS", "SUSPENDED", "UNKNOWN_AUTHENTICATION_STATUS"] + sql: CASE ${TABLE}.target.user.user_authentication_status WHEN 0 THEN 'UNKNOWN_AUTHENTICATION_STATUS' WHEN 1 THEN 'ACTIVE' WHEN 2 THEN 'SUSPENDED' WHEN 3 THEN 'NO_ACTIVE_CREDENTIALS' WHEN 4 THEN 'DELETED' END ;; + group_label: "target" + label: "target.user.user_authentication_status_enum_name" + view_label: "UDM" + description: "System authentication status for user." + } # dimension target__user__user_authentication_status_enum_name + + dimension: target__user__user_display_name { + type: string + sql: ${TABLE}.target.user.user_display_name ;; + group_label: "target" + label: "target.user.user_display_name" + view_label: "UDM" + description: "The display name of the user (e.g. \"John Locke\")." + } # dimension target__user__user_display_name + + dimension: target__user__user_role { + type: number + sql: ${TABLE}.target.user.user_role ;; + group_label: "target" + group_item_label: "target.user.user_role [D]" + label: "target.user.user_role" + view_label: "UDM" + description: "System role for user. Deprecated: use attribute.roles. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension target__user__user_role + + dimension: target__user__user_role_enum_name { + type: string + suggestions: ["ADMINISTRATOR", "SERVICE_ACCOUNT", "UNKNOWN_ROLE"] + sql: CASE ${TABLE}.target.user.user_role WHEN 0 THEN 'UNKNOWN_ROLE' WHEN 1 THEN 'ADMINISTRATOR' WHEN 2 THEN 'SERVICE_ACCOUNT' END ;; + group_label: "target" + group_item_label: "target.user.user_role_enum_name [D]" + label: "target.user.user_role_enum_name" + view_label: "UDM" + description: "System role for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" + } # dimension target__user__user_role_enum_name + + dimension: target__user__userid { + type: string + sql: ${TABLE}.target.user.userid ;; + group_label: "target" + label: "target.user.userid" + view_label: "UDM" + description: "The ID of the user." + } # dimension target__user__userid + + dimension: target__user__windows_sid { + type: string + sql: ${TABLE}.target.user.windows_sid ;; + group_label: "target" + label: "target.user.windows_sid" + view_label: "UDM" + description: "The Microsoft Windows SID of the user." + } # dimension target__user__windows_sid + + dimension: target__user_management_chain { + hidden: yes + } # dimension target__user_management_chain + +} # view udm_events + +view: udm_events__about__asset__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "about" + label: "about.asset.attribute.labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "about" + label: "about.asset.attribute.labels.value" + view_label: "UDM" + description: "The value." 
+ } # dimension value + +} # view udm_events__about__asset__attribute__labels + +view: udm_events__about__asset__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "about" + label: "about.asset.attribute.permissions.description" + view_label: "UDM" + description: "Description of the permission (e.g. 'Ability to update detect rules')." + } # dimension description + +} # view udm_events__about__asset__attribute__permissions + +view: udm_events__about__asset__hardware { + dimension: manufacturer { + type: string + sql: ${TABLE}.manufacturer ;; + group_label: "about" + label: "about.asset.hardware.manufacturer" + view_label: "UDM" + description: "Hardware manufacturer." + } # dimension manufacturer + + dimension: model { + type: string + sql: ${TABLE}.model ;; + group_label: "about" + label: "about.asset.hardware.model" + view_label: "UDM" + description: "Hardware model." + } # dimension model + + dimension: serial_number { + type: string + sql: ${TABLE}.serial_number ;; + group_label: "about" + label: "about.asset.hardware.serial_number" + view_label: "UDM" + description: "Hardware serial number." + } # dimension serial_number + +} # view udm_events__about__asset__hardware + +view: udm_events__about__asset__ip { + dimension: udm_events__about__asset__ip { + type: string + sql: ${TABLE} ;; + group_label: "about" + label: "about.asset.ip" + view_label: "UDM" + description: "A list of IP addresses associated with an asset." + } # dimension udm_events__about__asset__ip +} # view udm_events__about__asset__ip + +view: udm_events__about__asset__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "about" + group_item_label: "about.asset.labels.key [D]" + label: "about.asset.labels.key" + view_label: "UDM" + description: "The key. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "about" + group_item_label: "about.asset.labels.value [D]" + label: "about.asset.labels.value" + view_label: "UDM" + description: "The value. [D]: This field is deprecated and will be removed in a future release" + } # dimension value + +} # view udm_events__about__asset__labels + +view: udm_events__about__asset__vulnerabilities { + dimension: severity { + type: number + sql: ${TABLE}.severity ;; + group_label: "about" + label: "about.asset.vulnerabilities.severity" + view_label: "UDM" + description: "The severity of the vulnerability." + } # dimension severity + + dimension: severity_enum_name { + type: string + suggestions: ["CRITICAL", "HIGH", "LOW", "MEDIUM", "UNKNOWN_SEVERITY"] + sql: CASE ${TABLE}.severity WHEN 0 THEN 'UNKNOWN_SEVERITY' WHEN 1 THEN 'LOW' WHEN 2 THEN 'MEDIUM' WHEN 3 THEN 'HIGH' WHEN 4 THEN 'CRITICAL' END ;; + group_label: "about" + label: "about.asset.vulnerabilities.severity_enum_name" + view_label: "UDM" + description: "The severity of the vulnerability." + } # dimension severity_enum_name + +} # view udm_events__about__asset__vulnerabilities + +view: udm_events__about__file__capabilities_tags { + dimension: udm_events__about__file__capabilities_tags { + type: string + sql: ${TABLE} ;; + group_label: "about" + label: "about.file.capabilities_tags" + view_label: "UDM" + description: "Capabilities tags." + } # dimension udm_events__about__file__capabilities_tags +} # view udm_events__about__file__capabilities_tags + +view: udm_events__about__file__names { + dimension: udm_events__about__file__names { + type: string + sql: ${TABLE} ;; + group_label: "about" + label: "about.file.names" + view_label: "UDM" + description: "Names fields." 
+ } # dimension udm_events__about__file__names +} # view udm_events__about__file__names + +view: udm_events__about__investigation__comments { + dimension: udm_events__about__investigation__comments { + type: string + sql: ${TABLE} ;; + group_label: "about" + label: "about.investigation.comments" + view_label: "UDM" + description: "Comment added by the Analyst." + } # dimension udm_events__about__investigation__comments +} # view udm_events__about__investigation__comments + +view: udm_events__about__ip { + dimension: udm_events__about__ip { + type: string + sql: ${TABLE} ;; + group_label: "about" + label: "about.ip" + view_label: "UDM" + description: "A list of IP addresses associated with a network connection." + } # dimension udm_events__about__ip +} # view udm_events__about__ip + +view: udm_events__about__ip_location { + dimension: country_or_region { + type: string + sql: ${TABLE}.country_or_region ;; + group_label: "about" + group_item_label: "about.ip_location.country_or_region [D]" + label: "about.ip_location.country_or_region" + view_label: "UDM" + description: "The country or region. [D]: This field is deprecated and will be removed in a future release" + } # dimension country_or_region + +} # view udm_events__about__ip_location + +view: udm_events__about__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "about" + group_item_label: "about.labels.key [D]" + label: "about.labels.key" + view_label: "UDM" + description: "The key. [D]: This field is deprecated and will be removed in a future release" + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "about" + group_item_label: "about.labels.value [D]" + label: "about.labels.value" + view_label: "UDM" + description: "The value. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension value + +} # view udm_events__about__labels + +view: udm_events__about__mac { + dimension: udm_events__about__mac { + type: string + sql: ${TABLE} ;; + group_label: "about" + label: "about.mac" + view_label: "UDM" + description: "List of MAC addresses associated with a device." + } # dimension udm_events__about__mac +} # view udm_events__about__mac + +view: udm_events__about__nat_ip { + dimension: udm_events__about__nat_ip { + type: string + sql: ${TABLE} ;; + group_label: "about" + label: "about.nat_ip" + view_label: "UDM" + description: "A list of NAT translated IP addresses associated with a network connection." + } # dimension udm_events__about__nat_ip +} # view udm_events__about__nat_ip + +view: udm_events__about__resource__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "about" + label: "about.resource.attribute.labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "about" + label: "about.resource.attribute.labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view udm_events__about__resource__attribute__labels + +view: udm_events__about__resource__attribute__permissions { + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "about" + label: "about.resource.attribute.permissions.name" + view_label: "UDM" + description: "Name of the permission (e.g. chronicle.analyst.updateRule)." + } # dimension name + +} # view udm_events__about__resource__attribute__permissions + +view: udm_events__about__resource_ancestors__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "about" + label: "about.resource_ancestors.attribute.labels.key" + view_label: "UDM" + description: "The key." 
+ } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "about" + label: "about.resource_ancestors.attribute.labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view udm_events__about__resource_ancestors__attribute__labels + +view: udm_events__about__resource_ancestors { + dimension: attribute { + hidden: yes + } # dimension attribute + + dimension_group: about__resource_ancestors__attribute__creation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "about" + label: "about.resource_ancestors.attribute.creation_time" + view_label: "UDM" + description: "Time the resource or entity was created or provisioned." + } # dimension about__resource_ancestors__attribute__creation_time + + dimension: attribute__labels { + hidden: yes + } # dimension attribute__labels + + dimension_group: about__resource_ancestors__attribute__last_update_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "about" + label: "about.resource_ancestors.attribute.last_update_time" + view_label: "UDM" + description: "Time the resource or entity was last updated." + } # dimension about__resource_ancestors__attribute__last_update_time + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "about" + label: "about.resource_ancestors.name" + view_label: "UDM" + description: "The full name of the resource. 
For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." + } # dimension name + + dimension: product_object_id { + type: string + sql: ${TABLE}.product_object_id ;; + group_label: "about" + label: "about.resource_ancestors.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" + } # dimension product_object_id + +} # view udm_events__about__resource_ancestors + +view: udm_events__about__user__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "about" + label: "about.user.attribute.labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "about" + label: "about.user.attribute.labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view udm_events__about__user__attribute__labels + +view: udm_events__about__user__attribute__permissions { + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "about" + label: "about.user.attribute.permissions.name" + view_label: "UDM" + description: "Name of the permission (e.g. chronicle.analyst.updateRule)." + } # dimension name + +} # view udm_events__about__user__attribute__permissions + +view: udm_events__about__user__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "about" + label: "about.user.attribute.roles.description" + view_label: "UDM" + description: "System role description for user." + } # dimension description + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "about" + label: "about.user.attribute.roles.name" + view_label: "UDM" + description: "System role name for user." 
+ } # dimension name + +} # view udm_events__about__user__attribute__roles + +view: udm_events__about__user__department { + dimension: udm_events__about__user__department { + type: string + sql: ${TABLE} ;; + group_label: "about" + label: "about.user.department" + view_label: "UDM" + description: "User job department" + } # dimension udm_events__about__user__department +} # view udm_events__about__user__department + +view: udm_events__about__user__email_addresses { + dimension: udm_events__about__user__email_addresses { + type: string + sql: ${TABLE} ;; + group_label: "about" + label: "about.user.email_addresses" + view_label: "UDM" + description: "Email addresses of the user." + } # dimension udm_events__about__user__email_addresses +} # view udm_events__about__user__email_addresses + +view: udm_events__about__user__group_identifiers { + dimension: udm_events__about__user__group_identifiers { + type: string + sql: ${TABLE} ;; + group_label: "about" + label: "about.user.group_identifiers" + view_label: "UDM" + description: "Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar)." + } # dimension udm_events__about__user__group_identifiers +} # view udm_events__about__user__group_identifiers + +view: udm_events__about { + dimension: administrative_domain { + type: string + sql: ${TABLE}.administrative_domain ;; + group_label: "about" + label: "about.administrative_domain" + view_label: "UDM" + description: "Domain which the device belongs to (for example, the Microsoft Windows domain)." + } # dimension administrative_domain + + dimension: application { + type: string + sql: ${TABLE}.application ;; + group_label: "about" + label: "about.application" + view_label: "UDM" + description: "The name of an application or service. Some SSO solutions only capture the name of a target application such as \"Atlassian\" or \"Chronicle\"." 
+ } # dimension application + + dimension: artifact { + hidden: yes + } # dimension artifact + + dimension: artifact__prevalence { + hidden: yes + } # dimension artifact__prevalence + + dimension: artifact__prevalence__day_count { + type: number + sql: ${TABLE}.artifact.prevalence.day_count ;; + group_label: "about" + label: "about.artifact.prevalence.day_count" + view_label: "UDM" + description: "The number of days over which rolling_max is calculated." + } # dimension artifact__prevalence__day_count + + dimension: artifact__prevalence__day_max { + type: number + sql: ${TABLE}.artifact.prevalence.day_max ;; + group_label: "about" + label: "about.artifact.prevalence.day_max" + view_label: "UDM" + description: "The max prevalence score in a day interval window." + } # dimension artifact__prevalence__day_max + + dimension: asset { + hidden: yes + } # dimension asset + + dimension: asset__asset_id { + type: string + sql: ${TABLE}.asset.asset_id ;; + group_label: "about" + label: "about.asset.asset_id" + view_label: "UDM" + description: "The asset ID." + } # dimension asset__asset_id + + dimension: asset__attribute { + hidden: yes + } # dimension asset__attribute + + dimension: asset__attribute__labels { + hidden: yes + } # dimension asset__attribute__labels + + dimension: asset__attribute__permissions { + hidden: yes + } # dimension asset__attribute__permissions + + dimension: asset__category { + type: string + sql: ${TABLE}.asset.category ;; + group_label: "about" + label: "about.asset.category" + view_label: "UDM" + description: "The category of the asset (e.g. \"End User Asset\", \"Workstation\", \"Server\")." 
+ } # dimension asset__category + + dimension_group: about__asset__first_discover_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.asset.first_discover_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.asset.first_discover_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "about" + label: "about.asset.first_discover_time" + view_label: "UDM" + description: "Time the asset was first discovered (by asset management/discoverability software)." + } # dimension about__asset__first_discover_time + + dimension: asset__hardware { + hidden: yes + } # dimension asset__hardware + + dimension: asset__hostname { + type: string + sql: ${TABLE}.asset.hostname ;; + group_label: "about" + label: "about.asset.hostname" + view_label: "UDM" + description: "Asset hostname or domain name field." + } # dimension asset__hostname + + dimension: asset__ip { + hidden: yes + } # dimension asset__ip + + dimension: asset__labels { + hidden: yes + } # dimension asset__labels + + dimension_group: about__asset__last_boot_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.asset.last_boot_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.asset.last_boot_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "about" + label: "about.asset.last_boot_time" + view_label: "UDM" + description: "Time the asset was last boot started." + } # dimension about__asset__last_boot_time + + dimension: asset__location { + hidden: yes + } # dimension asset__location + + dimension: asset__location__name { + type: string + sql: ${TABLE}.asset.location.name ;; + group_label: "about" + label: "about.asset.location.name" + view_label: "UDM" + description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." 
+ } # dimension asset__location__name + + dimension: asset__product_object_id { + type: string + sql: ${TABLE}.asset.product_object_id ;; + group_label: "about" + label: "about.asset.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID or similar)." + } # dimension asset__product_object_id + + dimension: asset__vulnerabilities { + hidden: yes + } # dimension asset__vulnerabilities + + dimension: asset_id { + type: string + sql: ${TABLE}.asset_id ;; + group_label: "about" + label: "about.asset_id" + view_label: "UDM" + description: "The asset ID." + } # dimension asset_id + + dimension: cloud { + hidden: yes + } # dimension cloud + + dimension: cloud__vpc { + hidden: yes + } # dimension cloud__vpc + + dimension: cloud__vpc__id { + type: string + sql: ${TABLE}.cloud.vpc.id ;; + group_label: "about" + group_item_label: "about.cloud.vpc.id [D]" + label: "about.cloud.vpc.id" + view_label: "UDM" + description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" + } # dimension cloud__vpc__id + + dimension: domain { + hidden: yes + } # dimension domain + + dimension: domain__billing { + hidden: yes + } # dimension domain__billing + + dimension: domain__billing__title { + type: string + sql: ${TABLE}.domain.billing.title ;; + group_label: "about" + label: "about.domain.billing.title" + view_label: "UDM" + description: "User job title." + } # dimension domain__billing__title + + dimension: domain__name { + type: string + sql: ${TABLE}.domain.name ;; + group_label: "about" + label: "about.domain.name" + view_label: "UDM" + description: "The domain name." + } # dimension domain__name + + dimension: email { + type: string + sql: ${TABLE}.email ;; + group_label: "about" + label: "about.email" + view_label: "UDM" + description: "Email address. 
Only filled in for security_result.about" + } # dimension email + + dimension: file { + hidden: yes + } # dimension file + + dimension: file__capabilities_tags { + hidden: yes + } # dimension file__capabilities_tags + + dimension: file__full_path { + type: string + sql: ${TABLE}.file.full_path ;; + group_label: "about" + label: "about.file.full_path" + view_label: "UDM" + description: "The full path identifying the location of the file on the system." + } # dimension file__full_path + + dimension_group: about__file__last_modification_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.file.last_modification_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.file.last_modification_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "about" + label: "about.file.last_modification_time" + view_label: "UDM" + description: "Timestamp when the file was last updated." + } # dimension about__file__last_modification_time + + dimension: file__md5 { + type: string + sql: ${TABLE}.file.md5 ;; + group_label: "about" + label: "about.file.md5" + view_label: "UDM" + description: "The MD5 hash of the file." + } # dimension file__md5 + + dimension: file__mime_type { + type: string + sql: ${TABLE}.file.mime_type ;; + group_label: "about" + label: "about.file.mime_type" + view_label: "UDM" + description: "The MIME (Multipurpose Internet Mail Extensions) type of the file, for example \"PE\", \"PDF\", \"powershell script\", etc." + } # dimension file__mime_type + + dimension: file__names { + hidden: yes + } # dimension file__names + + dimension: file__sha1 { + type: string + sql: ${TABLE}.file.sha1 ;; + group_label: "about" + label: "about.file.sha1" + view_label: "UDM" + description: "The SHA1 hash of the file." 
+ } # dimension file__sha1 + + dimension: file__sha256 { + type: string + sql: ${TABLE}.file.sha256 ;; + group_label: "about" + label: "about.file.sha256" + view_label: "UDM" + description: "The SHA256 hash of the file." + } # dimension file__sha256 + + dimension: file__size { + type: number + sql: ${TABLE}.file.size ;; + group_label: "about" + label: "about.file.size" + view_label: "UDM" + description: "The size of the file in bytes." + } # dimension file__size + + dimension: group { + hidden: yes + } # dimension group + + dimension: group__group_display_name { + type: string + sql: ${TABLE}.group.group_display_name ;; + group_label: "about" + label: "about.group.group_display_name" + view_label: "UDM" + description: "Group display name. e.g. \"Finance\"." + } # dimension group__group_display_name + + dimension: group__product_object_id { + type: string + sql: ${TABLE}.group.product_object_id ;; + group_label: "about" + label: "about.group.product_object_id" + view_label: "UDM" + description: "Product globally unique user object identifier, such as an LDAP Object Identifier." + } # dimension group__product_object_id + + dimension: hostname { + type: string + sql: ${TABLE}.hostname ;; + group_label: "about" + label: "about.hostname" + view_label: "UDM" + description: "Client hostname or domain name field. Hostname also doubles as the domain for remote entities." + } # dimension hostname + + dimension: investigation { + hidden: yes + } # dimension investigation + + dimension: investigation__comments { + hidden: yes + } # dimension investigation__comments + + dimension: investigation__root_cause { + type: string + sql: ${TABLE}.investigation.root_cause ;; + group_label: "about" + label: "about.investigation.root_cause" + view_label: "UDM" + description: "Root cause of the Alert or Finding set by analyst." 
+ } # dimension investigation__root_cause + + dimension: ip { + hidden: yes + } # dimension ip + + dimension: ip_location { + hidden: yes + } # dimension ip_location + + dimension: labels { + hidden: yes + } # dimension labels + + dimension: location { + hidden: yes + } # dimension location + + dimension: location__city { + type: string + sql: ${TABLE}.location.city ;; + group_label: "about" + label: "about.location.city" + view_label: "UDM" + description: "The city." + } # dimension location__city + + dimension: location__country_or_region { + type: string + sql: ${TABLE}.location.country_or_region ;; + group_label: "about" + label: "about.location.country_or_region" + view_label: "UDM" + description: "The country or region." + } # dimension location__country_or_region + + dimension: location__state { + type: string + sql: ${TABLE}.location.state ;; + group_label: "about" + label: "about.location.state" + view_label: "UDM" + description: "The state." + } # dimension location__state + + dimension: mac { + hidden: yes + } # dimension mac + + dimension: namespace { + type: string + sql: ${TABLE}.namespace ;; + group_label: "about" + label: "about.namespace" + view_label: "UDM" + description: "Namespace which the device belongs to (e.g. AD forest) Uses for this field include Microsoft Windows AD forest, name of subsidiary or acquisition, etc." + } # dimension namespace + + dimension: nat_ip { + hidden: yes + } # dimension nat_ip + + dimension: platform_patch_level { + type: string + sql: ${TABLE}.platform_patch_level ;; + group_label: "about" + label: "about.platform_patch_level" + view_label: "UDM" + description: "Platform patch level. For example, \"Build 17134.48\"" + } # dimension platform_patch_level + + dimension: platform_version { + type: string + sql: ${TABLE}.platform_version ;; + group_label: "about" + label: "about.platform_version" + view_label: "UDM" + description: "Platform version. For example, \"Microsoft Windows 1803\"." 
+ } # dimension platform_version + + dimension: port { + type: number + value_format: "#" + sql: ${TABLE}.port ;; + group_label: "about" + label: "about.port" + view_label: "UDM" + description: "Source or destination network port number when a specific network connection is described within an event." + } # dimension port + + dimension: process { + hidden: yes + } # dimension process + + dimension: process__access_mask { + type: number + sql: ${TABLE}.process.access_mask ;; + group_label: "about" + label: "about.process.access_mask" + view_label: "UDM" + description: "A bit mask representing the level of access." + } # dimension process__access_mask + + dimension: process__command_line { + type: string + sql: ${TABLE}.process.command_line ;; + group_label: "about" + label: "about.process.command_line" + view_label: "UDM" + description: "The command line command that created the process." + } # dimension process__command_line + + dimension: process__file { + hidden: yes + } # dimension process__file + + dimension: process__file__full_path { + type: string + sql: ${TABLE}.process.file.full_path ;; + group_label: "about" + label: "about.process.file.full_path" + view_label: "UDM" + description: "The full path identifying the location of the file on the system." + } # dimension process__file__full_path + + dimension: process__parent_pid { + type: string + sql: ${TABLE}.process.parent_pid ;; + group_label: "about" + group_item_label: "about.process.parent_pid [D]" + label: "about.process.parent_pid" + view_label: "UDM" + description: "The ID of the parent process. Deprecated: use parent_process.pid instead. [D]: This field is deprecated and will be removed in a future release" + } # dimension process__parent_pid + + dimension: process__pid { + type: string + sql: ${TABLE}.process.pid ;; + group_label: "about" + label: "about.process.pid" + view_label: "UDM" + description: "The process ID." 
+ } # dimension process__pid + + dimension: registry { + hidden: yes + } # dimension registry + + dimension: registry__registry_key { + type: string + sql: ${TABLE}.registry.registry_key ;; + group_label: "about" + label: "about.registry.registry_key" + view_label: "UDM" + description: "Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...)." + } # dimension registry__registry_key + + dimension: resource { + hidden: yes + } # dimension resource + + dimension: resource__attribute { + hidden: yes + } # dimension resource__attribute + + dimension: resource__attribute__cloud { + hidden: yes + } # dimension resource__attribute__cloud + + dimension: resource__attribute__cloud__availability_zone { + type: string + sql: ${TABLE}.resource.attribute.cloud.availability_zone ;; + group_label: "about" + label: "about.resource.attribute.cloud.availability_zone" + view_label: "UDM" + description: "The cloud environment availability zone (different from region which is location.name)." + } # dimension resource__attribute__cloud__availability_zone + + dimension_group: about__resource__attribute__creation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.resource.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.resource.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "about" + label: "about.resource.attribute.creation_time" + view_label: "UDM" + description: "Time the resource or entity was created or provisioned." 
+ } # dimension about__resource__attribute__creation_time + + dimension: resource__attribute__labels { + hidden: yes + } # dimension resource__attribute__labels + + dimension_group: about__resource__attribute__last_update_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.resource.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.resource.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "about" + label: "about.resource.attribute.last_update_time" + view_label: "UDM" + description: "Time the resource or entity was last updated." + } # dimension about__resource__attribute__last_update_time + + dimension: resource__attribute__permissions { + hidden: yes + } # dimension resource__attribute__permissions + + dimension: resource__id { + type: string + sql: ${TABLE}.resource.id ;; + group_label: "about" + group_item_label: "about.resource.id [D]" + label: "about.resource.id" + view_label: "UDM" + description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" + } # dimension resource__id + + dimension: resource__name { + type: string + sql: ${TABLE}.resource.name ;; + group_label: "about" + label: "about.resource.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." + } # dimension resource__name + + dimension: resource__parent { + type: string + sql: ${TABLE}.resource.parent ;; + group_label: "about" + group_item_label: "about.resource.parent [D]" + label: "about.resource.parent" + view_label: "UDM" + description: "The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: use resource_ancestors.name. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension resource__parent + + dimension: resource__product_object_id { + type: string + sql: ${TABLE}.resource.product_object_id ;; + group_label: "about" + label: "about.resource.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" + } # dimension resource__product_object_id + + dimension: resource__resource_subtype { + type: string + sql: ${TABLE}.resource.resource_subtype ;; + group_label: "about" + label: "about.resource.resource_subtype" + view_label: "UDM" + description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\")." + } # dimension resource__resource_subtype + + dimension: resource__resource_type { + type: number + sql: ${TABLE}.resource.resource_type ;; + group_label: "about" + label: "about.resource.resource_type" + view_label: "UDM" + description: "Resource type." + } # dimension resource__resource_type + + dimension: resource__resource_type_enum_name { + type: string + suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] + sql: CASE ${TABLE}.resource.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; + group_label: 
"about" + label: "about.resource.resource_type_enum_name" + view_label: "UDM" + description: "Resource type." + } # dimension resource__resource_type_enum_name + + dimension: resource__type { + type: string + sql: ${TABLE}.resource.type ;; + group_label: "about" + group_item_label: "about.resource.type [D]" + label: "about.resource.type" + view_label: "UDM" + description: "Deprecated: use resource_type instead. [D]: This field is deprecated and will be removed in a future release" + } # dimension resource__type + + dimension: resource_ancestors { + hidden: yes + } # dimension resource_ancestors + + dimension: url { + type: string + sql: ${TABLE}.url ;; + group_label: "about" + label: "about.url" + view_label: "UDM" + description: "The URL." + } # dimension url + + dimension: user { + hidden: yes + } # dimension user + + dimension: user__attribute { + hidden: yes + } # dimension user__attribute + + dimension: user__attribute__labels { + hidden: yes + } # dimension user__attribute__labels + + dimension: user__attribute__permissions { + hidden: yes + } # dimension user__attribute__permissions + + dimension: user__attribute__roles { + hidden: yes + } # dimension user__attribute__roles + + dimension: user__department { + hidden: yes + } # dimension user__department + + dimension: user__email_addresses { + hidden: yes + } # dimension user__email_addresses + + dimension: user__group_identifiers { + hidden: yes + } # dimension user__group_identifiers + + dimension: user__groupid { + type: string + sql: ${TABLE}.user.groupid ;; + group_label: "about" + group_item_label: "about.user.groupid [D]" + label: "about.user.groupid" + view_label: "UDM" + description: "The ID of the group that the user belongs to. Deprecated in favor of the repeated group_identifiers field. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension user__groupid + + dimension: user__product_object_id { + type: string + sql: ${TABLE}.user.product_object_id ;; + group_label: "about" + label: "about.user.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." + } # dimension user__product_object_id + + dimension: user__role_description { + type: string + sql: ${TABLE}.user.role_description ;; + group_label: "about" + group_item_label: "about.user.role_description [D]" + label: "about.user.role_description" + view_label: "UDM" + description: "System role description for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" + } # dimension user__role_description + + dimension: user__role_name { + type: string + sql: ${TABLE}.user.role_name ;; + group_label: "about" + group_item_label: "about.user.role_name [D]" + label: "about.user.role_name" + view_label: "UDM" + description: "System role name for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" + } # dimension user__role_name + + dimension: user__user_authentication_status { + type: number + sql: ${TABLE}.user.user_authentication_status ;; + group_label: "about" + label: "about.user.user_authentication_status" + view_label: "UDM" + description: "System authentication status for user." 
+ } # dimension user__user_authentication_status + + dimension: user__user_authentication_status_enum_name { + type: string + suggestions: ["ACTIVE", "DELETED", "NO_ACTIVE_CREDENTIALS", "SUSPENDED", "UNKNOWN_AUTHENTICATION_STATUS"] + sql: CASE ${TABLE}.user.user_authentication_status WHEN 0 THEN 'UNKNOWN_AUTHENTICATION_STATUS' WHEN 1 THEN 'ACTIVE' WHEN 2 THEN 'SUSPENDED' WHEN 3 THEN 'NO_ACTIVE_CREDENTIALS' WHEN 4 THEN 'DELETED' END ;; + group_label: "about" + label: "about.user.user_authentication_status_enum_name" + view_label: "UDM" + description: "System authentication status for user." + } # dimension user__user_authentication_status_enum_name + + dimension: user__user_display_name { + type: string + sql: ${TABLE}.user.user_display_name ;; + group_label: "about" + label: "about.user.user_display_name" + view_label: "UDM" + description: "The display name of the user (e.g. \"John Locke\")." + } # dimension user__user_display_name + + dimension: user__userid { + type: string + sql: ${TABLE}.user.userid ;; + group_label: "about" + label: "about.user.userid" + view_label: "UDM" + description: "The ID of the user." + } # dimension user__userid + + dimension: user__windows_sid { + type: string + sql: ${TABLE}.user.windows_sid ;; + group_label: "about" + label: "about.user.windows_sid" + view_label: "UDM" + description: "The Microsoft Windows SID of the user." 
+ } # dimension user__windows_sid + +} # view udm_events__about + +view: udm_events__additional__fields__value__list_value__values__struct_value__fields { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "additional" + label: "additional.fields.value.list_value.values.struct_value.fields.key" + view_label: "UDM" + } # dimension key + +} # view udm_events__additional__fields__value__list_value__values__struct_value__fields + +view: udm_events__additional__fields__value__list_value__values { + dimension: string_value { + type: string + sql: ${TABLE}.string_value ;; + group_label: "additional" + label: "additional.fields.value.list_value.values.string_value" + view_label: "UDM" + } # dimension string_value + + dimension: struct_value { + hidden: yes + } # dimension struct_value + + dimension: struct_value__fields { + hidden: yes + } # dimension struct_value__fields + +} # view udm_events__additional__fields__value__list_value__values + +view: udm_events__additional__fields__value__struct_value__fields { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "additional" + label: "additional.fields.value.struct_value.fields.key" + view_label: "UDM" + } # dimension key + +} # view udm_events__additional__fields__value__struct_value__fields + +view: udm_events__additional__fields { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "additional" + label: "additional.fields.key" + view_label: "UDM" + } # dimension key + + dimension: value { + hidden: yes + } # dimension value + + dimension: value__bool_value { + type: yesno + sql: ${TABLE}.value.bool_value ;; + group_label: "additional" + label: "additional.fields.value.bool_value" + view_label: "UDM" + } # dimension value__bool_value + + dimension: value__list_value { + hidden: yes + } # dimension value__list_value + + dimension: value__list_value__values { + hidden: yes + } # dimension value__list_value__values + + dimension: value__null_value { + type: number 
+ sql: ${TABLE}.value.null_value ;; + group_label: "additional" + label: "additional.fields.value.null_value" + view_label: "UDM" + } # dimension value__null_value + + dimension: value__null_value_enum_name { + type: string + suggestions: ["NULL_VALUE"] + sql: CASE ${TABLE}.value.null_value WHEN 0 THEN 'NULL_VALUE' END ;; + group_label: "additional" + label: "additional.fields.value.null_value_enum_name" + view_label: "UDM" + } # dimension value__null_value_enum_name + + dimension: value__number_value { + type: number + sql: ${TABLE}.value.number_value ;; + group_label: "additional" + label: "additional.fields.value.number_value" + view_label: "UDM" + } # dimension value__number_value + + dimension: value__string_value { + type: string + sql: ${TABLE}.value.string_value ;; + group_label: "additional" + label: "additional.fields.value.string_value" + view_label: "UDM" + } # dimension value__string_value + + dimension: value__struct_value { + hidden: yes + } # dimension value__struct_value + + dimension: value__struct_value__fields { + hidden: yes + } # dimension value__struct_value__fields + +} # view udm_events__additional__fields + +view: udm_events__extensions__auth__mechanism { + dimension: udm_events__extensions__auth__mechanism { + type: number + sql: ${TABLE} ;; + group_label: "extensions" + label: "extensions.auth.mechanism" + view_label: "UDM" + description: "The authentication mechanism." 
+ } # dimension udm_events__extensions__auth__mechanism +} # view udm_events__extensions__auth__mechanism + +view: udm_events__extensions__auth__mechanism_enum_name { + dimension: udm_events__extensions__auth__mechanism_enum_name { + type: string + suggestions: ["BADGE_READER", "BATCH", "CACHED_INTERACTIVE", "CACHED_REMOTE_INTERACTIVE", "CACHED_UNLOCK", "HARDWARE_KEY", "INTERACTIVE", "LOCAL", "MECHANISM_OTHER", "MECHANISM_UNSPECIFIED", "NETWORK", "NETWORK_CLEAR_TEXT", "NEW_CREDENTIALS", "OTP", "REMOTE", "REMOTE_INTERACTIVE", "SERVICE", "UNLOCK", "USERNAME_PASSWORD"] + sql: CASE ${TABLE} WHEN 0 THEN 'MECHANISM_UNSPECIFIED' WHEN 1 THEN 'USERNAME_PASSWORD' WHEN 2 THEN 'OTP' WHEN 3 THEN 'HARDWARE_KEY' WHEN 4 THEN 'LOCAL' WHEN 5 THEN 'REMOTE' WHEN 6 THEN 'REMOTE_INTERACTIVE' WHEN 7 THEN 'MECHANISM_OTHER' WHEN 8 THEN 'BADGE_READER' WHEN 9 THEN 'NETWORK' WHEN 10 THEN 'BATCH' WHEN 11 THEN 'SERVICE' WHEN 12 THEN 'UNLOCK' WHEN 13 THEN 'NETWORK_CLEAR_TEXT' WHEN 14 THEN 'NEW_CREDENTIALS' WHEN 15 THEN 'INTERACTIVE' WHEN 16 THEN 'CACHED_INTERACTIVE' WHEN 17 THEN 'CACHED_REMOTE_INTERACTIVE' WHEN 18 THEN 'CACHED_UNLOCK' END ;; + group_label: "extensions" + label: "extensions.auth.mechanism_enum_name" + view_label: "UDM" + description: "The authentication mechanism." + } # dimension udm_events__extensions__auth__mechanism_enum_name +} # view udm_events__extensions__auth__mechanism_enum_name + +view: udm_events__extensions__vulns__vulnerabilities__about__asset__ip { + dimension: udm_events__extensions__vulns__vulnerabilities__about__asset__ip { + type: string + sql: ${TABLE} ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.about.asset.ip" + view_label: "UDM" + description: "A list of IP addresses associated with an asset." 
+ } # dimension udm_events__extensions__vulns__vulnerabilities__about__asset__ip +} # view udm_events__extensions__vulns__vulnerabilities__about__asset__ip + +view: udm_events__extensions__vulns__vulnerabilities__about__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "extensions" + group_item_label: "extensions.vulns.vulnerabilities.about.labels.key [D]" + label: "extensions.vulns.vulnerabilities.about.labels.key" + view_label: "UDM" + description: "The key. [D]: This field is deprecated and will be removed in a future release" + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "extensions" + group_item_label: "extensions.vulns.vulnerabilities.about.labels.value [D]" + label: "extensions.vulns.vulnerabilities.about.labels.value" + view_label: "UDM" + description: "The value. [D]: This field is deprecated and will be removed in a future release" + } # dimension value + +} # view udm_events__extensions__vulns__vulnerabilities__about__labels + +view: udm_events__extensions__vulns__vulnerabilities__about__resource__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.about.resource.attribute.labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.about.resource.attribute.labels.value" + view_label: "UDM" + description: "The value." 
+ } # dimension value + +} # view udm_events__extensions__vulns__vulnerabilities__about__resource__attribute__labels + +view: udm_events__extensions__vulns__vulnerabilities { + dimension: about { + hidden: yes + } # dimension about + + dimension: about__asset { + hidden: yes + } # dimension about__asset + + dimension: about__asset__hostname { + type: string + sql: ${TABLE}.about.asset.hostname ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.about.asset.hostname" + view_label: "UDM" + description: "Asset hostname or domain name field." + } # dimension about__asset__hostname + + dimension: about__asset__ip { + hidden: yes + } # dimension about__asset__ip + + dimension: about__asset__platform_software { + hidden: yes + } # dimension about__asset__platform_software + + dimension: about__asset__platform_software__platform { + type: number + sql: ${TABLE}.about.asset.platform_software.platform ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.about.asset.platform_software.platform" + view_label: "UDM" + description: "The platform operating system." + } # dimension about__asset__platform_software__platform + + dimension: about__asset__platform_software__platform_enum_name { + type: string + suggestions: ["ANDROID", "AWS", "AZURE", "CHROME_OS", "GCP", "IOS", "LINUX", "MAC", "UNKNOWN_PLATFORM", "WINDOWS"] + sql: CASE ${TABLE}.about.asset.platform_software.platform WHEN 0 THEN 'UNKNOWN_PLATFORM' WHEN 1 THEN 'WINDOWS' WHEN 2 THEN 'MAC' WHEN 3 THEN 'LINUX' WHEN 4 THEN 'GCP' WHEN 5 THEN 'AWS' WHEN 6 THEN 'AZURE' WHEN 7 THEN 'IOS' WHEN 8 THEN 'ANDROID' WHEN 9 THEN 'CHROME_OS' END ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.about.asset.platform_software.platform_enum_name" + view_label: "UDM" + description: "The platform operating system." 
+ } # dimension about__asset__platform_software__platform_enum_name + + dimension: about__asset__product_object_id { + type: string + sql: ${TABLE}.about.asset.product_object_id ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.about.asset.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID or similar)." + } # dimension about__asset__product_object_id + + dimension: about__cloud { + hidden: yes + } # dimension about__cloud + + dimension: about__cloud__availability_zone { + type: string + sql: ${TABLE}.about.cloud.availability_zone ;; + group_label: "extensions" + group_item_label: "extensions.vulns.vulnerabilities.about.cloud.availability_zone [D]" + label: "extensions.vulns.vulnerabilities.about.cloud.availability_zone" + view_label: "UDM" + description: "The cloud environment availability zone (different from region which is location.name). [D]: This field is deprecated and will be removed in a future release" + } # dimension about__cloud__availability_zone + + dimension: about__cloud__environment { + type: number + sql: ${TABLE}.about.cloud.environment ;; + group_label: "extensions" + group_item_label: "extensions.vulns.vulnerabilities.about.cloud.environment [D]" + label: "extensions.vulns.vulnerabilities.about.cloud.environment" + view_label: "UDM" + description: "The Cloud environment. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension about__cloud__environment + + dimension: about__cloud__environment_enum_name { + type: string + suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] + sql: CASE ${TABLE}.about.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; + group_label: "extensions" + group_item_label: "extensions.vulns.vulnerabilities.about.cloud.environment_enum_name [D]" + label: "extensions.vulns.vulnerabilities.about.cloud.environment_enum_name" + view_label: "UDM" + description: "The Cloud environment. [D]: This field is deprecated and will be removed in a future release" + } # dimension about__cloud__environment_enum_name + + dimension: about__cloud__project { + hidden: yes + } # dimension about__cloud__project + + dimension: about__cloud__project__name { + type: string + sql: ${TABLE}.about.cloud.project.name ;; + group_label: "extensions" + group_item_label: "extensions.vulns.vulnerabilities.about.cloud.project.name [D]" + label: "extensions.vulns.vulnerabilities.about.cloud.project.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension about__cloud__project__name + + dimension: about__group { + hidden: yes + } # dimension about__group + + dimension: about__group__attribute { + hidden: yes + } # dimension about__group__attribute + + dimension: about__group__attribute__cloud { + hidden: yes + } # dimension about__group__attribute__cloud + + dimension: about__group__attribute__cloud__project { + hidden: yes + } # dimension about__group__attribute__cloud__project + + dimension: about__group__attribute__cloud__project__name { + type: string + sql: ${TABLE}.about.group.attribute.cloud.project.name ;; + group_label: "extensions" + group_item_label: "extensions.vulns.vulnerabilities.about.group.attribute.cloud.project.name [D]" + label: "extensions.vulns.vulnerabilities.about.group.attribute.cloud.project.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" + } # dimension about__group__attribute__cloud__project__name + + dimension: about__hostname { + type: string + sql: ${TABLE}.about.hostname ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.about.hostname" + view_label: "UDM" + description: "Client hostname or domain name field. Hostname also doubles as the domain for remote entities." + } # dimension about__hostname + + dimension: about__labels { + hidden: yes + } # dimension about__labels + + dimension: about__namespace { + type: string + sql: ${TABLE}.about.namespace ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.about.namespace" + view_label: "UDM" + description: "Namespace which the device belongs to (e.g. AD forest) Uses for this field include Microsoft Windows AD forest, name of subsidiary or acquisition, etc." 
+ } # dimension about__namespace + + dimension: about__platform { + type: number + sql: ${TABLE}.about.platform ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.about.platform" + view_label: "UDM" + description: "Platform." + } # dimension about__platform + + dimension: about__platform_enum_name { + type: string + suggestions: ["ANDROID", "AWS", "AZURE", "CHROME_OS", "GCP", "IOS", "LINUX", "MAC", "UNKNOWN_PLATFORM", "WINDOWS"] + sql: CASE ${TABLE}.about.platform WHEN 0 THEN 'UNKNOWN_PLATFORM' WHEN 1 THEN 'WINDOWS' WHEN 2 THEN 'MAC' WHEN 3 THEN 'LINUX' WHEN 4 THEN 'GCP' WHEN 5 THEN 'AWS' WHEN 6 THEN 'AZURE' WHEN 7 THEN 'IOS' WHEN 8 THEN 'ANDROID' WHEN 9 THEN 'CHROME_OS' END ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.about.platform_enum_name" + view_label: "UDM" + description: "Platform." + } # dimension about__platform_enum_name + + dimension: about__resource { + hidden: yes + } # dimension about__resource + + dimension: about__resource__attribute { + hidden: yes + } # dimension about__resource__attribute + + dimension: about__resource__attribute__labels { + hidden: yes + } # dimension about__resource__attribute__labels + + dimension: about__resource__product_object_id { + type: string + sql: ${TABLE}.about.resource.product_object_id ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.about.resource.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" + } # dimension about__resource__product_object_id + + dimension: cve_description { + type: string + sql: ${TABLE}.cve_description ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.cve_description" + view_label: "UDM" + description: "Common Vulnerabilities and Exposures Description. 
https://cve.mitre.org/about/faqs.html#what_is_cve_record" + } # dimension cve_description + + dimension: cve_id { + type: string + sql: ${TABLE}.cve_id ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.cve_id" + view_label: "UDM" + description: "Common Vulnerabilities and Exposures Id.https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures https://cve.mitre.org/about/faqs.html#what_is_cve_id" + } # dimension cve_id + + dimension: cvss_base_score { + type: number + sql: ${TABLE}.cvss_base_score ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.cvss_base_score" + view_label: "UDM" + description: "CVSS Base Score in the range of 0.0 to 10.0. Useful for sorting." + } # dimension cvss_base_score + + dimension: cvss_vector { + type: string + sql: ${TABLE}.cvss_vector ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.cvss_vector" + view_label: "UDM" + description: "Vector of CVSS properties (e.g. \"AV:L/AC:H/Au:N/C:N/I:P/A:C\") Can be linked to via: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=VALUE" + } # dimension cvss_vector + + dimension: cvss_version { + type: string + sql: ${TABLE}.cvss_version ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.cvss_version" + view_label: "UDM" + description: "Version of CVSS Vector/Score." + } # dimension cvss_version + + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.description" + view_label: "UDM" + description: "Description of the vulnerability." 
+ } # dimension description + + dimension_group: extensions__vulns__vulnerabilities__first_found { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.first_found.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.first_found.nanos, 0) / 1000) as INT64)) ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.first_found" + view_label: "UDM" + description: "Products that maintain a history of vuln scans should populate first_found with the time that a scan first detected the vulnerability on this asset." + } # dimension extensions__vulns__vulnerabilities__first_found + + dimension_group: extensions__vulns__vulnerabilities__last_found { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.last_found.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.last_found.nanos, 0) / 1000) as INT64)) ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.last_found" + view_label: "UDM" + description: "Products that maintain a history of vuln scans should populate last_found with the time that a scan last detected the vulnerability on this asset." + } # dimension extensions__vulns__vulnerabilities__last_found + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.name" + view_label: "UDM" + description: "Name of the vulnerability (e.g. \"Unsupported OS Version detected\")." 
+ } # dimension name + + dimension_group: extensions__vulns__vulnerabilities__scan_end_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.scan_end_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.scan_end_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.scan_end_time" + view_label: "UDM" + description: "If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan ended. This field can be left unset if the end time is not available or not applicable." + } # dimension extensions__vulns__vulnerabilities__scan_end_time + + dimension_group: extensions__vulns__vulnerabilities__scan_start_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.scan_start_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.scan_start_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.scan_start_time" + view_label: "UDM" + description: "If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan started. This field can be left unset if the start time is not available or not applicable." + } # dimension extensions__vulns__vulnerabilities__scan_start_time + + dimension: severity { + type: number + sql: ${TABLE}.severity ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.severity" + view_label: "UDM" + description: "The severity of the vulnerability." 
+ } # dimension severity + + dimension: severity_enum_name { + type: string + suggestions: ["CRITICAL", "HIGH", "LOW", "MEDIUM", "UNKNOWN_SEVERITY"] + sql: CASE ${TABLE}.severity WHEN 0 THEN 'UNKNOWN_SEVERITY' WHEN 1 THEN 'LOW' WHEN 2 THEN 'MEDIUM' WHEN 3 THEN 'HIGH' WHEN 4 THEN 'CRITICAL' END ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.severity_enum_name" + view_label: "UDM" + description: "The severity of the vulnerability." + } # dimension severity_enum_name + + dimension: severity_details { + type: string + sql: ${TABLE}.severity_details ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.severity_details" + view_label: "UDM" + description: "Vendor-specific severity" + } # dimension severity_details + + dimension: vendor { + type: string + sql: ${TABLE}.vendor ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.vendor" + view_label: "UDM" + description: "Vendor of scan that discovered vulnerability." + } # dimension vendor + + dimension: vendor_knowledge_base_article_id { + type: string + sql: ${TABLE}.vendor_knowledge_base_article_id ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.vendor_knowledge_base_article_id" + view_label: "UDM" + description: "Vendor specific knowledge base article (e.g. \"KBXXXXXX\" from Microsoft). https://en.wikipedia.org/wiki/Microsoft_Knowledge_Base https://access.redhat.com/knowledgebase" + } # dimension vendor_knowledge_base_article_id + + dimension: vendor_vulnerability_id { + type: string + sql: ${TABLE}.vendor_vulnerability_id ;; + group_label: "extensions" + label: "extensions.vulns.vulnerabilities.vendor_vulnerability_id" + view_label: "UDM" + description: "Vendor specific vulnerability id (e.g. Microsoft security bulletin id)." 
+ } # dimension vendor_vulnerability_id + +} # view udm_events__extensions__vulns__vulnerabilities + +view: udm_events__intermediary__asset__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "intermediary" + label: "intermediary.asset.attribute.labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "intermediary" + label: "intermediary.asset.attribute.labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view udm_events__intermediary__asset__attribute__labels + +view: udm_events__intermediary__asset__hardware { + dimension: model { + type: string + sql: ${TABLE}.model ;; + group_label: "intermediary" + label: "intermediary.asset.hardware.model" + view_label: "UDM" + description: "Hardware model." + } # dimension model + + dimension: serial_number { + type: string + sql: ${TABLE}.serial_number ;; + group_label: "intermediary" + label: "intermediary.asset.hardware.serial_number" + view_label: "UDM" + description: "Hardware serial number." + } # dimension serial_number + +} # view udm_events__intermediary__asset__hardware + +view: udm_events__intermediary__asset__ip { + dimension: udm_events__intermediary__asset__ip { + type: string + sql: ${TABLE} ;; + group_label: "intermediary" + label: "intermediary.asset.ip" + view_label: "UDM" + description: "A list of IP addresses associated with an asset." + } # dimension udm_events__intermediary__asset__ip +} # view udm_events__intermediary__asset__ip + +view: udm_events__intermediary__asset__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "intermediary" + group_item_label: "intermediary.asset.labels.key [D]" + label: "intermediary.asset.labels.key" + view_label: "UDM" + description: "The key. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "intermediary" + group_item_label: "intermediary.asset.labels.value [D]" + label: "intermediary.asset.labels.value" + view_label: "UDM" + description: "The value. [D]: This field is deprecated and will be removed in a future release" + } # dimension value + +} # view udm_events__intermediary__asset__labels + +view: udm_events__intermediary__asset__mac { + dimension: udm_events__intermediary__asset__mac { + type: string + sql: ${TABLE} ;; + group_label: "intermediary" + label: "intermediary.asset.mac" + view_label: "UDM" + description: "List of MAC addresses associated with an asset." + } # dimension udm_events__intermediary__asset__mac +} # view udm_events__intermediary__asset__mac + +view: udm_events__intermediary__asset__software { + dimension: version { + type: string + sql: ${TABLE}.version ;; + group_label: "intermediary" + label: "intermediary.asset.software.version" + view_label: "UDM" + description: "The version of the software." + } # dimension version + +} # view udm_events__intermediary__asset__software + +view: udm_events__intermediary__ip { + dimension: udm_events__intermediary__ip { + type: string + sql: ${TABLE} ;; + group_label: "intermediary" + label: "intermediary.ip" + view_label: "UDM" + description: "A list of IP addresses associated with a network connection." + } # dimension udm_events__intermediary__ip +} # view udm_events__intermediary__ip + +view: udm_events__intermediary__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "intermediary" + group_item_label: "intermediary.labels.key [D]" + label: "intermediary.labels.key" + view_label: "UDM" + description: "The key. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "intermediary" + group_item_label: "intermediary.labels.value [D]" + label: "intermediary.labels.value" + view_label: "UDM" + description: "The value. [D]: This field is deprecated and will be removed in a future release" + } # dimension value + +} # view udm_events__intermediary__labels + +view: udm_events__intermediary__mac { + dimension: udm_events__intermediary__mac { + type: string + sql: ${TABLE} ;; + group_label: "intermediary" + label: "intermediary.mac" + view_label: "UDM" + description: "List of MAC addresses associated with a device." + } # dimension udm_events__intermediary__mac +} # view udm_events__intermediary__mac + +view: udm_events__intermediary__nat_ip { + dimension: udm_events__intermediary__nat_ip { + type: string + sql: ${TABLE} ;; + group_label: "intermediary" + label: "intermediary.nat_ip" + view_label: "UDM" + description: "A list of NAT translated IP addresses associated with a network connection." + } # dimension udm_events__intermediary__nat_ip +} # view udm_events__intermediary__nat_ip + +view: udm_events__intermediary__process__file__names { + dimension: udm_events__intermediary__process__file__names { + type: string + sql: ${TABLE} ;; + group_label: "intermediary" + label: "intermediary.process.file.names" + view_label: "UDM" + description: "Names fields." + } # dimension udm_events__intermediary__process__file__names +} # view udm_events__intermediary__process__file__names + +view: udm_events__intermediary__resource__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "intermediary" + label: "intermediary.resource.attribute.labels.key" + view_label: "UDM" + description: "The key." 
+ } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "intermediary" + label: "intermediary.resource.attribute.labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view udm_events__intermediary__resource__attribute__labels + +view: udm_events__intermediary__user__email_addresses { + dimension: udm_events__intermediary__user__email_addresses { + type: string + sql: ${TABLE} ;; + group_label: "intermediary" + label: "intermediary.user.email_addresses" + view_label: "UDM" + description: "Email addresses of the user." + } # dimension udm_events__intermediary__user__email_addresses +} # view udm_events__intermediary__user__email_addresses + +view: udm_events__intermediary__user__group_identifiers { + dimension: udm_events__intermediary__user__group_identifiers { + type: string + sql: ${TABLE} ;; + group_label: "intermediary" + label: "intermediary.user.group_identifiers" + view_label: "UDM" + description: "Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar)." + } # dimension udm_events__intermediary__user__group_identifiers +} # view udm_events__intermediary__user__group_identifiers + +view: udm_events__intermediary { + dimension: administrative_domain { + type: string + sql: ${TABLE}.administrative_domain ;; + group_label: "intermediary" + label: "intermediary.administrative_domain" + view_label: "UDM" + description: "Domain which the device belongs to (for example, the Microsoft Windows domain)." + } # dimension administrative_domain + + dimension: application { + type: string + sql: ${TABLE}.application ;; + group_label: "intermediary" + label: "intermediary.application" + view_label: "UDM" + description: "The name of an application or service. Some SSO solutions only capture the name of a target application such as \"Atlassian\" or \"Chronicle\"." 
+ } # dimension application + + dimension: asset { + hidden: yes + } # dimension asset + + dimension: asset__asset_id { + type: string + sql: ${TABLE}.asset.asset_id ;; + group_label: "intermediary" + label: "intermediary.asset.asset_id" + view_label: "UDM" + description: "The asset ID." + } # dimension asset__asset_id + + dimension: asset__attribute { + hidden: yes + } # dimension asset__attribute + + dimension: asset__attribute__labels { + hidden: yes + } # dimension asset__attribute__labels + + dimension: asset__category { + type: string + sql: ${TABLE}.asset.category ;; + group_label: "intermediary" + label: "intermediary.asset.category" + view_label: "UDM" + description: "The category of the asset (e.g. \"End User Asset\", \"Workstation\", \"Server\")." + } # dimension asset__category + + dimension: asset__hardware { + hidden: yes + } # dimension asset__hardware + + dimension: asset__hostname { + type: string + sql: ${TABLE}.asset.hostname ;; + group_label: "intermediary" + label: "intermediary.asset.hostname" + view_label: "UDM" + description: "Asset hostname or domain name field." + } # dimension asset__hostname + + dimension: asset__ip { + hidden: yes + } # dimension asset__ip + + dimension: asset__labels { + hidden: yes + } # dimension asset__labels + + dimension: asset__location { + hidden: yes + } # dimension asset__location + + dimension: asset__location__country_or_region { + type: string + sql: ${TABLE}.asset.location.country_or_region ;; + group_label: "intermediary" + label: "intermediary.asset.location.country_or_region" + view_label: "UDM" + description: "The country or region." + } # dimension asset__location__country_or_region + + dimension: asset__mac { + hidden: yes + } # dimension asset__mac + + dimension: asset__network_domain { + type: string + sql: ${TABLE}.asset.network_domain ;; + group_label: "intermediary" + label: "intermediary.asset.network_domain" + view_label: "UDM" + description: "The network domain of the asset (e.g. 
\"corp.acme.com\")" + } # dimension asset__network_domain + + dimension: asset__platform_software { + hidden: yes + } # dimension asset__platform_software + + dimension: asset__platform_software__platform_version { + type: string + sql: ${TABLE}.asset.platform_software.platform_version ;; + group_label: "intermediary" + label: "intermediary.asset.platform_software.platform_version" + view_label: "UDM" + description: "The platform software version ( e.g. \"Microsoft Windows 1803\")." + } # dimension asset__platform_software__platform_version + + dimension: asset__product_object_id { + type: string + sql: ${TABLE}.asset.product_object_id ;; + group_label: "intermediary" + label: "intermediary.asset.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID or similar)." + } # dimension asset__product_object_id + + dimension: asset__software { + hidden: yes + } # dimension asset__software + + dimension: asset_id { + type: string + sql: ${TABLE}.asset_id ;; + group_label: "intermediary" + label: "intermediary.asset_id" + view_label: "UDM" + description: "The asset ID." + } # dimension asset_id + + dimension: cloud { + hidden: yes + } # dimension cloud + + dimension: cloud__environment { + type: number + sql: ${TABLE}.cloud.environment ;; + group_label: "intermediary" + group_item_label: "intermediary.cloud.environment [D]" + label: "intermediary.cloud.environment" + view_label: "UDM" + description: "The Cloud environment. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension cloud__environment + + dimension: cloud__environment_enum_name { + type: string + suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] + sql: CASE ${TABLE}.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; + group_label: "intermediary" + group_item_label: "intermediary.cloud.environment_enum_name [D]" + label: "intermediary.cloud.environment_enum_name" + view_label: "UDM" + description: "The Cloud environment. [D]: This field is deprecated and will be removed in a future release" + } # dimension cloud__environment_enum_name + + dimension: domain { + hidden: yes + } # dimension domain + + dimension: domain__name { + type: string + sql: ${TABLE}.domain.name ;; + group_label: "intermediary" + label: "intermediary.domain.name" + view_label: "UDM" + description: "The domain name." + } # dimension domain__name + + dimension: email { + type: string + sql: ${TABLE}.email ;; + group_label: "intermediary" + label: "intermediary.email" + view_label: "UDM" + description: "Email address. Only filled in for security_result.about" + } # dimension email + + dimension: file { + hidden: yes + } # dimension file + + dimension: file__full_path { + type: string + sql: ${TABLE}.file.full_path ;; + group_label: "intermediary" + label: "intermediary.file.full_path" + view_label: "UDM" + description: "The full path identifying the location of the file on the system." + } # dimension file__full_path + + dimension: file__md5 { + type: string + sql: ${TABLE}.file.md5 ;; + group_label: "intermediary" + label: "intermediary.file.md5" + view_label: "UDM" + description: "The MD5 hash of the file." 
+ } # dimension file__md5 + + dimension: file__mime_type { + type: string + sql: ${TABLE}.file.mime_type ;; + group_label: "intermediary" + label: "intermediary.file.mime_type" + view_label: "UDM" + description: "The MIME (Multipurpose Internet Mail Extensions) type of the file, for example \"PE\", \"PDF\", \"powershell script\", etc." + } # dimension file__mime_type + + dimension: file__sha1 { + type: string + sql: ${TABLE}.file.sha1 ;; + group_label: "intermediary" + label: "intermediary.file.sha1" + view_label: "UDM" + description: "The SHA1 hash of the file." + } # dimension file__sha1 + + dimension: file__sha256 { + type: string + sql: ${TABLE}.file.sha256 ;; + group_label: "intermediary" + label: "intermediary.file.sha256" + view_label: "UDM" + description: "The SHA256 hash of the file." + } # dimension file__sha256 + + dimension: file__size { + type: number + sql: ${TABLE}.file.size ;; + group_label: "intermediary" + label: "intermediary.file.size" + view_label: "UDM" + description: "The size of the file in bytes." + } # dimension file__size + + dimension: group { + hidden: yes + } # dimension group + + dimension: group__group_display_name { + type: string + sql: ${TABLE}.group.group_display_name ;; + group_label: "intermediary" + label: "intermediary.group.group_display_name" + view_label: "UDM" + description: "Group display name. e.g. \"Finance\"." + } # dimension group__group_display_name + + dimension: group__product_object_id { + type: string + sql: ${TABLE}.group.product_object_id ;; + group_label: "intermediary" + label: "intermediary.group.product_object_id" + view_label: "UDM" + description: "Product globally unique user object identifier, such as an LDAP Object Identifier." + } # dimension group__product_object_id + + dimension: hostname { + type: string + sql: ${TABLE}.hostname ;; + group_label: "intermediary" + label: "intermediary.hostname" + view_label: "UDM" + description: "Client hostname or domain name field. 
Hostname also doubles as the domain for remote entities." + } # dimension hostname + + dimension: ip { + hidden: yes + } # dimension ip + + dimension: labels { + hidden: yes + } # dimension labels + + dimension: location { + hidden: yes + } # dimension location + + dimension: location__city { + type: string + sql: ${TABLE}.location.city ;; + group_label: "intermediary" + label: "intermediary.location.city" + view_label: "UDM" + description: "The city." + } # dimension location__city + + dimension: location__country_or_region { + type: string + sql: ${TABLE}.location.country_or_region ;; + group_label: "intermediary" + label: "intermediary.location.country_or_region" + view_label: "UDM" + description: "The country or region." + } # dimension location__country_or_region + + dimension: location__name { + type: string + sql: ${TABLE}.location.name ;; + group_label: "intermediary" + label: "intermediary.location.name" + view_label: "UDM" + description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." + } # dimension location__name + + dimension: location__region_latitude { + type: number + sql: ${TABLE}.location.region_latitude ;; + group_label: "intermediary" + group_item_label: "intermediary.location.region_latitude [D]" + label: "intermediary.location.region_latitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" + } # dimension location__region_latitude + + dimension: location__region_longitude { + type: number + sql: ${TABLE}.location.region_longitude ;; + group_label: "intermediary" + group_item_label: "intermediary.location.region_longitude [D]" + label: "intermediary.location.region_longitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension location__region_longitude + + dimension: location__location { + type: location + sql_latitude: ${TABLE}.location.region_latitude ;; + sql_longitude: ${TABLE}.location.region_longitude ;; + group_label: "intermediary" + group_item_label: "intermediary.location.location [D][L]" + label: "intermediary.location.location" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." + } # dimension location__location + + dimension: location__state { + type: string + sql: ${TABLE}.location.state ;; + group_label: "intermediary" + label: "intermediary.location.state" + view_label: "UDM" + description: "The state." + } # dimension location__state + + dimension: mac { + hidden: yes + } # dimension mac + + dimension: namespace { + type: string + sql: ${TABLE}.namespace ;; + group_label: "intermediary" + label: "intermediary.namespace" + view_label: "UDM" + description: "Namespace which the device belongs to (e.g. AD forest) Uses for this field include Microsoft Windows AD forest, name of subsidiary or acquisition, etc." + } # dimension namespace + + dimension: nat_ip { + hidden: yes + } # dimension nat_ip + + dimension: platform { + type: number + sql: ${TABLE}.platform ;; + group_label: "intermediary" + label: "intermediary.platform" + view_label: "UDM" + description: "Platform." 
+ } # dimension platform + + dimension: platform_enum_name { + type: string + suggestions: ["ANDROID", "AWS", "AZURE", "CHROME_OS", "GCP", "IOS", "LINUX", "MAC", "UNKNOWN_PLATFORM", "WINDOWS"] + sql: CASE ${TABLE}.platform WHEN 0 THEN 'UNKNOWN_PLATFORM' WHEN 1 THEN 'WINDOWS' WHEN 2 THEN 'MAC' WHEN 3 THEN 'LINUX' WHEN 4 THEN 'GCP' WHEN 5 THEN 'AWS' WHEN 6 THEN 'AZURE' WHEN 7 THEN 'IOS' WHEN 8 THEN 'ANDROID' WHEN 9 THEN 'CHROME_OS' END ;; + group_label: "intermediary" + label: "intermediary.platform_enum_name" + view_label: "UDM" + description: "Platform." + } # dimension platform_enum_name + + dimension: platform_version { + type: string + sql: ${TABLE}.platform_version ;; + group_label: "intermediary" + label: "intermediary.platform_version" + view_label: "UDM" + description: "Platform version. For example, \"Microsoft Windows 1803\"." + } # dimension platform_version + + dimension: port { + type: number + value_format: "#" + sql: ${TABLE}.port ;; + group_label: "intermediary" + label: "intermediary.port" + view_label: "UDM" + description: "Source or destination network port number when a specific network connection is described within an event." + } # dimension port + + dimension: process { + hidden: yes + } # dimension process + + dimension: process__command_line { + type: string + sql: ${TABLE}.process.command_line ;; + group_label: "intermediary" + label: "intermediary.process.command_line" + view_label: "UDM" + description: "The command line command that created the process." + } # dimension process__command_line + + dimension: process__file { + hidden: yes + } # dimension process__file + + dimension: process__file__full_path { + type: string + sql: ${TABLE}.process.file.full_path ;; + group_label: "intermediary" + label: "intermediary.process.file.full_path" + view_label: "UDM" + description: "The full path identifying the location of the file on the system." 
+ } # dimension process__file__full_path + + dimension: process__file__names { + hidden: yes + } # dimension process__file__names + + dimension: process__file__sha1 { + type: string + sql: ${TABLE}.process.file.sha1 ;; + group_label: "intermediary" + label: "intermediary.process.file.sha1" + view_label: "UDM" + description: "The SHA1 hash of the file." + } # dimension process__file__sha1 + + dimension: process__file__sha256 { + type: string + sql: ${TABLE}.process.file.sha256 ;; + group_label: "intermediary" + label: "intermediary.process.file.sha256" + view_label: "UDM" + description: "The SHA256 hash of the file." + } # dimension process__file__sha256 + + dimension: process__file__size { + type: number + sql: ${TABLE}.process.file.size ;; + group_label: "intermediary" + label: "intermediary.process.file.size" + view_label: "UDM" + description: "The size of the file in bytes." + } # dimension process__file__size + + dimension: process__parent_process { + hidden: yes + } # dimension process__parent_process + + dimension: process__parent_process__file { + hidden: yes + } # dimension process__parent_process__file + + dimension: process__parent_process__file__full_path { + type: string + sql: ${TABLE}.process.parent_process.file.full_path ;; + group_label: "intermediary" + label: "intermediary.process.parent_process.file.full_path" + view_label: "UDM" + description: "The full path identifying the location of the file on the system." + } # dimension process__parent_process__file__full_path + + dimension: process__parent_process__file__size { + type: number + sql: ${TABLE}.process.parent_process.file.size ;; + group_label: "intermediary" + label: "intermediary.process.parent_process.file.size" + view_label: "UDM" + description: "The size of the file in bytes." 
+ } # dimension process__parent_process__file__size + + dimension: process__parent_process__pid { + type: string + sql: ${TABLE}.process.parent_process.pid ;; + group_label: "intermediary" + label: "intermediary.process.parent_process.pid" + view_label: "UDM" + description: "The process ID." + } # dimension process__parent_process__pid + + dimension: process__pid { + type: string + sql: ${TABLE}.process.pid ;; + group_label: "intermediary" + label: "intermediary.process.pid" + view_label: "UDM" + description: "The process ID." + } # dimension process__pid + + dimension: registry { + hidden: yes + } # dimension registry + + dimension: registry__registry_key { + type: string + sql: ${TABLE}.registry.registry_key ;; + group_label: "intermediary" + label: "intermediary.registry.registry_key" + view_label: "UDM" + description: "Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...)." + } # dimension registry__registry_key + + dimension: registry__registry_value_data { + type: string + sql: ${TABLE}.registry.registry_value_data ;; + group_label: "intermediary" + label: "intermediary.registry.registry_value_data" + view_label: "UDM" + description: "Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp)." + } # dimension registry__registry_value_data + + dimension: registry__registry_value_name { + type: string + sql: ${TABLE}.registry.registry_value_name ;; + group_label: "intermediary" + label: "intermediary.registry.registry_value_name" + view_label: "UDM" + description: "Name of the registry value associated with an application or system component (e.g. TEMP)." 
+ } # dimension registry__registry_value_name + + dimension: resource { + hidden: yes + } # dimension resource + + dimension: resource__attribute { + hidden: yes + } # dimension resource__attribute + + dimension: resource__attribute__labels { + hidden: yes + } # dimension resource__attribute__labels + + dimension: resource__id { + type: string + sql: ${TABLE}.resource.id ;; + group_label: "intermediary" + group_item_label: "intermediary.resource.id [D]" + label: "intermediary.resource.id" + view_label: "UDM" + description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" + } # dimension resource__id + + dimension: resource__name { + type: string + sql: ${TABLE}.resource.name ;; + group_label: "intermediary" + label: "intermediary.resource.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." + } # dimension resource__name + + dimension: resource__parent { + type: string + sql: ${TABLE}.resource.parent ;; + group_label: "intermediary" + group_item_label: "intermediary.resource.parent [D]" + label: "intermediary.resource.parent" + view_label: "UDM" + description: "The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: use resource_ancestors.name. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension resource__parent + + dimension: resource__product_object_id { + type: string + sql: ${TABLE}.resource.product_object_id ;; + group_label: "intermediary" + label: "intermediary.resource.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" + } # dimension resource__product_object_id + + dimension: resource__resource_subtype { + type: string + sql: ${TABLE}.resource.resource_subtype ;; + group_label: "intermediary" + label: "intermediary.resource.resource_subtype" + view_label: "UDM" + description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\")." + } # dimension resource__resource_subtype + + dimension: resource__resource_type { + type: number + sql: ${TABLE}.resource.resource_type ;; + group_label: "intermediary" + label: "intermediary.resource.resource_type" + view_label: "UDM" + description: "Resource type." 
+ } # dimension resource__resource_type + + dimension: resource__resource_type_enum_name { + type: string + suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] + sql: CASE ${TABLE}.resource.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; + group_label: "intermediary" + label: "intermediary.resource.resource_type_enum_name" + view_label: "UDM" + description: "Resource type." + } # dimension resource__resource_type_enum_name + + dimension: resource__type { + type: string + sql: ${TABLE}.resource.type ;; + group_label: "intermediary" + group_item_label: "intermediary.resource.type [D]" + label: "intermediary.resource.type" + view_label: "UDM" + description: "Deprecated: use resource_type instead. [D]: This field is deprecated and will be removed in a future release" + } # dimension resource__type + + dimension: url { + type: string + sql: ${TABLE}.url ;; + group_label: "intermediary" + label: "intermediary.url" + view_label: "UDM" + description: "The URL." 
+ } # dimension url + + dimension: user { + hidden: yes + } # dimension user + + dimension: user__email_addresses { + hidden: yes + } # dimension user__email_addresses + + dimension: user__group_identifiers { + hidden: yes + } # dimension user__group_identifiers + + dimension: user__product_object_id { + type: string + sql: ${TABLE}.user.product_object_id ;; + group_label: "intermediary" + label: "intermediary.user.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." + } # dimension user__product_object_id + + dimension: user__user_display_name { + type: string + sql: ${TABLE}.user.user_display_name ;; + group_label: "intermediary" + label: "intermediary.user.user_display_name" + view_label: "UDM" + description: "The display name of the user (e.g. \"John Locke\")." + } # dimension user__user_display_name + + dimension: user__userid { + type: string + sql: ${TABLE}.user.userid ;; + group_label: "intermediary" + label: "intermediary.user.userid" + view_label: "UDM" + description: "The ID of the user." + } # dimension user__userid + + dimension: user__windows_sid { + type: string + sql: ${TABLE}.user.windows_sid ;; + group_label: "intermediary" + label: "intermediary.user.windows_sid" + view_label: "UDM" + description: "The Microsoft Windows SID of the user." + } # dimension user__windows_sid + +} # view udm_events__intermediary + +view: udm_events__metadata__base_labels__log_types { + dimension: udm_events__metadata__base_labels__log_types { + type: string + sql: ${TABLE} ;; + group_label: "metadata" + label: "metadata.base_labels.log_types" + view_label: "UDM" + description: "All the LogType labels. We use string to log types to avoid moving LogType proto, which contains customer info, to external." 
+ } # dimension udm_events__metadata__base_labels__log_types +} # view udm_events__metadata__base_labels__log_types + +view: udm_events__metadata__base_labels__namespaces { + dimension: udm_events__metadata__base_labels__namespaces { + type: string + sql: ${TABLE} ;; + group_label: "metadata" + label: "metadata.base_labels.namespaces" + view_label: "UDM" + description: "All the namespaces." + } # dimension udm_events__metadata__base_labels__namespaces +} # view udm_events__metadata__base_labels__namespaces + +view: udm_events__metadata__ingestion_labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "metadata" + label: "metadata.ingestion_labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: source { + type: string + sql: ${TABLE}.source ;; + group_label: "metadata" + label: "metadata.ingestion_labels.source" + view_label: "UDM" + description: "@hide_from_doc" + } # dimension source + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "metadata" + label: "metadata.ingestion_labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view udm_events__metadata__ingestion_labels + +view: udm_events__metadata__tags__data_tap_config_name { + dimension: udm_events__metadata__tags__data_tap_config_name { + type: string + sql: ${TABLE} ;; + group_label: "metadata" + label: "metadata.tags.data_tap_config_name" + view_label: "UDM" + description: "A list of sink name values defined in DataTap configurations." + } # dimension udm_events__metadata__tags__data_tap_config_name +} # view udm_events__metadata__tags__data_tap_config_name + +view: udm_events__metadata__tags__tenant_id { + dimension: udm_events__metadata__tags__tenant_id { + type: string + sql: ${TABLE} ;; + group_label: "metadata" + label: "metadata.tags.tenant_id" + view_label: "UDM" + description: "A list of subtenant ids that this event belongs to." 
+ } # dimension udm_events__metadata__tags__tenant_id +} # view udm_events__metadata__tags__tenant_id + +view: udm_events__network__dhcp__options { + dimension: code { + type: number + sql: ${TABLE}.code ;; + group_label: "network" + label: "network.dhcp.options.code" + view_label: "UDM" + description: "Code. See RFC1533." + } # dimension code + +} # view udm_events__network__dhcp__options + +view: udm_events__network__dns__additional { + dimension: class { + type: number + sql: ${TABLE}.class ;; + group_label: "network" + label: "network.dns.additional.class" + view_label: "UDM" + description: "The code specifying the class of the resource record." + } # dimension class + + dimension: data { + type: string + sql: ${TABLE}.data ;; + group_label: "network" + label: "network.dns.additional.data" + view_label: "UDM" + description: "The payload or response to the DNS question for all responses encoded in UTF-8 format" + } # dimension data + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "network" + label: "network.dns.additional.name" + view_label: "UDM" + description: "The name of the owner of the resource record." + } # dimension name + + dimension: ttl { + type: number + sql: ${TABLE}.ttl ;; + group_label: "network" + label: "network.dns.additional.ttl" + view_label: "UDM" + description: "The time interval for which the resource record can be cached before the source of the information should again be queried." + } # dimension ttl + + dimension: type { + type: number + sql: ${TABLE}.type ;; + group_label: "network" + label: "network.dns.additional.type" + view_label: "UDM" + description: "The code specifying the type of the resource record." 
+ } # dimension type + +} # view udm_events__network__dns__additional + +view: udm_events__network__dns__answers { + dimension: binary_data { + type: string + sql: ${TABLE}.binary_data ;; + group_label: "network" + label: "network.dns.answers.binary_data" + view_label: "UDM" + description: "The raw bytes of any non-UTF8 strings that might be included as part of a DNS response." + } # dimension binary_data + + dimension: class { + type: number + sql: ${TABLE}.class ;; + group_label: "network" + label: "network.dns.answers.class" + view_label: "UDM" + description: "The code specifying the class of the resource record." + } # dimension class + + dimension: data { + type: string + sql: ${TABLE}.data ;; + group_label: "network" + label: "network.dns.answers.data" + view_label: "UDM" + description: "The payload or response to the DNS question for all responses encoded in UTF-8 format" + } # dimension data + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "network" + label: "network.dns.answers.name" + view_label: "UDM" + description: "The name of the owner of the resource record." + } # dimension name + + dimension: ttl { + type: number + sql: ${TABLE}.ttl ;; + group_label: "network" + label: "network.dns.answers.ttl" + view_label: "UDM" + description: "The time interval for which the resource record can be cached before the source of the information should again be queried." + } # dimension ttl + + dimension: type { + type: number + sql: ${TABLE}.type ;; + group_label: "network" + label: "network.dns.answers.type" + view_label: "UDM" + description: "The code specifying the type of the resource record." + } # dimension type + +} # view udm_events__network__dns__answers + +view: udm_events__network__dns__authority { + dimension: class { + type: number + sql: ${TABLE}.class ;; + group_label: "network" + label: "network.dns.authority.class" + view_label: "UDM" + description: "The code specifying the class of the resource record." 
+ } # dimension class + + dimension: data { + type: string + sql: ${TABLE}.data ;; + group_label: "network" + label: "network.dns.authority.data" + view_label: "UDM" + description: "The payload or response to the DNS question for all responses encoded in UTF-8 format" + } # dimension data + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "network" + label: "network.dns.authority.name" + view_label: "UDM" + description: "The name of the owner of the resource record." + } # dimension name + + dimension: ttl { + type: number + sql: ${TABLE}.ttl ;; + group_label: "network" + label: "network.dns.authority.ttl" + view_label: "UDM" + description: "The time interval for which the resource record can be cached before the source of the information should again be queried." + } # dimension ttl + + dimension: type { + type: number + sql: ${TABLE}.type ;; + group_label: "network" + label: "network.dns.authority.type" + view_label: "UDM" + description: "The code specifying the type of the resource record." + } # dimension type + +} # view udm_events__network__dns__authority + +view: udm_events__network__dns__questions { + dimension: class { + type: number + sql: ${TABLE}.class ;; + group_label: "network" + label: "network.dns.questions.class" + view_label: "UDM" + description: "The code specifying the class of the query." + } # dimension class + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "network" + label: "network.dns.questions.name" + view_label: "UDM" + description: "The domain name." + } # dimension name + + dimension: prevalence { + hidden: yes + } # dimension prevalence + + dimension: prevalence__day_count { + type: number + sql: ${TABLE}.prevalence.day_count ;; + group_label: "network" + label: "network.dns.questions.prevalence.day_count" + view_label: "UDM" + description: "The number of days over which rolling_max is calculated." 
+ } # dimension prevalence__day_count + + dimension: prevalence__rolling_max { + type: number + sql: ${TABLE}.prevalence.rolling_max ;; + group_label: "network" + label: "network.dns.questions.prevalence.rolling_max" + view_label: "UDM" + description: "The maximum number of assets per day accessing the resource over the trailing day_count days." + } # dimension prevalence__rolling_max + + dimension: type { + type: number + sql: ${TABLE}.type ;; + group_label: "network" + label: "network.dns.questions.type" + view_label: "UDM" + description: "The code specifying the type of the query." + } # dimension type + +} # view udm_events__network__dns__questions + +view: udm_events__network__email__bcc { + dimension: udm_events__network__email__bcc { + type: string + sql: ${TABLE} ;; + group_label: "network" + label: "network.email.bcc" + view_label: "UDM" + description: "A list of 'bcc' addresses." + } # dimension udm_events__network__email__bcc +} # view udm_events__network__email__bcc + +view: udm_events__network__email__cc { + dimension: udm_events__network__email__cc { + type: string + sql: ${TABLE} ;; + group_label: "network" + label: "network.email.cc" + view_label: "UDM" + description: "A list of 'cc' addresses." + } # dimension udm_events__network__email__cc +} # view udm_events__network__email__cc + +view: udm_events__network__email__subject { + dimension: udm_events__network__email__subject { + type: string + sql: ${TABLE} ;; + group_label: "network" + label: "network.email.subject" + view_label: "UDM" + description: "The subject line(s) of the email." + } # dimension udm_events__network__email__subject +} # view udm_events__network__email__subject + +view: udm_events__network__email__to { + dimension: udm_events__network__email__to { + type: string + sql: ${TABLE} ;; + group_label: "network" + label: "network.email.to" + view_label: "UDM" + description: "A list of 'to' addresses." 
+ } # dimension udm_events__network__email__to +} # view udm_events__network__email__to + +view: udm_events__network__http__parsed_user_agent__annotation { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "network" + label: "network.http.parsed_user_agent.annotation.key" + view_label: "UDM" + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "network" + label: "network.http.parsed_user_agent.annotation.value" + view_label: "UDM" + } # dimension value + +} # view udm_events__network__http__parsed_user_agent__annotation + +view: udm_events__network__tls__client__supported_ciphers { + dimension: udm_events__network__tls__client__supported_ciphers { + type: string + sql: ${TABLE} ;; + group_label: "network" + label: "network.tls.client.supported_ciphers" + view_label: "UDM" + description: "Ciphers supported by the client during client hello." + } # dimension udm_events__network__tls__client__supported_ciphers +} # view udm_events__network__tls__client__supported_ciphers + +view: udm_events__observer__asset__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "observer" + label: "observer.asset.attribute.labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "observer" + label: "observer.asset.attribute.labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view udm_events__observer__asset__attribute__labels + +view: udm_events__observer__asset__ip { + dimension: udm_events__observer__asset__ip { + type: string + sql: ${TABLE} ;; + group_label: "observer" + label: "observer.asset.ip" + view_label: "UDM" + description: "A list of IP addresses associated with an asset." 
+ } # dimension udm_events__observer__asset__ip +} # view udm_events__observer__asset__ip + +view: udm_events__observer__asset__software { + dimension: version { + type: string + sql: ${TABLE}.version ;; + group_label: "observer" + label: "observer.asset.software.version" + view_label: "UDM" + description: "The version of the software." + } # dimension version + +} # view udm_events__observer__asset__software + +view: udm_events__observer__asset__vulnerabilities { + dimension_group: observer__asset__vulnerabilities__scan_start_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.scan_start_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.scan_start_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "observer" + label: "observer.asset.vulnerabilities.scan_start_time" + view_label: "UDM" + description: "If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan started. This field can be left unset if the start time is not available or not applicable." + } # dimension observer__asset__vulnerabilities__scan_start_time + +} # view udm_events__observer__asset__vulnerabilities + +view: udm_events__observer__ip { + dimension: udm_events__observer__ip { + type: string + sql: ${TABLE} ;; + group_label: "observer" + label: "observer.ip" + view_label: "UDM" + description: "A list of IP addresses associated with a network connection." + } # dimension udm_events__observer__ip +} # view udm_events__observer__ip + +view: udm_events__observer__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "observer" + group_item_label: "observer.labels.key [D]" + label: "observer.labels.key" + view_label: "UDM" + description: "The key. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "observer" + group_item_label: "observer.labels.value [D]" + label: "observer.labels.value" + view_label: "UDM" + description: "The value. [D]: This field is deprecated and will be removed in a future release" + } # dimension value + +} # view udm_events__observer__labels + +view: udm_events__observer__mac { + dimension: udm_events__observer__mac { + type: string + sql: ${TABLE} ;; + group_label: "observer" + label: "observer.mac" + view_label: "UDM" + description: "List of MAC addresses associated with a device." + } # dimension udm_events__observer__mac +} # view udm_events__observer__mac + +view: udm_events__observer__resource__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "observer" + label: "observer.resource.attribute.labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "observer" + label: "observer.resource.attribute.labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view udm_events__observer__resource__attribute__labels + +view: udm_events__observer__user__email_addresses { + dimension: udm_events__observer__user__email_addresses { + type: string + sql: ${TABLE} ;; + group_label: "observer" + label: "observer.user.email_addresses" + view_label: "UDM" + description: "Email addresses of the user." 
+ } # dimension udm_events__observer__user__email_addresses +} # view udm_events__observer__user__email_addresses + +view: udm_events__observer__user__group_identifiers { + dimension: udm_events__observer__user__group_identifiers { + type: string + sql: ${TABLE} ;; + group_label: "observer" + label: "observer.user.group_identifiers" + view_label: "UDM" + description: "Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar)." + } # dimension udm_events__observer__user__group_identifiers +} # view udm_events__observer__user__group_identifiers + +view: udm_events__principal__artifact__network__dns__answers { + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "principal" + label: "principal.artifact.network.dns.answers.name" + view_label: "UDM" + description: "The name of the owner of the resource record." + } # dimension name + +} # view udm_events__principal__artifact__network__dns__answers + +view: udm_events__principal__asset__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "principal" + label: "principal.asset.attribute.labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "principal" + label: "principal.asset.attribute.labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view udm_events__principal__asset__attribute__labels + +view: udm_events__principal__asset__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "principal" + label: "principal.asset.attribute.roles.description" + view_label: "UDM" + description: "System role description for user." 
+ } # dimension description + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "principal" + label: "principal.asset.attribute.roles.name" + view_label: "UDM" + description: "System role name for user." + } # dimension name + + dimension: type { + type: number + sql: ${TABLE}.type ;; + group_label: "principal" + label: "principal.asset.attribute.roles.type" + view_label: "UDM" + description: "System role type for well known roles." + } # dimension type + + dimension: type_enum_name { + type: string + suggestions: ["ADMINISTRATOR", "SERVICE_ACCOUNT", "TYPE_UNSPECIFIED"] + sql: CASE ${TABLE}.type WHEN 0 THEN 'TYPE_UNSPECIFIED' WHEN 1 THEN 'ADMINISTRATOR' WHEN 2 THEN 'SERVICE_ACCOUNT' END ;; + group_label: "principal" + label: "principal.asset.attribute.roles.type_enum_name" + view_label: "UDM" + description: "System role type for well known roles." + } # dimension type_enum_name + +} # view udm_events__principal__asset__attribute__roles + +view: udm_events__principal__asset__hardware { + dimension: cpu_model { + type: string + sql: ${TABLE}.cpu_model ;; + group_label: "principal" + label: "principal.asset.hardware.cpu_model" + view_label: "UDM" + description: "Model description of the hardware CPU (e.g. \"2.8 GHz Quad-Core Intel Core i5\")." + } # dimension cpu_model + + dimension: cpu_platform { + type: string + sql: ${TABLE}.cpu_platform ;; + group_label: "principal" + label: "principal.asset.hardware.cpu_platform" + view_label: "UDM" + description: "Platform of the hardware CPU (e.g. \"Intel Broadwell\")." + } # dimension cpu_platform + + dimension: manufacturer { + type: string + sql: ${TABLE}.manufacturer ;; + group_label: "principal" + label: "principal.asset.hardware.manufacturer" + view_label: "UDM" + description: "Hardware manufacturer." 
+ } # dimension manufacturer + + dimension: model { + type: string + sql: ${TABLE}.model ;; + group_label: "principal" + label: "principal.asset.hardware.model" + view_label: "UDM" + description: "Hardware model." + } # dimension model + + dimension: ram { + type: number + sql: ${TABLE}.ram ;; + group_label: "principal" + label: "principal.asset.hardware.ram" + view_label: "UDM" + description: "Amount of the hardware ramdom access memory (RAM) in Mb." + } # dimension ram + + dimension: serial_number { + type: string + sql: ${TABLE}.serial_number ;; + group_label: "principal" + label: "principal.asset.hardware.serial_number" + view_label: "UDM" + description: "Hardware serial number." + } # dimension serial_number + +} # view udm_events__principal__asset__hardware + +view: udm_events__principal__asset__ip { + dimension: udm_events__principal__asset__ip { + type: string + sql: ${TABLE} ;; + group_label: "principal" + label: "principal.asset.ip" + view_label: "UDM" + description: "A list of IP addresses associated with an asset." + } # dimension udm_events__principal__asset__ip +} # view udm_events__principal__asset__ip + +view: udm_events__principal__asset__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "principal" + group_item_label: "principal.asset.labels.key [D]" + label: "principal.asset.labels.key" + view_label: "UDM" + description: "The key. [D]: This field is deprecated and will be removed in a future release" + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "principal" + group_item_label: "principal.asset.labels.value [D]" + label: "principal.asset.labels.value" + view_label: "UDM" + description: "The value. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension value + +} # view udm_events__principal__asset__labels + +view: udm_events__principal__asset__mac { + dimension: udm_events__principal__asset__mac { + type: string + sql: ${TABLE} ;; + group_label: "principal" + label: "principal.asset.mac" + view_label: "UDM" + description: "List of MAC addresses associated with an asset." + } # dimension udm_events__principal__asset__mac +} # view udm_events__principal__asset__mac + +view: udm_events__principal__asset__nat_ip { + dimension: udm_events__principal__asset__nat_ip { + type: string + sql: ${TABLE} ;; + group_label: "principal" + label: "principal.asset.nat_ip" + view_label: "UDM" + description: "List of NAT IP addresses associated with an asset." + } # dimension udm_events__principal__asset__nat_ip +} # view udm_events__principal__asset__nat_ip + +view: udm_events__principal__asset__software__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "principal" + label: "principal.asset.software.permissions.description" + view_label: "UDM" + description: "Description of the permission (e.g. 'Ability to update detect rules')." + } # dimension description + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "principal" + label: "principal.asset.software.permissions.name" + view_label: "UDM" + description: "Name of the permission (e.g. chronicle.analyst.updateRule)." + } # dimension name + +} # view udm_events__principal__asset__software__permissions + +view: udm_events__principal__asset__software { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "principal" + label: "principal.asset.software.description" + view_label: "UDM" + description: "The description of the software." 
+ } # dimension description + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "principal" + label: "principal.asset.software.name" + view_label: "UDM" + description: "The name of the software." + } # dimension name + + dimension: permissions { + hidden: yes + } # dimension permissions + + dimension: vendor_name { + type: string + sql: ${TABLE}.vendor_name ;; + group_label: "principal" + label: "principal.asset.software.vendor_name" + view_label: "UDM" + description: "The name of the software vendor." + } # dimension vendor_name + + dimension: version { + type: string + sql: ${TABLE}.version ;; + group_label: "principal" + label: "principal.asset.software.version" + view_label: "UDM" + description: "The version of the software." + } # dimension version + +} # view udm_events__principal__asset__software + +view: udm_events__principal__asset__vulnerabilities { + dimension: cve_description { + type: string + sql: ${TABLE}.cve_description ;; + group_label: "principal" + label: "principal.asset.vulnerabilities.cve_description" + view_label: "UDM" + description: "Common Vulnerabilities and Exposures Description. https://cve.mitre.org/about/faqs.html#what_is_cve_record" + } # dimension cve_description + + dimension: cve_id { + type: string + sql: ${TABLE}.cve_id ;; + group_label: "principal" + label: "principal.asset.vulnerabilities.cve_id" + view_label: "UDM" + description: "Common Vulnerabilities and Exposures Id.https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures https://cve.mitre.org/about/faqs.html#what_is_cve_id" + } # dimension cve_id + + dimension: cvss_base_score { + type: number + sql: ${TABLE}.cvss_base_score ;; + group_label: "principal" + label: "principal.asset.vulnerabilities.cvss_base_score" + view_label: "UDM" + description: "CVSS Base Score in the range of 0.0 to 10.0. Useful for sorting." 
+ } # dimension cvss_base_score + + dimension: cvss_vector { + type: string + sql: ${TABLE}.cvss_vector ;; + group_label: "principal" + label: "principal.asset.vulnerabilities.cvss_vector" + view_label: "UDM" + description: "Vector of CVSS properties (e.g. \"AV:L/AC:H/Au:N/C:N/I:P/A:C\") Can be linked to via: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=VALUE" + } # dimension cvss_vector + + dimension: cvss_version { + type: string + sql: ${TABLE}.cvss_version ;; + group_label: "principal" + label: "principal.asset.vulnerabilities.cvss_version" + view_label: "UDM" + description: "Version of CVSS Vector/Score." + } # dimension cvss_version + + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "principal" + label: "principal.asset.vulnerabilities.description" + view_label: "UDM" + description: "Description of the vulnerability." + } # dimension description + + dimension_group: principal__asset__vulnerabilities__first_found { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.first_found.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.first_found.nanos, 0) / 1000) as INT64)) ;; + group_label: "principal" + label: "principal.asset.vulnerabilities.first_found" + view_label: "UDM" + description: "Products that maintain a history of vuln scans should populate first_found with the time that a scan first detected the vulnerability on this asset." 
+ } # dimension principal__asset__vulnerabilities__first_found + + dimension_group: principal__asset__vulnerabilities__last_found { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.last_found.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.last_found.nanos, 0) / 1000) as INT64)) ;; + group_label: "principal" + label: "principal.asset.vulnerabilities.last_found" + view_label: "UDM" + description: "Products that maintain a history of vuln scans should populate last_found with the time that a scan last detected the vulnerability on this asset." + } # dimension principal__asset__vulnerabilities__last_found + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "principal" + label: "principal.asset.vulnerabilities.name" + view_label: "UDM" + description: "Name of the vulnerability (e.g. \"Unsupported OS Version detected\")." + } # dimension name + + dimension_group: principal__asset__vulnerabilities__scan_end_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.scan_end_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.scan_end_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "principal" + label: "principal.asset.vulnerabilities.scan_end_time" + view_label: "UDM" + description: "If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan ended. This field can be left unset if the end time is not available or not applicable." 
+ } # dimension principal__asset__vulnerabilities__scan_end_time + + dimension_group: principal__asset__vulnerabilities__scan_start_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.scan_start_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.scan_start_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "principal" + label: "principal.asset.vulnerabilities.scan_start_time" + view_label: "UDM" + description: "If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan started. This field can be left unset if the start time is not available or not applicable." + } # dimension principal__asset__vulnerabilities__scan_start_time + + dimension: severity { + type: number + sql: ${TABLE}.severity ;; + group_label: "principal" + label: "principal.asset.vulnerabilities.severity" + view_label: "UDM" + description: "The severity of the vulnerability." + } # dimension severity + + dimension: severity_enum_name { + type: string + suggestions: ["CRITICAL", "HIGH", "LOW", "MEDIUM", "UNKNOWN_SEVERITY"] + sql: CASE ${TABLE}.severity WHEN 0 THEN 'UNKNOWN_SEVERITY' WHEN 1 THEN 'LOW' WHEN 2 THEN 'MEDIUM' WHEN 3 THEN 'HIGH' WHEN 4 THEN 'CRITICAL' END ;; + group_label: "principal" + label: "principal.asset.vulnerabilities.severity_enum_name" + view_label: "UDM" + description: "The severity of the vulnerability." + } # dimension severity_enum_name + + dimension: severity_details { + type: string + sql: ${TABLE}.severity_details ;; + group_label: "principal" + label: "principal.asset.vulnerabilities.severity_details" + view_label: "UDM" + description: "Vendor-specific severity" + } # dimension severity_details + + dimension: vendor { + type: string + sql: ${TABLE}.vendor ;; + group_label: "principal" + label: "principal.asset.vulnerabilities.vendor" + view_label: "UDM" + description: "Vendor of scan that discovered vulnerability." 
+ } # dimension vendor + + dimension: vendor_knowledge_base_article_id { + type: string + sql: ${TABLE}.vendor_knowledge_base_article_id ;; + group_label: "principal" + label: "principal.asset.vulnerabilities.vendor_knowledge_base_article_id" + view_label: "UDM" + description: "Vendor specific knowledge base article (e.g. \"KBXXXXXX\" from Microsoft). https://en.wikipedia.org/wiki/Microsoft_Knowledge_Base https://access.redhat.com/knowledgebase" + } # dimension vendor_knowledge_base_article_id + + dimension: vendor_vulnerability_id { + type: string + sql: ${TABLE}.vendor_vulnerability_id ;; + group_label: "principal" + label: "principal.asset.vulnerabilities.vendor_vulnerability_id" + view_label: "UDM" + description: "Vendor specific vulnerability id (e.g. Microsoft security bulletin id)." + } # dimension vendor_vulnerability_id + +} # view udm_events__principal__asset__vulnerabilities + +view: udm_events__principal__domain__name_server { + dimension: udm_events__principal__domain__name_server { + type: string + sql: ${TABLE} ;; + group_label: "principal" + label: "principal.domain.name_server" + view_label: "UDM" + description: "Repeated list of name servers." + } # dimension udm_events__principal__domain__name_server +} # view udm_events__principal__domain__name_server + +view: udm_events__principal__domain__tech__group_identifiers { + dimension: udm_events__principal__domain__tech__group_identifiers { + type: string + sql: ${TABLE} ;; + group_label: "principal" + label: "principal.domain.tech.group_identifiers" + view_label: "UDM" + description: "Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar)." 
+ } # dimension udm_events__principal__domain__tech__group_identifiers +} # view udm_events__principal__domain__tech__group_identifiers + +view: udm_events__principal__file__names { + dimension: udm_events__principal__file__names { + type: string + sql: ${TABLE} ;; + group_label: "principal" + label: "principal.file.names" + view_label: "UDM" + description: "Names fields." + } # dimension udm_events__principal__file__names +} # view udm_events__principal__file__names + +view: udm_events__principal__group__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "principal" + label: "principal.group.attribute.labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "principal" + label: "principal.group.attribute.labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view udm_events__principal__group__attribute__labels + +view: udm_events__principal__group__attribute__roles { + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "principal" + label: "principal.group.attribute.roles.name" + view_label: "UDM" + description: "System role name for user." + } # dimension name + +} # view udm_events__principal__group__attribute__roles + +view: udm_events__principal__group__email_addresses { + dimension: udm_events__principal__group__email_addresses { + type: string + sql: ${TABLE} ;; + group_label: "principal" + label: "principal.group.email_addresses" + view_label: "UDM" + description: "Email addresses of the group." 
+ } # dimension udm_events__principal__group__email_addresses +} # view udm_events__principal__group__email_addresses + +view: udm_events__principal__investigation__comments { + dimension: udm_events__principal__investigation__comments { + type: string + sql: ${TABLE} ;; + group_label: "principal" + label: "principal.investigation.comments" + view_label: "UDM" + description: "Comment added by the Analyst." + } # dimension udm_events__principal__investigation__comments +} # view udm_events__principal__investigation__comments + +view: udm_events__principal__ip { + dimension: udm_events__principal__ip { + type: string + sql: ${TABLE} ;; + group_label: "principal" + label: "principal.ip" + view_label: "UDM" + description: "A list of IP addresses associated with a network connection." + } # dimension udm_events__principal__ip +} # view udm_events__principal__ip + +view: udm_events__principal__ip_geo_artifact { + dimension: ip { + type: string + sql: ${TABLE}.ip ;; + group_label: "principal" + label: "principal.ip_geo_artifact.ip" + view_label: "UDM" + description: "IP address of the artifact." + } # dimension ip + + dimension: location { + hidden: yes + } # dimension location + + dimension: location__country_or_region { + type: string + sql: ${TABLE}.location.country_or_region ;; + group_label: "principal" + label: "principal.ip_geo_artifact.location.country_or_region" + view_label: "UDM" + description: "The country or region." + } # dimension location__country_or_region + + dimension: location__region_coordinates { + type: location + sql_latitude: ${TABLE}.location.region_coordinates.latitude ;; + sql_longitude: ${TABLE}.location.region_coordinates.longitude ;; + group_label: "principal" + group_item_label: "principal.ip_geo_artifact.location.region_coordinates [L]" + label: "principal.ip_geo_artifact.location.region_coordinates" + view_label: "UDM" + description: "Coordinates for the associated region. 
See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. [L]: This is a location field and can be used in maps." + } # dimension location__region_coordinates + + dimension: location__region_latitude { + type: number + sql: ${TABLE}.location.region_latitude ;; + group_label: "principal" + group_item_label: "principal.ip_geo_artifact.location.region_latitude [D]" + label: "principal.ip_geo_artifact.location.region_latitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" + } # dimension location__region_latitude + + dimension: location__region_longitude { + type: number + sql: ${TABLE}.location.region_longitude ;; + group_label: "principal" + group_item_label: "principal.ip_geo_artifact.location.region_longitude [D]" + label: "principal.ip_geo_artifact.location.region_longitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" + } # dimension location__region_longitude + + dimension: location__location { + type: location + sql_latitude: ${TABLE}.location.region_latitude ;; + sql_longitude: ${TABLE}.location.region_longitude ;; + group_label: "principal" + group_item_label: "principal.ip_geo_artifact.location.location [D][L]" + label: "principal.ip_geo_artifact.location.location" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." + } # dimension location__location + + dimension: location__state { + type: string + sql: ${TABLE}.location.state ;; + group_label: "principal" + label: "principal.ip_geo_artifact.location.state" + view_label: "UDM" + description: "The state." 
+ } # dimension location__state + + dimension: network { + hidden: yes + } # dimension network + + dimension: network__asn { + type: string + sql: ${TABLE}.network.asn ;; + group_label: "principal" + label: "principal.ip_geo_artifact.network.asn" + view_label: "UDM" + description: "Autonomous system number." + } # dimension network__asn + + dimension: network__carrier_name { + type: string + sql: ${TABLE}.network.carrier_name ;; + group_label: "principal" + label: "principal.ip_geo_artifact.network.carrier_name" + view_label: "UDM" + description: "Carrier identification." + } # dimension network__carrier_name + + dimension: network__dns_domain { + type: string + sql: ${TABLE}.network.dns_domain ;; + group_label: "principal" + label: "principal.ip_geo_artifact.network.dns_domain" + view_label: "UDM" + description: "DNS domain name." + } # dimension network__dns_domain + + dimension: network__organization_name { + type: string + sql: ${TABLE}.network.organization_name ;; + group_label: "principal" + label: "principal.ip_geo_artifact.network.organization_name" + view_label: "UDM" + description: "Organization name (e.g Google)." + } # dimension network__organization_name + +} # view udm_events__principal__ip_geo_artifact + +view: udm_events__principal__ip_location { + dimension: city { + type: string + sql: ${TABLE}.city ;; + group_label: "principal" + group_item_label: "principal.ip_location.city [D]" + label: "principal.ip_location.city" + view_label: "UDM" + description: "The city. [D]: This field is deprecated and will be removed in a future release" + } # dimension city + + dimension: country_or_region { + type: string + sql: ${TABLE}.country_or_region ;; + group_label: "principal" + group_item_label: "principal.ip_location.country_or_region [D]" + label: "principal.ip_location.country_or_region" + view_label: "UDM" + description: "The country or region. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension country_or_region + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "principal" + group_item_label: "principal.ip_location.name [D]" + label: "principal.ip_location.name" + view_label: "UDM" + description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\"). [D]: This field is deprecated and will be removed in a future release" + } # dimension name + + dimension: region_coordinates { + type: location + sql_latitude: ${TABLE}.region_coordinates.latitude ;; + sql_longitude: ${TABLE}.region_coordinates.longitude ;; + group_label: "principal" + group_item_label: "principal.ip_location.region_coordinates [D][L]" + label: "principal.ip_location.region_coordinates" + view_label: "UDM" + description: "Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." + } # dimension region_coordinates + + dimension: region_latitude { + type: number + sql: ${TABLE}.region_latitude ;; + group_label: "principal" + group_item_label: "principal.ip_location.region_latitude [D]" + label: "principal.ip_location.region_latitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" + } # dimension region_latitude + + dimension: region_longitude { + type: number + sql: ${TABLE}.region_longitude ;; + group_label: "principal" + group_item_label: "principal.ip_location.region_longitude [D]" + label: "principal.ip_location.region_longitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension region_longitude + + dimension: location { + type: location + sql_latitude: ${TABLE}.region_latitude ;; + sql_longitude: ${TABLE}.region_longitude ;; + group_label: "principal" + group_item_label: "principal.ip_location.location [D][L]" + label: "principal.ip_location.location" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." + } # dimension location + + dimension: state { + type: string + sql: ${TABLE}.state ;; + group_label: "principal" + group_item_label: "principal.ip_location.state [D]" + label: "principal.ip_location.state" + view_label: "UDM" + description: "The state. [D]: This field is deprecated and will be removed in a future release" + } # dimension state + +} # view udm_events__principal__ip_location + +view: udm_events__principal__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "principal" + group_item_label: "principal.labels.key [D]" + label: "principal.labels.key" + view_label: "UDM" + description: "The key. [D]: This field is deprecated and will be removed in a future release" + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "principal" + group_item_label: "principal.labels.value [D]" + label: "principal.labels.value" + view_label: "UDM" + description: "The value. [D]: This field is deprecated and will be removed in a future release" + } # dimension value + +} # view udm_events__principal__labels + +view: udm_events__principal__mac { + dimension: udm_events__principal__mac { + type: string + sql: ${TABLE} ;; + group_label: "principal" + label: "principal.mac" + view_label: "UDM" + description: "List of MAC addresses associated with a device." 
+ } # dimension udm_events__principal__mac +} # view udm_events__principal__mac + +view: udm_events__principal__nat_ip { + dimension: udm_events__principal__nat_ip { + type: string + sql: ${TABLE} ;; + group_label: "principal" + label: "principal.nat_ip" + view_label: "UDM" + description: "A list of NAT translated IP addresses associated with a network connection." + } # dimension udm_events__principal__nat_ip +} # view udm_events__principal__nat_ip + +view: udm_events__principal__process__command_line_history { + dimension: udm_events__principal__process__command_line_history { + type: string + sql: ${TABLE} ;; + group_label: "principal" + label: "principal.process.command_line_history" + view_label: "UDM" + description: "The command line history of the process." + } # dimension udm_events__principal__process__command_line_history +} # view udm_events__principal__process__command_line_history + +view: udm_events__principal__process__file__capabilities_tags { + dimension: udm_events__principal__process__file__capabilities_tags { + type: string + sql: ${TABLE} ;; + group_label: "principal" + label: "principal.process.file.capabilities_tags" + view_label: "UDM" + description: "Capabilities tags." + } # dimension udm_events__principal__process__file__capabilities_tags +} # view udm_events__principal__process__file__capabilities_tags + +view: udm_events__principal__process__file__names { + dimension: udm_events__principal__process__file__names { + type: string + sql: ${TABLE} ;; + group_label: "principal" + label: "principal.process.file.names" + view_label: "UDM" + description: "Names fields." 
+ } # dimension udm_events__principal__process__file__names +} # view udm_events__principal__process__file__names + +view: udm_events__principal__process_ancestors { + dimension: file { + hidden: yes + } # dimension file + + dimension: file__full_path { + type: string + sql: ${TABLE}.file.full_path ;; + group_label: "principal" + label: "principal.process_ancestors.file.full_path" + view_label: "UDM" + description: "The full path identifying the location of the file on the system." + } # dimension file__full_path + + dimension: pid { + type: string + sql: ${TABLE}.pid ;; + group_label: "principal" + label: "principal.process_ancestors.pid" + view_label: "UDM" + description: "The process ID." + } # dimension pid + +} # view udm_events__principal__process_ancestors + +view: udm_events__principal__resource__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "principal" + label: "principal.resource.attribute.labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "principal" + label: "principal.resource.attribute.labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view udm_events__principal__resource__attribute__labels + +view: udm_events__principal__resource__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "principal" + label: "principal.resource.attribute.permissions.description" + view_label: "UDM" + description: "Description of the permission (e.g. 'Ability to update detect rules')." + } # dimension description + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "principal" + label: "principal.resource.attribute.permissions.name" + view_label: "UDM" + description: "Name of the permission (e.g. chronicle.analyst.updateRule)." 
+ } # dimension name + + dimension: type { + type: number + sql: ${TABLE}.type ;; + group_label: "principal" + label: "principal.resource.attribute.permissions.type" + view_label: "UDM" + description: "Type of the permission." + } # dimension type + + dimension: type_enum_name { + type: string + suggestions: ["ADMIN_READ", "ADMIN_WRITE", "DATA_READ", "DATA_WRITE", "UNKNOWN_PERMISSION_TYPE"] + sql: CASE ${TABLE}.type WHEN 0 THEN 'UNKNOWN_PERMISSION_TYPE' WHEN 1 THEN 'ADMIN_WRITE' WHEN 2 THEN 'ADMIN_READ' WHEN 3 THEN 'DATA_WRITE' WHEN 4 THEN 'DATA_READ' END ;; + group_label: "principal" + label: "principal.resource.attribute.permissions.type_enum_name" + view_label: "UDM" + description: "Type of the permission." + } # dimension type_enum_name + +} # view udm_events__principal__resource__attribute__permissions + +view: udm_events__principal__resource__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "principal" + label: "principal.resource.attribute.roles.description" + view_label: "UDM" + description: "System role description for user." + } # dimension description + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "principal" + label: "principal.resource.attribute.roles.name" + view_label: "UDM" + description: "System role name for user." + } # dimension name + + dimension: type { + type: number + sql: ${TABLE}.type ;; + group_label: "principal" + label: "principal.resource.attribute.roles.type" + view_label: "UDM" + description: "System role type for well known roles." 
+ } # dimension type + + dimension: type_enum_name { + type: string + suggestions: ["ADMINISTRATOR", "SERVICE_ACCOUNT", "TYPE_UNSPECIFIED"] + sql: CASE ${TABLE}.type WHEN 0 THEN 'TYPE_UNSPECIFIED' WHEN 1 THEN 'ADMINISTRATOR' WHEN 2 THEN 'SERVICE_ACCOUNT' END ;; + group_label: "principal" + label: "principal.resource.attribute.roles.type_enum_name" + view_label: "UDM" + description: "System role type for well known roles." + } # dimension type_enum_name + +} # view udm_events__principal__resource__attribute__roles + +view: udm_events__principal__resource_ancestors__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "principal" + label: "principal.resource_ancestors.attribute.labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "principal" + label: "principal.resource_ancestors.attribute.labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view udm_events__principal__resource_ancestors__attribute__labels + +view: udm_events__principal__resource_ancestors { + dimension: attribute { + hidden: yes + } # dimension attribute + + dimension: attribute__labels { + hidden: yes + } # dimension attribute__labels + + dimension: id { + type: string + sql: ${TABLE}.id ;; + group_label: "principal" + group_item_label: "principal.resource_ancestors.id [D]" + label: "principal.resource_ancestors.id" + view_label: "UDM" + description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" + } # dimension id + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "principal" + label: "principal.resource_ancestors.name" + view_label: "UDM" + description: "The full name of the resource. 
For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." + } # dimension name + + dimension: parent { + type: string + sql: ${TABLE}.parent ;; + group_label: "principal" + group_item_label: "principal.resource_ancestors.parent [D]" + label: "principal.resource_ancestors.parent" + view_label: "UDM" + description: "The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: use resource_ancestors.name. [D]: This field is deprecated and will be removed in a future release" + } # dimension parent + + dimension: product_object_id { + type: string + sql: ${TABLE}.product_object_id ;; + group_label: "principal" + label: "principal.resource_ancestors.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" + } # dimension product_object_id + + dimension: resource_type { + type: number + sql: ${TABLE}.resource_type ;; + group_label: "principal" + label: "principal.resource_ancestors.resource_type" + view_label: "UDM" + description: "Resource type." 
+ } # dimension resource_type + + dimension: resource_type_enum_name { + type: string + suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] + sql: CASE ${TABLE}.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; + group_label: "principal" + label: "principal.resource_ancestors.resource_type_enum_name" + view_label: "UDM" + description: "Resource type." + } # dimension resource_type_enum_name + +} # view udm_events__principal__resource_ancestors + +view: udm_events__principal__user__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "principal" + label: "principal.user.attribute.labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "principal" + label: "principal.user.attribute.labels.value" + view_label: "UDM" + description: "The value." 
+ } # dimension value + +} # view udm_events__principal__user__attribute__labels + +view: udm_events__principal__user__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "principal" + label: "principal.user.attribute.permissions.description" + view_label: "UDM" + description: "Description of the permission (e.g. 'Ability to update detect rules')." + } # dimension description + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "principal" + label: "principal.user.attribute.permissions.name" + view_label: "UDM" + description: "Name of the permission (e.g. chronicle.analyst.updateRule)." + } # dimension name + + dimension: type { + type: number + sql: ${TABLE}.type ;; + group_label: "principal" + label: "principal.user.attribute.permissions.type" + view_label: "UDM" + description: "Type of the permission." + } # dimension type + + dimension: type_enum_name { + type: string + suggestions: ["ADMIN_READ", "ADMIN_WRITE", "DATA_READ", "DATA_WRITE", "UNKNOWN_PERMISSION_TYPE"] + sql: CASE ${TABLE}.type WHEN 0 THEN 'UNKNOWN_PERMISSION_TYPE' WHEN 1 THEN 'ADMIN_WRITE' WHEN 2 THEN 'ADMIN_READ' WHEN 3 THEN 'DATA_WRITE' WHEN 4 THEN 'DATA_READ' END ;; + group_label: "principal" + label: "principal.user.attribute.permissions.type_enum_name" + view_label: "UDM" + description: "Type of the permission." + } # dimension type_enum_name + +} # view udm_events__principal__user__attribute__permissions + +view: udm_events__principal__user__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "principal" + label: "principal.user.attribute.roles.description" + view_label: "UDM" + description: "System role description for user." + } # dimension description + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "principal" + label: "principal.user.attribute.roles.name" + view_label: "UDM" + description: "System role name for user." 
+ } # dimension name + + dimension: type { + type: number + sql: ${TABLE}.type ;; + group_label: "principal" + label: "principal.user.attribute.roles.type" + view_label: "UDM" + description: "System role type for well known roles." + } # dimension type + + dimension: type_enum_name { + type: string + suggestions: ["ADMINISTRATOR", "SERVICE_ACCOUNT", "TYPE_UNSPECIFIED"] + sql: CASE ${TABLE}.type WHEN 0 THEN 'TYPE_UNSPECIFIED' WHEN 1 THEN 'ADMINISTRATOR' WHEN 2 THEN 'SERVICE_ACCOUNT' END ;; + group_label: "principal" + label: "principal.user.attribute.roles.type_enum_name" + view_label: "UDM" + description: "System role type for well known roles." + } # dimension type_enum_name + +} # view udm_events__principal__user__attribute__roles + +view: udm_events__principal__user__department { + dimension: udm_events__principal__user__department { + type: string + sql: ${TABLE} ;; + group_label: "principal" + label: "principal.user.department" + view_label: "UDM" + description: "User job department" + } # dimension udm_events__principal__user__department +} # view udm_events__principal__user__department + +view: udm_events__principal__user__email_addresses { + dimension: udm_events__principal__user__email_addresses { + type: string + sql: ${TABLE} ;; + group_label: "principal" + label: "principal.user.email_addresses" + view_label: "UDM" + description: "Email addresses of the user." + } # dimension udm_events__principal__user__email_addresses +} # view udm_events__principal__user__email_addresses + +view: udm_events__principal__user__group_identifiers { + dimension: udm_events__principal__user__group_identifiers { + type: string + sql: ${TABLE} ;; + group_label: "principal" + label: "principal.user.group_identifiers" + view_label: "UDM" + description: "Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar)." 
+ } # dimension udm_events__principal__user__group_identifiers +} # view udm_events__principal__user__group_identifiers + +view: udm_events__principal__user__managers__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "principal" + label: "principal.user.managers.attribute.labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "principal" + label: "principal.user.managers.attribute.labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view udm_events__principal__user__managers__attribute__labels + +view: udm_events__principal__user__managers__attribute__roles { + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "principal" + label: "principal.user.managers.attribute.roles.name" + view_label: "UDM" + description: "System role name for user." + } # dimension name + + dimension: type { + type: number + sql: ${TABLE}.type ;; + group_label: "principal" + label: "principal.user.managers.attribute.roles.type" + view_label: "UDM" + description: "System role type for well known roles." + } # dimension type + + dimension: type_enum_name { + type: string + suggestions: ["ADMINISTRATOR", "SERVICE_ACCOUNT", "TYPE_UNSPECIFIED"] + sql: CASE ${TABLE}.type WHEN 0 THEN 'TYPE_UNSPECIFIED' WHEN 1 THEN 'ADMINISTRATOR' WHEN 2 THEN 'SERVICE_ACCOUNT' END ;; + group_label: "principal" + label: "principal.user.managers.attribute.roles.type_enum_name" + view_label: "UDM" + description: "System role type for well known roles." 
+ } # dimension type_enum_name + +} # view udm_events__principal__user__managers__attribute__roles + +view: udm_events__principal__user__managers__department { + dimension: udm_events__principal__user__managers__department { + type: string + sql: ${TABLE} ;; + group_label: "principal" + label: "principal.user.managers.department" + view_label: "UDM" + description: "User job department" + } # dimension udm_events__principal__user__managers__department +} # view udm_events__principal__user__managers__department + +view: udm_events__principal__user__managers__email_addresses { + dimension: udm_events__principal__user__managers__email_addresses { + type: string + sql: ${TABLE} ;; + group_label: "principal" + label: "principal.user.managers.email_addresses" + view_label: "UDM" + description: "Email addresses of the user." + } # dimension udm_events__principal__user__managers__email_addresses +} # view udm_events__principal__user__managers__email_addresses + +view: udm_events__principal__user__managers__group_identifiers { + dimension: udm_events__principal__user__managers__group_identifiers { + type: string + sql: ${TABLE} ;; + group_label: "principal" + label: "principal.user.managers.group_identifiers" + view_label: "UDM" + description: "Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar)." + } # dimension udm_events__principal__user__managers__group_identifiers +} # view udm_events__principal__user__managers__group_identifiers + +view: udm_events__principal__user__managers__phone_numbers { + dimension: udm_events__principal__user__managers__phone_numbers { + type: string + sql: ${TABLE} ;; + group_label: "principal" + label: "principal.user.managers.phone_numbers" + view_label: "UDM" + description: "Phone numbers for the user." 
+ } # dimension udm_events__principal__user__managers__phone_numbers +} # view udm_events__principal__user__managers__phone_numbers + +view: udm_events__principal__user__managers { + dimension: attribute { + hidden: yes + } # dimension attribute + + dimension: attribute__labels { + hidden: yes + } # dimension attribute__labels + + dimension: attribute__roles { + hidden: yes + } # dimension attribute__roles + + dimension: company_name { + type: string + sql: ${TABLE}.company_name ;; + group_label: "principal" + label: "principal.user.managers.company_name" + view_label: "UDM" + description: "User job company name." + } # dimension company_name + + dimension: department { + hidden: yes + } # dimension department + + dimension: email_addresses { + hidden: yes + } # dimension email_addresses + + dimension: employee_id { + type: string + sql: ${TABLE}.employee_id ;; + group_label: "principal" + label: "principal.user.managers.employee_id" + view_label: "UDM" + description: "Human capital management identifier." + } # dimension employee_id + + dimension: first_name { + type: string + sql: ${TABLE}.first_name ;; + group_label: "principal" + label: "principal.user.managers.first_name" + view_label: "UDM" + description: "First name of the user (e.g. \"John\")." + } # dimension first_name + + dimension: group_identifiers { + hidden: yes + } # dimension group_identifiers + + dimension: last_name { + type: string + sql: ${TABLE}.last_name ;; + group_label: "principal" + label: "principal.user.managers.last_name" + view_label: "UDM" + description: "Last name of the user (e.g. \"Locke\")." + } # dimension last_name + + dimension: personal_address { + hidden: yes + } # dimension personal_address + + dimension: personal_address__city { + type: string + sql: ${TABLE}.personal_address.city ;; + group_label: "principal" + label: "principal.user.managers.personal_address.city" + view_label: "UDM" + description: "The city." 
+ } # dimension personal_address__city + + dimension: personal_address__country_or_region { + type: string + sql: ${TABLE}.personal_address.country_or_region ;; + group_label: "principal" + label: "principal.user.managers.personal_address.country_or_region" + view_label: "UDM" + description: "The country or region." + } # dimension personal_address__country_or_region + + dimension: personal_address__name { + type: string + sql: ${TABLE}.personal_address.name ;; + group_label: "principal" + label: "principal.user.managers.personal_address.name" + view_label: "UDM" + description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." + } # dimension personal_address__name + + dimension: personal_address__state { + type: string + sql: ${TABLE}.personal_address.state ;; + group_label: "principal" + label: "principal.user.managers.personal_address.state" + view_label: "UDM" + description: "The state." + } # dimension personal_address__state + + dimension: phone_numbers { + hidden: yes + } # dimension phone_numbers + + dimension: product_object_id { + type: string + sql: ${TABLE}.product_object_id ;; + group_label: "principal" + label: "principal.user.managers.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." + } # dimension product_object_id + + dimension: title { + type: string + sql: ${TABLE}.title ;; + group_label: "principal" + label: "principal.user.managers.title" + view_label: "UDM" + description: "User job title." + } # dimension title + + dimension: user_display_name { + type: string + sql: ${TABLE}.user_display_name ;; + group_label: "principal" + label: "principal.user.managers.user_display_name" + view_label: "UDM" + description: "The display name of the user (e.g. \"John Locke\")." 
+ } # dimension user_display_name + + dimension: userid { + type: string + sql: ${TABLE}.userid ;; + group_label: "principal" + label: "principal.user.managers.userid" + view_label: "UDM" + description: "The ID of the user." + } # dimension userid + + dimension: windows_sid { + type: string + sql: ${TABLE}.windows_sid ;; + group_label: "principal" + label: "principal.user.managers.windows_sid" + view_label: "UDM" + description: "The Microsoft Windows SID of the user." + } # dimension windows_sid + +} # view udm_events__principal__user__managers + +view: udm_events__principal__user__phone_numbers { + dimension: udm_events__principal__user__phone_numbers { + type: string + sql: ${TABLE} ;; + group_label: "principal" + label: "principal.user.phone_numbers" + view_label: "UDM" + description: "Phone numbers for the user." + } # dimension udm_events__principal__user__phone_numbers +} # view udm_events__principal__user__phone_numbers + +view: udm_events__principal__user__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "principal" + label: "principal.user.time_off.description" + view_label: "UDM" + description: "Description of the leave if available (e.g. 'Vacation')." + } # dimension description + + dimension_group: principal__user__time_off__interval { + type: duration + intervals: [ second, minute, hour ] + sql_start: TIMESTAMP_MICROS(IFNULL(${TABLE}.interval.start_time.seconds,0) * 1000000 + CAST((IFNULL(${TABLE}.interval.start_time.nanos,0) / 1000) as INT64)) ;; + sql_end: TIMESTAMP_MICROS(IFNULL(${TABLE}.interval.end_time.seconds,0) * 1000000 + CAST((IFNULL(${TABLE}.interval.end_time.nanos,0) / 1000) as INT64)) ;; + group_label: "principal" + label: "principal.user.time_off.interval" + view_label: "UDM" + description: "Interval duration of the leave." 
+ } # dimension principal__user__time_off__interval + +} # view udm_events__principal__user__time_off + +view: udm_events__security_result__about__asset__attribute__permissions { + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "security_result" + label: "security_result.about.asset.attribute.permissions.name" + view_label: "UDM" + description: "Name of the permission (e.g. chronicle.analyst.updateRule)." + } # dimension name + +} # view udm_events__security_result__about__asset__attribute__permissions + +view: udm_events__security_result__about__asset__ip { + dimension: udm_events__security_result__about__asset__ip { + type: string + sql: ${TABLE} ;; + group_label: "security_result" + label: "security_result.about.asset.ip" + view_label: "UDM" + description: "A list of IP addresses associated with an asset." + } # dimension udm_events__security_result__about__asset__ip +} # view udm_events__security_result__about__asset__ip + +view: udm_events__security_result__about__asset__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "security_result" + group_item_label: "security_result.about.asset.labels.key [D]" + label: "security_result.about.asset.labels.key" + view_label: "UDM" + description: "The key. [D]: This field is deprecated and will be removed in a future release" + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "security_result" + group_item_label: "security_result.about.asset.labels.value [D]" + label: "security_result.about.asset.labels.value" + view_label: "UDM" + description: "The value. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension value + +} # view udm_events__security_result__about__asset__labels + +view: udm_events__security_result__about__asset__mac { + dimension: udm_events__security_result__about__asset__mac { + type: string + sql: ${TABLE} ;; + group_label: "security_result" + label: "security_result.about.asset.mac" + view_label: "UDM" + description: "List of MAC addresses associated with an asset." + } # dimension udm_events__security_result__about__asset__mac +} # view udm_events__security_result__about__asset__mac + +view: udm_events__security_result__about__asset__software__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "security_result" + label: "security_result.about.asset.software.permissions.description" + view_label: "UDM" + description: "Description of the permission (e.g. 'Ability to update detect rules')." + } # dimension description + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "security_result" + label: "security_result.about.asset.software.permissions.name" + view_label: "UDM" + description: "Name of the permission (e.g. chronicle.analyst.updateRule)." + } # dimension name + +} # view udm_events__security_result__about__asset__software__permissions + +view: udm_events__security_result__about__asset__software { + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "security_result" + label: "security_result.about.asset.software.name" + view_label: "UDM" + description: "The name of the software." + } # dimension name + + dimension: permissions { + hidden: yes + } # dimension permissions + + dimension: version { + type: string + sql: ${TABLE}.version ;; + group_label: "security_result" + label: "security_result.about.asset.software.version" + view_label: "UDM" + description: "The version of the software." 
+ } # dimension version + +} # view udm_events__security_result__about__asset__software + +view: udm_events__security_result__about__asset__vulnerabilities { + dimension: cvss_base_score { + type: number + sql: ${TABLE}.cvss_base_score ;; + group_label: "security_result" + label: "security_result.about.asset.vulnerabilities.cvss_base_score" + view_label: "UDM" + description: "CVSS Base Score in the range of 0.0 to 10.0. Useful for sorting." + } # dimension cvss_base_score + +} # view udm_events__security_result__about__asset__vulnerabilities + +view: udm_events__security_result__about__domain__tech__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "security_result" + label: "security_result.about.domain.tech.attribute.permissions.description" + view_label: "UDM" + description: "Description of the permission (e.g. 'Ability to update detect rules')." + } # dimension description + +} # view udm_events__security_result__about__domain__tech__attribute__permissions + +view: udm_events__security_result__about__file__capabilities_tags { + dimension: udm_events__security_result__about__file__capabilities_tags { + type: string + sql: ${TABLE} ;; + group_label: "security_result" + label: "security_result.about.file.capabilities_tags" + view_label: "UDM" + description: "Capabilities tags." + } # dimension udm_events__security_result__about__file__capabilities_tags +} # view udm_events__security_result__about__file__capabilities_tags + +view: udm_events__security_result__about__file__names { + dimension: udm_events__security_result__about__file__names { + type: string + sql: ${TABLE} ;; + group_label: "security_result" + label: "security_result.about.file.names" + view_label: "UDM" + description: "Names fields." 
+ } # dimension udm_events__security_result__about__file__names +} # view udm_events__security_result__about__file__names + +view: udm_events__security_result__about__investigation__comments { + dimension: udm_events__security_result__about__investigation__comments { + type: string + sql: ${TABLE} ;; + group_label: "security_result" + label: "security_result.about.investigation.comments" + view_label: "UDM" + description: "Comment added by the Analyst." + } # dimension udm_events__security_result__about__investigation__comments +} # view udm_events__security_result__about__investigation__comments + +view: udm_events__security_result__about__ip { + dimension: udm_events__security_result__about__ip { + type: string + sql: ${TABLE} ;; + group_label: "security_result" + label: "security_result.about.ip" + view_label: "UDM" + description: "A list of IP addresses associated with a network connection." + } # dimension udm_events__security_result__about__ip +} # view udm_events__security_result__about__ip + +view: udm_events__security_result__about__ip_location { + dimension: country_or_region { + type: string + sql: ${TABLE}.country_or_region ;; + group_label: "security_result" + group_item_label: "security_result.about.ip_location.country_or_region [D]" + label: "security_result.about.ip_location.country_or_region" + view_label: "UDM" + description: "The country or region. [D]: This field is deprecated and will be removed in a future release" + } # dimension country_or_region + +} # view udm_events__security_result__about__ip_location + +view: udm_events__security_result__about__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "security_result" + group_item_label: "security_result.about.labels.key [D]" + label: "security_result.about.labels.key" + view_label: "UDM" + description: "The key. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "security_result" + group_item_label: "security_result.about.labels.value [D]" + label: "security_result.about.labels.value" + view_label: "UDM" + description: "The value. [D]: This field is deprecated and will be removed in a future release" + } # dimension value + +} # view udm_events__security_result__about__labels + +view: udm_events__security_result__about__mac { + dimension: udm_events__security_result__about__mac { + type: string + sql: ${TABLE} ;; + group_label: "security_result" + label: "security_result.about.mac" + view_label: "UDM" + description: "List of MAC addresses associated with a device." + } # dimension udm_events__security_result__about__mac +} # view udm_events__security_result__about__mac + +view: udm_events__security_result__about__nat_ip { + dimension: udm_events__security_result__about__nat_ip { + type: string + sql: ${TABLE} ;; + group_label: "security_result" + label: "security_result.about.nat_ip" + view_label: "UDM" + description: "A list of NAT translated IP addresses associated with a network connection." + } # dimension udm_events__security_result__about__nat_ip +} # view udm_events__security_result__about__nat_ip + +view: udm_events__security_result__about__process__command_line_history { + dimension: udm_events__security_result__about__process__command_line_history { + type: string + sql: ${TABLE} ;; + group_label: "security_result" + label: "security_result.about.process.command_line_history" + view_label: "UDM" + description: "The command line history of the process." 
+ } # dimension udm_events__security_result__about__process__command_line_history +} # view udm_events__security_result__about__process__command_line_history + +view: udm_events__security_result__about__resource__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "security_result" + label: "security_result.about.resource.attribute.labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "security_result" + label: "security_result.about.resource.attribute.labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view udm_events__security_result__about__resource__attribute__labels + +view: udm_events__security_result__about__resource_ancestors { + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "security_result" + label: "security_result.about.resource_ancestors.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." + } # dimension name + + dimension: product_object_id { + type: string + sql: ${TABLE}.product_object_id ;; + group_label: "security_result" + label: "security_result.about.resource_ancestors.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" + } # dimension product_object_id + + dimension: resource_type { + type: number + sql: ${TABLE}.resource_type ;; + group_label: "security_result" + label: "security_result.about.resource_ancestors.resource_type" + view_label: "UDM" + description: "Resource type." 
+ } # dimension resource_type + + dimension: resource_type_enum_name { + type: string + suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] + sql: CASE ${TABLE}.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; + group_label: "security_result" + label: "security_result.about.resource_ancestors.resource_type_enum_name" + view_label: "UDM" + description: "Resource type." + } # dimension resource_type_enum_name + +} # view udm_events__security_result__about__resource_ancestors + +view: udm_events__security_result__about__user__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "security_result" + label: "security_result.about.user.attribute.labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "security_result" + label: "security_result.about.user.attribute.labels.value" + view_label: "UDM" + description: "The value." 
+ } # dimension value + +} # view udm_events__security_result__about__user__attribute__labels + +view: udm_events__security_result__about__user__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "security_result" + label: "security_result.about.user.attribute.roles.description" + view_label: "UDM" + description: "System role description for user." + } # dimension description + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "security_result" + label: "security_result.about.user.attribute.roles.name" + view_label: "UDM" + description: "System role name for user." + } # dimension name + +} # view udm_events__security_result__about__user__attribute__roles + +view: udm_events__security_result__about__user__email_addresses { + dimension: udm_events__security_result__about__user__email_addresses { + type: string + sql: ${TABLE} ;; + group_label: "security_result" + label: "security_result.about.user.email_addresses" + view_label: "UDM" + description: "Email addresses of the user." + } # dimension udm_events__security_result__about__user__email_addresses +} # view udm_events__security_result__about__user__email_addresses + +view: udm_events__security_result__about__user__group_identifiers { + dimension: udm_events__security_result__about__user__group_identifiers { + type: string + sql: ${TABLE} ;; + group_label: "security_result" + label: "security_result.about.user.group_identifiers" + view_label: "UDM" + description: "Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar)." 
+ } # dimension udm_events__security_result__about__user__group_identifiers +} # view udm_events__security_result__about__user__group_identifiers + +view: udm_events__security_result__about__user_management_chain { + dimension: userid { + type: string + sql: ${TABLE}.userid ;; + group_label: "security_result" + label: "security_result.about.user_management_chain.userid" + view_label: "UDM" + description: "The ID of the user." + } # dimension userid + +} # view udm_events__security_result__about__user_management_chain + +view: udm_events__security_result__action { + dimension: udm_events__security_result__action { + type: number + sql: ${TABLE} ;; + group_label: "security_result" + label: "security_result.action" + view_label: "UDM" + description: "Actions taken for this event." + } # dimension udm_events__security_result__action +} # view udm_events__security_result__action + +view: udm_events__security_result__action_enum_name { + dimension: udm_events__security_result__action_enum_name { + type: string + suggestions: ["ALLOW", "ALLOW_WITH_MODIFICATION", "BLOCK", "CHALLENGE", "FAIL", "QUARANTINE", "UNKNOWN_ACTION"] + sql: CASE ${TABLE} WHEN 0 THEN 'UNKNOWN_ACTION' WHEN 1 THEN 'ALLOW' WHEN 2 THEN 'BLOCK' WHEN 3 THEN 'ALLOW_WITH_MODIFICATION' WHEN 4 THEN 'QUARANTINE' WHEN 5 THEN 'FAIL' WHEN 6 THEN 'CHALLENGE' END ;; + group_label: "security_result" + label: "security_result.action_enum_name" + view_label: "UDM" + description: "Actions taken for this event." + } # dimension udm_events__security_result__action_enum_name +} # view udm_events__security_result__action_enum_name + +view: udm_events__security_result__attack_details__tactics { + dimension: id { + type: string + sql: ${TABLE}.id ;; + group_label: "security_result" + label: "security_result.attack_details.tactics.id" + view_label: "UDM" + description: "Tactic ID (e.g. \"TA0043\")." 
+ } # dimension id + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "security_result" + label: "security_result.attack_details.tactics.name" + view_label: "UDM" + description: "Tactic Name (e.g. \"Reconnaissance\")" + } # dimension name + +} # view udm_events__security_result__attack_details__tactics + +view: udm_events__security_result__attack_details__techniques { + dimension: id { + type: string + sql: ${TABLE}.id ;; + group_label: "security_result" + label: "security_result.attack_details.techniques.id" + view_label: "UDM" + description: "Technique ID (e.g. \"T1595\")." + } # dimension id + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "security_result" + label: "security_result.attack_details.techniques.name" + view_label: "UDM" + description: "Technique Name (e.g. \"Active Scanning\")." + } # dimension name + + dimension: subtechnique_id { + type: string + sql: ${TABLE}.subtechnique_id ;; + group_label: "security_result" + label: "security_result.attack_details.techniques.subtechnique_id" + view_label: "UDM" + description: "Subtechnique ID (e.g. \"T1595.001\")." + } # dimension subtechnique_id + + dimension: subtechnique_name { + type: string + sql: ${TABLE}.subtechnique_name ;; + group_label: "security_result" + label: "security_result.attack_details.techniques.subtechnique_name" + view_label: "UDM" + description: "Subtechnique Name (e.g. \"Scanning IP Blocks\")." + } # dimension subtechnique_name + +} # view udm_events__security_result__attack_details__techniques + +view: udm_events__security_result__category { + dimension: udm_events__security_result__category { + type: number + sql: ${TABLE} ;; + group_label: "security_result" + label: "security_result.category" + view_label: "UDM" + description: "The security category." 
+ } # dimension udm_events__security_result__category +} # view udm_events__security_result__category + +view: udm_events__security_result__category_enum_name { + dimension: udm_events__security_result__category_enum_name { + type: string + suggestions: ["ACL_VIOLATION", "AUTH_VIOLATION", "DATA_AT_REST", "DATA_DESTRUCTION", "DATA_EXFILTRATION", "EXPLOIT", "MAIL_PHISHING", "MAIL_SPAM", "MAIL_SPOOFING", "NETWORK_CATEGORIZED_CONTENT", "NETWORK_COMMAND_AND_CONTROL", "NETWORK_DENIAL_OF_SERVICE", "NETWORK_MALICIOUS", "NETWORK_RECON", "NETWORK_SUSPICIOUS", "PHISHING", "POLICY_VIOLATION", "SOCIAL_ENGINEERING", "SOFTWARE_MALICIOUS", "SOFTWARE_PUA", "SOFTWARE_SUSPICIOUS", "TOR_EXIT_NODE", "UNKNOWN_CATEGORY"] + sql: CASE ${TABLE} WHEN 0 THEN 'UNKNOWN_CATEGORY' WHEN 10000 THEN 'SOFTWARE_MALICIOUS' WHEN 10100 THEN 'SOFTWARE_SUSPICIOUS' WHEN 10200 THEN 'SOFTWARE_PUA' WHEN 20000 THEN 'NETWORK_MALICIOUS' WHEN 20100 THEN 'NETWORK_SUSPICIOUS' WHEN 20200 THEN 'NETWORK_CATEGORIZED_CONTENT' WHEN 20300 THEN 'NETWORK_DENIAL_OF_SERVICE' WHEN 20400 THEN 'NETWORK_RECON' WHEN 20500 THEN 'NETWORK_COMMAND_AND_CONTROL' WHEN 30000 THEN 'ACL_VIOLATION' WHEN 40000 THEN 'AUTH_VIOLATION' WHEN 50000 THEN 'EXPLOIT' WHEN 60000 THEN 'DATA_EXFILTRATION' WHEN 60100 THEN 'DATA_AT_REST' WHEN 60200 THEN 'DATA_DESTRUCTION' WHEN 60300 THEN 'TOR_EXIT_NODE' WHEN 70000 THEN 'MAIL_SPAM' WHEN 70100 THEN 'MAIL_PHISHING' WHEN 70200 THEN 'MAIL_SPOOFING' WHEN 80000 THEN 'POLICY_VIOLATION' WHEN 90001 THEN 'SOCIAL_ENGINEERING' WHEN 90002 THEN 'PHISHING' END ;; + group_label: "security_result" + label: "security_result.category_enum_name" + view_label: "UDM" + description: "The security category." 
+ } # dimension udm_events__security_result__category_enum_name +} # view udm_events__security_result__category_enum_name + +view: udm_events__security_result__category_details { + dimension: udm_events__security_result__category_details { + type: string + sql: ${TABLE} ;; + group_label: "security_result" + label: "security_result.category_details" + view_label: "UDM" + description: "For vendor-specific categories. For web categorization, put type in here such as \"gambling\", \"porn\", etc." + } # dimension udm_events__security_result__category_details +} # view udm_events__security_result__category_details + +view: udm_events__security_result__detection_fields { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "security_result" + label: "security_result.detection_fields.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: source { + type: string + sql: ${TABLE}.source ;; + group_label: "security_result" + label: "security_result.detection_fields.source" + view_label: "UDM" + description: "@hide_from_doc" + } # dimension source + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "security_result" + label: "security_result.detection_fields.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view udm_events__security_result__detection_fields + +view: udm_events__security_result__outcomes { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "security_result" + label: "security_result.outcomes.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "security_result" + label: "security_result.outcomes.value" + view_label: "UDM" + description: "The value." 
+ } # dimension value + +} # view udm_events__security_result__outcomes + +view: udm_events__security_result__rule_labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "security_result" + label: "security_result.rule_labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "security_result" + label: "security_result.rule_labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view udm_events__security_result__rule_labels + +view: udm_events__security_result { + dimension: about { + hidden: yes + } # dimension about + + dimension: about__administrative_domain { + type: string + sql: ${TABLE}.about.administrative_domain ;; + group_label: "security_result" + label: "security_result.about.administrative_domain" + view_label: "UDM" + description: "Domain which the device belongs to (for example, the Microsoft Windows domain)." + } # dimension about__administrative_domain + + dimension: about__application { + type: string + sql: ${TABLE}.about.application ;; + group_label: "security_result" + label: "security_result.about.application" + view_label: "UDM" + description: "The name of an application or service. Some SSO solutions only capture the name of a target application such as \"Atlassian\" or \"Chronicle\"." 
+ } # dimension about__application + + dimension: about__artifact { + hidden: yes + } # dimension about__artifact + + dimension_group: security_result__about__artifact__first_seen_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.about.artifact.first_seen_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.about.artifact.first_seen_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "security_result" + label: "security_result.about.artifact.first_seen_time" + view_label: "UDM" + description: "First seen timestamp of the IP in the customer's environment." + } # dimension security_result__about__artifact__first_seen_time + + dimension_group: security_result__about__artifact__last_seen_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.about.artifact.last_seen_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.about.artifact.last_seen_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "security_result" + label: "security_result.about.artifact.last_seen_time" + view_label: "UDM" + description: "Last seen timestamp of the IP address in the customer's environment." + } # dimension security_result__about__artifact__last_seen_time + + dimension: about__asset { + hidden: yes + } # dimension about__asset + + dimension: about__asset__asset_id { + type: string + sql: ${TABLE}.about.asset.asset_id ;; + group_label: "security_result" + label: "security_result.about.asset.asset_id" + view_label: "UDM" + description: "The asset ID." 
+ } # dimension about__asset__asset_id + + dimension: about__asset__attribute { + hidden: yes + } # dimension about__asset__attribute + + dimension: about__asset__attribute__cloud { + hidden: yes + } # dimension about__asset__attribute__cloud + + dimension: about__asset__attribute__cloud__availability_zone { + type: string + sql: ${TABLE}.about.asset.attribute.cloud.availability_zone ;; + group_label: "security_result" + label: "security_result.about.asset.attribute.cloud.availability_zone" + view_label: "UDM" + description: "The cloud environment availability zone (different from region which is location.name)." + } # dimension about__asset__attribute__cloud__availability_zone + + dimension: about__asset__attribute__cloud__environment { + type: number + sql: ${TABLE}.about.asset.attribute.cloud.environment ;; + group_label: "security_result" + label: "security_result.about.asset.attribute.cloud.environment" + view_label: "UDM" + description: "The Cloud environment." + } # dimension about__asset__attribute__cloud__environment + + dimension: about__asset__attribute__cloud__environment_enum_name { + type: string + suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] + sql: CASE ${TABLE}.about.asset.attribute.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; + group_label: "security_result" + label: "security_result.about.asset.attribute.cloud.environment_enum_name" + view_label: "UDM" + description: "The Cloud environment." 
+ } # dimension about__asset__attribute__cloud__environment_enum_name + + dimension: about__asset__attribute__cloud__project { + hidden: yes + } # dimension about__asset__attribute__cloud__project + + dimension: about__asset__attribute__cloud__project__id { + type: string + sql: ${TABLE}.about.asset.attribute.cloud.project.id ;; + group_label: "security_result" + group_item_label: "security_result.about.asset.attribute.cloud.project.id [D]" + label: "security_result.about.asset.attribute.cloud.project.id" + view_label: "UDM" + description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" + } # dimension about__asset__attribute__cloud__project__id + + dimension: about__asset__attribute__cloud__project__name { + type: string + sql: ${TABLE}.about.asset.attribute.cloud.project.name ;; + group_label: "security_result" + group_item_label: "security_result.about.asset.attribute.cloud.project.name [D]" + label: "security_result.about.asset.attribute.cloud.project.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension about__asset__attribute__cloud__project__name + + dimension: about__asset__attribute__cloud__project__product_object_id { + type: string + sql: ${TABLE}.about.asset.attribute.cloud.project.product_object_id ;; + group_label: "security_result" + group_item_label: "security_result.about.asset.attribute.cloud.project.product_object_id [D]" + label: "security_result.about.asset.attribute.cloud.project.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" + } # dimension about__asset__attribute__cloud__project__product_object_id + + dimension: about__asset__attribute__cloud__project__resource_type { + type: number + sql: ${TABLE}.about.asset.attribute.cloud.project.resource_type ;; + group_label: "security_result" + group_item_label: "security_result.about.asset.attribute.cloud.project.resource_type [D]" + label: "security_result.about.asset.attribute.cloud.project.resource_type" + view_label: "UDM" + description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension about__asset__attribute__cloud__project__resource_type + + dimension: about__asset__attribute__cloud__project__resource_type_enum_name { + type: string + suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] + sql: CASE ${TABLE}.about.asset.attribute.cloud.project.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; + group_label: "security_result" + group_item_label: "security_result.about.asset.attribute.cloud.project.resource_type_enum_name [D]" + label: "security_result.about.asset.attribute.cloud.project.resource_type_enum_name" + view_label: "UDM" + description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension about__asset__attribute__cloud__project__resource_type_enum_name + + dimension_group: security_result__about__asset__attribute__creation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.about.asset.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.about.asset.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "security_result" + label: "security_result.about.asset.attribute.creation_time" + view_label: "UDM" + description: "Time the resource or entity was created or provisioned." + } # dimension security_result__about__asset__attribute__creation_time + + dimension_group: security_result__about__asset__attribute__last_update_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.about.asset.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.about.asset.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "security_result" + label: "security_result.about.asset.attribute.last_update_time" + view_label: "UDM" + description: "Time the resource or entity was last updated." + } # dimension security_result__about__asset__attribute__last_update_time + + dimension: about__asset__attribute__permissions { + hidden: yes + } # dimension about__asset__attribute__permissions + + dimension: about__asset__category { + type: string + sql: ${TABLE}.about.asset.category ;; + group_label: "security_result" + label: "security_result.about.asset.category" + view_label: "UDM" + description: "The category of the asset (e.g. \"End User Asset\", \"Workstation\", \"Server\")." 
+ } # dimension about__asset__category + + dimension: about__asset__hostname { + type: string + sql: ${TABLE}.about.asset.hostname ;; + group_label: "security_result" + label: "security_result.about.asset.hostname" + view_label: "UDM" + description: "Asset hostname or domain name field." + } # dimension about__asset__hostname + + dimension: about__asset__ip { + hidden: yes + } # dimension about__asset__ip + + dimension: about__asset__labels { + hidden: yes + } # dimension about__asset__labels + + dimension: about__asset__location { + hidden: yes + } # dimension about__asset__location + + dimension: about__asset__location__city { + type: string + sql: ${TABLE}.about.asset.location.city ;; + group_label: "security_result" + label: "security_result.about.asset.location.city" + view_label: "UDM" + description: "The city." + } # dimension about__asset__location__city + + dimension: about__asset__location__country_or_region { + type: string + sql: ${TABLE}.about.asset.location.country_or_region ;; + group_label: "security_result" + label: "security_result.about.asset.location.country_or_region" + view_label: "UDM" + description: "The country or region." + } # dimension about__asset__location__country_or_region + + dimension: about__asset__location__state { + type: string + sql: ${TABLE}.about.asset.location.state ;; + group_label: "security_result" + label: "security_result.about.asset.location.state" + view_label: "UDM" + description: "The state." + } # dimension about__asset__location__state + + dimension: about__asset__mac { + hidden: yes + } # dimension about__asset__mac + + dimension: about__asset__product_object_id { + type: string + sql: ${TABLE}.about.asset.product_object_id ;; + group_label: "security_result" + label: "security_result.about.asset.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID or similar)." 
+ } # dimension about__asset__product_object_id + + dimension: about__asset__software { + hidden: yes + } # dimension about__asset__software + + dimension: about__asset__vulnerabilities { + hidden: yes + } # dimension about__asset__vulnerabilities + + dimension: about__asset_id { + type: string + sql: ${TABLE}.about.asset_id ;; + group_label: "security_result" + label: "security_result.about.asset_id" + view_label: "UDM" + description: "The asset ID." + } # dimension about__asset_id + + dimension: about__cloud { + hidden: yes + } # dimension about__cloud + + dimension: about__cloud__availability_zone { + type: string + sql: ${TABLE}.about.cloud.availability_zone ;; + group_label: "security_result" + group_item_label: "security_result.about.cloud.availability_zone [D]" + label: "security_result.about.cloud.availability_zone" + view_label: "UDM" + description: "The cloud environment availability zone (different from region which is location.name). [D]: This field is deprecated and will be removed in a future release" + } # dimension about__cloud__availability_zone + + dimension: about__cloud__project { + hidden: yes + } # dimension about__cloud__project + + dimension: about__cloud__project__id { + type: string + sql: ${TABLE}.about.cloud.project.id ;; + group_label: "security_result" + group_item_label: "security_result.about.cloud.project.id [D]" + label: "security_result.about.cloud.project.id" + view_label: "UDM" + description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" + } # dimension about__cloud__project__id + + dimension: about__cloud__project__name { + type: string + sql: ${TABLE}.about.cloud.project.name ;; + group_label: "security_result" + group_item_label: "security_result.about.cloud.project.name [D]" + label: "security_result.about.cloud.project.name" + view_label: "UDM" + description: "The full name of the resource. 
For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" + } # dimension about__cloud__project__name + + dimension: about__cloud__project__parent { + type: string + sql: ${TABLE}.about.cloud.project.parent ;; + group_label: "security_result" + group_item_label: "security_result.about.cloud.project.parent [D]" + label: "security_result.about.cloud.project.parent" + view_label: "UDM" + description: "The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: use resource_ancestors.name. [D]: This field is deprecated and will be removed in a future release" + } # dimension about__cloud__project__parent + + dimension: about__cloud__project__product_object_id { + type: string + sql: ${TABLE}.about.cloud.project.product_object_id ;; + group_label: "security_result" + group_item_label: "security_result.about.cloud.project.product_object_id [D]" + label: "security_result.about.cloud.project.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" + } # dimension about__cloud__project__product_object_id + + dimension: about__domain { + hidden: yes + } # dimension about__domain + + dimension: about__domain__admin { + hidden: yes + } # dimension about__domain__admin + + dimension: about__domain__admin__userid { + type: string + sql: ${TABLE}.about.domain.admin.userid ;; + group_label: "security_result" + label: "security_result.about.domain.admin.userid" + view_label: "UDM" + description: "The ID of the user." 
+ } # dimension about__domain__admin__userid + + dimension: about__domain__registrant { + hidden: yes + } # dimension about__domain__registrant + + dimension: about__domain__registrant__role_description { + type: string + sql: ${TABLE}.about.domain.registrant.role_description ;; + group_label: "security_result" + group_item_label: "security_result.about.domain.registrant.role_description [D]" + label: "security_result.about.domain.registrant.role_description" + view_label: "UDM" + description: "System role description for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" + } # dimension about__domain__registrant__role_description + + dimension: about__domain__tech { + hidden: yes + } # dimension about__domain__tech + + dimension: about__domain__tech__attribute { + hidden: yes + } # dimension about__domain__tech__attribute + + dimension: about__domain__tech__attribute__permissions { + hidden: yes + } # dimension about__domain__tech__attribute__permissions + + dimension: about__email { + type: string + sql: ${TABLE}.about.email ;; + group_label: "security_result" + label: "security_result.about.email" + view_label: "UDM" + description: "Email address. Only filled in for security_result.about" + } # dimension about__email + + dimension: about__file { + hidden: yes + } # dimension about__file + + dimension: about__file__ahash { + type: string + sql: ${TABLE}.about.file.ahash ;; + group_label: "security_result" + group_item_label: "security_result.about.file.ahash [D]" + label: "security_result.about.file.ahash" + view_label: "UDM" + description: "Deprecated. Use authentihash instead. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension about__file__ahash + + dimension: about__file__capabilities_tags { + hidden: yes + } # dimension about__file__capabilities_tags + + dimension: about__file__full_path { + type: string + sql: ${TABLE}.about.file.full_path ;; + group_label: "security_result" + label: "security_result.about.file.full_path" + view_label: "UDM" + description: "The full path identifying the location of the file on the system." + } # dimension about__file__full_path + + dimension_group: security_result__about__file__last_modification_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.about.file.last_modification_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.about.file.last_modification_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "security_result" + label: "security_result.about.file.last_modification_time" + view_label: "UDM" + description: "Timestamp when the file was last updated." + } # dimension security_result__about__file__last_modification_time + + dimension: about__file__md5 { + type: string + sql: ${TABLE}.about.file.md5 ;; + group_label: "security_result" + label: "security_result.about.file.md5" + view_label: "UDM" + description: "The MD5 hash of the file." + } # dimension about__file__md5 + + dimension: about__file__mime_type { + type: string + sql: ${TABLE}.about.file.mime_type ;; + group_label: "security_result" + label: "security_result.about.file.mime_type" + view_label: "UDM" + description: "The MIME (Multipurpose Internet Mail Extensions) type of the file, for example \"PE\", \"PDF\", \"powershell script\", etc." 
+ } # dimension about__file__mime_type + + dimension: about__file__names { + hidden: yes + } # dimension about__file__names + + dimension: about__file__sha1 { + type: string + sql: ${TABLE}.about.file.sha1 ;; + group_label: "security_result" + label: "security_result.about.file.sha1" + view_label: "UDM" + description: "The SHA1 hash of the file." + } # dimension about__file__sha1 + + dimension: about__file__sha256 { + type: string + sql: ${TABLE}.about.file.sha256 ;; + group_label: "security_result" + label: "security_result.about.file.sha256" + view_label: "UDM" + description: "The SHA256 hash of the file." + } # dimension about__file__sha256 + + dimension: about__file__size { + type: number + sql: ${TABLE}.about.file.size ;; + group_label: "security_result" + label: "security_result.about.file.size" + view_label: "UDM" + description: "The size of the file in bytes." + } # dimension about__file__size + + dimension: about__file__ssdeep { + type: string + sql: ${TABLE}.about.file.ssdeep ;; + group_label: "security_result" + label: "security_result.about.file.ssdeep" + view_label: "UDM" + description: "Ssdeep of the file" + } # dimension about__file__ssdeep + + dimension: about__group { + hidden: yes + } # dimension about__group + + dimension: about__group__group_display_name { + type: string + sql: ${TABLE}.about.group.group_display_name ;; + group_label: "security_result" + label: "security_result.about.group.group_display_name" + view_label: "UDM" + description: "Group display name. e.g. \"Finance\"." + } # dimension about__group__group_display_name + + dimension: about__group__product_object_id { + type: string + sql: ${TABLE}.about.group.product_object_id ;; + group_label: "security_result" + label: "security_result.about.group.product_object_id" + view_label: "UDM" + description: "Product globally unique user object identifier, such as an LDAP Object Identifier." 
+ } # dimension about__group__product_object_id + + dimension: about__hostname { + type: string + sql: ${TABLE}.about.hostname ;; + group_label: "security_result" + label: "security_result.about.hostname" + view_label: "UDM" + description: "Client hostname or domain name field. Hostname also doubles as the domain for remote entities." + } # dimension about__hostname + + dimension: about__investigation { + hidden: yes + } # dimension about__investigation + + dimension: about__investigation__comments { + hidden: yes + } # dimension about__investigation__comments + + dimension: about__investigation__risk_score { + type: number + sql: ${TABLE}.about.investigation.risk_score ;; + group_label: "security_result" + label: "security_result.about.investigation.risk_score" + view_label: "UDM" + description: "Risk score for a finding set by an analyst." + } # dimension about__investigation__risk_score + + dimension: about__investigation__root_cause { + type: string + sql: ${TABLE}.about.investigation.root_cause ;; + group_label: "security_result" + label: "security_result.about.investigation.root_cause" + view_label: "UDM" + description: "Root cause of the Alert or Finding set by analyst." + } # dimension about__investigation__root_cause + + dimension: about__investigation__severity_score { + type: number + sql: ${TABLE}.about.investigation.severity_score ;; + group_label: "security_result" + label: "security_result.about.investigation.severity_score" + view_label: "UDM" + description: "Severity score for a finding set by an analyst." + } # dimension about__investigation__severity_score + + dimension: about__investigation__status { + type: number + sql: ${TABLE}.about.investigation.status ;; + group_label: "security_result" + label: "security_result.about.investigation.status" + view_label: "UDM" + description: "Describes the workflow status of a finding." 
+ } # dimension about__investigation__status + + dimension: about__investigation__status_enum_name { + type: string + suggestions: ["CLOSED", "NEW", "OPEN", "REVIEWED", "STATUS_UNSPECIFIED"] + sql: CASE ${TABLE}.about.investigation.status WHEN 0 THEN 'STATUS_UNSPECIFIED' WHEN 1 THEN 'NEW' WHEN 2 THEN 'REVIEWED' WHEN 3 THEN 'CLOSED' WHEN 4 THEN 'OPEN' END ;; + group_label: "security_result" + label: "security_result.about.investigation.status_enum_name" + view_label: "UDM" + description: "Describes the workflow status of a finding." + } # dimension about__investigation__status_enum_name + + dimension: about__investigation__verdict { + type: number + sql: ${TABLE}.about.investigation.verdict ;; + group_label: "security_result" + label: "security_result.about.investigation.verdict" + view_label: "UDM" + description: "Describes reason a finding investigation was resolved." + } # dimension about__investigation__verdict + + dimension: about__investigation__verdict_enum_name { + type: string + suggestions: ["FALSE_POSITIVE", "TRUE_POSITIVE", "VERDICT_UNSPECIFIED"] + sql: CASE ${TABLE}.about.investigation.verdict WHEN 0 THEN 'VERDICT_UNSPECIFIED' WHEN 1 THEN 'TRUE_POSITIVE' WHEN 2 THEN 'FALSE_POSITIVE' END ;; + group_label: "security_result" + label: "security_result.about.investigation.verdict_enum_name" + view_label: "UDM" + description: "Describes reason a finding investigation was resolved." + } # dimension about__investigation__verdict_enum_name + + dimension: about__ip { + hidden: yes + } # dimension about__ip + + dimension: about__ip_location { + hidden: yes + } # dimension about__ip_location + + dimension: about__labels { + hidden: yes + } # dimension about__labels + + dimension: about__location { + hidden: yes + } # dimension about__location + + dimension: about__location__city { + type: string + sql: ${TABLE}.about.location.city ;; + group_label: "security_result" + label: "security_result.about.location.city" + view_label: "UDM" + description: "The city." 
+ } # dimension about__location__city + + dimension: about__location__country_or_region { + type: string + sql: ${TABLE}.about.location.country_or_region ;; + group_label: "security_result" + label: "security_result.about.location.country_or_region" + view_label: "UDM" + description: "The country or region." + } # dimension about__location__country_or_region + + dimension: about__location__name { + type: string + sql: ${TABLE}.about.location.name ;; + group_label: "security_result" + label: "security_result.about.location.name" + view_label: "UDM" + description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." + } # dimension about__location__name + + dimension: about__location__state { + type: string + sql: ${TABLE}.about.location.state ;; + group_label: "security_result" + label: "security_result.about.location.state" + view_label: "UDM" + description: "The state." + } # dimension about__location__state + + dimension: about__mac { + hidden: yes + } # dimension about__mac + + dimension: about__namespace { + type: string + sql: ${TABLE}.about.namespace ;; + group_label: "security_result" + label: "security_result.about.namespace" + view_label: "UDM" + description: "Namespace which the device belongs to (e.g. AD forest) Uses for this field include Microsoft Windows AD forest, name of subsidiary or acquisition, etc." + } # dimension about__namespace + + dimension: about__nat_ip { + hidden: yes + } # dimension about__nat_ip + + dimension: about__object_reference { + hidden: yes + } # dimension about__object_reference + + dimension: about__object_reference__id { + type: string + sql: ${TABLE}.about.object_reference.id ;; + group_label: "security_result" + label: "security_result.about.object_reference.id" + view_label: "UDM" + description: "Full raw ID." 
+ } # dimension about__object_reference__id + + dimension: about__platform { + type: number + sql: ${TABLE}.about.platform ;; + group_label: "security_result" + label: "security_result.about.platform" + view_label: "UDM" + description: "Platform." + } # dimension about__platform + + dimension: about__platform_enum_name { + type: string + suggestions: ["ANDROID", "AWS", "AZURE", "CHROME_OS", "GCP", "IOS", "LINUX", "MAC", "UNKNOWN_PLATFORM", "WINDOWS"] + sql: CASE ${TABLE}.about.platform WHEN 0 THEN 'UNKNOWN_PLATFORM' WHEN 1 THEN 'WINDOWS' WHEN 2 THEN 'MAC' WHEN 3 THEN 'LINUX' WHEN 4 THEN 'GCP' WHEN 5 THEN 'AWS' WHEN 6 THEN 'AZURE' WHEN 7 THEN 'IOS' WHEN 8 THEN 'ANDROID' WHEN 9 THEN 'CHROME_OS' END ;; + group_label: "security_result" + label: "security_result.about.platform_enum_name" + view_label: "UDM" + description: "Platform." + } # dimension about__platform_enum_name + + dimension: about__platform_version { + type: string + sql: ${TABLE}.about.platform_version ;; + group_label: "security_result" + label: "security_result.about.platform_version" + view_label: "UDM" + description: "Platform version. For example, \"Microsoft Windows 1803\"." + } # dimension about__platform_version + + dimension: about__port { + type: number + value_format: "#" + sql: ${TABLE}.about.port ;; + group_label: "security_result" + label: "security_result.about.port" + view_label: "UDM" + description: "Source or destination network port number when a specific network connection is described within an event." + } # dimension about__port + + dimension: about__process { + hidden: yes + } # dimension about__process + + dimension: about__process__command_line { + type: string + sql: ${TABLE}.about.process.command_line ;; + group_label: "security_result" + label: "security_result.about.process.command_line" + view_label: "UDM" + description: "The command line command that created the process." 
+ } # dimension about__process__command_line + + dimension: about__process__command_line_history { + hidden: yes + } # dimension about__process__command_line_history + + dimension: about__process__file { + hidden: yes + } # dimension about__process__file + + dimension: about__process__file__full_path { + type: string + sql: ${TABLE}.about.process.file.full_path ;; + group_label: "security_result" + label: "security_result.about.process.file.full_path" + view_label: "UDM" + description: "The full path identifying the location of the file on the system." + } # dimension about__process__file__full_path + + dimension: about__process__file__md5 { + type: string + sql: ${TABLE}.about.process.file.md5 ;; + group_label: "security_result" + label: "security_result.about.process.file.md5" + view_label: "UDM" + description: "The MD5 hash of the file." + } # dimension about__process__file__md5 + + dimension: about__process__file__sha256 { + type: string + sql: ${TABLE}.about.process.file.sha256 ;; + group_label: "security_result" + label: "security_result.about.process.file.sha256" + view_label: "UDM" + description: "The SHA256 hash of the file." + } # dimension about__process__file__sha256 + + dimension: about__process__parent_pid { + type: string + sql: ${TABLE}.about.process.parent_pid ;; + group_label: "security_result" + group_item_label: "security_result.about.process.parent_pid [D]" + label: "security_result.about.process.parent_pid" + view_label: "UDM" + description: "The ID of the parent process. Deprecated: use parent_process.pid instead. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension about__process__parent_pid + + dimension: about__process__parent_process { + hidden: yes + } # dimension about__process__parent_process + + dimension: about__process__parent_process__pid { + type: string + sql: ${TABLE}.about.process.parent_process.pid ;; + group_label: "security_result" + label: "security_result.about.process.parent_process.pid" + view_label: "UDM" + description: "The process ID." + } # dimension about__process__parent_process__pid + + dimension: about__process__pid { + type: string + sql: ${TABLE}.about.process.pid ;; + group_label: "security_result" + label: "security_result.about.process.pid" + view_label: "UDM" + description: "The process ID." + } # dimension about__process__pid + + dimension: about__process__product_specific_process_id { + type: string + sql: ${TABLE}.about.process.product_specific_process_id ;; + group_label: "security_result" + label: "security_result.about.process.product_specific_process_id" + view_label: "UDM" + description: "A product specific process id." + } # dimension about__process__product_specific_process_id + + dimension: about__registry { + hidden: yes + } # dimension about__registry + + dimension: about__registry__registry_key { + type: string + sql: ${TABLE}.about.registry.registry_key ;; + group_label: "security_result" + label: "security_result.about.registry.registry_key" + view_label: "UDM" + description: "Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...)." + } # dimension about__registry__registry_key + + dimension: about__registry__registry_value_data { + type: string + sql: ${TABLE}.about.registry.registry_value_data ;; + group_label: "security_result" + label: "security_result.about.registry.registry_value_data" + view_label: "UDM" + description: "Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp)." 
+ } # dimension about__registry__registry_value_data + + dimension: about__resource { + hidden: yes + } # dimension about__resource + + dimension: about__resource__attribute { + hidden: yes + } # dimension about__resource__attribute + + dimension_group: security_result__about__resource__attribute__creation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.about.resource.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.about.resource.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "security_result" + label: "security_result.about.resource.attribute.creation_time" + view_label: "UDM" + description: "Time the resource or entity was created or provisioned." + } # dimension security_result__about__resource__attribute__creation_time + + dimension: about__resource__attribute__labels { + hidden: yes + } # dimension about__resource__attribute__labels + + dimension_group: security_result__about__resource__attribute__last_update_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.about.resource.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.about.resource.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "security_result" + label: "security_result.about.resource.attribute.last_update_time" + view_label: "UDM" + description: "Time the resource or entity was last updated." + } # dimension security_result__about__resource__attribute__last_update_time + + dimension: about__resource__id { + type: string + sql: ${TABLE}.about.resource.id ;; + group_label: "security_result" + group_item_label: "security_result.about.resource.id [D]" + label: "security_result.about.resource.id" + view_label: "UDM" + description: "Deprecated: Use resource.name or resource.product_object_id. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension about__resource__id + + dimension: about__resource__name { + type: string + sql: ${TABLE}.about.resource.name ;; + group_label: "security_result" + label: "security_result.about.resource.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." + } # dimension about__resource__name + + dimension: about__resource__parent { + type: string + sql: ${TABLE}.about.resource.parent ;; + group_label: "security_result" + group_item_label: "security_result.about.resource.parent [D]" + label: "security_result.about.resource.parent" + view_label: "UDM" + description: "The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: use resource_ancestors.name. [D]: This field is deprecated and will be removed in a future release" + } # dimension about__resource__parent + + dimension: about__resource__product_object_id { + type: string + sql: ${TABLE}.about.resource.product_object_id ;; + group_label: "security_result" + label: "security_result.about.resource.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" + } # dimension about__resource__product_object_id + + dimension: about__resource__resource_subtype { + type: string + sql: ${TABLE}.about.resource.resource_subtype ;; + group_label: "security_result" + label: "security_result.about.resource.resource_subtype" + view_label: "UDM" + description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\")." 
+ } # dimension about__resource__resource_subtype + + dimension: about__resource__resource_type { + type: number + sql: ${TABLE}.about.resource.resource_type ;; + group_label: "security_result" + label: "security_result.about.resource.resource_type" + view_label: "UDM" + description: "Resource type." + } # dimension about__resource__resource_type + + dimension: about__resource__resource_type_enum_name { + type: string + suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] + sql: CASE ${TABLE}.about.resource.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; + group_label: "security_result" + label: "security_result.about.resource.resource_type_enum_name" + view_label: "UDM" + description: "Resource type." + } # dimension about__resource__resource_type_enum_name + + dimension: about__resource__type { + type: string + sql: ${TABLE}.about.resource.type ;; + group_label: "security_result" + group_item_label: "security_result.about.resource.type [D]" + label: "security_result.about.resource.type" + view_label: "UDM" + description: "Deprecated: use resource_type instead. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension about__resource__type + + dimension: about__resource_ancestors { + hidden: yes + } # dimension about__resource_ancestors + + dimension: about__url { + type: string + sql: ${TABLE}.about.url ;; + group_label: "security_result" + label: "security_result.about.url" + view_label: "UDM" + description: "The URL." + } # dimension about__url + + dimension: about__user { + hidden: yes + } # dimension about__user + + dimension: about__user__attribute { + hidden: yes + } # dimension about__user__attribute + + dimension: about__user__attribute__cloud { + hidden: yes + } # dimension about__user__attribute__cloud + + dimension: about__user__attribute__cloud__environment { + type: number + sql: ${TABLE}.about.user.attribute.cloud.environment ;; + group_label: "security_result" + label: "security_result.about.user.attribute.cloud.environment" + view_label: "UDM" + description: "The Cloud environment." + } # dimension about__user__attribute__cloud__environment + + dimension: about__user__attribute__cloud__environment_enum_name { + type: string + suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] + sql: CASE ${TABLE}.about.user.attribute.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; + group_label: "security_result" + label: "security_result.about.user.attribute.cloud.environment_enum_name" + view_label: "UDM" + description: "The Cloud environment." 
+ } # dimension about__user__attribute__cloud__environment_enum_name + + dimension: about__user__attribute__cloud__project { + hidden: yes + } # dimension about__user__attribute__cloud__project + + dimension: about__user__attribute__cloud__project__id { + type: string + sql: ${TABLE}.about.user.attribute.cloud.project.id ;; + group_label: "security_result" + group_item_label: "security_result.about.user.attribute.cloud.project.id [D]" + label: "security_result.about.user.attribute.cloud.project.id" + view_label: "UDM" + description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" + } # dimension about__user__attribute__cloud__project__id + + dimension: about__user__attribute__cloud__project__name { + type: string + sql: ${TABLE}.about.user.attribute.cloud.project.name ;; + group_label: "security_result" + group_item_label: "security_result.about.user.attribute.cloud.project.name [D]" + label: "security_result.about.user.attribute.cloud.project.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" + } # dimension about__user__attribute__cloud__project__name + + dimension: about__user__attribute__cloud__project__resource_type { + type: number + sql: ${TABLE}.about.user.attribute.cloud.project.resource_type ;; + group_label: "security_result" + group_item_label: "security_result.about.user.attribute.cloud.project.resource_type [D]" + label: "security_result.about.user.attribute.cloud.project.resource_type" + view_label: "UDM" + description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension about__user__attribute__cloud__project__resource_type + + dimension: about__user__attribute__cloud__project__resource_type_enum_name { + type: string + suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] + sql: CASE ${TABLE}.about.user.attribute.cloud.project.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; + group_label: "security_result" + group_item_label: "security_result.about.user.attribute.cloud.project.resource_type_enum_name [D]" + label: "security_result.about.user.attribute.cloud.project.resource_type_enum_name" + view_label: "UDM" + description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension about__user__attribute__cloud__project__resource_type_enum_name + + dimension_group: security_result__about__user__attribute__creation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.about.user.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.about.user.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "security_result" + label: "security_result.about.user.attribute.creation_time" + view_label: "UDM" + description: "Time the resource or entity was created or provisioned." + } # dimension security_result__about__user__attribute__creation_time + + dimension: about__user__attribute__labels { + hidden: yes + } # dimension about__user__attribute__labels + + dimension_group: security_result__about__user__attribute__last_update_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.about.user.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.about.user.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "security_result" + label: "security_result.about.user.attribute.last_update_time" + view_label: "UDM" + description: "Time the resource or entity was last updated." 
+ } # dimension security_result__about__user__attribute__last_update_time + + dimension: about__user__attribute__roles { + hidden: yes + } # dimension about__user__attribute__roles + + dimension: about__user__email_addresses { + hidden: yes + } # dimension about__user__email_addresses + + dimension: about__user__group_identifiers { + hidden: yes + } # dimension about__user__group_identifiers + + dimension: about__user__product_object_id { + type: string + sql: ${TABLE}.about.user.product_object_id ;; + group_label: "security_result" + label: "security_result.about.user.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." + } # dimension about__user__product_object_id + + dimension: about__user__role_description { + type: string + sql: ${TABLE}.about.user.role_description ;; + group_label: "security_result" + group_item_label: "security_result.about.user.role_description [D]" + label: "security_result.about.user.role_description" + view_label: "UDM" + description: "System role description for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" + } # dimension about__user__role_description + + dimension: about__user__user_authentication_status { + type: number + sql: ${TABLE}.about.user.user_authentication_status ;; + group_label: "security_result" + label: "security_result.about.user.user_authentication_status" + view_label: "UDM" + description: "System authentication status for user." 
+ } # dimension about__user__user_authentication_status + + dimension: about__user__user_authentication_status_enum_name { + type: string + suggestions: ["ACTIVE", "DELETED", "NO_ACTIVE_CREDENTIALS", "SUSPENDED", "UNKNOWN_AUTHENTICATION_STATUS"] + sql: CASE ${TABLE}.about.user.user_authentication_status WHEN 0 THEN 'UNKNOWN_AUTHENTICATION_STATUS' WHEN 1 THEN 'ACTIVE' WHEN 2 THEN 'SUSPENDED' WHEN 3 THEN 'NO_ACTIVE_CREDENTIALS' WHEN 4 THEN 'DELETED' END ;; + group_label: "security_result" + label: "security_result.about.user.user_authentication_status_enum_name" + view_label: "UDM" + description: "System authentication status for user." + } # dimension about__user__user_authentication_status_enum_name + + dimension: about__user__user_display_name { + type: string + sql: ${TABLE}.about.user.user_display_name ;; + group_label: "security_result" + label: "security_result.about.user.user_display_name" + view_label: "UDM" + description: "The display name of the user (e.g. \"John Locke\")." + } # dimension about__user__user_display_name + + dimension: about__user__userid { + type: string + sql: ${TABLE}.about.user.userid ;; + group_label: "security_result" + label: "security_result.about.user.userid" + view_label: "UDM" + description: "The ID of the user." + } # dimension about__user__userid + + dimension: about__user_management_chain { + hidden: yes + } # dimension about__user_management_chain + + dimension: action { + hidden: yes + } # dimension action + + dimension: action_enum_name { + hidden: yes + } # dimension action_enum_name + + dimension: action_details { + type: string + sql: ${TABLE}.action_details ;; + group_label: "security_result" + label: "security_result.action_details" + view_label: "UDM" + description: "The detail of the action taken as provided by the vendor." 
+ } # dimension action_details + + dimension: alert_state { + type: number + sql: ${TABLE}.alert_state ;; + group_label: "security_result" + label: "security_result.alert_state" + view_label: "UDM" + description: "The alerting types of this security result." + } # dimension alert_state + + dimension: alert_state_enum_name { + type: string + suggestions: ["ALERTING", "NOT_ALERTING", "UNSPECIFIED"] + sql: CASE ${TABLE}.alert_state WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'NOT_ALERTING' WHEN 2 THEN 'ALERTING' END ;; + group_label: "security_result" + label: "security_result.alert_state_enum_name" + view_label: "UDM" + description: "The alerting types of this security result." + } # dimension alert_state_enum_name + + dimension: attack_details { + hidden: yes + } # dimension attack_details + + dimension: attack_details__tactics { + hidden: yes + } # dimension attack_details__tactics + + dimension: attack_details__techniques { + hidden: yes + } # dimension attack_details__techniques + + dimension: attack_details__version { + type: string + sql: ${TABLE}.attack_details.version ;; + group_label: "security_result" + label: "security_result.attack_details.version" + view_label: "UDM" + description: "ATT&CK version (e.g. 12.1)." + } # dimension attack_details__version + + dimension: category { + hidden: yes + } # dimension category + + dimension: category_enum_name { + hidden: yes + } # dimension category_enum_name + + dimension: category_details { + hidden: yes + } # dimension category_details + + dimension: confidence { + type: number + sql: ${TABLE}.confidence ;; + group_label: "security_result" + label: "security_result.confidence" + view_label: "UDM" + description: "The confidence level of the result as estimated by the product." 
+ } # dimension confidence + + dimension: confidence_enum_name { + type: string + suggestions: ["HIGH_CONFIDENCE", "LOW_CONFIDENCE", "MEDIUM_CONFIDENCE", "UNKNOWN_CONFIDENCE"] + sql: CASE ${TABLE}.confidence WHEN 0 THEN 'UNKNOWN_CONFIDENCE' WHEN 200 THEN 'LOW_CONFIDENCE' WHEN 300 THEN 'MEDIUM_CONFIDENCE' WHEN 400 THEN 'HIGH_CONFIDENCE' END ;; + group_label: "security_result" + label: "security_result.confidence_enum_name" + view_label: "UDM" + description: "The confidence level of the result as estimated by the product." + } # dimension confidence_enum_name + + dimension: confidence_details { + type: string + sql: ${TABLE}.confidence_details ;; + group_label: "security_result" + label: "security_result.confidence_details" + view_label: "UDM" + description: "Additional detail with regards to the confidence of a security event as estimated by the product vendor." + } # dimension confidence_details + + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "security_result" + label: "security_result.description" + view_label: "UDM" + description: "A human readable description (e.g. \"user password was wrong\")" + } # dimension description + + dimension: detection_fields { + hidden: yes + } # dimension detection_fields + + dimension: outcomes { + hidden: yes + } # dimension outcomes + + dimension: priority { + type: number + sql: ${TABLE}.priority ;; + group_label: "security_result" + label: "security_result.priority" + view_label: "UDM" + description: "The priority of the result." 
+ } # dimension priority + + dimension: priority_enum_name { + type: string + suggestions: ["HIGH_PRIORITY", "LOW_PRIORITY", "MEDIUM_PRIORITY", "UNKNOWN_PRIORITY"] + sql: CASE ${TABLE}.priority WHEN 0 THEN 'UNKNOWN_PRIORITY' WHEN 200 THEN 'LOW_PRIORITY' WHEN 300 THEN 'MEDIUM_PRIORITY' WHEN 400 THEN 'HIGH_PRIORITY' END ;; + group_label: "security_result" + label: "security_result.priority_enum_name" + view_label: "UDM" + description: "The priority of the result." + } # dimension priority_enum_name + + dimension: priority_details { + type: string + sql: ${TABLE}.priority_details ;; + group_label: "security_result" + label: "security_result.priority_details" + view_label: "UDM" + description: "Vendor-specific information about the security result priority." + } # dimension priority_details + + dimension: rule_author { + type: string + sql: ${TABLE}.rule_author ;; + group_label: "security_result" + label: "security_result.rule_author" + view_label: "UDM" + description: "Author of the security rule." + } # dimension rule_author + + dimension: rule_id { + type: string + sql: ${TABLE}.rule_id ;; + group_label: "security_result" + label: "security_result.rule_id" + view_label: "UDM" + description: "A vendor-specific ID and name for a rule, varying by observerer type (e.g. \"08123\", \"5d2b44d0-5ef6-40f5-a704-47d61d3babbe\")." + } # dimension rule_id + + dimension: rule_labels { + hidden: yes + } # dimension rule_labels + + dimension: rule_name { + type: string + sql: ${TABLE}.rule_name ;; + group_label: "security_result" + label: "security_result.rule_name" + view_label: "UDM" + description: "Name of the security rule (e.g. \"BlockInboundToOracle\")." + } # dimension rule_name + + dimension: rule_set { + type: string + sql: ${TABLE}.rule_set ;; + group_label: "security_result" + label: "security_result.rule_set" + view_label: "UDM" + description: "The result's rule set identifier. (e.g. 
\"windows-threats\")" + } # dimension rule_set + + dimension: rule_set_display_name { + type: string + sql: ${TABLE}.rule_set_display_name ;; + group_label: "security_result" + label: "security_result.rule_set_display_name" + view_label: "UDM" + description: "The result's rule set display name. (e.g. \"Windows Threats\")" + } # dimension rule_set_display_name + + dimension: rule_type { + type: string + sql: ${TABLE}.rule_type ;; + group_label: "security_result" + label: "security_result.rule_type" + view_label: "UDM" + description: "The type of security rule." + } # dimension rule_type + + dimension: rule_version { + type: string + sql: ${TABLE}.rule_version ;; + group_label: "security_result" + label: "security_result.rule_version" + view_label: "UDM" + description: "Version of the security rule. (e.g. \"v1.1\", \"00001\", \"1604709794\", \"2020-11-16T23:04:19+00:00\"). Note that rule versions are source-dependant and lexical ordering should not be assumed." + } # dimension rule_version + + dimension: severity { + type: number + sql: ${TABLE}.severity ;; + group_label: "security_result" + label: "security_result.severity" + view_label: "UDM" + description: "The severity of the result." + } # dimension severity + + dimension: severity_enum_name { + type: string + suggestions: ["CRITICAL", "ERROR", "HIGH", "INFORMATIONAL", "LOW", "MEDIUM", "UNKNOWN_SEVERITY"] + sql: CASE ${TABLE}.severity WHEN 0 THEN 'UNKNOWN_SEVERITY' WHEN 100 THEN 'INFORMATIONAL' WHEN 150 THEN 'ERROR' WHEN 200 THEN 'LOW' WHEN 300 THEN 'MEDIUM' WHEN 400 THEN 'HIGH' WHEN 500 THEN 'CRITICAL' END ;; + group_label: "security_result" + label: "security_result.severity_enum_name" + view_label: "UDM" + description: "The severity of the result." + } # dimension severity_enum_name + + dimension: severity_details { + type: string + sql: ${TABLE}.severity_details ;; + group_label: "security_result" + label: "security_result.severity_details" + view_label: "UDM" + description: "Vendor-specific severity." 
+ } # dimension severity_details + + dimension: summary { + type: string + sql: ${TABLE}.summary ;; + group_label: "security_result" + label: "security_result.summary" + view_label: "UDM" + description: "A human readable summary (e.g. \"failed login occurred\")" + } # dimension summary + + dimension: threat_feed_name { + type: string + sql: ${TABLE}.threat_feed_name ;; + group_label: "security_result" + label: "security_result.threat_feed_name" + view_label: "UDM" + description: "Vendor feed name for a threat indicator feed." + } # dimension threat_feed_name + + dimension: threat_id { + type: string + sql: ${TABLE}.threat_id ;; + group_label: "security_result" + label: "security_result.threat_id" + view_label: "UDM" + description: "Vendor-specific ID for a threat." + } # dimension threat_id + + dimension: threat_id_namespace { + type: number + sql: ${TABLE}.threat_id_namespace ;; + group_label: "security_result" + label: "security_result.threat_id_namespace" + view_label: "UDM" + description: "The attribute threat_id_namespace qualifies threat_id with an id namespace to get an unique id. The attribute threat_id by itself is not unique across Chronicle as it is a vendor specific id." + } # dimension threat_id_namespace + + dimension: threat_id_namespace_enum_name { + type: string + suggestions: ["MACHINE_INTELLIGENCE", "NORMALIZED_TELEMETRY", "RAW_TELEMETRY", "RULE_DETECTIONS", "SECURITY_COMMAND_CENTER", "SOAR_ALERT", "UNSPECIFIED", "UPPERCASE"] + sql: CASE ${TABLE}.threat_id_namespace WHEN 0 THEN 'NORMALIZED_TELEMETRY' WHEN 1 THEN 'RAW_TELEMETRY' WHEN 2 THEN 'RULE_DETECTIONS' WHEN 3 THEN 'UPPERCASE' WHEN 4 THEN 'MACHINE_INTELLIGENCE' WHEN 5 THEN 'SECURITY_COMMAND_CENTER' WHEN 6 THEN 'UNSPECIFIED' WHEN 7 THEN 'SOAR_ALERT' END ;; + group_label: "security_result" + label: "security_result.threat_id_namespace_enum_name" + view_label: "UDM" + description: "The attribute threat_id_namespace qualifies threat_id with an id namespace to get an unique id. 
The attribute threat_id by itself is not unique across Chronicle as it is a vendor specific id." + } # dimension threat_id_namespace_enum_name + + dimension: threat_name { + type: string + sql: ${TABLE}.threat_name ;; + group_label: "security_result" + label: "security_result.threat_name" + view_label: "UDM" + description: "A vendor-assigned classification common across multiple customers (e.g. \"W32/File-A\", \"Slammer\")." + } # dimension threat_name + + dimension: threat_status { + type: number + sql: ${TABLE}.threat_status ;; + group_label: "security_result" + label: "security_result.threat_status" + view_label: "UDM" + description: "Current status of the threat" + } # dimension threat_status + + dimension: threat_status_enum_name { + type: string + suggestions: ["ACTIVE", "CLEARED", "FALSE_POSITIVE", "THREAT_STATUS_UNSPECIFIED"] + sql: CASE ${TABLE}.threat_status WHEN 0 THEN 'THREAT_STATUS_UNSPECIFIED' WHEN 1 THEN 'ACTIVE' WHEN 2 THEN 'CLEARED' WHEN 3 THEN 'FALSE_POSITIVE' END ;; + group_label: "security_result" + label: "security_result.threat_status_enum_name" + view_label: "UDM" + description: "Current status of the threat" + } # dimension threat_status_enum_name + + dimension: url_back_to_product { + type: string + sql: ${TABLE}.url_back_to_product ;; + group_label: "security_result" + label: "security_result.url_back_to_product" + view_label: "UDM" + description: "URL that takes the user to the source product console for this event." + } # dimension url_back_to_product + +} # view udm_events__security_result + +view: udm_events__src__artifact__network__dns__questions { + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "src" + label: "src.artifact.network.dns.questions.name" + view_label: "UDM" + description: "The domain name." 
+ } # dimension name + +} # view udm_events__src__artifact__network__dns__questions + +view: udm_events__src__asset__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "src" + label: "src.asset.attribute.labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "src" + label: "src.asset.attribute.labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view udm_events__src__asset__attribute__labels + +view: udm_events__src__asset__hardware { + dimension: cpu_model { + type: string + sql: ${TABLE}.cpu_model ;; + group_label: "src" + label: "src.asset.hardware.cpu_model" + view_label: "UDM" + description: "Model description of the hardware CPU (e.g. \"2.8 GHz Quad-Core Intel Core i5\")." + } # dimension cpu_model + + dimension: cpu_platform { + type: string + sql: ${TABLE}.cpu_platform ;; + group_label: "src" + label: "src.asset.hardware.cpu_platform" + view_label: "UDM" + description: "Platform of the hardware CPU (e.g. \"Intel Broadwell\")." + } # dimension cpu_platform + + dimension: manufacturer { + type: string + sql: ${TABLE}.manufacturer ;; + group_label: "src" + label: "src.asset.hardware.manufacturer" + view_label: "UDM" + description: "Hardware manufacturer." + } # dimension manufacturer + + dimension: model { + type: string + sql: ${TABLE}.model ;; + group_label: "src" + label: "src.asset.hardware.model" + view_label: "UDM" + description: "Hardware model." + } # dimension model + + dimension: ram { + type: number + sql: ${TABLE}.ram ;; + group_label: "src" + label: "src.asset.hardware.ram" + view_label: "UDM" + description: "Amount of the hardware ramdom access memory (RAM) in Mb." 
+ } # dimension ram + + dimension: serial_number { + type: string + sql: ${TABLE}.serial_number ;; + group_label: "src" + label: "src.asset.hardware.serial_number" + view_label: "UDM" + description: "Hardware serial number." + } # dimension serial_number + +} # view udm_events__src__asset__hardware + +view: udm_events__src__asset__ip { + dimension: udm_events__src__asset__ip { + type: string + sql: ${TABLE} ;; + group_label: "src" + label: "src.asset.ip" + view_label: "UDM" + description: "A list of IP addresses associated with an asset." + } # dimension udm_events__src__asset__ip +} # view udm_events__src__asset__ip + +view: udm_events__src__asset__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "src" + group_item_label: "src.asset.labels.key [D]" + label: "src.asset.labels.key" + view_label: "UDM" + description: "The key. [D]: This field is deprecated and will be removed in a future release" + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "src" + group_item_label: "src.asset.labels.value [D]" + label: "src.asset.labels.value" + view_label: "UDM" + description: "The value. [D]: This field is deprecated and will be removed in a future release" + } # dimension value + +} # view udm_events__src__asset__labels + +view: udm_events__src__asset__mac { + dimension: udm_events__src__asset__mac { + type: string + sql: ${TABLE} ;; + group_label: "src" + label: "src.asset.mac" + view_label: "UDM" + description: "List of MAC addresses associated with an asset." + } # dimension udm_events__src__asset__mac +} # view udm_events__src__asset__mac + +view: udm_events__src__asset__nat_ip { + dimension: udm_events__src__asset__nat_ip { + type: string + sql: ${TABLE} ;; + group_label: "src" + label: "src.asset.nat_ip" + view_label: "UDM" + description: "List of NAT IP addresses associated with an asset." 
+ } # dimension udm_events__src__asset__nat_ip +} # view udm_events__src__asset__nat_ip + +view: udm_events__src__asset__software__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "src" + label: "src.asset.software.permissions.description" + view_label: "UDM" + description: "Description of the permission (e.g. 'Ability to update detect rules')." + } # dimension description + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "src" + label: "src.asset.software.permissions.name" + view_label: "UDM" + description: "Name of the permission (e.g. chronicle.analyst.updateRule)." + } # dimension name + +} # view udm_events__src__asset__software__permissions + +view: udm_events__src__asset__software { + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "src" + label: "src.asset.software.name" + view_label: "UDM" + description: "The name of the software." + } # dimension name + + dimension: permissions { + hidden: yes + } # dimension permissions + + dimension: version { + type: string + sql: ${TABLE}.version ;; + group_label: "src" + label: "src.asset.software.version" + view_label: "UDM" + description: "The version of the software." + } # dimension version + +} # view udm_events__src__asset__software + +view: udm_events__src__asset__vulnerabilities { + dimension: cve_id { + type: string + sql: ${TABLE}.cve_id ;; + group_label: "src" + label: "src.asset.vulnerabilities.cve_id" + view_label: "UDM" + description: "Common Vulnerabilities and Exposures Id.https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures https://cve.mitre.org/about/faqs.html#what_is_cve_id" + } # dimension cve_id + + dimension: cvss_base_score { + type: number + sql: ${TABLE}.cvss_base_score ;; + group_label: "src" + label: "src.asset.vulnerabilities.cvss_base_score" + view_label: "UDM" + description: "CVSS Base Score in the range of 0.0 to 10.0. Useful for sorting." 
+ } # dimension cvss_base_score + + dimension: cvss_vector { + type: string + sql: ${TABLE}.cvss_vector ;; + group_label: "src" + label: "src.asset.vulnerabilities.cvss_vector" + view_label: "UDM" + description: "Vector of CVSS properties (e.g. \"AV:L/AC:H/Au:N/C:N/I:P/A:C\") Can be linked to via: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=VALUE" + } # dimension cvss_vector + + dimension: cvss_version { + type: string + sql: ${TABLE}.cvss_version ;; + group_label: "src" + label: "src.asset.vulnerabilities.cvss_version" + view_label: "UDM" + description: "Version of CVSS Vector/Score." + } # dimension cvss_version + + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "src" + label: "src.asset.vulnerabilities.description" + view_label: "UDM" + description: "Description of the vulnerability." + } # dimension description + + dimension_group: src__asset__vulnerabilities__first_found { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.first_found.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.first_found.nanos, 0) / 1000) as INT64)) ;; + group_label: "src" + label: "src.asset.vulnerabilities.first_found" + view_label: "UDM" + description: "Products that maintain a history of vuln scans should populate first_found with the time that a scan first detected the vulnerability on this asset." 
+ } # dimension src__asset__vulnerabilities__first_found + + dimension_group: src__asset__vulnerabilities__last_found { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.last_found.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.last_found.nanos, 0) / 1000) as INT64)) ;; + group_label: "src" + label: "src.asset.vulnerabilities.last_found" + view_label: "UDM" + description: "Products that maintain a history of vuln scans should populate last_found with the time that a scan last detected the vulnerability on this asset." + } # dimension src__asset__vulnerabilities__last_found + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "src" + label: "src.asset.vulnerabilities.name" + view_label: "UDM" + description: "Name of the vulnerability (e.g. \"Unsupported OS Version detected\")." + } # dimension name + + dimension_group: src__asset__vulnerabilities__scan_end_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.scan_end_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.scan_end_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "src" + label: "src.asset.vulnerabilities.scan_end_time" + view_label: "UDM" + description: "If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan ended. This field can be left unset if the end time is not available or not applicable." 
+ } # dimension src__asset__vulnerabilities__scan_end_time + + dimension_group: src__asset__vulnerabilities__scan_start_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.scan_start_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.scan_start_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "src" + label: "src.asset.vulnerabilities.scan_start_time" + view_label: "UDM" + description: "If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan started. This field can be left unset if the start time is not available or not applicable." + } # dimension src__asset__vulnerabilities__scan_start_time + + dimension: severity { + type: number + sql: ${TABLE}.severity ;; + group_label: "src" + label: "src.asset.vulnerabilities.severity" + view_label: "UDM" + description: "The severity of the vulnerability." + } # dimension severity + + dimension: severity_enum_name { + type: string + suggestions: ["CRITICAL", "HIGH", "LOW", "MEDIUM", "UNKNOWN_SEVERITY"] + sql: CASE ${TABLE}.severity WHEN 0 THEN 'UNKNOWN_SEVERITY' WHEN 1 THEN 'LOW' WHEN 2 THEN 'MEDIUM' WHEN 3 THEN 'HIGH' WHEN 4 THEN 'CRITICAL' END ;; + group_label: "src" + label: "src.asset.vulnerabilities.severity_enum_name" + view_label: "UDM" + description: "The severity of the vulnerability." + } # dimension severity_enum_name + +} # view udm_events__src__asset__vulnerabilities + +view: udm_events__src__file__capabilities_tags { + dimension: udm_events__src__file__capabilities_tags { + type: string + sql: ${TABLE} ;; + group_label: "src" + label: "src.file.capabilities_tags" + view_label: "UDM" + description: "Capabilities tags." 
+ } # dimension udm_events__src__file__capabilities_tags +} # view udm_events__src__file__capabilities_tags + +view: udm_events__src__file__embedded_domains { + dimension: udm_events__src__file__embedded_domains { + type: string + sql: ${TABLE} ;; + group_label: "src" + label: "src.file.embedded_domains" + view_label: "UDM" + description: "Embedded domains found in the file." + } # dimension udm_events__src__file__embedded_domains +} # view udm_events__src__file__embedded_domains + +view: udm_events__src__file__embedded_ips { + dimension: udm_events__src__file__embedded_ips { + type: string + sql: ${TABLE} ;; + group_label: "src" + label: "src.file.embedded_ips" + view_label: "UDM" + description: "Embedded IP addresses found in the file." + } # dimension udm_events__src__file__embedded_ips +} # view udm_events__src__file__embedded_ips + +view: udm_events__src__file__embedded_urls { + dimension: udm_events__src__file__embedded_urls { + type: string + sql: ${TABLE} ;; + group_label: "src" + label: "src.file.embedded_urls" + view_label: "UDM" + description: "Embedded urls found in the file." + } # dimension udm_events__src__file__embedded_urls +} # view udm_events__src__file__embedded_urls + +view: udm_events__src__file__names { + dimension: udm_events__src__file__names { + type: string + sql: ${TABLE} ;; + group_label: "src" + label: "src.file.names" + view_label: "UDM" + description: "Names fields." + } # dimension udm_events__src__file__names +} # view udm_events__src__file__names + +view: udm_events__src__file__signature_info__sigcheck__signers { + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "src" + label: "src.file.signature_info.sigcheck.signers.name" + view_label: "UDM" + description: "Common name of the signers/certificate. The order of the signers matters. Each element is a higher level authority, the last being the root authority." 
+ } # dimension name + +} # view udm_events__src__file__signature_info__sigcheck__signers + +view: udm_events__src__file__tags { + dimension: udm_events__src__file__tags { + type: string + sql: ${TABLE} ;; + group_label: "src" + label: "src.file.tags" + view_label: "UDM" + description: "Tags for the file." + } # dimension udm_events__src__file__tags +} # view udm_events__src__file__tags + +view: udm_events__src__ip { + dimension: udm_events__src__ip { + type: string + sql: ${TABLE} ;; + group_label: "src" + label: "src.ip" + view_label: "UDM" + description: "A list of IP addresses associated with a network connection." + } # dimension udm_events__src__ip +} # view udm_events__src__ip + +view: udm_events__src__ip_geo_artifact { + dimension: ip { + type: string + sql: ${TABLE}.ip ;; + group_label: "src" + label: "src.ip_geo_artifact.ip" + view_label: "UDM" + description: "IP address of the artifact." + } # dimension ip + + dimension: location { + hidden: yes + } # dimension location + + dimension: location__country_or_region { + type: string + sql: ${TABLE}.location.country_or_region ;; + group_label: "src" + label: "src.ip_geo_artifact.location.country_or_region" + view_label: "UDM" + description: "The country or region." + } # dimension location__country_or_region + + dimension: location__region_coordinates { + type: location + sql_latitude: ${TABLE}.location.region_coordinates.latitude ;; + sql_longitude: ${TABLE}.location.region_coordinates.longitude ;; + group_label: "src" + group_item_label: "src.ip_geo_artifact.location.region_coordinates [L]" + label: "src.ip_geo_artifact.location.region_coordinates" + view_label: "UDM" + description: "Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. [L]: This is a location field and can be used in maps." 
+ } # dimension location__region_coordinates + + dimension: location__region_latitude { + type: number + sql: ${TABLE}.location.region_latitude ;; + group_label: "src" + group_item_label: "src.ip_geo_artifact.location.region_latitude [D]" + label: "src.ip_geo_artifact.location.region_latitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" + } # dimension location__region_latitude + + dimension: location__region_longitude { + type: number + sql: ${TABLE}.location.region_longitude ;; + group_label: "src" + group_item_label: "src.ip_geo_artifact.location.region_longitude [D]" + label: "src.ip_geo_artifact.location.region_longitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" + } # dimension location__region_longitude + + dimension: location__location { + type: location + sql_latitude: ${TABLE}.location.region_latitude ;; + sql_longitude: ${TABLE}.location.region_longitude ;; + group_label: "src" + group_item_label: "src.ip_geo_artifact.location.location [D][L]" + label: "src.ip_geo_artifact.location.location" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." + } # dimension location__location + + dimension: location__state { + type: string + sql: ${TABLE}.location.state ;; + group_label: "src" + label: "src.ip_geo_artifact.location.state" + view_label: "UDM" + description: "The state." + } # dimension location__state + + dimension: network { + hidden: yes + } # dimension network + + dimension: network__asn { + type: string + sql: ${TABLE}.network.asn ;; + group_label: "src" + label: "src.ip_geo_artifact.network.asn" + view_label: "UDM" + description: "Autonomous system number." 
+ } # dimension network__asn + + dimension: network__carrier_name { + type: string + sql: ${TABLE}.network.carrier_name ;; + group_label: "src" + label: "src.ip_geo_artifact.network.carrier_name" + view_label: "UDM" + description: "Carrier identification." + } # dimension network__carrier_name + + dimension: network__dns_domain { + type: string + sql: ${TABLE}.network.dns_domain ;; + group_label: "src" + label: "src.ip_geo_artifact.network.dns_domain" + view_label: "UDM" + description: "DNS domain name." + } # dimension network__dns_domain + + dimension: network__organization_name { + type: string + sql: ${TABLE}.network.organization_name ;; + group_label: "src" + label: "src.ip_geo_artifact.network.organization_name" + view_label: "UDM" + description: "Organization name (e.g Google)." + } # dimension network__organization_name + +} # view udm_events__src__ip_geo_artifact + +view: udm_events__src__ip_location { + dimension: country_or_region { + type: string + sql: ${TABLE}.country_or_region ;; + group_label: "src" + group_item_label: "src.ip_location.country_or_region [D]" + label: "src.ip_location.country_or_region" + view_label: "UDM" + description: "The country or region. [D]: This field is deprecated and will be removed in a future release" + } # dimension country_or_region + + dimension: region_coordinates { + type: location + sql_latitude: ${TABLE}.region_coordinates.latitude ;; + sql_longitude: ${TABLE}.region_coordinates.longitude ;; + group_label: "src" + group_item_label: "src.ip_location.region_coordinates [D][L]" + label: "src.ip_location.region_coordinates" + view_label: "UDM" + description: "Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." 
+ } # dimension region_coordinates + + dimension: region_latitude { + type: number + sql: ${TABLE}.region_latitude ;; + group_label: "src" + group_item_label: "src.ip_location.region_latitude [D]" + label: "src.ip_location.region_latitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" + } # dimension region_latitude + + dimension: region_longitude { + type: number + sql: ${TABLE}.region_longitude ;; + group_label: "src" + group_item_label: "src.ip_location.region_longitude [D]" + label: "src.ip_location.region_longitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" + } # dimension region_longitude + + dimension: location { + type: location + sql_latitude: ${TABLE}.region_latitude ;; + sql_longitude: ${TABLE}.region_longitude ;; + group_label: "src" + group_item_label: "src.ip_location.location [D][L]" + label: "src.ip_location.location" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." + } # dimension location + + dimension: state { + type: string + sql: ${TABLE}.state ;; + group_label: "src" + group_item_label: "src.ip_location.state [D]" + label: "src.ip_location.state" + view_label: "UDM" + description: "The state. [D]: This field is deprecated and will be removed in a future release" + } # dimension state + +} # view udm_events__src__ip_location + +view: udm_events__src__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "src" + group_item_label: "src.labels.key [D]" + label: "src.labels.key" + view_label: "UDM" + description: "The key. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "src" + group_item_label: "src.labels.value [D]" + label: "src.labels.value" + view_label: "UDM" + description: "The value. [D]: This field is deprecated and will be removed in a future release" + } # dimension value + +} # view udm_events__src__labels + +view: udm_events__src__mac { + dimension: udm_events__src__mac { + type: string + sql: ${TABLE} ;; + group_label: "src" + label: "src.mac" + view_label: "UDM" + description: "List of MAC addresses associated with a device." + } # dimension udm_events__src__mac +} # view udm_events__src__mac + +view: udm_events__src__nat_ip { + dimension: udm_events__src__nat_ip { + type: string + sql: ${TABLE} ;; + group_label: "src" + label: "src.nat_ip" + view_label: "UDM" + description: "A list of NAT translated IP addresses associated with a network connection." + } # dimension udm_events__src__nat_ip +} # view udm_events__src__nat_ip + +view: udm_events__src__process__file__names { + dimension: udm_events__src__process__file__names { + type: string + sql: ${TABLE} ;; + group_label: "src" + label: "src.process.file.names" + view_label: "UDM" + description: "Names fields." + } # dimension udm_events__src__process__file__names +} # view udm_events__src__process__file__names + +view: udm_events__src__process_ancestors { + dimension: file { + hidden: yes + } # dimension file + + dimension: file__full_path { + type: string + sql: ${TABLE}.file.full_path ;; + group_label: "src" + label: "src.process_ancestors.file.full_path" + view_label: "UDM" + description: "The full path identifying the location of the file on the system." 
+ } # dimension file__full_path + +} # view udm_events__src__process_ancestors + +view: udm_events__src__resource__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "src" + label: "src.resource.attribute.labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: source { + type: string + sql: ${TABLE}.source ;; + group_label: "src" + label: "src.resource.attribute.labels.source" + view_label: "UDM" + description: "@hide_from_doc" + } # dimension source + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "src" + label: "src.resource.attribute.labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view udm_events__src__resource__attribute__labels + +view: udm_events__src__resource__attribute__permissions { + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "src" + label: "src.resource.attribute.permissions.name" + view_label: "UDM" + description: "Name of the permission (e.g. chronicle.analyst.updateRule)." + } # dimension name + +} # view udm_events__src__resource__attribute__permissions + +view: udm_events__src__resource_ancestors__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "src" + label: "src.resource_ancestors.attribute.labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "src" + label: "src.resource_ancestors.attribute.labels.value" + view_label: "UDM" + description: "The value." 
+ } # dimension value + +} # view udm_events__src__resource_ancestors__attribute__labels + +view: udm_events__src__resource_ancestors { + dimension: attribute { + hidden: yes + } # dimension attribute + + dimension: attribute__labels { + hidden: yes + } # dimension attribute__labels + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "src" + label: "src.resource_ancestors.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." + } # dimension name + + dimension: product_object_id { + type: string + sql: ${TABLE}.product_object_id ;; + group_label: "src" + label: "src.resource_ancestors.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" + } # dimension product_object_id + + dimension: resource_type { + type: number + sql: ${TABLE}.resource_type ;; + group_label: "src" + label: "src.resource_ancestors.resource_type" + view_label: "UDM" + description: "Resource type." 
+ } # dimension resource_type + + dimension: resource_type_enum_name { + type: string + suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] + sql: CASE ${TABLE}.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; + group_label: "src" + label: "src.resource_ancestors.resource_type_enum_name" + view_label: "UDM" + description: "Resource type." + } # dimension resource_type_enum_name + +} # view udm_events__src__resource_ancestors + +view: udm_events__src__user__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "src" + label: "src.user.attribute.labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "src" + label: "src.user.attribute.labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view udm_events__src__user__attribute__labels + +view: udm_events__src__user__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "src" + label: "src.user.attribute.roles.description" + view_label: "UDM" + description: "System role description for user." 
+ } # dimension description + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "src" + label: "src.user.attribute.roles.name" + view_label: "UDM" + description: "System role name for user." + } # dimension name + + dimension: type { + type: number + sql: ${TABLE}.type ;; + group_label: "src" + label: "src.user.attribute.roles.type" + view_label: "UDM" + description: "System role type for well known roles." + } # dimension type + + dimension: type_enum_name { + type: string + suggestions: ["ADMINISTRATOR", "SERVICE_ACCOUNT", "TYPE_UNSPECIFIED"] + sql: CASE ${TABLE}.type WHEN 0 THEN 'TYPE_UNSPECIFIED' WHEN 1 THEN 'ADMINISTRATOR' WHEN 2 THEN 'SERVICE_ACCOUNT' END ;; + group_label: "src" + label: "src.user.attribute.roles.type_enum_name" + view_label: "UDM" + description: "System role type for well known roles." + } # dimension type_enum_name + +} # view udm_events__src__user__attribute__roles + +view: udm_events__src__user__department { + dimension: udm_events__src__user__department { + type: string + sql: ${TABLE} ;; + group_label: "src" + label: "src.user.department" + view_label: "UDM" + description: "User job department" + } # dimension udm_events__src__user__department +} # view udm_events__src__user__department + +view: udm_events__src__user__email_addresses { + dimension: udm_events__src__user__email_addresses { + type: string + sql: ${TABLE} ;; + group_label: "src" + label: "src.user.email_addresses" + view_label: "UDM" + description: "Email addresses of the user." 
+ } # dimension udm_events__src__user__email_addresses +} # view udm_events__src__user__email_addresses + +view: udm_events__src__user__group_identifiers { + dimension: udm_events__src__user__group_identifiers { + type: string + sql: ${TABLE} ;; + group_label: "src" + label: "src.user.group_identifiers" + view_label: "UDM" + description: "Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar)." + } # dimension udm_events__src__user__group_identifiers +} # view udm_events__src__user__group_identifiers + +view: udm_events__src__user__managers__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "src" + label: "src.user.managers.attribute.labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "src" + label: "src.user.managers.attribute.labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view udm_events__src__user__managers__attribute__labels + +view: udm_events__src__user__managers__attribute__roles { + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "src" + label: "src.user.managers.attribute.roles.name" + view_label: "UDM" + description: "System role name for user." + } # dimension name + + dimension: type { + type: number + sql: ${TABLE}.type ;; + group_label: "src" + label: "src.user.managers.attribute.roles.type" + view_label: "UDM" + description: "System role type for well known roles." 
+ } # dimension type + + dimension: type_enum_name { + type: string + suggestions: ["ADMINISTRATOR", "SERVICE_ACCOUNT", "TYPE_UNSPECIFIED"] + sql: CASE ${TABLE}.type WHEN 0 THEN 'TYPE_UNSPECIFIED' WHEN 1 THEN 'ADMINISTRATOR' WHEN 2 THEN 'SERVICE_ACCOUNT' END ;; + group_label: "src" + label: "src.user.managers.attribute.roles.type_enum_name" + view_label: "UDM" + description: "System role type for well known roles." + } # dimension type_enum_name + +} # view udm_events__src__user__managers__attribute__roles + +view: udm_events__src__user__managers__department { + dimension: udm_events__src__user__managers__department { + type: string + sql: ${TABLE} ;; + group_label: "src" + label: "src.user.managers.department" + view_label: "UDM" + description: "User job department" + } # dimension udm_events__src__user__managers__department +} # view udm_events__src__user__managers__department + +view: udm_events__src__user__managers__email_addresses { + dimension: udm_events__src__user__managers__email_addresses { + type: string + sql: ${TABLE} ;; + group_label: "src" + label: "src.user.managers.email_addresses" + view_label: "UDM" + description: "Email addresses of the user." + } # dimension udm_events__src__user__managers__email_addresses +} # view udm_events__src__user__managers__email_addresses + +view: udm_events__src__user__managers__group_identifiers { + dimension: udm_events__src__user__managers__group_identifiers { + type: string + sql: ${TABLE} ;; + group_label: "src" + label: "src.user.managers.group_identifiers" + view_label: "UDM" + description: "Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar)." 
+ } # dimension udm_events__src__user__managers__group_identifiers +} # view udm_events__src__user__managers__group_identifiers + +view: udm_events__src__user__managers__phone_numbers { + dimension: udm_events__src__user__managers__phone_numbers { + type: string + sql: ${TABLE} ;; + group_label: "src" + label: "src.user.managers.phone_numbers" + view_label: "UDM" + description: "Phone numbers for the user." + } # dimension udm_events__src__user__managers__phone_numbers +} # view udm_events__src__user__managers__phone_numbers + +view: udm_events__src__user__managers { + dimension: attribute { + hidden: yes + } # dimension attribute + + dimension: attribute__labels { + hidden: yes + } # dimension attribute__labels + + dimension: attribute__roles { + hidden: yes + } # dimension attribute__roles + + dimension: company_name { + type: string + sql: ${TABLE}.company_name ;; + group_label: "src" + label: "src.user.managers.company_name" + view_label: "UDM" + description: "User job company name." + } # dimension company_name + + dimension: department { + hidden: yes + } # dimension department + + dimension: email_addresses { + hidden: yes + } # dimension email_addresses + + dimension: employee_id { + type: string + sql: ${TABLE}.employee_id ;; + group_label: "src" + label: "src.user.managers.employee_id" + view_label: "UDM" + description: "Human capital management identifier." + } # dimension employee_id + + dimension: first_name { + type: string + sql: ${TABLE}.first_name ;; + group_label: "src" + label: "src.user.managers.first_name" + view_label: "UDM" + description: "First name of the user (e.g. \"John\")." + } # dimension first_name + + dimension: group_identifiers { + hidden: yes + } # dimension group_identifiers + + dimension: last_name { + type: string + sql: ${TABLE}.last_name ;; + group_label: "src" + label: "src.user.managers.last_name" + view_label: "UDM" + description: "Last name of the user (e.g. \"Locke\")." 
+ } # dimension last_name + + dimension: personal_address { + hidden: yes + } # dimension personal_address + + dimension: personal_address__city { + type: string + sql: ${TABLE}.personal_address.city ;; + group_label: "src" + label: "src.user.managers.personal_address.city" + view_label: "UDM" + description: "The city." + } # dimension personal_address__city + + dimension: personal_address__country_or_region { + type: string + sql: ${TABLE}.personal_address.country_or_region ;; + group_label: "src" + label: "src.user.managers.personal_address.country_or_region" + view_label: "UDM" + description: "The country or region." + } # dimension personal_address__country_or_region + + dimension: personal_address__name { + type: string + sql: ${TABLE}.personal_address.name ;; + group_label: "src" + label: "src.user.managers.personal_address.name" + view_label: "UDM" + description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." + } # dimension personal_address__name + + dimension: personal_address__state { + type: string + sql: ${TABLE}.personal_address.state ;; + group_label: "src" + label: "src.user.managers.personal_address.state" + view_label: "UDM" + description: "The state." + } # dimension personal_address__state + + dimension: phone_numbers { + hidden: yes + } # dimension phone_numbers + + dimension: product_object_id { + type: string + sql: ${TABLE}.product_object_id ;; + group_label: "src" + label: "src.user.managers.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." + } # dimension product_object_id + + dimension: title { + type: string + sql: ${TABLE}.title ;; + group_label: "src" + label: "src.user.managers.title" + view_label: "UDM" + description: "User job title." 
+ } # dimension title + + dimension: user_display_name { + type: string + sql: ${TABLE}.user_display_name ;; + group_label: "src" + label: "src.user.managers.user_display_name" + view_label: "UDM" + description: "The display name of the user (e.g. \"John Locke\")." + } # dimension user_display_name + + dimension: userid { + type: string + sql: ${TABLE}.userid ;; + group_label: "src" + label: "src.user.managers.userid" + view_label: "UDM" + description: "The ID of the user." + } # dimension userid + + dimension: windows_sid { + type: string + sql: ${TABLE}.windows_sid ;; + group_label: "src" + label: "src.user.managers.windows_sid" + view_label: "UDM" + description: "The Microsoft Windows SID of the user." + } # dimension windows_sid + +} # view udm_events__src__user__managers + +view: udm_events__src__user__phone_numbers { + dimension: udm_events__src__user__phone_numbers { + type: string + sql: ${TABLE} ;; + group_label: "src" + label: "src.user.phone_numbers" + view_label: "UDM" + description: "Phone numbers for the user." + } # dimension udm_events__src__user__phone_numbers +} # view udm_events__src__user__phone_numbers + +view: udm_events__src__user__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "src" + label: "src.user.time_off.description" + view_label: "UDM" + description: "Description of the leave if available (e.g. 'Vacation')." + } # dimension description + + dimension_group: src__user__time_off__interval { + type: duration + intervals: [ second, minute, hour ] + sql_start: TIMESTAMP_MICROS(IFNULL(${TABLE}.interval.start_time.seconds,0) * 1000000 + CAST((IFNULL(${TABLE}.interval.start_time.nanos,0) / 1000) as INT64)) ;; + sql_end: TIMESTAMP_MICROS(IFNULL(${TABLE}.interval.end_time.seconds,0) * 1000000 + CAST((IFNULL(${TABLE}.interval.end_time.nanos,0) / 1000) as INT64)) ;; + group_label: "src" + label: "src.user.time_off.interval" + view_label: "UDM" + description: "Interval duration of the leave." 
+ } # dimension src__user__time_off__interval + +} # view udm_events__src__user__time_off + +view: udm_events__target__artifact__network__email__subject { + dimension: udm_events__target__artifact__network__email__subject { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.artifact.network.email.subject" + view_label: "UDM" + description: "The subject line(s) of the email." + } # dimension udm_events__target__artifact__network__email__subject +} # view udm_events__target__artifact__network__email__subject + +view: udm_events__target__asset__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "target" + label: "target.asset.attribute.labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "target" + label: "target.asset.attribute.labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view udm_events__target__asset__attribute__labels + +view: udm_events__target__asset__attribute__permissions { + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "target" + label: "target.asset.attribute.permissions.name" + view_label: "UDM" + description: "Name of the permission (e.g. chronicle.analyst.updateRule)." + } # dimension name + +} # view udm_events__target__asset__attribute__permissions + +view: udm_events__target__asset__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "target" + label: "target.asset.attribute.roles.description" + view_label: "UDM" + description: "System role description for user." + } # dimension description + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "target" + label: "target.asset.attribute.roles.name" + view_label: "UDM" + description: "System role name for user." 
+ } # dimension name + +} # view udm_events__target__asset__attribute__roles + +view: udm_events__target__asset__hardware { + dimension: cpu_model { + type: string + sql: ${TABLE}.cpu_model ;; + group_label: "target" + label: "target.asset.hardware.cpu_model" + view_label: "UDM" + description: "Model description of the hardware CPU (e.g. \"2.8 GHz Quad-Core Intel Core i5\")." + } # dimension cpu_model + + dimension: cpu_number_cores { + type: number + sql: ${TABLE}.cpu_number_cores ;; + group_label: "target" + label: "target.asset.hardware.cpu_number_cores" + view_label: "UDM" + description: "Number of CPU cores." + } # dimension cpu_number_cores + + dimension: cpu_platform { + type: string + sql: ${TABLE}.cpu_platform ;; + group_label: "target" + label: "target.asset.hardware.cpu_platform" + view_label: "UDM" + description: "Platform of the hardware CPU (e.g. \"Intel Broadwell\")." + } # dimension cpu_platform + + dimension: manufacturer { + type: string + sql: ${TABLE}.manufacturer ;; + group_label: "target" + label: "target.asset.hardware.manufacturer" + view_label: "UDM" + description: "Hardware manufacturer." + } # dimension manufacturer + + dimension: model { + type: string + sql: ${TABLE}.model ;; + group_label: "target" + label: "target.asset.hardware.model" + view_label: "UDM" + description: "Hardware model." + } # dimension model + + dimension: ram { + type: number + sql: ${TABLE}.ram ;; + group_label: "target" + label: "target.asset.hardware.ram" + view_label: "UDM" + description: "Amount of the hardware ramdom access memory (RAM) in Mb." + } # dimension ram + + dimension: serial_number { + type: string + sql: ${TABLE}.serial_number ;; + group_label: "target" + label: "target.asset.hardware.serial_number" + view_label: "UDM" + description: "Hardware serial number." 
+ } # dimension serial_number + +} # view udm_events__target__asset__hardware + +view: udm_events__target__asset__ip { + dimension: udm_events__target__asset__ip { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.asset.ip" + view_label: "UDM" + description: "A list of IP addresses associated with an asset." + } # dimension udm_events__target__asset__ip +} # view udm_events__target__asset__ip + +view: udm_events__target__asset__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "target" + group_item_label: "target.asset.labels.key [D]" + label: "target.asset.labels.key" + view_label: "UDM" + description: "The key. [D]: This field is deprecated and will be removed in a future release" + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "target" + group_item_label: "target.asset.labels.value [D]" + label: "target.asset.labels.value" + view_label: "UDM" + description: "The value. [D]: This field is deprecated and will be removed in a future release" + } # dimension value + +} # view udm_events__target__asset__labels + +view: udm_events__target__asset__mac { + dimension: udm_events__target__asset__mac { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.asset.mac" + view_label: "UDM" + description: "List of MAC addresses associated with an asset." + } # dimension udm_events__target__asset__mac +} # view udm_events__target__asset__mac + +view: udm_events__target__asset__nat_ip { + dimension: udm_events__target__asset__nat_ip { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.asset.nat_ip" + view_label: "UDM" + description: "List of NAT IP addresses associated with an asset." 
+ } # dimension udm_events__target__asset__nat_ip +} # view udm_events__target__asset__nat_ip + +view: udm_events__target__asset__software__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "target" + label: "target.asset.software.permissions.description" + view_label: "UDM" + description: "Description of the permission (e.g. 'Ability to update detect rules')." + } # dimension description + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "target" + label: "target.asset.software.permissions.name" + view_label: "UDM" + description: "Name of the permission (e.g. chronicle.analyst.updateRule)." + } # dimension name + +} # view udm_events__target__asset__software__permissions + +view: udm_events__target__asset__software { + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "target" + label: "target.asset.software.name" + view_label: "UDM" + description: "The name of the software." + } # dimension name + + dimension: permissions { + hidden: yes + } # dimension permissions + + dimension: version { + type: string + sql: ${TABLE}.version ;; + group_label: "target" + label: "target.asset.software.version" + view_label: "UDM" + description: "The version of the software." 
+ } # dimension version + +} # view udm_events__target__asset__software + +view: udm_events__target__asset__vulnerabilities { + dimension: cve_id { + type: string + sql: ${TABLE}.cve_id ;; + group_label: "target" + label: "target.asset.vulnerabilities.cve_id" + view_label: "UDM" + description: "Common Vulnerabilities and Exposures Id.https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures https://cve.mitre.org/about/faqs.html#what_is_cve_id" + } # dimension cve_id + + dimension: cvss_base_score { + type: number + sql: ${TABLE}.cvss_base_score ;; + group_label: "target" + label: "target.asset.vulnerabilities.cvss_base_score" + view_label: "UDM" + description: "CVSS Base Score in the range of 0.0 to 10.0. Useful for sorting." + } # dimension cvss_base_score + + dimension: cvss_vector { + type: string + sql: ${TABLE}.cvss_vector ;; + group_label: "target" + label: "target.asset.vulnerabilities.cvss_vector" + view_label: "UDM" + description: "Vector of CVSS properties (e.g. \"AV:L/AC:H/Au:N/C:N/I:P/A:C\") Can be linked to via: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=VALUE" + } # dimension cvss_vector + + dimension: cvss_version { + type: string + sql: ${TABLE}.cvss_version ;; + group_label: "target" + label: "target.asset.vulnerabilities.cvss_version" + view_label: "UDM" + description: "Version of CVSS Vector/Score." + } # dimension cvss_version + + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "target" + label: "target.asset.vulnerabilities.description" + view_label: "UDM" + description: "Description of the vulnerability." 
+ } # dimension description + + dimension_group: target__asset__vulnerabilities__first_found { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.first_found.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.first_found.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.asset.vulnerabilities.first_found" + view_label: "UDM" + description: "Products that maintain a history of vuln scans should populate first_found with the time that a scan first detected the vulnerability on this asset." + } # dimension target__asset__vulnerabilities__first_found + + dimension_group: target__asset__vulnerabilities__last_found { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.last_found.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.last_found.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.asset.vulnerabilities.last_found" + view_label: "UDM" + description: "Products that maintain a history of vuln scans should populate last_found with the time that a scan last detected the vulnerability on this asset." + } # dimension target__asset__vulnerabilities__last_found + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "target" + label: "target.asset.vulnerabilities.name" + view_label: "UDM" + description: "Name of the vulnerability (e.g. \"Unsupported OS Version detected\")." 
+ } # dimension name + + dimension_group: target__asset__vulnerabilities__scan_end_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.scan_end_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.scan_end_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.asset.vulnerabilities.scan_end_time" + view_label: "UDM" + description: "If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan ended. This field can be left unset if the end time is not available or not applicable." + } # dimension target__asset__vulnerabilities__scan_end_time + + dimension_group: target__asset__vulnerabilities__scan_start_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.scan_start_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.scan_start_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.asset.vulnerabilities.scan_start_time" + view_label: "UDM" + description: "If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan started. This field can be left unset if the start time is not available or not applicable." + } # dimension target__asset__vulnerabilities__scan_start_time + + dimension: severity { + type: number + sql: ${TABLE}.severity ;; + group_label: "target" + label: "target.asset.vulnerabilities.severity" + view_label: "UDM" + description: "The severity of the vulnerability." 
+ } # dimension severity + + dimension: severity_enum_name { + type: string + suggestions: ["CRITICAL", "HIGH", "LOW", "MEDIUM", "UNKNOWN_SEVERITY"] + sql: CASE ${TABLE}.severity WHEN 0 THEN 'UNKNOWN_SEVERITY' WHEN 1 THEN 'LOW' WHEN 2 THEN 'MEDIUM' WHEN 3 THEN 'HIGH' WHEN 4 THEN 'CRITICAL' END ;; + group_label: "target" + label: "target.asset.vulnerabilities.severity_enum_name" + view_label: "UDM" + description: "The severity of the vulnerability." + } # dimension severity_enum_name + +} # view udm_events__target__asset__vulnerabilities + +view: udm_events__target__cloud__project__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "target" + group_item_label: "target.cloud.project.attribute.labels.key [D]" + label: "target.cloud.project.attribute.labels.key" + view_label: "UDM" + description: "The key. [D]: This field is deprecated and will be removed in a future release" + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "target" + group_item_label: "target.cloud.project.attribute.labels.value [D]" + label: "target.cloud.project.attribute.labels.value" + view_label: "UDM" + description: "The value. [D]: This field is deprecated and will be removed in a future release" + } # dimension value + +} # view udm_events__target__cloud__project__attribute__labels + +view: udm_events__target__domain__name_server { + dimension: udm_events__target__domain__name_server { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.domain.name_server" + view_label: "UDM" + description: "Repeated list of name servers." 
+ } # dimension udm_events__target__domain__name_server +} # view udm_events__target__domain__name_server + +view: udm_events__target__file__capabilities_tags { + dimension: udm_events__target__file__capabilities_tags { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.file.capabilities_tags" + view_label: "UDM" + description: "Capabilities tags." + } # dimension udm_events__target__file__capabilities_tags +} # view udm_events__target__file__capabilities_tags + +view: udm_events__target__file__embedded_domains { + dimension: udm_events__target__file__embedded_domains { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.file.embedded_domains" + view_label: "UDM" + description: "Embedded domains found in the file." + } # dimension udm_events__target__file__embedded_domains +} # view udm_events__target__file__embedded_domains + +view: udm_events__target__file__embedded_ips { + dimension: udm_events__target__file__embedded_ips { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.file.embedded_ips" + view_label: "UDM" + description: "Embedded IP addresses found in the file." + } # dimension udm_events__target__file__embedded_ips +} # view udm_events__target__file__embedded_ips + +view: udm_events__target__file__embedded_urls { + dimension: udm_events__target__file__embedded_urls { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.file.embedded_urls" + view_label: "UDM" + description: "Embedded urls found in the file." + } # dimension udm_events__target__file__embedded_urls +} # view udm_events__target__file__embedded_urls + +view: udm_events__target__file__names { + dimension: udm_events__target__file__names { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.file.names" + view_label: "UDM" + description: "Names fields." 
+ } # dimension udm_events__target__file__names +} # view udm_events__target__file__names + +view: udm_events__target__file__pe_file__imports__functions { + dimension: udm_events__target__file__pe_file__imports__functions { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.file.pe_file.imports.functions" + view_label: "UDM" + description: "Function field." + } # dimension udm_events__target__file__pe_file__imports__functions +} # view udm_events__target__file__pe_file__imports__functions + +view: udm_events__target__file__pe_file__imports { + dimension: functions { + hidden: yes + } # dimension functions + + dimension: library { + type: string + sql: ${TABLE}.library ;; + group_label: "target" + label: "target.file.pe_file.imports.library" + view_label: "UDM" + description: "Library field." + } # dimension library + +} # view udm_events__target__file__pe_file__imports + +view: udm_events__target__file__pe_file__resource { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + group_label: "target" + label: "target.file.pe_file.resource.entropy" + view_label: "UDM" + description: "Entropy of the resource." + } # dimension entropy + + dimension: file_type { + type: string + sql: ${TABLE}.file_type ;; + group_label: "target" + label: "target.file.pe_file.resource.file_type" + view_label: "UDM" + description: "File type. Note that this value may not match any of the well-known type identifiers defined in the ResourceType enum." + } # dimension file_type + + dimension: filetype_magic { + type: string + sql: ${TABLE}.filetype_magic ;; + group_label: "target" + label: "target.file.pe_file.resource.filetype_magic" + view_label: "UDM" + description: "Type of resource content, as identified by the magic Python module. 
BEGIN GOOGLE-INTERNAL See http://cs/virustotal/virustotal-core-analysis/sav/common/tools/toolpefile/magic.py END GOOGLE-INTERNAL" + } # dimension filetype_magic + + dimension: language_code { + type: string + sql: ${TABLE}.language_code ;; + group_label: "target" + label: "target.file.pe_file.resource.language_code" + view_label: "UDM" + description: "Human-readable version of the language and sublanguage identifiers, as defined in the Microsoft Windows PE specification. BEGIN GOOGLE-INTERNAL See http://cs/virustotal/virustotal-core-analysis/sav/common/tools/toolpefile/toolpefile.py?l=419&rcl=df1fcff7c5e82a39875359608b47669d5aff82c7 END GOOGLE-INTERNAL Examples: | Language | Sublanguage | Field value | | LANG_NEUTRAL | SUBLANG_NEUTRAL | NEUTRAL | | LANG_FRENCH | - | FRENCH | | LANG_ENGLISH | SUBLANG_ENGLISH US | ENGLISH US |" + } # dimension language_code + + dimension: sha256_hex { + type: string + sql: ${TABLE}.sha256_hex ;; + group_label: "target" + label: "target.file.pe_file.resource.sha256_hex" + view_label: "UDM" + description: "SHA256_hex field.." + } # dimension sha256_hex + +} # view udm_events__target__file__pe_file__resource + +view: udm_events__target__file__pe_file__resources_language_count_str { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "target" + label: "target.file.pe_file.resources_language_count_str.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "target" + label: "target.file.pe_file.resources_language_count_str.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view udm_events__target__file__pe_file__resources_language_count_str + +view: udm_events__target__file__pe_file__resources_type_count_str { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "target" + label: "target.file.pe_file.resources_type_count_str.key" + view_label: "UDM" + description: "The key." 
+ } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "target" + label: "target.file.pe_file.resources_type_count_str.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view udm_events__target__file__pe_file__resources_type_count_str + +view: udm_events__target__file__pe_file__section { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + group_label: "target" + label: "target.file.pe_file.section.entropy" + view_label: "UDM" + description: "Entropy of the section." + } # dimension entropy + + dimension: md5_hex { + type: string + sql: ${TABLE}.md5_hex ;; + group_label: "target" + label: "target.file.pe_file.section.md5_hex" + view_label: "UDM" + description: "MD5 hex of the file." + } # dimension md5_hex + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "target" + label: "target.file.pe_file.section.name" + view_label: "UDM" + description: "Name of the section." + } # dimension name + + dimension: raw_size_bytes { + type: number + sql: ${TABLE}.raw_size_bytes ;; + group_label: "target" + label: "target.file.pe_file.section.raw_size_bytes" + view_label: "UDM" + description: "Raw file size in bytes." + } # dimension raw_size_bytes + + dimension: virtual_size_bytes { + type: number + sql: ${TABLE}.virtual_size_bytes ;; + group_label: "target" + label: "target.file.pe_file.section.virtual_size_bytes" + view_label: "UDM" + description: "Virtual file size in bytes." + } # dimension virtual_size_bytes + +} # view udm_events__target__file__pe_file__section + +view: udm_events__target__file__signature_info__sigcheck__signers { + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "target" + label: "target.file.signature_info.sigcheck.signers.name" + view_label: "UDM" + description: "Common name of the signers/certificate. The order of the signers matters. Each element is a higher level authority, the last being the root authority." 
+ } # dimension name + +} # view udm_events__target__file__signature_info__sigcheck__signers + +view: udm_events__target__file__signature_info__sigcheck__x509 { + dimension: algorithm { + type: string + sql: ${TABLE}.algorithm ;; + group_label: "target" + label: "target.file.signature_info.sigcheck.x509.algorithm" + view_label: "UDM" + description: "Certificate algorithm." + } # dimension algorithm + + dimension: cert_issuer { + type: string + sql: ${TABLE}.cert_issuer ;; + group_label: "target" + label: "target.file.signature_info.sigcheck.x509.cert_issuer" + view_label: "UDM" + description: "Issuer of the certificate." + } # dimension cert_issuer + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "target" + label: "target.file.signature_info.sigcheck.x509.name" + view_label: "UDM" + description: "Certificate name." + } # dimension name + + dimension: serial_number { + type: string + sql: ${TABLE}.serial_number ;; + group_label: "target" + label: "target.file.signature_info.sigcheck.x509.serial_number" + view_label: "UDM" + description: "Certificate serial number." + } # dimension serial_number + + dimension: thumbprint { + type: string + sql: ${TABLE}.thumbprint ;; + group_label: "target" + label: "target.file.signature_info.sigcheck.x509.thumbprint" + view_label: "UDM" + description: "Certificate thumbprint." + } # dimension thumbprint + +} # view udm_events__target__file__signature_info__sigcheck__x509 + +view: udm_events__target__file__tags { + dimension: udm_events__target__file__tags { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.file.tags" + view_label: "UDM" + description: "Tags for the file." 
+ } # dimension udm_events__target__file__tags +} # view udm_events__target__file__tags + +view: udm_events__target__group__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "target" + label: "target.group.attribute.labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "target" + label: "target.group.attribute.labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view udm_events__target__group__attribute__labels + +view: udm_events__target__group__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "target" + label: "target.group.attribute.permissions.description" + view_label: "UDM" + description: "Description of the permission (e.g. 'Ability to update detect rules')." + } # dimension description + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "target" + label: "target.group.attribute.permissions.name" + view_label: "UDM" + description: "Name of the permission (e.g. chronicle.analyst.updateRule)." + } # dimension name + +} # view udm_events__target__group__attribute__permissions + +view: udm_events__target__group__attribute__roles { + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "target" + label: "target.group.attribute.roles.name" + view_label: "UDM" + description: "System role name for user." + } # dimension name + +} # view udm_events__target__group__attribute__roles + +view: udm_events__target__group__email_addresses { + dimension: udm_events__target__group__email_addresses { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.group.email_addresses" + view_label: "UDM" + description: "Email addresses of the group." 
+ } # dimension udm_events__target__group__email_addresses +} # view udm_events__target__group__email_addresses + +view: udm_events__target__investigation__comments { + dimension: udm_events__target__investigation__comments { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.investigation.comments" + view_label: "UDM" + description: "Comment added by the Analyst." + } # dimension udm_events__target__investigation__comments +} # view udm_events__target__investigation__comments + +view: udm_events__target__ip { + dimension: udm_events__target__ip { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.ip" + view_label: "UDM" + description: "A list of IP addresses associated with a network connection." + } # dimension udm_events__target__ip +} # view udm_events__target__ip + +view: udm_events__target__ip_geo_artifact { + dimension: ip { + type: string + sql: ${TABLE}.ip ;; + group_label: "target" + label: "target.ip_geo_artifact.ip" + view_label: "UDM" + description: "IP address of the artifact." + } # dimension ip + + dimension: location { + hidden: yes + } # dimension location + + dimension: location__country_or_region { + type: string + sql: ${TABLE}.location.country_or_region ;; + group_label: "target" + label: "target.ip_geo_artifact.location.country_or_region" + view_label: "UDM" + description: "The country or region." + } # dimension location__country_or_region + + dimension: location__region_coordinates { + type: location + sql_latitude: ${TABLE}.location.region_coordinates.latitude ;; + sql_longitude: ${TABLE}.location.region_coordinates.longitude ;; + group_label: "target" + group_item_label: "target.ip_geo_artifact.location.region_coordinates [L]" + label: "target.ip_geo_artifact.location.region_coordinates" + view_label: "UDM" + description: "Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. 
[L]: This is a location field and can be used in maps." + } # dimension location__region_coordinates + + dimension: location__region_latitude { + type: number + sql: ${TABLE}.location.region_latitude ;; + group_label: "target" + group_item_label: "target.ip_geo_artifact.location.region_latitude [D]" + label: "target.ip_geo_artifact.location.region_latitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" + } # dimension location__region_latitude + + dimension: location__region_longitude { + type: number + sql: ${TABLE}.location.region_longitude ;; + group_label: "target" + group_item_label: "target.ip_geo_artifact.location.region_longitude [D]" + label: "target.ip_geo_artifact.location.region_longitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" + } # dimension location__region_longitude + + dimension: location__location { + type: location + sql_latitude: ${TABLE}.location.region_latitude ;; + sql_longitude: ${TABLE}.location.region_longitude ;; + group_label: "target" + group_item_label: "target.ip_geo_artifact.location.location [D][L]" + label: "target.ip_geo_artifact.location.location" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." + } # dimension location__location + + dimension: location__state { + type: string + sql: ${TABLE}.location.state ;; + group_label: "target" + label: "target.ip_geo_artifact.location.state" + view_label: "UDM" + description: "The state." 
+ } # dimension location__state + + dimension: network { + hidden: yes + } # dimension network + + dimension: network__asn { + type: string + sql: ${TABLE}.network.asn ;; + group_label: "target" + label: "target.ip_geo_artifact.network.asn" + view_label: "UDM" + description: "Autonomous system number." + } # dimension network__asn + + dimension: network__carrier_name { + type: string + sql: ${TABLE}.network.carrier_name ;; + group_label: "target" + label: "target.ip_geo_artifact.network.carrier_name" + view_label: "UDM" + description: "Carrier identification." + } # dimension network__carrier_name + + dimension: network__dns_domain { + type: string + sql: ${TABLE}.network.dns_domain ;; + group_label: "target" + label: "target.ip_geo_artifact.network.dns_domain" + view_label: "UDM" + description: "DNS domain name." + } # dimension network__dns_domain + + dimension: network__organization_name { + type: string + sql: ${TABLE}.network.organization_name ;; + group_label: "target" + label: "target.ip_geo_artifact.network.organization_name" + view_label: "UDM" + description: "Organization name (e.g Google)." + } # dimension network__organization_name + +} # view udm_events__target__ip_geo_artifact + +view: udm_events__target__ip_location { + dimension: city { + type: string + sql: ${TABLE}.city ;; + group_label: "target" + group_item_label: "target.ip_location.city [D]" + label: "target.ip_location.city" + view_label: "UDM" + description: "The city. [D]: This field is deprecated and will be removed in a future release" + } # dimension city + + dimension: country_or_region { + type: string + sql: ${TABLE}.country_or_region ;; + group_label: "target" + group_item_label: "target.ip_location.country_or_region [D]" + label: "target.ip_location.country_or_region" + view_label: "UDM" + description: "The country or region. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension country_or_region + + dimension: desk_name { + type: string + sql: ${TABLE}.desk_name ;; + group_label: "target" + group_item_label: "target.ip_location.desk_name [D]" + label: "target.ip_location.desk_name" + view_label: "UDM" + description: "Desk name or individual location, typically for an employee in an office. (e.g. \"IN-BLR-BCPC-11-1121D\"). [D]: This field is deprecated and will be removed in a future release" + } # dimension desk_name + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "target" + group_item_label: "target.ip_location.name [D]" + label: "target.ip_location.name" + view_label: "UDM" + description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\"). [D]: This field is deprecated and will be removed in a future release" + } # dimension name + + dimension: region_coordinates { + type: location + sql_latitude: ${TABLE}.region_coordinates.latitude ;; + sql_longitude: ${TABLE}.region_coordinates.longitude ;; + group_label: "target" + group_item_label: "target.ip_location.region_coordinates [D][L]" + label: "target.ip_location.region_coordinates" + view_label: "UDM" + description: "Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." + } # dimension region_coordinates + + dimension: region_latitude { + type: number + sql: ${TABLE}.region_latitude ;; + group_label: "target" + group_item_label: "target.ip_location.region_latitude [D]" + label: "target.ip_location.region_latitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension region_latitude + + dimension: region_longitude { + type: number + sql: ${TABLE}.region_longitude ;; + group_label: "target" + group_item_label: "target.ip_location.region_longitude [D]" + label: "target.ip_location.region_longitude" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" + } # dimension region_longitude + + dimension: location { + type: location + sql_latitude: ${TABLE}.region_latitude ;; + sql_longitude: ${TABLE}.region_longitude ;; + group_label: "target" + group_item_label: "target.ip_location.location [D][L]" + label: "target.ip_location.location" + view_label: "UDM" + description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." + } # dimension location + + dimension: state { + type: string + sql: ${TABLE}.state ;; + group_label: "target" + group_item_label: "target.ip_location.state [D]" + label: "target.ip_location.state" + view_label: "UDM" + description: "The state. [D]: This field is deprecated and will be removed in a future release" + } # dimension state + +} # view udm_events__target__ip_location + +view: udm_events__target__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "target" + group_item_label: "target.labels.key [D]" + label: "target.labels.key" + view_label: "UDM" + description: "The key. 
[D]: This field is deprecated and will be removed in a future release" + } # dimension key + + dimension: source { + type: string + sql: ${TABLE}.source ;; + group_label: "target" + group_item_label: "target.labels.source [D]" + label: "target.labels.source" + view_label: "UDM" + description: "@hide_from_doc [D]: This field is deprecated and will be removed in a future release" + } # dimension source + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "target" + group_item_label: "target.labels.value [D]" + label: "target.labels.value" + view_label: "UDM" + description: "The value. [D]: This field is deprecated and will be removed in a future release" + } # dimension value + +} # view udm_events__target__labels + +view: udm_events__target__mac { + dimension: udm_events__target__mac { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.mac" + view_label: "UDM" + description: "List of MAC addresses associated with a device." + } # dimension udm_events__target__mac +} # view udm_events__target__mac + +view: udm_events__target__nat_ip { + dimension: udm_events__target__nat_ip { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.nat_ip" + view_label: "UDM" + description: "A list of NAT translated IP addresses associated with a network connection." + } # dimension udm_events__target__nat_ip +} # view udm_events__target__nat_ip + +view: udm_events__target__process__command_line_history { + dimension: udm_events__target__process__command_line_history { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.process.command_line_history" + view_label: "UDM" + description: "The command line history of the process." 
+ } # dimension udm_events__target__process__command_line_history +} # view udm_events__target__process__command_line_history + +view: udm_events__target__process__file__capabilities_tags { + dimension: udm_events__target__process__file__capabilities_tags { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.process.file.capabilities_tags" + view_label: "UDM" + description: "Capabilities tags." + } # dimension udm_events__target__process__file__capabilities_tags +} # view udm_events__target__process__file__capabilities_tags + +view: udm_events__target__process__file__names { + dimension: udm_events__target__process__file__names { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.process.file.names" + view_label: "UDM" + description: "Names fields." + } # dimension udm_events__target__process__file__names +} # view udm_events__target__process__file__names + +view: udm_events__target__process__file__pe_file__signature_info__signer { + dimension: udm_events__target__process__file__pe_file__signature_info__signer { + type: string + sql: ${TABLE} ;; + group_label: "target" + group_item_label: "target.process.file.pe_file.signature_info.signer [D]" + label: "target.process.file.pe_file.signature_info.signer" + view_label: "UDM" + description: "Deprecated: use signers field. [D]: This field is deprecated and will be removed in a future release" + } # dimension udm_events__target__process__file__pe_file__signature_info__signer +} # view udm_events__target__process__file__pe_file__signature_info__signer + +view: udm_events__target__process__parent_process__file__capabilities_tags { + dimension: udm_events__target__process__parent_process__file__capabilities_tags { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.process.parent_process.file.capabilities_tags" + view_label: "UDM" + description: "Capabilities tags." 
+ } # dimension udm_events__target__process__parent_process__file__capabilities_tags +} # view udm_events__target__process__parent_process__file__capabilities_tags + +view: udm_events__target__process__parent_process__file__names { + dimension: udm_events__target__process__parent_process__file__names { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.process.parent_process.file.names" + view_label: "UDM" + description: "Names fields." + } # dimension udm_events__target__process__parent_process__file__names +} # view udm_events__target__process__parent_process__file__names + +view: udm_events__target__process_ancestors { + dimension: command_line { + type: string + sql: ${TABLE}.command_line ;; + group_label: "target" + label: "target.process_ancestors.command_line" + view_label: "UDM" + description: "The command line command that created the process." + } # dimension command_line + + dimension: file { + hidden: yes + } # dimension file + + dimension: file__full_path { + type: string + sql: ${TABLE}.file.full_path ;; + group_label: "target" + label: "target.process_ancestors.file.full_path" + view_label: "UDM" + description: "The full path identifying the location of the file on the system." + } # dimension file__full_path + +} # view udm_events__target__process_ancestors + +view: udm_events__target__resource__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "target" + label: "target.resource.attribute.labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: source { + type: string + sql: ${TABLE}.source ;; + group_label: "target" + label: "target.resource.attribute.labels.source" + view_label: "UDM" + description: "@hide_from_doc" + } # dimension source + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "target" + label: "target.resource.attribute.labels.value" + view_label: "UDM" + description: "The value." 
+ } # dimension value + +} # view udm_events__target__resource__attribute__labels + +view: udm_events__target__resource__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "target" + label: "target.resource.attribute.permissions.description" + view_label: "UDM" + description: "Description of the permission (e.g. 'Ability to update detect rules')." + } # dimension description + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "target" + label: "target.resource.attribute.permissions.name" + view_label: "UDM" + description: "Name of the permission (e.g. chronicle.analyst.updateRule)." + } # dimension name + + dimension: type { + type: number + sql: ${TABLE}.type ;; + group_label: "target" + label: "target.resource.attribute.permissions.type" + view_label: "UDM" + description: "Type of the permission." + } # dimension type + + dimension: type_enum_name { + type: string + suggestions: ["ADMIN_READ", "ADMIN_WRITE", "DATA_READ", "DATA_WRITE", "UNKNOWN_PERMISSION_TYPE"] + sql: CASE ${TABLE}.type WHEN 0 THEN 'UNKNOWN_PERMISSION_TYPE' WHEN 1 THEN 'ADMIN_WRITE' WHEN 2 THEN 'ADMIN_READ' WHEN 3 THEN 'DATA_WRITE' WHEN 4 THEN 'DATA_READ' END ;; + group_label: "target" + label: "target.resource.attribute.permissions.type_enum_name" + view_label: "UDM" + description: "Type of the permission." + } # dimension type_enum_name + +} # view udm_events__target__resource__attribute__permissions + +view: udm_events__target__resource__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "target" + label: "target.resource.attribute.roles.description" + view_label: "UDM" + description: "System role description for user." + } # dimension description + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "target" + label: "target.resource.attribute.roles.name" + view_label: "UDM" + description: "System role name for user." 
+ } # dimension name + + dimension: type { + type: number + sql: ${TABLE}.type ;; + group_label: "target" + label: "target.resource.attribute.roles.type" + view_label: "UDM" + description: "System role type for well known roles." + } # dimension type + + dimension: type_enum_name { + type: string + suggestions: ["ADMINISTRATOR", "SERVICE_ACCOUNT", "TYPE_UNSPECIFIED"] + sql: CASE ${TABLE}.type WHEN 0 THEN 'TYPE_UNSPECIFIED' WHEN 1 THEN 'ADMINISTRATOR' WHEN 2 THEN 'SERVICE_ACCOUNT' END ;; + group_label: "target" + label: "target.resource.attribute.roles.type_enum_name" + view_label: "UDM" + description: "System role type for well known roles." + } # dimension type_enum_name + +} # view udm_events__target__resource__attribute__roles + +view: udm_events__target__resource_ancestors__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "target" + label: "target.resource_ancestors.attribute.labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "target" + label: "target.resource_ancestors.attribute.labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view udm_events__target__resource_ancestors__attribute__labels + +view: udm_events__target__resource_ancestors__attribute__permissions { + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "target" + label: "target.resource_ancestors.attribute.permissions.name" + view_label: "UDM" + description: "Name of the permission (e.g. chronicle.analyst.updateRule)." 
+ } # dimension name + +} # view udm_events__target__resource_ancestors__attribute__permissions + +view: udm_events__target__resource_ancestors { + dimension: attribute { + hidden: yes + } # dimension attribute + + dimension_group: target__resource_ancestors__attribute__creation_time { + type: time + timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] + sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.resource_ancestors.attribute.creation_time" + view_label: "UDM" + description: "Time the resource or entity was created or provisioned." + } # dimension target__resource_ancestors__attribute__creation_time + + dimension: attribute__labels { + hidden: yes + } # dimension attribute__labels + + dimension: attribute__permissions { + hidden: yes + } # dimension attribute__permissions + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "target" + label: "target.resource_ancestors.name" + view_label: "UDM" + description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." + } # dimension name + + dimension: product_object_id { + type: string + sql: ${TABLE}.product_object_id ;; + group_label: "target" + label: "target.resource_ancestors.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" + } # dimension product_object_id + + dimension: resource_subtype { + type: string + sql: ${TABLE}.resource_subtype ;; + group_label: "target" + label: "target.resource_ancestors.resource_subtype" + view_label: "UDM" + description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\")." 
+ } # dimension resource_subtype + + dimension: resource_type { + type: number + sql: ${TABLE}.resource_type ;; + group_label: "target" + label: "target.resource_ancestors.resource_type" + view_label: "UDM" + description: "Resource type." + } # dimension resource_type + + dimension: resource_type_enum_name { + type: string + suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] + sql: CASE ${TABLE}.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; + group_label: "target" + label: "target.resource_ancestors.resource_type_enum_name" + view_label: "UDM" + description: "Resource type." + } # dimension resource_type_enum_name + +} # view udm_events__target__resource_ancestors + +view: udm_events__target__user__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "target" + label: "target.user.attribute.labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "target" + label: "target.user.attribute.labels.value" + view_label: "UDM" + description: "The value." 
+ } # dimension value + +} # view udm_events__target__user__attribute__labels + +view: udm_events__target__user__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "target" + label: "target.user.attribute.permissions.description" + view_label: "UDM" + description: "Description of the permission (e.g. 'Ability to update detect rules')." + } # dimension description + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "target" + label: "target.user.attribute.permissions.name" + view_label: "UDM" + description: "Name of the permission (e.g. chronicle.analyst.updateRule)." + } # dimension name + + dimension: type { + type: number + sql: ${TABLE}.type ;; + group_label: "target" + label: "target.user.attribute.permissions.type" + view_label: "UDM" + description: "Type of the permission." + } # dimension type + + dimension: type_enum_name { + type: string + suggestions: ["ADMIN_READ", "ADMIN_WRITE", "DATA_READ", "DATA_WRITE", "UNKNOWN_PERMISSION_TYPE"] + sql: CASE ${TABLE}.type WHEN 0 THEN 'UNKNOWN_PERMISSION_TYPE' WHEN 1 THEN 'ADMIN_WRITE' WHEN 2 THEN 'ADMIN_READ' WHEN 3 THEN 'DATA_WRITE' WHEN 4 THEN 'DATA_READ' END ;; + group_label: "target" + label: "target.user.attribute.permissions.type_enum_name" + view_label: "UDM" + description: "Type of the permission." + } # dimension type_enum_name + +} # view udm_events__target__user__attribute__permissions + +view: udm_events__target__user__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "target" + label: "target.user.attribute.roles.description" + view_label: "UDM" + description: "System role description for user." + } # dimension description + + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "target" + label: "target.user.attribute.roles.name" + view_label: "UDM" + description: "System role name for user." 
+ } # dimension name + + dimension: type { + type: number + sql: ${TABLE}.type ;; + group_label: "target" + label: "target.user.attribute.roles.type" + view_label: "UDM" + description: "System role type for well known roles." + } # dimension type + + dimension: type_enum_name { + type: string + suggestions: ["ADMINISTRATOR", "SERVICE_ACCOUNT", "TYPE_UNSPECIFIED"] + sql: CASE ${TABLE}.type WHEN 0 THEN 'TYPE_UNSPECIFIED' WHEN 1 THEN 'ADMINISTRATOR' WHEN 2 THEN 'SERVICE_ACCOUNT' END ;; + group_label: "target" + label: "target.user.attribute.roles.type_enum_name" + view_label: "UDM" + description: "System role type for well known roles." + } # dimension type_enum_name + +} # view udm_events__target__user__attribute__roles + +view: udm_events__target__user__department { + dimension: udm_events__target__user__department { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.user.department" + view_label: "UDM" + description: "User job department" + } # dimension udm_events__target__user__department +} # view udm_events__target__user__department + +view: udm_events__target__user__email_addresses { + dimension: udm_events__target__user__email_addresses { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.user.email_addresses" + view_label: "UDM" + description: "Email addresses of the user." + } # dimension udm_events__target__user__email_addresses +} # view udm_events__target__user__email_addresses + +view: udm_events__target__user__group_identifiers { + dimension: udm_events__target__user__group_identifiers { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.user.group_identifiers" + view_label: "UDM" + description: "Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar)." 
+ } # dimension udm_events__target__user__group_identifiers +} # view udm_events__target__user__group_identifiers + +view: udm_events__target__user__managers__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + group_label: "target" + label: "target.user.managers.attribute.labels.key" + view_label: "UDM" + description: "The key." + } # dimension key + + dimension: value { + type: string + sql: ${TABLE}.value ;; + group_label: "target" + label: "target.user.managers.attribute.labels.value" + view_label: "UDM" + description: "The value." + } # dimension value + +} # view udm_events__target__user__managers__attribute__labels + +view: udm_events__target__user__managers__attribute__roles { + dimension: name { + type: string + sql: ${TABLE}.name ;; + group_label: "target" + label: "target.user.managers.attribute.roles.name" + view_label: "UDM" + description: "System role name for user." + } # dimension name + + dimension: type { + type: number + sql: ${TABLE}.type ;; + group_label: "target" + label: "target.user.managers.attribute.roles.type" + view_label: "UDM" + description: "System role type for well known roles." + } # dimension type + + dimension: type_enum_name { + type: string + suggestions: ["ADMINISTRATOR", "SERVICE_ACCOUNT", "TYPE_UNSPECIFIED"] + sql: CASE ${TABLE}.type WHEN 0 THEN 'TYPE_UNSPECIFIED' WHEN 1 THEN 'ADMINISTRATOR' WHEN 2 THEN 'SERVICE_ACCOUNT' END ;; + group_label: "target" + label: "target.user.managers.attribute.roles.type_enum_name" + view_label: "UDM" + description: "System role type for well known roles." 
+ } # dimension type_enum_name + +} # view udm_events__target__user__managers__attribute__roles + +view: udm_events__target__user__managers__department { + dimension: udm_events__target__user__managers__department { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.user.managers.department" + view_label: "UDM" + description: "User job department" + } # dimension udm_events__target__user__managers__department +} # view udm_events__target__user__managers__department + +view: udm_events__target__user__managers__email_addresses { + dimension: udm_events__target__user__managers__email_addresses { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.user.managers.email_addresses" + view_label: "UDM" + description: "Email addresses of the user." + } # dimension udm_events__target__user__managers__email_addresses +} # view udm_events__target__user__managers__email_addresses + +view: udm_events__target__user__managers__group_identifiers { + dimension: udm_events__target__user__managers__group_identifiers { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.user.managers.group_identifiers" + view_label: "UDM" + description: "Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar)." + } # dimension udm_events__target__user__managers__group_identifiers +} # view udm_events__target__user__managers__group_identifiers + +view: udm_events__target__user__managers__phone_numbers { + dimension: udm_events__target__user__managers__phone_numbers { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.user.managers.phone_numbers" + view_label: "UDM" + description: "Phone numbers for the user." 
+ } # dimension udm_events__target__user__managers__phone_numbers +} # view udm_events__target__user__managers__phone_numbers + +view: udm_events__target__user__managers { + dimension: attribute { + hidden: yes + } # dimension attribute + + dimension: attribute__labels { + hidden: yes + } # dimension attribute__labels + + dimension: attribute__roles { + hidden: yes + } # dimension attribute__roles + + dimension: company_name { + type: string + sql: ${TABLE}.company_name ;; + group_label: "target" + label: "target.user.managers.company_name" + view_label: "UDM" + description: "User job company name." + } # dimension company_name + + dimension: department { + hidden: yes + } # dimension department + + dimension: email_addresses { + hidden: yes + } # dimension email_addresses + + dimension: employee_id { + type: string + sql: ${TABLE}.employee_id ;; + group_label: "target" + label: "target.user.managers.employee_id" + view_label: "UDM" + description: "Human capital management identifier." + } # dimension employee_id + + dimension: first_name { + type: string + sql: ${TABLE}.first_name ;; + group_label: "target" + label: "target.user.managers.first_name" + view_label: "UDM" + description: "First name of the user (e.g. \"John\")." + } # dimension first_name + + dimension: group_identifiers { + hidden: yes + } # dimension group_identifiers + + dimension: last_name { + type: string + sql: ${TABLE}.last_name ;; + group_label: "target" + label: "target.user.managers.last_name" + view_label: "UDM" + description: "Last name of the user (e.g. \"Locke\")." + } # dimension last_name + + dimension: personal_address { + hidden: yes + } # dimension personal_address + + dimension: personal_address__city { + type: string + sql: ${TABLE}.personal_address.city ;; + group_label: "target" + label: "target.user.managers.personal_address.city" + view_label: "UDM" + description: "The city." 
+ } # dimension personal_address__city + + dimension: personal_address__country_or_region { + type: string + sql: ${TABLE}.personal_address.country_or_region ;; + group_label: "target" + label: "target.user.managers.personal_address.country_or_region" + view_label: "UDM" + description: "The country or region." + } # dimension personal_address__country_or_region + + dimension: personal_address__name { + type: string + sql: ${TABLE}.personal_address.name ;; + group_label: "target" + label: "target.user.managers.personal_address.name" + view_label: "UDM" + description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." + } # dimension personal_address__name + + dimension: personal_address__state { + type: string + sql: ${TABLE}.personal_address.state ;; + group_label: "target" + label: "target.user.managers.personal_address.state" + view_label: "UDM" + description: "The state." + } # dimension personal_address__state + + dimension: phone_numbers { + hidden: yes + } # dimension phone_numbers + + dimension: product_object_id { + type: string + sql: ${TABLE}.product_object_id ;; + group_label: "target" + label: "target.user.managers.product_object_id" + view_label: "UDM" + description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." + } # dimension product_object_id + + dimension: title { + type: string + sql: ${TABLE}.title ;; + group_label: "target" + label: "target.user.managers.title" + view_label: "UDM" + description: "User job title." + } # dimension title + + dimension: user_display_name { + type: string + sql: ${TABLE}.user_display_name ;; + group_label: "target" + label: "target.user.managers.user_display_name" + view_label: "UDM" + description: "The display name of the user (e.g. \"John Locke\")." 
+ } # dimension user_display_name + + dimension: userid { + type: string + sql: ${TABLE}.userid ;; + group_label: "target" + label: "target.user.managers.userid" + view_label: "UDM" + description: "The ID of the user." + } # dimension userid + + dimension: windows_sid { + type: string + sql: ${TABLE}.windows_sid ;; + group_label: "target" + label: "target.user.managers.windows_sid" + view_label: "UDM" + description: "The Microsoft Windows SID of the user." + } # dimension windows_sid + +} # view udm_events__target__user__managers + +view: udm_events__target__user__phone_numbers { + dimension: udm_events__target__user__phone_numbers { + type: string + sql: ${TABLE} ;; + group_label: "target" + label: "target.user.phone_numbers" + view_label: "UDM" + description: "Phone numbers for the user." + } # dimension udm_events__target__user__phone_numbers +} # view udm_events__target__user__phone_numbers + +view: udm_events__target__user__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + group_label: "target" + label: "target.user.time_off.description" + view_label: "UDM" + description: "Description of the leave if available (e.g. 'Vacation')." + } # dimension description + + dimension_group: target__user__time_off__interval { + type: duration + intervals: [ second, minute, hour ] + sql_start: TIMESTAMP_MICROS(IFNULL(${TABLE}.interval.start_time.seconds,0) * 1000000 + CAST((IFNULL(${TABLE}.interval.start_time.nanos,0) / 1000) as INT64)) ;; + sql_end: TIMESTAMP_MICROS(IFNULL(${TABLE}.interval.end_time.seconds,0) * 1000000 + CAST((IFNULL(${TABLE}.interval.end_time.nanos,0) / 1000) as INT64)) ;; + group_label: "target" + label: "target.user.time_off.interval" + view_label: "UDM" + description: "Interval duration of the leave." 
+ } # dimension target__user__time_off__interval + +} # view udm_events__target__user__time_off + +view: udm_events__target__user_management_chain { + dimension: user_display_name { + type: string + sql: ${TABLE}.user_display_name ;; + group_label: "target" + label: "target.user_management_chain.user_display_name" + view_label: "UDM" + description: "The display name of the user (e.g. \"John Locke\")." + } # dimension user_display_name + +} # view udm_events__target__user_management_chain + +explore: udm_events { + ### BEGIN googlex/security/malachite/dashboards/lookml/udm/udm_events_explore_preamble.lkml + label: "UDM Events (Deprecated)" + + hidden: yes + + required_access_grants: [ + has_chronicle_explores_enabled + ] + + conditionally_filter: { + filters: { + field: udm_events.time_filter + value: "last 24 hours" + } + } + + fields: [ALL_FIELDS*,] + sql_always_where: {% condition udm_events.time_filter %} hour_time_bucket {% endcondition %} + AND {% condition udm_events.time_filter %} ${metadata__event_timestamp_raw} {% endcondition %};; + + ### END googlex/security/malachite/dashboards/lookml/udm/udm_events_explore_preamble.lkml + join: udm_events__about { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.about}) as udm_events__about ;; + view_label: "UDM" + } # join udm_events__about + + join: udm_events__about__asset__attribute__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events__about.asset}.attribute.labels) as udm_events__about__asset__attribute__labels ;; + view_label: "UDM" + } # join udm_events__about__asset__attribute__labels + + join: udm_events__about__asset__attribute__permissions { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events__about.asset}.attribute.permissions) as udm_events__about__asset__attribute__permissions ;; + view_label: "UDM" + } # join udm_events__about__asset__attribute__permissions + + join: udm_events__about__asset__hardware { + relationship: one_to_many + sql: LEFT JOIN 
UNNEST(${udm_events__about.asset}.hardware) as udm_events__about__asset__hardware ;; + view_label: "UDM" + } # join udm_events__about__asset__hardware + + join: udm_events__about__asset__ip { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events__about.asset}.ip) as udm_events__about__asset__ip ;; + view_label: "UDM" + } # join udm_events__about__asset__ip + + join: udm_events__about__asset__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events__about.asset}.labels) as udm_events__about__asset__labels ;; + view_label: "UDM" + } # join udm_events__about__asset__labels + + join: udm_events__about__asset__vulnerabilities { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events__about.asset}.vulnerabilities) as udm_events__about__asset__vulnerabilities ;; + view_label: "UDM" + } # join udm_events__about__asset__vulnerabilities + + join: udm_events__about__file__capabilities_tags { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events__about.file}.capabilities_tags) as udm_events__about__file__capabilities_tags ;; + view_label: "UDM" + } # join udm_events__about__file__capabilities_tags + + join: udm_events__about__file__names { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events__about.file}.names) as udm_events__about__file__names ;; + view_label: "UDM" + } # join udm_events__about__file__names + + join: udm_events__about__investigation__comments { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events__about.investigation}.comments) as udm_events__about__investigation__comments ;; + view_label: "UDM" + } # join udm_events__about__investigation__comments + + join: udm_events__about__ip { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events__about.ip}) as udm_events__about__ip ;; + view_label: "UDM" + } # join udm_events__about__ip + + join: udm_events__about__ip_location { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events__about.ip_location}) as 
udm_events__about__ip_location ;; + view_label: "UDM" + } # join udm_events__about__ip_location + + join: udm_events__about__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events__about.labels}) as udm_events__about__labels ;; + view_label: "UDM" + } # join udm_events__about__labels + + join: udm_events__about__mac { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events__about.mac}) as udm_events__about__mac ;; + view_label: "UDM" + } # join udm_events__about__mac + + join: udm_events__about__nat_ip { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events__about.nat_ip}) as udm_events__about__nat_ip ;; + view_label: "UDM" + } # join udm_events__about__nat_ip + + join: udm_events__about__resource__attribute__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events__about.resource}.attribute.labels) as udm_events__about__resource__attribute__labels ;; + view_label: "UDM" + } # join udm_events__about__resource__attribute__labels + + join: udm_events__about__resource__attribute__permissions { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events__about.resource}.attribute.permissions) as udm_events__about__resource__attribute__permissions ;; + view_label: "UDM" + } # join udm_events__about__resource__attribute__permissions + + join: udm_events__about__resource_ancestors { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events__about.resource_ancestors}) as udm_events__about__resource_ancestors ;; + view_label: "UDM" + } # join udm_events__about__resource_ancestors + + join: udm_events__about__resource_ancestors__attribute__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events__about__resource_ancestors.attribute}.labels) as udm_events__about__resource_ancestors__attribute__labels ;; + view_label: "UDM" + } # join udm_events__about__resource_ancestors__attribute__labels + + join: udm_events__about__user__attribute__labels { + relationship: one_to_many + sql: LEFT JOIN 
UNNEST(${udm_events__about.user}.attribute.labels) as udm_events__about__user__attribute__labels ;; + view_label: "UDM" + } # join udm_events__about__user__attribute__labels + + join: udm_events__about__user__attribute__permissions { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events__about.user}.attribute.permissions) as udm_events__about__user__attribute__permissions ;; + view_label: "UDM" + } # join udm_events__about__user__attribute__permissions + + join: udm_events__about__user__attribute__roles { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events__about.user}.attribute.roles) as udm_events__about__user__attribute__roles ;; + view_label: "UDM" + } # join udm_events__about__user__attribute__roles + + join: udm_events__about__user__department { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events__about.user}.department) as udm_events__about__user__department ;; + view_label: "UDM" + } # join udm_events__about__user__department + + join: udm_events__about__user__email_addresses { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events__about.user}.email_addresses) as udm_events__about__user__email_addresses ;; + view_label: "UDM" + } # join udm_events__about__user__email_addresses + + join: udm_events__about__user__group_identifiers { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events__about.user}.group_identifiers) as udm_events__about__user__group_identifiers ;; + view_label: "UDM" + } # join udm_events__about__user__group_identifiers + + join: udm_events__additional__fields { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.additional}.fields) as udm_events__additional__fields ;; + view_label: "UDM" + } # join udm_events__additional__fields + + join: udm_events__additional__fields__value__list_value__values { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events__additional__fields.value}.list_value.values) as udm_events__additional__fields__value__list_value__values ;; + 
view_label: "UDM" + } # join udm_events__additional__fields__value__list_value__values + + join: udm_events__additional__fields__value__list_value__values__struct_value__fields { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events__additional__fields__value__list_value__values.struct_value}.fields) as udm_events__additional__fields__value__list_value__values__struct_value__fields ;; + view_label: "UDM" + } # join udm_events__additional__fields__value__list_value__values__struct_value__fields + + join: udm_events__additional__fields__value__struct_value__fields { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events__additional__fields.value}.struct_value.fields) as udm_events__additional__fields__value__struct_value__fields ;; + view_label: "UDM" + } # join udm_events__additional__fields__value__struct_value__fields + + join: udm_events__extensions__auth__mechanism { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.extensions}.auth.mechanism) as udm_events__extensions__auth__mechanism ;; + view_label: "UDM" + } # join udm_events__extensions__auth__mechanism + + join: udm_events__extensions__auth__mechanism_enum_name { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.extensions}.auth.mechanism) as udm_events__extensions__auth__mechanism_enum_name ;; + view_label: "UDM" + } # join udm_events__extensions__auth__mechanism_enum_name + + join: udm_events__extensions__vulns__vulnerabilities { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.extensions}.vulns.vulnerabilities) as udm_events__extensions__vulns__vulnerabilities ;; + view_label: "UDM" + } # join udm_events__extensions__vulns__vulnerabilities + + join: udm_events__extensions__vulns__vulnerabilities__about__asset__ip { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events__extensions__vulns__vulnerabilities.about}.asset.ip) as udm_events__extensions__vulns__vulnerabilities__about__asset__ip ;; + view_label: "UDM" + } # join 
udm_events__extensions__vulns__vulnerabilities__about__asset__ip + + join: udm_events__extensions__vulns__vulnerabilities__about__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events__extensions__vulns__vulnerabilities.about}.labels) as udm_events__extensions__vulns__vulnerabilities__about__labels ;; + view_label: "UDM" + } # join udm_events__extensions__vulns__vulnerabilities__about__labels + + join: udm_events__extensions__vulns__vulnerabilities__about__resource__attribute__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events__extensions__vulns__vulnerabilities.about}.resource.attribute.labels) as udm_events__extensions__vulns__vulnerabilities__about__resource__attribute__labels ;; + view_label: "UDM" + } # join udm_events__extensions__vulns__vulnerabilities__about__resource__attribute__labels + + join: udm_events__intermediary { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.intermediary}) as udm_events__intermediary ;; + view_label: "UDM" + } # join udm_events__intermediary + + join: udm_events__intermediary__asset__attribute__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events__intermediary.asset}.attribute.labels) as udm_events__intermediary__asset__attribute__labels ;; + view_label: "UDM" + } # join udm_events__intermediary__asset__attribute__labels + + join: udm_events__intermediary__asset__hardware { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events__intermediary.asset}.hardware) as udm_events__intermediary__asset__hardware ;; + view_label: "UDM" + } # join udm_events__intermediary__asset__hardware + + join: udm_events__intermediary__asset__ip { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events__intermediary.asset}.ip) as udm_events__intermediary__asset__ip ;; + view_label: "UDM" + } # join udm_events__intermediary__asset__ip + + join: udm_events__intermediary__asset__labels { + relationship: one_to_many + sql: LEFT JOIN 
UNNEST(${udm_events__intermediary.asset}.labels) as udm_events__intermediary__asset__labels ;; + view_label: "UDM" + } # join udm_events__intermediary__asset__labels + + join: udm_events__intermediary__asset__mac { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events__intermediary.asset}.mac) as udm_events__intermediary__asset__mac ;; + view_label: "UDM" + } # join udm_events__intermediary__asset__mac + + join: udm_events__intermediary__asset__software { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events__intermediary.asset}.software) as udm_events__intermediary__asset__software ;; + view_label: "UDM" + } # join udm_events__intermediary__asset__software + + join: udm_events__intermediary__ip { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events__intermediary.ip}) as udm_events__intermediary__ip ;; + view_label: "UDM" + } # join udm_events__intermediary__ip + + join: udm_events__intermediary__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events__intermediary.labels}) as udm_events__intermediary__labels ;; + view_label: "UDM" + } # join udm_events__intermediary__labels + + join: udm_events__intermediary__mac { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events__intermediary.mac}) as udm_events__intermediary__mac ;; + view_label: "UDM" + } # join udm_events__intermediary__mac + + join: udm_events__intermediary__nat_ip { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events__intermediary.nat_ip}) as udm_events__intermediary__nat_ip ;; + view_label: "UDM" + } # join udm_events__intermediary__nat_ip + + join: udm_events__intermediary__process__file__names { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events__intermediary.process}.file.names) as udm_events__intermediary__process__file__names ;; + view_label: "UDM" + } # join udm_events__intermediary__process__file__names + + join: udm_events__intermediary__resource__attribute__labels { + relationship: one_to_many + sql: LEFT JOIN 
UNNEST(${udm_events__intermediary.resource}.attribute.labels) as udm_events__intermediary__resource__attribute__labels ;; + view_label: "UDM" + } # join udm_events__intermediary__resource__attribute__labels + + join: udm_events__intermediary__user__email_addresses { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events__intermediary.user}.email_addresses) as udm_events__intermediary__user__email_addresses ;; + view_label: "UDM" + } # join udm_events__intermediary__user__email_addresses + + join: udm_events__intermediary__user__group_identifiers { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events__intermediary.user}.group_identifiers) as udm_events__intermediary__user__group_identifiers ;; + view_label: "UDM" + } # join udm_events__intermediary__user__group_identifiers + + join: udm_events__metadata__base_labels__log_types { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.metadata}.base_labels.log_types) as udm_events__metadata__base_labels__log_types ;; + view_label: "UDM" + } # join udm_events__metadata__base_labels__log_types + + join: udm_events__metadata__base_labels__namespaces { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.metadata}.base_labels.namespaces) as udm_events__metadata__base_labels__namespaces ;; + view_label: "UDM" + } # join udm_events__metadata__base_labels__namespaces + + join: udm_events__metadata__ingestion_labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.metadata}.ingestion_labels) as udm_events__metadata__ingestion_labels ;; + view_label: "UDM" + } # join udm_events__metadata__ingestion_labels + + join: udm_events__metadata__tags__data_tap_config_name { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.metadata}.tags.data_tap_config_name) as udm_events__metadata__tags__data_tap_config_name ;; + view_label: "UDM" + } # join udm_events__metadata__tags__data_tap_config_name + + join: udm_events__metadata__tags__tenant_id { + relationship: 
one_to_one + sql: LEFT JOIN UNNEST(${udm_events.metadata}.tags.tenant_id) as udm_events__metadata__tags__tenant_id ;; + view_label: "UDM" + } # join udm_events__metadata__tags__tenant_id + + join: udm_events__network__dhcp__options { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.network}.dhcp.options) as udm_events__network__dhcp__options ;; + view_label: "UDM" + } # join udm_events__network__dhcp__options + + join: udm_events__network__dns__additional { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.network}.dns.additional) as udm_events__network__dns__additional ;; + view_label: "UDM" + } # join udm_events__network__dns__additional + + join: udm_events__network__dns__answers { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.network}.dns.answers) as udm_events__network__dns__answers ;; + view_label: "UDM" + } # join udm_events__network__dns__answers + + join: udm_events__network__dns__authority { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.network}.dns.authority) as udm_events__network__dns__authority ;; + view_label: "UDM" + } # join udm_events__network__dns__authority + + join: udm_events__network__dns__questions { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.network}.dns.questions) as udm_events__network__dns__questions ;; + view_label: "UDM" + } # join udm_events__network__dns__questions + + join: udm_events__network__email__bcc { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.network}.email.bcc) as udm_events__network__email__bcc ;; + view_label: "UDM" + } # join udm_events__network__email__bcc + + join: udm_events__network__email__cc { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.network}.email.cc) as udm_events__network__email__cc ;; + view_label: "UDM" + } # join udm_events__network__email__cc + + join: udm_events__network__email__subject { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.network}.email.subject) 
as udm_events__network__email__subject ;; + view_label: "UDM" + } # join udm_events__network__email__subject + + join: udm_events__network__email__to { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.network}.email.to) as udm_events__network__email__to ;; + view_label: "UDM" + } # join udm_events__network__email__to + + join: udm_events__network__http__parsed_user_agent__annotation { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.network}.http.parsed_user_agent.annotation) as udm_events__network__http__parsed_user_agent__annotation ;; + view_label: "UDM" + } # join udm_events__network__http__parsed_user_agent__annotation + + join: udm_events__network__tls__client__supported_ciphers { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.network}.tls.client.supported_ciphers) as udm_events__network__tls__client__supported_ciphers ;; + view_label: "UDM" + } # join udm_events__network__tls__client__supported_ciphers + + join: udm_events__observer__asset__attribute__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.observer}.asset.attribute.labels) as udm_events__observer__asset__attribute__labels ;; + view_label: "UDM" + } # join udm_events__observer__asset__attribute__labels + + join: udm_events__observer__asset__ip { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.observer}.asset.ip) as udm_events__observer__asset__ip ;; + view_label: "UDM" + } # join udm_events__observer__asset__ip + + join: udm_events__observer__asset__software { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.observer}.asset.software) as udm_events__observer__asset__software ;; + view_label: "UDM" + } # join udm_events__observer__asset__software + + join: udm_events__observer__asset__vulnerabilities { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.observer}.asset.vulnerabilities) as udm_events__observer__asset__vulnerabilities ;; + view_label: "UDM" + } # join 
udm_events__observer__asset__vulnerabilities + + join: udm_events__observer__ip { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.observer}.ip) as udm_events__observer__ip ;; + view_label: "UDM" + } # join udm_events__observer__ip + + join: udm_events__observer__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.observer}.labels) as udm_events__observer__labels ;; + view_label: "UDM" + } # join udm_events__observer__labels + + join: udm_events__observer__mac { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.observer}.mac) as udm_events__observer__mac ;; + view_label: "UDM" + } # join udm_events__observer__mac + + join: udm_events__observer__resource__attribute__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.observer}.resource.attribute.labels) as udm_events__observer__resource__attribute__labels ;; + view_label: "UDM" + } # join udm_events__observer__resource__attribute__labels + + join: udm_events__observer__user__email_addresses { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.observer}.user.email_addresses) as udm_events__observer__user__email_addresses ;; + view_label: "UDM" + } # join udm_events__observer__user__email_addresses + + join: udm_events__observer__user__group_identifiers { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.observer}.user.group_identifiers) as udm_events__observer__user__group_identifiers ;; + view_label: "UDM" + } # join udm_events__observer__user__group_identifiers + + join: udm_events__principal__artifact__network__dns__answers { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.principal}.artifact.network.dns.answers) as udm_events__principal__artifact__network__dns__answers ;; + view_label: "UDM" + } # join udm_events__principal__artifact__network__dns__answers + + join: udm_events__principal__asset__attribute__labels { + relationship: one_to_many + sql: LEFT JOIN 
UNNEST(${udm_events.principal}.asset.attribute.labels) as udm_events__principal__asset__attribute__labels ;; + view_label: "UDM" + } # join udm_events__principal__asset__attribute__labels + + join: udm_events__principal__asset__attribute__roles { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.principal}.asset.attribute.roles) as udm_events__principal__asset__attribute__roles ;; + view_label: "UDM" + } # join udm_events__principal__asset__attribute__roles + + join: udm_events__principal__asset__hardware { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.principal}.asset.hardware) as udm_events__principal__asset__hardware ;; + view_label: "UDM" + } # join udm_events__principal__asset__hardware + + join: udm_events__principal__asset__ip { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.principal}.asset.ip) as udm_events__principal__asset__ip ;; + view_label: "UDM" + } # join udm_events__principal__asset__ip + + join: udm_events__principal__asset__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.principal}.asset.labels) as udm_events__principal__asset__labels ;; + view_label: "UDM" + } # join udm_events__principal__asset__labels + + join: udm_events__principal__asset__mac { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.principal}.asset.mac) as udm_events__principal__asset__mac ;; + view_label: "UDM" + } # join udm_events__principal__asset__mac + + join: udm_events__principal__asset__nat_ip { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.principal}.asset.nat_ip) as udm_events__principal__asset__nat_ip ;; + view_label: "UDM" + } # join udm_events__principal__asset__nat_ip + + join: udm_events__principal__asset__software { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.principal}.asset.software) as udm_events__principal__asset__software ;; + view_label: "UDM" + } # join udm_events__principal__asset__software + + join: 
udm_events__principal__asset__software__permissions { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events__principal__asset__software.permissions}) as udm_events__principal__asset__software__permissions ;; + view_label: "UDM" + } # join udm_events__principal__asset__software__permissions + + join: udm_events__principal__asset__vulnerabilities { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.principal}.asset.vulnerabilities) as udm_events__principal__asset__vulnerabilities ;; + view_label: "UDM" + } # join udm_events__principal__asset__vulnerabilities + + join: udm_events__principal__domain__name_server { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.principal}.domain.name_server) as udm_events__principal__domain__name_server ;; + view_label: "UDM" + } # join udm_events__principal__domain__name_server + + join: udm_events__principal__domain__tech__group_identifiers { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.principal}.domain.tech.group_identifiers) as udm_events__principal__domain__tech__group_identifiers ;; + view_label: "UDM" + } # join udm_events__principal__domain__tech__group_identifiers + + join: udm_events__principal__file__names { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.principal}.file.names) as udm_events__principal__file__names ;; + view_label: "UDM" + } # join udm_events__principal__file__names + + join: udm_events__principal__group__attribute__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.principal}.group.attribute.labels) as udm_events__principal__group__attribute__labels ;; + view_label: "UDM" + } # join udm_events__principal__group__attribute__labels + + join: udm_events__principal__group__attribute__roles { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.principal}.group.attribute.roles) as udm_events__principal__group__attribute__roles ;; + view_label: "UDM" + } # join 
udm_events__principal__group__attribute__roles + + join: udm_events__principal__group__email_addresses { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.principal}.group.email_addresses) as udm_events__principal__group__email_addresses ;; + view_label: "UDM" + } # join udm_events__principal__group__email_addresses + + join: udm_events__principal__investigation__comments { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.principal}.investigation.comments) as udm_events__principal__investigation__comments ;; + view_label: "UDM" + } # join udm_events__principal__investigation__comments + + join: udm_events__principal__ip { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.principal}.ip) as udm_events__principal__ip ;; + view_label: "UDM" + } # join udm_events__principal__ip + + join: udm_events__principal__ip_geo_artifact { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.principal}.ip_geo_artifact) as udm_events__principal__ip_geo_artifact ;; + view_label: "UDM" + } # join udm_events__principal__ip_geo_artifact + + join: udm_events__principal__ip_location { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.principal}.ip_location) as udm_events__principal__ip_location ;; + view_label: "UDM" + } # join udm_events__principal__ip_location + + join: udm_events__principal__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.principal}.labels) as udm_events__principal__labels ;; + view_label: "UDM" + } # join udm_events__principal__labels + + join: udm_events__principal__mac { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.principal}.mac) as udm_events__principal__mac ;; + view_label: "UDM" + } # join udm_events__principal__mac + + join: udm_events__principal__nat_ip { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.principal}.nat_ip) as udm_events__principal__nat_ip ;; + view_label: "UDM" + } # join udm_events__principal__nat_ip + + join: 
udm_events__principal__process__command_line_history { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.principal}.process.command_line_history) as udm_events__principal__process__command_line_history ;; + view_label: "UDM" + } # join udm_events__principal__process__command_line_history + + join: udm_events__principal__process__file__capabilities_tags { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.principal}.process.file.capabilities_tags) as udm_events__principal__process__file__capabilities_tags ;; + view_label: "UDM" + } # join udm_events__principal__process__file__capabilities_tags + + join: udm_events__principal__process__file__names { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.principal}.process.file.names) as udm_events__principal__process__file__names ;; + view_label: "UDM" + } # join udm_events__principal__process__file__names + + join: udm_events__principal__process_ancestors { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.principal}.process_ancestors) as udm_events__principal__process_ancestors ;; + view_label: "UDM" + } # join udm_events__principal__process_ancestors + + join: udm_events__principal__resource__attribute__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.principal}.resource.attribute.labels) as udm_events__principal__resource__attribute__labels ;; + view_label: "UDM" + } # join udm_events__principal__resource__attribute__labels + + join: udm_events__principal__resource__attribute__permissions { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.principal}.resource.attribute.permissions) as udm_events__principal__resource__attribute__permissions ;; + view_label: "UDM" + } # join udm_events__principal__resource__attribute__permissions + + join: udm_events__principal__resource__attribute__roles { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.principal}.resource.attribute.roles) as 
udm_events__principal__resource__attribute__roles ;; + view_label: "UDM" + } # join udm_events__principal__resource__attribute__roles + + join: udm_events__principal__resource_ancestors { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.principal}.resource_ancestors) as udm_events__principal__resource_ancestors ;; + view_label: "UDM" + } # join udm_events__principal__resource_ancestors + + join: udm_events__principal__resource_ancestors__attribute__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events__principal__resource_ancestors.attribute}.labels) as udm_events__principal__resource_ancestors__attribute__labels ;; + view_label: "UDM" + } # join udm_events__principal__resource_ancestors__attribute__labels + + join: udm_events__principal__user__attribute__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.principal}.user.attribute.labels) as udm_events__principal__user__attribute__labels ;; + view_label: "UDM" + } # join udm_events__principal__user__attribute__labels + + join: udm_events__principal__user__attribute__permissions { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.principal}.user.attribute.permissions) as udm_events__principal__user__attribute__permissions ;; + view_label: "UDM" + } # join udm_events__principal__user__attribute__permissions + + join: udm_events__principal__user__attribute__roles { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.principal}.user.attribute.roles) as udm_events__principal__user__attribute__roles ;; + view_label: "UDM" + } # join udm_events__principal__user__attribute__roles + + join: udm_events__principal__user__department { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.principal}.user.department) as udm_events__principal__user__department ;; + view_label: "UDM" + } # join udm_events__principal__user__department + + join: udm_events__principal__user__email_addresses { + relationship: one_to_one + sql: LEFT JOIN 
UNNEST(${udm_events.principal}.user.email_addresses) as udm_events__principal__user__email_addresses ;; + view_label: "UDM" + } # join udm_events__principal__user__email_addresses + + join: udm_events__principal__user__group_identifiers { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.principal}.user.group_identifiers) as udm_events__principal__user__group_identifiers ;; + view_label: "UDM" + } # join udm_events__principal__user__group_identifiers + + join: udm_events__principal__user__managers { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.principal}.user.managers) as udm_events__principal__user__managers ;; + view_label: "UDM" + } # join udm_events__principal__user__managers + + join: udm_events__principal__user__managers__attribute__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events__principal__user__managers.attribute}.labels) as udm_events__principal__user__managers__attribute__labels ;; + view_label: "UDM" + } # join udm_events__principal__user__managers__attribute__labels + + join: udm_events__principal__user__managers__attribute__roles { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events__principal__user__managers.attribute}.roles) as udm_events__principal__user__managers__attribute__roles ;; + view_label: "UDM" + } # join udm_events__principal__user__managers__attribute__roles + + join: udm_events__principal__user__managers__department { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events__principal__user__managers.department}) as udm_events__principal__user__managers__department ;; + view_label: "UDM" + } # join udm_events__principal__user__managers__department + + join: udm_events__principal__user__managers__email_addresses { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events__principal__user__managers.email_addresses}) as udm_events__principal__user__managers__email_addresses ;; + view_label: "UDM" + } # join 
udm_events__principal__user__managers__email_addresses + + join: udm_events__principal__user__managers__group_identifiers { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events__principal__user__managers.group_identifiers}) as udm_events__principal__user__managers__group_identifiers ;; + view_label: "UDM" + } # join udm_events__principal__user__managers__group_identifiers + + join: udm_events__principal__user__managers__phone_numbers { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events__principal__user__managers.phone_numbers}) as udm_events__principal__user__managers__phone_numbers ;; + view_label: "UDM" + } # join udm_events__principal__user__managers__phone_numbers + + join: udm_events__principal__user__phone_numbers { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.principal}.user.phone_numbers) as udm_events__principal__user__phone_numbers ;; + view_label: "UDM" + } # join udm_events__principal__user__phone_numbers + + join: udm_events__principal__user__time_off { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.principal}.user.time_off) as udm_events__principal__user__time_off ;; + view_label: "UDM" + } # join udm_events__principal__user__time_off + + join: udm_events__security_result { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.security_result}) as udm_events__security_result ;; + view_label: "UDM" + } # join udm_events__security_result + + join: udm_events__security_result__about__asset__attribute__permissions { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events__security_result.about}.asset.attribute.permissions) as udm_events__security_result__about__asset__attribute__permissions ;; + view_label: "UDM" + } # join udm_events__security_result__about__asset__attribute__permissions + + join: udm_events__security_result__about__asset__ip { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events__security_result.about}.asset.ip) as 
udm_events__security_result__about__asset__ip ;; + view_label: "UDM" + } # join udm_events__security_result__about__asset__ip + + join: udm_events__security_result__about__asset__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events__security_result.about}.asset.labels) as udm_events__security_result__about__asset__labels ;; + view_label: "UDM" + } # join udm_events__security_result__about__asset__labels + + join: udm_events__security_result__about__asset__mac { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events__security_result.about}.asset.mac) as udm_events__security_result__about__asset__mac ;; + view_label: "UDM" + } # join udm_events__security_result__about__asset__mac + + join: udm_events__security_result__about__asset__software { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events__security_result.about}.asset.software) as udm_events__security_result__about__asset__software ;; + view_label: "UDM" + } # join udm_events__security_result__about__asset__software + + join: udm_events__security_result__about__asset__software__permissions { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events__security_result__about__asset__software.permissions}) as udm_events__security_result__about__asset__software__permissions ;; + view_label: "UDM" + } # join udm_events__security_result__about__asset__software__permissions + + join: udm_events__security_result__about__asset__vulnerabilities { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events__security_result.about}.asset.vulnerabilities) as udm_events__security_result__about__asset__vulnerabilities ;; + view_label: "UDM" + } # join udm_events__security_result__about__asset__vulnerabilities + + join: udm_events__security_result__about__domain__tech__attribute__permissions { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events__security_result.about}.domain.tech.attribute.permissions) as 
udm_events__security_result__about__domain__tech__attribute__permissions ;; + view_label: "UDM" + } # join udm_events__security_result__about__domain__tech__attribute__permissions + + join: udm_events__security_result__about__file__capabilities_tags { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events__security_result.about}.file.capabilities_tags) as udm_events__security_result__about__file__capabilities_tags ;; + view_label: "UDM" + } # join udm_events__security_result__about__file__capabilities_tags + + join: udm_events__security_result__about__file__names { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events__security_result.about}.file.names) as udm_events__security_result__about__file__names ;; + view_label: "UDM" + } # join udm_events__security_result__about__file__names + + join: udm_events__security_result__about__investigation__comments { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events__security_result.about}.investigation.comments) as udm_events__security_result__about__investigation__comments ;; + view_label: "UDM" + } # join udm_events__security_result__about__investigation__comments + + join: udm_events__security_result__about__ip { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events__security_result.about}.ip) as udm_events__security_result__about__ip ;; + view_label: "UDM" + } # join udm_events__security_result__about__ip + + join: udm_events__security_result__about__ip_location { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events__security_result.about}.ip_location) as udm_events__security_result__about__ip_location ;; + view_label: "UDM" + } # join udm_events__security_result__about__ip_location + + join: udm_events__security_result__about__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events__security_result.about}.labels) as udm_events__security_result__about__labels ;; + view_label: "UDM" + } # join udm_events__security_result__about__labels + + join: 
udm_events__security_result__about__mac { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events__security_result.about}.mac) as udm_events__security_result__about__mac ;; + view_label: "UDM" + } # join udm_events__security_result__about__mac + + join: udm_events__security_result__about__nat_ip { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events__security_result.about}.nat_ip) as udm_events__security_result__about__nat_ip ;; + view_label: "UDM" + } # join udm_events__security_result__about__nat_ip + + join: udm_events__security_result__about__process__command_line_history { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events__security_result.about}.process.command_line_history) as udm_events__security_result__about__process__command_line_history ;; + view_label: "UDM" + } # join udm_events__security_result__about__process__command_line_history + + join: udm_events__security_result__about__resource__attribute__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events__security_result.about}.resource.attribute.labels) as udm_events__security_result__about__resource__attribute__labels ;; + view_label: "UDM" + } # join udm_events__security_result__about__resource__attribute__labels + + join: udm_events__security_result__about__resource_ancestors { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events__security_result.about}.resource_ancestors) as udm_events__security_result__about__resource_ancestors ;; + view_label: "UDM" + } # join udm_events__security_result__about__resource_ancestors + + join: udm_events__security_result__about__user__attribute__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events__security_result.about}.user.attribute.labels) as udm_events__security_result__about__user__attribute__labels ;; + view_label: "UDM" + } # join udm_events__security_result__about__user__attribute__labels + + join: udm_events__security_result__about__user__attribute__roles { + relationship: 
one_to_many + sql: LEFT JOIN UNNEST(${udm_events__security_result.about}.user.attribute.roles) as udm_events__security_result__about__user__attribute__roles ;; + view_label: "UDM" + } # join udm_events__security_result__about__user__attribute__roles + + join: udm_events__security_result__about__user__email_addresses { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events__security_result.about}.user.email_addresses) as udm_events__security_result__about__user__email_addresses ;; + view_label: "UDM" + } # join udm_events__security_result__about__user__email_addresses + + join: udm_events__security_result__about__user__group_identifiers { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events__security_result.about}.user.group_identifiers) as udm_events__security_result__about__user__group_identifiers ;; + view_label: "UDM" + } # join udm_events__security_result__about__user__group_identifiers + + join: udm_events__security_result__about__user_management_chain { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events__security_result.about}.user_management_chain) as udm_events__security_result__about__user_management_chain ;; + view_label: "UDM" + } # join udm_events__security_result__about__user_management_chain + + join: udm_events__security_result__action { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events__security_result.action}) as udm_events__security_result__action ;; + view_label: "UDM" + } # join udm_events__security_result__action + + join: udm_events__security_result__action_enum_name { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events__security_result.action}) as udm_events__security_result__action_enum_name ;; + view_label: "UDM" + } # join udm_events__security_result__action_enum_name + + join: udm_events__security_result__attack_details__tactics { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events__security_result.attack_details}.tactics) as 
udm_events__security_result__attack_details__tactics ;; + view_label: "UDM" + } # join udm_events__security_result__attack_details__tactics + + join: udm_events__security_result__attack_details__techniques { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events__security_result.attack_details}.techniques) as udm_events__security_result__attack_details__techniques ;; + view_label: "UDM" + } # join udm_events__security_result__attack_details__techniques + + join: udm_events__security_result__category { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events__security_result.category}) as udm_events__security_result__category ;; + view_label: "UDM" + } # join udm_events__security_result__category + + join: udm_events__security_result__category_enum_name { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events__security_result.category}) as udm_events__security_result__category_enum_name ;; + view_label: "UDM" + } # join udm_events__security_result__category_enum_name + + join: udm_events__security_result__category_details { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events__security_result.category_details}) as udm_events__security_result__category_details ;; + view_label: "UDM" + } # join udm_events__security_result__category_details + + join: udm_events__security_result__detection_fields { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events__security_result.detection_fields}) as udm_events__security_result__detection_fields ;; + view_label: "UDM" + } # join udm_events__security_result__detection_fields + + join: udm_events__security_result__outcomes { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events__security_result.outcomes}) as udm_events__security_result__outcomes ;; + view_label: "UDM" + } # join udm_events__security_result__outcomes + + join: udm_events__security_result__rule_labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events__security_result.rule_labels}) as 
udm_events__security_result__rule_labels ;; + view_label: "UDM" + } # join udm_events__security_result__rule_labels + + join: udm_events__src__artifact__network__dns__questions { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.src}.artifact.network.dns.questions) as udm_events__src__artifact__network__dns__questions ;; + view_label: "UDM" + } # join udm_events__src__artifact__network__dns__questions + + join: udm_events__src__asset__attribute__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.src}.asset.attribute.labels) as udm_events__src__asset__attribute__labels ;; + view_label: "UDM" + } # join udm_events__src__asset__attribute__labels + + join: udm_events__src__asset__hardware { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.src}.asset.hardware) as udm_events__src__asset__hardware ;; + view_label: "UDM" + } # join udm_events__src__asset__hardware + + join: udm_events__src__asset__ip { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.src}.asset.ip) as udm_events__src__asset__ip ;; + view_label: "UDM" + } # join udm_events__src__asset__ip + + join: udm_events__src__asset__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.src}.asset.labels) as udm_events__src__asset__labels ;; + view_label: "UDM" + } # join udm_events__src__asset__labels + + join: udm_events__src__asset__mac { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.src}.asset.mac) as udm_events__src__asset__mac ;; + view_label: "UDM" + } # join udm_events__src__asset__mac + + join: udm_events__src__asset__nat_ip { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.src}.asset.nat_ip) as udm_events__src__asset__nat_ip ;; + view_label: "UDM" + } # join udm_events__src__asset__nat_ip + + join: udm_events__src__asset__software { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.src}.asset.software) as udm_events__src__asset__software ;; + view_label: "UDM" + } # join 
udm_events__src__asset__software + + join: udm_events__src__asset__software__permissions { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events__src__asset__software.permissions}) as udm_events__src__asset__software__permissions ;; + view_label: "UDM" + } # join udm_events__src__asset__software__permissions + + join: udm_events__src__asset__vulnerabilities { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.src}.asset.vulnerabilities) as udm_events__src__asset__vulnerabilities ;; + view_label: "UDM" + } # join udm_events__src__asset__vulnerabilities + + join: udm_events__src__file__capabilities_tags { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.src}.file.capabilities_tags) as udm_events__src__file__capabilities_tags ;; + view_label: "UDM" + } # join udm_events__src__file__capabilities_tags + + join: udm_events__src__file__embedded_domains { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.src}.file.embedded_domains) as udm_events__src__file__embedded_domains ;; + view_label: "UDM" + } # join udm_events__src__file__embedded_domains + + join: udm_events__src__file__embedded_ips { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.src}.file.embedded_ips) as udm_events__src__file__embedded_ips ;; + view_label: "UDM" + } # join udm_events__src__file__embedded_ips + + join: udm_events__src__file__embedded_urls { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.src}.file.embedded_urls) as udm_events__src__file__embedded_urls ;; + view_label: "UDM" + } # join udm_events__src__file__embedded_urls + + join: udm_events__src__file__names { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.src}.file.names) as udm_events__src__file__names ;; + view_label: "UDM" + } # join udm_events__src__file__names + + join: udm_events__src__file__signature_info__sigcheck__signers { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.src}.file.signature_info.sigcheck.signers) as 
udm_events__src__file__signature_info__sigcheck__signers ;; + view_label: "UDM" + } # join udm_events__src__file__signature_info__sigcheck__signers + + join: udm_events__src__file__tags { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.src}.file.tags) as udm_events__src__file__tags ;; + view_label: "UDM" + } # join udm_events__src__file__tags + + join: udm_events__src__ip { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.src}.ip) as udm_events__src__ip ;; + view_label: "UDM" + } # join udm_events__src__ip + + join: udm_events__src__ip_geo_artifact { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.src}.ip_geo_artifact) as udm_events__src__ip_geo_artifact ;; + view_label: "UDM" + } # join udm_events__src__ip_geo_artifact + + join: udm_events__src__ip_location { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.src}.ip_location) as udm_events__src__ip_location ;; + view_label: "UDM" + } # join udm_events__src__ip_location + + join: udm_events__src__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.src}.labels) as udm_events__src__labels ;; + view_label: "UDM" + } # join udm_events__src__labels + + join: udm_events__src__mac { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.src}.mac) as udm_events__src__mac ;; + view_label: "UDM" + } # join udm_events__src__mac + + join: udm_events__src__nat_ip { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.src}.nat_ip) as udm_events__src__nat_ip ;; + view_label: "UDM" + } # join udm_events__src__nat_ip + + join: udm_events__src__process__file__names { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.src}.process.file.names) as udm_events__src__process__file__names ;; + view_label: "UDM" + } # join udm_events__src__process__file__names + + join: udm_events__src__process_ancestors { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.src}.process_ancestors) as 
udm_events__src__process_ancestors ;; + view_label: "UDM" + } # join udm_events__src__process_ancestors + + join: udm_events__src__resource__attribute__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.src}.resource.attribute.labels) as udm_events__src__resource__attribute__labels ;; + view_label: "UDM" + } # join udm_events__src__resource__attribute__labels + + join: udm_events__src__resource__attribute__permissions { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.src}.resource.attribute.permissions) as udm_events__src__resource__attribute__permissions ;; + view_label: "UDM" + } # join udm_events__src__resource__attribute__permissions + + join: udm_events__src__resource_ancestors { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.src}.resource_ancestors) as udm_events__src__resource_ancestors ;; + view_label: "UDM" + } # join udm_events__src__resource_ancestors + + join: udm_events__src__resource_ancestors__attribute__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events__src__resource_ancestors.attribute}.labels) as udm_events__src__resource_ancestors__attribute__labels ;; + view_label: "UDM" + } # join udm_events__src__resource_ancestors__attribute__labels + + join: udm_events__src__user__attribute__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.src}.user.attribute.labels) as udm_events__src__user__attribute__labels ;; + view_label: "UDM" + } # join udm_events__src__user__attribute__labels + + join: udm_events__src__user__attribute__roles { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.src}.user.attribute.roles) as udm_events__src__user__attribute__roles ;; + view_label: "UDM" + } # join udm_events__src__user__attribute__roles + + join: udm_events__src__user__department { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.src}.user.department) as udm_events__src__user__department ;; + view_label: "UDM" + } # join 
udm_events__src__user__department + + join: udm_events__src__user__email_addresses { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.src}.user.email_addresses) as udm_events__src__user__email_addresses ;; + view_label: "UDM" + } # join udm_events__src__user__email_addresses + + join: udm_events__src__user__group_identifiers { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.src}.user.group_identifiers) as udm_events__src__user__group_identifiers ;; + view_label: "UDM" + } # join udm_events__src__user__group_identifiers + + join: udm_events__src__user__managers { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.src}.user.managers) as udm_events__src__user__managers ;; + view_label: "UDM" + } # join udm_events__src__user__managers + + join: udm_events__src__user__managers__attribute__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events__src__user__managers.attribute}.labels) as udm_events__src__user__managers__attribute__labels ;; + view_label: "UDM" + } # join udm_events__src__user__managers__attribute__labels + + join: udm_events__src__user__managers__attribute__roles { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events__src__user__managers.attribute}.roles) as udm_events__src__user__managers__attribute__roles ;; + view_label: "UDM" + } # join udm_events__src__user__managers__attribute__roles + + join: udm_events__src__user__managers__department { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events__src__user__managers.department}) as udm_events__src__user__managers__department ;; + view_label: "UDM" + } # join udm_events__src__user__managers__department + + join: udm_events__src__user__managers__email_addresses { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events__src__user__managers.email_addresses}) as udm_events__src__user__managers__email_addresses ;; + view_label: "UDM" + } # join udm_events__src__user__managers__email_addresses + + join: 
udm_events__src__user__managers__group_identifiers { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events__src__user__managers.group_identifiers}) as udm_events__src__user__managers__group_identifiers ;; + view_label: "UDM" + } # join udm_events__src__user__managers__group_identifiers + + join: udm_events__src__user__managers__phone_numbers { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events__src__user__managers.phone_numbers}) as udm_events__src__user__managers__phone_numbers ;; + view_label: "UDM" + } # join udm_events__src__user__managers__phone_numbers + + join: udm_events__src__user__phone_numbers { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.src}.user.phone_numbers) as udm_events__src__user__phone_numbers ;; + view_label: "UDM" + } # join udm_events__src__user__phone_numbers + + join: udm_events__src__user__time_off { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.src}.user.time_off) as udm_events__src__user__time_off ;; + view_label: "UDM" + } # join udm_events__src__user__time_off + + join: udm_events__target__artifact__network__email__subject { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.target}.artifact.network.email.subject) as udm_events__target__artifact__network__email__subject ;; + view_label: "UDM" + } # join udm_events__target__artifact__network__email__subject + + join: udm_events__target__asset__attribute__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.target}.asset.attribute.labels) as udm_events__target__asset__attribute__labels ;; + view_label: "UDM" + } # join udm_events__target__asset__attribute__labels + + join: udm_events__target__asset__attribute__permissions { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.target}.asset.attribute.permissions) as udm_events__target__asset__attribute__permissions ;; + view_label: "UDM" + } # join udm_events__target__asset__attribute__permissions + + join: 
udm_events__target__asset__attribute__roles { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.target}.asset.attribute.roles) as udm_events__target__asset__attribute__roles ;; + view_label: "UDM" + } # join udm_events__target__asset__attribute__roles + + join: udm_events__target__asset__hardware { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.target}.asset.hardware) as udm_events__target__asset__hardware ;; + view_label: "UDM" + } # join udm_events__target__asset__hardware + + join: udm_events__target__asset__ip { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.target}.asset.ip) as udm_events__target__asset__ip ;; + view_label: "UDM" + } # join udm_events__target__asset__ip + + join: udm_events__target__asset__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.target}.asset.labels) as udm_events__target__asset__labels ;; + view_label: "UDM" + } # join udm_events__target__asset__labels + + join: udm_events__target__asset__mac { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.target}.asset.mac) as udm_events__target__asset__mac ;; + view_label: "UDM" + } # join udm_events__target__asset__mac + + join: udm_events__target__asset__nat_ip { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.target}.asset.nat_ip) as udm_events__target__asset__nat_ip ;; + view_label: "UDM" + } # join udm_events__target__asset__nat_ip + + join: udm_events__target__asset__software { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.target}.asset.software) as udm_events__target__asset__software ;; + view_label: "UDM" + } # join udm_events__target__asset__software + + join: udm_events__target__asset__software__permissions { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events__target__asset__software.permissions}) as udm_events__target__asset__software__permissions ;; + view_label: "UDM" + } # join udm_events__target__asset__software__permissions + + join: 
udm_events__target__asset__vulnerabilities { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.target}.asset.vulnerabilities) as udm_events__target__asset__vulnerabilities ;; + view_label: "UDM" + } # join udm_events__target__asset__vulnerabilities + + join: udm_events__target__cloud__project__attribute__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.target}.cloud.project.attribute.labels) as udm_events__target__cloud__project__attribute__labels ;; + view_label: "UDM" + } # join udm_events__target__cloud__project__attribute__labels + + join: udm_events__target__domain__name_server { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.target}.domain.name_server) as udm_events__target__domain__name_server ;; + view_label: "UDM" + } # join udm_events__target__domain__name_server + + join: udm_events__target__file__capabilities_tags { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.target}.file.capabilities_tags) as udm_events__target__file__capabilities_tags ;; + view_label: "UDM" + } # join udm_events__target__file__capabilities_tags + + join: udm_events__target__file__embedded_domains { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.target}.file.embedded_domains) as udm_events__target__file__embedded_domains ;; + view_label: "UDM" + } # join udm_events__target__file__embedded_domains + + join: udm_events__target__file__embedded_ips { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.target}.file.embedded_ips) as udm_events__target__file__embedded_ips ;; + view_label: "UDM" + } # join udm_events__target__file__embedded_ips + + join: udm_events__target__file__embedded_urls { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.target}.file.embedded_urls) as udm_events__target__file__embedded_urls ;; + view_label: "UDM" + } # join udm_events__target__file__embedded_urls + + join: udm_events__target__file__names { + relationship: one_to_one + sql: LEFT JOIN 
UNNEST(${udm_events.target}.file.names) as udm_events__target__file__names ;; + view_label: "UDM" + } # join udm_events__target__file__names + + join: udm_events__target__file__pe_file__imports { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.target}.file.pe_file.imports) as udm_events__target__file__pe_file__imports ;; + view_label: "UDM" + } # join udm_events__target__file__pe_file__imports + + join: udm_events__target__file__pe_file__imports__functions { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events__target__file__pe_file__imports.functions}) as udm_events__target__file__pe_file__imports__functions ;; + view_label: "UDM" + } # join udm_events__target__file__pe_file__imports__functions + + join: udm_events__target__file__pe_file__resource { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.target}.file.pe_file.resource) as udm_events__target__file__pe_file__resource ;; + view_label: "UDM" + } # join udm_events__target__file__pe_file__resource + + join: udm_events__target__file__pe_file__resources_language_count_str { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.target}.file.pe_file.resources_language_count_str) as udm_events__target__file__pe_file__resources_language_count_str ;; + view_label: "UDM" + } # join udm_events__target__file__pe_file__resources_language_count_str + + join: udm_events__target__file__pe_file__resources_type_count_str { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.target}.file.pe_file.resources_type_count_str) as udm_events__target__file__pe_file__resources_type_count_str ;; + view_label: "UDM" + } # join udm_events__target__file__pe_file__resources_type_count_str + + join: udm_events__target__file__pe_file__section { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.target}.file.pe_file.section) as udm_events__target__file__pe_file__section ;; + view_label: "UDM" + } # join udm_events__target__file__pe_file__section + + join: 
udm_events__target__file__signature_info__sigcheck__signers { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.target}.file.signature_info.sigcheck.signers) as udm_events__target__file__signature_info__sigcheck__signers ;; + view_label: "UDM" + } # join udm_events__target__file__signature_info__sigcheck__signers + + join: udm_events__target__file__signature_info__sigcheck__x509 { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.target}.file.signature_info.sigcheck.x509) as udm_events__target__file__signature_info__sigcheck__x509 ;; + view_label: "UDM" + } # join udm_events__target__file__signature_info__sigcheck__x509 + + join: udm_events__target__file__tags { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.target}.file.tags) as udm_events__target__file__tags ;; + view_label: "UDM" + } # join udm_events__target__file__tags + + join: udm_events__target__group__attribute__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.target}.group.attribute.labels) as udm_events__target__group__attribute__labels ;; + view_label: "UDM" + } # join udm_events__target__group__attribute__labels + + join: udm_events__target__group__attribute__permissions { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.target}.group.attribute.permissions) as udm_events__target__group__attribute__permissions ;; + view_label: "UDM" + } # join udm_events__target__group__attribute__permissions + + join: udm_events__target__group__attribute__roles { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.target}.group.attribute.roles) as udm_events__target__group__attribute__roles ;; + view_label: "UDM" + } # join udm_events__target__group__attribute__roles + + join: udm_events__target__group__email_addresses { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.target}.group.email_addresses) as udm_events__target__group__email_addresses ;; + view_label: "UDM" + } # join 
udm_events__target__group__email_addresses + + join: udm_events__target__investigation__comments { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.target}.investigation.comments) as udm_events__target__investigation__comments ;; + view_label: "UDM" + } # join udm_events__target__investigation__comments + + join: udm_events__target__ip { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.target}.ip) as udm_events__target__ip ;; + view_label: "UDM" + } # join udm_events__target__ip + + join: udm_events__target__ip_geo_artifact { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.target}.ip_geo_artifact) as udm_events__target__ip_geo_artifact ;; + view_label: "UDM" + } # join udm_events__target__ip_geo_artifact + + join: udm_events__target__ip_location { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.target}.ip_location) as udm_events__target__ip_location ;; + view_label: "UDM" + } # join udm_events__target__ip_location + + join: udm_events__target__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.target}.labels) as udm_events__target__labels ;; + view_label: "UDM" + } # join udm_events__target__labels + + join: udm_events__target__mac { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.target}.mac) as udm_events__target__mac ;; + view_label: "UDM" + } # join udm_events__target__mac + + join: udm_events__target__nat_ip { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.target}.nat_ip) as udm_events__target__nat_ip ;; + view_label: "UDM" + } # join udm_events__target__nat_ip + + join: udm_events__target__process__command_line_history { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.target}.process.command_line_history) as udm_events__target__process__command_line_history ;; + view_label: "UDM" + } # join udm_events__target__process__command_line_history + + join: udm_events__target__process__file__capabilities_tags { + relationship: 
one_to_one + sql: LEFT JOIN UNNEST(${udm_events.target}.process.file.capabilities_tags) as udm_events__target__process__file__capabilities_tags ;; + view_label: "UDM" + } # join udm_events__target__process__file__capabilities_tags + + join: udm_events__target__process__file__names { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.target}.process.file.names) as udm_events__target__process__file__names ;; + view_label: "UDM" + } # join udm_events__target__process__file__names + + join: udm_events__target__process__file__pe_file__signature_info__signer { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.target}.process.file.pe_file.signature_info.signer) as udm_events__target__process__file__pe_file__signature_info__signer ;; + view_label: "UDM" + } # join udm_events__target__process__file__pe_file__signature_info__signer + + join: udm_events__target__process__parent_process__file__capabilities_tags { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.target}.process.parent_process.file.capabilities_tags) as udm_events__target__process__parent_process__file__capabilities_tags ;; + view_label: "UDM" + } # join udm_events__target__process__parent_process__file__capabilities_tags + + join: udm_events__target__process__parent_process__file__names { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.target}.process.parent_process.file.names) as udm_events__target__process__parent_process__file__names ;; + view_label: "UDM" + } # join udm_events__target__process__parent_process__file__names + + join: udm_events__target__process_ancestors { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.target}.process_ancestors) as udm_events__target__process_ancestors ;; + view_label: "UDM" + } # join udm_events__target__process_ancestors + + join: udm_events__target__resource__attribute__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.target}.resource.attribute.labels) as 
udm_events__target__resource__attribute__labels ;; + view_label: "UDM" + } # join udm_events__target__resource__attribute__labels + + join: udm_events__target__resource__attribute__permissions { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.target}.resource.attribute.permissions) as udm_events__target__resource__attribute__permissions ;; + view_label: "UDM" + } # join udm_events__target__resource__attribute__permissions + + join: udm_events__target__resource__attribute__roles { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.target}.resource.attribute.roles) as udm_events__target__resource__attribute__roles ;; + view_label: "UDM" + } # join udm_events__target__resource__attribute__roles + + join: udm_events__target__resource_ancestors { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.target}.resource_ancestors) as udm_events__target__resource_ancestors ;; + view_label: "UDM" + } # join udm_events__target__resource_ancestors + + join: udm_events__target__resource_ancestors__attribute__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events__target__resource_ancestors.attribute}.labels) as udm_events__target__resource_ancestors__attribute__labels ;; + view_label: "UDM" + } # join udm_events__target__resource_ancestors__attribute__labels + + join: udm_events__target__resource_ancestors__attribute__permissions { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events__target__resource_ancestors.attribute}.permissions) as udm_events__target__resource_ancestors__attribute__permissions ;; + view_label: "UDM" + } # join udm_events__target__resource_ancestors__attribute__permissions + + join: udm_events__target__user__attribute__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.target}.user.attribute.labels) as udm_events__target__user__attribute__labels ;; + view_label: "UDM" + } # join udm_events__target__user__attribute__labels + + join: 
udm_events__target__user__attribute__permissions { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.target}.user.attribute.permissions) as udm_events__target__user__attribute__permissions ;; + view_label: "UDM" + } # join udm_events__target__user__attribute__permissions + + join: udm_events__target__user__attribute__roles { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.target}.user.attribute.roles) as udm_events__target__user__attribute__roles ;; + view_label: "UDM" + } # join udm_events__target__user__attribute__roles + + join: udm_events__target__user__department { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.target}.user.department) as udm_events__target__user__department ;; + view_label: "UDM" + } # join udm_events__target__user__department + + join: udm_events__target__user__email_addresses { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.target}.user.email_addresses) as udm_events__target__user__email_addresses ;; + view_label: "UDM" + } # join udm_events__target__user__email_addresses + + join: udm_events__target__user__group_identifiers { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.target}.user.group_identifiers) as udm_events__target__user__group_identifiers ;; + view_label: "UDM" + } # join udm_events__target__user__group_identifiers + + join: udm_events__target__user__managers { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.target}.user.managers) as udm_events__target__user__managers ;; + view_label: "UDM" + } # join udm_events__target__user__managers + + join: udm_events__target__user__managers__attribute__labels { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events__target__user__managers.attribute}.labels) as udm_events__target__user__managers__attribute__labels ;; + view_label: "UDM" + } # join udm_events__target__user__managers__attribute__labels + + join: udm_events__target__user__managers__attribute__roles { + relationship: 
one_to_many + sql: LEFT JOIN UNNEST(${udm_events__target__user__managers.attribute}.roles) as udm_events__target__user__managers__attribute__roles ;; + view_label: "UDM" + } # join udm_events__target__user__managers__attribute__roles + + join: udm_events__target__user__managers__department { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events__target__user__managers.department}) as udm_events__target__user__managers__department ;; + view_label: "UDM" + } # join udm_events__target__user__managers__department + + join: udm_events__target__user__managers__email_addresses { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events__target__user__managers.email_addresses}) as udm_events__target__user__managers__email_addresses ;; + view_label: "UDM" + } # join udm_events__target__user__managers__email_addresses + + join: udm_events__target__user__managers__group_identifiers { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events__target__user__managers.group_identifiers}) as udm_events__target__user__managers__group_identifiers ;; + view_label: "UDM" + } # join udm_events__target__user__managers__group_identifiers + + join: udm_events__target__user__managers__phone_numbers { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events__target__user__managers.phone_numbers}) as udm_events__target__user__managers__phone_numbers ;; + view_label: "UDM" + } # join udm_events__target__user__managers__phone_numbers + + join: udm_events__target__user__phone_numbers { + relationship: one_to_one + sql: LEFT JOIN UNNEST(${udm_events.target}.user.phone_numbers) as udm_events__target__user__phone_numbers ;; + view_label: "UDM" + } # join udm_events__target__user__phone_numbers + + join: udm_events__target__user__time_off { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.target}.user.time_off) as udm_events__target__user__time_off ;; + view_label: "UDM" + } # join udm_events__target__user__time_off + + join: 
udm_events__target__user_management_chain { + relationship: one_to_many + sql: LEFT JOIN UNNEST(${udm_events.target}.user_management_chain) as udm_events__target__user_management_chain ;; + view_label: "UDM" + } # join udm_events__target__user_management_chain + +} # explore udm_events + From 43252138e4459952f234adaef9463133965cca06 Mon Sep 17 00:00:00 2001 From: Himanshu Dahiya <11634174+hdahiya18@users.noreply.github.com> Date: Tue, 28 Mar 2023 13:26:18 +0530 Subject: [PATCH 05/14] [b/268283630] Enhance drill down for rules_detections dashboard (#98) * [b/268283630] Enhance drill down for rules_detections dashboard --- dashboards/rule_detections.dashboard.lookml | 72 ++++++++++----------- views/refinements/rule_detections.view.lkml | 17 +++++ 2 files changed, 53 insertions(+), 36 deletions(-) diff --git a/dashboards/rule_detections.dashboard.lookml b/dashboards/rule_detections.dashboard.lookml index 4be7098..ded5a9d 100644 --- a/dashboards/rule_detections.dashboard.lookml +++ b/dashboards/rule_detections.dashboard.lookml @@ -9,7 +9,7 @@ type: looker_line fields: [rule_detections.count, rule_detections.event_timestamp_week] fill_fields: [rule_detections.event_timestamp_week] - sorts: [ule_detections.event_timestamp_week desc] + sorts: [rule_detections.event_timestamp_week desc] limit: 500 query_timezone: America/Los_Angeles x_axis_gridlines: false @@ -208,8 +208,8 @@ name: Top 10 Rule Names by Detections explore: rule_detections type: looker_grid - fields: [rule_detections.count, rule_detections.rule_name] - sorts: [rule_detections.count desc] + fields: [rule_detections.count_for_drill, rule_detections.rule_name] + sorts: [rule_detections.count_for_drill desc] limit: 30 query_timezone: America/Los_Angeles show_view_names: false 
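Review bot: The tile in the `@@ -208,8 +208,8 @@` hunk is titled `Top 10 Rule Names by Detections`, but its query still carries `limit: 30`, so it returns thirty rules unless a row limit further down the element (outside this hunk) trims the table. Since the `fields` and `sorts` lines are being touched anyway, `limit: 10` would make the query match the title. The `rule_detections.count_for_drill` measure the tile now selects and sorts on is defined outside this hunk, so its drill fields cannot be checked from here.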
@@ -259,8 +259,8 @@ show_totals_labels: false show_silhouette: false totals_color: "#808080" - y_axes: [{label: Rule Detection Count, orientation: bottom, series: [{axisId: rule_detections.count, - id: rule_detections.count, name: Rule Matches Data}], showLabels: true, + y_axes: [{label: Rule Detection Count, orientation: bottom, series: [{axisId: rule_detections.count_for_drill, + id: rule_detections.count_for_drill, name: Rule Matches Data}], showLabels: true, showValues: true, unpinAxis: false, tickDensity: default, tickDensityCustom: 5, type: linear}] x_axis_label: '' @@ -281,10 +281,10 @@ name: Rule Detections by Name Over Time explore: rule_detections type: looker_column - fields: [rule_detections.count, rule_detections.rule_name, rule_detections.event_timestamp_date] + fields: [rule_detections.count_for_drill, rule_detections.rule_name, rule_detections.event_timestamp_date] pivots: [rule_detections.rule_name] fill_fields: [rule_detections.event_timestamp_date] - sorts: [rule_detections.count desc 0, rule_detections.rule_name desc, rule_detections.event_timestamp_date + sorts: [rule_detections.count_for_drill desc 0, rule_detections.rule_name desc, rule_detections.event_timestamp_date desc] limit: 500 query_timezone: America/Los_Angeles 
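Review bot: The tile in the `@@ -281,10 +281,10 @@` hunk pivots on `rule_detections.rule_name`, and the `y_axes` block rewritten in the following `@@ -321,41 +321,41 @@` hunk (which continues past this excerpt) lists one hard-coded series per pivot value, each id built from a concrete rule name and `ru_…` rule id. Those ids exist only in the instance the dashboard was exported from, so the list is dead configuration everywhere else, and it has to be rewritten entry by entry whenever the measure is renamed, as this commit does. It also publishes internal detection rule names, such as the `…DevTest` entries, in a shared dashboard file. Assuming both hunks belong to the same element, I would drop the per-rule `series: [...]` list and keep only the generic axis settings, e.g. `y_axes: [{label: Rule Detections, orientation: left, showLabels: true, showValues: true, type: linear}]`.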
@@ -321,41 +321,41 @@ options: steps: 5 y_axes: [{label: Rule Detections, orientation: left, series: [{axisId: WojasonDailyDetectionQuotaDevTest - - ru_95fe0f44-122c-459f-a51a-0c95cffd3f3b - rule_detections.count, id: WojasonDailyDetectionQuotaDevTest - - ru_95fe0f44-122c-459f-a51a-0c95cffd3f3b - rule_detections.count, name: WojasonDailyDetectionQuotaDevTest}, + - ru_95fe0f44-122c-459f-a51a-0c95cffd3f3b - rule_detections.count_for_drill, id: WojasonDailyDetectionQuotaDevTest + - ru_95fe0f44-122c-459f-a51a-0c95cffd3f3b - rule_detections.count_for_drill, name: WojasonDailyDetectionQuotaDevTest}, {axisId: testConsistentTimeRangeLiveWorksEnabled_SingleEvent - ru_caedfdcb-3312-4b7b-8567-848e1f1f9fba - - rule_detections.count, id: testConsistentTimeRangeLiveWorksEnabled_SingleEvent - - ru_caedfdcb-3312-4b7b-8567-848e1f1f9fba - rule_detections.count, name: testConsistentTimeRangeLiveWorksEnabled_SingleEvent}, + - rule_detections.count_for_drill, id: testConsistentTimeRangeLiveWorksEnabled_SingleEvent + - ru_caedfdcb-3312-4b7b-8567-848e1f1f9fba - rule_detections.count_for_drill, name: testConsistentTimeRangeLiveWorksEnabled_SingleEvent}, {axisId: testConsistentTimeRangeLiveWorksEnabled_MultiEvent - ru_ad2a5f8d-743e-4aef-a9a7-4cbd3f670f10 - - rule_detections.count, id: testConsistentTimeRangeLiveWorksEnabled_MultiEvent - - ru_ad2a5f8d-743e-4aef-a9a7-4cbd3f670f10 - rule_detections.count, name: testConsistentTimeRangeLiveWorksEnabled_MultiEvent}, + - rule_detections.count_for_drill, id: testConsistentTimeRangeLiveWorksEnabled_MultiEvent + - ru_ad2a5f8d-743e-4aef-a9a7-4cbd3f670f10 - rule_detections.count_for_drill, name: testConsistentTimeRangeLiveWorksEnabled_MultiEvent}, {axisId: RegexTargetHostname - ru_7d9ce84b-4319-45a9-bf40-08b6c32e0d4c - - rule_detections.count, id: RegexTargetHostname - ru_7d9ce84b-4319-45a9-bf40-08b6c32e0d4c - - rule_detections.count, name: RegexTargetHostname}, {axisId: RegexTargetHostname - - ru_7e0099b9-96b1-486d-8876-f78748fd6a1a - 
rule_detections.count, id: RegexTargetHostname - - ru_7e0099b9-96b1-486d-8876-f78748fd6a1a - rule_detections.count, name: RegexTargetHostname}, + rule_detections.count_for_drill, id: RegexTargetHostname - ru_7d9ce84b-4319-45a9-bf40-08b6c32e0d4c + - rule_detections.count_for_drill, name: RegexTargetHostname}, {axisId: RegexTargetHostname + - ru_7e0099b9-96b1-486d-8876-f78748fd6a1a - rule_detections.count_for_drill, id: RegexTargetHostname + - ru_7e0099b9-96b1-486d-8876-f78748fd6a1a - rule_detections.count_for_drill, name: RegexTargetHostname}, {axisId: RegexTargetHostname - ru_7f622f4c-b87d-4724-a7a0-0a265d0e71f9 - - rule_detections.count, id: RegexTargetHostname - ru_7f622f4c-b87d-4724-a7a0-0a265d0e71f9 - - rule_detections.count, name: RegexTargetHostname}, {axisId: RegexTargetHostname - - ru_93cdd742-aefc-4567-84b3-c0d18368d5ec - rule_detections.count, id: RegexTargetHostname - - ru_93cdd742-aefc-4567-84b3-c0d18368d5ec - rule_detections.count, name: RegexTargetHostname}, + rule_detections.count_for_drill, id: RegexTargetHostname - ru_7f622f4c-b87d-4724-a7a0-0a265d0e71f9 + - rule_detections.count_for_drill, name: RegexTargetHostname}, {axisId: RegexTargetHostname + - ru_93cdd742-aefc-4567-84b3-c0d18368d5ec - rule_detections.count_for_drill, id: RegexTargetHostname + - ru_93cdd742-aefc-4567-84b3-c0d18368d5ec - rule_detections.count_for_drill, name: RegexTargetHostname}, {axisId: RegexTargetHostname - ru_9edaec90-6c20-49b7-9659-c2eb5acb3ac1 - - rule_detections.count, id: RegexTargetHostname - ru_9edaec90-6c20-49b7-9659-c2eb5acb3ac1 - - rule_detections.count, name: RegexTargetHostname}, {axisId: RegexTargetHostname - - ru_ab812ad0-922a-44c8-b8c6-505ed51628ce - rule_detections.count, id: RegexTargetHostname - - ru_ab812ad0-922a-44c8-b8c6-505ed51628ce - rule_detections.count, name: RegexTargetHostname}, - {axisId: LotsOfDNS - ru_ab337c04-7ebc-4bdc-b6df-3186e63b897d - rule_detections.count, - id: LotsOfDNS - ru_ab337c04-7ebc-4bdc-b6df-3186e63b897d - 
rule_detections.count, + rule_detections.count_for_drill, id: RegexTargetHostname - ru_9edaec90-6c20-49b7-9659-c2eb5acb3ac1 + - rule_detections.count_for_drill, name: RegexTargetHostname}, {axisId: RegexTargetHostname + - ru_ab812ad0-922a-44c8-b8c6-505ed51628ce - rule_detections.count_for_drill, id: RegexTargetHostname + - ru_ab812ad0-922a-44c8-b8c6-505ed51628ce - rule_detections.count_for_drill, name: RegexTargetHostname}, + {axisId: LotsOfDNS - ru_ab337c04-7ebc-4bdc-b6df-3186e63b897d - rule_detections.count_for_drill, + id: LotsOfDNS - ru_ab337c04-7ebc-4bdc-b6df-3186e63b897d - rule_detections.count_for_drill, name: LotsOfDNS}, {axisId: google_not_google_com - ru_8e9e2d75-0a15-4d09-8d26-704039940d75 - - rule_detections.count, id: google_not_google_com - ru_8e9e2d75-0a15-4d09-8d26-704039940d75 - - rule_detections.count, name: google_not_google_com}, {axisId: abu_nx_domain - - ru_972100f0-36f8-4d57-b88b-b980e2f48b41 - rule_detections.count, id: abu_nx_domain - - ru_972100f0-36f8-4d57-b88b-b980e2f48b41 - rule_detections.count, name: abu_nx_domain}, + - rule_detections.count_for_drill, id: google_not_google_com - ru_8e9e2d75-0a15-4d09-8d26-704039940d75 + - rule_detections.count_for_drill, name: google_not_google_com}, {axisId: abu_nx_domain + - ru_972100f0-36f8-4d57-b88b-b980e2f48b41 - rule_detections.count_for_drill, id: abu_nx_domain + - ru_972100f0-36f8-4d57-b88b-b980e2f48b41 - rule_detections.count_for_drill, name: abu_nx_domain}, {axisId: abu_dns_not_google_not_ms - ru_2fc72958-b76e-4b84-9693-b51440a206ac - - rule_detections.count, id: abu_dns_not_google_not_ms - ru_2fc72958-b76e-4b84-9693-b51440a206ac - - rule_detections.count, name: abu_dns_not_google_not_ms}, {axisId: abu_asset_aliasing - - ru_e28942e2-2191-449e-831e-881975fa0e00 - rule_detections.count, id: abu_asset_aliasing - - ru_e28942e2-2191-449e-831e-881975fa0e00 - rule_detections.count, name: abu_asset_aliasing}], + - rule_detections.count_for_drill, id: abu_dns_not_google_not_ms - 
ru_2fc72958-b76e-4b84-9693-b51440a206ac + - rule_detections.count_for_drill, name: abu_dns_not_google_not_ms}, {axisId: abu_asset_aliasing + - ru_e28942e2-2191-449e-831e-881975fa0e00 - rule_detections.count_for_drill, id: abu_asset_aliasing + - ru_e28942e2-2191-449e-831e-881975fa0e00 - rule_detections.count_for_drill, name: abu_asset_aliasing}], showLabels: true, showValues: true, unpinAxis: false, tickDensity: default, tickDensityCustom: 5, type: linear}] x_axis_label: Date @@ -538,7 +538,7 @@ name: Top 10 Users by Rule Detections explore: rule_detections type: looker_grid - fields: [rule_detections__detection__users.user_name, rule_detections.count] + fields: [rule_detections__detection__users.user_name_with_link, rule_detections.count] sorts: [rule_detections.count desc] limit: 30 query_timezone: America/Los_Angeles diff --git a/views/refinements/rule_detections.view.lkml b/views/refinements/rule_detections.view.lkml index 2934b74..b951a42 100644 --- a/views/refinements/rule_detections.view.lkml +++ b/views/refinements/rule_detections.view.lkml @@ -26,6 +26,11 @@ view: +rule_detections { } } + measure: count { + type: count + drill_fields: [rule_name, count] + } + filter: period_filter { label: "Filter for Period Dimension" hidden: yes @@ -76,3 +81,15 @@ view: +rule_detections { sql: ${detection__detection_timestamp__seconds} ;; } } + +view: +rule_detections__detection__users { + dimension: user_name_with_link { + type: string + sql: ${TABLE}.user_name ;; + link: { + label: "Investigate in Chronicle" + url: "@{CHRONICLE_URL}/userResults?userName={{value}}" + icon_url: "@{USER_PAGE_ICON_URL}" + } + } +} From 5f2c5562ac9e18ec098f4226d4368ef9bb3015e1 Mon Sep 17 00:00:00 2001 From: Smriti Nahata Date: Sun, 30 Apr 2023 04:29:53 +0000 Subject: [PATCH 06/14] Add tooltip + pivot to alert view --- manifest.lkml | 4 ++++ views/refinements/rule_detections.view.lkml | 11 +++++++++++ 2 files changed, 15 insertions(+) 
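Review bot: The `y_axes` series list in the `@@ -321,41` hunk still hard-codes per-rule series keys such as `WojasonDailyDetectionQuotaDevTest - ru_95fe0f44-122c-459f-a51a-0c95cffd3f3b - rule_detections.count_for_drill`, and the commit only renames the measure inside them. Judging by their names, these are rule names and rule IDs from a development or test tenant, so the dashboard ships internal rule identifiers. Because the tile pivots on `rule_detections.rule_name`, the entries presumably match no series in another deployment. Consider replacing the list with one generic axis entry that has no per-rule `series`, rather than carrying the identifiers forward.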
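Review bot: The `url` of the new `user_name_with_link` dimension (`@@ -76,3 +81,15`) puts `{{value}}` into the query string without encoding. `user_name` is taken from detection data, so a value containing `&`, `#`, `%` or a space would cut the `userName` parameter short or append extra query parameters to the Chronicle link. I would change the line to `url: "@{CHRONICLE_URL}/userResults?userName={{ value | url_encode }}"`. A `description:` saying that this is `user_name` with an investigation link would also help, since it sits next to the existing `user_name` field.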
diff --git a/manifest.lkml b/manifest.lkml index f0b6bd3..e9c7eaf 100644 --- a/manifest.lkml +++ b/manifest.lkml @@ -117,6 +117,10 @@ constant: RULE_DETECTIONS_PAGE_ICON_URL { value: "https://backstory.chronicle.security/static/pageicons/rule-detections-white.svg" } +constant: ALERTS_VIEW_PAGE_ICON_URL { + value: "https://backstory.chronicle.security/static/pageicons/rule-detections-white.svg" +} + constant: STRUCTURED_SEARCH_PAGE_ICON_URL { value: "https://backstory.chronicle.security/static/pageicons/structured-search-white.svg" } diff --git a/views/refinements/rule_detections.view.lkml b/views/refinements/rule_detections.view.lkml index b951a42..2fc4998 100644 --- a/views/refinements/rule_detections.view.lkml +++ b/views/refinements/rule_detections.view.lkml @@ -17,6 +17,17 @@ view: +rule_detections { } } + dimension: alert_name { + type: string + sql: ${TABLE}.rule_name ;; + link: { + label: "Investigate alerts" + url: "@{CHRONICLE_URL}/alerts?snapshotQuery=feedback_summary.status!=\"CLOSED\" AND detection.rule_name=\"{{rule_detections.rule_name._value}}\"" + icon_url: "@{RULE_DETECTIONS_PAGE_ICON_URL}" + } + } + + measure: count_for_drill { type: count link: { From 5f619cf2b1df6ac5550617c4c690eb7e4b6c549a Mon Sep 17 00:00:00 2001 From: Smriti Nahata Date: Thu, 18 May 2023 07:14:12 +0000 Subject: [PATCH 07/14] b/281842161 fix --- .../health_ingestion_metrics.dashboard.lookml | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/dashboards/health_ingestion_metrics.dashboard.lookml b/dashboards/health_ingestion_metrics.dashboard.lookml index dd1efad..89afb61 100644 --- a/dashboards/health_ingestion_metrics.dashboard.lookml +++ b/dashboards/health_ingestion_metrics.dashboard.lookml 
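Review bot: The `alert_name` link in `@@ -17,6 +17,17` builds `snapshotQuery` by pasting `{{rule_detections.rule_name._value}}` between escaped quotes, and neither the rule name nor the fixed part of the expression (spaces, `!=`, `"`) is URL-encoded. A rule name containing `"`, `&` or `#` would close the quoted string early or truncate the parameter, so the link could open a different alert query than the row it was clicked on. Encode the interpolated value, `{{ rule_detections.rule_name._value | url_encode }}`, and percent-encode the static part of the query. Whether the query language needs its own escaping for embedded quotes cannot be seen from here and should be confirmed. The link also uses `@{RULE_DETECTIONS_PAGE_ICON_URL}`, while the `ALERTS_VIEW_PAGE_ICON_URL` constant added to manifest.lkml in the same commit is not referenced in any visible hunk.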
@@ -10,7 +10,6 @@ fields: [ingestion_metric_with_ingestion_stats.log_type, ingestion_metric_with_ingestion_stats.total_entry_number] filters: ingestion_metric_with_ingestion_stats.period: This Period - ingestion_metric_with_ingestion_stats.log_type: "-NULL" sorts: [ingestion_metric_with_ingestion_stats.total_entry_number desc] limit: 500 value_labels: legend @@ -57,7 +56,6 @@ fields: [ingestion_metric_with_ingestion_stats.log_type, ingestion_metric_with_ingestion_stats.total_size_bytes] filters: ingestion_metric_with_ingestion_stats.period: This Period - ingestion_metric_with_ingestion_stats.log_type: "-NULL" sorts: [ingestion_metric_with_ingestion_stats.total_size_bytes desc] limit: 500 value_labels: legend @@ -1119,3 +1117,16 @@ explore: ingestion_metric_with_ingestion_stats listens_to_filters: [] field: ingestion_metric_with_ingestion_stats.period_filter + - name: Log Type + title: Log Type + type: field_filter + default_value: "-NULL" + allow_multiple_values: true + required: false + ui_config: + type: advanced + display: popover + options: [] + explore: ingestion_metric_with_ingestion_stats + listens_to_filters: [] + field: ingestion_metric_with_ingestion_stats.log_type \ No newline at end of file From 334b4b047a686f5726bdc6e120fc8c63cedbf2cf Mon Sep 17 00:00:00 2001 From: Panos Kougiouris Date: Fri, 19 May 2023 22:48:12 +0000 Subject: [PATCH 08/14] cuts ove all LookMLs from a table called udm_events toa table called events --- explores/refinements/events.explore.lkml | 4 +--- explores/refinements/udm_events.explore.lkml | 8 ++++---- manifest.lkml | 5 +++++ proto2lkml/udm_events.lkml | 4 ---- .../asset_rule_detections_with_udm_events.view.lkml | 4 ++-- .../custom/user_rule_detections_with_udm_events.view.lkml | 4 ++-- views/udm_events.view.lkml | 6 +++--- 7 files changed, 17 insertions(+), 18 deletions(-) diff --git a/explores/refinements/events.explore.lkml b/explores/refinements/events.explore.lkml index 73b1b0b..1e6e881 100644 
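Review bot: The new `Log Type` dashboard filter added in `@@ -1119,3 +1117,16` only affects tiles that map it in their `listen:` block, and neither tile hunk (`@@ -10,7 +10,6`, `@@ -57,7 +56,6`) adds such a mapping. They only remove the hard-coded `ingestion_metric_with_ingestion_stats.log_type: "-NULL"` filter. The `listen:` blocks are outside the hunks. If they were not updated, both tiles will start counting rows with a null `log_type` and ignore the filter, which changes what the ingestion-health view reports. Each affected element needs `Log Type: ingestion_metric_with_ingestion_stats.log_type` under `listen:`.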
--- a/explores/refinements/events.explore.lkml +++ b/explores/refinements/events.explore.lkml @@ -4,9 +4,7 @@ include: "/views/refinements/udm_enum_value_to_name_mapping.view.lkml" include: "/explores/events.explore.lkml" explore: +events { - label: "UDM Events (Preview)" - # This is an embedded looker only accress_grant - # required_access_grants: [has_chronicle_feature_bq_export_external_source_enabled] + label: "UDM Events" # Naming enums join: metadata__event_type__enum { diff --git a/explores/refinements/udm_events.explore.lkml b/explores/refinements/udm_events.explore.lkml index 52a2b44..b684efb 100644 --- a/explores/refinements/udm_events.explore.lkml +++ b/explores/refinements/udm_events.explore.lkml @@ -8,9 +8,9 @@ access_grant: can_explore_udm_events { } explore: +udm_events { - label: "UDM Events" + label: "UDM Events (Deprecated)" - # required_access_grants: [can_explore_udm_events] + hidden: yes # Naming enums join: metadata__event_type__enum { @@ -99,6 +99,6 @@ explore: +udm_events { } fields: [ALL_FIELDS*,] - sql_always_where: {% condition udm_events.time_filter %} udm_events._PARTITIONTIME {% endcondition %} - AND {% condition udm_events.time_filter %} TIMESTAMP_SECONDS(${event_timestamp_raw}) {% endcondition %};; + sql_always_where: {% condition udm_events.time_filter %} hour_time_bucket {% endcondition %} + AND {% condition udm_events.time_filter %} TIMESTAMP_SECONDS(${event_timestamp_raw}) {% endcondition %};; } diff --git a/manifest.lkml b/manifest.lkml index e9c7eaf..015fd26 100644 --- a/manifest.lkml +++ b/manifest.lkml @@ -37,6 +37,11 @@ constant: RULE_DETECTIONS{ value: "rule_detections" } +constant: RULESETS{ + value: "rulesets" +} + +# DEPRECATED use EVENTS constant: UDM_EVENTS{ value: "udm_events" } diff --git a/proto2lkml/udm_events.lkml b/proto2lkml/udm_events.lkml index ed06cf0..50cdbbb 100644 --- a/proto2lkml/udm_events.lkml +++ b/proto2lkml/udm_events.lkml 
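Review bot: In `@@ -8,9 +8,9` of explores/refinements/udm_events.explore.lkml, `hidden: yes` takes the place of the commented-out `required_access_grants: [can_explore_udm_events]`, but `hidden` only removes the explore from the menu. A hidden explore can still be opened by URL and queried by anyone with access to the model. The same commit deletes `required_access_grants: [has_chronicle_explores_enabled]` from the base explore in proto2lkml/udm_events.lkml (`@@ -17689,10 +17689,6`), so no access grant on `udm_events` remains in the visible hunks. If raw UDM events are meant to stay restricted, keep a grant on the explore, for example `required_access_grants: [can_explore_udm_events]`. Also add a comment beside `hidden: yes` saying it marks deprecation and is not an access control. The explore body continues outside the hunk.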
@@ -17689,10 +17689,6 @@ explore: udm_events { hidden: yes - required_access_grants: [ - has_chronicle_explores_enabled - ] - conditionally_filter: { filters: { field: udm_events.time_filter diff --git a/views/custom/asset_rule_detections_with_udm_events.view.lkml b/views/custom/asset_rule_detections_with_udm_events.view.lkml index 42cfa07..1409ad9 100644 --- a/views/custom/asset_rule_detections_with_udm_events.view.lkml +++ b/views/custom/asset_rule_detections_with_udm_events.view.lkml @@ -4,7 +4,7 @@ view: asset_rule_detections_with_udm_events { COALESCE(udm_events.principal.hostname, udm_events.principal.ip[SAFE_OFFSET(0)]) AS asset, TIMESTAMP_SECONDS(udm_events.metadata.event_timestamp.seconds) AS time, COUNT(*) AS udm_events_count - FROM `@{DATASET_NAME}.@{UDM_EVENTS}` AS udm_events + FROM `@{DATASET_NAME}.@{EVENTS}` AS udm_events WHERE (((COALESCE(udm_events.principal.hostname, udm_events.principal.ip[SAFE_OFFSET(0)])) IS NOT NULL)) AND {% condition period_filter %} TIMESTAMP_SECONDS(udm_events.metadata.event_timestamp.seconds) {% endcondition %} @@ -21,7 +21,7 @@ view: asset_rule_detections_with_udm_events { (((COALESCE(rule_detections__detection__assets.hostname, rule_detections__detection__assets.asset_ip_address)) IS NOT NULL)) AND {% condition period_filter %} TIMESTAMP_SECONDS(rule_detections__detection__detection_timestamp.seconds) {% endcondition %} GROUP BY 1,2) - SELECT * FROM @{RULE_DETECTIONS} FULL JOIN @{UDM_EVENTS} USING (asset, time) ORDER BY time DESC + SELECT * FROM @{RULE_DETECTIONS} FULL JOIN @{EVENTS} USING (asset, time) ORDER BY time DESC ;; } diff --git a/views/custom/user_rule_detections_with_udm_events.view.lkml b/views/custom/user_rule_detections_with_udm_events.view.lkml index 1592dbe..1eb78d6 100644 --- a/views/custom/user_rule_detections_with_udm_events.view.lkml +++ b/views/custom/user_rule_detections_with_udm_events.view.lkml 
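Review bot: The closing `SELECT * FROM @{RULE_DETECTIONS} FULL JOIN @{EVENTS}` in `@@ -21,7` of asset_rule_detections_with_udm_events.view.lkml joins to a CTE by name, not to the BigQuery table. The `WITH … AS (` line that names that CTE is outside the hunk. If the CTE is still declared through `@{UDM_EVENTS}` or as a literal `udm_events`, the join target stops resolving once the constant is swapped. Either rename the declaration in the same commit, or keep `FULL JOIN @{UDM_EVENTS}` and change only the table reference in the `FROM` clause. The same applies to `@@ -19,7` in views/custom/user_rule_detections_with_udm_events.view.lkml. A literal CTE name would avoid tying the query's internal alias to a table-name constant.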
@@ -4,7 +4,7 @@ view: user_rule_detections_with_udm_events { udm_events.principal.user.userid AS user_name, TIMESTAMP_SECONDS(udm_events.metadata.event_timestamp.seconds) AS time, COUNT(*) AS udm_events_count - FROM `@{DATASET_NAME}.@{UDM_EVENTS}` AS udm_events + FROM `@{DATASET_NAME}.@{EVENTS}` AS udm_events WHERE udm_events.principal.user.userid IS NOT NULL AND {% condition period_filter %} TIMESTAMP_SECONDS(udm_events.metadata.event_timestamp.seconds) {% endcondition %} GROUP BY 1, 2), @@ -19,7 +19,7 @@ view: user_rule_detections_with_udm_events { WHERE rule_detections__detection__users.user_name IS NOT NULL AND {% condition period_filter %} TIMESTAMP_SECONDS(rule_detections__detection__detection_timestamp.seconds) {% endcondition %} GROUP BY 1,2) - SELECT * FROM @{RULE_DETECTIONS} FULL JOIN @{UDM_EVENTS} USING (user_name, time) ORDER BY time DESC + SELECT * FROM @{RULE_DETECTIONS} FULL JOIN @{EVENTS} USING (user_name, time) ORDER BY time DESC ;; } diff --git a/views/udm_events.view.lkml b/views/udm_events.view.lkml index c1cabcd..b01708a 100644 --- a/views/udm_events.view.lkml +++ b/views/udm_events.view.lkml @@ -1,5 +1,5 @@ view: udm_events { - sql_table_name: `@{DATASET_NAME}.@{UDM_EVENTS}`;; + sql_table_name: `@{DATASET_NAME}.@{EVENTS}`;; dimension_group: _partitiondate { type: time @@ -13,7 +13,7 @@ view: udm_events { ] convert_tz: no datatype: date - sql: ${TABLE}._PARTITIONDATE ;; + sql: ${TABLE}.hour_time_bucket ;; } dimension_group: _partitiontime { @@ -28,7 +28,7 @@ view: udm_events { ] convert_tz: no datatype: date - sql: ${TABLE}._PARTITIONTIME ;; + sql: ${TABLE}.hour_time_bucket ;; } dimension: about { From 7d55ac6abe1f8d1a2844af41deb4d25dacbf2d39 Mon Sep 17 00:00:00 2001 
From: Himanshu Dahiya <11634174+hdahiya18@users.noreply.github.com> Date: Mon, 22 May 2023 16:19:02 +0530 Subject: [PATCH 09/14] [b/283363477] Non-impacting change to test force fetching of ref from remote to looker (#120) --- dashboards/health_ingestion_metrics.dashboard.lookml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dashboards/health_ingestion_metrics.dashboard.lookml b/dashboards/health_ingestion_metrics.dashboard.lookml index 89afb61..1987913 100644 --- a/dashboards/health_ingestion_metrics.dashboard.lookml +++ b/dashboards/health_ingestion_metrics.dashboard.lookml @@ -1129,4 +1129,4 @@ options: [] explore: ingestion_metric_with_ingestion_stats listens_to_filters: [] - field: ingestion_metric_with_ingestion_stats.log_type \ No newline at end of file + field: ingestion_metric_with_ingestion_stats.log_type From aa2e90e4b6c8866ec72c4df9cc81c700512d158a Mon Sep 17 00:00:00 2001 From: Pradeep Thangamuthu <9770876+pradeepthangamuthu@users.noreply.github.com> Date: Tue, 23 May 2023 15:53:03 +0530 Subject: [PATCH 10/14] [b/260331943] Fixes drill down issues with UDM Events & Events explore. (#121) * [b/260331943] Fixes drill down issue with UDM Events & Events --------- Co-authored-by: Pradeep Thangamuthu --- views/refinements/events.view.lkml | 11 +++++++++++ views/refinements/udm_events.view.lkml | 11 +++++++++++ 2 files changed, 22 insertions(+) diff --git a/views/refinements/events.view.lkml b/views/refinements/events.view.lkml index f48239d..e14dc02 100644 --- a/views/refinements/events.view.lkml +++ b/views/refinements/events.view.lkml @@ -2,6 +2,17 @@ include: "/views/events.view.lkml" view: +events { + set: detail { + fields: [ + metadata__id, + metadata__product_log_id, + metadata__vendor_name, + metadata__product_name, + metadata__event_type, + metadata__event_timestamp__seconds + ] + } + dimension: primary_key { primary_key: yes hidden: yes 
diff --git a/views/refinements/udm_events.view.lkml b/views/refinements/udm_events.view.lkml index f02b60b..6344ccb 100644 --- a/views/refinements/udm_events.view.lkml +++ b/views/refinements/udm_events.view.lkml @@ -2,6 +2,17 @@ include: "/views/udm_events.view.lkml" view: +udm_events { + set: detail { + fields: [ + metadata__id, + metadata__product_log_id, + metadata__vendor_name, + metadata__product_name, + metadata__event_type, + metadata__event_timestamp__seconds + ] + } + dimension: primary_key { primary_key: yes hidden: yes From 7f5ef989a835e03fb439049a468cd0780296ea59 Mon Sep 17 00:00:00 2001 From: Pradeep Thangamuthu Date: Thu, 15 Jun 2023 13:21:16 +0530 Subject: [PATCH 11/14] Removes access grants for Events --- explores/refinements/udm_events.explore.lkml | 5 ----- explores/refinements/udm_events_gcs.explore.lkml | 9 +-------- 2 files changed, 1 insertion(+), 13 deletions(-) diff --git a/explores/refinements/udm_events.explore.lkml b/explores/refinements/udm_events.explore.lkml index b684efb..f7f5778 100644 --- a/explores/refinements/udm_events.explore.lkml +++ b/explores/refinements/udm_events.explore.lkml @@ -2,11 +2,6 @@ include: "/views/refinements/udm_events.view.lkml" include: "/views/refinements/udm_enum_value_to_name_mapping.view.lkml" include: "/explores/udm_events.explore.lkml" -access_grant: can_explore_udm_events { - user_attribute: chronicle_feature_bq_export_udm_events_enabled - allowed_values: ["yes"] -} - explore: +udm_events { label: "UDM Events (Deprecated)" diff --git a/explores/refinements/udm_events_gcs.explore.lkml b/explores/refinements/udm_events_gcs.explore.lkml index e6b1e5a..121447a 100644 --- a/explores/refinements/udm_events_gcs.explore.lkml +++ b/explores/refinements/udm_events_gcs.explore.lkml 
@@ -1,12 +1,5 @@ include: "/explores/udm_events_gcs.explore.lkml" -# This is an embedded looker only accress_grant -access_grant: can_explore_udm_events_gcs { - user_attribute: chronicle_feature_bq_export_external_source_enabled - allowed_values: ["yes"] -} - explore: +udm_events_gcs { - # This is an embedded looker only accress_grant - # required_access_grants: [can_explore_udm_events_gcs] + label: "UDM Events" } From fd7d53aa045b0cb7a8041026b5856d59404f6c7a Mon Sep 17 00:00:00 2001 From: Pradeep Thangamuthu Date: Thu, 15 Jun 2023 14:39:48 +0530 Subject: [PATCH 12/14] Fixes label for UDM Events GCS --- explores/refinements/udm_events_gcs.explore.lkml | 1 - 1 file changed, 1 deletion(-) diff --git a/explores/refinements/udm_events_gcs.explore.lkml b/explores/refinements/udm_events_gcs.explore.lkml index 121447a..0936d41 100644 --- a/explores/refinements/udm_events_gcs.explore.lkml +++ b/explores/refinements/udm_events_gcs.explore.lkml @@ -1,5 +1,4 @@ include: "/explores/udm_events_gcs.explore.lkml" explore: +udm_events_gcs { - label: "UDM Events" } From 7e00579cdfc91b0141504a2634fe0f480ff0bc59 Mon Sep 17 00:00:00 2001 From: Pradeep Thangamuthu Date: Thu, 15 Jun 2023 20:20:16 +0530 Subject: [PATCH 13/14] Reverts proto2lkml changes --- proto2lkml/.gitkeep | 0 proto2lkml/entity_graph.lkml | 5563 ---------- proto2lkml/events.lkml | 19328 --------------------------------- proto2lkml/udm_events.lkml | 19325 -------------------------------- 4 files changed, 44216 deletions(-) delete mode 100644 proto2lkml/.gitkeep delete mode 100644 proto2lkml/entity_graph.lkml delete mode 100644 proto2lkml/events.lkml delete mode 100644 proto2lkml/udm_events.lkml diff --git a/proto2lkml/.gitkeep b/proto2lkml/.gitkeep deleted file mode 100644 index e69de29..0000000 diff --git a/proto2lkml/entity_graph.lkml b/proto2lkml/entity_graph.lkml deleted file mode 100644 index 7f5f9ad..0000000 --- a/proto2lkml/entity_graph.lkml +++ /dev/null 
@@ -1,5563 +0,0 @@ -# Copyright Google Inc 2023 and onwards. -# This file was generated by proto2lkml. Do not modify it. -# Source: googlex/security/malachite/proto/external/entity.proto -### BEGIN googlex/security/malachite/dashboards/lookml/entity_graph/entity_graph_preamble.lkml -include: "/chronicle_features.lkml" - -### END googlex/security/malachite/dashboards/lookml/entity_graph/entity_graph_preamble.lkml -view: entity_graph { - ### BEGIN googlex/security/malachite/dashboards/lookml/entity_graph/entity_graph_view_preamble.lkml - sql_table_name: `@{ENTITY_GRAPH}`;; - - dimension: primary_key { - primary_key: yes - hidden: yes - sql: CONCAT(IFNULL(to_hex(${TABLE}.metadata.product_entity_id), ""), - IFNULL(${TABLE}.metadata.creation_timestamp.seconds,0), - IFNULL(${TABLE}.metadata.creation_timestamp.nanos,0), - IFNULL(${TABLE}.metadata.entity_type,0), - IFNULL(${TABLE}.metadata.vendor_name,""), - IFNULL(${TABLE}.metadata.product_name,""));; - } - - measure: count { - description: "Count of entities; COUNT(DISTINCT ...) is used." - type: count - view_label: "Entity" - } - - measure: count_all { - description: "Count of all entities; COUNT(DISTINCT ...) is not used." 
- type: number - sql: count(*) ;; - label: "Count (all)" - view_label: "Entity" - } - - - filter: time_filter { - label: "metadata.collected_timestamp" - type: date_time - view_label: "Entity" - description: "Filter on collected_timestamp" - } - - ### END googlex/security/malachite/dashboards/lookml/entity_graph/entity_graph_view_preamble.lkml - dimension: additional { - hidden: yes - } # dimension additional - - dimension: additional__fields { - hidden: yes - } # dimension additional__fields - - dimension: entity { - hidden: yes - } # dimension entity - - dimension: entity__administrative_domain { - type: string - sql: ${TABLE}.entity.administrative_domain ;; - group_label: "entity" - label: "entity.administrative_domain" - view_label: "Entity" - description: "Domain which the device belongs to (for example, the Microsoft Windows domain)." - } # dimension entity__administrative_domain - - dimension: entity__application { - type: string - sql: ${TABLE}.entity.application ;; - group_label: "entity" - label: "entity.application" - view_label: "Entity" - description: "The name of an application or service. Some SSO solutions only capture the name of a target application such as \"Atlassian\" or \"Chronicle\"." - } # dimension entity__application - - dimension: entity__artifact { - hidden: yes - } # dimension entity__artifact - - dimension: entity__artifact__ip { - type: string - sql: ${TABLE}.entity.artifact.ip ;; - group_label: "entity" - label: "entity.artifact.ip" - view_label: "Entity" - description: "IP address of the artifact." 
- } # dimension entity__artifact__ip - - dimension: entity__artifact__network { - hidden: yes - } # dimension entity__artifact__network - - dimension: entity__artifact__network__email { - hidden: yes - } # dimension entity__artifact__network__email - - dimension: entity__artifact__network__email__to { - hidden: yes - } # dimension entity__artifact__network__email__to - - dimension: entity__artifact__prevalence { - hidden: yes - } # dimension entity__artifact__prevalence - - dimension: entity__artifact__prevalence__day_count { - type: number - sql: ${TABLE}.entity.artifact.prevalence.day_count ;; - group_label: "entity" - label: "entity.artifact.prevalence.day_count" - view_label: "Entity" - description: "The number of days over which rolling_max is calculated." - } # dimension entity__artifact__prevalence__day_count - - dimension: entity__artifact__prevalence__day_max { - type: number - sql: ${TABLE}.entity.artifact.prevalence.day_max ;; - group_label: "entity" - label: "entity.artifact.prevalence.day_max" - view_label: "Entity" - description: "The max prevalence score in a day interval window." - } # dimension entity__artifact__prevalence__day_max - - dimension: entity__artifact__prevalence__rolling_max { - type: number - sql: ${TABLE}.entity.artifact.prevalence.rolling_max ;; - group_label: "entity" - label: "entity.artifact.prevalence.rolling_max" - view_label: "Entity" - description: "The maximum number of assets per day accessing the resource over the trailing day_count days." - } # dimension entity__artifact__prevalence__rolling_max - - dimension: entity__artifact__prevalence__rolling_max_sub_domains { - type: number - sql: ${TABLE}.entity.artifact.prevalence.rolling_max_sub_domains ;; - group_label: "entity" - label: "entity.artifact.prevalence.rolling_max_sub_domains" - view_label: "Entity" - description: "The maximum number of assets per day accessing the domain along with sub-domains over the trailing day_count days. This field is only valid for domains." 
- } # dimension entity__artifact__prevalence__rolling_max_sub_domains - - dimension: entity__asset { - hidden: yes - } # dimension entity__asset - - dimension: entity__asset__asset_id { - type: string - sql: ${TABLE}.entity.asset.asset_id ;; - group_label: "entity" - label: "entity.asset.asset_id" - view_label: "Entity" - description: "The asset ID." - } # dimension entity__asset__asset_id - - dimension: entity__asset__attribute { - hidden: yes - } # dimension entity__asset__attribute - - dimension: entity__asset__attribute__cloud { - hidden: yes - } # dimension entity__asset__attribute__cloud - - dimension: entity__asset__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.entity.asset.attribute.cloud.availability_zone ;; - group_label: "entity" - label: "entity.asset.attribute.cloud.availability_zone" - view_label: "Entity" - description: "The cloud environment availability zone (different from region which is location.name)." - } # dimension entity__asset__attribute__cloud__availability_zone - - dimension: entity__asset__attribute__cloud__environment { - type: number - sql: ${TABLE}.entity.asset.attribute.cloud.environment ;; - group_label: "entity" - label: "entity.asset.attribute.cloud.environment" - view_label: "Entity" - description: "The Cloud environment." - } # dimension entity__asset__attribute__cloud__environment - - dimension: entity__asset__attribute__cloud__environment_enum_name { - type: string - suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] - sql: CASE ${TABLE}.entity.asset.attribute.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; - group_label: "entity" - label: "entity.asset.attribute.cloud.environment_enum_name" - view_label: "Entity" - description: "The Cloud environment." 
- } # dimension entity__asset__attribute__cloud__environment_enum_name - - dimension: entity__asset__attribute__cloud__project { - hidden: yes - } # dimension entity__asset__attribute__cloud__project - - dimension: entity__asset__attribute__cloud__project__id { - type: string - sql: ${TABLE}.entity.asset.attribute.cloud.project.id ;; - group_label: "entity" - group_item_label: "entity.asset.attribute.cloud.project.id [D]" - label: "entity.asset.attribute.cloud.project.id" - view_label: "Entity" - description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" - } # dimension entity__asset__attribute__cloud__project__id - - dimension: entity__asset__attribute__cloud__project__name { - type: string - sql: ${TABLE}.entity.asset.attribute.cloud.project.name ;; - group_label: "entity" - group_item_label: "entity.asset.attribute.cloud.project.name [D]" - label: "entity.asset.attribute.cloud.project.name" - view_label: "Entity" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension entity__asset__attribute__cloud__project__name - - dimension: entity__asset__attribute__cloud__project__product_object_id { - type: string - sql: ${TABLE}.entity.asset.attribute.cloud.project.product_object_id ;; - group_label: "entity" - group_item_label: "entity.asset.attribute.cloud.project.product_object_id [D]" - label: "entity.asset.attribute.cloud.project.product_object_id" - view_label: "Entity" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" - } # dimension entity__asset__attribute__cloud__project__product_object_id - - dimension: entity__asset__attribute__cloud__project__resource_type { - type: number - sql: ${TABLE}.entity.asset.attribute.cloud.project.resource_type ;; - group_label: "entity" - group_item_label: "entity.asset.attribute.cloud.project.resource_type [D]" - label: "entity.asset.attribute.cloud.project.resource_type" - view_label: "Entity" - description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension entity__asset__attribute__cloud__project__resource_type - - dimension: entity__asset__attribute__cloud__project__resource_type_enum_name { - type: string - suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] - sql: CASE ${TABLE}.entity.asset.attribute.cloud.project.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; - group_label: "entity" - group_item_label: "entity.asset.attribute.cloud.project.resource_type_enum_name [D]" - label: "entity.asset.attribute.cloud.project.resource_type_enum_name" - view_label: "Entity" - description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension entity__asset__attribute__cloud__project__resource_type_enum_name - - dimension: entity__asset__attribute__cloud__vpc { - hidden: yes - } # dimension entity__asset__attribute__cloud__vpc - - dimension: entity__asset__attribute__cloud__vpc__name { - type: string - sql: ${TABLE}.entity.asset.attribute.cloud.vpc.name ;; - group_label: "entity" - group_item_label: "entity.asset.attribute.cloud.vpc.name [D]" - label: "entity.asset.attribute.cloud.vpc.name" - view_label: "Entity" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" - } # dimension entity__asset__attribute__cloud__vpc__name - - dimension: entity__asset__attribute__cloud__vpc__product_object_id { - type: string - sql: ${TABLE}.entity.asset.attribute.cloud.vpc.product_object_id ;; - group_label: "entity" - group_item_label: "entity.asset.attribute.cloud.vpc.product_object_id [D]" - label: "entity.asset.attribute.cloud.vpc.product_object_id" - view_label: "Entity" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" - } # dimension entity__asset__attribute__cloud__vpc__product_object_id - - dimension: entity__asset__attribute__cloud__vpc__resource_type { - type: number - sql: ${TABLE}.entity.asset.attribute.cloud.vpc.resource_type ;; - group_label: "entity" - group_item_label: "entity.asset.attribute.cloud.vpc.resource_type [D]" - label: "entity.asset.attribute.cloud.vpc.resource_type" - view_label: "Entity" - description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension entity__asset__attribute__cloud__vpc__resource_type - - dimension: entity__asset__attribute__cloud__vpc__resource_type_enum_name { - type: string - suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] - sql: CASE ${TABLE}.entity.asset.attribute.cloud.vpc.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; - group_label: "entity" - group_item_label: "entity.asset.attribute.cloud.vpc.resource_type_enum_name [D]" - label: "entity.asset.attribute.cloud.vpc.resource_type_enum_name" - view_label: "Entity" - description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension entity__asset__attribute__cloud__vpc__resource_type_enum_name - - dimension_group: entity__asset__attribute__creation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.entity.asset.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.entity.asset.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "entity" - label: "entity.asset.attribute.creation_time" - view_label: "Entity" - description: "Time the resource or entity was created or provisioned." - } # dimension entity__asset__attribute__creation_time - - dimension: entity__asset__attribute__labels { - hidden: yes - } # dimension entity__asset__attribute__labels - - dimension_group: entity__asset__attribute__last_update_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.entity.asset.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.entity.asset.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "entity" - label: "entity.asset.attribute.last_update_time" - view_label: "Entity" - description: "Time the resource or entity was last updated." - } # dimension entity__asset__attribute__last_update_time - - dimension: entity__asset__category { - type: string - sql: ${TABLE}.entity.asset.category ;; - group_label: "entity" - label: "entity.asset.category" - view_label: "Entity" - description: "The category of the asset (e.g. \"End User Asset\", \"Workstation\", \"Server\")." 
- } # dimension entity__asset__category - - dimension_group: entity__asset__creation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.entity.asset.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.entity.asset.creation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "entity" - group_item_label: "entity.asset.creation_time [D]" - label: "entity.asset.creation_time" - view_label: "Entity" - description: "Time the asset was created or provisioned. Deprecate: creation_time should be populated in Attribute as generic metadata. [D]: This field is deprecated and will be removed in a future release" - } # dimension entity__asset__creation_time - - dimension: entity__asset__deployment_status { - type: number - sql: ${TABLE}.entity.asset.deployment_status ;; - group_label: "entity" - label: "entity.asset.deployment_status" - view_label: "Entity" - description: "The deployment status of the asset for device lifecycle purposes." - } # dimension entity__asset__deployment_status - - dimension: entity__asset__deployment_status_enum_name { - type: string - suggestions: ["ACTIVE", "DECOMISSIONED", "DEPLOYMENT_STATUS_UNSPECIFIED", "PENDING_DECOMISSION"] - sql: CASE ${TABLE}.entity.asset.deployment_status WHEN 0 THEN 'DEPLOYMENT_STATUS_UNSPECIFIED' WHEN 1 THEN 'ACTIVE' WHEN 2 THEN 'PENDING_DECOMISSION' WHEN 3 THEN 'DECOMISSIONED' END ;; - group_label: "entity" - label: "entity.asset.deployment_status_enum_name" - view_label: "Entity" - description: "The deployment status of the asset for device lifecycle purposes." 
- } # dimension entity__asset__deployment_status_enum_name - - dimension_group: entity__asset__first_discover_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.entity.asset.first_discover_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.entity.asset.first_discover_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "entity" - label: "entity.asset.first_discover_time" - view_label: "Entity" - description: "Time the asset was first discovered (by asset management/discoverability software)." - } # dimension entity__asset__first_discover_time - - dimension: entity__asset__hardware { - hidden: yes - } # dimension entity__asset__hardware - - dimension: entity__asset__hostname { - type: string - sql: ${TABLE}.entity.asset.hostname ;; - group_label: "entity" - label: "entity.asset.hostname" - view_label: "Entity" - description: "Asset hostname or domain name field." - } # dimension entity__asset__hostname - - dimension: entity__asset__ip { - hidden: yes - } # dimension entity__asset__ip - - dimension: entity__asset__labels { - hidden: yes - } # dimension entity__asset__labels - - dimension_group: entity__asset__last_boot_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.entity.asset.last_boot_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.entity.asset.last_boot_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "entity" - label: "entity.asset.last_boot_time" - view_label: "Entity" - description: "Time the asset was last boot started." 
- } # dimension entity__asset__last_boot_time - - dimension_group: entity__asset__last_discover_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.entity.asset.last_discover_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.entity.asset.last_discover_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "entity" - label: "entity.asset.last_discover_time" - view_label: "Entity" - description: "Time the asset was last discovered (by asset management/discoverability software)." - } # dimension entity__asset__last_discover_time - - dimension: entity__asset__location { - hidden: yes - } # dimension entity__asset__location - - dimension: entity__asset__location__city { - type: string - sql: ${TABLE}.entity.asset.location.city ;; - group_label: "entity" - label: "entity.asset.location.city" - view_label: "Entity" - description: "The city." - } # dimension entity__asset__location__city - - dimension: entity__asset__location__country_or_region { - type: string - sql: ${TABLE}.entity.asset.location.country_or_region ;; - group_label: "entity" - label: "entity.asset.location.country_or_region" - view_label: "Entity" - description: "The country or region." - } # dimension entity__asset__location__country_or_region - - dimension: entity__asset__location__floor_name { - type: string - sql: ${TABLE}.entity.asset.location.floor_name ;; - group_label: "entity" - label: "entity.asset.location.floor_name" - view_label: "Entity" - description: "Floor name, number or a combination of the two for a building. (e.g. \"1-A\")." - } # dimension entity__asset__location__floor_name - - dimension: entity__asset__location__name { - type: string - sql: ${TABLE}.entity.asset.location.name ;; - group_label: "entity" - label: "entity.asset.location.name" - view_label: "Entity" - description: "Custom location name (e.g. building or site name like \"London Office\"). 
For cloud environments, this is the region (e.g. \"us-west2\")." - } # dimension entity__asset__location__name - - dimension: entity__asset__location__region_latitude { - type: number - sql: ${TABLE}.entity.asset.location.region_latitude ;; - group_label: "entity" - group_item_label: "entity.asset.location.region_latitude [D]" - label: "entity.asset.location.region_latitude" - view_label: "Entity" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" - } # dimension entity__asset__location__region_latitude - - dimension: entity__asset__location__region_longitude { - type: number - sql: ${TABLE}.entity.asset.location.region_longitude ;; - group_label: "entity" - group_item_label: "entity.asset.location.region_longitude [D]" - label: "entity.asset.location.region_longitude" - view_label: "Entity" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" - } # dimension entity__asset__location__region_longitude - - dimension: entity__asset__location__location { - type: location - sql_latitude: ${TABLE}.entity.asset.location.region_latitude ;; - sql_longitude: ${TABLE}.entity.asset.location.region_longitude ;; - group_label: "entity" - group_item_label: "entity.asset.location.location [D][L]" - label: "entity.asset.location.location" - view_label: "Entity" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." - } # dimension entity__asset__location__location - - dimension: entity__asset__location__state { - type: string - sql: ${TABLE}.entity.asset.location.state ;; - group_label: "entity" - label: "entity.asset.location.state" - view_label: "Entity" - description: "The state." 
- } # dimension entity__asset__location__state - - dimension: entity__asset__mac { - hidden: yes - } # dimension entity__asset__mac - - dimension: entity__asset__nat_ip { - hidden: yes - } # dimension entity__asset__nat_ip - - dimension: entity__asset__network_domain { - type: string - sql: ${TABLE}.entity.asset.network_domain ;; - group_label: "entity" - label: "entity.asset.network_domain" - view_label: "Entity" - description: "The network domain of the asset (e.g. \"corp.acme.com\")" - } # dimension entity__asset__network_domain - - dimension: entity__asset__platform_software { - hidden: yes - } # dimension entity__asset__platform_software - - dimension: entity__asset__platform_software__platform { - type: number - sql: ${TABLE}.entity.asset.platform_software.platform ;; - group_label: "entity" - label: "entity.asset.platform_software.platform" - view_label: "Entity" - description: "The platform operating system." - } # dimension entity__asset__platform_software__platform - - dimension: entity__asset__platform_software__platform_enum_name { - type: string - suggestions: ["ANDROID", "AWS", "AZURE", "CHROME_OS", "GCP", "IOS", "LINUX", "MAC", "UNKNOWN_PLATFORM", "WINDOWS"] - sql: CASE ${TABLE}.entity.asset.platform_software.platform WHEN 0 THEN 'UNKNOWN_PLATFORM' WHEN 1 THEN 'WINDOWS' WHEN 2 THEN 'MAC' WHEN 3 THEN 'LINUX' WHEN 4 THEN 'GCP' WHEN 5 THEN 'AWS' WHEN 6 THEN 'AZURE' WHEN 7 THEN 'IOS' WHEN 8 THEN 'ANDROID' WHEN 9 THEN 'CHROME_OS' END ;; - group_label: "entity" - label: "entity.asset.platform_software.platform_enum_name" - view_label: "Entity" - description: "The platform operating system." 
- } # dimension entity__asset__platform_software__platform_enum_name - - dimension: entity__asset__platform_software__platform_patch_level { - type: string - sql: ${TABLE}.entity.asset.platform_software.platform_patch_level ;; - group_label: "entity" - label: "entity.asset.platform_software.platform_patch_level" - view_label: "Entity" - description: "The platform software patch level ( e.g. \"Build 17134.48\", \"SP1\")." - } # dimension entity__asset__platform_software__platform_patch_level - - dimension: entity__asset__platform_software__platform_version { - type: string - sql: ${TABLE}.entity.asset.platform_software.platform_version ;; - group_label: "entity" - label: "entity.asset.platform_software.platform_version" - view_label: "Entity" - description: "The platform software version ( e.g. \"Microsoft Windows 1803\")." - } # dimension entity__asset__platform_software__platform_version - - dimension: entity__asset__product_object_id { - type: string - sql: ${TABLE}.entity.asset.product_object_id ;; - group_label: "entity" - label: "entity.asset.product_object_id" - view_label: "Entity" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID or similar)." - } # dimension entity__asset__product_object_id - - dimension: entity__asset__software { - hidden: yes - } # dimension entity__asset__software - - dimension_group: entity__asset__system_last_update_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.entity.asset.system_last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.entity.asset.system_last_update_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "entity" - label: "entity.asset.system_last_update_time" - view_label: "Entity" - description: "Time the asset system or OS was last updated. For all other operations that are not system updates (such as resizing a vm, etc.) use Attribute.last_update_time." 
- } # dimension entity__asset__system_last_update_time - - dimension: entity__asset__type { - type: number - sql: ${TABLE}.entity.asset.type ;; - group_label: "entity" - label: "entity.asset.type" - view_label: "Entity" - description: "The type of the asset (e.g. workstation or laptop or server)." - } # dimension entity__asset__type - - dimension: entity__asset__type_enum_name { - type: string - suggestions: ["IOT", "LAPTOP", "MOBILE", "NETWORK_ATTACHED_STORAGE", "PRINTER", "ROLE_UNSPECIFIED", "SCANNER", "SERVER", "TAPE_LIBRARY", "WORKSTATION"] - sql: CASE ${TABLE}.entity.asset.type WHEN 0 THEN 'ROLE_UNSPECIFIED' WHEN 1 THEN 'WORKSTATION' WHEN 2 THEN 'LAPTOP' WHEN 3 THEN 'IOT' WHEN 4 THEN 'NETWORK_ATTACHED_STORAGE' WHEN 5 THEN 'PRINTER' WHEN 6 THEN 'SCANNER' WHEN 7 THEN 'SERVER' WHEN 8 THEN 'TAPE_LIBRARY' WHEN 9 THEN 'MOBILE' END ;; - group_label: "entity" - label: "entity.asset.type_enum_name" - view_label: "Entity" - description: "The type of the asset (e.g. workstation or laptop or server)." - } # dimension entity__asset__type_enum_name - - dimension: entity__asset__vulnerabilities { - hidden: yes - } # dimension entity__asset__vulnerabilities - - dimension: entity__asset_id { - type: string - sql: ${TABLE}.entity.asset_id ;; - group_label: "entity" - label: "entity.asset_id" - view_label: "Entity" - description: "The asset ID." 
- } # dimension entity__asset_id - - dimension: entity__cloud { - hidden: yes - } # dimension entity__cloud - - dimension: entity__cloud__project { - hidden: yes - } # dimension entity__cloud__project - - dimension: entity__cloud__project__product_object_id { - type: string - sql: ${TABLE}.entity.cloud.project.product_object_id ;; - group_label: "entity" - group_item_label: "entity.cloud.project.product_object_id [D]" - label: "entity.cloud.project.product_object_id" - view_label: "Entity" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" - } # dimension entity__cloud__project__product_object_id - - dimension: entity__cloud__vpc { - hidden: yes - } # dimension entity__cloud__vpc - - dimension: entity__cloud__vpc__product_object_id { - type: string - sql: ${TABLE}.entity.cloud.vpc.product_object_id ;; - group_label: "entity" - group_item_label: "entity.cloud.vpc.product_object_id [D]" - label: "entity.cloud.vpc.product_object_id" - view_label: "Entity" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" - } # dimension entity__cloud__vpc__product_object_id - - dimension: entity__domain { - hidden: yes - } # dimension entity__domain - - dimension: entity__domain__admin { - hidden: yes - } # dimension entity__domain__admin - - dimension: entity__domain__admin__attribute { - hidden: yes - } # dimension entity__domain__admin__attribute - - dimension: entity__domain__admin__attribute__labels { - hidden: yes - } # dimension entity__domain__admin__attribute__labels - - dimension: entity__domain__admin__office_address { - hidden: yes - } # dimension entity__domain__admin__office_address - - dimension: entity__domain__admin__office_address__country_or_region { - type: string - sql: 
${TABLE}.entity.domain.admin.office_address.country_or_region ;; - group_label: "entity" - label: "entity.domain.admin.office_address.country_or_region" - view_label: "Entity" - description: "The country or region." - } # dimension entity__domain__admin__office_address__country_or_region - - dimension_group: entity__domain__audit_update_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.entity.domain.audit_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.entity.domain.audit_update_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "entity" - label: "entity.domain.audit_update_time" - view_label: "Entity" - description: "Audit updated time." - } # dimension entity__domain__audit_update_time - - dimension: entity__domain__billing { - hidden: yes - } # dimension entity__domain__billing - - dimension: entity__domain__billing__attribute { - hidden: yes - } # dimension entity__domain__billing__attribute - - dimension: entity__domain__billing__attribute__labels { - hidden: yes - } # dimension entity__domain__billing__attribute__labels - - dimension: entity__domain__billing__office_address { - hidden: yes - } # dimension entity__domain__billing__office_address - - dimension: entity__domain__billing__office_address__country_or_region { - type: string - sql: ${TABLE}.entity.domain.billing.office_address.country_or_region ;; - group_label: "entity" - label: "entity.domain.billing.office_address.country_or_region" - view_label: "Entity" - description: "The country or region." - } # dimension entity__domain__billing__office_address__country_or_region - - dimension: entity__domain__contact_email { - type: string - sql: ${TABLE}.entity.domain.contact_email ;; - group_label: "entity" - label: "entity.domain.contact_email" - view_label: "Entity" - description: "Contact email address." 
- } # dimension entity__domain__contact_email - - dimension_group: entity__domain__creation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.entity.domain.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.entity.domain.creation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "entity" - label: "entity.domain.creation_time" - view_label: "Entity" - description: "Domain creation time." - } # dimension entity__domain__creation_time - - dimension_group: entity__domain__expiration_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.entity.domain.expiration_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.entity.domain.expiration_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "entity" - label: "entity.domain.expiration_time" - view_label: "Entity" - description: "Expiration time." - } # dimension entity__domain__expiration_time - - dimension_group: entity__domain__first_seen_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.entity.domain.first_seen_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.entity.domain.first_seen_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "entity" - label: "entity.domain.first_seen_time" - view_label: "Entity" - description: "First seen timestamp of the domain in the customer's environment." - } # dimension entity__domain__first_seen_time - - dimension: entity__domain__name { - type: string - sql: ${TABLE}.entity.domain.name ;; - group_label: "entity" - label: "entity.domain.name" - view_label: "Entity" - description: "The domain name." 
- } # dimension entity__domain__name - - dimension: entity__domain__name_server { - hidden: yes - } # dimension entity__domain__name_server - - dimension: entity__domain__prevalence { - hidden: yes - } # dimension entity__domain__prevalence - - dimension: entity__domain__prevalence__day_count { - type: number - sql: ${TABLE}.entity.domain.prevalence.day_count ;; - group_label: "entity" - label: "entity.domain.prevalence.day_count" - view_label: "Entity" - description: "The number of days over which rolling_max is calculated." - } # dimension entity__domain__prevalence__day_count - - dimension: entity__domain__prevalence__day_max { - type: number - sql: ${TABLE}.entity.domain.prevalence.day_max ;; - group_label: "entity" - label: "entity.domain.prevalence.day_max" - view_label: "Entity" - description: "The max prevalence score in a day interval window." - } # dimension entity__domain__prevalence__day_max - - dimension: entity__domain__prevalence__day_max_sub_domains { - type: number - sql: ${TABLE}.entity.domain.prevalence.day_max_sub_domains ;; - group_label: "entity" - label: "entity.domain.prevalence.day_max_sub_domains" - view_label: "Entity" - description: "The max prevalence score in a day interval window across sub-domains. This field is only valid for domains." - } # dimension entity__domain__prevalence__day_max_sub_domains - - dimension: entity__domain__prevalence__rolling_max { - type: number - sql: ${TABLE}.entity.domain.prevalence.rolling_max ;; - group_label: "entity" - label: "entity.domain.prevalence.rolling_max" - view_label: "Entity" - description: "The maximum number of assets per day accessing the resource over the trailing day_count days." 
- } # dimension entity__domain__prevalence__rolling_max - - dimension: entity__domain__prevalence__rolling_max_sub_domains { - type: number - sql: ${TABLE}.entity.domain.prevalence.rolling_max_sub_domains ;; - group_label: "entity" - label: "entity.domain.prevalence.rolling_max_sub_domains" - view_label: "Entity" - description: "The maximum number of assets per day accessing the domain along with sub-domains over the trailing day_count days. This field is only valid for domains." - } # dimension entity__domain__prevalence__rolling_max_sub_domains - - dimension: entity__domain__registrant { - hidden: yes - } # dimension entity__domain__registrant - - dimension: entity__domain__registrant__attribute { - hidden: yes - } # dimension entity__domain__registrant__attribute - - dimension: entity__domain__registrant__attribute__labels { - hidden: yes - } # dimension entity__domain__registrant__attribute__labels - - dimension: entity__domain__registrant__company_name { - type: string - sql: ${TABLE}.entity.domain.registrant.company_name ;; - group_label: "entity" - label: "entity.domain.registrant.company_name" - view_label: "Entity" - description: "User job company name." - } # dimension entity__domain__registrant__company_name - - dimension: entity__domain__registrant__email_addresses { - hidden: yes - } # dimension entity__domain__registrant__email_addresses - - dimension: entity__domain__registrant__office_address { - hidden: yes - } # dimension entity__domain__registrant__office_address - - dimension: entity__domain__registrant__office_address__country_or_region { - type: string - sql: ${TABLE}.entity.domain.registrant.office_address.country_or_region ;; - group_label: "entity" - label: "entity.domain.registrant.office_address.country_or_region" - view_label: "Entity" - description: "The country or region." 
- } # dimension entity__domain__registrant__office_address__country_or_region - - dimension: entity__domain__registrant__office_address__state { - type: string - sql: ${TABLE}.entity.domain.registrant.office_address.state ;; - group_label: "entity" - label: "entity.domain.registrant.office_address.state" - view_label: "Entity" - description: "The state." - } # dimension entity__domain__registrant__office_address__state - - dimension: entity__domain__registrant__user_display_name { - type: string - sql: ${TABLE}.entity.domain.registrant.user_display_name ;; - group_label: "entity" - label: "entity.domain.registrant.user_display_name" - view_label: "Entity" - description: "The display name of the user (e.g. \"John Locke\")." - } # dimension entity__domain__registrant__user_display_name - - dimension: entity__domain__registrar { - type: string - sql: ${TABLE}.entity.domain.registrar ;; - group_label: "entity" - label: "entity.domain.registrar" - view_label: "Entity" - description: "Registrar name - e.g. \"Wild West Domains, Inc. (R120-LROR)\", \"GoDaddy.com, LLC\", \"PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM\", etc." - } # dimension entity__domain__registrar - - dimension: entity__domain__registry_data_raw_text { - type: string - sql: ${TABLE}.entity.domain.registry_data_raw_text ;; - group_label: "entity" - label: "entity.domain.registry_data_raw_text" - view_label: "Entity" - description: "Registry Data raw text" - } # dimension entity__domain__registry_data_raw_text - - dimension: entity__domain__status { - type: string - sql: ${TABLE}.entity.domain.status ;; - group_label: "entity" - label: "entity.domain.status" - view_label: "Entity" - description: "Domain status. 
See https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en for meanings of possible values" - } # dimension entity__domain__status - - dimension: entity__domain__tech { - hidden: yes - } # dimension entity__domain__tech - - dimension: entity__domain__tech__attribute { - hidden: yes - } # dimension entity__domain__tech__attribute - - dimension: entity__domain__tech__attribute__labels { - hidden: yes - } # dimension entity__domain__tech__attribute__labels - - dimension: entity__domain__tech__office_address { - hidden: yes - } # dimension entity__domain__tech__office_address - - dimension: entity__domain__tech__office_address__country_or_region { - type: string - sql: ${TABLE}.entity.domain.tech.office_address.country_or_region ;; - group_label: "entity" - label: "entity.domain.tech.office_address.country_or_region" - view_label: "Entity" - description: "The country or region." - } # dimension entity__domain__tech__office_address__country_or_region - - dimension_group: entity__domain__update_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.entity.domain.update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.entity.domain.update_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "entity" - label: "entity.domain.update_time" - view_label: "Entity" - description: "Last updated time." - } # dimension entity__domain__update_time - - dimension: entity__domain__whois_record_raw_text { - type: string - sql: ${TABLE}.entity.domain.whois_record_raw_text ;; - group_label: "entity" - label: "entity.domain.whois_record_raw_text" - view_label: "Entity" - description: "unix epoch of the time when the domaintools first catches the record, or the time when domaintools catch the record changes. domaintools_time_ms is also used as the bigtable timestamp." 
- } # dimension entity__domain__whois_record_raw_text - - dimension: entity__domain__whois_server { - type: string - sql: ${TABLE}.entity.domain.whois_server ;; - group_label: "entity" - label: "entity.domain.whois_server" - view_label: "Entity" - description: "Whois server name." - } # dimension entity__domain__whois_server - - dimension: entity__email { - type: string - sql: ${TABLE}.entity.email ;; - group_label: "entity" - label: "entity.email" - view_label: "Entity" - description: "Email address. Only filled in for security_result.about" - } # dimension entity__email - - dimension: entity__file { - hidden: yes - } # dimension entity__file - - dimension: entity__file__full_path { - type: string - sql: ${TABLE}.entity.file.full_path ;; - group_label: "entity" - label: "entity.file.full_path" - view_label: "Entity" - description: "The full path identifying the location of the file on the system." - } # dimension entity__file__full_path - - dimension: entity__file__md5 { - type: string - sql: ${TABLE}.entity.file.md5 ;; - group_label: "entity" - label: "entity.file.md5" - view_label: "Entity" - description: "The MD5 hash of the file." - } # dimension entity__file__md5 - - dimension: entity__file__mime_type { - type: string - sql: ${TABLE}.entity.file.mime_type ;; - group_label: "entity" - label: "entity.file.mime_type" - view_label: "Entity" - description: "The MIME (Multipurpose Internet Mail Extensions) type of the file, for example \"PE\", \"PDF\", \"powershell script\", etc." 
- } # dimension entity__file__mime_type - - dimension: entity__file__names { - hidden: yes - } # dimension entity__file__names - - dimension: entity__file__pe_file { - hidden: yes - } # dimension entity__file__pe_file - - dimension: entity__file__pe_file__resource { - hidden: yes - } # dimension entity__file__pe_file__resource - - dimension: entity__file__prevalence { - hidden: yes - } # dimension entity__file__prevalence - - dimension: entity__file__prevalence__day_count { - type: number - sql: ${TABLE}.entity.file.prevalence.day_count ;; - group_label: "entity" - label: "entity.file.prevalence.day_count" - view_label: "Entity" - description: "The number of days over which rolling_max is calculated." - } # dimension entity__file__prevalence__day_count - - dimension: entity__file__prevalence__day_max { - type: number - sql: ${TABLE}.entity.file.prevalence.day_max ;; - group_label: "entity" - label: "entity.file.prevalence.day_max" - view_label: "Entity" - description: "The max prevalence score in a day interval window." - } # dimension entity__file__prevalence__day_max - - dimension: entity__file__prevalence__rolling_max { - type: number - sql: ${TABLE}.entity.file.prevalence.rolling_max ;; - group_label: "entity" - label: "entity.file.prevalence.rolling_max" - view_label: "Entity" - description: "The maximum number of assets per day accessing the resource over the trailing day_count days." - } # dimension entity__file__prevalence__rolling_max - - dimension: entity__file__sha1 { - type: string - sql: ${TABLE}.entity.file.sha1 ;; - group_label: "entity" - label: "entity.file.sha1" - view_label: "Entity" - description: "The SHA1 hash of the file." - } # dimension entity__file__sha1 - - dimension: entity__file__sha256 { - type: string - sql: ${TABLE}.entity.file.sha256 ;; - group_label: "entity" - label: "entity.file.sha256" - view_label: "Entity" - description: "The SHA256 hash of the file." 
- } # dimension entity__file__sha256 - - dimension: entity__group { - hidden: yes - } # dimension entity__group - - dimension: entity__group__attribute { - hidden: yes - } # dimension entity__group__attribute - - dimension: entity__group__attribute__cloud { - hidden: yes - } # dimension entity__group__attribute__cloud - - dimension: entity__group__attribute__cloud__project { - hidden: yes - } # dimension entity__group__attribute__cloud__project - - dimension: entity__group__attribute__cloud__project__product_object_id { - type: string - sql: ${TABLE}.entity.group.attribute.cloud.project.product_object_id ;; - group_label: "entity" - group_item_label: "entity.group.attribute.cloud.project.product_object_id [D]" - label: "entity.group.attribute.cloud.project.product_object_id" - view_label: "Entity" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" - } # dimension entity__group__attribute__cloud__project__product_object_id - - dimension: entity__group__attribute__cloud__vpc { - hidden: yes - } # dimension entity__group__attribute__cloud__vpc - - dimension: entity__group__attribute__cloud__vpc__product_object_id { - type: string - sql: ${TABLE}.entity.group.attribute.cloud.vpc.product_object_id ;; - group_label: "entity" - group_item_label: "entity.group.attribute.cloud.vpc.product_object_id [D]" - label: "entity.group.attribute.cloud.vpc.product_object_id" - view_label: "Entity" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" - } # dimension entity__group__attribute__cloud__vpc__product_object_id - - dimension: entity__group__attribute__labels { - hidden: yes - } # dimension entity__group__attribute__labels - - dimension: entity__group__email_addresses { - hidden: yes - } # dimension entity__group__email_addresses - - 
dimension: entity__group__group_display_name { - type: string - sql: ${TABLE}.entity.group.group_display_name ;; - group_label: "entity" - label: "entity.group.group_display_name" - view_label: "Entity" - description: "Group display name. e.g. \"Finance\"." - } # dimension entity__group__group_display_name - - dimension: entity__group__product_object_id { - type: string - sql: ${TABLE}.entity.group.product_object_id ;; - group_label: "entity" - label: "entity.group.product_object_id" - view_label: "Entity" - description: "Product globally unique user object identifier, such as an LDAP Object Identifier." - } # dimension entity__group__product_object_id - - dimension: entity__hostname { - type: string - sql: ${TABLE}.entity.hostname ;; - group_label: "entity" - label: "entity.hostname" - view_label: "Entity" - description: "Client hostname or domain name field. Hostname also doubles as the domain for remote entities." - } # dimension entity__hostname - - dimension: entity__ip { - hidden: yes - } # dimension entity__ip - - dimension: entity__ip_geo_artifact { - hidden: yes - } # dimension entity__ip_geo_artifact - - dimension: entity__labels { - hidden: yes - } # dimension entity__labels - - dimension: entity__location { - hidden: yes - } # dimension entity__location - - dimension: entity__location__city { - type: string - sql: ${TABLE}.entity.location.city ;; - group_label: "entity" - label: "entity.location.city" - view_label: "Entity" - description: "The city." - } # dimension entity__location__city - - dimension: entity__location__country_or_region { - type: string - sql: ${TABLE}.entity.location.country_or_region ;; - group_label: "entity" - label: "entity.location.country_or_region" - view_label: "Entity" - description: "The country or region." 
- } # dimension entity__location__country_or_region - - dimension: entity__location__desk_name { - type: string - sql: ${TABLE}.entity.location.desk_name ;; - group_label: "entity" - label: "entity.location.desk_name" - view_label: "Entity" - description: "Desk name or individual location, typically for an employee in an office. (e.g. \"IN-BLR-BCPC-11-1121D\")." - } # dimension entity__location__desk_name - - dimension: entity__location__name { - type: string - sql: ${TABLE}.entity.location.name ;; - group_label: "entity" - label: "entity.location.name" - view_label: "Entity" - description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." - } # dimension entity__location__name - - dimension: entity__location__region_latitude { - type: number - sql: ${TABLE}.entity.location.region_latitude ;; - group_label: "entity" - group_item_label: "entity.location.region_latitude [D]" - label: "entity.location.region_latitude" - view_label: "Entity" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" - } # dimension entity__location__region_latitude - - dimension: entity__location__region_longitude { - type: number - sql: ${TABLE}.entity.location.region_longitude ;; - group_label: "entity" - group_item_label: "entity.location.region_longitude [D]" - label: "entity.location.region_longitude" - view_label: "Entity" - description: "Deprecated: use region_coordinates. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension entity__location__region_longitude - - dimension: entity__location__location { - type: location - sql_latitude: ${TABLE}.entity.location.region_latitude ;; - sql_longitude: ${TABLE}.entity.location.region_longitude ;; - group_label: "entity" - group_item_label: "entity.location.location [D][L]" - label: "entity.location.location" - view_label: "Entity" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." - } # dimension entity__location__location - - dimension: entity__location__state { - type: string - sql: ${TABLE}.entity.location.state ;; - group_label: "entity" - label: "entity.location.state" - view_label: "Entity" - description: "The state." - } # dimension entity__location__state - - dimension: entity__mac { - hidden: yes - } # dimension entity__mac - - dimension: entity__namespace { - type: string - sql: ${TABLE}.entity.namespace ;; - group_label: "entity" - label: "entity.namespace" - view_label: "Entity" - description: "Namespace which the device belongs to (e.g. AD forest) Uses for this field include Microsoft Windows AD forest, name of subsidiary or acquisition, etc." - } # dimension entity__namespace - - dimension: entity__object_reference { - hidden: yes - } # dimension entity__object_reference - - dimension: entity__object_reference__id { - type: string - sql: ${TABLE}.entity.object_reference.id ;; - group_label: "entity" - label: "entity.object_reference.id" - view_label: "Entity" - description: "Full raw ID." - } # dimension entity__object_reference__id - - dimension: entity__object_reference__namespace { - type: number - sql: ${TABLE}.entity.object_reference.namespace ;; - group_label: "entity" - label: "entity.object_reference.namespace" - view_label: "Entity" - description: "Namespace the id belongs to." 
- } # dimension entity__object_reference__namespace - - dimension: entity__object_reference__namespace_enum_name { - type: string - suggestions: ["MACHINE_INTELLIGENCE", "NORMALIZED_TELEMETRY", "RAW_TELEMETRY", "RULE_DETECTIONS", "SECURITY_COMMAND_CENTER", "SOAR_ALERT", "UNSPECIFIED", "UPPERCASE"] - sql: CASE ${TABLE}.entity.object_reference.namespace WHEN 0 THEN 'NORMALIZED_TELEMETRY' WHEN 1 THEN 'RAW_TELEMETRY' WHEN 2 THEN 'RULE_DETECTIONS' WHEN 3 THEN 'UPPERCASE' WHEN 4 THEN 'MACHINE_INTELLIGENCE' WHEN 5 THEN 'SECURITY_COMMAND_CENTER' WHEN 6 THEN 'UNSPECIFIED' WHEN 7 THEN 'SOAR_ALERT' END ;; - group_label: "entity" - label: "entity.object_reference.namespace_enum_name" - view_label: "Entity" - description: "Namespace the id belongs to." - } # dimension entity__object_reference__namespace_enum_name - - dimension: entity__platform { - type: number - sql: ${TABLE}.entity.platform ;; - group_label: "entity" - label: "entity.platform" - view_label: "Entity" - description: "Platform." - } # dimension entity__platform - - dimension: entity__platform_enum_name { - type: string - suggestions: ["ANDROID", "AWS", "AZURE", "CHROME_OS", "GCP", "IOS", "LINUX", "MAC", "UNKNOWN_PLATFORM", "WINDOWS"] - sql: CASE ${TABLE}.entity.platform WHEN 0 THEN 'UNKNOWN_PLATFORM' WHEN 1 THEN 'WINDOWS' WHEN 2 THEN 'MAC' WHEN 3 THEN 'LINUX' WHEN 4 THEN 'GCP' WHEN 5 THEN 'AWS' WHEN 6 THEN 'AZURE' WHEN 7 THEN 'IOS' WHEN 8 THEN 'ANDROID' WHEN 9 THEN 'CHROME_OS' END ;; - group_label: "entity" - label: "entity.platform_enum_name" - view_label: "Entity" - description: "Platform." - } # dimension entity__platform_enum_name - - dimension: entity__platform_patch_level { - type: string - sql: ${TABLE}.entity.platform_patch_level ;; - group_label: "entity" - label: "entity.platform_patch_level" - view_label: "Entity" - description: "Platform patch level. 
For example, \"Build 17134.48\"" - } # dimension entity__platform_patch_level - - dimension: entity__platform_version { - type: string - sql: ${TABLE}.entity.platform_version ;; - group_label: "entity" - label: "entity.platform_version" - view_label: "Entity" - description: "Platform version. For example, \"Microsoft Windows 1803\"." - } # dimension entity__platform_version - - dimension: entity__port { - type: number - value_format: "#" - sql: ${TABLE}.entity.port ;; - group_label: "entity" - label: "entity.port" - view_label: "Entity" - description: "Source or destination network port number when a specific network connection is described within an event." - } # dimension entity__port - - dimension: entity__process { - hidden: yes - } # dimension entity__process - - dimension: entity__process__command_line { - type: string - sql: ${TABLE}.entity.process.command_line ;; - group_label: "entity" - label: "entity.process.command_line" - view_label: "Entity" - description: "The command line command that created the process." - } # dimension entity__process__command_line - - dimension: entity__registry { - hidden: yes - } # dimension entity__registry - - dimension: entity__registry__registry_key { - type: string - sql: ${TABLE}.entity.registry.registry_key ;; - group_label: "entity" - label: "entity.registry.registry_key" - view_label: "Entity" - description: "Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...)." 
- } # dimension entity__registry__registry_key - - dimension: entity__resource { - hidden: yes - } # dimension entity__resource - - dimension: entity__resource__attribute { - hidden: yes - } # dimension entity__resource__attribute - - dimension: entity__resource__attribute__cloud { - hidden: yes - } # dimension entity__resource__attribute__cloud - - dimension: entity__resource__attribute__cloud__environment { - type: number - sql: ${TABLE}.entity.resource.attribute.cloud.environment ;; - group_label: "entity" - label: "entity.resource.attribute.cloud.environment" - view_label: "Entity" - description: "The Cloud environment." - } # dimension entity__resource__attribute__cloud__environment - - dimension: entity__resource__attribute__cloud__environment_enum_name { - type: string - suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] - sql: CASE ${TABLE}.entity.resource.attribute.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; - group_label: "entity" - label: "entity.resource.attribute.cloud.environment_enum_name" - view_label: "Entity" - description: "The Cloud environment." - } # dimension entity__resource__attribute__cloud__environment_enum_name - - dimension: entity__resource__attribute__cloud__project { - hidden: yes - } # dimension entity__resource__attribute__cloud__project - - dimension: entity__resource__attribute__cloud__project__id { - type: string - sql: ${TABLE}.entity.resource.attribute.cloud.project.id ;; - group_label: "entity" - group_item_label: "entity.resource.attribute.cloud.project.id [D]" - label: "entity.resource.attribute.cloud.project.id" - view_label: "Entity" - description: "Deprecated: Use resource.name or resource.product_object_id. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension entity__resource__attribute__cloud__project__id - - dimension: entity__resource__attribute__cloud__project__name { - type: string - sql: ${TABLE}.entity.resource.attribute.cloud.project.name ;; - group_label: "entity" - group_item_label: "entity.resource.attribute.cloud.project.name [D]" - label: "entity.resource.attribute.cloud.project.name" - view_label: "Entity" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" - } # dimension entity__resource__attribute__cloud__project__name - - dimension: entity__resource__attribute__cloud__project__resource_type { - type: number - sql: ${TABLE}.entity.resource.attribute.cloud.project.resource_type ;; - group_label: "entity" - group_item_label: "entity.resource.attribute.cloud.project.resource_type [D]" - label: "entity.resource.attribute.cloud.project.resource_type" - view_label: "Entity" - description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension entity__resource__attribute__cloud__project__resource_type - - dimension: entity__resource__attribute__cloud__project__resource_type_enum_name { - type: string - suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] - sql: CASE ${TABLE}.entity.resource.attribute.cloud.project.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; - group_label: "entity" - group_item_label: "entity.resource.attribute.cloud.project.resource_type_enum_name [D]" - label: "entity.resource.attribute.cloud.project.resource_type_enum_name" - view_label: "Entity" - description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension entity__resource__attribute__cloud__project__resource_type_enum_name - - dimension_group: entity__resource__attribute__creation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.entity.resource.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.entity.resource.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "entity" - label: "entity.resource.attribute.creation_time" - view_label: "Entity" - description: "Time the resource or entity was created or provisioned." - } # dimension entity__resource__attribute__creation_time - - dimension: entity__resource__attribute__labels { - hidden: yes - } # dimension entity__resource__attribute__labels - - dimension_group: entity__resource__attribute__last_update_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.entity.resource.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.entity.resource.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "entity" - label: "entity.resource.attribute.last_update_time" - view_label: "Entity" - description: "Time the resource or entity was last updated." - } # dimension entity__resource__attribute__last_update_time - - dimension: entity__resource__name { - type: string - sql: ${TABLE}.entity.resource.name ;; - group_label: "entity" - label: "entity.resource.name" - view_label: "Entity" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." 
- } # dimension entity__resource__name - - dimension: entity__resource__parent { - type: string - sql: ${TABLE}.entity.resource.parent ;; - group_label: "entity" - group_item_label: "entity.resource.parent [D]" - label: "entity.resource.parent" - view_label: "Entity" - description: "The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: use resource_ancestors.name. [D]: This field is deprecated and will be removed in a future release" - } # dimension entity__resource__parent - - dimension: entity__resource__product_object_id { - type: string - sql: ${TABLE}.entity.resource.product_object_id ;; - group_label: "entity" - label: "entity.resource.product_object_id" - view_label: "Entity" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" - } # dimension entity__resource__product_object_id - - dimension: entity__resource__resource_subtype { - type: string - sql: ${TABLE}.entity.resource.resource_subtype ;; - group_label: "entity" - label: "entity.resource.resource_subtype" - view_label: "Entity" - description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\")." - } # dimension entity__resource__resource_subtype - - dimension: entity__resource__resource_type { - type: number - sql: ${TABLE}.entity.resource.resource_type ;; - group_label: "entity" - label: "entity.resource.resource_type" - view_label: "Entity" - description: "Resource type." 
- } # dimension entity__resource__resource_type - - dimension: entity__resource__resource_type_enum_name { - type: string - suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] - sql: CASE ${TABLE}.entity.resource.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; - group_label: "entity" - label: "entity.resource.resource_type_enum_name" - view_label: "Entity" - description: "Resource type." - } # dimension entity__resource__resource_type_enum_name - - dimension: entity__resource__type { - type: string - sql: ${TABLE}.entity.resource.type ;; - group_label: "entity" - group_item_label: "entity.resource.type [D]" - label: "entity.resource.type" - view_label: "Entity" - description: "Deprecated: use resource_type instead. [D]: This field is deprecated and will be removed in a future release" - } # dimension entity__resource__type - - dimension: entity__url { - type: string - sql: ${TABLE}.entity.url ;; - group_label: "entity" - label: "entity.url" - view_label: "Entity" - description: "The URL." 
- } # dimension entity__url - - dimension: entity__user { - hidden: yes - } # dimension entity__user - - dimension: entity__user__attribute { - hidden: yes - } # dimension entity__user__attribute - - dimension: entity__user__attribute__cloud { - hidden: yes - } # dimension entity__user__attribute__cloud - - dimension: entity__user__attribute__cloud__environment { - type: number - sql: ${TABLE}.entity.user.attribute.cloud.environment ;; - group_label: "entity" - label: "entity.user.attribute.cloud.environment" - view_label: "Entity" - description: "The Cloud environment." - } # dimension entity__user__attribute__cloud__environment - - dimension: entity__user__attribute__cloud__environment_enum_name { - type: string - suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] - sql: CASE ${TABLE}.entity.user.attribute.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; - group_label: "entity" - label: "entity.user.attribute.cloud.environment_enum_name" - view_label: "Entity" - description: "The Cloud environment." - } # dimension entity__user__attribute__cloud__environment_enum_name - - dimension: entity__user__attribute__cloud__project { - hidden: yes - } # dimension entity__user__attribute__cloud__project - - dimension: entity__user__attribute__cloud__project__id { - type: string - sql: ${TABLE}.entity.user.attribute.cloud.project.id ;; - group_label: "entity" - group_item_label: "entity.user.attribute.cloud.project.id [D]" - label: "entity.user.attribute.cloud.project.id" - view_label: "Entity" - description: "Deprecated: Use resource.name or resource.product_object_id. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension entity__user__attribute__cloud__project__id - - dimension: entity__user__attribute__cloud__project__product_object_id { - type: string - sql: ${TABLE}.entity.user.attribute.cloud.project.product_object_id ;; - group_label: "entity" - group_item_label: "entity.user.attribute.cloud.project.product_object_id [D]" - label: "entity.user.attribute.cloud.project.product_object_id" - view_label: "Entity" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" - } # dimension entity__user__attribute__cloud__project__product_object_id - - dimension: entity__user__attribute__cloud__vpc { - hidden: yes - } # dimension entity__user__attribute__cloud__vpc - - dimension: entity__user__attribute__cloud__vpc__product_object_id { - type: string - sql: ${TABLE}.entity.user.attribute.cloud.vpc.product_object_id ;; - group_label: "entity" - group_item_label: "entity.user.attribute.cloud.vpc.product_object_id [D]" - label: "entity.user.attribute.cloud.vpc.product_object_id" - view_label: "Entity" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" - } # dimension entity__user__attribute__cloud__vpc__product_object_id - - dimension_group: entity__user__attribute__creation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.entity.user.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.entity.user.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "entity" - label: "entity.user.attribute.creation_time" - view_label: "Entity" - description: "Time the resource or entity was created or provisioned." 
- } # dimension entity__user__attribute__creation_time - - dimension: entity__user__attribute__labels { - hidden: yes - } # dimension entity__user__attribute__labels - - dimension_group: entity__user__attribute__last_update_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.entity.user.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.entity.user.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "entity" - label: "entity.user.attribute.last_update_time" - view_label: "Entity" - description: "Time the resource or entity was last updated." - } # dimension entity__user__attribute__last_update_time - - dimension: entity__user__attribute__permissions { - hidden: yes - } # dimension entity__user__attribute__permissions - - dimension: entity__user__attribute__roles { - hidden: yes - } # dimension entity__user__attribute__roles - - dimension: entity__user__company_name { - type: string - sql: ${TABLE}.entity.user.company_name ;; - group_label: "entity" - label: "entity.user.company_name" - view_label: "Entity" - description: "User job company name." - } # dimension entity__user__company_name - - dimension: entity__user__department { - hidden: yes - } # dimension entity__user__department - - dimension: entity__user__email_addresses { - hidden: yes - } # dimension entity__user__email_addresses - - dimension: entity__user__employee_id { - type: string - sql: ${TABLE}.entity.user.employee_id ;; - group_label: "entity" - label: "entity.user.employee_id" - view_label: "Entity" - description: "Human capital management identifier." - } # dimension entity__user__employee_id - - dimension: entity__user__first_name { - type: string - sql: ${TABLE}.entity.user.first_name ;; - group_label: "entity" - label: "entity.user.first_name" - view_label: "Entity" - description: "First name of the user (e.g. \"John\")." 
- } # dimension entity__user__first_name - - dimension: entity__user__group_identifiers { - hidden: yes - } # dimension entity__user__group_identifiers - - dimension_group: entity__user__hire_date { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.entity.user.hire_date.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.entity.user.hire_date.nanos, 0) / 1000) as INT64)) ;; - group_label: "entity" - label: "entity.user.hire_date" - view_label: "Entity" - description: "User job employment hire date." - } # dimension entity__user__hire_date - - dimension: entity__user__last_name { - type: string - sql: ${TABLE}.entity.user.last_name ;; - group_label: "entity" - label: "entity.user.last_name" - view_label: "Entity" - description: "Last name of the user (e.g. \"Locke\")." - } # dimension entity__user__last_name - - dimension: entity__user__managers { - hidden: yes - } # dimension entity__user__managers - - dimension: entity__user__middle_name { - type: string - sql: ${TABLE}.entity.user.middle_name ;; - group_label: "entity" - label: "entity.user.middle_name" - view_label: "Entity" - description: "Middle name of the user." - } # dimension entity__user__middle_name - - dimension: entity__user__office_address { - hidden: yes - } # dimension entity__user__office_address - - dimension: entity__user__office_address__city { - type: string - sql: ${TABLE}.entity.user.office_address.city ;; - group_label: "entity" - label: "entity.user.office_address.city" - view_label: "Entity" - description: "The city." - } # dimension entity__user__office_address__city - - dimension: entity__user__office_address__country_or_region { - type: string - sql: ${TABLE}.entity.user.office_address.country_or_region ;; - group_label: "entity" - label: "entity.user.office_address.country_or_region" - view_label: "Entity" - description: "The country or region." 
- } # dimension entity__user__office_address__country_or_region - - dimension: entity__user__office_address__floor_name { - type: string - sql: ${TABLE}.entity.user.office_address.floor_name ;; - group_label: "entity" - label: "entity.user.office_address.floor_name" - view_label: "Entity" - description: "Floor name, number or a combination of the two for a building. (e.g. \"1-A\")." - } # dimension entity__user__office_address__floor_name - - dimension: entity__user__office_address__name { - type: string - sql: ${TABLE}.entity.user.office_address.name ;; - group_label: "entity" - label: "entity.user.office_address.name" - view_label: "Entity" - description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." - } # dimension entity__user__office_address__name - - dimension: entity__user__office_address__state { - type: string - sql: ${TABLE}.entity.user.office_address.state ;; - group_label: "entity" - label: "entity.user.office_address.state" - view_label: "Entity" - description: "The state." - } # dimension entity__user__office_address__state - - dimension: entity__user__personal_address { - hidden: yes - } # dimension entity__user__personal_address - - dimension: entity__user__personal_address__city { - type: string - sql: ${TABLE}.entity.user.personal_address.city ;; - group_label: "entity" - label: "entity.user.personal_address.city" - view_label: "Entity" - description: "The city." - } # dimension entity__user__personal_address__city - - dimension: entity__user__personal_address__country_or_region { - type: string - sql: ${TABLE}.entity.user.personal_address.country_or_region ;; - group_label: "entity" - label: "entity.user.personal_address.country_or_region" - view_label: "Entity" - description: "The country or region." 
- } # dimension entity__user__personal_address__country_or_region - - dimension: entity__user__personal_address__name { - type: string - sql: ${TABLE}.entity.user.personal_address.name ;; - group_label: "entity" - label: "entity.user.personal_address.name" - view_label: "Entity" - description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." - } # dimension entity__user__personal_address__name - - dimension: entity__user__personal_address__state { - type: string - sql: ${TABLE}.entity.user.personal_address.state ;; - group_label: "entity" - label: "entity.user.personal_address.state" - view_label: "Entity" - description: "The state." - } # dimension entity__user__personal_address__state - - dimension: entity__user__phone_numbers { - hidden: yes - } # dimension entity__user__phone_numbers - - dimension: entity__user__product_object_id { - type: string - sql: ${TABLE}.entity.user.product_object_id ;; - group_label: "entity" - label: "entity.user.product_object_id" - view_label: "Entity" - description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." - } # dimension entity__user__product_object_id - - dimension: entity__user__role_description { - type: string - sql: ${TABLE}.entity.user.role_description ;; - group_label: "entity" - group_item_label: "entity.user.role_description [D]" - label: "entity.user.role_description" - view_label: "Entity" - description: "System role description for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" - } # dimension entity__user__role_description - - dimension: entity__user__role_name { - type: string - sql: ${TABLE}.entity.user.role_name ;; - group_label: "entity" - group_item_label: "entity.user.role_name [D]" - label: "entity.user.role_name" - view_label: "Entity" - description: "System role name for user. 
Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" - } # dimension entity__user__role_name - - dimension_group: entity__user__termination_date { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.entity.user.termination_date.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.entity.user.termination_date.nanos, 0) / 1000) as INT64)) ;; - group_label: "entity" - label: "entity.user.termination_date" - view_label: "Entity" - description: "User job employment termination date." - } # dimension entity__user__termination_date - - dimension: entity__user__time_off { - hidden: yes - } # dimension entity__user__time_off - - dimension: entity__user__title { - type: string - sql: ${TABLE}.entity.user.title ;; - group_label: "entity" - label: "entity.user.title" - view_label: "Entity" - description: "User job title." - } # dimension entity__user__title - - dimension: entity__user__user_authentication_status { - type: number - sql: ${TABLE}.entity.user.user_authentication_status ;; - group_label: "entity" - label: "entity.user.user_authentication_status" - view_label: "Entity" - description: "System authentication status for user." - } # dimension entity__user__user_authentication_status - - dimension: entity__user__user_authentication_status_enum_name { - type: string - suggestions: ["ACTIVE", "DELETED", "NO_ACTIVE_CREDENTIALS", "SUSPENDED", "UNKNOWN_AUTHENTICATION_STATUS"] - sql: CASE ${TABLE}.entity.user.user_authentication_status WHEN 0 THEN 'UNKNOWN_AUTHENTICATION_STATUS' WHEN 1 THEN 'ACTIVE' WHEN 2 THEN 'SUSPENDED' WHEN 3 THEN 'NO_ACTIVE_CREDENTIALS' WHEN 4 THEN 'DELETED' END ;; - group_label: "entity" - label: "entity.user.user_authentication_status_enum_name" - view_label: "Entity" - description: "System authentication status for user." 
- } # dimension entity__user__user_authentication_status_enum_name - - dimension: entity__user__user_display_name { - type: string - sql: ${TABLE}.entity.user.user_display_name ;; - group_label: "entity" - label: "entity.user.user_display_name" - view_label: "Entity" - description: "The display name of the user (e.g. \"John Locke\")." - } # dimension entity__user__user_display_name - - dimension: entity__user__user_role { - type: number - sql: ${TABLE}.entity.user.user_role ;; - group_label: "entity" - group_item_label: "entity.user.user_role [D]" - label: "entity.user.user_role" - view_label: "Entity" - description: "System role for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" - } # dimension entity__user__user_role - - dimension: entity__user__user_role_enum_name { - type: string - suggestions: ["ADMINISTRATOR", "SERVICE_ACCOUNT", "UNKNOWN_ROLE"] - sql: CASE ${TABLE}.entity.user.user_role WHEN 0 THEN 'UNKNOWN_ROLE' WHEN 1 THEN 'ADMINISTRATOR' WHEN 2 THEN 'SERVICE_ACCOUNT' END ;; - group_label: "entity" - group_item_label: "entity.user.user_role_enum_name [D]" - label: "entity.user.user_role_enum_name" - view_label: "Entity" - description: "System role for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" - } # dimension entity__user__user_role_enum_name - - dimension: entity__user__userid { - type: string - sql: ${TABLE}.entity.user.userid ;; - group_label: "entity" - label: "entity.user.userid" - view_label: "Entity" - description: "The ID of the user." - } # dimension entity__user__userid - - dimension: entity__user__windows_sid { - type: string - sql: ${TABLE}.entity.user.windows_sid ;; - group_label: "entity" - label: "entity.user.windows_sid" - view_label: "Entity" - description: "The Microsoft Windows SID of the user." 
- } # dimension entity__user__windows_sid - - dimension: entity__user_management_chain { - hidden: yes - } # dimension entity__user_management_chain - - dimension: metadata { - hidden: yes - } # dimension metadata - - dimension_group: metadata__collected_timestamp { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.metadata.collected_timestamp.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.metadata.collected_timestamp.nanos, 0) / 1000) as INT64)) ;; - group_label: "metadata" - label: "metadata.collected_timestamp" - view_label: "Entity" - description: "GMT timestamp when the entity information was collected by the vendor's local collection infrastructure." - } # dimension metadata__collected_timestamp - - dimension_group: metadata__creation_timestamp { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.metadata.creation_timestamp.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.metadata.creation_timestamp.nanos, 0) / 1000) as INT64)) ;; - group_label: "metadata" - label: "metadata.creation_timestamp" - view_label: "Entity" - description: "GMT timestamp when the entity described by the product_entity_id was created on the system where data was collected." - } # dimension metadata__creation_timestamp - - dimension: metadata__description { - type: string - sql: ${TABLE}.metadata.description ;; - group_label: "metadata" - label: "metadata.description" - view_label: "Entity" - description: "Human-readable description of the entity." - } # dimension metadata__description - - dimension: metadata__entity_type { - type: number - sql: ${TABLE}.metadata.entity_type ;; - group_label: "metadata" - label: "metadata.entity_type" - view_label: "Entity" - description: "Entity type. If an entity has multiple possible types, this specifies the most specific type." 
- } # dimension metadata__entity_type - - dimension: metadata__entity_type_enum_name { - type: string - suggestions: ["ASSET", "DOMAIN_NAME", "FILE", "GROUP", "IP_ADDRESS", "METRIC", "MUTEX", "RESOURCE", "UNKNOWN_ENTITYTYPE", "URL", "USER"] - sql: CASE ${TABLE}.metadata.entity_type WHEN 0 THEN 'UNKNOWN_ENTITYTYPE' WHEN 1 THEN 'ASSET' WHEN 10000 THEN 'USER' WHEN 10001 THEN 'GROUP' WHEN 2 THEN 'RESOURCE' WHEN 3 THEN 'IP_ADDRESS' WHEN 4 THEN 'FILE' WHEN 5 THEN 'DOMAIN_NAME' WHEN 6 THEN 'URL' WHEN 7 THEN 'MUTEX' WHEN 8 THEN 'METRIC' END ;; - group_label: "metadata" - label: "metadata.entity_type_enum_name" - view_label: "Entity" - description: "Entity type. If an entity has multiple possible types, this specifies the most specific type." - } # dimension metadata__entity_type_enum_name - - dimension: metadata__event_metadata { - hidden: yes - } # dimension metadata__event_metadata - - dimension: metadata__event_metadata__base_labels { - hidden: yes - } # dimension metadata__event_metadata__base_labels - - dimension: metadata__event_metadata__base_labels__log_types { - hidden: yes - } # dimension metadata__event_metadata__base_labels__log_types - - dimension: metadata__event_metadata__base_labels__namespaces { - hidden: yes - } # dimension metadata__event_metadata__base_labels__namespaces - - dimension_group: metadata__interval { - type: duration - intervals: [ second, minute, hour ] - sql_start: TIMESTAMP_MICROS(IFNULL(${TABLE}.metadata.interval.start_time.seconds,0) * 1000000 + CAST((IFNULL(${TABLE}.metadata.interval.start_time.nanos,0) / 1000) as INT64)) ;; - sql_end: TIMESTAMP_MICROS(IFNULL(${TABLE}.metadata.interval.end_time.seconds,0) * 1000000 + CAST((IFNULL(${TABLE}.metadata.interval.end_time.nanos,0) / 1000) as INT64)) ;; - group_label: "metadata" - label: "metadata.interval" - view_label: "Entity" - description: "Valid existence time range for the version of the entity represented by this entity data." 
- } # dimension metadata__interval - - dimension: metadata__product_entity_id { - type: string - sql: ${TABLE}.metadata.product_entity_id ;; - group_label: "metadata" - label: "metadata.product_entity_id" - view_label: "Entity" - description: "A vendor-specific identifier that uniquely identifies the entity (e.g. a GUID, LDAP, OID, or similar)." - } # dimension metadata__product_entity_id - - dimension: metadata__product_name { - type: string - sql: ${TABLE}.metadata.product_name ;; - group_label: "metadata" - label: "metadata.product_name" - view_label: "Entity" - description: "Product name that produced the entity information." - } # dimension metadata__product_name - - dimension: metadata__product_version { - type: string - sql: ${TABLE}.metadata.product_version ;; - group_label: "metadata" - label: "metadata.product_version" - view_label: "Entity" - description: "Version of the product that produced the entity information." - } # dimension metadata__product_version - - dimension: metadata__source_labels { - hidden: yes - } # dimension metadata__source_labels - - dimension: metadata__source_type { - type: number - sql: ${TABLE}.metadata.source_type ;; - group_label: "metadata" - label: "metadata.source_type" - view_label: "Entity" - description: "The source of the entity." - } # dimension metadata__source_type - - dimension: metadata__source_type_enum_name { - type: string - suggestions: ["DERIVED_CONTEXT", "ENTITY_CONTEXT", "GLOBAL_CONTEXT", "SOURCE_TYPE_UNSPECIFIED"] - sql: CASE ${TABLE}.metadata.source_type WHEN 0 THEN 'SOURCE_TYPE_UNSPECIFIED' WHEN 1 THEN 'ENTITY_CONTEXT' WHEN 2 THEN 'DERIVED_CONTEXT' WHEN 3 THEN 'GLOBAL_CONTEXT' END ;; - group_label: "metadata" - label: "metadata.source_type_enum_name" - view_label: "Entity" - description: "The source of the entity." 
- } # dimension metadata__source_type_enum_name - - dimension: metadata__threat { - hidden: yes - } # dimension metadata__threat - - dimension: metadata__vendor_name { - type: string - sql: ${TABLE}.metadata.vendor_name ;; - group_label: "metadata" - label: "metadata.vendor_name" - view_label: "Entity" - description: "Vendor name of the product that produced the entity information." - } # dimension metadata__vendor_name - - dimension: relations { - hidden: yes - } # dimension relations - -} # view entity_graph - -view: entity_graph__additional__fields { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "additional" - label: "additional.fields.key" - view_label: "Entity" - } # dimension key - - dimension: value { - hidden: yes - } # dimension value - - dimension: value__number_value { - type: number - sql: ${TABLE}.value.number_value ;; - group_label: "additional" - label: "additional.fields.value.number_value" - view_label: "Entity" - } # dimension value__number_value - - dimension: value__string_value { - type: string - sql: ${TABLE}.value.string_value ;; - group_label: "additional" - label: "additional.fields.value.string_value" - view_label: "Entity" - } # dimension value__string_value - -} # view entity_graph__additional__fields - -view: entity_graph__entity__artifact__network__email__to { - dimension: entity_graph__entity__artifact__network__email__to { - type: string - sql: ${TABLE} ;; - group_label: "entity" - label: "entity.artifact.network.email.to" - view_label: "Entity" - description: "A list of 'to' addresses." - } # dimension entity_graph__entity__artifact__network__email__to -} # view entity_graph__entity__artifact__network__email__to - -view: entity_graph__entity__asset__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "entity" - label: "entity.asset.attribute.labels.key" - view_label: "Entity" - description: "The key." 
- } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "entity" - label: "entity.asset.attribute.labels.value" - view_label: "Entity" - description: "The value." - } # dimension value - -} # view entity_graph__entity__asset__attribute__labels - -view: entity_graph__entity__asset__hardware { - dimension: cpu_model { - type: string - sql: ${TABLE}.cpu_model ;; - group_label: "entity" - label: "entity.asset.hardware.cpu_model" - view_label: "Entity" - description: "Model description of the hardware CPU (e.g. \"2.8 GHz Quad-Core Intel Core i5\")." - } # dimension cpu_model - - dimension: cpu_platform { - type: string - sql: ${TABLE}.cpu_platform ;; - group_label: "entity" - label: "entity.asset.hardware.cpu_platform" - view_label: "Entity" - description: "Platform of the hardware CPU (e.g. \"Intel Broadwell\")." - } # dimension cpu_platform - - dimension: manufacturer { - type: string - sql: ${TABLE}.manufacturer ;; - group_label: "entity" - label: "entity.asset.hardware.manufacturer" - view_label: "Entity" - description: "Hardware manufacturer." - } # dimension manufacturer - - dimension: model { - type: string - sql: ${TABLE}.model ;; - group_label: "entity" - label: "entity.asset.hardware.model" - view_label: "Entity" - description: "Hardware model." - } # dimension model - - dimension: ram { - type: number - sql: ${TABLE}.ram ;; - group_label: "entity" - label: "entity.asset.hardware.ram" - view_label: "Entity" - description: "Amount of the hardware ramdom access memory (RAM) in Mb." - } # dimension ram - - dimension: serial_number { - type: string - sql: ${TABLE}.serial_number ;; - group_label: "entity" - label: "entity.asset.hardware.serial_number" - view_label: "Entity" - description: "Hardware serial number." 
- } # dimension serial_number - -} # view entity_graph__entity__asset__hardware - -view: entity_graph__entity__asset__ip { - dimension: entity_graph__entity__asset__ip { - type: string - sql: ${TABLE} ;; - group_label: "entity" - label: "entity.asset.ip" - view_label: "Entity" - description: "A list of IP addresses associated with an asset." - } # dimension entity_graph__entity__asset__ip -} # view entity_graph__entity__asset__ip - -view: entity_graph__entity__asset__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "entity" - group_item_label: "entity.asset.labels.key [D]" - label: "entity.asset.labels.key" - view_label: "Entity" - description: "The key. [D]: This field is deprecated and will be removed in a future release" - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "entity" - group_item_label: "entity.asset.labels.value [D]" - label: "entity.asset.labels.value" - view_label: "Entity" - description: "The value. [D]: This field is deprecated and will be removed in a future release" - } # dimension value - -} # view entity_graph__entity__asset__labels - -view: entity_graph__entity__asset__mac { - dimension: entity_graph__entity__asset__mac { - type: string - sql: ${TABLE} ;; - group_label: "entity" - label: "entity.asset.mac" - view_label: "Entity" - description: "List of MAC addresses associated with an asset." - } # dimension entity_graph__entity__asset__mac -} # view entity_graph__entity__asset__mac - -view: entity_graph__entity__asset__nat_ip { - dimension: entity_graph__entity__asset__nat_ip { - type: string - sql: ${TABLE} ;; - group_label: "entity" - label: "entity.asset.nat_ip" - view_label: "Entity" - description: "List of NAT IP addresses associated with an asset." 
- } # dimension entity_graph__entity__asset__nat_ip -} # view entity_graph__entity__asset__nat_ip - -view: entity_graph__entity__asset__software__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "entity" - label: "entity.asset.software.permissions.description" - view_label: "Entity" - description: "Description of the permission (e.g. 'Ability to update detect rules')." - } # dimension description - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "entity" - label: "entity.asset.software.permissions.name" - view_label: "Entity" - description: "Name of the permission (e.g. chronicle.analyst.updateRule)." - } # dimension name - -} # view entity_graph__entity__asset__software__permissions - -view: entity_graph__entity__asset__software { - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "entity" - label: "entity.asset.software.name" - view_label: "Entity" - description: "The name of the software." - } # dimension name - - dimension: permissions { - hidden: yes - } # dimension permissions - - dimension: version { - type: string - sql: ${TABLE}.version ;; - group_label: "entity" - label: "entity.asset.software.version" - view_label: "Entity" - description: "The version of the software." - } # dimension version - -} # view entity_graph__entity__asset__software - -view: entity_graph__entity__asset__vulnerabilities__about__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "entity" - group_item_label: "entity.asset.vulnerabilities.about.labels.key [D]" - label: "entity.asset.vulnerabilities.about.labels.key" - view_label: "Entity" - description: "The key. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "entity" - group_item_label: "entity.asset.vulnerabilities.about.labels.value [D]" - label: "entity.asset.vulnerabilities.about.labels.value" - view_label: "Entity" - description: "The value. [D]: This field is deprecated and will be removed in a future release" - } # dimension value - -} # view entity_graph__entity__asset__vulnerabilities__about__labels - -view: entity_graph__entity__asset__vulnerabilities { - dimension: about { - hidden: yes - } # dimension about - - dimension: about__labels { - hidden: yes - } # dimension about__labels - - dimension: about__namespace { - type: string - sql: ${TABLE}.about.namespace ;; - group_label: "entity" - label: "entity.asset.vulnerabilities.about.namespace" - view_label: "Entity" - description: "Namespace which the device belongs to (e.g. AD forest) Uses for this field include Microsoft Windows AD forest, name of subsidiary or acquisition, etc." - } # dimension about__namespace - - dimension: cve_description { - type: string - sql: ${TABLE}.cve_description ;; - group_label: "entity" - label: "entity.asset.vulnerabilities.cve_description" - view_label: "Entity" - description: "Common Vulnerabilities and Exposures Description. 
https://cve.mitre.org/about/faqs.html#what_is_cve_record" - } # dimension cve_description - - dimension: cve_id { - type: string - sql: ${TABLE}.cve_id ;; - group_label: "entity" - label: "entity.asset.vulnerabilities.cve_id" - view_label: "Entity" - description: "Common Vulnerabilities and Exposures Id.https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures https://cve.mitre.org/about/faqs.html#what_is_cve_id" - } # dimension cve_id - - dimension: cvss_base_score { - type: number - sql: ${TABLE}.cvss_base_score ;; - group_label: "entity" - label: "entity.asset.vulnerabilities.cvss_base_score" - view_label: "Entity" - description: "CVSS Base Score in the range of 0.0 to 10.0. Useful for sorting." - } # dimension cvss_base_score - - dimension: cvss_vector { - type: string - sql: ${TABLE}.cvss_vector ;; - group_label: "entity" - label: "entity.asset.vulnerabilities.cvss_vector" - view_label: "Entity" - description: "Vector of CVSS properties (e.g. \"AV:L/AC:H/Au:N/C:N/I:P/A:C\") Can be linked to via: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=VALUE" - } # dimension cvss_vector - - dimension: cvss_version { - type: string - sql: ${TABLE}.cvss_version ;; - group_label: "entity" - label: "entity.asset.vulnerabilities.cvss_version" - view_label: "Entity" - description: "Version of CVSS Vector/Score." - } # dimension cvss_version - - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "entity" - label: "entity.asset.vulnerabilities.description" - view_label: "Entity" - description: "Description of the vulnerability." 
- } # dimension description - - dimension_group: entity__asset__vulnerabilities__first_found { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.first_found.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.first_found.nanos, 0) / 1000) as INT64)) ;; - group_label: "entity" - label: "entity.asset.vulnerabilities.first_found" - view_label: "Entity" - description: "Products that maintain a history of vuln scans should populate first_found with the time that a scan first detected the vulnerability on this asset." - } # dimension entity__asset__vulnerabilities__first_found - - dimension_group: entity__asset__vulnerabilities__last_found { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.last_found.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.last_found.nanos, 0) / 1000) as INT64)) ;; - group_label: "entity" - label: "entity.asset.vulnerabilities.last_found" - view_label: "Entity" - description: "Products that maintain a history of vuln scans should populate last_found with the time that a scan last detected the vulnerability on this asset." - } # dimension entity__asset__vulnerabilities__last_found - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "entity" - label: "entity.asset.vulnerabilities.name" - view_label: "Entity" - description: "Name of the vulnerability (e.g. \"Unsupported OS Version detected\")." 
- } # dimension name - - dimension_group: entity__asset__vulnerabilities__scan_end_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.scan_end_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.scan_end_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "entity" - label: "entity.asset.vulnerabilities.scan_end_time" - view_label: "Entity" - description: "If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan ended. This field can be left unset if the end time is not available or not applicable." - } # dimension entity__asset__vulnerabilities__scan_end_time - - dimension_group: entity__asset__vulnerabilities__scan_start_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.scan_start_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.scan_start_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "entity" - label: "entity.asset.vulnerabilities.scan_start_time" - view_label: "Entity" - description: "If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan started. This field can be left unset if the start time is not available or not applicable." - } # dimension entity__asset__vulnerabilities__scan_start_time - - dimension: severity { - type: number - sql: ${TABLE}.severity ;; - group_label: "entity" - label: "entity.asset.vulnerabilities.severity" - view_label: "Entity" - description: "The severity of the vulnerability." 
- } # dimension severity - - dimension: severity_enum_name { - type: string - suggestions: ["CRITICAL", "HIGH", "LOW", "MEDIUM", "UNKNOWN_SEVERITY"] - sql: CASE ${TABLE}.severity WHEN 0 THEN 'UNKNOWN_SEVERITY' WHEN 1 THEN 'LOW' WHEN 2 THEN 'MEDIUM' WHEN 3 THEN 'HIGH' WHEN 4 THEN 'CRITICAL' END ;; - group_label: "entity" - label: "entity.asset.vulnerabilities.severity_enum_name" - view_label: "Entity" - description: "The severity of the vulnerability." - } # dimension severity_enum_name - - dimension: severity_details { - type: string - sql: ${TABLE}.severity_details ;; - group_label: "entity" - label: "entity.asset.vulnerabilities.severity_details" - view_label: "Entity" - description: "Vendor-specific severity" - } # dimension severity_details - - dimension: vendor { - type: string - sql: ${TABLE}.vendor ;; - group_label: "entity" - label: "entity.asset.vulnerabilities.vendor" - view_label: "Entity" - description: "Vendor of scan that discovered vulnerability." - } # dimension vendor - - dimension: vendor_knowledge_base_article_id { - type: string - sql: ${TABLE}.vendor_knowledge_base_article_id ;; - group_label: "entity" - label: "entity.asset.vulnerabilities.vendor_knowledge_base_article_id" - view_label: "Entity" - description: "Vendor specific knowledge base article (e.g. \"KBXXXXXX\" from Microsoft). https://en.wikipedia.org/wiki/Microsoft_Knowledge_Base https://access.redhat.com/knowledgebase" - } # dimension vendor_knowledge_base_article_id - -} # view entity_graph__entity__asset__vulnerabilities - -view: entity_graph__entity__domain__admin__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "entity" - label: "entity.domain.admin.attribute.labels.key" - view_label: "Entity" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "entity" - label: "entity.domain.admin.attribute.labels.value" - view_label: "Entity" - description: "The value." 
- } # dimension value - -} # view entity_graph__entity__domain__admin__attribute__labels - -view: entity_graph__entity__domain__billing__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "entity" - label: "entity.domain.billing.attribute.labels.key" - view_label: "Entity" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "entity" - label: "entity.domain.billing.attribute.labels.value" - view_label: "Entity" - description: "The value." - } # dimension value - -} # view entity_graph__entity__domain__billing__attribute__labels - -view: entity_graph__entity__domain__name_server { - dimension: entity_graph__entity__domain__name_server { - type: string - sql: ${TABLE} ;; - group_label: "entity" - label: "entity.domain.name_server" - view_label: "Entity" - description: "Repeated list of name servers." - } # dimension entity_graph__entity__domain__name_server -} # view entity_graph__entity__domain__name_server - -view: entity_graph__entity__domain__registrant__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "entity" - label: "entity.domain.registrant.attribute.labels.key" - view_label: "Entity" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "entity" - label: "entity.domain.registrant.attribute.labels.value" - view_label: "Entity" - description: "The value." - } # dimension value - -} # view entity_graph__entity__domain__registrant__attribute__labels - -view: entity_graph__entity__domain__registrant__email_addresses { - dimension: entity_graph__entity__domain__registrant__email_addresses { - type: string - sql: ${TABLE} ;; - group_label: "entity" - label: "entity.domain.registrant.email_addresses" - view_label: "Entity" - description: "Email addresses of the user." 
- } # dimension entity_graph__entity__domain__registrant__email_addresses -} # view entity_graph__entity__domain__registrant__email_addresses - -view: entity_graph__entity__domain__tech__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "entity" - label: "entity.domain.tech.attribute.labels.key" - view_label: "Entity" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "entity" - label: "entity.domain.tech.attribute.labels.value" - view_label: "Entity" - description: "The value." - } # dimension value - -} # view entity_graph__entity__domain__tech__attribute__labels - -view: entity_graph__entity__file__names { - dimension: entity_graph__entity__file__names { - type: string - sql: ${TABLE} ;; - group_label: "entity" - label: "entity.file.names" - view_label: "Entity" - description: "Names fields." - } # dimension entity_graph__entity__file__names -} # view entity_graph__entity__file__names - -view: entity_graph__entity__file__pe_file__resource { - dimension: entropy { - type: number - sql: ${TABLE}.entropy ;; - group_label: "entity" - label: "entity.file.pe_file.resource.entropy" - view_label: "Entity" - description: "Entropy of the resource." - } # dimension entropy - -} # view entity_graph__entity__file__pe_file__resource - -view: entity_graph__entity__group__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "entity" - label: "entity.group.attribute.labels.key" - view_label: "Entity" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "entity" - label: "entity.group.attribute.labels.value" - view_label: "Entity" - description: "The value." 
- } # dimension value - -} # view entity_graph__entity__group__attribute__labels - -view: entity_graph__entity__group__email_addresses { - dimension: entity_graph__entity__group__email_addresses { - type: string - sql: ${TABLE} ;; - group_label: "entity" - label: "entity.group.email_addresses" - view_label: "Entity" - description: "Email addresses of the group." - } # dimension entity_graph__entity__group__email_addresses -} # view entity_graph__entity__group__email_addresses - -view: entity_graph__entity__ip { - dimension: entity_graph__entity__ip { - type: string - sql: ${TABLE} ;; - group_label: "entity" - label: "entity.ip" - view_label: "Entity" - description: "A list of IP addresses associated with a network connection." - } # dimension entity_graph__entity__ip -} # view entity_graph__entity__ip - -view: entity_graph__entity__ip_geo_artifact { - dimension: ip { - type: string - sql: ${TABLE}.ip ;; - group_label: "entity" - label: "entity.ip_geo_artifact.ip" - view_label: "Entity" - description: "IP address of the artifact." - } # dimension ip - - dimension: location { - hidden: yes - } # dimension location - - dimension: location__city { - type: string - sql: ${TABLE}.location.city ;; - group_label: "entity" - label: "entity.ip_geo_artifact.location.city" - view_label: "Entity" - description: "The city." - } # dimension location__city - - dimension: location__country_or_region { - type: string - sql: ${TABLE}.location.country_or_region ;; - group_label: "entity" - label: "entity.ip_geo_artifact.location.country_or_region" - view_label: "Entity" - description: "The country or region." 
- } # dimension location__country_or_region - - dimension: location__region_coordinates { - type: location - sql_latitude: ${TABLE}.location.region_coordinates.latitude ;; - sql_longitude: ${TABLE}.location.region_coordinates.longitude ;; - group_label: "entity" - group_item_label: "entity.ip_geo_artifact.location.region_coordinates [L]" - label: "entity.ip_geo_artifact.location.region_coordinates" - view_label: "Entity" - description: "Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. [L]: This is a location field and can be used in maps." - } # dimension location__region_coordinates - - dimension: network { - hidden: yes - } # dimension network - - dimension: network__asn { - type: string - sql: ${TABLE}.network.asn ;; - group_label: "entity" - label: "entity.ip_geo_artifact.network.asn" - view_label: "Entity" - description: "Autonomous system number." - } # dimension network__asn - - dimension: network__organization_name { - type: string - sql: ${TABLE}.network.organization_name ;; - group_label: "entity" - label: "entity.ip_geo_artifact.network.organization_name" - view_label: "Entity" - description: "Organization name (e.g Google)." - } # dimension network__organization_name - -} # view entity_graph__entity__ip_geo_artifact - -view: entity_graph__entity__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "entity" - group_item_label: "entity.labels.key [D]" - label: "entity.labels.key" - view_label: "Entity" - description: "The key. [D]: This field is deprecated and will be removed in a future release" - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "entity" - group_item_label: "entity.labels.value [D]" - label: "entity.labels.value" - view_label: "Entity" - description: "The value. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension value - -} # view entity_graph__entity__labels - -view: entity_graph__entity__mac { - dimension: entity_graph__entity__mac { - type: string - sql: ${TABLE} ;; - group_label: "entity" - label: "entity.mac" - view_label: "Entity" - description: "List of MAC addresses associated with a device." - } # dimension entity_graph__entity__mac -} # view entity_graph__entity__mac - -view: entity_graph__entity__resource__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "entity" - label: "entity.resource.attribute.labels.key" - view_label: "Entity" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "entity" - label: "entity.resource.attribute.labels.value" - view_label: "Entity" - description: "The value." - } # dimension value - -} # view entity_graph__entity__resource__attribute__labels - -view: entity_graph__entity__user__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "entity" - label: "entity.user.attribute.labels.key" - view_label: "Entity" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "entity" - label: "entity.user.attribute.labels.value" - view_label: "Entity" - description: "The value." - } # dimension value - -} # view entity_graph__entity__user__attribute__labels - -view: entity_graph__entity__user__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "entity" - label: "entity.user.attribute.permissions.description" - view_label: "Entity" - description: "Description of the permission (e.g. 'Ability to update detect rules')." 
- } # dimension description - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "entity" - label: "entity.user.attribute.permissions.name" - view_label: "Entity" - description: "Name of the permission (e.g. chronicle.analyst.updateRule)." - } # dimension name - - dimension: type { - type: number - sql: ${TABLE}.type ;; - group_label: "entity" - label: "entity.user.attribute.permissions.type" - view_label: "Entity" - description: "Type of the permission." - } # dimension type - - dimension: type_enum_name { - type: string - suggestions: ["ADMIN_READ", "ADMIN_WRITE", "DATA_READ", "DATA_WRITE", "UNKNOWN_PERMISSION_TYPE"] - sql: CASE ${TABLE}.type WHEN 0 THEN 'UNKNOWN_PERMISSION_TYPE' WHEN 1 THEN 'ADMIN_WRITE' WHEN 2 THEN 'ADMIN_READ' WHEN 3 THEN 'DATA_WRITE' WHEN 4 THEN 'DATA_READ' END ;; - group_label: "entity" - label: "entity.user.attribute.permissions.type_enum_name" - view_label: "Entity" - description: "Type of the permission." - } # dimension type_enum_name - -} # view entity_graph__entity__user__attribute__permissions - -view: entity_graph__entity__user__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "entity" - label: "entity.user.attribute.roles.description" - view_label: "Entity" - description: "System role description for user." - } # dimension description - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "entity" - label: "entity.user.attribute.roles.name" - view_label: "Entity" - description: "System role name for user." - } # dimension name - - dimension: type { - type: number - sql: ${TABLE}.type ;; - group_label: "entity" - label: "entity.user.attribute.roles.type" - view_label: "Entity" - description: "System role type for well known roles." 
- } # dimension type - - dimension: type_enum_name { - type: string - suggestions: ["ADMINISTRATOR", "SERVICE_ACCOUNT", "TYPE_UNSPECIFIED"] - sql: CASE ${TABLE}.type WHEN 0 THEN 'TYPE_UNSPECIFIED' WHEN 1 THEN 'ADMINISTRATOR' WHEN 2 THEN 'SERVICE_ACCOUNT' END ;; - group_label: "entity" - label: "entity.user.attribute.roles.type_enum_name" - view_label: "Entity" - description: "System role type for well known roles." - } # dimension type_enum_name - -} # view entity_graph__entity__user__attribute__roles - -view: entity_graph__entity__user__department { - dimension: entity_graph__entity__user__department { - type: string - sql: ${TABLE} ;; - group_label: "entity" - label: "entity.user.department" - view_label: "Entity" - description: "User job department" - } # dimension entity_graph__entity__user__department -} # view entity_graph__entity__user__department - -view: entity_graph__entity__user__email_addresses { - dimension: entity_graph__entity__user__email_addresses { - type: string - sql: ${TABLE} ;; - group_label: "entity" - label: "entity.user.email_addresses" - view_label: "Entity" - description: "Email addresses of the user." - } # dimension entity_graph__entity__user__email_addresses -} # view entity_graph__entity__user__email_addresses - -view: entity_graph__entity__user__group_identifiers { - dimension: entity_graph__entity__user__group_identifiers { - type: string - sql: ${TABLE} ;; - group_label: "entity" - label: "entity.user.group_identifiers" - view_label: "Entity" - description: "Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar)." 
- } # dimension entity_graph__entity__user__group_identifiers -} # view entity_graph__entity__user__group_identifiers - -view: entity_graph__entity__user__managers__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "entity" - label: "entity.user.managers.attribute.labels.key" - view_label: "Entity" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "entity" - label: "entity.user.managers.attribute.labels.value" - view_label: "Entity" - description: "The value." - } # dimension value - -} # view entity_graph__entity__user__managers__attribute__labels - -view: entity_graph__entity__user__managers__attribute__roles { - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "entity" - label: "entity.user.managers.attribute.roles.name" - view_label: "Entity" - description: "System role name for user." - } # dimension name - - dimension: type { - type: number - sql: ${TABLE}.type ;; - group_label: "entity" - label: "entity.user.managers.attribute.roles.type" - view_label: "Entity" - description: "System role type for well known roles." - } # dimension type - - dimension: type_enum_name { - type: string - suggestions: ["ADMINISTRATOR", "SERVICE_ACCOUNT", "TYPE_UNSPECIFIED"] - sql: CASE ${TABLE}.type WHEN 0 THEN 'TYPE_UNSPECIFIED' WHEN 1 THEN 'ADMINISTRATOR' WHEN 2 THEN 'SERVICE_ACCOUNT' END ;; - group_label: "entity" - label: "entity.user.managers.attribute.roles.type_enum_name" - view_label: "Entity" - description: "System role type for well known roles." 
- } # dimension type_enum_name - -} # view entity_graph__entity__user__managers__attribute__roles - -view: entity_graph__entity__user__managers__department { - dimension: entity_graph__entity__user__managers__department { - type: string - sql: ${TABLE} ;; - group_label: "entity" - label: "entity.user.managers.department" - view_label: "Entity" - description: "User job department" - } # dimension entity_graph__entity__user__managers__department -} # view entity_graph__entity__user__managers__department - -view: entity_graph__entity__user__managers__email_addresses { - dimension: entity_graph__entity__user__managers__email_addresses { - type: string - sql: ${TABLE} ;; - group_label: "entity" - label: "entity.user.managers.email_addresses" - view_label: "Entity" - description: "Email addresses of the user." - } # dimension entity_graph__entity__user__managers__email_addresses -} # view entity_graph__entity__user__managers__email_addresses - -view: entity_graph__entity__user__managers__group_identifiers { - dimension: entity_graph__entity__user__managers__group_identifiers { - type: string - sql: ${TABLE} ;; - group_label: "entity" - label: "entity.user.managers.group_identifiers" - view_label: "Entity" - description: "Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar)." - } # dimension entity_graph__entity__user__managers__group_identifiers -} # view entity_graph__entity__user__managers__group_identifiers - -view: entity_graph__entity__user__managers__phone_numbers { - dimension: entity_graph__entity__user__managers__phone_numbers { - type: string - sql: ${TABLE} ;; - group_label: "entity" - label: "entity.user.managers.phone_numbers" - view_label: "Entity" - description: "Phone numbers for the user." 
- } # dimension entity_graph__entity__user__managers__phone_numbers -} # view entity_graph__entity__user__managers__phone_numbers - -view: entity_graph__entity__user__managers { - dimension: attribute { - hidden: yes - } # dimension attribute - - dimension: attribute__labels { - hidden: yes - } # dimension attribute__labels - - dimension: attribute__roles { - hidden: yes - } # dimension attribute__roles - - dimension: company_name { - type: string - sql: ${TABLE}.company_name ;; - group_label: "entity" - label: "entity.user.managers.company_name" - view_label: "Entity" - description: "User job company name." - } # dimension company_name - - dimension: department { - hidden: yes - } # dimension department - - dimension: email_addresses { - hidden: yes - } # dimension email_addresses - - dimension: employee_id { - type: string - sql: ${TABLE}.employee_id ;; - group_label: "entity" - label: "entity.user.managers.employee_id" - view_label: "Entity" - description: "Human capital management identifier." - } # dimension employee_id - - dimension: first_name { - type: string - sql: ${TABLE}.first_name ;; - group_label: "entity" - label: "entity.user.managers.first_name" - view_label: "Entity" - description: "First name of the user (e.g. \"John\")." - } # dimension first_name - - dimension: group_identifiers { - hidden: yes - } # dimension group_identifiers - - dimension: last_name { - type: string - sql: ${TABLE}.last_name ;; - group_label: "entity" - label: "entity.user.managers.last_name" - view_label: "Entity" - description: "Last name of the user (e.g. \"Locke\")." - } # dimension last_name - - dimension: personal_address { - hidden: yes - } # dimension personal_address - - dimension: personal_address__city { - type: string - sql: ${TABLE}.personal_address.city ;; - group_label: "entity" - label: "entity.user.managers.personal_address.city" - view_label: "Entity" - description: "The city." 
- } # dimension personal_address__city - - dimension: personal_address__country_or_region { - type: string - sql: ${TABLE}.personal_address.country_or_region ;; - group_label: "entity" - label: "entity.user.managers.personal_address.country_or_region" - view_label: "Entity" - description: "The country or region." - } # dimension personal_address__country_or_region - - dimension: personal_address__name { - type: string - sql: ${TABLE}.personal_address.name ;; - group_label: "entity" - label: "entity.user.managers.personal_address.name" - view_label: "Entity" - description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." - } # dimension personal_address__name - - dimension: personal_address__state { - type: string - sql: ${TABLE}.personal_address.state ;; - group_label: "entity" - label: "entity.user.managers.personal_address.state" - view_label: "Entity" - description: "The state." - } # dimension personal_address__state - - dimension: phone_numbers { - hidden: yes - } # dimension phone_numbers - - dimension: product_object_id { - type: string - sql: ${TABLE}.product_object_id ;; - group_label: "entity" - label: "entity.user.managers.product_object_id" - view_label: "Entity" - description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." - } # dimension product_object_id - - dimension: title { - type: string - sql: ${TABLE}.title ;; - group_label: "entity" - label: "entity.user.managers.title" - view_label: "Entity" - description: "User job title." - } # dimension title - - dimension: user_display_name { - type: string - sql: ${TABLE}.user_display_name ;; - group_label: "entity" - label: "entity.user.managers.user_display_name" - view_label: "Entity" - description: "The display name of the user (e.g. \"John Locke\")." 
- } # dimension user_display_name - - dimension: userid { - type: string - sql: ${TABLE}.userid ;; - group_label: "entity" - label: "entity.user.managers.userid" - view_label: "Entity" - description: "The ID of the user." - } # dimension userid - - dimension: windows_sid { - type: string - sql: ${TABLE}.windows_sid ;; - group_label: "entity" - label: "entity.user.managers.windows_sid" - view_label: "Entity" - description: "The Microsoft Windows SID of the user." - } # dimension windows_sid - -} # view entity_graph__entity__user__managers - -view: entity_graph__entity__user__phone_numbers { - dimension: entity_graph__entity__user__phone_numbers { - type: string - sql: ${TABLE} ;; - group_label: "entity" - label: "entity.user.phone_numbers" - view_label: "Entity" - description: "Phone numbers for the user." - } # dimension entity_graph__entity__user__phone_numbers -} # view entity_graph__entity__user__phone_numbers - -view: entity_graph__entity__user__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "entity" - label: "entity.user.time_off.description" - view_label: "Entity" - description: "Description of the leave if available (e.g. 'Vacation')." - } # dimension description - - dimension_group: entity__user__time_off__interval { - type: duration - intervals: [ second, minute, hour ] - sql_start: TIMESTAMP_MICROS(IFNULL(${TABLE}.interval.start_time.seconds,0) * 1000000 + CAST((IFNULL(${TABLE}.interval.start_time.nanos,0) / 1000) as INT64)) ;; - sql_end: TIMESTAMP_MICROS(IFNULL(${TABLE}.interval.end_time.seconds,0) * 1000000 + CAST((IFNULL(${TABLE}.interval.end_time.nanos,0) / 1000) as INT64)) ;; - group_label: "entity" - label: "entity.user.time_off.interval" - view_label: "Entity" - description: "Interval duration of the leave." 
- } # dimension entity__user__time_off__interval - -} # view entity_graph__entity__user__time_off - -view: entity_graph__entity__user_management_chain__department { - dimension: entity_graph__entity__user_management_chain__department { - type: string - sql: ${TABLE} ;; - group_label: "entity" - label: "entity.user_management_chain.department" - view_label: "Entity" - description: "User job department" - } # dimension entity_graph__entity__user_management_chain__department -} # view entity_graph__entity__user_management_chain__department - -view: entity_graph__entity__user_management_chain__email_addresses { - dimension: entity_graph__entity__user_management_chain__email_addresses { - type: string - sql: ${TABLE} ;; - group_label: "entity" - label: "entity.user_management_chain.email_addresses" - view_label: "Entity" - description: "Email addresses of the user." - } # dimension entity_graph__entity__user_management_chain__email_addresses -} # view entity_graph__entity__user_management_chain__email_addresses - -view: entity_graph__entity__user_management_chain { - dimension: attribute { - hidden: yes - } # dimension attribute - - dimension: attribute__cloud { - hidden: yes - } # dimension attribute__cloud - - dimension: attribute__cloud__project { - hidden: yes - } # dimension attribute__cloud__project - - dimension: attribute__cloud__project__product_object_id { - type: string - sql: ${TABLE}.attribute.cloud.project.product_object_id ;; - group_label: "entity" - group_item_label: "entity.user_management_chain.attribute.cloud.project.product_object_id [D]" - label: "entity.user_management_chain.attribute.cloud.project.product_object_id" - view_label: "Entity" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" - } # dimension attribute__cloud__project__product_object_id - - dimension: attribute__cloud__vpc { - hidden: yes - } # dimension 
attribute__cloud__vpc - - dimension: attribute__cloud__vpc__product_object_id { - type: string - sql: ${TABLE}.attribute.cloud.vpc.product_object_id ;; - group_label: "entity" - group_item_label: "entity.user_management_chain.attribute.cloud.vpc.product_object_id [D]" - label: "entity.user_management_chain.attribute.cloud.vpc.product_object_id" - view_label: "Entity" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" - } # dimension attribute__cloud__vpc__product_object_id - - dimension: department { - hidden: yes - } # dimension department - - dimension: email_addresses { - hidden: yes - } # dimension email_addresses - - dimension: product_object_id { - type: string - sql: ${TABLE}.product_object_id ;; - group_label: "entity" - label: "entity.user_management_chain.product_object_id" - view_label: "Entity" - description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." - } # dimension product_object_id - - dimension: title { - type: string - sql: ${TABLE}.title ;; - group_label: "entity" - label: "entity.user_management_chain.title" - view_label: "Entity" - description: "User job title." - } # dimension title - - dimension: userid { - type: string - sql: ${TABLE}.userid ;; - group_label: "entity" - label: "entity.user_management_chain.userid" - view_label: "Entity" - description: "The ID of the user." - } # dimension userid - -} # view entity_graph__entity__user_management_chain - -view: entity_graph__metadata__event_metadata__base_labels__log_types { - dimension: entity_graph__metadata__event_metadata__base_labels__log_types { - type: string - sql: ${TABLE} ;; - group_label: "metadata" - label: "metadata.event_metadata.base_labels.log_types" - view_label: "Entity" - description: "All the LogType labels. 
We use string to log types to avoid moving LogType proto, which contains customer info, to external." - } # dimension entity_graph__metadata__event_metadata__base_labels__log_types -} # view entity_graph__metadata__event_metadata__base_labels__log_types - -view: entity_graph__metadata__event_metadata__base_labels__namespaces { - dimension: entity_graph__metadata__event_metadata__base_labels__namespaces { - type: string - sql: ${TABLE} ;; - group_label: "metadata" - label: "metadata.event_metadata.base_labels.namespaces" - view_label: "Entity" - description: "All the namespaces." - } # dimension entity_graph__metadata__event_metadata__base_labels__namespaces -} # view entity_graph__metadata__event_metadata__base_labels__namespaces - -view: entity_graph__metadata__source_labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "metadata" - label: "metadata.source_labels.key" - view_label: "Entity" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "metadata" - label: "metadata.source_labels.value" - view_label: "Entity" - description: "The value." - } # dimension value - -} # view entity_graph__metadata__source_labels - -view: entity_graph__metadata__threat__about__ip { - dimension: entity_graph__metadata__threat__about__ip { - type: string - sql: ${TABLE} ;; - group_label: "metadata" - label: "metadata.threat.about.ip" - view_label: "Entity" - description: "A list of IP addresses associated with a network connection." - } # dimension entity_graph__metadata__threat__about__ip -} # view entity_graph__metadata__threat__about__ip - -view: entity_graph__metadata__threat__about__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "metadata" - group_item_label: "metadata.threat.about.labels.key [D]" - label: "metadata.threat.about.labels.key" - view_label: "Entity" - description: "The key. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "metadata" - group_item_label: "metadata.threat.about.labels.value [D]" - label: "metadata.threat.about.labels.value" - view_label: "Entity" - description: "The value. [D]: This field is deprecated and will be removed in a future release" - } # dimension value - -} # view entity_graph__metadata__threat__about__labels - -view: entity_graph__metadata__threat__about__user__email_addresses { - dimension: entity_graph__metadata__threat__about__user__email_addresses { - type: string - sql: ${TABLE} ;; - group_label: "metadata" - label: "metadata.threat.about.user.email_addresses" - view_label: "Entity" - description: "Email addresses of the user." - } # dimension entity_graph__metadata__threat__about__user__email_addresses -} # view entity_graph__metadata__threat__about__user__email_addresses - -view: entity_graph__metadata__threat__about__user_management_chain { - dimension: attribute { - hidden: yes - } # dimension attribute - - dimension: attribute__cloud { - hidden: yes - } # dimension attribute__cloud - - dimension: attribute__cloud__project { - hidden: yes - } # dimension attribute__cloud__project - - dimension: attribute__cloud__project__product_object_id { - type: string - sql: ${TABLE}.attribute.cloud.project.product_object_id ;; - group_label: "metadata" - group_item_label: "metadata.threat.about.user_management_chain.attribute.cloud.project.product_object_id [D]" - label: "metadata.threat.about.user_management_chain.attribute.cloud.project.product_object_id" - view_label: "Entity" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" - } # dimension attribute__cloud__project__product_object_id - - dimension: attribute__cloud__vpc { - hidden: yes - } # dimension 
attribute__cloud__vpc - - dimension: attribute__cloud__vpc__product_object_id { - type: string - sql: ${TABLE}.attribute.cloud.vpc.product_object_id ;; - group_label: "metadata" - group_item_label: "metadata.threat.about.user_management_chain.attribute.cloud.vpc.product_object_id [D]" - label: "metadata.threat.about.user_management_chain.attribute.cloud.vpc.product_object_id" - view_label: "Entity" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" - } # dimension attribute__cloud__vpc__product_object_id - - dimension: product_object_id { - type: string - sql: ${TABLE}.product_object_id ;; - group_label: "metadata" - label: "metadata.threat.about.user_management_chain.product_object_id" - view_label: "Entity" - description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." - } # dimension product_object_id - -} # view entity_graph__metadata__threat__about__user_management_chain - -view: entity_graph__metadata__threat__action { - dimension: entity_graph__metadata__threat__action { - type: number - sql: ${TABLE} ;; - group_label: "metadata" - label: "metadata.threat.action" - view_label: "Entity" - description: "Actions taken for this event." 
- } # dimension entity_graph__metadata__threat__action -} # view entity_graph__metadata__threat__action - -view: entity_graph__metadata__threat__action_enum_name { - dimension: entity_graph__metadata__threat__action_enum_name { - type: string - suggestions: ["ALLOW", "ALLOW_WITH_MODIFICATION", "BLOCK", "CHALLENGE", "FAIL", "QUARANTINE", "UNKNOWN_ACTION"] - sql: CASE ${TABLE} WHEN 0 THEN 'UNKNOWN_ACTION' WHEN 1 THEN 'ALLOW' WHEN 2 THEN 'BLOCK' WHEN 3 THEN 'ALLOW_WITH_MODIFICATION' WHEN 4 THEN 'QUARANTINE' WHEN 5 THEN 'FAIL' WHEN 6 THEN 'CHALLENGE' END ;; - group_label: "metadata" - label: "metadata.threat.action_enum_name" - view_label: "Entity" - description: "Actions taken for this event." - } # dimension entity_graph__metadata__threat__action_enum_name -} # view entity_graph__metadata__threat__action_enum_name - -view: entity_graph__metadata__threat__category { - dimension: entity_graph__metadata__threat__category { - type: number - sql: ${TABLE} ;; - group_label: "metadata" - label: "metadata.threat.category" - view_label: "Entity" - description: "The security category." 
- } # dimension entity_graph__metadata__threat__category -} # view entity_graph__metadata__threat__category - -view: entity_graph__metadata__threat__category_enum_name { - dimension: entity_graph__metadata__threat__category_enum_name { - type: string - suggestions: ["ACL_VIOLATION", "AUTH_VIOLATION", "DATA_AT_REST", "DATA_DESTRUCTION", "DATA_EXFILTRATION", "EXPLOIT", "MAIL_PHISHING", "MAIL_SPAM", "MAIL_SPOOFING", "NETWORK_CATEGORIZED_CONTENT", "NETWORK_COMMAND_AND_CONTROL", "NETWORK_DENIAL_OF_SERVICE", "NETWORK_MALICIOUS", "NETWORK_RECON", "NETWORK_SUSPICIOUS", "PHISHING", "POLICY_VIOLATION", "SOCIAL_ENGINEERING", "SOFTWARE_MALICIOUS", "SOFTWARE_PUA", "SOFTWARE_SUSPICIOUS", "TOR_EXIT_NODE", "UNKNOWN_CATEGORY"] - sql: CASE ${TABLE} WHEN 0 THEN 'UNKNOWN_CATEGORY' WHEN 10000 THEN 'SOFTWARE_MALICIOUS' WHEN 10100 THEN 'SOFTWARE_SUSPICIOUS' WHEN 10200 THEN 'SOFTWARE_PUA' WHEN 20000 THEN 'NETWORK_MALICIOUS' WHEN 20100 THEN 'NETWORK_SUSPICIOUS' WHEN 20200 THEN 'NETWORK_CATEGORIZED_CONTENT' WHEN 20300 THEN 'NETWORK_DENIAL_OF_SERVICE' WHEN 20400 THEN 'NETWORK_RECON' WHEN 20500 THEN 'NETWORK_COMMAND_AND_CONTROL' WHEN 30000 THEN 'ACL_VIOLATION' WHEN 40000 THEN 'AUTH_VIOLATION' WHEN 50000 THEN 'EXPLOIT' WHEN 60000 THEN 'DATA_EXFILTRATION' WHEN 60100 THEN 'DATA_AT_REST' WHEN 60200 THEN 'DATA_DESTRUCTION' WHEN 60300 THEN 'TOR_EXIT_NODE' WHEN 70000 THEN 'MAIL_SPAM' WHEN 70100 THEN 'MAIL_PHISHING' WHEN 70200 THEN 'MAIL_SPOOFING' WHEN 80000 THEN 'POLICY_VIOLATION' WHEN 90001 THEN 'SOCIAL_ENGINEERING' WHEN 90002 THEN 'PHISHING' END ;; - group_label: "metadata" - label: "metadata.threat.category_enum_name" - view_label: "Entity" - description: "The security category." 
- } # dimension entity_graph__metadata__threat__category_enum_name -} # view entity_graph__metadata__threat__category_enum_name - -view: entity_graph__metadata__threat__category_details { - dimension: entity_graph__metadata__threat__category_details { - type: string - sql: ${TABLE} ;; - group_label: "metadata" - label: "metadata.threat.category_details" - view_label: "Entity" - description: "For vendor-specific categories. For web categorization, put type in here such as \"gambling\", \"porn\", etc." - } # dimension entity_graph__metadata__threat__category_details -} # view entity_graph__metadata__threat__category_details - -view: entity_graph__metadata__threat__detection_fields { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "metadata" - label: "metadata.threat.detection_fields.key" - view_label: "Entity" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "metadata" - label: "metadata.threat.detection_fields.value" - view_label: "Entity" - description: "The value." - } # dimension value - -} # view entity_graph__metadata__threat__detection_fields - -view: entity_graph__metadata__threat__rule_labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "metadata" - label: "metadata.threat.rule_labels.key" - view_label: "Entity" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "metadata" - label: "metadata.threat.rule_labels.value" - view_label: "Entity" - description: "The value." 
- } # dimension value - -} # view entity_graph__metadata__threat__rule_labels - -view: entity_graph__metadata__threat { - dimension: about { - hidden: yes - } # dimension about - - dimension: about__asset { - hidden: yes - } # dimension about__asset - - dimension: about__asset__attribute { - hidden: yes - } # dimension about__asset__attribute - - dimension: about__asset__attribute__cloud { - hidden: yes - } # dimension about__asset__attribute__cloud - - dimension: about__asset__attribute__cloud__project { - hidden: yes - } # dimension about__asset__attribute__cloud__project - - dimension: about__asset__attribute__cloud__project__product_object_id { - type: string - sql: ${TABLE}.about.asset.attribute.cloud.project.product_object_id ;; - group_label: "metadata" - group_item_label: "metadata.threat.about.asset.attribute.cloud.project.product_object_id [D]" - label: "metadata.threat.about.asset.attribute.cloud.project.product_object_id" - view_label: "Entity" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" - } # dimension about__asset__attribute__cloud__project__product_object_id - - dimension: about__asset__attribute__cloud__vpc { - hidden: yes - } # dimension about__asset__attribute__cloud__vpc - - dimension: about__asset__attribute__cloud__vpc__product_object_id { - type: string - sql: ${TABLE}.about.asset.attribute.cloud.vpc.product_object_id ;; - group_label: "metadata" - group_item_label: "metadata.threat.about.asset.attribute.cloud.vpc.product_object_id [D]" - label: "metadata.threat.about.asset.attribute.cloud.vpc.product_object_id" - view_label: "Entity" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" - } # dimension about__asset__attribute__cloud__vpc__product_object_id - - dimension: about__asset__hostname { - 
type: string - sql: ${TABLE}.about.asset.hostname ;; - group_label: "metadata" - label: "metadata.threat.about.asset.hostname" - view_label: "Entity" - description: "Asset hostname or domain name field." - } # dimension about__asset__hostname - - dimension: about__asset__product_object_id { - type: string - sql: ${TABLE}.about.asset.product_object_id ;; - group_label: "metadata" - label: "metadata.threat.about.asset.product_object_id" - view_label: "Entity" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID or similar)." - } # dimension about__asset__product_object_id - - dimension: about__cloud { - hidden: yes - } # dimension about__cloud - - dimension: about__cloud__project { - hidden: yes - } # dimension about__cloud__project - - dimension: about__cloud__project__product_object_id { - type: string - sql: ${TABLE}.about.cloud.project.product_object_id ;; - group_label: "metadata" - group_item_label: "metadata.threat.about.cloud.project.product_object_id [D]" - label: "metadata.threat.about.cloud.project.product_object_id" - view_label: "Entity" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" - } # dimension about__cloud__project__product_object_id - - dimension: about__cloud__vpc { - hidden: yes - } # dimension about__cloud__vpc - - dimension: about__cloud__vpc__product_object_id { - type: string - sql: ${TABLE}.about.cloud.vpc.product_object_id ;; - group_label: "metadata" - group_item_label: "metadata.threat.about.cloud.vpc.product_object_id [D]" - label: "metadata.threat.about.cloud.vpc.product_object_id" - view_label: "Entity" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" - } # dimension about__cloud__vpc__product_object_id - - dimension: about__file { - hidden: yes - } # 
dimension about__file - - dimension: about__file__md5 { - type: string - sql: ${TABLE}.about.file.md5 ;; - group_label: "metadata" - label: "metadata.threat.about.file.md5" - view_label: "Entity" - description: "The MD5 hash of the file." - } # dimension about__file__md5 - - dimension: about__file__sha1 { - type: string - sql: ${TABLE}.about.file.sha1 ;; - group_label: "metadata" - label: "metadata.threat.about.file.sha1" - view_label: "Entity" - description: "The SHA1 hash of the file." - } # dimension about__file__sha1 - - dimension: about__file__sha256 { - type: string - sql: ${TABLE}.about.file.sha256 ;; - group_label: "metadata" - label: "metadata.threat.about.file.sha256" - view_label: "Entity" - description: "The SHA256 hash of the file." - } # dimension about__file__sha256 - - dimension: about__group { - hidden: yes - } # dimension about__group - - dimension: about__group__attribute { - hidden: yes - } # dimension about__group__attribute - - dimension: about__group__attribute__cloud { - hidden: yes - } # dimension about__group__attribute__cloud - - dimension: about__group__attribute__cloud__project { - hidden: yes - } # dimension about__group__attribute__cloud__project - - dimension: about__group__attribute__cloud__project__product_object_id { - type: string - sql: ${TABLE}.about.group.attribute.cloud.project.product_object_id ;; - group_label: "metadata" - group_item_label: "metadata.threat.about.group.attribute.cloud.project.product_object_id [D]" - label: "metadata.threat.about.group.attribute.cloud.project.product_object_id" - view_label: "Entity" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" - } # dimension about__group__attribute__cloud__project__product_object_id - - dimension: about__group__attribute__cloud__vpc { - hidden: yes - } # dimension about__group__attribute__cloud__vpc - - dimension: 
about__group__attribute__cloud__vpc__product_object_id { - type: string - sql: ${TABLE}.about.group.attribute.cloud.vpc.product_object_id ;; - group_label: "metadata" - group_item_label: "metadata.threat.about.group.attribute.cloud.vpc.product_object_id [D]" - label: "metadata.threat.about.group.attribute.cloud.vpc.product_object_id" - view_label: "Entity" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" - } # dimension about__group__attribute__cloud__vpc__product_object_id - - dimension: about__group__product_object_id { - type: string - sql: ${TABLE}.about.group.product_object_id ;; - group_label: "metadata" - label: "metadata.threat.about.group.product_object_id" - view_label: "Entity" - description: "Product globally unique user object identifier, such as an LDAP Object Identifier." - } # dimension about__group__product_object_id - - dimension: about__hostname { - type: string - sql: ${TABLE}.about.hostname ;; - group_label: "metadata" - label: "metadata.threat.about.hostname" - view_label: "Entity" - description: "Client hostname or domain name field. Hostname also doubles as the domain for remote entities." - } # dimension about__hostname - - dimension: about__ip { - hidden: yes - } # dimension about__ip - - dimension: about__labels { - hidden: yes - } # dimension about__labels - - dimension: about__namespace { - type: string - sql: ${TABLE}.about.namespace ;; - group_label: "metadata" - label: "metadata.threat.about.namespace" - view_label: "Entity" - description: "Namespace which the device belongs to (e.g. AD forest) Uses for this field include Microsoft Windows AD forest, name of subsidiary or acquisition, etc." 
- } # dimension about__namespace - - dimension: about__object_reference { - hidden: yes - } # dimension about__object_reference - - dimension: about__object_reference__id { - type: string - sql: ${TABLE}.about.object_reference.id ;; - group_label: "metadata" - label: "metadata.threat.about.object_reference.id" - view_label: "Entity" - description: "Full raw ID." - } # dimension about__object_reference__id - - dimension: about__object_reference__namespace { - type: number - sql: ${TABLE}.about.object_reference.namespace ;; - group_label: "metadata" - label: "metadata.threat.about.object_reference.namespace" - view_label: "Entity" - description: "Namespace the id belongs to." - } # dimension about__object_reference__namespace - - dimension: about__object_reference__namespace_enum_name { - type: string - suggestions: ["MACHINE_INTELLIGENCE", "NORMALIZED_TELEMETRY", "RAW_TELEMETRY", "RULE_DETECTIONS", "SECURITY_COMMAND_CENTER", "SOAR_ALERT", "UNSPECIFIED", "UPPERCASE"] - sql: CASE ${TABLE}.about.object_reference.namespace WHEN 0 THEN 'NORMALIZED_TELEMETRY' WHEN 1 THEN 'RAW_TELEMETRY' WHEN 2 THEN 'RULE_DETECTIONS' WHEN 3 THEN 'UPPERCASE' WHEN 4 THEN 'MACHINE_INTELLIGENCE' WHEN 5 THEN 'SECURITY_COMMAND_CENTER' WHEN 6 THEN 'UNSPECIFIED' WHEN 7 THEN 'SOAR_ALERT' END ;; - group_label: "metadata" - label: "metadata.threat.about.object_reference.namespace_enum_name" - view_label: "Entity" - description: "Namespace the id belongs to." 
- } # dimension about__object_reference__namespace_enum_name - - dimension: about__resource { - hidden: yes - } # dimension about__resource - - dimension: about__resource__product_object_id { - type: string - sql: ${TABLE}.about.resource.product_object_id ;; - group_label: "metadata" - label: "metadata.threat.about.resource.product_object_id" - view_label: "Entity" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" - } # dimension about__resource__product_object_id - - dimension: about__url { - type: string - sql: ${TABLE}.about.url ;; - group_label: "metadata" - label: "metadata.threat.about.url" - view_label: "Entity" - description: "The URL." - } # dimension about__url - - dimension: about__user { - hidden: yes - } # dimension about__user - - dimension: about__user__attribute { - hidden: yes - } # dimension about__user__attribute - - dimension: about__user__attribute__cloud { - hidden: yes - } # dimension about__user__attribute__cloud - - dimension: about__user__attribute__cloud__project { - hidden: yes - } # dimension about__user__attribute__cloud__project - - dimension: about__user__attribute__cloud__project__product_object_id { - type: string - sql: ${TABLE}.about.user.attribute.cloud.project.product_object_id ;; - group_label: "metadata" - group_item_label: "metadata.threat.about.user.attribute.cloud.project.product_object_id [D]" - label: "metadata.threat.about.user.attribute.cloud.project.product_object_id" - view_label: "Entity" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" - } # dimension about__user__attribute__cloud__project__product_object_id - - dimension: about__user__attribute__cloud__vpc { - hidden: yes - } # dimension about__user__attribute__cloud__vpc - - dimension: about__user__attribute__cloud__vpc__product_object_id { - type: string - sql: 
${TABLE}.about.user.attribute.cloud.vpc.product_object_id ;; - group_label: "metadata" - group_item_label: "metadata.threat.about.user.attribute.cloud.vpc.product_object_id [D]" - label: "metadata.threat.about.user.attribute.cloud.vpc.product_object_id" - view_label: "Entity" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" - } # dimension about__user__attribute__cloud__vpc__product_object_id - - dimension: about__user__email_addresses { - hidden: yes - } # dimension about__user__email_addresses - - dimension: about__user__product_object_id { - type: string - sql: ${TABLE}.about.user.product_object_id ;; - group_label: "metadata" - label: "metadata.threat.about.user.product_object_id" - view_label: "Entity" - description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." - } # dimension about__user__product_object_id - - dimension: about__user__user_display_name { - type: string - sql: ${TABLE}.about.user.user_display_name ;; - group_label: "metadata" - label: "metadata.threat.about.user.user_display_name" - view_label: "Entity" - description: "The display name of the user (e.g. \"John Locke\")." - } # dimension about__user__user_display_name - - dimension: about__user_management_chain { - hidden: yes - } # dimension about__user_management_chain - - dimension: action { - hidden: yes - } # dimension action - - dimension: action_enum_name { - hidden: yes - } # dimension action_enum_name - - dimension: action_details { - type: string - sql: ${TABLE}.action_details ;; - group_label: "metadata" - label: "metadata.threat.action_details" - view_label: "Entity" - description: "The detail of the action taken as provided by the vendor." 
- } # dimension action_details - - dimension: category { - hidden: yes - } # dimension category - - dimension: category_enum_name { - hidden: yes - } # dimension category_enum_name - - dimension: category_details { - hidden: yes - } # dimension category_details - - dimension: confidence { - type: number - sql: ${TABLE}.confidence ;; - group_label: "metadata" - label: "metadata.threat.confidence" - view_label: "Entity" - description: "The confidence level of the result as estimated by the product." - } # dimension confidence - - dimension: confidence_enum_name { - type: string - suggestions: ["HIGH_CONFIDENCE", "LOW_CONFIDENCE", "MEDIUM_CONFIDENCE", "UNKNOWN_CONFIDENCE"] - sql: CASE ${TABLE}.confidence WHEN 0 THEN 'UNKNOWN_CONFIDENCE' WHEN 200 THEN 'LOW_CONFIDENCE' WHEN 300 THEN 'MEDIUM_CONFIDENCE' WHEN 400 THEN 'HIGH_CONFIDENCE' END ;; - group_label: "metadata" - label: "metadata.threat.confidence_enum_name" - view_label: "Entity" - description: "The confidence level of the result as estimated by the product." - } # dimension confidence_enum_name - - dimension: confidence_details { - type: string - sql: ${TABLE}.confidence_details ;; - group_label: "metadata" - label: "metadata.threat.confidence_details" - view_label: "Entity" - description: "Additional detail with regards to the confidence of a security event as estimated by the product vendor." - } # dimension confidence_details - - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "metadata" - label: "metadata.threat.description" - view_label: "Entity" - description: "A human readable description (e.g. \"user password was wrong\")" - } # dimension description - - dimension: detection_fields { - hidden: yes - } # dimension detection_fields - - dimension: rule_id { - type: string - sql: ${TABLE}.rule_id ;; - group_label: "metadata" - label: "metadata.threat.rule_id" - view_label: "Entity" - description: "A vendor-specific ID and name for a rule, varying by observerer type (e.g. 
\"08123\", \"5d2b44d0-5ef6-40f5-a704-47d61d3babbe\")." - } # dimension rule_id - - dimension: rule_labels { - hidden: yes - } # dimension rule_labels - - dimension: rule_name { - type: string - sql: ${TABLE}.rule_name ;; - group_label: "metadata" - label: "metadata.threat.rule_name" - view_label: "Entity" - description: "Name of the security rule (e.g. \"BlockInboundToOracle\")." - } # dimension rule_name - - dimension: rule_type { - type: string - sql: ${TABLE}.rule_type ;; - group_label: "metadata" - label: "metadata.threat.rule_type" - view_label: "Entity" - description: "The type of security rule." - } # dimension rule_type - - dimension: severity { - type: number - sql: ${TABLE}.severity ;; - group_label: "metadata" - label: "metadata.threat.severity" - view_label: "Entity" - description: "The severity of the result." - } # dimension severity - - dimension: severity_enum_name { - type: string - suggestions: ["CRITICAL", "ERROR", "HIGH", "INFORMATIONAL", "LOW", "MEDIUM", "UNKNOWN_SEVERITY"] - sql: CASE ${TABLE}.severity WHEN 0 THEN 'UNKNOWN_SEVERITY' WHEN 100 THEN 'INFORMATIONAL' WHEN 150 THEN 'ERROR' WHEN 200 THEN 'LOW' WHEN 300 THEN 'MEDIUM' WHEN 400 THEN 'HIGH' WHEN 500 THEN 'CRITICAL' END ;; - group_label: "metadata" - label: "metadata.threat.severity_enum_name" - view_label: "Entity" - description: "The severity of the result." - } # dimension severity_enum_name - - dimension: severity_details { - type: string - sql: ${TABLE}.severity_details ;; - group_label: "metadata" - label: "metadata.threat.severity_details" - view_label: "Entity" - description: "Vendor-specific severity." - } # dimension severity_details - - dimension: summary { - type: string - sql: ${TABLE}.summary ;; - group_label: "metadata" - label: "metadata.threat.summary" - view_label: "Entity" - description: "A human readable summary (e.g. 
\"failed login occurred\")" - } # dimension summary - - dimension: threat_feed_name { - type: string - sql: ${TABLE}.threat_feed_name ;; - group_label: "metadata" - label: "metadata.threat.threat_feed_name" - view_label: "Entity" - description: "Vendor feed name for a threat indicator feed." - } # dimension threat_feed_name - - dimension: threat_id { - type: string - sql: ${TABLE}.threat_id ;; - group_label: "metadata" - label: "metadata.threat.threat_id" - view_label: "Entity" - description: "Vendor-specific ID for a threat." - } # dimension threat_id - - dimension: threat_name { - type: string - sql: ${TABLE}.threat_name ;; - group_label: "metadata" - label: "metadata.threat.threat_name" - view_label: "Entity" - description: "A vendor-assigned classification common across multiple customers (e.g. \"W32/File-A\", \"Slammer\")." - } # dimension threat_name - - dimension: threat_status { - type: number - sql: ${TABLE}.threat_status ;; - group_label: "metadata" - label: "metadata.threat.threat_status" - view_label: "Entity" - description: "Current status of the threat" - } # dimension threat_status - - dimension: threat_status_enum_name { - type: string - suggestions: ["ACTIVE", "CLEARED", "FALSE_POSITIVE", "THREAT_STATUS_UNSPECIFIED"] - sql: CASE ${TABLE}.threat_status WHEN 0 THEN 'THREAT_STATUS_UNSPECIFIED' WHEN 1 THEN 'ACTIVE' WHEN 2 THEN 'CLEARED' WHEN 3 THEN 'FALSE_POSITIVE' END ;; - group_label: "metadata" - label: "metadata.threat.threat_status_enum_name" - view_label: "Entity" - description: "Current status of the threat" - } # dimension threat_status_enum_name - - dimension: url_back_to_product { - type: string - sql: ${TABLE}.url_back_to_product ;; - group_label: "metadata" - label: "metadata.threat.url_back_to_product" - view_label: "Entity" - description: "URL that takes the user to the source product console for this event." 
- } # dimension url_back_to_product - -} # view entity_graph__metadata__threat - -view: entity_graph__relations__entity__asset__hardware { - dimension: cpu_clock_speed { - type: number - sql: ${TABLE}.cpu_clock_speed ;; - group_label: "relations" - label: "relations.entity.asset.hardware.cpu_clock_speed" - view_label: "Entity" - description: "Clock speed of the hardware CPU in MHz." - } # dimension cpu_clock_speed - - dimension: cpu_model { - type: string - sql: ${TABLE}.cpu_model ;; - group_label: "relations" - label: "relations.entity.asset.hardware.cpu_model" - view_label: "Entity" - description: "Model description of the hardware CPU (e.g. \"2.8 GHz Quad-Core Intel Core i5\")." - } # dimension cpu_model - - dimension: cpu_number_cores { - type: number - sql: ${TABLE}.cpu_number_cores ;; - group_label: "relations" - label: "relations.entity.asset.hardware.cpu_number_cores" - view_label: "Entity" - description: "Number of CPU cores." - } # dimension cpu_number_cores - - dimension: cpu_platform { - type: string - sql: ${TABLE}.cpu_platform ;; - group_label: "relations" - label: "relations.entity.asset.hardware.cpu_platform" - view_label: "Entity" - description: "Platform of the hardware CPU (e.g. \"Intel Broadwell\")." - } # dimension cpu_platform - - dimension: manufacturer { - type: string - sql: ${TABLE}.manufacturer ;; - group_label: "relations" - label: "relations.entity.asset.hardware.manufacturer" - view_label: "Entity" - description: "Hardware manufacturer." - } # dimension manufacturer - - dimension: model { - type: string - sql: ${TABLE}.model ;; - group_label: "relations" - label: "relations.entity.asset.hardware.model" - view_label: "Entity" - description: "Hardware model." - } # dimension model - - dimension: ram { - type: number - sql: ${TABLE}.ram ;; - group_label: "relations" - label: "relations.entity.asset.hardware.ram" - view_label: "Entity" - description: "Amount of the hardware ramdom access memory (RAM) in Mb." 
- } # dimension ram - - dimension: serial_number { - type: string - sql: ${TABLE}.serial_number ;; - group_label: "relations" - label: "relations.entity.asset.hardware.serial_number" - view_label: "Entity" - description: "Hardware serial number." - } # dimension serial_number - -} # view entity_graph__relations__entity__asset__hardware - -view: entity_graph__relations__entity__asset__ip { - dimension: entity_graph__relations__entity__asset__ip { - type: string - sql: ${TABLE} ;; - group_label: "relations" - label: "relations.entity.asset.ip" - view_label: "Entity" - description: "A list of IP addresses associated with an asset." - } # dimension entity_graph__relations__entity__asset__ip -} # view entity_graph__relations__entity__asset__ip - -view: entity_graph__relations__entity__asset__mac { - dimension: entity_graph__relations__entity__asset__mac { - type: string - sql: ${TABLE} ;; - group_label: "relations" - label: "relations.entity.asset.mac" - view_label: "Entity" - description: "List of MAC addresses associated with an asset." - } # dimension entity_graph__relations__entity__asset__mac -} # view entity_graph__relations__entity__asset__mac - -view: entity_graph__relations__entity__asset__software { - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "relations" - label: "relations.entity.asset.software.name" - view_label: "Entity" - description: "The name of the software." - } # dimension name - -} # view entity_graph__relations__entity__asset__software - -view: entity_graph__relations__entity__ip { - dimension: entity_graph__relations__entity__ip { - type: string - sql: ${TABLE} ;; - group_label: "relations" - label: "relations.entity.ip" - view_label: "Entity" - description: "A list of IP addresses associated with a network connection." 
- } # dimension entity_graph__relations__entity__ip -} # view entity_graph__relations__entity__ip - -view: entity_graph__relations__entity__ip_geo_artifact { - dimension: location { - hidden: yes - } # dimension location - - dimension: location__country_or_region { - type: string - sql: ${TABLE}.location.country_or_region ;; - group_label: "relations" - label: "relations.entity.ip_geo_artifact.location.country_or_region" - view_label: "Entity" - description: "The country or region." - } # dimension location__country_or_region - -} # view entity_graph__relations__entity__ip_geo_artifact - -view: entity_graph__relations__entity__ip_location { - dimension: country_or_region { - type: string - sql: ${TABLE}.country_or_region ;; - group_label: "relations" - group_item_label: "relations.entity.ip_location.country_or_region [D]" - label: "relations.entity.ip_location.country_or_region" - view_label: "Entity" - description: "The country or region. [D]: This field is deprecated and will be removed in a future release" - } # dimension country_or_region - -} # view entity_graph__relations__entity__ip_location - -view: entity_graph__relations__entity__resource__attribute__permissions { - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "relations" - label: "relations.entity.resource.attribute.permissions.name" - view_label: "Entity" - description: "Name of the permission (e.g. chronicle.analyst.updateRule)." - } # dimension name - -} # view entity_graph__relations__entity__resource__attribute__permissions - -view: entity_graph__relations__entity__user__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "relations" - label: "relations.entity.user.attribute.labels.key" - view_label: "Entity" - description: "The key." 
- } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "relations" - label: "relations.entity.user.attribute.labels.value" - view_label: "Entity" - description: "The value." - } # dimension value - -} # view entity_graph__relations__entity__user__attribute__labels - -view: entity_graph__relations__entity__user__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "relations" - label: "relations.entity.user.attribute.roles.description" - view_label: "Entity" - description: "System role description for user." - } # dimension description - -} # view entity_graph__relations__entity__user__attribute__roles - -view: entity_graph__relations__entity__user__email_addresses { - dimension: entity_graph__relations__entity__user__email_addresses { - type: string - sql: ${TABLE} ;; - group_label: "relations" - label: "relations.entity.user.email_addresses" - view_label: "Entity" - description: "Email addresses of the user." - } # dimension entity_graph__relations__entity__user__email_addresses -} # view entity_graph__relations__entity__user__email_addresses - -view: entity_graph__relations__entity__user__phone_numbers { - dimension: entity_graph__relations__entity__user__phone_numbers { - type: string - sql: ${TABLE} ;; - group_label: "relations" - label: "relations.entity.user.phone_numbers" - view_label: "Entity" - description: "Phone numbers for the user." 
- } # dimension entity_graph__relations__entity__user__phone_numbers -} # view entity_graph__relations__entity__user__phone_numbers - -view: entity_graph__relations__entity__user_management_chain__department { - dimension: entity_graph__relations__entity__user_management_chain__department { - type: string - sql: ${TABLE} ;; - group_label: "relations" - label: "relations.entity.user_management_chain.department" - view_label: "Entity" - description: "User job department" - } # dimension entity_graph__relations__entity__user_management_chain__department -} # view entity_graph__relations__entity__user_management_chain__department - -view: entity_graph__relations__entity__user_management_chain { - dimension: attribute { - hidden: yes - } # dimension attribute - - dimension: attribute__cloud { - hidden: yes - } # dimension attribute__cloud - - dimension: attribute__cloud__project { - hidden: yes - } # dimension attribute__cloud__project - - dimension: attribute__cloud__project__product_object_id { - type: string - sql: ${TABLE}.attribute.cloud.project.product_object_id ;; - group_label: "relations" - group_item_label: "relations.entity.user_management_chain.attribute.cloud.project.product_object_id [D]" - label: "relations.entity.user_management_chain.attribute.cloud.project.product_object_id" - view_label: "Entity" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" - } # dimension attribute__cloud__project__product_object_id - - dimension: attribute__cloud__vpc { - hidden: yes - } # dimension attribute__cloud__vpc - - dimension: attribute__cloud__vpc__product_object_id { - type: string - sql: ${TABLE}.attribute.cloud.vpc.product_object_id ;; - group_label: "relations" - group_item_label: "relations.entity.user_management_chain.attribute.cloud.vpc.product_object_id [D]" - label: 
"relations.entity.user_management_chain.attribute.cloud.vpc.product_object_id" - view_label: "Entity" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" - } # dimension attribute__cloud__vpc__product_object_id - - dimension: department { - hidden: yes - } # dimension department - - dimension: office_address { - hidden: yes - } # dimension office_address - - dimension: office_address__country_or_region { - type: string - sql: ${TABLE}.office_address.country_or_region ;; - group_label: "relations" - label: "relations.entity.user_management_chain.office_address.country_or_region" - view_label: "Entity" - description: "The country or region." - } # dimension office_address__country_or_region - - dimension: personal_address { - hidden: yes - } # dimension personal_address - - dimension: personal_address__country_or_region { - type: string - sql: ${TABLE}.personal_address.country_or_region ;; - group_label: "relations" - label: "relations.entity.user_management_chain.personal_address.country_or_region" - view_label: "Entity" - description: "The country or region." - } # dimension personal_address__country_or_region - - dimension: product_object_id { - type: string - sql: ${TABLE}.product_object_id ;; - group_label: "relations" - label: "relations.entity.user_management_chain.product_object_id" - view_label: "Entity" - description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." - } # dimension product_object_id - -} # view entity_graph__relations__entity__user_management_chain - -view: entity_graph__relations { - dimension: direction { - type: number - sql: ${TABLE}.direction ;; - group_label: "relations" - label: "relations.direction" - view_label: "Entity" - description: "Directionality of relationship between primary entity (a) and the related entity (b)." 
- } # dimension direction - - dimension: direction_enum_name { - type: string - suggestions: ["BIDIRECTIONAL", "DIRECTIONALITY_UNSPECIFIED", "UNIDIRECTIONAL"] - sql: CASE ${TABLE}.direction WHEN 0 THEN 'DIRECTIONALITY_UNSPECIFIED' WHEN 1 THEN 'BIDIRECTIONAL' WHEN 2 THEN 'UNIDIRECTIONAL' END ;; - group_label: "relations" - label: "relations.direction_enum_name" - view_label: "Entity" - description: "Directionality of relationship between primary entity (a) and the related entity (b)." - } # dimension direction_enum_name - - dimension: entity { - hidden: yes - } # dimension entity - - dimension: entity__asset { - hidden: yes - } # dimension entity__asset - - dimension: entity__asset__asset_id { - type: string - sql: ${TABLE}.entity.asset.asset_id ;; - group_label: "relations" - label: "relations.entity.asset.asset_id" - view_label: "Entity" - description: "The asset ID." - } # dimension entity__asset__asset_id - - dimension: entity__asset__attribute { - hidden: yes - } # dimension entity__asset__attribute - - dimension: entity__asset__attribute__cloud { - hidden: yes - } # dimension entity__asset__attribute__cloud - - dimension: entity__asset__attribute__cloud__project { - hidden: yes - } # dimension entity__asset__attribute__cloud__project - - dimension: entity__asset__attribute__cloud__project__product_object_id { - type: string - sql: ${TABLE}.entity.asset.attribute.cloud.project.product_object_id ;; - group_label: "relations" - group_item_label: "relations.entity.asset.attribute.cloud.project.product_object_id [D]" - label: "relations.entity.asset.attribute.cloud.project.product_object_id" - view_label: "Entity" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" - } # dimension entity__asset__attribute__cloud__project__product_object_id - - dimension: entity__asset__attribute__cloud__vpc { - hidden: yes - } # dimension 
entity__asset__attribute__cloud__vpc - - dimension: entity__asset__attribute__cloud__vpc__product_object_id { - type: string - sql: ${TABLE}.entity.asset.attribute.cloud.vpc.product_object_id ;; - group_label: "relations" - group_item_label: "relations.entity.asset.attribute.cloud.vpc.product_object_id [D]" - label: "relations.entity.asset.attribute.cloud.vpc.product_object_id" - view_label: "Entity" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" - } # dimension entity__asset__attribute__cloud__vpc__product_object_id - - dimension_group: relations__entity__asset__attribute__creation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.entity.asset.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.entity.asset.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "relations" - label: "relations.entity.asset.attribute.creation_time" - view_label: "Entity" - description: "Time the resource or entity was created or provisioned." - } # dimension relations__entity__asset__attribute__creation_time - - dimension: entity__asset__category { - type: string - sql: ${TABLE}.entity.asset.category ;; - group_label: "relations" - label: "relations.entity.asset.category" - view_label: "Entity" - description: "The category of the asset (e.g. \"End User Asset\", \"Workstation\", \"Server\")." 
- } # dimension entity__asset__category - - dimension_group: relations__entity__asset__creation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.entity.asset.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.entity.asset.creation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "relations" - group_item_label: "relations.entity.asset.creation_time [D]" - label: "relations.entity.asset.creation_time" - view_label: "Entity" - description: "Time the asset was created or provisioned. Deprecate: creation_time should be populated in Attribute as generic metadata. [D]: This field is deprecated and will be removed in a future release" - } # dimension relations__entity__asset__creation_time - - dimension: entity__asset__deployment_status { - type: number - sql: ${TABLE}.entity.asset.deployment_status ;; - group_label: "relations" - label: "relations.entity.asset.deployment_status" - view_label: "Entity" - description: "The deployment status of the asset for device lifecycle purposes." - } # dimension entity__asset__deployment_status - - dimension: entity__asset__deployment_status_enum_name { - type: string - suggestions: ["ACTIVE", "DECOMISSIONED", "DEPLOYMENT_STATUS_UNSPECIFIED", "PENDING_DECOMISSION"] - sql: CASE ${TABLE}.entity.asset.deployment_status WHEN 0 THEN 'DEPLOYMENT_STATUS_UNSPECIFIED' WHEN 1 THEN 'ACTIVE' WHEN 2 THEN 'PENDING_DECOMISSION' WHEN 3 THEN 'DECOMISSIONED' END ;; - group_label: "relations" - label: "relations.entity.asset.deployment_status_enum_name" - view_label: "Entity" - description: "The deployment status of the asset for device lifecycle purposes." 
- } # dimension entity__asset__deployment_status_enum_name - - dimension_group: relations__entity__asset__first_discover_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.entity.asset.first_discover_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.entity.asset.first_discover_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "relations" - label: "relations.entity.asset.first_discover_time" - view_label: "Entity" - description: "Time the asset was first discovered (by asset management/discoverability software)." - } # dimension relations__entity__asset__first_discover_time - - dimension: entity__asset__hardware { - hidden: yes - } # dimension entity__asset__hardware - - dimension: entity__asset__hostname { - type: string - sql: ${TABLE}.entity.asset.hostname ;; - group_label: "relations" - label: "relations.entity.asset.hostname" - view_label: "Entity" - description: "Asset hostname or domain name field." - } # dimension entity__asset__hostname - - dimension: entity__asset__ip { - hidden: yes - } # dimension entity__asset__ip - - dimension_group: relations__entity__asset__last_discover_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.entity.asset.last_discover_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.entity.asset.last_discover_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "relations" - label: "relations.entity.asset.last_discover_time" - view_label: "Entity" - description: "Time the asset was last discovered (by asset management/discoverability software)." 
- } # dimension relations__entity__asset__last_discover_time - - dimension: entity__asset__mac { - hidden: yes - } # dimension entity__asset__mac - - dimension: entity__asset__network_domain { - type: string - sql: ${TABLE}.entity.asset.network_domain ;; - group_label: "relations" - label: "relations.entity.asset.network_domain" - view_label: "Entity" - description: "The network domain of the asset (e.g. \"corp.acme.com\")" - } # dimension entity__asset__network_domain - - dimension: entity__asset__platform_software { - hidden: yes - } # dimension entity__asset__platform_software - - dimension: entity__asset__platform_software__platform { - type: number - sql: ${TABLE}.entity.asset.platform_software.platform ;; - group_label: "relations" - label: "relations.entity.asset.platform_software.platform" - view_label: "Entity" - description: "The platform operating system." - } # dimension entity__asset__platform_software__platform - - dimension: entity__asset__platform_software__platform_enum_name { - type: string - suggestions: ["ANDROID", "AWS", "AZURE", "CHROME_OS", "GCP", "IOS", "LINUX", "MAC", "UNKNOWN_PLATFORM", "WINDOWS"] - sql: CASE ${TABLE}.entity.asset.platform_software.platform WHEN 0 THEN 'UNKNOWN_PLATFORM' WHEN 1 THEN 'WINDOWS' WHEN 2 THEN 'MAC' WHEN 3 THEN 'LINUX' WHEN 4 THEN 'GCP' WHEN 5 THEN 'AWS' WHEN 6 THEN 'AZURE' WHEN 7 THEN 'IOS' WHEN 8 THEN 'ANDROID' WHEN 9 THEN 'CHROME_OS' END ;; - group_label: "relations" - label: "relations.entity.asset.platform_software.platform_enum_name" - view_label: "Entity" - description: "The platform operating system." - } # dimension entity__asset__platform_software__platform_enum_name - - dimension: entity__asset__platform_software__platform_patch_level { - type: string - sql: ${TABLE}.entity.asset.platform_software.platform_patch_level ;; - group_label: "relations" - label: "relations.entity.asset.platform_software.platform_patch_level" - view_label: "Entity" - description: "The platform software patch level ( e.g. 
\"Build 17134.48\", \"SP1\")." - } # dimension entity__asset__platform_software__platform_patch_level - - dimension: entity__asset__platform_software__platform_version { - type: string - sql: ${TABLE}.entity.asset.platform_software.platform_version ;; - group_label: "relations" - label: "relations.entity.asset.platform_software.platform_version" - view_label: "Entity" - description: "The platform software version ( e.g. \"Microsoft Windows 1803\")." - } # dimension entity__asset__platform_software__platform_version - - dimension: entity__asset__product_object_id { - type: string - sql: ${TABLE}.entity.asset.product_object_id ;; - group_label: "relations" - label: "relations.entity.asset.product_object_id" - view_label: "Entity" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID or similar)." - } # dimension entity__asset__product_object_id - - dimension: entity__asset__software { - hidden: yes - } # dimension entity__asset__software - - dimension_group: relations__entity__asset__system_last_update_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.entity.asset.system_last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.entity.asset.system_last_update_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "relations" - label: "relations.entity.asset.system_last_update_time" - view_label: "Entity" - description: "Time the asset system or OS was last updated. For all other operations that are not system updates (such as resizing a vm, etc.) use Attribute.last_update_time." - } # dimension relations__entity__asset__system_last_update_time - - dimension: entity__asset__type { - type: number - sql: ${TABLE}.entity.asset.type ;; - group_label: "relations" - label: "relations.entity.asset.type" - view_label: "Entity" - description: "The type of the asset (e.g. workstation or laptop or server)." 
- } # dimension entity__asset__type - - dimension: entity__asset__type_enum_name { - type: string - suggestions: ["IOT", "LAPTOP", "MOBILE", "NETWORK_ATTACHED_STORAGE", "PRINTER", "ROLE_UNSPECIFIED", "SCANNER", "SERVER", "TAPE_LIBRARY", "WORKSTATION"] - sql: CASE ${TABLE}.entity.asset.type WHEN 0 THEN 'ROLE_UNSPECIFIED' WHEN 1 THEN 'WORKSTATION' WHEN 2 THEN 'LAPTOP' WHEN 3 THEN 'IOT' WHEN 4 THEN 'NETWORK_ATTACHED_STORAGE' WHEN 5 THEN 'PRINTER' WHEN 6 THEN 'SCANNER' WHEN 7 THEN 'SERVER' WHEN 8 THEN 'TAPE_LIBRARY' WHEN 9 THEN 'MOBILE' END ;; - group_label: "relations" - label: "relations.entity.asset.type_enum_name" - view_label: "Entity" - description: "The type of the asset (e.g. workstation or laptop or server)." - } # dimension entity__asset__type_enum_name - - dimension: entity__cloud { - hidden: yes - } # dimension entity__cloud - - dimension: entity__cloud__project { - hidden: yes - } # dimension entity__cloud__project - - dimension: entity__cloud__project__product_object_id { - type: string - sql: ${TABLE}.entity.cloud.project.product_object_id ;; - group_label: "relations" - group_item_label: "relations.entity.cloud.project.product_object_id [D]" - label: "relations.entity.cloud.project.product_object_id" - view_label: "Entity" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" - } # dimension entity__cloud__project__product_object_id - - dimension: entity__cloud__vpc { - hidden: yes - } # dimension entity__cloud__vpc - - dimension: entity__cloud__vpc__product_object_id { - type: string - sql: ${TABLE}.entity.cloud.vpc.product_object_id ;; - group_label: "relations" - group_item_label: "relations.entity.cloud.vpc.product_object_id [D]" - label: "relations.entity.cloud.vpc.product_object_id" - view_label: "Entity" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is 
deprecated and will be removed in a future release" - } # dimension entity__cloud__vpc__product_object_id - - dimension: entity__group { - hidden: yes - } # dimension entity__group - - dimension: entity__group__attribute { - hidden: yes - } # dimension entity__group__attribute - - dimension: entity__group__attribute__cloud { - hidden: yes - } # dimension entity__group__attribute__cloud - - dimension: entity__group__attribute__cloud__project { - hidden: yes - } # dimension entity__group__attribute__cloud__project - - dimension: entity__group__attribute__cloud__project__product_object_id { - type: string - sql: ${TABLE}.entity.group.attribute.cloud.project.product_object_id ;; - group_label: "relations" - group_item_label: "relations.entity.group.attribute.cloud.project.product_object_id [D]" - label: "relations.entity.group.attribute.cloud.project.product_object_id" - view_label: "Entity" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" - } # dimension entity__group__attribute__cloud__project__product_object_id - - dimension: entity__group__attribute__cloud__vpc { - hidden: yes - } # dimension entity__group__attribute__cloud__vpc - - dimension: entity__group__attribute__cloud__vpc__product_object_id { - type: string - sql: ${TABLE}.entity.group.attribute.cloud.vpc.product_object_id ;; - group_label: "relations" - group_item_label: "relations.entity.group.attribute.cloud.vpc.product_object_id [D]" - label: "relations.entity.group.attribute.cloud.vpc.product_object_id" - view_label: "Entity" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" - } # dimension entity__group__attribute__cloud__vpc__product_object_id - - dimension: entity__group__group_display_name { - type: string - sql: ${TABLE}.entity.group.group_display_name 
;; - group_label: "relations" - label: "relations.entity.group.group_display_name" - view_label: "Entity" - description: "Group display name. e.g. \"Finance\"." - } # dimension entity__group__group_display_name - - dimension: entity__group__product_object_id { - type: string - sql: ${TABLE}.entity.group.product_object_id ;; - group_label: "relations" - label: "relations.entity.group.product_object_id" - view_label: "Entity" - description: "Product globally unique user object identifier, such as an LDAP Object Identifier." - } # dimension entity__group__product_object_id - - dimension: entity__hostname { - type: string - sql: ${TABLE}.entity.hostname ;; - group_label: "relations" - label: "relations.entity.hostname" - view_label: "Entity" - description: "Client hostname or domain name field. Hostname also doubles as the domain for remote entities." - } # dimension entity__hostname - - dimension: entity__ip { - hidden: yes - } # dimension entity__ip - - dimension: entity__ip_geo_artifact { - hidden: yes - } # dimension entity__ip_geo_artifact - - dimension: entity__ip_location { - hidden: yes - } # dimension entity__ip_location - - dimension: entity__location { - hidden: yes - } # dimension entity__location - - dimension: entity__location__name { - type: string - sql: ${TABLE}.entity.location.name ;; - group_label: "relations" - label: "relations.entity.location.name" - view_label: "Entity" - description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." - } # dimension entity__location__name - - dimension: entity__namespace { - type: string - sql: ${TABLE}.entity.namespace ;; - group_label: "relations" - label: "relations.entity.namespace" - view_label: "Entity" - description: "Namespace which the device belongs to (e.g. AD forest) Uses for this field include Microsoft Windows AD forest, name of subsidiary or acquisition, etc." 
- } # dimension entity__namespace - - dimension: entity__object_reference { - hidden: yes - } # dimension entity__object_reference - - dimension: entity__object_reference__id { - type: string - sql: ${TABLE}.entity.object_reference.id ;; - group_label: "relations" - label: "relations.entity.object_reference.id" - view_label: "Entity" - description: "Full raw ID." - } # dimension entity__object_reference__id - - dimension: entity__object_reference__namespace { - type: number - sql: ${TABLE}.entity.object_reference.namespace ;; - group_label: "relations" - label: "relations.entity.object_reference.namespace" - view_label: "Entity" - description: "Namespace the id belongs to." - } # dimension entity__object_reference__namespace - - dimension: entity__object_reference__namespace_enum_name { - type: string - suggestions: ["MACHINE_INTELLIGENCE", "NORMALIZED_TELEMETRY", "RAW_TELEMETRY", "RULE_DETECTIONS", "SECURITY_COMMAND_CENTER", "SOAR_ALERT", "UNSPECIFIED", "UPPERCASE"] - sql: CASE ${TABLE}.entity.object_reference.namespace WHEN 0 THEN 'NORMALIZED_TELEMETRY' WHEN 1 THEN 'RAW_TELEMETRY' WHEN 2 THEN 'RULE_DETECTIONS' WHEN 3 THEN 'UPPERCASE' WHEN 4 THEN 'MACHINE_INTELLIGENCE' WHEN 5 THEN 'SECURITY_COMMAND_CENTER' WHEN 6 THEN 'UNSPECIFIED' WHEN 7 THEN 'SOAR_ALERT' END ;; - group_label: "relations" - label: "relations.entity.object_reference.namespace_enum_name" - view_label: "Entity" - description: "Namespace the id belongs to." - } # dimension entity__object_reference__namespace_enum_name - - dimension: entity__platform_patch_level { - type: string - sql: ${TABLE}.entity.platform_patch_level ;; - group_label: "relations" - label: "relations.entity.platform_patch_level" - view_label: "Entity" - description: "Platform patch level. 
For example, \"Build 17134.48\"" - } # dimension entity__platform_patch_level - - dimension: entity__platform_version { - type: string - sql: ${TABLE}.entity.platform_version ;; - group_label: "relations" - label: "relations.entity.platform_version" - view_label: "Entity" - description: "Platform version. For example, \"Microsoft Windows 1803\"." - } # dimension entity__platform_version - - dimension: entity__resource { - hidden: yes - } # dimension entity__resource - - dimension: entity__resource__attribute { - hidden: yes - } # dimension entity__resource__attribute - - dimension: entity__resource__attribute__cloud { - hidden: yes - } # dimension entity__resource__attribute__cloud - - dimension: entity__resource__attribute__cloud__environment { - type: number - sql: ${TABLE}.entity.resource.attribute.cloud.environment ;; - group_label: "relations" - label: "relations.entity.resource.attribute.cloud.environment" - view_label: "Entity" - description: "The Cloud environment." - } # dimension entity__resource__attribute__cloud__environment - - dimension: entity__resource__attribute__cloud__environment_enum_name { - type: string - suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] - sql: CASE ${TABLE}.entity.resource.attribute.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; - group_label: "relations" - label: "relations.entity.resource.attribute.cloud.environment_enum_name" - view_label: "Entity" - description: "The Cloud environment." 
- } # dimension entity__resource__attribute__cloud__environment_enum_name - - dimension: entity__resource__attribute__permissions { - hidden: yes - } # dimension entity__resource__attribute__permissions - - dimension: entity__resource__name { - type: string - sql: ${TABLE}.entity.resource.name ;; - group_label: "relations" - label: "relations.entity.resource.name" - view_label: "Entity" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." - } # dimension entity__resource__name - - dimension: entity__resource__product_object_id { - type: string - sql: ${TABLE}.entity.resource.product_object_id ;; - group_label: "relations" - label: "relations.entity.resource.product_object_id" - view_label: "Entity" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" - } # dimension entity__resource__product_object_id - - dimension: entity__resource__resource_subtype { - type: string - sql: ${TABLE}.entity.resource.resource_subtype ;; - group_label: "relations" - label: "relations.entity.resource.resource_subtype" - view_label: "Entity" - description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\")." - } # dimension entity__resource__resource_subtype - - dimension: entity__resource__resource_type { - type: number - sql: ${TABLE}.entity.resource.resource_type ;; - group_label: "relations" - label: "relations.entity.resource.resource_type" - view_label: "Entity" - description: "Resource type." 
- } # dimension entity__resource__resource_type - - dimension: entity__resource__resource_type_enum_name { - type: string - suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] - sql: CASE ${TABLE}.entity.resource.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; - group_label: "relations" - label: "relations.entity.resource.resource_type_enum_name" - view_label: "Entity" - description: "Resource type." - } # dimension entity__resource__resource_type_enum_name - - dimension: entity__user { - hidden: yes - } # dimension entity__user - - dimension: entity__user__account_type { - type: number - sql: ${TABLE}.entity.user.account_type ;; - group_label: "relations" - label: "relations.entity.user.account_type" - view_label: "Entity" - description: "Type of user account (service, domain, cloud, etc). 
Somewhat aligned to: https://attack.mitre.org/techniques/T1078/" - } # dimension entity__user__account_type - - dimension: entity__user__account_type_enum_name { - type: string - suggestions: ["ACCOUNT_TYPE_UNSPECIFIED", "CLOUD_ACCOUNT_TYPE", "DEFAULT_ACCOUNT_TYPE", "DOMAIN_ACCOUNT_TYPE", "LOCAL_ACCOUNT_TYPE", "SERVICE_ACCOUNT_TYPE"] - sql: CASE ${TABLE}.entity.user.account_type WHEN 0 THEN 'ACCOUNT_TYPE_UNSPECIFIED' WHEN 1 THEN 'DOMAIN_ACCOUNT_TYPE' WHEN 2 THEN 'LOCAL_ACCOUNT_TYPE' WHEN 3 THEN 'CLOUD_ACCOUNT_TYPE' WHEN 4 THEN 'SERVICE_ACCOUNT_TYPE' WHEN 5 THEN 'DEFAULT_ACCOUNT_TYPE' END ;; - group_label: "relations" - label: "relations.entity.user.account_type_enum_name" - view_label: "Entity" - description: "Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/" - } # dimension entity__user__account_type_enum_name - - dimension: entity__user__attribute { - hidden: yes - } # dimension entity__user__attribute - - dimension: entity__user__attribute__cloud { - hidden: yes - } # dimension entity__user__attribute__cloud - - dimension: entity__user__attribute__cloud__environment { - type: number - sql: ${TABLE}.entity.user.attribute.cloud.environment ;; - group_label: "relations" - label: "relations.entity.user.attribute.cloud.environment" - view_label: "Entity" - description: "The Cloud environment." 
- } # dimension entity__user__attribute__cloud__environment - - dimension: entity__user__attribute__cloud__environment_enum_name { - type: string - suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] - sql: CASE ${TABLE}.entity.user.attribute.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; - group_label: "relations" - label: "relations.entity.user.attribute.cloud.environment_enum_name" - view_label: "Entity" - description: "The Cloud environment." - } # dimension entity__user__attribute__cloud__environment_enum_name - - dimension: entity__user__attribute__cloud__project { - hidden: yes - } # dimension entity__user__attribute__cloud__project - - dimension: entity__user__attribute__cloud__project__product_object_id { - type: string - sql: ${TABLE}.entity.user.attribute.cloud.project.product_object_id ;; - group_label: "relations" - group_item_label: "relations.entity.user.attribute.cloud.project.product_object_id [D]" - label: "relations.entity.user.attribute.cloud.project.product_object_id" - view_label: "Entity" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" - } # dimension entity__user__attribute__cloud__project__product_object_id - - dimension: entity__user__attribute__cloud__vpc { - hidden: yes - } # dimension entity__user__attribute__cloud__vpc - - dimension: entity__user__attribute__cloud__vpc__product_object_id { - type: string - sql: ${TABLE}.entity.user.attribute.cloud.vpc.product_object_id ;; - group_label: "relations" - group_item_label: "relations.entity.user.attribute.cloud.vpc.product_object_id [D]" - label: "relations.entity.user.attribute.cloud.vpc.product_object_id" - view_label: "Entity" - description: "A vendor-specific identifier to uniquely 
identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" - } # dimension entity__user__attribute__cloud__vpc__product_object_id - - dimension: entity__user__attribute__labels { - hidden: yes - } # dimension entity__user__attribute__labels - - dimension: entity__user__attribute__roles { - hidden: yes - } # dimension entity__user__attribute__roles - - dimension: entity__user__company_name { - type: string - sql: ${TABLE}.entity.user.company_name ;; - group_label: "relations" - label: "relations.entity.user.company_name" - view_label: "Entity" - description: "User job company name." - } # dimension entity__user__company_name - - dimension: entity__user__email_addresses { - hidden: yes - } # dimension entity__user__email_addresses - - dimension: entity__user__first_name { - type: string - sql: ${TABLE}.entity.user.first_name ;; - group_label: "relations" - label: "relations.entity.user.first_name" - view_label: "Entity" - description: "First name of the user (e.g. \"John\")." - } # dimension entity__user__first_name - - dimension: entity__user__last_name { - type: string - sql: ${TABLE}.entity.user.last_name ;; - group_label: "relations" - label: "relations.entity.user.last_name" - view_label: "Entity" - description: "Last name of the user (e.g. \"Locke\")." - } # dimension entity__user__last_name - - dimension: entity__user__office_address { - hidden: yes - } # dimension entity__user__office_address - - dimension: entity__user__office_address__country_or_region { - type: string - sql: ${TABLE}.entity.user.office_address.country_or_region ;; - group_label: "relations" - label: "relations.entity.user.office_address.country_or_region" - view_label: "Entity" - description: "The country or region." 
- } # dimension entity__user__office_address__country_or_region - - dimension: entity__user__office_address__name { - type: string - sql: ${TABLE}.entity.user.office_address.name ;; - group_label: "relations" - label: "relations.entity.user.office_address.name" - view_label: "Entity" - description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." - } # dimension entity__user__office_address__name - - dimension: entity__user__office_address__state { - type: string - sql: ${TABLE}.entity.user.office_address.state ;; - group_label: "relations" - label: "relations.entity.user.office_address.state" - view_label: "Entity" - description: "The state." - } # dimension entity__user__office_address__state - - dimension: entity__user__phone_numbers { - hidden: yes - } # dimension entity__user__phone_numbers - - dimension: entity__user__product_object_id { - type: string - sql: ${TABLE}.entity.user.product_object_id ;; - group_label: "relations" - label: "relations.entity.user.product_object_id" - view_label: "Entity" - description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." - } # dimension entity__user__product_object_id - - dimension: entity__user__role_description { - type: string - sql: ${TABLE}.entity.user.role_description ;; - group_label: "relations" - group_item_label: "relations.entity.user.role_description [D]" - label: "relations.entity.user.role_description" - view_label: "Entity" - description: "System role description for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" - } # dimension entity__user__role_description - - dimension: entity__user__title { - type: string - sql: ${TABLE}.entity.user.title ;; - group_label: "relations" - label: "relations.entity.user.title" - view_label: "Entity" - description: "User job title." 
- } # dimension entity__user__title - - dimension: entity__user__user_authentication_status { - type: number - sql: ${TABLE}.entity.user.user_authentication_status ;; - group_label: "relations" - label: "relations.entity.user.user_authentication_status" - view_label: "Entity" - description: "System authentication status for user." - } # dimension entity__user__user_authentication_status - - dimension: entity__user__user_authentication_status_enum_name { - type: string - suggestions: ["ACTIVE", "DELETED", "NO_ACTIVE_CREDENTIALS", "SUSPENDED", "UNKNOWN_AUTHENTICATION_STATUS"] - sql: CASE ${TABLE}.entity.user.user_authentication_status WHEN 0 THEN 'UNKNOWN_AUTHENTICATION_STATUS' WHEN 1 THEN 'ACTIVE' WHEN 2 THEN 'SUSPENDED' WHEN 3 THEN 'NO_ACTIVE_CREDENTIALS' WHEN 4 THEN 'DELETED' END ;; - group_label: "relations" - label: "relations.entity.user.user_authentication_status_enum_name" - view_label: "Entity" - description: "System authentication status for user." - } # dimension entity__user__user_authentication_status_enum_name - - dimension: entity__user__user_display_name { - type: string - sql: ${TABLE}.entity.user.user_display_name ;; - group_label: "relations" - label: "relations.entity.user.user_display_name" - view_label: "Entity" - description: "The display name of the user (e.g. \"John Locke\")." - } # dimension entity__user__user_display_name - - dimension: entity__user__userid { - type: string - sql: ${TABLE}.entity.user.userid ;; - group_label: "relations" - label: "relations.entity.user.userid" - view_label: "Entity" - description: "The ID of the user." - } # dimension entity__user__userid - - dimension: entity__user__windows_sid { - type: string - sql: ${TABLE}.entity.user.windows_sid ;; - group_label: "relations" - label: "relations.entity.user.windows_sid" - view_label: "Entity" - description: "The Microsoft Windows SID of the user." 
- } # dimension entity__user__windows_sid - - dimension: entity__user_management_chain { - hidden: yes - } # dimension entity__user_management_chain - - dimension: entity_type { - type: number - sql: ${TABLE}.entity_type ;; - group_label: "relations" - label: "relations.entity_type" - view_label: "Entity" - description: "Type of the related entity (b) in this relationship." - } # dimension entity_type - - dimension: entity_type_enum_name { - type: string - suggestions: ["ASSET", "DOMAIN_NAME", "FILE", "GROUP", "IP_ADDRESS", "METRIC", "MUTEX", "RESOURCE", "UNKNOWN_ENTITYTYPE", "URL", "USER"] - sql: CASE ${TABLE}.entity_type WHEN 0 THEN 'UNKNOWN_ENTITYTYPE' WHEN 1 THEN 'ASSET' WHEN 10000 THEN 'USER' WHEN 10001 THEN 'GROUP' WHEN 2 THEN 'RESOURCE' WHEN 3 THEN 'IP_ADDRESS' WHEN 4 THEN 'FILE' WHEN 5 THEN 'DOMAIN_NAME' WHEN 6 THEN 'URL' WHEN 7 THEN 'MUTEX' WHEN 8 THEN 'METRIC' END ;; - group_label: "relations" - label: "relations.entity_type_enum_name" - view_label: "Entity" - description: "Type of the related entity (b) in this relationship." - } # dimension entity_type_enum_name - - dimension: relationship { - type: number - sql: ${TABLE}.relationship ;; - group_label: "relations" - label: "relations.relationship" - view_label: "Entity" - description: "Type of relationship." - } # dimension relationship - - dimension: relationship_enum_name { - type: string - suggestions: ["ADMINISTERS", "CONTACTS", "DOWNLOADED_FROM", "EXECUTES", "MEMBER", "OWNS", "RELATIONSHIP_UNSPECIFIED"] - sql: CASE ${TABLE}.relationship WHEN 0 THEN 'RELATIONSHIP_UNSPECIFIED' WHEN 1 THEN 'OWNS' WHEN 2 THEN 'ADMINISTERS' WHEN 3 THEN 'MEMBER' WHEN 4 THEN 'EXECUTES' WHEN 5 THEN 'DOWNLOADED_FROM' WHEN 6 THEN 'CONTACTS' END ;; - group_label: "relations" - label: "relations.relationship_enum_name" - view_label: "Entity" - description: "Type of relationship." 
- } # dimension relationship_enum_name - -} # view entity_graph__relations - -explore: entity_graph { - ### BEGIN googlex/security/malachite/dashboards/lookml/entity_graph/entity_graph_explore_preamble.lkml - label: "Entity Graph" - - required_access_grants: [ - has_chronicle_explores_enabled - ] - - conditionally_filter: { - filters: { - field: entity_graph.time_filter - value: "last 24 hours" - } - } - - fields: [ALL_FIELDS*,] - sql_always_where: {% condition entity_graph.time_filter %} _PARTITIONTIME {% endcondition %} - AND {% condition entity_graph.time_filter %} ${metadata__collected_timestamp_raw} {% endcondition %};; - - ### END googlex/security/malachite/dashboards/lookml/entity_graph/entity_graph_explore_preamble.lkml - join: entity_graph__additional__fields { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${entity_graph.additional}.fields) as entity_graph__additional__fields ;; - view_label: "Entity" - } # join entity_graph__additional__fields - - join: entity_graph__entity__artifact__network__email__to { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${entity_graph.entity}.artifact.network.email.to) as entity_graph__entity__artifact__network__email__to ;; - view_label: "Entity" - } # join entity_graph__entity__artifact__network__email__to - - join: entity_graph__entity__asset__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${entity_graph.entity}.asset.attribute.labels) as entity_graph__entity__asset__attribute__labels ;; - view_label: "Entity" - } # join entity_graph__entity__asset__attribute__labels - - join: entity_graph__entity__asset__hardware { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${entity_graph.entity}.asset.hardware) as entity_graph__entity__asset__hardware ;; - view_label: "Entity" - } # join entity_graph__entity__asset__hardware - - join: entity_graph__entity__asset__ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${entity_graph.entity}.asset.ip) as entity_graph__entity__asset__ip ;; - 
view_label: "Entity" - } # join entity_graph__entity__asset__ip - - join: entity_graph__entity__asset__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${entity_graph.entity}.asset.labels) as entity_graph__entity__asset__labels ;; - view_label: "Entity" - } # join entity_graph__entity__asset__labels - - join: entity_graph__entity__asset__mac { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${entity_graph.entity}.asset.mac) as entity_graph__entity__asset__mac ;; - view_label: "Entity" - } # join entity_graph__entity__asset__mac - - join: entity_graph__entity__asset__nat_ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${entity_graph.entity}.asset.nat_ip) as entity_graph__entity__asset__nat_ip ;; - view_label: "Entity" - } # join entity_graph__entity__asset__nat_ip - - join: entity_graph__entity__asset__software { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${entity_graph.entity}.asset.software) as entity_graph__entity__asset__software ;; - view_label: "Entity" - } # join entity_graph__entity__asset__software - - join: entity_graph__entity__asset__software__permissions { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${entity_graph__entity__asset__software.permissions}) as entity_graph__entity__asset__software__permissions ;; - view_label: "Entity" - } # join entity_graph__entity__asset__software__permissions - - join: entity_graph__entity__asset__vulnerabilities { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${entity_graph.entity}.asset.vulnerabilities) as entity_graph__entity__asset__vulnerabilities ;; - view_label: "Entity" - } # join entity_graph__entity__asset__vulnerabilities - - join: entity_graph__entity__asset__vulnerabilities__about__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${entity_graph__entity__asset__vulnerabilities.about}.labels) as entity_graph__entity__asset__vulnerabilities__about__labels ;; - view_label: "Entity" - } # join entity_graph__entity__asset__vulnerabilities__about__labels - - 
join: entity_graph__entity__domain__admin__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${entity_graph.entity}.domain.admin.attribute.labels) as entity_graph__entity__domain__admin__attribute__labels ;; - view_label: "Entity" - } # join entity_graph__entity__domain__admin__attribute__labels - - join: entity_graph__entity__domain__billing__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${entity_graph.entity}.domain.billing.attribute.labels) as entity_graph__entity__domain__billing__attribute__labels ;; - view_label: "Entity" - } # join entity_graph__entity__domain__billing__attribute__labels - - join: entity_graph__entity__domain__name_server { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${entity_graph.entity}.domain.name_server) as entity_graph__entity__domain__name_server ;; - view_label: "Entity" - } # join entity_graph__entity__domain__name_server - - join: entity_graph__entity__domain__registrant__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${entity_graph.entity}.domain.registrant.attribute.labels) as entity_graph__entity__domain__registrant__attribute__labels ;; - view_label: "Entity" - } # join entity_graph__entity__domain__registrant__attribute__labels - - join: entity_graph__entity__domain__registrant__email_addresses { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${entity_graph.entity}.domain.registrant.email_addresses) as entity_graph__entity__domain__registrant__email_addresses ;; - view_label: "Entity" - } # join entity_graph__entity__domain__registrant__email_addresses - - join: entity_graph__entity__domain__tech__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${entity_graph.entity}.domain.tech.attribute.labels) as entity_graph__entity__domain__tech__attribute__labels ;; - view_label: "Entity" - } # join entity_graph__entity__domain__tech__attribute__labels - - join: entity_graph__entity__file__names { - relationship: one_to_one - sql: 
LEFT JOIN UNNEST(${entity_graph.entity}.file.names) as entity_graph__entity__file__names ;; - view_label: "Entity" - } # join entity_graph__entity__file__names - - join: entity_graph__entity__file__pe_file__resource { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${entity_graph.entity}.file.pe_file.resource) as entity_graph__entity__file__pe_file__resource ;; - view_label: "Entity" - } # join entity_graph__entity__file__pe_file__resource - - join: entity_graph__entity__group__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${entity_graph.entity}.group.attribute.labels) as entity_graph__entity__group__attribute__labels ;; - view_label: "Entity" - } # join entity_graph__entity__group__attribute__labels - - join: entity_graph__entity__group__email_addresses { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${entity_graph.entity}.group.email_addresses) as entity_graph__entity__group__email_addresses ;; - view_label: "Entity" - } # join entity_graph__entity__group__email_addresses - - join: entity_graph__entity__ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${entity_graph.entity}.ip) as entity_graph__entity__ip ;; - view_label: "Entity" - } # join entity_graph__entity__ip - - join: entity_graph__entity__ip_geo_artifact { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${entity_graph.entity}.ip_geo_artifact) as entity_graph__entity__ip_geo_artifact ;; - view_label: "Entity" - } # join entity_graph__entity__ip_geo_artifact - - join: entity_graph__entity__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${entity_graph.entity}.labels) as entity_graph__entity__labels ;; - view_label: "Entity" - } # join entity_graph__entity__labels - - join: entity_graph__entity__mac { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${entity_graph.entity}.mac) as entity_graph__entity__mac ;; - view_label: "Entity" - } # join entity_graph__entity__mac - - join: entity_graph__entity__resource__attribute__labels { - relationship: 
one_to_many - sql: LEFT JOIN UNNEST(${entity_graph.entity}.resource.attribute.labels) as entity_graph__entity__resource__attribute__labels ;; - view_label: "Entity" - } # join entity_graph__entity__resource__attribute__labels - - join: entity_graph__entity__user__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${entity_graph.entity}.user.attribute.labels) as entity_graph__entity__user__attribute__labels ;; - view_label: "Entity" - } # join entity_graph__entity__user__attribute__labels - - join: entity_graph__entity__user__attribute__permissions { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${entity_graph.entity}.user.attribute.permissions) as entity_graph__entity__user__attribute__permissions ;; - view_label: "Entity" - } # join entity_graph__entity__user__attribute__permissions - - join: entity_graph__entity__user__attribute__roles { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${entity_graph.entity}.user.attribute.roles) as entity_graph__entity__user__attribute__roles ;; - view_label: "Entity" - } # join entity_graph__entity__user__attribute__roles - - join: entity_graph__entity__user__department { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${entity_graph.entity}.user.department) as entity_graph__entity__user__department ;; - view_label: "Entity" - } # join entity_graph__entity__user__department - - join: entity_graph__entity__user__email_addresses { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${entity_graph.entity}.user.email_addresses) as entity_graph__entity__user__email_addresses ;; - view_label: "Entity" - } # join entity_graph__entity__user__email_addresses - - join: entity_graph__entity__user__group_identifiers { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${entity_graph.entity}.user.group_identifiers) as entity_graph__entity__user__group_identifiers ;; - view_label: "Entity" - } # join entity_graph__entity__user__group_identifiers - - join: entity_graph__entity__user__managers { - relationship: 
one_to_many - sql: LEFT JOIN UNNEST(${entity_graph.entity}.user.managers) as entity_graph__entity__user__managers ;; - view_label: "Entity" - } # join entity_graph__entity__user__managers - - join: entity_graph__entity__user__managers__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${entity_graph__entity__user__managers.attribute}.labels) as entity_graph__entity__user__managers__attribute__labels ;; - view_label: "Entity" - } # join entity_graph__entity__user__managers__attribute__labels - - join: entity_graph__entity__user__managers__attribute__roles { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${entity_graph__entity__user__managers.attribute}.roles) as entity_graph__entity__user__managers__attribute__roles ;; - view_label: "Entity" - } # join entity_graph__entity__user__managers__attribute__roles - - join: entity_graph__entity__user__managers__department { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${entity_graph__entity__user__managers.department}) as entity_graph__entity__user__managers__department ;; - view_label: "Entity" - } # join entity_graph__entity__user__managers__department - - join: entity_graph__entity__user__managers__email_addresses { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${entity_graph__entity__user__managers.email_addresses}) as entity_graph__entity__user__managers__email_addresses ;; - view_label: "Entity" - } # join entity_graph__entity__user__managers__email_addresses - - join: entity_graph__entity__user__managers__group_identifiers { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${entity_graph__entity__user__managers.group_identifiers}) as entity_graph__entity__user__managers__group_identifiers ;; - view_label: "Entity" - } # join entity_graph__entity__user__managers__group_identifiers - - join: entity_graph__entity__user__managers__phone_numbers { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${entity_graph__entity__user__managers.phone_numbers}) as 
entity_graph__entity__user__managers__phone_numbers ;; - view_label: "Entity" - } # join entity_graph__entity__user__managers__phone_numbers - - join: entity_graph__entity__user__phone_numbers { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${entity_graph.entity}.user.phone_numbers) as entity_graph__entity__user__phone_numbers ;; - view_label: "Entity" - } # join entity_graph__entity__user__phone_numbers - - join: entity_graph__entity__user__time_off { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${entity_graph.entity}.user.time_off) as entity_graph__entity__user__time_off ;; - view_label: "Entity" - } # join entity_graph__entity__user__time_off - - join: entity_graph__entity__user_management_chain { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${entity_graph.entity}.user_management_chain) as entity_graph__entity__user_management_chain ;; - view_label: "Entity" - } # join entity_graph__entity__user_management_chain - - join: entity_graph__entity__user_management_chain__department { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${entity_graph__entity__user_management_chain.department}) as entity_graph__entity__user_management_chain__department ;; - view_label: "Entity" - } # join entity_graph__entity__user_management_chain__department - - join: entity_graph__entity__user_management_chain__email_addresses { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${entity_graph__entity__user_management_chain.email_addresses}) as entity_graph__entity__user_management_chain__email_addresses ;; - view_label: "Entity" - } # join entity_graph__entity__user_management_chain__email_addresses - - join: entity_graph__metadata__event_metadata__base_labels__log_types { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${entity_graph.metadata}.event_metadata.base_labels.log_types) as entity_graph__metadata__event_metadata__base_labels__log_types ;; - view_label: "Entity" - } # join entity_graph__metadata__event_metadata__base_labels__log_types - - join: 
entity_graph__metadata__event_metadata__base_labels__namespaces { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${entity_graph.metadata}.event_metadata.base_labels.namespaces) as entity_graph__metadata__event_metadata__base_labels__namespaces ;; - view_label: "Entity" - } # join entity_graph__metadata__event_metadata__base_labels__namespaces - - join: entity_graph__metadata__source_labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${entity_graph.metadata}.source_labels) as entity_graph__metadata__source_labels ;; - view_label: "Entity" - } # join entity_graph__metadata__source_labels - - join: entity_graph__metadata__threat { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${entity_graph.metadata}.threat) as entity_graph__metadata__threat ;; - view_label: "Entity" - } # join entity_graph__metadata__threat - - join: entity_graph__metadata__threat__about__ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${entity_graph__metadata__threat.about}.ip) as entity_graph__metadata__threat__about__ip ;; - view_label: "Entity" - } # join entity_graph__metadata__threat__about__ip - - join: entity_graph__metadata__threat__about__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${entity_graph__metadata__threat.about}.labels) as entity_graph__metadata__threat__about__labels ;; - view_label: "Entity" - } # join entity_graph__metadata__threat__about__labels - - join: entity_graph__metadata__threat__about__user__email_addresses { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${entity_graph__metadata__threat.about}.user.email_addresses) as entity_graph__metadata__threat__about__user__email_addresses ;; - view_label: "Entity" - } # join entity_graph__metadata__threat__about__user__email_addresses - - join: entity_graph__metadata__threat__about__user_management_chain { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${entity_graph__metadata__threat.about}.user_management_chain) as entity_graph__metadata__threat__about__user_management_chain 
;; - view_label: "Entity" - } # join entity_graph__metadata__threat__about__user_management_chain - - join: entity_graph__metadata__threat__action { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${entity_graph__metadata__threat.action}) as entity_graph__metadata__threat__action ;; - view_label: "Entity" - } # join entity_graph__metadata__threat__action - - join: entity_graph__metadata__threat__action_enum_name { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${entity_graph__metadata__threat.action}) as entity_graph__metadata__threat__action_enum_name ;; - view_label: "Entity" - } # join entity_graph__metadata__threat__action_enum_name - - join: entity_graph__metadata__threat__category { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${entity_graph__metadata__threat.category}) as entity_graph__metadata__threat__category ;; - view_label: "Entity" - } # join entity_graph__metadata__threat__category - - join: entity_graph__metadata__threat__category_enum_name { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${entity_graph__metadata__threat.category}) as entity_graph__metadata__threat__category_enum_name ;; - view_label: "Entity" - } # join entity_graph__metadata__threat__category_enum_name - - join: entity_graph__metadata__threat__category_details { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${entity_graph__metadata__threat.category_details}) as entity_graph__metadata__threat__category_details ;; - view_label: "Entity" - } # join entity_graph__metadata__threat__category_details - - join: entity_graph__metadata__threat__detection_fields { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${entity_graph__metadata__threat.detection_fields}) as entity_graph__metadata__threat__detection_fields ;; - view_label: "Entity" - } # join entity_graph__metadata__threat__detection_fields - - join: entity_graph__metadata__threat__rule_labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${entity_graph__metadata__threat.rule_labels}) as 
entity_graph__metadata__threat__rule_labels ;; - view_label: "Entity" - } # join entity_graph__metadata__threat__rule_labels - - join: entity_graph__relations { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${entity_graph.relations}) as entity_graph__relations ;; - view_label: "Entity" - } # join entity_graph__relations - - join: entity_graph__relations__entity__asset__hardware { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${entity_graph__relations.entity}.asset.hardware) as entity_graph__relations__entity__asset__hardware ;; - view_label: "Entity" - } # join entity_graph__relations__entity__asset__hardware - - join: entity_graph__relations__entity__asset__ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${entity_graph__relations.entity}.asset.ip) as entity_graph__relations__entity__asset__ip ;; - view_label: "Entity" - } # join entity_graph__relations__entity__asset__ip - - join: entity_graph__relations__entity__asset__mac { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${entity_graph__relations.entity}.asset.mac) as entity_graph__relations__entity__asset__mac ;; - view_label: "Entity" - } # join entity_graph__relations__entity__asset__mac - - join: entity_graph__relations__entity__asset__software { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${entity_graph__relations.entity}.asset.software) as entity_graph__relations__entity__asset__software ;; - view_label: "Entity" - } # join entity_graph__relations__entity__asset__software - - join: entity_graph__relations__entity__ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${entity_graph__relations.entity}.ip) as entity_graph__relations__entity__ip ;; - view_label: "Entity" - } # join entity_graph__relations__entity__ip - - join: entity_graph__relations__entity__ip_geo_artifact { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${entity_graph__relations.entity}.ip_geo_artifact) as entity_graph__relations__entity__ip_geo_artifact ;; - view_label: "Entity" - } # join 
entity_graph__relations__entity__ip_geo_artifact - - join: entity_graph__relations__entity__ip_location { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${entity_graph__relations.entity}.ip_location) as entity_graph__relations__entity__ip_location ;; - view_label: "Entity" - } # join entity_graph__relations__entity__ip_location - - join: entity_graph__relations__entity__resource__attribute__permissions { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${entity_graph__relations.entity}.resource.attribute.permissions) as entity_graph__relations__entity__resource__attribute__permissions ;; - view_label: "Entity" - } # join entity_graph__relations__entity__resource__attribute__permissions - - join: entity_graph__relations__entity__user__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${entity_graph__relations.entity}.user.attribute.labels) as entity_graph__relations__entity__user__attribute__labels ;; - view_label: "Entity" - } # join entity_graph__relations__entity__user__attribute__labels - - join: entity_graph__relations__entity__user__attribute__roles { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${entity_graph__relations.entity}.user.attribute.roles) as entity_graph__relations__entity__user__attribute__roles ;; - view_label: "Entity" - } # join entity_graph__relations__entity__user__attribute__roles - - join: entity_graph__relations__entity__user__email_addresses { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${entity_graph__relations.entity}.user.email_addresses) as entity_graph__relations__entity__user__email_addresses ;; - view_label: "Entity" - } # join entity_graph__relations__entity__user__email_addresses - - join: entity_graph__relations__entity__user__phone_numbers { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${entity_graph__relations.entity}.user.phone_numbers) as entity_graph__relations__entity__user__phone_numbers ;; - view_label: "Entity" - } # join 
entity_graph__relations__entity__user__phone_numbers - - join: entity_graph__relations__entity__user_management_chain { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${entity_graph__relations.entity}.user_management_chain) as entity_graph__relations__entity__user_management_chain ;; - view_label: "Entity" - } # join entity_graph__relations__entity__user_management_chain - - join: entity_graph__relations__entity__user_management_chain__department { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${entity_graph__relations__entity__user_management_chain.department}) as entity_graph__relations__entity__user_management_chain__department ;; - view_label: "Entity" - } # join entity_graph__relations__entity__user_management_chain__department - -} # explore entity_graph - diff --git a/proto2lkml/events.lkml b/proto2lkml/events.lkml deleted file mode 100644 index 5938600..0000000 --- a/proto2lkml/events.lkml +++ /dev/null 
@@ -1,19328 +0,0 @@ -# Copyright Google Inc 2023 and onwards. -# This file was generated by proto2lkml. Do not modify it. -# Source: googlex/security/malachite/proto/external/udm.proto -### BEGIN googlex/security/malachite/dashboards/lookml/udm/events_preamble.lkml -include: "/chronicle_features.lkml" - -### END googlex/security/malachite/dashboards/lookml/udm/events_preamble.lkml -view: events { - ### BEGIN googlex/security/malachite/dashboards/lookml/udm/udm_view_preamble.lkml - sql_table_name: `@{EVENTS}`;; - - dimension: primary_key { - primary_key: yes - hidden: yes - sql: CONCAT(IFNULL(to_hex(${TABLE}.metadata.id), ""), - IFNULL(${TABLE}.metadata.product_log_id, ""), - IFNULL(${TABLE}.metadata.event_timestamp.seconds,0), - IFNULL(${TABLE}.metadata.event_timestamp.nanos,0), - IFNULL(${TABLE}.metadata.event_type,0), - IFNULL(${TABLE}.metadata.vendor_name,""), - IFNULL(${TABLE}.metadata.product_name,""));; - } - - measure: count { - description: "Count of UDM events; COUNT(DISTINCT ...) is used." - type: count - view_label: "UDM" - } - - measure: count_all { - description: "Count of all UDM events; COUNT(DISTINCT ...) is not used." - type: number - sql: count(*) ;; - label: "Count (all)" - view_label: "UDM" - } - - filter: time_filter { - label: "metadata.event_timestamp" - type: date_time - view_label: "UDM" - description: "Filter on the metadata.event_timestamp" - } - - #------------------------------------------------------------------------------- - # The following dimensions are here for backwards compatibility. - # Do not remove because it might break some old dashbaords that depend on it. - dimension_group: event_timestamp { - hidden: yes - type: time - timeframes: [ - raw, - time, - date, - week, - month, - hour, - minute, - year - ] - datatype: epoch - sql: ${TABLE}.metadata.event_timestamp.seconds ;; - } - - dimension: period { - hidden: yes - type: string - description: "The reporting period as selected by the Period Filter. 
Values - 'This Period' and 'Previous Period'. - Apply Filter 'This Period' to get values from current period." - sql: - CASE - WHEN {% date_start period_filter %} is not null AND {% date_end period_filter %} is not null /* date ranges or in the past x days */ - THEN - CASE - WHEN ${event_timestamp_raw} >= UNIX_SECONDS({% date_start period_filter %}) - AND ${event_timestamp_raw} <= UNIX_SECONDS({% date_end period_filter %}) - THEN 'This Period' - WHEN ${event_timestamp_raw} >= UNIX_SECONDS(TIMESTAMP_ADD({% date_start period_filter %}, INTERVAL 1 * (TIMESTAMP_DIFF({% date_start period_filter %},{% date_end period_filter %}, DAY)) DAY)) - AND ${event_timestamp_raw} <= UNIX_SECONDS(TIMESTAMP_ADD({% date_start period_filter %}, INTERVAL -1 DAY)) - THEN 'Previous Period' - END - END ;; - } - - dimension: domain { - hidden: yes - type: string - sql: REGEXP_EXTRACT(COALESCE(${TABLE}.network.dns.questions[SAFE_OFFSET(0)].name, ${TABLE}.target.hostname), r"^(?:[a-zA-Z0-9-]+\.)*([a-zA-Z0-9-]+\.[a-zA-Z0-9-]*[a-zA-Z-][a-zA-Z0-9-]*)$");; - } - - dimension: asset { - hidden: yes - type: string - label: "Asset" - sql: COALESCE(${TABLE}.principal.hostname, ${TABLE}.principal.ip[SAFE_OFFSET(0)]) ;; - } - - dimension: full_domain { - hidden: yes - type: string - sql: COALESCE(${TABLE}.network.dns.questions[SAFE_OFFSET(0)].name, ${TABLE}.target.hostname);; - } - - # This does not even exist in BQ, maybe it used to exist. 
- dimension_group: _partitiondate { - hidden: yes - type: time - timeframes: [ - raw, - date, - week, - month, - quarter, - year - ] - convert_tz: no - datatype: date - sql: ${TABLE}.hour_time_bucket ;; - } - - dimension_group: _partitiontime { - hidden: yes - type: time - timeframes: [ - raw, - date, - week, - month, - quarter, - year - ] - convert_tz: no - datatype: date - sql: ${TABLE}.hour_time_bucket ;; - } - - dimension_group: hour_time_bucket { - hidden: yes - type: time - timeframes: [ - raw, - time, - date, - week, - month, - quarter, - year - ] - sql: ${TABLE}.hour_time_bucket ;; - } - - dimension: prevalence { - hidden: yes - type: number - sql: COALESCE(${TABLE}.principal.hostname}, ${TABLE}.principal.ip}) ;; - } - - #------------------------------------------------------------------------------- - - ### END googlex/security/malachite/dashboards/lookml/udm/udm_view_preamble.lkml - filter: ip_grouped_field_filter { - label: "ip" - group_label: "Grouped Fields" - view_label: "UDM" - description: "IP address fields. Grouped Fields filter based on multiple UDM fields." 
- sql: {%condition%} ${events__principal__ip.events__principal__ip} {%endcondition%} or -{%condition%}${events__src__ip.events__src__ip} {%endcondition%} or -{%condition%}${events__target__ip.events__target__ip} {%endcondition%} or -{%condition%}${events__observer__ip.events__observer__ip} {%endcondition%} or -{%condition%}${events__intermediary__ip.events__intermediary__ip} {%endcondition%} or -{%condition%}${events.principal__artifact__ip} {%endcondition%} or -{%condition%}${events.src__artifact__ip} {%endcondition%} or -{%condition%}${events.target__artifact__ip} {%endcondition%} or -{%condition%}${events__principal__asset__ip.events__principal__asset__ip} {%endcondition%} or -{%condition%}${events__src__asset__ip.events__src__asset__ip} {%endcondition%} or -{%condition%}${events__target__asset__ip.events__target__asset__ip} {%endcondition%} -;; - } # ip - - filter: domain_grouped_field_filter { - label: "domain" - group_label: "Grouped Fields" - view_label: "UDM" - description: "Domain fields. Grouped Fields filter based on multiple UDM fields." - sql: {%condition%} ${events.network__dns_domain} {%endcondition%} or -{%condition%}${events__network__dns__questions.name} {%endcondition%} or -{%condition%}${events.principal__administrative_domain} {%endcondition%} or -{%condition%}${events.target__administrative_domain} {%endcondition%} or -{%condition%}${events__about.administrative_domain} {%endcondition%} or -{%condition%}${events.target__hostname} {%endcondition%} or -{%condition%}${events.target__asset__hostname} {%endcondition%} or -{%condition%}${events.principal__asset__network_domain} {%endcondition%} or -{%condition%}${events.target__asset__network_domain} {%endcondition%} -;; - } # domain - - filter: hostname_grouped_field_filter { - label: "hostname" - group_label: "Grouped Fields" - view_label: "UDM" - description: "Hostname fields. Grouped Fields filter based on multiple UDM fields." 
- sql: {%condition%} ${events.principal__hostname} {%endcondition%} or -{%condition%}${events.src__hostname} {%endcondition%} or -{%condition%}${events.target__hostname} {%endcondition%} or -{%condition%}${events__intermediary.hostname} {%endcondition%} or -{%condition%}${events.observer__hostname} {%endcondition%} or -{%condition%}${events.principal__asset__hostname} {%endcondition%} or -{%condition%}${events.src__asset__hostname} {%endcondition%} or -{%condition%}${events.target__asset__hostname} {%endcondition%} -;; - } # hostname - - filter: user_grouped_field_filter { - label: "user" - group_label: "Grouped Fields" - view_label: "UDM" - description: "User ID fields. Grouped Fields filter based on multiple UDM fields." - sql: {%condition%} ${events.principal__user__userid} {%endcondition%} or -{%condition%}${events.src__user__userid} {%endcondition%} or -{%condition%}${events.target__user__userid} {%endcondition%} or -{%condition%}${events.observer__user__userid} {%endcondition%} or -{%condition%}${events__about.user__userid} {%endcondition%} or -{%condition%}${events.principal__user__windows_sid} {%endcondition%} or -{%condition%}${events.target__user__windows_sid} {%endcondition%} or -{%condition%}${events.principal__user__user_display_name} {%endcondition%} or -{%condition%}${events.target__user__user_display_name} {%endcondition%} -;; - } # user - - filter: email_grouped_field_filter { - label: "email" - group_label: "Grouped Fields" - view_label: "UDM" - description: "Email address fields. Grouped Fields filter based on multiple UDM fields." 
- sql: {%condition%} ${events__principal__user__email_addresses.events__principal__user__email_addresses} {%endcondition%} or -{%condition%}${events__target__user__email_addresses.events__target__user__email_addresses} {%endcondition%} or -{%condition%}${events__intermediary__user__email_addresses.events__intermediary__user__email_addresses} {%endcondition%} or -{%condition%}${events__security_result__about__user__email_addresses.events__security_result__about__user__email_addresses} {%endcondition%} or -{%condition%}${events.network__email__from} {%endcondition%} or -{%condition%}${events__network__email__to.events__network__email__to} {%endcondition%} -;; - } # email - - filter: file_path_grouped_field_filter { - label: "file_path" - group_label: "Grouped Fields" - view_label: "UDM" - description: "File path fields. Grouped Fields filter based on multiple UDM fields." - sql: {%condition%} ${events.principal__file__full_path} {%endcondition%} or -{%condition%}${events.target__file__full_path} {%endcondition%} or -{%condition%}${events.principal__process__file__full_path} {%endcondition%} or -{%condition%}${events.target__process__file__full_path} {%endcondition%} -;; - } # file_path - - filter: hash_grouped_field_filter { - label: "hash" - group_label: "Grouped Fields" - view_label: "UDM" - description: "File hash fields. Grouped Fields filter based on multiple UDM fields." 
- sql: {%condition%} ${events.principal__process__file__md5} {%endcondition%} or -{%condition%}${events.target__process__file__md5} {%endcondition%} or -{%condition%}${events.principal__process__file__sha1} {%endcondition%} or -{%condition%}${events.target__process__file__sha1} {%endcondition%} or -{%condition%}${events.principal__process__file__sha256} {%endcondition%} or -{%condition%}${events.target__process__file__sha256} {%endcondition%} or -{%condition%}${events.target__file__md5} {%endcondition%} or -{%condition%}${events.target__file__sha1} {%endcondition%} or -{%condition%}${events.target__file__sha256} {%endcondition%} or -{%condition%}${events__about.file__md5} {%endcondition%} or -{%condition%}${events__about.file__sha256} {%endcondition%} or -{%condition%}${events__about.file__sha1} {%endcondition%} or -{%condition%}${events__security_result.about__file__sha256} {%endcondition%} -;; - } # hash - - filter: process_id_grouped_field_filter { - label: "process_id" - group_label: "Grouped Fields" - view_label: "UDM" - description: "Process ID fields. Grouped Fields filter based on multiple UDM fields." - sql: {%condition%} ${events.principal__process__pid} {%endcondition%} or -{%condition%}${events.target__process__pid} {%endcondition%} or -{%condition%}${events.principal__process__product_specific_process_id} {%endcondition%} or -{%condition%}${events.target__process__product_specific_process_id} {%endcondition%} -;; - } # process_id - - filter: namespace_grouped_field_filter { - label: "namespace" - group_label: "Grouped Fields" - view_label: "UDM" - description: "Namespace fields. Grouped Fields filter based on multiple UDM fields." 
- sql: {%condition%} ${events.principal__namespace} {%endcondition%} or -{%condition%}${events.src__namespace} {%endcondition%} or -{%condition%}${events.target__namespace} {%endcondition%} -;; - } # namespace - - dimension: about { - hidden: yes - } # dimension about - - dimension: additional { - hidden: yes - } # dimension additional - - dimension: additional__fields { - hidden: yes - } # dimension additional__fields - - dimension: extensions { - hidden: yes - } # dimension extensions - - dimension: extensions__auth { - hidden: yes - } # dimension extensions__auth - - dimension: extensions__auth__auth_details { - type: string - sql: ${TABLE}.extensions.auth.auth_details ;; - group_label: "extensions" - label: "extensions.auth.auth_details" - view_label: "UDM" - description: "The vendor defined details of the authentication." - } # dimension extensions__auth__auth_details - - dimension: extensions__auth__mechanism { - hidden: yes - } # dimension extensions__auth__mechanism - - dimension: extensions__auth__mechanism_enum_name { - hidden: yes - } # dimension extensions__auth__mechanism_enum_name - - dimension: extensions__auth__type { - type: number - sql: ${TABLE}.extensions.auth.type ;; - group_label: "extensions" - label: "extensions.auth.type" - view_label: "UDM" - description: "The type of authentication." - } # dimension extensions__auth__type - - dimension: extensions__auth__type_enum_name { - type: string - suggestions: ["AUTHTYPE_UNSPECIFIED", "MACHINE", "PHYSICAL", "SSO", "TACACS", "VPN"] - sql: CASE ${TABLE}.extensions.auth.type WHEN 0 THEN 'AUTHTYPE_UNSPECIFIED' WHEN 1 THEN 'MACHINE' WHEN 2 THEN 'SSO' WHEN 3 THEN 'VPN' WHEN 4 THEN 'PHYSICAL' WHEN 5 THEN 'TACACS' END ;; - group_label: "extensions" - label: "extensions.auth.type_enum_name" - view_label: "UDM" - description: "The type of authentication." 
- } # dimension extensions__auth__type_enum_name - - dimension: extensions__vulns { - hidden: yes - } # dimension extensions__vulns - - dimension: extensions__vulns__vulnerabilities { - hidden: yes - } # dimension extensions__vulns__vulnerabilities - - dimension: intermediary { - hidden: yes - } # dimension intermediary - - dimension: metadata { - hidden: yes - } # dimension metadata - - dimension: metadata__base_labels { - hidden: yes - } # dimension metadata__base_labels - - dimension: metadata__base_labels__log_types { - hidden: yes - } # dimension metadata__base_labels__log_types - - dimension: metadata__base_labels__namespaces { - hidden: yes - } # dimension metadata__base_labels__namespaces - - dimension_group: metadata__collected_timestamp { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.metadata.collected_timestamp.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.metadata.collected_timestamp.nanos, 0) / 1000) as INT64)) ;; - group_label: "metadata" - label: "metadata.collected_timestamp" - view_label: "UDM" - description: "The GMT timestamp when the event was collected by the vendor's local collection infrastructure." - } # dimension metadata__collected_timestamp - - dimension: metadata__description { - type: string - sql: ${TABLE}.metadata.description ;; - group_label: "metadata" - label: "metadata.description" - view_label: "UDM" - description: "A human-readable unparsable description of the event." - } # dimension metadata__description - - dimension: metadata__enrichment_state { - type: number - sql: ${TABLE}.metadata.enrichment_state ;; - group_label: "metadata" - label: "metadata.enrichment_state" - view_label: "UDM" - description: "The enrichment state." 
- } # dimension metadata__enrichment_state - - dimension: metadata__enrichment_state_enum_name { - type: string - suggestions: ["ENRICHED", "ENRICHMENT_STATE_UNSPECIFIED", "UNENRICHED"] - sql: CASE ${TABLE}.metadata.enrichment_state WHEN 0 THEN 'ENRICHMENT_STATE_UNSPECIFIED' WHEN 1 THEN 'ENRICHED' WHEN 2 THEN 'UNENRICHED' END ;; - group_label: "metadata" - label: "metadata.enrichment_state_enum_name" - view_label: "UDM" - description: "The enrichment state." - } # dimension metadata__enrichment_state_enum_name - - dimension_group: metadata__event_timestamp { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.metadata.event_timestamp.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.metadata.event_timestamp.nanos, 0) / 1000) as INT64)) ;; - group_label: "metadata" - label: "metadata.event_timestamp" - view_label: "UDM" - description: "The GMT timestamp when the event was generated." - } # dimension metadata__event_timestamp - - dimension: metadata__event_type { - type: number - sql: ${TABLE}.metadata.event_type ;; - group_label: "metadata" - label: "metadata.event_type" - view_label: "UDM" - description: "The event type. If an event has multiple possible types, this specifies the most specific type." 
- } # dimension metadata__event_type - - dimension: metadata__event_type_enum_name { - type: string - suggestions: ["ANALYST_ADD_COMMENT", "ANALYST_UPDATE_PRIORITY", "ANALYST_UPDATE_REASON", "ANALYST_UPDATE_REPUTATION", "ANALYST_UPDATE_RISK_SCORE", "ANALYST_UPDATE_ROOT_CAUSE", "ANALYST_UPDATE_SEVERITY_SCORE", "ANALYST_UPDATE_STATUS", "ANALYST_UPDATE_VERDICT", "DEVICE_CONFIG_UPDATE", "DEVICE_FIRMWARE_UPDATE", "DEVICE_PROGRAM_DOWNLOAD", "DEVICE_PROGRAM_UPLOAD", "EMAIL_TRANSACTION", "EMAIL_UNCATEGORIZED", "EMAIL_URL_CLICK", "EVENTTYPE_UNSPECIFIED", "FILE_COPY", "FILE_CREATION", "FILE_DELETION", "FILE_MODIFICATION", "FILE_MOVE", "FILE_OPEN", "FILE_READ", "FILE_SYNC", "FILE_UNCATEGORIZED", "GENERIC_EVENT", "GROUP_CREATION", "GROUP_DELETION", "GROUP_MODIFICATION", "GROUP_UNCATEGORIZED", "MUTEX_CREATION", "MUTEX_UNCATEGORIZED", "NETWORK_CONNECTION", "NETWORK_DHCP", "NETWORK_DNS", "NETWORK_FLOW", "NETWORK_FTP", "NETWORK_HTTP", "NETWORK_SMTP", "NETWORK_UNCATEGORIZED", "PROCESS_INJECTION", "PROCESS_LAUNCH", "PROCESS_MODULE_LOAD", "PROCESS_OPEN", "PROCESS_PRIVILEGE_ESCALATION", "PROCESS_TERMINATION", "PROCESS_UNCATEGORIZED", "REGISTRY_CREATION", "REGISTRY_DELETION", "REGISTRY_MODIFICATION", "REGISTRY_UNCATEGORIZED", "RESOURCE_CREATION", "RESOURCE_DELETION", "RESOURCE_PERMISSIONS_CHANGE", "RESOURCE_READ", "RESOURCE_WRITTEN", "SCAN_FILE", "SCAN_HOST", "SCAN_NETWORK", "SCAN_PROCESS", "SCAN_PROCESS_BEHAVIORS", "SCAN_UNCATEGORIZED", "SCAN_VULN_HOST", "SCAN_VULN_NETWORK", "SCHEDULED_TASK_CREATION", "SCHEDULED_TASK_DELETION", "SCHEDULED_TASK_DISABLE", "SCHEDULED_TASK_ENABLE", "SCHEDULED_TASK_MODIFICATION", "SCHEDULED_TASK_UNCATEGORIZED", "SERVICE_CREATION", "SERVICE_DELETION", "SERVICE_MODIFICATION", "SERVICE_START", "SERVICE_STOP", "SERVICE_UNSPECIFIED", "SETTING_CREATION", "SETTING_DELETION", "SETTING_MODIFICATION", "SETTING_UNCATEGORIZED", "STATUS_HEARTBEAT", "STATUS_SHUTDOWN", "STATUS_STARTUP", "STATUS_UNCATEGORIZED", "STATUS_UPDATE", "SYSTEM_AUDIT_LOG_UNCATEGORIZED", 
"SYSTEM_AUDIT_LOG_WIPE", "USER_BADGE_IN", "USER_CHANGE_PASSWORD", "USER_CHANGE_PERMISSIONS", "USER_COMMUNICATION", "USER_CREATION", "USER_DELETION", "USER_LOGIN", "USER_LOGOUT", "USER_RESOURCE_ACCESS", "USER_RESOURCE_CREATION", "USER_RESOURCE_DELETION", "USER_RESOURCE_UPDATE_CONTENT", "USER_RESOURCE_UPDATE_PERMISSIONS", "USER_STATS", "USER_UNCATEGORIZED"] - sql: CASE ${TABLE}.metadata.event_type WHEN 0 THEN 'EVENTTYPE_UNSPECIFIED' WHEN 10000 THEN 'PROCESS_UNCATEGORIZED' WHEN 10001 THEN 'PROCESS_LAUNCH' WHEN 10002 THEN 'PROCESS_INJECTION' WHEN 10003 THEN 'PROCESS_PRIVILEGE_ESCALATION' WHEN 10004 THEN 'PROCESS_TERMINATION' WHEN 10005 THEN 'PROCESS_OPEN' WHEN 10006 THEN 'PROCESS_MODULE_LOAD' WHEN 11000 THEN 'REGISTRY_UNCATEGORIZED' WHEN 11001 THEN 'REGISTRY_CREATION' WHEN 11002 THEN 'REGISTRY_MODIFICATION' WHEN 11003 THEN 'REGISTRY_DELETION' WHEN 12000 THEN 'SETTING_UNCATEGORIZED' WHEN 12001 THEN 'SETTING_CREATION' WHEN 12002 THEN 'SETTING_MODIFICATION' WHEN 12003 THEN 'SETTING_DELETION' WHEN 13000 THEN 'MUTEX_UNCATEGORIZED' WHEN 13001 THEN 'MUTEX_CREATION' WHEN 14000 THEN 'FILE_UNCATEGORIZED' WHEN 14001 THEN 'FILE_CREATION' WHEN 14002 THEN 'FILE_DELETION' WHEN 14003 THEN 'FILE_MODIFICATION' WHEN 14004 THEN 'FILE_READ' WHEN 14005 THEN 'FILE_COPY' WHEN 14006 THEN 'FILE_OPEN' WHEN 14007 THEN 'FILE_MOVE' WHEN 14008 THEN 'FILE_SYNC' WHEN 15000 THEN 'USER_UNCATEGORIZED' WHEN 15001 THEN 'USER_LOGIN' WHEN 15002 THEN 'USER_LOGOUT' WHEN 15003 THEN 'USER_CREATION' WHEN 15004 THEN 'USER_CHANGE_PASSWORD' WHEN 15005 THEN 'USER_CHANGE_PERMISSIONS' WHEN 15006 THEN 'USER_STATS' WHEN 15007 THEN 'USER_BADGE_IN' WHEN 15008 THEN 'USER_DELETION' WHEN 15009 THEN 'USER_RESOURCE_CREATION' WHEN 15010 THEN 'USER_RESOURCE_UPDATE_CONTENT' WHEN 15011 THEN 'USER_RESOURCE_UPDATE_PERMISSIONS' WHEN 15012 THEN 'USER_COMMUNICATION' WHEN 15013 THEN 'USER_RESOURCE_ACCESS' WHEN 15014 THEN 'USER_RESOURCE_DELETION' WHEN 23000 THEN 'GROUP_UNCATEGORIZED' WHEN 23001 THEN 'GROUP_CREATION' WHEN 23002 THEN 
'GROUP_DELETION' WHEN 23003 THEN 'GROUP_MODIFICATION' WHEN 19000 THEN 'EMAIL_UNCATEGORIZED' WHEN 19001 THEN 'EMAIL_TRANSACTION' WHEN 19002 THEN 'EMAIL_URL_CLICK' WHEN 16000 THEN 'NETWORK_UNCATEGORIZED' WHEN 16001 THEN 'NETWORK_FLOW' WHEN 16002 THEN 'NETWORK_CONNECTION' WHEN 16003 THEN 'NETWORK_FTP' WHEN 16004 THEN 'NETWORK_DHCP' WHEN 16005 THEN 'NETWORK_DNS' WHEN 16006 THEN 'NETWORK_HTTP' WHEN 16007 THEN 'NETWORK_SMTP' WHEN 17000 THEN 'STATUS_UNCATEGORIZED' WHEN 17001 THEN 'STATUS_HEARTBEAT' WHEN 17002 THEN 'STATUS_STARTUP' WHEN 17003 THEN 'STATUS_SHUTDOWN' WHEN 17004 THEN 'STATUS_UPDATE' WHEN 18000 THEN 'SCAN_UNCATEGORIZED' WHEN 18001 THEN 'SCAN_FILE' WHEN 18002 THEN 'SCAN_PROCESS_BEHAVIORS' WHEN 18003 THEN 'SCAN_PROCESS' WHEN 18004 THEN 'SCAN_HOST' WHEN 18005 THEN 'SCAN_VULN_HOST' WHEN 18006 THEN 'SCAN_VULN_NETWORK' WHEN 18007 THEN 'SCAN_NETWORK' WHEN 20000 THEN 'SCHEDULED_TASK_UNCATEGORIZED' WHEN 20001 THEN 'SCHEDULED_TASK_CREATION' WHEN 20002 THEN 'SCHEDULED_TASK_DELETION' WHEN 20003 THEN 'SCHEDULED_TASK_ENABLE' WHEN 20004 THEN 'SCHEDULED_TASK_DISABLE' WHEN 20005 THEN 'SCHEDULED_TASK_MODIFICATION' WHEN 21000 THEN 'SYSTEM_AUDIT_LOG_UNCATEGORIZED' WHEN 21001 THEN 'SYSTEM_AUDIT_LOG_WIPE' WHEN 22000 THEN 'SERVICE_UNSPECIFIED' WHEN 22001 THEN 'SERVICE_CREATION' WHEN 22002 THEN 'SERVICE_DELETION' WHEN 22003 THEN 'SERVICE_START' WHEN 22004 THEN 'SERVICE_STOP' WHEN 22005 THEN 'SERVICE_MODIFICATION' WHEN 100000 THEN 'GENERIC_EVENT' WHEN 1 THEN 'RESOURCE_CREATION' WHEN 2 THEN 'RESOURCE_DELETION' WHEN 3 THEN 'RESOURCE_PERMISSIONS_CHANGE' WHEN 4 THEN 'RESOURCE_READ' WHEN 5 THEN 'RESOURCE_WRITTEN' WHEN 25000 THEN 'DEVICE_FIRMWARE_UPDATE' WHEN 25001 THEN 'DEVICE_CONFIG_UPDATE' WHEN 25002 THEN 'DEVICE_PROGRAM_UPLOAD' WHEN 25003 THEN 'DEVICE_PROGRAM_DOWNLOAD' WHEN 24000 THEN 'ANALYST_UPDATE_VERDICT' WHEN 24001 THEN 'ANALYST_UPDATE_REPUTATION' WHEN 24002 THEN 'ANALYST_UPDATE_SEVERITY_SCORE' WHEN 24007 THEN 'ANALYST_UPDATE_STATUS' WHEN 24008 THEN 'ANALYST_ADD_COMMENT' WHEN 24009 
THEN 'ANALYST_UPDATE_PRIORITY' WHEN 24010 THEN 'ANALYST_UPDATE_ROOT_CAUSE' WHEN 24011 THEN 'ANALYST_UPDATE_REASON' WHEN 24012 THEN 'ANALYST_UPDATE_RISK_SCORE' END ;; - group_label: "metadata" - label: "metadata.event_type_enum_name" - view_label: "UDM" - description: "The event type. If an event has multiple possible types, this specifies the most specific type." - } # dimension metadata__event_type_enum_name - - dimension: metadata__id { - type: string - sql: ${TABLE}.metadata.id ;; - group_label: "metadata" - label: "metadata.id" - view_label: "UDM" - description: "ID of the UDM event. Can be used for raw and normalized event retrieval." - } # dimension metadata__id - - dimension_group: metadata__ingested_timestamp { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.metadata.ingested_timestamp.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.metadata.ingested_timestamp.nanos, 0) / 1000) as INT64)) ;; - group_label: "metadata" - label: "metadata.ingested_timestamp" - view_label: "UDM" - description: "The GMT timestamp when the event was ingested (received) by Chronicle." - } # dimension metadata__ingested_timestamp - - dimension: metadata__ingestion_labels { - hidden: yes - } # dimension metadata__ingestion_labels - - dimension: metadata__log_type { - type: string - sql: ${TABLE}.metadata.log_type ;; - group_label: "metadata" - label: "metadata.log_type" - view_label: "UDM" - description: "The string value of log type." - } # dimension metadata__log_type - - dimension: metadata__product_deployment_id { - type: string - sql: ${TABLE}.metadata.product_deployment_id ;; - group_label: "metadata" - label: "metadata.product_deployment_id" - view_label: "UDM" - description: "The deployment identifier assigned by the vendor for a product deployment." 
- } # dimension metadata__product_deployment_id - - dimension: metadata__product_event_type { - type: string - sql: ${TABLE}.metadata.product_event_type ;; - group_label: "metadata" - label: "metadata.product_event_type" - view_label: "UDM" - description: "A short, descriptive, human-readable, product-specific event name or type (e.g. \"Scanned X\", \"User account created\", \"process_start\")." - } # dimension metadata__product_event_type - - dimension: metadata__product_log_id { - type: string - sql: ${TABLE}.metadata.product_log_id ;; - group_label: "metadata" - label: "metadata.product_log_id" - view_label: "UDM" - description: "A vendor-specific event identifier to uniquely identify the event (e.g. a GUID)." - } # dimension metadata__product_log_id - - dimension: metadata__product_name { - type: string - sql: ${TABLE}.metadata.product_name ;; - group_label: "metadata" - label: "metadata.product_name" - view_label: "UDM" - description: "The name of the product." - } # dimension metadata__product_name - - dimension: metadata__product_version { - type: string - sql: ${TABLE}.metadata.product_version ;; - group_label: "metadata" - label: "metadata.product_version" - view_label: "UDM" - description: "The version of the product." - } # dimension metadata__product_version - - dimension: metadata__tags { - hidden: yes - } # dimension metadata__tags - - dimension: metadata__tags__data_tap_config_name { - hidden: yes - } # dimension metadata__tags__data_tap_config_name - - dimension: metadata__tags__tenant_id { - hidden: yes - } # dimension metadata__tags__tenant_id - - dimension: metadata__url_back_to_product { - type: string - sql: ${TABLE}.metadata.url_back_to_product ;; - group_label: "metadata" - label: "metadata.url_back_to_product" - view_label: "UDM" - description: "A URL that takes the user to the source product console for this event." 
- } # dimension metadata__url_back_to_product - - dimension: metadata__vendor_name { - type: string - sql: ${TABLE}.metadata.vendor_name ;; - group_label: "metadata" - label: "metadata.vendor_name" - view_label: "UDM" - description: "The name of the product vendor." - } # dimension metadata__vendor_name - - dimension: network { - hidden: yes - } # dimension network - - dimension: network__application_protocol { - type: number - sql: ${TABLE}.network.application_protocol ;; - group_label: "network" - label: "network.application_protocol" - view_label: "UDM" - description: "The application protocol." - } # dimension network__application_protocol - - dimension: network__application_protocol_enum_name { - type: string - suggestions: ["AFP", "AMQP", "APPC", "ATOM", "BEEP", "BITCOIN", "BIT_TORRENT", "CFDP", "CIP", "COAP", "COTP", "DCERPC", "DDS", "DEVICE_NET", "DHCP", "DICOM", "DNP3", "DNS", "ENRP", "E_DONKEY", "FAST_TRACK", "FINGER", "FREENET", "FTAM", "GOOSE", "GOPHER", "H323", "HL7", "HTTP", "HTTPS", "IEC104", "IRCP", "KADEMLIA", "KRB5", "LDAP", "LPD", "MIME", "MMS", "MODBUS", "MQTT", "NETCONF", "NFS", "NIS", "NNTP", "NTCIP", "NTP", "OSCAR", "PNRP", "PTP", "QUIC", "RDP", "RELP", "RIP", "RLOGIN", "RPC", "RTMP", "RTP", "RTPS", "RTSP", "SAP", "SDP", "SIP", "SLP", "SMB", "SMTP", "SNMP", "SNTP", "SSH", "SSMS", "STYX", "SV", "TCAP", "TDS", "TOR", "TSP", "UNKNOWN_APPLICATION_PROTOCOL", "VTP", "WEB_DAV", "WHOIS", "X400", "X500", "XMPP"] - sql: CASE ${TABLE}.network.application_protocol WHEN 0 THEN 'UNKNOWN_APPLICATION_PROTOCOL' WHEN 1 THEN 'AFP' WHEN 2 THEN 'APPC' WHEN 3 THEN 'AMQP' WHEN 4 THEN 'ATOM' WHEN 5 THEN 'BEEP' WHEN 6 THEN 'BITCOIN' WHEN 7 THEN 'BIT_TORRENT' WHEN 8 THEN 'CFDP' WHEN 67 THEN 'CIP' WHEN 9 THEN 'COAP' WHEN 68 THEN 'COTP' WHEN 66 THEN 'DCERPC' WHEN 10 THEN 'DDS' WHEN 11 THEN 'DEVICE_NET' WHEN 4000 THEN 'DHCP' WHEN 69 THEN 'DICOM' WHEN 70 THEN 'DNP3' WHEN 3000 THEN 'DNS' WHEN 12 THEN 'E_DONKEY' WHEN 13 THEN 'ENRP' WHEN 14 THEN 'FAST_TRACK' WHEN 15 THEN 
'FINGER' WHEN 16 THEN 'FREENET' WHEN 17 THEN 'FTAM' WHEN 71 THEN 'GOOSE' WHEN 18 THEN 'GOPHER' WHEN 19 THEN 'HL7' WHEN 20 THEN 'H323' WHEN 2000 THEN 'HTTP' WHEN 2001 THEN 'HTTPS' WHEN 72 THEN 'IEC104' WHEN 21 THEN 'IRCP' WHEN 22 THEN 'KADEMLIA' WHEN 65 THEN 'KRB5' WHEN 23 THEN 'LDAP' WHEN 24 THEN 'LPD' WHEN 25 THEN 'MIME' WHEN 73 THEN 'MMS' WHEN 26 THEN 'MODBUS' WHEN 27 THEN 'MQTT' WHEN 28 THEN 'NETCONF' WHEN 29 THEN 'NFS' WHEN 30 THEN 'NIS' WHEN 31 THEN 'NNTP' WHEN 32 THEN 'NTCIP' WHEN 33 THEN 'NTP' WHEN 34 THEN 'OSCAR' WHEN 35 THEN 'PNRP' WHEN 74 THEN 'PTP' WHEN 1000 THEN 'QUIC' WHEN 36 THEN 'RDP' WHEN 37 THEN 'RELP' WHEN 38 THEN 'RIP' WHEN 39 THEN 'RLOGIN' WHEN 40 THEN 'RPC' WHEN 41 THEN 'RTMP' WHEN 42 THEN 'RTP' WHEN 43 THEN 'RTPS' WHEN 44 THEN 'RTSP' WHEN 45 THEN 'SAP' WHEN 46 THEN 'SDP' WHEN 47 THEN 'SIP' WHEN 48 THEN 'SLP' WHEN 49 THEN 'SMB' WHEN 50 THEN 'SMTP' WHEN 75 THEN 'SNMP' WHEN 51 THEN 'SNTP' WHEN 52 THEN 'SSH' WHEN 53 THEN 'SSMS' WHEN 54 THEN 'STYX' WHEN 76 THEN 'SV' WHEN 55 THEN 'TCAP' WHEN 56 THEN 'TDS' WHEN 57 THEN 'TOR' WHEN 58 THEN 'TSP' WHEN 59 THEN 'VTP' WHEN 60 THEN 'WHOIS' WHEN 61 THEN 'WEB_DAV' WHEN 62 THEN 'X400' WHEN 63 THEN 'X500' WHEN 64 THEN 'XMPP' END ;; - group_label: "network" - label: "network.application_protocol_enum_name" - view_label: "UDM" - description: "The application protocol." - } # dimension network__application_protocol_enum_name - - dimension: network__application_protocol_version { - type: string - sql: ${TABLE}.network.application_protocol_version ;; - group_label: "network" - label: "network.application_protocol_version" - view_label: "UDM" - description: "The version of the application protocol. e.g. \"1.1, 2.0\"" - } # dimension network__application_protocol_version - - dimension: network__asn { - type: string - sql: ${TABLE}.network.asn ;; - group_label: "network" - label: "network.asn" - view_label: "UDM" - description: "Autonomous system number." 
- } # dimension network__asn - - dimension: network__carrier_name { - type: string - sql: ${TABLE}.network.carrier_name ;; - group_label: "network" - label: "network.carrier_name" - view_label: "UDM" - description: "Carrier identification." - } # dimension network__carrier_name - - dimension: network__community_id { - type: string - sql: ${TABLE}.network.community_id ;; - group_label: "network" - label: "network.community_id" - view_label: "UDM" - description: "Community ID network flow hash." - } # dimension network__community_id - - dimension: network__dhcp { - hidden: yes - } # dimension network__dhcp - - dimension: network__dhcp__chaddr { - type: string - sql: ${TABLE}.network.dhcp.chaddr ;; - group_label: "network" - label: "network.dhcp.chaddr" - view_label: "UDM" - description: "Client hardware address (chaddr)." - } # dimension network__dhcp__chaddr - - dimension: network__dhcp__ciaddr { - type: string - sql: ${TABLE}.network.dhcp.ciaddr ;; - group_label: "network" - label: "network.dhcp.ciaddr" - view_label: "UDM" - description: "Client IP address (ciaddr)." - } # dimension network__dhcp__ciaddr - - dimension: network__dhcp__client_hostname { - type: string - sql: ${TABLE}.network.dhcp.client_hostname ;; - group_label: "network" - label: "network.dhcp.client_hostname" - view_label: "UDM" - description: "Client hostname. See RFC2132, section 3.14." - } # dimension network__dhcp__client_hostname - - dimension: network__dhcp__client_identifier { - type: string - sql: ${TABLE}.network.dhcp.client_identifier ;; - group_label: "network" - label: "network.dhcp.client_identifier" - view_label: "UDM" - description: "Client identifier. See RFC2132, section 9.14." - } # dimension network__dhcp__client_identifier - - dimension: network__dhcp__file { - type: string - sql: ${TABLE}.network.dhcp.file ;; - group_label: "network" - label: "network.dhcp.file" - view_label: "UDM" - description: "Boot image filename." 
- } # dimension network__dhcp__file - - dimension: network__dhcp__flags { - type: number - sql: ${TABLE}.network.dhcp.flags ;; - group_label: "network" - label: "network.dhcp.flags" - view_label: "UDM" - description: "Flags." - } # dimension network__dhcp__flags - - dimension: network__dhcp__giaddr { - type: string - sql: ${TABLE}.network.dhcp.giaddr ;; - group_label: "network" - label: "network.dhcp.giaddr" - view_label: "UDM" - description: "Relay agent IP address (giaddr)." - } # dimension network__dhcp__giaddr - - dimension: network__dhcp__hlen { - type: number - sql: ${TABLE}.network.dhcp.hlen ;; - group_label: "network" - label: "network.dhcp.hlen" - view_label: "UDM" - description: "Hardware address length." - } # dimension network__dhcp__hlen - - dimension: network__dhcp__hops { - type: number - sql: ${TABLE}.network.dhcp.hops ;; - group_label: "network" - label: "network.dhcp.hops" - view_label: "UDM" - description: "Hardware ops." - } # dimension network__dhcp__hops - - dimension: network__dhcp__htype { - type: number - sql: ${TABLE}.network.dhcp.htype ;; - group_label: "network" - label: "network.dhcp.htype" - view_label: "UDM" - description: "Hardware address type." - } # dimension network__dhcp__htype - - dimension: network__dhcp__lease_time_seconds { - type: number - sql: ${TABLE}.network.dhcp.lease_time_seconds ;; - group_label: "network" - label: "network.dhcp.lease_time_seconds" - view_label: "UDM" - description: "Lease time in seconds. See RFC2132, section 9.2." - } # dimension network__dhcp__lease_time_seconds - - dimension: network__dhcp__opcode { - type: number - sql: ${TABLE}.network.dhcp.opcode ;; - group_label: "network" - label: "network.dhcp.opcode" - view_label: "UDM" - description: "The BOOTP op code." 
- } # dimension network__dhcp__opcode - - dimension: network__dhcp__opcode_enum_name { - type: string - suggestions: ["BOOTREPLY", "BOOTREQUEST", "UNKNOWN_OPCODE"] - sql: CASE ${TABLE}.network.dhcp.opcode WHEN 0 THEN 'UNKNOWN_OPCODE' WHEN 1 THEN 'BOOTREQUEST' WHEN 2 THEN 'BOOTREPLY' END ;; - group_label: "network" - label: "network.dhcp.opcode_enum_name" - view_label: "UDM" - description: "The BOOTP op code." - } # dimension network__dhcp__opcode_enum_name - - dimension: network__dhcp__options { - hidden: yes - } # dimension network__dhcp__options - - dimension: network__dhcp__requested_address { - type: string - sql: ${TABLE}.network.dhcp.requested_address ;; - group_label: "network" - label: "network.dhcp.requested_address" - view_label: "UDM" - description: "Requested IP address. See RFC2132, section 9.1." - } # dimension network__dhcp__requested_address - - dimension: network__dhcp__seconds { - type: number - sql: ${TABLE}.network.dhcp.seconds ;; - group_label: "network" - label: "network.dhcp.seconds" - view_label: "UDM" - description: "Seconds elapsed since client began address acquisition/renewal process." - } # dimension network__dhcp__seconds - - dimension: network__dhcp__siaddr { - type: string - sql: ${TABLE}.network.dhcp.siaddr ;; - group_label: "network" - label: "network.dhcp.siaddr" - view_label: "UDM" - description: "IP address of the next bootstrap server." - } # dimension network__dhcp__siaddr - - dimension: network__dhcp__sname { - type: string - sql: ${TABLE}.network.dhcp.sname ;; - group_label: "network" - label: "network.dhcp.sname" - view_label: "UDM" - description: "Server name that the client wishes to boot from." - } # dimension network__dhcp__sname - - dimension: network__dhcp__transaction_id { - type: number - sql: ${TABLE}.network.dhcp.transaction_id ;; - group_label: "network" - label: "network.dhcp.transaction_id" - view_label: "UDM" - description: "Transaction ID." 
- } # dimension network__dhcp__transaction_id - - dimension: network__dhcp__type { - type: number - sql: ${TABLE}.network.dhcp.type ;; - group_label: "network" - label: "network.dhcp.type" - view_label: "UDM" - description: "DHCP message type." - } # dimension network__dhcp__type - - dimension: network__dhcp__type_enum_name { - type: string - suggestions: ["ACK", "DECLINE", "DISCOVER", "INFORM", "NAK", "OFFER", "RELEASE", "REQUEST", "UNKNOWN_MESSAGE_TYPE", "WIN_DELETED", "WIN_EXPIRED"] - sql: CASE ${TABLE}.network.dhcp.type WHEN 0 THEN 'UNKNOWN_MESSAGE_TYPE' WHEN 1 THEN 'DISCOVER' WHEN 2 THEN 'OFFER' WHEN 3 THEN 'REQUEST' WHEN 4 THEN 'DECLINE' WHEN 5 THEN 'ACK' WHEN 6 THEN 'NAK' WHEN 7 THEN 'RELEASE' WHEN 8 THEN 'INFORM' WHEN 100 THEN 'WIN_DELETED' WHEN 101 THEN 'WIN_EXPIRED' END ;; - group_label: "network" - label: "network.dhcp.type_enum_name" - view_label: "UDM" - description: "DHCP message type." - } # dimension network__dhcp__type_enum_name - - dimension: network__dhcp__yiaddr { - type: string - sql: ${TABLE}.network.dhcp.yiaddr ;; - group_label: "network" - label: "network.dhcp.yiaddr" - view_label: "UDM" - description: "Your IP address (yiaddr)." - } # dimension network__dhcp__yiaddr - - dimension: network__direction { - type: number - sql: ${TABLE}.network.direction ;; - group_label: "network" - label: "network.direction" - view_label: "UDM" - description: "The direction of network traffic." - } # dimension network__direction - - dimension: network__direction_enum_name { - type: string - suggestions: ["BROADCAST", "INBOUND", "OUTBOUND", "UNKNOWN_DIRECTION"] - sql: CASE ${TABLE}.network.direction WHEN 0 THEN 'UNKNOWN_DIRECTION' WHEN 1 THEN 'INBOUND' WHEN 2 THEN 'OUTBOUND' WHEN 3 THEN 'BROADCAST' END ;; - group_label: "network" - label: "network.direction_enum_name" - view_label: "UDM" - description: "The direction of network traffic." 
- } # dimension network__direction_enum_name - - dimension: network__dns { - hidden: yes - } # dimension network__dns - - dimension: network__dns__additional { - hidden: yes - } # dimension network__dns__additional - - dimension: network__dns__answers { - hidden: yes - } # dimension network__dns__answers - - dimension: network__dns__authoritative { - type: yesno - sql: ${TABLE}.network.dns.authoritative ;; - group_label: "network" - label: "network.dns.authoritative" - view_label: "UDM" - description: "Other DNS header flags. See RFC1035, section 4.1.1." - } # dimension network__dns__authoritative - - dimension: network__dns__authority { - hidden: yes - } # dimension network__dns__authority - - dimension: network__dns__id { - type: number - sql: ${TABLE}.network.dns.id ;; - group_label: "network" - label: "network.dns.id" - view_label: "UDM" - description: "DNS query id." - } # dimension network__dns__id - - dimension: network__dns__opcode { - type: number - sql: ${TABLE}.network.dns.opcode ;; - group_label: "network" - label: "network.dns.opcode" - view_label: "UDM" - description: "The DNS OpCode used to specify the type of DNS query (e.g. QUERY, IQUERY, STATUS, etc.)." - } # dimension network__dns__opcode - - dimension: network__dns__questions { - hidden: yes - } # dimension network__dns__questions - - dimension: network__dns__recursion_available { - type: yesno - sql: ${TABLE}.network.dns.recursion_available ;; - group_label: "network" - label: "network.dns.recursion_available" - view_label: "UDM" - description: "Whether a recursive DNS lookup is available." - } # dimension network__dns__recursion_available - - dimension: network__dns__recursion_desired { - type: yesno - sql: ${TABLE}.network.dns.recursion_desired ;; - group_label: "network" - label: "network.dns.recursion_desired" - view_label: "UDM" - description: "Whether a recursive DNS lookup is desired." 
- } # dimension network__dns__recursion_desired - - dimension: network__dns__response { - type: yesno - sql: ${TABLE}.network.dns.response ;; - group_label: "network" - label: "network.dns.response" - view_label: "UDM" - description: "Set to true if the event is a DNS response. See QR field from RFC1035." - } # dimension network__dns__response - - dimension: network__dns__response_code { - type: number - sql: ${TABLE}.network.dns.response_code ;; - group_label: "network" - label: "network.dns.response_code" - view_label: "UDM" - description: "Response code. See RCODE from RFC1035." - } # dimension network__dns__response_code - - dimension: network__dns__truncated { - type: yesno - sql: ${TABLE}.network.dns.truncated ;; - group_label: "network" - label: "network.dns.truncated" - view_label: "UDM" - description: "Whether the DNS response was truncated." - } # dimension network__dns__truncated - - dimension: network__dns_domain { - type: string - sql: ${TABLE}.network.dns_domain ;; - group_label: "network" - label: "network.dns_domain" - view_label: "UDM" - description: "DNS domain name." - } # dimension network__dns_domain - - dimension: network__email { - hidden: yes - } # dimension network__email - - dimension: network__email__bcc { - hidden: yes - } # dimension network__email__bcc - - dimension: network__email__bounce_address { - type: string - sql: ${TABLE}.network.email.bounce_address ;; - group_label: "network" - label: "network.email.bounce_address" - view_label: "UDM" - description: "The envelope from address. https://en.wikipedia.org/wiki/Bounce_address" - } # dimension network__email__bounce_address - - dimension: network__email__cc { - hidden: yes - } # dimension network__email__cc - - dimension: network__email__from { - type: string - sql: ${TABLE}.network.email.from ;; - group_label: "network" - label: "network.email.from" - view_label: "UDM" - description: "The 'from' address." 
- } # dimension network__email__from - - dimension: network__email__mail_id { - type: string - sql: ${TABLE}.network.email.mail_id ;; - group_label: "network" - label: "network.email.mail_id" - view_label: "UDM" - description: "The mail (or message) ID." - } # dimension network__email__mail_id - - dimension: network__email__reply_to { - type: string - sql: ${TABLE}.network.email.reply_to ;; - group_label: "network" - label: "network.email.reply_to" - view_label: "UDM" - description: "The 'reply to' address." - } # dimension network__email__reply_to - - dimension: network__email__subject { - hidden: yes - } # dimension network__email__subject - - dimension: network__email__to { - hidden: yes - } # dimension network__email__to - - dimension: network__ftp { - hidden: yes - } # dimension network__ftp - - dimension: network__ftp__command { - type: string - sql: ${TABLE}.network.ftp.command ;; - group_label: "network" - label: "network.ftp.command" - view_label: "UDM" - description: "The FTP command." - } # dimension network__ftp__command - - dimension: network__http { - hidden: yes - } # dimension network__http - - dimension: network__http__method { - type: string - sql: ${TABLE}.network.http.method ;; - group_label: "network" - label: "network.http.method" - view_label: "UDM" - description: "The HTTP request method (e.g. \"GET\", \"POST\", \"PATCH\", \"DELETE\")." - } # dimension network__http__method - - dimension: network__http__parsed_user_agent { - hidden: yes - } # dimension network__http__parsed_user_agent - - dimension: network__http__parsed_user_agent__annotation { - hidden: yes - } # dimension network__http__parsed_user_agent__annotation - - dimension: network__http__parsed_user_agent__browser { - type: string - sql: ${TABLE}.network.http.parsed_user_agent.browser ;; - group_label: "network" - label: "network.http.parsed_user_agent.browser" - view_label: "UDM" - description: "Product brand within the family: Firefox, Netscape, Camino etc.. 
Or Earth, Windows-Media-Player etc.. for non-browser user agents." - } # dimension network__http__parsed_user_agent__browser - - dimension: network__http__parsed_user_agent__browser_engine_version { - type: string - sql: ${TABLE}.network.http.parsed_user_agent.browser_engine_version ;; - group_label: "network" - label: "network.http.parsed_user_agent.browser_engine_version" - view_label: "UDM" - description: "Version of the rendering engine e.g. \"8.01\" for \"Opera/8.01\"" - } # dimension network__http__parsed_user_agent__browser_engine_version - - dimension: network__http__parsed_user_agent__browser_version { - type: string - sql: ${TABLE}.network.http.parsed_user_agent.browser_version ;; - group_label: "network" - label: "network.http.parsed_user_agent.browser_version" - view_label: "UDM" - description: "Minor and lower versions unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference)." - } # dimension network__http__parsed_user_agent__browser_version - - dimension: network__http__parsed_user_agent__carrier { - type: string - sql: ${TABLE}.network.http.parsed_user_agent.carrier ;; - group_label: "network" - label: "network.http.parsed_user_agent.carrier" - view_label: "UDM" - description: "Mobile specific: name of mobile carrier" - } # dimension network__http__parsed_user_agent__carrier - - dimension: network__http__parsed_user_agent__device { - type: string - sql: ${TABLE}.network.http.parsed_user_agent.device ;; - group_label: "network" - label: "network.http.parsed_user_agent.device" - view_label: "UDM" - description: "(Usually) Mobile specific: name of hardware device, may or may not contain the full model name. e.g. iPhone, Palm750, SPH-M800. Reduced to \"K\" for Android devices with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference)." 
- } # dimension network__http__parsed_user_agent__device - - dimension: network__http__parsed_user_agent__device_version { - type: string - sql: ${TABLE}.network.http.parsed_user_agent.device_version ;; - group_label: "network" - label: "network.http.parsed_user_agent.device_version" - view_label: "UDM" - description: "(Usually) Mobile specific: version of hardware device Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference)." - } # dimension network__http__parsed_user_agent__device_version - - dimension: network__http__parsed_user_agent__family { - type: number - sql: ${TABLE}.network.http.parsed_user_agent.family ;; - group_label: "network" - label: "network.http.parsed_user_agent.family" - view_label: "UDM" - description: "User agent family captures the type of browser/app at a high-level e.g. MSIE, Gecko, Safari etc.." - } # dimension network__http__parsed_user_agent__family - - dimension: network__http__parsed_user_agent__family_enum_name { - type: string - suggestions: ["APPLE", "APPLEWEBKIT", "BLACKBERRY", "CLIENT_HINTS", "DOCOMO", "GECKO", "GOOGLE", "KHTML", "KOREAN", "MICROSOFT", "MSIE", "NETFRONT", "NOKIA", "OBIGO", "OPENWAVE", "OPERA", "OTHER", "POLARIS", "SEMC", "SMIT", "TELECA", "USER_DEFINED"] - sql: CASE ${TABLE}.network.http.parsed_user_agent.family WHEN 0 THEN 'USER_DEFINED' WHEN 1 THEN 'MSIE' WHEN 2 THEN 'GECKO' WHEN 3 THEN 'APPLEWEBKIT' WHEN 4 THEN 'OPERA' WHEN 5 THEN 'KHTML' WHEN 10 THEN 'OTHER' WHEN 11 THEN 'APPLE' WHEN 12 THEN 'BLACKBERRY' WHEN 13 THEN 'DOCOMO' WHEN 14 THEN 'GOOGLE' WHEN 15 THEN 'OPENWAVE' WHEN 16 THEN 'POLARIS' WHEN 17 THEN 'OBIGO' WHEN 18 THEN 'TELECA' WHEN 19 THEN 'MICROSOFT' WHEN 20 THEN 'NOKIA' WHEN 21 THEN 'NETFRONT' WHEN 22 THEN 'SEMC' WHEN 23 THEN 'SMIT' WHEN 24 THEN 'KOREAN' WHEN 25 THEN 'CLIENT_HINTS' END ;; - group_label: "network" - label: "network.http.parsed_user_agent.family_enum_name" - view_label: "UDM" - description: "User agent family captures the type of browser/app 
at a high-level e.g. MSIE, Gecko, Safari etc.." - } # dimension network__http__parsed_user_agent__family_enum_name - - dimension: network__http__parsed_user_agent__google_toolbar_version { - type: string - sql: ${TABLE}.network.http.parsed_user_agent.google_toolbar_version ;; - group_label: "network" - label: "network.http.parsed_user_agent.google_toolbar_version" - view_label: "UDM" - description: "Version number of GoogleToolbar, if installed. Applies only to MSIE and Firefox at this time." - } # dimension network__http__parsed_user_agent__google_toolbar_version - - dimension: network__http__parsed_user_agent__java_configuration { - type: string - sql: ${TABLE}.network.http.parsed_user_agent.java_configuration ;; - group_label: "network" - label: "network.http.parsed_user_agent.java_configuration" - view_label: "UDM" - description: "Mobile specific: e.g. Configuration/CLDC-1.1" - } # dimension network__http__parsed_user_agent__java_configuration - - dimension: network__http__parsed_user_agent__java_configuration_version { - type: string - sql: ${TABLE}.network.http.parsed_user_agent.java_configuration_version ;; - group_label: "network" - label: "network.http.parsed_user_agent.java_configuration_version" - view_label: "UDM" - } # dimension network__http__parsed_user_agent__java_configuration_version - - dimension: network__http__parsed_user_agent__java_profile { - type: string - sql: ${TABLE}.network.http.parsed_user_agent.java_profile ;; - group_label: "network" - label: "network.http.parsed_user_agent.java_profile" - view_label: "UDM" - description: "Mobile specific: e.g. 
Profile/MIDP-2.0" - } # dimension network__http__parsed_user_agent__java_profile - - dimension: network__http__parsed_user_agent__java_profile_version { - type: string - sql: ${TABLE}.network.http.parsed_user_agent.java_profile_version ;; - group_label: "network" - label: "network.http.parsed_user_agent.java_profile_version" - view_label: "UDM" - } # dimension network__http__parsed_user_agent__java_profile_version - - dimension: network__http__parsed_user_agent__locale { - type: string - sql: ${TABLE}.network.http.parsed_user_agent.locale ;; - group_label: "network" - label: "network.http.parsed_user_agent.locale" - view_label: "UDM" - description: "Locale in which the browser is running as country code and optionally language pair. Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference)." - } # dimension network__http__parsed_user_agent__locale - - dimension: network__http__parsed_user_agent__messaging { - type: string - sql: ${TABLE}.network.http.parsed_user_agent.messaging ;; - group_label: "network" - label: "network.http.parsed_user_agent.messaging" - view_label: "UDM" - description: "Mobile specific: e.g. MMP/2.0" - } # dimension network__http__parsed_user_agent__messaging - - dimension: network__http__parsed_user_agent__messaging_version { - type: string - sql: ${TABLE}.network.http.parsed_user_agent.messaging_version ;; - group_label: "network" - label: "network.http.parsed_user_agent.messaging_version" - view_label: "UDM" - } # dimension network__http__parsed_user_agent__messaging_version - - dimension: network__http__parsed_user_agent__os { - type: string - sql: ${TABLE}.network.http.parsed_user_agent.os ;; - group_label: "network" - label: "network.http.parsed_user_agent.os" - view_label: "UDM" - description: "Full name of the operating system e.g. 
\"Darwin/9.7.0\", \"Android 1.5\", \"Windows 98\" Version is reduced, and other data might also be missing, for reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference)." - } # dimension network__http__parsed_user_agent__os - - dimension: network__http__parsed_user_agent__os_variant { - type: string - sql: ${TABLE}.network.http.parsed_user_agent.os_variant ;; - group_label: "network" - label: "network.http.parsed_user_agent.os_variant" - view_label: "UDM" - description: "Extra qualifier for the OS e.g. \"(i386)\", \"Build/CUPCAKE\", \"PalmSource/Palm-D061\" Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference)." - } # dimension network__http__parsed_user_agent__os_variant - - dimension: network__http__parsed_user_agent__platform { - type: string - sql: ${TABLE}.network.http.parsed_user_agent.platform ;; - group_label: "network" - label: "network.http.parsed_user_agent.platform" - view_label: "UDM" - description: "The platform describes the environment in which the browser or app runs. For desktop user agents, Platform is a string describing the OS family e.g. Windows, Macintosh, Linux. For mobile user agents, Platform either describes the OS family (if available) or the hardware maker. e.g. Linux, or HTC, LG, Palm." - } # dimension network__http__parsed_user_agent__platform - - dimension: network__http__parsed_user_agent__security { - type: string - sql: ${TABLE}.network.http.parsed_user_agent.security ;; - group_label: "network" - label: "network.http.parsed_user_agent.security" - view_label: "UDM" - description: "Security level reported by user agent, either U, I or N. Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference)." 
- } # dimension network__http__parsed_user_agent__security - - dimension: network__http__parsed_user_agent__sub_family { - type: string - sql: ${TABLE}.network.http.parsed_user_agent.sub_family ;; - group_label: "network" - label: "network.http.parsed_user_agent.sub_family" - view_label: "UDM" - description: "Sub-family identifies individual regexps when a family has more than 1. This is used to generate the right UA string from a protobuf. Examples in the AppleWebKit family: Chrome and Safari. Can also be an arbitrary identifier." - } # dimension network__http__parsed_user_agent__sub_family - - dimension: network__http__referral_url { - type: string - sql: ${TABLE}.network.http.referral_url ;; - group_label: "network" - label: "network.http.referral_url" - view_label: "UDM" - description: "The URL for the HTTP referer." - } # dimension network__http__referral_url - - dimension: network__http__response_code { - type: number - sql: ${TABLE}.network.http.response_code ;; - group_label: "network" - label: "network.http.response_code" - view_label: "UDM" - description: "The response status code. e.g. 200, 302, 404, 500, etc." - } # dimension network__http__response_code - - dimension: network__http__user_agent { - type: string - sql: ${TABLE}.network.http.user_agent ;; - group_label: "network" - label: "network.http.user_agent" - view_label: "UDM" - description: "The User-Agent request header which includes the application type, operating system, software vendor or software version of the requesting software user agent." - } # dimension network__http__user_agent - - dimension: network__ip_protocol { - type: number - sql: ${TABLE}.network.ip_protocol ;; - group_label: "network" - label: "network.ip_protocol" - view_label: "UDM" - description: "The IP protocol." 
- } # dimension network__ip_protocol - - dimension: network__ip_protocol_enum_name { - type: string - suggestions: ["EIGRP", "ESP", "ETHERIP", "GRE", "ICMP", "ICMP6", "IGMP", "IP6IN4", "PIM", "SCTP", "TCP", "UDP", "UNKNOWN_IP_PROTOCOL", "VRRP"] - sql: CASE ${TABLE}.network.ip_protocol WHEN 0 THEN 'UNKNOWN_IP_PROTOCOL' WHEN 1 THEN 'ICMP' WHEN 2 THEN 'IGMP' WHEN 6 THEN 'TCP' WHEN 17 THEN 'UDP' WHEN 41 THEN 'IP6IN4' WHEN 47 THEN 'GRE' WHEN 50 THEN 'ESP' WHEN 58 THEN 'ICMP6' WHEN 88 THEN 'EIGRP' WHEN 97 THEN 'ETHERIP' WHEN 103 THEN 'PIM' WHEN 112 THEN 'VRRP' WHEN 132 THEN 'SCTP' END ;; - group_label: "network" - label: "network.ip_protocol_enum_name" - view_label: "UDM" - description: "The IP protocol." - } # dimension network__ip_protocol_enum_name - - dimension: network__organization_name { - type: string - sql: ${TABLE}.network.organization_name ;; - group_label: "network" - label: "network.organization_name" - view_label: "UDM" - description: "Organization name (e.g Google)." - } # dimension network__organization_name - - dimension: network__parent_session_id { - type: string - sql: ${TABLE}.network.parent_session_id ;; - group_label: "network" - label: "network.parent_session_id" - view_label: "UDM" - description: "The ID of the parent network session." - } # dimension network__parent_session_id - - dimension: network__received_bytes { - type: number - sql: ${TABLE}.network.received_bytes ;; - group_label: "network" - label: "network.received_bytes" - view_label: "UDM" - description: "The number of bytes received." - } # dimension network__received_bytes - - dimension: network__received_packets { - type: number - sql: ${TABLE}.network.received_packets ;; - group_label: "network" - label: "network.received_packets" - view_label: "UDM" - description: "The number of packets received." 
- } # dimension network__received_packets - - dimension: network__sent_bytes { - type: number - sql: ${TABLE}.network.sent_bytes ;; - group_label: "network" - label: "network.sent_bytes" - view_label: "UDM" - description: "The number of bytes sent." - } # dimension network__sent_bytes - - dimension: network__sent_packets { - type: number - sql: ${TABLE}.network.sent_packets ;; - group_label: "network" - label: "network.sent_packets" - view_label: "UDM" - description: "The number of packets sent." - } # dimension network__sent_packets - - dimension_group: network__session_duration { - type: duration - intervals: [ second, minute, hour ] - sql_start: TIMESTAMP_MICROS(0) ;; - sql_end: TIMESTAMP_MICROS(IFNULL(${TABLE}.network.session_duration.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.network.session_duration.nanos, 0) / 1000) as INT64)) ;; - group_label: "network" - label: "network.session_duration" - view_label: "UDM" - description: "The duration of the session as the number of seconds and nanoseconds. For seconds, network.session_duration.seconds, the type is a 64-bit integer. For nanoseconds, network.session_duration.nanos, the type is a 32-bit integer." - } # dimension network__session_duration - - dimension: network__session_id { - type: string - sql: ${TABLE}.network.session_id ;; - group_label: "network" - label: "network.session_id" - view_label: "UDM" - description: "The ID of the network session." - } # dimension network__session_id - - dimension: network__smtp { - hidden: yes - } # dimension network__smtp - - dimension: network__smtp__helo { - type: string - sql: ${TABLE}.network.smtp.helo ;; - group_label: "network" - label: "network.smtp.helo" - view_label: "UDM" - description: "The client's 'HELO'/'EHLO' string." 
- } # dimension network__smtp__helo - - dimension: network__tls { - hidden: yes - } # dimension network__tls - - dimension: network__tls__cipher { - type: string - sql: ${TABLE}.network.tls.cipher ;; - group_label: "network" - label: "network.tls.cipher" - view_label: "UDM" - description: "Cipher used during the connection." - } # dimension network__tls__cipher - - dimension: network__tls__client { - hidden: yes - } # dimension network__tls__client - - dimension: network__tls__client__certificate { - hidden: yes - } # dimension network__tls__client__certificate - - dimension: network__tls__client__certificate__issuer { - type: string - sql: ${TABLE}.network.tls.client.certificate.issuer ;; - group_label: "network" - label: "network.tls.client.certificate.issuer" - view_label: "UDM" - description: "Issuer of the certificate." - } # dimension network__tls__client__certificate__issuer - - dimension_group: network__tls__client__certificate__not_after { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.network.tls.client.certificate.not_after.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.network.tls.client.certificate.not_after.nanos, 0) / 1000) as INT64)) ;; - group_label: "network" - label: "network.tls.client.certificate.not_after" - view_label: "UDM" - description: "Indicates when the certificate is no longer valid." 
- } # dimension network__tls__client__certificate__not_after - - dimension_group: network__tls__client__certificate__not_before { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.network.tls.client.certificate.not_before.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.network.tls.client.certificate.not_before.nanos, 0) / 1000) as INT64)) ;; - group_label: "network" - label: "network.tls.client.certificate.not_before" - view_label: "UDM" - description: "Indicates when the certificate is first valid." - } # dimension network__tls__client__certificate__not_before - - dimension: network__tls__client__certificate__serial { - type: string - sql: ${TABLE}.network.tls.client.certificate.serial ;; - group_label: "network" - label: "network.tls.client.certificate.serial" - view_label: "UDM" - description: "Certificate serial number." - } # dimension network__tls__client__certificate__serial - - dimension: network__tls__client__certificate__sha1 { - type: string - sql: ${TABLE}.network.tls.client.certificate.sha1 ;; - group_label: "network" - label: "network.tls.client.certificate.sha1" - view_label: "UDM" - description: "The SHA1 hash of the certificate." - } # dimension network__tls__client__certificate__sha1 - - dimension: network__tls__client__certificate__sha256 { - type: string - sql: ${TABLE}.network.tls.client.certificate.sha256 ;; - group_label: "network" - label: "network.tls.client.certificate.sha256" - view_label: "UDM" - description: "The SHA256 hash of the certificate." - } # dimension network__tls__client__certificate__sha256 - - dimension: network__tls__client__certificate__subject { - type: string - sql: ${TABLE}.network.tls.client.certificate.subject ;; - group_label: "network" - label: "network.tls.client.certificate.subject" - view_label: "UDM" - description: "Subject of the certificate." 
- } # dimension network__tls__client__certificate__subject - - dimension: network__tls__client__certificate__version { - type: string - sql: ${TABLE}.network.tls.client.certificate.version ;; - group_label: "network" - label: "network.tls.client.certificate.version" - view_label: "UDM" - description: "Certificate version." - } # dimension network__tls__client__certificate__version - - dimension: network__tls__client__ja3 { - type: string - sql: ${TABLE}.network.tls.client.ja3 ;; - group_label: "network" - label: "network.tls.client.ja3" - view_label: "UDM" - description: "JA3 hash from client hello." - } # dimension network__tls__client__ja3 - - dimension: network__tls__client__server_name { - type: string - sql: ${TABLE}.network.tls.client.server_name ;; - group_label: "network" - label: "network.tls.client.server_name" - view_label: "UDM" - description: "Host name of the server, that the client is connecting to." - } # dimension network__tls__client__server_name - - dimension: network__tls__client__supported_ciphers { - hidden: yes - } # dimension network__tls__client__supported_ciphers - - dimension: network__tls__curve { - type: string - sql: ${TABLE}.network.tls.curve ;; - group_label: "network" - label: "network.tls.curve" - view_label: "UDM" - description: "Elliptical curve used for a given cipher." - } # dimension network__tls__curve - - dimension: network__tls__established { - type: yesno - sql: ${TABLE}.network.tls.established ;; - group_label: "network" - label: "network.tls.established" - view_label: "UDM" - description: "Indicates whether the TLS negotiation was successful." - } # dimension network__tls__established - - dimension: network__tls__next_protocol { - type: string - sql: ${TABLE}.network.tls.next_protocol ;; - group_label: "network" - label: "network.tls.next_protocol" - view_label: "UDM" - description: "Protocol to be used for tunnel." 
- } # dimension network__tls__next_protocol - - dimension: network__tls__resumed { - type: yesno - sql: ${TABLE}.network.tls.resumed ;; - group_label: "network" - label: "network.tls.resumed" - view_label: "UDM" - description: "Indicates whether the TLS connection was resumed from a previous TLS negotiation." - } # dimension network__tls__resumed - - dimension: network__tls__server { - hidden: yes - } # dimension network__tls__server - - dimension: network__tls__server__certificate { - hidden: yes - } # dimension network__tls__server__certificate - - dimension: network__tls__server__certificate__issuer { - type: string - sql: ${TABLE}.network.tls.server.certificate.issuer ;; - group_label: "network" - label: "network.tls.server.certificate.issuer" - view_label: "UDM" - description: "Issuer of the certificate." - } # dimension network__tls__server__certificate__issuer - - dimension: network__tls__server__certificate__md5 { - type: string - sql: ${TABLE}.network.tls.server.certificate.md5 ;; - group_label: "network" - label: "network.tls.server.certificate.md5" - view_label: "UDM" - description: "The MD5 hash of the certificate." - } # dimension network__tls__server__certificate__md5 - - dimension_group: network__tls__server__certificate__not_after { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.network.tls.server.certificate.not_after.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.network.tls.server.certificate.not_after.nanos, 0) / 1000) as INT64)) ;; - group_label: "network" - label: "network.tls.server.certificate.not_after" - view_label: "UDM" - description: "Indicates when the certificate is no longer valid." 
- } # dimension network__tls__server__certificate__not_after - - dimension_group: network__tls__server__certificate__not_before { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.network.tls.server.certificate.not_before.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.network.tls.server.certificate.not_before.nanos, 0) / 1000) as INT64)) ;; - group_label: "network" - label: "network.tls.server.certificate.not_before" - view_label: "UDM" - description: "Indicates when the certificate is first valid." - } # dimension network__tls__server__certificate__not_before - - dimension: network__tls__server__certificate__serial { - type: string - sql: ${TABLE}.network.tls.server.certificate.serial ;; - group_label: "network" - label: "network.tls.server.certificate.serial" - view_label: "UDM" - description: "Certificate serial number." - } # dimension network__tls__server__certificate__serial - - dimension: network__tls__server__certificate__sha1 { - type: string - sql: ${TABLE}.network.tls.server.certificate.sha1 ;; - group_label: "network" - label: "network.tls.server.certificate.sha1" - view_label: "UDM" - description: "The SHA1 hash of the certificate." - } # dimension network__tls__server__certificate__sha1 - - dimension: network__tls__server__certificate__sha256 { - type: string - sql: ${TABLE}.network.tls.server.certificate.sha256 ;; - group_label: "network" - label: "network.tls.server.certificate.sha256" - view_label: "UDM" - description: "The SHA256 hash of the certificate." - } # dimension network__tls__server__certificate__sha256 - - dimension: network__tls__server__certificate__subject { - type: string - sql: ${TABLE}.network.tls.server.certificate.subject ;; - group_label: "network" - label: "network.tls.server.certificate.subject" - view_label: "UDM" - description: "Subject of the certificate." 
- } # dimension network__tls__server__certificate__subject - - dimension: network__tls__server__certificate__version { - type: string - sql: ${TABLE}.network.tls.server.certificate.version ;; - group_label: "network" - label: "network.tls.server.certificate.version" - view_label: "UDM" - description: "Certificate version." - } # dimension network__tls__server__certificate__version - - dimension: network__tls__server__ja3s { - type: string - sql: ${TABLE}.network.tls.server.ja3s ;; - group_label: "network" - label: "network.tls.server.ja3s" - view_label: "UDM" - description: "JA3 hash from server hello." - } # dimension network__tls__server__ja3s - - dimension: network__tls__version { - type: string - sql: ${TABLE}.network.tls.version ;; - group_label: "network" - label: "network.tls.version" - view_label: "UDM" - description: "TLS version." - } # dimension network__tls__version - - dimension: network__tls__version_protocol { - type: string - sql: ${TABLE}.network.tls.version_protocol ;; - group_label: "network" - label: "network.tls.version_protocol" - view_label: "UDM" - description: "Protocol." - } # dimension network__tls__version_protocol - - dimension: observer { - hidden: yes - } # dimension observer - - dimension: observer__administrative_domain { - type: string - sql: ${TABLE}.observer.administrative_domain ;; - group_label: "observer" - label: "observer.administrative_domain" - view_label: "UDM" - description: "Domain which the device belongs to (for example, the Microsoft Windows domain)." - } # dimension observer__administrative_domain - - dimension: observer__application { - type: string - sql: ${TABLE}.observer.application ;; - group_label: "observer" - label: "observer.application" - view_label: "UDM" - description: "The name of an application or service. Some SSO solutions only capture the name of a target application such as \"Atlassian\" or \"Chronicle\"." 
- } # dimension observer__application - - dimension: observer__artifact { - hidden: yes - } # dimension observer__artifact - - dimension: observer__artifact__location { - hidden: yes - } # dimension observer__artifact__location - - dimension: observer__artifact__location__name { - type: string - sql: ${TABLE}.observer.artifact.location.name ;; - group_label: "observer" - label: "observer.artifact.location.name" - view_label: "UDM" - description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." - } # dimension observer__artifact__location__name - - dimension: observer__artifact__location__state { - type: string - sql: ${TABLE}.observer.artifact.location.state ;; - group_label: "observer" - label: "observer.artifact.location.state" - view_label: "UDM" - description: "The state." - } # dimension observer__artifact__location__state - - dimension: observer__asset { - hidden: yes - } # dimension observer__asset - - dimension: observer__asset__attribute { - hidden: yes - } # dimension observer__asset__attribute - - dimension: observer__asset__attribute__labels { - hidden: yes - } # dimension observer__asset__attribute__labels - - dimension: observer__asset__category { - type: string - sql: ${TABLE}.observer.asset.category ;; - group_label: "observer" - label: "observer.asset.category" - view_label: "UDM" - description: "The category of the asset (e.g. \"End User Asset\", \"Workstation\", \"Server\")." - } # dimension observer__asset__category - - dimension: observer__asset__hostname { - type: string - sql: ${TABLE}.observer.asset.hostname ;; - group_label: "observer" - label: "observer.asset.hostname" - view_label: "UDM" - description: "Asset hostname or domain name field." 
- } # dimension observer__asset__hostname - - dimension: observer__asset__ip { - hidden: yes - } # dimension observer__asset__ip - - dimension: observer__asset__location { - hidden: yes - } # dimension observer__asset__location - - dimension: observer__asset__location__name { - type: string - sql: ${TABLE}.observer.asset.location.name ;; - group_label: "observer" - label: "observer.asset.location.name" - view_label: "UDM" - description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." - } # dimension observer__asset__location__name - - dimension: observer__asset__network_domain { - type: string - sql: ${TABLE}.observer.asset.network_domain ;; - group_label: "observer" - label: "observer.asset.network_domain" - view_label: "UDM" - description: "The network domain of the asset (e.g. \"corp.acme.com\")" - } # dimension observer__asset__network_domain - - dimension: observer__asset__platform_software { - hidden: yes - } # dimension observer__asset__platform_software - - dimension: observer__asset__platform_software__platform_version { - type: string - sql: ${TABLE}.observer.asset.platform_software.platform_version ;; - group_label: "observer" - label: "observer.asset.platform_software.platform_version" - view_label: "UDM" - description: "The platform software version ( e.g. \"Microsoft Windows 1803\")." - } # dimension observer__asset__platform_software__platform_version - - dimension: observer__asset__product_object_id { - type: string - sql: ${TABLE}.observer.asset.product_object_id ;; - group_label: "observer" - label: "observer.asset.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID or similar)." 
- } # dimension observer__asset__product_object_id - - dimension: observer__asset__software { - hidden: yes - } # dimension observer__asset__software - - dimension: observer__asset__vulnerabilities { - hidden: yes - } # dimension observer__asset__vulnerabilities - - dimension: observer__asset_id { - type: string - sql: ${TABLE}.observer.asset_id ;; - group_label: "observer" - label: "observer.asset_id" - view_label: "UDM" - description: "The asset ID." - } # dimension observer__asset_id - - dimension: observer__cloud { - hidden: yes - } # dimension observer__cloud - - dimension: observer__cloud__environment { - type: number - sql: ${TABLE}.observer.cloud.environment ;; - group_label: "observer" - group_item_label: "observer.cloud.environment [D]" - label: "observer.cloud.environment" - view_label: "UDM" - description: "The Cloud environment. [D]: This field is deprecated and will be removed in a future release" - } # dimension observer__cloud__environment - - dimension: observer__cloud__environment_enum_name { - type: string - suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] - sql: CASE ${TABLE}.observer.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; - group_label: "observer" - group_item_label: "observer.cloud.environment_enum_name [D]" - label: "observer.cloud.environment_enum_name" - view_label: "UDM" - description: "The Cloud environment. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension observer__cloud__environment_enum_name - - dimension: observer__cloud__project { - hidden: yes - } # dimension observer__cloud__project - - dimension: observer__cloud__project__id { - type: string - sql: ${TABLE}.observer.cloud.project.id ;; - group_label: "observer" - group_item_label: "observer.cloud.project.id [D]" - label: "observer.cloud.project.id" - view_label: "UDM" - description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" - } # dimension observer__cloud__project__id - - dimension: observer__cloud__project__name { - type: string - sql: ${TABLE}.observer.cloud.project.name ;; - group_label: "observer" - group_item_label: "observer.cloud.project.name [D]" - label: "observer.cloud.project.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" - } # dimension observer__cloud__project__name - - dimension: observer__domain { - hidden: yes - } # dimension observer__domain - - dimension: observer__domain__name { - type: string - sql: ${TABLE}.observer.domain.name ;; - group_label: "observer" - label: "observer.domain.name" - view_label: "UDM" - description: "The domain name." - } # dimension observer__domain__name - - dimension: observer__file { - hidden: yes - } # dimension observer__file - - dimension: observer__file__full_path { - type: string - sql: ${TABLE}.observer.file.full_path ;; - group_label: "observer" - label: "observer.file.full_path" - view_label: "UDM" - description: "The full path identifying the location of the file on the system." 
- } # dimension observer__file__full_path - - dimension: observer__file__sha256 { - type: string - sql: ${TABLE}.observer.file.sha256 ;; - group_label: "observer" - label: "observer.file.sha256" - view_label: "UDM" - description: "The SHA256 hash of the file." - } # dimension observer__file__sha256 - - dimension: observer__group { - hidden: yes - } # dimension observer__group - - dimension: observer__group__group_display_name { - type: string - sql: ${TABLE}.observer.group.group_display_name ;; - group_label: "observer" - label: "observer.group.group_display_name" - view_label: "UDM" - description: "Group display name. e.g. \"Finance\"." - } # dimension observer__group__group_display_name - - dimension: observer__hostname { - type: string - sql: ${TABLE}.observer.hostname ;; - group_label: "observer" - label: "observer.hostname" - view_label: "UDM" - description: "Client hostname or domain name field. Hostname also doubles as the domain for remote entities." - } # dimension observer__hostname - - dimension: observer__ip { - hidden: yes - } # dimension observer__ip - - dimension: observer__labels { - hidden: yes - } # dimension observer__labels - - dimension: observer__location { - hidden: yes - } # dimension observer__location - - dimension: observer__location__country_or_region { - type: string - sql: ${TABLE}.observer.location.country_or_region ;; - group_label: "observer" - label: "observer.location.country_or_region" - view_label: "UDM" - description: "The country or region." - } # dimension observer__location__country_or_region - - dimension: observer__location__name { - type: string - sql: ${TABLE}.observer.location.name ;; - group_label: "observer" - label: "observer.location.name" - view_label: "UDM" - description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." 
- } # dimension observer__location__name - - dimension: observer__mac { - hidden: yes - } # dimension observer__mac - - dimension: observer__namespace { - type: string - sql: ${TABLE}.observer.namespace ;; - group_label: "observer" - label: "observer.namespace" - view_label: "UDM" - description: "Namespace which the device belongs to (e.g. AD forest) Uses for this field include Microsoft Windows AD forest, name of subsidiary or acquisition, etc." - } # dimension observer__namespace - - dimension: observer__platform { - type: number - sql: ${TABLE}.observer.platform ;; - group_label: "observer" - label: "observer.platform" - view_label: "UDM" - description: "Platform." - } # dimension observer__platform - - dimension: observer__platform_enum_name { - type: string - suggestions: ["ANDROID", "AWS", "AZURE", "CHROME_OS", "GCP", "IOS", "LINUX", "MAC", "UNKNOWN_PLATFORM", "WINDOWS"] - sql: CASE ${TABLE}.observer.platform WHEN 0 THEN 'UNKNOWN_PLATFORM' WHEN 1 THEN 'WINDOWS' WHEN 2 THEN 'MAC' WHEN 3 THEN 'LINUX' WHEN 4 THEN 'GCP' WHEN 5 THEN 'AWS' WHEN 6 THEN 'AZURE' WHEN 7 THEN 'IOS' WHEN 8 THEN 'ANDROID' WHEN 9 THEN 'CHROME_OS' END ;; - group_label: "observer" - label: "observer.platform_enum_name" - view_label: "UDM" - description: "Platform." - } # dimension observer__platform_enum_name - - dimension: observer__platform_version { - type: string - sql: ${TABLE}.observer.platform_version ;; - group_label: "observer" - label: "observer.platform_version" - view_label: "UDM" - description: "Platform version. For example, \"Microsoft Windows 1803\"." - } # dimension observer__platform_version - - dimension: observer__port { - type: number - value_format: "#" - sql: ${TABLE}.observer.port ;; - group_label: "observer" - label: "observer.port" - view_label: "UDM" - description: "Source or destination network port number when a specific network connection is described within an event." 
- } # dimension observer__port - - dimension: observer__process { - hidden: yes - } # dimension observer__process - - dimension: observer__process__file { - hidden: yes - } # dimension observer__process__file - - dimension: observer__process__file__full_path { - type: string - sql: ${TABLE}.observer.process.file.full_path ;; - group_label: "observer" - label: "observer.process.file.full_path" - view_label: "UDM" - description: "The full path identifying the location of the file on the system." - } # dimension observer__process__file__full_path - - dimension: observer__process__parent_pid { - type: string - sql: ${TABLE}.observer.process.parent_pid ;; - group_label: "observer" - group_item_label: "observer.process.parent_pid [D]" - label: "observer.process.parent_pid" - view_label: "UDM" - description: "The ID of the parent process. Deprecated: use parent_process.pid instead. [D]: This field is deprecated and will be removed in a future release" - } # dimension observer__process__parent_pid - - dimension: observer__process__pid { - type: string - sql: ${TABLE}.observer.process.pid ;; - group_label: "observer" - label: "observer.process.pid" - view_label: "UDM" - description: "The process ID." - } # dimension observer__process__pid - - dimension: observer__resource { - hidden: yes - } # dimension observer__resource - - dimension: observer__resource__attribute { - hidden: yes - } # dimension observer__resource__attribute - - dimension: observer__resource__attribute__cloud { - hidden: yes - } # dimension observer__resource__attribute__cloud - - dimension: observer__resource__attribute__cloud__environment { - type: number - sql: ${TABLE}.observer.resource.attribute.cloud.environment ;; - group_label: "observer" - label: "observer.resource.attribute.cloud.environment" - view_label: "UDM" - description: "The Cloud environment." 
- } # dimension observer__resource__attribute__cloud__environment - - dimension: observer__resource__attribute__cloud__environment_enum_name { - type: string - suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] - sql: CASE ${TABLE}.observer.resource.attribute.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; - group_label: "observer" - label: "observer.resource.attribute.cloud.environment_enum_name" - view_label: "UDM" - description: "The Cloud environment." - } # dimension observer__resource__attribute__cloud__environment_enum_name - - dimension: observer__resource__attribute__labels { - hidden: yes - } # dimension observer__resource__attribute__labels - - dimension: observer__resource__name { - type: string - sql: ${TABLE}.observer.resource.name ;; - group_label: "observer" - label: "observer.resource.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." - } # dimension observer__resource__name - - dimension: observer__resource__parent { - type: string - sql: ${TABLE}.observer.resource.parent ;; - group_label: "observer" - group_item_label: "observer.resource.parent [D]" - label: "observer.resource.parent" - view_label: "UDM" - description: "The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: use resource_ancestors.name. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension observer__resource__parent - - dimension: observer__resource__product_object_id { - type: string - sql: ${TABLE}.observer.resource.product_object_id ;; - group_label: "observer" - label: "observer.resource.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" - } # dimension observer__resource__product_object_id - - dimension: observer__resource__resource_subtype { - type: string - sql: ${TABLE}.observer.resource.resource_subtype ;; - group_label: "observer" - label: "observer.resource.resource_subtype" - view_label: "UDM" - description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\")." - } # dimension observer__resource__resource_subtype - - dimension: observer__resource__resource_type { - type: number - sql: ${TABLE}.observer.resource.resource_type ;; - group_label: "observer" - label: "observer.resource.resource_type" - view_label: "UDM" - description: "Resource type." 
- } # dimension observer__resource__resource_type - - dimension: observer__resource__resource_type_enum_name { - type: string - suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] - sql: CASE ${TABLE}.observer.resource.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; - group_label: "observer" - label: "observer.resource.resource_type_enum_name" - view_label: "UDM" - description: "Resource type." - } # dimension observer__resource__resource_type_enum_name - - dimension: observer__resource__type { - type: string - sql: ${TABLE}.observer.resource.type ;; - group_label: "observer" - group_item_label: "observer.resource.type [D]" - label: "observer.resource.type" - view_label: "UDM" - description: "Deprecated: use resource_type instead. [D]: This field is deprecated and will be removed in a future release" - } # dimension observer__resource__type - - dimension: observer__url { - type: string - sql: ${TABLE}.observer.url ;; - group_label: "observer" - label: "observer.url" - view_label: "UDM" - description: "The URL." 
- } # dimension observer__url - - dimension: observer__user { - hidden: yes - } # dimension observer__user - - dimension: observer__user__company_name { - type: string - sql: ${TABLE}.observer.user.company_name ;; - group_label: "observer" - label: "observer.user.company_name" - view_label: "UDM" - description: "User job company name." - } # dimension observer__user__company_name - - dimension: observer__user__email_addresses { - hidden: yes - } # dimension observer__user__email_addresses - - dimension: observer__user__group_identifiers { - hidden: yes - } # dimension observer__user__group_identifiers - - dimension: observer__user__product_object_id { - type: string - sql: ${TABLE}.observer.user.product_object_id ;; - group_label: "observer" - label: "observer.user.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." - } # dimension observer__user__product_object_id - - dimension: observer__user__user_display_name { - type: string - sql: ${TABLE}.observer.user.user_display_name ;; - group_label: "observer" - label: "observer.user.user_display_name" - view_label: "UDM" - description: "The display name of the user (e.g. \"John Locke\")." - } # dimension observer__user__user_display_name - - dimension: observer__user__userid { - type: string - sql: ${TABLE}.observer.user.userid ;; - group_label: "observer" - label: "observer.user.userid" - view_label: "UDM" - description: "The ID of the user." - } # dimension observer__user__userid - - dimension: principal { - hidden: yes - } # dimension principal - - dimension: principal__administrative_domain { - type: string - sql: ${TABLE}.principal.administrative_domain ;; - group_label: "principal" - label: "principal.administrative_domain" - view_label: "UDM" - description: "Domain which the device belongs to (for example, the Microsoft Windows domain)." 
- } # dimension principal__administrative_domain - - dimension: principal__application { - type: string - sql: ${TABLE}.principal.application ;; - group_label: "principal" - label: "principal.application" - view_label: "UDM" - description: "The name of an application or service. Some SSO solutions only capture the name of a target application such as \"Atlassian\" or \"Chronicle\"." - } # dimension principal__application - - dimension: principal__artifact { - hidden: yes - } # dimension principal__artifact - - dimension: principal__artifact__ip { - type: string - sql: ${TABLE}.principal.artifact.ip ;; - group_label: "principal" - label: "principal.artifact.ip" - view_label: "UDM" - description: "IP address of the artifact." - } # dimension principal__artifact__ip - - dimension: principal__artifact__network { - hidden: yes - } # dimension principal__artifact__network - - dimension: principal__artifact__network__dns { - hidden: yes - } # dimension principal__artifact__network__dns - - dimension: principal__artifact__network__dns__answers { - hidden: yes - } # dimension principal__artifact__network__dns__answers - - dimension: principal__artifact__network__http { - hidden: yes - } # dimension principal__artifact__network__http - - dimension: principal__artifact__network__http__method { - type: string - sql: ${TABLE}.principal.artifact.network.http.method ;; - group_label: "principal" - label: "principal.artifact.network.http.method" - view_label: "UDM" - description: "The HTTP request method (e.g. \"GET\", \"POST\", \"PATCH\", \"DELETE\")." 
- } # dimension principal__artifact__network__http__method - - dimension: principal__artifact__prevalence { - hidden: yes - } # dimension principal__artifact__prevalence - - dimension: principal__artifact__prevalence__day_count { - type: number - sql: ${TABLE}.principal.artifact.prevalence.day_count ;; - group_label: "principal" - label: "principal.artifact.prevalence.day_count" - view_label: "UDM" - description: "The number of days over which rolling_max is calculated." - } # dimension principal__artifact__prevalence__day_count - - dimension: principal__asset { - hidden: yes - } # dimension principal__asset - - dimension: principal__asset__asset_id { - type: string - sql: ${TABLE}.principal.asset.asset_id ;; - group_label: "principal" - label: "principal.asset.asset_id" - view_label: "UDM" - description: "The asset ID." - } # dimension principal__asset__asset_id - - dimension: principal__asset__attribute { - hidden: yes - } # dimension principal__asset__attribute - - dimension: principal__asset__attribute__cloud { - hidden: yes - } # dimension principal__asset__attribute__cloud - - dimension: principal__asset__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.principal.asset.attribute.cloud.availability_zone ;; - group_label: "principal" - label: "principal.asset.attribute.cloud.availability_zone" - view_label: "UDM" - description: "The cloud environment availability zone (different from region which is location.name)." - } # dimension principal__asset__attribute__cloud__availability_zone - - dimension: principal__asset__attribute__cloud__environment { - type: number - sql: ${TABLE}.principal.asset.attribute.cloud.environment ;; - group_label: "principal" - label: "principal.asset.attribute.cloud.environment" - view_label: "UDM" - description: "The Cloud environment." 
- } # dimension principal__asset__attribute__cloud__environment - - dimension: principal__asset__attribute__cloud__environment_enum_name { - type: string - suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] - sql: CASE ${TABLE}.principal.asset.attribute.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; - group_label: "principal" - label: "principal.asset.attribute.cloud.environment_enum_name" - view_label: "UDM" - description: "The Cloud environment." - } # dimension principal__asset__attribute__cloud__environment_enum_name - - dimension: principal__asset__attribute__cloud__project { - hidden: yes - } # dimension principal__asset__attribute__cloud__project - - dimension: principal__asset__attribute__cloud__project__name { - type: string - sql: ${TABLE}.principal.asset.attribute.cloud.project.name ;; - group_label: "principal" - group_item_label: "principal.asset.attribute.cloud.project.name [D]" - label: "principal.asset.attribute.cloud.project.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__asset__attribute__cloud__project__name - - dimension: principal__asset__attribute__cloud__project__resource_type { - type: number - sql: ${TABLE}.principal.asset.attribute.cloud.project.resource_type ;; - group_label: "principal" - group_item_label: "principal.asset.attribute.cloud.project.resource_type [D]" - label: "principal.asset.attribute.cloud.project.resource_type" - view_label: "UDM" - description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension principal__asset__attribute__cloud__project__resource_type - - dimension: principal__asset__attribute__cloud__project__resource_type_enum_name { - type: string - suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] - sql: CASE ${TABLE}.principal.asset.attribute.cloud.project.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; - group_label: "principal" - group_item_label: "principal.asset.attribute.cloud.project.resource_type_enum_name [D]" - label: "principal.asset.attribute.cloud.project.resource_type_enum_name" - view_label: "UDM" - description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension principal__asset__attribute__cloud__project__resource_type_enum_name - - dimension: principal__asset__attribute__cloud__vpc { - hidden: yes - } # dimension principal__asset__attribute__cloud__vpc - - dimension: principal__asset__attribute__cloud__vpc__name { - type: string - sql: ${TABLE}.principal.asset.attribute.cloud.vpc.name ;; - group_label: "principal" - group_item_label: "principal.asset.attribute.cloud.vpc.name [D]" - label: "principal.asset.attribute.cloud.vpc.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__asset__attribute__cloud__vpc__name - - dimension: principal__asset__attribute__cloud__vpc__resource_type { - type: number - sql: ${TABLE}.principal.asset.attribute.cloud.vpc.resource_type ;; - group_label: "principal" - group_item_label: "principal.asset.attribute.cloud.vpc.resource_type [D]" - label: "principal.asset.attribute.cloud.vpc.resource_type" - view_label: "UDM" - description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension principal__asset__attribute__cloud__vpc__resource_type - - dimension: principal__asset__attribute__cloud__vpc__resource_type_enum_name { - type: string - suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] - sql: CASE ${TABLE}.principal.asset.attribute.cloud.vpc.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; - group_label: "principal" - group_item_label: "principal.asset.attribute.cloud.vpc.resource_type_enum_name [D]" - label: "principal.asset.attribute.cloud.vpc.resource_type_enum_name" - view_label: "UDM" - description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension principal__asset__attribute__cloud__vpc__resource_type_enum_name - - dimension_group: principal__asset__attribute__creation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.asset.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.asset.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "principal" - label: "principal.asset.attribute.creation_time" - view_label: "UDM" - description: "Time the resource or entity was created or provisioned." - } # dimension principal__asset__attribute__creation_time - - dimension: principal__asset__attribute__labels { - hidden: yes - } # dimension principal__asset__attribute__labels - - dimension_group: principal__asset__attribute__last_update_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.asset.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.asset.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "principal" - label: "principal.asset.attribute.last_update_time" - view_label: "UDM" - description: "Time the resource or entity was last updated." - } # dimension principal__asset__attribute__last_update_time - - dimension: principal__asset__attribute__roles { - hidden: yes - } # dimension principal__asset__attribute__roles - - dimension: principal__asset__category { - type: string - sql: ${TABLE}.principal.asset.category ;; - group_label: "principal" - label: "principal.asset.category" - view_label: "UDM" - description: "The category of the asset (e.g. \"End User Asset\", \"Workstation\", \"Server\")." 
- } # dimension principal__asset__category - - dimension_group: principal__asset__creation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.asset.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.asset.creation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "principal" - group_item_label: "principal.asset.creation_time [D]" - label: "principal.asset.creation_time" - view_label: "UDM" - description: "Time the asset was created or provisioned. Deprecate: creation_time should be populated in Attribute as generic metadata. [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__asset__creation_time - - dimension: principal__asset__deployment_status { - type: number - sql: ${TABLE}.principal.asset.deployment_status ;; - group_label: "principal" - label: "principal.asset.deployment_status" - view_label: "UDM" - description: "The deployment status of the asset for device lifecycle purposes." - } # dimension principal__asset__deployment_status - - dimension: principal__asset__deployment_status_enum_name { - type: string - suggestions: ["ACTIVE", "DECOMISSIONED", "DEPLOYMENT_STATUS_UNSPECIFIED", "PENDING_DECOMISSION"] - sql: CASE ${TABLE}.principal.asset.deployment_status WHEN 0 THEN 'DEPLOYMENT_STATUS_UNSPECIFIED' WHEN 1 THEN 'ACTIVE' WHEN 2 THEN 'PENDING_DECOMISSION' WHEN 3 THEN 'DECOMISSIONED' END ;; - group_label: "principal" - label: "principal.asset.deployment_status_enum_name" - view_label: "UDM" - description: "The deployment status of the asset for device lifecycle purposes." 
- } # dimension principal__asset__deployment_status_enum_name - - dimension_group: principal__asset__first_discover_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.asset.first_discover_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.asset.first_discover_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "principal" - label: "principal.asset.first_discover_time" - view_label: "UDM" - description: "Time the asset was first discovered (by asset management/discoverability software)." - } # dimension principal__asset__first_discover_time - - dimension_group: principal__asset__first_seen_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.asset.first_seen_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.asset.first_seen_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "principal" - label: "principal.asset.first_seen_time" - view_label: "UDM" - description: "The first observed time for an asset. The value is calculated on the basis of the first time the identifier was observed." - } # dimension principal__asset__first_seen_time - - dimension: principal__asset__hardware { - hidden: yes - } # dimension principal__asset__hardware - - dimension: principal__asset__hostname { - type: string - sql: ${TABLE}.principal.asset.hostname ;; - group_label: "principal" - label: "principal.asset.hostname" - view_label: "UDM" - description: "Asset hostname or domain name field." 
- } # dimension principal__asset__hostname - - dimension: principal__asset__ip { - hidden: yes - } # dimension principal__asset__ip - - dimension: principal__asset__labels { - hidden: yes - } # dimension principal__asset__labels - - dimension_group: principal__asset__last_boot_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.asset.last_boot_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.asset.last_boot_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "principal" - label: "principal.asset.last_boot_time" - view_label: "UDM" - description: "Time the asset was last boot started." - } # dimension principal__asset__last_boot_time - - dimension_group: principal__asset__last_discover_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.asset.last_discover_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.asset.last_discover_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "principal" - label: "principal.asset.last_discover_time" - view_label: "UDM" - description: "Time the asset was last discovered (by asset management/discoverability software)." - } # dimension principal__asset__last_discover_time - - dimension: principal__asset__location { - hidden: yes - } # dimension principal__asset__location - - dimension: principal__asset__location__city { - type: string - sql: ${TABLE}.principal.asset.location.city ;; - group_label: "principal" - label: "principal.asset.location.city" - view_label: "UDM" - description: "The city." 
- } # dimension principal__asset__location__city - - dimension: principal__asset__location__country_or_region { - type: string - sql: ${TABLE}.principal.asset.location.country_or_region ;; - group_label: "principal" - label: "principal.asset.location.country_or_region" - view_label: "UDM" - description: "The country or region." - } # dimension principal__asset__location__country_or_region - - dimension: principal__asset__location__desk_name { - type: string - sql: ${TABLE}.principal.asset.location.desk_name ;; - group_label: "principal" - label: "principal.asset.location.desk_name" - view_label: "UDM" - description: "Desk name or individual location, typically for an employee in an office. (e.g. \"IN-BLR-BCPC-11-1121D\")." - } # dimension principal__asset__location__desk_name - - dimension: principal__asset__location__floor_name { - type: string - sql: ${TABLE}.principal.asset.location.floor_name ;; - group_label: "principal" - label: "principal.asset.location.floor_name" - view_label: "UDM" - description: "Floor name, number or a combination of the two for a building. (e.g. \"1-A\")." - } # dimension principal__asset__location__floor_name - - dimension: principal__asset__location__name { - type: string - sql: ${TABLE}.principal.asset.location.name ;; - group_label: "principal" - label: "principal.asset.location.name" - view_label: "UDM" - description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." 
- } # dimension principal__asset__location__name - - dimension: principal__asset__location__region_coordinates { - type: location - sql_latitude: ${TABLE}.principal.asset.location.region_coordinates.latitude ;; - sql_longitude: ${TABLE}.principal.asset.location.region_coordinates.longitude ;; - group_label: "principal" - group_item_label: "principal.asset.location.region_coordinates [L]" - label: "principal.asset.location.region_coordinates" - view_label: "UDM" - description: "Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. [L]: This is a location field and can be used in maps." - } # dimension principal__asset__location__region_coordinates - - dimension: principal__asset__location__region_latitude { - type: number - sql: ${TABLE}.principal.asset.location.region_latitude ;; - group_label: "principal" - group_item_label: "principal.asset.location.region_latitude [D]" - label: "principal.asset.location.region_latitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__asset__location__region_latitude - - dimension: principal__asset__location__region_longitude { - type: number - sql: ${TABLE}.principal.asset.location.region_longitude ;; - group_label: "principal" - group_item_label: "principal.asset.location.region_longitude [D]" - label: "principal.asset.location.region_longitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension principal__asset__location__region_longitude - - dimension: principal__asset__location__location { - type: location - sql_latitude: ${TABLE}.principal.asset.location.region_latitude ;; - sql_longitude: ${TABLE}.principal.asset.location.region_longitude ;; - group_label: "principal" - group_item_label: "principal.asset.location.location [D][L]" - label: "principal.asset.location.location" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." - } # dimension principal__asset__location__location - - dimension: principal__asset__location__state { - type: string - sql: ${TABLE}.principal.asset.location.state ;; - group_label: "principal" - label: "principal.asset.location.state" - view_label: "UDM" - description: "The state." - } # dimension principal__asset__location__state - - dimension: principal__asset__mac { - hidden: yes - } # dimension principal__asset__mac - - dimension: principal__asset__nat_ip { - hidden: yes - } # dimension principal__asset__nat_ip - - dimension: principal__asset__network_domain { - type: string - sql: ${TABLE}.principal.asset.network_domain ;; - group_label: "principal" - label: "principal.asset.network_domain" - view_label: "UDM" - description: "The network domain of the asset (e.g. \"corp.acme.com\")" - } # dimension principal__asset__network_domain - - dimension: principal__asset__platform_software { - hidden: yes - } # dimension principal__asset__platform_software - - dimension: principal__asset__platform_software__platform { - type: number - sql: ${TABLE}.principal.asset.platform_software.platform ;; - group_label: "principal" - label: "principal.asset.platform_software.platform" - view_label: "UDM" - description: "The platform operating system." 
- } # dimension principal__asset__platform_software__platform - - dimension: principal__asset__platform_software__platform_enum_name { - type: string - suggestions: ["ANDROID", "AWS", "AZURE", "CHROME_OS", "GCP", "IOS", "LINUX", "MAC", "UNKNOWN_PLATFORM", "WINDOWS"] - sql: CASE ${TABLE}.principal.asset.platform_software.platform WHEN 0 THEN 'UNKNOWN_PLATFORM' WHEN 1 THEN 'WINDOWS' WHEN 2 THEN 'MAC' WHEN 3 THEN 'LINUX' WHEN 4 THEN 'GCP' WHEN 5 THEN 'AWS' WHEN 6 THEN 'AZURE' WHEN 7 THEN 'IOS' WHEN 8 THEN 'ANDROID' WHEN 9 THEN 'CHROME_OS' END ;; - group_label: "principal" - label: "principal.asset.platform_software.platform_enum_name" - view_label: "UDM" - description: "The platform operating system." - } # dimension principal__asset__platform_software__platform_enum_name - - dimension: principal__asset__platform_software__platform_patch_level { - type: string - sql: ${TABLE}.principal.asset.platform_software.platform_patch_level ;; - group_label: "principal" - label: "principal.asset.platform_software.platform_patch_level" - view_label: "UDM" - description: "The platform software patch level ( e.g. \"Build 17134.48\", \"SP1\")." - } # dimension principal__asset__platform_software__platform_patch_level - - dimension: principal__asset__platform_software__platform_version { - type: string - sql: ${TABLE}.principal.asset.platform_software.platform_version ;; - group_label: "principal" - label: "principal.asset.platform_software.platform_version" - view_label: "UDM" - description: "The platform software version ( e.g. \"Microsoft Windows 1803\")." - } # dimension principal__asset__platform_software__platform_version - - dimension: principal__asset__product_object_id { - type: string - sql: ${TABLE}.principal.asset.product_object_id ;; - group_label: "principal" - label: "principal.asset.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID or similar)." 
- } # dimension principal__asset__product_object_id - - dimension: principal__asset__software { - hidden: yes - } # dimension principal__asset__software - - dimension_group: principal__asset__system_last_update_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.asset.system_last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.asset.system_last_update_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "principal" - label: "principal.asset.system_last_update_time" - view_label: "UDM" - description: "Time the asset system or OS was last updated. For all other operations that are not system updates (such as resizing a vm, etc.) use Attribute.last_update_time." - } # dimension principal__asset__system_last_update_time - - dimension: principal__asset__type { - type: number - sql: ${TABLE}.principal.asset.type ;; - group_label: "principal" - label: "principal.asset.type" - view_label: "UDM" - description: "The type of the asset (e.g. workstation or laptop or server)." - } # dimension principal__asset__type - - dimension: principal__asset__type_enum_name { - type: string - suggestions: ["IOT", "LAPTOP", "MOBILE", "NETWORK_ATTACHED_STORAGE", "PRINTER", "ROLE_UNSPECIFIED", "SCANNER", "SERVER", "TAPE_LIBRARY", "WORKSTATION"] - sql: CASE ${TABLE}.principal.asset.type WHEN 0 THEN 'ROLE_UNSPECIFIED' WHEN 1 THEN 'WORKSTATION' WHEN 2 THEN 'LAPTOP' WHEN 3 THEN 'IOT' WHEN 4 THEN 'NETWORK_ATTACHED_STORAGE' WHEN 5 THEN 'PRINTER' WHEN 6 THEN 'SCANNER' WHEN 7 THEN 'SERVER' WHEN 8 THEN 'TAPE_LIBRARY' WHEN 9 THEN 'MOBILE' END ;; - group_label: "principal" - label: "principal.asset.type_enum_name" - view_label: "UDM" - description: "The type of the asset (e.g. workstation or laptop or server)." 
- } # dimension principal__asset__type_enum_name - - dimension: principal__asset__vulnerabilities { - hidden: yes - } # dimension principal__asset__vulnerabilities - - dimension: principal__asset_id { - type: string - sql: ${TABLE}.principal.asset_id ;; - group_label: "principal" - label: "principal.asset_id" - view_label: "UDM" - description: "The asset ID." - } # dimension principal__asset_id - - dimension: principal__cloud { - hidden: yes - } # dimension principal__cloud - - dimension: principal__cloud__availability_zone { - type: string - sql: ${TABLE}.principal.cloud.availability_zone ;; - group_label: "principal" - group_item_label: "principal.cloud.availability_zone [D]" - label: "principal.cloud.availability_zone" - view_label: "UDM" - description: "The cloud environment availability zone (different from region which is location.name). [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__cloud__availability_zone - - dimension: principal__cloud__environment { - type: number - sql: ${TABLE}.principal.cloud.environment ;; - group_label: "principal" - group_item_label: "principal.cloud.environment [D]" - label: "principal.cloud.environment" - view_label: "UDM" - description: "The Cloud environment. [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__cloud__environment - - dimension: principal__cloud__environment_enum_name { - type: string - suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] - sql: CASE ${TABLE}.principal.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; - group_label: "principal" - group_item_label: "principal.cloud.environment_enum_name [D]" - label: "principal.cloud.environment_enum_name" - view_label: "UDM" - description: "The Cloud environment. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension principal__cloud__environment_enum_name - - dimension: principal__cloud__project { - hidden: yes - } # dimension principal__cloud__project - - dimension: principal__cloud__project__id { - type: string - sql: ${TABLE}.principal.cloud.project.id ;; - group_label: "principal" - group_item_label: "principal.cloud.project.id [D]" - label: "principal.cloud.project.id" - view_label: "UDM" - description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__cloud__project__id - - dimension: principal__cloud__project__name { - type: string - sql: ${TABLE}.principal.cloud.project.name ;; - group_label: "principal" - group_item_label: "principal.cloud.project.name [D]" - label: "principal.cloud.project.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__cloud__project__name - - dimension: principal__cloud__project__parent { - type: string - sql: ${TABLE}.principal.cloud.project.parent ;; - group_label: "principal" - group_item_label: "principal.cloud.project.parent [D]" - label: "principal.cloud.project.parent" - view_label: "UDM" - description: "The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: use resource_ancestors.name. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension principal__cloud__project__parent - - dimension: principal__cloud__project__product_object_id { - type: string - sql: ${TABLE}.principal.cloud.project.product_object_id ;; - group_label: "principal" - group_item_label: "principal.cloud.project.product_object_id [D]" - label: "principal.cloud.project.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__cloud__project__product_object_id - - dimension: principal__cloud__project__resource_subtype { - type: string - sql: ${TABLE}.principal.cloud.project.resource_subtype ;; - group_label: "principal" - group_item_label: "principal.cloud.project.resource_subtype [D]" - label: "principal.cloud.project.resource_subtype" - view_label: "UDM" - description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\"). [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__cloud__project__resource_subtype - - dimension: principal__cloud__project__type { - type: string - sql: ${TABLE}.principal.cloud.project.type ;; - group_label: "principal" - group_item_label: "principal.cloud.project.type [D]" - label: "principal.cloud.project.type" - view_label: "UDM" - description: "Deprecated: use resource_type instead. [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__cloud__project__type - - dimension: principal__cloud__vpc { - hidden: yes - } # dimension principal__cloud__vpc - - dimension: principal__cloud__vpc__id { - type: string - sql: ${TABLE}.principal.cloud.vpc.id ;; - group_label: "principal" - group_item_label: "principal.cloud.vpc.id [D]" - label: "principal.cloud.vpc.id" - view_label: "UDM" - description: "Deprecated: Use resource.name or resource.product_object_id. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension principal__cloud__vpc__id - - dimension: principal__cloud__vpc__name { - type: string - sql: ${TABLE}.principal.cloud.vpc.name ;; - group_label: "principal" - group_item_label: "principal.cloud.vpc.name [D]" - label: "principal.cloud.vpc.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__cloud__vpc__name - - dimension: principal__cloud__vpc__parent { - type: string - sql: ${TABLE}.principal.cloud.vpc.parent ;; - group_label: "principal" - group_item_label: "principal.cloud.vpc.parent [D]" - label: "principal.cloud.vpc.parent" - view_label: "UDM" - description: "The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: use resource_ancestors.name. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension principal__cloud__vpc__parent - - dimension: principal__cloud__vpc__product_object_id { - type: string - sql: ${TABLE}.principal.cloud.vpc.product_object_id ;; - group_label: "principal" - group_item_label: "principal.cloud.vpc.product_object_id [D]" - label: "principal.cloud.vpc.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__cloud__vpc__product_object_id - - dimension: principal__cloud__vpc__resource_subtype { - type: string - sql: ${TABLE}.principal.cloud.vpc.resource_subtype ;; - group_label: "principal" - group_item_label: "principal.cloud.vpc.resource_subtype [D]" - label: "principal.cloud.vpc.resource_subtype" - view_label: "UDM" - description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\"). [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__cloud__vpc__resource_subtype - - dimension: principal__cloud__vpc__resource_type { - type: number - sql: ${TABLE}.principal.cloud.vpc.resource_type ;; - group_label: "principal" - group_item_label: "principal.cloud.vpc.resource_type [D]" - label: "principal.cloud.vpc.resource_type" - view_label: "UDM" - description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension principal__cloud__vpc__resource_type - - dimension: principal__cloud__vpc__resource_type_enum_name { - type: string - suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] - sql: CASE ${TABLE}.principal.cloud.vpc.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; - group_label: "principal" - group_item_label: "principal.cloud.vpc.resource_type_enum_name [D]" - label: "principal.cloud.vpc.resource_type_enum_name" - view_label: "UDM" - description: "Resource type. [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__cloud__vpc__resource_type_enum_name - - dimension: principal__cloud__vpc__type { - type: string - sql: ${TABLE}.principal.cloud.vpc.type ;; - group_label: "principal" - group_item_label: "principal.cloud.vpc.type [D]" - label: "principal.cloud.vpc.type" - view_label: "UDM" - description: "Deprecated: use resource_type instead. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension principal__cloud__vpc__type - - dimension: principal__domain { - hidden: yes - } # dimension principal__domain - - dimension: principal__domain__admin { - hidden: yes - } # dimension principal__domain__admin - - dimension: principal__domain__admin__userid { - type: string - sql: ${TABLE}.principal.domain.admin.userid ;; - group_label: "principal" - label: "principal.domain.admin.userid" - view_label: "UDM" - description: "The ID of the user." - } # dimension principal__domain__admin__userid - - dimension: principal__domain__billing { - hidden: yes - } # dimension principal__domain__billing - - dimension: principal__domain__billing__userid { - type: string - sql: ${TABLE}.principal.domain.billing.userid ;; - group_label: "principal" - label: "principal.domain.billing.userid" - view_label: "UDM" - description: "The ID of the user." - } # dimension principal__domain__billing__userid - - dimension_group: principal__domain__first_seen_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.domain.first_seen_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.domain.first_seen_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "principal" - label: "principal.domain.first_seen_time" - view_label: "UDM" - description: "First seen timestamp of the domain in the customer's environment." 
- } # dimension principal__domain__first_seen_time - - dimension_group: principal__domain__last_seen_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.domain.last_seen_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.domain.last_seen_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "principal" - label: "principal.domain.last_seen_time" - view_label: "UDM" - description: "Last seen timestamp of the domain in the customer's environment." - } # dimension principal__domain__last_seen_time - - dimension: principal__domain__name { - type: string - sql: ${TABLE}.principal.domain.name ;; - group_label: "principal" - label: "principal.domain.name" - view_label: "UDM" - description: "The domain name." - } # dimension principal__domain__name - - dimension: principal__domain__name_server { - hidden: yes - } # dimension principal__domain__name_server - - dimension: principal__domain__prevalence { - hidden: yes - } # dimension principal__domain__prevalence - - dimension: principal__domain__prevalence__day_count { - type: number - sql: ${TABLE}.principal.domain.prevalence.day_count ;; - group_label: "principal" - label: "principal.domain.prevalence.day_count" - view_label: "UDM" - description: "The number of days over which rolling_max is calculated." - } # dimension principal__domain__prevalence__day_count - - dimension: principal__domain__prevalence__rolling_max { - type: number - sql: ${TABLE}.principal.domain.prevalence.rolling_max ;; - group_label: "principal" - label: "principal.domain.prevalence.rolling_max" - view_label: "UDM" - description: "The maximum number of assets per day accessing the resource over the trailing day_count days." 
- } # dimension principal__domain__prevalence__rolling_max - - dimension: principal__domain__tech { - hidden: yes - } # dimension principal__domain__tech - - dimension: principal__domain__tech__group_identifiers { - hidden: yes - } # dimension principal__domain__tech__group_identifiers - - dimension: principal__domain__tech__product_object_id { - type: string - sql: ${TABLE}.principal.domain.tech.product_object_id ;; - group_label: "principal" - label: "principal.domain.tech.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." - } # dimension principal__domain__tech__product_object_id - - dimension: principal__domain__whois_server { - type: string - sql: ${TABLE}.principal.domain.whois_server ;; - group_label: "principal" - label: "principal.domain.whois_server" - view_label: "UDM" - description: "Whois server name." - } # dimension principal__domain__whois_server - - dimension: principal__email { - type: string - sql: ${TABLE}.principal.email ;; - group_label: "principal" - label: "principal.email" - view_label: "UDM" - description: "Email address. Only filled in for security_result.about" - } # dimension principal__email - - dimension: principal__file { - hidden: yes - } # dimension principal__file - - dimension: principal__file__authentihash { - type: string - sql: ${TABLE}.principal.file.authentihash ;; - group_label: "principal" - label: "principal.file.authentihash" - view_label: "UDM" - description: "Authentihash of the file." - } # dimension principal__file__authentihash - - dimension: principal__file__full_path { - type: string - sql: ${TABLE}.principal.file.full_path ;; - group_label: "principal" - label: "principal.file.full_path" - view_label: "UDM" - description: "The full path identifying the location of the file on the system." 
- } # dimension principal__file__full_path - - dimension: principal__file__md5 { - type: string - sql: ${TABLE}.principal.file.md5 ;; - group_label: "principal" - label: "principal.file.md5" - view_label: "UDM" - description: "The MD5 hash of the file." - } # dimension principal__file__md5 - - dimension: principal__file__names { - hidden: yes - } # dimension principal__file__names - - dimension: principal__file__sha1 { - type: string - sql: ${TABLE}.principal.file.sha1 ;; - group_label: "principal" - label: "principal.file.sha1" - view_label: "UDM" - description: "The SHA1 hash of the file." - } # dimension principal__file__sha1 - - dimension: principal__file__sha256 { - type: string - sql: ${TABLE}.principal.file.sha256 ;; - group_label: "principal" - label: "principal.file.sha256" - view_label: "UDM" - description: "The SHA256 hash of the file." - } # dimension principal__file__sha256 - - dimension: principal__file__size { - type: number - sql: ${TABLE}.principal.file.size ;; - group_label: "principal" - label: "principal.file.size" - view_label: "UDM" - description: "The size of the file in bytes." - } # dimension principal__file__size - - dimension: principal__group { - hidden: yes - } # dimension principal__group - - dimension: principal__group__attribute { - hidden: yes - } # dimension principal__group__attribute - - dimension: principal__group__attribute__labels { - hidden: yes - } # dimension principal__group__attribute__labels - - dimension: principal__group__attribute__roles { - hidden: yes - } # dimension principal__group__attribute__roles - - dimension: principal__group__email_addresses { - hidden: yes - } # dimension principal__group__email_addresses - - dimension: principal__group__group_display_name { - type: string - sql: ${TABLE}.principal.group.group_display_name ;; - group_label: "principal" - label: "principal.group.group_display_name" - view_label: "UDM" - description: "Group display name. e.g. \"Finance\"." 
- } # dimension principal__group__group_display_name - - dimension: principal__group__product_object_id { - type: string - sql: ${TABLE}.principal.group.product_object_id ;; - group_label: "principal" - label: "principal.group.product_object_id" - view_label: "UDM" - description: "Product globally unique user object identifier, such as an LDAP Object Identifier." - } # dimension principal__group__product_object_id - - dimension: principal__group__windows_sid { - type: string - sql: ${TABLE}.principal.group.windows_sid ;; - group_label: "principal" - label: "principal.group.windows_sid" - view_label: "UDM" - description: "Microsoft Windows SID of the group." - } # dimension principal__group__windows_sid - - dimension: principal__hostname { - type: string - sql: ${TABLE}.principal.hostname ;; - group_label: "principal" - label: "principal.hostname" - view_label: "UDM" - description: "Client hostname or domain name field. Hostname also doubles as the domain for remote entities." - } # dimension principal__hostname - - dimension: principal__investigation { - hidden: yes - } # dimension principal__investigation - - dimension: principal__investigation__comments { - hidden: yes - } # dimension principal__investigation__comments - - dimension: principal__investigation__risk_score { - type: number - sql: ${TABLE}.principal.investigation.risk_score ;; - group_label: "principal" - label: "principal.investigation.risk_score" - view_label: "UDM" - description: "Risk score for a finding set by an analyst." - } # dimension principal__investigation__risk_score - - dimension: principal__investigation__root_cause { - type: string - sql: ${TABLE}.principal.investigation.root_cause ;; - group_label: "principal" - label: "principal.investigation.root_cause" - view_label: "UDM" - description: "Root cause of the Alert or Finding set by analyst." 
- } # dimension principal__investigation__root_cause - - dimension: principal__investigation__status { - type: number - sql: ${TABLE}.principal.investigation.status ;; - group_label: "principal" - label: "principal.investigation.status" - view_label: "UDM" - description: "Describes the workflow status of a finding." - } # dimension principal__investigation__status - - dimension: principal__investigation__status_enum_name { - type: string - suggestions: ["CLOSED", "NEW", "OPEN", "REVIEWED", "STATUS_UNSPECIFIED"] - sql: CASE ${TABLE}.principal.investigation.status WHEN 0 THEN 'STATUS_UNSPECIFIED' WHEN 1 THEN 'NEW' WHEN 2 THEN 'REVIEWED' WHEN 3 THEN 'CLOSED' WHEN 4 THEN 'OPEN' END ;; - group_label: "principal" - label: "principal.investigation.status_enum_name" - view_label: "UDM" - description: "Describes the workflow status of a finding." - } # dimension principal__investigation__status_enum_name - - dimension: principal__investigation__verdict { - type: number - sql: ${TABLE}.principal.investigation.verdict ;; - group_label: "principal" - label: "principal.investigation.verdict" - view_label: "UDM" - description: "Describes reason a finding investigation was resolved." - } # dimension principal__investigation__verdict - - dimension: principal__investigation__verdict_enum_name { - type: string - suggestions: ["FALSE_POSITIVE", "TRUE_POSITIVE", "VERDICT_UNSPECIFIED"] - sql: CASE ${TABLE}.principal.investigation.verdict WHEN 0 THEN 'VERDICT_UNSPECIFIED' WHEN 1 THEN 'TRUE_POSITIVE' WHEN 2 THEN 'FALSE_POSITIVE' END ;; - group_label: "principal" - label: "principal.investigation.verdict_enum_name" - view_label: "UDM" - description: "Describes reason a finding investigation was resolved." 
- } # dimension principal__investigation__verdict_enum_name - - dimension: principal__ip { - hidden: yes - } # dimension principal__ip - - dimension: principal__ip_geo_artifact { - hidden: yes - } # dimension principal__ip_geo_artifact - - dimension: principal__ip_location { - hidden: yes - } # dimension principal__ip_location - - dimension: principal__labels { - hidden: yes - } # dimension principal__labels - - dimension: principal__location { - hidden: yes - } # dimension principal__location - - dimension: principal__location__city { - type: string - sql: ${TABLE}.principal.location.city ;; - group_label: "principal" - label: "principal.location.city" - view_label: "UDM" - description: "The city." - } # dimension principal__location__city - - dimension: principal__location__country_or_region { - type: string - sql: ${TABLE}.principal.location.country_or_region ;; - group_label: "principal" - label: "principal.location.country_or_region" - view_label: "UDM" - description: "The country or region." - } # dimension principal__location__country_or_region - - dimension: principal__location__floor_name { - type: string - sql: ${TABLE}.principal.location.floor_name ;; - group_label: "principal" - label: "principal.location.floor_name" - view_label: "UDM" - description: "Floor name, number or a combination of the two for a building. (e.g. \"1-A\")." - } # dimension principal__location__floor_name - - dimension: principal__location__name { - type: string - sql: ${TABLE}.principal.location.name ;; - group_label: "principal" - label: "principal.location.name" - view_label: "UDM" - description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." 
- } # dimension principal__location__name - - dimension: principal__location__region_coordinates { - type: location - sql_latitude: ${TABLE}.principal.location.region_coordinates.latitude ;; - sql_longitude: ${TABLE}.principal.location.region_coordinates.longitude ;; - group_label: "principal" - group_item_label: "principal.location.region_coordinates [L]" - label: "principal.location.region_coordinates" - view_label: "UDM" - description: "Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. [L]: This is a location field and can be used in maps." - } # dimension principal__location__region_coordinates - - dimension: principal__location__region_latitude { - type: number - sql: ${TABLE}.principal.location.region_latitude ;; - group_label: "principal" - group_item_label: "principal.location.region_latitude [D]" - label: "principal.location.region_latitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__location__region_latitude - - dimension: principal__location__region_longitude { - type: number - sql: ${TABLE}.principal.location.region_longitude ;; - group_label: "principal" - group_item_label: "principal.location.region_longitude [D]" - label: "principal.location.region_longitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__location__region_longitude - - dimension: principal__location__location { - type: location - sql_latitude: ${TABLE}.principal.location.region_latitude ;; - sql_longitude: ${TABLE}.principal.location.region_longitude ;; - group_label: "principal" - group_item_label: "principal.location.location [D][L]" - label: "principal.location.location" - view_label: "UDM" - description: "Deprecated: use region_coordinates. 
[D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." - } # dimension principal__location__location - - dimension: principal__location__state { - type: string - sql: ${TABLE}.principal.location.state ;; - group_label: "principal" - label: "principal.location.state" - view_label: "UDM" - description: "The state." - } # dimension principal__location__state - - dimension: principal__mac { - hidden: yes - } # dimension principal__mac - - dimension: principal__namespace { - type: string - sql: ${TABLE}.principal.namespace ;; - group_label: "principal" - label: "principal.namespace" - view_label: "UDM" - description: "Namespace which the device belongs to (e.g. AD forest) Uses for this field include Microsoft Windows AD forest, name of subsidiary or acquisition, etc." - } # dimension principal__namespace - - dimension: principal__nat_ip { - hidden: yes - } # dimension principal__nat_ip - - dimension: principal__nat_port { - type: number - value_format: "#" - sql: ${TABLE}.principal.nat_port ;; - group_label: "principal" - label: "principal.nat_port" - view_label: "UDM" - description: "NAT external network port number when a specific network connection is described within an event." - } # dimension principal__nat_port - - dimension: principal__network { - hidden: yes - } # dimension principal__network - - dimension: principal__platform { - type: number - sql: ${TABLE}.principal.platform ;; - group_label: "principal" - label: "principal.platform" - view_label: "UDM" - description: "Platform." 
- } # dimension principal__platform - - dimension: principal__platform_enum_name { - type: string - suggestions: ["ANDROID", "AWS", "AZURE", "CHROME_OS", "GCP", "IOS", "LINUX", "MAC", "UNKNOWN_PLATFORM", "WINDOWS"] - sql: CASE ${TABLE}.principal.platform WHEN 0 THEN 'UNKNOWN_PLATFORM' WHEN 1 THEN 'WINDOWS' WHEN 2 THEN 'MAC' WHEN 3 THEN 'LINUX' WHEN 4 THEN 'GCP' WHEN 5 THEN 'AWS' WHEN 6 THEN 'AZURE' WHEN 7 THEN 'IOS' WHEN 8 THEN 'ANDROID' WHEN 9 THEN 'CHROME_OS' END ;; - group_label: "principal" - label: "principal.platform_enum_name" - view_label: "UDM" - description: "Platform." - } # dimension principal__platform_enum_name - - dimension: principal__platform_patch_level { - type: string - sql: ${TABLE}.principal.platform_patch_level ;; - group_label: "principal" - label: "principal.platform_patch_level" - view_label: "UDM" - description: "Platform patch level. For example, \"Build 17134.48\"" - } # dimension principal__platform_patch_level - - dimension: principal__platform_version { - type: string - sql: ${TABLE}.principal.platform_version ;; - group_label: "principal" - label: "principal.platform_version" - view_label: "UDM" - description: "Platform version. For example, \"Microsoft Windows 1803\"." - } # dimension principal__platform_version - - dimension: principal__port { - type: number - value_format: "#" - sql: ${TABLE}.principal.port ;; - group_label: "principal" - label: "principal.port" - view_label: "UDM" - description: "Source or destination network port number when a specific network connection is described within an event." - } # dimension principal__port - - dimension: principal__process { - hidden: yes - } # dimension principal__process - - dimension: principal__process__access_mask { - type: number - sql: ${TABLE}.principal.process.access_mask ;; - group_label: "principal" - label: "principal.process.access_mask" - view_label: "UDM" - description: "A bit mask representing the level of access." 
- } # dimension principal__process__access_mask - - dimension: principal__process__command_line { - type: string - sql: ${TABLE}.principal.process.command_line ;; - group_label: "principal" - label: "principal.process.command_line" - view_label: "UDM" - description: "The command line command that created the process." - } # dimension principal__process__command_line - - dimension: principal__process__command_line_history { - hidden: yes - } # dimension principal__process__command_line_history - - dimension: principal__process__file { - hidden: yes - } # dimension principal__process__file - - dimension: principal__process__file__capabilities_tags { - hidden: yes - } # dimension principal__process__file__capabilities_tags - - dimension: principal__process__file__file_metadata { - hidden: yes - } # dimension principal__process__file__file_metadata - - dimension: principal__process__file__file_metadata__pe { - hidden: yes - } # dimension principal__process__file__file_metadata__pe - - dimension: principal__process__file__file_metadata__pe__import_hash { - type: string - sql: ${TABLE}.principal.process.file.file_metadata.pe.import_hash ;; - group_label: "principal" - group_item_label: "principal.process.file.file_metadata.pe.import_hash [D]" - label: "principal.process.file.file_metadata.pe.import_hash" - view_label: "UDM" - description: "Hash of PE imports. [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__process__file__file_metadata__pe__import_hash - - dimension: principal__process__file__file_type { - type: number - sql: ${TABLE}.principal.process.file.file_type ;; - group_label: "principal" - label: "principal.process.file.file_type" - view_label: "UDM" - description: "FileType field." 
- } # dimension principal__process__file__file_type - - dimension: principal__process__file__file_type_enum_name { - type: string - suggestions: ["FILE_TYPE_ACE", "FILE_TYPE_ANDROID", "FILE_TYPE_APPLE", "FILE_TYPE_APPLEDOUBLE", "FILE_TYPE_APPLESCRIPT", "FILE_TYPE_APPLESCRIPT_COMPILED", "FILE_TYPE_APPLESINGLE", "FILE_TYPE_APPLE_PLIST", "FILE_TYPE_ARC", "FILE_TYPE_ARJ", "FILE_TYPE_ASD", "FILE_TYPE_ASF", "FILE_TYPE_AVI", "FILE_TYPE_AWK", "FILE_TYPE_BLACKHOLE", "FILE_TYPE_BMP", "FILE_TYPE_BZIP", "FILE_TYPE_C", "FILE_TYPE_CAB", "FILE_TYPE_CAP", "FILE_TYPE_CHM", "FILE_TYPE_COFF", "FILE_TYPE_COOKIE", "FILE_TYPE_CPP", "FILE_TYPE_CRX", "FILE_TYPE_DEB", "FILE_TYPE_DIB", "FILE_TYPE_DIVX", "FILE_TYPE_DMG", "FILE_TYPE_DOC", "FILE_TYPE_DOCX", "FILE_TYPE_DOS_COM", "FILE_TYPE_DOS_EXE", "FILE_TYPE_DYALOG", "FILE_TYPE_DZIP", "FILE_TYPE_EBOOK", "FILE_TYPE_ELF", "FILE_TYPE_EMAIL_TYPE", "FILE_TYPE_EMF", "FILE_TYPE_EOT", "FILE_TYPE_EPS", "FILE_TYPE_FLA", "FILE_TYPE_FLAC", "FILE_TYPE_FLC", "FILE_TYPE_FLI", "FILE_TYPE_FLV", "FILE_TYPE_FORTRAN", "FILE_TYPE_FPX", "FILE_TYPE_GIF", "FILE_TYPE_GIMP", "FILE_TYPE_GUL", "FILE_TYPE_GZIP", "FILE_TYPE_HTML", "FILE_TYPE_HWP", "FILE_TYPE_ICO", "FILE_TYPE_IN_DESIGN", "FILE_TYPE_IPHONE", "FILE_TYPE_ISOIMAGE", "FILE_TYPE_JAR", "FILE_TYPE_JAVA", "FILE_TYPE_JAVASCRIPT", "FILE_TYPE_JAVA_BYTECODE", "FILE_TYPE_JNG", "FILE_TYPE_JPEG", "FILE_TYPE_KGB", "FILE_TYPE_LATEX", "FILE_TYPE_LINUX", "FILE_TYPE_LINUX_KERNEL", "FILE_TYPE_LNK", "FILE_TYPE_MACH_O", "FILE_TYPE_MACINTOSH", "FILE_TYPE_MACINTOSH_HFS", "FILE_TYPE_MACINTOSH_LIB", "FILE_TYPE_MIDI", "FILE_TYPE_MOV", "FILE_TYPE_MP3", "FILE_TYPE_MP4", "FILE_TYPE_MPEG", "FILE_TYPE_MSCOMPRESS", "FILE_TYPE_MSI", "FILE_TYPE_NE_DLL", "FILE_TYPE_NE_EXE", "FILE_TYPE_ODF", "FILE_TYPE_ODG", "FILE_TYPE_ODP", "FILE_TYPE_ODS", "FILE_TYPE_ODT", "FILE_TYPE_OGG", "FILE_TYPE_OUTLOOK", "FILE_TYPE_PALMOS", "FILE_TYPE_PASCAL", "FILE_TYPE_PDF", "FILE_TYPE_PERL", "FILE_TYPE_PE_DLL", "FILE_TYPE_PE_EXE", "FILE_TYPE_PHP", "FILE_TYPE_PKG", 
"FILE_TYPE_PNG", "FILE_TYPE_POWERSHELL", "FILE_TYPE_PPSX", "FILE_TYPE_PPT", "FILE_TYPE_PPTX", "FILE_TYPE_PS", "FILE_TYPE_PSD", "FILE_TYPE_PYTHON", "FILE_TYPE_QUICKTIME", "FILE_TYPE_RAR", "FILE_TYPE_RM", "FILE_TYPE_ROM", "FILE_TYPE_RPM", "FILE_TYPE_RTF", "FILE_TYPE_RUBY", "FILE_TYPE_RZIP", "FILE_TYPE_SCRIPT", "FILE_TYPE_SEVENZIP", "FILE_TYPE_SHELLSCRIPT", "FILE_TYPE_SVG", "FILE_TYPE_SWF", "FILE_TYPE_SYMBIAN", "FILE_TYPE_T3GP", "FILE_TYPE_TAR", "FILE_TYPE_TARGA", "FILE_TYPE_TEXT", "FILE_TYPE_TIFF", "FILE_TYPE_TORRENT", "FILE_TYPE_TTF", "FILE_TYPE_UNSPECIFIED", "FILE_TYPE_VBA", "FILE_TYPE_WAV", "FILE_TYPE_WEBP", "FILE_TYPE_WINCE", "FILE_TYPE_WMA", "FILE_TYPE_WMV", "FILE_TYPE_WOFF", "FILE_TYPE_XLS", "FILE_TYPE_XLSX", "FILE_TYPE_XML", "FILE_TYPE_XPI", "FILE_TYPE_XWD", "FILE_TYPE_ZIP", "FILE_TYPE_ZLIB"] - sql: CASE ${TABLE}.principal.process.file.file_type WHEN 0 THEN 'FILE_TYPE_UNSPECIFIED' WHEN 1 THEN 'FILE_TYPE_PE_EXE' WHEN 2 THEN 'FILE_TYPE_PE_DLL' WHEN 3 THEN 'FILE_TYPE_MSI' WHEN 10 THEN 'FILE_TYPE_NE_EXE' WHEN 11 THEN 'FILE_TYPE_NE_DLL' WHEN 20 THEN 'FILE_TYPE_DOS_EXE' WHEN 21 THEN 'FILE_TYPE_DOS_COM' WHEN 30 THEN 'FILE_TYPE_COFF' WHEN 31 THEN 'FILE_TYPE_ELF' WHEN 32 THEN 'FILE_TYPE_LINUX_KERNEL' WHEN 33 THEN 'FILE_TYPE_RPM' WHEN 34 THEN 'FILE_TYPE_LINUX' WHEN 35 THEN 'FILE_TYPE_MACH_O' WHEN 36 THEN 'FILE_TYPE_JAVA_BYTECODE' WHEN 37 THEN 'FILE_TYPE_DMG' WHEN 38 THEN 'FILE_TYPE_DEB' WHEN 39 THEN 'FILE_TYPE_PKG' WHEN 50 THEN 'FILE_TYPE_LNK' WHEN 100 THEN 'FILE_TYPE_JPEG' WHEN 101 THEN 'FILE_TYPE_TIFF' WHEN 102 THEN 'FILE_TYPE_GIF' WHEN 103 THEN 'FILE_TYPE_PNG' WHEN 104 THEN 'FILE_TYPE_BMP' WHEN 105 THEN 'FILE_TYPE_GIMP' WHEN 106 THEN 'FILE_TYPE_IN_DESIGN' WHEN 107 THEN 'FILE_TYPE_PSD' WHEN 108 THEN 'FILE_TYPE_TARGA' WHEN 109 THEN 'FILE_TYPE_XWD' WHEN 110 THEN 'FILE_TYPE_DIB' WHEN 111 THEN 'FILE_TYPE_JNG' WHEN 112 THEN 'FILE_TYPE_ICO' WHEN 113 THEN 'FILE_TYPE_FPX' WHEN 114 THEN 'FILE_TYPE_EPS' WHEN 115 THEN 'FILE_TYPE_SVG' WHEN 116 THEN 'FILE_TYPE_EMF' WHEN 117 THEN 
'FILE_TYPE_WEBP' WHEN 150 THEN 'FILE_TYPE_OGG' WHEN 151 THEN 'FILE_TYPE_FLC' WHEN 152 THEN 'FILE_TYPE_FLI' WHEN 153 THEN 'FILE_TYPE_MP3' WHEN 154 THEN 'FILE_TYPE_FLAC' WHEN 155 THEN 'FILE_TYPE_WAV' WHEN 156 THEN 'FILE_TYPE_MIDI' WHEN 157 THEN 'FILE_TYPE_AVI' WHEN 158 THEN 'FILE_TYPE_MPEG' WHEN 159 THEN 'FILE_TYPE_QUICKTIME' WHEN 160 THEN 'FILE_TYPE_ASF' WHEN 161 THEN 'FILE_TYPE_DIVX' WHEN 162 THEN 'FILE_TYPE_FLV' WHEN 163 THEN 'FILE_TYPE_WMA' WHEN 164 THEN 'FILE_TYPE_WMV' WHEN 165 THEN 'FILE_TYPE_RM' WHEN 166 THEN 'FILE_TYPE_MOV' WHEN 167 THEN 'FILE_TYPE_MP4' WHEN 168 THEN 'FILE_TYPE_T3GP' WHEN 200 THEN 'FILE_TYPE_PDF' WHEN 201 THEN 'FILE_TYPE_PS' WHEN 202 THEN 'FILE_TYPE_DOC' WHEN 203 THEN 'FILE_TYPE_DOCX' WHEN 204 THEN 'FILE_TYPE_PPT' WHEN 205 THEN 'FILE_TYPE_PPTX' WHEN 209 THEN 'FILE_TYPE_PPSX' WHEN 206 THEN 'FILE_TYPE_XLS' WHEN 207 THEN 'FILE_TYPE_XLSX' WHEN 208 THEN 'FILE_TYPE_RTF' WHEN 250 THEN 'FILE_TYPE_ODP' WHEN 251 THEN 'FILE_TYPE_ODS' WHEN 252 THEN 'FILE_TYPE_ODT' WHEN 253 THEN 'FILE_TYPE_HWP' WHEN 254 THEN 'FILE_TYPE_GUL' WHEN 255 THEN 'FILE_TYPE_ODF' WHEN 256 THEN 'FILE_TYPE_ODG' WHEN 260 THEN 'FILE_TYPE_EBOOK' WHEN 261 THEN 'FILE_TYPE_LATEX' WHEN 262 THEN 'FILE_TYPE_TTF' WHEN 263 THEN 'FILE_TYPE_EOT' WHEN 264 THEN 'FILE_TYPE_WOFF' WHEN 265 THEN 'FILE_TYPE_CHM' WHEN 300 THEN 'FILE_TYPE_ZIP' WHEN 301 THEN 'FILE_TYPE_GZIP' WHEN 302 THEN 'FILE_TYPE_BZIP' WHEN 303 THEN 'FILE_TYPE_RZIP' WHEN 304 THEN 'FILE_TYPE_DZIP' WHEN 305 THEN 'FILE_TYPE_SEVENZIP' WHEN 306 THEN 'FILE_TYPE_CAB' WHEN 307 THEN 'FILE_TYPE_JAR' WHEN 308 THEN 'FILE_TYPE_RAR' WHEN 309 THEN 'FILE_TYPE_MSCOMPRESS' WHEN 310 THEN 'FILE_TYPE_ACE' WHEN 311 THEN 'FILE_TYPE_ARC' WHEN 312 THEN 'FILE_TYPE_ARJ' WHEN 313 THEN 'FILE_TYPE_ASD' WHEN 314 THEN 'FILE_TYPE_BLACKHOLE' WHEN 315 THEN 'FILE_TYPE_KGB' WHEN 316 THEN 'FILE_TYPE_ZLIB' WHEN 317 THEN 'FILE_TYPE_TAR' WHEN 400 THEN 'FILE_TYPE_TEXT' WHEN 401 THEN 'FILE_TYPE_SCRIPT' WHEN 402 THEN 'FILE_TYPE_PHP' WHEN 403 THEN 'FILE_TYPE_PYTHON' WHEN 404 THEN 
'FILE_TYPE_PERL' WHEN 405 THEN 'FILE_TYPE_RUBY' WHEN 406 THEN 'FILE_TYPE_C' WHEN 407 THEN 'FILE_TYPE_CPP' WHEN 408 THEN 'FILE_TYPE_JAVA' WHEN 409 THEN 'FILE_TYPE_SHELLSCRIPT' WHEN 410 THEN 'FILE_TYPE_PASCAL' WHEN 411 THEN 'FILE_TYPE_AWK' WHEN 412 THEN 'FILE_TYPE_DYALOG' WHEN 413 THEN 'FILE_TYPE_FORTRAN' WHEN 414 THEN 'FILE_TYPE_JAVASCRIPT' WHEN 415 THEN 'FILE_TYPE_POWERSHELL' WHEN 416 THEN 'FILE_TYPE_VBA' WHEN 500 THEN 'FILE_TYPE_SYMBIAN' WHEN 501 THEN 'FILE_TYPE_PALMOS' WHEN 502 THEN 'FILE_TYPE_WINCE' WHEN 503 THEN 'FILE_TYPE_ANDROID' WHEN 504 THEN 'FILE_TYPE_IPHONE' WHEN 600 THEN 'FILE_TYPE_HTML' WHEN 601 THEN 'FILE_TYPE_XML' WHEN 602 THEN 'FILE_TYPE_SWF' WHEN 603 THEN 'FILE_TYPE_FLA' WHEN 604 THEN 'FILE_TYPE_COOKIE' WHEN 605 THEN 'FILE_TYPE_TORRENT' WHEN 606 THEN 'FILE_TYPE_EMAIL_TYPE' WHEN 607 THEN 'FILE_TYPE_OUTLOOK' WHEN 700 THEN 'FILE_TYPE_CAP' WHEN 800 THEN 'FILE_TYPE_ISOIMAGE' WHEN 1000 THEN 'FILE_TYPE_APPLE' WHEN 1001 THEN 'FILE_TYPE_MACINTOSH' WHEN 1002 THEN 'FILE_TYPE_APPLESINGLE' WHEN 1003 THEN 'FILE_TYPE_APPLEDOUBLE' WHEN 1004 THEN 'FILE_TYPE_MACINTOSH_HFS' WHEN 1005 THEN 'FILE_TYPE_APPLE_PLIST' WHEN 1006 THEN 'FILE_TYPE_MACINTOSH_LIB' WHEN 1007 THEN 'FILE_TYPE_APPLESCRIPT' WHEN 1008 THEN 'FILE_TYPE_APPLESCRIPT_COMPILED' WHEN 1100 THEN 'FILE_TYPE_CRX' WHEN 1101 THEN 'FILE_TYPE_XPI' WHEN 1200 THEN 'FILE_TYPE_ROM' END ;; - group_label: "principal" - label: "principal.process.file.file_type_enum_name" - view_label: "UDM" - description: "FileType field." - } # dimension principal__process__file__file_type_enum_name - - dimension: principal__process__file__full_path { - type: string - sql: ${TABLE}.principal.process.file.full_path ;; - group_label: "principal" - label: "principal.process.file.full_path" - view_label: "UDM" - description: "The full path identifying the location of the file on the system." 
- } # dimension principal__process__file__full_path - - dimension: principal__process__file__md5 { - type: string - sql: ${TABLE}.principal.process.file.md5 ;; - group_label: "principal" - label: "principal.process.file.md5" - view_label: "UDM" - description: "The MD5 hash of the file." - } # dimension principal__process__file__md5 - - dimension: principal__process__file__mime_type { - type: string - sql: ${TABLE}.principal.process.file.mime_type ;; - group_label: "principal" - label: "principal.process.file.mime_type" - view_label: "UDM" - description: "The MIME (Multipurpose Internet Mail Extensions) type of the file, for example \"PE\", \"PDF\", \"powershell script\", etc." - } # dimension principal__process__file__mime_type - - dimension: principal__process__file__names { - hidden: yes - } # dimension principal__process__file__names - - dimension: principal__process__file__pe_file { - hidden: yes - } # dimension principal__process__file__pe_file - - dimension: principal__process__file__pe_file__signature_info { - hidden: yes - } # dimension principal__process__file__pe_file__signature_info - - dimension: principal__process__file__pe_file__signature_info__verification_message { - type: string - sql: ${TABLE}.principal.process.file.pe_file.signature_info.verification_message ;; - group_label: "principal" - group_item_label: "principal.process.file.pe_file.signature_info.verification_message [D]" - label: "principal.process.file.pe_file.signature_info.verification_message" - view_label: "UDM" - description: "Status of the certificate. Valid values are \"Signed\", \"Unsigned\" or a description of the certificate anomaly, if found. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension principal__process__file__pe_file__signature_info__verification_message - - dimension: principal__process__file__sha1 { - type: string - sql: ${TABLE}.principal.process.file.sha1 ;; - group_label: "principal" - label: "principal.process.file.sha1" - view_label: "UDM" - description: "The SHA1 hash of the file." - } # dimension principal__process__file__sha1 - - dimension: principal__process__file__sha256 { - type: string - sql: ${TABLE}.principal.process.file.sha256 ;; - group_label: "principal" - label: "principal.process.file.sha256" - view_label: "UDM" - description: "The SHA256 hash of the file." - } # dimension principal__process__file__sha256 - - dimension: principal__process__file__size { - type: number - sql: ${TABLE}.principal.process.file.size ;; - group_label: "principal" - label: "principal.process.file.size" - view_label: "UDM" - description: "The size of the file in bytes." - } # dimension principal__process__file__size - - dimension: principal__process__parent_pid { - type: string - sql: ${TABLE}.principal.process.parent_pid ;; - group_label: "principal" - group_item_label: "principal.process.parent_pid [D]" - label: "principal.process.parent_pid" - view_label: "UDM" - description: "The ID of the parent process. Deprecated: use parent_process.pid instead. [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__process__parent_pid - - dimension: principal__process__parent_process { - hidden: yes - } # dimension principal__process__parent_process - - dimension: principal__process__parent_process__command_line { - type: string - sql: ${TABLE}.principal.process.parent_process.command_line ;; - group_label: "principal" - label: "principal.process.parent_process.command_line" - view_label: "UDM" - description: "The command line command that created the process." 
- } # dimension principal__process__parent_process__command_line - - dimension: principal__process__parent_process__file { - hidden: yes - } # dimension principal__process__parent_process__file - - dimension: principal__process__parent_process__file__file_metadata { - hidden: yes - } # dimension principal__process__parent_process__file__file_metadata - - dimension: principal__process__parent_process__file__file_metadata__pe { - hidden: yes - } # dimension principal__process__parent_process__file__file_metadata__pe - - dimension: principal__process__parent_process__file__file_metadata__pe__import_hash { - type: string - sql: ${TABLE}.principal.process.parent_process.file.file_metadata.pe.import_hash ;; - group_label: "principal" - group_item_label: "principal.process.parent_process.file.file_metadata.pe.import_hash [D]" - label: "principal.process.parent_process.file.file_metadata.pe.import_hash" - view_label: "UDM" - description: "Hash of PE imports. [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__process__parent_process__file__file_metadata__pe__import_hash - - dimension: principal__process__parent_process__file__full_path { - type: string - sql: ${TABLE}.principal.process.parent_process.file.full_path ;; - group_label: "principal" - label: "principal.process.parent_process.file.full_path" - view_label: "UDM" - description: "The full path identifying the location of the file on the system." - } # dimension principal__process__parent_process__file__full_path - - dimension: principal__process__parent_process__file__md5 { - type: string - sql: ${TABLE}.principal.process.parent_process.file.md5 ;; - group_label: "principal" - label: "principal.process.parent_process.file.md5" - view_label: "UDM" - description: "The MD5 hash of the file." 
- } # dimension principal__process__parent_process__file__md5 - - dimension: principal__process__parent_process__file__mime_type { - type: string - sql: ${TABLE}.principal.process.parent_process.file.mime_type ;; - group_label: "principal" - label: "principal.process.parent_process.file.mime_type" - view_label: "UDM" - description: "The MIME (Multipurpose Internet Mail Extensions) type of the file, for example \"PE\", \"PDF\", \"powershell script\", etc." - } # dimension principal__process__parent_process__file__mime_type - - dimension: principal__process__parent_process__file__sha1 { - type: string - sql: ${TABLE}.principal.process.parent_process.file.sha1 ;; - group_label: "principal" - label: "principal.process.parent_process.file.sha1" - view_label: "UDM" - description: "The SHA1 hash of the file." - } # dimension principal__process__parent_process__file__sha1 - - dimension: principal__process__parent_process__file__sha256 { - type: string - sql: ${TABLE}.principal.process.parent_process.file.sha256 ;; - group_label: "principal" - label: "principal.process.parent_process.file.sha256" - view_label: "UDM" - description: "The SHA256 hash of the file." - } # dimension principal__process__parent_process__file__sha256 - - dimension: principal__process__parent_process__file__size { - type: number - sql: ${TABLE}.principal.process.parent_process.file.size ;; - group_label: "principal" - label: "principal.process.parent_process.file.size" - view_label: "UDM" - description: "The size of the file in bytes." - } # dimension principal__process__parent_process__file__size - - dimension: principal__process__parent_process__parent_pid { - type: string - sql: ${TABLE}.principal.process.parent_process.parent_pid ;; - group_label: "principal" - group_item_label: "principal.process.parent_process.parent_pid [D]" - label: "principal.process.parent_process.parent_pid" - view_label: "UDM" - description: "The ID of the parent process. Deprecated: use parent_process.pid instead. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension principal__process__parent_process__parent_pid - - dimension: principal__process__parent_process__pid { - type: string - sql: ${TABLE}.principal.process.parent_process.pid ;; - group_label: "principal" - label: "principal.process.parent_process.pid" - view_label: "UDM" - description: "The process ID." - } # dimension principal__process__parent_process__pid - - dimension: principal__process__parent_process__product_specific_process_id { - type: string - sql: ${TABLE}.principal.process.parent_process.product_specific_process_id ;; - group_label: "principal" - label: "principal.process.parent_process.product_specific_process_id" - view_label: "UDM" - description: "A product specific process id." - } # dimension principal__process__parent_process__product_specific_process_id - - dimension: principal__process__pid { - type: string - sql: ${TABLE}.principal.process.pid ;; - group_label: "principal" - label: "principal.process.pid" - view_label: "UDM" - description: "The process ID." - } # dimension principal__process__pid - - dimension: principal__process__product_specific_parent_process_id { - type: string - sql: ${TABLE}.principal.process.product_specific_parent_process_id ;; - group_label: "principal" - group_item_label: "principal.process.product_specific_parent_process_id [D]" - label: "principal.process.product_specific_parent_process_id" - view_label: "UDM" - description: "A product specific id for the parent process. Please use parent_process.product_specific_process_id instead. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension principal__process__product_specific_parent_process_id - - dimension: principal__process__product_specific_process_id { - type: string - sql: ${TABLE}.principal.process.product_specific_process_id ;; - group_label: "principal" - label: "principal.process.product_specific_process_id" - view_label: "UDM" - description: "A product specific process id." - } # dimension principal__process__product_specific_process_id - - dimension: principal__process_ancestors { - hidden: yes - } # dimension principal__process_ancestors - - dimension: principal__registry { - hidden: yes - } # dimension principal__registry - - dimension: principal__registry__registry_key { - type: string - sql: ${TABLE}.principal.registry.registry_key ;; - group_label: "principal" - label: "principal.registry.registry_key" - view_label: "UDM" - description: "Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...)." - } # dimension principal__registry__registry_key - - dimension: principal__registry__registry_value_data { - type: string - sql: ${TABLE}.principal.registry.registry_value_data ;; - group_label: "principal" - label: "principal.registry.registry_value_data" - view_label: "UDM" - description: "Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp)." - } # dimension principal__registry__registry_value_data - - dimension: principal__registry__registry_value_name { - type: string - sql: ${TABLE}.principal.registry.registry_value_name ;; - group_label: "principal" - label: "principal.registry.registry_value_name" - view_label: "UDM" - description: "Name of the registry value associated with an application or system component (e.g. TEMP)." 
- } # dimension principal__registry__registry_value_name - - dimension: principal__resource { - hidden: yes - } # dimension principal__resource - - dimension: principal__resource__attribute { - hidden: yes - } # dimension principal__resource__attribute - - dimension: principal__resource__attribute__cloud { - hidden: yes - } # dimension principal__resource__attribute__cloud - - dimension: principal__resource__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.principal.resource.attribute.cloud.availability_zone ;; - group_label: "principal" - label: "principal.resource.attribute.cloud.availability_zone" - view_label: "UDM" - description: "The cloud environment availability zone (different from region which is location.name)." - } # dimension principal__resource__attribute__cloud__availability_zone - - dimension: principal__resource__attribute__cloud__environment { - type: number - sql: ${TABLE}.principal.resource.attribute.cloud.environment ;; - group_label: "principal" - label: "principal.resource.attribute.cloud.environment" - view_label: "UDM" - description: "The Cloud environment." - } # dimension principal__resource__attribute__cloud__environment - - dimension: principal__resource__attribute__cloud__environment_enum_name { - type: string - suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] - sql: CASE ${TABLE}.principal.resource.attribute.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; - group_label: "principal" - label: "principal.resource.attribute.cloud.environment_enum_name" - view_label: "UDM" - description: "The Cloud environment." 
- } # dimension principal__resource__attribute__cloud__environment_enum_name - - dimension: principal__resource__attribute__cloud__project { - hidden: yes - } # dimension principal__resource__attribute__cloud__project - - dimension: principal__resource__attribute__cloud__project__name { - type: string - sql: ${TABLE}.principal.resource.attribute.cloud.project.name ;; - group_label: "principal" - group_item_label: "principal.resource.attribute.cloud.project.name [D]" - label: "principal.resource.attribute.cloud.project.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__resource__attribute__cloud__project__name - - dimension: principal__resource__attribute__cloud__project__resource_subtype { - type: string - sql: ${TABLE}.principal.resource.attribute.cloud.project.resource_subtype ;; - group_label: "principal" - group_item_label: "principal.resource.attribute.cloud.project.resource_subtype [D]" - label: "principal.resource.attribute.cloud.project.resource_subtype" - view_label: "UDM" - description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\"). 
[D]: This field is deprecated and will be removed in a future release" - } # dimension principal__resource__attribute__cloud__project__resource_subtype - - dimension_group: principal__resource__attribute__creation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.resource.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.resource.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "principal" - label: "principal.resource.attribute.creation_time" - view_label: "UDM" - description: "Time the resource or entity was created or provisioned." - } # dimension principal__resource__attribute__creation_time - - dimension: principal__resource__attribute__labels { - hidden: yes - } # dimension principal__resource__attribute__labels - - dimension_group: principal__resource__attribute__last_update_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.resource.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.resource.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "principal" - label: "principal.resource.attribute.last_update_time" - view_label: "UDM" - description: "Time the resource or entity was last updated." 
- } # dimension principal__resource__attribute__last_update_time - - dimension: principal__resource__attribute__permissions { - hidden: yes - } # dimension principal__resource__attribute__permissions - - dimension: principal__resource__attribute__roles { - hidden: yes - } # dimension principal__resource__attribute__roles - - dimension: principal__resource__id { - type: string - sql: ${TABLE}.principal.resource.id ;; - group_label: "principal" - group_item_label: "principal.resource.id [D]" - label: "principal.resource.id" - view_label: "UDM" - description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__resource__id - - dimension: principal__resource__name { - type: string - sql: ${TABLE}.principal.resource.name ;; - group_label: "principal" - label: "principal.resource.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." - } # dimension principal__resource__name - - dimension: principal__resource__parent { - type: string - sql: ${TABLE}.principal.resource.parent ;; - group_label: "principal" - group_item_label: "principal.resource.parent [D]" - label: "principal.resource.parent" - view_label: "UDM" - description: "The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: use resource_ancestors.name. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension principal__resource__parent - - dimension: principal__resource__product_object_id { - type: string - sql: ${TABLE}.principal.resource.product_object_id ;; - group_label: "principal" - label: "principal.resource.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" - } # dimension principal__resource__product_object_id - - dimension: principal__resource__resource_subtype { - type: string - sql: ${TABLE}.principal.resource.resource_subtype ;; - group_label: "principal" - label: "principal.resource.resource_subtype" - view_label: "UDM" - description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\")." - } # dimension principal__resource__resource_subtype - - dimension: principal__resource__resource_type { - type: number - sql: ${TABLE}.principal.resource.resource_type ;; - group_label: "principal" - label: "principal.resource.resource_type" - view_label: "UDM" - description: "Resource type." 
- } # dimension principal__resource__resource_type - - dimension: principal__resource__resource_type_enum_name { - type: string - suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] - sql: CASE ${TABLE}.principal.resource.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; - group_label: "principal" - label: "principal.resource.resource_type_enum_name" - view_label: "UDM" - description: "Resource type." - } # dimension principal__resource__resource_type_enum_name - - dimension: principal__resource__type { - type: string - sql: ${TABLE}.principal.resource.type ;; - group_label: "principal" - group_item_label: "principal.resource.type [D]" - label: "principal.resource.type" - view_label: "UDM" - description: "Deprecated: use resource_type instead. [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__resource__type - - dimension: principal__resource_ancestors { - hidden: yes - } # dimension principal__resource_ancestors - - dimension: principal__url { - type: string - sql: ${TABLE}.principal.url ;; - group_label: "principal" - label: "principal.url" - view_label: "UDM" - description: "The URL." 
- } # dimension principal__url - - dimension: principal__user { - hidden: yes - } # dimension principal__user - - dimension: principal__user__account_type { - type: number - sql: ${TABLE}.principal.user.account_type ;; - group_label: "principal" - label: "principal.user.account_type" - view_label: "UDM" - description: "Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/" - } # dimension principal__user__account_type - - dimension: principal__user__account_type_enum_name { - type: string - suggestions: ["ACCOUNT_TYPE_UNSPECIFIED", "CLOUD_ACCOUNT_TYPE", "DEFAULT_ACCOUNT_TYPE", "DOMAIN_ACCOUNT_TYPE", "LOCAL_ACCOUNT_TYPE", "SERVICE_ACCOUNT_TYPE"] - sql: CASE ${TABLE}.principal.user.account_type WHEN 0 THEN 'ACCOUNT_TYPE_UNSPECIFIED' WHEN 1 THEN 'DOMAIN_ACCOUNT_TYPE' WHEN 2 THEN 'LOCAL_ACCOUNT_TYPE' WHEN 3 THEN 'CLOUD_ACCOUNT_TYPE' WHEN 4 THEN 'SERVICE_ACCOUNT_TYPE' WHEN 5 THEN 'DEFAULT_ACCOUNT_TYPE' END ;; - group_label: "principal" - label: "principal.user.account_type_enum_name" - view_label: "UDM" - description: "Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/" - } # dimension principal__user__account_type_enum_name - - dimension: principal__user__attribute { - hidden: yes - } # dimension principal__user__attribute - - dimension: principal__user__attribute__cloud { - hidden: yes - } # dimension principal__user__attribute__cloud - - dimension: principal__user__attribute__cloud__environment { - type: number - sql: ${TABLE}.principal.user.attribute.cloud.environment ;; - group_label: "principal" - label: "principal.user.attribute.cloud.environment" - view_label: "UDM" - description: "The Cloud environment." 
- } # dimension principal__user__attribute__cloud__environment - - dimension: principal__user__attribute__cloud__environment_enum_name { - type: string - suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] - sql: CASE ${TABLE}.principal.user.attribute.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; - group_label: "principal" - label: "principal.user.attribute.cloud.environment_enum_name" - view_label: "UDM" - description: "The Cloud environment." - } # dimension principal__user__attribute__cloud__environment_enum_name - - dimension: principal__user__attribute__cloud__project { - hidden: yes - } # dimension principal__user__attribute__cloud__project - - dimension: principal__user__attribute__cloud__project__id { - type: string - sql: ${TABLE}.principal.user.attribute.cloud.project.id ;; - group_label: "principal" - group_item_label: "principal.user.attribute.cloud.project.id [D]" - label: "principal.user.attribute.cloud.project.id" - view_label: "UDM" - description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__user__attribute__cloud__project__id - - dimension_group: principal__user__attribute__creation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.user.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.user.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "principal" - label: "principal.user.attribute.creation_time" - view_label: "UDM" - description: "Time the resource or entity was created or provisioned." 
- } # dimension principal__user__attribute__creation_time - - dimension: principal__user__attribute__labels { - hidden: yes - } # dimension principal__user__attribute__labels - - dimension_group: principal__user__attribute__last_update_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.user.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.user.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "principal" - label: "principal.user.attribute.last_update_time" - view_label: "UDM" - description: "Time the resource or entity was last updated." - } # dimension principal__user__attribute__last_update_time - - dimension: principal__user__attribute__permissions { - hidden: yes - } # dimension principal__user__attribute__permissions - - dimension: principal__user__attribute__roles { - hidden: yes - } # dimension principal__user__attribute__roles - - dimension: principal__user__company_name { - type: string - sql: ${TABLE}.principal.user.company_name ;; - group_label: "principal" - label: "principal.user.company_name" - view_label: "UDM" - description: "User job company name." - } # dimension principal__user__company_name - - dimension: principal__user__department { - hidden: yes - } # dimension principal__user__department - - dimension: principal__user__email_addresses { - hidden: yes - } # dimension principal__user__email_addresses - - dimension: principal__user__employee_id { - type: string - sql: ${TABLE}.principal.user.employee_id ;; - group_label: "principal" - label: "principal.user.employee_id" - view_label: "UDM" - description: "Human capital management identifier." 
- } # dimension principal__user__employee_id - - dimension: principal__user__first_name { - type: string - sql: ${TABLE}.principal.user.first_name ;; - group_label: "principal" - label: "principal.user.first_name" - view_label: "UDM" - description: "First name of the user (e.g. \"John\")." - } # dimension principal__user__first_name - - dimension: principal__user__group_identifiers { - hidden: yes - } # dimension principal__user__group_identifiers - - dimension: principal__user__groupid { - type: string - sql: ${TABLE}.principal.user.groupid ;; - group_label: "principal" - group_item_label: "principal.user.groupid [D]" - label: "principal.user.groupid" - view_label: "UDM" - description: "The ID of the group that the user belongs to. Deprecated in favor of the repeated group_identifiers field. [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__user__groupid - - dimension_group: principal__user__hire_date { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.user.hire_date.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.user.hire_date.nanos, 0) / 1000) as INT64)) ;; - group_label: "principal" - label: "principal.user.hire_date" - view_label: "UDM" - description: "User job employment hire date." - } # dimension principal__user__hire_date - - dimension: principal__user__last_name { - type: string - sql: ${TABLE}.principal.user.last_name ;; - group_label: "principal" - label: "principal.user.last_name" - view_label: "UDM" - description: "Last name of the user (e.g. \"Locke\")." 
- } # dimension principal__user__last_name - - dimension: principal__user__managers { - hidden: yes - } # dimension principal__user__managers - - dimension: principal__user__office_address { - hidden: yes - } # dimension principal__user__office_address - - dimension: principal__user__office_address__city { - type: string - sql: ${TABLE}.principal.user.office_address.city ;; - group_label: "principal" - label: "principal.user.office_address.city" - view_label: "UDM" - description: "The city." - } # dimension principal__user__office_address__city - - dimension: principal__user__office_address__country_or_region { - type: string - sql: ${TABLE}.principal.user.office_address.country_or_region ;; - group_label: "principal" - label: "principal.user.office_address.country_or_region" - view_label: "UDM" - description: "The country or region." - } # dimension principal__user__office_address__country_or_region - - dimension: principal__user__office_address__desk_name { - type: string - sql: ${TABLE}.principal.user.office_address.desk_name ;; - group_label: "principal" - label: "principal.user.office_address.desk_name" - view_label: "UDM" - description: "Desk name or individual location, typically for an employee in an office. (e.g. \"IN-BLR-BCPC-11-1121D\")." - } # dimension principal__user__office_address__desk_name - - dimension: principal__user__office_address__floor_name { - type: string - sql: ${TABLE}.principal.user.office_address.floor_name ;; - group_label: "principal" - label: "principal.user.office_address.floor_name" - view_label: "UDM" - description: "Floor name, number or a combination of the two for a building. (e.g. \"1-A\")." - } # dimension principal__user__office_address__floor_name - - dimension: principal__user__office_address__name { - type: string - sql: ${TABLE}.principal.user.office_address.name ;; - group_label: "principal" - label: "principal.user.office_address.name" - view_label: "UDM" - description: "Custom location name (e.g. 
building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." - } # dimension principal__user__office_address__name - - dimension: principal__user__office_address__state { - type: string - sql: ${TABLE}.principal.user.office_address.state ;; - group_label: "principal" - label: "principal.user.office_address.state" - view_label: "UDM" - description: "The state." - } # dimension principal__user__office_address__state - - dimension: principal__user__personal_address { - hidden: yes - } # dimension principal__user__personal_address - - dimension: principal__user__personal_address__city { - type: string - sql: ${TABLE}.principal.user.personal_address.city ;; - group_label: "principal" - label: "principal.user.personal_address.city" - view_label: "UDM" - description: "The city." - } # dimension principal__user__personal_address__city - - dimension: principal__user__personal_address__country_or_region { - type: string - sql: ${TABLE}.principal.user.personal_address.country_or_region ;; - group_label: "principal" - label: "principal.user.personal_address.country_or_region" - view_label: "UDM" - description: "The country or region." - } # dimension principal__user__personal_address__country_or_region - - dimension: principal__user__personal_address__name { - type: string - sql: ${TABLE}.principal.user.personal_address.name ;; - group_label: "principal" - label: "principal.user.personal_address.name" - view_label: "UDM" - description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." - } # dimension principal__user__personal_address__name - - dimension: principal__user__personal_address__state { - type: string - sql: ${TABLE}.principal.user.personal_address.state ;; - group_label: "principal" - label: "principal.user.personal_address.state" - view_label: "UDM" - description: "The state." 
- } # dimension principal__user__personal_address__state - - dimension: principal__user__phone_numbers { - hidden: yes - } # dimension principal__user__phone_numbers - - dimension: principal__user__product_object_id { - type: string - sql: ${TABLE}.principal.user.product_object_id ;; - group_label: "principal" - label: "principal.user.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." - } # dimension principal__user__product_object_id - - dimension: principal__user__role_description { - type: string - sql: ${TABLE}.principal.user.role_description ;; - group_label: "principal" - group_item_label: "principal.user.role_description [D]" - label: "principal.user.role_description" - view_label: "UDM" - description: "System role description for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__user__role_description - - dimension: principal__user__role_name { - type: string - sql: ${TABLE}.principal.user.role_name ;; - group_label: "principal" - group_item_label: "principal.user.role_name [D]" - label: "principal.user.role_name" - view_label: "UDM" - description: "System role name for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__user__role_name - - dimension_group: principal__user__termination_date { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.user.termination_date.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.user.termination_date.nanos, 0) / 1000) as INT64)) ;; - group_label: "principal" - label: "principal.user.termination_date" - view_label: "UDM" - description: "User job employment termination date." 
- } # dimension principal__user__termination_date - - dimension: principal__user__time_off { - hidden: yes - } # dimension principal__user__time_off - - dimension: principal__user__title { - type: string - sql: ${TABLE}.principal.user.title ;; - group_label: "principal" - label: "principal.user.title" - view_label: "UDM" - description: "User job title." - } # dimension principal__user__title - - dimension: principal__user__user_authentication_status { - type: number - sql: ${TABLE}.principal.user.user_authentication_status ;; - group_label: "principal" - label: "principal.user.user_authentication_status" - view_label: "UDM" - description: "System authentication status for user." - } # dimension principal__user__user_authentication_status - - dimension: principal__user__user_authentication_status_enum_name { - type: string - suggestions: ["ACTIVE", "DELETED", "NO_ACTIVE_CREDENTIALS", "SUSPENDED", "UNKNOWN_AUTHENTICATION_STATUS"] - sql: CASE ${TABLE}.principal.user.user_authentication_status WHEN 0 THEN 'UNKNOWN_AUTHENTICATION_STATUS' WHEN 1 THEN 'ACTIVE' WHEN 2 THEN 'SUSPENDED' WHEN 3 THEN 'NO_ACTIVE_CREDENTIALS' WHEN 4 THEN 'DELETED' END ;; - group_label: "principal" - label: "principal.user.user_authentication_status_enum_name" - view_label: "UDM" - description: "System authentication status for user." - } # dimension principal__user__user_authentication_status_enum_name - - dimension: principal__user__user_display_name { - type: string - sql: ${TABLE}.principal.user.user_display_name ;; - group_label: "principal" - label: "principal.user.user_display_name" - view_label: "UDM" - description: "The display name of the user (e.g. \"John Locke\")." - } # dimension principal__user__user_display_name - - dimension: principal__user__user_role { - type: number - sql: ${TABLE}.principal.user.user_role ;; - group_label: "principal" - group_item_label: "principal.user.user_role [D]" - label: "principal.user.user_role" - view_label: "UDM" - description: "System role for user. 
Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__user__user_role - - dimension: principal__user__user_role_enum_name { - type: string - suggestions: ["ADMINISTRATOR", "SERVICE_ACCOUNT", "UNKNOWN_ROLE"] - sql: CASE ${TABLE}.principal.user.user_role WHEN 0 THEN 'UNKNOWN_ROLE' WHEN 1 THEN 'ADMINISTRATOR' WHEN 2 THEN 'SERVICE_ACCOUNT' END ;; - group_label: "principal" - group_item_label: "principal.user.user_role_enum_name [D]" - label: "principal.user.user_role_enum_name" - view_label: "UDM" - description: "System role for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__user__user_role_enum_name - - dimension: principal__user__userid { - type: string - sql: ${TABLE}.principal.user.userid ;; - group_label: "principal" - label: "principal.user.userid" - view_label: "UDM" - description: "The ID of the user." - } # dimension principal__user__userid - - dimension: principal__user__windows_sid { - type: string - sql: ${TABLE}.principal.user.windows_sid ;; - group_label: "principal" - label: "principal.user.windows_sid" - view_label: "UDM" - description: "The Microsoft Windows SID of the user." - } # dimension principal__user__windows_sid - - dimension: security_result { - hidden: yes - } # dimension security_result - - dimension: src { - hidden: yes - } # dimension src - - dimension: src__administrative_domain { - type: string - sql: ${TABLE}.src.administrative_domain ;; - group_label: "src" - label: "src.administrative_domain" - view_label: "UDM" - description: "Domain which the device belongs to (for example, the Microsoft Windows domain)." - } # dimension src__administrative_domain - - dimension: src__application { - type: string - sql: ${TABLE}.src.application ;; - group_label: "src" - label: "src.application" - view_label: "UDM" - description: "The name of an application or service. 
Some SSO solutions only capture the name of a target application such as \"Atlassian\" or \"Chronicle\"." - } # dimension src__application - - dimension: src__artifact { - hidden: yes - } # dimension src__artifact - - dimension: src__artifact__ip { - type: string - sql: ${TABLE}.src.artifact.ip ;; - group_label: "src" - label: "src.artifact.ip" - view_label: "UDM" - description: "IP address of the artifact." - } # dimension src__artifact__ip - - dimension: src__artifact__network { - hidden: yes - } # dimension src__artifact__network - - dimension: src__artifact__network__dns { - hidden: yes - } # dimension src__artifact__network__dns - - dimension: src__artifact__network__dns__questions { - hidden: yes - } # dimension src__artifact__network__dns__questions - - dimension: src__artifact__network__http { - hidden: yes - } # dimension src__artifact__network__http - - dimension: src__artifact__network__http__parsed_user_agent { - hidden: yes - } # dimension src__artifact__network__http__parsed_user_agent - - dimension: src__artifact__network__http__parsed_user_agent__browser { - type: string - sql: ${TABLE}.src.artifact.network.http.parsed_user_agent.browser ;; - group_label: "src" - label: "src.artifact.network.http.parsed_user_agent.browser" - view_label: "UDM" - description: "Product brand within the family: Firefox, Netscape, Camino etc.. Or Earth, Windows-Media-Player etc.. for non-browser user agents." - } # dimension src__artifact__network__http__parsed_user_agent__browser - - dimension: src__asset { - hidden: yes - } # dimension src__asset - - dimension: src__asset__asset_id { - type: string - sql: ${TABLE}.src.asset.asset_id ;; - group_label: "src" - label: "src.asset.asset_id" - view_label: "UDM" - description: "The asset ID." 
- } # dimension src__asset__asset_id - - dimension: src__asset__attribute { - hidden: yes - } # dimension src__asset__attribute - - dimension: src__asset__attribute__cloud { - hidden: yes - } # dimension src__asset__attribute__cloud - - dimension: src__asset__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.src.asset.attribute.cloud.availability_zone ;; - group_label: "src" - label: "src.asset.attribute.cloud.availability_zone" - view_label: "UDM" - description: "The cloud environment availability zone (different from region which is location.name)." - } # dimension src__asset__attribute__cloud__availability_zone - - dimension: src__asset__attribute__cloud__environment { - type: number - sql: ${TABLE}.src.asset.attribute.cloud.environment ;; - group_label: "src" - label: "src.asset.attribute.cloud.environment" - view_label: "UDM" - description: "The Cloud environment." - } # dimension src__asset__attribute__cloud__environment - - dimension: src__asset__attribute__cloud__environment_enum_name { - type: string - suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] - sql: CASE ${TABLE}.src.asset.attribute.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; - group_label: "src" - label: "src.asset.attribute.cloud.environment_enum_name" - view_label: "UDM" - description: "The Cloud environment." 
- } # dimension src__asset__attribute__cloud__environment_enum_name - - dimension: src__asset__attribute__cloud__project { - hidden: yes - } # dimension src__asset__attribute__cloud__project - - dimension: src__asset__attribute__cloud__project__name { - type: string - sql: ${TABLE}.src.asset.attribute.cloud.project.name ;; - group_label: "src" - group_item_label: "src.asset.attribute.cloud.project.name [D]" - label: "src.asset.attribute.cloud.project.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" - } # dimension src__asset__attribute__cloud__project__name - - dimension: src__asset__attribute__cloud__project__resource_type { - type: number - sql: ${TABLE}.src.asset.attribute.cloud.project.resource_type ;; - group_label: "src" - group_item_label: "src.asset.attribute.cloud.project.resource_type [D]" - label: "src.asset.attribute.cloud.project.resource_type" - view_label: "UDM" - description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension src__asset__attribute__cloud__project__resource_type - - dimension: src__asset__attribute__cloud__project__resource_type_enum_name { - type: string - suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] - sql: CASE ${TABLE}.src.asset.attribute.cloud.project.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; - group_label: "src" - group_item_label: "src.asset.attribute.cloud.project.resource_type_enum_name [D]" - label: "src.asset.attribute.cloud.project.resource_type_enum_name" - view_label: "UDM" - description: "Resource type. [D]: This field is deprecated and will be removed in a future release" - } # dimension src__asset__attribute__cloud__project__resource_type_enum_name - - dimension: src__asset__attribute__cloud__vpc { - hidden: yes - } # dimension src__asset__attribute__cloud__vpc - - dimension: src__asset__attribute__cloud__vpc__name { - type: string - sql: ${TABLE}.src.asset.attribute.cloud.vpc.name ;; - group_label: "src" - group_item_label: "src.asset.attribute.cloud.vpc.name [D]" - label: "src.asset.attribute.cloud.vpc.name" - view_label: "UDM" - description: "The full name of the resource. 
For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" - } # dimension src__asset__attribute__cloud__vpc__name - - dimension: src__asset__attribute__cloud__vpc__resource_type { - type: number - sql: ${TABLE}.src.asset.attribute.cloud.vpc.resource_type ;; - group_label: "src" - group_item_label: "src.asset.attribute.cloud.vpc.resource_type [D]" - label: "src.asset.attribute.cloud.vpc.resource_type" - view_label: "UDM" - description: "Resource type. [D]: This field is deprecated and will be removed in a future release" - } # dimension src__asset__attribute__cloud__vpc__resource_type - - dimension: src__asset__attribute__cloud__vpc__resource_type_enum_name { - type: string - suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] - sql: CASE ${TABLE}.src.asset.attribute.cloud.vpc.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; - group_label: "src" - group_item_label: "src.asset.attribute.cloud.vpc.resource_type_enum_name [D]" - label: "src.asset.attribute.cloud.vpc.resource_type_enum_name" - view_label: "UDM" - description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension src__asset__attribute__cloud__vpc__resource_type_enum_name - - dimension_group: src__asset__attribute__creation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.asset.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.asset.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "src" - label: "src.asset.attribute.creation_time" - view_label: "UDM" - description: "Time the resource or entity was created or provisioned." - } # dimension src__asset__attribute__creation_time - - dimension: src__asset__attribute__labels { - hidden: yes - } # dimension src__asset__attribute__labels - - dimension_group: src__asset__attribute__last_update_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.asset.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.asset.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "src" - label: "src.asset.attribute.last_update_time" - view_label: "UDM" - description: "Time the resource or entity was last updated." - } # dimension src__asset__attribute__last_update_time - - dimension: src__asset__category { - type: string - sql: ${TABLE}.src.asset.category ;; - group_label: "src" - label: "src.asset.category" - view_label: "UDM" - description: "The category of the asset (e.g. \"End User Asset\", \"Workstation\", \"Server\")." - } # dimension src__asset__category - - dimension: src__asset__deployment_status { - type: number - sql: ${TABLE}.src.asset.deployment_status ;; - group_label: "src" - label: "src.asset.deployment_status" - view_label: "UDM" - description: "The deployment status of the asset for device lifecycle purposes." 
- } # dimension src__asset__deployment_status - - dimension: src__asset__deployment_status_enum_name { - type: string - suggestions: ["ACTIVE", "DECOMISSIONED", "DEPLOYMENT_STATUS_UNSPECIFIED", "PENDING_DECOMISSION"] - sql: CASE ${TABLE}.src.asset.deployment_status WHEN 0 THEN 'DEPLOYMENT_STATUS_UNSPECIFIED' WHEN 1 THEN 'ACTIVE' WHEN 2 THEN 'PENDING_DECOMISSION' WHEN 3 THEN 'DECOMISSIONED' END ;; - group_label: "src" - label: "src.asset.deployment_status_enum_name" - view_label: "UDM" - description: "The deployment status of the asset for device lifecycle purposes." - } # dimension src__asset__deployment_status_enum_name - - dimension_group: src__asset__first_discover_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.asset.first_discover_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.asset.first_discover_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "src" - label: "src.asset.first_discover_time" - view_label: "UDM" - description: "Time the asset was first discovered (by asset management/discoverability software)." - } # dimension src__asset__first_discover_time - - dimension_group: src__asset__first_seen_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.asset.first_seen_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.asset.first_seen_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "src" - label: "src.asset.first_seen_time" - view_label: "UDM" - description: "The first observed time for an asset. The value is calculated on the basis of the first time the identifier was observed." 
- } # dimension src__asset__first_seen_time - - dimension: src__asset__hardware { - hidden: yes - } # dimension src__asset__hardware - - dimension: src__asset__hostname { - type: string - sql: ${TABLE}.src.asset.hostname ;; - group_label: "src" - label: "src.asset.hostname" - view_label: "UDM" - description: "Asset hostname or domain name field." - } # dimension src__asset__hostname - - dimension: src__asset__ip { - hidden: yes - } # dimension src__asset__ip - - dimension: src__asset__labels { - hidden: yes - } # dimension src__asset__labels - - dimension_group: src__asset__last_boot_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.asset.last_boot_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.asset.last_boot_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "src" - label: "src.asset.last_boot_time" - view_label: "UDM" - description: "Time the asset was last boot started." - } # dimension src__asset__last_boot_time - - dimension_group: src__asset__last_discover_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.asset.last_discover_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.asset.last_discover_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "src" - label: "src.asset.last_discover_time" - view_label: "UDM" - description: "Time the asset was last discovered (by asset management/discoverability software)." - } # dimension src__asset__last_discover_time - - dimension: src__asset__location { - hidden: yes - } # dimension src__asset__location - - dimension: src__asset__location__city { - type: string - sql: ${TABLE}.src.asset.location.city ;; - group_label: "src" - label: "src.asset.location.city" - view_label: "UDM" - description: "The city." 
- } # dimension src__asset__location__city - - dimension: src__asset__location__country_or_region { - type: string - sql: ${TABLE}.src.asset.location.country_or_region ;; - group_label: "src" - label: "src.asset.location.country_or_region" - view_label: "UDM" - description: "The country or region." - } # dimension src__asset__location__country_or_region - - dimension: src__asset__location__floor_name { - type: string - sql: ${TABLE}.src.asset.location.floor_name ;; - group_label: "src" - label: "src.asset.location.floor_name" - view_label: "UDM" - description: "Floor name, number or a combination of the two for a building. (e.g. \"1-A\")." - } # dimension src__asset__location__floor_name - - dimension: src__asset__location__name { - type: string - sql: ${TABLE}.src.asset.location.name ;; - group_label: "src" - label: "src.asset.location.name" - view_label: "UDM" - description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." - } # dimension src__asset__location__name - - dimension: src__asset__location__region_latitude { - type: number - sql: ${TABLE}.src.asset.location.region_latitude ;; - group_label: "src" - group_item_label: "src.asset.location.region_latitude [D]" - label: "src.asset.location.region_latitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" - } # dimension src__asset__location__region_latitude - - dimension: src__asset__location__region_longitude { - type: number - sql: ${TABLE}.src.asset.location.region_longitude ;; - group_label: "src" - group_item_label: "src.asset.location.region_longitude [D]" - label: "src.asset.location.region_longitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension src__asset__location__region_longitude - - dimension: src__asset__location__location { - type: location - sql_latitude: ${TABLE}.src.asset.location.region_latitude ;; - sql_longitude: ${TABLE}.src.asset.location.region_longitude ;; - group_label: "src" - group_item_label: "src.asset.location.location [D][L]" - label: "src.asset.location.location" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." - } # dimension src__asset__location__location - - dimension: src__asset__location__state { - type: string - sql: ${TABLE}.src.asset.location.state ;; - group_label: "src" - label: "src.asset.location.state" - view_label: "UDM" - description: "The state." - } # dimension src__asset__location__state - - dimension: src__asset__mac { - hidden: yes - } # dimension src__asset__mac - - dimension: src__asset__nat_ip { - hidden: yes - } # dimension src__asset__nat_ip - - dimension: src__asset__network_domain { - type: string - sql: ${TABLE}.src.asset.network_domain ;; - group_label: "src" - label: "src.asset.network_domain" - view_label: "UDM" - description: "The network domain of the asset (e.g. \"corp.acme.com\")" - } # dimension src__asset__network_domain - - dimension: src__asset__platform_software { - hidden: yes - } # dimension src__asset__platform_software - - dimension: src__asset__platform_software__platform { - type: number - sql: ${TABLE}.src.asset.platform_software.platform ;; - group_label: "src" - label: "src.asset.platform_software.platform" - view_label: "UDM" - description: "The platform operating system." 
- } # dimension src__asset__platform_software__platform - - dimension: src__asset__platform_software__platform_enum_name { - type: string - suggestions: ["ANDROID", "AWS", "AZURE", "CHROME_OS", "GCP", "IOS", "LINUX", "MAC", "UNKNOWN_PLATFORM", "WINDOWS"] - sql: CASE ${TABLE}.src.asset.platform_software.platform WHEN 0 THEN 'UNKNOWN_PLATFORM' WHEN 1 THEN 'WINDOWS' WHEN 2 THEN 'MAC' WHEN 3 THEN 'LINUX' WHEN 4 THEN 'GCP' WHEN 5 THEN 'AWS' WHEN 6 THEN 'AZURE' WHEN 7 THEN 'IOS' WHEN 8 THEN 'ANDROID' WHEN 9 THEN 'CHROME_OS' END ;; - group_label: "src" - label: "src.asset.platform_software.platform_enum_name" - view_label: "UDM" - description: "The platform operating system." - } # dimension src__asset__platform_software__platform_enum_name - - dimension: src__asset__platform_software__platform_patch_level { - type: string - sql: ${TABLE}.src.asset.platform_software.platform_patch_level ;; - group_label: "src" - label: "src.asset.platform_software.platform_patch_level" - view_label: "UDM" - description: "The platform software patch level ( e.g. \"Build 17134.48\", \"SP1\")." - } # dimension src__asset__platform_software__platform_patch_level - - dimension: src__asset__platform_software__platform_version { - type: string - sql: ${TABLE}.src.asset.platform_software.platform_version ;; - group_label: "src" - label: "src.asset.platform_software.platform_version" - view_label: "UDM" - description: "The platform software version ( e.g. \"Microsoft Windows 1803\")." - } # dimension src__asset__platform_software__platform_version - - dimension: src__asset__product_object_id { - type: string - sql: ${TABLE}.src.asset.product_object_id ;; - group_label: "src" - label: "src.asset.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID or similar)." 
- } # dimension src__asset__product_object_id - - dimension: src__asset__software { - hidden: yes - } # dimension src__asset__software - - dimension_group: src__asset__system_last_update_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.asset.system_last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.asset.system_last_update_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "src" - label: "src.asset.system_last_update_time" - view_label: "UDM" - description: "Time the asset system or OS was last updated. For all other operations that are not system updates (such as resizing a vm, etc.) use Attribute.last_update_time." - } # dimension src__asset__system_last_update_time - - dimension: src__asset__type { - type: number - sql: ${TABLE}.src.asset.type ;; - group_label: "src" - label: "src.asset.type" - view_label: "UDM" - description: "The type of the asset (e.g. workstation or laptop or server)." - } # dimension src__asset__type - - dimension: src__asset__type_enum_name { - type: string - suggestions: ["IOT", "LAPTOP", "MOBILE", "NETWORK_ATTACHED_STORAGE", "PRINTER", "ROLE_UNSPECIFIED", "SCANNER", "SERVER", "TAPE_LIBRARY", "WORKSTATION"] - sql: CASE ${TABLE}.src.asset.type WHEN 0 THEN 'ROLE_UNSPECIFIED' WHEN 1 THEN 'WORKSTATION' WHEN 2 THEN 'LAPTOP' WHEN 3 THEN 'IOT' WHEN 4 THEN 'NETWORK_ATTACHED_STORAGE' WHEN 5 THEN 'PRINTER' WHEN 6 THEN 'SCANNER' WHEN 7 THEN 'SERVER' WHEN 8 THEN 'TAPE_LIBRARY' WHEN 9 THEN 'MOBILE' END ;; - group_label: "src" - label: "src.asset.type_enum_name" - view_label: "UDM" - description: "The type of the asset (e.g. workstation or laptop or server)." 
- } # dimension src__asset__type_enum_name - - dimension: src__asset__vulnerabilities { - hidden: yes - } # dimension src__asset__vulnerabilities - - dimension: src__asset_id { - type: string - sql: ${TABLE}.src.asset_id ;; - group_label: "src" - label: "src.asset_id" - view_label: "UDM" - description: "The asset ID." - } # dimension src__asset_id - - dimension: src__cloud { - hidden: yes - } # dimension src__cloud - - dimension: src__cloud__availability_zone { - type: string - sql: ${TABLE}.src.cloud.availability_zone ;; - group_label: "src" - group_item_label: "src.cloud.availability_zone [D]" - label: "src.cloud.availability_zone" - view_label: "UDM" - description: "The cloud environment availability zone (different from region which is location.name). [D]: This field is deprecated and will be removed in a future release" - } # dimension src__cloud__availability_zone - - dimension: src__cloud__project { - hidden: yes - } # dimension src__cloud__project - - dimension: src__cloud__project__id { - type: string - sql: ${TABLE}.src.cloud.project.id ;; - group_label: "src" - group_item_label: "src.cloud.project.id [D]" - label: "src.cloud.project.id" - view_label: "UDM" - description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" - } # dimension src__cloud__project__id - - dimension: src__domain { - hidden: yes - } # dimension src__domain - - dimension: src__domain__name { - type: string - sql: ${TABLE}.src.domain.name ;; - group_label: "src" - label: "src.domain.name" - view_label: "UDM" - description: "The domain name." - } # dimension src__domain__name - - dimension: src__domain__status { - type: string - sql: ${TABLE}.src.domain.status ;; - group_label: "src" - label: "src.domain.status" - view_label: "UDM" - description: "Domain status. 
See https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en for meanings of possible values" - } # dimension src__domain__status - - dimension: src__email { - type: string - sql: ${TABLE}.src.email ;; - group_label: "src" - label: "src.email" - view_label: "UDM" - description: "Email address. Only filled in for security_result.about" - } # dimension src__email - - dimension: src__file { - hidden: yes - } # dimension src__file - - dimension: src__file__ahash { - type: string - sql: ${TABLE}.src.file.ahash ;; - group_label: "src" - group_item_label: "src.file.ahash [D]" - label: "src.file.ahash" - view_label: "UDM" - description: "Deprecated. Use authentihash instead. [D]: This field is deprecated and will be removed in a future release" - } # dimension src__file__ahash - - dimension: src__file__capabilities_tags { - hidden: yes - } # dimension src__file__capabilities_tags - - dimension: src__file__embedded_domains { - hidden: yes - } # dimension src__file__embedded_domains - - dimension: src__file__embedded_ips { - hidden: yes - } # dimension src__file__embedded_ips - - dimension: src__file__embedded_urls { - hidden: yes - } # dimension src__file__embedded_urls - - dimension: src__file__file_type { - type: number - sql: ${TABLE}.src.file.file_type ;; - group_label: "src" - label: "src.file.file_type" - view_label: "UDM" - description: "FileType field." 
- } # dimension src__file__file_type - - dimension: src__file__file_type_enum_name { - type: string - suggestions: ["FILE_TYPE_ACE", "FILE_TYPE_ANDROID", "FILE_TYPE_APPLE", "FILE_TYPE_APPLEDOUBLE", "FILE_TYPE_APPLESCRIPT", "FILE_TYPE_APPLESCRIPT_COMPILED", "FILE_TYPE_APPLESINGLE", "FILE_TYPE_APPLE_PLIST", "FILE_TYPE_ARC", "FILE_TYPE_ARJ", "FILE_TYPE_ASD", "FILE_TYPE_ASF", "FILE_TYPE_AVI", "FILE_TYPE_AWK", "FILE_TYPE_BLACKHOLE", "FILE_TYPE_BMP", "FILE_TYPE_BZIP", "FILE_TYPE_C", "FILE_TYPE_CAB", "FILE_TYPE_CAP", "FILE_TYPE_CHM", "FILE_TYPE_COFF", "FILE_TYPE_COOKIE", "FILE_TYPE_CPP", "FILE_TYPE_CRX", "FILE_TYPE_DEB", "FILE_TYPE_DIB", "FILE_TYPE_DIVX", "FILE_TYPE_DMG", "FILE_TYPE_DOC", "FILE_TYPE_DOCX", "FILE_TYPE_DOS_COM", "FILE_TYPE_DOS_EXE", "FILE_TYPE_DYALOG", "FILE_TYPE_DZIP", "FILE_TYPE_EBOOK", "FILE_TYPE_ELF", "FILE_TYPE_EMAIL_TYPE", "FILE_TYPE_EMF", "FILE_TYPE_EOT", "FILE_TYPE_EPS", "FILE_TYPE_FLA", "FILE_TYPE_FLAC", "FILE_TYPE_FLC", "FILE_TYPE_FLI", "FILE_TYPE_FLV", "FILE_TYPE_FORTRAN", "FILE_TYPE_FPX", "FILE_TYPE_GIF", "FILE_TYPE_GIMP", "FILE_TYPE_GUL", "FILE_TYPE_GZIP", "FILE_TYPE_HTML", "FILE_TYPE_HWP", "FILE_TYPE_ICO", "FILE_TYPE_IN_DESIGN", "FILE_TYPE_IPHONE", "FILE_TYPE_ISOIMAGE", "FILE_TYPE_JAR", "FILE_TYPE_JAVA", "FILE_TYPE_JAVASCRIPT", "FILE_TYPE_JAVA_BYTECODE", "FILE_TYPE_JNG", "FILE_TYPE_JPEG", "FILE_TYPE_KGB", "FILE_TYPE_LATEX", "FILE_TYPE_LINUX", "FILE_TYPE_LINUX_KERNEL", "FILE_TYPE_LNK", "FILE_TYPE_MACH_O", "FILE_TYPE_MACINTOSH", "FILE_TYPE_MACINTOSH_HFS", "FILE_TYPE_MACINTOSH_LIB", "FILE_TYPE_MIDI", "FILE_TYPE_MOV", "FILE_TYPE_MP3", "FILE_TYPE_MP4", "FILE_TYPE_MPEG", "FILE_TYPE_MSCOMPRESS", "FILE_TYPE_MSI", "FILE_TYPE_NE_DLL", "FILE_TYPE_NE_EXE", "FILE_TYPE_ODF", "FILE_TYPE_ODG", "FILE_TYPE_ODP", "FILE_TYPE_ODS", "FILE_TYPE_ODT", "FILE_TYPE_OGG", "FILE_TYPE_OUTLOOK", "FILE_TYPE_PALMOS", "FILE_TYPE_PASCAL", "FILE_TYPE_PDF", "FILE_TYPE_PERL", "FILE_TYPE_PE_DLL", "FILE_TYPE_PE_EXE", "FILE_TYPE_PHP", "FILE_TYPE_PKG", "FILE_TYPE_PNG", 
"FILE_TYPE_POWERSHELL", "FILE_TYPE_PPSX", "FILE_TYPE_PPT", "FILE_TYPE_PPTX", "FILE_TYPE_PS", "FILE_TYPE_PSD", "FILE_TYPE_PYTHON", "FILE_TYPE_QUICKTIME", "FILE_TYPE_RAR", "FILE_TYPE_RM", "FILE_TYPE_ROM", "FILE_TYPE_RPM", "FILE_TYPE_RTF", "FILE_TYPE_RUBY", "FILE_TYPE_RZIP", "FILE_TYPE_SCRIPT", "FILE_TYPE_SEVENZIP", "FILE_TYPE_SHELLSCRIPT", "FILE_TYPE_SVG", "FILE_TYPE_SWF", "FILE_TYPE_SYMBIAN", "FILE_TYPE_T3GP", "FILE_TYPE_TAR", "FILE_TYPE_TARGA", "FILE_TYPE_TEXT", "FILE_TYPE_TIFF", "FILE_TYPE_TORRENT", "FILE_TYPE_TTF", "FILE_TYPE_UNSPECIFIED", "FILE_TYPE_VBA", "FILE_TYPE_WAV", "FILE_TYPE_WEBP", "FILE_TYPE_WINCE", "FILE_TYPE_WMA", "FILE_TYPE_WMV", "FILE_TYPE_WOFF", "FILE_TYPE_XLS", "FILE_TYPE_XLSX", "FILE_TYPE_XML", "FILE_TYPE_XPI", "FILE_TYPE_XWD", "FILE_TYPE_ZIP", "FILE_TYPE_ZLIB"] - sql: CASE ${TABLE}.src.file.file_type WHEN 0 THEN 'FILE_TYPE_UNSPECIFIED' WHEN 1 THEN 'FILE_TYPE_PE_EXE' WHEN 2 THEN 'FILE_TYPE_PE_DLL' WHEN 3 THEN 'FILE_TYPE_MSI' WHEN 10 THEN 'FILE_TYPE_NE_EXE' WHEN 11 THEN 'FILE_TYPE_NE_DLL' WHEN 20 THEN 'FILE_TYPE_DOS_EXE' WHEN 21 THEN 'FILE_TYPE_DOS_COM' WHEN 30 THEN 'FILE_TYPE_COFF' WHEN 31 THEN 'FILE_TYPE_ELF' WHEN 32 THEN 'FILE_TYPE_LINUX_KERNEL' WHEN 33 THEN 'FILE_TYPE_RPM' WHEN 34 THEN 'FILE_TYPE_LINUX' WHEN 35 THEN 'FILE_TYPE_MACH_O' WHEN 36 THEN 'FILE_TYPE_JAVA_BYTECODE' WHEN 37 THEN 'FILE_TYPE_DMG' WHEN 38 THEN 'FILE_TYPE_DEB' WHEN 39 THEN 'FILE_TYPE_PKG' WHEN 50 THEN 'FILE_TYPE_LNK' WHEN 100 THEN 'FILE_TYPE_JPEG' WHEN 101 THEN 'FILE_TYPE_TIFF' WHEN 102 THEN 'FILE_TYPE_GIF' WHEN 103 THEN 'FILE_TYPE_PNG' WHEN 104 THEN 'FILE_TYPE_BMP' WHEN 105 THEN 'FILE_TYPE_GIMP' WHEN 106 THEN 'FILE_TYPE_IN_DESIGN' WHEN 107 THEN 'FILE_TYPE_PSD' WHEN 108 THEN 'FILE_TYPE_TARGA' WHEN 109 THEN 'FILE_TYPE_XWD' WHEN 110 THEN 'FILE_TYPE_DIB' WHEN 111 THEN 'FILE_TYPE_JNG' WHEN 112 THEN 'FILE_TYPE_ICO' WHEN 113 THEN 'FILE_TYPE_FPX' WHEN 114 THEN 'FILE_TYPE_EPS' WHEN 115 THEN 'FILE_TYPE_SVG' WHEN 116 THEN 'FILE_TYPE_EMF' WHEN 117 THEN 'FILE_TYPE_WEBP' WHEN 150 THEN 
'FILE_TYPE_OGG' WHEN 151 THEN 'FILE_TYPE_FLC' WHEN 152 THEN 'FILE_TYPE_FLI' WHEN 153 THEN 'FILE_TYPE_MP3' WHEN 154 THEN 'FILE_TYPE_FLAC' WHEN 155 THEN 'FILE_TYPE_WAV' WHEN 156 THEN 'FILE_TYPE_MIDI' WHEN 157 THEN 'FILE_TYPE_AVI' WHEN 158 THEN 'FILE_TYPE_MPEG' WHEN 159 THEN 'FILE_TYPE_QUICKTIME' WHEN 160 THEN 'FILE_TYPE_ASF' WHEN 161 THEN 'FILE_TYPE_DIVX' WHEN 162 THEN 'FILE_TYPE_FLV' WHEN 163 THEN 'FILE_TYPE_WMA' WHEN 164 THEN 'FILE_TYPE_WMV' WHEN 165 THEN 'FILE_TYPE_RM' WHEN 166 THEN 'FILE_TYPE_MOV' WHEN 167 THEN 'FILE_TYPE_MP4' WHEN 168 THEN 'FILE_TYPE_T3GP' WHEN 200 THEN 'FILE_TYPE_PDF' WHEN 201 THEN 'FILE_TYPE_PS' WHEN 202 THEN 'FILE_TYPE_DOC' WHEN 203 THEN 'FILE_TYPE_DOCX' WHEN 204 THEN 'FILE_TYPE_PPT' WHEN 205 THEN 'FILE_TYPE_PPTX' WHEN 209 THEN 'FILE_TYPE_PPSX' WHEN 206 THEN 'FILE_TYPE_XLS' WHEN 207 THEN 'FILE_TYPE_XLSX' WHEN 208 THEN 'FILE_TYPE_RTF' WHEN 250 THEN 'FILE_TYPE_ODP' WHEN 251 THEN 'FILE_TYPE_ODS' WHEN 252 THEN 'FILE_TYPE_ODT' WHEN 253 THEN 'FILE_TYPE_HWP' WHEN 254 THEN 'FILE_TYPE_GUL' WHEN 255 THEN 'FILE_TYPE_ODF' WHEN 256 THEN 'FILE_TYPE_ODG' WHEN 260 THEN 'FILE_TYPE_EBOOK' WHEN 261 THEN 'FILE_TYPE_LATEX' WHEN 262 THEN 'FILE_TYPE_TTF' WHEN 263 THEN 'FILE_TYPE_EOT' WHEN 264 THEN 'FILE_TYPE_WOFF' WHEN 265 THEN 'FILE_TYPE_CHM' WHEN 300 THEN 'FILE_TYPE_ZIP' WHEN 301 THEN 'FILE_TYPE_GZIP' WHEN 302 THEN 'FILE_TYPE_BZIP' WHEN 303 THEN 'FILE_TYPE_RZIP' WHEN 304 THEN 'FILE_TYPE_DZIP' WHEN 305 THEN 'FILE_TYPE_SEVENZIP' WHEN 306 THEN 'FILE_TYPE_CAB' WHEN 307 THEN 'FILE_TYPE_JAR' WHEN 308 THEN 'FILE_TYPE_RAR' WHEN 309 THEN 'FILE_TYPE_MSCOMPRESS' WHEN 310 THEN 'FILE_TYPE_ACE' WHEN 311 THEN 'FILE_TYPE_ARC' WHEN 312 THEN 'FILE_TYPE_ARJ' WHEN 313 THEN 'FILE_TYPE_ASD' WHEN 314 THEN 'FILE_TYPE_BLACKHOLE' WHEN 315 THEN 'FILE_TYPE_KGB' WHEN 316 THEN 'FILE_TYPE_ZLIB' WHEN 317 THEN 'FILE_TYPE_TAR' WHEN 400 THEN 'FILE_TYPE_TEXT' WHEN 401 THEN 'FILE_TYPE_SCRIPT' WHEN 402 THEN 'FILE_TYPE_PHP' WHEN 403 THEN 'FILE_TYPE_PYTHON' WHEN 404 THEN 'FILE_TYPE_PERL' WHEN 405 THEN 
'FILE_TYPE_RUBY' WHEN 406 THEN 'FILE_TYPE_C' WHEN 407 THEN 'FILE_TYPE_CPP' WHEN 408 THEN 'FILE_TYPE_JAVA' WHEN 409 THEN 'FILE_TYPE_SHELLSCRIPT' WHEN 410 THEN 'FILE_TYPE_PASCAL' WHEN 411 THEN 'FILE_TYPE_AWK' WHEN 412 THEN 'FILE_TYPE_DYALOG' WHEN 413 THEN 'FILE_TYPE_FORTRAN' WHEN 414 THEN 'FILE_TYPE_JAVASCRIPT' WHEN 415 THEN 'FILE_TYPE_POWERSHELL' WHEN 416 THEN 'FILE_TYPE_VBA' WHEN 500 THEN 'FILE_TYPE_SYMBIAN' WHEN 501 THEN 'FILE_TYPE_PALMOS' WHEN 502 THEN 'FILE_TYPE_WINCE' WHEN 503 THEN 'FILE_TYPE_ANDROID' WHEN 504 THEN 'FILE_TYPE_IPHONE' WHEN 600 THEN 'FILE_TYPE_HTML' WHEN 601 THEN 'FILE_TYPE_XML' WHEN 602 THEN 'FILE_TYPE_SWF' WHEN 603 THEN 'FILE_TYPE_FLA' WHEN 604 THEN 'FILE_TYPE_COOKIE' WHEN 605 THEN 'FILE_TYPE_TORRENT' WHEN 606 THEN 'FILE_TYPE_EMAIL_TYPE' WHEN 607 THEN 'FILE_TYPE_OUTLOOK' WHEN 700 THEN 'FILE_TYPE_CAP' WHEN 800 THEN 'FILE_TYPE_ISOIMAGE' WHEN 1000 THEN 'FILE_TYPE_APPLE' WHEN 1001 THEN 'FILE_TYPE_MACINTOSH' WHEN 1002 THEN 'FILE_TYPE_APPLESINGLE' WHEN 1003 THEN 'FILE_TYPE_APPLEDOUBLE' WHEN 1004 THEN 'FILE_TYPE_MACINTOSH_HFS' WHEN 1005 THEN 'FILE_TYPE_APPLE_PLIST' WHEN 1006 THEN 'FILE_TYPE_MACINTOSH_LIB' WHEN 1007 THEN 'FILE_TYPE_APPLESCRIPT' WHEN 1008 THEN 'FILE_TYPE_APPLESCRIPT_COMPILED' WHEN 1100 THEN 'FILE_TYPE_CRX' WHEN 1101 THEN 'FILE_TYPE_XPI' WHEN 1200 THEN 'FILE_TYPE_ROM' END ;; - group_label: "src" - label: "src.file.file_type_enum_name" - view_label: "UDM" - description: "FileType field." - } # dimension src__file__file_type_enum_name - - dimension_group: src__file__first_seen_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.file.first_seen_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.file.first_seen_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "src" - label: "src.file.first_seen_time" - view_label: "UDM" - description: "Timestamp the file was first seen in the customer's environment." 
- } # dimension src__file__first_seen_time - - dimension: src__file__full_path { - type: string - sql: ${TABLE}.src.file.full_path ;; - group_label: "src" - label: "src.file.full_path" - view_label: "UDM" - description: "The full path identifying the location of the file on the system." - } # dimension src__file__full_path - - dimension_group: src__file__last_analysis_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.file.last_analysis_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.file.last_analysis_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "src" - label: "src.file.last_analysis_time" - view_label: "UDM" - description: "Timestamp the file was last analysed." - } # dimension src__file__last_analysis_time - - dimension_group: src__file__last_modification_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.file.last_modification_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.file.last_modification_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "src" - label: "src.file.last_modification_time" - view_label: "UDM" - description: "Timestamp when the file was last updated." - } # dimension src__file__last_modification_time - - dimension_group: src__file__last_seen_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.file.last_seen_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.file.last_seen_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "src" - label: "src.file.last_seen_time" - view_label: "UDM" - description: "Timestamp the file was last seen in the customer's environment." 
- } # dimension src__file__last_seen_time - - dimension: src__file__md5 { - type: string - sql: ${TABLE}.src.file.md5 ;; - group_label: "src" - label: "src.file.md5" - view_label: "UDM" - description: "The MD5 hash of the file." - } # dimension src__file__md5 - - dimension: src__file__mime_type { - type: string - sql: ${TABLE}.src.file.mime_type ;; - group_label: "src" - label: "src.file.mime_type" - view_label: "UDM" - description: "The MIME (Multipurpose Internet Mail Extensions) type of the file, for example \"PE\", \"PDF\", \"powershell script\", etc." - } # dimension src__file__mime_type - - dimension: src__file__names { - hidden: yes - } # dimension src__file__names - - dimension: src__file__sha1 { - type: string - sql: ${TABLE}.src.file.sha1 ;; - group_label: "src" - label: "src.file.sha1" - view_label: "UDM" - description: "The SHA1 hash of the file." - } # dimension src__file__sha1 - - dimension: src__file__sha256 { - type: string - sql: ${TABLE}.src.file.sha256 ;; - group_label: "src" - label: "src.file.sha256" - view_label: "UDM" - description: "The SHA256 hash of the file." 
- } # dimension src__file__sha256 - - dimension: src__file__signature_info { - hidden: yes - } # dimension src__file__signature_info - - dimension: src__file__signature_info__codesign { - hidden: yes - } # dimension src__file__signature_info__codesign - - dimension_group: src__file__signature_info__codesign__compilation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.file.signature_info.codesign.compilation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.file.signature_info.codesign.compilation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "src" - label: "src.file.signature_info.codesign.compilation_time" - view_label: "UDM" - description: "Code sign timestamp" - } # dimension src__file__signature_info__codesign__compilation_time - - dimension: src__file__signature_info__codesign__format { - type: string - sql: ${TABLE}.src.file.signature_info.codesign.format ;; - group_label: "src" - label: "src.file.signature_info.codesign.format" - view_label: "UDM" - description: "Code sign format." - } # dimension src__file__signature_info__codesign__format - - dimension: src__file__signature_info__codesign__id { - type: string - sql: ${TABLE}.src.file.signature_info.codesign.id ;; - group_label: "src" - label: "src.file.signature_info.codesign.id" - view_label: "UDM" - description: "Code sign identifier." 
- } # dimension src__file__signature_info__codesign__id - - dimension: src__file__signature_info__sigcheck { - hidden: yes - } # dimension src__file__signature_info__sigcheck - - dimension: src__file__signature_info__sigcheck__signers { - hidden: yes - } # dimension src__file__signature_info__sigcheck__signers - - dimension: src__file__signature_info__sigcheck__verification_message { - type: string - sql: ${TABLE}.src.file.signature_info.sigcheck.verification_message ;; - group_label: "src" - label: "src.file.signature_info.sigcheck.verification_message" - view_label: "UDM" - description: "Status of the certificate. Valid values are \"Signed\", \"Unsigned\" or a description of the certificate anomaly, if found." - } # dimension src__file__signature_info__sigcheck__verification_message - - dimension: src__file__signature_info__sigcheck__verified { - type: yesno - sql: ${TABLE}.src.file.signature_info.sigcheck.verified ;; - group_label: "src" - label: "src.file.signature_info.sigcheck.verified" - view_label: "UDM" - description: "True iff verification_message == \"Signed\"" - } # dimension src__file__signature_info__sigcheck__verified - - dimension: src__file__size { - type: number - sql: ${TABLE}.src.file.size ;; - group_label: "src" - label: "src.file.size" - view_label: "UDM" - description: "The size of the file in bytes." - } # dimension src__file__size - - dimension: src__file__ssdeep { - type: string - sql: ${TABLE}.src.file.ssdeep ;; - group_label: "src" - label: "src.file.ssdeep" - view_label: "UDM" - description: "Ssdeep of the file" - } # dimension src__file__ssdeep - - dimension: src__file__tags { - hidden: yes - } # dimension src__file__tags - - dimension: src__file__vhash { - type: string - sql: ${TABLE}.src.file.vhash ;; - group_label: "src" - label: "src.file.vhash" - view_label: "UDM" - description: "Vhash of the file." 
- } # dimension src__file__vhash - - dimension: src__group { - hidden: yes - } # dimension src__group - - dimension: src__group__group_display_name { - type: string - sql: ${TABLE}.src.group.group_display_name ;; - group_label: "src" - label: "src.group.group_display_name" - view_label: "UDM" - description: "Group display name. e.g. \"Finance\"." - } # dimension src__group__group_display_name - - dimension: src__group__product_object_id { - type: string - sql: ${TABLE}.src.group.product_object_id ;; - group_label: "src" - label: "src.group.product_object_id" - view_label: "UDM" - description: "Product globally unique user object identifier, such as an LDAP Object Identifier." - } # dimension src__group__product_object_id - - dimension: src__hostname { - type: string - sql: ${TABLE}.src.hostname ;; - group_label: "src" - label: "src.hostname" - view_label: "UDM" - description: "Client hostname or domain name field. Hostname also doubles as the domain for remote entities." - } # dimension src__hostname - - dimension: src__investigation { - hidden: yes - } # dimension src__investigation - - dimension: src__investigation__risk_score { - type: number - sql: ${TABLE}.src.investigation.risk_score ;; - group_label: "src" - label: "src.investigation.risk_score" - view_label: "UDM" - description: "Risk score for a finding set by an analyst." - } # dimension src__investigation__risk_score - - dimension: src__ip { - hidden: yes - } # dimension src__ip - - dimension: src__ip_geo_artifact { - hidden: yes - } # dimension src__ip_geo_artifact - - dimension: src__ip_location { - hidden: yes - } # dimension src__ip_location - - dimension: src__labels { - hidden: yes - } # dimension src__labels - - dimension: src__location { - hidden: yes - } # dimension src__location - - dimension: src__location__city { - type: string - sql: ${TABLE}.src.location.city ;; - group_label: "src" - label: "src.location.city" - view_label: "UDM" - description: "The city." 
- } # dimension src__location__city - - dimension: src__location__country_or_region { - type: string - sql: ${TABLE}.src.location.country_or_region ;; - group_label: "src" - label: "src.location.country_or_region" - view_label: "UDM" - description: "The country or region." - } # dimension src__location__country_or_region - - dimension: src__location__name { - type: string - sql: ${TABLE}.src.location.name ;; - group_label: "src" - label: "src.location.name" - view_label: "UDM" - description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." - } # dimension src__location__name - - dimension: src__location__region_coordinates { - type: location - sql_latitude: ${TABLE}.src.location.region_coordinates.latitude ;; - sql_longitude: ${TABLE}.src.location.region_coordinates.longitude ;; - group_label: "src" - group_item_label: "src.location.region_coordinates [L]" - label: "src.location.region_coordinates" - view_label: "UDM" - description: "Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. [L]: This is a location field and can be used in maps." - } # dimension src__location__region_coordinates - - dimension: src__location__region_latitude { - type: number - sql: ${TABLE}.src.location.region_latitude ;; - group_label: "src" - group_item_label: "src.location.region_latitude [D]" - label: "src.location.region_latitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension src__location__region_latitude - - dimension: src__location__region_longitude { - type: number - sql: ${TABLE}.src.location.region_longitude ;; - group_label: "src" - group_item_label: "src.location.region_longitude [D]" - label: "src.location.region_longitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" - } # dimension src__location__region_longitude - - dimension: src__location__location { - type: location - sql_latitude: ${TABLE}.src.location.region_latitude ;; - sql_longitude: ${TABLE}.src.location.region_longitude ;; - group_label: "src" - group_item_label: "src.location.location [D][L]" - label: "src.location.location" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." - } # dimension src__location__location - - dimension: src__location__state { - type: string - sql: ${TABLE}.src.location.state ;; - group_label: "src" - label: "src.location.state" - view_label: "UDM" - description: "The state." - } # dimension src__location__state - - dimension: src__mac { - hidden: yes - } # dimension src__mac - - dimension: src__namespace { - type: string - sql: ${TABLE}.src.namespace ;; - group_label: "src" - label: "src.namespace" - view_label: "UDM" - description: "Namespace which the device belongs to (e.g. AD forest) Uses for this field include Microsoft Windows AD forest, name of subsidiary or acquisition, etc." 
- } # dimension src__namespace - - dimension: src__nat_ip { - hidden: yes - } # dimension src__nat_ip - - dimension: src__network { - hidden: yes - } # dimension src__network - - dimension: src__network__application_protocol_version { - type: string - sql: ${TABLE}.src.network.application_protocol_version ;; - group_label: "src" - label: "src.network.application_protocol_version" - view_label: "UDM" - description: "The version of the application protocol. e.g. \"1.1, 2.0\"" - } # dimension src__network__application_protocol_version - - dimension: src__platform_version { - type: string - sql: ${TABLE}.src.platform_version ;; - group_label: "src" - label: "src.platform_version" - view_label: "UDM" - description: "Platform version. For example, \"Microsoft Windows 1803\"." - } # dimension src__platform_version - - dimension: src__port { - type: number - value_format: "#" - sql: ${TABLE}.src.port ;; - group_label: "src" - label: "src.port" - view_label: "UDM" - description: "Source or destination network port number when a specific network connection is described within an event." - } # dimension src__port - - dimension: src__process { - hidden: yes - } # dimension src__process - - dimension: src__process__command_line { - type: string - sql: ${TABLE}.src.process.command_line ;; - group_label: "src" - label: "src.process.command_line" - view_label: "UDM" - description: "The command line command that created the process." - } # dimension src__process__command_line - - dimension: src__process__file { - hidden: yes - } # dimension src__process__file - - dimension: src__process__file__full_path { - type: string - sql: ${TABLE}.src.process.file.full_path ;; - group_label: "src" - label: "src.process.file.full_path" - view_label: "UDM" - description: "The full path identifying the location of the file on the system." 
- } # dimension src__process__file__full_path - - dimension: src__process__file__md5 { - type: string - sql: ${TABLE}.src.process.file.md5 ;; - group_label: "src" - label: "src.process.file.md5" - view_label: "UDM" - description: "The MD5 hash of the file." - } # dimension src__process__file__md5 - - dimension: src__process__file__names { - hidden: yes - } # dimension src__process__file__names - - dimension: src__process__file__sha1 { - type: string - sql: ${TABLE}.src.process.file.sha1 ;; - group_label: "src" - label: "src.process.file.sha1" - view_label: "UDM" - description: "The SHA1 hash of the file." - } # dimension src__process__file__sha1 - - dimension: src__process__file__sha256 { - type: string - sql: ${TABLE}.src.process.file.sha256 ;; - group_label: "src" - label: "src.process.file.sha256" - view_label: "UDM" - description: "The SHA256 hash of the file." - } # dimension src__process__file__sha256 - - dimension: src__process__file__size { - type: number - sql: ${TABLE}.src.process.file.size ;; - group_label: "src" - label: "src.process.file.size" - view_label: "UDM" - description: "The size of the file in bytes." - } # dimension src__process__file__size - - dimension: src__process__parent_process { - hidden: yes - } # dimension src__process__parent_process - - dimension: src__process__parent_process__file { - hidden: yes - } # dimension src__process__parent_process__file - - dimension: src__process__parent_process__file__full_path { - type: string - sql: ${TABLE}.src.process.parent_process.file.full_path ;; - group_label: "src" - label: "src.process.parent_process.file.full_path" - view_label: "UDM" - description: "The full path identifying the location of the file on the system." - } # dimension src__process__parent_process__file__full_path - - dimension: src__process__pid { - type: string - sql: ${TABLE}.src.process.pid ;; - group_label: "src" - label: "src.process.pid" - view_label: "UDM" - description: "The process ID." 
- } # dimension src__process__pid - - dimension: src__process_ancestors { - hidden: yes - } # dimension src__process_ancestors - - dimension: src__registry { - hidden: yes - } # dimension src__registry - - dimension: src__registry__registry_key { - type: string - sql: ${TABLE}.src.registry.registry_key ;; - group_label: "src" - label: "src.registry.registry_key" - view_label: "UDM" - description: "Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...)." - } # dimension src__registry__registry_key - - dimension: src__registry__registry_value_data { - type: string - sql: ${TABLE}.src.registry.registry_value_data ;; - group_label: "src" - label: "src.registry.registry_value_data" - view_label: "UDM" - description: "Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp)." - } # dimension src__registry__registry_value_data - - dimension: src__registry__registry_value_name { - type: string - sql: ${TABLE}.src.registry.registry_value_name ;; - group_label: "src" - label: "src.registry.registry_value_name" - view_label: "UDM" - description: "Name of the registry value associated with an application or system component (e.g. TEMP)." - } # dimension src__registry__registry_value_name - - dimension: src__resource { - hidden: yes - } # dimension src__resource - - dimension: src__resource__attribute { - hidden: yes - } # dimension src__resource__attribute - - dimension_group: src__resource__attribute__creation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.resource.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.resource.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "src" - label: "src.resource.attribute.creation_time" - view_label: "UDM" - description: "Time the resource or entity was created or provisioned." 
- } # dimension src__resource__attribute__creation_time - - dimension: src__resource__attribute__labels { - hidden: yes - } # dimension src__resource__attribute__labels - - dimension_group: src__resource__attribute__last_update_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.resource.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.resource.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "src" - label: "src.resource.attribute.last_update_time" - view_label: "UDM" - description: "Time the resource or entity was last updated." - } # dimension src__resource__attribute__last_update_time - - dimension: src__resource__attribute__permissions { - hidden: yes - } # dimension src__resource__attribute__permissions - - dimension: src__resource__id { - type: string - sql: ${TABLE}.src.resource.id ;; - group_label: "src" - group_item_label: "src.resource.id [D]" - label: "src.resource.id" - view_label: "UDM" - description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" - } # dimension src__resource__id - - dimension: src__resource__name { - type: string - sql: ${TABLE}.src.resource.name ;; - group_label: "src" - label: "src.resource.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." - } # dimension src__resource__name - - dimension: src__resource__parent { - type: string - sql: ${TABLE}.src.resource.parent ;; - group_label: "src" - group_item_label: "src.resource.parent [D]" - label: "src.resource.parent" - view_label: "UDM" - description: "The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. 
Deprecated: use resource_ancestors.name. [D]: This field is deprecated and will be removed in a future release" - } # dimension src__resource__parent - - dimension: src__resource__product_object_id { - type: string - sql: ${TABLE}.src.resource.product_object_id ;; - group_label: "src" - label: "src.resource.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" - } # dimension src__resource__product_object_id - - dimension: src__resource__resource_subtype { - type: string - sql: ${TABLE}.src.resource.resource_subtype ;; - group_label: "src" - label: "src.resource.resource_subtype" - view_label: "UDM" - description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\")." - } # dimension src__resource__resource_subtype - - dimension: src__resource__resource_type { - type: number - sql: ${TABLE}.src.resource.resource_type ;; - group_label: "src" - label: "src.resource.resource_type" - view_label: "UDM" - description: "Resource type." 
- } # dimension src__resource__resource_type - - dimension: src__resource__resource_type_enum_name { - type: string - suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] - sql: CASE ${TABLE}.src.resource.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; - group_label: "src" - label: "src.resource.resource_type_enum_name" - view_label: "UDM" - description: "Resource type." - } # dimension src__resource__resource_type_enum_name - - dimension: src__resource__type { - type: string - sql: ${TABLE}.src.resource.type ;; - group_label: "src" - group_item_label: "src.resource.type [D]" - label: "src.resource.type" - view_label: "UDM" - description: "Deprecated: use resource_type instead. [D]: This field is deprecated and will be removed in a future release" - } # dimension src__resource__type - - dimension: src__resource_ancestors { - hidden: yes - } # dimension src__resource_ancestors - - dimension: src__url { - type: string - sql: ${TABLE}.src.url ;; - group_label: "src" - label: "src.url" - view_label: "UDM" - description: "The URL." 
- } # dimension src__url - - dimension: src__user { - hidden: yes - } # dimension src__user - - dimension: src__user__account_type { - type: number - sql: ${TABLE}.src.user.account_type ;; - group_label: "src" - label: "src.user.account_type" - view_label: "UDM" - description: "Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/" - } # dimension src__user__account_type - - dimension: src__user__account_type_enum_name { - type: string - suggestions: ["ACCOUNT_TYPE_UNSPECIFIED", "CLOUD_ACCOUNT_TYPE", "DEFAULT_ACCOUNT_TYPE", "DOMAIN_ACCOUNT_TYPE", "LOCAL_ACCOUNT_TYPE", "SERVICE_ACCOUNT_TYPE"] - sql: CASE ${TABLE}.src.user.account_type WHEN 0 THEN 'ACCOUNT_TYPE_UNSPECIFIED' WHEN 1 THEN 'DOMAIN_ACCOUNT_TYPE' WHEN 2 THEN 'LOCAL_ACCOUNT_TYPE' WHEN 3 THEN 'CLOUD_ACCOUNT_TYPE' WHEN 4 THEN 'SERVICE_ACCOUNT_TYPE' WHEN 5 THEN 'DEFAULT_ACCOUNT_TYPE' END ;; - group_label: "src" - label: "src.user.account_type_enum_name" - view_label: "UDM" - description: "Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/" - } # dimension src__user__account_type_enum_name - - dimension: src__user__attribute { - hidden: yes - } # dimension src__user__attribute - - dimension: src__user__attribute__cloud { - hidden: yes - } # dimension src__user__attribute__cloud - - dimension: src__user__attribute__cloud__project { - hidden: yes - } # dimension src__user__attribute__cloud__project - - dimension: src__user__attribute__cloud__project__name { - type: string - sql: ${TABLE}.src.user.attribute.cloud.project.name ;; - group_label: "src" - group_item_label: "src.user.attribute.cloud.project.name [D]" - label: "src.user.attribute.cloud.project.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension src__user__attribute__cloud__project__name - - dimension_group: src__user__attribute__creation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.user.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.user.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "src" - label: "src.user.attribute.creation_time" - view_label: "UDM" - description: "Time the resource or entity was created or provisioned." - } # dimension src__user__attribute__creation_time - - dimension: src__user__attribute__labels { - hidden: yes - } # dimension src__user__attribute__labels - - dimension_group: src__user__attribute__last_update_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.user.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.user.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "src" - label: "src.user.attribute.last_update_time" - view_label: "UDM" - description: "Time the resource or entity was last updated." - } # dimension src__user__attribute__last_update_time - - dimension: src__user__attribute__roles { - hidden: yes - } # dimension src__user__attribute__roles - - dimension: src__user__company_name { - type: string - sql: ${TABLE}.src.user.company_name ;; - group_label: "src" - label: "src.user.company_name" - view_label: "UDM" - description: "User job company name." 
- } # dimension src__user__company_name - - dimension: src__user__department { - hidden: yes - } # dimension src__user__department - - dimension: src__user__email_addresses { - hidden: yes - } # dimension src__user__email_addresses - - dimension: src__user__employee_id { - type: string - sql: ${TABLE}.src.user.employee_id ;; - group_label: "src" - label: "src.user.employee_id" - view_label: "UDM" - description: "Human capital management identifier." - } # dimension src__user__employee_id - - dimension: src__user__first_name { - type: string - sql: ${TABLE}.src.user.first_name ;; - group_label: "src" - label: "src.user.first_name" - view_label: "UDM" - description: "First name of the user (e.g. \"John\")." - } # dimension src__user__first_name - - dimension: src__user__group_identifiers { - hidden: yes - } # dimension src__user__group_identifiers - - dimension: src__user__groupid { - type: string - sql: ${TABLE}.src.user.groupid ;; - group_label: "src" - group_item_label: "src.user.groupid [D]" - label: "src.user.groupid" - view_label: "UDM" - description: "The ID of the group that the user belongs to. Deprecated in favor of the repeated group_identifiers field. [D]: This field is deprecated and will be removed in a future release" - } # dimension src__user__groupid - - dimension_group: src__user__hire_date { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.user.hire_date.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.user.hire_date.nanos, 0) / 1000) as INT64)) ;; - group_label: "src" - label: "src.user.hire_date" - view_label: "UDM" - description: "User job employment hire date." - } # dimension src__user__hire_date - - dimension: src__user__last_name { - type: string - sql: ${TABLE}.src.user.last_name ;; - group_label: "src" - label: "src.user.last_name" - view_label: "UDM" - description: "Last name of the user (e.g. \"Locke\")." 
- } # dimension src__user__last_name - - dimension: src__user__managers { - hidden: yes - } # dimension src__user__managers - - dimension: src__user__middle_name { - type: string - sql: ${TABLE}.src.user.middle_name ;; - group_label: "src" - label: "src.user.middle_name" - view_label: "UDM" - description: "Middle name of the user." - } # dimension src__user__middle_name - - dimension: src__user__office_address { - hidden: yes - } # dimension src__user__office_address - - dimension: src__user__office_address__city { - type: string - sql: ${TABLE}.src.user.office_address.city ;; - group_label: "src" - label: "src.user.office_address.city" - view_label: "UDM" - description: "The city." - } # dimension src__user__office_address__city - - dimension: src__user__office_address__country_or_region { - type: string - sql: ${TABLE}.src.user.office_address.country_or_region ;; - group_label: "src" - label: "src.user.office_address.country_or_region" - view_label: "UDM" - description: "The country or region." - } # dimension src__user__office_address__country_or_region - - dimension: src__user__office_address__desk_name { - type: string - sql: ${TABLE}.src.user.office_address.desk_name ;; - group_label: "src" - label: "src.user.office_address.desk_name" - view_label: "UDM" - description: "Desk name or individual location, typically for an employee in an office. (e.g. \"IN-BLR-BCPC-11-1121D\")." - } # dimension src__user__office_address__desk_name - - dimension: src__user__office_address__floor_name { - type: string - sql: ${TABLE}.src.user.office_address.floor_name ;; - group_label: "src" - label: "src.user.office_address.floor_name" - view_label: "UDM" - description: "Floor name, number or a combination of the two for a building. (e.g. \"1-A\")." 
- } # dimension src__user__office_address__floor_name - - dimension: src__user__office_address__name { - type: string - sql: ${TABLE}.src.user.office_address.name ;; - group_label: "src" - label: "src.user.office_address.name" - view_label: "UDM" - description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." - } # dimension src__user__office_address__name - - dimension: src__user__office_address__state { - type: string - sql: ${TABLE}.src.user.office_address.state ;; - group_label: "src" - label: "src.user.office_address.state" - view_label: "UDM" - description: "The state." - } # dimension src__user__office_address__state - - dimension: src__user__personal_address { - hidden: yes - } # dimension src__user__personal_address - - dimension: src__user__personal_address__city { - type: string - sql: ${TABLE}.src.user.personal_address.city ;; - group_label: "src" - label: "src.user.personal_address.city" - view_label: "UDM" - description: "The city." - } # dimension src__user__personal_address__city - - dimension: src__user__personal_address__country_or_region { - type: string - sql: ${TABLE}.src.user.personal_address.country_or_region ;; - group_label: "src" - label: "src.user.personal_address.country_or_region" - view_label: "UDM" - description: "The country or region." - } # dimension src__user__personal_address__country_or_region - - dimension: src__user__personal_address__name { - type: string - sql: ${TABLE}.src.user.personal_address.name ;; - group_label: "src" - label: "src.user.personal_address.name" - view_label: "UDM" - description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." 
- } # dimension src__user__personal_address__name - - dimension: src__user__personal_address__state { - type: string - sql: ${TABLE}.src.user.personal_address.state ;; - group_label: "src" - label: "src.user.personal_address.state" - view_label: "UDM" - description: "The state." - } # dimension src__user__personal_address__state - - dimension: src__user__phone_numbers { - hidden: yes - } # dimension src__user__phone_numbers - - dimension: src__user__product_object_id { - type: string - sql: ${TABLE}.src.user.product_object_id ;; - group_label: "src" - label: "src.user.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." - } # dimension src__user__product_object_id - - dimension: src__user__role_name { - type: string - sql: ${TABLE}.src.user.role_name ;; - group_label: "src" - group_item_label: "src.user.role_name [D]" - label: "src.user.role_name" - view_label: "UDM" - description: "System role name for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" - } # dimension src__user__role_name - - dimension_group: src__user__termination_date { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.user.termination_date.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.user.termination_date.nanos, 0) / 1000) as INT64)) ;; - group_label: "src" - label: "src.user.termination_date" - view_label: "UDM" - description: "User job employment termination date." - } # dimension src__user__termination_date - - dimension: src__user__time_off { - hidden: yes - } # dimension src__user__time_off - - dimension: src__user__title { - type: string - sql: ${TABLE}.src.user.title ;; - group_label: "src" - label: "src.user.title" - view_label: "UDM" - description: "User job title." 
- } # dimension src__user__title - - dimension: src__user__user_authentication_status { - type: number - sql: ${TABLE}.src.user.user_authentication_status ;; - group_label: "src" - label: "src.user.user_authentication_status" - view_label: "UDM" - description: "System authentication status for user." - } # dimension src__user__user_authentication_status - - dimension: src__user__user_authentication_status_enum_name { - type: string - suggestions: ["ACTIVE", "DELETED", "NO_ACTIVE_CREDENTIALS", "SUSPENDED", "UNKNOWN_AUTHENTICATION_STATUS"] - sql: CASE ${TABLE}.src.user.user_authentication_status WHEN 0 THEN 'UNKNOWN_AUTHENTICATION_STATUS' WHEN 1 THEN 'ACTIVE' WHEN 2 THEN 'SUSPENDED' WHEN 3 THEN 'NO_ACTIVE_CREDENTIALS' WHEN 4 THEN 'DELETED' END ;; - group_label: "src" - label: "src.user.user_authentication_status_enum_name" - view_label: "UDM" - description: "System authentication status for user." - } # dimension src__user__user_authentication_status_enum_name - - dimension: src__user__user_display_name { - type: string - sql: ${TABLE}.src.user.user_display_name ;; - group_label: "src" - label: "src.user.user_display_name" - view_label: "UDM" - description: "The display name of the user (e.g. \"John Locke\")." - } # dimension src__user__user_display_name - - dimension: src__user__userid { - type: string - sql: ${TABLE}.src.user.userid ;; - group_label: "src" - label: "src.user.userid" - view_label: "UDM" - description: "The ID of the user." - } # dimension src__user__userid - - dimension: src__user__windows_sid { - type: string - sql: ${TABLE}.src.user.windows_sid ;; - group_label: "src" - label: "src.user.windows_sid" - view_label: "UDM" - description: "The Microsoft Windows SID of the user." 
- } # dimension src__user__windows_sid - - dimension: target { - hidden: yes - } # dimension target - - dimension: target__administrative_domain { - type: string - sql: ${TABLE}.target.administrative_domain ;; - group_label: "target" - label: "target.administrative_domain" - view_label: "UDM" - description: "Domain which the device belongs to (for example, the Microsoft Windows domain)." - } # dimension target__administrative_domain - - dimension: target__application { - type: string - sql: ${TABLE}.target.application ;; - group_label: "target" - label: "target.application" - view_label: "UDM" - description: "The name of an application or service. Some SSO solutions only capture the name of a target application such as \"Atlassian\" or \"Chronicle\"." - } # dimension target__application - - dimension: target__artifact { - hidden: yes - } # dimension target__artifact - - dimension: target__artifact__ip { - type: string - sql: ${TABLE}.target.artifact.ip ;; - group_label: "target" - label: "target.artifact.ip" - view_label: "UDM" - description: "IP address of the artifact." - } # dimension target__artifact__ip - - dimension: target__artifact__network { - hidden: yes - } # dimension target__artifact__network - - dimension: target__artifact__network__email { - hidden: yes - } # dimension target__artifact__network__email - - dimension: target__artifact__network__email__subject { - hidden: yes - } # dimension target__artifact__network__email__subject - - dimension: target__artifact__network__sent_bytes { - type: number - sql: ${TABLE}.target.artifact.network.sent_bytes ;; - group_label: "target" - label: "target.artifact.network.sent_bytes" - view_label: "UDM" - description: "The number of bytes sent." 
- } # dimension target__artifact__network__sent_bytes - - dimension: target__asset { - hidden: yes - } # dimension target__asset - - dimension: target__asset__asset_id { - type: string - sql: ${TABLE}.target.asset.asset_id ;; - group_label: "target" - label: "target.asset.asset_id" - view_label: "UDM" - description: "The asset ID." - } # dimension target__asset__asset_id - - dimension: target__asset__attribute { - hidden: yes - } # dimension target__asset__attribute - - dimension: target__asset__attribute__cloud { - hidden: yes - } # dimension target__asset__attribute__cloud - - dimension: target__asset__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.target.asset.attribute.cloud.availability_zone ;; - group_label: "target" - label: "target.asset.attribute.cloud.availability_zone" - view_label: "UDM" - description: "The cloud environment availability zone (different from region which is location.name)." - } # dimension target__asset__attribute__cloud__availability_zone - - dimension: target__asset__attribute__cloud__environment { - type: number - sql: ${TABLE}.target.asset.attribute.cloud.environment ;; - group_label: "target" - label: "target.asset.attribute.cloud.environment" - view_label: "UDM" - description: "The Cloud environment." - } # dimension target__asset__attribute__cloud__environment - - dimension: target__asset__attribute__cloud__environment_enum_name { - type: string - suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] - sql: CASE ${TABLE}.target.asset.attribute.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; - group_label: "target" - label: "target.asset.attribute.cloud.environment_enum_name" - view_label: "UDM" - description: "The Cloud environment." 
- } # dimension target__asset__attribute__cloud__environment_enum_name - - dimension: target__asset__attribute__cloud__project { - hidden: yes - } # dimension target__asset__attribute__cloud__project - - dimension: target__asset__attribute__cloud__project__id { - type: string - sql: ${TABLE}.target.asset.attribute.cloud.project.id ;; - group_label: "target" - group_item_label: "target.asset.attribute.cloud.project.id [D]" - label: "target.asset.attribute.cloud.project.id" - view_label: "UDM" - description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__asset__attribute__cloud__project__id - - dimension: target__asset__attribute__cloud__project__name { - type: string - sql: ${TABLE}.target.asset.attribute.cloud.project.name ;; - group_label: "target" - group_item_label: "target.asset.attribute.cloud.project.name [D]" - label: "target.asset.attribute.cloud.project.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension target__asset__attribute__cloud__project__name - - dimension: target__asset__attribute__cloud__project__product_object_id { - type: string - sql: ${TABLE}.target.asset.attribute.cloud.project.product_object_id ;; - group_label: "target" - group_item_label: "target.asset.attribute.cloud.project.product_object_id [D]" - label: "target.asset.attribute.cloud.project.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" - } # dimension target__asset__attribute__cloud__project__product_object_id - - dimension: target__asset__attribute__cloud__project__resource_type { - type: number - sql: ${TABLE}.target.asset.attribute.cloud.project.resource_type ;; - group_label: "target" - group_item_label: "target.asset.attribute.cloud.project.resource_type [D]" - label: "target.asset.attribute.cloud.project.resource_type" - view_label: "UDM" - description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension target__asset__attribute__cloud__project__resource_type - - dimension: target__asset__attribute__cloud__project__resource_type_enum_name { - type: string - suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] - sql: CASE ${TABLE}.target.asset.attribute.cloud.project.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; - group_label: "target" - group_item_label: "target.asset.attribute.cloud.project.resource_type_enum_name [D]" - label: "target.asset.attribute.cloud.project.resource_type_enum_name" - view_label: "UDM" - description: "Resource type. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__asset__attribute__cloud__project__resource_type_enum_name - - dimension: target__asset__attribute__cloud__project__type { - type: string - sql: ${TABLE}.target.asset.attribute.cloud.project.type ;; - group_label: "target" - group_item_label: "target.asset.attribute.cloud.project.type [D]" - label: "target.asset.attribute.cloud.project.type" - view_label: "UDM" - description: "Deprecated: use resource_type instead. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension target__asset__attribute__cloud__project__type - - dimension: target__asset__attribute__cloud__vpc { - hidden: yes - } # dimension target__asset__attribute__cloud__vpc - - dimension: target__asset__attribute__cloud__vpc__id { - type: string - sql: ${TABLE}.target.asset.attribute.cloud.vpc.id ;; - group_label: "target" - group_item_label: "target.asset.attribute.cloud.vpc.id [D]" - label: "target.asset.attribute.cloud.vpc.id" - view_label: "UDM" - description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__asset__attribute__cloud__vpc__id - - dimension: target__asset__attribute__cloud__vpc__name { - type: string - sql: ${TABLE}.target.asset.attribute.cloud.vpc.name ;; - group_label: "target" - group_item_label: "target.asset.attribute.cloud.vpc.name [D]" - label: "target.asset.attribute.cloud.vpc.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__asset__attribute__cloud__vpc__name - - dimension: target__asset__attribute__cloud__vpc__resource_type { - type: number - sql: ${TABLE}.target.asset.attribute.cloud.vpc.resource_type ;; - group_label: "target" - group_item_label: "target.asset.attribute.cloud.vpc.resource_type [D]" - label: "target.asset.attribute.cloud.vpc.resource_type" - view_label: "UDM" - description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension target__asset__attribute__cloud__vpc__resource_type - - dimension: target__asset__attribute__cloud__vpc__resource_type_enum_name { - type: string - suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] - sql: CASE ${TABLE}.target.asset.attribute.cloud.vpc.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; - group_label: "target" - group_item_label: "target.asset.attribute.cloud.vpc.resource_type_enum_name [D]" - label: "target.asset.attribute.cloud.vpc.resource_type_enum_name" - view_label: "UDM" - description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension target__asset__attribute__cloud__vpc__resource_type_enum_name - - dimension_group: target__asset__attribute__creation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.asset.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.asset.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.asset.attribute.creation_time" - view_label: "UDM" - description: "Time the resource or entity was created or provisioned." - } # dimension target__asset__attribute__creation_time - - dimension: target__asset__attribute__labels { - hidden: yes - } # dimension target__asset__attribute__labels - - dimension_group: target__asset__attribute__last_update_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.asset.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.asset.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.asset.attribute.last_update_time" - view_label: "UDM" - description: "Time the resource or entity was last updated." - } # dimension target__asset__attribute__last_update_time - - dimension: target__asset__attribute__permissions { - hidden: yes - } # dimension target__asset__attribute__permissions - - dimension: target__asset__attribute__roles { - hidden: yes - } # dimension target__asset__attribute__roles - - dimension: target__asset__category { - type: string - sql: ${TABLE}.target.asset.category ;; - group_label: "target" - label: "target.asset.category" - view_label: "UDM" - description: "The category of the asset (e.g. \"End User Asset\", \"Workstation\", \"Server\")." 
- } # dimension target__asset__category - - dimension_group: target__asset__creation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.asset.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.asset.creation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - group_item_label: "target.asset.creation_time [D]" - label: "target.asset.creation_time" - view_label: "UDM" - description: "Time the asset was created or provisioned. Deprecate: creation_time should be populated in Attribute as generic metadata. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__asset__creation_time - - dimension: target__asset__deployment_status { - type: number - sql: ${TABLE}.target.asset.deployment_status ;; - group_label: "target" - label: "target.asset.deployment_status" - view_label: "UDM" - description: "The deployment status of the asset for device lifecycle purposes." - } # dimension target__asset__deployment_status - - dimension: target__asset__deployment_status_enum_name { - type: string - suggestions: ["ACTIVE", "DECOMISSIONED", "DEPLOYMENT_STATUS_UNSPECIFIED", "PENDING_DECOMISSION"] - sql: CASE ${TABLE}.target.asset.deployment_status WHEN 0 THEN 'DEPLOYMENT_STATUS_UNSPECIFIED' WHEN 1 THEN 'ACTIVE' WHEN 2 THEN 'PENDING_DECOMISSION' WHEN 3 THEN 'DECOMISSIONED' END ;; - group_label: "target" - label: "target.asset.deployment_status_enum_name" - view_label: "UDM" - description: "The deployment status of the asset for device lifecycle purposes." 
- } # dimension target__asset__deployment_status_enum_name - - dimension_group: target__asset__first_discover_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.asset.first_discover_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.asset.first_discover_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.asset.first_discover_time" - view_label: "UDM" - description: "Time the asset was first discovered (by asset management/discoverability software)." - } # dimension target__asset__first_discover_time - - dimension_group: target__asset__first_seen_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.asset.first_seen_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.asset.first_seen_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.asset.first_seen_time" - view_label: "UDM" - description: "The first observed time for an asset. The value is calculated on the basis of the first time the identifier was observed." - } # dimension target__asset__first_seen_time - - dimension: target__asset__hardware { - hidden: yes - } # dimension target__asset__hardware - - dimension: target__asset__hostname { - type: string - sql: ${TABLE}.target.asset.hostname ;; - group_label: "target" - label: "target.asset.hostname" - view_label: "UDM" - description: "Asset hostname or domain name field." 
- } # dimension target__asset__hostname - - dimension: target__asset__ip { - hidden: yes - } # dimension target__asset__ip - - dimension: target__asset__labels { - hidden: yes - } # dimension target__asset__labels - - dimension_group: target__asset__last_boot_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.asset.last_boot_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.asset.last_boot_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.asset.last_boot_time" - view_label: "UDM" - description: "Time the asset was last boot started." - } # dimension target__asset__last_boot_time - - dimension_group: target__asset__last_discover_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.asset.last_discover_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.asset.last_discover_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.asset.last_discover_time" - view_label: "UDM" - description: "Time the asset was last discovered (by asset management/discoverability software)." - } # dimension target__asset__last_discover_time - - dimension: target__asset__location { - hidden: yes - } # dimension target__asset__location - - dimension: target__asset__location__city { - type: string - sql: ${TABLE}.target.asset.location.city ;; - group_label: "target" - label: "target.asset.location.city" - view_label: "UDM" - description: "The city." - } # dimension target__asset__location__city - - dimension: target__asset__location__country_or_region { - type: string - sql: ${TABLE}.target.asset.location.country_or_region ;; - group_label: "target" - label: "target.asset.location.country_or_region" - view_label: "UDM" - description: "The country or region." 
- } # dimension target__asset__location__country_or_region - - dimension: target__asset__location__floor_name { - type: string - sql: ${TABLE}.target.asset.location.floor_name ;; - group_label: "target" - label: "target.asset.location.floor_name" - view_label: "UDM" - description: "Floor name, number or a combination of the two for a building. (e.g. \"1-A\")." - } # dimension target__asset__location__floor_name - - dimension: target__asset__location__name { - type: string - sql: ${TABLE}.target.asset.location.name ;; - group_label: "target" - label: "target.asset.location.name" - view_label: "UDM" - description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." - } # dimension target__asset__location__name - - dimension: target__asset__location__region_latitude { - type: number - sql: ${TABLE}.target.asset.location.region_latitude ;; - group_label: "target" - group_item_label: "target.asset.location.region_latitude [D]" - label: "target.asset.location.region_latitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__asset__location__region_latitude - - dimension: target__asset__location__region_longitude { - type: number - sql: ${TABLE}.target.asset.location.region_longitude ;; - group_label: "target" - group_item_label: "target.asset.location.region_longitude [D]" - label: "target.asset.location.region_longitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension target__asset__location__region_longitude - - dimension: target__asset__location__location { - type: location - sql_latitude: ${TABLE}.target.asset.location.region_latitude ;; - sql_longitude: ${TABLE}.target.asset.location.region_longitude ;; - group_label: "target" - group_item_label: "target.asset.location.location [D][L]" - label: "target.asset.location.location" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." - } # dimension target__asset__location__location - - dimension: target__asset__location__state { - type: string - sql: ${TABLE}.target.asset.location.state ;; - group_label: "target" - label: "target.asset.location.state" - view_label: "UDM" - description: "The state." - } # dimension target__asset__location__state - - dimension: target__asset__mac { - hidden: yes - } # dimension target__asset__mac - - dimension: target__asset__nat_ip { - hidden: yes - } # dimension target__asset__nat_ip - - dimension: target__asset__network_domain { - type: string - sql: ${TABLE}.target.asset.network_domain ;; - group_label: "target" - label: "target.asset.network_domain" - view_label: "UDM" - description: "The network domain of the asset (e.g. \"corp.acme.com\")" - } # dimension target__asset__network_domain - - dimension: target__asset__platform_software { - hidden: yes - } # dimension target__asset__platform_software - - dimension: target__asset__platform_software__platform { - type: number - sql: ${TABLE}.target.asset.platform_software.platform ;; - group_label: "target" - label: "target.asset.platform_software.platform" - view_label: "UDM" - description: "The platform operating system." 
- } # dimension target__asset__platform_software__platform - - dimension: target__asset__platform_software__platform_enum_name { - type: string - suggestions: ["ANDROID", "AWS", "AZURE", "CHROME_OS", "GCP", "IOS", "LINUX", "MAC", "UNKNOWN_PLATFORM", "WINDOWS"] - sql: CASE ${TABLE}.target.asset.platform_software.platform WHEN 0 THEN 'UNKNOWN_PLATFORM' WHEN 1 THEN 'WINDOWS' WHEN 2 THEN 'MAC' WHEN 3 THEN 'LINUX' WHEN 4 THEN 'GCP' WHEN 5 THEN 'AWS' WHEN 6 THEN 'AZURE' WHEN 7 THEN 'IOS' WHEN 8 THEN 'ANDROID' WHEN 9 THEN 'CHROME_OS' END ;; - group_label: "target" - label: "target.asset.platform_software.platform_enum_name" - view_label: "UDM" - description: "The platform operating system." - } # dimension target__asset__platform_software__platform_enum_name - - dimension: target__asset__platform_software__platform_patch_level { - type: string - sql: ${TABLE}.target.asset.platform_software.platform_patch_level ;; - group_label: "target" - label: "target.asset.platform_software.platform_patch_level" - view_label: "UDM" - description: "The platform software patch level ( e.g. \"Build 17134.48\", \"SP1\")." - } # dimension target__asset__platform_software__platform_patch_level - - dimension: target__asset__platform_software__platform_version { - type: string - sql: ${TABLE}.target.asset.platform_software.platform_version ;; - group_label: "target" - label: "target.asset.platform_software.platform_version" - view_label: "UDM" - description: "The platform software version ( e.g. \"Microsoft Windows 1803\")." - } # dimension target__asset__platform_software__platform_version - - dimension: target__asset__product_object_id { - type: string - sql: ${TABLE}.target.asset.product_object_id ;; - group_label: "target" - label: "target.asset.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID or similar)." 
- } # dimension target__asset__product_object_id - - dimension: target__asset__software { - hidden: yes - } # dimension target__asset__software - - dimension_group: target__asset__system_last_update_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.asset.system_last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.asset.system_last_update_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.asset.system_last_update_time" - view_label: "UDM" - description: "Time the asset system or OS was last updated. For all other operations that are not system updates (such as resizing a vm, etc.) use Attribute.last_update_time." - } # dimension target__asset__system_last_update_time - - dimension: target__asset__type { - type: number - sql: ${TABLE}.target.asset.type ;; - group_label: "target" - label: "target.asset.type" - view_label: "UDM" - description: "The type of the asset (e.g. workstation or laptop or server)." - } # dimension target__asset__type - - dimension: target__asset__type_enum_name { - type: string - suggestions: ["IOT", "LAPTOP", "MOBILE", "NETWORK_ATTACHED_STORAGE", "PRINTER", "ROLE_UNSPECIFIED", "SCANNER", "SERVER", "TAPE_LIBRARY", "WORKSTATION"] - sql: CASE ${TABLE}.target.asset.type WHEN 0 THEN 'ROLE_UNSPECIFIED' WHEN 1 THEN 'WORKSTATION' WHEN 2 THEN 'LAPTOP' WHEN 3 THEN 'IOT' WHEN 4 THEN 'NETWORK_ATTACHED_STORAGE' WHEN 5 THEN 'PRINTER' WHEN 6 THEN 'SCANNER' WHEN 7 THEN 'SERVER' WHEN 8 THEN 'TAPE_LIBRARY' WHEN 9 THEN 'MOBILE' END ;; - group_label: "target" - label: "target.asset.type_enum_name" - view_label: "UDM" - description: "The type of the asset (e.g. workstation or laptop or server)." 
- } # dimension target__asset__type_enum_name - - dimension: target__asset__vulnerabilities { - hidden: yes - } # dimension target__asset__vulnerabilities - - dimension: target__asset_id { - type: string - sql: ${TABLE}.target.asset_id ;; - group_label: "target" - label: "target.asset_id" - view_label: "UDM" - description: "The asset ID." - } # dimension target__asset_id - - dimension: target__cloud { - hidden: yes - } # dimension target__cloud - - dimension: target__cloud__availability_zone { - type: string - sql: ${TABLE}.target.cloud.availability_zone ;; - group_label: "target" - group_item_label: "target.cloud.availability_zone [D]" - label: "target.cloud.availability_zone" - view_label: "UDM" - description: "The cloud environment availability zone (different from region which is location.name). [D]: This field is deprecated and will be removed in a future release" - } # dimension target__cloud__availability_zone - - dimension: target__cloud__environment { - type: number - sql: ${TABLE}.target.cloud.environment ;; - group_label: "target" - group_item_label: "target.cloud.environment [D]" - label: "target.cloud.environment" - view_label: "UDM" - description: "The Cloud environment. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__cloud__environment - - dimension: target__cloud__environment_enum_name { - type: string - suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] - sql: CASE ${TABLE}.target.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; - group_label: "target" - group_item_label: "target.cloud.environment_enum_name [D]" - label: "target.cloud.environment_enum_name" - view_label: "UDM" - description: "The Cloud environment. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension target__cloud__environment_enum_name - - dimension: target__cloud__project { - hidden: yes - } # dimension target__cloud__project - - dimension: target__cloud__project__attribute { - hidden: yes - } # dimension target__cloud__project__attribute - - dimension: target__cloud__project__attribute__labels { - hidden: yes - } # dimension target__cloud__project__attribute__labels - - dimension: target__cloud__project__id { - type: string - sql: ${TABLE}.target.cloud.project.id ;; - group_label: "target" - group_item_label: "target.cloud.project.id [D]" - label: "target.cloud.project.id" - view_label: "UDM" - description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__cloud__project__id - - dimension: target__cloud__project__name { - type: string - sql: ${TABLE}.target.cloud.project.name ;; - group_label: "target" - group_item_label: "target.cloud.project.name [D]" - label: "target.cloud.project.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension target__cloud__project__name - - dimension: target__cloud__project__product_object_id { - type: string - sql: ${TABLE}.target.cloud.project.product_object_id ;; - group_label: "target" - group_item_label: "target.cloud.project.product_object_id [D]" - label: "target.cloud.project.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" - } # dimension target__cloud__project__product_object_id - - dimension: target__cloud__project__resource_subtype { - type: string - sql: ${TABLE}.target.cloud.project.resource_subtype ;; - group_label: "target" - group_item_label: "target.cloud.project.resource_subtype [D]" - label: "target.cloud.project.resource_subtype" - view_label: "UDM" - description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\"). [D]: This field is deprecated and will be removed in a future release" - } # dimension target__cloud__project__resource_subtype - - dimension: target__cloud__project__type { - type: string - sql: ${TABLE}.target.cloud.project.type ;; - group_label: "target" - group_item_label: "target.cloud.project.type [D]" - label: "target.cloud.project.type" - view_label: "UDM" - description: "Deprecated: use resource_type instead. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__cloud__project__type - - dimension: target__cloud__vpc { - hidden: yes - } # dimension target__cloud__vpc - - dimension: target__cloud__vpc__id { - type: string - sql: ${TABLE}.target.cloud.vpc.id ;; - group_label: "target" - group_item_label: "target.cloud.vpc.id [D]" - label: "target.cloud.vpc.id" - view_label: "UDM" - description: "Deprecated: Use resource.name or resource.product_object_id. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension target__cloud__vpc__id - - dimension: target__cloud__vpc__name { - type: string - sql: ${TABLE}.target.cloud.vpc.name ;; - group_label: "target" - group_item_label: "target.cloud.vpc.name [D]" - label: "target.cloud.vpc.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__cloud__vpc__name - - dimension: target__cloud__vpc__product_object_id { - type: string - sql: ${TABLE}.target.cloud.vpc.product_object_id ;; - group_label: "target" - group_item_label: "target.cloud.vpc.product_object_id [D]" - label: "target.cloud.vpc.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" - } # dimension target__cloud__vpc__product_object_id - - dimension: target__cloud__vpc__resource_subtype { - type: string - sql: ${TABLE}.target.cloud.vpc.resource_subtype ;; - group_label: "target" - group_item_label: "target.cloud.vpc.resource_subtype [D]" - label: "target.cloud.vpc.resource_subtype" - view_label: "UDM" - description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\"). [D]: This field is deprecated and will be removed in a future release" - } # dimension target__cloud__vpc__resource_subtype - - dimension: target__cloud__vpc__resource_type { - type: number - sql: ${TABLE}.target.cloud.vpc.resource_type ;; - group_label: "target" - group_item_label: "target.cloud.vpc.resource_type [D]" - label: "target.cloud.vpc.resource_type" - view_label: "UDM" - description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension target__cloud__vpc__resource_type - - dimension: target__cloud__vpc__resource_type_enum_name { - type: string - suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] - sql: CASE ${TABLE}.target.cloud.vpc.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; - group_label: "target" - group_item_label: "target.cloud.vpc.resource_type_enum_name [D]" - label: "target.cloud.vpc.resource_type_enum_name" - view_label: "UDM" - description: "Resource type. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__cloud__vpc__resource_type_enum_name - - dimension: target__domain { - hidden: yes - } # dimension target__domain - - dimension: target__domain__contact_email { - type: string - sql: ${TABLE}.target.domain.contact_email ;; - group_label: "target" - label: "target.domain.contact_email" - view_label: "UDM" - description: "Contact email address." 
- } # dimension target__domain__contact_email - - dimension_group: target__domain__creation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.domain.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.domain.creation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.domain.creation_time" - view_label: "UDM" - description: "Domain creation time." - } # dimension target__domain__creation_time - - dimension_group: target__domain__expiration_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.domain.expiration_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.domain.expiration_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.domain.expiration_time" - view_label: "UDM" - description: "Expiration time." - } # dimension target__domain__expiration_time - - dimension_group: target__domain__last_seen_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.domain.last_seen_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.domain.last_seen_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.domain.last_seen_time" - view_label: "UDM" - description: "Last seen timestamp of the domain in the customer's environment." - } # dimension target__domain__last_seen_time - - dimension: target__domain__name { - type: string - sql: ${TABLE}.target.domain.name ;; - group_label: "target" - label: "target.domain.name" - view_label: "UDM" - description: "The domain name." 
- } # dimension target__domain__name - - dimension: target__domain__name_server { - hidden: yes - } # dimension target__domain__name_server - - dimension: target__domain__prevalence { - hidden: yes - } # dimension target__domain__prevalence - - dimension: target__domain__prevalence__day_count { - type: number - sql: ${TABLE}.target.domain.prevalence.day_count ;; - group_label: "target" - label: "target.domain.prevalence.day_count" - view_label: "UDM" - description: "The number of days over which rolling_max is calculated." - } # dimension target__domain__prevalence__day_count - - dimension: target__domain__prevalence__rolling_max { - type: number - sql: ${TABLE}.target.domain.prevalence.rolling_max ;; - group_label: "target" - label: "target.domain.prevalence.rolling_max" - view_label: "UDM" - description: "The maximum number of assets per day accessing the resource over the trailing day_count days." - } # dimension target__domain__prevalence__rolling_max - - dimension: target__domain__private_registration { - type: yesno - sql: ${TABLE}.target.domain.private_registration ;; - group_label: "target" - label: "target.domain.private_registration" - view_label: "UDM" - description: "Indicates whether the domain appears to be using a private registration service to mask the owner's contact information." - } # dimension target__domain__private_registration - - dimension: target__domain__registrar { - type: string - sql: ${TABLE}.target.domain.registrar ;; - group_label: "target" - label: "target.domain.registrar" - view_label: "UDM" - description: "Registrar name - e.g. \"Wild West Domains, Inc. (R120-LROR)\", \"GoDaddy.com, LLC\", \"PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM\", etc." - } # dimension target__domain__registrar - - dimension: target__domain__status { - type: string - sql: ${TABLE}.target.domain.status ;; - group_label: "target" - label: "target.domain.status" - view_label: "UDM" - description: "Domain status. 
See https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en for meanings of possible values" - } # dimension target__domain__status - - dimension: target__domain__tech { - hidden: yes - } # dimension target__domain__tech - - dimension: target__domain__tech__company_name { - type: string - sql: ${TABLE}.target.domain.tech.company_name ;; - group_label: "target" - label: "target.domain.tech.company_name" - view_label: "UDM" - description: "User job company name." - } # dimension target__domain__tech__company_name - - dimension_group: target__domain__update_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.domain.update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.domain.update_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.domain.update_time" - view_label: "UDM" - description: "Last updated time." - } # dimension target__domain__update_time - - dimension: target__domain__whois_server { - type: string - sql: ${TABLE}.target.domain.whois_server ;; - group_label: "target" - label: "target.domain.whois_server" - view_label: "UDM" - description: "Whois server name." - } # dimension target__domain__whois_server - - dimension: target__email { - type: string - sql: ${TABLE}.target.email ;; - group_label: "target" - label: "target.email" - view_label: "UDM" - description: "Email address. Only filled in for security_result.about" - } # dimension target__email - - dimension: target__file { - hidden: yes - } # dimension target__file - - dimension: target__file__authentihash { - type: string - sql: ${TABLE}.target.file.authentihash ;; - group_label: "target" - label: "target.file.authentihash" - view_label: "UDM" - description: "Authentihash of the file." 
- } # dimension target__file__authentihash - - dimension: target__file__capabilities_tags { - hidden: yes - } # dimension target__file__capabilities_tags - - dimension: target__file__embedded_domains { - hidden: yes - } # dimension target__file__embedded_domains - - dimension: target__file__embedded_ips { - hidden: yes - } # dimension target__file__embedded_ips - - dimension: target__file__embedded_urls { - hidden: yes - } # dimension target__file__embedded_urls - - dimension: target__file__exif_info { - hidden: yes - } # dimension target__file__exif_info - - dimension: target__file__exif_info__company { - type: string - sql: ${TABLE}.target.file.exif_info.company ;; - group_label: "target" - label: "target.file.exif_info.company" - view_label: "UDM" - description: "company name." - } # dimension target__file__exif_info__company - - dimension_group: target__file__exif_info__compilation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.file.exif_info.compilation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.file.exif_info.compilation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.file.exif_info.compilation_time" - view_label: "UDM" - description: "Compilation time." - } # dimension target__file__exif_info__compilation_time - - dimension: target__file__exif_info__entry_point { - type: number - sql: ${TABLE}.target.file.exif_info.entry_point ;; - group_label: "target" - label: "target.file.exif_info.entry_point" - view_label: "UDM" - description: "entry point." - } # dimension target__file__exif_info__entry_point - - dimension: target__file__exif_info__file_description { - type: string - sql: ${TABLE}.target.file.exif_info.file_description ;; - group_label: "target" - label: "target.file.exif_info.file_description" - view_label: "UDM" - description: "description of a file." 
- } # dimension target__file__exif_info__file_description - - dimension: target__file__exif_info__original_file { - type: string - sql: ${TABLE}.target.file.exif_info.original_file ;; - group_label: "target" - label: "target.file.exif_info.original_file" - view_label: "UDM" - description: "original file name." - } # dimension target__file__exif_info__original_file - - dimension: target__file__exif_info__product { - type: string - sql: ${TABLE}.target.file.exif_info.product ;; - group_label: "target" - label: "target.file.exif_info.product" - view_label: "UDM" - description: "product name." - } # dimension target__file__exif_info__product - - dimension: target__file__file_metadata { - hidden: yes - } # dimension target__file__file_metadata - - dimension: target__file__file_metadata__pe { - hidden: yes - } # dimension target__file__file_metadata__pe - - dimension: target__file__file_metadata__pe__import_hash { - type: string - sql: ${TABLE}.target.file.file_metadata.pe.import_hash ;; - group_label: "target" - group_item_label: "target.file.file_metadata.pe.import_hash [D]" - label: "target.file.file_metadata.pe.import_hash" - view_label: "UDM" - description: "Hash of PE imports. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__file__file_metadata__pe__import_hash - - dimension: target__file__file_type { - type: number - sql: ${TABLE}.target.file.file_type ;; - group_label: "target" - label: "target.file.file_type" - view_label: "UDM" - description: "FileType field." 
- } # dimension target__file__file_type - - dimension: target__file__file_type_enum_name { - type: string - suggestions: ["FILE_TYPE_ACE", "FILE_TYPE_ANDROID", "FILE_TYPE_APPLE", "FILE_TYPE_APPLEDOUBLE", "FILE_TYPE_APPLESCRIPT", "FILE_TYPE_APPLESCRIPT_COMPILED", "FILE_TYPE_APPLESINGLE", "FILE_TYPE_APPLE_PLIST", "FILE_TYPE_ARC", "FILE_TYPE_ARJ", "FILE_TYPE_ASD", "FILE_TYPE_ASF", "FILE_TYPE_AVI", "FILE_TYPE_AWK", "FILE_TYPE_BLACKHOLE", "FILE_TYPE_BMP", "FILE_TYPE_BZIP", "FILE_TYPE_C", "FILE_TYPE_CAB", "FILE_TYPE_CAP", "FILE_TYPE_CHM", "FILE_TYPE_COFF", "FILE_TYPE_COOKIE", "FILE_TYPE_CPP", "FILE_TYPE_CRX", "FILE_TYPE_DEB", "FILE_TYPE_DIB", "FILE_TYPE_DIVX", "FILE_TYPE_DMG", "FILE_TYPE_DOC", "FILE_TYPE_DOCX", "FILE_TYPE_DOS_COM", "FILE_TYPE_DOS_EXE", "FILE_TYPE_DYALOG", "FILE_TYPE_DZIP", "FILE_TYPE_EBOOK", "FILE_TYPE_ELF", "FILE_TYPE_EMAIL_TYPE", "FILE_TYPE_EMF", "FILE_TYPE_EOT", "FILE_TYPE_EPS", "FILE_TYPE_FLA", "FILE_TYPE_FLAC", "FILE_TYPE_FLC", "FILE_TYPE_FLI", "FILE_TYPE_FLV", "FILE_TYPE_FORTRAN", "FILE_TYPE_FPX", "FILE_TYPE_GIF", "FILE_TYPE_GIMP", "FILE_TYPE_GUL", "FILE_TYPE_GZIP", "FILE_TYPE_HTML", "FILE_TYPE_HWP", "FILE_TYPE_ICO", "FILE_TYPE_IN_DESIGN", "FILE_TYPE_IPHONE", "FILE_TYPE_ISOIMAGE", "FILE_TYPE_JAR", "FILE_TYPE_JAVA", "FILE_TYPE_JAVASCRIPT", "FILE_TYPE_JAVA_BYTECODE", "FILE_TYPE_JNG", "FILE_TYPE_JPEG", "FILE_TYPE_KGB", "FILE_TYPE_LATEX", "FILE_TYPE_LINUX", "FILE_TYPE_LINUX_KERNEL", "FILE_TYPE_LNK", "FILE_TYPE_MACH_O", "FILE_TYPE_MACINTOSH", "FILE_TYPE_MACINTOSH_HFS", "FILE_TYPE_MACINTOSH_LIB", "FILE_TYPE_MIDI", "FILE_TYPE_MOV", "FILE_TYPE_MP3", "FILE_TYPE_MP4", "FILE_TYPE_MPEG", "FILE_TYPE_MSCOMPRESS", "FILE_TYPE_MSI", "FILE_TYPE_NE_DLL", "FILE_TYPE_NE_EXE", "FILE_TYPE_ODF", "FILE_TYPE_ODG", "FILE_TYPE_ODP", "FILE_TYPE_ODS", "FILE_TYPE_ODT", "FILE_TYPE_OGG", "FILE_TYPE_OUTLOOK", "FILE_TYPE_PALMOS", "FILE_TYPE_PASCAL", "FILE_TYPE_PDF", "FILE_TYPE_PERL", "FILE_TYPE_PE_DLL", "FILE_TYPE_PE_EXE", "FILE_TYPE_PHP", "FILE_TYPE_PKG", "FILE_TYPE_PNG", 
"FILE_TYPE_POWERSHELL", "FILE_TYPE_PPSX", "FILE_TYPE_PPT", "FILE_TYPE_PPTX", "FILE_TYPE_PS", "FILE_TYPE_PSD", "FILE_TYPE_PYTHON", "FILE_TYPE_QUICKTIME", "FILE_TYPE_RAR", "FILE_TYPE_RM", "FILE_TYPE_ROM", "FILE_TYPE_RPM", "FILE_TYPE_RTF", "FILE_TYPE_RUBY", "FILE_TYPE_RZIP", "FILE_TYPE_SCRIPT", "FILE_TYPE_SEVENZIP", "FILE_TYPE_SHELLSCRIPT", "FILE_TYPE_SVG", "FILE_TYPE_SWF", "FILE_TYPE_SYMBIAN", "FILE_TYPE_T3GP", "FILE_TYPE_TAR", "FILE_TYPE_TARGA", "FILE_TYPE_TEXT", "FILE_TYPE_TIFF", "FILE_TYPE_TORRENT", "FILE_TYPE_TTF", "FILE_TYPE_UNSPECIFIED", "FILE_TYPE_VBA", "FILE_TYPE_WAV", "FILE_TYPE_WEBP", "FILE_TYPE_WINCE", "FILE_TYPE_WMA", "FILE_TYPE_WMV", "FILE_TYPE_WOFF", "FILE_TYPE_XLS", "FILE_TYPE_XLSX", "FILE_TYPE_XML", "FILE_TYPE_XPI", "FILE_TYPE_XWD", "FILE_TYPE_ZIP", "FILE_TYPE_ZLIB"] - sql: CASE ${TABLE}.target.file.file_type WHEN 0 THEN 'FILE_TYPE_UNSPECIFIED' WHEN 1 THEN 'FILE_TYPE_PE_EXE' WHEN 2 THEN 'FILE_TYPE_PE_DLL' WHEN 3 THEN 'FILE_TYPE_MSI' WHEN 10 THEN 'FILE_TYPE_NE_EXE' WHEN 11 THEN 'FILE_TYPE_NE_DLL' WHEN 20 THEN 'FILE_TYPE_DOS_EXE' WHEN 21 THEN 'FILE_TYPE_DOS_COM' WHEN 30 THEN 'FILE_TYPE_COFF' WHEN 31 THEN 'FILE_TYPE_ELF' WHEN 32 THEN 'FILE_TYPE_LINUX_KERNEL' WHEN 33 THEN 'FILE_TYPE_RPM' WHEN 34 THEN 'FILE_TYPE_LINUX' WHEN 35 THEN 'FILE_TYPE_MACH_O' WHEN 36 THEN 'FILE_TYPE_JAVA_BYTECODE' WHEN 37 THEN 'FILE_TYPE_DMG' WHEN 38 THEN 'FILE_TYPE_DEB' WHEN 39 THEN 'FILE_TYPE_PKG' WHEN 50 THEN 'FILE_TYPE_LNK' WHEN 100 THEN 'FILE_TYPE_JPEG' WHEN 101 THEN 'FILE_TYPE_TIFF' WHEN 102 THEN 'FILE_TYPE_GIF' WHEN 103 THEN 'FILE_TYPE_PNG' WHEN 104 THEN 'FILE_TYPE_BMP' WHEN 105 THEN 'FILE_TYPE_GIMP' WHEN 106 THEN 'FILE_TYPE_IN_DESIGN' WHEN 107 THEN 'FILE_TYPE_PSD' WHEN 108 THEN 'FILE_TYPE_TARGA' WHEN 109 THEN 'FILE_TYPE_XWD' WHEN 110 THEN 'FILE_TYPE_DIB' WHEN 111 THEN 'FILE_TYPE_JNG' WHEN 112 THEN 'FILE_TYPE_ICO' WHEN 113 THEN 'FILE_TYPE_FPX' WHEN 114 THEN 'FILE_TYPE_EPS' WHEN 115 THEN 'FILE_TYPE_SVG' WHEN 116 THEN 'FILE_TYPE_EMF' WHEN 117 THEN 'FILE_TYPE_WEBP' WHEN 150 
THEN 'FILE_TYPE_OGG' WHEN 151 THEN 'FILE_TYPE_FLC' WHEN 152 THEN 'FILE_TYPE_FLI' WHEN 153 THEN 'FILE_TYPE_MP3' WHEN 154 THEN 'FILE_TYPE_FLAC' WHEN 155 THEN 'FILE_TYPE_WAV' WHEN 156 THEN 'FILE_TYPE_MIDI' WHEN 157 THEN 'FILE_TYPE_AVI' WHEN 158 THEN 'FILE_TYPE_MPEG' WHEN 159 THEN 'FILE_TYPE_QUICKTIME' WHEN 160 THEN 'FILE_TYPE_ASF' WHEN 161 THEN 'FILE_TYPE_DIVX' WHEN 162 THEN 'FILE_TYPE_FLV' WHEN 163 THEN 'FILE_TYPE_WMA' WHEN 164 THEN 'FILE_TYPE_WMV' WHEN 165 THEN 'FILE_TYPE_RM' WHEN 166 THEN 'FILE_TYPE_MOV' WHEN 167 THEN 'FILE_TYPE_MP4' WHEN 168 THEN 'FILE_TYPE_T3GP' WHEN 200 THEN 'FILE_TYPE_PDF' WHEN 201 THEN 'FILE_TYPE_PS' WHEN 202 THEN 'FILE_TYPE_DOC' WHEN 203 THEN 'FILE_TYPE_DOCX' WHEN 204 THEN 'FILE_TYPE_PPT' WHEN 205 THEN 'FILE_TYPE_PPTX' WHEN 209 THEN 'FILE_TYPE_PPSX' WHEN 206 THEN 'FILE_TYPE_XLS' WHEN 207 THEN 'FILE_TYPE_XLSX' WHEN 208 THEN 'FILE_TYPE_RTF' WHEN 250 THEN 'FILE_TYPE_ODP' WHEN 251 THEN 'FILE_TYPE_ODS' WHEN 252 THEN 'FILE_TYPE_ODT' WHEN 253 THEN 'FILE_TYPE_HWP' WHEN 254 THEN 'FILE_TYPE_GUL' WHEN 255 THEN 'FILE_TYPE_ODF' WHEN 256 THEN 'FILE_TYPE_ODG' WHEN 260 THEN 'FILE_TYPE_EBOOK' WHEN 261 THEN 'FILE_TYPE_LATEX' WHEN 262 THEN 'FILE_TYPE_TTF' WHEN 263 THEN 'FILE_TYPE_EOT' WHEN 264 THEN 'FILE_TYPE_WOFF' WHEN 265 THEN 'FILE_TYPE_CHM' WHEN 300 THEN 'FILE_TYPE_ZIP' WHEN 301 THEN 'FILE_TYPE_GZIP' WHEN 302 THEN 'FILE_TYPE_BZIP' WHEN 303 THEN 'FILE_TYPE_RZIP' WHEN 304 THEN 'FILE_TYPE_DZIP' WHEN 305 THEN 'FILE_TYPE_SEVENZIP' WHEN 306 THEN 'FILE_TYPE_CAB' WHEN 307 THEN 'FILE_TYPE_JAR' WHEN 308 THEN 'FILE_TYPE_RAR' WHEN 309 THEN 'FILE_TYPE_MSCOMPRESS' WHEN 310 THEN 'FILE_TYPE_ACE' WHEN 311 THEN 'FILE_TYPE_ARC' WHEN 312 THEN 'FILE_TYPE_ARJ' WHEN 313 THEN 'FILE_TYPE_ASD' WHEN 314 THEN 'FILE_TYPE_BLACKHOLE' WHEN 315 THEN 'FILE_TYPE_KGB' WHEN 316 THEN 'FILE_TYPE_ZLIB' WHEN 317 THEN 'FILE_TYPE_TAR' WHEN 400 THEN 'FILE_TYPE_TEXT' WHEN 401 THEN 'FILE_TYPE_SCRIPT' WHEN 402 THEN 'FILE_TYPE_PHP' WHEN 403 THEN 'FILE_TYPE_PYTHON' WHEN 404 THEN 'FILE_TYPE_PERL' WHEN 405 
THEN 'FILE_TYPE_RUBY' WHEN 406 THEN 'FILE_TYPE_C' WHEN 407 THEN 'FILE_TYPE_CPP' WHEN 408 THEN 'FILE_TYPE_JAVA' WHEN 409 THEN 'FILE_TYPE_SHELLSCRIPT' WHEN 410 THEN 'FILE_TYPE_PASCAL' WHEN 411 THEN 'FILE_TYPE_AWK' WHEN 412 THEN 'FILE_TYPE_DYALOG' WHEN 413 THEN 'FILE_TYPE_FORTRAN' WHEN 414 THEN 'FILE_TYPE_JAVASCRIPT' WHEN 415 THEN 'FILE_TYPE_POWERSHELL' WHEN 416 THEN 'FILE_TYPE_VBA' WHEN 500 THEN 'FILE_TYPE_SYMBIAN' WHEN 501 THEN 'FILE_TYPE_PALMOS' WHEN 502 THEN 'FILE_TYPE_WINCE' WHEN 503 THEN 'FILE_TYPE_ANDROID' WHEN 504 THEN 'FILE_TYPE_IPHONE' WHEN 600 THEN 'FILE_TYPE_HTML' WHEN 601 THEN 'FILE_TYPE_XML' WHEN 602 THEN 'FILE_TYPE_SWF' WHEN 603 THEN 'FILE_TYPE_FLA' WHEN 604 THEN 'FILE_TYPE_COOKIE' WHEN 605 THEN 'FILE_TYPE_TORRENT' WHEN 606 THEN 'FILE_TYPE_EMAIL_TYPE' WHEN 607 THEN 'FILE_TYPE_OUTLOOK' WHEN 700 THEN 'FILE_TYPE_CAP' WHEN 800 THEN 'FILE_TYPE_ISOIMAGE' WHEN 1000 THEN 'FILE_TYPE_APPLE' WHEN 1001 THEN 'FILE_TYPE_MACINTOSH' WHEN 1002 THEN 'FILE_TYPE_APPLESINGLE' WHEN 1003 THEN 'FILE_TYPE_APPLEDOUBLE' WHEN 1004 THEN 'FILE_TYPE_MACINTOSH_HFS' WHEN 1005 THEN 'FILE_TYPE_APPLE_PLIST' WHEN 1006 THEN 'FILE_TYPE_MACINTOSH_LIB' WHEN 1007 THEN 'FILE_TYPE_APPLESCRIPT' WHEN 1008 THEN 'FILE_TYPE_APPLESCRIPT_COMPILED' WHEN 1100 THEN 'FILE_TYPE_CRX' WHEN 1101 THEN 'FILE_TYPE_XPI' WHEN 1200 THEN 'FILE_TYPE_ROM' END ;; - group_label: "target" - label: "target.file.file_type_enum_name" - view_label: "UDM" - description: "FileType field." - } # dimension target__file__file_type_enum_name - - dimension_group: target__file__first_seen_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.file.first_seen_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.file.first_seen_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.file.first_seen_time" - view_label: "UDM" - description: "Timestamp the file was first seen in the customer's environment." 
- } # dimension target__file__first_seen_time - - dimension: target__file__full_path { - type: string - sql: ${TABLE}.target.file.full_path ;; - group_label: "target" - label: "target.file.full_path" - view_label: "UDM" - description: "The full path identifying the location of the file on the system." - } # dimension target__file__full_path - - dimension_group: target__file__last_analysis_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.file.last_analysis_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.file.last_analysis_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.file.last_analysis_time" - view_label: "UDM" - description: "Timestamp the file was last analysed." - } # dimension target__file__last_analysis_time - - dimension_group: target__file__last_modification_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.file.last_modification_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.file.last_modification_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.file.last_modification_time" - view_label: "UDM" - description: "Timestamp when the file was last updated." - } # dimension target__file__last_modification_time - - dimension_group: target__file__last_seen_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.file.last_seen_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.file.last_seen_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.file.last_seen_time" - view_label: "UDM" - description: "Timestamp the file was last seen in the customer's environment." 
- } # dimension target__file__last_seen_time - - dimension: target__file__md5 { - type: string - sql: ${TABLE}.target.file.md5 ;; - group_label: "target" - label: "target.file.md5" - view_label: "UDM" - description: "The MD5 hash of the file." - } # dimension target__file__md5 - - dimension: target__file__mime_type { - type: string - sql: ${TABLE}.target.file.mime_type ;; - group_label: "target" - label: "target.file.mime_type" - view_label: "UDM" - description: "The MIME (Multipurpose Internet Mail Extensions) type of the file, for example \"PE\", \"PDF\", \"powershell script\", etc." - } # dimension target__file__mime_type - - dimension: target__file__names { - hidden: yes - } # dimension target__file__names - - dimension: target__file__pe_file { - hidden: yes - } # dimension target__file__pe_file - - dimension_group: target__file__pe_file__compilation_exiftool_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.file.pe_file.compilation_exiftool_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.file.pe_file.compilation_exiftool_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.file.pe_file.compilation_exiftool_time" - view_label: "UDM" - description: "info.exiftool.TimeStamp." - } # dimension target__file__pe_file__compilation_exiftool_time - - dimension_group: target__file__pe_file__compilation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.file.pe_file.compilation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.file.pe_file.compilation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.file.pe_file.compilation_time" - view_label: "UDM" - description: "info.pe-timestamp." 
- } # dimension target__file__pe_file__compilation_time - - dimension: target__file__pe_file__entry_point { - type: number - sql: ${TABLE}.target.file.pe_file.entry_point ;; - group_label: "target" - label: "target.file.pe_file.entry_point" - view_label: "UDM" - description: "info.pe-entry-point." - } # dimension target__file__pe_file__entry_point - - dimension: target__file__pe_file__entry_point_exiftool { - type: number - sql: ${TABLE}.target.file.pe_file.entry_point_exiftool ;; - group_label: "target" - label: "target.file.pe_file.entry_point_exiftool" - view_label: "UDM" - description: "info.exiftool.EntryPoint." - } # dimension target__file__pe_file__entry_point_exiftool - - dimension: target__file__pe_file__imphash { - type: string - sql: ${TABLE}.target.file.pe_file.imphash ;; - group_label: "target" - label: "target.file.pe_file.imphash" - view_label: "UDM" - description: "Imphash of the file." - } # dimension target__file__pe_file__imphash - - dimension: target__file__pe_file__imports { - hidden: yes - } # dimension target__file__pe_file__imports - - dimension: target__file__pe_file__resource { - hidden: yes - } # dimension target__file__pe_file__resource - - dimension: target__file__pe_file__resources_language_count_str { - hidden: yes - } # dimension target__file__pe_file__resources_language_count_str - - dimension: target__file__pe_file__resources_type_count_str { - hidden: yes - } # dimension target__file__pe_file__resources_type_count_str - - dimension: target__file__pe_file__section { - hidden: yes - } # dimension target__file__pe_file__section - - dimension: target__file__sha1 { - type: string - sql: ${TABLE}.target.file.sha1 ;; - group_label: "target" - label: "target.file.sha1" - view_label: "UDM" - description: "The SHA1 hash of the file." 
- } # dimension target__file__sha1 - - dimension: target__file__sha256 { - type: string - sql: ${TABLE}.target.file.sha256 ;; - group_label: "target" - label: "target.file.sha256" - view_label: "UDM" - description: "The SHA256 hash of the file." - } # dimension target__file__sha256 - - dimension: target__file__signature_info { - hidden: yes - } # dimension target__file__signature_info - - dimension: target__file__signature_info__codesign { - hidden: yes - } # dimension target__file__signature_info__codesign - - dimension_group: target__file__signature_info__codesign__compilation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.file.signature_info.codesign.compilation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.file.signature_info.codesign.compilation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.file.signature_info.codesign.compilation_time" - view_label: "UDM" - description: "Code sign timestamp" - } # dimension target__file__signature_info__codesign__compilation_time - - dimension: target__file__signature_info__codesign__format { - type: string - sql: ${TABLE}.target.file.signature_info.codesign.format ;; - group_label: "target" - label: "target.file.signature_info.codesign.format" - view_label: "UDM" - description: "Code sign format." - } # dimension target__file__signature_info__codesign__format - - dimension: target__file__signature_info__codesign__id { - type: string - sql: ${TABLE}.target.file.signature_info.codesign.id ;; - group_label: "target" - label: "target.file.signature_info.codesign.id" - view_label: "UDM" - description: "Code sign identifier." 
- } # dimension target__file__signature_info__codesign__id - - dimension: target__file__signature_info__sigcheck { - hidden: yes - } # dimension target__file__signature_info__sigcheck - - dimension: target__file__signature_info__sigcheck__signers { - hidden: yes - } # dimension target__file__signature_info__sigcheck__signers - - dimension: target__file__signature_info__sigcheck__verification_message { - type: string - sql: ${TABLE}.target.file.signature_info.sigcheck.verification_message ;; - group_label: "target" - label: "target.file.signature_info.sigcheck.verification_message" - view_label: "UDM" - description: "Status of the certificate. Valid values are \"Signed\", \"Unsigned\" or a description of the certificate anomaly, if found." - } # dimension target__file__signature_info__sigcheck__verification_message - - dimension: target__file__signature_info__sigcheck__verified { - type: yesno - sql: ${TABLE}.target.file.signature_info.sigcheck.verified ;; - group_label: "target" - label: "target.file.signature_info.sigcheck.verified" - view_label: "UDM" - description: "True iff verification_message == \"Signed\"" - } # dimension target__file__signature_info__sigcheck__verified - - dimension: target__file__signature_info__sigcheck__x509 { - hidden: yes - } # dimension target__file__signature_info__sigcheck__x509 - - dimension: target__file__size { - type: number - sql: ${TABLE}.target.file.size ;; - group_label: "target" - label: "target.file.size" - view_label: "UDM" - description: "The size of the file in bytes." 
- } # dimension target__file__size - - dimension: target__file__ssdeep { - type: string - sql: ${TABLE}.target.file.ssdeep ;; - group_label: "target" - label: "target.file.ssdeep" - view_label: "UDM" - description: "Ssdeep of the file" - } # dimension target__file__ssdeep - - dimension: target__file__tags { - hidden: yes - } # dimension target__file__tags - - dimension: target__file__vhash { - type: string - sql: ${TABLE}.target.file.vhash ;; - group_label: "target" - label: "target.file.vhash" - view_label: "UDM" - description: "Vhash of the file." - } # dimension target__file__vhash - - dimension: target__group { - hidden: yes - } # dimension target__group - - dimension: target__group__attribute { - hidden: yes - } # dimension target__group__attribute - - dimension: target__group__attribute__labels { - hidden: yes - } # dimension target__group__attribute__labels - - dimension: target__group__attribute__permissions { - hidden: yes - } # dimension target__group__attribute__permissions - - dimension: target__group__attribute__roles { - hidden: yes - } # dimension target__group__attribute__roles - - dimension_group: target__group__creation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.group.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.group.creation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - group_item_label: "target.group.creation_time [D]" - label: "target.group.creation_time" - view_label: "UDM" - description: "Group creation time. Deprecated: creation_time should be populated in Attribute as generic metadata. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension target__group__creation_time - - dimension: target__group__email_addresses { - hidden: yes - } # dimension target__group__email_addresses - - dimension: target__group__group_display_name { - type: string - sql: ${TABLE}.target.group.group_display_name ;; - group_label: "target" - label: "target.group.group_display_name" - view_label: "UDM" - description: "Group display name. e.g. \"Finance\"." - } # dimension target__group__group_display_name - - dimension: target__group__product_object_id { - type: string - sql: ${TABLE}.target.group.product_object_id ;; - group_label: "target" - label: "target.group.product_object_id" - view_label: "UDM" - description: "Product globally unique user object identifier, such as an LDAP Object Identifier." - } # dimension target__group__product_object_id - - dimension: target__group__windows_sid { - type: string - sql: ${TABLE}.target.group.windows_sid ;; - group_label: "target" - label: "target.group.windows_sid" - view_label: "UDM" - description: "Microsoft Windows SID of the group." - } # dimension target__group__windows_sid - - dimension: target__hostname { - type: string - sql: ${TABLE}.target.hostname ;; - group_label: "target" - label: "target.hostname" - view_label: "UDM" - description: "Client hostname or domain name field. Hostname also doubles as the domain for remote entities." - } # dimension target__hostname - - dimension: target__investigation { - hidden: yes - } # dimension target__investigation - - dimension: target__investigation__comments { - hidden: yes - } # dimension target__investigation__comments - - dimension: target__investigation__severity_score { - type: number - sql: ${TABLE}.target.investigation.severity_score ;; - group_label: "target" - label: "target.investigation.severity_score" - view_label: "UDM" - description: "Severity score for a finding set by an analyst." 
- } # dimension target__investigation__severity_score - - dimension: target__ip { - hidden: yes - } # dimension target__ip - - dimension: target__ip_geo_artifact { - hidden: yes - } # dimension target__ip_geo_artifact - - dimension: target__ip_location { - hidden: yes - } # dimension target__ip_location - - dimension: target__labels { - hidden: yes - } # dimension target__labels - - dimension: target__location { - hidden: yes - } # dimension target__location - - dimension: target__location__city { - type: string - sql: ${TABLE}.target.location.city ;; - group_label: "target" - label: "target.location.city" - view_label: "UDM" - description: "The city." - } # dimension target__location__city - - dimension: target__location__country_or_region { - type: string - sql: ${TABLE}.target.location.country_or_region ;; - group_label: "target" - label: "target.location.country_or_region" - view_label: "UDM" - description: "The country or region." - } # dimension target__location__country_or_region - - dimension: target__location__name { - type: string - sql: ${TABLE}.target.location.name ;; - group_label: "target" - label: "target.location.name" - view_label: "UDM" - description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." - } # dimension target__location__name - - dimension: target__location__region_coordinates { - type: location - sql_latitude: ${TABLE}.target.location.region_coordinates.latitude ;; - sql_longitude: ${TABLE}.target.location.region_coordinates.longitude ;; - group_label: "target" - group_item_label: "target.location.region_coordinates [L]" - label: "target.location.region_coordinates" - view_label: "UDM" - description: "Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. [L]: This is a location field and can be used in maps." 
- } # dimension target__location__region_coordinates - - dimension: target__location__region_latitude { - type: number - sql: ${TABLE}.target.location.region_latitude ;; - group_label: "target" - group_item_label: "target.location.region_latitude [D]" - label: "target.location.region_latitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__location__region_latitude - - dimension: target__location__region_longitude { - type: number - sql: ${TABLE}.target.location.region_longitude ;; - group_label: "target" - group_item_label: "target.location.region_longitude [D]" - label: "target.location.region_longitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__location__region_longitude - - dimension: target__location__location { - type: location - sql_latitude: ${TABLE}.target.location.region_latitude ;; - sql_longitude: ${TABLE}.target.location.region_longitude ;; - group_label: "target" - group_item_label: "target.location.location [D][L]" - label: "target.location.location" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." - } # dimension target__location__location - - dimension: target__location__state { - type: string - sql: ${TABLE}.target.location.state ;; - group_label: "target" - label: "target.location.state" - view_label: "UDM" - description: "The state." - } # dimension target__location__state - - dimension: target__mac { - hidden: yes - } # dimension target__mac - - dimension: target__namespace { - type: string - sql: ${TABLE}.target.namespace ;; - group_label: "target" - label: "target.namespace" - view_label: "UDM" - description: "Namespace which the device belongs to (e.g. 
AD forest) Uses for this field include Microsoft Windows AD forest, name of subsidiary or acquisition, etc." - } # dimension target__namespace - - dimension: target__nat_ip { - hidden: yes - } # dimension target__nat_ip - - dimension: target__nat_port { - type: number - value_format: "#" - sql: ${TABLE}.target.nat_port ;; - group_label: "target" - label: "target.nat_port" - view_label: "UDM" - description: "NAT external network port number when a specific network connection is described within an event." - } # dimension target__nat_port - - dimension: target__network { - hidden: yes - } # dimension target__network - - dimension: target__network__http { - hidden: yes - } # dimension target__network__http - - dimension: target__network__http__method { - type: string - sql: ${TABLE}.target.network.http.method ;; - group_label: "target" - label: "target.network.http.method" - view_label: "UDM" - description: "The HTTP request method (e.g. \"GET\", \"POST\", \"PATCH\", \"DELETE\")." - } # dimension target__network__http__method - - dimension: target__network__http__referral_url { - type: string - sql: ${TABLE}.target.network.http.referral_url ;; - group_label: "target" - label: "target.network.http.referral_url" - view_label: "UDM" - description: "The URL for the HTTP referer." - } # dimension target__network__http__referral_url - - dimension: target__platform { - type: number - sql: ${TABLE}.target.platform ;; - group_label: "target" - label: "target.platform" - view_label: "UDM" - description: "Platform." 
- } # dimension target__platform - - dimension: target__platform_enum_name { - type: string - suggestions: ["ANDROID", "AWS", "AZURE", "CHROME_OS", "GCP", "IOS", "LINUX", "MAC", "UNKNOWN_PLATFORM", "WINDOWS"] - sql: CASE ${TABLE}.target.platform WHEN 0 THEN 'UNKNOWN_PLATFORM' WHEN 1 THEN 'WINDOWS' WHEN 2 THEN 'MAC' WHEN 3 THEN 'LINUX' WHEN 4 THEN 'GCP' WHEN 5 THEN 'AWS' WHEN 6 THEN 'AZURE' WHEN 7 THEN 'IOS' WHEN 8 THEN 'ANDROID' WHEN 9 THEN 'CHROME_OS' END ;; - group_label: "target" - label: "target.platform_enum_name" - view_label: "UDM" - description: "Platform." - } # dimension target__platform_enum_name - - dimension: target__platform_patch_level { - type: string - sql: ${TABLE}.target.platform_patch_level ;; - group_label: "target" - label: "target.platform_patch_level" - view_label: "UDM" - description: "Platform patch level. For example, \"Build 17134.48\"" - } # dimension target__platform_patch_level - - dimension: target__platform_version { - type: string - sql: ${TABLE}.target.platform_version ;; - group_label: "target" - label: "target.platform_version" - view_label: "UDM" - description: "Platform version. For example, \"Microsoft Windows 1803\"." - } # dimension target__platform_version - - dimension: target__port { - type: number - value_format: "#" - sql: ${TABLE}.target.port ;; - group_label: "target" - label: "target.port" - view_label: "UDM" - description: "Source or destination network port number when a specific network connection is described within an event." - } # dimension target__port - - dimension: target__process { - hidden: yes - } # dimension target__process - - dimension: target__process__access_mask { - type: number - sql: ${TABLE}.target.process.access_mask ;; - group_label: "target" - label: "target.process.access_mask" - view_label: "UDM" - description: "A bit mask representing the level of access." 
- } # dimension target__process__access_mask - - dimension: target__process__command_line { - type: string - sql: ${TABLE}.target.process.command_line ;; - group_label: "target" - label: "target.process.command_line" - view_label: "UDM" - description: "The command line command that created the process." - } # dimension target__process__command_line - - dimension: target__process__command_line_history { - hidden: yes - } # dimension target__process__command_line_history - - dimension: target__process__file { - hidden: yes - } # dimension target__process__file - - dimension: target__process__file__capabilities_tags { - hidden: yes - } # dimension target__process__file__capabilities_tags - - dimension: target__process__file__file_metadata { - hidden: yes - } # dimension target__process__file__file_metadata - - dimension: target__process__file__file_metadata__pe { - hidden: yes - } # dimension target__process__file__file_metadata__pe - - dimension: target__process__file__file_metadata__pe__import_hash { - type: string - sql: ${TABLE}.target.process.file.file_metadata.pe.import_hash ;; - group_label: "target" - group_item_label: "target.process.file.file_metadata.pe.import_hash [D]" - label: "target.process.file.file_metadata.pe.import_hash" - view_label: "UDM" - description: "Hash of PE imports. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__process__file__file_metadata__pe__import_hash - - dimension: target__process__file__file_type { - type: number - sql: ${TABLE}.target.process.file.file_type ;; - group_label: "target" - label: "target.process.file.file_type" - view_label: "UDM" - description: "FileType field." 
- } # dimension target__process__file__file_type - - dimension: target__process__file__file_type_enum_name { - type: string - suggestions: ["FILE_TYPE_ACE", "FILE_TYPE_ANDROID", "FILE_TYPE_APPLE", "FILE_TYPE_APPLEDOUBLE", "FILE_TYPE_APPLESCRIPT", "FILE_TYPE_APPLESCRIPT_COMPILED", "FILE_TYPE_APPLESINGLE", "FILE_TYPE_APPLE_PLIST", "FILE_TYPE_ARC", "FILE_TYPE_ARJ", "FILE_TYPE_ASD", "FILE_TYPE_ASF", "FILE_TYPE_AVI", "FILE_TYPE_AWK", "FILE_TYPE_BLACKHOLE", "FILE_TYPE_BMP", "FILE_TYPE_BZIP", "FILE_TYPE_C", "FILE_TYPE_CAB", "FILE_TYPE_CAP", "FILE_TYPE_CHM", "FILE_TYPE_COFF", "FILE_TYPE_COOKIE", "FILE_TYPE_CPP", "FILE_TYPE_CRX", "FILE_TYPE_DEB", "FILE_TYPE_DIB", "FILE_TYPE_DIVX", "FILE_TYPE_DMG", "FILE_TYPE_DOC", "FILE_TYPE_DOCX", "FILE_TYPE_DOS_COM", "FILE_TYPE_DOS_EXE", "FILE_TYPE_DYALOG", "FILE_TYPE_DZIP", "FILE_TYPE_EBOOK", "FILE_TYPE_ELF", "FILE_TYPE_EMAIL_TYPE", "FILE_TYPE_EMF", "FILE_TYPE_EOT", "FILE_TYPE_EPS", "FILE_TYPE_FLA", "FILE_TYPE_FLAC", "FILE_TYPE_FLC", "FILE_TYPE_FLI", "FILE_TYPE_FLV", "FILE_TYPE_FORTRAN", "FILE_TYPE_FPX", "FILE_TYPE_GIF", "FILE_TYPE_GIMP", "FILE_TYPE_GUL", "FILE_TYPE_GZIP", "FILE_TYPE_HTML", "FILE_TYPE_HWP", "FILE_TYPE_ICO", "FILE_TYPE_IN_DESIGN", "FILE_TYPE_IPHONE", "FILE_TYPE_ISOIMAGE", "FILE_TYPE_JAR", "FILE_TYPE_JAVA", "FILE_TYPE_JAVASCRIPT", "FILE_TYPE_JAVA_BYTECODE", "FILE_TYPE_JNG", "FILE_TYPE_JPEG", "FILE_TYPE_KGB", "FILE_TYPE_LATEX", "FILE_TYPE_LINUX", "FILE_TYPE_LINUX_KERNEL", "FILE_TYPE_LNK", "FILE_TYPE_MACH_O", "FILE_TYPE_MACINTOSH", "FILE_TYPE_MACINTOSH_HFS", "FILE_TYPE_MACINTOSH_LIB", "FILE_TYPE_MIDI", "FILE_TYPE_MOV", "FILE_TYPE_MP3", "FILE_TYPE_MP4", "FILE_TYPE_MPEG", "FILE_TYPE_MSCOMPRESS", "FILE_TYPE_MSI", "FILE_TYPE_NE_DLL", "FILE_TYPE_NE_EXE", "FILE_TYPE_ODF", "FILE_TYPE_ODG", "FILE_TYPE_ODP", "FILE_TYPE_ODS", "FILE_TYPE_ODT", "FILE_TYPE_OGG", "FILE_TYPE_OUTLOOK", "FILE_TYPE_PALMOS", "FILE_TYPE_PASCAL", "FILE_TYPE_PDF", "FILE_TYPE_PERL", "FILE_TYPE_PE_DLL", "FILE_TYPE_PE_EXE", "FILE_TYPE_PHP", "FILE_TYPE_PKG", 
"FILE_TYPE_PNG", "FILE_TYPE_POWERSHELL", "FILE_TYPE_PPSX", "FILE_TYPE_PPT", "FILE_TYPE_PPTX", "FILE_TYPE_PS", "FILE_TYPE_PSD", "FILE_TYPE_PYTHON", "FILE_TYPE_QUICKTIME", "FILE_TYPE_RAR", "FILE_TYPE_RM", "FILE_TYPE_ROM", "FILE_TYPE_RPM", "FILE_TYPE_RTF", "FILE_TYPE_RUBY", "FILE_TYPE_RZIP", "FILE_TYPE_SCRIPT", "FILE_TYPE_SEVENZIP", "FILE_TYPE_SHELLSCRIPT", "FILE_TYPE_SVG", "FILE_TYPE_SWF", "FILE_TYPE_SYMBIAN", "FILE_TYPE_T3GP", "FILE_TYPE_TAR", "FILE_TYPE_TARGA", "FILE_TYPE_TEXT", "FILE_TYPE_TIFF", "FILE_TYPE_TORRENT", "FILE_TYPE_TTF", "FILE_TYPE_UNSPECIFIED", "FILE_TYPE_VBA", "FILE_TYPE_WAV", "FILE_TYPE_WEBP", "FILE_TYPE_WINCE", "FILE_TYPE_WMA", "FILE_TYPE_WMV", "FILE_TYPE_WOFF", "FILE_TYPE_XLS", "FILE_TYPE_XLSX", "FILE_TYPE_XML", "FILE_TYPE_XPI", "FILE_TYPE_XWD", "FILE_TYPE_ZIP", "FILE_TYPE_ZLIB"] - sql: CASE ${TABLE}.target.process.file.file_type WHEN 0 THEN 'FILE_TYPE_UNSPECIFIED' WHEN 1 THEN 'FILE_TYPE_PE_EXE' WHEN 2 THEN 'FILE_TYPE_PE_DLL' WHEN 3 THEN 'FILE_TYPE_MSI' WHEN 10 THEN 'FILE_TYPE_NE_EXE' WHEN 11 THEN 'FILE_TYPE_NE_DLL' WHEN 20 THEN 'FILE_TYPE_DOS_EXE' WHEN 21 THEN 'FILE_TYPE_DOS_COM' WHEN 30 THEN 'FILE_TYPE_COFF' WHEN 31 THEN 'FILE_TYPE_ELF' WHEN 32 THEN 'FILE_TYPE_LINUX_KERNEL' WHEN 33 THEN 'FILE_TYPE_RPM' WHEN 34 THEN 'FILE_TYPE_LINUX' WHEN 35 THEN 'FILE_TYPE_MACH_O' WHEN 36 THEN 'FILE_TYPE_JAVA_BYTECODE' WHEN 37 THEN 'FILE_TYPE_DMG' WHEN 38 THEN 'FILE_TYPE_DEB' WHEN 39 THEN 'FILE_TYPE_PKG' WHEN 50 THEN 'FILE_TYPE_LNK' WHEN 100 THEN 'FILE_TYPE_JPEG' WHEN 101 THEN 'FILE_TYPE_TIFF' WHEN 102 THEN 'FILE_TYPE_GIF' WHEN 103 THEN 'FILE_TYPE_PNG' WHEN 104 THEN 'FILE_TYPE_BMP' WHEN 105 THEN 'FILE_TYPE_GIMP' WHEN 106 THEN 'FILE_TYPE_IN_DESIGN' WHEN 107 THEN 'FILE_TYPE_PSD' WHEN 108 THEN 'FILE_TYPE_TARGA' WHEN 109 THEN 'FILE_TYPE_XWD' WHEN 110 THEN 'FILE_TYPE_DIB' WHEN 111 THEN 'FILE_TYPE_JNG' WHEN 112 THEN 'FILE_TYPE_ICO' WHEN 113 THEN 'FILE_TYPE_FPX' WHEN 114 THEN 'FILE_TYPE_EPS' WHEN 115 THEN 'FILE_TYPE_SVG' WHEN 116 THEN 'FILE_TYPE_EMF' WHEN 117 THEN 
'FILE_TYPE_WEBP' WHEN 150 THEN 'FILE_TYPE_OGG' WHEN 151 THEN 'FILE_TYPE_FLC' WHEN 152 THEN 'FILE_TYPE_FLI' WHEN 153 THEN 'FILE_TYPE_MP3' WHEN 154 THEN 'FILE_TYPE_FLAC' WHEN 155 THEN 'FILE_TYPE_WAV' WHEN 156 THEN 'FILE_TYPE_MIDI' WHEN 157 THEN 'FILE_TYPE_AVI' WHEN 158 THEN 'FILE_TYPE_MPEG' WHEN 159 THEN 'FILE_TYPE_QUICKTIME' WHEN 160 THEN 'FILE_TYPE_ASF' WHEN 161 THEN 'FILE_TYPE_DIVX' WHEN 162 THEN 'FILE_TYPE_FLV' WHEN 163 THEN 'FILE_TYPE_WMA' WHEN 164 THEN 'FILE_TYPE_WMV' WHEN 165 THEN 'FILE_TYPE_RM' WHEN 166 THEN 'FILE_TYPE_MOV' WHEN 167 THEN 'FILE_TYPE_MP4' WHEN 168 THEN 'FILE_TYPE_T3GP' WHEN 200 THEN 'FILE_TYPE_PDF' WHEN 201 THEN 'FILE_TYPE_PS' WHEN 202 THEN 'FILE_TYPE_DOC' WHEN 203 THEN 'FILE_TYPE_DOCX' WHEN 204 THEN 'FILE_TYPE_PPT' WHEN 205 THEN 'FILE_TYPE_PPTX' WHEN 209 THEN 'FILE_TYPE_PPSX' WHEN 206 THEN 'FILE_TYPE_XLS' WHEN 207 THEN 'FILE_TYPE_XLSX' WHEN 208 THEN 'FILE_TYPE_RTF' WHEN 250 THEN 'FILE_TYPE_ODP' WHEN 251 THEN 'FILE_TYPE_ODS' WHEN 252 THEN 'FILE_TYPE_ODT' WHEN 253 THEN 'FILE_TYPE_HWP' WHEN 254 THEN 'FILE_TYPE_GUL' WHEN 255 THEN 'FILE_TYPE_ODF' WHEN 256 THEN 'FILE_TYPE_ODG' WHEN 260 THEN 'FILE_TYPE_EBOOK' WHEN 261 THEN 'FILE_TYPE_LATEX' WHEN 262 THEN 'FILE_TYPE_TTF' WHEN 263 THEN 'FILE_TYPE_EOT' WHEN 264 THEN 'FILE_TYPE_WOFF' WHEN 265 THEN 'FILE_TYPE_CHM' WHEN 300 THEN 'FILE_TYPE_ZIP' WHEN 301 THEN 'FILE_TYPE_GZIP' WHEN 302 THEN 'FILE_TYPE_BZIP' WHEN 303 THEN 'FILE_TYPE_RZIP' WHEN 304 THEN 'FILE_TYPE_DZIP' WHEN 305 THEN 'FILE_TYPE_SEVENZIP' WHEN 306 THEN 'FILE_TYPE_CAB' WHEN 307 THEN 'FILE_TYPE_JAR' WHEN 308 THEN 'FILE_TYPE_RAR' WHEN 309 THEN 'FILE_TYPE_MSCOMPRESS' WHEN 310 THEN 'FILE_TYPE_ACE' WHEN 311 THEN 'FILE_TYPE_ARC' WHEN 312 THEN 'FILE_TYPE_ARJ' WHEN 313 THEN 'FILE_TYPE_ASD' WHEN 314 THEN 'FILE_TYPE_BLACKHOLE' WHEN 315 THEN 'FILE_TYPE_KGB' WHEN 316 THEN 'FILE_TYPE_ZLIB' WHEN 317 THEN 'FILE_TYPE_TAR' WHEN 400 THEN 'FILE_TYPE_TEXT' WHEN 401 THEN 'FILE_TYPE_SCRIPT' WHEN 402 THEN 'FILE_TYPE_PHP' WHEN 403 THEN 'FILE_TYPE_PYTHON' WHEN 404 THEN 
'FILE_TYPE_PERL' WHEN 405 THEN 'FILE_TYPE_RUBY' WHEN 406 THEN 'FILE_TYPE_C' WHEN 407 THEN 'FILE_TYPE_CPP' WHEN 408 THEN 'FILE_TYPE_JAVA' WHEN 409 THEN 'FILE_TYPE_SHELLSCRIPT' WHEN 410 THEN 'FILE_TYPE_PASCAL' WHEN 411 THEN 'FILE_TYPE_AWK' WHEN 412 THEN 'FILE_TYPE_DYALOG' WHEN 413 THEN 'FILE_TYPE_FORTRAN' WHEN 414 THEN 'FILE_TYPE_JAVASCRIPT' WHEN 415 THEN 'FILE_TYPE_POWERSHELL' WHEN 416 THEN 'FILE_TYPE_VBA' WHEN 500 THEN 'FILE_TYPE_SYMBIAN' WHEN 501 THEN 'FILE_TYPE_PALMOS' WHEN 502 THEN 'FILE_TYPE_WINCE' WHEN 503 THEN 'FILE_TYPE_ANDROID' WHEN 504 THEN 'FILE_TYPE_IPHONE' WHEN 600 THEN 'FILE_TYPE_HTML' WHEN 601 THEN 'FILE_TYPE_XML' WHEN 602 THEN 'FILE_TYPE_SWF' WHEN 603 THEN 'FILE_TYPE_FLA' WHEN 604 THEN 'FILE_TYPE_COOKIE' WHEN 605 THEN 'FILE_TYPE_TORRENT' WHEN 606 THEN 'FILE_TYPE_EMAIL_TYPE' WHEN 607 THEN 'FILE_TYPE_OUTLOOK' WHEN 700 THEN 'FILE_TYPE_CAP' WHEN 800 THEN 'FILE_TYPE_ISOIMAGE' WHEN 1000 THEN 'FILE_TYPE_APPLE' WHEN 1001 THEN 'FILE_TYPE_MACINTOSH' WHEN 1002 THEN 'FILE_TYPE_APPLESINGLE' WHEN 1003 THEN 'FILE_TYPE_APPLEDOUBLE' WHEN 1004 THEN 'FILE_TYPE_MACINTOSH_HFS' WHEN 1005 THEN 'FILE_TYPE_APPLE_PLIST' WHEN 1006 THEN 'FILE_TYPE_MACINTOSH_LIB' WHEN 1007 THEN 'FILE_TYPE_APPLESCRIPT' WHEN 1008 THEN 'FILE_TYPE_APPLESCRIPT_COMPILED' WHEN 1100 THEN 'FILE_TYPE_CRX' WHEN 1101 THEN 'FILE_TYPE_XPI' WHEN 1200 THEN 'FILE_TYPE_ROM' END ;; - group_label: "target" - label: "target.process.file.file_type_enum_name" - view_label: "UDM" - description: "FileType field." - } # dimension target__process__file__file_type_enum_name - - dimension: target__process__file__full_path { - type: string - sql: ${TABLE}.target.process.file.full_path ;; - group_label: "target" - label: "target.process.file.full_path" - view_label: "UDM" - description: "The full path identifying the location of the file on the system." 
- } # dimension target__process__file__full_path - - dimension: target__process__file__md5 { - type: string - sql: ${TABLE}.target.process.file.md5 ;; - group_label: "target" - label: "target.process.file.md5" - view_label: "UDM" - description: "The MD5 hash of the file." - } # dimension target__process__file__md5 - - dimension: target__process__file__mime_type { - type: string - sql: ${TABLE}.target.process.file.mime_type ;; - group_label: "target" - label: "target.process.file.mime_type" - view_label: "UDM" - description: "The MIME (Multipurpose Internet Mail Extensions) type of the file, for example \"PE\", \"PDF\", \"powershell script\", etc." - } # dimension target__process__file__mime_type - - dimension: target__process__file__names { - hidden: yes - } # dimension target__process__file__names - - dimension: target__process__file__pe_file { - hidden: yes - } # dimension target__process__file__pe_file - - dimension: target__process__file__pe_file__signature_info { - hidden: yes - } # dimension target__process__file__pe_file__signature_info - - dimension: target__process__file__pe_file__signature_info__signer { - hidden: yes - } # dimension target__process__file__pe_file__signature_info__signer - - dimension: target__process__file__pe_file__signature_info__verification_message { - type: string - sql: ${TABLE}.target.process.file.pe_file.signature_info.verification_message ;; - group_label: "target" - group_item_label: "target.process.file.pe_file.signature_info.verification_message [D]" - label: "target.process.file.pe_file.signature_info.verification_message" - view_label: "UDM" - description: "Status of the certificate. Valid values are \"Signed\", \"Unsigned\" or a description of the certificate anomaly, if found. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension target__process__file__pe_file__signature_info__verification_message - - dimension: target__process__file__sha1 { - type: string - sql: ${TABLE}.target.process.file.sha1 ;; - group_label: "target" - label: "target.process.file.sha1" - view_label: "UDM" - description: "The SHA1 hash of the file." - } # dimension target__process__file__sha1 - - dimension: target__process__file__sha256 { - type: string - sql: ${TABLE}.target.process.file.sha256 ;; - group_label: "target" - label: "target.process.file.sha256" - view_label: "UDM" - description: "The SHA256 hash of the file." - } # dimension target__process__file__sha256 - - dimension: target__process__file__size { - type: number - sql: ${TABLE}.target.process.file.size ;; - group_label: "target" - label: "target.process.file.size" - view_label: "UDM" - description: "The size of the file in bytes." - } # dimension target__process__file__size - - dimension: target__process__parent_pid { - type: string - sql: ${TABLE}.target.process.parent_pid ;; - group_label: "target" - group_item_label: "target.process.parent_pid [D]" - label: "target.process.parent_pid" - view_label: "UDM" - description: "The ID of the parent process. Deprecated: use parent_process.pid instead. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__process__parent_pid - - dimension: target__process__parent_process { - hidden: yes - } # dimension target__process__parent_process - - dimension: target__process__parent_process__command_line { - type: string - sql: ${TABLE}.target.process.parent_process.command_line ;; - group_label: "target" - label: "target.process.parent_process.command_line" - view_label: "UDM" - description: "The command line command that created the process." 
- } # dimension target__process__parent_process__command_line - - dimension: target__process__parent_process__file { - hidden: yes - } # dimension target__process__parent_process__file - - dimension: target__process__parent_process__file__capabilities_tags { - hidden: yes - } # dimension target__process__parent_process__file__capabilities_tags - - dimension: target__process__parent_process__file__full_path { - type: string - sql: ${TABLE}.target.process.parent_process.file.full_path ;; - group_label: "target" - label: "target.process.parent_process.file.full_path" - view_label: "UDM" - description: "The full path identifying the location of the file on the system." - } # dimension target__process__parent_process__file__full_path - - dimension: target__process__parent_process__file__md5 { - type: string - sql: ${TABLE}.target.process.parent_process.file.md5 ;; - group_label: "target" - label: "target.process.parent_process.file.md5" - view_label: "UDM" - description: "The MD5 hash of the file." - } # dimension target__process__parent_process__file__md5 - - dimension: target__process__parent_process__file__names { - hidden: yes - } # dimension target__process__parent_process__file__names - - dimension: target__process__parent_process__file__sha1 { - type: string - sql: ${TABLE}.target.process.parent_process.file.sha1 ;; - group_label: "target" - label: "target.process.parent_process.file.sha1" - view_label: "UDM" - description: "The SHA1 hash of the file." - } # dimension target__process__parent_process__file__sha1 - - dimension: target__process__parent_process__file__sha256 { - type: string - sql: ${TABLE}.target.process.parent_process.file.sha256 ;; - group_label: "target" - label: "target.process.parent_process.file.sha256" - view_label: "UDM" - description: "The SHA256 hash of the file." 
- } # dimension target__process__parent_process__file__sha256 - - dimension: target__process__parent_process__parent_pid { - type: string - sql: ${TABLE}.target.process.parent_process.parent_pid ;; - group_label: "target" - group_item_label: "target.process.parent_process.parent_pid [D]" - label: "target.process.parent_process.parent_pid" - view_label: "UDM" - description: "The ID of the parent process. Deprecated: use parent_process.pid instead. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__process__parent_process__parent_pid - - dimension: target__process__parent_process__pid { - type: string - sql: ${TABLE}.target.process.parent_process.pid ;; - group_label: "target" - label: "target.process.parent_process.pid" - view_label: "UDM" - description: "The process ID." - } # dimension target__process__parent_process__pid - - dimension: target__process__parent_process__product_specific_process_id { - type: string - sql: ${TABLE}.target.process.parent_process.product_specific_process_id ;; - group_label: "target" - label: "target.process.parent_process.product_specific_process_id" - view_label: "UDM" - description: "A product specific process id." - } # dimension target__process__parent_process__product_specific_process_id - - dimension: target__process__pid { - type: string - sql: ${TABLE}.target.process.pid ;; - group_label: "target" - label: "target.process.pid" - view_label: "UDM" - description: "The process ID." - } # dimension target__process__pid - - dimension: target__process__product_specific_parent_process_id { - type: string - sql: ${TABLE}.target.process.product_specific_parent_process_id ;; - group_label: "target" - group_item_label: "target.process.product_specific_parent_process_id [D]" - label: "target.process.product_specific_parent_process_id" - view_label: "UDM" - description: "A product specific id for the parent process. Please use parent_process.product_specific_process_id instead. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension target__process__product_specific_parent_process_id - - dimension: target__process__product_specific_process_id { - type: string - sql: ${TABLE}.target.process.product_specific_process_id ;; - group_label: "target" - label: "target.process.product_specific_process_id" - view_label: "UDM" - description: "A product specific process id." - } # dimension target__process__product_specific_process_id - - dimension: target__process_ancestors { - hidden: yes - } # dimension target__process_ancestors - - dimension: target__registry { - hidden: yes - } # dimension target__registry - - dimension: target__registry__registry_key { - type: string - sql: ${TABLE}.target.registry.registry_key ;; - group_label: "target" - label: "target.registry.registry_key" - view_label: "UDM" - description: "Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...)." - } # dimension target__registry__registry_key - - dimension: target__registry__registry_value_data { - type: string - sql: ${TABLE}.target.registry.registry_value_data ;; - group_label: "target" - label: "target.registry.registry_value_data" - view_label: "UDM" - description: "Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp)." - } # dimension target__registry__registry_value_data - - dimension: target__registry__registry_value_name { - type: string - sql: ${TABLE}.target.registry.registry_value_name ;; - group_label: "target" - label: "target.registry.registry_value_name" - view_label: "UDM" - description: "Name of the registry value associated with an application or system component (e.g. TEMP)." 
- } # dimension target__registry__registry_value_name - - dimension: target__resource { - hidden: yes - } # dimension target__resource - - dimension: target__resource__attribute { - hidden: yes - } # dimension target__resource__attribute - - dimension: target__resource__attribute__cloud { - hidden: yes - } # dimension target__resource__attribute__cloud - - dimension: target__resource__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.target.resource.attribute.cloud.availability_zone ;; - group_label: "target" - label: "target.resource.attribute.cloud.availability_zone" - view_label: "UDM" - description: "The cloud environment availability zone (different from region which is location.name)." - } # dimension target__resource__attribute__cloud__availability_zone - - dimension: target__resource__attribute__cloud__environment { - type: number - sql: ${TABLE}.target.resource.attribute.cloud.environment ;; - group_label: "target" - label: "target.resource.attribute.cloud.environment" - view_label: "UDM" - description: "The Cloud environment." - } # dimension target__resource__attribute__cloud__environment - - dimension: target__resource__attribute__cloud__environment_enum_name { - type: string - suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] - sql: CASE ${TABLE}.target.resource.attribute.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; - group_label: "target" - label: "target.resource.attribute.cloud.environment_enum_name" - view_label: "UDM" - description: "The Cloud environment." 
- } # dimension target__resource__attribute__cloud__environment_enum_name - - dimension: target__resource__attribute__cloud__project { - hidden: yes - } # dimension target__resource__attribute__cloud__project - - dimension: target__resource__attribute__cloud__project__id { - type: string - sql: ${TABLE}.target.resource.attribute.cloud.project.id ;; - group_label: "target" - group_item_label: "target.resource.attribute.cloud.project.id [D]" - label: "target.resource.attribute.cloud.project.id" - view_label: "UDM" - description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__resource__attribute__cloud__project__id - - dimension: target__resource__attribute__cloud__project__name { - type: string - sql: ${TABLE}.target.resource.attribute.cloud.project.name ;; - group_label: "target" - group_item_label: "target.resource.attribute.cloud.project.name [D]" - label: "target.resource.attribute.cloud.project.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__resource__attribute__cloud__project__name - - dimension_group: target__resource__attribute__creation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.resource.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.resource.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.resource.attribute.creation_time" - view_label: "UDM" - description: "Time the resource or entity was created or provisioned." 
- } # dimension target__resource__attribute__creation_time - - dimension: target__resource__attribute__labels { - hidden: yes - } # dimension target__resource__attribute__labels - - dimension_group: target__resource__attribute__last_update_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.resource.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.resource.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.resource.attribute.last_update_time" - view_label: "UDM" - description: "Time the resource or entity was last updated." - } # dimension target__resource__attribute__last_update_time - - dimension: target__resource__attribute__permissions { - hidden: yes - } # dimension target__resource__attribute__permissions - - dimension: target__resource__attribute__roles { - hidden: yes - } # dimension target__resource__attribute__roles - - dimension: target__resource__id { - type: string - sql: ${TABLE}.target.resource.id ;; - group_label: "target" - group_item_label: "target.resource.id [D]" - label: "target.resource.id" - view_label: "UDM" - description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__resource__id - - dimension: target__resource__name { - type: string - sql: ${TABLE}.target.resource.name ;; - group_label: "target" - label: "target.resource.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." 
- } # dimension target__resource__name - - dimension: target__resource__parent { - type: string - sql: ${TABLE}.target.resource.parent ;; - group_label: "target" - group_item_label: "target.resource.parent [D]" - label: "target.resource.parent" - view_label: "UDM" - description: "The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: use resource_ancestors.name. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__resource__parent - - dimension: target__resource__product_object_id { - type: string - sql: ${TABLE}.target.resource.product_object_id ;; - group_label: "target" - label: "target.resource.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" - } # dimension target__resource__product_object_id - - dimension: target__resource__resource_subtype { - type: string - sql: ${TABLE}.target.resource.resource_subtype ;; - group_label: "target" - label: "target.resource.resource_subtype" - view_label: "UDM" - description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\")." - } # dimension target__resource__resource_subtype - - dimension: target__resource__resource_type { - type: number - sql: ${TABLE}.target.resource.resource_type ;; - group_label: "target" - label: "target.resource.resource_type" - view_label: "UDM" - description: "Resource type." 
- } # dimension target__resource__resource_type - - dimension: target__resource__resource_type_enum_name { - type: string - suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] - sql: CASE ${TABLE}.target.resource.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; - group_label: "target" - label: "target.resource.resource_type_enum_name" - view_label: "UDM" - description: "Resource type." - } # dimension target__resource__resource_type_enum_name - - dimension: target__resource__type { - type: string - sql: ${TABLE}.target.resource.type ;; - group_label: "target" - group_item_label: "target.resource.type [D]" - label: "target.resource.type" - view_label: "UDM" - description: "Deprecated: use resource_type instead. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__resource__type - - dimension: target__resource_ancestors { - hidden: yes - } # dimension target__resource_ancestors - - dimension: target__url { - type: string - sql: ${TABLE}.target.url ;; - group_label: "target" - label: "target.url" - view_label: "UDM" - description: "The URL." 
- } # dimension target__url - - dimension: target__user { - hidden: yes - } # dimension target__user - - dimension: target__user__account_type { - type: number - sql: ${TABLE}.target.user.account_type ;; - group_label: "target" - label: "target.user.account_type" - view_label: "UDM" - description: "Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/" - } # dimension target__user__account_type - - dimension: target__user__account_type_enum_name { - type: string - suggestions: ["ACCOUNT_TYPE_UNSPECIFIED", "CLOUD_ACCOUNT_TYPE", "DEFAULT_ACCOUNT_TYPE", "DOMAIN_ACCOUNT_TYPE", "LOCAL_ACCOUNT_TYPE", "SERVICE_ACCOUNT_TYPE"] - sql: CASE ${TABLE}.target.user.account_type WHEN 0 THEN 'ACCOUNT_TYPE_UNSPECIFIED' WHEN 1 THEN 'DOMAIN_ACCOUNT_TYPE' WHEN 2 THEN 'LOCAL_ACCOUNT_TYPE' WHEN 3 THEN 'CLOUD_ACCOUNT_TYPE' WHEN 4 THEN 'SERVICE_ACCOUNT_TYPE' WHEN 5 THEN 'DEFAULT_ACCOUNT_TYPE' END ;; - group_label: "target" - label: "target.user.account_type_enum_name" - view_label: "UDM" - description: "Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/" - } # dimension target__user__account_type_enum_name - - dimension: target__user__attribute { - hidden: yes - } # dimension target__user__attribute - - dimension: target__user__attribute__cloud { - hidden: yes - } # dimension target__user__attribute__cloud - - dimension: target__user__attribute__cloud__environment { - type: number - sql: ${TABLE}.target.user.attribute.cloud.environment ;; - group_label: "target" - label: "target.user.attribute.cloud.environment" - view_label: "UDM" - description: "The Cloud environment." 
- } # dimension target__user__attribute__cloud__environment - - dimension: target__user__attribute__cloud__environment_enum_name { - type: string - suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] - sql: CASE ${TABLE}.target.user.attribute.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; - group_label: "target" - label: "target.user.attribute.cloud.environment_enum_name" - view_label: "UDM" - description: "The Cloud environment." - } # dimension target__user__attribute__cloud__environment_enum_name - - dimension: target__user__attribute__cloud__project { - hidden: yes - } # dimension target__user__attribute__cloud__project - - dimension: target__user__attribute__cloud__project__id { - type: string - sql: ${TABLE}.target.user.attribute.cloud.project.id ;; - group_label: "target" - group_item_label: "target.user.attribute.cloud.project.id [D]" - label: "target.user.attribute.cloud.project.id" - view_label: "UDM" - description: "Deprecated: Use resource.name or resource.product_object_id. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension target__user__attribute__cloud__project__id - - dimension: target__user__attribute__cloud__vpc { - hidden: yes - } # dimension target__user__attribute__cloud__vpc - - dimension: target__user__attribute__cloud__vpc__product_object_id { - type: string - sql: ${TABLE}.target.user.attribute.cloud.vpc.product_object_id ;; - group_label: "target" - group_item_label: "target.user.attribute.cloud.vpc.product_object_id [D]" - label: "target.user.attribute.cloud.vpc.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" - } # dimension target__user__attribute__cloud__vpc__product_object_id - - dimension_group: target__user__attribute__creation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.user.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.user.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.user.attribute.creation_time" - view_label: "UDM" - description: "Time the resource or entity was created or provisioned." 
- } # dimension target__user__attribute__creation_time - - dimension: target__user__attribute__labels { - hidden: yes - } # dimension target__user__attribute__labels - - dimension_group: target__user__attribute__last_update_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.user.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.user.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.user.attribute.last_update_time" - view_label: "UDM" - description: "Time the resource or entity was last updated." - } # dimension target__user__attribute__last_update_time - - dimension: target__user__attribute__permissions { - hidden: yes - } # dimension target__user__attribute__permissions - - dimension: target__user__attribute__roles { - hidden: yes - } # dimension target__user__attribute__roles - - dimension: target__user__company_name { - type: string - sql: ${TABLE}.target.user.company_name ;; - group_label: "target" - label: "target.user.company_name" - view_label: "UDM" - description: "User job company name." - } # dimension target__user__company_name - - dimension: target__user__department { - hidden: yes - } # dimension target__user__department - - dimension: target__user__email_addresses { - hidden: yes - } # dimension target__user__email_addresses - - dimension: target__user__employee_id { - type: string - sql: ${TABLE}.target.user.employee_id ;; - group_label: "target" - label: "target.user.employee_id" - view_label: "UDM" - description: "Human capital management identifier." - } # dimension target__user__employee_id - - dimension: target__user__first_name { - type: string - sql: ${TABLE}.target.user.first_name ;; - group_label: "target" - label: "target.user.first_name" - view_label: "UDM" - description: "First name of the user (e.g. \"John\")." 
- } # dimension target__user__first_name - - dimension: target__user__group_identifiers { - hidden: yes - } # dimension target__user__group_identifiers - - dimension: target__user__groupid { - type: string - sql: ${TABLE}.target.user.groupid ;; - group_label: "target" - group_item_label: "target.user.groupid [D]" - label: "target.user.groupid" - view_label: "UDM" - description: "The ID of the group that the user belongs to. Deprecated in favor of the repeated group_identifiers field. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__user__groupid - - dimension_group: target__user__hire_date { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.user.hire_date.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.user.hire_date.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.user.hire_date" - view_label: "UDM" - description: "User job employment hire date." - } # dimension target__user__hire_date - - dimension: target__user__last_name { - type: string - sql: ${TABLE}.target.user.last_name ;; - group_label: "target" - label: "target.user.last_name" - view_label: "UDM" - description: "Last name of the user (e.g. \"Locke\")." - } # dimension target__user__last_name - - dimension: target__user__managers { - hidden: yes - } # dimension target__user__managers - - dimension: target__user__middle_name { - type: string - sql: ${TABLE}.target.user.middle_name ;; - group_label: "target" - label: "target.user.middle_name" - view_label: "UDM" - description: "Middle name of the user." 
- } # dimension target__user__middle_name - - dimension: target__user__office_address { - hidden: yes - } # dimension target__user__office_address - - dimension: target__user__office_address__city { - type: string - sql: ${TABLE}.target.user.office_address.city ;; - group_label: "target" - label: "target.user.office_address.city" - view_label: "UDM" - description: "The city." - } # dimension target__user__office_address__city - - dimension: target__user__office_address__country_or_region { - type: string - sql: ${TABLE}.target.user.office_address.country_or_region ;; - group_label: "target" - label: "target.user.office_address.country_or_region" - view_label: "UDM" - description: "The country or region." - } # dimension target__user__office_address__country_or_region - - dimension: target__user__office_address__desk_name { - type: string - sql: ${TABLE}.target.user.office_address.desk_name ;; - group_label: "target" - label: "target.user.office_address.desk_name" - view_label: "UDM" - description: "Desk name or individual location, typically for an employee in an office. (e.g. \"IN-BLR-BCPC-11-1121D\")." - } # dimension target__user__office_address__desk_name - - dimension: target__user__office_address__floor_name { - type: string - sql: ${TABLE}.target.user.office_address.floor_name ;; - group_label: "target" - label: "target.user.office_address.floor_name" - view_label: "UDM" - description: "Floor name, number or a combination of the two for a building. (e.g. \"1-A\")." - } # dimension target__user__office_address__floor_name - - dimension: target__user__office_address__name { - type: string - sql: ${TABLE}.target.user.office_address.name ;; - group_label: "target" - label: "target.user.office_address.name" - view_label: "UDM" - description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." 
- } # dimension target__user__office_address__name - - dimension: target__user__office_address__state { - type: string - sql: ${TABLE}.target.user.office_address.state ;; - group_label: "target" - label: "target.user.office_address.state" - view_label: "UDM" - description: "The state." - } # dimension target__user__office_address__state - - dimension: target__user__personal_address { - hidden: yes - } # dimension target__user__personal_address - - dimension: target__user__personal_address__city { - type: string - sql: ${TABLE}.target.user.personal_address.city ;; - group_label: "target" - label: "target.user.personal_address.city" - view_label: "UDM" - description: "The city." - } # dimension target__user__personal_address__city - - dimension: target__user__personal_address__country_or_region { - type: string - sql: ${TABLE}.target.user.personal_address.country_or_region ;; - group_label: "target" - label: "target.user.personal_address.country_or_region" - view_label: "UDM" - description: "The country or region." - } # dimension target__user__personal_address__country_or_region - - dimension: target__user__personal_address__name { - type: string - sql: ${TABLE}.target.user.personal_address.name ;; - group_label: "target" - label: "target.user.personal_address.name" - view_label: "UDM" - description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." - } # dimension target__user__personal_address__name - - dimension: target__user__personal_address__region_latitude { - type: number - sql: ${TABLE}.target.user.personal_address.region_latitude ;; - group_label: "target" - group_item_label: "target.user.personal_address.region_latitude [D]" - label: "target.user.personal_address.region_latitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension target__user__personal_address__region_latitude - - dimension: target__user__personal_address__region_longitude { - type: number - sql: ${TABLE}.target.user.personal_address.region_longitude ;; - group_label: "target" - group_item_label: "target.user.personal_address.region_longitude [D]" - label: "target.user.personal_address.region_longitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__user__personal_address__region_longitude - - dimension: target__user__personal_address__location { - type: location - sql_latitude: ${TABLE}.target.user.personal_address.region_latitude ;; - sql_longitude: ${TABLE}.target.user.personal_address.region_longitude ;; - group_label: "target" - group_item_label: "target.user.personal_address.location [D][L]" - label: "target.user.personal_address.location" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." - } # dimension target__user__personal_address__location - - dimension: target__user__personal_address__state { - type: string - sql: ${TABLE}.target.user.personal_address.state ;; - group_label: "target" - label: "target.user.personal_address.state" - view_label: "UDM" - description: "The state." - } # dimension target__user__personal_address__state - - dimension: target__user__phone_numbers { - hidden: yes - } # dimension target__user__phone_numbers - - dimension: target__user__product_object_id { - type: string - sql: ${TABLE}.target.user.product_object_id ;; - group_label: "target" - label: "target.user.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." 
- } # dimension target__user__product_object_id - - dimension: target__user__role_description { - type: string - sql: ${TABLE}.target.user.role_description ;; - group_label: "target" - group_item_label: "target.user.role_description [D]" - label: "target.user.role_description" - view_label: "UDM" - description: "System role description for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__user__role_description - - dimension: target__user__role_name { - type: string - sql: ${TABLE}.target.user.role_name ;; - group_label: "target" - group_item_label: "target.user.role_name [D]" - label: "target.user.role_name" - view_label: "UDM" - description: "System role name for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__user__role_name - - dimension_group: target__user__termination_date { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.user.termination_date.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.user.termination_date.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.user.termination_date" - view_label: "UDM" - description: "User job employment termination date." - } # dimension target__user__termination_date - - dimension: target__user__time_off { - hidden: yes - } # dimension target__user__time_off - - dimension: target__user__title { - type: string - sql: ${TABLE}.target.user.title ;; - group_label: "target" - label: "target.user.title" - view_label: "UDM" - description: "User job title." 
- } # dimension target__user__title - - dimension: target__user__user_authentication_status { - type: number - sql: ${TABLE}.target.user.user_authentication_status ;; - group_label: "target" - label: "target.user.user_authentication_status" - view_label: "UDM" - description: "System authentication status for user." - } # dimension target__user__user_authentication_status - - dimension: target__user__user_authentication_status_enum_name { - type: string - suggestions: ["ACTIVE", "DELETED", "NO_ACTIVE_CREDENTIALS", "SUSPENDED", "UNKNOWN_AUTHENTICATION_STATUS"] - sql: CASE ${TABLE}.target.user.user_authentication_status WHEN 0 THEN 'UNKNOWN_AUTHENTICATION_STATUS' WHEN 1 THEN 'ACTIVE' WHEN 2 THEN 'SUSPENDED' WHEN 3 THEN 'NO_ACTIVE_CREDENTIALS' WHEN 4 THEN 'DELETED' END ;; - group_label: "target" - label: "target.user.user_authentication_status_enum_name" - view_label: "UDM" - description: "System authentication status for user." - } # dimension target__user__user_authentication_status_enum_name - - dimension: target__user__user_display_name { - type: string - sql: ${TABLE}.target.user.user_display_name ;; - group_label: "target" - label: "target.user.user_display_name" - view_label: "UDM" - description: "The display name of the user (e.g. \"John Locke\")." - } # dimension target__user__user_display_name - - dimension: target__user__user_role { - type: number - sql: ${TABLE}.target.user.user_role ;; - group_label: "target" - group_item_label: "target.user.user_role [D]" - label: "target.user.user_role" - view_label: "UDM" - description: "System role for user. Deprecated: use attribute.roles. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension target__user__user_role - - dimension: target__user__user_role_enum_name { - type: string - suggestions: ["ADMINISTRATOR", "SERVICE_ACCOUNT", "UNKNOWN_ROLE"] - sql: CASE ${TABLE}.target.user.user_role WHEN 0 THEN 'UNKNOWN_ROLE' WHEN 1 THEN 'ADMINISTRATOR' WHEN 2 THEN 'SERVICE_ACCOUNT' END ;; - group_label: "target" - group_item_label: "target.user.user_role_enum_name [D]" - label: "target.user.user_role_enum_name" - view_label: "UDM" - description: "System role for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__user__user_role_enum_name - - dimension: target__user__userid { - type: string - sql: ${TABLE}.target.user.userid ;; - group_label: "target" - label: "target.user.userid" - view_label: "UDM" - description: "The ID of the user." - } # dimension target__user__userid - - dimension: target__user__windows_sid { - type: string - sql: ${TABLE}.target.user.windows_sid ;; - group_label: "target" - label: "target.user.windows_sid" - view_label: "UDM" - description: "The Microsoft Windows SID of the user." - } # dimension target__user__windows_sid - - dimension: target__user_management_chain { - hidden: yes - } # dimension target__user_management_chain - -} # view events - -view: events__about__asset__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "about" - label: "about.asset.attribute.labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "about" - label: "about.asset.attribute.labels.value" - view_label: "UDM" - description: "The value." 
- } # dimension value - -} # view events__about__asset__attribute__labels - -view: events__about__asset__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "about" - label: "about.asset.attribute.permissions.description" - view_label: "UDM" - description: "Description of the permission (e.g. 'Ability to update detect rules')." - } # dimension description - -} # view events__about__asset__attribute__permissions - -view: events__about__asset__hardware { - dimension: manufacturer { - type: string - sql: ${TABLE}.manufacturer ;; - group_label: "about" - label: "about.asset.hardware.manufacturer" - view_label: "UDM" - description: "Hardware manufacturer." - } # dimension manufacturer - - dimension: model { - type: string - sql: ${TABLE}.model ;; - group_label: "about" - label: "about.asset.hardware.model" - view_label: "UDM" - description: "Hardware model." - } # dimension model - - dimension: serial_number { - type: string - sql: ${TABLE}.serial_number ;; - group_label: "about" - label: "about.asset.hardware.serial_number" - view_label: "UDM" - description: "Hardware serial number." - } # dimension serial_number - -} # view events__about__asset__hardware - -view: events__about__asset__ip { - dimension: events__about__asset__ip { - type: string - sql: ${TABLE} ;; - group_label: "about" - label: "about.asset.ip" - view_label: "UDM" - description: "A list of IP addresses associated with an asset." - } # dimension events__about__asset__ip -} # view events__about__asset__ip - -view: events__about__asset__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "about" - group_item_label: "about.asset.labels.key [D]" - label: "about.asset.labels.key" - view_label: "UDM" - description: "The key. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "about" - group_item_label: "about.asset.labels.value [D]" - label: "about.asset.labels.value" - view_label: "UDM" - description: "The value. [D]: This field is deprecated and will be removed in a future release" - } # dimension value - -} # view events__about__asset__labels - -view: events__about__asset__vulnerabilities { - dimension: severity { - type: number - sql: ${TABLE}.severity ;; - group_label: "about" - label: "about.asset.vulnerabilities.severity" - view_label: "UDM" - description: "The severity of the vulnerability." - } # dimension severity - - dimension: severity_enum_name { - type: string - suggestions: ["CRITICAL", "HIGH", "LOW", "MEDIUM", "UNKNOWN_SEVERITY"] - sql: CASE ${TABLE}.severity WHEN 0 THEN 'UNKNOWN_SEVERITY' WHEN 1 THEN 'LOW' WHEN 2 THEN 'MEDIUM' WHEN 3 THEN 'HIGH' WHEN 4 THEN 'CRITICAL' END ;; - group_label: "about" - label: "about.asset.vulnerabilities.severity_enum_name" - view_label: "UDM" - description: "The severity of the vulnerability." - } # dimension severity_enum_name - -} # view events__about__asset__vulnerabilities - -view: events__about__file__capabilities_tags { - dimension: events__about__file__capabilities_tags { - type: string - sql: ${TABLE} ;; - group_label: "about" - label: "about.file.capabilities_tags" - view_label: "UDM" - description: "Capabilities tags." - } # dimension events__about__file__capabilities_tags -} # view events__about__file__capabilities_tags - -view: events__about__file__names { - dimension: events__about__file__names { - type: string - sql: ${TABLE} ;; - group_label: "about" - label: "about.file.names" - view_label: "UDM" - description: "Names fields." 
- } # dimension events__about__file__names -} # view events__about__file__names - -view: events__about__investigation__comments { - dimension: events__about__investigation__comments { - type: string - sql: ${TABLE} ;; - group_label: "about" - label: "about.investigation.comments" - view_label: "UDM" - description: "Comment added by the Analyst." - } # dimension events__about__investigation__comments -} # view events__about__investigation__comments - -view: events__about__ip { - dimension: events__about__ip { - type: string - sql: ${TABLE} ;; - group_label: "about" - label: "about.ip" - view_label: "UDM" - description: "A list of IP addresses associated with a network connection." - } # dimension events__about__ip -} # view events__about__ip - -view: events__about__ip_location { - dimension: country_or_region { - type: string - sql: ${TABLE}.country_or_region ;; - group_label: "about" - group_item_label: "about.ip_location.country_or_region [D]" - label: "about.ip_location.country_or_region" - view_label: "UDM" - description: "The country or region. [D]: This field is deprecated and will be removed in a future release" - } # dimension country_or_region - -} # view events__about__ip_location - -view: events__about__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "about" - group_item_label: "about.labels.key [D]" - label: "about.labels.key" - view_label: "UDM" - description: "The key. [D]: This field is deprecated and will be removed in a future release" - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "about" - group_item_label: "about.labels.value [D]" - label: "about.labels.value" - view_label: "UDM" - description: "The value. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension value - -} # view events__about__labels - -view: events__about__mac { - dimension: events__about__mac { - type: string - sql: ${TABLE} ;; - group_label: "about" - label: "about.mac" - view_label: "UDM" - description: "List of MAC addresses associated with a device." - } # dimension events__about__mac -} # view events__about__mac - -view: events__about__nat_ip { - dimension: events__about__nat_ip { - type: string - sql: ${TABLE} ;; - group_label: "about" - label: "about.nat_ip" - view_label: "UDM" - description: "A list of NAT translated IP addresses associated with a network connection." - } # dimension events__about__nat_ip -} # view events__about__nat_ip - -view: events__about__resource__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "about" - label: "about.resource.attribute.labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "about" - label: "about.resource.attribute.labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view events__about__resource__attribute__labels - -view: events__about__resource__attribute__permissions { - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "about" - label: "about.resource.attribute.permissions.name" - view_label: "UDM" - description: "Name of the permission (e.g. chronicle.analyst.updateRule)." - } # dimension name - -} # view events__about__resource__attribute__permissions - -view: events__about__resource_ancestors__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "about" - label: "about.resource_ancestors.attribute.labels.key" - view_label: "UDM" - description: "The key." 
- } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "about" - label: "about.resource_ancestors.attribute.labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view events__about__resource_ancestors__attribute__labels - -view: events__about__resource_ancestors { - dimension: attribute { - hidden: yes - } # dimension attribute - - dimension_group: about__resource_ancestors__attribute__creation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "about" - label: "about.resource_ancestors.attribute.creation_time" - view_label: "UDM" - description: "Time the resource or entity was created or provisioned." - } # dimension about__resource_ancestors__attribute__creation_time - - dimension: attribute__labels { - hidden: yes - } # dimension attribute__labels - - dimension_group: about__resource_ancestors__attribute__last_update_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "about" - label: "about.resource_ancestors.attribute.last_update_time" - view_label: "UDM" - description: "Time the resource or entity was last updated." - } # dimension about__resource_ancestors__attribute__last_update_time - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "about" - label: "about.resource_ancestors.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." 
- } # dimension name - - dimension: product_object_id { - type: string - sql: ${TABLE}.product_object_id ;; - group_label: "about" - label: "about.resource_ancestors.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" - } # dimension product_object_id - -} # view events__about__resource_ancestors - -view: events__about__user__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "about" - label: "about.user.attribute.labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "about" - label: "about.user.attribute.labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view events__about__user__attribute__labels - -view: events__about__user__attribute__permissions { - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "about" - label: "about.user.attribute.permissions.name" - view_label: "UDM" - description: "Name of the permission (e.g. chronicle.analyst.updateRule)." - } # dimension name - -} # view events__about__user__attribute__permissions - -view: events__about__user__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "about" - label: "about.user.attribute.roles.description" - view_label: "UDM" - description: "System role description for user." - } # dimension description - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "about" - label: "about.user.attribute.roles.name" - view_label: "UDM" - description: "System role name for user." 
- } # dimension name - -} # view events__about__user__attribute__roles - -view: events__about__user__department { - dimension: events__about__user__department { - type: string - sql: ${TABLE} ;; - group_label: "about" - label: "about.user.department" - view_label: "UDM" - description: "User job department" - } # dimension events__about__user__department -} # view events__about__user__department - -view: events__about__user__email_addresses { - dimension: events__about__user__email_addresses { - type: string - sql: ${TABLE} ;; - group_label: "about" - label: "about.user.email_addresses" - view_label: "UDM" - description: "Email addresses of the user." - } # dimension events__about__user__email_addresses -} # view events__about__user__email_addresses - -view: events__about__user__group_identifiers { - dimension: events__about__user__group_identifiers { - type: string - sql: ${TABLE} ;; - group_label: "about" - label: "about.user.group_identifiers" - view_label: "UDM" - description: "Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar)." - } # dimension events__about__user__group_identifiers -} # view events__about__user__group_identifiers - -view: events__about { - dimension: administrative_domain { - type: string - sql: ${TABLE}.administrative_domain ;; - group_label: "about" - label: "about.administrative_domain" - view_label: "UDM" - description: "Domain which the device belongs to (for example, the Microsoft Windows domain)." - } # dimension administrative_domain - - dimension: application { - type: string - sql: ${TABLE}.application ;; - group_label: "about" - label: "about.application" - view_label: "UDM" - description: "The name of an application or service. Some SSO solutions only capture the name of a target application such as \"Atlassian\" or \"Chronicle\"." 
- } # dimension application - - dimension: artifact { - hidden: yes - } # dimension artifact - - dimension: artifact__prevalence { - hidden: yes - } # dimension artifact__prevalence - - dimension: artifact__prevalence__day_count { - type: number - sql: ${TABLE}.artifact.prevalence.day_count ;; - group_label: "about" - label: "about.artifact.prevalence.day_count" - view_label: "UDM" - description: "The number of days over which rolling_max is calculated." - } # dimension artifact__prevalence__day_count - - dimension: artifact__prevalence__day_max { - type: number - sql: ${TABLE}.artifact.prevalence.day_max ;; - group_label: "about" - label: "about.artifact.prevalence.day_max" - view_label: "UDM" - description: "The max prevalence score in a day interval window." - } # dimension artifact__prevalence__day_max - - dimension: asset { - hidden: yes - } # dimension asset - - dimension: asset__asset_id { - type: string - sql: ${TABLE}.asset.asset_id ;; - group_label: "about" - label: "about.asset.asset_id" - view_label: "UDM" - description: "The asset ID." - } # dimension asset__asset_id - - dimension: asset__attribute { - hidden: yes - } # dimension asset__attribute - - dimension: asset__attribute__labels { - hidden: yes - } # dimension asset__attribute__labels - - dimension: asset__attribute__permissions { - hidden: yes - } # dimension asset__attribute__permissions - - dimension: asset__category { - type: string - sql: ${TABLE}.asset.category ;; - group_label: "about" - label: "about.asset.category" - view_label: "UDM" - description: "The category of the asset (e.g. \"End User Asset\", \"Workstation\", \"Server\")." 
- } # dimension asset__category - - dimension_group: about__asset__first_discover_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.asset.first_discover_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.asset.first_discover_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "about" - label: "about.asset.first_discover_time" - view_label: "UDM" - description: "Time the asset was first discovered (by asset management/discoverability software)." - } # dimension about__asset__first_discover_time - - dimension: asset__hardware { - hidden: yes - } # dimension asset__hardware - - dimension: asset__hostname { - type: string - sql: ${TABLE}.asset.hostname ;; - group_label: "about" - label: "about.asset.hostname" - view_label: "UDM" - description: "Asset hostname or domain name field." - } # dimension asset__hostname - - dimension: asset__ip { - hidden: yes - } # dimension asset__ip - - dimension: asset__labels { - hidden: yes - } # dimension asset__labels - - dimension_group: about__asset__last_boot_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.asset.last_boot_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.asset.last_boot_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "about" - label: "about.asset.last_boot_time" - view_label: "UDM" - description: "Time the asset was last boot started." - } # dimension about__asset__last_boot_time - - dimension: asset__location { - hidden: yes - } # dimension asset__location - - dimension: asset__location__name { - type: string - sql: ${TABLE}.asset.location.name ;; - group_label: "about" - label: "about.asset.location.name" - view_label: "UDM" - description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." 
- } # dimension asset__location__name - - dimension: asset__product_object_id { - type: string - sql: ${TABLE}.asset.product_object_id ;; - group_label: "about" - label: "about.asset.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID or similar)." - } # dimension asset__product_object_id - - dimension: asset__vulnerabilities { - hidden: yes - } # dimension asset__vulnerabilities - - dimension: asset_id { - type: string - sql: ${TABLE}.asset_id ;; - group_label: "about" - label: "about.asset_id" - view_label: "UDM" - description: "The asset ID." - } # dimension asset_id - - dimension: cloud { - hidden: yes - } # dimension cloud - - dimension: cloud__vpc { - hidden: yes - } # dimension cloud__vpc - - dimension: cloud__vpc__id { - type: string - sql: ${TABLE}.cloud.vpc.id ;; - group_label: "about" - group_item_label: "about.cloud.vpc.id [D]" - label: "about.cloud.vpc.id" - view_label: "UDM" - description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" - } # dimension cloud__vpc__id - - dimension: domain { - hidden: yes - } # dimension domain - - dimension: domain__billing { - hidden: yes - } # dimension domain__billing - - dimension: domain__billing__title { - type: string - sql: ${TABLE}.domain.billing.title ;; - group_label: "about" - label: "about.domain.billing.title" - view_label: "UDM" - description: "User job title." - } # dimension domain__billing__title - - dimension: domain__name { - type: string - sql: ${TABLE}.domain.name ;; - group_label: "about" - label: "about.domain.name" - view_label: "UDM" - description: "The domain name." - } # dimension domain__name - - dimension: email { - type: string - sql: ${TABLE}.email ;; - group_label: "about" - label: "about.email" - view_label: "UDM" - description: "Email address. 
Only filled in for security_result.about" - } # dimension email - - dimension: file { - hidden: yes - } # dimension file - - dimension: file__capabilities_tags { - hidden: yes - } # dimension file__capabilities_tags - - dimension: file__full_path { - type: string - sql: ${TABLE}.file.full_path ;; - group_label: "about" - label: "about.file.full_path" - view_label: "UDM" - description: "The full path identifying the location of the file on the system." - } # dimension file__full_path - - dimension_group: about__file__last_modification_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.file.last_modification_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.file.last_modification_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "about" - label: "about.file.last_modification_time" - view_label: "UDM" - description: "Timestamp when the file was last updated." - } # dimension about__file__last_modification_time - - dimension: file__md5 { - type: string - sql: ${TABLE}.file.md5 ;; - group_label: "about" - label: "about.file.md5" - view_label: "UDM" - description: "The MD5 hash of the file." - } # dimension file__md5 - - dimension: file__mime_type { - type: string - sql: ${TABLE}.file.mime_type ;; - group_label: "about" - label: "about.file.mime_type" - view_label: "UDM" - description: "The MIME (Multipurpose Internet Mail Extensions) type of the file, for example \"PE\", \"PDF\", \"powershell script\", etc." - } # dimension file__mime_type - - dimension: file__names { - hidden: yes - } # dimension file__names - - dimension: file__sha1 { - type: string - sql: ${TABLE}.file.sha1 ;; - group_label: "about" - label: "about.file.sha1" - view_label: "UDM" - description: "The SHA1 hash of the file." 
- } # dimension file__sha1 - - dimension: file__sha256 { - type: string - sql: ${TABLE}.file.sha256 ;; - group_label: "about" - label: "about.file.sha256" - view_label: "UDM" - description: "The SHA256 hash of the file." - } # dimension file__sha256 - - dimension: file__size { - type: number - sql: ${TABLE}.file.size ;; - group_label: "about" - label: "about.file.size" - view_label: "UDM" - description: "The size of the file in bytes." - } # dimension file__size - - dimension: group { - hidden: yes - } # dimension group - - dimension: group__group_display_name { - type: string - sql: ${TABLE}.group.group_display_name ;; - group_label: "about" - label: "about.group.group_display_name" - view_label: "UDM" - description: "Group display name. e.g. \"Finance\"." - } # dimension group__group_display_name - - dimension: group__product_object_id { - type: string - sql: ${TABLE}.group.product_object_id ;; - group_label: "about" - label: "about.group.product_object_id" - view_label: "UDM" - description: "Product globally unique user object identifier, such as an LDAP Object Identifier." - } # dimension group__product_object_id - - dimension: hostname { - type: string - sql: ${TABLE}.hostname ;; - group_label: "about" - label: "about.hostname" - view_label: "UDM" - description: "Client hostname or domain name field. Hostname also doubles as the domain for remote entities." - } # dimension hostname - - dimension: investigation { - hidden: yes - } # dimension investigation - - dimension: investigation__comments { - hidden: yes - } # dimension investigation__comments - - dimension: investigation__root_cause { - type: string - sql: ${TABLE}.investigation.root_cause ;; - group_label: "about" - label: "about.investigation.root_cause" - view_label: "UDM" - description: "Root cause of the Alert or Finding set by analyst." 
- } # dimension investigation__root_cause - - dimension: ip { - hidden: yes - } # dimension ip - - dimension: ip_location { - hidden: yes - } # dimension ip_location - - dimension: labels { - hidden: yes - } # dimension labels - - dimension: location { - hidden: yes - } # dimension location - - dimension: location__city { - type: string - sql: ${TABLE}.location.city ;; - group_label: "about" - label: "about.location.city" - view_label: "UDM" - description: "The city." - } # dimension location__city - - dimension: location__country_or_region { - type: string - sql: ${TABLE}.location.country_or_region ;; - group_label: "about" - label: "about.location.country_or_region" - view_label: "UDM" - description: "The country or region." - } # dimension location__country_or_region - - dimension: location__state { - type: string - sql: ${TABLE}.location.state ;; - group_label: "about" - label: "about.location.state" - view_label: "UDM" - description: "The state." - } # dimension location__state - - dimension: mac { - hidden: yes - } # dimension mac - - dimension: namespace { - type: string - sql: ${TABLE}.namespace ;; - group_label: "about" - label: "about.namespace" - view_label: "UDM" - description: "Namespace which the device belongs to (e.g. AD forest) Uses for this field include Microsoft Windows AD forest, name of subsidiary or acquisition, etc." - } # dimension namespace - - dimension: nat_ip { - hidden: yes - } # dimension nat_ip - - dimension: platform_patch_level { - type: string - sql: ${TABLE}.platform_patch_level ;; - group_label: "about" - label: "about.platform_patch_level" - view_label: "UDM" - description: "Platform patch level. For example, \"Build 17134.48\"" - } # dimension platform_patch_level - - dimension: platform_version { - type: string - sql: ${TABLE}.platform_version ;; - group_label: "about" - label: "about.platform_version" - view_label: "UDM" - description: "Platform version. For example, \"Microsoft Windows 1803\"." 
- } # dimension platform_version - - dimension: port { - type: number - value_format: "#" - sql: ${TABLE}.port ;; - group_label: "about" - label: "about.port" - view_label: "UDM" - description: "Source or destination network port number when a specific network connection is described within an event." - } # dimension port - - dimension: process { - hidden: yes - } # dimension process - - dimension: process__access_mask { - type: number - sql: ${TABLE}.process.access_mask ;; - group_label: "about" - label: "about.process.access_mask" - view_label: "UDM" - description: "A bit mask representing the level of access." - } # dimension process__access_mask - - dimension: process__command_line { - type: string - sql: ${TABLE}.process.command_line ;; - group_label: "about" - label: "about.process.command_line" - view_label: "UDM" - description: "The command line command that created the process." - } # dimension process__command_line - - dimension: process__file { - hidden: yes - } # dimension process__file - - dimension: process__file__full_path { - type: string - sql: ${TABLE}.process.file.full_path ;; - group_label: "about" - label: "about.process.file.full_path" - view_label: "UDM" - description: "The full path identifying the location of the file on the system." - } # dimension process__file__full_path - - dimension: process__parent_pid { - type: string - sql: ${TABLE}.process.parent_pid ;; - group_label: "about" - group_item_label: "about.process.parent_pid [D]" - label: "about.process.parent_pid" - view_label: "UDM" - description: "The ID of the parent process. Deprecated: use parent_process.pid instead. [D]: This field is deprecated and will be removed in a future release" - } # dimension process__parent_pid - - dimension: process__pid { - type: string - sql: ${TABLE}.process.pid ;; - group_label: "about" - label: "about.process.pid" - view_label: "UDM" - description: "The process ID." 
- } # dimension process__pid - - dimension: registry { - hidden: yes - } # dimension registry - - dimension: registry__registry_key { - type: string - sql: ${TABLE}.registry.registry_key ;; - group_label: "about" - label: "about.registry.registry_key" - view_label: "UDM" - description: "Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...)." - } # dimension registry__registry_key - - dimension: resource { - hidden: yes - } # dimension resource - - dimension: resource__attribute { - hidden: yes - } # dimension resource__attribute - - dimension: resource__attribute__cloud { - hidden: yes - } # dimension resource__attribute__cloud - - dimension: resource__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.resource.attribute.cloud.availability_zone ;; - group_label: "about" - label: "about.resource.attribute.cloud.availability_zone" - view_label: "UDM" - description: "The cloud environment availability zone (different from region which is location.name)." - } # dimension resource__attribute__cloud__availability_zone - - dimension_group: about__resource__attribute__creation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.resource.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.resource.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "about" - label: "about.resource.attribute.creation_time" - view_label: "UDM" - description: "Time the resource or entity was created or provisioned." 
- } # dimension about__resource__attribute__creation_time - - dimension: resource__attribute__labels { - hidden: yes - } # dimension resource__attribute__labels - - dimension_group: about__resource__attribute__last_update_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.resource.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.resource.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "about" - label: "about.resource.attribute.last_update_time" - view_label: "UDM" - description: "Time the resource or entity was last updated." - } # dimension about__resource__attribute__last_update_time - - dimension: resource__attribute__permissions { - hidden: yes - } # dimension resource__attribute__permissions - - dimension: resource__id { - type: string - sql: ${TABLE}.resource.id ;; - group_label: "about" - group_item_label: "about.resource.id [D]" - label: "about.resource.id" - view_label: "UDM" - description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" - } # dimension resource__id - - dimension: resource__name { - type: string - sql: ${TABLE}.resource.name ;; - group_label: "about" - label: "about.resource.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." - } # dimension resource__name - - dimension: resource__parent { - type: string - sql: ${TABLE}.resource.parent ;; - group_label: "about" - group_item_label: "about.resource.parent [D]" - label: "about.resource.parent" - view_label: "UDM" - description: "The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: use resource_ancestors.name. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension resource__parent - - dimension: resource__product_object_id { - type: string - sql: ${TABLE}.resource.product_object_id ;; - group_label: "about" - label: "about.resource.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" - } # dimension resource__product_object_id - - dimension: resource__resource_subtype { - type: string - sql: ${TABLE}.resource.resource_subtype ;; - group_label: "about" - label: "about.resource.resource_subtype" - view_label: "UDM" - description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\")." - } # dimension resource__resource_subtype - - dimension: resource__resource_type { - type: number - sql: ${TABLE}.resource.resource_type ;; - group_label: "about" - label: "about.resource.resource_type" - view_label: "UDM" - description: "Resource type." - } # dimension resource__resource_type - - dimension: resource__resource_type_enum_name { - type: string - suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] - sql: CASE ${TABLE}.resource.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; - group_label: 
"about" - label: "about.resource.resource_type_enum_name" - view_label: "UDM" - description: "Resource type." - } # dimension resource__resource_type_enum_name - - dimension: resource__type { - type: string - sql: ${TABLE}.resource.type ;; - group_label: "about" - group_item_label: "about.resource.type [D]" - label: "about.resource.type" - view_label: "UDM" - description: "Deprecated: use resource_type instead. [D]: This field is deprecated and will be removed in a future release" - } # dimension resource__type - - dimension: resource_ancestors { - hidden: yes - } # dimension resource_ancestors - - dimension: url { - type: string - sql: ${TABLE}.url ;; - group_label: "about" - label: "about.url" - view_label: "UDM" - description: "The URL." - } # dimension url - - dimension: user { - hidden: yes - } # dimension user - - dimension: user__attribute { - hidden: yes - } # dimension user__attribute - - dimension: user__attribute__labels { - hidden: yes - } # dimension user__attribute__labels - - dimension: user__attribute__permissions { - hidden: yes - } # dimension user__attribute__permissions - - dimension: user__attribute__roles { - hidden: yes - } # dimension user__attribute__roles - - dimension: user__department { - hidden: yes - } # dimension user__department - - dimension: user__email_addresses { - hidden: yes - } # dimension user__email_addresses - - dimension: user__group_identifiers { - hidden: yes - } # dimension user__group_identifiers - - dimension: user__groupid { - type: string - sql: ${TABLE}.user.groupid ;; - group_label: "about" - group_item_label: "about.user.groupid [D]" - label: "about.user.groupid" - view_label: "UDM" - description: "The ID of the group that the user belongs to. Deprecated in favor of the repeated group_identifiers field. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension user__groupid - - dimension: user__product_object_id { - type: string - sql: ${TABLE}.user.product_object_id ;; - group_label: "about" - label: "about.user.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." - } # dimension user__product_object_id - - dimension: user__role_description { - type: string - sql: ${TABLE}.user.role_description ;; - group_label: "about" - group_item_label: "about.user.role_description [D]" - label: "about.user.role_description" - view_label: "UDM" - description: "System role description for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" - } # dimension user__role_description - - dimension: user__role_name { - type: string - sql: ${TABLE}.user.role_name ;; - group_label: "about" - group_item_label: "about.user.role_name [D]" - label: "about.user.role_name" - view_label: "UDM" - description: "System role name for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" - } # dimension user__role_name - - dimension: user__user_authentication_status { - type: number - sql: ${TABLE}.user.user_authentication_status ;; - group_label: "about" - label: "about.user.user_authentication_status" - view_label: "UDM" - description: "System authentication status for user." 
- } # dimension user__user_authentication_status - - dimension: user__user_authentication_status_enum_name { - type: string - suggestions: ["ACTIVE", "DELETED", "NO_ACTIVE_CREDENTIALS", "SUSPENDED", "UNKNOWN_AUTHENTICATION_STATUS"] - sql: CASE ${TABLE}.user.user_authentication_status WHEN 0 THEN 'UNKNOWN_AUTHENTICATION_STATUS' WHEN 1 THEN 'ACTIVE' WHEN 2 THEN 'SUSPENDED' WHEN 3 THEN 'NO_ACTIVE_CREDENTIALS' WHEN 4 THEN 'DELETED' END ;; - group_label: "about" - label: "about.user.user_authentication_status_enum_name" - view_label: "UDM" - description: "System authentication status for user." - } # dimension user__user_authentication_status_enum_name - - dimension: user__user_display_name { - type: string - sql: ${TABLE}.user.user_display_name ;; - group_label: "about" - label: "about.user.user_display_name" - view_label: "UDM" - description: "The display name of the user (e.g. \"John Locke\")." - } # dimension user__user_display_name - - dimension: user__userid { - type: string - sql: ${TABLE}.user.userid ;; - group_label: "about" - label: "about.user.userid" - view_label: "UDM" - description: "The ID of the user." - } # dimension user__userid - - dimension: user__windows_sid { - type: string - sql: ${TABLE}.user.windows_sid ;; - group_label: "about" - label: "about.user.windows_sid" - view_label: "UDM" - description: "The Microsoft Windows SID of the user." 
- } # dimension user__windows_sid - -} # view events__about - -view: events__additional__fields__value__list_value__values__struct_value__fields { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "additional" - label: "additional.fields.value.list_value.values.struct_value.fields.key" - view_label: "UDM" - } # dimension key - -} # view events__additional__fields__value__list_value__values__struct_value__fields - -view: events__additional__fields__value__list_value__values { - dimension: string_value { - type: string - sql: ${TABLE}.string_value ;; - group_label: "additional" - label: "additional.fields.value.list_value.values.string_value" - view_label: "UDM" - } # dimension string_value - - dimension: struct_value { - hidden: yes - } # dimension struct_value - - dimension: struct_value__fields { - hidden: yes - } # dimension struct_value__fields - -} # view events__additional__fields__value__list_value__values - -view: events__additional__fields__value__struct_value__fields { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "additional" - label: "additional.fields.value.struct_value.fields.key" - view_label: "UDM" - } # dimension key - -} # view events__additional__fields__value__struct_value__fields - -view: events__additional__fields { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "additional" - label: "additional.fields.key" - view_label: "UDM" - } # dimension key - - dimension: value { - hidden: yes - } # dimension value - - dimension: value__bool_value { - type: yesno - sql: ${TABLE}.value.bool_value ;; - group_label: "additional" - label: "additional.fields.value.bool_value" - view_label: "UDM" - } # dimension value__bool_value - - dimension: value__list_value { - hidden: yes - } # dimension value__list_value - - dimension: value__list_value__values { - hidden: yes - } # dimension value__list_value__values - - dimension: value__null_value { - type: number - sql: ${TABLE}.value.null_value 
;; - group_label: "additional" - label: "additional.fields.value.null_value" - view_label: "UDM" - } # dimension value__null_value - - dimension: value__null_value_enum_name { - type: string - suggestions: ["NULL_VALUE"] - sql: CASE ${TABLE}.value.null_value WHEN 0 THEN 'NULL_VALUE' END ;; - group_label: "additional" - label: "additional.fields.value.null_value_enum_name" - view_label: "UDM" - } # dimension value__null_value_enum_name - - dimension: value__number_value { - type: number - sql: ${TABLE}.value.number_value ;; - group_label: "additional" - label: "additional.fields.value.number_value" - view_label: "UDM" - } # dimension value__number_value - - dimension: value__string_value { - type: string - sql: ${TABLE}.value.string_value ;; - group_label: "additional" - label: "additional.fields.value.string_value" - view_label: "UDM" - } # dimension value__string_value - - dimension: value__struct_value { - hidden: yes - } # dimension value__struct_value - - dimension: value__struct_value__fields { - hidden: yes - } # dimension value__struct_value__fields - -} # view events__additional__fields - -view: events__extensions__auth__mechanism { - dimension: events__extensions__auth__mechanism { - type: number - sql: ${TABLE} ;; - group_label: "extensions" - label: "extensions.auth.mechanism" - view_label: "UDM" - description: "The authentication mechanism." 
- } # dimension events__extensions__auth__mechanism -} # view events__extensions__auth__mechanism - -view: events__extensions__auth__mechanism_enum_name { - dimension: events__extensions__auth__mechanism_enum_name { - type: string - suggestions: ["BADGE_READER", "BATCH", "CACHED_INTERACTIVE", "CACHED_REMOTE_INTERACTIVE", "CACHED_UNLOCK", "HARDWARE_KEY", "INTERACTIVE", "LOCAL", "MECHANISM_OTHER", "MECHANISM_UNSPECIFIED", "NETWORK", "NETWORK_CLEAR_TEXT", "NEW_CREDENTIALS", "OTP", "REMOTE", "REMOTE_INTERACTIVE", "SERVICE", "UNLOCK", "USERNAME_PASSWORD"] - sql: CASE ${TABLE} WHEN 0 THEN 'MECHANISM_UNSPECIFIED' WHEN 1 THEN 'USERNAME_PASSWORD' WHEN 2 THEN 'OTP' WHEN 3 THEN 'HARDWARE_KEY' WHEN 4 THEN 'LOCAL' WHEN 5 THEN 'REMOTE' WHEN 6 THEN 'REMOTE_INTERACTIVE' WHEN 7 THEN 'MECHANISM_OTHER' WHEN 8 THEN 'BADGE_READER' WHEN 9 THEN 'NETWORK' WHEN 10 THEN 'BATCH' WHEN 11 THEN 'SERVICE' WHEN 12 THEN 'UNLOCK' WHEN 13 THEN 'NETWORK_CLEAR_TEXT' WHEN 14 THEN 'NEW_CREDENTIALS' WHEN 15 THEN 'INTERACTIVE' WHEN 16 THEN 'CACHED_INTERACTIVE' WHEN 17 THEN 'CACHED_REMOTE_INTERACTIVE' WHEN 18 THEN 'CACHED_UNLOCK' END ;; - group_label: "extensions" - label: "extensions.auth.mechanism_enum_name" - view_label: "UDM" - description: "The authentication mechanism." - } # dimension events__extensions__auth__mechanism_enum_name -} # view events__extensions__auth__mechanism_enum_name - -view: events__extensions__vulns__vulnerabilities__about__asset__ip { - dimension: events__extensions__vulns__vulnerabilities__about__asset__ip { - type: string - sql: ${TABLE} ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.about.asset.ip" - view_label: "UDM" - description: "A list of IP addresses associated with an asset." 
- } # dimension events__extensions__vulns__vulnerabilities__about__asset__ip -} # view events__extensions__vulns__vulnerabilities__about__asset__ip - -view: events__extensions__vulns__vulnerabilities__about__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "extensions" - group_item_label: "extensions.vulns.vulnerabilities.about.labels.key [D]" - label: "extensions.vulns.vulnerabilities.about.labels.key" - view_label: "UDM" - description: "The key. [D]: This field is deprecated and will be removed in a future release" - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "extensions" - group_item_label: "extensions.vulns.vulnerabilities.about.labels.value [D]" - label: "extensions.vulns.vulnerabilities.about.labels.value" - view_label: "UDM" - description: "The value. [D]: This field is deprecated and will be removed in a future release" - } # dimension value - -} # view events__extensions__vulns__vulnerabilities__about__labels - -view: events__extensions__vulns__vulnerabilities__about__resource__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.about.resource.attribute.labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.about.resource.attribute.labels.value" - view_label: "UDM" - description: "The value." 
- } # dimension value - -} # view events__extensions__vulns__vulnerabilities__about__resource__attribute__labels - -view: events__extensions__vulns__vulnerabilities { - dimension: about { - hidden: yes - } # dimension about - - dimension: about__asset { - hidden: yes - } # dimension about__asset - - dimension: about__asset__hostname { - type: string - sql: ${TABLE}.about.asset.hostname ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.about.asset.hostname" - view_label: "UDM" - description: "Asset hostname or domain name field." - } # dimension about__asset__hostname - - dimension: about__asset__ip { - hidden: yes - } # dimension about__asset__ip - - dimension: about__asset__platform_software { - hidden: yes - } # dimension about__asset__platform_software - - dimension: about__asset__platform_software__platform { - type: number - sql: ${TABLE}.about.asset.platform_software.platform ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.about.asset.platform_software.platform" - view_label: "UDM" - description: "The platform operating system." - } # dimension about__asset__platform_software__platform - - dimension: about__asset__platform_software__platform_enum_name { - type: string - suggestions: ["ANDROID", "AWS", "AZURE", "CHROME_OS", "GCP", "IOS", "LINUX", "MAC", "UNKNOWN_PLATFORM", "WINDOWS"] - sql: CASE ${TABLE}.about.asset.platform_software.platform WHEN 0 THEN 'UNKNOWN_PLATFORM' WHEN 1 THEN 'WINDOWS' WHEN 2 THEN 'MAC' WHEN 3 THEN 'LINUX' WHEN 4 THEN 'GCP' WHEN 5 THEN 'AWS' WHEN 6 THEN 'AZURE' WHEN 7 THEN 'IOS' WHEN 8 THEN 'ANDROID' WHEN 9 THEN 'CHROME_OS' END ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.about.asset.platform_software.platform_enum_name" - view_label: "UDM" - description: "The platform operating system." 
- } # dimension about__asset__platform_software__platform_enum_name - - dimension: about__asset__product_object_id { - type: string - sql: ${TABLE}.about.asset.product_object_id ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.about.asset.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID or similar)." - } # dimension about__asset__product_object_id - - dimension: about__cloud { - hidden: yes - } # dimension about__cloud - - dimension: about__cloud__availability_zone { - type: string - sql: ${TABLE}.about.cloud.availability_zone ;; - group_label: "extensions" - group_item_label: "extensions.vulns.vulnerabilities.about.cloud.availability_zone [D]" - label: "extensions.vulns.vulnerabilities.about.cloud.availability_zone" - view_label: "UDM" - description: "The cloud environment availability zone (different from region which is location.name). [D]: This field is deprecated and will be removed in a future release" - } # dimension about__cloud__availability_zone - - dimension: about__cloud__environment { - type: number - sql: ${TABLE}.about.cloud.environment ;; - group_label: "extensions" - group_item_label: "extensions.vulns.vulnerabilities.about.cloud.environment [D]" - label: "extensions.vulns.vulnerabilities.about.cloud.environment" - view_label: "UDM" - description: "The Cloud environment. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension about__cloud__environment - - dimension: about__cloud__environment_enum_name { - type: string - suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] - sql: CASE ${TABLE}.about.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; - group_label: "extensions" - group_item_label: "extensions.vulns.vulnerabilities.about.cloud.environment_enum_name [D]" - label: "extensions.vulns.vulnerabilities.about.cloud.environment_enum_name" - view_label: "UDM" - description: "The Cloud environment. [D]: This field is deprecated and will be removed in a future release" - } # dimension about__cloud__environment_enum_name - - dimension: about__cloud__project { - hidden: yes - } # dimension about__cloud__project - - dimension: about__cloud__project__name { - type: string - sql: ${TABLE}.about.cloud.project.name ;; - group_label: "extensions" - group_item_label: "extensions.vulns.vulnerabilities.about.cloud.project.name [D]" - label: "extensions.vulns.vulnerabilities.about.cloud.project.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension about__cloud__project__name - - dimension: about__group { - hidden: yes - } # dimension about__group - - dimension: about__group__attribute { - hidden: yes - } # dimension about__group__attribute - - dimension: about__group__attribute__cloud { - hidden: yes - } # dimension about__group__attribute__cloud - - dimension: about__group__attribute__cloud__project { - hidden: yes - } # dimension about__group__attribute__cloud__project - - dimension: about__group__attribute__cloud__project__name { - type: string - sql: ${TABLE}.about.group.attribute.cloud.project.name ;; - group_label: "extensions" - group_item_label: "extensions.vulns.vulnerabilities.about.group.attribute.cloud.project.name [D]" - label: "extensions.vulns.vulnerabilities.about.group.attribute.cloud.project.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" - } # dimension about__group__attribute__cloud__project__name - - dimension: about__hostname { - type: string - sql: ${TABLE}.about.hostname ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.about.hostname" - view_label: "UDM" - description: "Client hostname or domain name field. Hostname also doubles as the domain for remote entities." - } # dimension about__hostname - - dimension: about__labels { - hidden: yes - } # dimension about__labels - - dimension: about__namespace { - type: string - sql: ${TABLE}.about.namespace ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.about.namespace" - view_label: "UDM" - description: "Namespace which the device belongs to (e.g. AD forest) Uses for this field include Microsoft Windows AD forest, name of subsidiary or acquisition, etc." 
- } # dimension about__namespace - - dimension: about__platform { - type: number - sql: ${TABLE}.about.platform ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.about.platform" - view_label: "UDM" - description: "Platform." - } # dimension about__platform - - dimension: about__platform_enum_name { - type: string - suggestions: ["ANDROID", "AWS", "AZURE", "CHROME_OS", "GCP", "IOS", "LINUX", "MAC", "UNKNOWN_PLATFORM", "WINDOWS"] - sql: CASE ${TABLE}.about.platform WHEN 0 THEN 'UNKNOWN_PLATFORM' WHEN 1 THEN 'WINDOWS' WHEN 2 THEN 'MAC' WHEN 3 THEN 'LINUX' WHEN 4 THEN 'GCP' WHEN 5 THEN 'AWS' WHEN 6 THEN 'AZURE' WHEN 7 THEN 'IOS' WHEN 8 THEN 'ANDROID' WHEN 9 THEN 'CHROME_OS' END ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.about.platform_enum_name" - view_label: "UDM" - description: "Platform." - } # dimension about__platform_enum_name - - dimension: about__resource { - hidden: yes - } # dimension about__resource - - dimension: about__resource__attribute { - hidden: yes - } # dimension about__resource__attribute - - dimension: about__resource__attribute__labels { - hidden: yes - } # dimension about__resource__attribute__labels - - dimension: about__resource__product_object_id { - type: string - sql: ${TABLE}.about.resource.product_object_id ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.about.resource.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" - } # dimension about__resource__product_object_id - - dimension: cve_description { - type: string - sql: ${TABLE}.cve_description ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.cve_description" - view_label: "UDM" - description: "Common Vulnerabilities and Exposures Description. 
https://cve.mitre.org/about/faqs.html#what_is_cve_record" - } # dimension cve_description - - dimension: cve_id { - type: string - sql: ${TABLE}.cve_id ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.cve_id" - view_label: "UDM" - description: "Common Vulnerabilities and Exposures Id.https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures https://cve.mitre.org/about/faqs.html#what_is_cve_id" - } # dimension cve_id - - dimension: cvss_base_score { - type: number - sql: ${TABLE}.cvss_base_score ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.cvss_base_score" - view_label: "UDM" - description: "CVSS Base Score in the range of 0.0 to 10.0. Useful for sorting." - } # dimension cvss_base_score - - dimension: cvss_vector { - type: string - sql: ${TABLE}.cvss_vector ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.cvss_vector" - view_label: "UDM" - description: "Vector of CVSS properties (e.g. \"AV:L/AC:H/Au:N/C:N/I:P/A:C\") Can be linked to via: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=VALUE" - } # dimension cvss_vector - - dimension: cvss_version { - type: string - sql: ${TABLE}.cvss_version ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.cvss_version" - view_label: "UDM" - description: "Version of CVSS Vector/Score." - } # dimension cvss_version - - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.description" - view_label: "UDM" - description: "Description of the vulnerability." 
- } # dimension description - - dimension_group: extensions__vulns__vulnerabilities__first_found { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.first_found.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.first_found.nanos, 0) / 1000) as INT64)) ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.first_found" - view_label: "UDM" - description: "Products that maintain a history of vuln scans should populate first_found with the time that a scan first detected the vulnerability on this asset." - } # dimension extensions__vulns__vulnerabilities__first_found - - dimension_group: extensions__vulns__vulnerabilities__last_found { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.last_found.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.last_found.nanos, 0) / 1000) as INT64)) ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.last_found" - view_label: "UDM" - description: "Products that maintain a history of vuln scans should populate last_found with the time that a scan last detected the vulnerability on this asset." - } # dimension extensions__vulns__vulnerabilities__last_found - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.name" - view_label: "UDM" - description: "Name of the vulnerability (e.g. \"Unsupported OS Version detected\")." 
- } # dimension name - - dimension_group: extensions__vulns__vulnerabilities__scan_end_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.scan_end_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.scan_end_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.scan_end_time" - view_label: "UDM" - description: "If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan ended. This field can be left unset if the end time is not available or not applicable." - } # dimension extensions__vulns__vulnerabilities__scan_end_time - - dimension_group: extensions__vulns__vulnerabilities__scan_start_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.scan_start_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.scan_start_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.scan_start_time" - view_label: "UDM" - description: "If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan started. This field can be left unset if the start time is not available or not applicable." - } # dimension extensions__vulns__vulnerabilities__scan_start_time - - dimension: severity { - type: number - sql: ${TABLE}.severity ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.severity" - view_label: "UDM" - description: "The severity of the vulnerability." 
- } # dimension severity - - dimension: severity_enum_name { - type: string - suggestions: ["CRITICAL", "HIGH", "LOW", "MEDIUM", "UNKNOWN_SEVERITY"] - sql: CASE ${TABLE}.severity WHEN 0 THEN 'UNKNOWN_SEVERITY' WHEN 1 THEN 'LOW' WHEN 2 THEN 'MEDIUM' WHEN 3 THEN 'HIGH' WHEN 4 THEN 'CRITICAL' END ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.severity_enum_name" - view_label: "UDM" - description: "The severity of the vulnerability." - } # dimension severity_enum_name - - dimension: severity_details { - type: string - sql: ${TABLE}.severity_details ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.severity_details" - view_label: "UDM" - description: "Vendor-specific severity" - } # dimension severity_details - - dimension: vendor { - type: string - sql: ${TABLE}.vendor ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.vendor" - view_label: "UDM" - description: "Vendor of scan that discovered vulnerability." - } # dimension vendor - - dimension: vendor_knowledge_base_article_id { - type: string - sql: ${TABLE}.vendor_knowledge_base_article_id ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.vendor_knowledge_base_article_id" - view_label: "UDM" - description: "Vendor specific knowledge base article (e.g. \"KBXXXXXX\" from Microsoft). https://en.wikipedia.org/wiki/Microsoft_Knowledge_Base https://access.redhat.com/knowledgebase" - } # dimension vendor_knowledge_base_article_id - - dimension: vendor_vulnerability_id { - type: string - sql: ${TABLE}.vendor_vulnerability_id ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.vendor_vulnerability_id" - view_label: "UDM" - description: "Vendor specific vulnerability id (e.g. Microsoft security bulletin id)." 
- } # dimension vendor_vulnerability_id - -} # view events__extensions__vulns__vulnerabilities - -view: events__intermediary__asset__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "intermediary" - label: "intermediary.asset.attribute.labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "intermediary" - label: "intermediary.asset.attribute.labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view events__intermediary__asset__attribute__labels - -view: events__intermediary__asset__hardware { - dimension: model { - type: string - sql: ${TABLE}.model ;; - group_label: "intermediary" - label: "intermediary.asset.hardware.model" - view_label: "UDM" - description: "Hardware model." - } # dimension model - - dimension: serial_number { - type: string - sql: ${TABLE}.serial_number ;; - group_label: "intermediary" - label: "intermediary.asset.hardware.serial_number" - view_label: "UDM" - description: "Hardware serial number." - } # dimension serial_number - -} # view events__intermediary__asset__hardware - -view: events__intermediary__asset__ip { - dimension: events__intermediary__asset__ip { - type: string - sql: ${TABLE} ;; - group_label: "intermediary" - label: "intermediary.asset.ip" - view_label: "UDM" - description: "A list of IP addresses associated with an asset." - } # dimension events__intermediary__asset__ip -} # view events__intermediary__asset__ip - -view: events__intermediary__asset__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "intermediary" - group_item_label: "intermediary.asset.labels.key [D]" - label: "intermediary.asset.labels.key" - view_label: "UDM" - description: "The key. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "intermediary" - group_item_label: "intermediary.asset.labels.value [D]" - label: "intermediary.asset.labels.value" - view_label: "UDM" - description: "The value. [D]: This field is deprecated and will be removed in a future release" - } # dimension value - -} # view events__intermediary__asset__labels - -view: events__intermediary__asset__mac { - dimension: events__intermediary__asset__mac { - type: string - sql: ${TABLE} ;; - group_label: "intermediary" - label: "intermediary.asset.mac" - view_label: "UDM" - description: "List of MAC addresses associated with an asset." - } # dimension events__intermediary__asset__mac -} # view events__intermediary__asset__mac - -view: events__intermediary__asset__software { - dimension: version { - type: string - sql: ${TABLE}.version ;; - group_label: "intermediary" - label: "intermediary.asset.software.version" - view_label: "UDM" - description: "The version of the software." - } # dimension version - -} # view events__intermediary__asset__software - -view: events__intermediary__ip { - dimension: events__intermediary__ip { - type: string - sql: ${TABLE} ;; - group_label: "intermediary" - label: "intermediary.ip" - view_label: "UDM" - description: "A list of IP addresses associated with a network connection." - } # dimension events__intermediary__ip -} # view events__intermediary__ip - -view: events__intermediary__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "intermediary" - group_item_label: "intermediary.labels.key [D]" - label: "intermediary.labels.key" - view_label: "UDM" - description: "The key. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "intermediary" - group_item_label: "intermediary.labels.value [D]" - label: "intermediary.labels.value" - view_label: "UDM" - description: "The value. [D]: This field is deprecated and will be removed in a future release" - } # dimension value - -} # view events__intermediary__labels - -view: events__intermediary__mac { - dimension: events__intermediary__mac { - type: string - sql: ${TABLE} ;; - group_label: "intermediary" - label: "intermediary.mac" - view_label: "UDM" - description: "List of MAC addresses associated with a device." - } # dimension events__intermediary__mac -} # view events__intermediary__mac - -view: events__intermediary__nat_ip { - dimension: events__intermediary__nat_ip { - type: string - sql: ${TABLE} ;; - group_label: "intermediary" - label: "intermediary.nat_ip" - view_label: "UDM" - description: "A list of NAT translated IP addresses associated with a network connection." - } # dimension events__intermediary__nat_ip -} # view events__intermediary__nat_ip - -view: events__intermediary__process__file__names { - dimension: events__intermediary__process__file__names { - type: string - sql: ${TABLE} ;; - group_label: "intermediary" - label: "intermediary.process.file.names" - view_label: "UDM" - description: "Names fields." - } # dimension events__intermediary__process__file__names -} # view events__intermediary__process__file__names - -view: events__intermediary__resource__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "intermediary" - label: "intermediary.resource.attribute.labels.key" - view_label: "UDM" - description: "The key." 
- } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "intermediary" - label: "intermediary.resource.attribute.labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view events__intermediary__resource__attribute__labels - -view: events__intermediary__user__email_addresses { - dimension: events__intermediary__user__email_addresses { - type: string - sql: ${TABLE} ;; - group_label: "intermediary" - label: "intermediary.user.email_addresses" - view_label: "UDM" - description: "Email addresses of the user." - } # dimension events__intermediary__user__email_addresses -} # view events__intermediary__user__email_addresses - -view: events__intermediary__user__group_identifiers { - dimension: events__intermediary__user__group_identifiers { - type: string - sql: ${TABLE} ;; - group_label: "intermediary" - label: "intermediary.user.group_identifiers" - view_label: "UDM" - description: "Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar)." - } # dimension events__intermediary__user__group_identifiers -} # view events__intermediary__user__group_identifiers - -view: events__intermediary { - dimension: administrative_domain { - type: string - sql: ${TABLE}.administrative_domain ;; - group_label: "intermediary" - label: "intermediary.administrative_domain" - view_label: "UDM" - description: "Domain which the device belongs to (for example, the Microsoft Windows domain)." - } # dimension administrative_domain - - dimension: application { - type: string - sql: ${TABLE}.application ;; - group_label: "intermediary" - label: "intermediary.application" - view_label: "UDM" - description: "The name of an application or service. Some SSO solutions only capture the name of a target application such as \"Atlassian\" or \"Chronicle\"." 
- } # dimension application - - dimension: asset { - hidden: yes - } # dimension asset - - dimension: asset__asset_id { - type: string - sql: ${TABLE}.asset.asset_id ;; - group_label: "intermediary" - label: "intermediary.asset.asset_id" - view_label: "UDM" - description: "The asset ID." - } # dimension asset__asset_id - - dimension: asset__attribute { - hidden: yes - } # dimension asset__attribute - - dimension: asset__attribute__labels { - hidden: yes - } # dimension asset__attribute__labels - - dimension: asset__category { - type: string - sql: ${TABLE}.asset.category ;; - group_label: "intermediary" - label: "intermediary.asset.category" - view_label: "UDM" - description: "The category of the asset (e.g. \"End User Asset\", \"Workstation\", \"Server\")." - } # dimension asset__category - - dimension: asset__hardware { - hidden: yes - } # dimension asset__hardware - - dimension: asset__hostname { - type: string - sql: ${TABLE}.asset.hostname ;; - group_label: "intermediary" - label: "intermediary.asset.hostname" - view_label: "UDM" - description: "Asset hostname or domain name field." - } # dimension asset__hostname - - dimension: asset__ip { - hidden: yes - } # dimension asset__ip - - dimension: asset__labels { - hidden: yes - } # dimension asset__labels - - dimension: asset__location { - hidden: yes - } # dimension asset__location - - dimension: asset__location__country_or_region { - type: string - sql: ${TABLE}.asset.location.country_or_region ;; - group_label: "intermediary" - label: "intermediary.asset.location.country_or_region" - view_label: "UDM" - description: "The country or region." - } # dimension asset__location__country_or_region - - dimension: asset__mac { - hidden: yes - } # dimension asset__mac - - dimension: asset__network_domain { - type: string - sql: ${TABLE}.asset.network_domain ;; - group_label: "intermediary" - label: "intermediary.asset.network_domain" - view_label: "UDM" - description: "The network domain of the asset (e.g. 
\"corp.acme.com\")" - } # dimension asset__network_domain - - dimension: asset__platform_software { - hidden: yes - } # dimension asset__platform_software - - dimension: asset__platform_software__platform_version { - type: string - sql: ${TABLE}.asset.platform_software.platform_version ;; - group_label: "intermediary" - label: "intermediary.asset.platform_software.platform_version" - view_label: "UDM" - description: "The platform software version ( e.g. \"Microsoft Windows 1803\")." - } # dimension asset__platform_software__platform_version - - dimension: asset__product_object_id { - type: string - sql: ${TABLE}.asset.product_object_id ;; - group_label: "intermediary" - label: "intermediary.asset.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID or similar)." - } # dimension asset__product_object_id - - dimension: asset__software { - hidden: yes - } # dimension asset__software - - dimension: asset_id { - type: string - sql: ${TABLE}.asset_id ;; - group_label: "intermediary" - label: "intermediary.asset_id" - view_label: "UDM" - description: "The asset ID." - } # dimension asset_id - - dimension: cloud { - hidden: yes - } # dimension cloud - - dimension: cloud__environment { - type: number - sql: ${TABLE}.cloud.environment ;; - group_label: "intermediary" - group_item_label: "intermediary.cloud.environment [D]" - label: "intermediary.cloud.environment" - view_label: "UDM" - description: "The Cloud environment. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension cloud__environment - - dimension: cloud__environment_enum_name { - type: string - suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] - sql: CASE ${TABLE}.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; - group_label: "intermediary" - group_item_label: "intermediary.cloud.environment_enum_name [D]" - label: "intermediary.cloud.environment_enum_name" - view_label: "UDM" - description: "The Cloud environment. [D]: This field is deprecated and will be removed in a future release" - } # dimension cloud__environment_enum_name - - dimension: domain { - hidden: yes - } # dimension domain - - dimension: domain__name { - type: string - sql: ${TABLE}.domain.name ;; - group_label: "intermediary" - label: "intermediary.domain.name" - view_label: "UDM" - description: "The domain name." - } # dimension domain__name - - dimension: email { - type: string - sql: ${TABLE}.email ;; - group_label: "intermediary" - label: "intermediary.email" - view_label: "UDM" - description: "Email address. Only filled in for security_result.about" - } # dimension email - - dimension: file { - hidden: yes - } # dimension file - - dimension: file__full_path { - type: string - sql: ${TABLE}.file.full_path ;; - group_label: "intermediary" - label: "intermediary.file.full_path" - view_label: "UDM" - description: "The full path identifying the location of the file on the system." - } # dimension file__full_path - - dimension: file__md5 { - type: string - sql: ${TABLE}.file.md5 ;; - group_label: "intermediary" - label: "intermediary.file.md5" - view_label: "UDM" - description: "The MD5 hash of the file." 
- } # dimension file__md5 - - dimension: file__mime_type { - type: string - sql: ${TABLE}.file.mime_type ;; - group_label: "intermediary" - label: "intermediary.file.mime_type" - view_label: "UDM" - description: "The MIME (Multipurpose Internet Mail Extensions) type of the file, for example \"PE\", \"PDF\", \"powershell script\", etc." - } # dimension file__mime_type - - dimension: file__sha1 { - type: string - sql: ${TABLE}.file.sha1 ;; - group_label: "intermediary" - label: "intermediary.file.sha1" - view_label: "UDM" - description: "The SHA1 hash of the file." - } # dimension file__sha1 - - dimension: file__sha256 { - type: string - sql: ${TABLE}.file.sha256 ;; - group_label: "intermediary" - label: "intermediary.file.sha256" - view_label: "UDM" - description: "The SHA256 hash of the file." - } # dimension file__sha256 - - dimension: file__size { - type: number - sql: ${TABLE}.file.size ;; - group_label: "intermediary" - label: "intermediary.file.size" - view_label: "UDM" - description: "The size of the file in bytes." - } # dimension file__size - - dimension: group { - hidden: yes - } # dimension group - - dimension: group__group_display_name { - type: string - sql: ${TABLE}.group.group_display_name ;; - group_label: "intermediary" - label: "intermediary.group.group_display_name" - view_label: "UDM" - description: "Group display name. e.g. \"Finance\"." - } # dimension group__group_display_name - - dimension: group__product_object_id { - type: string - sql: ${TABLE}.group.product_object_id ;; - group_label: "intermediary" - label: "intermediary.group.product_object_id" - view_label: "UDM" - description: "Product globally unique user object identifier, such as an LDAP Object Identifier." - } # dimension group__product_object_id - - dimension: hostname { - type: string - sql: ${TABLE}.hostname ;; - group_label: "intermediary" - label: "intermediary.hostname" - view_label: "UDM" - description: "Client hostname or domain name field. 
Hostname also doubles as the domain for remote entities." - } # dimension hostname - - dimension: ip { - hidden: yes - } # dimension ip - - dimension: labels { - hidden: yes - } # dimension labels - - dimension: location { - hidden: yes - } # dimension location - - dimension: location__city { - type: string - sql: ${TABLE}.location.city ;; - group_label: "intermediary" - label: "intermediary.location.city" - view_label: "UDM" - description: "The city." - } # dimension location__city - - dimension: location__country_or_region { - type: string - sql: ${TABLE}.location.country_or_region ;; - group_label: "intermediary" - label: "intermediary.location.country_or_region" - view_label: "UDM" - description: "The country or region." - } # dimension location__country_or_region - - dimension: location__name { - type: string - sql: ${TABLE}.location.name ;; - group_label: "intermediary" - label: "intermediary.location.name" - view_label: "UDM" - description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." - } # dimension location__name - - dimension: location__region_latitude { - type: number - sql: ${TABLE}.location.region_latitude ;; - group_label: "intermediary" - group_item_label: "intermediary.location.region_latitude [D]" - label: "intermediary.location.region_latitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" - } # dimension location__region_latitude - - dimension: location__region_longitude { - type: number - sql: ${TABLE}.location.region_longitude ;; - group_label: "intermediary" - group_item_label: "intermediary.location.region_longitude [D]" - label: "intermediary.location.region_longitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension location__region_longitude - - dimension: location__location { - type: location - sql_latitude: ${TABLE}.location.region_latitude ;; - sql_longitude: ${TABLE}.location.region_longitude ;; - group_label: "intermediary" - group_item_label: "intermediary.location.location [D][L]" - label: "intermediary.location.location" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." - } # dimension location__location - - dimension: location__state { - type: string - sql: ${TABLE}.location.state ;; - group_label: "intermediary" - label: "intermediary.location.state" - view_label: "UDM" - description: "The state." - } # dimension location__state - - dimension: mac { - hidden: yes - } # dimension mac - - dimension: namespace { - type: string - sql: ${TABLE}.namespace ;; - group_label: "intermediary" - label: "intermediary.namespace" - view_label: "UDM" - description: "Namespace which the device belongs to (e.g. AD forest) Uses for this field include Microsoft Windows AD forest, name of subsidiary or acquisition, etc." - } # dimension namespace - - dimension: nat_ip { - hidden: yes - } # dimension nat_ip - - dimension: platform { - type: number - sql: ${TABLE}.platform ;; - group_label: "intermediary" - label: "intermediary.platform" - view_label: "UDM" - description: "Platform." 
- } # dimension platform - - dimension: platform_enum_name { - type: string - suggestions: ["ANDROID", "AWS", "AZURE", "CHROME_OS", "GCP", "IOS", "LINUX", "MAC", "UNKNOWN_PLATFORM", "WINDOWS"] - sql: CASE ${TABLE}.platform WHEN 0 THEN 'UNKNOWN_PLATFORM' WHEN 1 THEN 'WINDOWS' WHEN 2 THEN 'MAC' WHEN 3 THEN 'LINUX' WHEN 4 THEN 'GCP' WHEN 5 THEN 'AWS' WHEN 6 THEN 'AZURE' WHEN 7 THEN 'IOS' WHEN 8 THEN 'ANDROID' WHEN 9 THEN 'CHROME_OS' END ;; - group_label: "intermediary" - label: "intermediary.platform_enum_name" - view_label: "UDM" - description: "Platform." - } # dimension platform_enum_name - - dimension: platform_version { - type: string - sql: ${TABLE}.platform_version ;; - group_label: "intermediary" - label: "intermediary.platform_version" - view_label: "UDM" - description: "Platform version. For example, \"Microsoft Windows 1803\"." - } # dimension platform_version - - dimension: port { - type: number - value_format: "#" - sql: ${TABLE}.port ;; - group_label: "intermediary" - label: "intermediary.port" - view_label: "UDM" - description: "Source or destination network port number when a specific network connection is described within an event." - } # dimension port - - dimension: process { - hidden: yes - } # dimension process - - dimension: process__command_line { - type: string - sql: ${TABLE}.process.command_line ;; - group_label: "intermediary" - label: "intermediary.process.command_line" - view_label: "UDM" - description: "The command line command that created the process." - } # dimension process__command_line - - dimension: process__file { - hidden: yes - } # dimension process__file - - dimension: process__file__full_path { - type: string - sql: ${TABLE}.process.file.full_path ;; - group_label: "intermediary" - label: "intermediary.process.file.full_path" - view_label: "UDM" - description: "The full path identifying the location of the file on the system." 
- } # dimension process__file__full_path - - dimension: process__file__names { - hidden: yes - } # dimension process__file__names - - dimension: process__file__sha1 { - type: string - sql: ${TABLE}.process.file.sha1 ;; - group_label: "intermediary" - label: "intermediary.process.file.sha1" - view_label: "UDM" - description: "The SHA1 hash of the file." - } # dimension process__file__sha1 - - dimension: process__file__sha256 { - type: string - sql: ${TABLE}.process.file.sha256 ;; - group_label: "intermediary" - label: "intermediary.process.file.sha256" - view_label: "UDM" - description: "The SHA256 hash of the file." - } # dimension process__file__sha256 - - dimension: process__file__size { - type: number - sql: ${TABLE}.process.file.size ;; - group_label: "intermediary" - label: "intermediary.process.file.size" - view_label: "UDM" - description: "The size of the file in bytes." - } # dimension process__file__size - - dimension: process__parent_process { - hidden: yes - } # dimension process__parent_process - - dimension: process__parent_process__file { - hidden: yes - } # dimension process__parent_process__file - - dimension: process__parent_process__file__full_path { - type: string - sql: ${TABLE}.process.parent_process.file.full_path ;; - group_label: "intermediary" - label: "intermediary.process.parent_process.file.full_path" - view_label: "UDM" - description: "The full path identifying the location of the file on the system." - } # dimension process__parent_process__file__full_path - - dimension: process__parent_process__file__size { - type: number - sql: ${TABLE}.process.parent_process.file.size ;; - group_label: "intermediary" - label: "intermediary.process.parent_process.file.size" - view_label: "UDM" - description: "The size of the file in bytes." 
- } # dimension process__parent_process__file__size - - dimension: process__parent_process__pid { - type: string - sql: ${TABLE}.process.parent_process.pid ;; - group_label: "intermediary" - label: "intermediary.process.parent_process.pid" - view_label: "UDM" - description: "The process ID." - } # dimension process__parent_process__pid - - dimension: process__pid { - type: string - sql: ${TABLE}.process.pid ;; - group_label: "intermediary" - label: "intermediary.process.pid" - view_label: "UDM" - description: "The process ID." - } # dimension process__pid - - dimension: registry { - hidden: yes - } # dimension registry - - dimension: registry__registry_key { - type: string - sql: ${TABLE}.registry.registry_key ;; - group_label: "intermediary" - label: "intermediary.registry.registry_key" - view_label: "UDM" - description: "Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...)." - } # dimension registry__registry_key - - dimension: registry__registry_value_data { - type: string - sql: ${TABLE}.registry.registry_value_data ;; - group_label: "intermediary" - label: "intermediary.registry.registry_value_data" - view_label: "UDM" - description: "Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp)." - } # dimension registry__registry_value_data - - dimension: registry__registry_value_name { - type: string - sql: ${TABLE}.registry.registry_value_name ;; - group_label: "intermediary" - label: "intermediary.registry.registry_value_name" - view_label: "UDM" - description: "Name of the registry value associated with an application or system component (e.g. TEMP)." 
- } # dimension registry__registry_value_name - - dimension: resource { - hidden: yes - } # dimension resource - - dimension: resource__attribute { - hidden: yes - } # dimension resource__attribute - - dimension: resource__attribute__labels { - hidden: yes - } # dimension resource__attribute__labels - - dimension: resource__id { - type: string - sql: ${TABLE}.resource.id ;; - group_label: "intermediary" - group_item_label: "intermediary.resource.id [D]" - label: "intermediary.resource.id" - view_label: "UDM" - description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" - } # dimension resource__id - - dimension: resource__name { - type: string - sql: ${TABLE}.resource.name ;; - group_label: "intermediary" - label: "intermediary.resource.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." - } # dimension resource__name - - dimension: resource__parent { - type: string - sql: ${TABLE}.resource.parent ;; - group_label: "intermediary" - group_item_label: "intermediary.resource.parent [D]" - label: "intermediary.resource.parent" - view_label: "UDM" - description: "The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: use resource_ancestors.name. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension resource__parent - - dimension: resource__product_object_id { - type: string - sql: ${TABLE}.resource.product_object_id ;; - group_label: "intermediary" - label: "intermediary.resource.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" - } # dimension resource__product_object_id - - dimension: resource__resource_subtype { - type: string - sql: ${TABLE}.resource.resource_subtype ;; - group_label: "intermediary" - label: "intermediary.resource.resource_subtype" - view_label: "UDM" - description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\")." - } # dimension resource__resource_subtype - - dimension: resource__resource_type { - type: number - sql: ${TABLE}.resource.resource_type ;; - group_label: "intermediary" - label: "intermediary.resource.resource_type" - view_label: "UDM" - description: "Resource type." 
- } # dimension resource__resource_type - - dimension: resource__resource_type_enum_name { - type: string - suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] - sql: CASE ${TABLE}.resource.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; - group_label: "intermediary" - label: "intermediary.resource.resource_type_enum_name" - view_label: "UDM" - description: "Resource type." - } # dimension resource__resource_type_enum_name - - dimension: resource__type { - type: string - sql: ${TABLE}.resource.type ;; - group_label: "intermediary" - group_item_label: "intermediary.resource.type [D]" - label: "intermediary.resource.type" - view_label: "UDM" - description: "Deprecated: use resource_type instead. [D]: This field is deprecated and will be removed in a future release" - } # dimension resource__type - - dimension: url { - type: string - sql: ${TABLE}.url ;; - group_label: "intermediary" - label: "intermediary.url" - view_label: "UDM" - description: "The URL." 
- } # dimension url - - dimension: user { - hidden: yes - } # dimension user - - dimension: user__email_addresses { - hidden: yes - } # dimension user__email_addresses - - dimension: user__group_identifiers { - hidden: yes - } # dimension user__group_identifiers - - dimension: user__product_object_id { - type: string - sql: ${TABLE}.user.product_object_id ;; - group_label: "intermediary" - label: "intermediary.user.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." - } # dimension user__product_object_id - - dimension: user__user_display_name { - type: string - sql: ${TABLE}.user.user_display_name ;; - group_label: "intermediary" - label: "intermediary.user.user_display_name" - view_label: "UDM" - description: "The display name of the user (e.g. \"John Locke\")." - } # dimension user__user_display_name - - dimension: user__userid { - type: string - sql: ${TABLE}.user.userid ;; - group_label: "intermediary" - label: "intermediary.user.userid" - view_label: "UDM" - description: "The ID of the user." - } # dimension user__userid - - dimension: user__windows_sid { - type: string - sql: ${TABLE}.user.windows_sid ;; - group_label: "intermediary" - label: "intermediary.user.windows_sid" - view_label: "UDM" - description: "The Microsoft Windows SID of the user." - } # dimension user__windows_sid - -} # view events__intermediary - -view: events__metadata__base_labels__log_types { - dimension: events__metadata__base_labels__log_types { - type: string - sql: ${TABLE} ;; - group_label: "metadata" - label: "metadata.base_labels.log_types" - view_label: "UDM" - description: "All the LogType labels. We use string to log types to avoid moving LogType proto, which contains customer info, to external." 
- } # dimension events__metadata__base_labels__log_types -} # view events__metadata__base_labels__log_types - -view: events__metadata__base_labels__namespaces { - dimension: events__metadata__base_labels__namespaces { - type: string - sql: ${TABLE} ;; - group_label: "metadata" - label: "metadata.base_labels.namespaces" - view_label: "UDM" - description: "All the namespaces." - } # dimension events__metadata__base_labels__namespaces -} # view events__metadata__base_labels__namespaces - -view: events__metadata__ingestion_labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "metadata" - label: "metadata.ingestion_labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: source { - type: string - sql: ${TABLE}.source ;; - group_label: "metadata" - label: "metadata.ingestion_labels.source" - view_label: "UDM" - description: "@hide_from_doc" - } # dimension source - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "metadata" - label: "metadata.ingestion_labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view events__metadata__ingestion_labels - -view: events__metadata__tags__data_tap_config_name { - dimension: events__metadata__tags__data_tap_config_name { - type: string - sql: ${TABLE} ;; - group_label: "metadata" - label: "metadata.tags.data_tap_config_name" - view_label: "UDM" - description: "A list of sink name values defined in DataTap configurations." - } # dimension events__metadata__tags__data_tap_config_name -} # view events__metadata__tags__data_tap_config_name - -view: events__metadata__tags__tenant_id { - dimension: events__metadata__tags__tenant_id { - type: string - sql: ${TABLE} ;; - group_label: "metadata" - label: "metadata.tags.tenant_id" - view_label: "UDM" - description: "A list of subtenant ids that this event belongs to." 
- } # dimension events__metadata__tags__tenant_id -} # view events__metadata__tags__tenant_id - -view: events__network__dhcp__options { - dimension: code { - type: number - sql: ${TABLE}.code ;; - group_label: "network" - label: "network.dhcp.options.code" - view_label: "UDM" - description: "Code. See RFC1533." - } # dimension code - -} # view events__network__dhcp__options - -view: events__network__dns__additional { - dimension: class { - type: number - sql: ${TABLE}.class ;; - group_label: "network" - label: "network.dns.additional.class" - view_label: "UDM" - description: "The code specifying the class of the resource record." - } # dimension class - - dimension: data { - type: string - sql: ${TABLE}.data ;; - group_label: "network" - label: "network.dns.additional.data" - view_label: "UDM" - description: "The payload or response to the DNS question for all responses encoded in UTF-8 format" - } # dimension data - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "network" - label: "network.dns.additional.name" - view_label: "UDM" - description: "The name of the owner of the resource record." - } # dimension name - - dimension: ttl { - type: number - sql: ${TABLE}.ttl ;; - group_label: "network" - label: "network.dns.additional.ttl" - view_label: "UDM" - description: "The time interval for which the resource record can be cached before the source of the information should again be queried." - } # dimension ttl - - dimension: type { - type: number - sql: ${TABLE}.type ;; - group_label: "network" - label: "network.dns.additional.type" - view_label: "UDM" - description: "The code specifying the type of the resource record." 
- } # dimension type - -} # view events__network__dns__additional - -view: events__network__dns__answers { - dimension: binary_data { - type: string - sql: ${TABLE}.binary_data ;; - group_label: "network" - label: "network.dns.answers.binary_data" - view_label: "UDM" - description: "The raw bytes of any non-UTF8 strings that might be included as part of a DNS response." - } # dimension binary_data - - dimension: class { - type: number - sql: ${TABLE}.class ;; - group_label: "network" - label: "network.dns.answers.class" - view_label: "UDM" - description: "The code specifying the class of the resource record." - } # dimension class - - dimension: data { - type: string - sql: ${TABLE}.data ;; - group_label: "network" - label: "network.dns.answers.data" - view_label: "UDM" - description: "The payload or response to the DNS question for all responses encoded in UTF-8 format" - } # dimension data - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "network" - label: "network.dns.answers.name" - view_label: "UDM" - description: "The name of the owner of the resource record." - } # dimension name - - dimension: ttl { - type: number - sql: ${TABLE}.ttl ;; - group_label: "network" - label: "network.dns.answers.ttl" - view_label: "UDM" - description: "The time interval for which the resource record can be cached before the source of the information should again be queried." - } # dimension ttl - - dimension: type { - type: number - sql: ${TABLE}.type ;; - group_label: "network" - label: "network.dns.answers.type" - view_label: "UDM" - description: "The code specifying the type of the resource record." - } # dimension type - -} # view events__network__dns__answers - -view: events__network__dns__authority { - dimension: class { - type: number - sql: ${TABLE}.class ;; - group_label: "network" - label: "network.dns.authority.class" - view_label: "UDM" - description: "The code specifying the class of the resource record." 
- } # dimension class - - dimension: data { - type: string - sql: ${TABLE}.data ;; - group_label: "network" - label: "network.dns.authority.data" - view_label: "UDM" - description: "The payload or response to the DNS question for all responses encoded in UTF-8 format" - } # dimension data - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "network" - label: "network.dns.authority.name" - view_label: "UDM" - description: "The name of the owner of the resource record." - } # dimension name - - dimension: ttl { - type: number - sql: ${TABLE}.ttl ;; - group_label: "network" - label: "network.dns.authority.ttl" - view_label: "UDM" - description: "The time interval for which the resource record can be cached before the source of the information should again be queried." - } # dimension ttl - - dimension: type { - type: number - sql: ${TABLE}.type ;; - group_label: "network" - label: "network.dns.authority.type" - view_label: "UDM" - description: "The code specifying the type of the resource record." - } # dimension type - -} # view events__network__dns__authority - -view: events__network__dns__questions { - dimension: class { - type: number - sql: ${TABLE}.class ;; - group_label: "network" - label: "network.dns.questions.class" - view_label: "UDM" - description: "The code specifying the class of the query." - } # dimension class - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "network" - label: "network.dns.questions.name" - view_label: "UDM" - description: "The domain name." - } # dimension name - - dimension: prevalence { - hidden: yes - } # dimension prevalence - - dimension: prevalence__day_count { - type: number - sql: ${TABLE}.prevalence.day_count ;; - group_label: "network" - label: "network.dns.questions.prevalence.day_count" - view_label: "UDM" - description: "The number of days over which rolling_max is calculated." 
- } # dimension prevalence__day_count - - dimension: prevalence__rolling_max { - type: number - sql: ${TABLE}.prevalence.rolling_max ;; - group_label: "network" - label: "network.dns.questions.prevalence.rolling_max" - view_label: "UDM" - description: "The maximum number of assets per day accessing the resource over the trailing day_count days." - } # dimension prevalence__rolling_max - - dimension: type { - type: number - sql: ${TABLE}.type ;; - group_label: "network" - label: "network.dns.questions.type" - view_label: "UDM" - description: "The code specifying the type of the query." - } # dimension type - -} # view events__network__dns__questions - -view: events__network__email__bcc { - dimension: events__network__email__bcc { - type: string - sql: ${TABLE} ;; - group_label: "network" - label: "network.email.bcc" - view_label: "UDM" - description: "A list of 'bcc' addresses." - } # dimension events__network__email__bcc -} # view events__network__email__bcc - -view: events__network__email__cc { - dimension: events__network__email__cc { - type: string - sql: ${TABLE} ;; - group_label: "network" - label: "network.email.cc" - view_label: "UDM" - description: "A list of 'cc' addresses." - } # dimension events__network__email__cc -} # view events__network__email__cc - -view: events__network__email__subject { - dimension: events__network__email__subject { - type: string - sql: ${TABLE} ;; - group_label: "network" - label: "network.email.subject" - view_label: "UDM" - description: "The subject line(s) of the email." - } # dimension events__network__email__subject -} # view events__network__email__subject - -view: events__network__email__to { - dimension: events__network__email__to { - type: string - sql: ${TABLE} ;; - group_label: "network" - label: "network.email.to" - view_label: "UDM" - description: "A list of 'to' addresses." 
- } # dimension events__network__email__to -} # view events__network__email__to - -view: events__network__http__parsed_user_agent__annotation { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "network" - label: "network.http.parsed_user_agent.annotation.key" - view_label: "UDM" - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "network" - label: "network.http.parsed_user_agent.annotation.value" - view_label: "UDM" - } # dimension value - -} # view events__network__http__parsed_user_agent__annotation - -view: events__network__tls__client__supported_ciphers { - dimension: events__network__tls__client__supported_ciphers { - type: string - sql: ${TABLE} ;; - group_label: "network" - label: "network.tls.client.supported_ciphers" - view_label: "UDM" - description: "Ciphers supported by the client during client hello." - } # dimension events__network__tls__client__supported_ciphers -} # view events__network__tls__client__supported_ciphers - -view: events__observer__asset__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "observer" - label: "observer.asset.attribute.labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "observer" - label: "observer.asset.attribute.labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view events__observer__asset__attribute__labels - -view: events__observer__asset__ip { - dimension: events__observer__asset__ip { - type: string - sql: ${TABLE} ;; - group_label: "observer" - label: "observer.asset.ip" - view_label: "UDM" - description: "A list of IP addresses associated with an asset." 
- } # dimension events__observer__asset__ip -} # view events__observer__asset__ip - -view: events__observer__asset__software { - dimension: version { - type: string - sql: ${TABLE}.version ;; - group_label: "observer" - label: "observer.asset.software.version" - view_label: "UDM" - description: "The version of the software." - } # dimension version - -} # view events__observer__asset__software - -view: events__observer__asset__vulnerabilities { - dimension_group: observer__asset__vulnerabilities__scan_start_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.scan_start_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.scan_start_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "observer" - label: "observer.asset.vulnerabilities.scan_start_time" - view_label: "UDM" - description: "If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan started. This field can be left unset if the start time is not available or not applicable." - } # dimension observer__asset__vulnerabilities__scan_start_time - -} # view events__observer__asset__vulnerabilities - -view: events__observer__ip { - dimension: events__observer__ip { - type: string - sql: ${TABLE} ;; - group_label: "observer" - label: "observer.ip" - view_label: "UDM" - description: "A list of IP addresses associated with a network connection." - } # dimension events__observer__ip -} # view events__observer__ip - -view: events__observer__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "observer" - group_item_label: "observer.labels.key [D]" - label: "observer.labels.key" - view_label: "UDM" - description: "The key. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "observer" - group_item_label: "observer.labels.value [D]" - label: "observer.labels.value" - view_label: "UDM" - description: "The value. [D]: This field is deprecated and will be removed in a future release" - } # dimension value - -} # view events__observer__labels - -view: events__observer__mac { - dimension: events__observer__mac { - type: string - sql: ${TABLE} ;; - group_label: "observer" - label: "observer.mac" - view_label: "UDM" - description: "List of MAC addresses associated with a device." - } # dimension events__observer__mac -} # view events__observer__mac - -view: events__observer__resource__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "observer" - label: "observer.resource.attribute.labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "observer" - label: "observer.resource.attribute.labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view events__observer__resource__attribute__labels - -view: events__observer__user__email_addresses { - dimension: events__observer__user__email_addresses { - type: string - sql: ${TABLE} ;; - group_label: "observer" - label: "observer.user.email_addresses" - view_label: "UDM" - description: "Email addresses of the user." 
- } # dimension events__observer__user__email_addresses -} # view events__observer__user__email_addresses - -view: events__observer__user__group_identifiers { - dimension: events__observer__user__group_identifiers { - type: string - sql: ${TABLE} ;; - group_label: "observer" - label: "observer.user.group_identifiers" - view_label: "UDM" - description: "Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar)." - } # dimension events__observer__user__group_identifiers -} # view events__observer__user__group_identifiers - -view: events__principal__artifact__network__dns__answers { - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "principal" - label: "principal.artifact.network.dns.answers.name" - view_label: "UDM" - description: "The name of the owner of the resource record." - } # dimension name - -} # view events__principal__artifact__network__dns__answers - -view: events__principal__asset__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "principal" - label: "principal.asset.attribute.labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "principal" - label: "principal.asset.attribute.labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view events__principal__asset__attribute__labels - -view: events__principal__asset__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "principal" - label: "principal.asset.attribute.roles.description" - view_label: "UDM" - description: "System role description for user." 
- } # dimension description - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "principal" - label: "principal.asset.attribute.roles.name" - view_label: "UDM" - description: "System role name for user." - } # dimension name - - dimension: type { - type: number - sql: ${TABLE}.type ;; - group_label: "principal" - label: "principal.asset.attribute.roles.type" - view_label: "UDM" - description: "System role type for well known roles." - } # dimension type - - dimension: type_enum_name { - type: string - suggestions: ["ADMINISTRATOR", "SERVICE_ACCOUNT", "TYPE_UNSPECIFIED"] - sql: CASE ${TABLE}.type WHEN 0 THEN 'TYPE_UNSPECIFIED' WHEN 1 THEN 'ADMINISTRATOR' WHEN 2 THEN 'SERVICE_ACCOUNT' END ;; - group_label: "principal" - label: "principal.asset.attribute.roles.type_enum_name" - view_label: "UDM" - description: "System role type for well known roles." - } # dimension type_enum_name - -} # view events__principal__asset__attribute__roles - -view: events__principal__asset__hardware { - dimension: cpu_model { - type: string - sql: ${TABLE}.cpu_model ;; - group_label: "principal" - label: "principal.asset.hardware.cpu_model" - view_label: "UDM" - description: "Model description of the hardware CPU (e.g. \"2.8 GHz Quad-Core Intel Core i5\")." - } # dimension cpu_model - - dimension: cpu_platform { - type: string - sql: ${TABLE}.cpu_platform ;; - group_label: "principal" - label: "principal.asset.hardware.cpu_platform" - view_label: "UDM" - description: "Platform of the hardware CPU (e.g. \"Intel Broadwell\")." - } # dimension cpu_platform - - dimension: manufacturer { - type: string - sql: ${TABLE}.manufacturer ;; - group_label: "principal" - label: "principal.asset.hardware.manufacturer" - view_label: "UDM" - description: "Hardware manufacturer." 
- } # dimension manufacturer - - dimension: model { - type: string - sql: ${TABLE}.model ;; - group_label: "principal" - label: "principal.asset.hardware.model" - view_label: "UDM" - description: "Hardware model." - } # dimension model - - dimension: ram { - type: number - sql: ${TABLE}.ram ;; - group_label: "principal" - label: "principal.asset.hardware.ram" - view_label: "UDM" - description: "Amount of the hardware ramdom access memory (RAM) in Mb." - } # dimension ram - - dimension: serial_number { - type: string - sql: ${TABLE}.serial_number ;; - group_label: "principal" - label: "principal.asset.hardware.serial_number" - view_label: "UDM" - description: "Hardware serial number." - } # dimension serial_number - -} # view events__principal__asset__hardware - -view: events__principal__asset__ip { - dimension: events__principal__asset__ip { - type: string - sql: ${TABLE} ;; - group_label: "principal" - label: "principal.asset.ip" - view_label: "UDM" - description: "A list of IP addresses associated with an asset." - } # dimension events__principal__asset__ip -} # view events__principal__asset__ip - -view: events__principal__asset__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "principal" - group_item_label: "principal.asset.labels.key [D]" - label: "principal.asset.labels.key" - view_label: "UDM" - description: "The key. [D]: This field is deprecated and will be removed in a future release" - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "principal" - group_item_label: "principal.asset.labels.value [D]" - label: "principal.asset.labels.value" - view_label: "UDM" - description: "The value. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension value - -} # view events__principal__asset__labels - -view: events__principal__asset__mac { - dimension: events__principal__asset__mac { - type: string - sql: ${TABLE} ;; - group_label: "principal" - label: "principal.asset.mac" - view_label: "UDM" - description: "List of MAC addresses associated with an asset." - } # dimension events__principal__asset__mac -} # view events__principal__asset__mac - -view: events__principal__asset__nat_ip { - dimension: events__principal__asset__nat_ip { - type: string - sql: ${TABLE} ;; - group_label: "principal" - label: "principal.asset.nat_ip" - view_label: "UDM" - description: "List of NAT IP addresses associated with an asset." - } # dimension events__principal__asset__nat_ip -} # view events__principal__asset__nat_ip - -view: events__principal__asset__software__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "principal" - label: "principal.asset.software.permissions.description" - view_label: "UDM" - description: "Description of the permission (e.g. 'Ability to update detect rules')." - } # dimension description - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "principal" - label: "principal.asset.software.permissions.name" - view_label: "UDM" - description: "Name of the permission (e.g. chronicle.analyst.updateRule)." - } # dimension name - -} # view events__principal__asset__software__permissions - -view: events__principal__asset__software { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "principal" - label: "principal.asset.software.description" - view_label: "UDM" - description: "The description of the software." 
- } # dimension description - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "principal" - label: "principal.asset.software.name" - view_label: "UDM" - description: "The name of the software." - } # dimension name - - dimension: permissions { - hidden: yes - } # dimension permissions - - dimension: vendor_name { - type: string - sql: ${TABLE}.vendor_name ;; - group_label: "principal" - label: "principal.asset.software.vendor_name" - view_label: "UDM" - description: "The name of the software vendor." - } # dimension vendor_name - - dimension: version { - type: string - sql: ${TABLE}.version ;; - group_label: "principal" - label: "principal.asset.software.version" - view_label: "UDM" - description: "The version of the software." - } # dimension version - -} # view events__principal__asset__software - -view: events__principal__asset__vulnerabilities { - dimension: cve_description { - type: string - sql: ${TABLE}.cve_description ;; - group_label: "principal" - label: "principal.asset.vulnerabilities.cve_description" - view_label: "UDM" - description: "Common Vulnerabilities and Exposures Description. https://cve.mitre.org/about/faqs.html#what_is_cve_record" - } # dimension cve_description - - dimension: cve_id { - type: string - sql: ${TABLE}.cve_id ;; - group_label: "principal" - label: "principal.asset.vulnerabilities.cve_id" - view_label: "UDM" - description: "Common Vulnerabilities and Exposures Id.https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures https://cve.mitre.org/about/faqs.html#what_is_cve_id" - } # dimension cve_id - - dimension: cvss_base_score { - type: number - sql: ${TABLE}.cvss_base_score ;; - group_label: "principal" - label: "principal.asset.vulnerabilities.cvss_base_score" - view_label: "UDM" - description: "CVSS Base Score in the range of 0.0 to 10.0. Useful for sorting." 
- } # dimension cvss_base_score - - dimension: cvss_vector { - type: string - sql: ${TABLE}.cvss_vector ;; - group_label: "principal" - label: "principal.asset.vulnerabilities.cvss_vector" - view_label: "UDM" - description: "Vector of CVSS properties (e.g. \"AV:L/AC:H/Au:N/C:N/I:P/A:C\") Can be linked to via: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=VALUE" - } # dimension cvss_vector - - dimension: cvss_version { - type: string - sql: ${TABLE}.cvss_version ;; - group_label: "principal" - label: "principal.asset.vulnerabilities.cvss_version" - view_label: "UDM" - description: "Version of CVSS Vector/Score." - } # dimension cvss_version - - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "principal" - label: "principal.asset.vulnerabilities.description" - view_label: "UDM" - description: "Description of the vulnerability." - } # dimension description - - dimension_group: principal__asset__vulnerabilities__first_found { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.first_found.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.first_found.nanos, 0) / 1000) as INT64)) ;; - group_label: "principal" - label: "principal.asset.vulnerabilities.first_found" - view_label: "UDM" - description: "Products that maintain a history of vuln scans should populate first_found with the time that a scan first detected the vulnerability on this asset." 
- } # dimension principal__asset__vulnerabilities__first_found - - dimension_group: principal__asset__vulnerabilities__last_found { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.last_found.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.last_found.nanos, 0) / 1000) as INT64)) ;; - group_label: "principal" - label: "principal.asset.vulnerabilities.last_found" - view_label: "UDM" - description: "Products that maintain a history of vuln scans should populate last_found with the time that a scan last detected the vulnerability on this asset." - } # dimension principal__asset__vulnerabilities__last_found - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "principal" - label: "principal.asset.vulnerabilities.name" - view_label: "UDM" - description: "Name of the vulnerability (e.g. \"Unsupported OS Version detected\")." - } # dimension name - - dimension_group: principal__asset__vulnerabilities__scan_end_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.scan_end_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.scan_end_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "principal" - label: "principal.asset.vulnerabilities.scan_end_time" - view_label: "UDM" - description: "If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan ended. This field can be left unset if the end time is not available or not applicable." 
- } # dimension principal__asset__vulnerabilities__scan_end_time - - dimension_group: principal__asset__vulnerabilities__scan_start_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.scan_start_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.scan_start_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "principal" - label: "principal.asset.vulnerabilities.scan_start_time" - view_label: "UDM" - description: "If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan started. This field can be left unset if the start time is not available or not applicable." - } # dimension principal__asset__vulnerabilities__scan_start_time - - dimension: severity { - type: number - sql: ${TABLE}.severity ;; - group_label: "principal" - label: "principal.asset.vulnerabilities.severity" - view_label: "UDM" - description: "The severity of the vulnerability." - } # dimension severity - - dimension: severity_enum_name { - type: string - suggestions: ["CRITICAL", "HIGH", "LOW", "MEDIUM", "UNKNOWN_SEVERITY"] - sql: CASE ${TABLE}.severity WHEN 0 THEN 'UNKNOWN_SEVERITY' WHEN 1 THEN 'LOW' WHEN 2 THEN 'MEDIUM' WHEN 3 THEN 'HIGH' WHEN 4 THEN 'CRITICAL' END ;; - group_label: "principal" - label: "principal.asset.vulnerabilities.severity_enum_name" - view_label: "UDM" - description: "The severity of the vulnerability." - } # dimension severity_enum_name - - dimension: severity_details { - type: string - sql: ${TABLE}.severity_details ;; - group_label: "principal" - label: "principal.asset.vulnerabilities.severity_details" - view_label: "UDM" - description: "Vendor-specific severity" - } # dimension severity_details - - dimension: vendor { - type: string - sql: ${TABLE}.vendor ;; - group_label: "principal" - label: "principal.asset.vulnerabilities.vendor" - view_label: "UDM" - description: "Vendor of scan that discovered vulnerability." 
- } # dimension vendor - - dimension: vendor_knowledge_base_article_id { - type: string - sql: ${TABLE}.vendor_knowledge_base_article_id ;; - group_label: "principal" - label: "principal.asset.vulnerabilities.vendor_knowledge_base_article_id" - view_label: "UDM" - description: "Vendor specific knowledge base article (e.g. \"KBXXXXXX\" from Microsoft). https://en.wikipedia.org/wiki/Microsoft_Knowledge_Base https://access.redhat.com/knowledgebase" - } # dimension vendor_knowledge_base_article_id - - dimension: vendor_vulnerability_id { - type: string - sql: ${TABLE}.vendor_vulnerability_id ;; - group_label: "principal" - label: "principal.asset.vulnerabilities.vendor_vulnerability_id" - view_label: "UDM" - description: "Vendor specific vulnerability id (e.g. Microsoft security bulletin id)." - } # dimension vendor_vulnerability_id - -} # view events__principal__asset__vulnerabilities - -view: events__principal__domain__name_server { - dimension: events__principal__domain__name_server { - type: string - sql: ${TABLE} ;; - group_label: "principal" - label: "principal.domain.name_server" - view_label: "UDM" - description: "Repeated list of name servers." - } # dimension events__principal__domain__name_server -} # view events__principal__domain__name_server - -view: events__principal__domain__tech__group_identifiers { - dimension: events__principal__domain__tech__group_identifiers { - type: string - sql: ${TABLE} ;; - group_label: "principal" - label: "principal.domain.tech.group_identifiers" - view_label: "UDM" - description: "Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar)." 
- } # dimension events__principal__domain__tech__group_identifiers -} # view events__principal__domain__tech__group_identifiers - -view: events__principal__file__names { - dimension: events__principal__file__names { - type: string - sql: ${TABLE} ;; - group_label: "principal" - label: "principal.file.names" - view_label: "UDM" - description: "Names fields." - } # dimension events__principal__file__names -} # view events__principal__file__names - -view: events__principal__group__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "principal" - label: "principal.group.attribute.labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "principal" - label: "principal.group.attribute.labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view events__principal__group__attribute__labels - -view: events__principal__group__attribute__roles { - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "principal" - label: "principal.group.attribute.roles.name" - view_label: "UDM" - description: "System role name for user." - } # dimension name - -} # view events__principal__group__attribute__roles - -view: events__principal__group__email_addresses { - dimension: events__principal__group__email_addresses { - type: string - sql: ${TABLE} ;; - group_label: "principal" - label: "principal.group.email_addresses" - view_label: "UDM" - description: "Email addresses of the group." - } # dimension events__principal__group__email_addresses -} # view events__principal__group__email_addresses - -view: events__principal__investigation__comments { - dimension: events__principal__investigation__comments { - type: string - sql: ${TABLE} ;; - group_label: "principal" - label: "principal.investigation.comments" - view_label: "UDM" - description: "Comment added by the Analyst." 
- } # dimension events__principal__investigation__comments -} # view events__principal__investigation__comments - -view: events__principal__ip { - dimension: events__principal__ip { - type: string - sql: ${TABLE} ;; - group_label: "principal" - label: "principal.ip" - view_label: "UDM" - description: "A list of IP addresses associated with a network connection." - } # dimension events__principal__ip -} # view events__principal__ip - -view: events__principal__ip_geo_artifact { - dimension: ip { - type: string - sql: ${TABLE}.ip ;; - group_label: "principal" - label: "principal.ip_geo_artifact.ip" - view_label: "UDM" - description: "IP address of the artifact." - } # dimension ip - - dimension: location { - hidden: yes - } # dimension location - - dimension: location__country_or_region { - type: string - sql: ${TABLE}.location.country_or_region ;; - group_label: "principal" - label: "principal.ip_geo_artifact.location.country_or_region" - view_label: "UDM" - description: "The country or region." - } # dimension location__country_or_region - - dimension: location__region_coordinates { - type: location - sql_latitude: ${TABLE}.location.region_coordinates.latitude ;; - sql_longitude: ${TABLE}.location.region_coordinates.longitude ;; - group_label: "principal" - group_item_label: "principal.ip_geo_artifact.location.region_coordinates [L]" - label: "principal.ip_geo_artifact.location.region_coordinates" - view_label: "UDM" - description: "Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. [L]: This is a location field and can be used in maps." 
- } # dimension location__region_coordinates - - dimension: location__region_latitude { - type: number - sql: ${TABLE}.location.region_latitude ;; - group_label: "principal" - group_item_label: "principal.ip_geo_artifact.location.region_latitude [D]" - label: "principal.ip_geo_artifact.location.region_latitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" - } # dimension location__region_latitude - - dimension: location__region_longitude { - type: number - sql: ${TABLE}.location.region_longitude ;; - group_label: "principal" - group_item_label: "principal.ip_geo_artifact.location.region_longitude [D]" - label: "principal.ip_geo_artifact.location.region_longitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" - } # dimension location__region_longitude - - dimension: location__location { - type: location - sql_latitude: ${TABLE}.location.region_latitude ;; - sql_longitude: ${TABLE}.location.region_longitude ;; - group_label: "principal" - group_item_label: "principal.ip_geo_artifact.location.location [D][L]" - label: "principal.ip_geo_artifact.location.location" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." - } # dimension location__location - - dimension: location__state { - type: string - sql: ${TABLE}.location.state ;; - group_label: "principal" - label: "principal.ip_geo_artifact.location.state" - view_label: "UDM" - description: "The state." 
- } # dimension location__state - - dimension: network { - hidden: yes - } # dimension network - - dimension: network__asn { - type: string - sql: ${TABLE}.network.asn ;; - group_label: "principal" - label: "principal.ip_geo_artifact.network.asn" - view_label: "UDM" - description: "Autonomous system number." - } # dimension network__asn - - dimension: network__carrier_name { - type: string - sql: ${TABLE}.network.carrier_name ;; - group_label: "principal" - label: "principal.ip_geo_artifact.network.carrier_name" - view_label: "UDM" - description: "Carrier identification." - } # dimension network__carrier_name - - dimension: network__dns_domain { - type: string - sql: ${TABLE}.network.dns_domain ;; - group_label: "principal" - label: "principal.ip_geo_artifact.network.dns_domain" - view_label: "UDM" - description: "DNS domain name." - } # dimension network__dns_domain - - dimension: network__organization_name { - type: string - sql: ${TABLE}.network.organization_name ;; - group_label: "principal" - label: "principal.ip_geo_artifact.network.organization_name" - view_label: "UDM" - description: "Organization name (e.g Google)." - } # dimension network__organization_name - -} # view events__principal__ip_geo_artifact - -view: events__principal__ip_location { - dimension: city { - type: string - sql: ${TABLE}.city ;; - group_label: "principal" - group_item_label: "principal.ip_location.city [D]" - label: "principal.ip_location.city" - view_label: "UDM" - description: "The city. [D]: This field is deprecated and will be removed in a future release" - } # dimension city - - dimension: country_or_region { - type: string - sql: ${TABLE}.country_or_region ;; - group_label: "principal" - group_item_label: "principal.ip_location.country_or_region [D]" - label: "principal.ip_location.country_or_region" - view_label: "UDM" - description: "The country or region. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension country_or_region - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "principal" - group_item_label: "principal.ip_location.name [D]" - label: "principal.ip_location.name" - view_label: "UDM" - description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\"). [D]: This field is deprecated and will be removed in a future release" - } # dimension name - - dimension: region_coordinates { - type: location - sql_latitude: ${TABLE}.region_coordinates.latitude ;; - sql_longitude: ${TABLE}.region_coordinates.longitude ;; - group_label: "principal" - group_item_label: "principal.ip_location.region_coordinates [D][L]" - label: "principal.ip_location.region_coordinates" - view_label: "UDM" - description: "Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." - } # dimension region_coordinates - - dimension: region_latitude { - type: number - sql: ${TABLE}.region_latitude ;; - group_label: "principal" - group_item_label: "principal.ip_location.region_latitude [D]" - label: "principal.ip_location.region_latitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" - } # dimension region_latitude - - dimension: region_longitude { - type: number - sql: ${TABLE}.region_longitude ;; - group_label: "principal" - group_item_label: "principal.ip_location.region_longitude [D]" - label: "principal.ip_location.region_longitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension region_longitude - - dimension: location { - type: location - sql_latitude: ${TABLE}.region_latitude ;; - sql_longitude: ${TABLE}.region_longitude ;; - group_label: "principal" - group_item_label: "principal.ip_location.location [D][L]" - label: "principal.ip_location.location" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." - } # dimension location - - dimension: state { - type: string - sql: ${TABLE}.state ;; - group_label: "principal" - group_item_label: "principal.ip_location.state [D]" - label: "principal.ip_location.state" - view_label: "UDM" - description: "The state. [D]: This field is deprecated and will be removed in a future release" - } # dimension state - -} # view events__principal__ip_location - -view: events__principal__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "principal" - group_item_label: "principal.labels.key [D]" - label: "principal.labels.key" - view_label: "UDM" - description: "The key. [D]: This field is deprecated and will be removed in a future release" - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "principal" - group_item_label: "principal.labels.value [D]" - label: "principal.labels.value" - view_label: "UDM" - description: "The value. [D]: This field is deprecated and will be removed in a future release" - } # dimension value - -} # view events__principal__labels - -view: events__principal__mac { - dimension: events__principal__mac { - type: string - sql: ${TABLE} ;; - group_label: "principal" - label: "principal.mac" - view_label: "UDM" - description: "List of MAC addresses associated with a device." 
- } # dimension events__principal__mac -} # view events__principal__mac - -view: events__principal__nat_ip { - dimension: events__principal__nat_ip { - type: string - sql: ${TABLE} ;; - group_label: "principal" - label: "principal.nat_ip" - view_label: "UDM" - description: "A list of NAT translated IP addresses associated with a network connection." - } # dimension events__principal__nat_ip -} # view events__principal__nat_ip - -view: events__principal__process__command_line_history { - dimension: events__principal__process__command_line_history { - type: string - sql: ${TABLE} ;; - group_label: "principal" - label: "principal.process.command_line_history" - view_label: "UDM" - description: "The command line history of the process." - } # dimension events__principal__process__command_line_history -} # view events__principal__process__command_line_history - -view: events__principal__process__file__capabilities_tags { - dimension: events__principal__process__file__capabilities_tags { - type: string - sql: ${TABLE} ;; - group_label: "principal" - label: "principal.process.file.capabilities_tags" - view_label: "UDM" - description: "Capabilities tags." - } # dimension events__principal__process__file__capabilities_tags -} # view events__principal__process__file__capabilities_tags - -view: events__principal__process__file__names { - dimension: events__principal__process__file__names { - type: string - sql: ${TABLE} ;; - group_label: "principal" - label: "principal.process.file.names" - view_label: "UDM" - description: "Names fields." 
- } # dimension events__principal__process__file__names -} # view events__principal__process__file__names - -view: events__principal__process_ancestors { - dimension: file { - hidden: yes - } # dimension file - - dimension: file__full_path { - type: string - sql: ${TABLE}.file.full_path ;; - group_label: "principal" - label: "principal.process_ancestors.file.full_path" - view_label: "UDM" - description: "The full path identifying the location of the file on the system." - } # dimension file__full_path - - dimension: pid { - type: string - sql: ${TABLE}.pid ;; - group_label: "principal" - label: "principal.process_ancestors.pid" - view_label: "UDM" - description: "The process ID." - } # dimension pid - -} # view events__principal__process_ancestors - -view: events__principal__resource__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "principal" - label: "principal.resource.attribute.labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "principal" - label: "principal.resource.attribute.labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view events__principal__resource__attribute__labels - -view: events__principal__resource__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "principal" - label: "principal.resource.attribute.permissions.description" - view_label: "UDM" - description: "Description of the permission (e.g. 'Ability to update detect rules')." - } # dimension description - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "principal" - label: "principal.resource.attribute.permissions.name" - view_label: "UDM" - description: "Name of the permission (e.g. chronicle.analyst.updateRule)." 
- } # dimension name - - dimension: type { - type: number - sql: ${TABLE}.type ;; - group_label: "principal" - label: "principal.resource.attribute.permissions.type" - view_label: "UDM" - description: "Type of the permission." - } # dimension type - - dimension: type_enum_name { - type: string - suggestions: ["ADMIN_READ", "ADMIN_WRITE", "DATA_READ", "DATA_WRITE", "UNKNOWN_PERMISSION_TYPE"] - sql: CASE ${TABLE}.type WHEN 0 THEN 'UNKNOWN_PERMISSION_TYPE' WHEN 1 THEN 'ADMIN_WRITE' WHEN 2 THEN 'ADMIN_READ' WHEN 3 THEN 'DATA_WRITE' WHEN 4 THEN 'DATA_READ' END ;; - group_label: "principal" - label: "principal.resource.attribute.permissions.type_enum_name" - view_label: "UDM" - description: "Type of the permission." - } # dimension type_enum_name - -} # view events__principal__resource__attribute__permissions - -view: events__principal__resource__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "principal" - label: "principal.resource.attribute.roles.description" - view_label: "UDM" - description: "System role description for user." - } # dimension description - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "principal" - label: "principal.resource.attribute.roles.name" - view_label: "UDM" - description: "System role name for user." - } # dimension name - - dimension: type { - type: number - sql: ${TABLE}.type ;; - group_label: "principal" - label: "principal.resource.attribute.roles.type" - view_label: "UDM" - description: "System role type for well known roles." - } # dimension type - - dimension: type_enum_name { - type: string - suggestions: ["ADMINISTRATOR", "SERVICE_ACCOUNT", "TYPE_UNSPECIFIED"] - sql: CASE ${TABLE}.type WHEN 0 THEN 'TYPE_UNSPECIFIED' WHEN 1 THEN 'ADMINISTRATOR' WHEN 2 THEN 'SERVICE_ACCOUNT' END ;; - group_label: "principal" - label: "principal.resource.attribute.roles.type_enum_name" - view_label: "UDM" - description: "System role type for well known roles." 
- } # dimension type_enum_name - -} # view events__principal__resource__attribute__roles - -view: events__principal__resource_ancestors__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "principal" - label: "principal.resource_ancestors.attribute.labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "principal" - label: "principal.resource_ancestors.attribute.labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view events__principal__resource_ancestors__attribute__labels - -view: events__principal__resource_ancestors { - dimension: attribute { - hidden: yes - } # dimension attribute - - dimension: attribute__labels { - hidden: yes - } # dimension attribute__labels - - dimension: id { - type: string - sql: ${TABLE}.id ;; - group_label: "principal" - group_item_label: "principal.resource_ancestors.id [D]" - label: "principal.resource_ancestors.id" - view_label: "UDM" - description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" - } # dimension id - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "principal" - label: "principal.resource_ancestors.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." - } # dimension name - - dimension: parent { - type: string - sql: ${TABLE}.parent ;; - group_label: "principal" - group_item_label: "principal.resource_ancestors.parent [D]" - label: "principal.resource_ancestors.parent" - view_label: "UDM" - description: "The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: use resource_ancestors.name. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension parent - - dimension: product_object_id { - type: string - sql: ${TABLE}.product_object_id ;; - group_label: "principal" - label: "principal.resource_ancestors.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" - } # dimension product_object_id - - dimension: resource_type { - type: number - sql: ${TABLE}.resource_type ;; - group_label: "principal" - label: "principal.resource_ancestors.resource_type" - view_label: "UDM" - description: "Resource type." - } # dimension resource_type - - dimension: resource_type_enum_name { - type: string - suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] - sql: CASE ${TABLE}.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; - group_label: "principal" - label: "principal.resource_ancestors.resource_type_enum_name" - view_label: "UDM" - description: "Resource type." 
- } # dimension resource_type_enum_name - -} # view events__principal__resource_ancestors - -view: events__principal__user__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "principal" - label: "principal.user.attribute.labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "principal" - label: "principal.user.attribute.labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view events__principal__user__attribute__labels - -view: events__principal__user__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "principal" - label: "principal.user.attribute.permissions.description" - view_label: "UDM" - description: "Description of the permission (e.g. 'Ability to update detect rules')." - } # dimension description - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "principal" - label: "principal.user.attribute.permissions.name" - view_label: "UDM" - description: "Name of the permission (e.g. chronicle.analyst.updateRule)." - } # dimension name - - dimension: type { - type: number - sql: ${TABLE}.type ;; - group_label: "principal" - label: "principal.user.attribute.permissions.type" - view_label: "UDM" - description: "Type of the permission." - } # dimension type - - dimension: type_enum_name { - type: string - suggestions: ["ADMIN_READ", "ADMIN_WRITE", "DATA_READ", "DATA_WRITE", "UNKNOWN_PERMISSION_TYPE"] - sql: CASE ${TABLE}.type WHEN 0 THEN 'UNKNOWN_PERMISSION_TYPE' WHEN 1 THEN 'ADMIN_WRITE' WHEN 2 THEN 'ADMIN_READ' WHEN 3 THEN 'DATA_WRITE' WHEN 4 THEN 'DATA_READ' END ;; - group_label: "principal" - label: "principal.user.attribute.permissions.type_enum_name" - view_label: "UDM" - description: "Type of the permission." 
- } # dimension type_enum_name - -} # view events__principal__user__attribute__permissions - -view: events__principal__user__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "principal" - label: "principal.user.attribute.roles.description" - view_label: "UDM" - description: "System role description for user." - } # dimension description - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "principal" - label: "principal.user.attribute.roles.name" - view_label: "UDM" - description: "System role name for user." - } # dimension name - - dimension: type { - type: number - sql: ${TABLE}.type ;; - group_label: "principal" - label: "principal.user.attribute.roles.type" - view_label: "UDM" - description: "System role type for well known roles." - } # dimension type - - dimension: type_enum_name { - type: string - suggestions: ["ADMINISTRATOR", "SERVICE_ACCOUNT", "TYPE_UNSPECIFIED"] - sql: CASE ${TABLE}.type WHEN 0 THEN 'TYPE_UNSPECIFIED' WHEN 1 THEN 'ADMINISTRATOR' WHEN 2 THEN 'SERVICE_ACCOUNT' END ;; - group_label: "principal" - label: "principal.user.attribute.roles.type_enum_name" - view_label: "UDM" - description: "System role type for well known roles." - } # dimension type_enum_name - -} # view events__principal__user__attribute__roles - -view: events__principal__user__department { - dimension: events__principal__user__department { - type: string - sql: ${TABLE} ;; - group_label: "principal" - label: "principal.user.department" - view_label: "UDM" - description: "User job department" - } # dimension events__principal__user__department -} # view events__principal__user__department - -view: events__principal__user__email_addresses { - dimension: events__principal__user__email_addresses { - type: string - sql: ${TABLE} ;; - group_label: "principal" - label: "principal.user.email_addresses" - view_label: "UDM" - description: "Email addresses of the user." 
- } # dimension events__principal__user__email_addresses -} # view events__principal__user__email_addresses - -view: events__principal__user__group_identifiers { - dimension: events__principal__user__group_identifiers { - type: string - sql: ${TABLE} ;; - group_label: "principal" - label: "principal.user.group_identifiers" - view_label: "UDM" - description: "Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar)." - } # dimension events__principal__user__group_identifiers -} # view events__principal__user__group_identifiers - -view: events__principal__user__managers__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "principal" - label: "principal.user.managers.attribute.labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "principal" - label: "principal.user.managers.attribute.labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view events__principal__user__managers__attribute__labels - -view: events__principal__user__managers__attribute__roles { - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "principal" - label: "principal.user.managers.attribute.roles.name" - view_label: "UDM" - description: "System role name for user." - } # dimension name - - dimension: type { - type: number - sql: ${TABLE}.type ;; - group_label: "principal" - label: "principal.user.managers.attribute.roles.type" - view_label: "UDM" - description: "System role type for well known roles." 
- } # dimension type - - dimension: type_enum_name { - type: string - suggestions: ["ADMINISTRATOR", "SERVICE_ACCOUNT", "TYPE_UNSPECIFIED"] - sql: CASE ${TABLE}.type WHEN 0 THEN 'TYPE_UNSPECIFIED' WHEN 1 THEN 'ADMINISTRATOR' WHEN 2 THEN 'SERVICE_ACCOUNT' END ;; - group_label: "principal" - label: "principal.user.managers.attribute.roles.type_enum_name" - view_label: "UDM" - description: "System role type for well known roles." - } # dimension type_enum_name - -} # view events__principal__user__managers__attribute__roles - -view: events__principal__user__managers__department { - dimension: events__principal__user__managers__department { - type: string - sql: ${TABLE} ;; - group_label: "principal" - label: "principal.user.managers.department" - view_label: "UDM" - description: "User job department" - } # dimension events__principal__user__managers__department -} # view events__principal__user__managers__department - -view: events__principal__user__managers__email_addresses { - dimension: events__principal__user__managers__email_addresses { - type: string - sql: ${TABLE} ;; - group_label: "principal" - label: "principal.user.managers.email_addresses" - view_label: "UDM" - description: "Email addresses of the user." - } # dimension events__principal__user__managers__email_addresses -} # view events__principal__user__managers__email_addresses - -view: events__principal__user__managers__group_identifiers { - dimension: events__principal__user__managers__group_identifiers { - type: string - sql: ${TABLE} ;; - group_label: "principal" - label: "principal.user.managers.group_identifiers" - view_label: "UDM" - description: "Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar)." 
- } # dimension events__principal__user__managers__group_identifiers -} # view events__principal__user__managers__group_identifiers - -view: events__principal__user__managers__phone_numbers { - dimension: events__principal__user__managers__phone_numbers { - type: string - sql: ${TABLE} ;; - group_label: "principal" - label: "principal.user.managers.phone_numbers" - view_label: "UDM" - description: "Phone numbers for the user." - } # dimension events__principal__user__managers__phone_numbers -} # view events__principal__user__managers__phone_numbers - -view: events__principal__user__managers { - dimension: attribute { - hidden: yes - } # dimension attribute - - dimension: attribute__labels { - hidden: yes - } # dimension attribute__labels - - dimension: attribute__roles { - hidden: yes - } # dimension attribute__roles - - dimension: company_name { - type: string - sql: ${TABLE}.company_name ;; - group_label: "principal" - label: "principal.user.managers.company_name" - view_label: "UDM" - description: "User job company name." - } # dimension company_name - - dimension: department { - hidden: yes - } # dimension department - - dimension: email_addresses { - hidden: yes - } # dimension email_addresses - - dimension: employee_id { - type: string - sql: ${TABLE}.employee_id ;; - group_label: "principal" - label: "principal.user.managers.employee_id" - view_label: "UDM" - description: "Human capital management identifier." - } # dimension employee_id - - dimension: first_name { - type: string - sql: ${TABLE}.first_name ;; - group_label: "principal" - label: "principal.user.managers.first_name" - view_label: "UDM" - description: "First name of the user (e.g. \"John\")." 
- } # dimension first_name - - dimension: group_identifiers { - hidden: yes - } # dimension group_identifiers - - dimension: last_name { - type: string - sql: ${TABLE}.last_name ;; - group_label: "principal" - label: "principal.user.managers.last_name" - view_label: "UDM" - description: "Last name of the user (e.g. \"Locke\")." - } # dimension last_name - - dimension: personal_address { - hidden: yes - } # dimension personal_address - - dimension: personal_address__city { - type: string - sql: ${TABLE}.personal_address.city ;; - group_label: "principal" - label: "principal.user.managers.personal_address.city" - view_label: "UDM" - description: "The city." - } # dimension personal_address__city - - dimension: personal_address__country_or_region { - type: string - sql: ${TABLE}.personal_address.country_or_region ;; - group_label: "principal" - label: "principal.user.managers.personal_address.country_or_region" - view_label: "UDM" - description: "The country or region." - } # dimension personal_address__country_or_region - - dimension: personal_address__name { - type: string - sql: ${TABLE}.personal_address.name ;; - group_label: "principal" - label: "principal.user.managers.personal_address.name" - view_label: "UDM" - description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." - } # dimension personal_address__name - - dimension: personal_address__state { - type: string - sql: ${TABLE}.personal_address.state ;; - group_label: "principal" - label: "principal.user.managers.personal_address.state" - view_label: "UDM" - description: "The state." 
- } # dimension personal_address__state - - dimension: phone_numbers { - hidden: yes - } # dimension phone_numbers - - dimension: product_object_id { - type: string - sql: ${TABLE}.product_object_id ;; - group_label: "principal" - label: "principal.user.managers.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." - } # dimension product_object_id - - dimension: title { - type: string - sql: ${TABLE}.title ;; - group_label: "principal" - label: "principal.user.managers.title" - view_label: "UDM" - description: "User job title." - } # dimension title - - dimension: user_display_name { - type: string - sql: ${TABLE}.user_display_name ;; - group_label: "principal" - label: "principal.user.managers.user_display_name" - view_label: "UDM" - description: "The display name of the user (e.g. \"John Locke\")." - } # dimension user_display_name - - dimension: userid { - type: string - sql: ${TABLE}.userid ;; - group_label: "principal" - label: "principal.user.managers.userid" - view_label: "UDM" - description: "The ID of the user." - } # dimension userid - - dimension: windows_sid { - type: string - sql: ${TABLE}.windows_sid ;; - group_label: "principal" - label: "principal.user.managers.windows_sid" - view_label: "UDM" - description: "The Microsoft Windows SID of the user." - } # dimension windows_sid - -} # view events__principal__user__managers - -view: events__principal__user__phone_numbers { - dimension: events__principal__user__phone_numbers { - type: string - sql: ${TABLE} ;; - group_label: "principal" - label: "principal.user.phone_numbers" - view_label: "UDM" - description: "Phone numbers for the user." 
- } # dimension events__principal__user__phone_numbers -} # view events__principal__user__phone_numbers - -view: events__principal__user__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "principal" - label: "principal.user.time_off.description" - view_label: "UDM" - description: "Description of the leave if available (e.g. 'Vacation')." - } # dimension description - - dimension_group: principal__user__time_off__interval { - type: duration - intervals: [ second, minute, hour ] - sql_start: TIMESTAMP_MICROS(IFNULL(${TABLE}.interval.start_time.seconds,0) * 1000000 + CAST((IFNULL(${TABLE}.interval.start_time.nanos,0) / 1000) as INT64)) ;; - sql_end: TIMESTAMP_MICROS(IFNULL(${TABLE}.interval.end_time.seconds,0) * 1000000 + CAST((IFNULL(${TABLE}.interval.end_time.nanos,0) / 1000) as INT64)) ;; - group_label: "principal" - label: "principal.user.time_off.interval" - view_label: "UDM" - description: "Interval duration of the leave." - } # dimension principal__user__time_off__interval - -} # view events__principal__user__time_off - -view: events__security_result__about__asset__attribute__permissions { - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "security_result" - label: "security_result.about.asset.attribute.permissions.name" - view_label: "UDM" - description: "Name of the permission (e.g. chronicle.analyst.updateRule)." - } # dimension name - -} # view events__security_result__about__asset__attribute__permissions - -view: events__security_result__about__asset__ip { - dimension: events__security_result__about__asset__ip { - type: string - sql: ${TABLE} ;; - group_label: "security_result" - label: "security_result.about.asset.ip" - view_label: "UDM" - description: "A list of IP addresses associated with an asset." 
- } # dimension events__security_result__about__asset__ip -} # view events__security_result__about__asset__ip - -view: events__security_result__about__asset__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "security_result" - group_item_label: "security_result.about.asset.labels.key [D]" - label: "security_result.about.asset.labels.key" - view_label: "UDM" - description: "The key. [D]: This field is deprecated and will be removed in a future release" - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "security_result" - group_item_label: "security_result.about.asset.labels.value [D]" - label: "security_result.about.asset.labels.value" - view_label: "UDM" - description: "The value. [D]: This field is deprecated and will be removed in a future release" - } # dimension value - -} # view events__security_result__about__asset__labels - -view: events__security_result__about__asset__mac { - dimension: events__security_result__about__asset__mac { - type: string - sql: ${TABLE} ;; - group_label: "security_result" - label: "security_result.about.asset.mac" - view_label: "UDM" - description: "List of MAC addresses associated with an asset." - } # dimension events__security_result__about__asset__mac -} # view events__security_result__about__asset__mac - -view: events__security_result__about__asset__software__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "security_result" - label: "security_result.about.asset.software.permissions.description" - view_label: "UDM" - description: "Description of the permission (e.g. 'Ability to update detect rules')." - } # dimension description - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "security_result" - label: "security_result.about.asset.software.permissions.name" - view_label: "UDM" - description: "Name of the permission (e.g. chronicle.analyst.updateRule)." 
- } # dimension name - -} # view events__security_result__about__asset__software__permissions - -view: events__security_result__about__asset__software { - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "security_result" - label: "security_result.about.asset.software.name" - view_label: "UDM" - description: "The name of the software." - } # dimension name - - dimension: permissions { - hidden: yes - } # dimension permissions - - dimension: version { - type: string - sql: ${TABLE}.version ;; - group_label: "security_result" - label: "security_result.about.asset.software.version" - view_label: "UDM" - description: "The version of the software." - } # dimension version - -} # view events__security_result__about__asset__software - -view: events__security_result__about__asset__vulnerabilities { - dimension: cvss_base_score { - type: number - sql: ${TABLE}.cvss_base_score ;; - group_label: "security_result" - label: "security_result.about.asset.vulnerabilities.cvss_base_score" - view_label: "UDM" - description: "CVSS Base Score in the range of 0.0 to 10.0. Useful for sorting." - } # dimension cvss_base_score - -} # view events__security_result__about__asset__vulnerabilities - -view: events__security_result__about__domain__tech__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "security_result" - label: "security_result.about.domain.tech.attribute.permissions.description" - view_label: "UDM" - description: "Description of the permission (e.g. 'Ability to update detect rules')." 
- } # dimension description - -} # view events__security_result__about__domain__tech__attribute__permissions - -view: events__security_result__about__file__capabilities_tags { - dimension: events__security_result__about__file__capabilities_tags { - type: string - sql: ${TABLE} ;; - group_label: "security_result" - label: "security_result.about.file.capabilities_tags" - view_label: "UDM" - description: "Capabilities tags." - } # dimension events__security_result__about__file__capabilities_tags -} # view events__security_result__about__file__capabilities_tags - -view: events__security_result__about__file__names { - dimension: events__security_result__about__file__names { - type: string - sql: ${TABLE} ;; - group_label: "security_result" - label: "security_result.about.file.names" - view_label: "UDM" - description: "Names fields." - } # dimension events__security_result__about__file__names -} # view events__security_result__about__file__names - -view: events__security_result__about__investigation__comments { - dimension: events__security_result__about__investigation__comments { - type: string - sql: ${TABLE} ;; - group_label: "security_result" - label: "security_result.about.investigation.comments" - view_label: "UDM" - description: "Comment added by the Analyst." - } # dimension events__security_result__about__investigation__comments -} # view events__security_result__about__investigation__comments - -view: events__security_result__about__ip { - dimension: events__security_result__about__ip { - type: string - sql: ${TABLE} ;; - group_label: "security_result" - label: "security_result.about.ip" - view_label: "UDM" - description: "A list of IP addresses associated with a network connection." 
- } # dimension events__security_result__about__ip -} # view events__security_result__about__ip - -view: events__security_result__about__ip_location { - dimension: country_or_region { - type: string - sql: ${TABLE}.country_or_region ;; - group_label: "security_result" - group_item_label: "security_result.about.ip_location.country_or_region [D]" - label: "security_result.about.ip_location.country_or_region" - view_label: "UDM" - description: "The country or region. [D]: This field is deprecated and will be removed in a future release" - } # dimension country_or_region - -} # view events__security_result__about__ip_location - -view: events__security_result__about__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "security_result" - group_item_label: "security_result.about.labels.key [D]" - label: "security_result.about.labels.key" - view_label: "UDM" - description: "The key. [D]: This field is deprecated and will be removed in a future release" - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "security_result" - group_item_label: "security_result.about.labels.value [D]" - label: "security_result.about.labels.value" - view_label: "UDM" - description: "The value. [D]: This field is deprecated and will be removed in a future release" - } # dimension value - -} # view events__security_result__about__labels - -view: events__security_result__about__mac { - dimension: events__security_result__about__mac { - type: string - sql: ${TABLE} ;; - group_label: "security_result" - label: "security_result.about.mac" - view_label: "UDM" - description: "List of MAC addresses associated with a device." 
- } # dimension events__security_result__about__mac -} # view events__security_result__about__mac - -view: events__security_result__about__nat_ip { - dimension: events__security_result__about__nat_ip { - type: string - sql: ${TABLE} ;; - group_label: "security_result" - label: "security_result.about.nat_ip" - view_label: "UDM" - description: "A list of NAT translated IP addresses associated with a network connection." - } # dimension events__security_result__about__nat_ip -} # view events__security_result__about__nat_ip - -view: events__security_result__about__process__command_line_history { - dimension: events__security_result__about__process__command_line_history { - type: string - sql: ${TABLE} ;; - group_label: "security_result" - label: "security_result.about.process.command_line_history" - view_label: "UDM" - description: "The command line history of the process." - } # dimension events__security_result__about__process__command_line_history -} # view events__security_result__about__process__command_line_history - -view: events__security_result__about__resource__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "security_result" - label: "security_result.about.resource.attribute.labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "security_result" - label: "security_result.about.resource.attribute.labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view events__security_result__about__resource__attribute__labels - -view: events__security_result__about__resource_ancestors { - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "security_result" - label: "security_result.about.resource_ancestors.name" - view_label: "UDM" - description: "The full name of the resource. 
For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." - } # dimension name - - dimension: product_object_id { - type: string - sql: ${TABLE}.product_object_id ;; - group_label: "security_result" - label: "security_result.about.resource_ancestors.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" - } # dimension product_object_id - - dimension: resource_type { - type: number - sql: ${TABLE}.resource_type ;; - group_label: "security_result" - label: "security_result.about.resource_ancestors.resource_type" - view_label: "UDM" - description: "Resource type." - } # dimension resource_type - - dimension: resource_type_enum_name { - type: string - suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] - sql: CASE ${TABLE}.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; - group_label: "security_result" - label: "security_result.about.resource_ancestors.resource_type_enum_name" - view_label: "UDM" - description: "Resource type." 
- } # dimension resource_type_enum_name - -} # view events__security_result__about__resource_ancestors - -view: events__security_result__about__user__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "security_result" - label: "security_result.about.user.attribute.labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "security_result" - label: "security_result.about.user.attribute.labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view events__security_result__about__user__attribute__labels - -view: events__security_result__about__user__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "security_result" - label: "security_result.about.user.attribute.roles.description" - view_label: "UDM" - description: "System role description for user." - } # dimension description - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "security_result" - label: "security_result.about.user.attribute.roles.name" - view_label: "UDM" - description: "System role name for user." - } # dimension name - -} # view events__security_result__about__user__attribute__roles - -view: events__security_result__about__user__email_addresses { - dimension: events__security_result__about__user__email_addresses { - type: string - sql: ${TABLE} ;; - group_label: "security_result" - label: "security_result.about.user.email_addresses" - view_label: "UDM" - description: "Email addresses of the user." 
- } # dimension events__security_result__about__user__email_addresses -} # view events__security_result__about__user__email_addresses - -view: events__security_result__about__user__group_identifiers { - dimension: events__security_result__about__user__group_identifiers { - type: string - sql: ${TABLE} ;; - group_label: "security_result" - label: "security_result.about.user.group_identifiers" - view_label: "UDM" - description: "Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar)." - } # dimension events__security_result__about__user__group_identifiers -} # view events__security_result__about__user__group_identifiers - -view: events__security_result__about__user_management_chain { - dimension: userid { - type: string - sql: ${TABLE}.userid ;; - group_label: "security_result" - label: "security_result.about.user_management_chain.userid" - view_label: "UDM" - description: "The ID of the user." - } # dimension userid - -} # view events__security_result__about__user_management_chain - -view: events__security_result__action { - dimension: events__security_result__action { - type: number - sql: ${TABLE} ;; - group_label: "security_result" - label: "security_result.action" - view_label: "UDM" - description: "Actions taken for this event." 
- } # dimension events__security_result__action -} # view events__security_result__action - -view: events__security_result__action_enum_name { - dimension: events__security_result__action_enum_name { - type: string - suggestions: ["ALLOW", "ALLOW_WITH_MODIFICATION", "BLOCK", "CHALLENGE", "FAIL", "QUARANTINE", "UNKNOWN_ACTION"] - sql: CASE ${TABLE} WHEN 0 THEN 'UNKNOWN_ACTION' WHEN 1 THEN 'ALLOW' WHEN 2 THEN 'BLOCK' WHEN 3 THEN 'ALLOW_WITH_MODIFICATION' WHEN 4 THEN 'QUARANTINE' WHEN 5 THEN 'FAIL' WHEN 6 THEN 'CHALLENGE' END ;; - group_label: "security_result" - label: "security_result.action_enum_name" - view_label: "UDM" - description: "Actions taken for this event." - } # dimension events__security_result__action_enum_name -} # view events__security_result__action_enum_name - -view: events__security_result__attack_details__tactics { - dimension: id { - type: string - sql: ${TABLE}.id ;; - group_label: "security_result" - label: "security_result.attack_details.tactics.id" - view_label: "UDM" - description: "Tactic ID (e.g. \"TA0043\")." - } # dimension id - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "security_result" - label: "security_result.attack_details.tactics.name" - view_label: "UDM" - description: "Tactic Name (e.g. \"Reconnaissance\")" - } # dimension name - -} # view events__security_result__attack_details__tactics - -view: events__security_result__attack_details__techniques { - dimension: id { - type: string - sql: ${TABLE}.id ;; - group_label: "security_result" - label: "security_result.attack_details.techniques.id" - view_label: "UDM" - description: "Technique ID (e.g. \"T1595\")." - } # dimension id - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "security_result" - label: "security_result.attack_details.techniques.name" - view_label: "UDM" - description: "Technique Name (e.g. \"Active Scanning\")." 
- } # dimension name - - dimension: subtechnique_id { - type: string - sql: ${TABLE}.subtechnique_id ;; - group_label: "security_result" - label: "security_result.attack_details.techniques.subtechnique_id" - view_label: "UDM" - description: "Subtechnique ID (e.g. \"T1595.001\")." - } # dimension subtechnique_id - - dimension: subtechnique_name { - type: string - sql: ${TABLE}.subtechnique_name ;; - group_label: "security_result" - label: "security_result.attack_details.techniques.subtechnique_name" - view_label: "UDM" - description: "Subtechnique Name (e.g. \"Scanning IP Blocks\")." - } # dimension subtechnique_name - -} # view events__security_result__attack_details__techniques - -view: events__security_result__category { - dimension: events__security_result__category { - type: number - sql: ${TABLE} ;; - group_label: "security_result" - label: "security_result.category" - view_label: "UDM" - description: "The security category." - } # dimension events__security_result__category -} # view events__security_result__category - -view: events__security_result__category_enum_name { - dimension: events__security_result__category_enum_name { - type: string - suggestions: ["ACL_VIOLATION", "AUTH_VIOLATION", "DATA_AT_REST", "DATA_DESTRUCTION", "DATA_EXFILTRATION", "EXPLOIT", "MAIL_PHISHING", "MAIL_SPAM", "MAIL_SPOOFING", "NETWORK_CATEGORIZED_CONTENT", "NETWORK_COMMAND_AND_CONTROL", "NETWORK_DENIAL_OF_SERVICE", "NETWORK_MALICIOUS", "NETWORK_RECON", "NETWORK_SUSPICIOUS", "PHISHING", "POLICY_VIOLATION", "SOCIAL_ENGINEERING", "SOFTWARE_MALICIOUS", "SOFTWARE_PUA", "SOFTWARE_SUSPICIOUS", "TOR_EXIT_NODE", "UNKNOWN_CATEGORY"] - sql: CASE ${TABLE} WHEN 0 THEN 'UNKNOWN_CATEGORY' WHEN 10000 THEN 'SOFTWARE_MALICIOUS' WHEN 10100 THEN 'SOFTWARE_SUSPICIOUS' WHEN 10200 THEN 'SOFTWARE_PUA' WHEN 20000 THEN 'NETWORK_MALICIOUS' WHEN 20100 THEN 'NETWORK_SUSPICIOUS' WHEN 20200 THEN 'NETWORK_CATEGORIZED_CONTENT' WHEN 20300 THEN 'NETWORK_DENIAL_OF_SERVICE' WHEN 20400 THEN 'NETWORK_RECON' WHEN 
20500 THEN 'NETWORK_COMMAND_AND_CONTROL' WHEN 30000 THEN 'ACL_VIOLATION' WHEN 40000 THEN 'AUTH_VIOLATION' WHEN 50000 THEN 'EXPLOIT' WHEN 60000 THEN 'DATA_EXFILTRATION' WHEN 60100 THEN 'DATA_AT_REST' WHEN 60200 THEN 'DATA_DESTRUCTION' WHEN 60300 THEN 'TOR_EXIT_NODE' WHEN 70000 THEN 'MAIL_SPAM' WHEN 70100 THEN 'MAIL_PHISHING' WHEN 70200 THEN 'MAIL_SPOOFING' WHEN 80000 THEN 'POLICY_VIOLATION' WHEN 90001 THEN 'SOCIAL_ENGINEERING' WHEN 90002 THEN 'PHISHING' END ;; - group_label: "security_result" - label: "security_result.category_enum_name" - view_label: "UDM" - description: "The security category." - } # dimension events__security_result__category_enum_name -} # view events__security_result__category_enum_name - -view: events__security_result__category_details { - dimension: events__security_result__category_details { - type: string - sql: ${TABLE} ;; - group_label: "security_result" - label: "security_result.category_details" - view_label: "UDM" - description: "For vendor-specific categories. For web categorization, put type in here such as \"gambling\", \"porn\", etc." - } # dimension events__security_result__category_details -} # view events__security_result__category_details - -view: events__security_result__detection_fields { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "security_result" - label: "security_result.detection_fields.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: source { - type: string - sql: ${TABLE}.source ;; - group_label: "security_result" - label: "security_result.detection_fields.source" - view_label: "UDM" - description: "@hide_from_doc" - } # dimension source - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "security_result" - label: "security_result.detection_fields.value" - view_label: "UDM" - description: "The value." 
- } # dimension value - -} # view events__security_result__detection_fields - -view: events__security_result__outcomes { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "security_result" - label: "security_result.outcomes.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "security_result" - label: "security_result.outcomes.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view events__security_result__outcomes - -view: events__security_result__rule_labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "security_result" - label: "security_result.rule_labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "security_result" - label: "security_result.rule_labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view events__security_result__rule_labels - -view: events__security_result { - dimension: about { - hidden: yes - } # dimension about - - dimension: about__administrative_domain { - type: string - sql: ${TABLE}.about.administrative_domain ;; - group_label: "security_result" - label: "security_result.about.administrative_domain" - view_label: "UDM" - description: "Domain which the device belongs to (for example, the Microsoft Windows domain)." - } # dimension about__administrative_domain - - dimension: about__application { - type: string - sql: ${TABLE}.about.application ;; - group_label: "security_result" - label: "security_result.about.application" - view_label: "UDM" - description: "The name of an application or service. Some SSO solutions only capture the name of a target application such as \"Atlassian\" or \"Chronicle\"." 
- } # dimension about__application - - dimension: about__artifact { - hidden: yes - } # dimension about__artifact - - dimension_group: security_result__about__artifact__first_seen_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.about.artifact.first_seen_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.about.artifact.first_seen_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "security_result" - label: "security_result.about.artifact.first_seen_time" - view_label: "UDM" - description: "First seen timestamp of the IP in the customer's environment." - } # dimension security_result__about__artifact__first_seen_time - - dimension_group: security_result__about__artifact__last_seen_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.about.artifact.last_seen_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.about.artifact.last_seen_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "security_result" - label: "security_result.about.artifact.last_seen_time" - view_label: "UDM" - description: "Last seen timestamp of the IP address in the customer's environment." - } # dimension security_result__about__artifact__last_seen_time - - dimension: about__asset { - hidden: yes - } # dimension about__asset - - dimension: about__asset__asset_id { - type: string - sql: ${TABLE}.about.asset.asset_id ;; - group_label: "security_result" - label: "security_result.about.asset.asset_id" - view_label: "UDM" - description: "The asset ID." 
- } # dimension about__asset__asset_id - - dimension: about__asset__attribute { - hidden: yes - } # dimension about__asset__attribute - - dimension: about__asset__attribute__cloud { - hidden: yes - } # dimension about__asset__attribute__cloud - - dimension: about__asset__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.about.asset.attribute.cloud.availability_zone ;; - group_label: "security_result" - label: "security_result.about.asset.attribute.cloud.availability_zone" - view_label: "UDM" - description: "The cloud environment availability zone (different from region which is location.name)." - } # dimension about__asset__attribute__cloud__availability_zone - - dimension: about__asset__attribute__cloud__environment { - type: number - sql: ${TABLE}.about.asset.attribute.cloud.environment ;; - group_label: "security_result" - label: "security_result.about.asset.attribute.cloud.environment" - view_label: "UDM" - description: "The Cloud environment." - } # dimension about__asset__attribute__cloud__environment - - dimension: about__asset__attribute__cloud__environment_enum_name { - type: string - suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] - sql: CASE ${TABLE}.about.asset.attribute.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; - group_label: "security_result" - label: "security_result.about.asset.attribute.cloud.environment_enum_name" - view_label: "UDM" - description: "The Cloud environment." 
- } # dimension about__asset__attribute__cloud__environment_enum_name - - dimension: about__asset__attribute__cloud__project { - hidden: yes - } # dimension about__asset__attribute__cloud__project - - dimension: about__asset__attribute__cloud__project__id { - type: string - sql: ${TABLE}.about.asset.attribute.cloud.project.id ;; - group_label: "security_result" - group_item_label: "security_result.about.asset.attribute.cloud.project.id [D]" - label: "security_result.about.asset.attribute.cloud.project.id" - view_label: "UDM" - description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" - } # dimension about__asset__attribute__cloud__project__id - - dimension: about__asset__attribute__cloud__project__name { - type: string - sql: ${TABLE}.about.asset.attribute.cloud.project.name ;; - group_label: "security_result" - group_item_label: "security_result.about.asset.attribute.cloud.project.name [D]" - label: "security_result.about.asset.attribute.cloud.project.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension about__asset__attribute__cloud__project__name - - dimension: about__asset__attribute__cloud__project__product_object_id { - type: string - sql: ${TABLE}.about.asset.attribute.cloud.project.product_object_id ;; - group_label: "security_result" - group_item_label: "security_result.about.asset.attribute.cloud.project.product_object_id [D]" - label: "security_result.about.asset.attribute.cloud.project.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" - } # dimension about__asset__attribute__cloud__project__product_object_id - - dimension: about__asset__attribute__cloud__project__resource_type { - type: number - sql: ${TABLE}.about.asset.attribute.cloud.project.resource_type ;; - group_label: "security_result" - group_item_label: "security_result.about.asset.attribute.cloud.project.resource_type [D]" - label: "security_result.about.asset.attribute.cloud.project.resource_type" - view_label: "UDM" - description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension about__asset__attribute__cloud__project__resource_type - - dimension: about__asset__attribute__cloud__project__resource_type_enum_name { - type: string - suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] - sql: CASE ${TABLE}.about.asset.attribute.cloud.project.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; - group_label: "security_result" - group_item_label: "security_result.about.asset.attribute.cloud.project.resource_type_enum_name [D]" - label: "security_result.about.asset.attribute.cloud.project.resource_type_enum_name" - view_label: "UDM" - description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension about__asset__attribute__cloud__project__resource_type_enum_name - - dimension_group: security_result__about__asset__attribute__creation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.about.asset.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.about.asset.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "security_result" - label: "security_result.about.asset.attribute.creation_time" - view_label: "UDM" - description: "Time the resource or entity was created or provisioned." - } # dimension security_result__about__asset__attribute__creation_time - - dimension_group: security_result__about__asset__attribute__last_update_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.about.asset.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.about.asset.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "security_result" - label: "security_result.about.asset.attribute.last_update_time" - view_label: "UDM" - description: "Time the resource or entity was last updated." - } # dimension security_result__about__asset__attribute__last_update_time - - dimension: about__asset__attribute__permissions { - hidden: yes - } # dimension about__asset__attribute__permissions - - dimension: about__asset__category { - type: string - sql: ${TABLE}.about.asset.category ;; - group_label: "security_result" - label: "security_result.about.asset.category" - view_label: "UDM" - description: "The category of the asset (e.g. \"End User Asset\", \"Workstation\", \"Server\")." 
- } # dimension about__asset__category - - dimension: about__asset__hostname { - type: string - sql: ${TABLE}.about.asset.hostname ;; - group_label: "security_result" - label: "security_result.about.asset.hostname" - view_label: "UDM" - description: "Asset hostname or domain name field." - } # dimension about__asset__hostname - - dimension: about__asset__ip { - hidden: yes - } # dimension about__asset__ip - - dimension: about__asset__labels { - hidden: yes - } # dimension about__asset__labels - - dimension: about__asset__location { - hidden: yes - } # dimension about__asset__location - - dimension: about__asset__location__city { - type: string - sql: ${TABLE}.about.asset.location.city ;; - group_label: "security_result" - label: "security_result.about.asset.location.city" - view_label: "UDM" - description: "The city." - } # dimension about__asset__location__city - - dimension: about__asset__location__country_or_region { - type: string - sql: ${TABLE}.about.asset.location.country_or_region ;; - group_label: "security_result" - label: "security_result.about.asset.location.country_or_region" - view_label: "UDM" - description: "The country or region." - } # dimension about__asset__location__country_or_region - - dimension: about__asset__location__state { - type: string - sql: ${TABLE}.about.asset.location.state ;; - group_label: "security_result" - label: "security_result.about.asset.location.state" - view_label: "UDM" - description: "The state." - } # dimension about__asset__location__state - - dimension: about__asset__mac { - hidden: yes - } # dimension about__asset__mac - - dimension: about__asset__product_object_id { - type: string - sql: ${TABLE}.about.asset.product_object_id ;; - group_label: "security_result" - label: "security_result.about.asset.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID or similar)." 
- } # dimension about__asset__product_object_id - - dimension: about__asset__software { - hidden: yes - } # dimension about__asset__software - - dimension: about__asset__vulnerabilities { - hidden: yes - } # dimension about__asset__vulnerabilities - - dimension: about__asset_id { - type: string - sql: ${TABLE}.about.asset_id ;; - group_label: "security_result" - label: "security_result.about.asset_id" - view_label: "UDM" - description: "The asset ID." - } # dimension about__asset_id - - dimension: about__cloud { - hidden: yes - } # dimension about__cloud - - dimension: about__cloud__availability_zone { - type: string - sql: ${TABLE}.about.cloud.availability_zone ;; - group_label: "security_result" - group_item_label: "security_result.about.cloud.availability_zone [D]" - label: "security_result.about.cloud.availability_zone" - view_label: "UDM" - description: "The cloud environment availability zone (different from region which is location.name). [D]: This field is deprecated and will be removed in a future release" - } # dimension about__cloud__availability_zone - - dimension: about__cloud__project { - hidden: yes - } # dimension about__cloud__project - - dimension: about__cloud__project__id { - type: string - sql: ${TABLE}.about.cloud.project.id ;; - group_label: "security_result" - group_item_label: "security_result.about.cloud.project.id [D]" - label: "security_result.about.cloud.project.id" - view_label: "UDM" - description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" - } # dimension about__cloud__project__id - - dimension: about__cloud__project__name { - type: string - sql: ${TABLE}.about.cloud.project.name ;; - group_label: "security_result" - group_item_label: "security_result.about.cloud.project.name [D]" - label: "security_result.about.cloud.project.name" - view_label: "UDM" - description: "The full name of the resource. 
For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" - } # dimension about__cloud__project__name - - dimension: about__cloud__project__parent { - type: string - sql: ${TABLE}.about.cloud.project.parent ;; - group_label: "security_result" - group_item_label: "security_result.about.cloud.project.parent [D]" - label: "security_result.about.cloud.project.parent" - view_label: "UDM" - description: "The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: use resource_ancestors.name. [D]: This field is deprecated and will be removed in a future release" - } # dimension about__cloud__project__parent - - dimension: about__cloud__project__product_object_id { - type: string - sql: ${TABLE}.about.cloud.project.product_object_id ;; - group_label: "security_result" - group_item_label: "security_result.about.cloud.project.product_object_id [D]" - label: "security_result.about.cloud.project.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" - } # dimension about__cloud__project__product_object_id - - dimension: about__domain { - hidden: yes - } # dimension about__domain - - dimension: about__domain__admin { - hidden: yes - } # dimension about__domain__admin - - dimension: about__domain__admin__userid { - type: string - sql: ${TABLE}.about.domain.admin.userid ;; - group_label: "security_result" - label: "security_result.about.domain.admin.userid" - view_label: "UDM" - description: "The ID of the user." 
- } # dimension about__domain__admin__userid - - dimension: about__domain__registrant { - hidden: yes - } # dimension about__domain__registrant - - dimension: about__domain__registrant__role_description { - type: string - sql: ${TABLE}.about.domain.registrant.role_description ;; - group_label: "security_result" - group_item_label: "security_result.about.domain.registrant.role_description [D]" - label: "security_result.about.domain.registrant.role_description" - view_label: "UDM" - description: "System role description for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" - } # dimension about__domain__registrant__role_description - - dimension: about__domain__tech { - hidden: yes - } # dimension about__domain__tech - - dimension: about__domain__tech__attribute { - hidden: yes - } # dimension about__domain__tech__attribute - - dimension: about__domain__tech__attribute__permissions { - hidden: yes - } # dimension about__domain__tech__attribute__permissions - - dimension: about__email { - type: string - sql: ${TABLE}.about.email ;; - group_label: "security_result" - label: "security_result.about.email" - view_label: "UDM" - description: "Email address. Only filled in for security_result.about" - } # dimension about__email - - dimension: about__file { - hidden: yes - } # dimension about__file - - dimension: about__file__ahash { - type: string - sql: ${TABLE}.about.file.ahash ;; - group_label: "security_result" - group_item_label: "security_result.about.file.ahash [D]" - label: "security_result.about.file.ahash" - view_label: "UDM" - description: "Deprecated. Use authentihash instead. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension about__file__ahash - - dimension: about__file__capabilities_tags { - hidden: yes - } # dimension about__file__capabilities_tags - - dimension: about__file__full_path { - type: string - sql: ${TABLE}.about.file.full_path ;; - group_label: "security_result" - label: "security_result.about.file.full_path" - view_label: "UDM" - description: "The full path identifying the location of the file on the system." - } # dimension about__file__full_path - - dimension_group: security_result__about__file__last_modification_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.about.file.last_modification_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.about.file.last_modification_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "security_result" - label: "security_result.about.file.last_modification_time" - view_label: "UDM" - description: "Timestamp when the file was last updated." - } # dimension security_result__about__file__last_modification_time - - dimension: about__file__md5 { - type: string - sql: ${TABLE}.about.file.md5 ;; - group_label: "security_result" - label: "security_result.about.file.md5" - view_label: "UDM" - description: "The MD5 hash of the file." - } # dimension about__file__md5 - - dimension: about__file__mime_type { - type: string - sql: ${TABLE}.about.file.mime_type ;; - group_label: "security_result" - label: "security_result.about.file.mime_type" - view_label: "UDM" - description: "The MIME (Multipurpose Internet Mail Extensions) type of the file, for example \"PE\", \"PDF\", \"powershell script\", etc." 
- } # dimension about__file__mime_type - - dimension: about__file__names { - hidden: yes - } # dimension about__file__names - - dimension: about__file__sha1 { - type: string - sql: ${TABLE}.about.file.sha1 ;; - group_label: "security_result" - label: "security_result.about.file.sha1" - view_label: "UDM" - description: "The SHA1 hash of the file." - } # dimension about__file__sha1 - - dimension: about__file__sha256 { - type: string - sql: ${TABLE}.about.file.sha256 ;; - group_label: "security_result" - label: "security_result.about.file.sha256" - view_label: "UDM" - description: "The SHA256 hash of the file." - } # dimension about__file__sha256 - - dimension: about__file__size { - type: number - sql: ${TABLE}.about.file.size ;; - group_label: "security_result" - label: "security_result.about.file.size" - view_label: "UDM" - description: "The size of the file in bytes." - } # dimension about__file__size - - dimension: about__file__ssdeep { - type: string - sql: ${TABLE}.about.file.ssdeep ;; - group_label: "security_result" - label: "security_result.about.file.ssdeep" - view_label: "UDM" - description: "Ssdeep of the file" - } # dimension about__file__ssdeep - - dimension: about__group { - hidden: yes - } # dimension about__group - - dimension: about__group__group_display_name { - type: string - sql: ${TABLE}.about.group.group_display_name ;; - group_label: "security_result" - label: "security_result.about.group.group_display_name" - view_label: "UDM" - description: "Group display name. e.g. \"Finance\"." - } # dimension about__group__group_display_name - - dimension: about__group__product_object_id { - type: string - sql: ${TABLE}.about.group.product_object_id ;; - group_label: "security_result" - label: "security_result.about.group.product_object_id" - view_label: "UDM" - description: "Product globally unique user object identifier, such as an LDAP Object Identifier." 
- } # dimension about__group__product_object_id - - dimension: about__hostname { - type: string - sql: ${TABLE}.about.hostname ;; - group_label: "security_result" - label: "security_result.about.hostname" - view_label: "UDM" - description: "Client hostname or domain name field. Hostname also doubles as the domain for remote entities." - } # dimension about__hostname - - dimension: about__investigation { - hidden: yes - } # dimension about__investigation - - dimension: about__investigation__comments { - hidden: yes - } # dimension about__investigation__comments - - dimension: about__investigation__risk_score { - type: number - sql: ${TABLE}.about.investigation.risk_score ;; - group_label: "security_result" - label: "security_result.about.investigation.risk_score" - view_label: "UDM" - description: "Risk score for a finding set by an analyst." - } # dimension about__investigation__risk_score - - dimension: about__investigation__root_cause { - type: string - sql: ${TABLE}.about.investigation.root_cause ;; - group_label: "security_result" - label: "security_result.about.investigation.root_cause" - view_label: "UDM" - description: "Root cause of the Alert or Finding set by analyst." - } # dimension about__investigation__root_cause - - dimension: about__investigation__severity_score { - type: number - sql: ${TABLE}.about.investigation.severity_score ;; - group_label: "security_result" - label: "security_result.about.investigation.severity_score" - view_label: "UDM" - description: "Severity score for a finding set by an analyst." - } # dimension about__investigation__severity_score - - dimension: about__investigation__status { - type: number - sql: ${TABLE}.about.investigation.status ;; - group_label: "security_result" - label: "security_result.about.investigation.status" - view_label: "UDM" - description: "Describes the workflow status of a finding." 
- } # dimension about__investigation__status - - dimension: about__investigation__status_enum_name { - type: string - suggestions: ["CLOSED", "NEW", "OPEN", "REVIEWED", "STATUS_UNSPECIFIED"] - sql: CASE ${TABLE}.about.investigation.status WHEN 0 THEN 'STATUS_UNSPECIFIED' WHEN 1 THEN 'NEW' WHEN 2 THEN 'REVIEWED' WHEN 3 THEN 'CLOSED' WHEN 4 THEN 'OPEN' END ;; - group_label: "security_result" - label: "security_result.about.investigation.status_enum_name" - view_label: "UDM" - description: "Describes the workflow status of a finding." - } # dimension about__investigation__status_enum_name - - dimension: about__investigation__verdict { - type: number - sql: ${TABLE}.about.investigation.verdict ;; - group_label: "security_result" - label: "security_result.about.investigation.verdict" - view_label: "UDM" - description: "Describes reason a finding investigation was resolved." - } # dimension about__investigation__verdict - - dimension: about__investigation__verdict_enum_name { - type: string - suggestions: ["FALSE_POSITIVE", "TRUE_POSITIVE", "VERDICT_UNSPECIFIED"] - sql: CASE ${TABLE}.about.investigation.verdict WHEN 0 THEN 'VERDICT_UNSPECIFIED' WHEN 1 THEN 'TRUE_POSITIVE' WHEN 2 THEN 'FALSE_POSITIVE' END ;; - group_label: "security_result" - label: "security_result.about.investigation.verdict_enum_name" - view_label: "UDM" - description: "Describes reason a finding investigation was resolved." - } # dimension about__investigation__verdict_enum_name - - dimension: about__ip { - hidden: yes - } # dimension about__ip - - dimension: about__ip_location { - hidden: yes - } # dimension about__ip_location - - dimension: about__labels { - hidden: yes - } # dimension about__labels - - dimension: about__location { - hidden: yes - } # dimension about__location - - dimension: about__location__city { - type: string - sql: ${TABLE}.about.location.city ;; - group_label: "security_result" - label: "security_result.about.location.city" - view_label: "UDM" - description: "The city." 
- } # dimension about__location__city - - dimension: about__location__country_or_region { - type: string - sql: ${TABLE}.about.location.country_or_region ;; - group_label: "security_result" - label: "security_result.about.location.country_or_region" - view_label: "UDM" - description: "The country or region." - } # dimension about__location__country_or_region - - dimension: about__location__name { - type: string - sql: ${TABLE}.about.location.name ;; - group_label: "security_result" - label: "security_result.about.location.name" - view_label: "UDM" - description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." - } # dimension about__location__name - - dimension: about__location__state { - type: string - sql: ${TABLE}.about.location.state ;; - group_label: "security_result" - label: "security_result.about.location.state" - view_label: "UDM" - description: "The state." - } # dimension about__location__state - - dimension: about__mac { - hidden: yes - } # dimension about__mac - - dimension: about__namespace { - type: string - sql: ${TABLE}.about.namespace ;; - group_label: "security_result" - label: "security_result.about.namespace" - view_label: "UDM" - description: "Namespace which the device belongs to (e.g. AD forest) Uses for this field include Microsoft Windows AD forest, name of subsidiary or acquisition, etc." - } # dimension about__namespace - - dimension: about__nat_ip { - hidden: yes - } # dimension about__nat_ip - - dimension: about__object_reference { - hidden: yes - } # dimension about__object_reference - - dimension: about__object_reference__id { - type: string - sql: ${TABLE}.about.object_reference.id ;; - group_label: "security_result" - label: "security_result.about.object_reference.id" - view_label: "UDM" - description: "Full raw ID." 
- } # dimension about__object_reference__id - - dimension: about__platform { - type: number - sql: ${TABLE}.about.platform ;; - group_label: "security_result" - label: "security_result.about.platform" - view_label: "UDM" - description: "Platform." - } # dimension about__platform - - dimension: about__platform_enum_name { - type: string - suggestions: ["ANDROID", "AWS", "AZURE", "CHROME_OS", "GCP", "IOS", "LINUX", "MAC", "UNKNOWN_PLATFORM", "WINDOWS"] - sql: CASE ${TABLE}.about.platform WHEN 0 THEN 'UNKNOWN_PLATFORM' WHEN 1 THEN 'WINDOWS' WHEN 2 THEN 'MAC' WHEN 3 THEN 'LINUX' WHEN 4 THEN 'GCP' WHEN 5 THEN 'AWS' WHEN 6 THEN 'AZURE' WHEN 7 THEN 'IOS' WHEN 8 THEN 'ANDROID' WHEN 9 THEN 'CHROME_OS' END ;; - group_label: "security_result" - label: "security_result.about.platform_enum_name" - view_label: "UDM" - description: "Platform." - } # dimension about__platform_enum_name - - dimension: about__platform_version { - type: string - sql: ${TABLE}.about.platform_version ;; - group_label: "security_result" - label: "security_result.about.platform_version" - view_label: "UDM" - description: "Platform version. For example, \"Microsoft Windows 1803\"." - } # dimension about__platform_version - - dimension: about__port { - type: number - value_format: "#" - sql: ${TABLE}.about.port ;; - group_label: "security_result" - label: "security_result.about.port" - view_label: "UDM" - description: "Source or destination network port number when a specific network connection is described within an event." - } # dimension about__port - - dimension: about__process { - hidden: yes - } # dimension about__process - - dimension: about__process__command_line { - type: string - sql: ${TABLE}.about.process.command_line ;; - group_label: "security_result" - label: "security_result.about.process.command_line" - view_label: "UDM" - description: "The command line command that created the process." 
- } # dimension about__process__command_line - - dimension: about__process__command_line_history { - hidden: yes - } # dimension about__process__command_line_history - - dimension: about__process__file { - hidden: yes - } # dimension about__process__file - - dimension: about__process__file__full_path { - type: string - sql: ${TABLE}.about.process.file.full_path ;; - group_label: "security_result" - label: "security_result.about.process.file.full_path" - view_label: "UDM" - description: "The full path identifying the location of the file on the system." - } # dimension about__process__file__full_path - - dimension: about__process__file__md5 { - type: string - sql: ${TABLE}.about.process.file.md5 ;; - group_label: "security_result" - label: "security_result.about.process.file.md5" - view_label: "UDM" - description: "The MD5 hash of the file." - } # dimension about__process__file__md5 - - dimension: about__process__file__sha256 { - type: string - sql: ${TABLE}.about.process.file.sha256 ;; - group_label: "security_result" - label: "security_result.about.process.file.sha256" - view_label: "UDM" - description: "The SHA256 hash of the file." - } # dimension about__process__file__sha256 - - dimension: about__process__parent_pid { - type: string - sql: ${TABLE}.about.process.parent_pid ;; - group_label: "security_result" - group_item_label: "security_result.about.process.parent_pid [D]" - label: "security_result.about.process.parent_pid" - view_label: "UDM" - description: "The ID of the parent process. Deprecated: use parent_process.pid instead. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension about__process__parent_pid - - dimension: about__process__parent_process { - hidden: yes - } # dimension about__process__parent_process - - dimension: about__process__parent_process__pid { - type: string - sql: ${TABLE}.about.process.parent_process.pid ;; - group_label: "security_result" - label: "security_result.about.process.parent_process.pid" - view_label: "UDM" - description: "The process ID." - } # dimension about__process__parent_process__pid - - dimension: about__process__pid { - type: string - sql: ${TABLE}.about.process.pid ;; - group_label: "security_result" - label: "security_result.about.process.pid" - view_label: "UDM" - description: "The process ID." - } # dimension about__process__pid - - dimension: about__process__product_specific_process_id { - type: string - sql: ${TABLE}.about.process.product_specific_process_id ;; - group_label: "security_result" - label: "security_result.about.process.product_specific_process_id" - view_label: "UDM" - description: "A product specific process id." - } # dimension about__process__product_specific_process_id - - dimension: about__registry { - hidden: yes - } # dimension about__registry - - dimension: about__registry__registry_key { - type: string - sql: ${TABLE}.about.registry.registry_key ;; - group_label: "security_result" - label: "security_result.about.registry.registry_key" - view_label: "UDM" - description: "Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...)." - } # dimension about__registry__registry_key - - dimension: about__registry__registry_value_data { - type: string - sql: ${TABLE}.about.registry.registry_value_data ;; - group_label: "security_result" - label: "security_result.about.registry.registry_value_data" - view_label: "UDM" - description: "Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp)." 
- } # dimension about__registry__registry_value_data - - dimension: about__resource { - hidden: yes - } # dimension about__resource - - dimension: about__resource__attribute { - hidden: yes - } # dimension about__resource__attribute - - dimension_group: security_result__about__resource__attribute__creation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.about.resource.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.about.resource.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "security_result" - label: "security_result.about.resource.attribute.creation_time" - view_label: "UDM" - description: "Time the resource or entity was created or provisioned." - } # dimension security_result__about__resource__attribute__creation_time - - dimension: about__resource__attribute__labels { - hidden: yes - } # dimension about__resource__attribute__labels - - dimension_group: security_result__about__resource__attribute__last_update_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.about.resource.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.about.resource.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "security_result" - label: "security_result.about.resource.attribute.last_update_time" - view_label: "UDM" - description: "Time the resource or entity was last updated." - } # dimension security_result__about__resource__attribute__last_update_time - - dimension: about__resource__id { - type: string - sql: ${TABLE}.about.resource.id ;; - group_label: "security_result" - group_item_label: "security_result.about.resource.id [D]" - label: "security_result.about.resource.id" - view_label: "UDM" - description: "Deprecated: Use resource.name or resource.product_object_id. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension about__resource__id - - dimension: about__resource__name { - type: string - sql: ${TABLE}.about.resource.name ;; - group_label: "security_result" - label: "security_result.about.resource.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." - } # dimension about__resource__name - - dimension: about__resource__parent { - type: string - sql: ${TABLE}.about.resource.parent ;; - group_label: "security_result" - group_item_label: "security_result.about.resource.parent [D]" - label: "security_result.about.resource.parent" - view_label: "UDM" - description: "The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: use resource_ancestors.name. [D]: This field is deprecated and will be removed in a future release" - } # dimension about__resource__parent - - dimension: about__resource__product_object_id { - type: string - sql: ${TABLE}.about.resource.product_object_id ;; - group_label: "security_result" - label: "security_result.about.resource.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" - } # dimension about__resource__product_object_id - - dimension: about__resource__resource_subtype { - type: string - sql: ${TABLE}.about.resource.resource_subtype ;; - group_label: "security_result" - label: "security_result.about.resource.resource_subtype" - view_label: "UDM" - description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\")." 
- } # dimension about__resource__resource_subtype - - dimension: about__resource__resource_type { - type: number - sql: ${TABLE}.about.resource.resource_type ;; - group_label: "security_result" - label: "security_result.about.resource.resource_type" - view_label: "UDM" - description: "Resource type." - } # dimension about__resource__resource_type - - dimension: about__resource__resource_type_enum_name { - type: string - suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] - sql: CASE ${TABLE}.about.resource.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; - group_label: "security_result" - label: "security_result.about.resource.resource_type_enum_name" - view_label: "UDM" - description: "Resource type." - } # dimension about__resource__resource_type_enum_name - - dimension: about__resource__type { - type: string - sql: ${TABLE}.about.resource.type ;; - group_label: "security_result" - group_item_label: "security_result.about.resource.type [D]" - label: "security_result.about.resource.type" - view_label: "UDM" - description: "Deprecated: use resource_type instead. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension about__resource__type - - dimension: about__resource_ancestors { - hidden: yes - } # dimension about__resource_ancestors - - dimension: about__url { - type: string - sql: ${TABLE}.about.url ;; - group_label: "security_result" - label: "security_result.about.url" - view_label: "UDM" - description: "The URL." - } # dimension about__url - - dimension: about__user { - hidden: yes - } # dimension about__user - - dimension: about__user__attribute { - hidden: yes - } # dimension about__user__attribute - - dimension: about__user__attribute__cloud { - hidden: yes - } # dimension about__user__attribute__cloud - - dimension: about__user__attribute__cloud__environment { - type: number - sql: ${TABLE}.about.user.attribute.cloud.environment ;; - group_label: "security_result" - label: "security_result.about.user.attribute.cloud.environment" - view_label: "UDM" - description: "The Cloud environment." - } # dimension about__user__attribute__cloud__environment - - dimension: about__user__attribute__cloud__environment_enum_name { - type: string - suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] - sql: CASE ${TABLE}.about.user.attribute.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; - group_label: "security_result" - label: "security_result.about.user.attribute.cloud.environment_enum_name" - view_label: "UDM" - description: "The Cloud environment." 
- } # dimension about__user__attribute__cloud__environment_enum_name - - dimension: about__user__attribute__cloud__project { - hidden: yes - } # dimension about__user__attribute__cloud__project - - dimension: about__user__attribute__cloud__project__id { - type: string - sql: ${TABLE}.about.user.attribute.cloud.project.id ;; - group_label: "security_result" - group_item_label: "security_result.about.user.attribute.cloud.project.id [D]" - label: "security_result.about.user.attribute.cloud.project.id" - view_label: "UDM" - description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" - } # dimension about__user__attribute__cloud__project__id - - dimension: about__user__attribute__cloud__project__name { - type: string - sql: ${TABLE}.about.user.attribute.cloud.project.name ;; - group_label: "security_result" - group_item_label: "security_result.about.user.attribute.cloud.project.name [D]" - label: "security_result.about.user.attribute.cloud.project.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" - } # dimension about__user__attribute__cloud__project__name - - dimension: about__user__attribute__cloud__project__resource_type { - type: number - sql: ${TABLE}.about.user.attribute.cloud.project.resource_type ;; - group_label: "security_result" - group_item_label: "security_result.about.user.attribute.cloud.project.resource_type [D]" - label: "security_result.about.user.attribute.cloud.project.resource_type" - view_label: "UDM" - description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension about__user__attribute__cloud__project__resource_type - - dimension: about__user__attribute__cloud__project__resource_type_enum_name { - type: string - suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] - sql: CASE ${TABLE}.about.user.attribute.cloud.project.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; - group_label: "security_result" - group_item_label: "security_result.about.user.attribute.cloud.project.resource_type_enum_name [D]" - label: "security_result.about.user.attribute.cloud.project.resource_type_enum_name" - view_label: "UDM" - description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension about__user__attribute__cloud__project__resource_type_enum_name - - dimension_group: security_result__about__user__attribute__creation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.about.user.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.about.user.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "security_result" - label: "security_result.about.user.attribute.creation_time" - view_label: "UDM" - description: "Time the resource or entity was created or provisioned." - } # dimension security_result__about__user__attribute__creation_time - - dimension: about__user__attribute__labels { - hidden: yes - } # dimension about__user__attribute__labels - - dimension_group: security_result__about__user__attribute__last_update_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.about.user.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.about.user.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "security_result" - label: "security_result.about.user.attribute.last_update_time" - view_label: "UDM" - description: "Time the resource or entity was last updated." 
- } # dimension security_result__about__user__attribute__last_update_time - - dimension: about__user__attribute__roles { - hidden: yes - } # dimension about__user__attribute__roles - - dimension: about__user__email_addresses { - hidden: yes - } # dimension about__user__email_addresses - - dimension: about__user__group_identifiers { - hidden: yes - } # dimension about__user__group_identifiers - - dimension: about__user__product_object_id { - type: string - sql: ${TABLE}.about.user.product_object_id ;; - group_label: "security_result" - label: "security_result.about.user.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." - } # dimension about__user__product_object_id - - dimension: about__user__role_description { - type: string - sql: ${TABLE}.about.user.role_description ;; - group_label: "security_result" - group_item_label: "security_result.about.user.role_description [D]" - label: "security_result.about.user.role_description" - view_label: "UDM" - description: "System role description for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" - } # dimension about__user__role_description - - dimension: about__user__user_authentication_status { - type: number - sql: ${TABLE}.about.user.user_authentication_status ;; - group_label: "security_result" - label: "security_result.about.user.user_authentication_status" - view_label: "UDM" - description: "System authentication status for user." 
- } # dimension about__user__user_authentication_status - - dimension: about__user__user_authentication_status_enum_name { - type: string - suggestions: ["ACTIVE", "DELETED", "NO_ACTIVE_CREDENTIALS", "SUSPENDED", "UNKNOWN_AUTHENTICATION_STATUS"] - sql: CASE ${TABLE}.about.user.user_authentication_status WHEN 0 THEN 'UNKNOWN_AUTHENTICATION_STATUS' WHEN 1 THEN 'ACTIVE' WHEN 2 THEN 'SUSPENDED' WHEN 3 THEN 'NO_ACTIVE_CREDENTIALS' WHEN 4 THEN 'DELETED' END ;; - group_label: "security_result" - label: "security_result.about.user.user_authentication_status_enum_name" - view_label: "UDM" - description: "System authentication status for user." - } # dimension about__user__user_authentication_status_enum_name - - dimension: about__user__user_display_name { - type: string - sql: ${TABLE}.about.user.user_display_name ;; - group_label: "security_result" - label: "security_result.about.user.user_display_name" - view_label: "UDM" - description: "The display name of the user (e.g. \"John Locke\")." - } # dimension about__user__user_display_name - - dimension: about__user__userid { - type: string - sql: ${TABLE}.about.user.userid ;; - group_label: "security_result" - label: "security_result.about.user.userid" - view_label: "UDM" - description: "The ID of the user." - } # dimension about__user__userid - - dimension: about__user_management_chain { - hidden: yes - } # dimension about__user_management_chain - - dimension: action { - hidden: yes - } # dimension action - - dimension: action_enum_name { - hidden: yes - } # dimension action_enum_name - - dimension: action_details { - type: string - sql: ${TABLE}.action_details ;; - group_label: "security_result" - label: "security_result.action_details" - view_label: "UDM" - description: "The detail of the action taken as provided by the vendor." 
- } # dimension action_details - - dimension: alert_state { - type: number - sql: ${TABLE}.alert_state ;; - group_label: "security_result" - label: "security_result.alert_state" - view_label: "UDM" - description: "The alerting types of this security result." - } # dimension alert_state - - dimension: alert_state_enum_name { - type: string - suggestions: ["ALERTING", "NOT_ALERTING", "UNSPECIFIED"] - sql: CASE ${TABLE}.alert_state WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'NOT_ALERTING' WHEN 2 THEN 'ALERTING' END ;; - group_label: "security_result" - label: "security_result.alert_state_enum_name" - view_label: "UDM" - description: "The alerting types of this security result." - } # dimension alert_state_enum_name - - dimension: attack_details { - hidden: yes - } # dimension attack_details - - dimension: attack_details__tactics { - hidden: yes - } # dimension attack_details__tactics - - dimension: attack_details__techniques { - hidden: yes - } # dimension attack_details__techniques - - dimension: attack_details__version { - type: string - sql: ${TABLE}.attack_details.version ;; - group_label: "security_result" - label: "security_result.attack_details.version" - view_label: "UDM" - description: "ATT&CK version (e.g. 12.1)." - } # dimension attack_details__version - - dimension: category { - hidden: yes - } # dimension category - - dimension: category_enum_name { - hidden: yes - } # dimension category_enum_name - - dimension: category_details { - hidden: yes - } # dimension category_details - - dimension: confidence { - type: number - sql: ${TABLE}.confidence ;; - group_label: "security_result" - label: "security_result.confidence" - view_label: "UDM" - description: "The confidence level of the result as estimated by the product." 
- } # dimension confidence - - dimension: confidence_enum_name { - type: string - suggestions: ["HIGH_CONFIDENCE", "LOW_CONFIDENCE", "MEDIUM_CONFIDENCE", "UNKNOWN_CONFIDENCE"] - sql: CASE ${TABLE}.confidence WHEN 0 THEN 'UNKNOWN_CONFIDENCE' WHEN 200 THEN 'LOW_CONFIDENCE' WHEN 300 THEN 'MEDIUM_CONFIDENCE' WHEN 400 THEN 'HIGH_CONFIDENCE' END ;; - group_label: "security_result" - label: "security_result.confidence_enum_name" - view_label: "UDM" - description: "The confidence level of the result as estimated by the product." - } # dimension confidence_enum_name - - dimension: confidence_details { - type: string - sql: ${TABLE}.confidence_details ;; - group_label: "security_result" - label: "security_result.confidence_details" - view_label: "UDM" - description: "Additional detail with regards to the confidence of a security event as estimated by the product vendor." - } # dimension confidence_details - - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "security_result" - label: "security_result.description" - view_label: "UDM" - description: "A human readable description (e.g. \"user password was wrong\")" - } # dimension description - - dimension: detection_fields { - hidden: yes - } # dimension detection_fields - - dimension: outcomes { - hidden: yes - } # dimension outcomes - - dimension: priority { - type: number - sql: ${TABLE}.priority ;; - group_label: "security_result" - label: "security_result.priority" - view_label: "UDM" - description: "The priority of the result." 
- } # dimension priority - - dimension: priority_enum_name { - type: string - suggestions: ["HIGH_PRIORITY", "LOW_PRIORITY", "MEDIUM_PRIORITY", "UNKNOWN_PRIORITY"] - sql: CASE ${TABLE}.priority WHEN 0 THEN 'UNKNOWN_PRIORITY' WHEN 200 THEN 'LOW_PRIORITY' WHEN 300 THEN 'MEDIUM_PRIORITY' WHEN 400 THEN 'HIGH_PRIORITY' END ;; - group_label: "security_result" - label: "security_result.priority_enum_name" - view_label: "UDM" - description: "The priority of the result." - } # dimension priority_enum_name - - dimension: priority_details { - type: string - sql: ${TABLE}.priority_details ;; - group_label: "security_result" - label: "security_result.priority_details" - view_label: "UDM" - description: "Vendor-specific information about the security result priority." - } # dimension priority_details - - dimension: rule_author { - type: string - sql: ${TABLE}.rule_author ;; - group_label: "security_result" - label: "security_result.rule_author" - view_label: "UDM" - description: "Author of the security rule." - } # dimension rule_author - - dimension: rule_id { - type: string - sql: ${TABLE}.rule_id ;; - group_label: "security_result" - label: "security_result.rule_id" - view_label: "UDM" - description: "A vendor-specific ID and name for a rule, varying by observerer type (e.g. \"08123\", \"5d2b44d0-5ef6-40f5-a704-47d61d3babbe\")." - } # dimension rule_id - - dimension: rule_labels { - hidden: yes - } # dimension rule_labels - - dimension: rule_name { - type: string - sql: ${TABLE}.rule_name ;; - group_label: "security_result" - label: "security_result.rule_name" - view_label: "UDM" - description: "Name of the security rule (e.g. \"BlockInboundToOracle\")." - } # dimension rule_name - - dimension: rule_set { - type: string - sql: ${TABLE}.rule_set ;; - group_label: "security_result" - label: "security_result.rule_set" - view_label: "UDM" - description: "The result's rule set identifier. (e.g. 
\"windows-threats\")" - } # dimension rule_set - - dimension: rule_set_display_name { - type: string - sql: ${TABLE}.rule_set_display_name ;; - group_label: "security_result" - label: "security_result.rule_set_display_name" - view_label: "UDM" - description: "The result's rule set display name. (e.g. \"Windows Threats\")" - } # dimension rule_set_display_name - - dimension: rule_type { - type: string - sql: ${TABLE}.rule_type ;; - group_label: "security_result" - label: "security_result.rule_type" - view_label: "UDM" - description: "The type of security rule." - } # dimension rule_type - - dimension: rule_version { - type: string - sql: ${TABLE}.rule_version ;; - group_label: "security_result" - label: "security_result.rule_version" - view_label: "UDM" - description: "Version of the security rule. (e.g. \"v1.1\", \"00001\", \"1604709794\", \"2020-11-16T23:04:19+00:00\"). Note that rule versions are source-dependant and lexical ordering should not be assumed." - } # dimension rule_version - - dimension: severity { - type: number - sql: ${TABLE}.severity ;; - group_label: "security_result" - label: "security_result.severity" - view_label: "UDM" - description: "The severity of the result." - } # dimension severity - - dimension: severity_enum_name { - type: string - suggestions: ["CRITICAL", "ERROR", "HIGH", "INFORMATIONAL", "LOW", "MEDIUM", "UNKNOWN_SEVERITY"] - sql: CASE ${TABLE}.severity WHEN 0 THEN 'UNKNOWN_SEVERITY' WHEN 100 THEN 'INFORMATIONAL' WHEN 150 THEN 'ERROR' WHEN 200 THEN 'LOW' WHEN 300 THEN 'MEDIUM' WHEN 400 THEN 'HIGH' WHEN 500 THEN 'CRITICAL' END ;; - group_label: "security_result" - label: "security_result.severity_enum_name" - view_label: "UDM" - description: "The severity of the result." - } # dimension severity_enum_name - - dimension: severity_details { - type: string - sql: ${TABLE}.severity_details ;; - group_label: "security_result" - label: "security_result.severity_details" - view_label: "UDM" - description: "Vendor-specific severity." 
- } # dimension severity_details - - dimension: summary { - type: string - sql: ${TABLE}.summary ;; - group_label: "security_result" - label: "security_result.summary" - view_label: "UDM" - description: "A human readable summary (e.g. \"failed login occurred\")" - } # dimension summary - - dimension: threat_feed_name { - type: string - sql: ${TABLE}.threat_feed_name ;; - group_label: "security_result" - label: "security_result.threat_feed_name" - view_label: "UDM" - description: "Vendor feed name for a threat indicator feed." - } # dimension threat_feed_name - - dimension: threat_id { - type: string - sql: ${TABLE}.threat_id ;; - group_label: "security_result" - label: "security_result.threat_id" - view_label: "UDM" - description: "Vendor-specific ID for a threat." - } # dimension threat_id - - dimension: threat_id_namespace { - type: number - sql: ${TABLE}.threat_id_namespace ;; - group_label: "security_result" - label: "security_result.threat_id_namespace" - view_label: "UDM" - description: "The attribute threat_id_namespace qualifies threat_id with an id namespace to get an unique id. The attribute threat_id by itself is not unique across Chronicle as it is a vendor specific id." - } # dimension threat_id_namespace - - dimension: threat_id_namespace_enum_name { - type: string - suggestions: ["MACHINE_INTELLIGENCE", "NORMALIZED_TELEMETRY", "RAW_TELEMETRY", "RULE_DETECTIONS", "SECURITY_COMMAND_CENTER", "SOAR_ALERT", "UNSPECIFIED", "UPPERCASE"] - sql: CASE ${TABLE}.threat_id_namespace WHEN 0 THEN 'NORMALIZED_TELEMETRY' WHEN 1 THEN 'RAW_TELEMETRY' WHEN 2 THEN 'RULE_DETECTIONS' WHEN 3 THEN 'UPPERCASE' WHEN 4 THEN 'MACHINE_INTELLIGENCE' WHEN 5 THEN 'SECURITY_COMMAND_CENTER' WHEN 6 THEN 'UNSPECIFIED' WHEN 7 THEN 'SOAR_ALERT' END ;; - group_label: "security_result" - label: "security_result.threat_id_namespace_enum_name" - view_label: "UDM" - description: "The attribute threat_id_namespace qualifies threat_id with an id namespace to get an unique id. 
The attribute threat_id by itself is not unique across Chronicle as it is a vendor specific id." - } # dimension threat_id_namespace_enum_name - - dimension: threat_name { - type: string - sql: ${TABLE}.threat_name ;; - group_label: "security_result" - label: "security_result.threat_name" - view_label: "UDM" - description: "A vendor-assigned classification common across multiple customers (e.g. \"W32/File-A\", \"Slammer\")." - } # dimension threat_name - - dimension: threat_status { - type: number - sql: ${TABLE}.threat_status ;; - group_label: "security_result" - label: "security_result.threat_status" - view_label: "UDM" - description: "Current status of the threat" - } # dimension threat_status - - dimension: threat_status_enum_name { - type: string - suggestions: ["ACTIVE", "CLEARED", "FALSE_POSITIVE", "THREAT_STATUS_UNSPECIFIED"] - sql: CASE ${TABLE}.threat_status WHEN 0 THEN 'THREAT_STATUS_UNSPECIFIED' WHEN 1 THEN 'ACTIVE' WHEN 2 THEN 'CLEARED' WHEN 3 THEN 'FALSE_POSITIVE' END ;; - group_label: "security_result" - label: "security_result.threat_status_enum_name" - view_label: "UDM" - description: "Current status of the threat" - } # dimension threat_status_enum_name - - dimension: url_back_to_product { - type: string - sql: ${TABLE}.url_back_to_product ;; - group_label: "security_result" - label: "security_result.url_back_to_product" - view_label: "UDM" - description: "URL that takes the user to the source product console for this event." - } # dimension url_back_to_product - -} # view events__security_result - -view: events__src__artifact__network__dns__questions { - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "src" - label: "src.artifact.network.dns.questions.name" - view_label: "UDM" - description: "The domain name." 
- } # dimension name - -} # view events__src__artifact__network__dns__questions - -view: events__src__asset__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "src" - label: "src.asset.attribute.labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "src" - label: "src.asset.attribute.labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view events__src__asset__attribute__labels - -view: events__src__asset__hardware { - dimension: cpu_model { - type: string - sql: ${TABLE}.cpu_model ;; - group_label: "src" - label: "src.asset.hardware.cpu_model" - view_label: "UDM" - description: "Model description of the hardware CPU (e.g. \"2.8 GHz Quad-Core Intel Core i5\")." - } # dimension cpu_model - - dimension: cpu_platform { - type: string - sql: ${TABLE}.cpu_platform ;; - group_label: "src" - label: "src.asset.hardware.cpu_platform" - view_label: "UDM" - description: "Platform of the hardware CPU (e.g. \"Intel Broadwell\")." - } # dimension cpu_platform - - dimension: manufacturer { - type: string - sql: ${TABLE}.manufacturer ;; - group_label: "src" - label: "src.asset.hardware.manufacturer" - view_label: "UDM" - description: "Hardware manufacturer." - } # dimension manufacturer - - dimension: model { - type: string - sql: ${TABLE}.model ;; - group_label: "src" - label: "src.asset.hardware.model" - view_label: "UDM" - description: "Hardware model." - } # dimension model - - dimension: ram { - type: number - sql: ${TABLE}.ram ;; - group_label: "src" - label: "src.asset.hardware.ram" - view_label: "UDM" - description: "Amount of the hardware ramdom access memory (RAM) in Mb." - } # dimension ram - - dimension: serial_number { - type: string - sql: ${TABLE}.serial_number ;; - group_label: "src" - label: "src.asset.hardware.serial_number" - view_label: "UDM" - description: "Hardware serial number." 
- } # dimension serial_number - -} # view events__src__asset__hardware - -view: events__src__asset__ip { - dimension: events__src__asset__ip { - type: string - sql: ${TABLE} ;; - group_label: "src" - label: "src.asset.ip" - view_label: "UDM" - description: "A list of IP addresses associated with an asset." - } # dimension events__src__asset__ip -} # view events__src__asset__ip - -view: events__src__asset__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "src" - group_item_label: "src.asset.labels.key [D]" - label: "src.asset.labels.key" - view_label: "UDM" - description: "The key. [D]: This field is deprecated and will be removed in a future release" - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "src" - group_item_label: "src.asset.labels.value [D]" - label: "src.asset.labels.value" - view_label: "UDM" - description: "The value. [D]: This field is deprecated and will be removed in a future release" - } # dimension value - -} # view events__src__asset__labels - -view: events__src__asset__mac { - dimension: events__src__asset__mac { - type: string - sql: ${TABLE} ;; - group_label: "src" - label: "src.asset.mac" - view_label: "UDM" - description: "List of MAC addresses associated with an asset." - } # dimension events__src__asset__mac -} # view events__src__asset__mac - -view: events__src__asset__nat_ip { - dimension: events__src__asset__nat_ip { - type: string - sql: ${TABLE} ;; - group_label: "src" - label: "src.asset.nat_ip" - view_label: "UDM" - description: "List of NAT IP addresses associated with an asset." - } # dimension events__src__asset__nat_ip -} # view events__src__asset__nat_ip - -view: events__src__asset__software__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "src" - label: "src.asset.software.permissions.description" - view_label: "UDM" - description: "Description of the permission (e.g. 
'Ability to update detect rules')." - } # dimension description - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "src" - label: "src.asset.software.permissions.name" - view_label: "UDM" - description: "Name of the permission (e.g. chronicle.analyst.updateRule)." - } # dimension name - -} # view events__src__asset__software__permissions - -view: events__src__asset__software { - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "src" - label: "src.asset.software.name" - view_label: "UDM" - description: "The name of the software." - } # dimension name - - dimension: permissions { - hidden: yes - } # dimension permissions - - dimension: version { - type: string - sql: ${TABLE}.version ;; - group_label: "src" - label: "src.asset.software.version" - view_label: "UDM" - description: "The version of the software." - } # dimension version - -} # view events__src__asset__software - -view: events__src__asset__vulnerabilities { - dimension: cve_id { - type: string - sql: ${TABLE}.cve_id ;; - group_label: "src" - label: "src.asset.vulnerabilities.cve_id" - view_label: "UDM" - description: "Common Vulnerabilities and Exposures Id.https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures https://cve.mitre.org/about/faqs.html#what_is_cve_id" - } # dimension cve_id - - dimension: cvss_base_score { - type: number - sql: ${TABLE}.cvss_base_score ;; - group_label: "src" - label: "src.asset.vulnerabilities.cvss_base_score" - view_label: "UDM" - description: "CVSS Base Score in the range of 0.0 to 10.0. Useful for sorting." - } # dimension cvss_base_score - - dimension: cvss_vector { - type: string - sql: ${TABLE}.cvss_vector ;; - group_label: "src" - label: "src.asset.vulnerabilities.cvss_vector" - view_label: "UDM" - description: "Vector of CVSS properties (e.g. 
\"AV:L/AC:H/Au:N/C:N/I:P/A:C\") Can be linked to via: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=VALUE" - } # dimension cvss_vector - - dimension: cvss_version { - type: string - sql: ${TABLE}.cvss_version ;; - group_label: "src" - label: "src.asset.vulnerabilities.cvss_version" - view_label: "UDM" - description: "Version of CVSS Vector/Score." - } # dimension cvss_version - - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "src" - label: "src.asset.vulnerabilities.description" - view_label: "UDM" - description: "Description of the vulnerability." - } # dimension description - - dimension_group: src__asset__vulnerabilities__first_found { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.first_found.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.first_found.nanos, 0) / 1000) as INT64)) ;; - group_label: "src" - label: "src.asset.vulnerabilities.first_found" - view_label: "UDM" - description: "Products that maintain a history of vuln scans should populate first_found with the time that a scan first detected the vulnerability on this asset." - } # dimension src__asset__vulnerabilities__first_found - - dimension_group: src__asset__vulnerabilities__last_found { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.last_found.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.last_found.nanos, 0) / 1000) as INT64)) ;; - group_label: "src" - label: "src.asset.vulnerabilities.last_found" - view_label: "UDM" - description: "Products that maintain a history of vuln scans should populate last_found with the time that a scan last detected the vulnerability on this asset." 
- } # dimension src__asset__vulnerabilities__last_found - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "src" - label: "src.asset.vulnerabilities.name" - view_label: "UDM" - description: "Name of the vulnerability (e.g. \"Unsupported OS Version detected\")." - } # dimension name - - dimension_group: src__asset__vulnerabilities__scan_end_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.scan_end_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.scan_end_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "src" - label: "src.asset.vulnerabilities.scan_end_time" - view_label: "UDM" - description: "If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan ended. This field can be left unset if the end time is not available or not applicable." - } # dimension src__asset__vulnerabilities__scan_end_time - - dimension_group: src__asset__vulnerabilities__scan_start_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.scan_start_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.scan_start_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "src" - label: "src.asset.vulnerabilities.scan_start_time" - view_label: "UDM" - description: "If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan started. This field can be left unset if the start time is not available or not applicable." - } # dimension src__asset__vulnerabilities__scan_start_time - - dimension: severity { - type: number - sql: ${TABLE}.severity ;; - group_label: "src" - label: "src.asset.vulnerabilities.severity" - view_label: "UDM" - description: "The severity of the vulnerability." 
- } # dimension severity - - dimension: severity_enum_name { - type: string - suggestions: ["CRITICAL", "HIGH", "LOW", "MEDIUM", "UNKNOWN_SEVERITY"] - sql: CASE ${TABLE}.severity WHEN 0 THEN 'UNKNOWN_SEVERITY' WHEN 1 THEN 'LOW' WHEN 2 THEN 'MEDIUM' WHEN 3 THEN 'HIGH' WHEN 4 THEN 'CRITICAL' END ;; - group_label: "src" - label: "src.asset.vulnerabilities.severity_enum_name" - view_label: "UDM" - description: "The severity of the vulnerability." - } # dimension severity_enum_name - -} # view events__src__asset__vulnerabilities - -view: events__src__file__capabilities_tags { - dimension: events__src__file__capabilities_tags { - type: string - sql: ${TABLE} ;; - group_label: "src" - label: "src.file.capabilities_tags" - view_label: "UDM" - description: "Capabilities tags." - } # dimension events__src__file__capabilities_tags -} # view events__src__file__capabilities_tags - -view: events__src__file__embedded_domains { - dimension: events__src__file__embedded_domains { - type: string - sql: ${TABLE} ;; - group_label: "src" - label: "src.file.embedded_domains" - view_label: "UDM" - description: "Embedded domains found in the file." - } # dimension events__src__file__embedded_domains -} # view events__src__file__embedded_domains - -view: events__src__file__embedded_ips { - dimension: events__src__file__embedded_ips { - type: string - sql: ${TABLE} ;; - group_label: "src" - label: "src.file.embedded_ips" - view_label: "UDM" - description: "Embedded IP addresses found in the file." - } # dimension events__src__file__embedded_ips -} # view events__src__file__embedded_ips - -view: events__src__file__embedded_urls { - dimension: events__src__file__embedded_urls { - type: string - sql: ${TABLE} ;; - group_label: "src" - label: "src.file.embedded_urls" - view_label: "UDM" - description: "Embedded urls found in the file." 
- } # dimension events__src__file__embedded_urls -} # view events__src__file__embedded_urls - -view: events__src__file__names { - dimension: events__src__file__names { - type: string - sql: ${TABLE} ;; - group_label: "src" - label: "src.file.names" - view_label: "UDM" - description: "Names fields." - } # dimension events__src__file__names -} # view events__src__file__names - -view: events__src__file__signature_info__sigcheck__signers { - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "src" - label: "src.file.signature_info.sigcheck.signers.name" - view_label: "UDM" - description: "Common name of the signers/certificate. The order of the signers matters. Each element is a higher level authority, the last being the root authority." - } # dimension name - -} # view events__src__file__signature_info__sigcheck__signers - -view: events__src__file__tags { - dimension: events__src__file__tags { - type: string - sql: ${TABLE} ;; - group_label: "src" - label: "src.file.tags" - view_label: "UDM" - description: "Tags for the file." - } # dimension events__src__file__tags -} # view events__src__file__tags - -view: events__src__ip { - dimension: events__src__ip { - type: string - sql: ${TABLE} ;; - group_label: "src" - label: "src.ip" - view_label: "UDM" - description: "A list of IP addresses associated with a network connection." - } # dimension events__src__ip -} # view events__src__ip - -view: events__src__ip_geo_artifact { - dimension: ip { - type: string - sql: ${TABLE}.ip ;; - group_label: "src" - label: "src.ip_geo_artifact.ip" - view_label: "UDM" - description: "IP address of the artifact." - } # dimension ip - - dimension: location { - hidden: yes - } # dimension location - - dimension: location__country_or_region { - type: string - sql: ${TABLE}.location.country_or_region ;; - group_label: "src" - label: "src.ip_geo_artifact.location.country_or_region" - view_label: "UDM" - description: "The country or region." 
- } # dimension location__country_or_region - - dimension: location__region_coordinates { - type: location - sql_latitude: ${TABLE}.location.region_coordinates.latitude ;; - sql_longitude: ${TABLE}.location.region_coordinates.longitude ;; - group_label: "src" - group_item_label: "src.ip_geo_artifact.location.region_coordinates [L]" - label: "src.ip_geo_artifact.location.region_coordinates" - view_label: "UDM" - description: "Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. [L]: This is a location field and can be used in maps." - } # dimension location__region_coordinates - - dimension: location__region_latitude { - type: number - sql: ${TABLE}.location.region_latitude ;; - group_label: "src" - group_item_label: "src.ip_geo_artifact.location.region_latitude [D]" - label: "src.ip_geo_artifact.location.region_latitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" - } # dimension location__region_latitude - - dimension: location__region_longitude { - type: number - sql: ${TABLE}.location.region_longitude ;; - group_label: "src" - group_item_label: "src.ip_geo_artifact.location.region_longitude [D]" - label: "src.ip_geo_artifact.location.region_longitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" - } # dimension location__region_longitude - - dimension: location__location { - type: location - sql_latitude: ${TABLE}.location.region_latitude ;; - sql_longitude: ${TABLE}.location.region_longitude ;; - group_label: "src" - group_item_label: "src.ip_geo_artifact.location.location [D][L]" - label: "src.ip_geo_artifact.location.location" - view_label: "UDM" - description: "Deprecated: use region_coordinates. 
[D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." - } # dimension location__location - - dimension: location__state { - type: string - sql: ${TABLE}.location.state ;; - group_label: "src" - label: "src.ip_geo_artifact.location.state" - view_label: "UDM" - description: "The state." - } # dimension location__state - - dimension: network { - hidden: yes - } # dimension network - - dimension: network__asn { - type: string - sql: ${TABLE}.network.asn ;; - group_label: "src" - label: "src.ip_geo_artifact.network.asn" - view_label: "UDM" - description: "Autonomous system number." - } # dimension network__asn - - dimension: network__carrier_name { - type: string - sql: ${TABLE}.network.carrier_name ;; - group_label: "src" - label: "src.ip_geo_artifact.network.carrier_name" - view_label: "UDM" - description: "Carrier identification." - } # dimension network__carrier_name - - dimension: network__dns_domain { - type: string - sql: ${TABLE}.network.dns_domain ;; - group_label: "src" - label: "src.ip_geo_artifact.network.dns_domain" - view_label: "UDM" - description: "DNS domain name." - } # dimension network__dns_domain - - dimension: network__organization_name { - type: string - sql: ${TABLE}.network.organization_name ;; - group_label: "src" - label: "src.ip_geo_artifact.network.organization_name" - view_label: "UDM" - description: "Organization name (e.g Google)." - } # dimension network__organization_name - -} # view events__src__ip_geo_artifact - -view: events__src__ip_location { - dimension: country_or_region { - type: string - sql: ${TABLE}.country_or_region ;; - group_label: "src" - group_item_label: "src.ip_location.country_or_region [D]" - label: "src.ip_location.country_or_region" - view_label: "UDM" - description: "The country or region. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension country_or_region - - dimension: region_coordinates { - type: location - sql_latitude: ${TABLE}.region_coordinates.latitude ;; - sql_longitude: ${TABLE}.region_coordinates.longitude ;; - group_label: "src" - group_item_label: "src.ip_location.region_coordinates [D][L]" - label: "src.ip_location.region_coordinates" - view_label: "UDM" - description: "Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." - } # dimension region_coordinates - - dimension: region_latitude { - type: number - sql: ${TABLE}.region_latitude ;; - group_label: "src" - group_item_label: "src.ip_location.region_latitude [D]" - label: "src.ip_location.region_latitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" - } # dimension region_latitude - - dimension: region_longitude { - type: number - sql: ${TABLE}.region_longitude ;; - group_label: "src" - group_item_label: "src.ip_location.region_longitude [D]" - label: "src.ip_location.region_longitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" - } # dimension region_longitude - - dimension: location { - type: location - sql_latitude: ${TABLE}.region_latitude ;; - sql_longitude: ${TABLE}.region_longitude ;; - group_label: "src" - group_item_label: "src.ip_location.location [D][L]" - label: "src.ip_location.location" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." 
- } # dimension location - - dimension: state { - type: string - sql: ${TABLE}.state ;; - group_label: "src" - group_item_label: "src.ip_location.state [D]" - label: "src.ip_location.state" - view_label: "UDM" - description: "The state. [D]: This field is deprecated and will be removed in a future release" - } # dimension state - -} # view events__src__ip_location - -view: events__src__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "src" - group_item_label: "src.labels.key [D]" - label: "src.labels.key" - view_label: "UDM" - description: "The key. [D]: This field is deprecated and will be removed in a future release" - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "src" - group_item_label: "src.labels.value [D]" - label: "src.labels.value" - view_label: "UDM" - description: "The value. [D]: This field is deprecated and will be removed in a future release" - } # dimension value - -} # view events__src__labels - -view: events__src__mac { - dimension: events__src__mac { - type: string - sql: ${TABLE} ;; - group_label: "src" - label: "src.mac" - view_label: "UDM" - description: "List of MAC addresses associated with a device." - } # dimension events__src__mac -} # view events__src__mac - -view: events__src__nat_ip { - dimension: events__src__nat_ip { - type: string - sql: ${TABLE} ;; - group_label: "src" - label: "src.nat_ip" - view_label: "UDM" - description: "A list of NAT translated IP addresses associated with a network connection." - } # dimension events__src__nat_ip -} # view events__src__nat_ip - -view: events__src__process__file__names { - dimension: events__src__process__file__names { - type: string - sql: ${TABLE} ;; - group_label: "src" - label: "src.process.file.names" - view_label: "UDM" - description: "Names fields." 
- } # dimension events__src__process__file__names -} # view events__src__process__file__names - -view: events__src__process_ancestors { - dimension: file { - hidden: yes - } # dimension file - - dimension: file__full_path { - type: string - sql: ${TABLE}.file.full_path ;; - group_label: "src" - label: "src.process_ancestors.file.full_path" - view_label: "UDM" - description: "The full path identifying the location of the file on the system." - } # dimension file__full_path - -} # view events__src__process_ancestors - -view: events__src__resource__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "src" - label: "src.resource.attribute.labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: source { - type: string - sql: ${TABLE}.source ;; - group_label: "src" - label: "src.resource.attribute.labels.source" - view_label: "UDM" - description: "@hide_from_doc" - } # dimension source - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "src" - label: "src.resource.attribute.labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view events__src__resource__attribute__labels - -view: events__src__resource__attribute__permissions { - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "src" - label: "src.resource.attribute.permissions.name" - view_label: "UDM" - description: "Name of the permission (e.g. chronicle.analyst.updateRule)." - } # dimension name - -} # view events__src__resource__attribute__permissions - -view: events__src__resource_ancestors__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "src" - label: "src.resource_ancestors.attribute.labels.key" - view_label: "UDM" - description: "The key." 
- } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "src" - label: "src.resource_ancestors.attribute.labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view events__src__resource_ancestors__attribute__labels - -view: events__src__resource_ancestors { - dimension: attribute { - hidden: yes - } # dimension attribute - - dimension: attribute__labels { - hidden: yes - } # dimension attribute__labels - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "src" - label: "src.resource_ancestors.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." - } # dimension name - - dimension: product_object_id { - type: string - sql: ${TABLE}.product_object_id ;; - group_label: "src" - label: "src.resource_ancestors.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" - } # dimension product_object_id - - dimension: resource_type { - type: number - sql: ${TABLE}.resource_type ;; - group_label: "src" - label: "src.resource_ancestors.resource_type" - view_label: "UDM" - description: "Resource type." 
- } # dimension resource_type - - dimension: resource_type_enum_name { - type: string - suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] - sql: CASE ${TABLE}.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; - group_label: "src" - label: "src.resource_ancestors.resource_type_enum_name" - view_label: "UDM" - description: "Resource type." - } # dimension resource_type_enum_name - -} # view events__src__resource_ancestors - -view: events__src__user__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "src" - label: "src.user.attribute.labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "src" - label: "src.user.attribute.labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view events__src__user__attribute__labels - -view: events__src__user__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "src" - label: "src.user.attribute.roles.description" - view_label: "UDM" - description: "System role description for user." 
- } # dimension description - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "src" - label: "src.user.attribute.roles.name" - view_label: "UDM" - description: "System role name for user." - } # dimension name - - dimension: type { - type: number - sql: ${TABLE}.type ;; - group_label: "src" - label: "src.user.attribute.roles.type" - view_label: "UDM" - description: "System role type for well known roles." - } # dimension type - - dimension: type_enum_name { - type: string - suggestions: ["ADMINISTRATOR", "SERVICE_ACCOUNT", "TYPE_UNSPECIFIED"] - sql: CASE ${TABLE}.type WHEN 0 THEN 'TYPE_UNSPECIFIED' WHEN 1 THEN 'ADMINISTRATOR' WHEN 2 THEN 'SERVICE_ACCOUNT' END ;; - group_label: "src" - label: "src.user.attribute.roles.type_enum_name" - view_label: "UDM" - description: "System role type for well known roles." - } # dimension type_enum_name - -} # view events__src__user__attribute__roles - -view: events__src__user__department { - dimension: events__src__user__department { - type: string - sql: ${TABLE} ;; - group_label: "src" - label: "src.user.department" - view_label: "UDM" - description: "User job department" - } # dimension events__src__user__department -} # view events__src__user__department - -view: events__src__user__email_addresses { - dimension: events__src__user__email_addresses { - type: string - sql: ${TABLE} ;; - group_label: "src" - label: "src.user.email_addresses" - view_label: "UDM" - description: "Email addresses of the user." - } # dimension events__src__user__email_addresses -} # view events__src__user__email_addresses - -view: events__src__user__group_identifiers { - dimension: events__src__user__group_identifiers { - type: string - sql: ${TABLE} ;; - group_label: "src" - label: "src.user.group_identifiers" - view_label: "UDM" - description: "Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar)." 
- } # dimension events__src__user__group_identifiers -} # view events__src__user__group_identifiers - -view: events__src__user__managers__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "src" - label: "src.user.managers.attribute.labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "src" - label: "src.user.managers.attribute.labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view events__src__user__managers__attribute__labels - -view: events__src__user__managers__attribute__roles { - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "src" - label: "src.user.managers.attribute.roles.name" - view_label: "UDM" - description: "System role name for user." - } # dimension name - - dimension: type { - type: number - sql: ${TABLE}.type ;; - group_label: "src" - label: "src.user.managers.attribute.roles.type" - view_label: "UDM" - description: "System role type for well known roles." - } # dimension type - - dimension: type_enum_name { - type: string - suggestions: ["ADMINISTRATOR", "SERVICE_ACCOUNT", "TYPE_UNSPECIFIED"] - sql: CASE ${TABLE}.type WHEN 0 THEN 'TYPE_UNSPECIFIED' WHEN 1 THEN 'ADMINISTRATOR' WHEN 2 THEN 'SERVICE_ACCOUNT' END ;; - group_label: "src" - label: "src.user.managers.attribute.roles.type_enum_name" - view_label: "UDM" - description: "System role type for well known roles." 
- } # dimension type_enum_name - -} # view events__src__user__managers__attribute__roles - -view: events__src__user__managers__department { - dimension: events__src__user__managers__department { - type: string - sql: ${TABLE} ;; - group_label: "src" - label: "src.user.managers.department" - view_label: "UDM" - description: "User job department" - } # dimension events__src__user__managers__department -} # view events__src__user__managers__department - -view: events__src__user__managers__email_addresses { - dimension: events__src__user__managers__email_addresses { - type: string - sql: ${TABLE} ;; - group_label: "src" - label: "src.user.managers.email_addresses" - view_label: "UDM" - description: "Email addresses of the user." - } # dimension events__src__user__managers__email_addresses -} # view events__src__user__managers__email_addresses - -view: events__src__user__managers__group_identifiers { - dimension: events__src__user__managers__group_identifiers { - type: string - sql: ${TABLE} ;; - group_label: "src" - label: "src.user.managers.group_identifiers" - view_label: "UDM" - description: "Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar)." - } # dimension events__src__user__managers__group_identifiers -} # view events__src__user__managers__group_identifiers - -view: events__src__user__managers__phone_numbers { - dimension: events__src__user__managers__phone_numbers { - type: string - sql: ${TABLE} ;; - group_label: "src" - label: "src.user.managers.phone_numbers" - view_label: "UDM" - description: "Phone numbers for the user." 
- } # dimension events__src__user__managers__phone_numbers -} # view events__src__user__managers__phone_numbers - -view: events__src__user__managers { - dimension: attribute { - hidden: yes - } # dimension attribute - - dimension: attribute__labels { - hidden: yes - } # dimension attribute__labels - - dimension: attribute__roles { - hidden: yes - } # dimension attribute__roles - - dimension: company_name { - type: string - sql: ${TABLE}.company_name ;; - group_label: "src" - label: "src.user.managers.company_name" - view_label: "UDM" - description: "User job company name." - } # dimension company_name - - dimension: department { - hidden: yes - } # dimension department - - dimension: email_addresses { - hidden: yes - } # dimension email_addresses - - dimension: employee_id { - type: string - sql: ${TABLE}.employee_id ;; - group_label: "src" - label: "src.user.managers.employee_id" - view_label: "UDM" - description: "Human capital management identifier." - } # dimension employee_id - - dimension: first_name { - type: string - sql: ${TABLE}.first_name ;; - group_label: "src" - label: "src.user.managers.first_name" - view_label: "UDM" - description: "First name of the user (e.g. \"John\")." - } # dimension first_name - - dimension: group_identifiers { - hidden: yes - } # dimension group_identifiers - - dimension: last_name { - type: string - sql: ${TABLE}.last_name ;; - group_label: "src" - label: "src.user.managers.last_name" - view_label: "UDM" - description: "Last name of the user (e.g. \"Locke\")." - } # dimension last_name - - dimension: personal_address { - hidden: yes - } # dimension personal_address - - dimension: personal_address__city { - type: string - sql: ${TABLE}.personal_address.city ;; - group_label: "src" - label: "src.user.managers.personal_address.city" - view_label: "UDM" - description: "The city." 
- } # dimension personal_address__city - - dimension: personal_address__country_or_region { - type: string - sql: ${TABLE}.personal_address.country_or_region ;; - group_label: "src" - label: "src.user.managers.personal_address.country_or_region" - view_label: "UDM" - description: "The country or region." - } # dimension personal_address__country_or_region - - dimension: personal_address__name { - type: string - sql: ${TABLE}.personal_address.name ;; - group_label: "src" - label: "src.user.managers.personal_address.name" - view_label: "UDM" - description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." - } # dimension personal_address__name - - dimension: personal_address__state { - type: string - sql: ${TABLE}.personal_address.state ;; - group_label: "src" - label: "src.user.managers.personal_address.state" - view_label: "UDM" - description: "The state." - } # dimension personal_address__state - - dimension: phone_numbers { - hidden: yes - } # dimension phone_numbers - - dimension: product_object_id { - type: string - sql: ${TABLE}.product_object_id ;; - group_label: "src" - label: "src.user.managers.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." - } # dimension product_object_id - - dimension: title { - type: string - sql: ${TABLE}.title ;; - group_label: "src" - label: "src.user.managers.title" - view_label: "UDM" - description: "User job title." - } # dimension title - - dimension: user_display_name { - type: string - sql: ${TABLE}.user_display_name ;; - group_label: "src" - label: "src.user.managers.user_display_name" - view_label: "UDM" - description: "The display name of the user (e.g. \"John Locke\")." 
- } # dimension user_display_name - - dimension: userid { - type: string - sql: ${TABLE}.userid ;; - group_label: "src" - label: "src.user.managers.userid" - view_label: "UDM" - description: "The ID of the user." - } # dimension userid - - dimension: windows_sid { - type: string - sql: ${TABLE}.windows_sid ;; - group_label: "src" - label: "src.user.managers.windows_sid" - view_label: "UDM" - description: "The Microsoft Windows SID of the user." - } # dimension windows_sid - -} # view events__src__user__managers - -view: events__src__user__phone_numbers { - dimension: events__src__user__phone_numbers { - type: string - sql: ${TABLE} ;; - group_label: "src" - label: "src.user.phone_numbers" - view_label: "UDM" - description: "Phone numbers for the user." - } # dimension events__src__user__phone_numbers -} # view events__src__user__phone_numbers - -view: events__src__user__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "src" - label: "src.user.time_off.description" - view_label: "UDM" - description: "Description of the leave if available (e.g. 'Vacation')." - } # dimension description - - dimension_group: src__user__time_off__interval { - type: duration - intervals: [ second, minute, hour ] - sql_start: TIMESTAMP_MICROS(IFNULL(${TABLE}.interval.start_time.seconds,0) * 1000000 + CAST((IFNULL(${TABLE}.interval.start_time.nanos,0) / 1000) as INT64)) ;; - sql_end: TIMESTAMP_MICROS(IFNULL(${TABLE}.interval.end_time.seconds,0) * 1000000 + CAST((IFNULL(${TABLE}.interval.end_time.nanos,0) / 1000) as INT64)) ;; - group_label: "src" - label: "src.user.time_off.interval" - view_label: "UDM" - description: "Interval duration of the leave." 
- } # dimension src__user__time_off__interval - -} # view events__src__user__time_off - -view: events__target__artifact__network__email__subject { - dimension: events__target__artifact__network__email__subject { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.artifact.network.email.subject" - view_label: "UDM" - description: "The subject line(s) of the email." - } # dimension events__target__artifact__network__email__subject -} # view events__target__artifact__network__email__subject - -view: events__target__asset__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "target" - label: "target.asset.attribute.labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "target" - label: "target.asset.attribute.labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view events__target__asset__attribute__labels - -view: events__target__asset__attribute__permissions { - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "target" - label: "target.asset.attribute.permissions.name" - view_label: "UDM" - description: "Name of the permission (e.g. chronicle.analyst.updateRule)." - } # dimension name - -} # view events__target__asset__attribute__permissions - -view: events__target__asset__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "target" - label: "target.asset.attribute.roles.description" - view_label: "UDM" - description: "System role description for user." - } # dimension description - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "target" - label: "target.asset.attribute.roles.name" - view_label: "UDM" - description: "System role name for user." 
- } # dimension name - -} # view events__target__asset__attribute__roles - -view: events__target__asset__hardware { - dimension: cpu_model { - type: string - sql: ${TABLE}.cpu_model ;; - group_label: "target" - label: "target.asset.hardware.cpu_model" - view_label: "UDM" - description: "Model description of the hardware CPU (e.g. \"2.8 GHz Quad-Core Intel Core i5\")." - } # dimension cpu_model - - dimension: cpu_number_cores { - type: number - sql: ${TABLE}.cpu_number_cores ;; - group_label: "target" - label: "target.asset.hardware.cpu_number_cores" - view_label: "UDM" - description: "Number of CPU cores." - } # dimension cpu_number_cores - - dimension: cpu_platform { - type: string - sql: ${TABLE}.cpu_platform ;; - group_label: "target" - label: "target.asset.hardware.cpu_platform" - view_label: "UDM" - description: "Platform of the hardware CPU (e.g. \"Intel Broadwell\")." - } # dimension cpu_platform - - dimension: manufacturer { - type: string - sql: ${TABLE}.manufacturer ;; - group_label: "target" - label: "target.asset.hardware.manufacturer" - view_label: "UDM" - description: "Hardware manufacturer." - } # dimension manufacturer - - dimension: model { - type: string - sql: ${TABLE}.model ;; - group_label: "target" - label: "target.asset.hardware.model" - view_label: "UDM" - description: "Hardware model." - } # dimension model - - dimension: ram { - type: number - sql: ${TABLE}.ram ;; - group_label: "target" - label: "target.asset.hardware.ram" - view_label: "UDM" - description: "Amount of the hardware ramdom access memory (RAM) in Mb." - } # dimension ram - - dimension: serial_number { - type: string - sql: ${TABLE}.serial_number ;; - group_label: "target" - label: "target.asset.hardware.serial_number" - view_label: "UDM" - description: "Hardware serial number." 
- } # dimension serial_number - -} # view events__target__asset__hardware - -view: events__target__asset__ip { - dimension: events__target__asset__ip { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.asset.ip" - view_label: "UDM" - description: "A list of IP addresses associated with an asset." - } # dimension events__target__asset__ip -} # view events__target__asset__ip - -view: events__target__asset__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "target" - group_item_label: "target.asset.labels.key [D]" - label: "target.asset.labels.key" - view_label: "UDM" - description: "The key. [D]: This field is deprecated and will be removed in a future release" - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "target" - group_item_label: "target.asset.labels.value [D]" - label: "target.asset.labels.value" - view_label: "UDM" - description: "The value. [D]: This field is deprecated and will be removed in a future release" - } # dimension value - -} # view events__target__asset__labels - -view: events__target__asset__mac { - dimension: events__target__asset__mac { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.asset.mac" - view_label: "UDM" - description: "List of MAC addresses associated with an asset." - } # dimension events__target__asset__mac -} # view events__target__asset__mac - -view: events__target__asset__nat_ip { - dimension: events__target__asset__nat_ip { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.asset.nat_ip" - view_label: "UDM" - description: "List of NAT IP addresses associated with an asset." 
- } # dimension events__target__asset__nat_ip -} # view events__target__asset__nat_ip - -view: events__target__asset__software__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "target" - label: "target.asset.software.permissions.description" - view_label: "UDM" - description: "Description of the permission (e.g. 'Ability to update detect rules')." - } # dimension description - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "target" - label: "target.asset.software.permissions.name" - view_label: "UDM" - description: "Name of the permission (e.g. chronicle.analyst.updateRule)." - } # dimension name - -} # view events__target__asset__software__permissions - -view: events__target__asset__software { - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "target" - label: "target.asset.software.name" - view_label: "UDM" - description: "The name of the software." - } # dimension name - - dimension: permissions { - hidden: yes - } # dimension permissions - - dimension: version { - type: string - sql: ${TABLE}.version ;; - group_label: "target" - label: "target.asset.software.version" - view_label: "UDM" - description: "The version of the software." - } # dimension version - -} # view events__target__asset__software - -view: events__target__asset__vulnerabilities { - dimension: cve_id { - type: string - sql: ${TABLE}.cve_id ;; - group_label: "target" - label: "target.asset.vulnerabilities.cve_id" - view_label: "UDM" - description: "Common Vulnerabilities and Exposures Id.https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures https://cve.mitre.org/about/faqs.html#what_is_cve_id" - } # dimension cve_id - - dimension: cvss_base_score { - type: number - sql: ${TABLE}.cvss_base_score ;; - group_label: "target" - label: "target.asset.vulnerabilities.cvss_base_score" - view_label: "UDM" - description: "CVSS Base Score in the range of 0.0 to 10.0. Useful for sorting." 
- } # dimension cvss_base_score - - dimension: cvss_vector { - type: string - sql: ${TABLE}.cvss_vector ;; - group_label: "target" - label: "target.asset.vulnerabilities.cvss_vector" - view_label: "UDM" - description: "Vector of CVSS properties (e.g. \"AV:L/AC:H/Au:N/C:N/I:P/A:C\") Can be linked to via: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=VALUE" - } # dimension cvss_vector - - dimension: cvss_version { - type: string - sql: ${TABLE}.cvss_version ;; - group_label: "target" - label: "target.asset.vulnerabilities.cvss_version" - view_label: "UDM" - description: "Version of CVSS Vector/Score." - } # dimension cvss_version - - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "target" - label: "target.asset.vulnerabilities.description" - view_label: "UDM" - description: "Description of the vulnerability." - } # dimension description - - dimension_group: target__asset__vulnerabilities__first_found { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.first_found.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.first_found.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.asset.vulnerabilities.first_found" - view_label: "UDM" - description: "Products that maintain a history of vuln scans should populate first_found with the time that a scan first detected the vulnerability on this asset." 
- } # dimension target__asset__vulnerabilities__first_found - - dimension_group: target__asset__vulnerabilities__last_found { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.last_found.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.last_found.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.asset.vulnerabilities.last_found" - view_label: "UDM" - description: "Products that maintain a history of vuln scans should populate last_found with the time that a scan last detected the vulnerability on this asset." - } # dimension target__asset__vulnerabilities__last_found - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "target" - label: "target.asset.vulnerabilities.name" - view_label: "UDM" - description: "Name of the vulnerability (e.g. \"Unsupported OS Version detected\")." - } # dimension name - - dimension_group: target__asset__vulnerabilities__scan_end_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.scan_end_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.scan_end_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.asset.vulnerabilities.scan_end_time" - view_label: "UDM" - description: "If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan ended. This field can be left unset if the end time is not available or not applicable." 
- } # dimension target__asset__vulnerabilities__scan_end_time - - dimension_group: target__asset__vulnerabilities__scan_start_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.scan_start_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.scan_start_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.asset.vulnerabilities.scan_start_time" - view_label: "UDM" - description: "If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan started. This field can be left unset if the start time is not available or not applicable." - } # dimension target__asset__vulnerabilities__scan_start_time - - dimension: severity { - type: number - sql: ${TABLE}.severity ;; - group_label: "target" - label: "target.asset.vulnerabilities.severity" - view_label: "UDM" - description: "The severity of the vulnerability." - } # dimension severity - - dimension: severity_enum_name { - type: string - suggestions: ["CRITICAL", "HIGH", "LOW", "MEDIUM", "UNKNOWN_SEVERITY"] - sql: CASE ${TABLE}.severity WHEN 0 THEN 'UNKNOWN_SEVERITY' WHEN 1 THEN 'LOW' WHEN 2 THEN 'MEDIUM' WHEN 3 THEN 'HIGH' WHEN 4 THEN 'CRITICAL' END ;; - group_label: "target" - label: "target.asset.vulnerabilities.severity_enum_name" - view_label: "UDM" - description: "The severity of the vulnerability." - } # dimension severity_enum_name - -} # view events__target__asset__vulnerabilities - -view: events__target__cloud__project__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "target" - group_item_label: "target.cloud.project.attribute.labels.key [D]" - label: "target.cloud.project.attribute.labels.key" - view_label: "UDM" - description: "The key. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "target" - group_item_label: "target.cloud.project.attribute.labels.value [D]" - label: "target.cloud.project.attribute.labels.value" - view_label: "UDM" - description: "The value. [D]: This field is deprecated and will be removed in a future release" - } # dimension value - -} # view events__target__cloud__project__attribute__labels - -view: events__target__domain__name_server { - dimension: events__target__domain__name_server { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.domain.name_server" - view_label: "UDM" - description: "Repeated list of name servers." - } # dimension events__target__domain__name_server -} # view events__target__domain__name_server - -view: events__target__file__capabilities_tags { - dimension: events__target__file__capabilities_tags { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.file.capabilities_tags" - view_label: "UDM" - description: "Capabilities tags." - } # dimension events__target__file__capabilities_tags -} # view events__target__file__capabilities_tags - -view: events__target__file__embedded_domains { - dimension: events__target__file__embedded_domains { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.file.embedded_domains" - view_label: "UDM" - description: "Embedded domains found in the file." - } # dimension events__target__file__embedded_domains -} # view events__target__file__embedded_domains - -view: events__target__file__embedded_ips { - dimension: events__target__file__embedded_ips { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.file.embedded_ips" - view_label: "UDM" - description: "Embedded IP addresses found in the file." 
- } # dimension events__target__file__embedded_ips -} # view events__target__file__embedded_ips - -view: events__target__file__embedded_urls { - dimension: events__target__file__embedded_urls { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.file.embedded_urls" - view_label: "UDM" - description: "Embedded urls found in the file." - } # dimension events__target__file__embedded_urls -} # view events__target__file__embedded_urls - -view: events__target__file__names { - dimension: events__target__file__names { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.file.names" - view_label: "UDM" - description: "Names fields." - } # dimension events__target__file__names -} # view events__target__file__names - -view: events__target__file__pe_file__imports__functions { - dimension: events__target__file__pe_file__imports__functions { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.file.pe_file.imports.functions" - view_label: "UDM" - description: "Function field." - } # dimension events__target__file__pe_file__imports__functions -} # view events__target__file__pe_file__imports__functions - -view: events__target__file__pe_file__imports { - dimension: functions { - hidden: yes - } # dimension functions - - dimension: library { - type: string - sql: ${TABLE}.library ;; - group_label: "target" - label: "target.file.pe_file.imports.library" - view_label: "UDM" - description: "Library field." - } # dimension library - -} # view events__target__file__pe_file__imports - -view: events__target__file__pe_file__resource { - dimension: entropy { - type: number - sql: ${TABLE}.entropy ;; - group_label: "target" - label: "target.file.pe_file.resource.entropy" - view_label: "UDM" - description: "Entropy of the resource." 
- } # dimension entropy - - dimension: file_type { - type: string - sql: ${TABLE}.file_type ;; - group_label: "target" - label: "target.file.pe_file.resource.file_type" - view_label: "UDM" - description: "File type. Note that this value may not match any of the well-known type identifiers defined in the ResourceType enum." - } # dimension file_type - - dimension: filetype_magic { - type: string - sql: ${TABLE}.filetype_magic ;; - group_label: "target" - label: "target.file.pe_file.resource.filetype_magic" - view_label: "UDM" - description: "Type of resource content, as identified by the magic Python module. BEGIN GOOGLE-INTERNAL See http://cs/virustotal/virustotal-core-analysis/sav/common/tools/toolpefile/magic.py END GOOGLE-INTERNAL" - } # dimension filetype_magic - - dimension: language_code { - type: string - sql: ${TABLE}.language_code ;; - group_label: "target" - label: "target.file.pe_file.resource.language_code" - view_label: "UDM" - description: "Human-readable version of the language and sublanguage identifiers, as defined in the Microsoft Windows PE specification. BEGIN GOOGLE-INTERNAL See http://cs/virustotal/virustotal-core-analysis/sav/common/tools/toolpefile/toolpefile.py?l=419&rcl=df1fcff7c5e82a39875359608b47669d5aff82c7 END GOOGLE-INTERNAL Examples: | Language | Sublanguage | Field value | | LANG_NEUTRAL | SUBLANG_NEUTRAL | NEUTRAL | | LANG_FRENCH | - | FRENCH | | LANG_ENGLISH | SUBLANG_ENGLISH US | ENGLISH US |" - } # dimension language_code - - dimension: sha256_hex { - type: string - sql: ${TABLE}.sha256_hex ;; - group_label: "target" - label: "target.file.pe_file.resource.sha256_hex" - view_label: "UDM" - description: "SHA256_hex field.." 
- } # dimension sha256_hex - -} # view events__target__file__pe_file__resource - -view: events__target__file__pe_file__resources_language_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "target" - label: "target.file.pe_file.resources_language_count_str.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "target" - label: "target.file.pe_file.resources_language_count_str.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view events__target__file__pe_file__resources_language_count_str - -view: events__target__file__pe_file__resources_type_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "target" - label: "target.file.pe_file.resources_type_count_str.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "target" - label: "target.file.pe_file.resources_type_count_str.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view events__target__file__pe_file__resources_type_count_str - -view: events__target__file__pe_file__section { - dimension: entropy { - type: number - sql: ${TABLE}.entropy ;; - group_label: "target" - label: "target.file.pe_file.section.entropy" - view_label: "UDM" - description: "Entropy of the section." - } # dimension entropy - - dimension: md5_hex { - type: string - sql: ${TABLE}.md5_hex ;; - group_label: "target" - label: "target.file.pe_file.section.md5_hex" - view_label: "UDM" - description: "MD5 hex of the file." - } # dimension md5_hex - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "target" - label: "target.file.pe_file.section.name" - view_label: "UDM" - description: "Name of the section." 
- } # dimension name - - dimension: raw_size_bytes { - type: number - sql: ${TABLE}.raw_size_bytes ;; - group_label: "target" - label: "target.file.pe_file.section.raw_size_bytes" - view_label: "UDM" - description: "Raw file size in bytes." - } # dimension raw_size_bytes - - dimension: virtual_size_bytes { - type: number - sql: ${TABLE}.virtual_size_bytes ;; - group_label: "target" - label: "target.file.pe_file.section.virtual_size_bytes" - view_label: "UDM" - description: "Virtual file size in bytes." - } # dimension virtual_size_bytes - -} # view events__target__file__pe_file__section - -view: events__target__file__signature_info__sigcheck__signers { - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "target" - label: "target.file.signature_info.sigcheck.signers.name" - view_label: "UDM" - description: "Common name of the signers/certificate. The order of the signers matters. Each element is a higher level authority, the last being the root authority." - } # dimension name - -} # view events__target__file__signature_info__sigcheck__signers - -view: events__target__file__signature_info__sigcheck__x509 { - dimension: algorithm { - type: string - sql: ${TABLE}.algorithm ;; - group_label: "target" - label: "target.file.signature_info.sigcheck.x509.algorithm" - view_label: "UDM" - description: "Certificate algorithm." - } # dimension algorithm - - dimension: cert_issuer { - type: string - sql: ${TABLE}.cert_issuer ;; - group_label: "target" - label: "target.file.signature_info.sigcheck.x509.cert_issuer" - view_label: "UDM" - description: "Issuer of the certificate." - } # dimension cert_issuer - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "target" - label: "target.file.signature_info.sigcheck.x509.name" - view_label: "UDM" - description: "Certificate name." 
- } # dimension name - - dimension: serial_number { - type: string - sql: ${TABLE}.serial_number ;; - group_label: "target" - label: "target.file.signature_info.sigcheck.x509.serial_number" - view_label: "UDM" - description: "Certificate serial number." - } # dimension serial_number - - dimension: thumbprint { - type: string - sql: ${TABLE}.thumbprint ;; - group_label: "target" - label: "target.file.signature_info.sigcheck.x509.thumbprint" - view_label: "UDM" - description: "Certificate thumbprint." - } # dimension thumbprint - -} # view events__target__file__signature_info__sigcheck__x509 - -view: events__target__file__tags { - dimension: events__target__file__tags { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.file.tags" - view_label: "UDM" - description: "Tags for the file." - } # dimension events__target__file__tags -} # view events__target__file__tags - -view: events__target__group__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "target" - label: "target.group.attribute.labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "target" - label: "target.group.attribute.labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view events__target__group__attribute__labels - -view: events__target__group__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "target" - label: "target.group.attribute.permissions.description" - view_label: "UDM" - description: "Description of the permission (e.g. 'Ability to update detect rules')." - } # dimension description - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "target" - label: "target.group.attribute.permissions.name" - view_label: "UDM" - description: "Name of the permission (e.g. chronicle.analyst.updateRule)." 
- } # dimension name - -} # view events__target__group__attribute__permissions - -view: events__target__group__attribute__roles { - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "target" - label: "target.group.attribute.roles.name" - view_label: "UDM" - description: "System role name for user." - } # dimension name - -} # view events__target__group__attribute__roles - -view: events__target__group__email_addresses { - dimension: events__target__group__email_addresses { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.group.email_addresses" - view_label: "UDM" - description: "Email addresses of the group." - } # dimension events__target__group__email_addresses -} # view events__target__group__email_addresses - -view: events__target__investigation__comments { - dimension: events__target__investigation__comments { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.investigation.comments" - view_label: "UDM" - description: "Comment added by the Analyst." - } # dimension events__target__investigation__comments -} # view events__target__investigation__comments - -view: events__target__ip { - dimension: events__target__ip { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.ip" - view_label: "UDM" - description: "A list of IP addresses associated with a network connection." - } # dimension events__target__ip -} # view events__target__ip - -view: events__target__ip_geo_artifact { - dimension: ip { - type: string - sql: ${TABLE}.ip ;; - group_label: "target" - label: "target.ip_geo_artifact.ip" - view_label: "UDM" - description: "IP address of the artifact." 
- } # dimension ip - - dimension: location { - hidden: yes - } # dimension location - - dimension: location__country_or_region { - type: string - sql: ${TABLE}.location.country_or_region ;; - group_label: "target" - label: "target.ip_geo_artifact.location.country_or_region" - view_label: "UDM" - description: "The country or region." - } # dimension location__country_or_region - - dimension: location__region_coordinates { - type: location - sql_latitude: ${TABLE}.location.region_coordinates.latitude ;; - sql_longitude: ${TABLE}.location.region_coordinates.longitude ;; - group_label: "target" - group_item_label: "target.ip_geo_artifact.location.region_coordinates [L]" - label: "target.ip_geo_artifact.location.region_coordinates" - view_label: "UDM" - description: "Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. [L]: This is a location field and can be used in maps." - } # dimension location__region_coordinates - - dimension: location__region_latitude { - type: number - sql: ${TABLE}.location.region_latitude ;; - group_label: "target" - group_item_label: "target.ip_geo_artifact.location.region_latitude [D]" - label: "target.ip_geo_artifact.location.region_latitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" - } # dimension location__region_latitude - - dimension: location__region_longitude { - type: number - sql: ${TABLE}.location.region_longitude ;; - group_label: "target" - group_item_label: "target.ip_geo_artifact.location.region_longitude [D]" - label: "target.ip_geo_artifact.location.region_longitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension location__region_longitude - - dimension: location__location { - type: location - sql_latitude: ${TABLE}.location.region_latitude ;; - sql_longitude: ${TABLE}.location.region_longitude ;; - group_label: "target" - group_item_label: "target.ip_geo_artifact.location.location [D][L]" - label: "target.ip_geo_artifact.location.location" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." - } # dimension location__location - - dimension: location__state { - type: string - sql: ${TABLE}.location.state ;; - group_label: "target" - label: "target.ip_geo_artifact.location.state" - view_label: "UDM" - description: "The state." - } # dimension location__state - - dimension: network { - hidden: yes - } # dimension network - - dimension: network__asn { - type: string - sql: ${TABLE}.network.asn ;; - group_label: "target" - label: "target.ip_geo_artifact.network.asn" - view_label: "UDM" - description: "Autonomous system number." - } # dimension network__asn - - dimension: network__carrier_name { - type: string - sql: ${TABLE}.network.carrier_name ;; - group_label: "target" - label: "target.ip_geo_artifact.network.carrier_name" - view_label: "UDM" - description: "Carrier identification." - } # dimension network__carrier_name - - dimension: network__dns_domain { - type: string - sql: ${TABLE}.network.dns_domain ;; - group_label: "target" - label: "target.ip_geo_artifact.network.dns_domain" - view_label: "UDM" - description: "DNS domain name." - } # dimension network__dns_domain - - dimension: network__organization_name { - type: string - sql: ${TABLE}.network.organization_name ;; - group_label: "target" - label: "target.ip_geo_artifact.network.organization_name" - view_label: "UDM" - description: "Organization name (e.g Google)." 
- } # dimension network__organization_name - -} # view events__target__ip_geo_artifact - -view: events__target__ip_location { - dimension: city { - type: string - sql: ${TABLE}.city ;; - group_label: "target" - group_item_label: "target.ip_location.city [D]" - label: "target.ip_location.city" - view_label: "UDM" - description: "The city. [D]: This field is deprecated and will be removed in a future release" - } # dimension city - - dimension: country_or_region { - type: string - sql: ${TABLE}.country_or_region ;; - group_label: "target" - group_item_label: "target.ip_location.country_or_region [D]" - label: "target.ip_location.country_or_region" - view_label: "UDM" - description: "The country or region. [D]: This field is deprecated and will be removed in a future release" - } # dimension country_or_region - - dimension: desk_name { - type: string - sql: ${TABLE}.desk_name ;; - group_label: "target" - group_item_label: "target.ip_location.desk_name [D]" - label: "target.ip_location.desk_name" - view_label: "UDM" - description: "Desk name or individual location, typically for an employee in an office. (e.g. \"IN-BLR-BCPC-11-1121D\"). [D]: This field is deprecated and will be removed in a future release" - } # dimension desk_name - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "target" - group_item_label: "target.ip_location.name [D]" - label: "target.ip_location.name" - view_label: "UDM" - description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\"). 
[D]: This field is deprecated and will be removed in a future release" - } # dimension name - - dimension: region_coordinates { - type: location - sql_latitude: ${TABLE}.region_coordinates.latitude ;; - sql_longitude: ${TABLE}.region_coordinates.longitude ;; - group_label: "target" - group_item_label: "target.ip_location.region_coordinates [D][L]" - label: "target.ip_location.region_coordinates" - view_label: "UDM" - description: "Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." - } # dimension region_coordinates - - dimension: region_latitude { - type: number - sql: ${TABLE}.region_latitude ;; - group_label: "target" - group_item_label: "target.ip_location.region_latitude [D]" - label: "target.ip_location.region_latitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" - } # dimension region_latitude - - dimension: region_longitude { - type: number - sql: ${TABLE}.region_longitude ;; - group_label: "target" - group_item_label: "target.ip_location.region_longitude [D]" - label: "target.ip_location.region_longitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" - } # dimension region_longitude - - dimension: location { - type: location - sql_latitude: ${TABLE}.region_latitude ;; - sql_longitude: ${TABLE}.region_longitude ;; - group_label: "target" - group_item_label: "target.ip_location.location [D][L]" - label: "target.ip_location.location" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." 
- } # dimension location - - dimension: state { - type: string - sql: ${TABLE}.state ;; - group_label: "target" - group_item_label: "target.ip_location.state [D]" - label: "target.ip_location.state" - view_label: "UDM" - description: "The state. [D]: This field is deprecated and will be removed in a future release" - } # dimension state - -} # view events__target__ip_location - -view: events__target__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "target" - group_item_label: "target.labels.key [D]" - label: "target.labels.key" - view_label: "UDM" - description: "The key. [D]: This field is deprecated and will be removed in a future release" - } # dimension key - - dimension: source { - type: string - sql: ${TABLE}.source ;; - group_label: "target" - group_item_label: "target.labels.source [D]" - label: "target.labels.source" - view_label: "UDM" - description: "@hide_from_doc [D]: This field is deprecated and will be removed in a future release" - } # dimension source - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "target" - group_item_label: "target.labels.value [D]" - label: "target.labels.value" - view_label: "UDM" - description: "The value. [D]: This field is deprecated and will be removed in a future release" - } # dimension value - -} # view events__target__labels - -view: events__target__mac { - dimension: events__target__mac { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.mac" - view_label: "UDM" - description: "List of MAC addresses associated with a device." - } # dimension events__target__mac -} # view events__target__mac - -view: events__target__nat_ip { - dimension: events__target__nat_ip { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.nat_ip" - view_label: "UDM" - description: "A list of NAT translated IP addresses associated with a network connection." 
- } # dimension events__target__nat_ip -} # view events__target__nat_ip - -view: events__target__process__command_line_history { - dimension: events__target__process__command_line_history { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.process.command_line_history" - view_label: "UDM" - description: "The command line history of the process." - } # dimension events__target__process__command_line_history -} # view events__target__process__command_line_history - -view: events__target__process__file__capabilities_tags { - dimension: events__target__process__file__capabilities_tags { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.process.file.capabilities_tags" - view_label: "UDM" - description: "Capabilities tags." - } # dimension events__target__process__file__capabilities_tags -} # view events__target__process__file__capabilities_tags - -view: events__target__process__file__names { - dimension: events__target__process__file__names { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.process.file.names" - view_label: "UDM" - description: "Names fields." - } # dimension events__target__process__file__names -} # view events__target__process__file__names - -view: events__target__process__file__pe_file__signature_info__signer { - dimension: events__target__process__file__pe_file__signature_info__signer { - type: string - sql: ${TABLE} ;; - group_label: "target" - group_item_label: "target.process.file.pe_file.signature_info.signer [D]" - label: "target.process.file.pe_file.signature_info.signer" - view_label: "UDM" - description: "Deprecated: use signers field. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension events__target__process__file__pe_file__signature_info__signer -} # view events__target__process__file__pe_file__signature_info__signer - -view: events__target__process__parent_process__file__capabilities_tags { - dimension: events__target__process__parent_process__file__capabilities_tags { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.process.parent_process.file.capabilities_tags" - view_label: "UDM" - description: "Capabilities tags." - } # dimension events__target__process__parent_process__file__capabilities_tags -} # view events__target__process__parent_process__file__capabilities_tags - -view: events__target__process__parent_process__file__names { - dimension: events__target__process__parent_process__file__names { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.process.parent_process.file.names" - view_label: "UDM" - description: "Names fields." - } # dimension events__target__process__parent_process__file__names -} # view events__target__process__parent_process__file__names - -view: events__target__process_ancestors { - dimension: command_line { - type: string - sql: ${TABLE}.command_line ;; - group_label: "target" - label: "target.process_ancestors.command_line" - view_label: "UDM" - description: "The command line command that created the process." - } # dimension command_line - - dimension: file { - hidden: yes - } # dimension file - - dimension: file__full_path { - type: string - sql: ${TABLE}.file.full_path ;; - group_label: "target" - label: "target.process_ancestors.file.full_path" - view_label: "UDM" - description: "The full path identifying the location of the file on the system." 
- } # dimension file__full_path - -} # view events__target__process_ancestors - -view: events__target__resource__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "target" - label: "target.resource.attribute.labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: source { - type: string - sql: ${TABLE}.source ;; - group_label: "target" - label: "target.resource.attribute.labels.source" - view_label: "UDM" - description: "@hide_from_doc" - } # dimension source - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "target" - label: "target.resource.attribute.labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view events__target__resource__attribute__labels - -view: events__target__resource__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "target" - label: "target.resource.attribute.permissions.description" - view_label: "UDM" - description: "Description of the permission (e.g. 'Ability to update detect rules')." - } # dimension description - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "target" - label: "target.resource.attribute.permissions.name" - view_label: "UDM" - description: "Name of the permission (e.g. chronicle.analyst.updateRule)." - } # dimension name - - dimension: type { - type: number - sql: ${TABLE}.type ;; - group_label: "target" - label: "target.resource.attribute.permissions.type" - view_label: "UDM" - description: "Type of the permission." 
- } # dimension type - - dimension: type_enum_name { - type: string - suggestions: ["ADMIN_READ", "ADMIN_WRITE", "DATA_READ", "DATA_WRITE", "UNKNOWN_PERMISSION_TYPE"] - sql: CASE ${TABLE}.type WHEN 0 THEN 'UNKNOWN_PERMISSION_TYPE' WHEN 1 THEN 'ADMIN_WRITE' WHEN 2 THEN 'ADMIN_READ' WHEN 3 THEN 'DATA_WRITE' WHEN 4 THEN 'DATA_READ' END ;; - group_label: "target" - label: "target.resource.attribute.permissions.type_enum_name" - view_label: "UDM" - description: "Type of the permission." - } # dimension type_enum_name - -} # view events__target__resource__attribute__permissions - -view: events__target__resource__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "target" - label: "target.resource.attribute.roles.description" - view_label: "UDM" - description: "System role description for user." - } # dimension description - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "target" - label: "target.resource.attribute.roles.name" - view_label: "UDM" - description: "System role name for user." - } # dimension name - - dimension: type { - type: number - sql: ${TABLE}.type ;; - group_label: "target" - label: "target.resource.attribute.roles.type" - view_label: "UDM" - description: "System role type for well known roles." - } # dimension type - - dimension: type_enum_name { - type: string - suggestions: ["ADMINISTRATOR", "SERVICE_ACCOUNT", "TYPE_UNSPECIFIED"] - sql: CASE ${TABLE}.type WHEN 0 THEN 'TYPE_UNSPECIFIED' WHEN 1 THEN 'ADMINISTRATOR' WHEN 2 THEN 'SERVICE_ACCOUNT' END ;; - group_label: "target" - label: "target.resource.attribute.roles.type_enum_name" - view_label: "UDM" - description: "System role type for well known roles." 
- } # dimension type_enum_name - -} # view events__target__resource__attribute__roles - -view: events__target__resource_ancestors__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "target" - label: "target.resource_ancestors.attribute.labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "target" - label: "target.resource_ancestors.attribute.labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view events__target__resource_ancestors__attribute__labels - -view: events__target__resource_ancestors__attribute__permissions { - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "target" - label: "target.resource_ancestors.attribute.permissions.name" - view_label: "UDM" - description: "Name of the permission (e.g. chronicle.analyst.updateRule)." - } # dimension name - -} # view events__target__resource_ancestors__attribute__permissions - -view: events__target__resource_ancestors { - dimension: attribute { - hidden: yes - } # dimension attribute - - dimension_group: target__resource_ancestors__attribute__creation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.resource_ancestors.attribute.creation_time" - view_label: "UDM" - description: "Time the resource or entity was created or provisioned." 
- } # dimension target__resource_ancestors__attribute__creation_time - - dimension: attribute__labels { - hidden: yes - } # dimension attribute__labels - - dimension: attribute__permissions { - hidden: yes - } # dimension attribute__permissions - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "target" - label: "target.resource_ancestors.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." - } # dimension name - - dimension: product_object_id { - type: string - sql: ${TABLE}.product_object_id ;; - group_label: "target" - label: "target.resource_ancestors.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" - } # dimension product_object_id - - dimension: resource_subtype { - type: string - sql: ${TABLE}.resource_subtype ;; - group_label: "target" - label: "target.resource_ancestors.resource_subtype" - view_label: "UDM" - description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\")." - } # dimension resource_subtype - - dimension: resource_type { - type: number - sql: ${TABLE}.resource_type ;; - group_label: "target" - label: "target.resource_ancestors.resource_type" - view_label: "UDM" - description: "Resource type." 
- } # dimension resource_type - - dimension: resource_type_enum_name { - type: string - suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] - sql: CASE ${TABLE}.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; - group_label: "target" - label: "target.resource_ancestors.resource_type_enum_name" - view_label: "UDM" - description: "Resource type." - } # dimension resource_type_enum_name - -} # view events__target__resource_ancestors - -view: events__target__user__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "target" - label: "target.user.attribute.labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "target" - label: "target.user.attribute.labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view events__target__user__attribute__labels - -view: events__target__user__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "target" - label: "target.user.attribute.permissions.description" - view_label: "UDM" - description: "Description of the permission (e.g. 
'Ability to update detect rules')." - } # dimension description - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "target" - label: "target.user.attribute.permissions.name" - view_label: "UDM" - description: "Name of the permission (e.g. chronicle.analyst.updateRule)." - } # dimension name - - dimension: type { - type: number - sql: ${TABLE}.type ;; - group_label: "target" - label: "target.user.attribute.permissions.type" - view_label: "UDM" - description: "Type of the permission." - } # dimension type - - dimension: type_enum_name { - type: string - suggestions: ["ADMIN_READ", "ADMIN_WRITE", "DATA_READ", "DATA_WRITE", "UNKNOWN_PERMISSION_TYPE"] - sql: CASE ${TABLE}.type WHEN 0 THEN 'UNKNOWN_PERMISSION_TYPE' WHEN 1 THEN 'ADMIN_WRITE' WHEN 2 THEN 'ADMIN_READ' WHEN 3 THEN 'DATA_WRITE' WHEN 4 THEN 'DATA_READ' END ;; - group_label: "target" - label: "target.user.attribute.permissions.type_enum_name" - view_label: "UDM" - description: "Type of the permission." - } # dimension type_enum_name - -} # view events__target__user__attribute__permissions - -view: events__target__user__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "target" - label: "target.user.attribute.roles.description" - view_label: "UDM" - description: "System role description for user." - } # dimension description - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "target" - label: "target.user.attribute.roles.name" - view_label: "UDM" - description: "System role name for user." - } # dimension name - - dimension: type { - type: number - sql: ${TABLE}.type ;; - group_label: "target" - label: "target.user.attribute.roles.type" - view_label: "UDM" - description: "System role type for well known roles." 
- } # dimension type - - dimension: type_enum_name { - type: string - suggestions: ["ADMINISTRATOR", "SERVICE_ACCOUNT", "TYPE_UNSPECIFIED"] - sql: CASE ${TABLE}.type WHEN 0 THEN 'TYPE_UNSPECIFIED' WHEN 1 THEN 'ADMINISTRATOR' WHEN 2 THEN 'SERVICE_ACCOUNT' END ;; - group_label: "target" - label: "target.user.attribute.roles.type_enum_name" - view_label: "UDM" - description: "System role type for well known roles." - } # dimension type_enum_name - -} # view events__target__user__attribute__roles - -view: events__target__user__department { - dimension: events__target__user__department { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.user.department" - view_label: "UDM" - description: "User job department" - } # dimension events__target__user__department -} # view events__target__user__department - -view: events__target__user__email_addresses { - dimension: events__target__user__email_addresses { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.user.email_addresses" - view_label: "UDM" - description: "Email addresses of the user." - } # dimension events__target__user__email_addresses -} # view events__target__user__email_addresses - -view: events__target__user__group_identifiers { - dimension: events__target__user__group_identifiers { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.user.group_identifiers" - view_label: "UDM" - description: "Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar)." - } # dimension events__target__user__group_identifiers -} # view events__target__user__group_identifiers - -view: events__target__user__managers__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "target" - label: "target.user.managers.attribute.labels.key" - view_label: "UDM" - description: "The key." 
- } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "target" - label: "target.user.managers.attribute.labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view events__target__user__managers__attribute__labels - -view: events__target__user__managers__attribute__roles { - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "target" - label: "target.user.managers.attribute.roles.name" - view_label: "UDM" - description: "System role name for user." - } # dimension name - - dimension: type { - type: number - sql: ${TABLE}.type ;; - group_label: "target" - label: "target.user.managers.attribute.roles.type" - view_label: "UDM" - description: "System role type for well known roles." - } # dimension type - - dimension: type_enum_name { - type: string - suggestions: ["ADMINISTRATOR", "SERVICE_ACCOUNT", "TYPE_UNSPECIFIED"] - sql: CASE ${TABLE}.type WHEN 0 THEN 'TYPE_UNSPECIFIED' WHEN 1 THEN 'ADMINISTRATOR' WHEN 2 THEN 'SERVICE_ACCOUNT' END ;; - group_label: "target" - label: "target.user.managers.attribute.roles.type_enum_name" - view_label: "UDM" - description: "System role type for well known roles." - } # dimension type_enum_name - -} # view events__target__user__managers__attribute__roles - -view: events__target__user__managers__department { - dimension: events__target__user__managers__department { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.user.managers.department" - view_label: "UDM" - description: "User job department" - } # dimension events__target__user__managers__department -} # view events__target__user__managers__department - -view: events__target__user__managers__email_addresses { - dimension: events__target__user__managers__email_addresses { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.user.managers.email_addresses" - view_label: "UDM" - description: "Email addresses of the user." 
- } # dimension events__target__user__managers__email_addresses -} # view events__target__user__managers__email_addresses - -view: events__target__user__managers__group_identifiers { - dimension: events__target__user__managers__group_identifiers { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.user.managers.group_identifiers" - view_label: "UDM" - description: "Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar)." - } # dimension events__target__user__managers__group_identifiers -} # view events__target__user__managers__group_identifiers - -view: events__target__user__managers__phone_numbers { - dimension: events__target__user__managers__phone_numbers { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.user.managers.phone_numbers" - view_label: "UDM" - description: "Phone numbers for the user." - } # dimension events__target__user__managers__phone_numbers -} # view events__target__user__managers__phone_numbers - -view: events__target__user__managers { - dimension: attribute { - hidden: yes - } # dimension attribute - - dimension: attribute__labels { - hidden: yes - } # dimension attribute__labels - - dimension: attribute__roles { - hidden: yes - } # dimension attribute__roles - - dimension: company_name { - type: string - sql: ${TABLE}.company_name ;; - group_label: "target" - label: "target.user.managers.company_name" - view_label: "UDM" - description: "User job company name." - } # dimension company_name - - dimension: department { - hidden: yes - } # dimension department - - dimension: email_addresses { - hidden: yes - } # dimension email_addresses - - dimension: employee_id { - type: string - sql: ${TABLE}.employee_id ;; - group_label: "target" - label: "target.user.managers.employee_id" - view_label: "UDM" - description: "Human capital management identifier." 
- } # dimension employee_id - - dimension: first_name { - type: string - sql: ${TABLE}.first_name ;; - group_label: "target" - label: "target.user.managers.first_name" - view_label: "UDM" - description: "First name of the user (e.g. \"John\")." - } # dimension first_name - - dimension: group_identifiers { - hidden: yes - } # dimension group_identifiers - - dimension: last_name { - type: string - sql: ${TABLE}.last_name ;; - group_label: "target" - label: "target.user.managers.last_name" - view_label: "UDM" - description: "Last name of the user (e.g. \"Locke\")." - } # dimension last_name - - dimension: personal_address { - hidden: yes - } # dimension personal_address - - dimension: personal_address__city { - type: string - sql: ${TABLE}.personal_address.city ;; - group_label: "target" - label: "target.user.managers.personal_address.city" - view_label: "UDM" - description: "The city." - } # dimension personal_address__city - - dimension: personal_address__country_or_region { - type: string - sql: ${TABLE}.personal_address.country_or_region ;; - group_label: "target" - label: "target.user.managers.personal_address.country_or_region" - view_label: "UDM" - description: "The country or region." - } # dimension personal_address__country_or_region - - dimension: personal_address__name { - type: string - sql: ${TABLE}.personal_address.name ;; - group_label: "target" - label: "target.user.managers.personal_address.name" - view_label: "UDM" - description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." - } # dimension personal_address__name - - dimension: personal_address__state { - type: string - sql: ${TABLE}.personal_address.state ;; - group_label: "target" - label: "target.user.managers.personal_address.state" - view_label: "UDM" - description: "The state." 
- } # dimension personal_address__state - - dimension: phone_numbers { - hidden: yes - } # dimension phone_numbers - - dimension: product_object_id { - type: string - sql: ${TABLE}.product_object_id ;; - group_label: "target" - label: "target.user.managers.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." - } # dimension product_object_id - - dimension: title { - type: string - sql: ${TABLE}.title ;; - group_label: "target" - label: "target.user.managers.title" - view_label: "UDM" - description: "User job title." - } # dimension title - - dimension: user_display_name { - type: string - sql: ${TABLE}.user_display_name ;; - group_label: "target" - label: "target.user.managers.user_display_name" - view_label: "UDM" - description: "The display name of the user (e.g. \"John Locke\")." - } # dimension user_display_name - - dimension: userid { - type: string - sql: ${TABLE}.userid ;; - group_label: "target" - label: "target.user.managers.userid" - view_label: "UDM" - description: "The ID of the user." - } # dimension userid - - dimension: windows_sid { - type: string - sql: ${TABLE}.windows_sid ;; - group_label: "target" - label: "target.user.managers.windows_sid" - view_label: "UDM" - description: "The Microsoft Windows SID of the user." - } # dimension windows_sid - -} # view events__target__user__managers - -view: events__target__user__phone_numbers { - dimension: events__target__user__phone_numbers { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.user.phone_numbers" - view_label: "UDM" - description: "Phone numbers for the user." 
- } # dimension events__target__user__phone_numbers -} # view events__target__user__phone_numbers - -view: events__target__user__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "target" - label: "target.user.time_off.description" - view_label: "UDM" - description: "Description of the leave if available (e.g. 'Vacation')." - } # dimension description - - dimension_group: target__user__time_off__interval { - type: duration - intervals: [ second, minute, hour ] - sql_start: TIMESTAMP_MICROS(IFNULL(${TABLE}.interval.start_time.seconds,0) * 1000000 + CAST((IFNULL(${TABLE}.interval.start_time.nanos,0) / 1000) as INT64)) ;; - sql_end: TIMESTAMP_MICROS(IFNULL(${TABLE}.interval.end_time.seconds,0) * 1000000 + CAST((IFNULL(${TABLE}.interval.end_time.nanos,0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.user.time_off.interval" - view_label: "UDM" - description: "Interval duration of the leave." - } # dimension target__user__time_off__interval - -} # view events__target__user__time_off - -view: events__target__user_management_chain { - dimension: user_display_name { - type: string - sql: ${TABLE}.user_display_name ;; - group_label: "target" - label: "target.user_management_chain.user_display_name" - view_label: "UDM" - description: "The display name of the user (e.g. \"John Locke\")." 
- } # dimension user_display_name - -} # view events__target__user_management_chain - -explore: events { - ### BEGIN googlex/security/malachite/dashboards/lookml/udm/events_explore_preamble.lkml - label: "UDM Events" - - required_access_grants: [ - has_chronicle_feature_bq_export_external_source_enabled, - has_chronicle_explores_enabled - ] - - conditionally_filter: { - filters: { - field: events.time_filter - value: "last 24 hours" - } - } - - fields: [ALL_FIELDS*,] - sql_always_where: {% condition events.time_filter %} hour_time_bucket {% endcondition %} - AND {% condition events.time_filter %} ${metadata__event_timestamp_raw} {% endcondition %};; - - ### END googlex/security/malachite/dashboards/lookml/udm/events_explore_preamble.lkml - join: events__about { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.about}) as events__about ;; - view_label: "UDM" - } # join events__about - - join: events__about__asset__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__about.asset}.attribute.labels) as events__about__asset__attribute__labels ;; - view_label: "UDM" - } # join events__about__asset__attribute__labels - - join: events__about__asset__attribute__permissions { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__about.asset}.attribute.permissions) as events__about__asset__attribute__permissions ;; - view_label: "UDM" - } # join events__about__asset__attribute__permissions - - join: events__about__asset__hardware { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__about.asset}.hardware) as events__about__asset__hardware ;; - view_label: "UDM" - } # join events__about__asset__hardware - - join: events__about__asset__ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events__about.asset}.ip) as events__about__asset__ip ;; - view_label: "UDM" - } # join events__about__asset__ip - - join: events__about__asset__labels { - relationship: one_to_many - sql: LEFT JOIN 
UNNEST(${events__about.asset}.labels) as events__about__asset__labels ;; - view_label: "UDM" - } # join events__about__asset__labels - - join: events__about__asset__vulnerabilities { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__about.asset}.vulnerabilities) as events__about__asset__vulnerabilities ;; - view_label: "UDM" - } # join events__about__asset__vulnerabilities - - join: events__about__file__capabilities_tags { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events__about.file}.capabilities_tags) as events__about__file__capabilities_tags ;; - view_label: "UDM" - } # join events__about__file__capabilities_tags - - join: events__about__file__names { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events__about.file}.names) as events__about__file__names ;; - view_label: "UDM" - } # join events__about__file__names - - join: events__about__investigation__comments { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events__about.investigation}.comments) as events__about__investigation__comments ;; - view_label: "UDM" - } # join events__about__investigation__comments - - join: events__about__ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events__about.ip}) as events__about__ip ;; - view_label: "UDM" - } # join events__about__ip - - join: events__about__ip_location { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__about.ip_location}) as events__about__ip_location ;; - view_label: "UDM" - } # join events__about__ip_location - - join: events__about__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__about.labels}) as events__about__labels ;; - view_label: "UDM" - } # join events__about__labels - - join: events__about__mac { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events__about.mac}) as events__about__mac ;; - view_label: "UDM" - } # join events__about__mac - - join: events__about__nat_ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events__about.nat_ip}) as 
events__about__nat_ip ;; - view_label: "UDM" - } # join events__about__nat_ip - - join: events__about__resource__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__about.resource}.attribute.labels) as events__about__resource__attribute__labels ;; - view_label: "UDM" - } # join events__about__resource__attribute__labels - - join: events__about__resource__attribute__permissions { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__about.resource}.attribute.permissions) as events__about__resource__attribute__permissions ;; - view_label: "UDM" - } # join events__about__resource__attribute__permissions - - join: events__about__resource_ancestors { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__about.resource_ancestors}) as events__about__resource_ancestors ;; - view_label: "UDM" - } # join events__about__resource_ancestors - - join: events__about__resource_ancestors__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__about__resource_ancestors.attribute}.labels) as events__about__resource_ancestors__attribute__labels ;; - view_label: "UDM" - } # join events__about__resource_ancestors__attribute__labels - - join: events__about__user__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__about.user}.attribute.labels) as events__about__user__attribute__labels ;; - view_label: "UDM" - } # join events__about__user__attribute__labels - - join: events__about__user__attribute__permissions { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__about.user}.attribute.permissions) as events__about__user__attribute__permissions ;; - view_label: "UDM" - } # join events__about__user__attribute__permissions - - join: events__about__user__attribute__roles { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__about.user}.attribute.roles) as events__about__user__attribute__roles ;; - view_label: "UDM" - } # join events__about__user__attribute__roles - - 
join: events__about__user__department { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events__about.user}.department) as events__about__user__department ;; - view_label: "UDM" - } # join events__about__user__department - - join: events__about__user__email_addresses { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events__about.user}.email_addresses) as events__about__user__email_addresses ;; - view_label: "UDM" - } # join events__about__user__email_addresses - - join: events__about__user__group_identifiers { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events__about.user}.group_identifiers) as events__about__user__group_identifiers ;; - view_label: "UDM" - } # join events__about__user__group_identifiers - - join: events__additional__fields { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.additional}.fields) as events__additional__fields ;; - view_label: "UDM" - } # join events__additional__fields - - join: events__additional__fields__value__list_value__values { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__additional__fields.value}.list_value.values) as events__additional__fields__value__list_value__values ;; - view_label: "UDM" - } # join events__additional__fields__value__list_value__values - - join: events__additional__fields__value__list_value__values__struct_value__fields { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__additional__fields__value__list_value__values.struct_value}.fields) as events__additional__fields__value__list_value__values__struct_value__fields ;; - view_label: "UDM" - } # join events__additional__fields__value__list_value__values__struct_value__fields - - join: events__additional__fields__value__struct_value__fields { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__additional__fields.value}.struct_value.fields) as events__additional__fields__value__struct_value__fields ;; - view_label: "UDM" - } # join events__additional__fields__value__struct_value__fields - - 
join: events__extensions__auth__mechanism { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.extensions}.auth.mechanism) as events__extensions__auth__mechanism ;; - view_label: "UDM" - } # join events__extensions__auth__mechanism - - join: events__extensions__auth__mechanism_enum_name { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.extensions}.auth.mechanism) as events__extensions__auth__mechanism_enum_name ;; - view_label: "UDM" - } # join events__extensions__auth__mechanism_enum_name - - join: events__extensions__vulns__vulnerabilities { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.extensions}.vulns.vulnerabilities) as events__extensions__vulns__vulnerabilities ;; - view_label: "UDM" - } # join events__extensions__vulns__vulnerabilities - - join: events__extensions__vulns__vulnerabilities__about__asset__ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events__extensions__vulns__vulnerabilities.about}.asset.ip) as events__extensions__vulns__vulnerabilities__about__asset__ip ;; - view_label: "UDM" - } # join events__extensions__vulns__vulnerabilities__about__asset__ip - - join: events__extensions__vulns__vulnerabilities__about__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__extensions__vulns__vulnerabilities.about}.labels) as events__extensions__vulns__vulnerabilities__about__labels ;; - view_label: "UDM" - } # join events__extensions__vulns__vulnerabilities__about__labels - - join: events__extensions__vulns__vulnerabilities__about__resource__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__extensions__vulns__vulnerabilities.about}.resource.attribute.labels) as events__extensions__vulns__vulnerabilities__about__resource__attribute__labels ;; - view_label: "UDM" - } # join events__extensions__vulns__vulnerabilities__about__resource__attribute__labels - - join: events__intermediary { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.intermediary}) as 
events__intermediary ;; - view_label: "UDM" - } # join events__intermediary - - join: events__intermediary__asset__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__intermediary.asset}.attribute.labels) as events__intermediary__asset__attribute__labels ;; - view_label: "UDM" - } # join events__intermediary__asset__attribute__labels - - join: events__intermediary__asset__hardware { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__intermediary.asset}.hardware) as events__intermediary__asset__hardware ;; - view_label: "UDM" - } # join events__intermediary__asset__hardware - - join: events__intermediary__asset__ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events__intermediary.asset}.ip) as events__intermediary__asset__ip ;; - view_label: "UDM" - } # join events__intermediary__asset__ip - - join: events__intermediary__asset__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__intermediary.asset}.labels) as events__intermediary__asset__labels ;; - view_label: "UDM" - } # join events__intermediary__asset__labels - - join: events__intermediary__asset__mac { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events__intermediary.asset}.mac) as events__intermediary__asset__mac ;; - view_label: "UDM" - } # join events__intermediary__asset__mac - - join: events__intermediary__asset__software { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__intermediary.asset}.software) as events__intermediary__asset__software ;; - view_label: "UDM" - } # join events__intermediary__asset__software - - join: events__intermediary__ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events__intermediary.ip}) as events__intermediary__ip ;; - view_label: "UDM" - } # join events__intermediary__ip - - join: events__intermediary__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__intermediary.labels}) as events__intermediary__labels ;; - view_label: "UDM" - } # join 
events__intermediary__labels - - join: events__intermediary__mac { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events__intermediary.mac}) as events__intermediary__mac ;; - view_label: "UDM" - } # join events__intermediary__mac - - join: events__intermediary__nat_ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events__intermediary.nat_ip}) as events__intermediary__nat_ip ;; - view_label: "UDM" - } # join events__intermediary__nat_ip - - join: events__intermediary__process__file__names { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events__intermediary.process}.file.names) as events__intermediary__process__file__names ;; - view_label: "UDM" - } # join events__intermediary__process__file__names - - join: events__intermediary__resource__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__intermediary.resource}.attribute.labels) as events__intermediary__resource__attribute__labels ;; - view_label: "UDM" - } # join events__intermediary__resource__attribute__labels - - join: events__intermediary__user__email_addresses { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events__intermediary.user}.email_addresses) as events__intermediary__user__email_addresses ;; - view_label: "UDM" - } # join events__intermediary__user__email_addresses - - join: events__intermediary__user__group_identifiers { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events__intermediary.user}.group_identifiers) as events__intermediary__user__group_identifiers ;; - view_label: "UDM" - } # join events__intermediary__user__group_identifiers - - join: events__metadata__base_labels__log_types { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.metadata}.base_labels.log_types) as events__metadata__base_labels__log_types ;; - view_label: "UDM" - } # join events__metadata__base_labels__log_types - - join: events__metadata__base_labels__namespaces { - relationship: one_to_one - sql: LEFT JOIN 
UNNEST(${events.metadata}.base_labels.namespaces) as events__metadata__base_labels__namespaces ;; - view_label: "UDM" - } # join events__metadata__base_labels__namespaces - - join: events__metadata__ingestion_labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.metadata}.ingestion_labels) as events__metadata__ingestion_labels ;; - view_label: "UDM" - } # join events__metadata__ingestion_labels - - join: events__metadata__tags__data_tap_config_name { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.metadata}.tags.data_tap_config_name) as events__metadata__tags__data_tap_config_name ;; - view_label: "UDM" - } # join events__metadata__tags__data_tap_config_name - - join: events__metadata__tags__tenant_id { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.metadata}.tags.tenant_id) as events__metadata__tags__tenant_id ;; - view_label: "UDM" - } # join events__metadata__tags__tenant_id - - join: events__network__dhcp__options { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.network}.dhcp.options) as events__network__dhcp__options ;; - view_label: "UDM" - } # join events__network__dhcp__options - - join: events__network__dns__additional { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.network}.dns.additional) as events__network__dns__additional ;; - view_label: "UDM" - } # join events__network__dns__additional - - join: events__network__dns__answers { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.network}.dns.answers) as events__network__dns__answers ;; - view_label: "UDM" - } # join events__network__dns__answers - - join: events__network__dns__authority { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.network}.dns.authority) as events__network__dns__authority ;; - view_label: "UDM" - } # join events__network__dns__authority - - join: events__network__dns__questions { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.network}.dns.questions) as 
events__network__dns__questions ;; - view_label: "UDM" - } # join events__network__dns__questions - - join: events__network__email__bcc { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.network}.email.bcc) as events__network__email__bcc ;; - view_label: "UDM" - } # join events__network__email__bcc - - join: events__network__email__cc { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.network}.email.cc) as events__network__email__cc ;; - view_label: "UDM" - } # join events__network__email__cc - - join: events__network__email__subject { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.network}.email.subject) as events__network__email__subject ;; - view_label: "UDM" - } # join events__network__email__subject - - join: events__network__email__to { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.network}.email.to) as events__network__email__to ;; - view_label: "UDM" - } # join events__network__email__to - - join: events__network__http__parsed_user_agent__annotation { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.network}.http.parsed_user_agent.annotation) as events__network__http__parsed_user_agent__annotation ;; - view_label: "UDM" - } # join events__network__http__parsed_user_agent__annotation - - join: events__network__tls__client__supported_ciphers { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.network}.tls.client.supported_ciphers) as events__network__tls__client__supported_ciphers ;; - view_label: "UDM" - } # join events__network__tls__client__supported_ciphers - - join: events__observer__asset__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.observer}.asset.attribute.labels) as events__observer__asset__attribute__labels ;; - view_label: "UDM" - } # join events__observer__asset__attribute__labels - - join: events__observer__asset__ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.observer}.asset.ip) as events__observer__asset__ip ;; - 
view_label: "UDM" - } # join events__observer__asset__ip - - join: events__observer__asset__software { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.observer}.asset.software) as events__observer__asset__software ;; - view_label: "UDM" - } # join events__observer__asset__software - - join: events__observer__asset__vulnerabilities { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.observer}.asset.vulnerabilities) as events__observer__asset__vulnerabilities ;; - view_label: "UDM" - } # join events__observer__asset__vulnerabilities - - join: events__observer__ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.observer}.ip) as events__observer__ip ;; - view_label: "UDM" - } # join events__observer__ip - - join: events__observer__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.observer}.labels) as events__observer__labels ;; - view_label: "UDM" - } # join events__observer__labels - - join: events__observer__mac { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.observer}.mac) as events__observer__mac ;; - view_label: "UDM" - } # join events__observer__mac - - join: events__observer__resource__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.observer}.resource.attribute.labels) as events__observer__resource__attribute__labels ;; - view_label: "UDM" - } # join events__observer__resource__attribute__labels - - join: events__observer__user__email_addresses { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.observer}.user.email_addresses) as events__observer__user__email_addresses ;; - view_label: "UDM" - } # join events__observer__user__email_addresses - - join: events__observer__user__group_identifiers { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.observer}.user.group_identifiers) as events__observer__user__group_identifiers ;; - view_label: "UDM" - } # join events__observer__user__group_identifiers - - join: 
events__principal__artifact__network__dns__answers { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.principal}.artifact.network.dns.answers) as events__principal__artifact__network__dns__answers ;; - view_label: "UDM" - } # join events__principal__artifact__network__dns__answers - - join: events__principal__asset__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.principal}.asset.attribute.labels) as events__principal__asset__attribute__labels ;; - view_label: "UDM" - } # join events__principal__asset__attribute__labels - - join: events__principal__asset__attribute__roles { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.principal}.asset.attribute.roles) as events__principal__asset__attribute__roles ;; - view_label: "UDM" - } # join events__principal__asset__attribute__roles - - join: events__principal__asset__hardware { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.principal}.asset.hardware) as events__principal__asset__hardware ;; - view_label: "UDM" - } # join events__principal__asset__hardware - - join: events__principal__asset__ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.principal}.asset.ip) as events__principal__asset__ip ;; - view_label: "UDM" - } # join events__principal__asset__ip - - join: events__principal__asset__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.principal}.asset.labels) as events__principal__asset__labels ;; - view_label: "UDM" - } # join events__principal__asset__labels - - join: events__principal__asset__mac { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.principal}.asset.mac) as events__principal__asset__mac ;; - view_label: "UDM" - } # join events__principal__asset__mac - - join: events__principal__asset__nat_ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.principal}.asset.nat_ip) as events__principal__asset__nat_ip ;; - view_label: "UDM" - } # join events__principal__asset__nat_ip - - 
join: events__principal__asset__software { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.principal}.asset.software) as events__principal__asset__software ;; - view_label: "UDM" - } # join events__principal__asset__software - - join: events__principal__asset__software__permissions { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__principal__asset__software.permissions}) as events__principal__asset__software__permissions ;; - view_label: "UDM" - } # join events__principal__asset__software__permissions - - join: events__principal__asset__vulnerabilities { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.principal}.asset.vulnerabilities) as events__principal__asset__vulnerabilities ;; - view_label: "UDM" - } # join events__principal__asset__vulnerabilities - - join: events__principal__domain__name_server { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.principal}.domain.name_server) as events__principal__domain__name_server ;; - view_label: "UDM" - } # join events__principal__domain__name_server - - join: events__principal__domain__tech__group_identifiers { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.principal}.domain.tech.group_identifiers) as events__principal__domain__tech__group_identifiers ;; - view_label: "UDM" - } # join events__principal__domain__tech__group_identifiers - - join: events__principal__file__names { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.principal}.file.names) as events__principal__file__names ;; - view_label: "UDM" - } # join events__principal__file__names - - join: events__principal__group__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.principal}.group.attribute.labels) as events__principal__group__attribute__labels ;; - view_label: "UDM" - } # join events__principal__group__attribute__labels - - join: events__principal__group__attribute__roles { - relationship: one_to_many - sql: LEFT JOIN 
UNNEST(${events.principal}.group.attribute.roles) as events__principal__group__attribute__roles ;; - view_label: "UDM" - } # join events__principal__group__attribute__roles - - join: events__principal__group__email_addresses { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.principal}.group.email_addresses) as events__principal__group__email_addresses ;; - view_label: "UDM" - } # join events__principal__group__email_addresses - - join: events__principal__investigation__comments { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.principal}.investigation.comments) as events__principal__investigation__comments ;; - view_label: "UDM" - } # join events__principal__investigation__comments - - join: events__principal__ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.principal}.ip) as events__principal__ip ;; - view_label: "UDM" - } # join events__principal__ip - - join: events__principal__ip_geo_artifact { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.principal}.ip_geo_artifact) as events__principal__ip_geo_artifact ;; - view_label: "UDM" - } # join events__principal__ip_geo_artifact - - join: events__principal__ip_location { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.principal}.ip_location) as events__principal__ip_location ;; - view_label: "UDM" - } # join events__principal__ip_location - - join: events__principal__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.principal}.labels) as events__principal__labels ;; - view_label: "UDM" - } # join events__principal__labels - - join: events__principal__mac { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.principal}.mac) as events__principal__mac ;; - view_label: "UDM" - } # join events__principal__mac - - join: events__principal__nat_ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.principal}.nat_ip) as events__principal__nat_ip ;; - view_label: "UDM" - } # join events__principal__nat_ip - - join: 
events__principal__process__command_line_history { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.principal}.process.command_line_history) as events__principal__process__command_line_history ;; - view_label: "UDM" - } # join events__principal__process__command_line_history - - join: events__principal__process__file__capabilities_tags { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.principal}.process.file.capabilities_tags) as events__principal__process__file__capabilities_tags ;; - view_label: "UDM" - } # join events__principal__process__file__capabilities_tags - - join: events__principal__process__file__names { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.principal}.process.file.names) as events__principal__process__file__names ;; - view_label: "UDM" - } # join events__principal__process__file__names - - join: events__principal__process_ancestors { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.principal}.process_ancestors) as events__principal__process_ancestors ;; - view_label: "UDM" - } # join events__principal__process_ancestors - - join: events__principal__resource__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.principal}.resource.attribute.labels) as events__principal__resource__attribute__labels ;; - view_label: "UDM" - } # join events__principal__resource__attribute__labels - - join: events__principal__resource__attribute__permissions { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.principal}.resource.attribute.permissions) as events__principal__resource__attribute__permissions ;; - view_label: "UDM" - } # join events__principal__resource__attribute__permissions - - join: events__principal__resource__attribute__roles { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.principal}.resource.attribute.roles) as events__principal__resource__attribute__roles ;; - view_label: "UDM" - } # join events__principal__resource__attribute__roles - - join: 
events__principal__resource_ancestors { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.principal}.resource_ancestors) as events__principal__resource_ancestors ;; - view_label: "UDM" - } # join events__principal__resource_ancestors - - join: events__principal__resource_ancestors__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__principal__resource_ancestors.attribute}.labels) as events__principal__resource_ancestors__attribute__labels ;; - view_label: "UDM" - } # join events__principal__resource_ancestors__attribute__labels - - join: events__principal__user__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.principal}.user.attribute.labels) as events__principal__user__attribute__labels ;; - view_label: "UDM" - } # join events__principal__user__attribute__labels - - join: events__principal__user__attribute__permissions { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.principal}.user.attribute.permissions) as events__principal__user__attribute__permissions ;; - view_label: "UDM" - } # join events__principal__user__attribute__permissions - - join: events__principal__user__attribute__roles { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.principal}.user.attribute.roles) as events__principal__user__attribute__roles ;; - view_label: "UDM" - } # join events__principal__user__attribute__roles - - join: events__principal__user__department { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.principal}.user.department) as events__principal__user__department ;; - view_label: "UDM" - } # join events__principal__user__department - - join: events__principal__user__email_addresses { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.principal}.user.email_addresses) as events__principal__user__email_addresses ;; - view_label: "UDM" - } # join events__principal__user__email_addresses - - join: events__principal__user__group_identifiers { - relationship: 
one_to_one - sql: LEFT JOIN UNNEST(${events.principal}.user.group_identifiers) as events__principal__user__group_identifiers ;; - view_label: "UDM" - } # join events__principal__user__group_identifiers - - join: events__principal__user__managers { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.principal}.user.managers) as events__principal__user__managers ;; - view_label: "UDM" - } # join events__principal__user__managers - - join: events__principal__user__managers__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__principal__user__managers.attribute}.labels) as events__principal__user__managers__attribute__labels ;; - view_label: "UDM" - } # join events__principal__user__managers__attribute__labels - - join: events__principal__user__managers__attribute__roles { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__principal__user__managers.attribute}.roles) as events__principal__user__managers__attribute__roles ;; - view_label: "UDM" - } # join events__principal__user__managers__attribute__roles - - join: events__principal__user__managers__department { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events__principal__user__managers.department}) as events__principal__user__managers__department ;; - view_label: "UDM" - } # join events__principal__user__managers__department - - join: events__principal__user__managers__email_addresses { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events__principal__user__managers.email_addresses}) as events__principal__user__managers__email_addresses ;; - view_label: "UDM" - } # join events__principal__user__managers__email_addresses - - join: events__principal__user__managers__group_identifiers { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events__principal__user__managers.group_identifiers}) as events__principal__user__managers__group_identifiers ;; - view_label: "UDM" - } # join events__principal__user__managers__group_identifiers - - join: 
events__principal__user__managers__phone_numbers { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events__principal__user__managers.phone_numbers}) as events__principal__user__managers__phone_numbers ;; - view_label: "UDM" - } # join events__principal__user__managers__phone_numbers - - join: events__principal__user__phone_numbers { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.principal}.user.phone_numbers) as events__principal__user__phone_numbers ;; - view_label: "UDM" - } # join events__principal__user__phone_numbers - - join: events__principal__user__time_off { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.principal}.user.time_off) as events__principal__user__time_off ;; - view_label: "UDM" - } # join events__principal__user__time_off - - join: events__security_result { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.security_result}) as events__security_result ;; - view_label: "UDM" - } # join events__security_result - - join: events__security_result__about__asset__attribute__permissions { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__security_result.about}.asset.attribute.permissions) as events__security_result__about__asset__attribute__permissions ;; - view_label: "UDM" - } # join events__security_result__about__asset__attribute__permissions - - join: events__security_result__about__asset__ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events__security_result.about}.asset.ip) as events__security_result__about__asset__ip ;; - view_label: "UDM" - } # join events__security_result__about__asset__ip - - join: events__security_result__about__asset__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__security_result.about}.asset.labels) as events__security_result__about__asset__labels ;; - view_label: "UDM" - } # join events__security_result__about__asset__labels - - join: events__security_result__about__asset__mac { - relationship: one_to_one - sql: LEFT JOIN 
UNNEST(${events__security_result.about}.asset.mac) as events__security_result__about__asset__mac ;; - view_label: "UDM" - } # join events__security_result__about__asset__mac - - join: events__security_result__about__asset__software { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__security_result.about}.asset.software) as events__security_result__about__asset__software ;; - view_label: "UDM" - } # join events__security_result__about__asset__software - - join: events__security_result__about__asset__software__permissions { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__security_result__about__asset__software.permissions}) as events__security_result__about__asset__software__permissions ;; - view_label: "UDM" - } # join events__security_result__about__asset__software__permissions - - join: events__security_result__about__asset__vulnerabilities { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__security_result.about}.asset.vulnerabilities) as events__security_result__about__asset__vulnerabilities ;; - view_label: "UDM" - } # join events__security_result__about__asset__vulnerabilities - - join: events__security_result__about__domain__tech__attribute__permissions { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__security_result.about}.domain.tech.attribute.permissions) as events__security_result__about__domain__tech__attribute__permissions ;; - view_label: "UDM" - } # join events__security_result__about__domain__tech__attribute__permissions - - join: events__security_result__about__file__capabilities_tags { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events__security_result.about}.file.capabilities_tags) as events__security_result__about__file__capabilities_tags ;; - view_label: "UDM" - } # join events__security_result__about__file__capabilities_tags - - join: events__security_result__about__file__names { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events__security_result.about}.file.names) as 
events__security_result__about__file__names ;; - view_label: "UDM" - } # join events__security_result__about__file__names - - join: events__security_result__about__investigation__comments { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events__security_result.about}.investigation.comments) as events__security_result__about__investigation__comments ;; - view_label: "UDM" - } # join events__security_result__about__investigation__comments - - join: events__security_result__about__ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events__security_result.about}.ip) as events__security_result__about__ip ;; - view_label: "UDM" - } # join events__security_result__about__ip - - join: events__security_result__about__ip_location { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__security_result.about}.ip_location) as events__security_result__about__ip_location ;; - view_label: "UDM" - } # join events__security_result__about__ip_location - - join: events__security_result__about__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__security_result.about}.labels) as events__security_result__about__labels ;; - view_label: "UDM" - } # join events__security_result__about__labels - - join: events__security_result__about__mac { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events__security_result.about}.mac) as events__security_result__about__mac ;; - view_label: "UDM" - } # join events__security_result__about__mac - - join: events__security_result__about__nat_ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events__security_result.about}.nat_ip) as events__security_result__about__nat_ip ;; - view_label: "UDM" - } # join events__security_result__about__nat_ip - - join: events__security_result__about__process__command_line_history { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events__security_result.about}.process.command_line_history) as events__security_result__about__process__command_line_history ;; - 
view_label: "UDM" - } # join events__security_result__about__process__command_line_history - - join: events__security_result__about__resource__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__security_result.about}.resource.attribute.labels) as events__security_result__about__resource__attribute__labels ;; - view_label: "UDM" - } # join events__security_result__about__resource__attribute__labels - - join: events__security_result__about__resource_ancestors { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__security_result.about}.resource_ancestors) as events__security_result__about__resource_ancestors ;; - view_label: "UDM" - } # join events__security_result__about__resource_ancestors - - join: events__security_result__about__user__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__security_result.about}.user.attribute.labels) as events__security_result__about__user__attribute__labels ;; - view_label: "UDM" - } # join events__security_result__about__user__attribute__labels - - join: events__security_result__about__user__attribute__roles { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__security_result.about}.user.attribute.roles) as events__security_result__about__user__attribute__roles ;; - view_label: "UDM" - } # join events__security_result__about__user__attribute__roles - - join: events__security_result__about__user__email_addresses { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events__security_result.about}.user.email_addresses) as events__security_result__about__user__email_addresses ;; - view_label: "UDM" - } # join events__security_result__about__user__email_addresses - - join: events__security_result__about__user__group_identifiers { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events__security_result.about}.user.group_identifiers) as events__security_result__about__user__group_identifiers ;; - view_label: "UDM" - } # join 
events__security_result__about__user__group_identifiers - - join: events__security_result__about__user_management_chain { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__security_result.about}.user_management_chain) as events__security_result__about__user_management_chain ;; - view_label: "UDM" - } # join events__security_result__about__user_management_chain - - join: events__security_result__action { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events__security_result.action}) as events__security_result__action ;; - view_label: "UDM" - } # join events__security_result__action - - join: events__security_result__action_enum_name { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events__security_result.action}) as events__security_result__action_enum_name ;; - view_label: "UDM" - } # join events__security_result__action_enum_name - - join: events__security_result__attack_details__tactics { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__security_result.attack_details}.tactics) as events__security_result__attack_details__tactics ;; - view_label: "UDM" - } # join events__security_result__attack_details__tactics - - join: events__security_result__attack_details__techniques { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__security_result.attack_details}.techniques) as events__security_result__attack_details__techniques ;; - view_label: "UDM" - } # join events__security_result__attack_details__techniques - - join: events__security_result__category { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events__security_result.category}) as events__security_result__category ;; - view_label: "UDM" - } # join events__security_result__category - - join: events__security_result__category_enum_name { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events__security_result.category}) as events__security_result__category_enum_name ;; - view_label: "UDM" - } # join events__security_result__category_enum_name - - join: 
events__security_result__category_details { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events__security_result.category_details}) as events__security_result__category_details ;; - view_label: "UDM" - } # join events__security_result__category_details - - join: events__security_result__detection_fields { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__security_result.detection_fields}) as events__security_result__detection_fields ;; - view_label: "UDM" - } # join events__security_result__detection_fields - - join: events__security_result__outcomes { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__security_result.outcomes}) as events__security_result__outcomes ;; - view_label: "UDM" - } # join events__security_result__outcomes - - join: events__security_result__rule_labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__security_result.rule_labels}) as events__security_result__rule_labels ;; - view_label: "UDM" - } # join events__security_result__rule_labels - - join: events__src__artifact__network__dns__questions { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.src}.artifact.network.dns.questions) as events__src__artifact__network__dns__questions ;; - view_label: "UDM" - } # join events__src__artifact__network__dns__questions - - join: events__src__asset__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.src}.asset.attribute.labels) as events__src__asset__attribute__labels ;; - view_label: "UDM" - } # join events__src__asset__attribute__labels - - join: events__src__asset__hardware { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.src}.asset.hardware) as events__src__asset__hardware ;; - view_label: "UDM" - } # join events__src__asset__hardware - - join: events__src__asset__ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.src}.asset.ip) as events__src__asset__ip ;; - view_label: "UDM" - } # join events__src__asset__ip - - join: 
events__src__asset__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.src}.asset.labels) as events__src__asset__labels ;; - view_label: "UDM" - } # join events__src__asset__labels - - join: events__src__asset__mac { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.src}.asset.mac) as events__src__asset__mac ;; - view_label: "UDM" - } # join events__src__asset__mac - - join: events__src__asset__nat_ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.src}.asset.nat_ip) as events__src__asset__nat_ip ;; - view_label: "UDM" - } # join events__src__asset__nat_ip - - join: events__src__asset__software { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.src}.asset.software) as events__src__asset__software ;; - view_label: "UDM" - } # join events__src__asset__software - - join: events__src__asset__software__permissions { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__src__asset__software.permissions}) as events__src__asset__software__permissions ;; - view_label: "UDM" - } # join events__src__asset__software__permissions - - join: events__src__asset__vulnerabilities { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.src}.asset.vulnerabilities) as events__src__asset__vulnerabilities ;; - view_label: "UDM" - } # join events__src__asset__vulnerabilities - - join: events__src__file__capabilities_tags { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.src}.file.capabilities_tags) as events__src__file__capabilities_tags ;; - view_label: "UDM" - } # join events__src__file__capabilities_tags - - join: events__src__file__embedded_domains { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.src}.file.embedded_domains) as events__src__file__embedded_domains ;; - view_label: "UDM" - } # join events__src__file__embedded_domains - - join: events__src__file__embedded_ips { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.src}.file.embedded_ips) as events__src__file__embedded_ips 
;; - view_label: "UDM" - } # join events__src__file__embedded_ips - - join: events__src__file__embedded_urls { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.src}.file.embedded_urls) as events__src__file__embedded_urls ;; - view_label: "UDM" - } # join events__src__file__embedded_urls - - join: events__src__file__names { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.src}.file.names) as events__src__file__names ;; - view_label: "UDM" - } # join events__src__file__names - - join: events__src__file__signature_info__sigcheck__signers { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.src}.file.signature_info.sigcheck.signers) as events__src__file__signature_info__sigcheck__signers ;; - view_label: "UDM" - } # join events__src__file__signature_info__sigcheck__signers - - join: events__src__file__tags { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.src}.file.tags) as events__src__file__tags ;; - view_label: "UDM" - } # join events__src__file__tags - - join: events__src__ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.src}.ip) as events__src__ip ;; - view_label: "UDM" - } # join events__src__ip - - join: events__src__ip_geo_artifact { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.src}.ip_geo_artifact) as events__src__ip_geo_artifact ;; - view_label: "UDM" - } # join events__src__ip_geo_artifact - - join: events__src__ip_location { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.src}.ip_location) as events__src__ip_location ;; - view_label: "UDM" - } # join events__src__ip_location - - join: events__src__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.src}.labels) as events__src__labels ;; - view_label: "UDM" - } # join events__src__labels - - join: events__src__mac { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.src}.mac) as events__src__mac ;; - view_label: "UDM" - } # join events__src__mac - - join: events__src__nat_ip { - relationship: 
one_to_one - sql: LEFT JOIN UNNEST(${events.src}.nat_ip) as events__src__nat_ip ;; - view_label: "UDM" - } # join events__src__nat_ip - - join: events__src__process__file__names { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.src}.process.file.names) as events__src__process__file__names ;; - view_label: "UDM" - } # join events__src__process__file__names - - join: events__src__process_ancestors { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.src}.process_ancestors) as events__src__process_ancestors ;; - view_label: "UDM" - } # join events__src__process_ancestors - - join: events__src__resource__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.src}.resource.attribute.labels) as events__src__resource__attribute__labels ;; - view_label: "UDM" - } # join events__src__resource__attribute__labels - - join: events__src__resource__attribute__permissions { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.src}.resource.attribute.permissions) as events__src__resource__attribute__permissions ;; - view_label: "UDM" - } # join events__src__resource__attribute__permissions - - join: events__src__resource_ancestors { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.src}.resource_ancestors) as events__src__resource_ancestors ;; - view_label: "UDM" - } # join events__src__resource_ancestors - - join: events__src__resource_ancestors__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__src__resource_ancestors.attribute}.labels) as events__src__resource_ancestors__attribute__labels ;; - view_label: "UDM" - } # join events__src__resource_ancestors__attribute__labels - - join: events__src__user__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.src}.user.attribute.labels) as events__src__user__attribute__labels ;; - view_label: "UDM" - } # join events__src__user__attribute__labels - - join: events__src__user__attribute__roles { - relationship: 
one_to_many - sql: LEFT JOIN UNNEST(${events.src}.user.attribute.roles) as events__src__user__attribute__roles ;; - view_label: "UDM" - } # join events__src__user__attribute__roles - - join: events__src__user__department { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.src}.user.department) as events__src__user__department ;; - view_label: "UDM" - } # join events__src__user__department - - join: events__src__user__email_addresses { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.src}.user.email_addresses) as events__src__user__email_addresses ;; - view_label: "UDM" - } # join events__src__user__email_addresses - - join: events__src__user__group_identifiers { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.src}.user.group_identifiers) as events__src__user__group_identifiers ;; - view_label: "UDM" - } # join events__src__user__group_identifiers - - join: events__src__user__managers { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.src}.user.managers) as events__src__user__managers ;; - view_label: "UDM" - } # join events__src__user__managers - - join: events__src__user__managers__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__src__user__managers.attribute}.labels) as events__src__user__managers__attribute__labels ;; - view_label: "UDM" - } # join events__src__user__managers__attribute__labels - - join: events__src__user__managers__attribute__roles { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__src__user__managers.attribute}.roles) as events__src__user__managers__attribute__roles ;; - view_label: "UDM" - } # join events__src__user__managers__attribute__roles - - join: events__src__user__managers__department { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events__src__user__managers.department}) as events__src__user__managers__department ;; - view_label: "UDM" - } # join events__src__user__managers__department - - join: 
events__src__user__managers__email_addresses { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events__src__user__managers.email_addresses}) as events__src__user__managers__email_addresses ;; - view_label: "UDM" - } # join events__src__user__managers__email_addresses - - join: events__src__user__managers__group_identifiers { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events__src__user__managers.group_identifiers}) as events__src__user__managers__group_identifiers ;; - view_label: "UDM" - } # join events__src__user__managers__group_identifiers - - join: events__src__user__managers__phone_numbers { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events__src__user__managers.phone_numbers}) as events__src__user__managers__phone_numbers ;; - view_label: "UDM" - } # join events__src__user__managers__phone_numbers - - join: events__src__user__phone_numbers { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.src}.user.phone_numbers) as events__src__user__phone_numbers ;; - view_label: "UDM" - } # join events__src__user__phone_numbers - - join: events__src__user__time_off { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.src}.user.time_off) as events__src__user__time_off ;; - view_label: "UDM" - } # join events__src__user__time_off - - join: events__target__artifact__network__email__subject { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.target}.artifact.network.email.subject) as events__target__artifact__network__email__subject ;; - view_label: "UDM" - } # join events__target__artifact__network__email__subject - - join: events__target__asset__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.target}.asset.attribute.labels) as events__target__asset__attribute__labels ;; - view_label: "UDM" - } # join events__target__asset__attribute__labels - - join: events__target__asset__attribute__permissions { - relationship: one_to_many - sql: LEFT JOIN 
UNNEST(${events.target}.asset.attribute.permissions) as events__target__asset__attribute__permissions ;; - view_label: "UDM" - } # join events__target__asset__attribute__permissions - - join: events__target__asset__attribute__roles { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.target}.asset.attribute.roles) as events__target__asset__attribute__roles ;; - view_label: "UDM" - } # join events__target__asset__attribute__roles - - join: events__target__asset__hardware { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.target}.asset.hardware) as events__target__asset__hardware ;; - view_label: "UDM" - } # join events__target__asset__hardware - - join: events__target__asset__ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.target}.asset.ip) as events__target__asset__ip ;; - view_label: "UDM" - } # join events__target__asset__ip - - join: events__target__asset__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.target}.asset.labels) as events__target__asset__labels ;; - view_label: "UDM" - } # join events__target__asset__labels - - join: events__target__asset__mac { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.target}.asset.mac) as events__target__asset__mac ;; - view_label: "UDM" - } # join events__target__asset__mac - - join: events__target__asset__nat_ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.target}.asset.nat_ip) as events__target__asset__nat_ip ;; - view_label: "UDM" - } # join events__target__asset__nat_ip - - join: events__target__asset__software { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.target}.asset.software) as events__target__asset__software ;; - view_label: "UDM" - } # join events__target__asset__software - - join: events__target__asset__software__permissions { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__target__asset__software.permissions}) as events__target__asset__software__permissions ;; - view_label: "UDM" - } # join 
events__target__asset__software__permissions - - join: events__target__asset__vulnerabilities { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.target}.asset.vulnerabilities) as events__target__asset__vulnerabilities ;; - view_label: "UDM" - } # join events__target__asset__vulnerabilities - - join: events__target__cloud__project__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.target}.cloud.project.attribute.labels) as events__target__cloud__project__attribute__labels ;; - view_label: "UDM" - } # join events__target__cloud__project__attribute__labels - - join: events__target__domain__name_server { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.target}.domain.name_server) as events__target__domain__name_server ;; - view_label: "UDM" - } # join events__target__domain__name_server - - join: events__target__file__capabilities_tags { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.target}.file.capabilities_tags) as events__target__file__capabilities_tags ;; - view_label: "UDM" - } # join events__target__file__capabilities_tags - - join: events__target__file__embedded_domains { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.target}.file.embedded_domains) as events__target__file__embedded_domains ;; - view_label: "UDM" - } # join events__target__file__embedded_domains - - join: events__target__file__embedded_ips { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.target}.file.embedded_ips) as events__target__file__embedded_ips ;; - view_label: "UDM" - } # join events__target__file__embedded_ips - - join: events__target__file__embedded_urls { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.target}.file.embedded_urls) as events__target__file__embedded_urls ;; - view_label: "UDM" - } # join events__target__file__embedded_urls - - join: events__target__file__names { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.target}.file.names) as 
events__target__file__names ;; - view_label: "UDM" - } # join events__target__file__names - - join: events__target__file__pe_file__imports { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.target}.file.pe_file.imports) as events__target__file__pe_file__imports ;; - view_label: "UDM" - } # join events__target__file__pe_file__imports - - join: events__target__file__pe_file__imports__functions { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events__target__file__pe_file__imports.functions}) as events__target__file__pe_file__imports__functions ;; - view_label: "UDM" - } # join events__target__file__pe_file__imports__functions - - join: events__target__file__pe_file__resource { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.target}.file.pe_file.resource) as events__target__file__pe_file__resource ;; - view_label: "UDM" - } # join events__target__file__pe_file__resource - - join: events__target__file__pe_file__resources_language_count_str { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.target}.file.pe_file.resources_language_count_str) as events__target__file__pe_file__resources_language_count_str ;; - view_label: "UDM" - } # join events__target__file__pe_file__resources_language_count_str - - join: events__target__file__pe_file__resources_type_count_str { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.target}.file.pe_file.resources_type_count_str) as events__target__file__pe_file__resources_type_count_str ;; - view_label: "UDM" - } # join events__target__file__pe_file__resources_type_count_str - - join: events__target__file__pe_file__section { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.target}.file.pe_file.section) as events__target__file__pe_file__section ;; - view_label: "UDM" - } # join events__target__file__pe_file__section - - join: events__target__file__signature_info__sigcheck__signers { - relationship: one_to_many - sql: LEFT JOIN 
UNNEST(${events.target}.file.signature_info.sigcheck.signers) as events__target__file__signature_info__sigcheck__signers ;; - view_label: "UDM" - } # join events__target__file__signature_info__sigcheck__signers - - join: events__target__file__signature_info__sigcheck__x509 { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.target}.file.signature_info.sigcheck.x509) as events__target__file__signature_info__sigcheck__x509 ;; - view_label: "UDM" - } # join events__target__file__signature_info__sigcheck__x509 - - join: events__target__file__tags { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.target}.file.tags) as events__target__file__tags ;; - view_label: "UDM" - } # join events__target__file__tags - - join: events__target__group__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.target}.group.attribute.labels) as events__target__group__attribute__labels ;; - view_label: "UDM" - } # join events__target__group__attribute__labels - - join: events__target__group__attribute__permissions { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.target}.group.attribute.permissions) as events__target__group__attribute__permissions ;; - view_label: "UDM" - } # join events__target__group__attribute__permissions - - join: events__target__group__attribute__roles { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.target}.group.attribute.roles) as events__target__group__attribute__roles ;; - view_label: "UDM" - } # join events__target__group__attribute__roles - - join: events__target__group__email_addresses { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.target}.group.email_addresses) as events__target__group__email_addresses ;; - view_label: "UDM" - } # join events__target__group__email_addresses - - join: events__target__investigation__comments { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.target}.investigation.comments) as events__target__investigation__comments ;; - 
view_label: "UDM" - } # join events__target__investigation__comments - - join: events__target__ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.target}.ip) as events__target__ip ;; - view_label: "UDM" - } # join events__target__ip - - join: events__target__ip_geo_artifact { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.target}.ip_geo_artifact) as events__target__ip_geo_artifact ;; - view_label: "UDM" - } # join events__target__ip_geo_artifact - - join: events__target__ip_location { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.target}.ip_location) as events__target__ip_location ;; - view_label: "UDM" - } # join events__target__ip_location - - join: events__target__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.target}.labels) as events__target__labels ;; - view_label: "UDM" - } # join events__target__labels - - join: events__target__mac { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.target}.mac) as events__target__mac ;; - view_label: "UDM" - } # join events__target__mac - - join: events__target__nat_ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.target}.nat_ip) as events__target__nat_ip ;; - view_label: "UDM" - } # join events__target__nat_ip - - join: events__target__process__command_line_history { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.target}.process.command_line_history) as events__target__process__command_line_history ;; - view_label: "UDM" - } # join events__target__process__command_line_history - - join: events__target__process__file__capabilities_tags { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.target}.process.file.capabilities_tags) as events__target__process__file__capabilities_tags ;; - view_label: "UDM" - } # join events__target__process__file__capabilities_tags - - join: events__target__process__file__names { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.target}.process.file.names) as 
events__target__process__file__names ;; - view_label: "UDM" - } # join events__target__process__file__names - - join: events__target__process__file__pe_file__signature_info__signer { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.target}.process.file.pe_file.signature_info.signer) as events__target__process__file__pe_file__signature_info__signer ;; - view_label: "UDM" - } # join events__target__process__file__pe_file__signature_info__signer - - join: events__target__process__parent_process__file__capabilities_tags { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.target}.process.parent_process.file.capabilities_tags) as events__target__process__parent_process__file__capabilities_tags ;; - view_label: "UDM" - } # join events__target__process__parent_process__file__capabilities_tags - - join: events__target__process__parent_process__file__names { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.target}.process.parent_process.file.names) as events__target__process__parent_process__file__names ;; - view_label: "UDM" - } # join events__target__process__parent_process__file__names - - join: events__target__process_ancestors { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.target}.process_ancestors) as events__target__process_ancestors ;; - view_label: "UDM" - } # join events__target__process_ancestors - - join: events__target__resource__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.target}.resource.attribute.labels) as events__target__resource__attribute__labels ;; - view_label: "UDM" - } # join events__target__resource__attribute__labels - - join: events__target__resource__attribute__permissions { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.target}.resource.attribute.permissions) as events__target__resource__attribute__permissions ;; - view_label: "UDM" - } # join events__target__resource__attribute__permissions - - join: events__target__resource__attribute__roles { - 
relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.target}.resource.attribute.roles) as events__target__resource__attribute__roles ;; - view_label: "UDM" - } # join events__target__resource__attribute__roles - - join: events__target__resource_ancestors { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.target}.resource_ancestors) as events__target__resource_ancestors ;; - view_label: "UDM" - } # join events__target__resource_ancestors - - join: events__target__resource_ancestors__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__target__resource_ancestors.attribute}.labels) as events__target__resource_ancestors__attribute__labels ;; - view_label: "UDM" - } # join events__target__resource_ancestors__attribute__labels - - join: events__target__resource_ancestors__attribute__permissions { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__target__resource_ancestors.attribute}.permissions) as events__target__resource_ancestors__attribute__permissions ;; - view_label: "UDM" - } # join events__target__resource_ancestors__attribute__permissions - - join: events__target__user__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.target}.user.attribute.labels) as events__target__user__attribute__labels ;; - view_label: "UDM" - } # join events__target__user__attribute__labels - - join: events__target__user__attribute__permissions { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.target}.user.attribute.permissions) as events__target__user__attribute__permissions ;; - view_label: "UDM" - } # join events__target__user__attribute__permissions - - join: events__target__user__attribute__roles { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.target}.user.attribute.roles) as events__target__user__attribute__roles ;; - view_label: "UDM" - } # join events__target__user__attribute__roles - - join: events__target__user__department { - relationship: one_to_one - sql: LEFT 
JOIN UNNEST(${events.target}.user.department) as events__target__user__department ;; - view_label: "UDM" - } # join events__target__user__department - - join: events__target__user__email_addresses { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.target}.user.email_addresses) as events__target__user__email_addresses ;; - view_label: "UDM" - } # join events__target__user__email_addresses - - join: events__target__user__group_identifiers { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.target}.user.group_identifiers) as events__target__user__group_identifiers ;; - view_label: "UDM" - } # join events__target__user__group_identifiers - - join: events__target__user__managers { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.target}.user.managers) as events__target__user__managers ;; - view_label: "UDM" - } # join events__target__user__managers - - join: events__target__user__managers__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__target__user__managers.attribute}.labels) as events__target__user__managers__attribute__labels ;; - view_label: "UDM" - } # join events__target__user__managers__attribute__labels - - join: events__target__user__managers__attribute__roles { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events__target__user__managers.attribute}.roles) as events__target__user__managers__attribute__roles ;; - view_label: "UDM" - } # join events__target__user__managers__attribute__roles - - join: events__target__user__managers__department { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events__target__user__managers.department}) as events__target__user__managers__department ;; - view_label: "UDM" - } # join events__target__user__managers__department - - join: events__target__user__managers__email_addresses { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events__target__user__managers.email_addresses}) as events__target__user__managers__email_addresses ;; - view_label: 
"UDM" - } # join events__target__user__managers__email_addresses - - join: events__target__user__managers__group_identifiers { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events__target__user__managers.group_identifiers}) as events__target__user__managers__group_identifiers ;; - view_label: "UDM" - } # join events__target__user__managers__group_identifiers - - join: events__target__user__managers__phone_numbers { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events__target__user__managers.phone_numbers}) as events__target__user__managers__phone_numbers ;; - view_label: "UDM" - } # join events__target__user__managers__phone_numbers - - join: events__target__user__phone_numbers { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${events.target}.user.phone_numbers) as events__target__user__phone_numbers ;; - view_label: "UDM" - } # join events__target__user__phone_numbers - - join: events__target__user__time_off { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.target}.user.time_off) as events__target__user__time_off ;; - view_label: "UDM" - } # join events__target__user__time_off - - join: events__target__user_management_chain { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${events.target}.user_management_chain) as events__target__user_management_chain ;; - view_label: "UDM" - } # join events__target__user_management_chain - -} # explore events - diff --git a/proto2lkml/udm_events.lkml b/proto2lkml/udm_events.lkml deleted file mode 100644 index 50cdbbb..0000000 --- a/proto2lkml/udm_events.lkml +++ /dev/null 
@@ -1,19325 +0,0 @@ -# Copyright Google Inc 2023 and onwards. -# This file was generated by proto2lkml. Do not modify it. -# Source: googlex/security/malachite/proto/external/udm.proto -### BEGIN googlex/security/malachite/dashboards/lookml/udm/udm_events_preamble.lkml -include: "/chronicle_features.lkml" - -### END googlex/security/malachite/dashboards/lookml/udm/udm_events_preamble.lkml -view: udm_events { - ### BEGIN googlex/security/malachite/dashboards/lookml/udm/udm_view_preamble.lkml - sql_table_name: `@{EVENTS}`;; - - dimension: primary_key { - primary_key: yes - hidden: yes - sql: CONCAT(IFNULL(to_hex(${TABLE}.metadata.id), ""), - IFNULL(${TABLE}.metadata.product_log_id, ""), - IFNULL(${TABLE}.metadata.event_timestamp.seconds,0), - IFNULL(${TABLE}.metadata.event_timestamp.nanos,0), - IFNULL(${TABLE}.metadata.event_type,0), - IFNULL(${TABLE}.metadata.vendor_name,""), - IFNULL(${TABLE}.metadata.product_name,""));; - } - - measure: count { - description: "Count of UDM events; COUNT(DISTINCT ...) is used." - type: count - view_label: "UDM" - } - - measure: count_all { - description: "Count of all UDM events; COUNT(DISTINCT ...) is not used." - type: number - sql: count(*) ;; - label: "Count (all)" - view_label: "UDM" - } - - filter: time_filter { - label: "metadata.event_timestamp" - type: date_time - view_label: "UDM" - description: "Filter on the metadata.event_timestamp" - } - - #------------------------------------------------------------------------------- - # The following dimensions are here for backwards compatibility. - # Do not remove because it might break some old dashbaords that depend on it. - dimension_group: event_timestamp { - hidden: yes - type: time - timeframes: [ - raw, - time, - date, - week, - month, - hour, - minute, - year - ] - datatype: epoch - sql: ${TABLE}.metadata.event_timestamp.seconds ;; - } - - dimension: period { - hidden: yes - type: string - description: "The reporting period as selected by the Period Filter. 
Values - 'This Period' and 'Previous Period'. - Apply Filter 'This Period' to get values from current period." - sql: - CASE - WHEN {% date_start period_filter %} is not null AND {% date_end period_filter %} is not null /* date ranges or in the past x days */ - THEN - CASE - WHEN ${event_timestamp_raw} >= UNIX_SECONDS({% date_start period_filter %}) - AND ${event_timestamp_raw} <= UNIX_SECONDS({% date_end period_filter %}) - THEN 'This Period' - WHEN ${event_timestamp_raw} >= UNIX_SECONDS(TIMESTAMP_ADD({% date_start period_filter %}, INTERVAL 1 * (TIMESTAMP_DIFF({% date_start period_filter %},{% date_end period_filter %}, DAY)) DAY)) - AND ${event_timestamp_raw} <= UNIX_SECONDS(TIMESTAMP_ADD({% date_start period_filter %}, INTERVAL -1 DAY)) - THEN 'Previous Period' - END - END ;; - } - - dimension: domain { - hidden: yes - type: string - sql: REGEXP_EXTRACT(COALESCE(${TABLE}.network.dns.questions[SAFE_OFFSET(0)].name, ${TABLE}.target.hostname), r"^(?:[a-zA-Z0-9-]+\.)*([a-zA-Z0-9-]+\.[a-zA-Z0-9-]*[a-zA-Z-][a-zA-Z0-9-]*)$");; - } - - dimension: asset { - hidden: yes - type: string - label: "Asset" - sql: COALESCE(${TABLE}.principal.hostname, ${TABLE}.principal.ip[SAFE_OFFSET(0)]) ;; - } - - dimension: full_domain { - hidden: yes - type: string - sql: COALESCE(${TABLE}.network.dns.questions[SAFE_OFFSET(0)].name, ${TABLE}.target.hostname);; - } - - # This does not even exist in BQ, maybe it used to exist. 
- dimension_group: _partitiondate { - hidden: yes - type: time - timeframes: [ - raw, - date, - week, - month, - quarter, - year - ] - convert_tz: no - datatype: date - sql: ${TABLE}.hour_time_bucket ;; - } - - dimension_group: _partitiontime { - hidden: yes - type: time - timeframes: [ - raw, - date, - week, - month, - quarter, - year - ] - convert_tz: no - datatype: date - sql: ${TABLE}.hour_time_bucket ;; - } - - dimension_group: hour_time_bucket { - hidden: yes - type: time - timeframes: [ - raw, - time, - date, - week, - month, - quarter, - year - ] - sql: ${TABLE}.hour_time_bucket ;; - } - - dimension: prevalence { - hidden: yes - type: number - sql: COALESCE(${TABLE}.principal.hostname}, ${TABLE}.principal.ip}) ;; - } - - #------------------------------------------------------------------------------- - - ### END googlex/security/malachite/dashboards/lookml/udm/udm_view_preamble.lkml - filter: ip_grouped_field_filter { - label: "ip" - group_label: "Grouped Fields" - view_label: "UDM" - description: "IP address fields. Grouped Fields filter based on multiple UDM fields." 
- sql: {%condition%} ${udm_events__principal__ip.udm_events__principal__ip} {%endcondition%} or -{%condition%}${udm_events__src__ip.udm_events__src__ip} {%endcondition%} or -{%condition%}${udm_events__target__ip.udm_events__target__ip} {%endcondition%} or -{%condition%}${udm_events__observer__ip.udm_events__observer__ip} {%endcondition%} or -{%condition%}${udm_events__intermediary__ip.udm_events__intermediary__ip} {%endcondition%} or -{%condition%}${udm_events.principal__artifact__ip} {%endcondition%} or -{%condition%}${udm_events.src__artifact__ip} {%endcondition%} or -{%condition%}${udm_events.target__artifact__ip} {%endcondition%} or -{%condition%}${udm_events__principal__asset__ip.udm_events__principal__asset__ip} {%endcondition%} or -{%condition%}${udm_events__src__asset__ip.udm_events__src__asset__ip} {%endcondition%} or -{%condition%}${udm_events__target__asset__ip.udm_events__target__asset__ip} {%endcondition%} -;; - } # ip - - filter: domain_grouped_field_filter { - label: "domain" - group_label: "Grouped Fields" - view_label: "UDM" - description: "Domain fields. Grouped Fields filter based on multiple UDM fields." - sql: {%condition%} ${udm_events.network__dns_domain} {%endcondition%} or -{%condition%}${udm_events__network__dns__questions.name} {%endcondition%} or -{%condition%}${udm_events.principal__administrative_domain} {%endcondition%} or -{%condition%}${udm_events.target__administrative_domain} {%endcondition%} or -{%condition%}${udm_events__about.administrative_domain} {%endcondition%} or -{%condition%}${udm_events.target__hostname} {%endcondition%} or -{%condition%}${udm_events.target__asset__hostname} {%endcondition%} or -{%condition%}${udm_events.principal__asset__network_domain} {%endcondition%} or -{%condition%}${udm_events.target__asset__network_domain} {%endcondition%} -;; - } # domain - - filter: hostname_grouped_field_filter { - label: "hostname" - group_label: "Grouped Fields" - view_label: "UDM" - description: "Hostname fields. 
Grouped Fields filter based on multiple UDM fields." - sql: {%condition%} ${udm_events.principal__hostname} {%endcondition%} or -{%condition%}${udm_events.src__hostname} {%endcondition%} or -{%condition%}${udm_events.target__hostname} {%endcondition%} or -{%condition%}${udm_events__intermediary.hostname} {%endcondition%} or -{%condition%}${udm_events.observer__hostname} {%endcondition%} or -{%condition%}${udm_events.principal__asset__hostname} {%endcondition%} or -{%condition%}${udm_events.src__asset__hostname} {%endcondition%} or -{%condition%}${udm_events.target__asset__hostname} {%endcondition%} -;; - } # hostname - - filter: user_grouped_field_filter { - label: "user" - group_label: "Grouped Fields" - view_label: "UDM" - description: "User ID fields. Grouped Fields filter based on multiple UDM fields." - sql: {%condition%} ${udm_events.principal__user__userid} {%endcondition%} or -{%condition%}${udm_events.src__user__userid} {%endcondition%} or -{%condition%}${udm_events.target__user__userid} {%endcondition%} or -{%condition%}${udm_events.observer__user__userid} {%endcondition%} or -{%condition%}${udm_events__about.user__userid} {%endcondition%} or -{%condition%}${udm_events.principal__user__windows_sid} {%endcondition%} or -{%condition%}${udm_events.target__user__windows_sid} {%endcondition%} or -{%condition%}${udm_events.principal__user__user_display_name} {%endcondition%} or -{%condition%}${udm_events.target__user__user_display_name} {%endcondition%} -;; - } # user - - filter: email_grouped_field_filter { - label: "email" - group_label: "Grouped Fields" - view_label: "UDM" - description: "Email address fields. Grouped Fields filter based on multiple UDM fields." 
- sql: {%condition%} ${udm_events__principal__user__email_addresses.udm_events__principal__user__email_addresses} {%endcondition%} or -{%condition%}${udm_events__target__user__email_addresses.udm_events__target__user__email_addresses} {%endcondition%} or -{%condition%}${udm_events__intermediary__user__email_addresses.udm_events__intermediary__user__email_addresses} {%endcondition%} or -{%condition%}${udm_events__security_result__about__user__email_addresses.udm_events__security_result__about__user__email_addresses} {%endcondition%} or -{%condition%}${udm_events.network__email__from} {%endcondition%} or -{%condition%}${udm_events__network__email__to.udm_events__network__email__to} {%endcondition%} -;; - } # email - - filter: file_path_grouped_field_filter { - label: "file_path" - group_label: "Grouped Fields" - view_label: "UDM" - description: "File path fields. Grouped Fields filter based on multiple UDM fields." - sql: {%condition%} ${udm_events.principal__file__full_path} {%endcondition%} or -{%condition%}${udm_events.target__file__full_path} {%endcondition%} or -{%condition%}${udm_events.principal__process__file__full_path} {%endcondition%} or -{%condition%}${udm_events.target__process__file__full_path} {%endcondition%} -;; - } # file_path - - filter: hash_grouped_field_filter { - label: "hash" - group_label: "Grouped Fields" - view_label: "UDM" - description: "File hash fields. Grouped Fields filter based on multiple UDM fields." 
- sql: {%condition%} ${udm_events.principal__process__file__md5} {%endcondition%} or -{%condition%}${udm_events.target__process__file__md5} {%endcondition%} or -{%condition%}${udm_events.principal__process__file__sha1} {%endcondition%} or -{%condition%}${udm_events.target__process__file__sha1} {%endcondition%} or -{%condition%}${udm_events.principal__process__file__sha256} {%endcondition%} or -{%condition%}${udm_events.target__process__file__sha256} {%endcondition%} or -{%condition%}${udm_events.target__file__md5} {%endcondition%} or -{%condition%}${udm_events.target__file__sha1} {%endcondition%} or -{%condition%}${udm_events.target__file__sha256} {%endcondition%} or -{%condition%}${udm_events__about.file__md5} {%endcondition%} or -{%condition%}${udm_events__about.file__sha256} {%endcondition%} or -{%condition%}${udm_events__about.file__sha1} {%endcondition%} or -{%condition%}${udm_events__security_result.about__file__sha256} {%endcondition%} -;; - } # hash - - filter: process_id_grouped_field_filter { - label: "process_id" - group_label: "Grouped Fields" - view_label: "UDM" - description: "Process ID fields. Grouped Fields filter based on multiple UDM fields." - sql: {%condition%} ${udm_events.principal__process__pid} {%endcondition%} or -{%condition%}${udm_events.target__process__pid} {%endcondition%} or -{%condition%}${udm_events.principal__process__product_specific_process_id} {%endcondition%} or -{%condition%}${udm_events.target__process__product_specific_process_id} {%endcondition%} -;; - } # process_id - - filter: namespace_grouped_field_filter { - label: "namespace" - group_label: "Grouped Fields" - view_label: "UDM" - description: "Namespace fields. Grouped Fields filter based on multiple UDM fields." 
- sql: {%condition%} ${udm_events.principal__namespace} {%endcondition%} or -{%condition%}${udm_events.src__namespace} {%endcondition%} or -{%condition%}${udm_events.target__namespace} {%endcondition%} -;; - } # namespace - - dimension: about { - hidden: yes - } # dimension about - - dimension: additional { - hidden: yes - } # dimension additional - - dimension: additional__fields { - hidden: yes - } # dimension additional__fields - - dimension: extensions { - hidden: yes - } # dimension extensions - - dimension: extensions__auth { - hidden: yes - } # dimension extensions__auth - - dimension: extensions__auth__auth_details { - type: string - sql: ${TABLE}.extensions.auth.auth_details ;; - group_label: "extensions" - label: "extensions.auth.auth_details" - view_label: "UDM" - description: "The vendor defined details of the authentication." - } # dimension extensions__auth__auth_details - - dimension: extensions__auth__mechanism { - hidden: yes - } # dimension extensions__auth__mechanism - - dimension: extensions__auth__mechanism_enum_name { - hidden: yes - } # dimension extensions__auth__mechanism_enum_name - - dimension: extensions__auth__type { - type: number - sql: ${TABLE}.extensions.auth.type ;; - group_label: "extensions" - label: "extensions.auth.type" - view_label: "UDM" - description: "The type of authentication." - } # dimension extensions__auth__type - - dimension: extensions__auth__type_enum_name { - type: string - suggestions: ["AUTHTYPE_UNSPECIFIED", "MACHINE", "PHYSICAL", "SSO", "TACACS", "VPN"] - sql: CASE ${TABLE}.extensions.auth.type WHEN 0 THEN 'AUTHTYPE_UNSPECIFIED' WHEN 1 THEN 'MACHINE' WHEN 2 THEN 'SSO' WHEN 3 THEN 'VPN' WHEN 4 THEN 'PHYSICAL' WHEN 5 THEN 'TACACS' END ;; - group_label: "extensions" - label: "extensions.auth.type_enum_name" - view_label: "UDM" - description: "The type of authentication." 
- } # dimension extensions__auth__type_enum_name - - dimension: extensions__vulns { - hidden: yes - } # dimension extensions__vulns - - dimension: extensions__vulns__vulnerabilities { - hidden: yes - } # dimension extensions__vulns__vulnerabilities - - dimension: intermediary { - hidden: yes - } # dimension intermediary - - dimension: metadata { - hidden: yes - } # dimension metadata - - dimension: metadata__base_labels { - hidden: yes - } # dimension metadata__base_labels - - dimension: metadata__base_labels__log_types { - hidden: yes - } # dimension metadata__base_labels__log_types - - dimension: metadata__base_labels__namespaces { - hidden: yes - } # dimension metadata__base_labels__namespaces - - dimension_group: metadata__collected_timestamp { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.metadata.collected_timestamp.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.metadata.collected_timestamp.nanos, 0) / 1000) as INT64)) ;; - group_label: "metadata" - label: "metadata.collected_timestamp" - view_label: "UDM" - description: "The GMT timestamp when the event was collected by the vendor's local collection infrastructure." - } # dimension metadata__collected_timestamp - - dimension: metadata__description { - type: string - sql: ${TABLE}.metadata.description ;; - group_label: "metadata" - label: "metadata.description" - view_label: "UDM" - description: "A human-readable unparsable description of the event." - } # dimension metadata__description - - dimension: metadata__enrichment_state { - type: number - sql: ${TABLE}.metadata.enrichment_state ;; - group_label: "metadata" - label: "metadata.enrichment_state" - view_label: "UDM" - description: "The enrichment state." 
- } # dimension metadata__enrichment_state - - dimension: metadata__enrichment_state_enum_name { - type: string - suggestions: ["ENRICHED", "ENRICHMENT_STATE_UNSPECIFIED", "UNENRICHED"] - sql: CASE ${TABLE}.metadata.enrichment_state WHEN 0 THEN 'ENRICHMENT_STATE_UNSPECIFIED' WHEN 1 THEN 'ENRICHED' WHEN 2 THEN 'UNENRICHED' END ;; - group_label: "metadata" - label: "metadata.enrichment_state_enum_name" - view_label: "UDM" - description: "The enrichment state." - } # dimension metadata__enrichment_state_enum_name - - dimension_group: metadata__event_timestamp { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.metadata.event_timestamp.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.metadata.event_timestamp.nanos, 0) / 1000) as INT64)) ;; - group_label: "metadata" - label: "metadata.event_timestamp" - view_label: "UDM" - description: "The GMT timestamp when the event was generated." - } # dimension metadata__event_timestamp - - dimension: metadata__event_type { - type: number - sql: ${TABLE}.metadata.event_type ;; - group_label: "metadata" - label: "metadata.event_type" - view_label: "UDM" - description: "The event type. If an event has multiple possible types, this specifies the most specific type." 
- } # dimension metadata__event_type - - dimension: metadata__event_type_enum_name { - type: string - suggestions: ["ANALYST_ADD_COMMENT", "ANALYST_UPDATE_PRIORITY", "ANALYST_UPDATE_REASON", "ANALYST_UPDATE_REPUTATION", "ANALYST_UPDATE_RISK_SCORE", "ANALYST_UPDATE_ROOT_CAUSE", "ANALYST_UPDATE_SEVERITY_SCORE", "ANALYST_UPDATE_STATUS", "ANALYST_UPDATE_VERDICT", "DEVICE_CONFIG_UPDATE", "DEVICE_FIRMWARE_UPDATE", "DEVICE_PROGRAM_DOWNLOAD", "DEVICE_PROGRAM_UPLOAD", "EMAIL_TRANSACTION", "EMAIL_UNCATEGORIZED", "EMAIL_URL_CLICK", "EVENTTYPE_UNSPECIFIED", "FILE_COPY", "FILE_CREATION", "FILE_DELETION", "FILE_MODIFICATION", "FILE_MOVE", "FILE_OPEN", "FILE_READ", "FILE_SYNC", "FILE_UNCATEGORIZED", "GENERIC_EVENT", "GROUP_CREATION", "GROUP_DELETION", "GROUP_MODIFICATION", "GROUP_UNCATEGORIZED", "MUTEX_CREATION", "MUTEX_UNCATEGORIZED", "NETWORK_CONNECTION", "NETWORK_DHCP", "NETWORK_DNS", "NETWORK_FLOW", "NETWORK_FTP", "NETWORK_HTTP", "NETWORK_SMTP", "NETWORK_UNCATEGORIZED", "PROCESS_INJECTION", "PROCESS_LAUNCH", "PROCESS_MODULE_LOAD", "PROCESS_OPEN", "PROCESS_PRIVILEGE_ESCALATION", "PROCESS_TERMINATION", "PROCESS_UNCATEGORIZED", "REGISTRY_CREATION", "REGISTRY_DELETION", "REGISTRY_MODIFICATION", "REGISTRY_UNCATEGORIZED", "RESOURCE_CREATION", "RESOURCE_DELETION", "RESOURCE_PERMISSIONS_CHANGE", "RESOURCE_READ", "RESOURCE_WRITTEN", "SCAN_FILE", "SCAN_HOST", "SCAN_NETWORK", "SCAN_PROCESS", "SCAN_PROCESS_BEHAVIORS", "SCAN_UNCATEGORIZED", "SCAN_VULN_HOST", "SCAN_VULN_NETWORK", "SCHEDULED_TASK_CREATION", "SCHEDULED_TASK_DELETION", "SCHEDULED_TASK_DISABLE", "SCHEDULED_TASK_ENABLE", "SCHEDULED_TASK_MODIFICATION", "SCHEDULED_TASK_UNCATEGORIZED", "SERVICE_CREATION", "SERVICE_DELETION", "SERVICE_MODIFICATION", "SERVICE_START", "SERVICE_STOP", "SERVICE_UNSPECIFIED", "SETTING_CREATION", "SETTING_DELETION", "SETTING_MODIFICATION", "SETTING_UNCATEGORIZED", "STATUS_HEARTBEAT", "STATUS_SHUTDOWN", "STATUS_STARTUP", "STATUS_UNCATEGORIZED", "STATUS_UPDATE", "SYSTEM_AUDIT_LOG_UNCATEGORIZED", 
"SYSTEM_AUDIT_LOG_WIPE", "USER_BADGE_IN", "USER_CHANGE_PASSWORD", "USER_CHANGE_PERMISSIONS", "USER_COMMUNICATION", "USER_CREATION", "USER_DELETION", "USER_LOGIN", "USER_LOGOUT", "USER_RESOURCE_ACCESS", "USER_RESOURCE_CREATION", "USER_RESOURCE_DELETION", "USER_RESOURCE_UPDATE_CONTENT", "USER_RESOURCE_UPDATE_PERMISSIONS", "USER_STATS", "USER_UNCATEGORIZED"] - sql: CASE ${TABLE}.metadata.event_type WHEN 0 THEN 'EVENTTYPE_UNSPECIFIED' WHEN 10000 THEN 'PROCESS_UNCATEGORIZED' WHEN 10001 THEN 'PROCESS_LAUNCH' WHEN 10002 THEN 'PROCESS_INJECTION' WHEN 10003 THEN 'PROCESS_PRIVILEGE_ESCALATION' WHEN 10004 THEN 'PROCESS_TERMINATION' WHEN 10005 THEN 'PROCESS_OPEN' WHEN 10006 THEN 'PROCESS_MODULE_LOAD' WHEN 11000 THEN 'REGISTRY_UNCATEGORIZED' WHEN 11001 THEN 'REGISTRY_CREATION' WHEN 11002 THEN 'REGISTRY_MODIFICATION' WHEN 11003 THEN 'REGISTRY_DELETION' WHEN 12000 THEN 'SETTING_UNCATEGORIZED' WHEN 12001 THEN 'SETTING_CREATION' WHEN 12002 THEN 'SETTING_MODIFICATION' WHEN 12003 THEN 'SETTING_DELETION' WHEN 13000 THEN 'MUTEX_UNCATEGORIZED' WHEN 13001 THEN 'MUTEX_CREATION' WHEN 14000 THEN 'FILE_UNCATEGORIZED' WHEN 14001 THEN 'FILE_CREATION' WHEN 14002 THEN 'FILE_DELETION' WHEN 14003 THEN 'FILE_MODIFICATION' WHEN 14004 THEN 'FILE_READ' WHEN 14005 THEN 'FILE_COPY' WHEN 14006 THEN 'FILE_OPEN' WHEN 14007 THEN 'FILE_MOVE' WHEN 14008 THEN 'FILE_SYNC' WHEN 15000 THEN 'USER_UNCATEGORIZED' WHEN 15001 THEN 'USER_LOGIN' WHEN 15002 THEN 'USER_LOGOUT' WHEN 15003 THEN 'USER_CREATION' WHEN 15004 THEN 'USER_CHANGE_PASSWORD' WHEN 15005 THEN 'USER_CHANGE_PERMISSIONS' WHEN 15006 THEN 'USER_STATS' WHEN 15007 THEN 'USER_BADGE_IN' WHEN 15008 THEN 'USER_DELETION' WHEN 15009 THEN 'USER_RESOURCE_CREATION' WHEN 15010 THEN 'USER_RESOURCE_UPDATE_CONTENT' WHEN 15011 THEN 'USER_RESOURCE_UPDATE_PERMISSIONS' WHEN 15012 THEN 'USER_COMMUNICATION' WHEN 15013 THEN 'USER_RESOURCE_ACCESS' WHEN 15014 THEN 'USER_RESOURCE_DELETION' WHEN 23000 THEN 'GROUP_UNCATEGORIZED' WHEN 23001 THEN 'GROUP_CREATION' WHEN 23002 THEN 
'GROUP_DELETION' WHEN 23003 THEN 'GROUP_MODIFICATION' WHEN 19000 THEN 'EMAIL_UNCATEGORIZED' WHEN 19001 THEN 'EMAIL_TRANSACTION' WHEN 19002 THEN 'EMAIL_URL_CLICK' WHEN 16000 THEN 'NETWORK_UNCATEGORIZED' WHEN 16001 THEN 'NETWORK_FLOW' WHEN 16002 THEN 'NETWORK_CONNECTION' WHEN 16003 THEN 'NETWORK_FTP' WHEN 16004 THEN 'NETWORK_DHCP' WHEN 16005 THEN 'NETWORK_DNS' WHEN 16006 THEN 'NETWORK_HTTP' WHEN 16007 THEN 'NETWORK_SMTP' WHEN 17000 THEN 'STATUS_UNCATEGORIZED' WHEN 17001 THEN 'STATUS_HEARTBEAT' WHEN 17002 THEN 'STATUS_STARTUP' WHEN 17003 THEN 'STATUS_SHUTDOWN' WHEN 17004 THEN 'STATUS_UPDATE' WHEN 18000 THEN 'SCAN_UNCATEGORIZED' WHEN 18001 THEN 'SCAN_FILE' WHEN 18002 THEN 'SCAN_PROCESS_BEHAVIORS' WHEN 18003 THEN 'SCAN_PROCESS' WHEN 18004 THEN 'SCAN_HOST' WHEN 18005 THEN 'SCAN_VULN_HOST' WHEN 18006 THEN 'SCAN_VULN_NETWORK' WHEN 18007 THEN 'SCAN_NETWORK' WHEN 20000 THEN 'SCHEDULED_TASK_UNCATEGORIZED' WHEN 20001 THEN 'SCHEDULED_TASK_CREATION' WHEN 20002 THEN 'SCHEDULED_TASK_DELETION' WHEN 20003 THEN 'SCHEDULED_TASK_ENABLE' WHEN 20004 THEN 'SCHEDULED_TASK_DISABLE' WHEN 20005 THEN 'SCHEDULED_TASK_MODIFICATION' WHEN 21000 THEN 'SYSTEM_AUDIT_LOG_UNCATEGORIZED' WHEN 21001 THEN 'SYSTEM_AUDIT_LOG_WIPE' WHEN 22000 THEN 'SERVICE_UNSPECIFIED' WHEN 22001 THEN 'SERVICE_CREATION' WHEN 22002 THEN 'SERVICE_DELETION' WHEN 22003 THEN 'SERVICE_START' WHEN 22004 THEN 'SERVICE_STOP' WHEN 22005 THEN 'SERVICE_MODIFICATION' WHEN 100000 THEN 'GENERIC_EVENT' WHEN 1 THEN 'RESOURCE_CREATION' WHEN 2 THEN 'RESOURCE_DELETION' WHEN 3 THEN 'RESOURCE_PERMISSIONS_CHANGE' WHEN 4 THEN 'RESOURCE_READ' WHEN 5 THEN 'RESOURCE_WRITTEN' WHEN 25000 THEN 'DEVICE_FIRMWARE_UPDATE' WHEN 25001 THEN 'DEVICE_CONFIG_UPDATE' WHEN 25002 THEN 'DEVICE_PROGRAM_UPLOAD' WHEN 25003 THEN 'DEVICE_PROGRAM_DOWNLOAD' WHEN 24000 THEN 'ANALYST_UPDATE_VERDICT' WHEN 24001 THEN 'ANALYST_UPDATE_REPUTATION' WHEN 24002 THEN 'ANALYST_UPDATE_SEVERITY_SCORE' WHEN 24007 THEN 'ANALYST_UPDATE_STATUS' WHEN 24008 THEN 'ANALYST_ADD_COMMENT' WHEN 24009 
THEN 'ANALYST_UPDATE_PRIORITY' WHEN 24010 THEN 'ANALYST_UPDATE_ROOT_CAUSE' WHEN 24011 THEN 'ANALYST_UPDATE_REASON' WHEN 24012 THEN 'ANALYST_UPDATE_RISK_SCORE' END ;; - group_label: "metadata" - label: "metadata.event_type_enum_name" - view_label: "UDM" - description: "The event type. If an event has multiple possible types, this specifies the most specific type." - } # dimension metadata__event_type_enum_name - - dimension: metadata__id { - type: string - sql: ${TABLE}.metadata.id ;; - group_label: "metadata" - label: "metadata.id" - view_label: "UDM" - description: "ID of the UDM event. Can be used for raw and normalized event retrieval." - } # dimension metadata__id - - dimension_group: metadata__ingested_timestamp { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.metadata.ingested_timestamp.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.metadata.ingested_timestamp.nanos, 0) / 1000) as INT64)) ;; - group_label: "metadata" - label: "metadata.ingested_timestamp" - view_label: "UDM" - description: "The GMT timestamp when the event was ingested (received) by Chronicle." - } # dimension metadata__ingested_timestamp - - dimension: metadata__ingestion_labels { - hidden: yes - } # dimension metadata__ingestion_labels - - dimension: metadata__log_type { - type: string - sql: ${TABLE}.metadata.log_type ;; - group_label: "metadata" - label: "metadata.log_type" - view_label: "UDM" - description: "The string value of log type." - } # dimension metadata__log_type - - dimension: metadata__product_deployment_id { - type: string - sql: ${TABLE}.metadata.product_deployment_id ;; - group_label: "metadata" - label: "metadata.product_deployment_id" - view_label: "UDM" - description: "The deployment identifier assigned by the vendor for a product deployment." 
- } # dimension metadata__product_deployment_id - - dimension: metadata__product_event_type { - type: string - sql: ${TABLE}.metadata.product_event_type ;; - group_label: "metadata" - label: "metadata.product_event_type" - view_label: "UDM" - description: "A short, descriptive, human-readable, product-specific event name or type (e.g. \"Scanned X\", \"User account created\", \"process_start\")." - } # dimension metadata__product_event_type - - dimension: metadata__product_log_id { - type: string - sql: ${TABLE}.metadata.product_log_id ;; - group_label: "metadata" - label: "metadata.product_log_id" - view_label: "UDM" - description: "A vendor-specific event identifier to uniquely identify the event (e.g. a GUID)." - } # dimension metadata__product_log_id - - dimension: metadata__product_name { - type: string - sql: ${TABLE}.metadata.product_name ;; - group_label: "metadata" - label: "metadata.product_name" - view_label: "UDM" - description: "The name of the product." - } # dimension metadata__product_name - - dimension: metadata__product_version { - type: string - sql: ${TABLE}.metadata.product_version ;; - group_label: "metadata" - label: "metadata.product_version" - view_label: "UDM" - description: "The version of the product." - } # dimension metadata__product_version - - dimension: metadata__tags { - hidden: yes - } # dimension metadata__tags - - dimension: metadata__tags__data_tap_config_name { - hidden: yes - } # dimension metadata__tags__data_tap_config_name - - dimension: metadata__tags__tenant_id { - hidden: yes - } # dimension metadata__tags__tenant_id - - dimension: metadata__url_back_to_product { - type: string - sql: ${TABLE}.metadata.url_back_to_product ;; - group_label: "metadata" - label: "metadata.url_back_to_product" - view_label: "UDM" - description: "A URL that takes the user to the source product console for this event." 
- } # dimension metadata__url_back_to_product - - dimension: metadata__vendor_name { - type: string - sql: ${TABLE}.metadata.vendor_name ;; - group_label: "metadata" - label: "metadata.vendor_name" - view_label: "UDM" - description: "The name of the product vendor." - } # dimension metadata__vendor_name - - dimension: network { - hidden: yes - } # dimension network - - dimension: network__application_protocol { - type: number - sql: ${TABLE}.network.application_protocol ;; - group_label: "network" - label: "network.application_protocol" - view_label: "UDM" - description: "The application protocol." - } # dimension network__application_protocol - - dimension: network__application_protocol_enum_name { - type: string - suggestions: ["AFP", "AMQP", "APPC", "ATOM", "BEEP", "BITCOIN", "BIT_TORRENT", "CFDP", "CIP", "COAP", "COTP", "DCERPC", "DDS", "DEVICE_NET", "DHCP", "DICOM", "DNP3", "DNS", "ENRP", "E_DONKEY", "FAST_TRACK", "FINGER", "FREENET", "FTAM", "GOOSE", "GOPHER", "H323", "HL7", "HTTP", "HTTPS", "IEC104", "IRCP", "KADEMLIA", "KRB5", "LDAP", "LPD", "MIME", "MMS", "MODBUS", "MQTT", "NETCONF", "NFS", "NIS", "NNTP", "NTCIP", "NTP", "OSCAR", "PNRP", "PTP", "QUIC", "RDP", "RELP", "RIP", "RLOGIN", "RPC", "RTMP", "RTP", "RTPS", "RTSP", "SAP", "SDP", "SIP", "SLP", "SMB", "SMTP", "SNMP", "SNTP", "SSH", "SSMS", "STYX", "SV", "TCAP", "TDS", "TOR", "TSP", "UNKNOWN_APPLICATION_PROTOCOL", "VTP", "WEB_DAV", "WHOIS", "X400", "X500", "XMPP"] - sql: CASE ${TABLE}.network.application_protocol WHEN 0 THEN 'UNKNOWN_APPLICATION_PROTOCOL' WHEN 1 THEN 'AFP' WHEN 2 THEN 'APPC' WHEN 3 THEN 'AMQP' WHEN 4 THEN 'ATOM' WHEN 5 THEN 'BEEP' WHEN 6 THEN 'BITCOIN' WHEN 7 THEN 'BIT_TORRENT' WHEN 8 THEN 'CFDP' WHEN 67 THEN 'CIP' WHEN 9 THEN 'COAP' WHEN 68 THEN 'COTP' WHEN 66 THEN 'DCERPC' WHEN 10 THEN 'DDS' WHEN 11 THEN 'DEVICE_NET' WHEN 4000 THEN 'DHCP' WHEN 69 THEN 'DICOM' WHEN 70 THEN 'DNP3' WHEN 3000 THEN 'DNS' WHEN 12 THEN 'E_DONKEY' WHEN 13 THEN 'ENRP' WHEN 14 THEN 'FAST_TRACK' WHEN 15 THEN 
'FINGER' WHEN 16 THEN 'FREENET' WHEN 17 THEN 'FTAM' WHEN 71 THEN 'GOOSE' WHEN 18 THEN 'GOPHER' WHEN 19 THEN 'HL7' WHEN 20 THEN 'H323' WHEN 2000 THEN 'HTTP' WHEN 2001 THEN 'HTTPS' WHEN 72 THEN 'IEC104' WHEN 21 THEN 'IRCP' WHEN 22 THEN 'KADEMLIA' WHEN 65 THEN 'KRB5' WHEN 23 THEN 'LDAP' WHEN 24 THEN 'LPD' WHEN 25 THEN 'MIME' WHEN 73 THEN 'MMS' WHEN 26 THEN 'MODBUS' WHEN 27 THEN 'MQTT' WHEN 28 THEN 'NETCONF' WHEN 29 THEN 'NFS' WHEN 30 THEN 'NIS' WHEN 31 THEN 'NNTP' WHEN 32 THEN 'NTCIP' WHEN 33 THEN 'NTP' WHEN 34 THEN 'OSCAR' WHEN 35 THEN 'PNRP' WHEN 74 THEN 'PTP' WHEN 1000 THEN 'QUIC' WHEN 36 THEN 'RDP' WHEN 37 THEN 'RELP' WHEN 38 THEN 'RIP' WHEN 39 THEN 'RLOGIN' WHEN 40 THEN 'RPC' WHEN 41 THEN 'RTMP' WHEN 42 THEN 'RTP' WHEN 43 THEN 'RTPS' WHEN 44 THEN 'RTSP' WHEN 45 THEN 'SAP' WHEN 46 THEN 'SDP' WHEN 47 THEN 'SIP' WHEN 48 THEN 'SLP' WHEN 49 THEN 'SMB' WHEN 50 THEN 'SMTP' WHEN 75 THEN 'SNMP' WHEN 51 THEN 'SNTP' WHEN 52 THEN 'SSH' WHEN 53 THEN 'SSMS' WHEN 54 THEN 'STYX' WHEN 76 THEN 'SV' WHEN 55 THEN 'TCAP' WHEN 56 THEN 'TDS' WHEN 57 THEN 'TOR' WHEN 58 THEN 'TSP' WHEN 59 THEN 'VTP' WHEN 60 THEN 'WHOIS' WHEN 61 THEN 'WEB_DAV' WHEN 62 THEN 'X400' WHEN 63 THEN 'X500' WHEN 64 THEN 'XMPP' END ;; - group_label: "network" - label: "network.application_protocol_enum_name" - view_label: "UDM" - description: "The application protocol." - } # dimension network__application_protocol_enum_name - - dimension: network__application_protocol_version { - type: string - sql: ${TABLE}.network.application_protocol_version ;; - group_label: "network" - label: "network.application_protocol_version" - view_label: "UDM" - description: "The version of the application protocol. e.g. \"1.1, 2.0\"" - } # dimension network__application_protocol_version - - dimension: network__asn { - type: string - sql: ${TABLE}.network.asn ;; - group_label: "network" - label: "network.asn" - view_label: "UDM" - description: "Autonomous system number." 
- } # dimension network__asn - - dimension: network__carrier_name { - type: string - sql: ${TABLE}.network.carrier_name ;; - group_label: "network" - label: "network.carrier_name" - view_label: "UDM" - description: "Carrier identification." - } # dimension network__carrier_name - - dimension: network__community_id { - type: string - sql: ${TABLE}.network.community_id ;; - group_label: "network" - label: "network.community_id" - view_label: "UDM" - description: "Community ID network flow hash." - } # dimension network__community_id - - dimension: network__dhcp { - hidden: yes - } # dimension network__dhcp - - dimension: network__dhcp__chaddr { - type: string - sql: ${TABLE}.network.dhcp.chaddr ;; - group_label: "network" - label: "network.dhcp.chaddr" - view_label: "UDM" - description: "Client hardware address (chaddr)." - } # dimension network__dhcp__chaddr - - dimension: network__dhcp__ciaddr { - type: string - sql: ${TABLE}.network.dhcp.ciaddr ;; - group_label: "network" - label: "network.dhcp.ciaddr" - view_label: "UDM" - description: "Client IP address (ciaddr)." - } # dimension network__dhcp__ciaddr - - dimension: network__dhcp__client_hostname { - type: string - sql: ${TABLE}.network.dhcp.client_hostname ;; - group_label: "network" - label: "network.dhcp.client_hostname" - view_label: "UDM" - description: "Client hostname. See RFC2132, section 3.14." - } # dimension network__dhcp__client_hostname - - dimension: network__dhcp__client_identifier { - type: string - sql: ${TABLE}.network.dhcp.client_identifier ;; - group_label: "network" - label: "network.dhcp.client_identifier" - view_label: "UDM" - description: "Client identifier. See RFC2132, section 9.14." - } # dimension network__dhcp__client_identifier - - dimension: network__dhcp__file { - type: string - sql: ${TABLE}.network.dhcp.file ;; - group_label: "network" - label: "network.dhcp.file" - view_label: "UDM" - description: "Boot image filename." 
- } # dimension network__dhcp__file - - dimension: network__dhcp__flags { - type: number - sql: ${TABLE}.network.dhcp.flags ;; - group_label: "network" - label: "network.dhcp.flags" - view_label: "UDM" - description: "Flags." - } # dimension network__dhcp__flags - - dimension: network__dhcp__giaddr { - type: string - sql: ${TABLE}.network.dhcp.giaddr ;; - group_label: "network" - label: "network.dhcp.giaddr" - view_label: "UDM" - description: "Relay agent IP address (giaddr)." - } # dimension network__dhcp__giaddr - - dimension: network__dhcp__hlen { - type: number - sql: ${TABLE}.network.dhcp.hlen ;; - group_label: "network" - label: "network.dhcp.hlen" - view_label: "UDM" - description: "Hardware address length." - } # dimension network__dhcp__hlen - - dimension: network__dhcp__hops { - type: number - sql: ${TABLE}.network.dhcp.hops ;; - group_label: "network" - label: "network.dhcp.hops" - view_label: "UDM" - description: "Hardware ops." - } # dimension network__dhcp__hops - - dimension: network__dhcp__htype { - type: number - sql: ${TABLE}.network.dhcp.htype ;; - group_label: "network" - label: "network.dhcp.htype" - view_label: "UDM" - description: "Hardware address type." - } # dimension network__dhcp__htype - - dimension: network__dhcp__lease_time_seconds { - type: number - sql: ${TABLE}.network.dhcp.lease_time_seconds ;; - group_label: "network" - label: "network.dhcp.lease_time_seconds" - view_label: "UDM" - description: "Lease time in seconds. See RFC2132, section 9.2." - } # dimension network__dhcp__lease_time_seconds - - dimension: network__dhcp__opcode { - type: number - sql: ${TABLE}.network.dhcp.opcode ;; - group_label: "network" - label: "network.dhcp.opcode" - view_label: "UDM" - description: "The BOOTP op code." 
- } # dimension network__dhcp__opcode - - dimension: network__dhcp__opcode_enum_name { - type: string - suggestions: ["BOOTREPLY", "BOOTREQUEST", "UNKNOWN_OPCODE"] - sql: CASE ${TABLE}.network.dhcp.opcode WHEN 0 THEN 'UNKNOWN_OPCODE' WHEN 1 THEN 'BOOTREQUEST' WHEN 2 THEN 'BOOTREPLY' END ;; - group_label: "network" - label: "network.dhcp.opcode_enum_name" - view_label: "UDM" - description: "The BOOTP op code." - } # dimension network__dhcp__opcode_enum_name - - dimension: network__dhcp__options { - hidden: yes - } # dimension network__dhcp__options - - dimension: network__dhcp__requested_address { - type: string - sql: ${TABLE}.network.dhcp.requested_address ;; - group_label: "network" - label: "network.dhcp.requested_address" - view_label: "UDM" - description: "Requested IP address. See RFC2132, section 9.1." - } # dimension network__dhcp__requested_address - - dimension: network__dhcp__seconds { - type: number - sql: ${TABLE}.network.dhcp.seconds ;; - group_label: "network" - label: "network.dhcp.seconds" - view_label: "UDM" - description: "Seconds elapsed since client began address acquisition/renewal process." - } # dimension network__dhcp__seconds - - dimension: network__dhcp__siaddr { - type: string - sql: ${TABLE}.network.dhcp.siaddr ;; - group_label: "network" - label: "network.dhcp.siaddr" - view_label: "UDM" - description: "IP address of the next bootstrap server." - } # dimension network__dhcp__siaddr - - dimension: network__dhcp__sname { - type: string - sql: ${TABLE}.network.dhcp.sname ;; - group_label: "network" - label: "network.dhcp.sname" - view_label: "UDM" - description: "Server name that the client wishes to boot from." - } # dimension network__dhcp__sname - - dimension: network__dhcp__transaction_id { - type: number - sql: ${TABLE}.network.dhcp.transaction_id ;; - group_label: "network" - label: "network.dhcp.transaction_id" - view_label: "UDM" - description: "Transaction ID." 
- } # dimension network__dhcp__transaction_id - - dimension: network__dhcp__type { - type: number - sql: ${TABLE}.network.dhcp.type ;; - group_label: "network" - label: "network.dhcp.type" - view_label: "UDM" - description: "DHCP message type." - } # dimension network__dhcp__type - - dimension: network__dhcp__type_enum_name { - type: string - suggestions: ["ACK", "DECLINE", "DISCOVER", "INFORM", "NAK", "OFFER", "RELEASE", "REQUEST", "UNKNOWN_MESSAGE_TYPE", "WIN_DELETED", "WIN_EXPIRED"] - sql: CASE ${TABLE}.network.dhcp.type WHEN 0 THEN 'UNKNOWN_MESSAGE_TYPE' WHEN 1 THEN 'DISCOVER' WHEN 2 THEN 'OFFER' WHEN 3 THEN 'REQUEST' WHEN 4 THEN 'DECLINE' WHEN 5 THEN 'ACK' WHEN 6 THEN 'NAK' WHEN 7 THEN 'RELEASE' WHEN 8 THEN 'INFORM' WHEN 100 THEN 'WIN_DELETED' WHEN 101 THEN 'WIN_EXPIRED' END ;; - group_label: "network" - label: "network.dhcp.type_enum_name" - view_label: "UDM" - description: "DHCP message type." - } # dimension network__dhcp__type_enum_name - - dimension: network__dhcp__yiaddr { - type: string - sql: ${TABLE}.network.dhcp.yiaddr ;; - group_label: "network" - label: "network.dhcp.yiaddr" - view_label: "UDM" - description: "Your IP address (yiaddr)." - } # dimension network__dhcp__yiaddr - - dimension: network__direction { - type: number - sql: ${TABLE}.network.direction ;; - group_label: "network" - label: "network.direction" - view_label: "UDM" - description: "The direction of network traffic." - } # dimension network__direction - - dimension: network__direction_enum_name { - type: string - suggestions: ["BROADCAST", "INBOUND", "OUTBOUND", "UNKNOWN_DIRECTION"] - sql: CASE ${TABLE}.network.direction WHEN 0 THEN 'UNKNOWN_DIRECTION' WHEN 1 THEN 'INBOUND' WHEN 2 THEN 'OUTBOUND' WHEN 3 THEN 'BROADCAST' END ;; - group_label: "network" - label: "network.direction_enum_name" - view_label: "UDM" - description: "The direction of network traffic." 
- } # dimension network__direction_enum_name - - dimension: network__dns { - hidden: yes - } # dimension network__dns - - dimension: network__dns__additional { - hidden: yes - } # dimension network__dns__additional - - dimension: network__dns__answers { - hidden: yes - } # dimension network__dns__answers - - dimension: network__dns__authoritative { - type: yesno - sql: ${TABLE}.network.dns.authoritative ;; - group_label: "network" - label: "network.dns.authoritative" - view_label: "UDM" - description: "Other DNS header flags. See RFC1035, section 4.1.1." - } # dimension network__dns__authoritative - - dimension: network__dns__authority { - hidden: yes - } # dimension network__dns__authority - - dimension: network__dns__id { - type: number - sql: ${TABLE}.network.dns.id ;; - group_label: "network" - label: "network.dns.id" - view_label: "UDM" - description: "DNS query id." - } # dimension network__dns__id - - dimension: network__dns__opcode { - type: number - sql: ${TABLE}.network.dns.opcode ;; - group_label: "network" - label: "network.dns.opcode" - view_label: "UDM" - description: "The DNS OpCode used to specify the type of DNS query (e.g. QUERY, IQUERY, STATUS, etc.)." - } # dimension network__dns__opcode - - dimension: network__dns__questions { - hidden: yes - } # dimension network__dns__questions - - dimension: network__dns__recursion_available { - type: yesno - sql: ${TABLE}.network.dns.recursion_available ;; - group_label: "network" - label: "network.dns.recursion_available" - view_label: "UDM" - description: "Whether a recursive DNS lookup is available." - } # dimension network__dns__recursion_available - - dimension: network__dns__recursion_desired { - type: yesno - sql: ${TABLE}.network.dns.recursion_desired ;; - group_label: "network" - label: "network.dns.recursion_desired" - view_label: "UDM" - description: "Whether a recursive DNS lookup is desired." 
- } # dimension network__dns__recursion_desired - - dimension: network__dns__response { - type: yesno - sql: ${TABLE}.network.dns.response ;; - group_label: "network" - label: "network.dns.response" - view_label: "UDM" - description: "Set to true if the event is a DNS response. See QR field from RFC1035." - } # dimension network__dns__response - - dimension: network__dns__response_code { - type: number - sql: ${TABLE}.network.dns.response_code ;; - group_label: "network" - label: "network.dns.response_code" - view_label: "UDM" - description: "Response code. See RCODE from RFC1035." - } # dimension network__dns__response_code - - dimension: network__dns__truncated { - type: yesno - sql: ${TABLE}.network.dns.truncated ;; - group_label: "network" - label: "network.dns.truncated" - view_label: "UDM" - description: "Whether the DNS response was truncated." - } # dimension network__dns__truncated - - dimension: network__dns_domain { - type: string - sql: ${TABLE}.network.dns_domain ;; - group_label: "network" - label: "network.dns_domain" - view_label: "UDM" - description: "DNS domain name." - } # dimension network__dns_domain - - dimension: network__email { - hidden: yes - } # dimension network__email - - dimension: network__email__bcc { - hidden: yes - } # dimension network__email__bcc - - dimension: network__email__bounce_address { - type: string - sql: ${TABLE}.network.email.bounce_address ;; - group_label: "network" - label: "network.email.bounce_address" - view_label: "UDM" - description: "The envelope from address. https://en.wikipedia.org/wiki/Bounce_address" - } # dimension network__email__bounce_address - - dimension: network__email__cc { - hidden: yes - } # dimension network__email__cc - - dimension: network__email__from { - type: string - sql: ${TABLE}.network.email.from ;; - group_label: "network" - label: "network.email.from" - view_label: "UDM" - description: "The 'from' address." 
- } # dimension network__email__from - - dimension: network__email__mail_id { - type: string - sql: ${TABLE}.network.email.mail_id ;; - group_label: "network" - label: "network.email.mail_id" - view_label: "UDM" - description: "The mail (or message) ID." - } # dimension network__email__mail_id - - dimension: network__email__reply_to { - type: string - sql: ${TABLE}.network.email.reply_to ;; - group_label: "network" - label: "network.email.reply_to" - view_label: "UDM" - description: "The 'reply to' address." - } # dimension network__email__reply_to - - dimension: network__email__subject { - hidden: yes - } # dimension network__email__subject - - dimension: network__email__to { - hidden: yes - } # dimension network__email__to - - dimension: network__ftp { - hidden: yes - } # dimension network__ftp - - dimension: network__ftp__command { - type: string - sql: ${TABLE}.network.ftp.command ;; - group_label: "network" - label: "network.ftp.command" - view_label: "UDM" - description: "The FTP command." - } # dimension network__ftp__command - - dimension: network__http { - hidden: yes - } # dimension network__http - - dimension: network__http__method { - type: string - sql: ${TABLE}.network.http.method ;; - group_label: "network" - label: "network.http.method" - view_label: "UDM" - description: "The HTTP request method (e.g. \"GET\", \"POST\", \"PATCH\", \"DELETE\")." - } # dimension network__http__method - - dimension: network__http__parsed_user_agent { - hidden: yes - } # dimension network__http__parsed_user_agent - - dimension: network__http__parsed_user_agent__annotation { - hidden: yes - } # dimension network__http__parsed_user_agent__annotation - - dimension: network__http__parsed_user_agent__browser { - type: string - sql: ${TABLE}.network.http.parsed_user_agent.browser ;; - group_label: "network" - label: "network.http.parsed_user_agent.browser" - view_label: "UDM" - description: "Product brand within the family: Firefox, Netscape, Camino etc.. 
Or Earth, Windows-Media-Player etc.. for non-browser user agents." - } # dimension network__http__parsed_user_agent__browser - - dimension: network__http__parsed_user_agent__browser_engine_version { - type: string - sql: ${TABLE}.network.http.parsed_user_agent.browser_engine_version ;; - group_label: "network" - label: "network.http.parsed_user_agent.browser_engine_version" - view_label: "UDM" - description: "Version of the rendering engine e.g. \"8.01\" for \"Opera/8.01\"" - } # dimension network__http__parsed_user_agent__browser_engine_version - - dimension: network__http__parsed_user_agent__browser_version { - type: string - sql: ${TABLE}.network.http.parsed_user_agent.browser_version ;; - group_label: "network" - label: "network.http.parsed_user_agent.browser_version" - view_label: "UDM" - description: "Minor and lower versions unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference)." - } # dimension network__http__parsed_user_agent__browser_version - - dimension: network__http__parsed_user_agent__carrier { - type: string - sql: ${TABLE}.network.http.parsed_user_agent.carrier ;; - group_label: "network" - label: "network.http.parsed_user_agent.carrier" - view_label: "UDM" - description: "Mobile specific: name of mobile carrier" - } # dimension network__http__parsed_user_agent__carrier - - dimension: network__http__parsed_user_agent__device { - type: string - sql: ${TABLE}.network.http.parsed_user_agent.device ;; - group_label: "network" - label: "network.http.parsed_user_agent.device" - view_label: "UDM" - description: "(Usually) Mobile specific: name of hardware device, may or may not contain the full model name. e.g. iPhone, Palm750, SPH-M800. Reduced to \"K\" for Android devices with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference)." 
- } # dimension network__http__parsed_user_agent__device - - dimension: network__http__parsed_user_agent__device_version { - type: string - sql: ${TABLE}.network.http.parsed_user_agent.device_version ;; - group_label: "network" - label: "network.http.parsed_user_agent.device_version" - view_label: "UDM" - description: "(Usually) Mobile specific: version of hardware device Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference)." - } # dimension network__http__parsed_user_agent__device_version - - dimension: network__http__parsed_user_agent__family { - type: number - sql: ${TABLE}.network.http.parsed_user_agent.family ;; - group_label: "network" - label: "network.http.parsed_user_agent.family" - view_label: "UDM" - description: "User agent family captures the type of browser/app at a high-level e.g. MSIE, Gecko, Safari etc.." - } # dimension network__http__parsed_user_agent__family - - dimension: network__http__parsed_user_agent__family_enum_name { - type: string - suggestions: ["APPLE", "APPLEWEBKIT", "BLACKBERRY", "CLIENT_HINTS", "DOCOMO", "GECKO", "GOOGLE", "KHTML", "KOREAN", "MICROSOFT", "MSIE", "NETFRONT", "NOKIA", "OBIGO", "OPENWAVE", "OPERA", "OTHER", "POLARIS", "SEMC", "SMIT", "TELECA", "USER_DEFINED"] - sql: CASE ${TABLE}.network.http.parsed_user_agent.family WHEN 0 THEN 'USER_DEFINED' WHEN 1 THEN 'MSIE' WHEN 2 THEN 'GECKO' WHEN 3 THEN 'APPLEWEBKIT' WHEN 4 THEN 'OPERA' WHEN 5 THEN 'KHTML' WHEN 10 THEN 'OTHER' WHEN 11 THEN 'APPLE' WHEN 12 THEN 'BLACKBERRY' WHEN 13 THEN 'DOCOMO' WHEN 14 THEN 'GOOGLE' WHEN 15 THEN 'OPENWAVE' WHEN 16 THEN 'POLARIS' WHEN 17 THEN 'OBIGO' WHEN 18 THEN 'TELECA' WHEN 19 THEN 'MICROSOFT' WHEN 20 THEN 'NOKIA' WHEN 21 THEN 'NETFRONT' WHEN 22 THEN 'SEMC' WHEN 23 THEN 'SMIT' WHEN 24 THEN 'KOREAN' WHEN 25 THEN 'CLIENT_HINTS' END ;; - group_label: "network" - label: "network.http.parsed_user_agent.family_enum_name" - view_label: "UDM" - description: "User agent family captures the type of browser/app 
at a high-level e.g. MSIE, Gecko, Safari etc.." - } # dimension network__http__parsed_user_agent__family_enum_name - - dimension: network__http__parsed_user_agent__google_toolbar_version { - type: string - sql: ${TABLE}.network.http.parsed_user_agent.google_toolbar_version ;; - group_label: "network" - label: "network.http.parsed_user_agent.google_toolbar_version" - view_label: "UDM" - description: "Version number of GoogleToolbar, if installed. Applies only to MSIE and Firefox at this time." - } # dimension network__http__parsed_user_agent__google_toolbar_version - - dimension: network__http__parsed_user_agent__java_configuration { - type: string - sql: ${TABLE}.network.http.parsed_user_agent.java_configuration ;; - group_label: "network" - label: "network.http.parsed_user_agent.java_configuration" - view_label: "UDM" - description: "Mobile specific: e.g. Configuration/CLDC-1.1" - } # dimension network__http__parsed_user_agent__java_configuration - - dimension: network__http__parsed_user_agent__java_configuration_version { - type: string - sql: ${TABLE}.network.http.parsed_user_agent.java_configuration_version ;; - group_label: "network" - label: "network.http.parsed_user_agent.java_configuration_version" - view_label: "UDM" - } # dimension network__http__parsed_user_agent__java_configuration_version - - dimension: network__http__parsed_user_agent__java_profile { - type: string - sql: ${TABLE}.network.http.parsed_user_agent.java_profile ;; - group_label: "network" - label: "network.http.parsed_user_agent.java_profile" - view_label: "UDM" - description: "Mobile specific: e.g. 
Profile/MIDP-2.0" - } # dimension network__http__parsed_user_agent__java_profile - - dimension: network__http__parsed_user_agent__java_profile_version { - type: string - sql: ${TABLE}.network.http.parsed_user_agent.java_profile_version ;; - group_label: "network" - label: "network.http.parsed_user_agent.java_profile_version" - view_label: "UDM" - } # dimension network__http__parsed_user_agent__java_profile_version - - dimension: network__http__parsed_user_agent__locale { - type: string - sql: ${TABLE}.network.http.parsed_user_agent.locale ;; - group_label: "network" - label: "network.http.parsed_user_agent.locale" - view_label: "UDM" - description: "Locale in which the browser is running as country code and optionally language pair. Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference)." - } # dimension network__http__parsed_user_agent__locale - - dimension: network__http__parsed_user_agent__messaging { - type: string - sql: ${TABLE}.network.http.parsed_user_agent.messaging ;; - group_label: "network" - label: "network.http.parsed_user_agent.messaging" - view_label: "UDM" - description: "Mobile specific: e.g. MMP/2.0" - } # dimension network__http__parsed_user_agent__messaging - - dimension: network__http__parsed_user_agent__messaging_version { - type: string - sql: ${TABLE}.network.http.parsed_user_agent.messaging_version ;; - group_label: "network" - label: "network.http.parsed_user_agent.messaging_version" - view_label: "UDM" - } # dimension network__http__parsed_user_agent__messaging_version - - dimension: network__http__parsed_user_agent__os { - type: string - sql: ${TABLE}.network.http.parsed_user_agent.os ;; - group_label: "network" - label: "network.http.parsed_user_agent.os" - view_label: "UDM" - description: "Full name of the operating system e.g. 
\"Darwin/9.7.0\", \"Android 1.5\", \"Windows 98\" Version is reduced, and other data might also be missing, for reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference)." - } # dimension network__http__parsed_user_agent__os - - dimension: network__http__parsed_user_agent__os_variant { - type: string - sql: ${TABLE}.network.http.parsed_user_agent.os_variant ;; - group_label: "network" - label: "network.http.parsed_user_agent.os_variant" - view_label: "UDM" - description: "Extra qualifier for the OS e.g. \"(i386)\", \"Build/CUPCAKE\", \"PalmSource/Palm-D061\" Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference)." - } # dimension network__http__parsed_user_agent__os_variant - - dimension: network__http__parsed_user_agent__platform { - type: string - sql: ${TABLE}.network.http.parsed_user_agent.platform ;; - group_label: "network" - label: "network.http.parsed_user_agent.platform" - view_label: "UDM" - description: "The platform describes the environment in which the browser or app runs. For desktop user agents, Platform is a string describing the OS family e.g. Windows, Macintosh, Linux. For mobile user agents, Platform either describes the OS family (if available) or the hardware maker. e.g. Linux, or HTC, LG, Palm." - } # dimension network__http__parsed_user_agent__platform - - dimension: network__http__parsed_user_agent__security { - type: string - sql: ${TABLE}.network.http.parsed_user_agent.security ;; - group_label: "network" - label: "network.http.parsed_user_agent.security" - view_label: "UDM" - description: "Security level reported by user agent, either U, I or N. Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference)." 
- } # dimension network__http__parsed_user_agent__security - - dimension: network__http__parsed_user_agent__sub_family { - type: string - sql: ${TABLE}.network.http.parsed_user_agent.sub_family ;; - group_label: "network" - label: "network.http.parsed_user_agent.sub_family" - view_label: "UDM" - description: "Sub-family identifies individual regexps when a family has more than 1. This is used to generate the right UA string from a protobuf. Examples in the AppleWebKit family: Chrome and Safari. Can also be an arbitrary identifier." - } # dimension network__http__parsed_user_agent__sub_family - - dimension: network__http__referral_url { - type: string - sql: ${TABLE}.network.http.referral_url ;; - group_label: "network" - label: "network.http.referral_url" - view_label: "UDM" - description: "The URL for the HTTP referer." - } # dimension network__http__referral_url - - dimension: network__http__response_code { - type: number - sql: ${TABLE}.network.http.response_code ;; - group_label: "network" - label: "network.http.response_code" - view_label: "UDM" - description: "The response status code. e.g. 200, 302, 404, 500, etc." - } # dimension network__http__response_code - - dimension: network__http__user_agent { - type: string - sql: ${TABLE}.network.http.user_agent ;; - group_label: "network" - label: "network.http.user_agent" - view_label: "UDM" - description: "The User-Agent request header which includes the application type, operating system, software vendor or software version of the requesting software user agent." - } # dimension network__http__user_agent - - dimension: network__ip_protocol { - type: number - sql: ${TABLE}.network.ip_protocol ;; - group_label: "network" - label: "network.ip_protocol" - view_label: "UDM" - description: "The IP protocol." 
- } # dimension network__ip_protocol - - dimension: network__ip_protocol_enum_name { - type: string - suggestions: ["EIGRP", "ESP", "ETHERIP", "GRE", "ICMP", "ICMP6", "IGMP", "IP6IN4", "PIM", "SCTP", "TCP", "UDP", "UNKNOWN_IP_PROTOCOL", "VRRP"] - sql: CASE ${TABLE}.network.ip_protocol WHEN 0 THEN 'UNKNOWN_IP_PROTOCOL' WHEN 1 THEN 'ICMP' WHEN 2 THEN 'IGMP' WHEN 6 THEN 'TCP' WHEN 17 THEN 'UDP' WHEN 41 THEN 'IP6IN4' WHEN 47 THEN 'GRE' WHEN 50 THEN 'ESP' WHEN 58 THEN 'ICMP6' WHEN 88 THEN 'EIGRP' WHEN 97 THEN 'ETHERIP' WHEN 103 THEN 'PIM' WHEN 112 THEN 'VRRP' WHEN 132 THEN 'SCTP' END ;; - group_label: "network" - label: "network.ip_protocol_enum_name" - view_label: "UDM" - description: "The IP protocol." - } # dimension network__ip_protocol_enum_name - - dimension: network__organization_name { - type: string - sql: ${TABLE}.network.organization_name ;; - group_label: "network" - label: "network.organization_name" - view_label: "UDM" - description: "Organization name (e.g Google)." - } # dimension network__organization_name - - dimension: network__parent_session_id { - type: string - sql: ${TABLE}.network.parent_session_id ;; - group_label: "network" - label: "network.parent_session_id" - view_label: "UDM" - description: "The ID of the parent network session." - } # dimension network__parent_session_id - - dimension: network__received_bytes { - type: number - sql: ${TABLE}.network.received_bytes ;; - group_label: "network" - label: "network.received_bytes" - view_label: "UDM" - description: "The number of bytes received." - } # dimension network__received_bytes - - dimension: network__received_packets { - type: number - sql: ${TABLE}.network.received_packets ;; - group_label: "network" - label: "network.received_packets" - view_label: "UDM" - description: "The number of packets received." 
- } # dimension network__received_packets - - dimension: network__sent_bytes { - type: number - sql: ${TABLE}.network.sent_bytes ;; - group_label: "network" - label: "network.sent_bytes" - view_label: "UDM" - description: "The number of bytes sent." - } # dimension network__sent_bytes - - dimension: network__sent_packets { - type: number - sql: ${TABLE}.network.sent_packets ;; - group_label: "network" - label: "network.sent_packets" - view_label: "UDM" - description: "The number of packets sent." - } # dimension network__sent_packets - - dimension_group: network__session_duration { - type: duration - intervals: [ second, minute, hour ] - sql_start: TIMESTAMP_MICROS(0) ;; - sql_end: TIMESTAMP_MICROS(IFNULL(${TABLE}.network.session_duration.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.network.session_duration.nanos, 0) / 1000) as INT64)) ;; - group_label: "network" - label: "network.session_duration" - view_label: "UDM" - description: "The duration of the session as the number of seconds and nanoseconds. For seconds, network.session_duration.seconds, the type is a 64-bit integer. For nanoseconds, network.session_duration.nanos, the type is a 32-bit integer." - } # dimension network__session_duration - - dimension: network__session_id { - type: string - sql: ${TABLE}.network.session_id ;; - group_label: "network" - label: "network.session_id" - view_label: "UDM" - description: "The ID of the network session." - } # dimension network__session_id - - dimension: network__smtp { - hidden: yes - } # dimension network__smtp - - dimension: network__smtp__helo { - type: string - sql: ${TABLE}.network.smtp.helo ;; - group_label: "network" - label: "network.smtp.helo" - view_label: "UDM" - description: "The client's 'HELO'/'EHLO' string." 
- } # dimension network__smtp__helo - - dimension: network__tls { - hidden: yes - } # dimension network__tls - - dimension: network__tls__cipher { - type: string - sql: ${TABLE}.network.tls.cipher ;; - group_label: "network" - label: "network.tls.cipher" - view_label: "UDM" - description: "Cipher used during the connection." - } # dimension network__tls__cipher - - dimension: network__tls__client { - hidden: yes - } # dimension network__tls__client - - dimension: network__tls__client__certificate { - hidden: yes - } # dimension network__tls__client__certificate - - dimension: network__tls__client__certificate__issuer { - type: string - sql: ${TABLE}.network.tls.client.certificate.issuer ;; - group_label: "network" - label: "network.tls.client.certificate.issuer" - view_label: "UDM" - description: "Issuer of the certificate." - } # dimension network__tls__client__certificate__issuer - - dimension_group: network__tls__client__certificate__not_after { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.network.tls.client.certificate.not_after.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.network.tls.client.certificate.not_after.nanos, 0) / 1000) as INT64)) ;; - group_label: "network" - label: "network.tls.client.certificate.not_after" - view_label: "UDM" - description: "Indicates when the certificate is no longer valid." 
- } # dimension network__tls__client__certificate__not_after - - dimension_group: network__tls__client__certificate__not_before { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.network.tls.client.certificate.not_before.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.network.tls.client.certificate.not_before.nanos, 0) / 1000) as INT64)) ;; - group_label: "network" - label: "network.tls.client.certificate.not_before" - view_label: "UDM" - description: "Indicates when the certificate is first valid." - } # dimension network__tls__client__certificate__not_before - - dimension: network__tls__client__certificate__serial { - type: string - sql: ${TABLE}.network.tls.client.certificate.serial ;; - group_label: "network" - label: "network.tls.client.certificate.serial" - view_label: "UDM" - description: "Certificate serial number." - } # dimension network__tls__client__certificate__serial - - dimension: network__tls__client__certificate__sha1 { - type: string - sql: ${TABLE}.network.tls.client.certificate.sha1 ;; - group_label: "network" - label: "network.tls.client.certificate.sha1" - view_label: "UDM" - description: "The SHA1 hash of the certificate." - } # dimension network__tls__client__certificate__sha1 - - dimension: network__tls__client__certificate__sha256 { - type: string - sql: ${TABLE}.network.tls.client.certificate.sha256 ;; - group_label: "network" - label: "network.tls.client.certificate.sha256" - view_label: "UDM" - description: "The SHA256 hash of the certificate." - } # dimension network__tls__client__certificate__sha256 - - dimension: network__tls__client__certificate__subject { - type: string - sql: ${TABLE}.network.tls.client.certificate.subject ;; - group_label: "network" - label: "network.tls.client.certificate.subject" - view_label: "UDM" - description: "Subject of the certificate." 
- } # dimension network__tls__client__certificate__subject - - dimension: network__tls__client__certificate__version { - type: string - sql: ${TABLE}.network.tls.client.certificate.version ;; - group_label: "network" - label: "network.tls.client.certificate.version" - view_label: "UDM" - description: "Certificate version." - } # dimension network__tls__client__certificate__version - - dimension: network__tls__client__ja3 { - type: string - sql: ${TABLE}.network.tls.client.ja3 ;; - group_label: "network" - label: "network.tls.client.ja3" - view_label: "UDM" - description: "JA3 hash from client hello." - } # dimension network__tls__client__ja3 - - dimension: network__tls__client__server_name { - type: string - sql: ${TABLE}.network.tls.client.server_name ;; - group_label: "network" - label: "network.tls.client.server_name" - view_label: "UDM" - description: "Host name of the server, that the client is connecting to." - } # dimension network__tls__client__server_name - - dimension: network__tls__client__supported_ciphers { - hidden: yes - } # dimension network__tls__client__supported_ciphers - - dimension: network__tls__curve { - type: string - sql: ${TABLE}.network.tls.curve ;; - group_label: "network" - label: "network.tls.curve" - view_label: "UDM" - description: "Elliptical curve used for a given cipher." - } # dimension network__tls__curve - - dimension: network__tls__established { - type: yesno - sql: ${TABLE}.network.tls.established ;; - group_label: "network" - label: "network.tls.established" - view_label: "UDM" - description: "Indicates whether the TLS negotiation was successful." - } # dimension network__tls__established - - dimension: network__tls__next_protocol { - type: string - sql: ${TABLE}.network.tls.next_protocol ;; - group_label: "network" - label: "network.tls.next_protocol" - view_label: "UDM" - description: "Protocol to be used for tunnel." 
- } # dimension network__tls__next_protocol - - dimension: network__tls__resumed { - type: yesno - sql: ${TABLE}.network.tls.resumed ;; - group_label: "network" - label: "network.tls.resumed" - view_label: "UDM" - description: "Indicates whether the TLS connection was resumed from a previous TLS negotiation." - } # dimension network__tls__resumed - - dimension: network__tls__server { - hidden: yes - } # dimension network__tls__server - - dimension: network__tls__server__certificate { - hidden: yes - } # dimension network__tls__server__certificate - - dimension: network__tls__server__certificate__issuer { - type: string - sql: ${TABLE}.network.tls.server.certificate.issuer ;; - group_label: "network" - label: "network.tls.server.certificate.issuer" - view_label: "UDM" - description: "Issuer of the certificate." - } # dimension network__tls__server__certificate__issuer - - dimension: network__tls__server__certificate__md5 { - type: string - sql: ${TABLE}.network.tls.server.certificate.md5 ;; - group_label: "network" - label: "network.tls.server.certificate.md5" - view_label: "UDM" - description: "The MD5 hash of the certificate." - } # dimension network__tls__server__certificate__md5 - - dimension_group: network__tls__server__certificate__not_after { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.network.tls.server.certificate.not_after.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.network.tls.server.certificate.not_after.nanos, 0) / 1000) as INT64)) ;; - group_label: "network" - label: "network.tls.server.certificate.not_after" - view_label: "UDM" - description: "Indicates when the certificate is no longer valid." 
- } # dimension network__tls__server__certificate__not_after - - dimension_group: network__tls__server__certificate__not_before { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.network.tls.server.certificate.not_before.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.network.tls.server.certificate.not_before.nanos, 0) / 1000) as INT64)) ;; - group_label: "network" - label: "network.tls.server.certificate.not_before" - view_label: "UDM" - description: "Indicates when the certificate is first valid." - } # dimension network__tls__server__certificate__not_before - - dimension: network__tls__server__certificate__serial { - type: string - sql: ${TABLE}.network.tls.server.certificate.serial ;; - group_label: "network" - label: "network.tls.server.certificate.serial" - view_label: "UDM" - description: "Certificate serial number." - } # dimension network__tls__server__certificate__serial - - dimension: network__tls__server__certificate__sha1 { - type: string - sql: ${TABLE}.network.tls.server.certificate.sha1 ;; - group_label: "network" - label: "network.tls.server.certificate.sha1" - view_label: "UDM" - description: "The SHA1 hash of the certificate." - } # dimension network__tls__server__certificate__sha1 - - dimension: network__tls__server__certificate__sha256 { - type: string - sql: ${TABLE}.network.tls.server.certificate.sha256 ;; - group_label: "network" - label: "network.tls.server.certificate.sha256" - view_label: "UDM" - description: "The SHA256 hash of the certificate." - } # dimension network__tls__server__certificate__sha256 - - dimension: network__tls__server__certificate__subject { - type: string - sql: ${TABLE}.network.tls.server.certificate.subject ;; - group_label: "network" - label: "network.tls.server.certificate.subject" - view_label: "UDM" - description: "Subject of the certificate." 
- } # dimension network__tls__server__certificate__subject - - dimension: network__tls__server__certificate__version { - type: string - sql: ${TABLE}.network.tls.server.certificate.version ;; - group_label: "network" - label: "network.tls.server.certificate.version" - view_label: "UDM" - description: "Certificate version." - } # dimension network__tls__server__certificate__version - - dimension: network__tls__server__ja3s { - type: string - sql: ${TABLE}.network.tls.server.ja3s ;; - group_label: "network" - label: "network.tls.server.ja3s" - view_label: "UDM" - description: "JA3 hash from server hello." - } # dimension network__tls__server__ja3s - - dimension: network__tls__version { - type: string - sql: ${TABLE}.network.tls.version ;; - group_label: "network" - label: "network.tls.version" - view_label: "UDM" - description: "TLS version." - } # dimension network__tls__version - - dimension: network__tls__version_protocol { - type: string - sql: ${TABLE}.network.tls.version_protocol ;; - group_label: "network" - label: "network.tls.version_protocol" - view_label: "UDM" - description: "Protocol." - } # dimension network__tls__version_protocol - - dimension: observer { - hidden: yes - } # dimension observer - - dimension: observer__administrative_domain { - type: string - sql: ${TABLE}.observer.administrative_domain ;; - group_label: "observer" - label: "observer.administrative_domain" - view_label: "UDM" - description: "Domain which the device belongs to (for example, the Microsoft Windows domain)." - } # dimension observer__administrative_domain - - dimension: observer__application { - type: string - sql: ${TABLE}.observer.application ;; - group_label: "observer" - label: "observer.application" - view_label: "UDM" - description: "The name of an application or service. Some SSO solutions only capture the name of a target application such as \"Atlassian\" or \"Chronicle\"." 
- } # dimension observer__application - - dimension: observer__artifact { - hidden: yes - } # dimension observer__artifact - - dimension: observer__artifact__location { - hidden: yes - } # dimension observer__artifact__location - - dimension: observer__artifact__location__name { - type: string - sql: ${TABLE}.observer.artifact.location.name ;; - group_label: "observer" - label: "observer.artifact.location.name" - view_label: "UDM" - description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." - } # dimension observer__artifact__location__name - - dimension: observer__artifact__location__state { - type: string - sql: ${TABLE}.observer.artifact.location.state ;; - group_label: "observer" - label: "observer.artifact.location.state" - view_label: "UDM" - description: "The state." - } # dimension observer__artifact__location__state - - dimension: observer__asset { - hidden: yes - } # dimension observer__asset - - dimension: observer__asset__attribute { - hidden: yes - } # dimension observer__asset__attribute - - dimension: observer__asset__attribute__labels { - hidden: yes - } # dimension observer__asset__attribute__labels - - dimension: observer__asset__category { - type: string - sql: ${TABLE}.observer.asset.category ;; - group_label: "observer" - label: "observer.asset.category" - view_label: "UDM" - description: "The category of the asset (e.g. \"End User Asset\", \"Workstation\", \"Server\")." - } # dimension observer__asset__category - - dimension: observer__asset__hostname { - type: string - sql: ${TABLE}.observer.asset.hostname ;; - group_label: "observer" - label: "observer.asset.hostname" - view_label: "UDM" - description: "Asset hostname or domain name field." 
- } # dimension observer__asset__hostname - - dimension: observer__asset__ip { - hidden: yes - } # dimension observer__asset__ip - - dimension: observer__asset__location { - hidden: yes - } # dimension observer__asset__location - - dimension: observer__asset__location__name { - type: string - sql: ${TABLE}.observer.asset.location.name ;; - group_label: "observer" - label: "observer.asset.location.name" - view_label: "UDM" - description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." - } # dimension observer__asset__location__name - - dimension: observer__asset__network_domain { - type: string - sql: ${TABLE}.observer.asset.network_domain ;; - group_label: "observer" - label: "observer.asset.network_domain" - view_label: "UDM" - description: "The network domain of the asset (e.g. \"corp.acme.com\")" - } # dimension observer__asset__network_domain - - dimension: observer__asset__platform_software { - hidden: yes - } # dimension observer__asset__platform_software - - dimension: observer__asset__platform_software__platform_version { - type: string - sql: ${TABLE}.observer.asset.platform_software.platform_version ;; - group_label: "observer" - label: "observer.asset.platform_software.platform_version" - view_label: "UDM" - description: "The platform software version ( e.g. \"Microsoft Windows 1803\")." - } # dimension observer__asset__platform_software__platform_version - - dimension: observer__asset__product_object_id { - type: string - sql: ${TABLE}.observer.asset.product_object_id ;; - group_label: "observer" - label: "observer.asset.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID or similar)." 
- } # dimension observer__asset__product_object_id - - dimension: observer__asset__software { - hidden: yes - } # dimension observer__asset__software - - dimension: observer__asset__vulnerabilities { - hidden: yes - } # dimension observer__asset__vulnerabilities - - dimension: observer__asset_id { - type: string - sql: ${TABLE}.observer.asset_id ;; - group_label: "observer" - label: "observer.asset_id" - view_label: "UDM" - description: "The asset ID." - } # dimension observer__asset_id - - dimension: observer__cloud { - hidden: yes - } # dimension observer__cloud - - dimension: observer__cloud__environment { - type: number - sql: ${TABLE}.observer.cloud.environment ;; - group_label: "observer" - group_item_label: "observer.cloud.environment [D]" - label: "observer.cloud.environment" - view_label: "UDM" - description: "The Cloud environment. [D]: This field is deprecated and will be removed in a future release" - } # dimension observer__cloud__environment - - dimension: observer__cloud__environment_enum_name { - type: string - suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] - sql: CASE ${TABLE}.observer.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; - group_label: "observer" - group_item_label: "observer.cloud.environment_enum_name [D]" - label: "observer.cloud.environment_enum_name" - view_label: "UDM" - description: "The Cloud environment. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension observer__cloud__environment_enum_name - - dimension: observer__cloud__project { - hidden: yes - } # dimension observer__cloud__project - - dimension: observer__cloud__project__id { - type: string - sql: ${TABLE}.observer.cloud.project.id ;; - group_label: "observer" - group_item_label: "observer.cloud.project.id [D]" - label: "observer.cloud.project.id" - view_label: "UDM" - description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" - } # dimension observer__cloud__project__id - - dimension: observer__cloud__project__name { - type: string - sql: ${TABLE}.observer.cloud.project.name ;; - group_label: "observer" - group_item_label: "observer.cloud.project.name [D]" - label: "observer.cloud.project.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" - } # dimension observer__cloud__project__name - - dimension: observer__domain { - hidden: yes - } # dimension observer__domain - - dimension: observer__domain__name { - type: string - sql: ${TABLE}.observer.domain.name ;; - group_label: "observer" - label: "observer.domain.name" - view_label: "UDM" - description: "The domain name." - } # dimension observer__domain__name - - dimension: observer__file { - hidden: yes - } # dimension observer__file - - dimension: observer__file__full_path { - type: string - sql: ${TABLE}.observer.file.full_path ;; - group_label: "observer" - label: "observer.file.full_path" - view_label: "UDM" - description: "The full path identifying the location of the file on the system." 
- } # dimension observer__file__full_path - - dimension: observer__file__sha256 { - type: string - sql: ${TABLE}.observer.file.sha256 ;; - group_label: "observer" - label: "observer.file.sha256" - view_label: "UDM" - description: "The SHA256 hash of the file." - } # dimension observer__file__sha256 - - dimension: observer__group { - hidden: yes - } # dimension observer__group - - dimension: observer__group__group_display_name { - type: string - sql: ${TABLE}.observer.group.group_display_name ;; - group_label: "observer" - label: "observer.group.group_display_name" - view_label: "UDM" - description: "Group display name. e.g. \"Finance\"." - } # dimension observer__group__group_display_name - - dimension: observer__hostname { - type: string - sql: ${TABLE}.observer.hostname ;; - group_label: "observer" - label: "observer.hostname" - view_label: "UDM" - description: "Client hostname or domain name field. Hostname also doubles as the domain for remote entities." - } # dimension observer__hostname - - dimension: observer__ip { - hidden: yes - } # dimension observer__ip - - dimension: observer__labels { - hidden: yes - } # dimension observer__labels - - dimension: observer__location { - hidden: yes - } # dimension observer__location - - dimension: observer__location__country_or_region { - type: string - sql: ${TABLE}.observer.location.country_or_region ;; - group_label: "observer" - label: "observer.location.country_or_region" - view_label: "UDM" - description: "The country or region." - } # dimension observer__location__country_or_region - - dimension: observer__location__name { - type: string - sql: ${TABLE}.observer.location.name ;; - group_label: "observer" - label: "observer.location.name" - view_label: "UDM" - description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." 
- } # dimension observer__location__name - - dimension: observer__mac { - hidden: yes - } # dimension observer__mac - - dimension: observer__namespace { - type: string - sql: ${TABLE}.observer.namespace ;; - group_label: "observer" - label: "observer.namespace" - view_label: "UDM" - description: "Namespace which the device belongs to (e.g. AD forest) Uses for this field include Microsoft Windows AD forest, name of subsidiary or acquisition, etc." - } # dimension observer__namespace - - dimension: observer__platform { - type: number - sql: ${TABLE}.observer.platform ;; - group_label: "observer" - label: "observer.platform" - view_label: "UDM" - description: "Platform." - } # dimension observer__platform - - dimension: observer__platform_enum_name { - type: string - suggestions: ["ANDROID", "AWS", "AZURE", "CHROME_OS", "GCP", "IOS", "LINUX", "MAC", "UNKNOWN_PLATFORM", "WINDOWS"] - sql: CASE ${TABLE}.observer.platform WHEN 0 THEN 'UNKNOWN_PLATFORM' WHEN 1 THEN 'WINDOWS' WHEN 2 THEN 'MAC' WHEN 3 THEN 'LINUX' WHEN 4 THEN 'GCP' WHEN 5 THEN 'AWS' WHEN 6 THEN 'AZURE' WHEN 7 THEN 'IOS' WHEN 8 THEN 'ANDROID' WHEN 9 THEN 'CHROME_OS' END ;; - group_label: "observer" - label: "observer.platform_enum_name" - view_label: "UDM" - description: "Platform." - } # dimension observer__platform_enum_name - - dimension: observer__platform_version { - type: string - sql: ${TABLE}.observer.platform_version ;; - group_label: "observer" - label: "observer.platform_version" - view_label: "UDM" - description: "Platform version. For example, \"Microsoft Windows 1803\"." - } # dimension observer__platform_version - - dimension: observer__port { - type: number - value_format: "#" - sql: ${TABLE}.observer.port ;; - group_label: "observer" - label: "observer.port" - view_label: "UDM" - description: "Source or destination network port number when a specific network connection is described within an event." 
- } # dimension observer__port - - dimension: observer__process { - hidden: yes - } # dimension observer__process - - dimension: observer__process__file { - hidden: yes - } # dimension observer__process__file - - dimension: observer__process__file__full_path { - type: string - sql: ${TABLE}.observer.process.file.full_path ;; - group_label: "observer" - label: "observer.process.file.full_path" - view_label: "UDM" - description: "The full path identifying the location of the file on the system." - } # dimension observer__process__file__full_path - - dimension: observer__process__parent_pid { - type: string - sql: ${TABLE}.observer.process.parent_pid ;; - group_label: "observer" - group_item_label: "observer.process.parent_pid [D]" - label: "observer.process.parent_pid" - view_label: "UDM" - description: "The ID of the parent process. Deprecated: use parent_process.pid instead. [D]: This field is deprecated and will be removed in a future release" - } # dimension observer__process__parent_pid - - dimension: observer__process__pid { - type: string - sql: ${TABLE}.observer.process.pid ;; - group_label: "observer" - label: "observer.process.pid" - view_label: "UDM" - description: "The process ID." - } # dimension observer__process__pid - - dimension: observer__resource { - hidden: yes - } # dimension observer__resource - - dimension: observer__resource__attribute { - hidden: yes - } # dimension observer__resource__attribute - - dimension: observer__resource__attribute__cloud { - hidden: yes - } # dimension observer__resource__attribute__cloud - - dimension: observer__resource__attribute__cloud__environment { - type: number - sql: ${TABLE}.observer.resource.attribute.cloud.environment ;; - group_label: "observer" - label: "observer.resource.attribute.cloud.environment" - view_label: "UDM" - description: "The Cloud environment." 
- } # dimension observer__resource__attribute__cloud__environment - - dimension: observer__resource__attribute__cloud__environment_enum_name { - type: string - suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] - sql: CASE ${TABLE}.observer.resource.attribute.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; - group_label: "observer" - label: "observer.resource.attribute.cloud.environment_enum_name" - view_label: "UDM" - description: "The Cloud environment." - } # dimension observer__resource__attribute__cloud__environment_enum_name - - dimension: observer__resource__attribute__labels { - hidden: yes - } # dimension observer__resource__attribute__labels - - dimension: observer__resource__name { - type: string - sql: ${TABLE}.observer.resource.name ;; - group_label: "observer" - label: "observer.resource.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." - } # dimension observer__resource__name - - dimension: observer__resource__parent { - type: string - sql: ${TABLE}.observer.resource.parent ;; - group_label: "observer" - group_item_label: "observer.resource.parent [D]" - label: "observer.resource.parent" - view_label: "UDM" - description: "The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: use resource_ancestors.name. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension observer__resource__parent - - dimension: observer__resource__product_object_id { - type: string - sql: ${TABLE}.observer.resource.product_object_id ;; - group_label: "observer" - label: "observer.resource.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" - } # dimension observer__resource__product_object_id - - dimension: observer__resource__resource_subtype { - type: string - sql: ${TABLE}.observer.resource.resource_subtype ;; - group_label: "observer" - label: "observer.resource.resource_subtype" - view_label: "UDM" - description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\")." - } # dimension observer__resource__resource_subtype - - dimension: observer__resource__resource_type { - type: number - sql: ${TABLE}.observer.resource.resource_type ;; - group_label: "observer" - label: "observer.resource.resource_type" - view_label: "UDM" - description: "Resource type." 
- } # dimension observer__resource__resource_type - - dimension: observer__resource__resource_type_enum_name { - type: string - suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] - sql: CASE ${TABLE}.observer.resource.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; - group_label: "observer" - label: "observer.resource.resource_type_enum_name" - view_label: "UDM" - description: "Resource type." - } # dimension observer__resource__resource_type_enum_name - - dimension: observer__resource__type { - type: string - sql: ${TABLE}.observer.resource.type ;; - group_label: "observer" - group_item_label: "observer.resource.type [D]" - label: "observer.resource.type" - view_label: "UDM" - description: "Deprecated: use resource_type instead. [D]: This field is deprecated and will be removed in a future release" - } # dimension observer__resource__type - - dimension: observer__url { - type: string - sql: ${TABLE}.observer.url ;; - group_label: "observer" - label: "observer.url" - view_label: "UDM" - description: "The URL." 
- } # dimension observer__url - - dimension: observer__user { - hidden: yes - } # dimension observer__user - - dimension: observer__user__company_name { - type: string - sql: ${TABLE}.observer.user.company_name ;; - group_label: "observer" - label: "observer.user.company_name" - view_label: "UDM" - description: "User job company name." - } # dimension observer__user__company_name - - dimension: observer__user__email_addresses { - hidden: yes - } # dimension observer__user__email_addresses - - dimension: observer__user__group_identifiers { - hidden: yes - } # dimension observer__user__group_identifiers - - dimension: observer__user__product_object_id { - type: string - sql: ${TABLE}.observer.user.product_object_id ;; - group_label: "observer" - label: "observer.user.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." - } # dimension observer__user__product_object_id - - dimension: observer__user__user_display_name { - type: string - sql: ${TABLE}.observer.user.user_display_name ;; - group_label: "observer" - label: "observer.user.user_display_name" - view_label: "UDM" - description: "The display name of the user (e.g. \"John Locke\")." - } # dimension observer__user__user_display_name - - dimension: observer__user__userid { - type: string - sql: ${TABLE}.observer.user.userid ;; - group_label: "observer" - label: "observer.user.userid" - view_label: "UDM" - description: "The ID of the user." - } # dimension observer__user__userid - - dimension: principal { - hidden: yes - } # dimension principal - - dimension: principal__administrative_domain { - type: string - sql: ${TABLE}.principal.administrative_domain ;; - group_label: "principal" - label: "principal.administrative_domain" - view_label: "UDM" - description: "Domain which the device belongs to (for example, the Microsoft Windows domain)." 
- } # dimension principal__administrative_domain - - dimension: principal__application { - type: string - sql: ${TABLE}.principal.application ;; - group_label: "principal" - label: "principal.application" - view_label: "UDM" - description: "The name of an application or service. Some SSO solutions only capture the name of a target application such as \"Atlassian\" or \"Chronicle\"." - } # dimension principal__application - - dimension: principal__artifact { - hidden: yes - } # dimension principal__artifact - - dimension: principal__artifact__ip { - type: string - sql: ${TABLE}.principal.artifact.ip ;; - group_label: "principal" - label: "principal.artifact.ip" - view_label: "UDM" - description: "IP address of the artifact." - } # dimension principal__artifact__ip - - dimension: principal__artifact__network { - hidden: yes - } # dimension principal__artifact__network - - dimension: principal__artifact__network__dns { - hidden: yes - } # dimension principal__artifact__network__dns - - dimension: principal__artifact__network__dns__answers { - hidden: yes - } # dimension principal__artifact__network__dns__answers - - dimension: principal__artifact__network__http { - hidden: yes - } # dimension principal__artifact__network__http - - dimension: principal__artifact__network__http__method { - type: string - sql: ${TABLE}.principal.artifact.network.http.method ;; - group_label: "principal" - label: "principal.artifact.network.http.method" - view_label: "UDM" - description: "The HTTP request method (e.g. \"GET\", \"POST\", \"PATCH\", \"DELETE\")." 
- } # dimension principal__artifact__network__http__method - - dimension: principal__artifact__prevalence { - hidden: yes - } # dimension principal__artifact__prevalence - - dimension: principal__artifact__prevalence__day_count { - type: number - sql: ${TABLE}.principal.artifact.prevalence.day_count ;; - group_label: "principal" - label: "principal.artifact.prevalence.day_count" - view_label: "UDM" - description: "The number of days over which rolling_max is calculated." - } # dimension principal__artifact__prevalence__day_count - - dimension: principal__asset { - hidden: yes - } # dimension principal__asset - - dimension: principal__asset__asset_id { - type: string - sql: ${TABLE}.principal.asset.asset_id ;; - group_label: "principal" - label: "principal.asset.asset_id" - view_label: "UDM" - description: "The asset ID." - } # dimension principal__asset__asset_id - - dimension: principal__asset__attribute { - hidden: yes - } # dimension principal__asset__attribute - - dimension: principal__asset__attribute__cloud { - hidden: yes - } # dimension principal__asset__attribute__cloud - - dimension: principal__asset__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.principal.asset.attribute.cloud.availability_zone ;; - group_label: "principal" - label: "principal.asset.attribute.cloud.availability_zone" - view_label: "UDM" - description: "The cloud environment availability zone (different from region which is location.name)." - } # dimension principal__asset__attribute__cloud__availability_zone - - dimension: principal__asset__attribute__cloud__environment { - type: number - sql: ${TABLE}.principal.asset.attribute.cloud.environment ;; - group_label: "principal" - label: "principal.asset.attribute.cloud.environment" - view_label: "UDM" - description: "The Cloud environment." 
- } # dimension principal__asset__attribute__cloud__environment - - dimension: principal__asset__attribute__cloud__environment_enum_name { - type: string - suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] - sql: CASE ${TABLE}.principal.asset.attribute.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; - group_label: "principal" - label: "principal.asset.attribute.cloud.environment_enum_name" - view_label: "UDM" - description: "The Cloud environment." - } # dimension principal__asset__attribute__cloud__environment_enum_name - - dimension: principal__asset__attribute__cloud__project { - hidden: yes - } # dimension principal__asset__attribute__cloud__project - - dimension: principal__asset__attribute__cloud__project__name { - type: string - sql: ${TABLE}.principal.asset.attribute.cloud.project.name ;; - group_label: "principal" - group_item_label: "principal.asset.attribute.cloud.project.name [D]" - label: "principal.asset.attribute.cloud.project.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__asset__attribute__cloud__project__name - - dimension: principal__asset__attribute__cloud__project__resource_type { - type: number - sql: ${TABLE}.principal.asset.attribute.cloud.project.resource_type ;; - group_label: "principal" - group_item_label: "principal.asset.attribute.cloud.project.resource_type [D]" - label: "principal.asset.attribute.cloud.project.resource_type" - view_label: "UDM" - description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension principal__asset__attribute__cloud__project__resource_type - - dimension: principal__asset__attribute__cloud__project__resource_type_enum_name { - type: string - suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] - sql: CASE ${TABLE}.principal.asset.attribute.cloud.project.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; - group_label: "principal" - group_item_label: "principal.asset.attribute.cloud.project.resource_type_enum_name [D]" - label: "principal.asset.attribute.cloud.project.resource_type_enum_name" - view_label: "UDM" - description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension principal__asset__attribute__cloud__project__resource_type_enum_name - - dimension: principal__asset__attribute__cloud__vpc { - hidden: yes - } # dimension principal__asset__attribute__cloud__vpc - - dimension: principal__asset__attribute__cloud__vpc__name { - type: string - sql: ${TABLE}.principal.asset.attribute.cloud.vpc.name ;; - group_label: "principal" - group_item_label: "principal.asset.attribute.cloud.vpc.name [D]" - label: "principal.asset.attribute.cloud.vpc.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__asset__attribute__cloud__vpc__name - - dimension: principal__asset__attribute__cloud__vpc__resource_type { - type: number - sql: ${TABLE}.principal.asset.attribute.cloud.vpc.resource_type ;; - group_label: "principal" - group_item_label: "principal.asset.attribute.cloud.vpc.resource_type [D]" - label: "principal.asset.attribute.cloud.vpc.resource_type" - view_label: "UDM" - description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension principal__asset__attribute__cloud__vpc__resource_type - - dimension: principal__asset__attribute__cloud__vpc__resource_type_enum_name { - type: string - suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] - sql: CASE ${TABLE}.principal.asset.attribute.cloud.vpc.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; - group_label: "principal" - group_item_label: "principal.asset.attribute.cloud.vpc.resource_type_enum_name [D]" - label: "principal.asset.attribute.cloud.vpc.resource_type_enum_name" - view_label: "UDM" - description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension principal__asset__attribute__cloud__vpc__resource_type_enum_name - - dimension_group: principal__asset__attribute__creation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.asset.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.asset.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "principal" - label: "principal.asset.attribute.creation_time" - view_label: "UDM" - description: "Time the resource or entity was created or provisioned." - } # dimension principal__asset__attribute__creation_time - - dimension: principal__asset__attribute__labels { - hidden: yes - } # dimension principal__asset__attribute__labels - - dimension_group: principal__asset__attribute__last_update_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.asset.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.asset.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "principal" - label: "principal.asset.attribute.last_update_time" - view_label: "UDM" - description: "Time the resource or entity was last updated." - } # dimension principal__asset__attribute__last_update_time - - dimension: principal__asset__attribute__roles { - hidden: yes - } # dimension principal__asset__attribute__roles - - dimension: principal__asset__category { - type: string - sql: ${TABLE}.principal.asset.category ;; - group_label: "principal" - label: "principal.asset.category" - view_label: "UDM" - description: "The category of the asset (e.g. \"End User Asset\", \"Workstation\", \"Server\")." 
- } # dimension principal__asset__category - - dimension_group: principal__asset__creation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.asset.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.asset.creation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "principal" - group_item_label: "principal.asset.creation_time [D]" - label: "principal.asset.creation_time" - view_label: "UDM" - description: "Time the asset was created or provisioned. Deprecate: creation_time should be populated in Attribute as generic metadata. [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__asset__creation_time - - dimension: principal__asset__deployment_status { - type: number - sql: ${TABLE}.principal.asset.deployment_status ;; - group_label: "principal" - label: "principal.asset.deployment_status" - view_label: "UDM" - description: "The deployment status of the asset for device lifecycle purposes." - } # dimension principal__asset__deployment_status - - dimension: principal__asset__deployment_status_enum_name { - type: string - suggestions: ["ACTIVE", "DECOMISSIONED", "DEPLOYMENT_STATUS_UNSPECIFIED", "PENDING_DECOMISSION"] - sql: CASE ${TABLE}.principal.asset.deployment_status WHEN 0 THEN 'DEPLOYMENT_STATUS_UNSPECIFIED' WHEN 1 THEN 'ACTIVE' WHEN 2 THEN 'PENDING_DECOMISSION' WHEN 3 THEN 'DECOMISSIONED' END ;; - group_label: "principal" - label: "principal.asset.deployment_status_enum_name" - view_label: "UDM" - description: "The deployment status of the asset for device lifecycle purposes." 
- } # dimension principal__asset__deployment_status_enum_name - - dimension_group: principal__asset__first_discover_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.asset.first_discover_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.asset.first_discover_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "principal" - label: "principal.asset.first_discover_time" - view_label: "UDM" - description: "Time the asset was first discovered (by asset management/discoverability software)." - } # dimension principal__asset__first_discover_time - - dimension_group: principal__asset__first_seen_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.asset.first_seen_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.asset.first_seen_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "principal" - label: "principal.asset.first_seen_time" - view_label: "UDM" - description: "The first observed time for an asset. The value is calculated on the basis of the first time the identifier was observed." - } # dimension principal__asset__first_seen_time - - dimension: principal__asset__hardware { - hidden: yes - } # dimension principal__asset__hardware - - dimension: principal__asset__hostname { - type: string - sql: ${TABLE}.principal.asset.hostname ;; - group_label: "principal" - label: "principal.asset.hostname" - view_label: "UDM" - description: "Asset hostname or domain name field." 
- } # dimension principal__asset__hostname - - dimension: principal__asset__ip { - hidden: yes - } # dimension principal__asset__ip - - dimension: principal__asset__labels { - hidden: yes - } # dimension principal__asset__labels - - dimension_group: principal__asset__last_boot_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.asset.last_boot_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.asset.last_boot_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "principal" - label: "principal.asset.last_boot_time" - view_label: "UDM" - description: "Time the asset was last boot started." - } # dimension principal__asset__last_boot_time - - dimension_group: principal__asset__last_discover_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.asset.last_discover_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.asset.last_discover_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "principal" - label: "principal.asset.last_discover_time" - view_label: "UDM" - description: "Time the asset was last discovered (by asset management/discoverability software)." - } # dimension principal__asset__last_discover_time - - dimension: principal__asset__location { - hidden: yes - } # dimension principal__asset__location - - dimension: principal__asset__location__city { - type: string - sql: ${TABLE}.principal.asset.location.city ;; - group_label: "principal" - label: "principal.asset.location.city" - view_label: "UDM" - description: "The city." 
- } # dimension principal__asset__location__city - - dimension: principal__asset__location__country_or_region { - type: string - sql: ${TABLE}.principal.asset.location.country_or_region ;; - group_label: "principal" - label: "principal.asset.location.country_or_region" - view_label: "UDM" - description: "The country or region." - } # dimension principal__asset__location__country_or_region - - dimension: principal__asset__location__desk_name { - type: string - sql: ${TABLE}.principal.asset.location.desk_name ;; - group_label: "principal" - label: "principal.asset.location.desk_name" - view_label: "UDM" - description: "Desk name or individual location, typically for an employee in an office. (e.g. \"IN-BLR-BCPC-11-1121D\")." - } # dimension principal__asset__location__desk_name - - dimension: principal__asset__location__floor_name { - type: string - sql: ${TABLE}.principal.asset.location.floor_name ;; - group_label: "principal" - label: "principal.asset.location.floor_name" - view_label: "UDM" - description: "Floor name, number or a combination of the two for a building. (e.g. \"1-A\")." - } # dimension principal__asset__location__floor_name - - dimension: principal__asset__location__name { - type: string - sql: ${TABLE}.principal.asset.location.name ;; - group_label: "principal" - label: "principal.asset.location.name" - view_label: "UDM" - description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." 
- } # dimension principal__asset__location__name - - dimension: principal__asset__location__region_coordinates { - type: location - sql_latitude: ${TABLE}.principal.asset.location.region_coordinates.latitude ;; - sql_longitude: ${TABLE}.principal.asset.location.region_coordinates.longitude ;; - group_label: "principal" - group_item_label: "principal.asset.location.region_coordinates [L]" - label: "principal.asset.location.region_coordinates" - view_label: "UDM" - description: "Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. [L]: This is a location field and can be used in maps." - } # dimension principal__asset__location__region_coordinates - - dimension: principal__asset__location__region_latitude { - type: number - sql: ${TABLE}.principal.asset.location.region_latitude ;; - group_label: "principal" - group_item_label: "principal.asset.location.region_latitude [D]" - label: "principal.asset.location.region_latitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__asset__location__region_latitude - - dimension: principal__asset__location__region_longitude { - type: number - sql: ${TABLE}.principal.asset.location.region_longitude ;; - group_label: "principal" - group_item_label: "principal.asset.location.region_longitude [D]" - label: "principal.asset.location.region_longitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension principal__asset__location__region_longitude - - dimension: principal__asset__location__location { - type: location - sql_latitude: ${TABLE}.principal.asset.location.region_latitude ;; - sql_longitude: ${TABLE}.principal.asset.location.region_longitude ;; - group_label: "principal" - group_item_label: "principal.asset.location.location [D][L]" - label: "principal.asset.location.location" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." - } # dimension principal__asset__location__location - - dimension: principal__asset__location__state { - type: string - sql: ${TABLE}.principal.asset.location.state ;; - group_label: "principal" - label: "principal.asset.location.state" - view_label: "UDM" - description: "The state." - } # dimension principal__asset__location__state - - dimension: principal__asset__mac { - hidden: yes - } # dimension principal__asset__mac - - dimension: principal__asset__nat_ip { - hidden: yes - } # dimension principal__asset__nat_ip - - dimension: principal__asset__network_domain { - type: string - sql: ${TABLE}.principal.asset.network_domain ;; - group_label: "principal" - label: "principal.asset.network_domain" - view_label: "UDM" - description: "The network domain of the asset (e.g. \"corp.acme.com\")" - } # dimension principal__asset__network_domain - - dimension: principal__asset__platform_software { - hidden: yes - } # dimension principal__asset__platform_software - - dimension: principal__asset__platform_software__platform { - type: number - sql: ${TABLE}.principal.asset.platform_software.platform ;; - group_label: "principal" - label: "principal.asset.platform_software.platform" - view_label: "UDM" - description: "The platform operating system." 
- } # dimension principal__asset__platform_software__platform - - dimension: principal__asset__platform_software__platform_enum_name { - type: string - suggestions: ["ANDROID", "AWS", "AZURE", "CHROME_OS", "GCP", "IOS", "LINUX", "MAC", "UNKNOWN_PLATFORM", "WINDOWS"] - sql: CASE ${TABLE}.principal.asset.platform_software.platform WHEN 0 THEN 'UNKNOWN_PLATFORM' WHEN 1 THEN 'WINDOWS' WHEN 2 THEN 'MAC' WHEN 3 THEN 'LINUX' WHEN 4 THEN 'GCP' WHEN 5 THEN 'AWS' WHEN 6 THEN 'AZURE' WHEN 7 THEN 'IOS' WHEN 8 THEN 'ANDROID' WHEN 9 THEN 'CHROME_OS' END ;; - group_label: "principal" - label: "principal.asset.platform_software.platform_enum_name" - view_label: "UDM" - description: "The platform operating system." - } # dimension principal__asset__platform_software__platform_enum_name - - dimension: principal__asset__platform_software__platform_patch_level { - type: string - sql: ${TABLE}.principal.asset.platform_software.platform_patch_level ;; - group_label: "principal" - label: "principal.asset.platform_software.platform_patch_level" - view_label: "UDM" - description: "The platform software patch level ( e.g. \"Build 17134.48\", \"SP1\")." - } # dimension principal__asset__platform_software__platform_patch_level - - dimension: principal__asset__platform_software__platform_version { - type: string - sql: ${TABLE}.principal.asset.platform_software.platform_version ;; - group_label: "principal" - label: "principal.asset.platform_software.platform_version" - view_label: "UDM" - description: "The platform software version ( e.g. \"Microsoft Windows 1803\")." - } # dimension principal__asset__platform_software__platform_version - - dimension: principal__asset__product_object_id { - type: string - sql: ${TABLE}.principal.asset.product_object_id ;; - group_label: "principal" - label: "principal.asset.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID or similar)." 
- } # dimension principal__asset__product_object_id - - dimension: principal__asset__software { - hidden: yes - } # dimension principal__asset__software - - dimension_group: principal__asset__system_last_update_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.asset.system_last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.asset.system_last_update_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "principal" - label: "principal.asset.system_last_update_time" - view_label: "UDM" - description: "Time the asset system or OS was last updated. For all other operations that are not system updates (such as resizing a vm, etc.) use Attribute.last_update_time." - } # dimension principal__asset__system_last_update_time - - dimension: principal__asset__type { - type: number - sql: ${TABLE}.principal.asset.type ;; - group_label: "principal" - label: "principal.asset.type" - view_label: "UDM" - description: "The type of the asset (e.g. workstation or laptop or server)." - } # dimension principal__asset__type - - dimension: principal__asset__type_enum_name { - type: string - suggestions: ["IOT", "LAPTOP", "MOBILE", "NETWORK_ATTACHED_STORAGE", "PRINTER", "ROLE_UNSPECIFIED", "SCANNER", "SERVER", "TAPE_LIBRARY", "WORKSTATION"] - sql: CASE ${TABLE}.principal.asset.type WHEN 0 THEN 'ROLE_UNSPECIFIED' WHEN 1 THEN 'WORKSTATION' WHEN 2 THEN 'LAPTOP' WHEN 3 THEN 'IOT' WHEN 4 THEN 'NETWORK_ATTACHED_STORAGE' WHEN 5 THEN 'PRINTER' WHEN 6 THEN 'SCANNER' WHEN 7 THEN 'SERVER' WHEN 8 THEN 'TAPE_LIBRARY' WHEN 9 THEN 'MOBILE' END ;; - group_label: "principal" - label: "principal.asset.type_enum_name" - view_label: "UDM" - description: "The type of the asset (e.g. workstation or laptop or server)." 
- } # dimension principal__asset__type_enum_name - - dimension: principal__asset__vulnerabilities { - hidden: yes - } # dimension principal__asset__vulnerabilities - - dimension: principal__asset_id { - type: string - sql: ${TABLE}.principal.asset_id ;; - group_label: "principal" - label: "principal.asset_id" - view_label: "UDM" - description: "The asset ID." - } # dimension principal__asset_id - - dimension: principal__cloud { - hidden: yes - } # dimension principal__cloud - - dimension: principal__cloud__availability_zone { - type: string - sql: ${TABLE}.principal.cloud.availability_zone ;; - group_label: "principal" - group_item_label: "principal.cloud.availability_zone [D]" - label: "principal.cloud.availability_zone" - view_label: "UDM" - description: "The cloud environment availability zone (different from region which is location.name). [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__cloud__availability_zone - - dimension: principal__cloud__environment { - type: number - sql: ${TABLE}.principal.cloud.environment ;; - group_label: "principal" - group_item_label: "principal.cloud.environment [D]" - label: "principal.cloud.environment" - view_label: "UDM" - description: "The Cloud environment. [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__cloud__environment - - dimension: principal__cloud__environment_enum_name { - type: string - suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] - sql: CASE ${TABLE}.principal.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; - group_label: "principal" - group_item_label: "principal.cloud.environment_enum_name [D]" - label: "principal.cloud.environment_enum_name" - view_label: "UDM" - description: "The Cloud environment. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension principal__cloud__environment_enum_name - - dimension: principal__cloud__project { - hidden: yes - } # dimension principal__cloud__project - - dimension: principal__cloud__project__id { - type: string - sql: ${TABLE}.principal.cloud.project.id ;; - group_label: "principal" - group_item_label: "principal.cloud.project.id [D]" - label: "principal.cloud.project.id" - view_label: "UDM" - description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__cloud__project__id - - dimension: principal__cloud__project__name { - type: string - sql: ${TABLE}.principal.cloud.project.name ;; - group_label: "principal" - group_item_label: "principal.cloud.project.name [D]" - label: "principal.cloud.project.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__cloud__project__name - - dimension: principal__cloud__project__parent { - type: string - sql: ${TABLE}.principal.cloud.project.parent ;; - group_label: "principal" - group_item_label: "principal.cloud.project.parent [D]" - label: "principal.cloud.project.parent" - view_label: "UDM" - description: "The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: use resource_ancestors.name. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension principal__cloud__project__parent - - dimension: principal__cloud__project__product_object_id { - type: string - sql: ${TABLE}.principal.cloud.project.product_object_id ;; - group_label: "principal" - group_item_label: "principal.cloud.project.product_object_id [D]" - label: "principal.cloud.project.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__cloud__project__product_object_id - - dimension: principal__cloud__project__resource_subtype { - type: string - sql: ${TABLE}.principal.cloud.project.resource_subtype ;; - group_label: "principal" - group_item_label: "principal.cloud.project.resource_subtype [D]" - label: "principal.cloud.project.resource_subtype" - view_label: "UDM" - description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\"). [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__cloud__project__resource_subtype - - dimension: principal__cloud__project__type { - type: string - sql: ${TABLE}.principal.cloud.project.type ;; - group_label: "principal" - group_item_label: "principal.cloud.project.type [D]" - label: "principal.cloud.project.type" - view_label: "UDM" - description: "Deprecated: use resource_type instead. [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__cloud__project__type - - dimension: principal__cloud__vpc { - hidden: yes - } # dimension principal__cloud__vpc - - dimension: principal__cloud__vpc__id { - type: string - sql: ${TABLE}.principal.cloud.vpc.id ;; - group_label: "principal" - group_item_label: "principal.cloud.vpc.id [D]" - label: "principal.cloud.vpc.id" - view_label: "UDM" - description: "Deprecated: Use resource.name or resource.product_object_id. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension principal__cloud__vpc__id - - dimension: principal__cloud__vpc__name { - type: string - sql: ${TABLE}.principal.cloud.vpc.name ;; - group_label: "principal" - group_item_label: "principal.cloud.vpc.name [D]" - label: "principal.cloud.vpc.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__cloud__vpc__name - - dimension: principal__cloud__vpc__parent { - type: string - sql: ${TABLE}.principal.cloud.vpc.parent ;; - group_label: "principal" - group_item_label: "principal.cloud.vpc.parent [D]" - label: "principal.cloud.vpc.parent" - view_label: "UDM" - description: "The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: use resource_ancestors.name. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension principal__cloud__vpc__parent - - dimension: principal__cloud__vpc__product_object_id { - type: string - sql: ${TABLE}.principal.cloud.vpc.product_object_id ;; - group_label: "principal" - group_item_label: "principal.cloud.vpc.product_object_id [D]" - label: "principal.cloud.vpc.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__cloud__vpc__product_object_id - - dimension: principal__cloud__vpc__resource_subtype { - type: string - sql: ${TABLE}.principal.cloud.vpc.resource_subtype ;; - group_label: "principal" - group_item_label: "principal.cloud.vpc.resource_subtype [D]" - label: "principal.cloud.vpc.resource_subtype" - view_label: "UDM" - description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\"). [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__cloud__vpc__resource_subtype - - dimension: principal__cloud__vpc__resource_type { - type: number - sql: ${TABLE}.principal.cloud.vpc.resource_type ;; - group_label: "principal" - group_item_label: "principal.cloud.vpc.resource_type [D]" - label: "principal.cloud.vpc.resource_type" - view_label: "UDM" - description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension principal__cloud__vpc__resource_type - - dimension: principal__cloud__vpc__resource_type_enum_name { - type: string - suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] - sql: CASE ${TABLE}.principal.cloud.vpc.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; - group_label: "principal" - group_item_label: "principal.cloud.vpc.resource_type_enum_name [D]" - label: "principal.cloud.vpc.resource_type_enum_name" - view_label: "UDM" - description: "Resource type. [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__cloud__vpc__resource_type_enum_name - - dimension: principal__cloud__vpc__type { - type: string - sql: ${TABLE}.principal.cloud.vpc.type ;; - group_label: "principal" - group_item_label: "principal.cloud.vpc.type [D]" - label: "principal.cloud.vpc.type" - view_label: "UDM" - description: "Deprecated: use resource_type instead. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension principal__cloud__vpc__type - - dimension: principal__domain { - hidden: yes - } # dimension principal__domain - - dimension: principal__domain__admin { - hidden: yes - } # dimension principal__domain__admin - - dimension: principal__domain__admin__userid { - type: string - sql: ${TABLE}.principal.domain.admin.userid ;; - group_label: "principal" - label: "principal.domain.admin.userid" - view_label: "UDM" - description: "The ID of the user." - } # dimension principal__domain__admin__userid - - dimension: principal__domain__billing { - hidden: yes - } # dimension principal__domain__billing - - dimension: principal__domain__billing__userid { - type: string - sql: ${TABLE}.principal.domain.billing.userid ;; - group_label: "principal" - label: "principal.domain.billing.userid" - view_label: "UDM" - description: "The ID of the user." - } # dimension principal__domain__billing__userid - - dimension_group: principal__domain__first_seen_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.domain.first_seen_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.domain.first_seen_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "principal" - label: "principal.domain.first_seen_time" - view_label: "UDM" - description: "First seen timestamp of the domain in the customer's environment." 
- } # dimension principal__domain__first_seen_time - - dimension_group: principal__domain__last_seen_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.domain.last_seen_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.domain.last_seen_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "principal" - label: "principal.domain.last_seen_time" - view_label: "UDM" - description: "Last seen timestamp of the domain in the customer's environment." - } # dimension principal__domain__last_seen_time - - dimension: principal__domain__name { - type: string - sql: ${TABLE}.principal.domain.name ;; - group_label: "principal" - label: "principal.domain.name" - view_label: "UDM" - description: "The domain name." - } # dimension principal__domain__name - - dimension: principal__domain__name_server { - hidden: yes - } # dimension principal__domain__name_server - - dimension: principal__domain__prevalence { - hidden: yes - } # dimension principal__domain__prevalence - - dimension: principal__domain__prevalence__day_count { - type: number - sql: ${TABLE}.principal.domain.prevalence.day_count ;; - group_label: "principal" - label: "principal.domain.prevalence.day_count" - view_label: "UDM" - description: "The number of days over which rolling_max is calculated." - } # dimension principal__domain__prevalence__day_count - - dimension: principal__domain__prevalence__rolling_max { - type: number - sql: ${TABLE}.principal.domain.prevalence.rolling_max ;; - group_label: "principal" - label: "principal.domain.prevalence.rolling_max" - view_label: "UDM" - description: "The maximum number of assets per day accessing the resource over the trailing day_count days." 
- } # dimension principal__domain__prevalence__rolling_max - - dimension: principal__domain__tech { - hidden: yes - } # dimension principal__domain__tech - - dimension: principal__domain__tech__group_identifiers { - hidden: yes - } # dimension principal__domain__tech__group_identifiers - - dimension: principal__domain__tech__product_object_id { - type: string - sql: ${TABLE}.principal.domain.tech.product_object_id ;; - group_label: "principal" - label: "principal.domain.tech.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." - } # dimension principal__domain__tech__product_object_id - - dimension: principal__domain__whois_server { - type: string - sql: ${TABLE}.principal.domain.whois_server ;; - group_label: "principal" - label: "principal.domain.whois_server" - view_label: "UDM" - description: "Whois server name." - } # dimension principal__domain__whois_server - - dimension: principal__email { - type: string - sql: ${TABLE}.principal.email ;; - group_label: "principal" - label: "principal.email" - view_label: "UDM" - description: "Email address. Only filled in for security_result.about" - } # dimension principal__email - - dimension: principal__file { - hidden: yes - } # dimension principal__file - - dimension: principal__file__authentihash { - type: string - sql: ${TABLE}.principal.file.authentihash ;; - group_label: "principal" - label: "principal.file.authentihash" - view_label: "UDM" - description: "Authentihash of the file." - } # dimension principal__file__authentihash - - dimension: principal__file__full_path { - type: string - sql: ${TABLE}.principal.file.full_path ;; - group_label: "principal" - label: "principal.file.full_path" - view_label: "UDM" - description: "The full path identifying the location of the file on the system." 
- } # dimension principal__file__full_path - - dimension: principal__file__md5 { - type: string - sql: ${TABLE}.principal.file.md5 ;; - group_label: "principal" - label: "principal.file.md5" - view_label: "UDM" - description: "The MD5 hash of the file." - } # dimension principal__file__md5 - - dimension: principal__file__names { - hidden: yes - } # dimension principal__file__names - - dimension: principal__file__sha1 { - type: string - sql: ${TABLE}.principal.file.sha1 ;; - group_label: "principal" - label: "principal.file.sha1" - view_label: "UDM" - description: "The SHA1 hash of the file." - } # dimension principal__file__sha1 - - dimension: principal__file__sha256 { - type: string - sql: ${TABLE}.principal.file.sha256 ;; - group_label: "principal" - label: "principal.file.sha256" - view_label: "UDM" - description: "The SHA256 hash of the file." - } # dimension principal__file__sha256 - - dimension: principal__file__size { - type: number - sql: ${TABLE}.principal.file.size ;; - group_label: "principal" - label: "principal.file.size" - view_label: "UDM" - description: "The size of the file in bytes." - } # dimension principal__file__size - - dimension: principal__group { - hidden: yes - } # dimension principal__group - - dimension: principal__group__attribute { - hidden: yes - } # dimension principal__group__attribute - - dimension: principal__group__attribute__labels { - hidden: yes - } # dimension principal__group__attribute__labels - - dimension: principal__group__attribute__roles { - hidden: yes - } # dimension principal__group__attribute__roles - - dimension: principal__group__email_addresses { - hidden: yes - } # dimension principal__group__email_addresses - - dimension: principal__group__group_display_name { - type: string - sql: ${TABLE}.principal.group.group_display_name ;; - group_label: "principal" - label: "principal.group.group_display_name" - view_label: "UDM" - description: "Group display name. e.g. \"Finance\"." 
- } # dimension principal__group__group_display_name - - dimension: principal__group__product_object_id { - type: string - sql: ${TABLE}.principal.group.product_object_id ;; - group_label: "principal" - label: "principal.group.product_object_id" - view_label: "UDM" - description: "Product globally unique user object identifier, such as an LDAP Object Identifier." - } # dimension principal__group__product_object_id - - dimension: principal__group__windows_sid { - type: string - sql: ${TABLE}.principal.group.windows_sid ;; - group_label: "principal" - label: "principal.group.windows_sid" - view_label: "UDM" - description: "Microsoft Windows SID of the group." - } # dimension principal__group__windows_sid - - dimension: principal__hostname { - type: string - sql: ${TABLE}.principal.hostname ;; - group_label: "principal" - label: "principal.hostname" - view_label: "UDM" - description: "Client hostname or domain name field. Hostname also doubles as the domain for remote entities." - } # dimension principal__hostname - - dimension: principal__investigation { - hidden: yes - } # dimension principal__investigation - - dimension: principal__investigation__comments { - hidden: yes - } # dimension principal__investigation__comments - - dimension: principal__investigation__risk_score { - type: number - sql: ${TABLE}.principal.investigation.risk_score ;; - group_label: "principal" - label: "principal.investigation.risk_score" - view_label: "UDM" - description: "Risk score for a finding set by an analyst." - } # dimension principal__investigation__risk_score - - dimension: principal__investigation__root_cause { - type: string - sql: ${TABLE}.principal.investigation.root_cause ;; - group_label: "principal" - label: "principal.investigation.root_cause" - view_label: "UDM" - description: "Root cause of the Alert or Finding set by analyst." 
- } # dimension principal__investigation__root_cause - - dimension: principal__investigation__status { - type: number - sql: ${TABLE}.principal.investigation.status ;; - group_label: "principal" - label: "principal.investigation.status" - view_label: "UDM" - description: "Describes the workflow status of a finding." - } # dimension principal__investigation__status - - dimension: principal__investigation__status_enum_name { - type: string - suggestions: ["CLOSED", "NEW", "OPEN", "REVIEWED", "STATUS_UNSPECIFIED"] - sql: CASE ${TABLE}.principal.investigation.status WHEN 0 THEN 'STATUS_UNSPECIFIED' WHEN 1 THEN 'NEW' WHEN 2 THEN 'REVIEWED' WHEN 3 THEN 'CLOSED' WHEN 4 THEN 'OPEN' END ;; - group_label: "principal" - label: "principal.investigation.status_enum_name" - view_label: "UDM" - description: "Describes the workflow status of a finding." - } # dimension principal__investigation__status_enum_name - - dimension: principal__investigation__verdict { - type: number - sql: ${TABLE}.principal.investigation.verdict ;; - group_label: "principal" - label: "principal.investigation.verdict" - view_label: "UDM" - description: "Describes reason a finding investigation was resolved." - } # dimension principal__investigation__verdict - - dimension: principal__investigation__verdict_enum_name { - type: string - suggestions: ["FALSE_POSITIVE", "TRUE_POSITIVE", "VERDICT_UNSPECIFIED"] - sql: CASE ${TABLE}.principal.investigation.verdict WHEN 0 THEN 'VERDICT_UNSPECIFIED' WHEN 1 THEN 'TRUE_POSITIVE' WHEN 2 THEN 'FALSE_POSITIVE' END ;; - group_label: "principal" - label: "principal.investigation.verdict_enum_name" - view_label: "UDM" - description: "Describes reason a finding investigation was resolved." 
- } # dimension principal__investigation__verdict_enum_name - - dimension: principal__ip { - hidden: yes - } # dimension principal__ip - - dimension: principal__ip_geo_artifact { - hidden: yes - } # dimension principal__ip_geo_artifact - - dimension: principal__ip_location { - hidden: yes - } # dimension principal__ip_location - - dimension: principal__labels { - hidden: yes - } # dimension principal__labels - - dimension: principal__location { - hidden: yes - } # dimension principal__location - - dimension: principal__location__city { - type: string - sql: ${TABLE}.principal.location.city ;; - group_label: "principal" - label: "principal.location.city" - view_label: "UDM" - description: "The city." - } # dimension principal__location__city - - dimension: principal__location__country_or_region { - type: string - sql: ${TABLE}.principal.location.country_or_region ;; - group_label: "principal" - label: "principal.location.country_or_region" - view_label: "UDM" - description: "The country or region." - } # dimension principal__location__country_or_region - - dimension: principal__location__floor_name { - type: string - sql: ${TABLE}.principal.location.floor_name ;; - group_label: "principal" - label: "principal.location.floor_name" - view_label: "UDM" - description: "Floor name, number or a combination of the two for a building. (e.g. \"1-A\")." - } # dimension principal__location__floor_name - - dimension: principal__location__name { - type: string - sql: ${TABLE}.principal.location.name ;; - group_label: "principal" - label: "principal.location.name" - view_label: "UDM" - description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." 
- } # dimension principal__location__name - - dimension: principal__location__region_coordinates { - type: location - sql_latitude: ${TABLE}.principal.location.region_coordinates.latitude ;; - sql_longitude: ${TABLE}.principal.location.region_coordinates.longitude ;; - group_label: "principal" - group_item_label: "principal.location.region_coordinates [L]" - label: "principal.location.region_coordinates" - view_label: "UDM" - description: "Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. [L]: This is a location field and can be used in maps." - } # dimension principal__location__region_coordinates - - dimension: principal__location__region_latitude { - type: number - sql: ${TABLE}.principal.location.region_latitude ;; - group_label: "principal" - group_item_label: "principal.location.region_latitude [D]" - label: "principal.location.region_latitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__location__region_latitude - - dimension: principal__location__region_longitude { - type: number - sql: ${TABLE}.principal.location.region_longitude ;; - group_label: "principal" - group_item_label: "principal.location.region_longitude [D]" - label: "principal.location.region_longitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__location__region_longitude - - dimension: principal__location__location { - type: location - sql_latitude: ${TABLE}.principal.location.region_latitude ;; - sql_longitude: ${TABLE}.principal.location.region_longitude ;; - group_label: "principal" - group_item_label: "principal.location.location [D][L]" - label: "principal.location.location" - view_label: "UDM" - description: "Deprecated: use region_coordinates. 
[D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." - } # dimension principal__location__location - - dimension: principal__location__state { - type: string - sql: ${TABLE}.principal.location.state ;; - group_label: "principal" - label: "principal.location.state" - view_label: "UDM" - description: "The state." - } # dimension principal__location__state - - dimension: principal__mac { - hidden: yes - } # dimension principal__mac - - dimension: principal__namespace { - type: string - sql: ${TABLE}.principal.namespace ;; - group_label: "principal" - label: "principal.namespace" - view_label: "UDM" - description: "Namespace which the device belongs to (e.g. AD forest) Uses for this field include Microsoft Windows AD forest, name of subsidiary or acquisition, etc." - } # dimension principal__namespace - - dimension: principal__nat_ip { - hidden: yes - } # dimension principal__nat_ip - - dimension: principal__nat_port { - type: number - value_format: "#" - sql: ${TABLE}.principal.nat_port ;; - group_label: "principal" - label: "principal.nat_port" - view_label: "UDM" - description: "NAT external network port number when a specific network connection is described within an event." - } # dimension principal__nat_port - - dimension: principal__network { - hidden: yes - } # dimension principal__network - - dimension: principal__platform { - type: number - sql: ${TABLE}.principal.platform ;; - group_label: "principal" - label: "principal.platform" - view_label: "UDM" - description: "Platform." 
- } # dimension principal__platform - - dimension: principal__platform_enum_name { - type: string - suggestions: ["ANDROID", "AWS", "AZURE", "CHROME_OS", "GCP", "IOS", "LINUX", "MAC", "UNKNOWN_PLATFORM", "WINDOWS"] - sql: CASE ${TABLE}.principal.platform WHEN 0 THEN 'UNKNOWN_PLATFORM' WHEN 1 THEN 'WINDOWS' WHEN 2 THEN 'MAC' WHEN 3 THEN 'LINUX' WHEN 4 THEN 'GCP' WHEN 5 THEN 'AWS' WHEN 6 THEN 'AZURE' WHEN 7 THEN 'IOS' WHEN 8 THEN 'ANDROID' WHEN 9 THEN 'CHROME_OS' END ;; - group_label: "principal" - label: "principal.platform_enum_name" - view_label: "UDM" - description: "Platform." - } # dimension principal__platform_enum_name - - dimension: principal__platform_patch_level { - type: string - sql: ${TABLE}.principal.platform_patch_level ;; - group_label: "principal" - label: "principal.platform_patch_level" - view_label: "UDM" - description: "Platform patch level. For example, \"Build 17134.48\"" - } # dimension principal__platform_patch_level - - dimension: principal__platform_version { - type: string - sql: ${TABLE}.principal.platform_version ;; - group_label: "principal" - label: "principal.platform_version" - view_label: "UDM" - description: "Platform version. For example, \"Microsoft Windows 1803\"." - } # dimension principal__platform_version - - dimension: principal__port { - type: number - value_format: "#" - sql: ${TABLE}.principal.port ;; - group_label: "principal" - label: "principal.port" - view_label: "UDM" - description: "Source or destination network port number when a specific network connection is described within an event." - } # dimension principal__port - - dimension: principal__process { - hidden: yes - } # dimension principal__process - - dimension: principal__process__access_mask { - type: number - sql: ${TABLE}.principal.process.access_mask ;; - group_label: "principal" - label: "principal.process.access_mask" - view_label: "UDM" - description: "A bit mask representing the level of access." 
- } # dimension principal__process__access_mask - - dimension: principal__process__command_line { - type: string - sql: ${TABLE}.principal.process.command_line ;; - group_label: "principal" - label: "principal.process.command_line" - view_label: "UDM" - description: "The command line command that created the process." - } # dimension principal__process__command_line - - dimension: principal__process__command_line_history { - hidden: yes - } # dimension principal__process__command_line_history - - dimension: principal__process__file { - hidden: yes - } # dimension principal__process__file - - dimension: principal__process__file__capabilities_tags { - hidden: yes - } # dimension principal__process__file__capabilities_tags - - dimension: principal__process__file__file_metadata { - hidden: yes - } # dimension principal__process__file__file_metadata - - dimension: principal__process__file__file_metadata__pe { - hidden: yes - } # dimension principal__process__file__file_metadata__pe - - dimension: principal__process__file__file_metadata__pe__import_hash { - type: string - sql: ${TABLE}.principal.process.file.file_metadata.pe.import_hash ;; - group_label: "principal" - group_item_label: "principal.process.file.file_metadata.pe.import_hash [D]" - label: "principal.process.file.file_metadata.pe.import_hash" - view_label: "UDM" - description: "Hash of PE imports. [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__process__file__file_metadata__pe__import_hash - - dimension: principal__process__file__file_type { - type: number - sql: ${TABLE}.principal.process.file.file_type ;; - group_label: "principal" - label: "principal.process.file.file_type" - view_label: "UDM" - description: "FileType field." 
- } # dimension principal__process__file__file_type - - dimension: principal__process__file__file_type_enum_name { - type: string - suggestions: ["FILE_TYPE_ACE", "FILE_TYPE_ANDROID", "FILE_TYPE_APPLE", "FILE_TYPE_APPLEDOUBLE", "FILE_TYPE_APPLESCRIPT", "FILE_TYPE_APPLESCRIPT_COMPILED", "FILE_TYPE_APPLESINGLE", "FILE_TYPE_APPLE_PLIST", "FILE_TYPE_ARC", "FILE_TYPE_ARJ", "FILE_TYPE_ASD", "FILE_TYPE_ASF", "FILE_TYPE_AVI", "FILE_TYPE_AWK", "FILE_TYPE_BLACKHOLE", "FILE_TYPE_BMP", "FILE_TYPE_BZIP", "FILE_TYPE_C", "FILE_TYPE_CAB", "FILE_TYPE_CAP", "FILE_TYPE_CHM", "FILE_TYPE_COFF", "FILE_TYPE_COOKIE", "FILE_TYPE_CPP", "FILE_TYPE_CRX", "FILE_TYPE_DEB", "FILE_TYPE_DIB", "FILE_TYPE_DIVX", "FILE_TYPE_DMG", "FILE_TYPE_DOC", "FILE_TYPE_DOCX", "FILE_TYPE_DOS_COM", "FILE_TYPE_DOS_EXE", "FILE_TYPE_DYALOG", "FILE_TYPE_DZIP", "FILE_TYPE_EBOOK", "FILE_TYPE_ELF", "FILE_TYPE_EMAIL_TYPE", "FILE_TYPE_EMF", "FILE_TYPE_EOT", "FILE_TYPE_EPS", "FILE_TYPE_FLA", "FILE_TYPE_FLAC", "FILE_TYPE_FLC", "FILE_TYPE_FLI", "FILE_TYPE_FLV", "FILE_TYPE_FORTRAN", "FILE_TYPE_FPX", "FILE_TYPE_GIF", "FILE_TYPE_GIMP", "FILE_TYPE_GUL", "FILE_TYPE_GZIP", "FILE_TYPE_HTML", "FILE_TYPE_HWP", "FILE_TYPE_ICO", "FILE_TYPE_IN_DESIGN", "FILE_TYPE_IPHONE", "FILE_TYPE_ISOIMAGE", "FILE_TYPE_JAR", "FILE_TYPE_JAVA", "FILE_TYPE_JAVASCRIPT", "FILE_TYPE_JAVA_BYTECODE", "FILE_TYPE_JNG", "FILE_TYPE_JPEG", "FILE_TYPE_KGB", "FILE_TYPE_LATEX", "FILE_TYPE_LINUX", "FILE_TYPE_LINUX_KERNEL", "FILE_TYPE_LNK", "FILE_TYPE_MACH_O", "FILE_TYPE_MACINTOSH", "FILE_TYPE_MACINTOSH_HFS", "FILE_TYPE_MACINTOSH_LIB", "FILE_TYPE_MIDI", "FILE_TYPE_MOV", "FILE_TYPE_MP3", "FILE_TYPE_MP4", "FILE_TYPE_MPEG", "FILE_TYPE_MSCOMPRESS", "FILE_TYPE_MSI", "FILE_TYPE_NE_DLL", "FILE_TYPE_NE_EXE", "FILE_TYPE_ODF", "FILE_TYPE_ODG", "FILE_TYPE_ODP", "FILE_TYPE_ODS", "FILE_TYPE_ODT", "FILE_TYPE_OGG", "FILE_TYPE_OUTLOOK", "FILE_TYPE_PALMOS", "FILE_TYPE_PASCAL", "FILE_TYPE_PDF", "FILE_TYPE_PERL", "FILE_TYPE_PE_DLL", "FILE_TYPE_PE_EXE", "FILE_TYPE_PHP", "FILE_TYPE_PKG", 
"FILE_TYPE_PNG", "FILE_TYPE_POWERSHELL", "FILE_TYPE_PPSX", "FILE_TYPE_PPT", "FILE_TYPE_PPTX", "FILE_TYPE_PS", "FILE_TYPE_PSD", "FILE_TYPE_PYTHON", "FILE_TYPE_QUICKTIME", "FILE_TYPE_RAR", "FILE_TYPE_RM", "FILE_TYPE_ROM", "FILE_TYPE_RPM", "FILE_TYPE_RTF", "FILE_TYPE_RUBY", "FILE_TYPE_RZIP", "FILE_TYPE_SCRIPT", "FILE_TYPE_SEVENZIP", "FILE_TYPE_SHELLSCRIPT", "FILE_TYPE_SVG", "FILE_TYPE_SWF", "FILE_TYPE_SYMBIAN", "FILE_TYPE_T3GP", "FILE_TYPE_TAR", "FILE_TYPE_TARGA", "FILE_TYPE_TEXT", "FILE_TYPE_TIFF", "FILE_TYPE_TORRENT", "FILE_TYPE_TTF", "FILE_TYPE_UNSPECIFIED", "FILE_TYPE_VBA", "FILE_TYPE_WAV", "FILE_TYPE_WEBP", "FILE_TYPE_WINCE", "FILE_TYPE_WMA", "FILE_TYPE_WMV", "FILE_TYPE_WOFF", "FILE_TYPE_XLS", "FILE_TYPE_XLSX", "FILE_TYPE_XML", "FILE_TYPE_XPI", "FILE_TYPE_XWD", "FILE_TYPE_ZIP", "FILE_TYPE_ZLIB"] - sql: CASE ${TABLE}.principal.process.file.file_type WHEN 0 THEN 'FILE_TYPE_UNSPECIFIED' WHEN 1 THEN 'FILE_TYPE_PE_EXE' WHEN 2 THEN 'FILE_TYPE_PE_DLL' WHEN 3 THEN 'FILE_TYPE_MSI' WHEN 10 THEN 'FILE_TYPE_NE_EXE' WHEN 11 THEN 'FILE_TYPE_NE_DLL' WHEN 20 THEN 'FILE_TYPE_DOS_EXE' WHEN 21 THEN 'FILE_TYPE_DOS_COM' WHEN 30 THEN 'FILE_TYPE_COFF' WHEN 31 THEN 'FILE_TYPE_ELF' WHEN 32 THEN 'FILE_TYPE_LINUX_KERNEL' WHEN 33 THEN 'FILE_TYPE_RPM' WHEN 34 THEN 'FILE_TYPE_LINUX' WHEN 35 THEN 'FILE_TYPE_MACH_O' WHEN 36 THEN 'FILE_TYPE_JAVA_BYTECODE' WHEN 37 THEN 'FILE_TYPE_DMG' WHEN 38 THEN 'FILE_TYPE_DEB' WHEN 39 THEN 'FILE_TYPE_PKG' WHEN 50 THEN 'FILE_TYPE_LNK' WHEN 100 THEN 'FILE_TYPE_JPEG' WHEN 101 THEN 'FILE_TYPE_TIFF' WHEN 102 THEN 'FILE_TYPE_GIF' WHEN 103 THEN 'FILE_TYPE_PNG' WHEN 104 THEN 'FILE_TYPE_BMP' WHEN 105 THEN 'FILE_TYPE_GIMP' WHEN 106 THEN 'FILE_TYPE_IN_DESIGN' WHEN 107 THEN 'FILE_TYPE_PSD' WHEN 108 THEN 'FILE_TYPE_TARGA' WHEN 109 THEN 'FILE_TYPE_XWD' WHEN 110 THEN 'FILE_TYPE_DIB' WHEN 111 THEN 'FILE_TYPE_JNG' WHEN 112 THEN 'FILE_TYPE_ICO' WHEN 113 THEN 'FILE_TYPE_FPX' WHEN 114 THEN 'FILE_TYPE_EPS' WHEN 115 THEN 'FILE_TYPE_SVG' WHEN 116 THEN 'FILE_TYPE_EMF' WHEN 117 THEN 
'FILE_TYPE_WEBP' WHEN 150 THEN 'FILE_TYPE_OGG' WHEN 151 THEN 'FILE_TYPE_FLC' WHEN 152 THEN 'FILE_TYPE_FLI' WHEN 153 THEN 'FILE_TYPE_MP3' WHEN 154 THEN 'FILE_TYPE_FLAC' WHEN 155 THEN 'FILE_TYPE_WAV' WHEN 156 THEN 'FILE_TYPE_MIDI' WHEN 157 THEN 'FILE_TYPE_AVI' WHEN 158 THEN 'FILE_TYPE_MPEG' WHEN 159 THEN 'FILE_TYPE_QUICKTIME' WHEN 160 THEN 'FILE_TYPE_ASF' WHEN 161 THEN 'FILE_TYPE_DIVX' WHEN 162 THEN 'FILE_TYPE_FLV' WHEN 163 THEN 'FILE_TYPE_WMA' WHEN 164 THEN 'FILE_TYPE_WMV' WHEN 165 THEN 'FILE_TYPE_RM' WHEN 166 THEN 'FILE_TYPE_MOV' WHEN 167 THEN 'FILE_TYPE_MP4' WHEN 168 THEN 'FILE_TYPE_T3GP' WHEN 200 THEN 'FILE_TYPE_PDF' WHEN 201 THEN 'FILE_TYPE_PS' WHEN 202 THEN 'FILE_TYPE_DOC' WHEN 203 THEN 'FILE_TYPE_DOCX' WHEN 204 THEN 'FILE_TYPE_PPT' WHEN 205 THEN 'FILE_TYPE_PPTX' WHEN 209 THEN 'FILE_TYPE_PPSX' WHEN 206 THEN 'FILE_TYPE_XLS' WHEN 207 THEN 'FILE_TYPE_XLSX' WHEN 208 THEN 'FILE_TYPE_RTF' WHEN 250 THEN 'FILE_TYPE_ODP' WHEN 251 THEN 'FILE_TYPE_ODS' WHEN 252 THEN 'FILE_TYPE_ODT' WHEN 253 THEN 'FILE_TYPE_HWP' WHEN 254 THEN 'FILE_TYPE_GUL' WHEN 255 THEN 'FILE_TYPE_ODF' WHEN 256 THEN 'FILE_TYPE_ODG' WHEN 260 THEN 'FILE_TYPE_EBOOK' WHEN 261 THEN 'FILE_TYPE_LATEX' WHEN 262 THEN 'FILE_TYPE_TTF' WHEN 263 THEN 'FILE_TYPE_EOT' WHEN 264 THEN 'FILE_TYPE_WOFF' WHEN 265 THEN 'FILE_TYPE_CHM' WHEN 300 THEN 'FILE_TYPE_ZIP' WHEN 301 THEN 'FILE_TYPE_GZIP' WHEN 302 THEN 'FILE_TYPE_BZIP' WHEN 303 THEN 'FILE_TYPE_RZIP' WHEN 304 THEN 'FILE_TYPE_DZIP' WHEN 305 THEN 'FILE_TYPE_SEVENZIP' WHEN 306 THEN 'FILE_TYPE_CAB' WHEN 307 THEN 'FILE_TYPE_JAR' WHEN 308 THEN 'FILE_TYPE_RAR' WHEN 309 THEN 'FILE_TYPE_MSCOMPRESS' WHEN 310 THEN 'FILE_TYPE_ACE' WHEN 311 THEN 'FILE_TYPE_ARC' WHEN 312 THEN 'FILE_TYPE_ARJ' WHEN 313 THEN 'FILE_TYPE_ASD' WHEN 314 THEN 'FILE_TYPE_BLACKHOLE' WHEN 315 THEN 'FILE_TYPE_KGB' WHEN 316 THEN 'FILE_TYPE_ZLIB' WHEN 317 THEN 'FILE_TYPE_TAR' WHEN 400 THEN 'FILE_TYPE_TEXT' WHEN 401 THEN 'FILE_TYPE_SCRIPT' WHEN 402 THEN 'FILE_TYPE_PHP' WHEN 403 THEN 'FILE_TYPE_PYTHON' WHEN 404 THEN 
'FILE_TYPE_PERL' WHEN 405 THEN 'FILE_TYPE_RUBY' WHEN 406 THEN 'FILE_TYPE_C' WHEN 407 THEN 'FILE_TYPE_CPP' WHEN 408 THEN 'FILE_TYPE_JAVA' WHEN 409 THEN 'FILE_TYPE_SHELLSCRIPT' WHEN 410 THEN 'FILE_TYPE_PASCAL' WHEN 411 THEN 'FILE_TYPE_AWK' WHEN 412 THEN 'FILE_TYPE_DYALOG' WHEN 413 THEN 'FILE_TYPE_FORTRAN' WHEN 414 THEN 'FILE_TYPE_JAVASCRIPT' WHEN 415 THEN 'FILE_TYPE_POWERSHELL' WHEN 416 THEN 'FILE_TYPE_VBA' WHEN 500 THEN 'FILE_TYPE_SYMBIAN' WHEN 501 THEN 'FILE_TYPE_PALMOS' WHEN 502 THEN 'FILE_TYPE_WINCE' WHEN 503 THEN 'FILE_TYPE_ANDROID' WHEN 504 THEN 'FILE_TYPE_IPHONE' WHEN 600 THEN 'FILE_TYPE_HTML' WHEN 601 THEN 'FILE_TYPE_XML' WHEN 602 THEN 'FILE_TYPE_SWF' WHEN 603 THEN 'FILE_TYPE_FLA' WHEN 604 THEN 'FILE_TYPE_COOKIE' WHEN 605 THEN 'FILE_TYPE_TORRENT' WHEN 606 THEN 'FILE_TYPE_EMAIL_TYPE' WHEN 607 THEN 'FILE_TYPE_OUTLOOK' WHEN 700 THEN 'FILE_TYPE_CAP' WHEN 800 THEN 'FILE_TYPE_ISOIMAGE' WHEN 1000 THEN 'FILE_TYPE_APPLE' WHEN 1001 THEN 'FILE_TYPE_MACINTOSH' WHEN 1002 THEN 'FILE_TYPE_APPLESINGLE' WHEN 1003 THEN 'FILE_TYPE_APPLEDOUBLE' WHEN 1004 THEN 'FILE_TYPE_MACINTOSH_HFS' WHEN 1005 THEN 'FILE_TYPE_APPLE_PLIST' WHEN 1006 THEN 'FILE_TYPE_MACINTOSH_LIB' WHEN 1007 THEN 'FILE_TYPE_APPLESCRIPT' WHEN 1008 THEN 'FILE_TYPE_APPLESCRIPT_COMPILED' WHEN 1100 THEN 'FILE_TYPE_CRX' WHEN 1101 THEN 'FILE_TYPE_XPI' WHEN 1200 THEN 'FILE_TYPE_ROM' END ;; - group_label: "principal" - label: "principal.process.file.file_type_enum_name" - view_label: "UDM" - description: "FileType field." - } # dimension principal__process__file__file_type_enum_name - - dimension: principal__process__file__full_path { - type: string - sql: ${TABLE}.principal.process.file.full_path ;; - group_label: "principal" - label: "principal.process.file.full_path" - view_label: "UDM" - description: "The full path identifying the location of the file on the system." 
- } # dimension principal__process__file__full_path - - dimension: principal__process__file__md5 { - type: string - sql: ${TABLE}.principal.process.file.md5 ;; - group_label: "principal" - label: "principal.process.file.md5" - view_label: "UDM" - description: "The MD5 hash of the file." - } # dimension principal__process__file__md5 - - dimension: principal__process__file__mime_type { - type: string - sql: ${TABLE}.principal.process.file.mime_type ;; - group_label: "principal" - label: "principal.process.file.mime_type" - view_label: "UDM" - description: "The MIME (Multipurpose Internet Mail Extensions) type of the file, for example \"PE\", \"PDF\", \"powershell script\", etc." - } # dimension principal__process__file__mime_type - - dimension: principal__process__file__names { - hidden: yes - } # dimension principal__process__file__names - - dimension: principal__process__file__pe_file { - hidden: yes - } # dimension principal__process__file__pe_file - - dimension: principal__process__file__pe_file__signature_info { - hidden: yes - } # dimension principal__process__file__pe_file__signature_info - - dimension: principal__process__file__pe_file__signature_info__verification_message { - type: string - sql: ${TABLE}.principal.process.file.pe_file.signature_info.verification_message ;; - group_label: "principal" - group_item_label: "principal.process.file.pe_file.signature_info.verification_message [D]" - label: "principal.process.file.pe_file.signature_info.verification_message" - view_label: "UDM" - description: "Status of the certificate. Valid values are \"Signed\", \"Unsigned\" or a description of the certificate anomaly, if found. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension principal__process__file__pe_file__signature_info__verification_message - - dimension: principal__process__file__sha1 { - type: string - sql: ${TABLE}.principal.process.file.sha1 ;; - group_label: "principal" - label: "principal.process.file.sha1" - view_label: "UDM" - description: "The SHA1 hash of the file." - } # dimension principal__process__file__sha1 - - dimension: principal__process__file__sha256 { - type: string - sql: ${TABLE}.principal.process.file.sha256 ;; - group_label: "principal" - label: "principal.process.file.sha256" - view_label: "UDM" - description: "The SHA256 hash of the file." - } # dimension principal__process__file__sha256 - - dimension: principal__process__file__size { - type: number - sql: ${TABLE}.principal.process.file.size ;; - group_label: "principal" - label: "principal.process.file.size" - view_label: "UDM" - description: "The size of the file in bytes." - } # dimension principal__process__file__size - - dimension: principal__process__parent_pid { - type: string - sql: ${TABLE}.principal.process.parent_pid ;; - group_label: "principal" - group_item_label: "principal.process.parent_pid [D]" - label: "principal.process.parent_pid" - view_label: "UDM" - description: "The ID of the parent process. Deprecated: use parent_process.pid instead. [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__process__parent_pid - - dimension: principal__process__parent_process { - hidden: yes - } # dimension principal__process__parent_process - - dimension: principal__process__parent_process__command_line { - type: string - sql: ${TABLE}.principal.process.parent_process.command_line ;; - group_label: "principal" - label: "principal.process.parent_process.command_line" - view_label: "UDM" - description: "The command line command that created the process." 
- } # dimension principal__process__parent_process__command_line - - dimension: principal__process__parent_process__file { - hidden: yes - } # dimension principal__process__parent_process__file - - dimension: principal__process__parent_process__file__file_metadata { - hidden: yes - } # dimension principal__process__parent_process__file__file_metadata - - dimension: principal__process__parent_process__file__file_metadata__pe { - hidden: yes - } # dimension principal__process__parent_process__file__file_metadata__pe - - dimension: principal__process__parent_process__file__file_metadata__pe__import_hash { - type: string - sql: ${TABLE}.principal.process.parent_process.file.file_metadata.pe.import_hash ;; - group_label: "principal" - group_item_label: "principal.process.parent_process.file.file_metadata.pe.import_hash [D]" - label: "principal.process.parent_process.file.file_metadata.pe.import_hash" - view_label: "UDM" - description: "Hash of PE imports. [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__process__parent_process__file__file_metadata__pe__import_hash - - dimension: principal__process__parent_process__file__full_path { - type: string - sql: ${TABLE}.principal.process.parent_process.file.full_path ;; - group_label: "principal" - label: "principal.process.parent_process.file.full_path" - view_label: "UDM" - description: "The full path identifying the location of the file on the system." - } # dimension principal__process__parent_process__file__full_path - - dimension: principal__process__parent_process__file__md5 { - type: string - sql: ${TABLE}.principal.process.parent_process.file.md5 ;; - group_label: "principal" - label: "principal.process.parent_process.file.md5" - view_label: "UDM" - description: "The MD5 hash of the file." 
- } # dimension principal__process__parent_process__file__md5 - - dimension: principal__process__parent_process__file__mime_type { - type: string - sql: ${TABLE}.principal.process.parent_process.file.mime_type ;; - group_label: "principal" - label: "principal.process.parent_process.file.mime_type" - view_label: "UDM" - description: "The MIME (Multipurpose Internet Mail Extensions) type of the file, for example \"PE\", \"PDF\", \"powershell script\", etc." - } # dimension principal__process__parent_process__file__mime_type - - dimension: principal__process__parent_process__file__sha1 { - type: string - sql: ${TABLE}.principal.process.parent_process.file.sha1 ;; - group_label: "principal" - label: "principal.process.parent_process.file.sha1" - view_label: "UDM" - description: "The SHA1 hash of the file." - } # dimension principal__process__parent_process__file__sha1 - - dimension: principal__process__parent_process__file__sha256 { - type: string - sql: ${TABLE}.principal.process.parent_process.file.sha256 ;; - group_label: "principal" - label: "principal.process.parent_process.file.sha256" - view_label: "UDM" - description: "The SHA256 hash of the file." - } # dimension principal__process__parent_process__file__sha256 - - dimension: principal__process__parent_process__file__size { - type: number - sql: ${TABLE}.principal.process.parent_process.file.size ;; - group_label: "principal" - label: "principal.process.parent_process.file.size" - view_label: "UDM" - description: "The size of the file in bytes." - } # dimension principal__process__parent_process__file__size - - dimension: principal__process__parent_process__parent_pid { - type: string - sql: ${TABLE}.principal.process.parent_process.parent_pid ;; - group_label: "principal" - group_item_label: "principal.process.parent_process.parent_pid [D]" - label: "principal.process.parent_process.parent_pid" - view_label: "UDM" - description: "The ID of the parent process. Deprecated: use parent_process.pid instead. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension principal__process__parent_process__parent_pid - - dimension: principal__process__parent_process__pid { - type: string - sql: ${TABLE}.principal.process.parent_process.pid ;; - group_label: "principal" - label: "principal.process.parent_process.pid" - view_label: "UDM" - description: "The process ID." - } # dimension principal__process__parent_process__pid - - dimension: principal__process__parent_process__product_specific_process_id { - type: string - sql: ${TABLE}.principal.process.parent_process.product_specific_process_id ;; - group_label: "principal" - label: "principal.process.parent_process.product_specific_process_id" - view_label: "UDM" - description: "A product specific process id." - } # dimension principal__process__parent_process__product_specific_process_id - - dimension: principal__process__pid { - type: string - sql: ${TABLE}.principal.process.pid ;; - group_label: "principal" - label: "principal.process.pid" - view_label: "UDM" - description: "The process ID." - } # dimension principal__process__pid - - dimension: principal__process__product_specific_parent_process_id { - type: string - sql: ${TABLE}.principal.process.product_specific_parent_process_id ;; - group_label: "principal" - group_item_label: "principal.process.product_specific_parent_process_id [D]" - label: "principal.process.product_specific_parent_process_id" - view_label: "UDM" - description: "A product specific id for the parent process. Please use parent_process.product_specific_process_id instead. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension principal__process__product_specific_parent_process_id - - dimension: principal__process__product_specific_process_id { - type: string - sql: ${TABLE}.principal.process.product_specific_process_id ;; - group_label: "principal" - label: "principal.process.product_specific_process_id" - view_label: "UDM" - description: "A product specific process id." - } # dimension principal__process__product_specific_process_id - - dimension: principal__process_ancestors { - hidden: yes - } # dimension principal__process_ancestors - - dimension: principal__registry { - hidden: yes - } # dimension principal__registry - - dimension: principal__registry__registry_key { - type: string - sql: ${TABLE}.principal.registry.registry_key ;; - group_label: "principal" - label: "principal.registry.registry_key" - view_label: "UDM" - description: "Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...)." - } # dimension principal__registry__registry_key - - dimension: principal__registry__registry_value_data { - type: string - sql: ${TABLE}.principal.registry.registry_value_data ;; - group_label: "principal" - label: "principal.registry.registry_value_data" - view_label: "UDM" - description: "Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp)." - } # dimension principal__registry__registry_value_data - - dimension: principal__registry__registry_value_name { - type: string - sql: ${TABLE}.principal.registry.registry_value_name ;; - group_label: "principal" - label: "principal.registry.registry_value_name" - view_label: "UDM" - description: "Name of the registry value associated with an application or system component (e.g. TEMP)." 
- } # dimension principal__registry__registry_value_name - - dimension: principal__resource { - hidden: yes - } # dimension principal__resource - - dimension: principal__resource__attribute { - hidden: yes - } # dimension principal__resource__attribute - - dimension: principal__resource__attribute__cloud { - hidden: yes - } # dimension principal__resource__attribute__cloud - - dimension: principal__resource__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.principal.resource.attribute.cloud.availability_zone ;; - group_label: "principal" - label: "principal.resource.attribute.cloud.availability_zone" - view_label: "UDM" - description: "The cloud environment availability zone (different from region which is location.name)." - } # dimension principal__resource__attribute__cloud__availability_zone - - dimension: principal__resource__attribute__cloud__environment { - type: number - sql: ${TABLE}.principal.resource.attribute.cloud.environment ;; - group_label: "principal" - label: "principal.resource.attribute.cloud.environment" - view_label: "UDM" - description: "The Cloud environment." - } # dimension principal__resource__attribute__cloud__environment - - dimension: principal__resource__attribute__cloud__environment_enum_name { - type: string - suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] - sql: CASE ${TABLE}.principal.resource.attribute.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; - group_label: "principal" - label: "principal.resource.attribute.cloud.environment_enum_name" - view_label: "UDM" - description: "The Cloud environment." 
- } # dimension principal__resource__attribute__cloud__environment_enum_name - - dimension: principal__resource__attribute__cloud__project { - hidden: yes - } # dimension principal__resource__attribute__cloud__project - - dimension: principal__resource__attribute__cloud__project__name { - type: string - sql: ${TABLE}.principal.resource.attribute.cloud.project.name ;; - group_label: "principal" - group_item_label: "principal.resource.attribute.cloud.project.name [D]" - label: "principal.resource.attribute.cloud.project.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__resource__attribute__cloud__project__name - - dimension: principal__resource__attribute__cloud__project__resource_subtype { - type: string - sql: ${TABLE}.principal.resource.attribute.cloud.project.resource_subtype ;; - group_label: "principal" - group_item_label: "principal.resource.attribute.cloud.project.resource_subtype [D]" - label: "principal.resource.attribute.cloud.project.resource_subtype" - view_label: "UDM" - description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\"). 
[D]: This field is deprecated and will be removed in a future release" - } # dimension principal__resource__attribute__cloud__project__resource_subtype - - dimension_group: principal__resource__attribute__creation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.resource.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.resource.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "principal" - label: "principal.resource.attribute.creation_time" - view_label: "UDM" - description: "Time the resource or entity was created or provisioned." - } # dimension principal__resource__attribute__creation_time - - dimension: principal__resource__attribute__labels { - hidden: yes - } # dimension principal__resource__attribute__labels - - dimension_group: principal__resource__attribute__last_update_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.resource.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.resource.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "principal" - label: "principal.resource.attribute.last_update_time" - view_label: "UDM" - description: "Time the resource or entity was last updated." 
- } # dimension principal__resource__attribute__last_update_time - - dimension: principal__resource__attribute__permissions { - hidden: yes - } # dimension principal__resource__attribute__permissions - - dimension: principal__resource__attribute__roles { - hidden: yes - } # dimension principal__resource__attribute__roles - - dimension: principal__resource__id { - type: string - sql: ${TABLE}.principal.resource.id ;; - group_label: "principal" - group_item_label: "principal.resource.id [D]" - label: "principal.resource.id" - view_label: "UDM" - description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__resource__id - - dimension: principal__resource__name { - type: string - sql: ${TABLE}.principal.resource.name ;; - group_label: "principal" - label: "principal.resource.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." - } # dimension principal__resource__name - - dimension: principal__resource__parent { - type: string - sql: ${TABLE}.principal.resource.parent ;; - group_label: "principal" - group_item_label: "principal.resource.parent [D]" - label: "principal.resource.parent" - view_label: "UDM" - description: "The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: use resource_ancestors.name. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension principal__resource__parent - - dimension: principal__resource__product_object_id { - type: string - sql: ${TABLE}.principal.resource.product_object_id ;; - group_label: "principal" - label: "principal.resource.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" - } # dimension principal__resource__product_object_id - - dimension: principal__resource__resource_subtype { - type: string - sql: ${TABLE}.principal.resource.resource_subtype ;; - group_label: "principal" - label: "principal.resource.resource_subtype" - view_label: "UDM" - description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\")." - } # dimension principal__resource__resource_subtype - - dimension: principal__resource__resource_type { - type: number - sql: ${TABLE}.principal.resource.resource_type ;; - group_label: "principal" - label: "principal.resource.resource_type" - view_label: "UDM" - description: "Resource type." 
- } # dimension principal__resource__resource_type - - dimension: principal__resource__resource_type_enum_name { - type: string - suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] - sql: CASE ${TABLE}.principal.resource.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; - group_label: "principal" - label: "principal.resource.resource_type_enum_name" - view_label: "UDM" - description: "Resource type." - } # dimension principal__resource__resource_type_enum_name - - dimension: principal__resource__type { - type: string - sql: ${TABLE}.principal.resource.type ;; - group_label: "principal" - group_item_label: "principal.resource.type [D]" - label: "principal.resource.type" - view_label: "UDM" - description: "Deprecated: use resource_type instead. [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__resource__type - - dimension: principal__resource_ancestors { - hidden: yes - } # dimension principal__resource_ancestors - - dimension: principal__url { - type: string - sql: ${TABLE}.principal.url ;; - group_label: "principal" - label: "principal.url" - view_label: "UDM" - description: "The URL." 
- } # dimension principal__url - - dimension: principal__user { - hidden: yes - } # dimension principal__user - - dimension: principal__user__account_type { - type: number - sql: ${TABLE}.principal.user.account_type ;; - group_label: "principal" - label: "principal.user.account_type" - view_label: "UDM" - description: "Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/" - } # dimension principal__user__account_type - - dimension: principal__user__account_type_enum_name { - type: string - suggestions: ["ACCOUNT_TYPE_UNSPECIFIED", "CLOUD_ACCOUNT_TYPE", "DEFAULT_ACCOUNT_TYPE", "DOMAIN_ACCOUNT_TYPE", "LOCAL_ACCOUNT_TYPE", "SERVICE_ACCOUNT_TYPE"] - sql: CASE ${TABLE}.principal.user.account_type WHEN 0 THEN 'ACCOUNT_TYPE_UNSPECIFIED' WHEN 1 THEN 'DOMAIN_ACCOUNT_TYPE' WHEN 2 THEN 'LOCAL_ACCOUNT_TYPE' WHEN 3 THEN 'CLOUD_ACCOUNT_TYPE' WHEN 4 THEN 'SERVICE_ACCOUNT_TYPE' WHEN 5 THEN 'DEFAULT_ACCOUNT_TYPE' END ;; - group_label: "principal" - label: "principal.user.account_type_enum_name" - view_label: "UDM" - description: "Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/" - } # dimension principal__user__account_type_enum_name - - dimension: principal__user__attribute { - hidden: yes - } # dimension principal__user__attribute - - dimension: principal__user__attribute__cloud { - hidden: yes - } # dimension principal__user__attribute__cloud - - dimension: principal__user__attribute__cloud__environment { - type: number - sql: ${TABLE}.principal.user.attribute.cloud.environment ;; - group_label: "principal" - label: "principal.user.attribute.cloud.environment" - view_label: "UDM" - description: "The Cloud environment." 
- } # dimension principal__user__attribute__cloud__environment - - dimension: principal__user__attribute__cloud__environment_enum_name { - type: string - suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] - sql: CASE ${TABLE}.principal.user.attribute.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; - group_label: "principal" - label: "principal.user.attribute.cloud.environment_enum_name" - view_label: "UDM" - description: "The Cloud environment." - } # dimension principal__user__attribute__cloud__environment_enum_name - - dimension: principal__user__attribute__cloud__project { - hidden: yes - } # dimension principal__user__attribute__cloud__project - - dimension: principal__user__attribute__cloud__project__id { - type: string - sql: ${TABLE}.principal.user.attribute.cloud.project.id ;; - group_label: "principal" - group_item_label: "principal.user.attribute.cloud.project.id [D]" - label: "principal.user.attribute.cloud.project.id" - view_label: "UDM" - description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__user__attribute__cloud__project__id - - dimension_group: principal__user__attribute__creation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.user.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.user.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "principal" - label: "principal.user.attribute.creation_time" - view_label: "UDM" - description: "Time the resource or entity was created or provisioned." 
- } # dimension principal__user__attribute__creation_time - - dimension: principal__user__attribute__labels { - hidden: yes - } # dimension principal__user__attribute__labels - - dimension_group: principal__user__attribute__last_update_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.user.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.user.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "principal" - label: "principal.user.attribute.last_update_time" - view_label: "UDM" - description: "Time the resource or entity was last updated." - } # dimension principal__user__attribute__last_update_time - - dimension: principal__user__attribute__permissions { - hidden: yes - } # dimension principal__user__attribute__permissions - - dimension: principal__user__attribute__roles { - hidden: yes - } # dimension principal__user__attribute__roles - - dimension: principal__user__company_name { - type: string - sql: ${TABLE}.principal.user.company_name ;; - group_label: "principal" - label: "principal.user.company_name" - view_label: "UDM" - description: "User job company name." - } # dimension principal__user__company_name - - dimension: principal__user__department { - hidden: yes - } # dimension principal__user__department - - dimension: principal__user__email_addresses { - hidden: yes - } # dimension principal__user__email_addresses - - dimension: principal__user__employee_id { - type: string - sql: ${TABLE}.principal.user.employee_id ;; - group_label: "principal" - label: "principal.user.employee_id" - view_label: "UDM" - description: "Human capital management identifier." 
- } # dimension principal__user__employee_id - - dimension: principal__user__first_name { - type: string - sql: ${TABLE}.principal.user.first_name ;; - group_label: "principal" - label: "principal.user.first_name" - view_label: "UDM" - description: "First name of the user (e.g. \"John\")." - } # dimension principal__user__first_name - - dimension: principal__user__group_identifiers { - hidden: yes - } # dimension principal__user__group_identifiers - - dimension: principal__user__groupid { - type: string - sql: ${TABLE}.principal.user.groupid ;; - group_label: "principal" - group_item_label: "principal.user.groupid [D]" - label: "principal.user.groupid" - view_label: "UDM" - description: "The ID of the group that the user belongs to. Deprecated in favor of the repeated group_identifiers field. [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__user__groupid - - dimension_group: principal__user__hire_date { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.user.hire_date.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.user.hire_date.nanos, 0) / 1000) as INT64)) ;; - group_label: "principal" - label: "principal.user.hire_date" - view_label: "UDM" - description: "User job employment hire date." - } # dimension principal__user__hire_date - - dimension: principal__user__last_name { - type: string - sql: ${TABLE}.principal.user.last_name ;; - group_label: "principal" - label: "principal.user.last_name" - view_label: "UDM" - description: "Last name of the user (e.g. \"Locke\")." 
- } # dimension principal__user__last_name - - dimension: principal__user__managers { - hidden: yes - } # dimension principal__user__managers - - dimension: principal__user__office_address { - hidden: yes - } # dimension principal__user__office_address - - dimension: principal__user__office_address__city { - type: string - sql: ${TABLE}.principal.user.office_address.city ;; - group_label: "principal" - label: "principal.user.office_address.city" - view_label: "UDM" - description: "The city." - } # dimension principal__user__office_address__city - - dimension: principal__user__office_address__country_or_region { - type: string - sql: ${TABLE}.principal.user.office_address.country_or_region ;; - group_label: "principal" - label: "principal.user.office_address.country_or_region" - view_label: "UDM" - description: "The country or region." - } # dimension principal__user__office_address__country_or_region - - dimension: principal__user__office_address__desk_name { - type: string - sql: ${TABLE}.principal.user.office_address.desk_name ;; - group_label: "principal" - label: "principal.user.office_address.desk_name" - view_label: "UDM" - description: "Desk name or individual location, typically for an employee in an office. (e.g. \"IN-BLR-BCPC-11-1121D\")." - } # dimension principal__user__office_address__desk_name - - dimension: principal__user__office_address__floor_name { - type: string - sql: ${TABLE}.principal.user.office_address.floor_name ;; - group_label: "principal" - label: "principal.user.office_address.floor_name" - view_label: "UDM" - description: "Floor name, number or a combination of the two for a building. (e.g. \"1-A\")." - } # dimension principal__user__office_address__floor_name - - dimension: principal__user__office_address__name { - type: string - sql: ${TABLE}.principal.user.office_address.name ;; - group_label: "principal" - label: "principal.user.office_address.name" - view_label: "UDM" - description: "Custom location name (e.g. 
building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." - } # dimension principal__user__office_address__name - - dimension: principal__user__office_address__state { - type: string - sql: ${TABLE}.principal.user.office_address.state ;; - group_label: "principal" - label: "principal.user.office_address.state" - view_label: "UDM" - description: "The state." - } # dimension principal__user__office_address__state - - dimension: principal__user__personal_address { - hidden: yes - } # dimension principal__user__personal_address - - dimension: principal__user__personal_address__city { - type: string - sql: ${TABLE}.principal.user.personal_address.city ;; - group_label: "principal" - label: "principal.user.personal_address.city" - view_label: "UDM" - description: "The city." - } # dimension principal__user__personal_address__city - - dimension: principal__user__personal_address__country_or_region { - type: string - sql: ${TABLE}.principal.user.personal_address.country_or_region ;; - group_label: "principal" - label: "principal.user.personal_address.country_or_region" - view_label: "UDM" - description: "The country or region." - } # dimension principal__user__personal_address__country_or_region - - dimension: principal__user__personal_address__name { - type: string - sql: ${TABLE}.principal.user.personal_address.name ;; - group_label: "principal" - label: "principal.user.personal_address.name" - view_label: "UDM" - description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." - } # dimension principal__user__personal_address__name - - dimension: principal__user__personal_address__state { - type: string - sql: ${TABLE}.principal.user.personal_address.state ;; - group_label: "principal" - label: "principal.user.personal_address.state" - view_label: "UDM" - description: "The state." 
- } # dimension principal__user__personal_address__state - - dimension: principal__user__phone_numbers { - hidden: yes - } # dimension principal__user__phone_numbers - - dimension: principal__user__product_object_id { - type: string - sql: ${TABLE}.principal.user.product_object_id ;; - group_label: "principal" - label: "principal.user.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." - } # dimension principal__user__product_object_id - - dimension: principal__user__role_description { - type: string - sql: ${TABLE}.principal.user.role_description ;; - group_label: "principal" - group_item_label: "principal.user.role_description [D]" - label: "principal.user.role_description" - view_label: "UDM" - description: "System role description for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__user__role_description - - dimension: principal__user__role_name { - type: string - sql: ${TABLE}.principal.user.role_name ;; - group_label: "principal" - group_item_label: "principal.user.role_name [D]" - label: "principal.user.role_name" - view_label: "UDM" - description: "System role name for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__user__role_name - - dimension_group: principal__user__termination_date { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.principal.user.termination_date.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.principal.user.termination_date.nanos, 0) / 1000) as INT64)) ;; - group_label: "principal" - label: "principal.user.termination_date" - view_label: "UDM" - description: "User job employment termination date." 
- } # dimension principal__user__termination_date - - dimension: principal__user__time_off { - hidden: yes - } # dimension principal__user__time_off - - dimension: principal__user__title { - type: string - sql: ${TABLE}.principal.user.title ;; - group_label: "principal" - label: "principal.user.title" - view_label: "UDM" - description: "User job title." - } # dimension principal__user__title - - dimension: principal__user__user_authentication_status { - type: number - sql: ${TABLE}.principal.user.user_authentication_status ;; - group_label: "principal" - label: "principal.user.user_authentication_status" - view_label: "UDM" - description: "System authentication status for user." - } # dimension principal__user__user_authentication_status - - dimension: principal__user__user_authentication_status_enum_name { - type: string - suggestions: ["ACTIVE", "DELETED", "NO_ACTIVE_CREDENTIALS", "SUSPENDED", "UNKNOWN_AUTHENTICATION_STATUS"] - sql: CASE ${TABLE}.principal.user.user_authentication_status WHEN 0 THEN 'UNKNOWN_AUTHENTICATION_STATUS' WHEN 1 THEN 'ACTIVE' WHEN 2 THEN 'SUSPENDED' WHEN 3 THEN 'NO_ACTIVE_CREDENTIALS' WHEN 4 THEN 'DELETED' END ;; - group_label: "principal" - label: "principal.user.user_authentication_status_enum_name" - view_label: "UDM" - description: "System authentication status for user." - } # dimension principal__user__user_authentication_status_enum_name - - dimension: principal__user__user_display_name { - type: string - sql: ${TABLE}.principal.user.user_display_name ;; - group_label: "principal" - label: "principal.user.user_display_name" - view_label: "UDM" - description: "The display name of the user (e.g. \"John Locke\")." - } # dimension principal__user__user_display_name - - dimension: principal__user__user_role { - type: number - sql: ${TABLE}.principal.user.user_role ;; - group_label: "principal" - group_item_label: "principal.user.user_role [D]" - label: "principal.user.user_role" - view_label: "UDM" - description: "System role for user. 
Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__user__user_role - - dimension: principal__user__user_role_enum_name { - type: string - suggestions: ["ADMINISTRATOR", "SERVICE_ACCOUNT", "UNKNOWN_ROLE"] - sql: CASE ${TABLE}.principal.user.user_role WHEN 0 THEN 'UNKNOWN_ROLE' WHEN 1 THEN 'ADMINISTRATOR' WHEN 2 THEN 'SERVICE_ACCOUNT' END ;; - group_label: "principal" - group_item_label: "principal.user.user_role_enum_name [D]" - label: "principal.user.user_role_enum_name" - view_label: "UDM" - description: "System role for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" - } # dimension principal__user__user_role_enum_name - - dimension: principal__user__userid { - type: string - sql: ${TABLE}.principal.user.userid ;; - group_label: "principal" - label: "principal.user.userid" - view_label: "UDM" - description: "The ID of the user." - } # dimension principal__user__userid - - dimension: principal__user__windows_sid { - type: string - sql: ${TABLE}.principal.user.windows_sid ;; - group_label: "principal" - label: "principal.user.windows_sid" - view_label: "UDM" - description: "The Microsoft Windows SID of the user." - } # dimension principal__user__windows_sid - - dimension: security_result { - hidden: yes - } # dimension security_result - - dimension: src { - hidden: yes - } # dimension src - - dimension: src__administrative_domain { - type: string - sql: ${TABLE}.src.administrative_domain ;; - group_label: "src" - label: "src.administrative_domain" - view_label: "UDM" - description: "Domain which the device belongs to (for example, the Microsoft Windows domain)." - } # dimension src__administrative_domain - - dimension: src__application { - type: string - sql: ${TABLE}.src.application ;; - group_label: "src" - label: "src.application" - view_label: "UDM" - description: "The name of an application or service. 
Some SSO solutions only capture the name of a target application such as \"Atlassian\" or \"Chronicle\"." - } # dimension src__application - - dimension: src__artifact { - hidden: yes - } # dimension src__artifact - - dimension: src__artifact__ip { - type: string - sql: ${TABLE}.src.artifact.ip ;; - group_label: "src" - label: "src.artifact.ip" - view_label: "UDM" - description: "IP address of the artifact." - } # dimension src__artifact__ip - - dimension: src__artifact__network { - hidden: yes - } # dimension src__artifact__network - - dimension: src__artifact__network__dns { - hidden: yes - } # dimension src__artifact__network__dns - - dimension: src__artifact__network__dns__questions { - hidden: yes - } # dimension src__artifact__network__dns__questions - - dimension: src__artifact__network__http { - hidden: yes - } # dimension src__artifact__network__http - - dimension: src__artifact__network__http__parsed_user_agent { - hidden: yes - } # dimension src__artifact__network__http__parsed_user_agent - - dimension: src__artifact__network__http__parsed_user_agent__browser { - type: string - sql: ${TABLE}.src.artifact.network.http.parsed_user_agent.browser ;; - group_label: "src" - label: "src.artifact.network.http.parsed_user_agent.browser" - view_label: "UDM" - description: "Product brand within the family: Firefox, Netscape, Camino etc.. Or Earth, Windows-Media-Player etc.. for non-browser user agents." - } # dimension src__artifact__network__http__parsed_user_agent__browser - - dimension: src__asset { - hidden: yes - } # dimension src__asset - - dimension: src__asset__asset_id { - type: string - sql: ${TABLE}.src.asset.asset_id ;; - group_label: "src" - label: "src.asset.asset_id" - view_label: "UDM" - description: "The asset ID." 
- } # dimension src__asset__asset_id - - dimension: src__asset__attribute { - hidden: yes - } # dimension src__asset__attribute - - dimension: src__asset__attribute__cloud { - hidden: yes - } # dimension src__asset__attribute__cloud - - dimension: src__asset__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.src.asset.attribute.cloud.availability_zone ;; - group_label: "src" - label: "src.asset.attribute.cloud.availability_zone" - view_label: "UDM" - description: "The cloud environment availability zone (different from region which is location.name)." - } # dimension src__asset__attribute__cloud__availability_zone - - dimension: src__asset__attribute__cloud__environment { - type: number - sql: ${TABLE}.src.asset.attribute.cloud.environment ;; - group_label: "src" - label: "src.asset.attribute.cloud.environment" - view_label: "UDM" - description: "The Cloud environment." - } # dimension src__asset__attribute__cloud__environment - - dimension: src__asset__attribute__cloud__environment_enum_name { - type: string - suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] - sql: CASE ${TABLE}.src.asset.attribute.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; - group_label: "src" - label: "src.asset.attribute.cloud.environment_enum_name" - view_label: "UDM" - description: "The Cloud environment." 
- } # dimension src__asset__attribute__cloud__environment_enum_name - - dimension: src__asset__attribute__cloud__project { - hidden: yes - } # dimension src__asset__attribute__cloud__project - - dimension: src__asset__attribute__cloud__project__name { - type: string - sql: ${TABLE}.src.asset.attribute.cloud.project.name ;; - group_label: "src" - group_item_label: "src.asset.attribute.cloud.project.name [D]" - label: "src.asset.attribute.cloud.project.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" - } # dimension src__asset__attribute__cloud__project__name - - dimension: src__asset__attribute__cloud__project__resource_type { - type: number - sql: ${TABLE}.src.asset.attribute.cloud.project.resource_type ;; - group_label: "src" - group_item_label: "src.asset.attribute.cloud.project.resource_type [D]" - label: "src.asset.attribute.cloud.project.resource_type" - view_label: "UDM" - description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension src__asset__attribute__cloud__project__resource_type - - dimension: src__asset__attribute__cloud__project__resource_type_enum_name { - type: string - suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] - sql: CASE ${TABLE}.src.asset.attribute.cloud.project.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; - group_label: "src" - group_item_label: "src.asset.attribute.cloud.project.resource_type_enum_name [D]" - label: "src.asset.attribute.cloud.project.resource_type_enum_name" - view_label: "UDM" - description: "Resource type. [D]: This field is deprecated and will be removed in a future release" - } # dimension src__asset__attribute__cloud__project__resource_type_enum_name - - dimension: src__asset__attribute__cloud__vpc { - hidden: yes - } # dimension src__asset__attribute__cloud__vpc - - dimension: src__asset__attribute__cloud__vpc__name { - type: string - sql: ${TABLE}.src.asset.attribute.cloud.vpc.name ;; - group_label: "src" - group_item_label: "src.asset.attribute.cloud.vpc.name [D]" - label: "src.asset.attribute.cloud.vpc.name" - view_label: "UDM" - description: "The full name of the resource. 
For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" - } # dimension src__asset__attribute__cloud__vpc__name - - dimension: src__asset__attribute__cloud__vpc__resource_type { - type: number - sql: ${TABLE}.src.asset.attribute.cloud.vpc.resource_type ;; - group_label: "src" - group_item_label: "src.asset.attribute.cloud.vpc.resource_type [D]" - label: "src.asset.attribute.cloud.vpc.resource_type" - view_label: "UDM" - description: "Resource type. [D]: This field is deprecated and will be removed in a future release" - } # dimension src__asset__attribute__cloud__vpc__resource_type - - dimension: src__asset__attribute__cloud__vpc__resource_type_enum_name { - type: string - suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] - sql: CASE ${TABLE}.src.asset.attribute.cloud.vpc.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; - group_label: "src" - group_item_label: "src.asset.attribute.cloud.vpc.resource_type_enum_name [D]" - label: "src.asset.attribute.cloud.vpc.resource_type_enum_name" - view_label: "UDM" - description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension src__asset__attribute__cloud__vpc__resource_type_enum_name - - dimension_group: src__asset__attribute__creation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.asset.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.asset.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "src" - label: "src.asset.attribute.creation_time" - view_label: "UDM" - description: "Time the resource or entity was created or provisioned." - } # dimension src__asset__attribute__creation_time - - dimension: src__asset__attribute__labels { - hidden: yes - } # dimension src__asset__attribute__labels - - dimension_group: src__asset__attribute__last_update_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.asset.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.asset.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "src" - label: "src.asset.attribute.last_update_time" - view_label: "UDM" - description: "Time the resource or entity was last updated." - } # dimension src__asset__attribute__last_update_time - - dimension: src__asset__category { - type: string - sql: ${TABLE}.src.asset.category ;; - group_label: "src" - label: "src.asset.category" - view_label: "UDM" - description: "The category of the asset (e.g. \"End User Asset\", \"Workstation\", \"Server\")." - } # dimension src__asset__category - - dimension: src__asset__deployment_status { - type: number - sql: ${TABLE}.src.asset.deployment_status ;; - group_label: "src" - label: "src.asset.deployment_status" - view_label: "UDM" - description: "The deployment status of the asset for device lifecycle purposes." 
- } # dimension src__asset__deployment_status - - dimension: src__asset__deployment_status_enum_name { - type: string - suggestions: ["ACTIVE", "DECOMISSIONED", "DEPLOYMENT_STATUS_UNSPECIFIED", "PENDING_DECOMISSION"] - sql: CASE ${TABLE}.src.asset.deployment_status WHEN 0 THEN 'DEPLOYMENT_STATUS_UNSPECIFIED' WHEN 1 THEN 'ACTIVE' WHEN 2 THEN 'PENDING_DECOMISSION' WHEN 3 THEN 'DECOMISSIONED' END ;; - group_label: "src" - label: "src.asset.deployment_status_enum_name" - view_label: "UDM" - description: "The deployment status of the asset for device lifecycle purposes." - } # dimension src__asset__deployment_status_enum_name - - dimension_group: src__asset__first_discover_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.asset.first_discover_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.asset.first_discover_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "src" - label: "src.asset.first_discover_time" - view_label: "UDM" - description: "Time the asset was first discovered (by asset management/discoverability software)." - } # dimension src__asset__first_discover_time - - dimension_group: src__asset__first_seen_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.asset.first_seen_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.asset.first_seen_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "src" - label: "src.asset.first_seen_time" - view_label: "UDM" - description: "The first observed time for an asset. The value is calculated on the basis of the first time the identifier was observed." 
- } # dimension src__asset__first_seen_time - - dimension: src__asset__hardware { - hidden: yes - } # dimension src__asset__hardware - - dimension: src__asset__hostname { - type: string - sql: ${TABLE}.src.asset.hostname ;; - group_label: "src" - label: "src.asset.hostname" - view_label: "UDM" - description: "Asset hostname or domain name field." - } # dimension src__asset__hostname - - dimension: src__asset__ip { - hidden: yes - } # dimension src__asset__ip - - dimension: src__asset__labels { - hidden: yes - } # dimension src__asset__labels - - dimension_group: src__asset__last_boot_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.asset.last_boot_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.asset.last_boot_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "src" - label: "src.asset.last_boot_time" - view_label: "UDM" - description: "Time the asset was last boot started." - } # dimension src__asset__last_boot_time - - dimension_group: src__asset__last_discover_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.asset.last_discover_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.asset.last_discover_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "src" - label: "src.asset.last_discover_time" - view_label: "UDM" - description: "Time the asset was last discovered (by asset management/discoverability software)." - } # dimension src__asset__last_discover_time - - dimension: src__asset__location { - hidden: yes - } # dimension src__asset__location - - dimension: src__asset__location__city { - type: string - sql: ${TABLE}.src.asset.location.city ;; - group_label: "src" - label: "src.asset.location.city" - view_label: "UDM" - description: "The city." 
- } # dimension src__asset__location__city - - dimension: src__asset__location__country_or_region { - type: string - sql: ${TABLE}.src.asset.location.country_or_region ;; - group_label: "src" - label: "src.asset.location.country_or_region" - view_label: "UDM" - description: "The country or region." - } # dimension src__asset__location__country_or_region - - dimension: src__asset__location__floor_name { - type: string - sql: ${TABLE}.src.asset.location.floor_name ;; - group_label: "src" - label: "src.asset.location.floor_name" - view_label: "UDM" - description: "Floor name, number or a combination of the two for a building. (e.g. \"1-A\")." - } # dimension src__asset__location__floor_name - - dimension: src__asset__location__name { - type: string - sql: ${TABLE}.src.asset.location.name ;; - group_label: "src" - label: "src.asset.location.name" - view_label: "UDM" - description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." - } # dimension src__asset__location__name - - dimension: src__asset__location__region_latitude { - type: number - sql: ${TABLE}.src.asset.location.region_latitude ;; - group_label: "src" - group_item_label: "src.asset.location.region_latitude [D]" - label: "src.asset.location.region_latitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" - } # dimension src__asset__location__region_latitude - - dimension: src__asset__location__region_longitude { - type: number - sql: ${TABLE}.src.asset.location.region_longitude ;; - group_label: "src" - group_item_label: "src.asset.location.region_longitude [D]" - label: "src.asset.location.region_longitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension src__asset__location__region_longitude - - dimension: src__asset__location__location { - type: location - sql_latitude: ${TABLE}.src.asset.location.region_latitude ;; - sql_longitude: ${TABLE}.src.asset.location.region_longitude ;; - group_label: "src" - group_item_label: "src.asset.location.location [D][L]" - label: "src.asset.location.location" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." - } # dimension src__asset__location__location - - dimension: src__asset__location__state { - type: string - sql: ${TABLE}.src.asset.location.state ;; - group_label: "src" - label: "src.asset.location.state" - view_label: "UDM" - description: "The state." - } # dimension src__asset__location__state - - dimension: src__asset__mac { - hidden: yes - } # dimension src__asset__mac - - dimension: src__asset__nat_ip { - hidden: yes - } # dimension src__asset__nat_ip - - dimension: src__asset__network_domain { - type: string - sql: ${TABLE}.src.asset.network_domain ;; - group_label: "src" - label: "src.asset.network_domain" - view_label: "UDM" - description: "The network domain of the asset (e.g. \"corp.acme.com\")" - } # dimension src__asset__network_domain - - dimension: src__asset__platform_software { - hidden: yes - } # dimension src__asset__platform_software - - dimension: src__asset__platform_software__platform { - type: number - sql: ${TABLE}.src.asset.platform_software.platform ;; - group_label: "src" - label: "src.asset.platform_software.platform" - view_label: "UDM" - description: "The platform operating system." 
- } # dimension src__asset__platform_software__platform - - dimension: src__asset__platform_software__platform_enum_name { - type: string - suggestions: ["ANDROID", "AWS", "AZURE", "CHROME_OS", "GCP", "IOS", "LINUX", "MAC", "UNKNOWN_PLATFORM", "WINDOWS"] - sql: CASE ${TABLE}.src.asset.platform_software.platform WHEN 0 THEN 'UNKNOWN_PLATFORM' WHEN 1 THEN 'WINDOWS' WHEN 2 THEN 'MAC' WHEN 3 THEN 'LINUX' WHEN 4 THEN 'GCP' WHEN 5 THEN 'AWS' WHEN 6 THEN 'AZURE' WHEN 7 THEN 'IOS' WHEN 8 THEN 'ANDROID' WHEN 9 THEN 'CHROME_OS' END ;; - group_label: "src" - label: "src.asset.platform_software.platform_enum_name" - view_label: "UDM" - description: "The platform operating system." - } # dimension src__asset__platform_software__platform_enum_name - - dimension: src__asset__platform_software__platform_patch_level { - type: string - sql: ${TABLE}.src.asset.platform_software.platform_patch_level ;; - group_label: "src" - label: "src.asset.platform_software.platform_patch_level" - view_label: "UDM" - description: "The platform software patch level ( e.g. \"Build 17134.48\", \"SP1\")." - } # dimension src__asset__platform_software__platform_patch_level - - dimension: src__asset__platform_software__platform_version { - type: string - sql: ${TABLE}.src.asset.platform_software.platform_version ;; - group_label: "src" - label: "src.asset.platform_software.platform_version" - view_label: "UDM" - description: "The platform software version ( e.g. \"Microsoft Windows 1803\")." - } # dimension src__asset__platform_software__platform_version - - dimension: src__asset__product_object_id { - type: string - sql: ${TABLE}.src.asset.product_object_id ;; - group_label: "src" - label: "src.asset.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID or similar)." 
- } # dimension src__asset__product_object_id - - dimension: src__asset__software { - hidden: yes - } # dimension src__asset__software - - dimension_group: src__asset__system_last_update_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.asset.system_last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.asset.system_last_update_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "src" - label: "src.asset.system_last_update_time" - view_label: "UDM" - description: "Time the asset system or OS was last updated. For all other operations that are not system updates (such as resizing a vm, etc.) use Attribute.last_update_time." - } # dimension src__asset__system_last_update_time - - dimension: src__asset__type { - type: number - sql: ${TABLE}.src.asset.type ;; - group_label: "src" - label: "src.asset.type" - view_label: "UDM" - description: "The type of the asset (e.g. workstation or laptop or server)." - } # dimension src__asset__type - - dimension: src__asset__type_enum_name { - type: string - suggestions: ["IOT", "LAPTOP", "MOBILE", "NETWORK_ATTACHED_STORAGE", "PRINTER", "ROLE_UNSPECIFIED", "SCANNER", "SERVER", "TAPE_LIBRARY", "WORKSTATION"] - sql: CASE ${TABLE}.src.asset.type WHEN 0 THEN 'ROLE_UNSPECIFIED' WHEN 1 THEN 'WORKSTATION' WHEN 2 THEN 'LAPTOP' WHEN 3 THEN 'IOT' WHEN 4 THEN 'NETWORK_ATTACHED_STORAGE' WHEN 5 THEN 'PRINTER' WHEN 6 THEN 'SCANNER' WHEN 7 THEN 'SERVER' WHEN 8 THEN 'TAPE_LIBRARY' WHEN 9 THEN 'MOBILE' END ;; - group_label: "src" - label: "src.asset.type_enum_name" - view_label: "UDM" - description: "The type of the asset (e.g. workstation or laptop or server)." 
- } # dimension src__asset__type_enum_name - - dimension: src__asset__vulnerabilities { - hidden: yes - } # dimension src__asset__vulnerabilities - - dimension: src__asset_id { - type: string - sql: ${TABLE}.src.asset_id ;; - group_label: "src" - label: "src.asset_id" - view_label: "UDM" - description: "The asset ID." - } # dimension src__asset_id - - dimension: src__cloud { - hidden: yes - } # dimension src__cloud - - dimension: src__cloud__availability_zone { - type: string - sql: ${TABLE}.src.cloud.availability_zone ;; - group_label: "src" - group_item_label: "src.cloud.availability_zone [D]" - label: "src.cloud.availability_zone" - view_label: "UDM" - description: "The cloud environment availability zone (different from region which is location.name). [D]: This field is deprecated and will be removed in a future release" - } # dimension src__cloud__availability_zone - - dimension: src__cloud__project { - hidden: yes - } # dimension src__cloud__project - - dimension: src__cloud__project__id { - type: string - sql: ${TABLE}.src.cloud.project.id ;; - group_label: "src" - group_item_label: "src.cloud.project.id [D]" - label: "src.cloud.project.id" - view_label: "UDM" - description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" - } # dimension src__cloud__project__id - - dimension: src__domain { - hidden: yes - } # dimension src__domain - - dimension: src__domain__name { - type: string - sql: ${TABLE}.src.domain.name ;; - group_label: "src" - label: "src.domain.name" - view_label: "UDM" - description: "The domain name." - } # dimension src__domain__name - - dimension: src__domain__status { - type: string - sql: ${TABLE}.src.domain.status ;; - group_label: "src" - label: "src.domain.status" - view_label: "UDM" - description: "Domain status. 
See https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en for meanings of possible values" - } # dimension src__domain__status - - dimension: src__email { - type: string - sql: ${TABLE}.src.email ;; - group_label: "src" - label: "src.email" - view_label: "UDM" - description: "Email address. Only filled in for security_result.about" - } # dimension src__email - - dimension: src__file { - hidden: yes - } # dimension src__file - - dimension: src__file__ahash { - type: string - sql: ${TABLE}.src.file.ahash ;; - group_label: "src" - group_item_label: "src.file.ahash [D]" - label: "src.file.ahash" - view_label: "UDM" - description: "Deprecated. Use authentihash instead. [D]: This field is deprecated and will be removed in a future release" - } # dimension src__file__ahash - - dimension: src__file__capabilities_tags { - hidden: yes - } # dimension src__file__capabilities_tags - - dimension: src__file__embedded_domains { - hidden: yes - } # dimension src__file__embedded_domains - - dimension: src__file__embedded_ips { - hidden: yes - } # dimension src__file__embedded_ips - - dimension: src__file__embedded_urls { - hidden: yes - } # dimension src__file__embedded_urls - - dimension: src__file__file_type { - type: number - sql: ${TABLE}.src.file.file_type ;; - group_label: "src" - label: "src.file.file_type" - view_label: "UDM" - description: "FileType field." 
- } # dimension src__file__file_type - - dimension: src__file__file_type_enum_name { - type: string - suggestions: ["FILE_TYPE_ACE", "FILE_TYPE_ANDROID", "FILE_TYPE_APPLE", "FILE_TYPE_APPLEDOUBLE", "FILE_TYPE_APPLESCRIPT", "FILE_TYPE_APPLESCRIPT_COMPILED", "FILE_TYPE_APPLESINGLE", "FILE_TYPE_APPLE_PLIST", "FILE_TYPE_ARC", "FILE_TYPE_ARJ", "FILE_TYPE_ASD", "FILE_TYPE_ASF", "FILE_TYPE_AVI", "FILE_TYPE_AWK", "FILE_TYPE_BLACKHOLE", "FILE_TYPE_BMP", "FILE_TYPE_BZIP", "FILE_TYPE_C", "FILE_TYPE_CAB", "FILE_TYPE_CAP", "FILE_TYPE_CHM", "FILE_TYPE_COFF", "FILE_TYPE_COOKIE", "FILE_TYPE_CPP", "FILE_TYPE_CRX", "FILE_TYPE_DEB", "FILE_TYPE_DIB", "FILE_TYPE_DIVX", "FILE_TYPE_DMG", "FILE_TYPE_DOC", "FILE_TYPE_DOCX", "FILE_TYPE_DOS_COM", "FILE_TYPE_DOS_EXE", "FILE_TYPE_DYALOG", "FILE_TYPE_DZIP", "FILE_TYPE_EBOOK", "FILE_TYPE_ELF", "FILE_TYPE_EMAIL_TYPE", "FILE_TYPE_EMF", "FILE_TYPE_EOT", "FILE_TYPE_EPS", "FILE_TYPE_FLA", "FILE_TYPE_FLAC", "FILE_TYPE_FLC", "FILE_TYPE_FLI", "FILE_TYPE_FLV", "FILE_TYPE_FORTRAN", "FILE_TYPE_FPX", "FILE_TYPE_GIF", "FILE_TYPE_GIMP", "FILE_TYPE_GUL", "FILE_TYPE_GZIP", "FILE_TYPE_HTML", "FILE_TYPE_HWP", "FILE_TYPE_ICO", "FILE_TYPE_IN_DESIGN", "FILE_TYPE_IPHONE", "FILE_TYPE_ISOIMAGE", "FILE_TYPE_JAR", "FILE_TYPE_JAVA", "FILE_TYPE_JAVASCRIPT", "FILE_TYPE_JAVA_BYTECODE", "FILE_TYPE_JNG", "FILE_TYPE_JPEG", "FILE_TYPE_KGB", "FILE_TYPE_LATEX", "FILE_TYPE_LINUX", "FILE_TYPE_LINUX_KERNEL", "FILE_TYPE_LNK", "FILE_TYPE_MACH_O", "FILE_TYPE_MACINTOSH", "FILE_TYPE_MACINTOSH_HFS", "FILE_TYPE_MACINTOSH_LIB", "FILE_TYPE_MIDI", "FILE_TYPE_MOV", "FILE_TYPE_MP3", "FILE_TYPE_MP4", "FILE_TYPE_MPEG", "FILE_TYPE_MSCOMPRESS", "FILE_TYPE_MSI", "FILE_TYPE_NE_DLL", "FILE_TYPE_NE_EXE", "FILE_TYPE_ODF", "FILE_TYPE_ODG", "FILE_TYPE_ODP", "FILE_TYPE_ODS", "FILE_TYPE_ODT", "FILE_TYPE_OGG", "FILE_TYPE_OUTLOOK", "FILE_TYPE_PALMOS", "FILE_TYPE_PASCAL", "FILE_TYPE_PDF", "FILE_TYPE_PERL", "FILE_TYPE_PE_DLL", "FILE_TYPE_PE_EXE", "FILE_TYPE_PHP", "FILE_TYPE_PKG", "FILE_TYPE_PNG", 
"FILE_TYPE_POWERSHELL", "FILE_TYPE_PPSX", "FILE_TYPE_PPT", "FILE_TYPE_PPTX", "FILE_TYPE_PS", "FILE_TYPE_PSD", "FILE_TYPE_PYTHON", "FILE_TYPE_QUICKTIME", "FILE_TYPE_RAR", "FILE_TYPE_RM", "FILE_TYPE_ROM", "FILE_TYPE_RPM", "FILE_TYPE_RTF", "FILE_TYPE_RUBY", "FILE_TYPE_RZIP", "FILE_TYPE_SCRIPT", "FILE_TYPE_SEVENZIP", "FILE_TYPE_SHELLSCRIPT", "FILE_TYPE_SVG", "FILE_TYPE_SWF", "FILE_TYPE_SYMBIAN", "FILE_TYPE_T3GP", "FILE_TYPE_TAR", "FILE_TYPE_TARGA", "FILE_TYPE_TEXT", "FILE_TYPE_TIFF", "FILE_TYPE_TORRENT", "FILE_TYPE_TTF", "FILE_TYPE_UNSPECIFIED", "FILE_TYPE_VBA", "FILE_TYPE_WAV", "FILE_TYPE_WEBP", "FILE_TYPE_WINCE", "FILE_TYPE_WMA", "FILE_TYPE_WMV", "FILE_TYPE_WOFF", "FILE_TYPE_XLS", "FILE_TYPE_XLSX", "FILE_TYPE_XML", "FILE_TYPE_XPI", "FILE_TYPE_XWD", "FILE_TYPE_ZIP", "FILE_TYPE_ZLIB"] - sql: CASE ${TABLE}.src.file.file_type WHEN 0 THEN 'FILE_TYPE_UNSPECIFIED' WHEN 1 THEN 'FILE_TYPE_PE_EXE' WHEN 2 THEN 'FILE_TYPE_PE_DLL' WHEN 3 THEN 'FILE_TYPE_MSI' WHEN 10 THEN 'FILE_TYPE_NE_EXE' WHEN 11 THEN 'FILE_TYPE_NE_DLL' WHEN 20 THEN 'FILE_TYPE_DOS_EXE' WHEN 21 THEN 'FILE_TYPE_DOS_COM' WHEN 30 THEN 'FILE_TYPE_COFF' WHEN 31 THEN 'FILE_TYPE_ELF' WHEN 32 THEN 'FILE_TYPE_LINUX_KERNEL' WHEN 33 THEN 'FILE_TYPE_RPM' WHEN 34 THEN 'FILE_TYPE_LINUX' WHEN 35 THEN 'FILE_TYPE_MACH_O' WHEN 36 THEN 'FILE_TYPE_JAVA_BYTECODE' WHEN 37 THEN 'FILE_TYPE_DMG' WHEN 38 THEN 'FILE_TYPE_DEB' WHEN 39 THEN 'FILE_TYPE_PKG' WHEN 50 THEN 'FILE_TYPE_LNK' WHEN 100 THEN 'FILE_TYPE_JPEG' WHEN 101 THEN 'FILE_TYPE_TIFF' WHEN 102 THEN 'FILE_TYPE_GIF' WHEN 103 THEN 'FILE_TYPE_PNG' WHEN 104 THEN 'FILE_TYPE_BMP' WHEN 105 THEN 'FILE_TYPE_GIMP' WHEN 106 THEN 'FILE_TYPE_IN_DESIGN' WHEN 107 THEN 'FILE_TYPE_PSD' WHEN 108 THEN 'FILE_TYPE_TARGA' WHEN 109 THEN 'FILE_TYPE_XWD' WHEN 110 THEN 'FILE_TYPE_DIB' WHEN 111 THEN 'FILE_TYPE_JNG' WHEN 112 THEN 'FILE_TYPE_ICO' WHEN 113 THEN 'FILE_TYPE_FPX' WHEN 114 THEN 'FILE_TYPE_EPS' WHEN 115 THEN 'FILE_TYPE_SVG' WHEN 116 THEN 'FILE_TYPE_EMF' WHEN 117 THEN 'FILE_TYPE_WEBP' WHEN 150 THEN 
'FILE_TYPE_OGG' WHEN 151 THEN 'FILE_TYPE_FLC' WHEN 152 THEN 'FILE_TYPE_FLI' WHEN 153 THEN 'FILE_TYPE_MP3' WHEN 154 THEN 'FILE_TYPE_FLAC' WHEN 155 THEN 'FILE_TYPE_WAV' WHEN 156 THEN 'FILE_TYPE_MIDI' WHEN 157 THEN 'FILE_TYPE_AVI' WHEN 158 THEN 'FILE_TYPE_MPEG' WHEN 159 THEN 'FILE_TYPE_QUICKTIME' WHEN 160 THEN 'FILE_TYPE_ASF' WHEN 161 THEN 'FILE_TYPE_DIVX' WHEN 162 THEN 'FILE_TYPE_FLV' WHEN 163 THEN 'FILE_TYPE_WMA' WHEN 164 THEN 'FILE_TYPE_WMV' WHEN 165 THEN 'FILE_TYPE_RM' WHEN 166 THEN 'FILE_TYPE_MOV' WHEN 167 THEN 'FILE_TYPE_MP4' WHEN 168 THEN 'FILE_TYPE_T3GP' WHEN 200 THEN 'FILE_TYPE_PDF' WHEN 201 THEN 'FILE_TYPE_PS' WHEN 202 THEN 'FILE_TYPE_DOC' WHEN 203 THEN 'FILE_TYPE_DOCX' WHEN 204 THEN 'FILE_TYPE_PPT' WHEN 205 THEN 'FILE_TYPE_PPTX' WHEN 209 THEN 'FILE_TYPE_PPSX' WHEN 206 THEN 'FILE_TYPE_XLS' WHEN 207 THEN 'FILE_TYPE_XLSX' WHEN 208 THEN 'FILE_TYPE_RTF' WHEN 250 THEN 'FILE_TYPE_ODP' WHEN 251 THEN 'FILE_TYPE_ODS' WHEN 252 THEN 'FILE_TYPE_ODT' WHEN 253 THEN 'FILE_TYPE_HWP' WHEN 254 THEN 'FILE_TYPE_GUL' WHEN 255 THEN 'FILE_TYPE_ODF' WHEN 256 THEN 'FILE_TYPE_ODG' WHEN 260 THEN 'FILE_TYPE_EBOOK' WHEN 261 THEN 'FILE_TYPE_LATEX' WHEN 262 THEN 'FILE_TYPE_TTF' WHEN 263 THEN 'FILE_TYPE_EOT' WHEN 264 THEN 'FILE_TYPE_WOFF' WHEN 265 THEN 'FILE_TYPE_CHM' WHEN 300 THEN 'FILE_TYPE_ZIP' WHEN 301 THEN 'FILE_TYPE_GZIP' WHEN 302 THEN 'FILE_TYPE_BZIP' WHEN 303 THEN 'FILE_TYPE_RZIP' WHEN 304 THEN 'FILE_TYPE_DZIP' WHEN 305 THEN 'FILE_TYPE_SEVENZIP' WHEN 306 THEN 'FILE_TYPE_CAB' WHEN 307 THEN 'FILE_TYPE_JAR' WHEN 308 THEN 'FILE_TYPE_RAR' WHEN 309 THEN 'FILE_TYPE_MSCOMPRESS' WHEN 310 THEN 'FILE_TYPE_ACE' WHEN 311 THEN 'FILE_TYPE_ARC' WHEN 312 THEN 'FILE_TYPE_ARJ' WHEN 313 THEN 'FILE_TYPE_ASD' WHEN 314 THEN 'FILE_TYPE_BLACKHOLE' WHEN 315 THEN 'FILE_TYPE_KGB' WHEN 316 THEN 'FILE_TYPE_ZLIB' WHEN 317 THEN 'FILE_TYPE_TAR' WHEN 400 THEN 'FILE_TYPE_TEXT' WHEN 401 THEN 'FILE_TYPE_SCRIPT' WHEN 402 THEN 'FILE_TYPE_PHP' WHEN 403 THEN 'FILE_TYPE_PYTHON' WHEN 404 THEN 'FILE_TYPE_PERL' WHEN 405 THEN 
'FILE_TYPE_RUBY' WHEN 406 THEN 'FILE_TYPE_C' WHEN 407 THEN 'FILE_TYPE_CPP' WHEN 408 THEN 'FILE_TYPE_JAVA' WHEN 409 THEN 'FILE_TYPE_SHELLSCRIPT' WHEN 410 THEN 'FILE_TYPE_PASCAL' WHEN 411 THEN 'FILE_TYPE_AWK' WHEN 412 THEN 'FILE_TYPE_DYALOG' WHEN 413 THEN 'FILE_TYPE_FORTRAN' WHEN 414 THEN 'FILE_TYPE_JAVASCRIPT' WHEN 415 THEN 'FILE_TYPE_POWERSHELL' WHEN 416 THEN 'FILE_TYPE_VBA' WHEN 500 THEN 'FILE_TYPE_SYMBIAN' WHEN 501 THEN 'FILE_TYPE_PALMOS' WHEN 502 THEN 'FILE_TYPE_WINCE' WHEN 503 THEN 'FILE_TYPE_ANDROID' WHEN 504 THEN 'FILE_TYPE_IPHONE' WHEN 600 THEN 'FILE_TYPE_HTML' WHEN 601 THEN 'FILE_TYPE_XML' WHEN 602 THEN 'FILE_TYPE_SWF' WHEN 603 THEN 'FILE_TYPE_FLA' WHEN 604 THEN 'FILE_TYPE_COOKIE' WHEN 605 THEN 'FILE_TYPE_TORRENT' WHEN 606 THEN 'FILE_TYPE_EMAIL_TYPE' WHEN 607 THEN 'FILE_TYPE_OUTLOOK' WHEN 700 THEN 'FILE_TYPE_CAP' WHEN 800 THEN 'FILE_TYPE_ISOIMAGE' WHEN 1000 THEN 'FILE_TYPE_APPLE' WHEN 1001 THEN 'FILE_TYPE_MACINTOSH' WHEN 1002 THEN 'FILE_TYPE_APPLESINGLE' WHEN 1003 THEN 'FILE_TYPE_APPLEDOUBLE' WHEN 1004 THEN 'FILE_TYPE_MACINTOSH_HFS' WHEN 1005 THEN 'FILE_TYPE_APPLE_PLIST' WHEN 1006 THEN 'FILE_TYPE_MACINTOSH_LIB' WHEN 1007 THEN 'FILE_TYPE_APPLESCRIPT' WHEN 1008 THEN 'FILE_TYPE_APPLESCRIPT_COMPILED' WHEN 1100 THEN 'FILE_TYPE_CRX' WHEN 1101 THEN 'FILE_TYPE_XPI' WHEN 1200 THEN 'FILE_TYPE_ROM' END ;; - group_label: "src" - label: "src.file.file_type_enum_name" - view_label: "UDM" - description: "FileType field." - } # dimension src__file__file_type_enum_name - - dimension_group: src__file__first_seen_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.file.first_seen_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.file.first_seen_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "src" - label: "src.file.first_seen_time" - view_label: "UDM" - description: "Timestamp the file was first seen in the customer's environment." 
- } # dimension src__file__first_seen_time - - dimension: src__file__full_path { - type: string - sql: ${TABLE}.src.file.full_path ;; - group_label: "src" - label: "src.file.full_path" - view_label: "UDM" - description: "The full path identifying the location of the file on the system." - } # dimension src__file__full_path - - dimension_group: src__file__last_analysis_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.file.last_analysis_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.file.last_analysis_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "src" - label: "src.file.last_analysis_time" - view_label: "UDM" - description: "Timestamp the file was last analysed." - } # dimension src__file__last_analysis_time - - dimension_group: src__file__last_modification_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.file.last_modification_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.file.last_modification_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "src" - label: "src.file.last_modification_time" - view_label: "UDM" - description: "Timestamp when the file was last updated." - } # dimension src__file__last_modification_time - - dimension_group: src__file__last_seen_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.file.last_seen_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.file.last_seen_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "src" - label: "src.file.last_seen_time" - view_label: "UDM" - description: "Timestamp the file was last seen in the customer's environment." 
- } # dimension src__file__last_seen_time - - dimension: src__file__md5 { - type: string - sql: ${TABLE}.src.file.md5 ;; - group_label: "src" - label: "src.file.md5" - view_label: "UDM" - description: "The MD5 hash of the file." - } # dimension src__file__md5 - - dimension: src__file__mime_type { - type: string - sql: ${TABLE}.src.file.mime_type ;; - group_label: "src" - label: "src.file.mime_type" - view_label: "UDM" - description: "The MIME (Multipurpose Internet Mail Extensions) type of the file, for example \"PE\", \"PDF\", \"powershell script\", etc." - } # dimension src__file__mime_type - - dimension: src__file__names { - hidden: yes - } # dimension src__file__names - - dimension: src__file__sha1 { - type: string - sql: ${TABLE}.src.file.sha1 ;; - group_label: "src" - label: "src.file.sha1" - view_label: "UDM" - description: "The SHA1 hash of the file." - } # dimension src__file__sha1 - - dimension: src__file__sha256 { - type: string - sql: ${TABLE}.src.file.sha256 ;; - group_label: "src" - label: "src.file.sha256" - view_label: "UDM" - description: "The SHA256 hash of the file." 
- } # dimension src__file__sha256 - - dimension: src__file__signature_info { - hidden: yes - } # dimension src__file__signature_info - - dimension: src__file__signature_info__codesign { - hidden: yes - } # dimension src__file__signature_info__codesign - - dimension_group: src__file__signature_info__codesign__compilation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.file.signature_info.codesign.compilation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.file.signature_info.codesign.compilation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "src" - label: "src.file.signature_info.codesign.compilation_time" - view_label: "UDM" - description: "Code sign timestamp" - } # dimension src__file__signature_info__codesign__compilation_time - - dimension: src__file__signature_info__codesign__format { - type: string - sql: ${TABLE}.src.file.signature_info.codesign.format ;; - group_label: "src" - label: "src.file.signature_info.codesign.format" - view_label: "UDM" - description: "Code sign format." - } # dimension src__file__signature_info__codesign__format - - dimension: src__file__signature_info__codesign__id { - type: string - sql: ${TABLE}.src.file.signature_info.codesign.id ;; - group_label: "src" - label: "src.file.signature_info.codesign.id" - view_label: "UDM" - description: "Code sign identifier." 
- } # dimension src__file__signature_info__codesign__id - - dimension: src__file__signature_info__sigcheck { - hidden: yes - } # dimension src__file__signature_info__sigcheck - - dimension: src__file__signature_info__sigcheck__signers { - hidden: yes - } # dimension src__file__signature_info__sigcheck__signers - - dimension: src__file__signature_info__sigcheck__verification_message { - type: string - sql: ${TABLE}.src.file.signature_info.sigcheck.verification_message ;; - group_label: "src" - label: "src.file.signature_info.sigcheck.verification_message" - view_label: "UDM" - description: "Status of the certificate. Valid values are \"Signed\", \"Unsigned\" or a description of the certificate anomaly, if found." - } # dimension src__file__signature_info__sigcheck__verification_message - - dimension: src__file__signature_info__sigcheck__verified { - type: yesno - sql: ${TABLE}.src.file.signature_info.sigcheck.verified ;; - group_label: "src" - label: "src.file.signature_info.sigcheck.verified" - view_label: "UDM" - description: "True iff verification_message == \"Signed\"" - } # dimension src__file__signature_info__sigcheck__verified - - dimension: src__file__size { - type: number - sql: ${TABLE}.src.file.size ;; - group_label: "src" - label: "src.file.size" - view_label: "UDM" - description: "The size of the file in bytes." - } # dimension src__file__size - - dimension: src__file__ssdeep { - type: string - sql: ${TABLE}.src.file.ssdeep ;; - group_label: "src" - label: "src.file.ssdeep" - view_label: "UDM" - description: "Ssdeep of the file" - } # dimension src__file__ssdeep - - dimension: src__file__tags { - hidden: yes - } # dimension src__file__tags - - dimension: src__file__vhash { - type: string - sql: ${TABLE}.src.file.vhash ;; - group_label: "src" - label: "src.file.vhash" - view_label: "UDM" - description: "Vhash of the file." 
- } # dimension src__file__vhash - - dimension: src__group { - hidden: yes - } # dimension src__group - - dimension: src__group__group_display_name { - type: string - sql: ${TABLE}.src.group.group_display_name ;; - group_label: "src" - label: "src.group.group_display_name" - view_label: "UDM" - description: "Group display name. e.g. \"Finance\"." - } # dimension src__group__group_display_name - - dimension: src__group__product_object_id { - type: string - sql: ${TABLE}.src.group.product_object_id ;; - group_label: "src" - label: "src.group.product_object_id" - view_label: "UDM" - description: "Product globally unique user object identifier, such as an LDAP Object Identifier." - } # dimension src__group__product_object_id - - dimension: src__hostname { - type: string - sql: ${TABLE}.src.hostname ;; - group_label: "src" - label: "src.hostname" - view_label: "UDM" - description: "Client hostname or domain name field. Hostname also doubles as the domain for remote entities." - } # dimension src__hostname - - dimension: src__investigation { - hidden: yes - } # dimension src__investigation - - dimension: src__investigation__risk_score { - type: number - sql: ${TABLE}.src.investigation.risk_score ;; - group_label: "src" - label: "src.investigation.risk_score" - view_label: "UDM" - description: "Risk score for a finding set by an analyst." - } # dimension src__investigation__risk_score - - dimension: src__ip { - hidden: yes - } # dimension src__ip - - dimension: src__ip_geo_artifact { - hidden: yes - } # dimension src__ip_geo_artifact - - dimension: src__ip_location { - hidden: yes - } # dimension src__ip_location - - dimension: src__labels { - hidden: yes - } # dimension src__labels - - dimension: src__location { - hidden: yes - } # dimension src__location - - dimension: src__location__city { - type: string - sql: ${TABLE}.src.location.city ;; - group_label: "src" - label: "src.location.city" - view_label: "UDM" - description: "The city." 
- } # dimension src__location__city - - dimension: src__location__country_or_region { - type: string - sql: ${TABLE}.src.location.country_or_region ;; - group_label: "src" - label: "src.location.country_or_region" - view_label: "UDM" - description: "The country or region." - } # dimension src__location__country_or_region - - dimension: src__location__name { - type: string - sql: ${TABLE}.src.location.name ;; - group_label: "src" - label: "src.location.name" - view_label: "UDM" - description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." - } # dimension src__location__name - - dimension: src__location__region_coordinates { - type: location - sql_latitude: ${TABLE}.src.location.region_coordinates.latitude ;; - sql_longitude: ${TABLE}.src.location.region_coordinates.longitude ;; - group_label: "src" - group_item_label: "src.location.region_coordinates [L]" - label: "src.location.region_coordinates" - view_label: "UDM" - description: "Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. [L]: This is a location field and can be used in maps." - } # dimension src__location__region_coordinates - - dimension: src__location__region_latitude { - type: number - sql: ${TABLE}.src.location.region_latitude ;; - group_label: "src" - group_item_label: "src.location.region_latitude [D]" - label: "src.location.region_latitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension src__location__region_latitude - - dimension: src__location__region_longitude { - type: number - sql: ${TABLE}.src.location.region_longitude ;; - group_label: "src" - group_item_label: "src.location.region_longitude [D]" - label: "src.location.region_longitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" - } # dimension src__location__region_longitude - - dimension: src__location__location { - type: location - sql_latitude: ${TABLE}.src.location.region_latitude ;; - sql_longitude: ${TABLE}.src.location.region_longitude ;; - group_label: "src" - group_item_label: "src.location.location [D][L]" - label: "src.location.location" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." - } # dimension src__location__location - - dimension: src__location__state { - type: string - sql: ${TABLE}.src.location.state ;; - group_label: "src" - label: "src.location.state" - view_label: "UDM" - description: "The state." - } # dimension src__location__state - - dimension: src__mac { - hidden: yes - } # dimension src__mac - - dimension: src__namespace { - type: string - sql: ${TABLE}.src.namespace ;; - group_label: "src" - label: "src.namespace" - view_label: "UDM" - description: "Namespace which the device belongs to (e.g. AD forest) Uses for this field include Microsoft Windows AD forest, name of subsidiary or acquisition, etc." 
- } # dimension src__namespace - - dimension: src__nat_ip { - hidden: yes - } # dimension src__nat_ip - - dimension: src__network { - hidden: yes - } # dimension src__network - - dimension: src__network__application_protocol_version { - type: string - sql: ${TABLE}.src.network.application_protocol_version ;; - group_label: "src" - label: "src.network.application_protocol_version" - view_label: "UDM" - description: "The version of the application protocol. e.g. \"1.1, 2.0\"" - } # dimension src__network__application_protocol_version - - dimension: src__platform_version { - type: string - sql: ${TABLE}.src.platform_version ;; - group_label: "src" - label: "src.platform_version" - view_label: "UDM" - description: "Platform version. For example, \"Microsoft Windows 1803\"." - } # dimension src__platform_version - - dimension: src__port { - type: number - value_format: "#" - sql: ${TABLE}.src.port ;; - group_label: "src" - label: "src.port" - view_label: "UDM" - description: "Source or destination network port number when a specific network connection is described within an event." - } # dimension src__port - - dimension: src__process { - hidden: yes - } # dimension src__process - - dimension: src__process__command_line { - type: string - sql: ${TABLE}.src.process.command_line ;; - group_label: "src" - label: "src.process.command_line" - view_label: "UDM" - description: "The command line command that created the process." - } # dimension src__process__command_line - - dimension: src__process__file { - hidden: yes - } # dimension src__process__file - - dimension: src__process__file__full_path { - type: string - sql: ${TABLE}.src.process.file.full_path ;; - group_label: "src" - label: "src.process.file.full_path" - view_label: "UDM" - description: "The full path identifying the location of the file on the system." 
- } # dimension src__process__file__full_path - - dimension: src__process__file__md5 { - type: string - sql: ${TABLE}.src.process.file.md5 ;; - group_label: "src" - label: "src.process.file.md5" - view_label: "UDM" - description: "The MD5 hash of the file." - } # dimension src__process__file__md5 - - dimension: src__process__file__names { - hidden: yes - } # dimension src__process__file__names - - dimension: src__process__file__sha1 { - type: string - sql: ${TABLE}.src.process.file.sha1 ;; - group_label: "src" - label: "src.process.file.sha1" - view_label: "UDM" - description: "The SHA1 hash of the file." - } # dimension src__process__file__sha1 - - dimension: src__process__file__sha256 { - type: string - sql: ${TABLE}.src.process.file.sha256 ;; - group_label: "src" - label: "src.process.file.sha256" - view_label: "UDM" - description: "The SHA256 hash of the file." - } # dimension src__process__file__sha256 - - dimension: src__process__file__size { - type: number - sql: ${TABLE}.src.process.file.size ;; - group_label: "src" - label: "src.process.file.size" - view_label: "UDM" - description: "The size of the file in bytes." - } # dimension src__process__file__size - - dimension: src__process__parent_process { - hidden: yes - } # dimension src__process__parent_process - - dimension: src__process__parent_process__file { - hidden: yes - } # dimension src__process__parent_process__file - - dimension: src__process__parent_process__file__full_path { - type: string - sql: ${TABLE}.src.process.parent_process.file.full_path ;; - group_label: "src" - label: "src.process.parent_process.file.full_path" - view_label: "UDM" - description: "The full path identifying the location of the file on the system." - } # dimension src__process__parent_process__file__full_path - - dimension: src__process__pid { - type: string - sql: ${TABLE}.src.process.pid ;; - group_label: "src" - label: "src.process.pid" - view_label: "UDM" - description: "The process ID." 
- } # dimension src__process__pid - - dimension: src__process_ancestors { - hidden: yes - } # dimension src__process_ancestors - - dimension: src__registry { - hidden: yes - } # dimension src__registry - - dimension: src__registry__registry_key { - type: string - sql: ${TABLE}.src.registry.registry_key ;; - group_label: "src" - label: "src.registry.registry_key" - view_label: "UDM" - description: "Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...)." - } # dimension src__registry__registry_key - - dimension: src__registry__registry_value_data { - type: string - sql: ${TABLE}.src.registry.registry_value_data ;; - group_label: "src" - label: "src.registry.registry_value_data" - view_label: "UDM" - description: "Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp)." - } # dimension src__registry__registry_value_data - - dimension: src__registry__registry_value_name { - type: string - sql: ${TABLE}.src.registry.registry_value_name ;; - group_label: "src" - label: "src.registry.registry_value_name" - view_label: "UDM" - description: "Name of the registry value associated with an application or system component (e.g. TEMP)." - } # dimension src__registry__registry_value_name - - dimension: src__resource { - hidden: yes - } # dimension src__resource - - dimension: src__resource__attribute { - hidden: yes - } # dimension src__resource__attribute - - dimension_group: src__resource__attribute__creation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.resource.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.resource.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "src" - label: "src.resource.attribute.creation_time" - view_label: "UDM" - description: "Time the resource or entity was created or provisioned." 
- } # dimension src__resource__attribute__creation_time - - dimension: src__resource__attribute__labels { - hidden: yes - } # dimension src__resource__attribute__labels - - dimension_group: src__resource__attribute__last_update_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.resource.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.resource.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "src" - label: "src.resource.attribute.last_update_time" - view_label: "UDM" - description: "Time the resource or entity was last updated." - } # dimension src__resource__attribute__last_update_time - - dimension: src__resource__attribute__permissions { - hidden: yes - } # dimension src__resource__attribute__permissions - - dimension: src__resource__id { - type: string - sql: ${TABLE}.src.resource.id ;; - group_label: "src" - group_item_label: "src.resource.id [D]" - label: "src.resource.id" - view_label: "UDM" - description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" - } # dimension src__resource__id - - dimension: src__resource__name { - type: string - sql: ${TABLE}.src.resource.name ;; - group_label: "src" - label: "src.resource.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." - } # dimension src__resource__name - - dimension: src__resource__parent { - type: string - sql: ${TABLE}.src.resource.parent ;; - group_label: "src" - group_item_label: "src.resource.parent [D]" - label: "src.resource.parent" - view_label: "UDM" - description: "The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. 
Deprecated: use resource_ancestors.name. [D]: This field is deprecated and will be removed in a future release" - } # dimension src__resource__parent - - dimension: src__resource__product_object_id { - type: string - sql: ${TABLE}.src.resource.product_object_id ;; - group_label: "src" - label: "src.resource.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" - } # dimension src__resource__product_object_id - - dimension: src__resource__resource_subtype { - type: string - sql: ${TABLE}.src.resource.resource_subtype ;; - group_label: "src" - label: "src.resource.resource_subtype" - view_label: "UDM" - description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\")." - } # dimension src__resource__resource_subtype - - dimension: src__resource__resource_type { - type: number - sql: ${TABLE}.src.resource.resource_type ;; - group_label: "src" - label: "src.resource.resource_type" - view_label: "UDM" - description: "Resource type." 
- } # dimension src__resource__resource_type - - dimension: src__resource__resource_type_enum_name { - type: string - suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] - sql: CASE ${TABLE}.src.resource.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; - group_label: "src" - label: "src.resource.resource_type_enum_name" - view_label: "UDM" - description: "Resource type." - } # dimension src__resource__resource_type_enum_name - - dimension: src__resource__type { - type: string - sql: ${TABLE}.src.resource.type ;; - group_label: "src" - group_item_label: "src.resource.type [D]" - label: "src.resource.type" - view_label: "UDM" - description: "Deprecated: use resource_type instead. [D]: This field is deprecated and will be removed in a future release" - } # dimension src__resource__type - - dimension: src__resource_ancestors { - hidden: yes - } # dimension src__resource_ancestors - - dimension: src__url { - type: string - sql: ${TABLE}.src.url ;; - group_label: "src" - label: "src.url" - view_label: "UDM" - description: "The URL." 
- } # dimension src__url - - dimension: src__user { - hidden: yes - } # dimension src__user - - dimension: src__user__account_type { - type: number - sql: ${TABLE}.src.user.account_type ;; - group_label: "src" - label: "src.user.account_type" - view_label: "UDM" - description: "Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/" - } # dimension src__user__account_type - - dimension: src__user__account_type_enum_name { - type: string - suggestions: ["ACCOUNT_TYPE_UNSPECIFIED", "CLOUD_ACCOUNT_TYPE", "DEFAULT_ACCOUNT_TYPE", "DOMAIN_ACCOUNT_TYPE", "LOCAL_ACCOUNT_TYPE", "SERVICE_ACCOUNT_TYPE"] - sql: CASE ${TABLE}.src.user.account_type WHEN 0 THEN 'ACCOUNT_TYPE_UNSPECIFIED' WHEN 1 THEN 'DOMAIN_ACCOUNT_TYPE' WHEN 2 THEN 'LOCAL_ACCOUNT_TYPE' WHEN 3 THEN 'CLOUD_ACCOUNT_TYPE' WHEN 4 THEN 'SERVICE_ACCOUNT_TYPE' WHEN 5 THEN 'DEFAULT_ACCOUNT_TYPE' END ;; - group_label: "src" - label: "src.user.account_type_enum_name" - view_label: "UDM" - description: "Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/" - } # dimension src__user__account_type_enum_name - - dimension: src__user__attribute { - hidden: yes - } # dimension src__user__attribute - - dimension: src__user__attribute__cloud { - hidden: yes - } # dimension src__user__attribute__cloud - - dimension: src__user__attribute__cloud__project { - hidden: yes - } # dimension src__user__attribute__cloud__project - - dimension: src__user__attribute__cloud__project__name { - type: string - sql: ${TABLE}.src.user.attribute.cloud.project.name ;; - group_label: "src" - group_item_label: "src.user.attribute.cloud.project.name [D]" - label: "src.user.attribute.cloud.project.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension src__user__attribute__cloud__project__name - - dimension_group: src__user__attribute__creation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.user.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.user.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "src" - label: "src.user.attribute.creation_time" - view_label: "UDM" - description: "Time the resource or entity was created or provisioned." - } # dimension src__user__attribute__creation_time - - dimension: src__user__attribute__labels { - hidden: yes - } # dimension src__user__attribute__labels - - dimension_group: src__user__attribute__last_update_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.user.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.user.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "src" - label: "src.user.attribute.last_update_time" - view_label: "UDM" - description: "Time the resource or entity was last updated." - } # dimension src__user__attribute__last_update_time - - dimension: src__user__attribute__roles { - hidden: yes - } # dimension src__user__attribute__roles - - dimension: src__user__company_name { - type: string - sql: ${TABLE}.src.user.company_name ;; - group_label: "src" - label: "src.user.company_name" - view_label: "UDM" - description: "User job company name." 
- } # dimension src__user__company_name - - dimension: src__user__department { - hidden: yes - } # dimension src__user__department - - dimension: src__user__email_addresses { - hidden: yes - } # dimension src__user__email_addresses - - dimension: src__user__employee_id { - type: string - sql: ${TABLE}.src.user.employee_id ;; - group_label: "src" - label: "src.user.employee_id" - view_label: "UDM" - description: "Human capital management identifier." - } # dimension src__user__employee_id - - dimension: src__user__first_name { - type: string - sql: ${TABLE}.src.user.first_name ;; - group_label: "src" - label: "src.user.first_name" - view_label: "UDM" - description: "First name of the user (e.g. \"John\")." - } # dimension src__user__first_name - - dimension: src__user__group_identifiers { - hidden: yes - } # dimension src__user__group_identifiers - - dimension: src__user__groupid { - type: string - sql: ${TABLE}.src.user.groupid ;; - group_label: "src" - group_item_label: "src.user.groupid [D]" - label: "src.user.groupid" - view_label: "UDM" - description: "The ID of the group that the user belongs to. Deprecated in favor of the repeated group_identifiers field. [D]: This field is deprecated and will be removed in a future release" - } # dimension src__user__groupid - - dimension_group: src__user__hire_date { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.user.hire_date.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.user.hire_date.nanos, 0) / 1000) as INT64)) ;; - group_label: "src" - label: "src.user.hire_date" - view_label: "UDM" - description: "User job employment hire date." - } # dimension src__user__hire_date - - dimension: src__user__last_name { - type: string - sql: ${TABLE}.src.user.last_name ;; - group_label: "src" - label: "src.user.last_name" - view_label: "UDM" - description: "Last name of the user (e.g. \"Locke\")." 
- } # dimension src__user__last_name - - dimension: src__user__managers { - hidden: yes - } # dimension src__user__managers - - dimension: src__user__middle_name { - type: string - sql: ${TABLE}.src.user.middle_name ;; - group_label: "src" - label: "src.user.middle_name" - view_label: "UDM" - description: "Middle name of the user." - } # dimension src__user__middle_name - - dimension: src__user__office_address { - hidden: yes - } # dimension src__user__office_address - - dimension: src__user__office_address__city { - type: string - sql: ${TABLE}.src.user.office_address.city ;; - group_label: "src" - label: "src.user.office_address.city" - view_label: "UDM" - description: "The city." - } # dimension src__user__office_address__city - - dimension: src__user__office_address__country_or_region { - type: string - sql: ${TABLE}.src.user.office_address.country_or_region ;; - group_label: "src" - label: "src.user.office_address.country_or_region" - view_label: "UDM" - description: "The country or region." - } # dimension src__user__office_address__country_or_region - - dimension: src__user__office_address__desk_name { - type: string - sql: ${TABLE}.src.user.office_address.desk_name ;; - group_label: "src" - label: "src.user.office_address.desk_name" - view_label: "UDM" - description: "Desk name or individual location, typically for an employee in an office. (e.g. \"IN-BLR-BCPC-11-1121D\")." - } # dimension src__user__office_address__desk_name - - dimension: src__user__office_address__floor_name { - type: string - sql: ${TABLE}.src.user.office_address.floor_name ;; - group_label: "src" - label: "src.user.office_address.floor_name" - view_label: "UDM" - description: "Floor name, number or a combination of the two for a building. (e.g. \"1-A\")." 
- } # dimension src__user__office_address__floor_name - - dimension: src__user__office_address__name { - type: string - sql: ${TABLE}.src.user.office_address.name ;; - group_label: "src" - label: "src.user.office_address.name" - view_label: "UDM" - description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." - } # dimension src__user__office_address__name - - dimension: src__user__office_address__state { - type: string - sql: ${TABLE}.src.user.office_address.state ;; - group_label: "src" - label: "src.user.office_address.state" - view_label: "UDM" - description: "The state." - } # dimension src__user__office_address__state - - dimension: src__user__personal_address { - hidden: yes - } # dimension src__user__personal_address - - dimension: src__user__personal_address__city { - type: string - sql: ${TABLE}.src.user.personal_address.city ;; - group_label: "src" - label: "src.user.personal_address.city" - view_label: "UDM" - description: "The city." - } # dimension src__user__personal_address__city - - dimension: src__user__personal_address__country_or_region { - type: string - sql: ${TABLE}.src.user.personal_address.country_or_region ;; - group_label: "src" - label: "src.user.personal_address.country_or_region" - view_label: "UDM" - description: "The country or region." - } # dimension src__user__personal_address__country_or_region - - dimension: src__user__personal_address__name { - type: string - sql: ${TABLE}.src.user.personal_address.name ;; - group_label: "src" - label: "src.user.personal_address.name" - view_label: "UDM" - description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." 
- } # dimension src__user__personal_address__name - - dimension: src__user__personal_address__state { - type: string - sql: ${TABLE}.src.user.personal_address.state ;; - group_label: "src" - label: "src.user.personal_address.state" - view_label: "UDM" - description: "The state." - } # dimension src__user__personal_address__state - - dimension: src__user__phone_numbers { - hidden: yes - } # dimension src__user__phone_numbers - - dimension: src__user__product_object_id { - type: string - sql: ${TABLE}.src.user.product_object_id ;; - group_label: "src" - label: "src.user.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." - } # dimension src__user__product_object_id - - dimension: src__user__role_name { - type: string - sql: ${TABLE}.src.user.role_name ;; - group_label: "src" - group_item_label: "src.user.role_name [D]" - label: "src.user.role_name" - view_label: "UDM" - description: "System role name for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" - } # dimension src__user__role_name - - dimension_group: src__user__termination_date { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.src.user.termination_date.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.src.user.termination_date.nanos, 0) / 1000) as INT64)) ;; - group_label: "src" - label: "src.user.termination_date" - view_label: "UDM" - description: "User job employment termination date." - } # dimension src__user__termination_date - - dimension: src__user__time_off { - hidden: yes - } # dimension src__user__time_off - - dimension: src__user__title { - type: string - sql: ${TABLE}.src.user.title ;; - group_label: "src" - label: "src.user.title" - view_label: "UDM" - description: "User job title." 
- } # dimension src__user__title - - dimension: src__user__user_authentication_status { - type: number - sql: ${TABLE}.src.user.user_authentication_status ;; - group_label: "src" - label: "src.user.user_authentication_status" - view_label: "UDM" - description: "System authentication status for user." - } # dimension src__user__user_authentication_status - - dimension: src__user__user_authentication_status_enum_name { - type: string - suggestions: ["ACTIVE", "DELETED", "NO_ACTIVE_CREDENTIALS", "SUSPENDED", "UNKNOWN_AUTHENTICATION_STATUS"] - sql: CASE ${TABLE}.src.user.user_authentication_status WHEN 0 THEN 'UNKNOWN_AUTHENTICATION_STATUS' WHEN 1 THEN 'ACTIVE' WHEN 2 THEN 'SUSPENDED' WHEN 3 THEN 'NO_ACTIVE_CREDENTIALS' WHEN 4 THEN 'DELETED' END ;; - group_label: "src" - label: "src.user.user_authentication_status_enum_name" - view_label: "UDM" - description: "System authentication status for user." - } # dimension src__user__user_authentication_status_enum_name - - dimension: src__user__user_display_name { - type: string - sql: ${TABLE}.src.user.user_display_name ;; - group_label: "src" - label: "src.user.user_display_name" - view_label: "UDM" - description: "The display name of the user (e.g. \"John Locke\")." - } # dimension src__user__user_display_name - - dimension: src__user__userid { - type: string - sql: ${TABLE}.src.user.userid ;; - group_label: "src" - label: "src.user.userid" - view_label: "UDM" - description: "The ID of the user." - } # dimension src__user__userid - - dimension: src__user__windows_sid { - type: string - sql: ${TABLE}.src.user.windows_sid ;; - group_label: "src" - label: "src.user.windows_sid" - view_label: "UDM" - description: "The Microsoft Windows SID of the user." 
- } # dimension src__user__windows_sid - - dimension: target { - hidden: yes - } # dimension target - - dimension: target__administrative_domain { - type: string - sql: ${TABLE}.target.administrative_domain ;; - group_label: "target" - label: "target.administrative_domain" - view_label: "UDM" - description: "Domain which the device belongs to (for example, the Microsoft Windows domain)." - } # dimension target__administrative_domain - - dimension: target__application { - type: string - sql: ${TABLE}.target.application ;; - group_label: "target" - label: "target.application" - view_label: "UDM" - description: "The name of an application or service. Some SSO solutions only capture the name of a target application such as \"Atlassian\" or \"Chronicle\"." - } # dimension target__application - - dimension: target__artifact { - hidden: yes - } # dimension target__artifact - - dimension: target__artifact__ip { - type: string - sql: ${TABLE}.target.artifact.ip ;; - group_label: "target" - label: "target.artifact.ip" - view_label: "UDM" - description: "IP address of the artifact." - } # dimension target__artifact__ip - - dimension: target__artifact__network { - hidden: yes - } # dimension target__artifact__network - - dimension: target__artifact__network__email { - hidden: yes - } # dimension target__artifact__network__email - - dimension: target__artifact__network__email__subject { - hidden: yes - } # dimension target__artifact__network__email__subject - - dimension: target__artifact__network__sent_bytes { - type: number - sql: ${TABLE}.target.artifact.network.sent_bytes ;; - group_label: "target" - label: "target.artifact.network.sent_bytes" - view_label: "UDM" - description: "The number of bytes sent." 
- } # dimension target__artifact__network__sent_bytes - - dimension: target__asset { - hidden: yes - } # dimension target__asset - - dimension: target__asset__asset_id { - type: string - sql: ${TABLE}.target.asset.asset_id ;; - group_label: "target" - label: "target.asset.asset_id" - view_label: "UDM" - description: "The asset ID." - } # dimension target__asset__asset_id - - dimension: target__asset__attribute { - hidden: yes - } # dimension target__asset__attribute - - dimension: target__asset__attribute__cloud { - hidden: yes - } # dimension target__asset__attribute__cloud - - dimension: target__asset__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.target.asset.attribute.cloud.availability_zone ;; - group_label: "target" - label: "target.asset.attribute.cloud.availability_zone" - view_label: "UDM" - description: "The cloud environment availability zone (different from region which is location.name)." - } # dimension target__asset__attribute__cloud__availability_zone - - dimension: target__asset__attribute__cloud__environment { - type: number - sql: ${TABLE}.target.asset.attribute.cloud.environment ;; - group_label: "target" - label: "target.asset.attribute.cloud.environment" - view_label: "UDM" - description: "The Cloud environment." - } # dimension target__asset__attribute__cloud__environment - - dimension: target__asset__attribute__cloud__environment_enum_name { - type: string - suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] - sql: CASE ${TABLE}.target.asset.attribute.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; - group_label: "target" - label: "target.asset.attribute.cloud.environment_enum_name" - view_label: "UDM" - description: "The Cloud environment." 
- } # dimension target__asset__attribute__cloud__environment_enum_name - - dimension: target__asset__attribute__cloud__project { - hidden: yes - } # dimension target__asset__attribute__cloud__project - - dimension: target__asset__attribute__cloud__project__id { - type: string - sql: ${TABLE}.target.asset.attribute.cloud.project.id ;; - group_label: "target" - group_item_label: "target.asset.attribute.cloud.project.id [D]" - label: "target.asset.attribute.cloud.project.id" - view_label: "UDM" - description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__asset__attribute__cloud__project__id - - dimension: target__asset__attribute__cloud__project__name { - type: string - sql: ${TABLE}.target.asset.attribute.cloud.project.name ;; - group_label: "target" - group_item_label: "target.asset.attribute.cloud.project.name [D]" - label: "target.asset.attribute.cloud.project.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension target__asset__attribute__cloud__project__name - - dimension: target__asset__attribute__cloud__project__product_object_id { - type: string - sql: ${TABLE}.target.asset.attribute.cloud.project.product_object_id ;; - group_label: "target" - group_item_label: "target.asset.attribute.cloud.project.product_object_id [D]" - label: "target.asset.attribute.cloud.project.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" - } # dimension target__asset__attribute__cloud__project__product_object_id - - dimension: target__asset__attribute__cloud__project__resource_type { - type: number - sql: ${TABLE}.target.asset.attribute.cloud.project.resource_type ;; - group_label: "target" - group_item_label: "target.asset.attribute.cloud.project.resource_type [D]" - label: "target.asset.attribute.cloud.project.resource_type" - view_label: "UDM" - description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension target__asset__attribute__cloud__project__resource_type - - dimension: target__asset__attribute__cloud__project__resource_type_enum_name { - type: string - suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] - sql: CASE ${TABLE}.target.asset.attribute.cloud.project.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; - group_label: "target" - group_item_label: "target.asset.attribute.cloud.project.resource_type_enum_name [D]" - label: "target.asset.attribute.cloud.project.resource_type_enum_name" - view_label: "UDM" - description: "Resource type. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__asset__attribute__cloud__project__resource_type_enum_name - - dimension: target__asset__attribute__cloud__project__type { - type: string - sql: ${TABLE}.target.asset.attribute.cloud.project.type ;; - group_label: "target" - group_item_label: "target.asset.attribute.cloud.project.type [D]" - label: "target.asset.attribute.cloud.project.type" - view_label: "UDM" - description: "Deprecated: use resource_type instead. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension target__asset__attribute__cloud__project__type - - dimension: target__asset__attribute__cloud__vpc { - hidden: yes - } # dimension target__asset__attribute__cloud__vpc - - dimension: target__asset__attribute__cloud__vpc__id { - type: string - sql: ${TABLE}.target.asset.attribute.cloud.vpc.id ;; - group_label: "target" - group_item_label: "target.asset.attribute.cloud.vpc.id [D]" - label: "target.asset.attribute.cloud.vpc.id" - view_label: "UDM" - description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__asset__attribute__cloud__vpc__id - - dimension: target__asset__attribute__cloud__vpc__name { - type: string - sql: ${TABLE}.target.asset.attribute.cloud.vpc.name ;; - group_label: "target" - group_item_label: "target.asset.attribute.cloud.vpc.name [D]" - label: "target.asset.attribute.cloud.vpc.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__asset__attribute__cloud__vpc__name - - dimension: target__asset__attribute__cloud__vpc__resource_type { - type: number - sql: ${TABLE}.target.asset.attribute.cloud.vpc.resource_type ;; - group_label: "target" - group_item_label: "target.asset.attribute.cloud.vpc.resource_type [D]" - label: "target.asset.attribute.cloud.vpc.resource_type" - view_label: "UDM" - description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension target__asset__attribute__cloud__vpc__resource_type - - dimension: target__asset__attribute__cloud__vpc__resource_type_enum_name { - type: string - suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] - sql: CASE ${TABLE}.target.asset.attribute.cloud.vpc.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; - group_label: "target" - group_item_label: "target.asset.attribute.cloud.vpc.resource_type_enum_name [D]" - label: "target.asset.attribute.cloud.vpc.resource_type_enum_name" - view_label: "UDM" - description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension target__asset__attribute__cloud__vpc__resource_type_enum_name - - dimension_group: target__asset__attribute__creation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.asset.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.asset.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.asset.attribute.creation_time" - view_label: "UDM" - description: "Time the resource or entity was created or provisioned." - } # dimension target__asset__attribute__creation_time - - dimension: target__asset__attribute__labels { - hidden: yes - } # dimension target__asset__attribute__labels - - dimension_group: target__asset__attribute__last_update_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.asset.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.asset.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.asset.attribute.last_update_time" - view_label: "UDM" - description: "Time the resource or entity was last updated." - } # dimension target__asset__attribute__last_update_time - - dimension: target__asset__attribute__permissions { - hidden: yes - } # dimension target__asset__attribute__permissions - - dimension: target__asset__attribute__roles { - hidden: yes - } # dimension target__asset__attribute__roles - - dimension: target__asset__category { - type: string - sql: ${TABLE}.target.asset.category ;; - group_label: "target" - label: "target.asset.category" - view_label: "UDM" - description: "The category of the asset (e.g. \"End User Asset\", \"Workstation\", \"Server\")." 
- } # dimension target__asset__category - - dimension_group: target__asset__creation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.asset.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.asset.creation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - group_item_label: "target.asset.creation_time [D]" - label: "target.asset.creation_time" - view_label: "UDM" - description: "Time the asset was created or provisioned. Deprecate: creation_time should be populated in Attribute as generic metadata. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__asset__creation_time - - dimension: target__asset__deployment_status { - type: number - sql: ${TABLE}.target.asset.deployment_status ;; - group_label: "target" - label: "target.asset.deployment_status" - view_label: "UDM" - description: "The deployment status of the asset for device lifecycle purposes." - } # dimension target__asset__deployment_status - - dimension: target__asset__deployment_status_enum_name { - type: string - suggestions: ["ACTIVE", "DECOMISSIONED", "DEPLOYMENT_STATUS_UNSPECIFIED", "PENDING_DECOMISSION"] - sql: CASE ${TABLE}.target.asset.deployment_status WHEN 0 THEN 'DEPLOYMENT_STATUS_UNSPECIFIED' WHEN 1 THEN 'ACTIVE' WHEN 2 THEN 'PENDING_DECOMISSION' WHEN 3 THEN 'DECOMISSIONED' END ;; - group_label: "target" - label: "target.asset.deployment_status_enum_name" - view_label: "UDM" - description: "The deployment status of the asset for device lifecycle purposes." 
- } # dimension target__asset__deployment_status_enum_name - - dimension_group: target__asset__first_discover_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.asset.first_discover_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.asset.first_discover_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.asset.first_discover_time" - view_label: "UDM" - description: "Time the asset was first discovered (by asset management/discoverability software)." - } # dimension target__asset__first_discover_time - - dimension_group: target__asset__first_seen_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.asset.first_seen_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.asset.first_seen_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.asset.first_seen_time" - view_label: "UDM" - description: "The first observed time for an asset. The value is calculated on the basis of the first time the identifier was observed." - } # dimension target__asset__first_seen_time - - dimension: target__asset__hardware { - hidden: yes - } # dimension target__asset__hardware - - dimension: target__asset__hostname { - type: string - sql: ${TABLE}.target.asset.hostname ;; - group_label: "target" - label: "target.asset.hostname" - view_label: "UDM" - description: "Asset hostname or domain name field." 
- } # dimension target__asset__hostname - - dimension: target__asset__ip { - hidden: yes - } # dimension target__asset__ip - - dimension: target__asset__labels { - hidden: yes - } # dimension target__asset__labels - - dimension_group: target__asset__last_boot_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.asset.last_boot_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.asset.last_boot_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.asset.last_boot_time" - view_label: "UDM" - description: "Time the asset was last boot started." - } # dimension target__asset__last_boot_time - - dimension_group: target__asset__last_discover_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.asset.last_discover_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.asset.last_discover_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.asset.last_discover_time" - view_label: "UDM" - description: "Time the asset was last discovered (by asset management/discoverability software)." - } # dimension target__asset__last_discover_time - - dimension: target__asset__location { - hidden: yes - } # dimension target__asset__location - - dimension: target__asset__location__city { - type: string - sql: ${TABLE}.target.asset.location.city ;; - group_label: "target" - label: "target.asset.location.city" - view_label: "UDM" - description: "The city." - } # dimension target__asset__location__city - - dimension: target__asset__location__country_or_region { - type: string - sql: ${TABLE}.target.asset.location.country_or_region ;; - group_label: "target" - label: "target.asset.location.country_or_region" - view_label: "UDM" - description: "The country or region." 
- } # dimension target__asset__location__country_or_region - - dimension: target__asset__location__floor_name { - type: string - sql: ${TABLE}.target.asset.location.floor_name ;; - group_label: "target" - label: "target.asset.location.floor_name" - view_label: "UDM" - description: "Floor name, number or a combination of the two for a building. (e.g. \"1-A\")." - } # dimension target__asset__location__floor_name - - dimension: target__asset__location__name { - type: string - sql: ${TABLE}.target.asset.location.name ;; - group_label: "target" - label: "target.asset.location.name" - view_label: "UDM" - description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." - } # dimension target__asset__location__name - - dimension: target__asset__location__region_latitude { - type: number - sql: ${TABLE}.target.asset.location.region_latitude ;; - group_label: "target" - group_item_label: "target.asset.location.region_latitude [D]" - label: "target.asset.location.region_latitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__asset__location__region_latitude - - dimension: target__asset__location__region_longitude { - type: number - sql: ${TABLE}.target.asset.location.region_longitude ;; - group_label: "target" - group_item_label: "target.asset.location.region_longitude [D]" - label: "target.asset.location.region_longitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension target__asset__location__region_longitude - - dimension: target__asset__location__location { - type: location - sql_latitude: ${TABLE}.target.asset.location.region_latitude ;; - sql_longitude: ${TABLE}.target.asset.location.region_longitude ;; - group_label: "target" - group_item_label: "target.asset.location.location [D][L]" - label: "target.asset.location.location" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." - } # dimension target__asset__location__location - - dimension: target__asset__location__state { - type: string - sql: ${TABLE}.target.asset.location.state ;; - group_label: "target" - label: "target.asset.location.state" - view_label: "UDM" - description: "The state." - } # dimension target__asset__location__state - - dimension: target__asset__mac { - hidden: yes - } # dimension target__asset__mac - - dimension: target__asset__nat_ip { - hidden: yes - } # dimension target__asset__nat_ip - - dimension: target__asset__network_domain { - type: string - sql: ${TABLE}.target.asset.network_domain ;; - group_label: "target" - label: "target.asset.network_domain" - view_label: "UDM" - description: "The network domain of the asset (e.g. \"corp.acme.com\")" - } # dimension target__asset__network_domain - - dimension: target__asset__platform_software { - hidden: yes - } # dimension target__asset__platform_software - - dimension: target__asset__platform_software__platform { - type: number - sql: ${TABLE}.target.asset.platform_software.platform ;; - group_label: "target" - label: "target.asset.platform_software.platform" - view_label: "UDM" - description: "The platform operating system." 
- } # dimension target__asset__platform_software__platform - - dimension: target__asset__platform_software__platform_enum_name { - type: string - suggestions: ["ANDROID", "AWS", "AZURE", "CHROME_OS", "GCP", "IOS", "LINUX", "MAC", "UNKNOWN_PLATFORM", "WINDOWS"] - sql: CASE ${TABLE}.target.asset.platform_software.platform WHEN 0 THEN 'UNKNOWN_PLATFORM' WHEN 1 THEN 'WINDOWS' WHEN 2 THEN 'MAC' WHEN 3 THEN 'LINUX' WHEN 4 THEN 'GCP' WHEN 5 THEN 'AWS' WHEN 6 THEN 'AZURE' WHEN 7 THEN 'IOS' WHEN 8 THEN 'ANDROID' WHEN 9 THEN 'CHROME_OS' END ;; - group_label: "target" - label: "target.asset.platform_software.platform_enum_name" - view_label: "UDM" - description: "The platform operating system." - } # dimension target__asset__platform_software__platform_enum_name - - dimension: target__asset__platform_software__platform_patch_level { - type: string - sql: ${TABLE}.target.asset.platform_software.platform_patch_level ;; - group_label: "target" - label: "target.asset.platform_software.platform_patch_level" - view_label: "UDM" - description: "The platform software patch level ( e.g. \"Build 17134.48\", \"SP1\")." - } # dimension target__asset__platform_software__platform_patch_level - - dimension: target__asset__platform_software__platform_version { - type: string - sql: ${TABLE}.target.asset.platform_software.platform_version ;; - group_label: "target" - label: "target.asset.platform_software.platform_version" - view_label: "UDM" - description: "The platform software version ( e.g. \"Microsoft Windows 1803\")." - } # dimension target__asset__platform_software__platform_version - - dimension: target__asset__product_object_id { - type: string - sql: ${TABLE}.target.asset.product_object_id ;; - group_label: "target" - label: "target.asset.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID or similar)." 
- } # dimension target__asset__product_object_id - - dimension: target__asset__software { - hidden: yes - } # dimension target__asset__software - - dimension_group: target__asset__system_last_update_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.asset.system_last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.asset.system_last_update_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.asset.system_last_update_time" - view_label: "UDM" - description: "Time the asset system or OS was last updated. For all other operations that are not system updates (such as resizing a vm, etc.) use Attribute.last_update_time." - } # dimension target__asset__system_last_update_time - - dimension: target__asset__type { - type: number - sql: ${TABLE}.target.asset.type ;; - group_label: "target" - label: "target.asset.type" - view_label: "UDM" - description: "The type of the asset (e.g. workstation or laptop or server)." - } # dimension target__asset__type - - dimension: target__asset__type_enum_name { - type: string - suggestions: ["IOT", "LAPTOP", "MOBILE", "NETWORK_ATTACHED_STORAGE", "PRINTER", "ROLE_UNSPECIFIED", "SCANNER", "SERVER", "TAPE_LIBRARY", "WORKSTATION"] - sql: CASE ${TABLE}.target.asset.type WHEN 0 THEN 'ROLE_UNSPECIFIED' WHEN 1 THEN 'WORKSTATION' WHEN 2 THEN 'LAPTOP' WHEN 3 THEN 'IOT' WHEN 4 THEN 'NETWORK_ATTACHED_STORAGE' WHEN 5 THEN 'PRINTER' WHEN 6 THEN 'SCANNER' WHEN 7 THEN 'SERVER' WHEN 8 THEN 'TAPE_LIBRARY' WHEN 9 THEN 'MOBILE' END ;; - group_label: "target" - label: "target.asset.type_enum_name" - view_label: "UDM" - description: "The type of the asset (e.g. workstation or laptop or server)." 
- } # dimension target__asset__type_enum_name - - dimension: target__asset__vulnerabilities { - hidden: yes - } # dimension target__asset__vulnerabilities - - dimension: target__asset_id { - type: string - sql: ${TABLE}.target.asset_id ;; - group_label: "target" - label: "target.asset_id" - view_label: "UDM" - description: "The asset ID." - } # dimension target__asset_id - - dimension: target__cloud { - hidden: yes - } # dimension target__cloud - - dimension: target__cloud__availability_zone { - type: string - sql: ${TABLE}.target.cloud.availability_zone ;; - group_label: "target" - group_item_label: "target.cloud.availability_zone [D]" - label: "target.cloud.availability_zone" - view_label: "UDM" - description: "The cloud environment availability zone (different from region which is location.name). [D]: This field is deprecated and will be removed in a future release" - } # dimension target__cloud__availability_zone - - dimension: target__cloud__environment { - type: number - sql: ${TABLE}.target.cloud.environment ;; - group_label: "target" - group_item_label: "target.cloud.environment [D]" - label: "target.cloud.environment" - view_label: "UDM" - description: "The Cloud environment. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__cloud__environment - - dimension: target__cloud__environment_enum_name { - type: string - suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] - sql: CASE ${TABLE}.target.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; - group_label: "target" - group_item_label: "target.cloud.environment_enum_name [D]" - label: "target.cloud.environment_enum_name" - view_label: "UDM" - description: "The Cloud environment. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension target__cloud__environment_enum_name - - dimension: target__cloud__project { - hidden: yes - } # dimension target__cloud__project - - dimension: target__cloud__project__attribute { - hidden: yes - } # dimension target__cloud__project__attribute - - dimension: target__cloud__project__attribute__labels { - hidden: yes - } # dimension target__cloud__project__attribute__labels - - dimension: target__cloud__project__id { - type: string - sql: ${TABLE}.target.cloud.project.id ;; - group_label: "target" - group_item_label: "target.cloud.project.id [D]" - label: "target.cloud.project.id" - view_label: "UDM" - description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__cloud__project__id - - dimension: target__cloud__project__name { - type: string - sql: ${TABLE}.target.cloud.project.name ;; - group_label: "target" - group_item_label: "target.cloud.project.name [D]" - label: "target.cloud.project.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension target__cloud__project__name - - dimension: target__cloud__project__product_object_id { - type: string - sql: ${TABLE}.target.cloud.project.product_object_id ;; - group_label: "target" - group_item_label: "target.cloud.project.product_object_id [D]" - label: "target.cloud.project.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" - } # dimension target__cloud__project__product_object_id - - dimension: target__cloud__project__resource_subtype { - type: string - sql: ${TABLE}.target.cloud.project.resource_subtype ;; - group_label: "target" - group_item_label: "target.cloud.project.resource_subtype [D]" - label: "target.cloud.project.resource_subtype" - view_label: "UDM" - description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\"). [D]: This field is deprecated and will be removed in a future release" - } # dimension target__cloud__project__resource_subtype - - dimension: target__cloud__project__type { - type: string - sql: ${TABLE}.target.cloud.project.type ;; - group_label: "target" - group_item_label: "target.cloud.project.type [D]" - label: "target.cloud.project.type" - view_label: "UDM" - description: "Deprecated: use resource_type instead. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__cloud__project__type - - dimension: target__cloud__vpc { - hidden: yes - } # dimension target__cloud__vpc - - dimension: target__cloud__vpc__id { - type: string - sql: ${TABLE}.target.cloud.vpc.id ;; - group_label: "target" - group_item_label: "target.cloud.vpc.id [D]" - label: "target.cloud.vpc.id" - view_label: "UDM" - description: "Deprecated: Use resource.name or resource.product_object_id. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension target__cloud__vpc__id - - dimension: target__cloud__vpc__name { - type: string - sql: ${TABLE}.target.cloud.vpc.name ;; - group_label: "target" - group_item_label: "target.cloud.vpc.name [D]" - label: "target.cloud.vpc.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__cloud__vpc__name - - dimension: target__cloud__vpc__product_object_id { - type: string - sql: ${TABLE}.target.cloud.vpc.product_object_id ;; - group_label: "target" - group_item_label: "target.cloud.vpc.product_object_id [D]" - label: "target.cloud.vpc.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" - } # dimension target__cloud__vpc__product_object_id - - dimension: target__cloud__vpc__resource_subtype { - type: string - sql: ${TABLE}.target.cloud.vpc.resource_subtype ;; - group_label: "target" - group_item_label: "target.cloud.vpc.resource_subtype [D]" - label: "target.cloud.vpc.resource_subtype" - view_label: "UDM" - description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\"). [D]: This field is deprecated and will be removed in a future release" - } # dimension target__cloud__vpc__resource_subtype - - dimension: target__cloud__vpc__resource_type { - type: number - sql: ${TABLE}.target.cloud.vpc.resource_type ;; - group_label: "target" - group_item_label: "target.cloud.vpc.resource_type [D]" - label: "target.cloud.vpc.resource_type" - view_label: "UDM" - description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension target__cloud__vpc__resource_type - - dimension: target__cloud__vpc__resource_type_enum_name { - type: string - suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] - sql: CASE ${TABLE}.target.cloud.vpc.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; - group_label: "target" - group_item_label: "target.cloud.vpc.resource_type_enum_name [D]" - label: "target.cloud.vpc.resource_type_enum_name" - view_label: "UDM" - description: "Resource type. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__cloud__vpc__resource_type_enum_name - - dimension: target__domain { - hidden: yes - } # dimension target__domain - - dimension: target__domain__contact_email { - type: string - sql: ${TABLE}.target.domain.contact_email ;; - group_label: "target" - label: "target.domain.contact_email" - view_label: "UDM" - description: "Contact email address." 
- } # dimension target__domain__contact_email - - dimension_group: target__domain__creation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.domain.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.domain.creation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.domain.creation_time" - view_label: "UDM" - description: "Domain creation time." - } # dimension target__domain__creation_time - - dimension_group: target__domain__expiration_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.domain.expiration_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.domain.expiration_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.domain.expiration_time" - view_label: "UDM" - description: "Expiration time." - } # dimension target__domain__expiration_time - - dimension_group: target__domain__last_seen_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.domain.last_seen_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.domain.last_seen_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.domain.last_seen_time" - view_label: "UDM" - description: "Last seen timestamp of the domain in the customer's environment." - } # dimension target__domain__last_seen_time - - dimension: target__domain__name { - type: string - sql: ${TABLE}.target.domain.name ;; - group_label: "target" - label: "target.domain.name" - view_label: "UDM" - description: "The domain name." 
- } # dimension target__domain__name - - dimension: target__domain__name_server { - hidden: yes - } # dimension target__domain__name_server - - dimension: target__domain__prevalence { - hidden: yes - } # dimension target__domain__prevalence - - dimension: target__domain__prevalence__day_count { - type: number - sql: ${TABLE}.target.domain.prevalence.day_count ;; - group_label: "target" - label: "target.domain.prevalence.day_count" - view_label: "UDM" - description: "The number of days over which rolling_max is calculated." - } # dimension target__domain__prevalence__day_count - - dimension: target__domain__prevalence__rolling_max { - type: number - sql: ${TABLE}.target.domain.prevalence.rolling_max ;; - group_label: "target" - label: "target.domain.prevalence.rolling_max" - view_label: "UDM" - description: "The maximum number of assets per day accessing the resource over the trailing day_count days." - } # dimension target__domain__prevalence__rolling_max - - dimension: target__domain__private_registration { - type: yesno - sql: ${TABLE}.target.domain.private_registration ;; - group_label: "target" - label: "target.domain.private_registration" - view_label: "UDM" - description: "Indicates whether the domain appears to be using a private registration service to mask the owner's contact information." - } # dimension target__domain__private_registration - - dimension: target__domain__registrar { - type: string - sql: ${TABLE}.target.domain.registrar ;; - group_label: "target" - label: "target.domain.registrar" - view_label: "UDM" - description: "Registrar name - e.g. \"Wild West Domains, Inc. (R120-LROR)\", \"GoDaddy.com, LLC\", \"PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM\", etc." - } # dimension target__domain__registrar - - dimension: target__domain__status { - type: string - sql: ${TABLE}.target.domain.status ;; - group_label: "target" - label: "target.domain.status" - view_label: "UDM" - description: "Domain status. 
See https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en for meanings of possible values" - } # dimension target__domain__status - - dimension: target__domain__tech { - hidden: yes - } # dimension target__domain__tech - - dimension: target__domain__tech__company_name { - type: string - sql: ${TABLE}.target.domain.tech.company_name ;; - group_label: "target" - label: "target.domain.tech.company_name" - view_label: "UDM" - description: "User job company name." - } # dimension target__domain__tech__company_name - - dimension_group: target__domain__update_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.domain.update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.domain.update_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.domain.update_time" - view_label: "UDM" - description: "Last updated time." - } # dimension target__domain__update_time - - dimension: target__domain__whois_server { - type: string - sql: ${TABLE}.target.domain.whois_server ;; - group_label: "target" - label: "target.domain.whois_server" - view_label: "UDM" - description: "Whois server name." - } # dimension target__domain__whois_server - - dimension: target__email { - type: string - sql: ${TABLE}.target.email ;; - group_label: "target" - label: "target.email" - view_label: "UDM" - description: "Email address. Only filled in for security_result.about" - } # dimension target__email - - dimension: target__file { - hidden: yes - } # dimension target__file - - dimension: target__file__authentihash { - type: string - sql: ${TABLE}.target.file.authentihash ;; - group_label: "target" - label: "target.file.authentihash" - view_label: "UDM" - description: "Authentihash of the file." 
- } # dimension target__file__authentihash - - dimension: target__file__capabilities_tags { - hidden: yes - } # dimension target__file__capabilities_tags - - dimension: target__file__embedded_domains { - hidden: yes - } # dimension target__file__embedded_domains - - dimension: target__file__embedded_ips { - hidden: yes - } # dimension target__file__embedded_ips - - dimension: target__file__embedded_urls { - hidden: yes - } # dimension target__file__embedded_urls - - dimension: target__file__exif_info { - hidden: yes - } # dimension target__file__exif_info - - dimension: target__file__exif_info__company { - type: string - sql: ${TABLE}.target.file.exif_info.company ;; - group_label: "target" - label: "target.file.exif_info.company" - view_label: "UDM" - description: "company name." - } # dimension target__file__exif_info__company - - dimension_group: target__file__exif_info__compilation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.file.exif_info.compilation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.file.exif_info.compilation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.file.exif_info.compilation_time" - view_label: "UDM" - description: "Compilation time." - } # dimension target__file__exif_info__compilation_time - - dimension: target__file__exif_info__entry_point { - type: number - sql: ${TABLE}.target.file.exif_info.entry_point ;; - group_label: "target" - label: "target.file.exif_info.entry_point" - view_label: "UDM" - description: "entry point." - } # dimension target__file__exif_info__entry_point - - dimension: target__file__exif_info__file_description { - type: string - sql: ${TABLE}.target.file.exif_info.file_description ;; - group_label: "target" - label: "target.file.exif_info.file_description" - view_label: "UDM" - description: "description of a file." 
- } # dimension target__file__exif_info__file_description - - dimension: target__file__exif_info__original_file { - type: string - sql: ${TABLE}.target.file.exif_info.original_file ;; - group_label: "target" - label: "target.file.exif_info.original_file" - view_label: "UDM" - description: "original file name." - } # dimension target__file__exif_info__original_file - - dimension: target__file__exif_info__product { - type: string - sql: ${TABLE}.target.file.exif_info.product ;; - group_label: "target" - label: "target.file.exif_info.product" - view_label: "UDM" - description: "product name." - } # dimension target__file__exif_info__product - - dimension: target__file__file_metadata { - hidden: yes - } # dimension target__file__file_metadata - - dimension: target__file__file_metadata__pe { - hidden: yes - } # dimension target__file__file_metadata__pe - - dimension: target__file__file_metadata__pe__import_hash { - type: string - sql: ${TABLE}.target.file.file_metadata.pe.import_hash ;; - group_label: "target" - group_item_label: "target.file.file_metadata.pe.import_hash [D]" - label: "target.file.file_metadata.pe.import_hash" - view_label: "UDM" - description: "Hash of PE imports. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__file__file_metadata__pe__import_hash - - dimension: target__file__file_type { - type: number - sql: ${TABLE}.target.file.file_type ;; - group_label: "target" - label: "target.file.file_type" - view_label: "UDM" - description: "FileType field." 
- } # dimension target__file__file_type - - dimension: target__file__file_type_enum_name { - type: string - suggestions: ["FILE_TYPE_ACE", "FILE_TYPE_ANDROID", "FILE_TYPE_APPLE", "FILE_TYPE_APPLEDOUBLE", "FILE_TYPE_APPLESCRIPT", "FILE_TYPE_APPLESCRIPT_COMPILED", "FILE_TYPE_APPLESINGLE", "FILE_TYPE_APPLE_PLIST", "FILE_TYPE_ARC", "FILE_TYPE_ARJ", "FILE_TYPE_ASD", "FILE_TYPE_ASF", "FILE_TYPE_AVI", "FILE_TYPE_AWK", "FILE_TYPE_BLACKHOLE", "FILE_TYPE_BMP", "FILE_TYPE_BZIP", "FILE_TYPE_C", "FILE_TYPE_CAB", "FILE_TYPE_CAP", "FILE_TYPE_CHM", "FILE_TYPE_COFF", "FILE_TYPE_COOKIE", "FILE_TYPE_CPP", "FILE_TYPE_CRX", "FILE_TYPE_DEB", "FILE_TYPE_DIB", "FILE_TYPE_DIVX", "FILE_TYPE_DMG", "FILE_TYPE_DOC", "FILE_TYPE_DOCX", "FILE_TYPE_DOS_COM", "FILE_TYPE_DOS_EXE", "FILE_TYPE_DYALOG", "FILE_TYPE_DZIP", "FILE_TYPE_EBOOK", "FILE_TYPE_ELF", "FILE_TYPE_EMAIL_TYPE", "FILE_TYPE_EMF", "FILE_TYPE_EOT", "FILE_TYPE_EPS", "FILE_TYPE_FLA", "FILE_TYPE_FLAC", "FILE_TYPE_FLC", "FILE_TYPE_FLI", "FILE_TYPE_FLV", "FILE_TYPE_FORTRAN", "FILE_TYPE_FPX", "FILE_TYPE_GIF", "FILE_TYPE_GIMP", "FILE_TYPE_GUL", "FILE_TYPE_GZIP", "FILE_TYPE_HTML", "FILE_TYPE_HWP", "FILE_TYPE_ICO", "FILE_TYPE_IN_DESIGN", "FILE_TYPE_IPHONE", "FILE_TYPE_ISOIMAGE", "FILE_TYPE_JAR", "FILE_TYPE_JAVA", "FILE_TYPE_JAVASCRIPT", "FILE_TYPE_JAVA_BYTECODE", "FILE_TYPE_JNG", "FILE_TYPE_JPEG", "FILE_TYPE_KGB", "FILE_TYPE_LATEX", "FILE_TYPE_LINUX", "FILE_TYPE_LINUX_KERNEL", "FILE_TYPE_LNK", "FILE_TYPE_MACH_O", "FILE_TYPE_MACINTOSH", "FILE_TYPE_MACINTOSH_HFS", "FILE_TYPE_MACINTOSH_LIB", "FILE_TYPE_MIDI", "FILE_TYPE_MOV", "FILE_TYPE_MP3", "FILE_TYPE_MP4", "FILE_TYPE_MPEG", "FILE_TYPE_MSCOMPRESS", "FILE_TYPE_MSI", "FILE_TYPE_NE_DLL", "FILE_TYPE_NE_EXE", "FILE_TYPE_ODF", "FILE_TYPE_ODG", "FILE_TYPE_ODP", "FILE_TYPE_ODS", "FILE_TYPE_ODT", "FILE_TYPE_OGG", "FILE_TYPE_OUTLOOK", "FILE_TYPE_PALMOS", "FILE_TYPE_PASCAL", "FILE_TYPE_PDF", "FILE_TYPE_PERL", "FILE_TYPE_PE_DLL", "FILE_TYPE_PE_EXE", "FILE_TYPE_PHP", "FILE_TYPE_PKG", "FILE_TYPE_PNG", 
"FILE_TYPE_POWERSHELL", "FILE_TYPE_PPSX", "FILE_TYPE_PPT", "FILE_TYPE_PPTX", "FILE_TYPE_PS", "FILE_TYPE_PSD", "FILE_TYPE_PYTHON", "FILE_TYPE_QUICKTIME", "FILE_TYPE_RAR", "FILE_TYPE_RM", "FILE_TYPE_ROM", "FILE_TYPE_RPM", "FILE_TYPE_RTF", "FILE_TYPE_RUBY", "FILE_TYPE_RZIP", "FILE_TYPE_SCRIPT", "FILE_TYPE_SEVENZIP", "FILE_TYPE_SHELLSCRIPT", "FILE_TYPE_SVG", "FILE_TYPE_SWF", "FILE_TYPE_SYMBIAN", "FILE_TYPE_T3GP", "FILE_TYPE_TAR", "FILE_TYPE_TARGA", "FILE_TYPE_TEXT", "FILE_TYPE_TIFF", "FILE_TYPE_TORRENT", "FILE_TYPE_TTF", "FILE_TYPE_UNSPECIFIED", "FILE_TYPE_VBA", "FILE_TYPE_WAV", "FILE_TYPE_WEBP", "FILE_TYPE_WINCE", "FILE_TYPE_WMA", "FILE_TYPE_WMV", "FILE_TYPE_WOFF", "FILE_TYPE_XLS", "FILE_TYPE_XLSX", "FILE_TYPE_XML", "FILE_TYPE_XPI", "FILE_TYPE_XWD", "FILE_TYPE_ZIP", "FILE_TYPE_ZLIB"] - sql: CASE ${TABLE}.target.file.file_type WHEN 0 THEN 'FILE_TYPE_UNSPECIFIED' WHEN 1 THEN 'FILE_TYPE_PE_EXE' WHEN 2 THEN 'FILE_TYPE_PE_DLL' WHEN 3 THEN 'FILE_TYPE_MSI' WHEN 10 THEN 'FILE_TYPE_NE_EXE' WHEN 11 THEN 'FILE_TYPE_NE_DLL' WHEN 20 THEN 'FILE_TYPE_DOS_EXE' WHEN 21 THEN 'FILE_TYPE_DOS_COM' WHEN 30 THEN 'FILE_TYPE_COFF' WHEN 31 THEN 'FILE_TYPE_ELF' WHEN 32 THEN 'FILE_TYPE_LINUX_KERNEL' WHEN 33 THEN 'FILE_TYPE_RPM' WHEN 34 THEN 'FILE_TYPE_LINUX' WHEN 35 THEN 'FILE_TYPE_MACH_O' WHEN 36 THEN 'FILE_TYPE_JAVA_BYTECODE' WHEN 37 THEN 'FILE_TYPE_DMG' WHEN 38 THEN 'FILE_TYPE_DEB' WHEN 39 THEN 'FILE_TYPE_PKG' WHEN 50 THEN 'FILE_TYPE_LNK' WHEN 100 THEN 'FILE_TYPE_JPEG' WHEN 101 THEN 'FILE_TYPE_TIFF' WHEN 102 THEN 'FILE_TYPE_GIF' WHEN 103 THEN 'FILE_TYPE_PNG' WHEN 104 THEN 'FILE_TYPE_BMP' WHEN 105 THEN 'FILE_TYPE_GIMP' WHEN 106 THEN 'FILE_TYPE_IN_DESIGN' WHEN 107 THEN 'FILE_TYPE_PSD' WHEN 108 THEN 'FILE_TYPE_TARGA' WHEN 109 THEN 'FILE_TYPE_XWD' WHEN 110 THEN 'FILE_TYPE_DIB' WHEN 111 THEN 'FILE_TYPE_JNG' WHEN 112 THEN 'FILE_TYPE_ICO' WHEN 113 THEN 'FILE_TYPE_FPX' WHEN 114 THEN 'FILE_TYPE_EPS' WHEN 115 THEN 'FILE_TYPE_SVG' WHEN 116 THEN 'FILE_TYPE_EMF' WHEN 117 THEN 'FILE_TYPE_WEBP' WHEN 150 
THEN 'FILE_TYPE_OGG' WHEN 151 THEN 'FILE_TYPE_FLC' WHEN 152 THEN 'FILE_TYPE_FLI' WHEN 153 THEN 'FILE_TYPE_MP3' WHEN 154 THEN 'FILE_TYPE_FLAC' WHEN 155 THEN 'FILE_TYPE_WAV' WHEN 156 THEN 'FILE_TYPE_MIDI' WHEN 157 THEN 'FILE_TYPE_AVI' WHEN 158 THEN 'FILE_TYPE_MPEG' WHEN 159 THEN 'FILE_TYPE_QUICKTIME' WHEN 160 THEN 'FILE_TYPE_ASF' WHEN 161 THEN 'FILE_TYPE_DIVX' WHEN 162 THEN 'FILE_TYPE_FLV' WHEN 163 THEN 'FILE_TYPE_WMA' WHEN 164 THEN 'FILE_TYPE_WMV' WHEN 165 THEN 'FILE_TYPE_RM' WHEN 166 THEN 'FILE_TYPE_MOV' WHEN 167 THEN 'FILE_TYPE_MP4' WHEN 168 THEN 'FILE_TYPE_T3GP' WHEN 200 THEN 'FILE_TYPE_PDF' WHEN 201 THEN 'FILE_TYPE_PS' WHEN 202 THEN 'FILE_TYPE_DOC' WHEN 203 THEN 'FILE_TYPE_DOCX' WHEN 204 THEN 'FILE_TYPE_PPT' WHEN 205 THEN 'FILE_TYPE_PPTX' WHEN 209 THEN 'FILE_TYPE_PPSX' WHEN 206 THEN 'FILE_TYPE_XLS' WHEN 207 THEN 'FILE_TYPE_XLSX' WHEN 208 THEN 'FILE_TYPE_RTF' WHEN 250 THEN 'FILE_TYPE_ODP' WHEN 251 THEN 'FILE_TYPE_ODS' WHEN 252 THEN 'FILE_TYPE_ODT' WHEN 253 THEN 'FILE_TYPE_HWP' WHEN 254 THEN 'FILE_TYPE_GUL' WHEN 255 THEN 'FILE_TYPE_ODF' WHEN 256 THEN 'FILE_TYPE_ODG' WHEN 260 THEN 'FILE_TYPE_EBOOK' WHEN 261 THEN 'FILE_TYPE_LATEX' WHEN 262 THEN 'FILE_TYPE_TTF' WHEN 263 THEN 'FILE_TYPE_EOT' WHEN 264 THEN 'FILE_TYPE_WOFF' WHEN 265 THEN 'FILE_TYPE_CHM' WHEN 300 THEN 'FILE_TYPE_ZIP' WHEN 301 THEN 'FILE_TYPE_GZIP' WHEN 302 THEN 'FILE_TYPE_BZIP' WHEN 303 THEN 'FILE_TYPE_RZIP' WHEN 304 THEN 'FILE_TYPE_DZIP' WHEN 305 THEN 'FILE_TYPE_SEVENZIP' WHEN 306 THEN 'FILE_TYPE_CAB' WHEN 307 THEN 'FILE_TYPE_JAR' WHEN 308 THEN 'FILE_TYPE_RAR' WHEN 309 THEN 'FILE_TYPE_MSCOMPRESS' WHEN 310 THEN 'FILE_TYPE_ACE' WHEN 311 THEN 'FILE_TYPE_ARC' WHEN 312 THEN 'FILE_TYPE_ARJ' WHEN 313 THEN 'FILE_TYPE_ASD' WHEN 314 THEN 'FILE_TYPE_BLACKHOLE' WHEN 315 THEN 'FILE_TYPE_KGB' WHEN 316 THEN 'FILE_TYPE_ZLIB' WHEN 317 THEN 'FILE_TYPE_TAR' WHEN 400 THEN 'FILE_TYPE_TEXT' WHEN 401 THEN 'FILE_TYPE_SCRIPT' WHEN 402 THEN 'FILE_TYPE_PHP' WHEN 403 THEN 'FILE_TYPE_PYTHON' WHEN 404 THEN 'FILE_TYPE_PERL' WHEN 405 
THEN 'FILE_TYPE_RUBY' WHEN 406 THEN 'FILE_TYPE_C' WHEN 407 THEN 'FILE_TYPE_CPP' WHEN 408 THEN 'FILE_TYPE_JAVA' WHEN 409 THEN 'FILE_TYPE_SHELLSCRIPT' WHEN 410 THEN 'FILE_TYPE_PASCAL' WHEN 411 THEN 'FILE_TYPE_AWK' WHEN 412 THEN 'FILE_TYPE_DYALOG' WHEN 413 THEN 'FILE_TYPE_FORTRAN' WHEN 414 THEN 'FILE_TYPE_JAVASCRIPT' WHEN 415 THEN 'FILE_TYPE_POWERSHELL' WHEN 416 THEN 'FILE_TYPE_VBA' WHEN 500 THEN 'FILE_TYPE_SYMBIAN' WHEN 501 THEN 'FILE_TYPE_PALMOS' WHEN 502 THEN 'FILE_TYPE_WINCE' WHEN 503 THEN 'FILE_TYPE_ANDROID' WHEN 504 THEN 'FILE_TYPE_IPHONE' WHEN 600 THEN 'FILE_TYPE_HTML' WHEN 601 THEN 'FILE_TYPE_XML' WHEN 602 THEN 'FILE_TYPE_SWF' WHEN 603 THEN 'FILE_TYPE_FLA' WHEN 604 THEN 'FILE_TYPE_COOKIE' WHEN 605 THEN 'FILE_TYPE_TORRENT' WHEN 606 THEN 'FILE_TYPE_EMAIL_TYPE' WHEN 607 THEN 'FILE_TYPE_OUTLOOK' WHEN 700 THEN 'FILE_TYPE_CAP' WHEN 800 THEN 'FILE_TYPE_ISOIMAGE' WHEN 1000 THEN 'FILE_TYPE_APPLE' WHEN 1001 THEN 'FILE_TYPE_MACINTOSH' WHEN 1002 THEN 'FILE_TYPE_APPLESINGLE' WHEN 1003 THEN 'FILE_TYPE_APPLEDOUBLE' WHEN 1004 THEN 'FILE_TYPE_MACINTOSH_HFS' WHEN 1005 THEN 'FILE_TYPE_APPLE_PLIST' WHEN 1006 THEN 'FILE_TYPE_MACINTOSH_LIB' WHEN 1007 THEN 'FILE_TYPE_APPLESCRIPT' WHEN 1008 THEN 'FILE_TYPE_APPLESCRIPT_COMPILED' WHEN 1100 THEN 'FILE_TYPE_CRX' WHEN 1101 THEN 'FILE_TYPE_XPI' WHEN 1200 THEN 'FILE_TYPE_ROM' END ;; - group_label: "target" - label: "target.file.file_type_enum_name" - view_label: "UDM" - description: "FileType field." - } # dimension target__file__file_type_enum_name - - dimension_group: target__file__first_seen_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.file.first_seen_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.file.first_seen_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.file.first_seen_time" - view_label: "UDM" - description: "Timestamp the file was first seen in the customer's environment." 
- } # dimension target__file__first_seen_time - - dimension: target__file__full_path { - type: string - sql: ${TABLE}.target.file.full_path ;; - group_label: "target" - label: "target.file.full_path" - view_label: "UDM" - description: "The full path identifying the location of the file on the system." - } # dimension target__file__full_path - - dimension_group: target__file__last_analysis_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.file.last_analysis_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.file.last_analysis_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.file.last_analysis_time" - view_label: "UDM" - description: "Timestamp the file was last analysed." - } # dimension target__file__last_analysis_time - - dimension_group: target__file__last_modification_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.file.last_modification_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.file.last_modification_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.file.last_modification_time" - view_label: "UDM" - description: "Timestamp when the file was last updated." - } # dimension target__file__last_modification_time - - dimension_group: target__file__last_seen_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.file.last_seen_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.file.last_seen_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.file.last_seen_time" - view_label: "UDM" - description: "Timestamp the file was last seen in the customer's environment." 
- } # dimension target__file__last_seen_time - - dimension: target__file__md5 { - type: string - sql: ${TABLE}.target.file.md5 ;; - group_label: "target" - label: "target.file.md5" - view_label: "UDM" - description: "The MD5 hash of the file." - } # dimension target__file__md5 - - dimension: target__file__mime_type { - type: string - sql: ${TABLE}.target.file.mime_type ;; - group_label: "target" - label: "target.file.mime_type" - view_label: "UDM" - description: "The MIME (Multipurpose Internet Mail Extensions) type of the file, for example \"PE\", \"PDF\", \"powershell script\", etc." - } # dimension target__file__mime_type - - dimension: target__file__names { - hidden: yes - } # dimension target__file__names - - dimension: target__file__pe_file { - hidden: yes - } # dimension target__file__pe_file - - dimension_group: target__file__pe_file__compilation_exiftool_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.file.pe_file.compilation_exiftool_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.file.pe_file.compilation_exiftool_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.file.pe_file.compilation_exiftool_time" - view_label: "UDM" - description: "info.exiftool.TimeStamp." - } # dimension target__file__pe_file__compilation_exiftool_time - - dimension_group: target__file__pe_file__compilation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.file.pe_file.compilation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.file.pe_file.compilation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.file.pe_file.compilation_time" - view_label: "UDM" - description: "info.pe-timestamp." 
- } # dimension target__file__pe_file__compilation_time - - dimension: target__file__pe_file__entry_point { - type: number - sql: ${TABLE}.target.file.pe_file.entry_point ;; - group_label: "target" - label: "target.file.pe_file.entry_point" - view_label: "UDM" - description: "info.pe-entry-point." - } # dimension target__file__pe_file__entry_point - - dimension: target__file__pe_file__entry_point_exiftool { - type: number - sql: ${TABLE}.target.file.pe_file.entry_point_exiftool ;; - group_label: "target" - label: "target.file.pe_file.entry_point_exiftool" - view_label: "UDM" - description: "info.exiftool.EntryPoint." - } # dimension target__file__pe_file__entry_point_exiftool - - dimension: target__file__pe_file__imphash { - type: string - sql: ${TABLE}.target.file.pe_file.imphash ;; - group_label: "target" - label: "target.file.pe_file.imphash" - view_label: "UDM" - description: "Imphash of the file." - } # dimension target__file__pe_file__imphash - - dimension: target__file__pe_file__imports { - hidden: yes - } # dimension target__file__pe_file__imports - - dimension: target__file__pe_file__resource { - hidden: yes - } # dimension target__file__pe_file__resource - - dimension: target__file__pe_file__resources_language_count_str { - hidden: yes - } # dimension target__file__pe_file__resources_language_count_str - - dimension: target__file__pe_file__resources_type_count_str { - hidden: yes - } # dimension target__file__pe_file__resources_type_count_str - - dimension: target__file__pe_file__section { - hidden: yes - } # dimension target__file__pe_file__section - - dimension: target__file__sha1 { - type: string - sql: ${TABLE}.target.file.sha1 ;; - group_label: "target" - label: "target.file.sha1" - view_label: "UDM" - description: "The SHA1 hash of the file." 
- } # dimension target__file__sha1 - - dimension: target__file__sha256 { - type: string - sql: ${TABLE}.target.file.sha256 ;; - group_label: "target" - label: "target.file.sha256" - view_label: "UDM" - description: "The SHA256 hash of the file." - } # dimension target__file__sha256 - - dimension: target__file__signature_info { - hidden: yes - } # dimension target__file__signature_info - - dimension: target__file__signature_info__codesign { - hidden: yes - } # dimension target__file__signature_info__codesign - - dimension_group: target__file__signature_info__codesign__compilation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.file.signature_info.codesign.compilation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.file.signature_info.codesign.compilation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.file.signature_info.codesign.compilation_time" - view_label: "UDM" - description: "Code sign timestamp" - } # dimension target__file__signature_info__codesign__compilation_time - - dimension: target__file__signature_info__codesign__format { - type: string - sql: ${TABLE}.target.file.signature_info.codesign.format ;; - group_label: "target" - label: "target.file.signature_info.codesign.format" - view_label: "UDM" - description: "Code sign format." - } # dimension target__file__signature_info__codesign__format - - dimension: target__file__signature_info__codesign__id { - type: string - sql: ${TABLE}.target.file.signature_info.codesign.id ;; - group_label: "target" - label: "target.file.signature_info.codesign.id" - view_label: "UDM" - description: "Code sign identifier." 
- } # dimension target__file__signature_info__codesign__id - - dimension: target__file__signature_info__sigcheck { - hidden: yes - } # dimension target__file__signature_info__sigcheck - - dimension: target__file__signature_info__sigcheck__signers { - hidden: yes - } # dimension target__file__signature_info__sigcheck__signers - - dimension: target__file__signature_info__sigcheck__verification_message { - type: string - sql: ${TABLE}.target.file.signature_info.sigcheck.verification_message ;; - group_label: "target" - label: "target.file.signature_info.sigcheck.verification_message" - view_label: "UDM" - description: "Status of the certificate. Valid values are \"Signed\", \"Unsigned\" or a description of the certificate anomaly, if found." - } # dimension target__file__signature_info__sigcheck__verification_message - - dimension: target__file__signature_info__sigcheck__verified { - type: yesno - sql: ${TABLE}.target.file.signature_info.sigcheck.verified ;; - group_label: "target" - label: "target.file.signature_info.sigcheck.verified" - view_label: "UDM" - description: "True iff verification_message == \"Signed\"" - } # dimension target__file__signature_info__sigcheck__verified - - dimension: target__file__signature_info__sigcheck__x509 { - hidden: yes - } # dimension target__file__signature_info__sigcheck__x509 - - dimension: target__file__size { - type: number - sql: ${TABLE}.target.file.size ;; - group_label: "target" - label: "target.file.size" - view_label: "UDM" - description: "The size of the file in bytes." 
- } # dimension target__file__size - - dimension: target__file__ssdeep { - type: string - sql: ${TABLE}.target.file.ssdeep ;; - group_label: "target" - label: "target.file.ssdeep" - view_label: "UDM" - description: "Ssdeep of the file" - } # dimension target__file__ssdeep - - dimension: target__file__tags { - hidden: yes - } # dimension target__file__tags - - dimension: target__file__vhash { - type: string - sql: ${TABLE}.target.file.vhash ;; - group_label: "target" - label: "target.file.vhash" - view_label: "UDM" - description: "Vhash of the file." - } # dimension target__file__vhash - - dimension: target__group { - hidden: yes - } # dimension target__group - - dimension: target__group__attribute { - hidden: yes - } # dimension target__group__attribute - - dimension: target__group__attribute__labels { - hidden: yes - } # dimension target__group__attribute__labels - - dimension: target__group__attribute__permissions { - hidden: yes - } # dimension target__group__attribute__permissions - - dimension: target__group__attribute__roles { - hidden: yes - } # dimension target__group__attribute__roles - - dimension_group: target__group__creation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.group.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.group.creation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - group_item_label: "target.group.creation_time [D]" - label: "target.group.creation_time" - view_label: "UDM" - description: "Group creation time. Deprecated: creation_time should be populated in Attribute as generic metadata. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension target__group__creation_time - - dimension: target__group__email_addresses { - hidden: yes - } # dimension target__group__email_addresses - - dimension: target__group__group_display_name { - type: string - sql: ${TABLE}.target.group.group_display_name ;; - group_label: "target" - label: "target.group.group_display_name" - view_label: "UDM" - description: "Group display name. e.g. \"Finance\"." - } # dimension target__group__group_display_name - - dimension: target__group__product_object_id { - type: string - sql: ${TABLE}.target.group.product_object_id ;; - group_label: "target" - label: "target.group.product_object_id" - view_label: "UDM" - description: "Product globally unique user object identifier, such as an LDAP Object Identifier." - } # dimension target__group__product_object_id - - dimension: target__group__windows_sid { - type: string - sql: ${TABLE}.target.group.windows_sid ;; - group_label: "target" - label: "target.group.windows_sid" - view_label: "UDM" - description: "Microsoft Windows SID of the group." - } # dimension target__group__windows_sid - - dimension: target__hostname { - type: string - sql: ${TABLE}.target.hostname ;; - group_label: "target" - label: "target.hostname" - view_label: "UDM" - description: "Client hostname or domain name field. Hostname also doubles as the domain for remote entities." - } # dimension target__hostname - - dimension: target__investigation { - hidden: yes - } # dimension target__investigation - - dimension: target__investigation__comments { - hidden: yes - } # dimension target__investigation__comments - - dimension: target__investigation__severity_score { - type: number - sql: ${TABLE}.target.investigation.severity_score ;; - group_label: "target" - label: "target.investigation.severity_score" - view_label: "UDM" - description: "Severity score for a finding set by an analyst." 
- } # dimension target__investigation__severity_score - - dimension: target__ip { - hidden: yes - } # dimension target__ip - - dimension: target__ip_geo_artifact { - hidden: yes - } # dimension target__ip_geo_artifact - - dimension: target__ip_location { - hidden: yes - } # dimension target__ip_location - - dimension: target__labels { - hidden: yes - } # dimension target__labels - - dimension: target__location { - hidden: yes - } # dimension target__location - - dimension: target__location__city { - type: string - sql: ${TABLE}.target.location.city ;; - group_label: "target" - label: "target.location.city" - view_label: "UDM" - description: "The city." - } # dimension target__location__city - - dimension: target__location__country_or_region { - type: string - sql: ${TABLE}.target.location.country_or_region ;; - group_label: "target" - label: "target.location.country_or_region" - view_label: "UDM" - description: "The country or region." - } # dimension target__location__country_or_region - - dimension: target__location__name { - type: string - sql: ${TABLE}.target.location.name ;; - group_label: "target" - label: "target.location.name" - view_label: "UDM" - description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." - } # dimension target__location__name - - dimension: target__location__region_coordinates { - type: location - sql_latitude: ${TABLE}.target.location.region_coordinates.latitude ;; - sql_longitude: ${TABLE}.target.location.region_coordinates.longitude ;; - group_label: "target" - group_item_label: "target.location.region_coordinates [L]" - label: "target.location.region_coordinates" - view_label: "UDM" - description: "Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. [L]: This is a location field and can be used in maps." 
- } # dimension target__location__region_coordinates - - dimension: target__location__region_latitude { - type: number - sql: ${TABLE}.target.location.region_latitude ;; - group_label: "target" - group_item_label: "target.location.region_latitude [D]" - label: "target.location.region_latitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__location__region_latitude - - dimension: target__location__region_longitude { - type: number - sql: ${TABLE}.target.location.region_longitude ;; - group_label: "target" - group_item_label: "target.location.region_longitude [D]" - label: "target.location.region_longitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__location__region_longitude - - dimension: target__location__location { - type: location - sql_latitude: ${TABLE}.target.location.region_latitude ;; - sql_longitude: ${TABLE}.target.location.region_longitude ;; - group_label: "target" - group_item_label: "target.location.location [D][L]" - label: "target.location.location" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." - } # dimension target__location__location - - dimension: target__location__state { - type: string - sql: ${TABLE}.target.location.state ;; - group_label: "target" - label: "target.location.state" - view_label: "UDM" - description: "The state." - } # dimension target__location__state - - dimension: target__mac { - hidden: yes - } # dimension target__mac - - dimension: target__namespace { - type: string - sql: ${TABLE}.target.namespace ;; - group_label: "target" - label: "target.namespace" - view_label: "UDM" - description: "Namespace which the device belongs to (e.g. 
AD forest) Uses for this field include Microsoft Windows AD forest, name of subsidiary or acquisition, etc." - } # dimension target__namespace - - dimension: target__nat_ip { - hidden: yes - } # dimension target__nat_ip - - dimension: target__nat_port { - type: number - value_format: "#" - sql: ${TABLE}.target.nat_port ;; - group_label: "target" - label: "target.nat_port" - view_label: "UDM" - description: "NAT external network port number when a specific network connection is described within an event." - } # dimension target__nat_port - - dimension: target__network { - hidden: yes - } # dimension target__network - - dimension: target__network__http { - hidden: yes - } # dimension target__network__http - - dimension: target__network__http__method { - type: string - sql: ${TABLE}.target.network.http.method ;; - group_label: "target" - label: "target.network.http.method" - view_label: "UDM" - description: "The HTTP request method (e.g. \"GET\", \"POST\", \"PATCH\", \"DELETE\")." - } # dimension target__network__http__method - - dimension: target__network__http__referral_url { - type: string - sql: ${TABLE}.target.network.http.referral_url ;; - group_label: "target" - label: "target.network.http.referral_url" - view_label: "UDM" - description: "The URL for the HTTP referer." - } # dimension target__network__http__referral_url - - dimension: target__platform { - type: number - sql: ${TABLE}.target.platform ;; - group_label: "target" - label: "target.platform" - view_label: "UDM" - description: "Platform." 
- } # dimension target__platform - - dimension: target__platform_enum_name { - type: string - suggestions: ["ANDROID", "AWS", "AZURE", "CHROME_OS", "GCP", "IOS", "LINUX", "MAC", "UNKNOWN_PLATFORM", "WINDOWS"] - sql: CASE ${TABLE}.target.platform WHEN 0 THEN 'UNKNOWN_PLATFORM' WHEN 1 THEN 'WINDOWS' WHEN 2 THEN 'MAC' WHEN 3 THEN 'LINUX' WHEN 4 THEN 'GCP' WHEN 5 THEN 'AWS' WHEN 6 THEN 'AZURE' WHEN 7 THEN 'IOS' WHEN 8 THEN 'ANDROID' WHEN 9 THEN 'CHROME_OS' END ;; - group_label: "target" - label: "target.platform_enum_name" - view_label: "UDM" - description: "Platform." - } # dimension target__platform_enum_name - - dimension: target__platform_patch_level { - type: string - sql: ${TABLE}.target.platform_patch_level ;; - group_label: "target" - label: "target.platform_patch_level" - view_label: "UDM" - description: "Platform patch level. For example, \"Build 17134.48\"" - } # dimension target__platform_patch_level - - dimension: target__platform_version { - type: string - sql: ${TABLE}.target.platform_version ;; - group_label: "target" - label: "target.platform_version" - view_label: "UDM" - description: "Platform version. For example, \"Microsoft Windows 1803\"." - } # dimension target__platform_version - - dimension: target__port { - type: number - value_format: "#" - sql: ${TABLE}.target.port ;; - group_label: "target" - label: "target.port" - view_label: "UDM" - description: "Source or destination network port number when a specific network connection is described within an event." - } # dimension target__port - - dimension: target__process { - hidden: yes - } # dimension target__process - - dimension: target__process__access_mask { - type: number - sql: ${TABLE}.target.process.access_mask ;; - group_label: "target" - label: "target.process.access_mask" - view_label: "UDM" - description: "A bit mask representing the level of access." 
- } # dimension target__process__access_mask - - dimension: target__process__command_line { - type: string - sql: ${TABLE}.target.process.command_line ;; - group_label: "target" - label: "target.process.command_line" - view_label: "UDM" - description: "The command line command that created the process." - } # dimension target__process__command_line - - dimension: target__process__command_line_history { - hidden: yes - } # dimension target__process__command_line_history - - dimension: target__process__file { - hidden: yes - } # dimension target__process__file - - dimension: target__process__file__capabilities_tags { - hidden: yes - } # dimension target__process__file__capabilities_tags - - dimension: target__process__file__file_metadata { - hidden: yes - } # dimension target__process__file__file_metadata - - dimension: target__process__file__file_metadata__pe { - hidden: yes - } # dimension target__process__file__file_metadata__pe - - dimension: target__process__file__file_metadata__pe__import_hash { - type: string - sql: ${TABLE}.target.process.file.file_metadata.pe.import_hash ;; - group_label: "target" - group_item_label: "target.process.file.file_metadata.pe.import_hash [D]" - label: "target.process.file.file_metadata.pe.import_hash" - view_label: "UDM" - description: "Hash of PE imports. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__process__file__file_metadata__pe__import_hash - - dimension: target__process__file__file_type { - type: number - sql: ${TABLE}.target.process.file.file_type ;; - group_label: "target" - label: "target.process.file.file_type" - view_label: "UDM" - description: "FileType field." 
- } # dimension target__process__file__file_type - - dimension: target__process__file__file_type_enum_name { - type: string - suggestions: ["FILE_TYPE_ACE", "FILE_TYPE_ANDROID", "FILE_TYPE_APPLE", "FILE_TYPE_APPLEDOUBLE", "FILE_TYPE_APPLESCRIPT", "FILE_TYPE_APPLESCRIPT_COMPILED", "FILE_TYPE_APPLESINGLE", "FILE_TYPE_APPLE_PLIST", "FILE_TYPE_ARC", "FILE_TYPE_ARJ", "FILE_TYPE_ASD", "FILE_TYPE_ASF", "FILE_TYPE_AVI", "FILE_TYPE_AWK", "FILE_TYPE_BLACKHOLE", "FILE_TYPE_BMP", "FILE_TYPE_BZIP", "FILE_TYPE_C", "FILE_TYPE_CAB", "FILE_TYPE_CAP", "FILE_TYPE_CHM", "FILE_TYPE_COFF", "FILE_TYPE_COOKIE", "FILE_TYPE_CPP", "FILE_TYPE_CRX", "FILE_TYPE_DEB", "FILE_TYPE_DIB", "FILE_TYPE_DIVX", "FILE_TYPE_DMG", "FILE_TYPE_DOC", "FILE_TYPE_DOCX", "FILE_TYPE_DOS_COM", "FILE_TYPE_DOS_EXE", "FILE_TYPE_DYALOG", "FILE_TYPE_DZIP", "FILE_TYPE_EBOOK", "FILE_TYPE_ELF", "FILE_TYPE_EMAIL_TYPE", "FILE_TYPE_EMF", "FILE_TYPE_EOT", "FILE_TYPE_EPS", "FILE_TYPE_FLA", "FILE_TYPE_FLAC", "FILE_TYPE_FLC", "FILE_TYPE_FLI", "FILE_TYPE_FLV", "FILE_TYPE_FORTRAN", "FILE_TYPE_FPX", "FILE_TYPE_GIF", "FILE_TYPE_GIMP", "FILE_TYPE_GUL", "FILE_TYPE_GZIP", "FILE_TYPE_HTML", "FILE_TYPE_HWP", "FILE_TYPE_ICO", "FILE_TYPE_IN_DESIGN", "FILE_TYPE_IPHONE", "FILE_TYPE_ISOIMAGE", "FILE_TYPE_JAR", "FILE_TYPE_JAVA", "FILE_TYPE_JAVASCRIPT", "FILE_TYPE_JAVA_BYTECODE", "FILE_TYPE_JNG", "FILE_TYPE_JPEG", "FILE_TYPE_KGB", "FILE_TYPE_LATEX", "FILE_TYPE_LINUX", "FILE_TYPE_LINUX_KERNEL", "FILE_TYPE_LNK", "FILE_TYPE_MACH_O", "FILE_TYPE_MACINTOSH", "FILE_TYPE_MACINTOSH_HFS", "FILE_TYPE_MACINTOSH_LIB", "FILE_TYPE_MIDI", "FILE_TYPE_MOV", "FILE_TYPE_MP3", "FILE_TYPE_MP4", "FILE_TYPE_MPEG", "FILE_TYPE_MSCOMPRESS", "FILE_TYPE_MSI", "FILE_TYPE_NE_DLL", "FILE_TYPE_NE_EXE", "FILE_TYPE_ODF", "FILE_TYPE_ODG", "FILE_TYPE_ODP", "FILE_TYPE_ODS", "FILE_TYPE_ODT", "FILE_TYPE_OGG", "FILE_TYPE_OUTLOOK", "FILE_TYPE_PALMOS", "FILE_TYPE_PASCAL", "FILE_TYPE_PDF", "FILE_TYPE_PERL", "FILE_TYPE_PE_DLL", "FILE_TYPE_PE_EXE", "FILE_TYPE_PHP", "FILE_TYPE_PKG", 
"FILE_TYPE_PNG", "FILE_TYPE_POWERSHELL", "FILE_TYPE_PPSX", "FILE_TYPE_PPT", "FILE_TYPE_PPTX", "FILE_TYPE_PS", "FILE_TYPE_PSD", "FILE_TYPE_PYTHON", "FILE_TYPE_QUICKTIME", "FILE_TYPE_RAR", "FILE_TYPE_RM", "FILE_TYPE_ROM", "FILE_TYPE_RPM", "FILE_TYPE_RTF", "FILE_TYPE_RUBY", "FILE_TYPE_RZIP", "FILE_TYPE_SCRIPT", "FILE_TYPE_SEVENZIP", "FILE_TYPE_SHELLSCRIPT", "FILE_TYPE_SVG", "FILE_TYPE_SWF", "FILE_TYPE_SYMBIAN", "FILE_TYPE_T3GP", "FILE_TYPE_TAR", "FILE_TYPE_TARGA", "FILE_TYPE_TEXT", "FILE_TYPE_TIFF", "FILE_TYPE_TORRENT", "FILE_TYPE_TTF", "FILE_TYPE_UNSPECIFIED", "FILE_TYPE_VBA", "FILE_TYPE_WAV", "FILE_TYPE_WEBP", "FILE_TYPE_WINCE", "FILE_TYPE_WMA", "FILE_TYPE_WMV", "FILE_TYPE_WOFF", "FILE_TYPE_XLS", "FILE_TYPE_XLSX", "FILE_TYPE_XML", "FILE_TYPE_XPI", "FILE_TYPE_XWD", "FILE_TYPE_ZIP", "FILE_TYPE_ZLIB"] - sql: CASE ${TABLE}.target.process.file.file_type WHEN 0 THEN 'FILE_TYPE_UNSPECIFIED' WHEN 1 THEN 'FILE_TYPE_PE_EXE' WHEN 2 THEN 'FILE_TYPE_PE_DLL' WHEN 3 THEN 'FILE_TYPE_MSI' WHEN 10 THEN 'FILE_TYPE_NE_EXE' WHEN 11 THEN 'FILE_TYPE_NE_DLL' WHEN 20 THEN 'FILE_TYPE_DOS_EXE' WHEN 21 THEN 'FILE_TYPE_DOS_COM' WHEN 30 THEN 'FILE_TYPE_COFF' WHEN 31 THEN 'FILE_TYPE_ELF' WHEN 32 THEN 'FILE_TYPE_LINUX_KERNEL' WHEN 33 THEN 'FILE_TYPE_RPM' WHEN 34 THEN 'FILE_TYPE_LINUX' WHEN 35 THEN 'FILE_TYPE_MACH_O' WHEN 36 THEN 'FILE_TYPE_JAVA_BYTECODE' WHEN 37 THEN 'FILE_TYPE_DMG' WHEN 38 THEN 'FILE_TYPE_DEB' WHEN 39 THEN 'FILE_TYPE_PKG' WHEN 50 THEN 'FILE_TYPE_LNK' WHEN 100 THEN 'FILE_TYPE_JPEG' WHEN 101 THEN 'FILE_TYPE_TIFF' WHEN 102 THEN 'FILE_TYPE_GIF' WHEN 103 THEN 'FILE_TYPE_PNG' WHEN 104 THEN 'FILE_TYPE_BMP' WHEN 105 THEN 'FILE_TYPE_GIMP' WHEN 106 THEN 'FILE_TYPE_IN_DESIGN' WHEN 107 THEN 'FILE_TYPE_PSD' WHEN 108 THEN 'FILE_TYPE_TARGA' WHEN 109 THEN 'FILE_TYPE_XWD' WHEN 110 THEN 'FILE_TYPE_DIB' WHEN 111 THEN 'FILE_TYPE_JNG' WHEN 112 THEN 'FILE_TYPE_ICO' WHEN 113 THEN 'FILE_TYPE_FPX' WHEN 114 THEN 'FILE_TYPE_EPS' WHEN 115 THEN 'FILE_TYPE_SVG' WHEN 116 THEN 'FILE_TYPE_EMF' WHEN 117 THEN 
'FILE_TYPE_WEBP' WHEN 150 THEN 'FILE_TYPE_OGG' WHEN 151 THEN 'FILE_TYPE_FLC' WHEN 152 THEN 'FILE_TYPE_FLI' WHEN 153 THEN 'FILE_TYPE_MP3' WHEN 154 THEN 'FILE_TYPE_FLAC' WHEN 155 THEN 'FILE_TYPE_WAV' WHEN 156 THEN 'FILE_TYPE_MIDI' WHEN 157 THEN 'FILE_TYPE_AVI' WHEN 158 THEN 'FILE_TYPE_MPEG' WHEN 159 THEN 'FILE_TYPE_QUICKTIME' WHEN 160 THEN 'FILE_TYPE_ASF' WHEN 161 THEN 'FILE_TYPE_DIVX' WHEN 162 THEN 'FILE_TYPE_FLV' WHEN 163 THEN 'FILE_TYPE_WMA' WHEN 164 THEN 'FILE_TYPE_WMV' WHEN 165 THEN 'FILE_TYPE_RM' WHEN 166 THEN 'FILE_TYPE_MOV' WHEN 167 THEN 'FILE_TYPE_MP4' WHEN 168 THEN 'FILE_TYPE_T3GP' WHEN 200 THEN 'FILE_TYPE_PDF' WHEN 201 THEN 'FILE_TYPE_PS' WHEN 202 THEN 'FILE_TYPE_DOC' WHEN 203 THEN 'FILE_TYPE_DOCX' WHEN 204 THEN 'FILE_TYPE_PPT' WHEN 205 THEN 'FILE_TYPE_PPTX' WHEN 209 THEN 'FILE_TYPE_PPSX' WHEN 206 THEN 'FILE_TYPE_XLS' WHEN 207 THEN 'FILE_TYPE_XLSX' WHEN 208 THEN 'FILE_TYPE_RTF' WHEN 250 THEN 'FILE_TYPE_ODP' WHEN 251 THEN 'FILE_TYPE_ODS' WHEN 252 THEN 'FILE_TYPE_ODT' WHEN 253 THEN 'FILE_TYPE_HWP' WHEN 254 THEN 'FILE_TYPE_GUL' WHEN 255 THEN 'FILE_TYPE_ODF' WHEN 256 THEN 'FILE_TYPE_ODG' WHEN 260 THEN 'FILE_TYPE_EBOOK' WHEN 261 THEN 'FILE_TYPE_LATEX' WHEN 262 THEN 'FILE_TYPE_TTF' WHEN 263 THEN 'FILE_TYPE_EOT' WHEN 264 THEN 'FILE_TYPE_WOFF' WHEN 265 THEN 'FILE_TYPE_CHM' WHEN 300 THEN 'FILE_TYPE_ZIP' WHEN 301 THEN 'FILE_TYPE_GZIP' WHEN 302 THEN 'FILE_TYPE_BZIP' WHEN 303 THEN 'FILE_TYPE_RZIP' WHEN 304 THEN 'FILE_TYPE_DZIP' WHEN 305 THEN 'FILE_TYPE_SEVENZIP' WHEN 306 THEN 'FILE_TYPE_CAB' WHEN 307 THEN 'FILE_TYPE_JAR' WHEN 308 THEN 'FILE_TYPE_RAR' WHEN 309 THEN 'FILE_TYPE_MSCOMPRESS' WHEN 310 THEN 'FILE_TYPE_ACE' WHEN 311 THEN 'FILE_TYPE_ARC' WHEN 312 THEN 'FILE_TYPE_ARJ' WHEN 313 THEN 'FILE_TYPE_ASD' WHEN 314 THEN 'FILE_TYPE_BLACKHOLE' WHEN 315 THEN 'FILE_TYPE_KGB' WHEN 316 THEN 'FILE_TYPE_ZLIB' WHEN 317 THEN 'FILE_TYPE_TAR' WHEN 400 THEN 'FILE_TYPE_TEXT' WHEN 401 THEN 'FILE_TYPE_SCRIPT' WHEN 402 THEN 'FILE_TYPE_PHP' WHEN 403 THEN 'FILE_TYPE_PYTHON' WHEN 404 THEN 
'FILE_TYPE_PERL' WHEN 405 THEN 'FILE_TYPE_RUBY' WHEN 406 THEN 'FILE_TYPE_C' WHEN 407 THEN 'FILE_TYPE_CPP' WHEN 408 THEN 'FILE_TYPE_JAVA' WHEN 409 THEN 'FILE_TYPE_SHELLSCRIPT' WHEN 410 THEN 'FILE_TYPE_PASCAL' WHEN 411 THEN 'FILE_TYPE_AWK' WHEN 412 THEN 'FILE_TYPE_DYALOG' WHEN 413 THEN 'FILE_TYPE_FORTRAN' WHEN 414 THEN 'FILE_TYPE_JAVASCRIPT' WHEN 415 THEN 'FILE_TYPE_POWERSHELL' WHEN 416 THEN 'FILE_TYPE_VBA' WHEN 500 THEN 'FILE_TYPE_SYMBIAN' WHEN 501 THEN 'FILE_TYPE_PALMOS' WHEN 502 THEN 'FILE_TYPE_WINCE' WHEN 503 THEN 'FILE_TYPE_ANDROID' WHEN 504 THEN 'FILE_TYPE_IPHONE' WHEN 600 THEN 'FILE_TYPE_HTML' WHEN 601 THEN 'FILE_TYPE_XML' WHEN 602 THEN 'FILE_TYPE_SWF' WHEN 603 THEN 'FILE_TYPE_FLA' WHEN 604 THEN 'FILE_TYPE_COOKIE' WHEN 605 THEN 'FILE_TYPE_TORRENT' WHEN 606 THEN 'FILE_TYPE_EMAIL_TYPE' WHEN 607 THEN 'FILE_TYPE_OUTLOOK' WHEN 700 THEN 'FILE_TYPE_CAP' WHEN 800 THEN 'FILE_TYPE_ISOIMAGE' WHEN 1000 THEN 'FILE_TYPE_APPLE' WHEN 1001 THEN 'FILE_TYPE_MACINTOSH' WHEN 1002 THEN 'FILE_TYPE_APPLESINGLE' WHEN 1003 THEN 'FILE_TYPE_APPLEDOUBLE' WHEN 1004 THEN 'FILE_TYPE_MACINTOSH_HFS' WHEN 1005 THEN 'FILE_TYPE_APPLE_PLIST' WHEN 1006 THEN 'FILE_TYPE_MACINTOSH_LIB' WHEN 1007 THEN 'FILE_TYPE_APPLESCRIPT' WHEN 1008 THEN 'FILE_TYPE_APPLESCRIPT_COMPILED' WHEN 1100 THEN 'FILE_TYPE_CRX' WHEN 1101 THEN 'FILE_TYPE_XPI' WHEN 1200 THEN 'FILE_TYPE_ROM' END ;; - group_label: "target" - label: "target.process.file.file_type_enum_name" - view_label: "UDM" - description: "FileType field." - } # dimension target__process__file__file_type_enum_name - - dimension: target__process__file__full_path { - type: string - sql: ${TABLE}.target.process.file.full_path ;; - group_label: "target" - label: "target.process.file.full_path" - view_label: "UDM" - description: "The full path identifying the location of the file on the system." 
- } # dimension target__process__file__full_path - - dimension: target__process__file__md5 { - type: string - sql: ${TABLE}.target.process.file.md5 ;; - group_label: "target" - label: "target.process.file.md5" - view_label: "UDM" - description: "The MD5 hash of the file." - } # dimension target__process__file__md5 - - dimension: target__process__file__mime_type { - type: string - sql: ${TABLE}.target.process.file.mime_type ;; - group_label: "target" - label: "target.process.file.mime_type" - view_label: "UDM" - description: "The MIME (Multipurpose Internet Mail Extensions) type of the file, for example \"PE\", \"PDF\", \"powershell script\", etc." - } # dimension target__process__file__mime_type - - dimension: target__process__file__names { - hidden: yes - } # dimension target__process__file__names - - dimension: target__process__file__pe_file { - hidden: yes - } # dimension target__process__file__pe_file - - dimension: target__process__file__pe_file__signature_info { - hidden: yes - } # dimension target__process__file__pe_file__signature_info - - dimension: target__process__file__pe_file__signature_info__signer { - hidden: yes - } # dimension target__process__file__pe_file__signature_info__signer - - dimension: target__process__file__pe_file__signature_info__verification_message { - type: string - sql: ${TABLE}.target.process.file.pe_file.signature_info.verification_message ;; - group_label: "target" - group_item_label: "target.process.file.pe_file.signature_info.verification_message [D]" - label: "target.process.file.pe_file.signature_info.verification_message" - view_label: "UDM" - description: "Status of the certificate. Valid values are \"Signed\", \"Unsigned\" or a description of the certificate anomaly, if found. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension target__process__file__pe_file__signature_info__verification_message - - dimension: target__process__file__sha1 { - type: string - sql: ${TABLE}.target.process.file.sha1 ;; - group_label: "target" - label: "target.process.file.sha1" - view_label: "UDM" - description: "The SHA1 hash of the file." - } # dimension target__process__file__sha1 - - dimension: target__process__file__sha256 { - type: string - sql: ${TABLE}.target.process.file.sha256 ;; - group_label: "target" - label: "target.process.file.sha256" - view_label: "UDM" - description: "The SHA256 hash of the file." - } # dimension target__process__file__sha256 - - dimension: target__process__file__size { - type: number - sql: ${TABLE}.target.process.file.size ;; - group_label: "target" - label: "target.process.file.size" - view_label: "UDM" - description: "The size of the file in bytes." - } # dimension target__process__file__size - - dimension: target__process__parent_pid { - type: string - sql: ${TABLE}.target.process.parent_pid ;; - group_label: "target" - group_item_label: "target.process.parent_pid [D]" - label: "target.process.parent_pid" - view_label: "UDM" - description: "The ID of the parent process. Deprecated: use parent_process.pid instead. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__process__parent_pid - - dimension: target__process__parent_process { - hidden: yes - } # dimension target__process__parent_process - - dimension: target__process__parent_process__command_line { - type: string - sql: ${TABLE}.target.process.parent_process.command_line ;; - group_label: "target" - label: "target.process.parent_process.command_line" - view_label: "UDM" - description: "The command line command that created the process." 
- } # dimension target__process__parent_process__command_line - - dimension: target__process__parent_process__file { - hidden: yes - } # dimension target__process__parent_process__file - - dimension: target__process__parent_process__file__capabilities_tags { - hidden: yes - } # dimension target__process__parent_process__file__capabilities_tags - - dimension: target__process__parent_process__file__full_path { - type: string - sql: ${TABLE}.target.process.parent_process.file.full_path ;; - group_label: "target" - label: "target.process.parent_process.file.full_path" - view_label: "UDM" - description: "The full path identifying the location of the file on the system." - } # dimension target__process__parent_process__file__full_path - - dimension: target__process__parent_process__file__md5 { - type: string - sql: ${TABLE}.target.process.parent_process.file.md5 ;; - group_label: "target" - label: "target.process.parent_process.file.md5" - view_label: "UDM" - description: "The MD5 hash of the file." - } # dimension target__process__parent_process__file__md5 - - dimension: target__process__parent_process__file__names { - hidden: yes - } # dimension target__process__parent_process__file__names - - dimension: target__process__parent_process__file__sha1 { - type: string - sql: ${TABLE}.target.process.parent_process.file.sha1 ;; - group_label: "target" - label: "target.process.parent_process.file.sha1" - view_label: "UDM" - description: "The SHA1 hash of the file." - } # dimension target__process__parent_process__file__sha1 - - dimension: target__process__parent_process__file__sha256 { - type: string - sql: ${TABLE}.target.process.parent_process.file.sha256 ;; - group_label: "target" - label: "target.process.parent_process.file.sha256" - view_label: "UDM" - description: "The SHA256 hash of the file." 
- } # dimension target__process__parent_process__file__sha256 - - dimension: target__process__parent_process__parent_pid { - type: string - sql: ${TABLE}.target.process.parent_process.parent_pid ;; - group_label: "target" - group_item_label: "target.process.parent_process.parent_pid [D]" - label: "target.process.parent_process.parent_pid" - view_label: "UDM" - description: "The ID of the parent process. Deprecated: use parent_process.pid instead. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__process__parent_process__parent_pid - - dimension: target__process__parent_process__pid { - type: string - sql: ${TABLE}.target.process.parent_process.pid ;; - group_label: "target" - label: "target.process.parent_process.pid" - view_label: "UDM" - description: "The process ID." - } # dimension target__process__parent_process__pid - - dimension: target__process__parent_process__product_specific_process_id { - type: string - sql: ${TABLE}.target.process.parent_process.product_specific_process_id ;; - group_label: "target" - label: "target.process.parent_process.product_specific_process_id" - view_label: "UDM" - description: "A product specific process id." - } # dimension target__process__parent_process__product_specific_process_id - - dimension: target__process__pid { - type: string - sql: ${TABLE}.target.process.pid ;; - group_label: "target" - label: "target.process.pid" - view_label: "UDM" - description: "The process ID." - } # dimension target__process__pid - - dimension: target__process__product_specific_parent_process_id { - type: string - sql: ${TABLE}.target.process.product_specific_parent_process_id ;; - group_label: "target" - group_item_label: "target.process.product_specific_parent_process_id [D]" - label: "target.process.product_specific_parent_process_id" - view_label: "UDM" - description: "A product specific id for the parent process. Please use parent_process.product_specific_process_id instead. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension target__process__product_specific_parent_process_id - - dimension: target__process__product_specific_process_id { - type: string - sql: ${TABLE}.target.process.product_specific_process_id ;; - group_label: "target" - label: "target.process.product_specific_process_id" - view_label: "UDM" - description: "A product specific process id." - } # dimension target__process__product_specific_process_id - - dimension: target__process_ancestors { - hidden: yes - } # dimension target__process_ancestors - - dimension: target__registry { - hidden: yes - } # dimension target__registry - - dimension: target__registry__registry_key { - type: string - sql: ${TABLE}.target.registry.registry_key ;; - group_label: "target" - label: "target.registry.registry_key" - view_label: "UDM" - description: "Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...)." - } # dimension target__registry__registry_key - - dimension: target__registry__registry_value_data { - type: string - sql: ${TABLE}.target.registry.registry_value_data ;; - group_label: "target" - label: "target.registry.registry_value_data" - view_label: "UDM" - description: "Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp)." - } # dimension target__registry__registry_value_data - - dimension: target__registry__registry_value_name { - type: string - sql: ${TABLE}.target.registry.registry_value_name ;; - group_label: "target" - label: "target.registry.registry_value_name" - view_label: "UDM" - description: "Name of the registry value associated with an application or system component (e.g. TEMP)." 
- } # dimension target__registry__registry_value_name - - dimension: target__resource { - hidden: yes - } # dimension target__resource - - dimension: target__resource__attribute { - hidden: yes - } # dimension target__resource__attribute - - dimension: target__resource__attribute__cloud { - hidden: yes - } # dimension target__resource__attribute__cloud - - dimension: target__resource__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.target.resource.attribute.cloud.availability_zone ;; - group_label: "target" - label: "target.resource.attribute.cloud.availability_zone" - view_label: "UDM" - description: "The cloud environment availability zone (different from region which is location.name)." - } # dimension target__resource__attribute__cloud__availability_zone - - dimension: target__resource__attribute__cloud__environment { - type: number - sql: ${TABLE}.target.resource.attribute.cloud.environment ;; - group_label: "target" - label: "target.resource.attribute.cloud.environment" - view_label: "UDM" - description: "The Cloud environment." - } # dimension target__resource__attribute__cloud__environment - - dimension: target__resource__attribute__cloud__environment_enum_name { - type: string - suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] - sql: CASE ${TABLE}.target.resource.attribute.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; - group_label: "target" - label: "target.resource.attribute.cloud.environment_enum_name" - view_label: "UDM" - description: "The Cloud environment." 
- } # dimension target__resource__attribute__cloud__environment_enum_name - - dimension: target__resource__attribute__cloud__project { - hidden: yes - } # dimension target__resource__attribute__cloud__project - - dimension: target__resource__attribute__cloud__project__id { - type: string - sql: ${TABLE}.target.resource.attribute.cloud.project.id ;; - group_label: "target" - group_item_label: "target.resource.attribute.cloud.project.id [D]" - label: "target.resource.attribute.cloud.project.id" - view_label: "UDM" - description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__resource__attribute__cloud__project__id - - dimension: target__resource__attribute__cloud__project__name { - type: string - sql: ${TABLE}.target.resource.attribute.cloud.project.name ;; - group_label: "target" - group_item_label: "target.resource.attribute.cloud.project.name [D]" - label: "target.resource.attribute.cloud.project.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__resource__attribute__cloud__project__name - - dimension_group: target__resource__attribute__creation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.resource.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.resource.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.resource.attribute.creation_time" - view_label: "UDM" - description: "Time the resource or entity was created or provisioned." 
- } # dimension target__resource__attribute__creation_time - - dimension: target__resource__attribute__labels { - hidden: yes - } # dimension target__resource__attribute__labels - - dimension_group: target__resource__attribute__last_update_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.resource.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.resource.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.resource.attribute.last_update_time" - view_label: "UDM" - description: "Time the resource or entity was last updated." - } # dimension target__resource__attribute__last_update_time - - dimension: target__resource__attribute__permissions { - hidden: yes - } # dimension target__resource__attribute__permissions - - dimension: target__resource__attribute__roles { - hidden: yes - } # dimension target__resource__attribute__roles - - dimension: target__resource__id { - type: string - sql: ${TABLE}.target.resource.id ;; - group_label: "target" - group_item_label: "target.resource.id [D]" - label: "target.resource.id" - view_label: "UDM" - description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__resource__id - - dimension: target__resource__name { - type: string - sql: ${TABLE}.target.resource.name ;; - group_label: "target" - label: "target.resource.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." 
- } # dimension target__resource__name - - dimension: target__resource__parent { - type: string - sql: ${TABLE}.target.resource.parent ;; - group_label: "target" - group_item_label: "target.resource.parent [D]" - label: "target.resource.parent" - view_label: "UDM" - description: "The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: use resource_ancestors.name. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__resource__parent - - dimension: target__resource__product_object_id { - type: string - sql: ${TABLE}.target.resource.product_object_id ;; - group_label: "target" - label: "target.resource.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" - } # dimension target__resource__product_object_id - - dimension: target__resource__resource_subtype { - type: string - sql: ${TABLE}.target.resource.resource_subtype ;; - group_label: "target" - label: "target.resource.resource_subtype" - view_label: "UDM" - description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\")." - } # dimension target__resource__resource_subtype - - dimension: target__resource__resource_type { - type: number - sql: ${TABLE}.target.resource.resource_type ;; - group_label: "target" - label: "target.resource.resource_type" - view_label: "UDM" - description: "Resource type." 
- } # dimension target__resource__resource_type - - dimension: target__resource__resource_type_enum_name { - type: string - suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] - sql: CASE ${TABLE}.target.resource.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; - group_label: "target" - label: "target.resource.resource_type_enum_name" - view_label: "UDM" - description: "Resource type." - } # dimension target__resource__resource_type_enum_name - - dimension: target__resource__type { - type: string - sql: ${TABLE}.target.resource.type ;; - group_label: "target" - group_item_label: "target.resource.type [D]" - label: "target.resource.type" - view_label: "UDM" - description: "Deprecated: use resource_type instead. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__resource__type - - dimension: target__resource_ancestors { - hidden: yes - } # dimension target__resource_ancestors - - dimension: target__url { - type: string - sql: ${TABLE}.target.url ;; - group_label: "target" - label: "target.url" - view_label: "UDM" - description: "The URL." 
- } # dimension target__url - - dimension: target__user { - hidden: yes - } # dimension target__user - - dimension: target__user__account_type { - type: number - sql: ${TABLE}.target.user.account_type ;; - group_label: "target" - label: "target.user.account_type" - view_label: "UDM" - description: "Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/" - } # dimension target__user__account_type - - dimension: target__user__account_type_enum_name { - type: string - suggestions: ["ACCOUNT_TYPE_UNSPECIFIED", "CLOUD_ACCOUNT_TYPE", "DEFAULT_ACCOUNT_TYPE", "DOMAIN_ACCOUNT_TYPE", "LOCAL_ACCOUNT_TYPE", "SERVICE_ACCOUNT_TYPE"] - sql: CASE ${TABLE}.target.user.account_type WHEN 0 THEN 'ACCOUNT_TYPE_UNSPECIFIED' WHEN 1 THEN 'DOMAIN_ACCOUNT_TYPE' WHEN 2 THEN 'LOCAL_ACCOUNT_TYPE' WHEN 3 THEN 'CLOUD_ACCOUNT_TYPE' WHEN 4 THEN 'SERVICE_ACCOUNT_TYPE' WHEN 5 THEN 'DEFAULT_ACCOUNT_TYPE' END ;; - group_label: "target" - label: "target.user.account_type_enum_name" - view_label: "UDM" - description: "Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/" - } # dimension target__user__account_type_enum_name - - dimension: target__user__attribute { - hidden: yes - } # dimension target__user__attribute - - dimension: target__user__attribute__cloud { - hidden: yes - } # dimension target__user__attribute__cloud - - dimension: target__user__attribute__cloud__environment { - type: number - sql: ${TABLE}.target.user.attribute.cloud.environment ;; - group_label: "target" - label: "target.user.attribute.cloud.environment" - view_label: "UDM" - description: "The Cloud environment." 
- } # dimension target__user__attribute__cloud__environment - - dimension: target__user__attribute__cloud__environment_enum_name { - type: string - suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] - sql: CASE ${TABLE}.target.user.attribute.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; - group_label: "target" - label: "target.user.attribute.cloud.environment_enum_name" - view_label: "UDM" - description: "The Cloud environment." - } # dimension target__user__attribute__cloud__environment_enum_name - - dimension: target__user__attribute__cloud__project { - hidden: yes - } # dimension target__user__attribute__cloud__project - - dimension: target__user__attribute__cloud__project__id { - type: string - sql: ${TABLE}.target.user.attribute.cloud.project.id ;; - group_label: "target" - group_item_label: "target.user.attribute.cloud.project.id [D]" - label: "target.user.attribute.cloud.project.id" - view_label: "UDM" - description: "Deprecated: Use resource.name or resource.product_object_id. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension target__user__attribute__cloud__project__id - - dimension: target__user__attribute__cloud__vpc { - hidden: yes - } # dimension target__user__attribute__cloud__vpc - - dimension: target__user__attribute__cloud__vpc__product_object_id { - type: string - sql: ${TABLE}.target.user.attribute.cloud.vpc.product_object_id ;; - group_label: "target" - group_item_label: "target.user.attribute.cloud.vpc.product_object_id [D]" - label: "target.user.attribute.cloud.vpc.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" - } # dimension target__user__attribute__cloud__vpc__product_object_id - - dimension_group: target__user__attribute__creation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.user.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.user.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.user.attribute.creation_time" - view_label: "UDM" - description: "Time the resource or entity was created or provisioned." 
- } # dimension target__user__attribute__creation_time - - dimension: target__user__attribute__labels { - hidden: yes - } # dimension target__user__attribute__labels - - dimension_group: target__user__attribute__last_update_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.user.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.user.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.user.attribute.last_update_time" - view_label: "UDM" - description: "Time the resource or entity was last updated." - } # dimension target__user__attribute__last_update_time - - dimension: target__user__attribute__permissions { - hidden: yes - } # dimension target__user__attribute__permissions - - dimension: target__user__attribute__roles { - hidden: yes - } # dimension target__user__attribute__roles - - dimension: target__user__company_name { - type: string - sql: ${TABLE}.target.user.company_name ;; - group_label: "target" - label: "target.user.company_name" - view_label: "UDM" - description: "User job company name." - } # dimension target__user__company_name - - dimension: target__user__department { - hidden: yes - } # dimension target__user__department - - dimension: target__user__email_addresses { - hidden: yes - } # dimension target__user__email_addresses - - dimension: target__user__employee_id { - type: string - sql: ${TABLE}.target.user.employee_id ;; - group_label: "target" - label: "target.user.employee_id" - view_label: "UDM" - description: "Human capital management identifier." - } # dimension target__user__employee_id - - dimension: target__user__first_name { - type: string - sql: ${TABLE}.target.user.first_name ;; - group_label: "target" - label: "target.user.first_name" - view_label: "UDM" - description: "First name of the user (e.g. \"John\")." 
- } # dimension target__user__first_name - - dimension: target__user__group_identifiers { - hidden: yes - } # dimension target__user__group_identifiers - - dimension: target__user__groupid { - type: string - sql: ${TABLE}.target.user.groupid ;; - group_label: "target" - group_item_label: "target.user.groupid [D]" - label: "target.user.groupid" - view_label: "UDM" - description: "The ID of the group that the user belongs to. Deprecated in favor of the repeated group_identifiers field. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__user__groupid - - dimension_group: target__user__hire_date { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.user.hire_date.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.user.hire_date.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.user.hire_date" - view_label: "UDM" - description: "User job employment hire date." - } # dimension target__user__hire_date - - dimension: target__user__last_name { - type: string - sql: ${TABLE}.target.user.last_name ;; - group_label: "target" - label: "target.user.last_name" - view_label: "UDM" - description: "Last name of the user (e.g. \"Locke\")." - } # dimension target__user__last_name - - dimension: target__user__managers { - hidden: yes - } # dimension target__user__managers - - dimension: target__user__middle_name { - type: string - sql: ${TABLE}.target.user.middle_name ;; - group_label: "target" - label: "target.user.middle_name" - view_label: "UDM" - description: "Middle name of the user." 
- } # dimension target__user__middle_name - - dimension: target__user__office_address { - hidden: yes - } # dimension target__user__office_address - - dimension: target__user__office_address__city { - type: string - sql: ${TABLE}.target.user.office_address.city ;; - group_label: "target" - label: "target.user.office_address.city" - view_label: "UDM" - description: "The city." - } # dimension target__user__office_address__city - - dimension: target__user__office_address__country_or_region { - type: string - sql: ${TABLE}.target.user.office_address.country_or_region ;; - group_label: "target" - label: "target.user.office_address.country_or_region" - view_label: "UDM" - description: "The country or region." - } # dimension target__user__office_address__country_or_region - - dimension: target__user__office_address__desk_name { - type: string - sql: ${TABLE}.target.user.office_address.desk_name ;; - group_label: "target" - label: "target.user.office_address.desk_name" - view_label: "UDM" - description: "Desk name or individual location, typically for an employee in an office. (e.g. \"IN-BLR-BCPC-11-1121D\")." - } # dimension target__user__office_address__desk_name - - dimension: target__user__office_address__floor_name { - type: string - sql: ${TABLE}.target.user.office_address.floor_name ;; - group_label: "target" - label: "target.user.office_address.floor_name" - view_label: "UDM" - description: "Floor name, number or a combination of the two for a building. (e.g. \"1-A\")." - } # dimension target__user__office_address__floor_name - - dimension: target__user__office_address__name { - type: string - sql: ${TABLE}.target.user.office_address.name ;; - group_label: "target" - label: "target.user.office_address.name" - view_label: "UDM" - description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." 
- } # dimension target__user__office_address__name - - dimension: target__user__office_address__state { - type: string - sql: ${TABLE}.target.user.office_address.state ;; - group_label: "target" - label: "target.user.office_address.state" - view_label: "UDM" - description: "The state." - } # dimension target__user__office_address__state - - dimension: target__user__personal_address { - hidden: yes - } # dimension target__user__personal_address - - dimension: target__user__personal_address__city { - type: string - sql: ${TABLE}.target.user.personal_address.city ;; - group_label: "target" - label: "target.user.personal_address.city" - view_label: "UDM" - description: "The city." - } # dimension target__user__personal_address__city - - dimension: target__user__personal_address__country_or_region { - type: string - sql: ${TABLE}.target.user.personal_address.country_or_region ;; - group_label: "target" - label: "target.user.personal_address.country_or_region" - view_label: "UDM" - description: "The country or region." - } # dimension target__user__personal_address__country_or_region - - dimension: target__user__personal_address__name { - type: string - sql: ${TABLE}.target.user.personal_address.name ;; - group_label: "target" - label: "target.user.personal_address.name" - view_label: "UDM" - description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." - } # dimension target__user__personal_address__name - - dimension: target__user__personal_address__region_latitude { - type: number - sql: ${TABLE}.target.user.personal_address.region_latitude ;; - group_label: "target" - group_item_label: "target.user.personal_address.region_latitude [D]" - label: "target.user.personal_address.region_latitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension target__user__personal_address__region_latitude - - dimension: target__user__personal_address__region_longitude { - type: number - sql: ${TABLE}.target.user.personal_address.region_longitude ;; - group_label: "target" - group_item_label: "target.user.personal_address.region_longitude [D]" - label: "target.user.personal_address.region_longitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__user__personal_address__region_longitude - - dimension: target__user__personal_address__location { - type: location - sql_latitude: ${TABLE}.target.user.personal_address.region_latitude ;; - sql_longitude: ${TABLE}.target.user.personal_address.region_longitude ;; - group_label: "target" - group_item_label: "target.user.personal_address.location [D][L]" - label: "target.user.personal_address.location" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." - } # dimension target__user__personal_address__location - - dimension: target__user__personal_address__state { - type: string - sql: ${TABLE}.target.user.personal_address.state ;; - group_label: "target" - label: "target.user.personal_address.state" - view_label: "UDM" - description: "The state." - } # dimension target__user__personal_address__state - - dimension: target__user__phone_numbers { - hidden: yes - } # dimension target__user__phone_numbers - - dimension: target__user__product_object_id { - type: string - sql: ${TABLE}.target.user.product_object_id ;; - group_label: "target" - label: "target.user.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." 
- } # dimension target__user__product_object_id - - dimension: target__user__role_description { - type: string - sql: ${TABLE}.target.user.role_description ;; - group_label: "target" - group_item_label: "target.user.role_description [D]" - label: "target.user.role_description" - view_label: "UDM" - description: "System role description for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__user__role_description - - dimension: target__user__role_name { - type: string - sql: ${TABLE}.target.user.role_name ;; - group_label: "target" - group_item_label: "target.user.role_name [D]" - label: "target.user.role_name" - view_label: "UDM" - description: "System role name for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__user__role_name - - dimension_group: target__user__termination_date { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.target.user.termination_date.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.target.user.termination_date.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.user.termination_date" - view_label: "UDM" - description: "User job employment termination date." - } # dimension target__user__termination_date - - dimension: target__user__time_off { - hidden: yes - } # dimension target__user__time_off - - dimension: target__user__title { - type: string - sql: ${TABLE}.target.user.title ;; - group_label: "target" - label: "target.user.title" - view_label: "UDM" - description: "User job title." 
- } # dimension target__user__title - - dimension: target__user__user_authentication_status { - type: number - sql: ${TABLE}.target.user.user_authentication_status ;; - group_label: "target" - label: "target.user.user_authentication_status" - view_label: "UDM" - description: "System authentication status for user." - } # dimension target__user__user_authentication_status - - dimension: target__user__user_authentication_status_enum_name { - type: string - suggestions: ["ACTIVE", "DELETED", "NO_ACTIVE_CREDENTIALS", "SUSPENDED", "UNKNOWN_AUTHENTICATION_STATUS"] - sql: CASE ${TABLE}.target.user.user_authentication_status WHEN 0 THEN 'UNKNOWN_AUTHENTICATION_STATUS' WHEN 1 THEN 'ACTIVE' WHEN 2 THEN 'SUSPENDED' WHEN 3 THEN 'NO_ACTIVE_CREDENTIALS' WHEN 4 THEN 'DELETED' END ;; - group_label: "target" - label: "target.user.user_authentication_status_enum_name" - view_label: "UDM" - description: "System authentication status for user." - } # dimension target__user__user_authentication_status_enum_name - - dimension: target__user__user_display_name { - type: string - sql: ${TABLE}.target.user.user_display_name ;; - group_label: "target" - label: "target.user.user_display_name" - view_label: "UDM" - description: "The display name of the user (e.g. \"John Locke\")." - } # dimension target__user__user_display_name - - dimension: target__user__user_role { - type: number - sql: ${TABLE}.target.user.user_role ;; - group_label: "target" - group_item_label: "target.user.user_role [D]" - label: "target.user.user_role" - view_label: "UDM" - description: "System role for user. Deprecated: use attribute.roles. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension target__user__user_role - - dimension: target__user__user_role_enum_name { - type: string - suggestions: ["ADMINISTRATOR", "SERVICE_ACCOUNT", "UNKNOWN_ROLE"] - sql: CASE ${TABLE}.target.user.user_role WHEN 0 THEN 'UNKNOWN_ROLE' WHEN 1 THEN 'ADMINISTRATOR' WHEN 2 THEN 'SERVICE_ACCOUNT' END ;; - group_label: "target" - group_item_label: "target.user.user_role_enum_name [D]" - label: "target.user.user_role_enum_name" - view_label: "UDM" - description: "System role for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" - } # dimension target__user__user_role_enum_name - - dimension: target__user__userid { - type: string - sql: ${TABLE}.target.user.userid ;; - group_label: "target" - label: "target.user.userid" - view_label: "UDM" - description: "The ID of the user." - } # dimension target__user__userid - - dimension: target__user__windows_sid { - type: string - sql: ${TABLE}.target.user.windows_sid ;; - group_label: "target" - label: "target.user.windows_sid" - view_label: "UDM" - description: "The Microsoft Windows SID of the user." - } # dimension target__user__windows_sid - - dimension: target__user_management_chain { - hidden: yes - } # dimension target__user_management_chain - -} # view udm_events - -view: udm_events__about__asset__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "about" - label: "about.asset.attribute.labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "about" - label: "about.asset.attribute.labels.value" - view_label: "UDM" - description: "The value." 
- } # dimension value - -} # view udm_events__about__asset__attribute__labels - -view: udm_events__about__asset__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "about" - label: "about.asset.attribute.permissions.description" - view_label: "UDM" - description: "Description of the permission (e.g. 'Ability to update detect rules')." - } # dimension description - -} # view udm_events__about__asset__attribute__permissions - -view: udm_events__about__asset__hardware { - dimension: manufacturer { - type: string - sql: ${TABLE}.manufacturer ;; - group_label: "about" - label: "about.asset.hardware.manufacturer" - view_label: "UDM" - description: "Hardware manufacturer." - } # dimension manufacturer - - dimension: model { - type: string - sql: ${TABLE}.model ;; - group_label: "about" - label: "about.asset.hardware.model" - view_label: "UDM" - description: "Hardware model." - } # dimension model - - dimension: serial_number { - type: string - sql: ${TABLE}.serial_number ;; - group_label: "about" - label: "about.asset.hardware.serial_number" - view_label: "UDM" - description: "Hardware serial number." - } # dimension serial_number - -} # view udm_events__about__asset__hardware - -view: udm_events__about__asset__ip { - dimension: udm_events__about__asset__ip { - type: string - sql: ${TABLE} ;; - group_label: "about" - label: "about.asset.ip" - view_label: "UDM" - description: "A list of IP addresses associated with an asset." - } # dimension udm_events__about__asset__ip -} # view udm_events__about__asset__ip - -view: udm_events__about__asset__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "about" - group_item_label: "about.asset.labels.key [D]" - label: "about.asset.labels.key" - view_label: "UDM" - description: "The key. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "about" - group_item_label: "about.asset.labels.value [D]" - label: "about.asset.labels.value" - view_label: "UDM" - description: "The value. [D]: This field is deprecated and will be removed in a future release" - } # dimension value - -} # view udm_events__about__asset__labels - -view: udm_events__about__asset__vulnerabilities { - dimension: severity { - type: number - sql: ${TABLE}.severity ;; - group_label: "about" - label: "about.asset.vulnerabilities.severity" - view_label: "UDM" - description: "The severity of the vulnerability." - } # dimension severity - - dimension: severity_enum_name { - type: string - suggestions: ["CRITICAL", "HIGH", "LOW", "MEDIUM", "UNKNOWN_SEVERITY"] - sql: CASE ${TABLE}.severity WHEN 0 THEN 'UNKNOWN_SEVERITY' WHEN 1 THEN 'LOW' WHEN 2 THEN 'MEDIUM' WHEN 3 THEN 'HIGH' WHEN 4 THEN 'CRITICAL' END ;; - group_label: "about" - label: "about.asset.vulnerabilities.severity_enum_name" - view_label: "UDM" - description: "The severity of the vulnerability." - } # dimension severity_enum_name - -} # view udm_events__about__asset__vulnerabilities - -view: udm_events__about__file__capabilities_tags { - dimension: udm_events__about__file__capabilities_tags { - type: string - sql: ${TABLE} ;; - group_label: "about" - label: "about.file.capabilities_tags" - view_label: "UDM" - description: "Capabilities tags." - } # dimension udm_events__about__file__capabilities_tags -} # view udm_events__about__file__capabilities_tags - -view: udm_events__about__file__names { - dimension: udm_events__about__file__names { - type: string - sql: ${TABLE} ;; - group_label: "about" - label: "about.file.names" - view_label: "UDM" - description: "Names fields." 
- } # dimension udm_events__about__file__names -} # view udm_events__about__file__names - -view: udm_events__about__investigation__comments { - dimension: udm_events__about__investigation__comments { - type: string - sql: ${TABLE} ;; - group_label: "about" - label: "about.investigation.comments" - view_label: "UDM" - description: "Comment added by the Analyst." - } # dimension udm_events__about__investigation__comments -} # view udm_events__about__investigation__comments - -view: udm_events__about__ip { - dimension: udm_events__about__ip { - type: string - sql: ${TABLE} ;; - group_label: "about" - label: "about.ip" - view_label: "UDM" - description: "A list of IP addresses associated with a network connection." - } # dimension udm_events__about__ip -} # view udm_events__about__ip - -view: udm_events__about__ip_location { - dimension: country_or_region { - type: string - sql: ${TABLE}.country_or_region ;; - group_label: "about" - group_item_label: "about.ip_location.country_or_region [D]" - label: "about.ip_location.country_or_region" - view_label: "UDM" - description: "The country or region. [D]: This field is deprecated and will be removed in a future release" - } # dimension country_or_region - -} # view udm_events__about__ip_location - -view: udm_events__about__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "about" - group_item_label: "about.labels.key [D]" - label: "about.labels.key" - view_label: "UDM" - description: "The key. [D]: This field is deprecated and will be removed in a future release" - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "about" - group_item_label: "about.labels.value [D]" - label: "about.labels.value" - view_label: "UDM" - description: "The value. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension value - -} # view udm_events__about__labels - -view: udm_events__about__mac { - dimension: udm_events__about__mac { - type: string - sql: ${TABLE} ;; - group_label: "about" - label: "about.mac" - view_label: "UDM" - description: "List of MAC addresses associated with a device." - } # dimension udm_events__about__mac -} # view udm_events__about__mac - -view: udm_events__about__nat_ip { - dimension: udm_events__about__nat_ip { - type: string - sql: ${TABLE} ;; - group_label: "about" - label: "about.nat_ip" - view_label: "UDM" - description: "A list of NAT translated IP addresses associated with a network connection." - } # dimension udm_events__about__nat_ip -} # view udm_events__about__nat_ip - -view: udm_events__about__resource__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "about" - label: "about.resource.attribute.labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "about" - label: "about.resource.attribute.labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view udm_events__about__resource__attribute__labels - -view: udm_events__about__resource__attribute__permissions { - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "about" - label: "about.resource.attribute.permissions.name" - view_label: "UDM" - description: "Name of the permission (e.g. chronicle.analyst.updateRule)." - } # dimension name - -} # view udm_events__about__resource__attribute__permissions - -view: udm_events__about__resource_ancestors__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "about" - label: "about.resource_ancestors.attribute.labels.key" - view_label: "UDM" - description: "The key." 
- } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "about" - label: "about.resource_ancestors.attribute.labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view udm_events__about__resource_ancestors__attribute__labels - -view: udm_events__about__resource_ancestors { - dimension: attribute { - hidden: yes - } # dimension attribute - - dimension_group: about__resource_ancestors__attribute__creation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "about" - label: "about.resource_ancestors.attribute.creation_time" - view_label: "UDM" - description: "Time the resource or entity was created or provisioned." - } # dimension about__resource_ancestors__attribute__creation_time - - dimension: attribute__labels { - hidden: yes - } # dimension attribute__labels - - dimension_group: about__resource_ancestors__attribute__last_update_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "about" - label: "about.resource_ancestors.attribute.last_update_time" - view_label: "UDM" - description: "Time the resource or entity was last updated." - } # dimension about__resource_ancestors__attribute__last_update_time - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "about" - label: "about.resource_ancestors.name" - view_label: "UDM" - description: "The full name of the resource. 
For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." - } # dimension name - - dimension: product_object_id { - type: string - sql: ${TABLE}.product_object_id ;; - group_label: "about" - label: "about.resource_ancestors.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" - } # dimension product_object_id - -} # view udm_events__about__resource_ancestors - -view: udm_events__about__user__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "about" - label: "about.user.attribute.labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "about" - label: "about.user.attribute.labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view udm_events__about__user__attribute__labels - -view: udm_events__about__user__attribute__permissions { - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "about" - label: "about.user.attribute.permissions.name" - view_label: "UDM" - description: "Name of the permission (e.g. chronicle.analyst.updateRule)." - } # dimension name - -} # view udm_events__about__user__attribute__permissions - -view: udm_events__about__user__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "about" - label: "about.user.attribute.roles.description" - view_label: "UDM" - description: "System role description for user." - } # dimension description - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "about" - label: "about.user.attribute.roles.name" - view_label: "UDM" - description: "System role name for user." 
- } # dimension name - -} # view udm_events__about__user__attribute__roles - -view: udm_events__about__user__department { - dimension: udm_events__about__user__department { - type: string - sql: ${TABLE} ;; - group_label: "about" - label: "about.user.department" - view_label: "UDM" - description: "User job department" - } # dimension udm_events__about__user__department -} # view udm_events__about__user__department - -view: udm_events__about__user__email_addresses { - dimension: udm_events__about__user__email_addresses { - type: string - sql: ${TABLE} ;; - group_label: "about" - label: "about.user.email_addresses" - view_label: "UDM" - description: "Email addresses of the user." - } # dimension udm_events__about__user__email_addresses -} # view udm_events__about__user__email_addresses - -view: udm_events__about__user__group_identifiers { - dimension: udm_events__about__user__group_identifiers { - type: string - sql: ${TABLE} ;; - group_label: "about" - label: "about.user.group_identifiers" - view_label: "UDM" - description: "Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar)." - } # dimension udm_events__about__user__group_identifiers -} # view udm_events__about__user__group_identifiers - -view: udm_events__about { - dimension: administrative_domain { - type: string - sql: ${TABLE}.administrative_domain ;; - group_label: "about" - label: "about.administrative_domain" - view_label: "UDM" - description: "Domain which the device belongs to (for example, the Microsoft Windows domain)." - } # dimension administrative_domain - - dimension: application { - type: string - sql: ${TABLE}.application ;; - group_label: "about" - label: "about.application" - view_label: "UDM" - description: "The name of an application or service. Some SSO solutions only capture the name of a target application such as \"Atlassian\" or \"Chronicle\"." 
- } # dimension application - - dimension: artifact { - hidden: yes - } # dimension artifact - - dimension: artifact__prevalence { - hidden: yes - } # dimension artifact__prevalence - - dimension: artifact__prevalence__day_count { - type: number - sql: ${TABLE}.artifact.prevalence.day_count ;; - group_label: "about" - label: "about.artifact.prevalence.day_count" - view_label: "UDM" - description: "The number of days over which rolling_max is calculated." - } # dimension artifact__prevalence__day_count - - dimension: artifact__prevalence__day_max { - type: number - sql: ${TABLE}.artifact.prevalence.day_max ;; - group_label: "about" - label: "about.artifact.prevalence.day_max" - view_label: "UDM" - description: "The max prevalence score in a day interval window." - } # dimension artifact__prevalence__day_max - - dimension: asset { - hidden: yes - } # dimension asset - - dimension: asset__asset_id { - type: string - sql: ${TABLE}.asset.asset_id ;; - group_label: "about" - label: "about.asset.asset_id" - view_label: "UDM" - description: "The asset ID." - } # dimension asset__asset_id - - dimension: asset__attribute { - hidden: yes - } # dimension asset__attribute - - dimension: asset__attribute__labels { - hidden: yes - } # dimension asset__attribute__labels - - dimension: asset__attribute__permissions { - hidden: yes - } # dimension asset__attribute__permissions - - dimension: asset__category { - type: string - sql: ${TABLE}.asset.category ;; - group_label: "about" - label: "about.asset.category" - view_label: "UDM" - description: "The category of the asset (e.g. \"End User Asset\", \"Workstation\", \"Server\")." 
- } # dimension asset__category - - dimension_group: about__asset__first_discover_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.asset.first_discover_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.asset.first_discover_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "about" - label: "about.asset.first_discover_time" - view_label: "UDM" - description: "Time the asset was first discovered (by asset management/discoverability software)." - } # dimension about__asset__first_discover_time - - dimension: asset__hardware { - hidden: yes - } # dimension asset__hardware - - dimension: asset__hostname { - type: string - sql: ${TABLE}.asset.hostname ;; - group_label: "about" - label: "about.asset.hostname" - view_label: "UDM" - description: "Asset hostname or domain name field." - } # dimension asset__hostname - - dimension: asset__ip { - hidden: yes - } # dimension asset__ip - - dimension: asset__labels { - hidden: yes - } # dimension asset__labels - - dimension_group: about__asset__last_boot_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.asset.last_boot_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.asset.last_boot_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "about" - label: "about.asset.last_boot_time" - view_label: "UDM" - description: "Time the asset was last boot started." - } # dimension about__asset__last_boot_time - - dimension: asset__location { - hidden: yes - } # dimension asset__location - - dimension: asset__location__name { - type: string - sql: ${TABLE}.asset.location.name ;; - group_label: "about" - label: "about.asset.location.name" - view_label: "UDM" - description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." 
- } # dimension asset__location__name - - dimension: asset__product_object_id { - type: string - sql: ${TABLE}.asset.product_object_id ;; - group_label: "about" - label: "about.asset.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID or similar)." - } # dimension asset__product_object_id - - dimension: asset__vulnerabilities { - hidden: yes - } # dimension asset__vulnerabilities - - dimension: asset_id { - type: string - sql: ${TABLE}.asset_id ;; - group_label: "about" - label: "about.asset_id" - view_label: "UDM" - description: "The asset ID." - } # dimension asset_id - - dimension: cloud { - hidden: yes - } # dimension cloud - - dimension: cloud__vpc { - hidden: yes - } # dimension cloud__vpc - - dimension: cloud__vpc__id { - type: string - sql: ${TABLE}.cloud.vpc.id ;; - group_label: "about" - group_item_label: "about.cloud.vpc.id [D]" - label: "about.cloud.vpc.id" - view_label: "UDM" - description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" - } # dimension cloud__vpc__id - - dimension: domain { - hidden: yes - } # dimension domain - - dimension: domain__billing { - hidden: yes - } # dimension domain__billing - - dimension: domain__billing__title { - type: string - sql: ${TABLE}.domain.billing.title ;; - group_label: "about" - label: "about.domain.billing.title" - view_label: "UDM" - description: "User job title." - } # dimension domain__billing__title - - dimension: domain__name { - type: string - sql: ${TABLE}.domain.name ;; - group_label: "about" - label: "about.domain.name" - view_label: "UDM" - description: "The domain name." - } # dimension domain__name - - dimension: email { - type: string - sql: ${TABLE}.email ;; - group_label: "about" - label: "about.email" - view_label: "UDM" - description: "Email address. 
Only filled in for security_result.about" - } # dimension email - - dimension: file { - hidden: yes - } # dimension file - - dimension: file__capabilities_tags { - hidden: yes - } # dimension file__capabilities_tags - - dimension: file__full_path { - type: string - sql: ${TABLE}.file.full_path ;; - group_label: "about" - label: "about.file.full_path" - view_label: "UDM" - description: "The full path identifying the location of the file on the system." - } # dimension file__full_path - - dimension_group: about__file__last_modification_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.file.last_modification_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.file.last_modification_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "about" - label: "about.file.last_modification_time" - view_label: "UDM" - description: "Timestamp when the file was last updated." - } # dimension about__file__last_modification_time - - dimension: file__md5 { - type: string - sql: ${TABLE}.file.md5 ;; - group_label: "about" - label: "about.file.md5" - view_label: "UDM" - description: "The MD5 hash of the file." - } # dimension file__md5 - - dimension: file__mime_type { - type: string - sql: ${TABLE}.file.mime_type ;; - group_label: "about" - label: "about.file.mime_type" - view_label: "UDM" - description: "The MIME (Multipurpose Internet Mail Extensions) type of the file, for example \"PE\", \"PDF\", \"powershell script\", etc." - } # dimension file__mime_type - - dimension: file__names { - hidden: yes - } # dimension file__names - - dimension: file__sha1 { - type: string - sql: ${TABLE}.file.sha1 ;; - group_label: "about" - label: "about.file.sha1" - view_label: "UDM" - description: "The SHA1 hash of the file." 
- } # dimension file__sha1 - - dimension: file__sha256 { - type: string - sql: ${TABLE}.file.sha256 ;; - group_label: "about" - label: "about.file.sha256" - view_label: "UDM" - description: "The SHA256 hash of the file." - } # dimension file__sha256 - - dimension: file__size { - type: number - sql: ${TABLE}.file.size ;; - group_label: "about" - label: "about.file.size" - view_label: "UDM" - description: "The size of the file in bytes." - } # dimension file__size - - dimension: group { - hidden: yes - } # dimension group - - dimension: group__group_display_name { - type: string - sql: ${TABLE}.group.group_display_name ;; - group_label: "about" - label: "about.group.group_display_name" - view_label: "UDM" - description: "Group display name. e.g. \"Finance\"." - } # dimension group__group_display_name - - dimension: group__product_object_id { - type: string - sql: ${TABLE}.group.product_object_id ;; - group_label: "about" - label: "about.group.product_object_id" - view_label: "UDM" - description: "Product globally unique user object identifier, such as an LDAP Object Identifier." - } # dimension group__product_object_id - - dimension: hostname { - type: string - sql: ${TABLE}.hostname ;; - group_label: "about" - label: "about.hostname" - view_label: "UDM" - description: "Client hostname or domain name field. Hostname also doubles as the domain for remote entities." - } # dimension hostname - - dimension: investigation { - hidden: yes - } # dimension investigation - - dimension: investigation__comments { - hidden: yes - } # dimension investigation__comments - - dimension: investigation__root_cause { - type: string - sql: ${TABLE}.investigation.root_cause ;; - group_label: "about" - label: "about.investigation.root_cause" - view_label: "UDM" - description: "Root cause of the Alert or Finding set by analyst." 
- } # dimension investigation__root_cause - - dimension: ip { - hidden: yes - } # dimension ip - - dimension: ip_location { - hidden: yes - } # dimension ip_location - - dimension: labels { - hidden: yes - } # dimension labels - - dimension: location { - hidden: yes - } # dimension location - - dimension: location__city { - type: string - sql: ${TABLE}.location.city ;; - group_label: "about" - label: "about.location.city" - view_label: "UDM" - description: "The city." - } # dimension location__city - - dimension: location__country_or_region { - type: string - sql: ${TABLE}.location.country_or_region ;; - group_label: "about" - label: "about.location.country_or_region" - view_label: "UDM" - description: "The country or region." - } # dimension location__country_or_region - - dimension: location__state { - type: string - sql: ${TABLE}.location.state ;; - group_label: "about" - label: "about.location.state" - view_label: "UDM" - description: "The state." - } # dimension location__state - - dimension: mac { - hidden: yes - } # dimension mac - - dimension: namespace { - type: string - sql: ${TABLE}.namespace ;; - group_label: "about" - label: "about.namespace" - view_label: "UDM" - description: "Namespace which the device belongs to (e.g. AD forest) Uses for this field include Microsoft Windows AD forest, name of subsidiary or acquisition, etc." - } # dimension namespace - - dimension: nat_ip { - hidden: yes - } # dimension nat_ip - - dimension: platform_patch_level { - type: string - sql: ${TABLE}.platform_patch_level ;; - group_label: "about" - label: "about.platform_patch_level" - view_label: "UDM" - description: "Platform patch level. For example, \"Build 17134.48\"" - } # dimension platform_patch_level - - dimension: platform_version { - type: string - sql: ${TABLE}.platform_version ;; - group_label: "about" - label: "about.platform_version" - view_label: "UDM" - description: "Platform version. For example, \"Microsoft Windows 1803\"." 
- } # dimension platform_version - - dimension: port { - type: number - value_format: "#" - sql: ${TABLE}.port ;; - group_label: "about" - label: "about.port" - view_label: "UDM" - description: "Source or destination network port number when a specific network connection is described within an event." - } # dimension port - - dimension: process { - hidden: yes - } # dimension process - - dimension: process__access_mask { - type: number - sql: ${TABLE}.process.access_mask ;; - group_label: "about" - label: "about.process.access_mask" - view_label: "UDM" - description: "A bit mask representing the level of access." - } # dimension process__access_mask - - dimension: process__command_line { - type: string - sql: ${TABLE}.process.command_line ;; - group_label: "about" - label: "about.process.command_line" - view_label: "UDM" - description: "The command line command that created the process." - } # dimension process__command_line - - dimension: process__file { - hidden: yes - } # dimension process__file - - dimension: process__file__full_path { - type: string - sql: ${TABLE}.process.file.full_path ;; - group_label: "about" - label: "about.process.file.full_path" - view_label: "UDM" - description: "The full path identifying the location of the file on the system." - } # dimension process__file__full_path - - dimension: process__parent_pid { - type: string - sql: ${TABLE}.process.parent_pid ;; - group_label: "about" - group_item_label: "about.process.parent_pid [D]" - label: "about.process.parent_pid" - view_label: "UDM" - description: "The ID of the parent process. Deprecated: use parent_process.pid instead. [D]: This field is deprecated and will be removed in a future release" - } # dimension process__parent_pid - - dimension: process__pid { - type: string - sql: ${TABLE}.process.pid ;; - group_label: "about" - label: "about.process.pid" - view_label: "UDM" - description: "The process ID." 
- } # dimension process__pid - - dimension: registry { - hidden: yes - } # dimension registry - - dimension: registry__registry_key { - type: string - sql: ${TABLE}.registry.registry_key ;; - group_label: "about" - label: "about.registry.registry_key" - view_label: "UDM" - description: "Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...)." - } # dimension registry__registry_key - - dimension: resource { - hidden: yes - } # dimension resource - - dimension: resource__attribute { - hidden: yes - } # dimension resource__attribute - - dimension: resource__attribute__cloud { - hidden: yes - } # dimension resource__attribute__cloud - - dimension: resource__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.resource.attribute.cloud.availability_zone ;; - group_label: "about" - label: "about.resource.attribute.cloud.availability_zone" - view_label: "UDM" - description: "The cloud environment availability zone (different from region which is location.name)." - } # dimension resource__attribute__cloud__availability_zone - - dimension_group: about__resource__attribute__creation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.resource.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.resource.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "about" - label: "about.resource.attribute.creation_time" - view_label: "UDM" - description: "Time the resource or entity was created or provisioned." 
- } # dimension about__resource__attribute__creation_time - - dimension: resource__attribute__labels { - hidden: yes - } # dimension resource__attribute__labels - - dimension_group: about__resource__attribute__last_update_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.resource.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.resource.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "about" - label: "about.resource.attribute.last_update_time" - view_label: "UDM" - description: "Time the resource or entity was last updated." - } # dimension about__resource__attribute__last_update_time - - dimension: resource__attribute__permissions { - hidden: yes - } # dimension resource__attribute__permissions - - dimension: resource__id { - type: string - sql: ${TABLE}.resource.id ;; - group_label: "about" - group_item_label: "about.resource.id [D]" - label: "about.resource.id" - view_label: "UDM" - description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" - } # dimension resource__id - - dimension: resource__name { - type: string - sql: ${TABLE}.resource.name ;; - group_label: "about" - label: "about.resource.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." - } # dimension resource__name - - dimension: resource__parent { - type: string - sql: ${TABLE}.resource.parent ;; - group_label: "about" - group_item_label: "about.resource.parent [D]" - label: "about.resource.parent" - view_label: "UDM" - description: "The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: use resource_ancestors.name. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension resource__parent - - dimension: resource__product_object_id { - type: string - sql: ${TABLE}.resource.product_object_id ;; - group_label: "about" - label: "about.resource.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" - } # dimension resource__product_object_id - - dimension: resource__resource_subtype { - type: string - sql: ${TABLE}.resource.resource_subtype ;; - group_label: "about" - label: "about.resource.resource_subtype" - view_label: "UDM" - description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\")." - } # dimension resource__resource_subtype - - dimension: resource__resource_type { - type: number - sql: ${TABLE}.resource.resource_type ;; - group_label: "about" - label: "about.resource.resource_type" - view_label: "UDM" - description: "Resource type." - } # dimension resource__resource_type - - dimension: resource__resource_type_enum_name { - type: string - suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] - sql: CASE ${TABLE}.resource.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; - group_label: 
"about" - label: "about.resource.resource_type_enum_name" - view_label: "UDM" - description: "Resource type." - } # dimension resource__resource_type_enum_name - - dimension: resource__type { - type: string - sql: ${TABLE}.resource.type ;; - group_label: "about" - group_item_label: "about.resource.type [D]" - label: "about.resource.type" - view_label: "UDM" - description: "Deprecated: use resource_type instead. [D]: This field is deprecated and will be removed in a future release" - } # dimension resource__type - - dimension: resource_ancestors { - hidden: yes - } # dimension resource_ancestors - - dimension: url { - type: string - sql: ${TABLE}.url ;; - group_label: "about" - label: "about.url" - view_label: "UDM" - description: "The URL." - } # dimension url - - dimension: user { - hidden: yes - } # dimension user - - dimension: user__attribute { - hidden: yes - } # dimension user__attribute - - dimension: user__attribute__labels { - hidden: yes - } # dimension user__attribute__labels - - dimension: user__attribute__permissions { - hidden: yes - } # dimension user__attribute__permissions - - dimension: user__attribute__roles { - hidden: yes - } # dimension user__attribute__roles - - dimension: user__department { - hidden: yes - } # dimension user__department - - dimension: user__email_addresses { - hidden: yes - } # dimension user__email_addresses - - dimension: user__group_identifiers { - hidden: yes - } # dimension user__group_identifiers - - dimension: user__groupid { - type: string - sql: ${TABLE}.user.groupid ;; - group_label: "about" - group_item_label: "about.user.groupid [D]" - label: "about.user.groupid" - view_label: "UDM" - description: "The ID of the group that the user belongs to. Deprecated in favor of the repeated group_identifiers field. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension user__groupid - - dimension: user__product_object_id { - type: string - sql: ${TABLE}.user.product_object_id ;; - group_label: "about" - label: "about.user.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." - } # dimension user__product_object_id - - dimension: user__role_description { - type: string - sql: ${TABLE}.user.role_description ;; - group_label: "about" - group_item_label: "about.user.role_description [D]" - label: "about.user.role_description" - view_label: "UDM" - description: "System role description for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" - } # dimension user__role_description - - dimension: user__role_name { - type: string - sql: ${TABLE}.user.role_name ;; - group_label: "about" - group_item_label: "about.user.role_name [D]" - label: "about.user.role_name" - view_label: "UDM" - description: "System role name for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" - } # dimension user__role_name - - dimension: user__user_authentication_status { - type: number - sql: ${TABLE}.user.user_authentication_status ;; - group_label: "about" - label: "about.user.user_authentication_status" - view_label: "UDM" - description: "System authentication status for user." 
- } # dimension user__user_authentication_status - - dimension: user__user_authentication_status_enum_name { - type: string - suggestions: ["ACTIVE", "DELETED", "NO_ACTIVE_CREDENTIALS", "SUSPENDED", "UNKNOWN_AUTHENTICATION_STATUS"] - sql: CASE ${TABLE}.user.user_authentication_status WHEN 0 THEN 'UNKNOWN_AUTHENTICATION_STATUS' WHEN 1 THEN 'ACTIVE' WHEN 2 THEN 'SUSPENDED' WHEN 3 THEN 'NO_ACTIVE_CREDENTIALS' WHEN 4 THEN 'DELETED' END ;; - group_label: "about" - label: "about.user.user_authentication_status_enum_name" - view_label: "UDM" - description: "System authentication status for user." - } # dimension user__user_authentication_status_enum_name - - dimension: user__user_display_name { - type: string - sql: ${TABLE}.user.user_display_name ;; - group_label: "about" - label: "about.user.user_display_name" - view_label: "UDM" - description: "The display name of the user (e.g. \"John Locke\")." - } # dimension user__user_display_name - - dimension: user__userid { - type: string - sql: ${TABLE}.user.userid ;; - group_label: "about" - label: "about.user.userid" - view_label: "UDM" - description: "The ID of the user." - } # dimension user__userid - - dimension: user__windows_sid { - type: string - sql: ${TABLE}.user.windows_sid ;; - group_label: "about" - label: "about.user.windows_sid" - view_label: "UDM" - description: "The Microsoft Windows SID of the user." 
- } # dimension user__windows_sid - -} # view udm_events__about - -view: udm_events__additional__fields__value__list_value__values__struct_value__fields { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "additional" - label: "additional.fields.value.list_value.values.struct_value.fields.key" - view_label: "UDM" - } # dimension key - -} # view udm_events__additional__fields__value__list_value__values__struct_value__fields - -view: udm_events__additional__fields__value__list_value__values { - dimension: string_value { - type: string - sql: ${TABLE}.string_value ;; - group_label: "additional" - label: "additional.fields.value.list_value.values.string_value" - view_label: "UDM" - } # dimension string_value - - dimension: struct_value { - hidden: yes - } # dimension struct_value - - dimension: struct_value__fields { - hidden: yes - } # dimension struct_value__fields - -} # view udm_events__additional__fields__value__list_value__values - -view: udm_events__additional__fields__value__struct_value__fields { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "additional" - label: "additional.fields.value.struct_value.fields.key" - view_label: "UDM" - } # dimension key - -} # view udm_events__additional__fields__value__struct_value__fields - -view: udm_events__additional__fields { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "additional" - label: "additional.fields.key" - view_label: "UDM" - } # dimension key - - dimension: value { - hidden: yes - } # dimension value - - dimension: value__bool_value { - type: yesno - sql: ${TABLE}.value.bool_value ;; - group_label: "additional" - label: "additional.fields.value.bool_value" - view_label: "UDM" - } # dimension value__bool_value - - dimension: value__list_value { - hidden: yes - } # dimension value__list_value - - dimension: value__list_value__values { - hidden: yes - } # dimension value__list_value__values - - dimension: value__null_value { - type: number 
- sql: ${TABLE}.value.null_value ;; - group_label: "additional" - label: "additional.fields.value.null_value" - view_label: "UDM" - } # dimension value__null_value - - dimension: value__null_value_enum_name { - type: string - suggestions: ["NULL_VALUE"] - sql: CASE ${TABLE}.value.null_value WHEN 0 THEN 'NULL_VALUE' END ;; - group_label: "additional" - label: "additional.fields.value.null_value_enum_name" - view_label: "UDM" - } # dimension value__null_value_enum_name - - dimension: value__number_value { - type: number - sql: ${TABLE}.value.number_value ;; - group_label: "additional" - label: "additional.fields.value.number_value" - view_label: "UDM" - } # dimension value__number_value - - dimension: value__string_value { - type: string - sql: ${TABLE}.value.string_value ;; - group_label: "additional" - label: "additional.fields.value.string_value" - view_label: "UDM" - } # dimension value__string_value - - dimension: value__struct_value { - hidden: yes - } # dimension value__struct_value - - dimension: value__struct_value__fields { - hidden: yes - } # dimension value__struct_value__fields - -} # view udm_events__additional__fields - -view: udm_events__extensions__auth__mechanism { - dimension: udm_events__extensions__auth__mechanism { - type: number - sql: ${TABLE} ;; - group_label: "extensions" - label: "extensions.auth.mechanism" - view_label: "UDM" - description: "The authentication mechanism." 
- } # dimension udm_events__extensions__auth__mechanism -} # view udm_events__extensions__auth__mechanism - -view: udm_events__extensions__auth__mechanism_enum_name { - dimension: udm_events__extensions__auth__mechanism_enum_name { - type: string - suggestions: ["BADGE_READER", "BATCH", "CACHED_INTERACTIVE", "CACHED_REMOTE_INTERACTIVE", "CACHED_UNLOCK", "HARDWARE_KEY", "INTERACTIVE", "LOCAL", "MECHANISM_OTHER", "MECHANISM_UNSPECIFIED", "NETWORK", "NETWORK_CLEAR_TEXT", "NEW_CREDENTIALS", "OTP", "REMOTE", "REMOTE_INTERACTIVE", "SERVICE", "UNLOCK", "USERNAME_PASSWORD"] - sql: CASE ${TABLE} WHEN 0 THEN 'MECHANISM_UNSPECIFIED' WHEN 1 THEN 'USERNAME_PASSWORD' WHEN 2 THEN 'OTP' WHEN 3 THEN 'HARDWARE_KEY' WHEN 4 THEN 'LOCAL' WHEN 5 THEN 'REMOTE' WHEN 6 THEN 'REMOTE_INTERACTIVE' WHEN 7 THEN 'MECHANISM_OTHER' WHEN 8 THEN 'BADGE_READER' WHEN 9 THEN 'NETWORK' WHEN 10 THEN 'BATCH' WHEN 11 THEN 'SERVICE' WHEN 12 THEN 'UNLOCK' WHEN 13 THEN 'NETWORK_CLEAR_TEXT' WHEN 14 THEN 'NEW_CREDENTIALS' WHEN 15 THEN 'INTERACTIVE' WHEN 16 THEN 'CACHED_INTERACTIVE' WHEN 17 THEN 'CACHED_REMOTE_INTERACTIVE' WHEN 18 THEN 'CACHED_UNLOCK' END ;; - group_label: "extensions" - label: "extensions.auth.mechanism_enum_name" - view_label: "UDM" - description: "The authentication mechanism." - } # dimension udm_events__extensions__auth__mechanism_enum_name -} # view udm_events__extensions__auth__mechanism_enum_name - -view: udm_events__extensions__vulns__vulnerabilities__about__asset__ip { - dimension: udm_events__extensions__vulns__vulnerabilities__about__asset__ip { - type: string - sql: ${TABLE} ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.about.asset.ip" - view_label: "UDM" - description: "A list of IP addresses associated with an asset." 
- } # dimension udm_events__extensions__vulns__vulnerabilities__about__asset__ip -} # view udm_events__extensions__vulns__vulnerabilities__about__asset__ip - -view: udm_events__extensions__vulns__vulnerabilities__about__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "extensions" - group_item_label: "extensions.vulns.vulnerabilities.about.labels.key [D]" - label: "extensions.vulns.vulnerabilities.about.labels.key" - view_label: "UDM" - description: "The key. [D]: This field is deprecated and will be removed in a future release" - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "extensions" - group_item_label: "extensions.vulns.vulnerabilities.about.labels.value [D]" - label: "extensions.vulns.vulnerabilities.about.labels.value" - view_label: "UDM" - description: "The value. [D]: This field is deprecated and will be removed in a future release" - } # dimension value - -} # view udm_events__extensions__vulns__vulnerabilities__about__labels - -view: udm_events__extensions__vulns__vulnerabilities__about__resource__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.about.resource.attribute.labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.about.resource.attribute.labels.value" - view_label: "UDM" - description: "The value." 
- } # dimension value - -} # view udm_events__extensions__vulns__vulnerabilities__about__resource__attribute__labels - -view: udm_events__extensions__vulns__vulnerabilities { - dimension: about { - hidden: yes - } # dimension about - - dimension: about__asset { - hidden: yes - } # dimension about__asset - - dimension: about__asset__hostname { - type: string - sql: ${TABLE}.about.asset.hostname ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.about.asset.hostname" - view_label: "UDM" - description: "Asset hostname or domain name field." - } # dimension about__asset__hostname - - dimension: about__asset__ip { - hidden: yes - } # dimension about__asset__ip - - dimension: about__asset__platform_software { - hidden: yes - } # dimension about__asset__platform_software - - dimension: about__asset__platform_software__platform { - type: number - sql: ${TABLE}.about.asset.platform_software.platform ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.about.asset.platform_software.platform" - view_label: "UDM" - description: "The platform operating system." - } # dimension about__asset__platform_software__platform - - dimension: about__asset__platform_software__platform_enum_name { - type: string - suggestions: ["ANDROID", "AWS", "AZURE", "CHROME_OS", "GCP", "IOS", "LINUX", "MAC", "UNKNOWN_PLATFORM", "WINDOWS"] - sql: CASE ${TABLE}.about.asset.platform_software.platform WHEN 0 THEN 'UNKNOWN_PLATFORM' WHEN 1 THEN 'WINDOWS' WHEN 2 THEN 'MAC' WHEN 3 THEN 'LINUX' WHEN 4 THEN 'GCP' WHEN 5 THEN 'AWS' WHEN 6 THEN 'AZURE' WHEN 7 THEN 'IOS' WHEN 8 THEN 'ANDROID' WHEN 9 THEN 'CHROME_OS' END ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.about.asset.platform_software.platform_enum_name" - view_label: "UDM" - description: "The platform operating system." 
- } # dimension about__asset__platform_software__platform_enum_name - - dimension: about__asset__product_object_id { - type: string - sql: ${TABLE}.about.asset.product_object_id ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.about.asset.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID or similar)." - } # dimension about__asset__product_object_id - - dimension: about__cloud { - hidden: yes - } # dimension about__cloud - - dimension: about__cloud__availability_zone { - type: string - sql: ${TABLE}.about.cloud.availability_zone ;; - group_label: "extensions" - group_item_label: "extensions.vulns.vulnerabilities.about.cloud.availability_zone [D]" - label: "extensions.vulns.vulnerabilities.about.cloud.availability_zone" - view_label: "UDM" - description: "The cloud environment availability zone (different from region which is location.name). [D]: This field is deprecated and will be removed in a future release" - } # dimension about__cloud__availability_zone - - dimension: about__cloud__environment { - type: number - sql: ${TABLE}.about.cloud.environment ;; - group_label: "extensions" - group_item_label: "extensions.vulns.vulnerabilities.about.cloud.environment [D]" - label: "extensions.vulns.vulnerabilities.about.cloud.environment" - view_label: "UDM" - description: "The Cloud environment. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension about__cloud__environment - - dimension: about__cloud__environment_enum_name { - type: string - suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] - sql: CASE ${TABLE}.about.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; - group_label: "extensions" - group_item_label: "extensions.vulns.vulnerabilities.about.cloud.environment_enum_name [D]" - label: "extensions.vulns.vulnerabilities.about.cloud.environment_enum_name" - view_label: "UDM" - description: "The Cloud environment. [D]: This field is deprecated and will be removed in a future release" - } # dimension about__cloud__environment_enum_name - - dimension: about__cloud__project { - hidden: yes - } # dimension about__cloud__project - - dimension: about__cloud__project__name { - type: string - sql: ${TABLE}.about.cloud.project.name ;; - group_label: "extensions" - group_item_label: "extensions.vulns.vulnerabilities.about.cloud.project.name [D]" - label: "extensions.vulns.vulnerabilities.about.cloud.project.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension about__cloud__project__name - - dimension: about__group { - hidden: yes - } # dimension about__group - - dimension: about__group__attribute { - hidden: yes - } # dimension about__group__attribute - - dimension: about__group__attribute__cloud { - hidden: yes - } # dimension about__group__attribute__cloud - - dimension: about__group__attribute__cloud__project { - hidden: yes - } # dimension about__group__attribute__cloud__project - - dimension: about__group__attribute__cloud__project__name { - type: string - sql: ${TABLE}.about.group.attribute.cloud.project.name ;; - group_label: "extensions" - group_item_label: "extensions.vulns.vulnerabilities.about.group.attribute.cloud.project.name [D]" - label: "extensions.vulns.vulnerabilities.about.group.attribute.cloud.project.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" - } # dimension about__group__attribute__cloud__project__name - - dimension: about__hostname { - type: string - sql: ${TABLE}.about.hostname ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.about.hostname" - view_label: "UDM" - description: "Client hostname or domain name field. Hostname also doubles as the domain for remote entities." - } # dimension about__hostname - - dimension: about__labels { - hidden: yes - } # dimension about__labels - - dimension: about__namespace { - type: string - sql: ${TABLE}.about.namespace ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.about.namespace" - view_label: "UDM" - description: "Namespace which the device belongs to (e.g. AD forest) Uses for this field include Microsoft Windows AD forest, name of subsidiary or acquisition, etc." 
- } # dimension about__namespace - - dimension: about__platform { - type: number - sql: ${TABLE}.about.platform ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.about.platform" - view_label: "UDM" - description: "Platform." - } # dimension about__platform - - dimension: about__platform_enum_name { - type: string - suggestions: ["ANDROID", "AWS", "AZURE", "CHROME_OS", "GCP", "IOS", "LINUX", "MAC", "UNKNOWN_PLATFORM", "WINDOWS"] - sql: CASE ${TABLE}.about.platform WHEN 0 THEN 'UNKNOWN_PLATFORM' WHEN 1 THEN 'WINDOWS' WHEN 2 THEN 'MAC' WHEN 3 THEN 'LINUX' WHEN 4 THEN 'GCP' WHEN 5 THEN 'AWS' WHEN 6 THEN 'AZURE' WHEN 7 THEN 'IOS' WHEN 8 THEN 'ANDROID' WHEN 9 THEN 'CHROME_OS' END ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.about.platform_enum_name" - view_label: "UDM" - description: "Platform." - } # dimension about__platform_enum_name - - dimension: about__resource { - hidden: yes - } # dimension about__resource - - dimension: about__resource__attribute { - hidden: yes - } # dimension about__resource__attribute - - dimension: about__resource__attribute__labels { - hidden: yes - } # dimension about__resource__attribute__labels - - dimension: about__resource__product_object_id { - type: string - sql: ${TABLE}.about.resource.product_object_id ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.about.resource.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" - } # dimension about__resource__product_object_id - - dimension: cve_description { - type: string - sql: ${TABLE}.cve_description ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.cve_description" - view_label: "UDM" - description: "Common Vulnerabilities and Exposures Description. 
https://cve.mitre.org/about/faqs.html#what_is_cve_record" - } # dimension cve_description - - dimension: cve_id { - type: string - sql: ${TABLE}.cve_id ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.cve_id" - view_label: "UDM" - description: "Common Vulnerabilities and Exposures Id.https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures https://cve.mitre.org/about/faqs.html#what_is_cve_id" - } # dimension cve_id - - dimension: cvss_base_score { - type: number - sql: ${TABLE}.cvss_base_score ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.cvss_base_score" - view_label: "UDM" - description: "CVSS Base Score in the range of 0.0 to 10.0. Useful for sorting." - } # dimension cvss_base_score - - dimension: cvss_vector { - type: string - sql: ${TABLE}.cvss_vector ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.cvss_vector" - view_label: "UDM" - description: "Vector of CVSS properties (e.g. \"AV:L/AC:H/Au:N/C:N/I:P/A:C\") Can be linked to via: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=VALUE" - } # dimension cvss_vector - - dimension: cvss_version { - type: string - sql: ${TABLE}.cvss_version ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.cvss_version" - view_label: "UDM" - description: "Version of CVSS Vector/Score." - } # dimension cvss_version - - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.description" - view_label: "UDM" - description: "Description of the vulnerability." 
- } # dimension description - - dimension_group: extensions__vulns__vulnerabilities__first_found { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.first_found.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.first_found.nanos, 0) / 1000) as INT64)) ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.first_found" - view_label: "UDM" - description: "Products that maintain a history of vuln scans should populate first_found with the time that a scan first detected the vulnerability on this asset." - } # dimension extensions__vulns__vulnerabilities__first_found - - dimension_group: extensions__vulns__vulnerabilities__last_found { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.last_found.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.last_found.nanos, 0) / 1000) as INT64)) ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.last_found" - view_label: "UDM" - description: "Products that maintain a history of vuln scans should populate last_found with the time that a scan last detected the vulnerability on this asset." - } # dimension extensions__vulns__vulnerabilities__last_found - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.name" - view_label: "UDM" - description: "Name of the vulnerability (e.g. \"Unsupported OS Version detected\")." 
- } # dimension name - - dimension_group: extensions__vulns__vulnerabilities__scan_end_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.scan_end_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.scan_end_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.scan_end_time" - view_label: "UDM" - description: "If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan ended. This field can be left unset if the end time is not available or not applicable." - } # dimension extensions__vulns__vulnerabilities__scan_end_time - - dimension_group: extensions__vulns__vulnerabilities__scan_start_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.scan_start_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.scan_start_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.scan_start_time" - view_label: "UDM" - description: "If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan started. This field can be left unset if the start time is not available or not applicable." - } # dimension extensions__vulns__vulnerabilities__scan_start_time - - dimension: severity { - type: number - sql: ${TABLE}.severity ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.severity" - view_label: "UDM" - description: "The severity of the vulnerability." 
- } # dimension severity - - dimension: severity_enum_name { - type: string - suggestions: ["CRITICAL", "HIGH", "LOW", "MEDIUM", "UNKNOWN_SEVERITY"] - sql: CASE ${TABLE}.severity WHEN 0 THEN 'UNKNOWN_SEVERITY' WHEN 1 THEN 'LOW' WHEN 2 THEN 'MEDIUM' WHEN 3 THEN 'HIGH' WHEN 4 THEN 'CRITICAL' END ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.severity_enum_name" - view_label: "UDM" - description: "The severity of the vulnerability." - } # dimension severity_enum_name - - dimension: severity_details { - type: string - sql: ${TABLE}.severity_details ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.severity_details" - view_label: "UDM" - description: "Vendor-specific severity" - } # dimension severity_details - - dimension: vendor { - type: string - sql: ${TABLE}.vendor ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.vendor" - view_label: "UDM" - description: "Vendor of scan that discovered vulnerability." - } # dimension vendor - - dimension: vendor_knowledge_base_article_id { - type: string - sql: ${TABLE}.vendor_knowledge_base_article_id ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.vendor_knowledge_base_article_id" - view_label: "UDM" - description: "Vendor specific knowledge base article (e.g. \"KBXXXXXX\" from Microsoft). https://en.wikipedia.org/wiki/Microsoft_Knowledge_Base https://access.redhat.com/knowledgebase" - } # dimension vendor_knowledge_base_article_id - - dimension: vendor_vulnerability_id { - type: string - sql: ${TABLE}.vendor_vulnerability_id ;; - group_label: "extensions" - label: "extensions.vulns.vulnerabilities.vendor_vulnerability_id" - view_label: "UDM" - description: "Vendor specific vulnerability id (e.g. Microsoft security bulletin id)." 
- } # dimension vendor_vulnerability_id - -} # view udm_events__extensions__vulns__vulnerabilities - -view: udm_events__intermediary__asset__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "intermediary" - label: "intermediary.asset.attribute.labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "intermediary" - label: "intermediary.asset.attribute.labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view udm_events__intermediary__asset__attribute__labels - -view: udm_events__intermediary__asset__hardware { - dimension: model { - type: string - sql: ${TABLE}.model ;; - group_label: "intermediary" - label: "intermediary.asset.hardware.model" - view_label: "UDM" - description: "Hardware model." - } # dimension model - - dimension: serial_number { - type: string - sql: ${TABLE}.serial_number ;; - group_label: "intermediary" - label: "intermediary.asset.hardware.serial_number" - view_label: "UDM" - description: "Hardware serial number." - } # dimension serial_number - -} # view udm_events__intermediary__asset__hardware - -view: udm_events__intermediary__asset__ip { - dimension: udm_events__intermediary__asset__ip { - type: string - sql: ${TABLE} ;; - group_label: "intermediary" - label: "intermediary.asset.ip" - view_label: "UDM" - description: "A list of IP addresses associated with an asset." - } # dimension udm_events__intermediary__asset__ip -} # view udm_events__intermediary__asset__ip - -view: udm_events__intermediary__asset__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "intermediary" - group_item_label: "intermediary.asset.labels.key [D]" - label: "intermediary.asset.labels.key" - view_label: "UDM" - description: "The key. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "intermediary" - group_item_label: "intermediary.asset.labels.value [D]" - label: "intermediary.asset.labels.value" - view_label: "UDM" - description: "The value. [D]: This field is deprecated and will be removed in a future release" - } # dimension value - -} # view udm_events__intermediary__asset__labels - -view: udm_events__intermediary__asset__mac { - dimension: udm_events__intermediary__asset__mac { - type: string - sql: ${TABLE} ;; - group_label: "intermediary" - label: "intermediary.asset.mac" - view_label: "UDM" - description: "List of MAC addresses associated with an asset." - } # dimension udm_events__intermediary__asset__mac -} # view udm_events__intermediary__asset__mac - -view: udm_events__intermediary__asset__software { - dimension: version { - type: string - sql: ${TABLE}.version ;; - group_label: "intermediary" - label: "intermediary.asset.software.version" - view_label: "UDM" - description: "The version of the software." - } # dimension version - -} # view udm_events__intermediary__asset__software - -view: udm_events__intermediary__ip { - dimension: udm_events__intermediary__ip { - type: string - sql: ${TABLE} ;; - group_label: "intermediary" - label: "intermediary.ip" - view_label: "UDM" - description: "A list of IP addresses associated with a network connection." - } # dimension udm_events__intermediary__ip -} # view udm_events__intermediary__ip - -view: udm_events__intermediary__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "intermediary" - group_item_label: "intermediary.labels.key [D]" - label: "intermediary.labels.key" - view_label: "UDM" - description: "The key. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "intermediary" - group_item_label: "intermediary.labels.value [D]" - label: "intermediary.labels.value" - view_label: "UDM" - description: "The value. [D]: This field is deprecated and will be removed in a future release" - } # dimension value - -} # view udm_events__intermediary__labels - -view: udm_events__intermediary__mac { - dimension: udm_events__intermediary__mac { - type: string - sql: ${TABLE} ;; - group_label: "intermediary" - label: "intermediary.mac" - view_label: "UDM" - description: "List of MAC addresses associated with a device." - } # dimension udm_events__intermediary__mac -} # view udm_events__intermediary__mac - -view: udm_events__intermediary__nat_ip { - dimension: udm_events__intermediary__nat_ip { - type: string - sql: ${TABLE} ;; - group_label: "intermediary" - label: "intermediary.nat_ip" - view_label: "UDM" - description: "A list of NAT translated IP addresses associated with a network connection." - } # dimension udm_events__intermediary__nat_ip -} # view udm_events__intermediary__nat_ip - -view: udm_events__intermediary__process__file__names { - dimension: udm_events__intermediary__process__file__names { - type: string - sql: ${TABLE} ;; - group_label: "intermediary" - label: "intermediary.process.file.names" - view_label: "UDM" - description: "Names fields." - } # dimension udm_events__intermediary__process__file__names -} # view udm_events__intermediary__process__file__names - -view: udm_events__intermediary__resource__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "intermediary" - label: "intermediary.resource.attribute.labels.key" - view_label: "UDM" - description: "The key." 
- } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "intermediary" - label: "intermediary.resource.attribute.labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view udm_events__intermediary__resource__attribute__labels - -view: udm_events__intermediary__user__email_addresses { - dimension: udm_events__intermediary__user__email_addresses { - type: string - sql: ${TABLE} ;; - group_label: "intermediary" - label: "intermediary.user.email_addresses" - view_label: "UDM" - description: "Email addresses of the user." - } # dimension udm_events__intermediary__user__email_addresses -} # view udm_events__intermediary__user__email_addresses - -view: udm_events__intermediary__user__group_identifiers { - dimension: udm_events__intermediary__user__group_identifiers { - type: string - sql: ${TABLE} ;; - group_label: "intermediary" - label: "intermediary.user.group_identifiers" - view_label: "UDM" - description: "Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar)." - } # dimension udm_events__intermediary__user__group_identifiers -} # view udm_events__intermediary__user__group_identifiers - -view: udm_events__intermediary { - dimension: administrative_domain { - type: string - sql: ${TABLE}.administrative_domain ;; - group_label: "intermediary" - label: "intermediary.administrative_domain" - view_label: "UDM" - description: "Domain which the device belongs to (for example, the Microsoft Windows domain)." - } # dimension administrative_domain - - dimension: application { - type: string - sql: ${TABLE}.application ;; - group_label: "intermediary" - label: "intermediary.application" - view_label: "UDM" - description: "The name of an application or service. Some SSO solutions only capture the name of a target application such as \"Atlassian\" or \"Chronicle\"." 
- } # dimension application - - dimension: asset { - hidden: yes - } # dimension asset - - dimension: asset__asset_id { - type: string - sql: ${TABLE}.asset.asset_id ;; - group_label: "intermediary" - label: "intermediary.asset.asset_id" - view_label: "UDM" - description: "The asset ID." - } # dimension asset__asset_id - - dimension: asset__attribute { - hidden: yes - } # dimension asset__attribute - - dimension: asset__attribute__labels { - hidden: yes - } # dimension asset__attribute__labels - - dimension: asset__category { - type: string - sql: ${TABLE}.asset.category ;; - group_label: "intermediary" - label: "intermediary.asset.category" - view_label: "UDM" - description: "The category of the asset (e.g. \"End User Asset\", \"Workstation\", \"Server\")." - } # dimension asset__category - - dimension: asset__hardware { - hidden: yes - } # dimension asset__hardware - - dimension: asset__hostname { - type: string - sql: ${TABLE}.asset.hostname ;; - group_label: "intermediary" - label: "intermediary.asset.hostname" - view_label: "UDM" - description: "Asset hostname or domain name field." - } # dimension asset__hostname - - dimension: asset__ip { - hidden: yes - } # dimension asset__ip - - dimension: asset__labels { - hidden: yes - } # dimension asset__labels - - dimension: asset__location { - hidden: yes - } # dimension asset__location - - dimension: asset__location__country_or_region { - type: string - sql: ${TABLE}.asset.location.country_or_region ;; - group_label: "intermediary" - label: "intermediary.asset.location.country_or_region" - view_label: "UDM" - description: "The country or region." - } # dimension asset__location__country_or_region - - dimension: asset__mac { - hidden: yes - } # dimension asset__mac - - dimension: asset__network_domain { - type: string - sql: ${TABLE}.asset.network_domain ;; - group_label: "intermediary" - label: "intermediary.asset.network_domain" - view_label: "UDM" - description: "The network domain of the asset (e.g. 
\"corp.acme.com\")" - } # dimension asset__network_domain - - dimension: asset__platform_software { - hidden: yes - } # dimension asset__platform_software - - dimension: asset__platform_software__platform_version { - type: string - sql: ${TABLE}.asset.platform_software.platform_version ;; - group_label: "intermediary" - label: "intermediary.asset.platform_software.platform_version" - view_label: "UDM" - description: "The platform software version ( e.g. \"Microsoft Windows 1803\")." - } # dimension asset__platform_software__platform_version - - dimension: asset__product_object_id { - type: string - sql: ${TABLE}.asset.product_object_id ;; - group_label: "intermediary" - label: "intermediary.asset.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID or similar)." - } # dimension asset__product_object_id - - dimension: asset__software { - hidden: yes - } # dimension asset__software - - dimension: asset_id { - type: string - sql: ${TABLE}.asset_id ;; - group_label: "intermediary" - label: "intermediary.asset_id" - view_label: "UDM" - description: "The asset ID." - } # dimension asset_id - - dimension: cloud { - hidden: yes - } # dimension cloud - - dimension: cloud__environment { - type: number - sql: ${TABLE}.cloud.environment ;; - group_label: "intermediary" - group_item_label: "intermediary.cloud.environment [D]" - label: "intermediary.cloud.environment" - view_label: "UDM" - description: "The Cloud environment. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension cloud__environment - - dimension: cloud__environment_enum_name { - type: string - suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] - sql: CASE ${TABLE}.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; - group_label: "intermediary" - group_item_label: "intermediary.cloud.environment_enum_name [D]" - label: "intermediary.cloud.environment_enum_name" - view_label: "UDM" - description: "The Cloud environment. [D]: This field is deprecated and will be removed in a future release" - } # dimension cloud__environment_enum_name - - dimension: domain { - hidden: yes - } # dimension domain - - dimension: domain__name { - type: string - sql: ${TABLE}.domain.name ;; - group_label: "intermediary" - label: "intermediary.domain.name" - view_label: "UDM" - description: "The domain name." - } # dimension domain__name - - dimension: email { - type: string - sql: ${TABLE}.email ;; - group_label: "intermediary" - label: "intermediary.email" - view_label: "UDM" - description: "Email address. Only filled in for security_result.about" - } # dimension email - - dimension: file { - hidden: yes - } # dimension file - - dimension: file__full_path { - type: string - sql: ${TABLE}.file.full_path ;; - group_label: "intermediary" - label: "intermediary.file.full_path" - view_label: "UDM" - description: "The full path identifying the location of the file on the system." - } # dimension file__full_path - - dimension: file__md5 { - type: string - sql: ${TABLE}.file.md5 ;; - group_label: "intermediary" - label: "intermediary.file.md5" - view_label: "UDM" - description: "The MD5 hash of the file." 
- } # dimension file__md5 - - dimension: file__mime_type { - type: string - sql: ${TABLE}.file.mime_type ;; - group_label: "intermediary" - label: "intermediary.file.mime_type" - view_label: "UDM" - description: "The MIME (Multipurpose Internet Mail Extensions) type of the file, for example \"PE\", \"PDF\", \"powershell script\", etc." - } # dimension file__mime_type - - dimension: file__sha1 { - type: string - sql: ${TABLE}.file.sha1 ;; - group_label: "intermediary" - label: "intermediary.file.sha1" - view_label: "UDM" - description: "The SHA1 hash of the file." - } # dimension file__sha1 - - dimension: file__sha256 { - type: string - sql: ${TABLE}.file.sha256 ;; - group_label: "intermediary" - label: "intermediary.file.sha256" - view_label: "UDM" - description: "The SHA256 hash of the file." - } # dimension file__sha256 - - dimension: file__size { - type: number - sql: ${TABLE}.file.size ;; - group_label: "intermediary" - label: "intermediary.file.size" - view_label: "UDM" - description: "The size of the file in bytes." - } # dimension file__size - - dimension: group { - hidden: yes - } # dimension group - - dimension: group__group_display_name { - type: string - sql: ${TABLE}.group.group_display_name ;; - group_label: "intermediary" - label: "intermediary.group.group_display_name" - view_label: "UDM" - description: "Group display name. e.g. \"Finance\"." - } # dimension group__group_display_name - - dimension: group__product_object_id { - type: string - sql: ${TABLE}.group.product_object_id ;; - group_label: "intermediary" - label: "intermediary.group.product_object_id" - view_label: "UDM" - description: "Product globally unique user object identifier, such as an LDAP Object Identifier." - } # dimension group__product_object_id - - dimension: hostname { - type: string - sql: ${TABLE}.hostname ;; - group_label: "intermediary" - label: "intermediary.hostname" - view_label: "UDM" - description: "Client hostname or domain name field. 
Hostname also doubles as the domain for remote entities." - } # dimension hostname - - dimension: ip { - hidden: yes - } # dimension ip - - dimension: labels { - hidden: yes - } # dimension labels - - dimension: location { - hidden: yes - } # dimension location - - dimension: location__city { - type: string - sql: ${TABLE}.location.city ;; - group_label: "intermediary" - label: "intermediary.location.city" - view_label: "UDM" - description: "The city." - } # dimension location__city - - dimension: location__country_or_region { - type: string - sql: ${TABLE}.location.country_or_region ;; - group_label: "intermediary" - label: "intermediary.location.country_or_region" - view_label: "UDM" - description: "The country or region." - } # dimension location__country_or_region - - dimension: location__name { - type: string - sql: ${TABLE}.location.name ;; - group_label: "intermediary" - label: "intermediary.location.name" - view_label: "UDM" - description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." - } # dimension location__name - - dimension: location__region_latitude { - type: number - sql: ${TABLE}.location.region_latitude ;; - group_label: "intermediary" - group_item_label: "intermediary.location.region_latitude [D]" - label: "intermediary.location.region_latitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" - } # dimension location__region_latitude - - dimension: location__region_longitude { - type: number - sql: ${TABLE}.location.region_longitude ;; - group_label: "intermediary" - group_item_label: "intermediary.location.region_longitude [D]" - label: "intermediary.location.region_longitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension location__region_longitude - - dimension: location__location { - type: location - sql_latitude: ${TABLE}.location.region_latitude ;; - sql_longitude: ${TABLE}.location.region_longitude ;; - group_label: "intermediary" - group_item_label: "intermediary.location.location [D][L]" - label: "intermediary.location.location" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." - } # dimension location__location - - dimension: location__state { - type: string - sql: ${TABLE}.location.state ;; - group_label: "intermediary" - label: "intermediary.location.state" - view_label: "UDM" - description: "The state." - } # dimension location__state - - dimension: mac { - hidden: yes - } # dimension mac - - dimension: namespace { - type: string - sql: ${TABLE}.namespace ;; - group_label: "intermediary" - label: "intermediary.namespace" - view_label: "UDM" - description: "Namespace which the device belongs to (e.g. AD forest) Uses for this field include Microsoft Windows AD forest, name of subsidiary or acquisition, etc." - } # dimension namespace - - dimension: nat_ip { - hidden: yes - } # dimension nat_ip - - dimension: platform { - type: number - sql: ${TABLE}.platform ;; - group_label: "intermediary" - label: "intermediary.platform" - view_label: "UDM" - description: "Platform." 
- } # dimension platform - - dimension: platform_enum_name { - type: string - suggestions: ["ANDROID", "AWS", "AZURE", "CHROME_OS", "GCP", "IOS", "LINUX", "MAC", "UNKNOWN_PLATFORM", "WINDOWS"] - sql: CASE ${TABLE}.platform WHEN 0 THEN 'UNKNOWN_PLATFORM' WHEN 1 THEN 'WINDOWS' WHEN 2 THEN 'MAC' WHEN 3 THEN 'LINUX' WHEN 4 THEN 'GCP' WHEN 5 THEN 'AWS' WHEN 6 THEN 'AZURE' WHEN 7 THEN 'IOS' WHEN 8 THEN 'ANDROID' WHEN 9 THEN 'CHROME_OS' END ;; - group_label: "intermediary" - label: "intermediary.platform_enum_name" - view_label: "UDM" - description: "Platform." - } # dimension platform_enum_name - - dimension: platform_version { - type: string - sql: ${TABLE}.platform_version ;; - group_label: "intermediary" - label: "intermediary.platform_version" - view_label: "UDM" - description: "Platform version. For example, \"Microsoft Windows 1803\"." - } # dimension platform_version - - dimension: port { - type: number - value_format: "#" - sql: ${TABLE}.port ;; - group_label: "intermediary" - label: "intermediary.port" - view_label: "UDM" - description: "Source or destination network port number when a specific network connection is described within an event." - } # dimension port - - dimension: process { - hidden: yes - } # dimension process - - dimension: process__command_line { - type: string - sql: ${TABLE}.process.command_line ;; - group_label: "intermediary" - label: "intermediary.process.command_line" - view_label: "UDM" - description: "The command line command that created the process." - } # dimension process__command_line - - dimension: process__file { - hidden: yes - } # dimension process__file - - dimension: process__file__full_path { - type: string - sql: ${TABLE}.process.file.full_path ;; - group_label: "intermediary" - label: "intermediary.process.file.full_path" - view_label: "UDM" - description: "The full path identifying the location of the file on the system." 
- } # dimension process__file__full_path - - dimension: process__file__names { - hidden: yes - } # dimension process__file__names - - dimension: process__file__sha1 { - type: string - sql: ${TABLE}.process.file.sha1 ;; - group_label: "intermediary" - label: "intermediary.process.file.sha1" - view_label: "UDM" - description: "The SHA1 hash of the file." - } # dimension process__file__sha1 - - dimension: process__file__sha256 { - type: string - sql: ${TABLE}.process.file.sha256 ;; - group_label: "intermediary" - label: "intermediary.process.file.sha256" - view_label: "UDM" - description: "The SHA256 hash of the file." - } # dimension process__file__sha256 - - dimension: process__file__size { - type: number - sql: ${TABLE}.process.file.size ;; - group_label: "intermediary" - label: "intermediary.process.file.size" - view_label: "UDM" - description: "The size of the file in bytes." - } # dimension process__file__size - - dimension: process__parent_process { - hidden: yes - } # dimension process__parent_process - - dimension: process__parent_process__file { - hidden: yes - } # dimension process__parent_process__file - - dimension: process__parent_process__file__full_path { - type: string - sql: ${TABLE}.process.parent_process.file.full_path ;; - group_label: "intermediary" - label: "intermediary.process.parent_process.file.full_path" - view_label: "UDM" - description: "The full path identifying the location of the file on the system." - } # dimension process__parent_process__file__full_path - - dimension: process__parent_process__file__size { - type: number - sql: ${TABLE}.process.parent_process.file.size ;; - group_label: "intermediary" - label: "intermediary.process.parent_process.file.size" - view_label: "UDM" - description: "The size of the file in bytes." 
- } # dimension process__parent_process__file__size - - dimension: process__parent_process__pid { - type: string - sql: ${TABLE}.process.parent_process.pid ;; - group_label: "intermediary" - label: "intermediary.process.parent_process.pid" - view_label: "UDM" - description: "The process ID." - } # dimension process__parent_process__pid - - dimension: process__pid { - type: string - sql: ${TABLE}.process.pid ;; - group_label: "intermediary" - label: "intermediary.process.pid" - view_label: "UDM" - description: "The process ID." - } # dimension process__pid - - dimension: registry { - hidden: yes - } # dimension registry - - dimension: registry__registry_key { - type: string - sql: ${TABLE}.registry.registry_key ;; - group_label: "intermediary" - label: "intermediary.registry.registry_key" - view_label: "UDM" - description: "Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...)." - } # dimension registry__registry_key - - dimension: registry__registry_value_data { - type: string - sql: ${TABLE}.registry.registry_value_data ;; - group_label: "intermediary" - label: "intermediary.registry.registry_value_data" - view_label: "UDM" - description: "Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp)." - } # dimension registry__registry_value_data - - dimension: registry__registry_value_name { - type: string - sql: ${TABLE}.registry.registry_value_name ;; - group_label: "intermediary" - label: "intermediary.registry.registry_value_name" - view_label: "UDM" - description: "Name of the registry value associated with an application or system component (e.g. TEMP)." 
- } # dimension registry__registry_value_name - - dimension: resource { - hidden: yes - } # dimension resource - - dimension: resource__attribute { - hidden: yes - } # dimension resource__attribute - - dimension: resource__attribute__labels { - hidden: yes - } # dimension resource__attribute__labels - - dimension: resource__id { - type: string - sql: ${TABLE}.resource.id ;; - group_label: "intermediary" - group_item_label: "intermediary.resource.id [D]" - label: "intermediary.resource.id" - view_label: "UDM" - description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" - } # dimension resource__id - - dimension: resource__name { - type: string - sql: ${TABLE}.resource.name ;; - group_label: "intermediary" - label: "intermediary.resource.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." - } # dimension resource__name - - dimension: resource__parent { - type: string - sql: ${TABLE}.resource.parent ;; - group_label: "intermediary" - group_item_label: "intermediary.resource.parent [D]" - label: "intermediary.resource.parent" - view_label: "UDM" - description: "The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: use resource_ancestors.name. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension resource__parent - - dimension: resource__product_object_id { - type: string - sql: ${TABLE}.resource.product_object_id ;; - group_label: "intermediary" - label: "intermediary.resource.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" - } # dimension resource__product_object_id - - dimension: resource__resource_subtype { - type: string - sql: ${TABLE}.resource.resource_subtype ;; - group_label: "intermediary" - label: "intermediary.resource.resource_subtype" - view_label: "UDM" - description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\")." - } # dimension resource__resource_subtype - - dimension: resource__resource_type { - type: number - sql: ${TABLE}.resource.resource_type ;; - group_label: "intermediary" - label: "intermediary.resource.resource_type" - view_label: "UDM" - description: "Resource type." 
- } # dimension resource__resource_type - - dimension: resource__resource_type_enum_name { - type: string - suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] - sql: CASE ${TABLE}.resource.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; - group_label: "intermediary" - label: "intermediary.resource.resource_type_enum_name" - view_label: "UDM" - description: "Resource type." - } # dimension resource__resource_type_enum_name - - dimension: resource__type { - type: string - sql: ${TABLE}.resource.type ;; - group_label: "intermediary" - group_item_label: "intermediary.resource.type [D]" - label: "intermediary.resource.type" - view_label: "UDM" - description: "Deprecated: use resource_type instead. [D]: This field is deprecated and will be removed in a future release" - } # dimension resource__type - - dimension: url { - type: string - sql: ${TABLE}.url ;; - group_label: "intermediary" - label: "intermediary.url" - view_label: "UDM" - description: "The URL." 
- } # dimension url - - dimension: user { - hidden: yes - } # dimension user - - dimension: user__email_addresses { - hidden: yes - } # dimension user__email_addresses - - dimension: user__group_identifiers { - hidden: yes - } # dimension user__group_identifiers - - dimension: user__product_object_id { - type: string - sql: ${TABLE}.user.product_object_id ;; - group_label: "intermediary" - label: "intermediary.user.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." - } # dimension user__product_object_id - - dimension: user__user_display_name { - type: string - sql: ${TABLE}.user.user_display_name ;; - group_label: "intermediary" - label: "intermediary.user.user_display_name" - view_label: "UDM" - description: "The display name of the user (e.g. \"John Locke\")." - } # dimension user__user_display_name - - dimension: user__userid { - type: string - sql: ${TABLE}.user.userid ;; - group_label: "intermediary" - label: "intermediary.user.userid" - view_label: "UDM" - description: "The ID of the user." - } # dimension user__userid - - dimension: user__windows_sid { - type: string - sql: ${TABLE}.user.windows_sid ;; - group_label: "intermediary" - label: "intermediary.user.windows_sid" - view_label: "UDM" - description: "The Microsoft Windows SID of the user." - } # dimension user__windows_sid - -} # view udm_events__intermediary - -view: udm_events__metadata__base_labels__log_types { - dimension: udm_events__metadata__base_labels__log_types { - type: string - sql: ${TABLE} ;; - group_label: "metadata" - label: "metadata.base_labels.log_types" - view_label: "UDM" - description: "All the LogType labels. We use string to log types to avoid moving LogType proto, which contains customer info, to external." 
- } # dimension udm_events__metadata__base_labels__log_types -} # view udm_events__metadata__base_labels__log_types - -view: udm_events__metadata__base_labels__namespaces { - dimension: udm_events__metadata__base_labels__namespaces { - type: string - sql: ${TABLE} ;; - group_label: "metadata" - label: "metadata.base_labels.namespaces" - view_label: "UDM" - description: "All the namespaces." - } # dimension udm_events__metadata__base_labels__namespaces -} # view udm_events__metadata__base_labels__namespaces - -view: udm_events__metadata__ingestion_labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "metadata" - label: "metadata.ingestion_labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: source { - type: string - sql: ${TABLE}.source ;; - group_label: "metadata" - label: "metadata.ingestion_labels.source" - view_label: "UDM" - description: "@hide_from_doc" - } # dimension source - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "metadata" - label: "metadata.ingestion_labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view udm_events__metadata__ingestion_labels - -view: udm_events__metadata__tags__data_tap_config_name { - dimension: udm_events__metadata__tags__data_tap_config_name { - type: string - sql: ${TABLE} ;; - group_label: "metadata" - label: "metadata.tags.data_tap_config_name" - view_label: "UDM" - description: "A list of sink name values defined in DataTap configurations." - } # dimension udm_events__metadata__tags__data_tap_config_name -} # view udm_events__metadata__tags__data_tap_config_name - -view: udm_events__metadata__tags__tenant_id { - dimension: udm_events__metadata__tags__tenant_id { - type: string - sql: ${TABLE} ;; - group_label: "metadata" - label: "metadata.tags.tenant_id" - view_label: "UDM" - description: "A list of subtenant ids that this event belongs to." 
- } # dimension udm_events__metadata__tags__tenant_id -} # view udm_events__metadata__tags__tenant_id - -view: udm_events__network__dhcp__options { - dimension: code { - type: number - sql: ${TABLE}.code ;; - group_label: "network" - label: "network.dhcp.options.code" - view_label: "UDM" - description: "Code. See RFC1533." - } # dimension code - -} # view udm_events__network__dhcp__options - -view: udm_events__network__dns__additional { - dimension: class { - type: number - sql: ${TABLE}.class ;; - group_label: "network" - label: "network.dns.additional.class" - view_label: "UDM" - description: "The code specifying the class of the resource record." - } # dimension class - - dimension: data { - type: string - sql: ${TABLE}.data ;; - group_label: "network" - label: "network.dns.additional.data" - view_label: "UDM" - description: "The payload or response to the DNS question for all responses encoded in UTF-8 format" - } # dimension data - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "network" - label: "network.dns.additional.name" - view_label: "UDM" - description: "The name of the owner of the resource record." - } # dimension name - - dimension: ttl { - type: number - sql: ${TABLE}.ttl ;; - group_label: "network" - label: "network.dns.additional.ttl" - view_label: "UDM" - description: "The time interval for which the resource record can be cached before the source of the information should again be queried." - } # dimension ttl - - dimension: type { - type: number - sql: ${TABLE}.type ;; - group_label: "network" - label: "network.dns.additional.type" - view_label: "UDM" - description: "The code specifying the type of the resource record." 
- } # dimension type - -} # view udm_events__network__dns__additional - -view: udm_events__network__dns__answers { - dimension: binary_data { - type: string - sql: ${TABLE}.binary_data ;; - group_label: "network" - label: "network.dns.answers.binary_data" - view_label: "UDM" - description: "The raw bytes of any non-UTF8 strings that might be included as part of a DNS response." - } # dimension binary_data - - dimension: class { - type: number - sql: ${TABLE}.class ;; - group_label: "network" - label: "network.dns.answers.class" - view_label: "UDM" - description: "The code specifying the class of the resource record." - } # dimension class - - dimension: data { - type: string - sql: ${TABLE}.data ;; - group_label: "network" - label: "network.dns.answers.data" - view_label: "UDM" - description: "The payload or response to the DNS question for all responses encoded in UTF-8 format" - } # dimension data - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "network" - label: "network.dns.answers.name" - view_label: "UDM" - description: "The name of the owner of the resource record." - } # dimension name - - dimension: ttl { - type: number - sql: ${TABLE}.ttl ;; - group_label: "network" - label: "network.dns.answers.ttl" - view_label: "UDM" - description: "The time interval for which the resource record can be cached before the source of the information should again be queried." - } # dimension ttl - - dimension: type { - type: number - sql: ${TABLE}.type ;; - group_label: "network" - label: "network.dns.answers.type" - view_label: "UDM" - description: "The code specifying the type of the resource record." - } # dimension type - -} # view udm_events__network__dns__answers - -view: udm_events__network__dns__authority { - dimension: class { - type: number - sql: ${TABLE}.class ;; - group_label: "network" - label: "network.dns.authority.class" - view_label: "UDM" - description: "The code specifying the class of the resource record." 
- } # dimension class - - dimension: data { - type: string - sql: ${TABLE}.data ;; - group_label: "network" - label: "network.dns.authority.data" - view_label: "UDM" - description: "The payload or response to the DNS question for all responses encoded in UTF-8 format" - } # dimension data - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "network" - label: "network.dns.authority.name" - view_label: "UDM" - description: "The name of the owner of the resource record." - } # dimension name - - dimension: ttl { - type: number - sql: ${TABLE}.ttl ;; - group_label: "network" - label: "network.dns.authority.ttl" - view_label: "UDM" - description: "The time interval for which the resource record can be cached before the source of the information should again be queried." - } # dimension ttl - - dimension: type { - type: number - sql: ${TABLE}.type ;; - group_label: "network" - label: "network.dns.authority.type" - view_label: "UDM" - description: "The code specifying the type of the resource record." - } # dimension type - -} # view udm_events__network__dns__authority - -view: udm_events__network__dns__questions { - dimension: class { - type: number - sql: ${TABLE}.class ;; - group_label: "network" - label: "network.dns.questions.class" - view_label: "UDM" - description: "The code specifying the class of the query." - } # dimension class - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "network" - label: "network.dns.questions.name" - view_label: "UDM" - description: "The domain name." - } # dimension name - - dimension: prevalence { - hidden: yes - } # dimension prevalence - - dimension: prevalence__day_count { - type: number - sql: ${TABLE}.prevalence.day_count ;; - group_label: "network" - label: "network.dns.questions.prevalence.day_count" - view_label: "UDM" - description: "The number of days over which rolling_max is calculated." 
- } # dimension prevalence__day_count - - dimension: prevalence__rolling_max { - type: number - sql: ${TABLE}.prevalence.rolling_max ;; - group_label: "network" - label: "network.dns.questions.prevalence.rolling_max" - view_label: "UDM" - description: "The maximum number of assets per day accessing the resource over the trailing day_count days." - } # dimension prevalence__rolling_max - - dimension: type { - type: number - sql: ${TABLE}.type ;; - group_label: "network" - label: "network.dns.questions.type" - view_label: "UDM" - description: "The code specifying the type of the query." - } # dimension type - -} # view udm_events__network__dns__questions - -view: udm_events__network__email__bcc { - dimension: udm_events__network__email__bcc { - type: string - sql: ${TABLE} ;; - group_label: "network" - label: "network.email.bcc" - view_label: "UDM" - description: "A list of 'bcc' addresses." - } # dimension udm_events__network__email__bcc -} # view udm_events__network__email__bcc - -view: udm_events__network__email__cc { - dimension: udm_events__network__email__cc { - type: string - sql: ${TABLE} ;; - group_label: "network" - label: "network.email.cc" - view_label: "UDM" - description: "A list of 'cc' addresses." - } # dimension udm_events__network__email__cc -} # view udm_events__network__email__cc - -view: udm_events__network__email__subject { - dimension: udm_events__network__email__subject { - type: string - sql: ${TABLE} ;; - group_label: "network" - label: "network.email.subject" - view_label: "UDM" - description: "The subject line(s) of the email." - } # dimension udm_events__network__email__subject -} # view udm_events__network__email__subject - -view: udm_events__network__email__to { - dimension: udm_events__network__email__to { - type: string - sql: ${TABLE} ;; - group_label: "network" - label: "network.email.to" - view_label: "UDM" - description: "A list of 'to' addresses." 
- } # dimension udm_events__network__email__to -} # view udm_events__network__email__to - -view: udm_events__network__http__parsed_user_agent__annotation { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "network" - label: "network.http.parsed_user_agent.annotation.key" - view_label: "UDM" - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "network" - label: "network.http.parsed_user_agent.annotation.value" - view_label: "UDM" - } # dimension value - -} # view udm_events__network__http__parsed_user_agent__annotation - -view: udm_events__network__tls__client__supported_ciphers { - dimension: udm_events__network__tls__client__supported_ciphers { - type: string - sql: ${TABLE} ;; - group_label: "network" - label: "network.tls.client.supported_ciphers" - view_label: "UDM" - description: "Ciphers supported by the client during client hello." - } # dimension udm_events__network__tls__client__supported_ciphers -} # view udm_events__network__tls__client__supported_ciphers - -view: udm_events__observer__asset__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "observer" - label: "observer.asset.attribute.labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "observer" - label: "observer.asset.attribute.labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view udm_events__observer__asset__attribute__labels - -view: udm_events__observer__asset__ip { - dimension: udm_events__observer__asset__ip { - type: string - sql: ${TABLE} ;; - group_label: "observer" - label: "observer.asset.ip" - view_label: "UDM" - description: "A list of IP addresses associated with an asset." 
- } # dimension udm_events__observer__asset__ip -} # view udm_events__observer__asset__ip - -view: udm_events__observer__asset__software { - dimension: version { - type: string - sql: ${TABLE}.version ;; - group_label: "observer" - label: "observer.asset.software.version" - view_label: "UDM" - description: "The version of the software." - } # dimension version - -} # view udm_events__observer__asset__software - -view: udm_events__observer__asset__vulnerabilities { - dimension_group: observer__asset__vulnerabilities__scan_start_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.scan_start_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.scan_start_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "observer" - label: "observer.asset.vulnerabilities.scan_start_time" - view_label: "UDM" - description: "If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan started. This field can be left unset if the start time is not available or not applicable." - } # dimension observer__asset__vulnerabilities__scan_start_time - -} # view udm_events__observer__asset__vulnerabilities - -view: udm_events__observer__ip { - dimension: udm_events__observer__ip { - type: string - sql: ${TABLE} ;; - group_label: "observer" - label: "observer.ip" - view_label: "UDM" - description: "A list of IP addresses associated with a network connection." - } # dimension udm_events__observer__ip -} # view udm_events__observer__ip - -view: udm_events__observer__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "observer" - group_item_label: "observer.labels.key [D]" - label: "observer.labels.key" - view_label: "UDM" - description: "The key. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "observer" - group_item_label: "observer.labels.value [D]" - label: "observer.labels.value" - view_label: "UDM" - description: "The value. [D]: This field is deprecated and will be removed in a future release" - } # dimension value - -} # view udm_events__observer__labels - -view: udm_events__observer__mac { - dimension: udm_events__observer__mac { - type: string - sql: ${TABLE} ;; - group_label: "observer" - label: "observer.mac" - view_label: "UDM" - description: "List of MAC addresses associated with a device." - } # dimension udm_events__observer__mac -} # view udm_events__observer__mac - -view: udm_events__observer__resource__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "observer" - label: "observer.resource.attribute.labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "observer" - label: "observer.resource.attribute.labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view udm_events__observer__resource__attribute__labels - -view: udm_events__observer__user__email_addresses { - dimension: udm_events__observer__user__email_addresses { - type: string - sql: ${TABLE} ;; - group_label: "observer" - label: "observer.user.email_addresses" - view_label: "UDM" - description: "Email addresses of the user." 
- } # dimension udm_events__observer__user__email_addresses -} # view udm_events__observer__user__email_addresses - -view: udm_events__observer__user__group_identifiers { - dimension: udm_events__observer__user__group_identifiers { - type: string - sql: ${TABLE} ;; - group_label: "observer" - label: "observer.user.group_identifiers" - view_label: "UDM" - description: "Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar)." - } # dimension udm_events__observer__user__group_identifiers -} # view udm_events__observer__user__group_identifiers - -view: udm_events__principal__artifact__network__dns__answers { - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "principal" - label: "principal.artifact.network.dns.answers.name" - view_label: "UDM" - description: "The name of the owner of the resource record." - } # dimension name - -} # view udm_events__principal__artifact__network__dns__answers - -view: udm_events__principal__asset__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "principal" - label: "principal.asset.attribute.labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "principal" - label: "principal.asset.attribute.labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view udm_events__principal__asset__attribute__labels - -view: udm_events__principal__asset__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "principal" - label: "principal.asset.attribute.roles.description" - view_label: "UDM" - description: "System role description for user." 
- } # dimension description - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "principal" - label: "principal.asset.attribute.roles.name" - view_label: "UDM" - description: "System role name for user." - } # dimension name - - dimension: type { - type: number - sql: ${TABLE}.type ;; - group_label: "principal" - label: "principal.asset.attribute.roles.type" - view_label: "UDM" - description: "System role type for well known roles." - } # dimension type - - dimension: type_enum_name { - type: string - suggestions: ["ADMINISTRATOR", "SERVICE_ACCOUNT", "TYPE_UNSPECIFIED"] - sql: CASE ${TABLE}.type WHEN 0 THEN 'TYPE_UNSPECIFIED' WHEN 1 THEN 'ADMINISTRATOR' WHEN 2 THEN 'SERVICE_ACCOUNT' END ;; - group_label: "principal" - label: "principal.asset.attribute.roles.type_enum_name" - view_label: "UDM" - description: "System role type for well known roles." - } # dimension type_enum_name - -} # view udm_events__principal__asset__attribute__roles - -view: udm_events__principal__asset__hardware { - dimension: cpu_model { - type: string - sql: ${TABLE}.cpu_model ;; - group_label: "principal" - label: "principal.asset.hardware.cpu_model" - view_label: "UDM" - description: "Model description of the hardware CPU (e.g. \"2.8 GHz Quad-Core Intel Core i5\")." - } # dimension cpu_model - - dimension: cpu_platform { - type: string - sql: ${TABLE}.cpu_platform ;; - group_label: "principal" - label: "principal.asset.hardware.cpu_platform" - view_label: "UDM" - description: "Platform of the hardware CPU (e.g. \"Intel Broadwell\")." - } # dimension cpu_platform - - dimension: manufacturer { - type: string - sql: ${TABLE}.manufacturer ;; - group_label: "principal" - label: "principal.asset.hardware.manufacturer" - view_label: "UDM" - description: "Hardware manufacturer." 
- } # dimension manufacturer - - dimension: model { - type: string - sql: ${TABLE}.model ;; - group_label: "principal" - label: "principal.asset.hardware.model" - view_label: "UDM" - description: "Hardware model." - } # dimension model - - dimension: ram { - type: number - sql: ${TABLE}.ram ;; - group_label: "principal" - label: "principal.asset.hardware.ram" - view_label: "UDM" - description: "Amount of the hardware ramdom access memory (RAM) in Mb." - } # dimension ram - - dimension: serial_number { - type: string - sql: ${TABLE}.serial_number ;; - group_label: "principal" - label: "principal.asset.hardware.serial_number" - view_label: "UDM" - description: "Hardware serial number." - } # dimension serial_number - -} # view udm_events__principal__asset__hardware - -view: udm_events__principal__asset__ip { - dimension: udm_events__principal__asset__ip { - type: string - sql: ${TABLE} ;; - group_label: "principal" - label: "principal.asset.ip" - view_label: "UDM" - description: "A list of IP addresses associated with an asset." - } # dimension udm_events__principal__asset__ip -} # view udm_events__principal__asset__ip - -view: udm_events__principal__asset__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "principal" - group_item_label: "principal.asset.labels.key [D]" - label: "principal.asset.labels.key" - view_label: "UDM" - description: "The key. [D]: This field is deprecated and will be removed in a future release" - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "principal" - group_item_label: "principal.asset.labels.value [D]" - label: "principal.asset.labels.value" - view_label: "UDM" - description: "The value. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension value - -} # view udm_events__principal__asset__labels - -view: udm_events__principal__asset__mac { - dimension: udm_events__principal__asset__mac { - type: string - sql: ${TABLE} ;; - group_label: "principal" - label: "principal.asset.mac" - view_label: "UDM" - description: "List of MAC addresses associated with an asset." - } # dimension udm_events__principal__asset__mac -} # view udm_events__principal__asset__mac - -view: udm_events__principal__asset__nat_ip { - dimension: udm_events__principal__asset__nat_ip { - type: string - sql: ${TABLE} ;; - group_label: "principal" - label: "principal.asset.nat_ip" - view_label: "UDM" - description: "List of NAT IP addresses associated with an asset." - } # dimension udm_events__principal__asset__nat_ip -} # view udm_events__principal__asset__nat_ip - -view: udm_events__principal__asset__software__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "principal" - label: "principal.asset.software.permissions.description" - view_label: "UDM" - description: "Description of the permission (e.g. 'Ability to update detect rules')." - } # dimension description - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "principal" - label: "principal.asset.software.permissions.name" - view_label: "UDM" - description: "Name of the permission (e.g. chronicle.analyst.updateRule)." - } # dimension name - -} # view udm_events__principal__asset__software__permissions - -view: udm_events__principal__asset__software { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "principal" - label: "principal.asset.software.description" - view_label: "UDM" - description: "The description of the software." 
- } # dimension description - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "principal" - label: "principal.asset.software.name" - view_label: "UDM" - description: "The name of the software." - } # dimension name - - dimension: permissions { - hidden: yes - } # dimension permissions - - dimension: vendor_name { - type: string - sql: ${TABLE}.vendor_name ;; - group_label: "principal" - label: "principal.asset.software.vendor_name" - view_label: "UDM" - description: "The name of the software vendor." - } # dimension vendor_name - - dimension: version { - type: string - sql: ${TABLE}.version ;; - group_label: "principal" - label: "principal.asset.software.version" - view_label: "UDM" - description: "The version of the software." - } # dimension version - -} # view udm_events__principal__asset__software - -view: udm_events__principal__asset__vulnerabilities { - dimension: cve_description { - type: string - sql: ${TABLE}.cve_description ;; - group_label: "principal" - label: "principal.asset.vulnerabilities.cve_description" - view_label: "UDM" - description: "Common Vulnerabilities and Exposures Description. https://cve.mitre.org/about/faqs.html#what_is_cve_record" - } # dimension cve_description - - dimension: cve_id { - type: string - sql: ${TABLE}.cve_id ;; - group_label: "principal" - label: "principal.asset.vulnerabilities.cve_id" - view_label: "UDM" - description: "Common Vulnerabilities and Exposures Id.https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures https://cve.mitre.org/about/faqs.html#what_is_cve_id" - } # dimension cve_id - - dimension: cvss_base_score { - type: number - sql: ${TABLE}.cvss_base_score ;; - group_label: "principal" - label: "principal.asset.vulnerabilities.cvss_base_score" - view_label: "UDM" - description: "CVSS Base Score in the range of 0.0 to 10.0. Useful for sorting." 
- } # dimension cvss_base_score - - dimension: cvss_vector { - type: string - sql: ${TABLE}.cvss_vector ;; - group_label: "principal" - label: "principal.asset.vulnerabilities.cvss_vector" - view_label: "UDM" - description: "Vector of CVSS properties (e.g. \"AV:L/AC:H/Au:N/C:N/I:P/A:C\") Can be linked to via: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=VALUE" - } # dimension cvss_vector - - dimension: cvss_version { - type: string - sql: ${TABLE}.cvss_version ;; - group_label: "principal" - label: "principal.asset.vulnerabilities.cvss_version" - view_label: "UDM" - description: "Version of CVSS Vector/Score." - } # dimension cvss_version - - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "principal" - label: "principal.asset.vulnerabilities.description" - view_label: "UDM" - description: "Description of the vulnerability." - } # dimension description - - dimension_group: principal__asset__vulnerabilities__first_found { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.first_found.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.first_found.nanos, 0) / 1000) as INT64)) ;; - group_label: "principal" - label: "principal.asset.vulnerabilities.first_found" - view_label: "UDM" - description: "Products that maintain a history of vuln scans should populate first_found with the time that a scan first detected the vulnerability on this asset." 
- } # dimension principal__asset__vulnerabilities__first_found - - dimension_group: principal__asset__vulnerabilities__last_found { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.last_found.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.last_found.nanos, 0) / 1000) as INT64)) ;; - group_label: "principal" - label: "principal.asset.vulnerabilities.last_found" - view_label: "UDM" - description: "Products that maintain a history of vuln scans should populate last_found with the time that a scan last detected the vulnerability on this asset." - } # dimension principal__asset__vulnerabilities__last_found - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "principal" - label: "principal.asset.vulnerabilities.name" - view_label: "UDM" - description: "Name of the vulnerability (e.g. \"Unsupported OS Version detected\")." - } # dimension name - - dimension_group: principal__asset__vulnerabilities__scan_end_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.scan_end_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.scan_end_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "principal" - label: "principal.asset.vulnerabilities.scan_end_time" - view_label: "UDM" - description: "If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan ended. This field can be left unset if the end time is not available or not applicable." 
- } # dimension principal__asset__vulnerabilities__scan_end_time - - dimension_group: principal__asset__vulnerabilities__scan_start_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.scan_start_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.scan_start_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "principal" - label: "principal.asset.vulnerabilities.scan_start_time" - view_label: "UDM" - description: "If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan started. This field can be left unset if the start time is not available or not applicable." - } # dimension principal__asset__vulnerabilities__scan_start_time - - dimension: severity { - type: number - sql: ${TABLE}.severity ;; - group_label: "principal" - label: "principal.asset.vulnerabilities.severity" - view_label: "UDM" - description: "The severity of the vulnerability." - } # dimension severity - - dimension: severity_enum_name { - type: string - suggestions: ["CRITICAL", "HIGH", "LOW", "MEDIUM", "UNKNOWN_SEVERITY"] - sql: CASE ${TABLE}.severity WHEN 0 THEN 'UNKNOWN_SEVERITY' WHEN 1 THEN 'LOW' WHEN 2 THEN 'MEDIUM' WHEN 3 THEN 'HIGH' WHEN 4 THEN 'CRITICAL' END ;; - group_label: "principal" - label: "principal.asset.vulnerabilities.severity_enum_name" - view_label: "UDM" - description: "The severity of the vulnerability." - } # dimension severity_enum_name - - dimension: severity_details { - type: string - sql: ${TABLE}.severity_details ;; - group_label: "principal" - label: "principal.asset.vulnerabilities.severity_details" - view_label: "UDM" - description: "Vendor-specific severity" - } # dimension severity_details - - dimension: vendor { - type: string - sql: ${TABLE}.vendor ;; - group_label: "principal" - label: "principal.asset.vulnerabilities.vendor" - view_label: "UDM" - description: "Vendor of scan that discovered vulnerability." 
- } # dimension vendor - - dimension: vendor_knowledge_base_article_id { - type: string - sql: ${TABLE}.vendor_knowledge_base_article_id ;; - group_label: "principal" - label: "principal.asset.vulnerabilities.vendor_knowledge_base_article_id" - view_label: "UDM" - description: "Vendor specific knowledge base article (e.g. \"KBXXXXXX\" from Microsoft). https://en.wikipedia.org/wiki/Microsoft_Knowledge_Base https://access.redhat.com/knowledgebase" - } # dimension vendor_knowledge_base_article_id - - dimension: vendor_vulnerability_id { - type: string - sql: ${TABLE}.vendor_vulnerability_id ;; - group_label: "principal" - label: "principal.asset.vulnerabilities.vendor_vulnerability_id" - view_label: "UDM" - description: "Vendor specific vulnerability id (e.g. Microsoft security bulletin id)." - } # dimension vendor_vulnerability_id - -} # view udm_events__principal__asset__vulnerabilities - -view: udm_events__principal__domain__name_server { - dimension: udm_events__principal__domain__name_server { - type: string - sql: ${TABLE} ;; - group_label: "principal" - label: "principal.domain.name_server" - view_label: "UDM" - description: "Repeated list of name servers." - } # dimension udm_events__principal__domain__name_server -} # view udm_events__principal__domain__name_server - -view: udm_events__principal__domain__tech__group_identifiers { - dimension: udm_events__principal__domain__tech__group_identifiers { - type: string - sql: ${TABLE} ;; - group_label: "principal" - label: "principal.domain.tech.group_identifiers" - view_label: "UDM" - description: "Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar)." 
- } # dimension udm_events__principal__domain__tech__group_identifiers -} # view udm_events__principal__domain__tech__group_identifiers - -view: udm_events__principal__file__names { - dimension: udm_events__principal__file__names { - type: string - sql: ${TABLE} ;; - group_label: "principal" - label: "principal.file.names" - view_label: "UDM" - description: "Names fields." - } # dimension udm_events__principal__file__names -} # view udm_events__principal__file__names - -view: udm_events__principal__group__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "principal" - label: "principal.group.attribute.labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "principal" - label: "principal.group.attribute.labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view udm_events__principal__group__attribute__labels - -view: udm_events__principal__group__attribute__roles { - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "principal" - label: "principal.group.attribute.roles.name" - view_label: "UDM" - description: "System role name for user." - } # dimension name - -} # view udm_events__principal__group__attribute__roles - -view: udm_events__principal__group__email_addresses { - dimension: udm_events__principal__group__email_addresses { - type: string - sql: ${TABLE} ;; - group_label: "principal" - label: "principal.group.email_addresses" - view_label: "UDM" - description: "Email addresses of the group." 
- } # dimension udm_events__principal__group__email_addresses -} # view udm_events__principal__group__email_addresses - -view: udm_events__principal__investigation__comments { - dimension: udm_events__principal__investigation__comments { - type: string - sql: ${TABLE} ;; - group_label: "principal" - label: "principal.investigation.comments" - view_label: "UDM" - description: "Comment added by the Analyst." - } # dimension udm_events__principal__investigation__comments -} # view udm_events__principal__investigation__comments - -view: udm_events__principal__ip { - dimension: udm_events__principal__ip { - type: string - sql: ${TABLE} ;; - group_label: "principal" - label: "principal.ip" - view_label: "UDM" - description: "A list of IP addresses associated with a network connection." - } # dimension udm_events__principal__ip -} # view udm_events__principal__ip - -view: udm_events__principal__ip_geo_artifact { - dimension: ip { - type: string - sql: ${TABLE}.ip ;; - group_label: "principal" - label: "principal.ip_geo_artifact.ip" - view_label: "UDM" - description: "IP address of the artifact." - } # dimension ip - - dimension: location { - hidden: yes - } # dimension location - - dimension: location__country_or_region { - type: string - sql: ${TABLE}.location.country_or_region ;; - group_label: "principal" - label: "principal.ip_geo_artifact.location.country_or_region" - view_label: "UDM" - description: "The country or region." - } # dimension location__country_or_region - - dimension: location__region_coordinates { - type: location - sql_latitude: ${TABLE}.location.region_coordinates.latitude ;; - sql_longitude: ${TABLE}.location.region_coordinates.longitude ;; - group_label: "principal" - group_item_label: "principal.ip_geo_artifact.location.region_coordinates [L]" - label: "principal.ip_geo_artifact.location.region_coordinates" - view_label: "UDM" - description: "Coordinates for the associated region. 
See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. [L]: This is a location field and can be used in maps." - } # dimension location__region_coordinates - - dimension: location__region_latitude { - type: number - sql: ${TABLE}.location.region_latitude ;; - group_label: "principal" - group_item_label: "principal.ip_geo_artifact.location.region_latitude [D]" - label: "principal.ip_geo_artifact.location.region_latitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" - } # dimension location__region_latitude - - dimension: location__region_longitude { - type: number - sql: ${TABLE}.location.region_longitude ;; - group_label: "principal" - group_item_label: "principal.ip_geo_artifact.location.region_longitude [D]" - label: "principal.ip_geo_artifact.location.region_longitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" - } # dimension location__region_longitude - - dimension: location__location { - type: location - sql_latitude: ${TABLE}.location.region_latitude ;; - sql_longitude: ${TABLE}.location.region_longitude ;; - group_label: "principal" - group_item_label: "principal.ip_geo_artifact.location.location [D][L]" - label: "principal.ip_geo_artifact.location.location" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." - } # dimension location__location - - dimension: location__state { - type: string - sql: ${TABLE}.location.state ;; - group_label: "principal" - label: "principal.ip_geo_artifact.location.state" - view_label: "UDM" - description: "The state." 
- } # dimension location__state - - dimension: network { - hidden: yes - } # dimension network - - dimension: network__asn { - type: string - sql: ${TABLE}.network.asn ;; - group_label: "principal" - label: "principal.ip_geo_artifact.network.asn" - view_label: "UDM" - description: "Autonomous system number." - } # dimension network__asn - - dimension: network__carrier_name { - type: string - sql: ${TABLE}.network.carrier_name ;; - group_label: "principal" - label: "principal.ip_geo_artifact.network.carrier_name" - view_label: "UDM" - description: "Carrier identification." - } # dimension network__carrier_name - - dimension: network__dns_domain { - type: string - sql: ${TABLE}.network.dns_domain ;; - group_label: "principal" - label: "principal.ip_geo_artifact.network.dns_domain" - view_label: "UDM" - description: "DNS domain name." - } # dimension network__dns_domain - - dimension: network__organization_name { - type: string - sql: ${TABLE}.network.organization_name ;; - group_label: "principal" - label: "principal.ip_geo_artifact.network.organization_name" - view_label: "UDM" - description: "Organization name (e.g Google)." - } # dimension network__organization_name - -} # view udm_events__principal__ip_geo_artifact - -view: udm_events__principal__ip_location { - dimension: city { - type: string - sql: ${TABLE}.city ;; - group_label: "principal" - group_item_label: "principal.ip_location.city [D]" - label: "principal.ip_location.city" - view_label: "UDM" - description: "The city. [D]: This field is deprecated and will be removed in a future release" - } # dimension city - - dimension: country_or_region { - type: string - sql: ${TABLE}.country_or_region ;; - group_label: "principal" - group_item_label: "principal.ip_location.country_or_region [D]" - label: "principal.ip_location.country_or_region" - view_label: "UDM" - description: "The country or region. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension country_or_region - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "principal" - group_item_label: "principal.ip_location.name [D]" - label: "principal.ip_location.name" - view_label: "UDM" - description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\"). [D]: This field is deprecated and will be removed in a future release" - } # dimension name - - dimension: region_coordinates { - type: location - sql_latitude: ${TABLE}.region_coordinates.latitude ;; - sql_longitude: ${TABLE}.region_coordinates.longitude ;; - group_label: "principal" - group_item_label: "principal.ip_location.region_coordinates [D][L]" - label: "principal.ip_location.region_coordinates" - view_label: "UDM" - description: "Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." - } # dimension region_coordinates - - dimension: region_latitude { - type: number - sql: ${TABLE}.region_latitude ;; - group_label: "principal" - group_item_label: "principal.ip_location.region_latitude [D]" - label: "principal.ip_location.region_latitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" - } # dimension region_latitude - - dimension: region_longitude { - type: number - sql: ${TABLE}.region_longitude ;; - group_label: "principal" - group_item_label: "principal.ip_location.region_longitude [D]" - label: "principal.ip_location.region_longitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension region_longitude - - dimension: location { - type: location - sql_latitude: ${TABLE}.region_latitude ;; - sql_longitude: ${TABLE}.region_longitude ;; - group_label: "principal" - group_item_label: "principal.ip_location.location [D][L]" - label: "principal.ip_location.location" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." - } # dimension location - - dimension: state { - type: string - sql: ${TABLE}.state ;; - group_label: "principal" - group_item_label: "principal.ip_location.state [D]" - label: "principal.ip_location.state" - view_label: "UDM" - description: "The state. [D]: This field is deprecated and will be removed in a future release" - } # dimension state - -} # view udm_events__principal__ip_location - -view: udm_events__principal__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "principal" - group_item_label: "principal.labels.key [D]" - label: "principal.labels.key" - view_label: "UDM" - description: "The key. [D]: This field is deprecated and will be removed in a future release" - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "principal" - group_item_label: "principal.labels.value [D]" - label: "principal.labels.value" - view_label: "UDM" - description: "The value. [D]: This field is deprecated and will be removed in a future release" - } # dimension value - -} # view udm_events__principal__labels - -view: udm_events__principal__mac { - dimension: udm_events__principal__mac { - type: string - sql: ${TABLE} ;; - group_label: "principal" - label: "principal.mac" - view_label: "UDM" - description: "List of MAC addresses associated with a device." 
- } # dimension udm_events__principal__mac -} # view udm_events__principal__mac - -view: udm_events__principal__nat_ip { - dimension: udm_events__principal__nat_ip { - type: string - sql: ${TABLE} ;; - group_label: "principal" - label: "principal.nat_ip" - view_label: "UDM" - description: "A list of NAT translated IP addresses associated with a network connection." - } # dimension udm_events__principal__nat_ip -} # view udm_events__principal__nat_ip - -view: udm_events__principal__process__command_line_history { - dimension: udm_events__principal__process__command_line_history { - type: string - sql: ${TABLE} ;; - group_label: "principal" - label: "principal.process.command_line_history" - view_label: "UDM" - description: "The command line history of the process." - } # dimension udm_events__principal__process__command_line_history -} # view udm_events__principal__process__command_line_history - -view: udm_events__principal__process__file__capabilities_tags { - dimension: udm_events__principal__process__file__capabilities_tags { - type: string - sql: ${TABLE} ;; - group_label: "principal" - label: "principal.process.file.capabilities_tags" - view_label: "UDM" - description: "Capabilities tags." - } # dimension udm_events__principal__process__file__capabilities_tags -} # view udm_events__principal__process__file__capabilities_tags - -view: udm_events__principal__process__file__names { - dimension: udm_events__principal__process__file__names { - type: string - sql: ${TABLE} ;; - group_label: "principal" - label: "principal.process.file.names" - view_label: "UDM" - description: "Names fields." 
- } # dimension udm_events__principal__process__file__names -} # view udm_events__principal__process__file__names - -view: udm_events__principal__process_ancestors { - dimension: file { - hidden: yes - } # dimension file - - dimension: file__full_path { - type: string - sql: ${TABLE}.file.full_path ;; - group_label: "principal" - label: "principal.process_ancestors.file.full_path" - view_label: "UDM" - description: "The full path identifying the location of the file on the system." - } # dimension file__full_path - - dimension: pid { - type: string - sql: ${TABLE}.pid ;; - group_label: "principal" - label: "principal.process_ancestors.pid" - view_label: "UDM" - description: "The process ID." - } # dimension pid - -} # view udm_events__principal__process_ancestors - -view: udm_events__principal__resource__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "principal" - label: "principal.resource.attribute.labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "principal" - label: "principal.resource.attribute.labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view udm_events__principal__resource__attribute__labels - -view: udm_events__principal__resource__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "principal" - label: "principal.resource.attribute.permissions.description" - view_label: "UDM" - description: "Description of the permission (e.g. 'Ability to update detect rules')." - } # dimension description - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "principal" - label: "principal.resource.attribute.permissions.name" - view_label: "UDM" - description: "Name of the permission (e.g. chronicle.analyst.updateRule)." 
- } # dimension name - - dimension: type { - type: number - sql: ${TABLE}.type ;; - group_label: "principal" - label: "principal.resource.attribute.permissions.type" - view_label: "UDM" - description: "Type of the permission." - } # dimension type - - dimension: type_enum_name { - type: string - suggestions: ["ADMIN_READ", "ADMIN_WRITE", "DATA_READ", "DATA_WRITE", "UNKNOWN_PERMISSION_TYPE"] - sql: CASE ${TABLE}.type WHEN 0 THEN 'UNKNOWN_PERMISSION_TYPE' WHEN 1 THEN 'ADMIN_WRITE' WHEN 2 THEN 'ADMIN_READ' WHEN 3 THEN 'DATA_WRITE' WHEN 4 THEN 'DATA_READ' END ;; - group_label: "principal" - label: "principal.resource.attribute.permissions.type_enum_name" - view_label: "UDM" - description: "Type of the permission." - } # dimension type_enum_name - -} # view udm_events__principal__resource__attribute__permissions - -view: udm_events__principal__resource__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "principal" - label: "principal.resource.attribute.roles.description" - view_label: "UDM" - description: "System role description for user." - } # dimension description - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "principal" - label: "principal.resource.attribute.roles.name" - view_label: "UDM" - description: "System role name for user." - } # dimension name - - dimension: type { - type: number - sql: ${TABLE}.type ;; - group_label: "principal" - label: "principal.resource.attribute.roles.type" - view_label: "UDM" - description: "System role type for well known roles." 
- } # dimension type - - dimension: type_enum_name { - type: string - suggestions: ["ADMINISTRATOR", "SERVICE_ACCOUNT", "TYPE_UNSPECIFIED"] - sql: CASE ${TABLE}.type WHEN 0 THEN 'TYPE_UNSPECIFIED' WHEN 1 THEN 'ADMINISTRATOR' WHEN 2 THEN 'SERVICE_ACCOUNT' END ;; - group_label: "principal" - label: "principal.resource.attribute.roles.type_enum_name" - view_label: "UDM" - description: "System role type for well known roles." - } # dimension type_enum_name - -} # view udm_events__principal__resource__attribute__roles - -view: udm_events__principal__resource_ancestors__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "principal" - label: "principal.resource_ancestors.attribute.labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "principal" - label: "principal.resource_ancestors.attribute.labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view udm_events__principal__resource_ancestors__attribute__labels - -view: udm_events__principal__resource_ancestors { - dimension: attribute { - hidden: yes - } # dimension attribute - - dimension: attribute__labels { - hidden: yes - } # dimension attribute__labels - - dimension: id { - type: string - sql: ${TABLE}.id ;; - group_label: "principal" - group_item_label: "principal.resource_ancestors.id [D]" - label: "principal.resource_ancestors.id" - view_label: "UDM" - description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" - } # dimension id - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "principal" - label: "principal.resource_ancestors.name" - view_label: "UDM" - description: "The full name of the resource. 
For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." - } # dimension name - - dimension: parent { - type: string - sql: ${TABLE}.parent ;; - group_label: "principal" - group_item_label: "principal.resource_ancestors.parent [D]" - label: "principal.resource_ancestors.parent" - view_label: "UDM" - description: "The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: use resource_ancestors.name. [D]: This field is deprecated and will be removed in a future release" - } # dimension parent - - dimension: product_object_id { - type: string - sql: ${TABLE}.product_object_id ;; - group_label: "principal" - label: "principal.resource_ancestors.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" - } # dimension product_object_id - - dimension: resource_type { - type: number - sql: ${TABLE}.resource_type ;; - group_label: "principal" - label: "principal.resource_ancestors.resource_type" - view_label: "UDM" - description: "Resource type." 
- } # dimension resource_type - - dimension: resource_type_enum_name { - type: string - suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] - sql: CASE ${TABLE}.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; - group_label: "principal" - label: "principal.resource_ancestors.resource_type_enum_name" - view_label: "UDM" - description: "Resource type." - } # dimension resource_type_enum_name - -} # view udm_events__principal__resource_ancestors - -view: udm_events__principal__user__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "principal" - label: "principal.user.attribute.labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "principal" - label: "principal.user.attribute.labels.value" - view_label: "UDM" - description: "The value." 
- } # dimension value - -} # view udm_events__principal__user__attribute__labels - -view: udm_events__principal__user__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "principal" - label: "principal.user.attribute.permissions.description" - view_label: "UDM" - description: "Description of the permission (e.g. 'Ability to update detect rules')." - } # dimension description - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "principal" - label: "principal.user.attribute.permissions.name" - view_label: "UDM" - description: "Name of the permission (e.g. chronicle.analyst.updateRule)." - } # dimension name - - dimension: type { - type: number - sql: ${TABLE}.type ;; - group_label: "principal" - label: "principal.user.attribute.permissions.type" - view_label: "UDM" - description: "Type of the permission." - } # dimension type - - dimension: type_enum_name { - type: string - suggestions: ["ADMIN_READ", "ADMIN_WRITE", "DATA_READ", "DATA_WRITE", "UNKNOWN_PERMISSION_TYPE"] - sql: CASE ${TABLE}.type WHEN 0 THEN 'UNKNOWN_PERMISSION_TYPE' WHEN 1 THEN 'ADMIN_WRITE' WHEN 2 THEN 'ADMIN_READ' WHEN 3 THEN 'DATA_WRITE' WHEN 4 THEN 'DATA_READ' END ;; - group_label: "principal" - label: "principal.user.attribute.permissions.type_enum_name" - view_label: "UDM" - description: "Type of the permission." - } # dimension type_enum_name - -} # view udm_events__principal__user__attribute__permissions - -view: udm_events__principal__user__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "principal" - label: "principal.user.attribute.roles.description" - view_label: "UDM" - description: "System role description for user." - } # dimension description - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "principal" - label: "principal.user.attribute.roles.name" - view_label: "UDM" - description: "System role name for user." 
- } # dimension name - - dimension: type { - type: number - sql: ${TABLE}.type ;; - group_label: "principal" - label: "principal.user.attribute.roles.type" - view_label: "UDM" - description: "System role type for well known roles." - } # dimension type - - dimension: type_enum_name { - type: string - suggestions: ["ADMINISTRATOR", "SERVICE_ACCOUNT", "TYPE_UNSPECIFIED"] - sql: CASE ${TABLE}.type WHEN 0 THEN 'TYPE_UNSPECIFIED' WHEN 1 THEN 'ADMINISTRATOR' WHEN 2 THEN 'SERVICE_ACCOUNT' END ;; - group_label: "principal" - label: "principal.user.attribute.roles.type_enum_name" - view_label: "UDM" - description: "System role type for well known roles." - } # dimension type_enum_name - -} # view udm_events__principal__user__attribute__roles - -view: udm_events__principal__user__department { - dimension: udm_events__principal__user__department { - type: string - sql: ${TABLE} ;; - group_label: "principal" - label: "principal.user.department" - view_label: "UDM" - description: "User job department" - } # dimension udm_events__principal__user__department -} # view udm_events__principal__user__department - -view: udm_events__principal__user__email_addresses { - dimension: udm_events__principal__user__email_addresses { - type: string - sql: ${TABLE} ;; - group_label: "principal" - label: "principal.user.email_addresses" - view_label: "UDM" - description: "Email addresses of the user." - } # dimension udm_events__principal__user__email_addresses -} # view udm_events__principal__user__email_addresses - -view: udm_events__principal__user__group_identifiers { - dimension: udm_events__principal__user__group_identifiers { - type: string - sql: ${TABLE} ;; - group_label: "principal" - label: "principal.user.group_identifiers" - view_label: "UDM" - description: "Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar)." 
- } # dimension udm_events__principal__user__group_identifiers -} # view udm_events__principal__user__group_identifiers - -view: udm_events__principal__user__managers__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "principal" - label: "principal.user.managers.attribute.labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "principal" - label: "principal.user.managers.attribute.labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view udm_events__principal__user__managers__attribute__labels - -view: udm_events__principal__user__managers__attribute__roles { - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "principal" - label: "principal.user.managers.attribute.roles.name" - view_label: "UDM" - description: "System role name for user." - } # dimension name - - dimension: type { - type: number - sql: ${TABLE}.type ;; - group_label: "principal" - label: "principal.user.managers.attribute.roles.type" - view_label: "UDM" - description: "System role type for well known roles." - } # dimension type - - dimension: type_enum_name { - type: string - suggestions: ["ADMINISTRATOR", "SERVICE_ACCOUNT", "TYPE_UNSPECIFIED"] - sql: CASE ${TABLE}.type WHEN 0 THEN 'TYPE_UNSPECIFIED' WHEN 1 THEN 'ADMINISTRATOR' WHEN 2 THEN 'SERVICE_ACCOUNT' END ;; - group_label: "principal" - label: "principal.user.managers.attribute.roles.type_enum_name" - view_label: "UDM" - description: "System role type for well known roles." 
- } # dimension type_enum_name - -} # view udm_events__principal__user__managers__attribute__roles - -view: udm_events__principal__user__managers__department { - dimension: udm_events__principal__user__managers__department { - type: string - sql: ${TABLE} ;; - group_label: "principal" - label: "principal.user.managers.department" - view_label: "UDM" - description: "User job department" - } # dimension udm_events__principal__user__managers__department -} # view udm_events__principal__user__managers__department - -view: udm_events__principal__user__managers__email_addresses { - dimension: udm_events__principal__user__managers__email_addresses { - type: string - sql: ${TABLE} ;; - group_label: "principal" - label: "principal.user.managers.email_addresses" - view_label: "UDM" - description: "Email addresses of the user." - } # dimension udm_events__principal__user__managers__email_addresses -} # view udm_events__principal__user__managers__email_addresses - -view: udm_events__principal__user__managers__group_identifiers { - dimension: udm_events__principal__user__managers__group_identifiers { - type: string - sql: ${TABLE} ;; - group_label: "principal" - label: "principal.user.managers.group_identifiers" - view_label: "UDM" - description: "Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar)." - } # dimension udm_events__principal__user__managers__group_identifiers -} # view udm_events__principal__user__managers__group_identifiers - -view: udm_events__principal__user__managers__phone_numbers { - dimension: udm_events__principal__user__managers__phone_numbers { - type: string - sql: ${TABLE} ;; - group_label: "principal" - label: "principal.user.managers.phone_numbers" - view_label: "UDM" - description: "Phone numbers for the user." 
- } # dimension udm_events__principal__user__managers__phone_numbers -} # view udm_events__principal__user__managers__phone_numbers - -view: udm_events__principal__user__managers { - dimension: attribute { - hidden: yes - } # dimension attribute - - dimension: attribute__labels { - hidden: yes - } # dimension attribute__labels - - dimension: attribute__roles { - hidden: yes - } # dimension attribute__roles - - dimension: company_name { - type: string - sql: ${TABLE}.company_name ;; - group_label: "principal" - label: "principal.user.managers.company_name" - view_label: "UDM" - description: "User job company name." - } # dimension company_name - - dimension: department { - hidden: yes - } # dimension department - - dimension: email_addresses { - hidden: yes - } # dimension email_addresses - - dimension: employee_id { - type: string - sql: ${TABLE}.employee_id ;; - group_label: "principal" - label: "principal.user.managers.employee_id" - view_label: "UDM" - description: "Human capital management identifier." - } # dimension employee_id - - dimension: first_name { - type: string - sql: ${TABLE}.first_name ;; - group_label: "principal" - label: "principal.user.managers.first_name" - view_label: "UDM" - description: "First name of the user (e.g. \"John\")." - } # dimension first_name - - dimension: group_identifiers { - hidden: yes - } # dimension group_identifiers - - dimension: last_name { - type: string - sql: ${TABLE}.last_name ;; - group_label: "principal" - label: "principal.user.managers.last_name" - view_label: "UDM" - description: "Last name of the user (e.g. \"Locke\")." - } # dimension last_name - - dimension: personal_address { - hidden: yes - } # dimension personal_address - - dimension: personal_address__city { - type: string - sql: ${TABLE}.personal_address.city ;; - group_label: "principal" - label: "principal.user.managers.personal_address.city" - view_label: "UDM" - description: "The city." 
- } # dimension personal_address__city - - dimension: personal_address__country_or_region { - type: string - sql: ${TABLE}.personal_address.country_or_region ;; - group_label: "principal" - label: "principal.user.managers.personal_address.country_or_region" - view_label: "UDM" - description: "The country or region." - } # dimension personal_address__country_or_region - - dimension: personal_address__name { - type: string - sql: ${TABLE}.personal_address.name ;; - group_label: "principal" - label: "principal.user.managers.personal_address.name" - view_label: "UDM" - description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." - } # dimension personal_address__name - - dimension: personal_address__state { - type: string - sql: ${TABLE}.personal_address.state ;; - group_label: "principal" - label: "principal.user.managers.personal_address.state" - view_label: "UDM" - description: "The state." - } # dimension personal_address__state - - dimension: phone_numbers { - hidden: yes - } # dimension phone_numbers - - dimension: product_object_id { - type: string - sql: ${TABLE}.product_object_id ;; - group_label: "principal" - label: "principal.user.managers.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." - } # dimension product_object_id - - dimension: title { - type: string - sql: ${TABLE}.title ;; - group_label: "principal" - label: "principal.user.managers.title" - view_label: "UDM" - description: "User job title." - } # dimension title - - dimension: user_display_name { - type: string - sql: ${TABLE}.user_display_name ;; - group_label: "principal" - label: "principal.user.managers.user_display_name" - view_label: "UDM" - description: "The display name of the user (e.g. \"John Locke\")." 
- } # dimension user_display_name - - dimension: userid { - type: string - sql: ${TABLE}.userid ;; - group_label: "principal" - label: "principal.user.managers.userid" - view_label: "UDM" - description: "The ID of the user." - } # dimension userid - - dimension: windows_sid { - type: string - sql: ${TABLE}.windows_sid ;; - group_label: "principal" - label: "principal.user.managers.windows_sid" - view_label: "UDM" - description: "The Microsoft Windows SID of the user." - } # dimension windows_sid - -} # view udm_events__principal__user__managers - -view: udm_events__principal__user__phone_numbers { - dimension: udm_events__principal__user__phone_numbers { - type: string - sql: ${TABLE} ;; - group_label: "principal" - label: "principal.user.phone_numbers" - view_label: "UDM" - description: "Phone numbers for the user." - } # dimension udm_events__principal__user__phone_numbers -} # view udm_events__principal__user__phone_numbers - -view: udm_events__principal__user__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "principal" - label: "principal.user.time_off.description" - view_label: "UDM" - description: "Description of the leave if available (e.g. 'Vacation')." - } # dimension description - - dimension_group: principal__user__time_off__interval { - type: duration - intervals: [ second, minute, hour ] - sql_start: TIMESTAMP_MICROS(IFNULL(${TABLE}.interval.start_time.seconds,0) * 1000000 + CAST((IFNULL(${TABLE}.interval.start_time.nanos,0) / 1000) as INT64)) ;; - sql_end: TIMESTAMP_MICROS(IFNULL(${TABLE}.interval.end_time.seconds,0) * 1000000 + CAST((IFNULL(${TABLE}.interval.end_time.nanos,0) / 1000) as INT64)) ;; - group_label: "principal" - label: "principal.user.time_off.interval" - view_label: "UDM" - description: "Interval duration of the leave." 
- } # dimension principal__user__time_off__interval - -} # view udm_events__principal__user__time_off - -view: udm_events__security_result__about__asset__attribute__permissions { - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "security_result" - label: "security_result.about.asset.attribute.permissions.name" - view_label: "UDM" - description: "Name of the permission (e.g. chronicle.analyst.updateRule)." - } # dimension name - -} # view udm_events__security_result__about__asset__attribute__permissions - -view: udm_events__security_result__about__asset__ip { - dimension: udm_events__security_result__about__asset__ip { - type: string - sql: ${TABLE} ;; - group_label: "security_result" - label: "security_result.about.asset.ip" - view_label: "UDM" - description: "A list of IP addresses associated with an asset." - } # dimension udm_events__security_result__about__asset__ip -} # view udm_events__security_result__about__asset__ip - -view: udm_events__security_result__about__asset__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "security_result" - group_item_label: "security_result.about.asset.labels.key [D]" - label: "security_result.about.asset.labels.key" - view_label: "UDM" - description: "The key. [D]: This field is deprecated and will be removed in a future release" - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "security_result" - group_item_label: "security_result.about.asset.labels.value [D]" - label: "security_result.about.asset.labels.value" - view_label: "UDM" - description: "The value. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension value - -} # view udm_events__security_result__about__asset__labels - -view: udm_events__security_result__about__asset__mac { - dimension: udm_events__security_result__about__asset__mac { - type: string - sql: ${TABLE} ;; - group_label: "security_result" - label: "security_result.about.asset.mac" - view_label: "UDM" - description: "List of MAC addresses associated with an asset." - } # dimension udm_events__security_result__about__asset__mac -} # view udm_events__security_result__about__asset__mac - -view: udm_events__security_result__about__asset__software__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "security_result" - label: "security_result.about.asset.software.permissions.description" - view_label: "UDM" - description: "Description of the permission (e.g. 'Ability to update detect rules')." - } # dimension description - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "security_result" - label: "security_result.about.asset.software.permissions.name" - view_label: "UDM" - description: "Name of the permission (e.g. chronicle.analyst.updateRule)." - } # dimension name - -} # view udm_events__security_result__about__asset__software__permissions - -view: udm_events__security_result__about__asset__software { - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "security_result" - label: "security_result.about.asset.software.name" - view_label: "UDM" - description: "The name of the software." - } # dimension name - - dimension: permissions { - hidden: yes - } # dimension permissions - - dimension: version { - type: string - sql: ${TABLE}.version ;; - group_label: "security_result" - label: "security_result.about.asset.software.version" - view_label: "UDM" - description: "The version of the software." 
- } # dimension version - -} # view udm_events__security_result__about__asset__software - -view: udm_events__security_result__about__asset__vulnerabilities { - dimension: cvss_base_score { - type: number - sql: ${TABLE}.cvss_base_score ;; - group_label: "security_result" - label: "security_result.about.asset.vulnerabilities.cvss_base_score" - view_label: "UDM" - description: "CVSS Base Score in the range of 0.0 to 10.0. Useful for sorting." - } # dimension cvss_base_score - -} # view udm_events__security_result__about__asset__vulnerabilities - -view: udm_events__security_result__about__domain__tech__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "security_result" - label: "security_result.about.domain.tech.attribute.permissions.description" - view_label: "UDM" - description: "Description of the permission (e.g. 'Ability to update detect rules')." - } # dimension description - -} # view udm_events__security_result__about__domain__tech__attribute__permissions - -view: udm_events__security_result__about__file__capabilities_tags { - dimension: udm_events__security_result__about__file__capabilities_tags { - type: string - sql: ${TABLE} ;; - group_label: "security_result" - label: "security_result.about.file.capabilities_tags" - view_label: "UDM" - description: "Capabilities tags." - } # dimension udm_events__security_result__about__file__capabilities_tags -} # view udm_events__security_result__about__file__capabilities_tags - -view: udm_events__security_result__about__file__names { - dimension: udm_events__security_result__about__file__names { - type: string - sql: ${TABLE} ;; - group_label: "security_result" - label: "security_result.about.file.names" - view_label: "UDM" - description: "Names fields." 
- } # dimension udm_events__security_result__about__file__names -} # view udm_events__security_result__about__file__names - -view: udm_events__security_result__about__investigation__comments { - dimension: udm_events__security_result__about__investigation__comments { - type: string - sql: ${TABLE} ;; - group_label: "security_result" - label: "security_result.about.investigation.comments" - view_label: "UDM" - description: "Comment added by the Analyst." - } # dimension udm_events__security_result__about__investigation__comments -} # view udm_events__security_result__about__investigation__comments - -view: udm_events__security_result__about__ip { - dimension: udm_events__security_result__about__ip { - type: string - sql: ${TABLE} ;; - group_label: "security_result" - label: "security_result.about.ip" - view_label: "UDM" - description: "A list of IP addresses associated with a network connection." - } # dimension udm_events__security_result__about__ip -} # view udm_events__security_result__about__ip - -view: udm_events__security_result__about__ip_location { - dimension: country_or_region { - type: string - sql: ${TABLE}.country_or_region ;; - group_label: "security_result" - group_item_label: "security_result.about.ip_location.country_or_region [D]" - label: "security_result.about.ip_location.country_or_region" - view_label: "UDM" - description: "The country or region. [D]: This field is deprecated and will be removed in a future release" - } # dimension country_or_region - -} # view udm_events__security_result__about__ip_location - -view: udm_events__security_result__about__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "security_result" - group_item_label: "security_result.about.labels.key [D]" - label: "security_result.about.labels.key" - view_label: "UDM" - description: "The key. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "security_result" - group_item_label: "security_result.about.labels.value [D]" - label: "security_result.about.labels.value" - view_label: "UDM" - description: "The value. [D]: This field is deprecated and will be removed in a future release" - } # dimension value - -} # view udm_events__security_result__about__labels - -view: udm_events__security_result__about__mac { - dimension: udm_events__security_result__about__mac { - type: string - sql: ${TABLE} ;; - group_label: "security_result" - label: "security_result.about.mac" - view_label: "UDM" - description: "List of MAC addresses associated with a device." - } # dimension udm_events__security_result__about__mac -} # view udm_events__security_result__about__mac - -view: udm_events__security_result__about__nat_ip { - dimension: udm_events__security_result__about__nat_ip { - type: string - sql: ${TABLE} ;; - group_label: "security_result" - label: "security_result.about.nat_ip" - view_label: "UDM" - description: "A list of NAT translated IP addresses associated with a network connection." - } # dimension udm_events__security_result__about__nat_ip -} # view udm_events__security_result__about__nat_ip - -view: udm_events__security_result__about__process__command_line_history { - dimension: udm_events__security_result__about__process__command_line_history { - type: string - sql: ${TABLE} ;; - group_label: "security_result" - label: "security_result.about.process.command_line_history" - view_label: "UDM" - description: "The command line history of the process." 
- } # dimension udm_events__security_result__about__process__command_line_history -} # view udm_events__security_result__about__process__command_line_history - -view: udm_events__security_result__about__resource__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "security_result" - label: "security_result.about.resource.attribute.labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "security_result" - label: "security_result.about.resource.attribute.labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view udm_events__security_result__about__resource__attribute__labels - -view: udm_events__security_result__about__resource_ancestors { - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "security_result" - label: "security_result.about.resource_ancestors.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." - } # dimension name - - dimension: product_object_id { - type: string - sql: ${TABLE}.product_object_id ;; - group_label: "security_result" - label: "security_result.about.resource_ancestors.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" - } # dimension product_object_id - - dimension: resource_type { - type: number - sql: ${TABLE}.resource_type ;; - group_label: "security_result" - label: "security_result.about.resource_ancestors.resource_type" - view_label: "UDM" - description: "Resource type." 
- } # dimension resource_type - - dimension: resource_type_enum_name { - type: string - suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] - sql: CASE ${TABLE}.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; - group_label: "security_result" - label: "security_result.about.resource_ancestors.resource_type_enum_name" - view_label: "UDM" - description: "Resource type." - } # dimension resource_type_enum_name - -} # view udm_events__security_result__about__resource_ancestors - -view: udm_events__security_result__about__user__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "security_result" - label: "security_result.about.user.attribute.labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "security_result" - label: "security_result.about.user.attribute.labels.value" - view_label: "UDM" - description: "The value." 
- } # dimension value - -} # view udm_events__security_result__about__user__attribute__labels - -view: udm_events__security_result__about__user__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "security_result" - label: "security_result.about.user.attribute.roles.description" - view_label: "UDM" - description: "System role description for user." - } # dimension description - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "security_result" - label: "security_result.about.user.attribute.roles.name" - view_label: "UDM" - description: "System role name for user." - } # dimension name - -} # view udm_events__security_result__about__user__attribute__roles - -view: udm_events__security_result__about__user__email_addresses { - dimension: udm_events__security_result__about__user__email_addresses { - type: string - sql: ${TABLE} ;; - group_label: "security_result" - label: "security_result.about.user.email_addresses" - view_label: "UDM" - description: "Email addresses of the user." - } # dimension udm_events__security_result__about__user__email_addresses -} # view udm_events__security_result__about__user__email_addresses - -view: udm_events__security_result__about__user__group_identifiers { - dimension: udm_events__security_result__about__user__group_identifiers { - type: string - sql: ${TABLE} ;; - group_label: "security_result" - label: "security_result.about.user.group_identifiers" - view_label: "UDM" - description: "Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar)." 
- } # dimension udm_events__security_result__about__user__group_identifiers -} # view udm_events__security_result__about__user__group_identifiers - -view: udm_events__security_result__about__user_management_chain { - dimension: userid { - type: string - sql: ${TABLE}.userid ;; - group_label: "security_result" - label: "security_result.about.user_management_chain.userid" - view_label: "UDM" - description: "The ID of the user." - } # dimension userid - -} # view udm_events__security_result__about__user_management_chain - -view: udm_events__security_result__action { - dimension: udm_events__security_result__action { - type: number - sql: ${TABLE} ;; - group_label: "security_result" - label: "security_result.action" - view_label: "UDM" - description: "Actions taken for this event." - } # dimension udm_events__security_result__action -} # view udm_events__security_result__action - -view: udm_events__security_result__action_enum_name { - dimension: udm_events__security_result__action_enum_name { - type: string - suggestions: ["ALLOW", "ALLOW_WITH_MODIFICATION", "BLOCK", "CHALLENGE", "FAIL", "QUARANTINE", "UNKNOWN_ACTION"] - sql: CASE ${TABLE} WHEN 0 THEN 'UNKNOWN_ACTION' WHEN 1 THEN 'ALLOW' WHEN 2 THEN 'BLOCK' WHEN 3 THEN 'ALLOW_WITH_MODIFICATION' WHEN 4 THEN 'QUARANTINE' WHEN 5 THEN 'FAIL' WHEN 6 THEN 'CHALLENGE' END ;; - group_label: "security_result" - label: "security_result.action_enum_name" - view_label: "UDM" - description: "Actions taken for this event." - } # dimension udm_events__security_result__action_enum_name -} # view udm_events__security_result__action_enum_name - -view: udm_events__security_result__attack_details__tactics { - dimension: id { - type: string - sql: ${TABLE}.id ;; - group_label: "security_result" - label: "security_result.attack_details.tactics.id" - view_label: "UDM" - description: "Tactic ID (e.g. \"TA0043\")." 
- } # dimension id - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "security_result" - label: "security_result.attack_details.tactics.name" - view_label: "UDM" - description: "Tactic Name (e.g. \"Reconnaissance\")" - } # dimension name - -} # view udm_events__security_result__attack_details__tactics - -view: udm_events__security_result__attack_details__techniques { - dimension: id { - type: string - sql: ${TABLE}.id ;; - group_label: "security_result" - label: "security_result.attack_details.techniques.id" - view_label: "UDM" - description: "Technique ID (e.g. \"T1595\")." - } # dimension id - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "security_result" - label: "security_result.attack_details.techniques.name" - view_label: "UDM" - description: "Technique Name (e.g. \"Active Scanning\")." - } # dimension name - - dimension: subtechnique_id { - type: string - sql: ${TABLE}.subtechnique_id ;; - group_label: "security_result" - label: "security_result.attack_details.techniques.subtechnique_id" - view_label: "UDM" - description: "Subtechnique ID (e.g. \"T1595.001\")." - } # dimension subtechnique_id - - dimension: subtechnique_name { - type: string - sql: ${TABLE}.subtechnique_name ;; - group_label: "security_result" - label: "security_result.attack_details.techniques.subtechnique_name" - view_label: "UDM" - description: "Subtechnique Name (e.g. \"Scanning IP Blocks\")." - } # dimension subtechnique_name - -} # view udm_events__security_result__attack_details__techniques - -view: udm_events__security_result__category { - dimension: udm_events__security_result__category { - type: number - sql: ${TABLE} ;; - group_label: "security_result" - label: "security_result.category" - view_label: "UDM" - description: "The security category." 
- } # dimension udm_events__security_result__category -} # view udm_events__security_result__category - -view: udm_events__security_result__category_enum_name { - dimension: udm_events__security_result__category_enum_name { - type: string - suggestions: ["ACL_VIOLATION", "AUTH_VIOLATION", "DATA_AT_REST", "DATA_DESTRUCTION", "DATA_EXFILTRATION", "EXPLOIT", "MAIL_PHISHING", "MAIL_SPAM", "MAIL_SPOOFING", "NETWORK_CATEGORIZED_CONTENT", "NETWORK_COMMAND_AND_CONTROL", "NETWORK_DENIAL_OF_SERVICE", "NETWORK_MALICIOUS", "NETWORK_RECON", "NETWORK_SUSPICIOUS", "PHISHING", "POLICY_VIOLATION", "SOCIAL_ENGINEERING", "SOFTWARE_MALICIOUS", "SOFTWARE_PUA", "SOFTWARE_SUSPICIOUS", "TOR_EXIT_NODE", "UNKNOWN_CATEGORY"] - sql: CASE ${TABLE} WHEN 0 THEN 'UNKNOWN_CATEGORY' WHEN 10000 THEN 'SOFTWARE_MALICIOUS' WHEN 10100 THEN 'SOFTWARE_SUSPICIOUS' WHEN 10200 THEN 'SOFTWARE_PUA' WHEN 20000 THEN 'NETWORK_MALICIOUS' WHEN 20100 THEN 'NETWORK_SUSPICIOUS' WHEN 20200 THEN 'NETWORK_CATEGORIZED_CONTENT' WHEN 20300 THEN 'NETWORK_DENIAL_OF_SERVICE' WHEN 20400 THEN 'NETWORK_RECON' WHEN 20500 THEN 'NETWORK_COMMAND_AND_CONTROL' WHEN 30000 THEN 'ACL_VIOLATION' WHEN 40000 THEN 'AUTH_VIOLATION' WHEN 50000 THEN 'EXPLOIT' WHEN 60000 THEN 'DATA_EXFILTRATION' WHEN 60100 THEN 'DATA_AT_REST' WHEN 60200 THEN 'DATA_DESTRUCTION' WHEN 60300 THEN 'TOR_EXIT_NODE' WHEN 70000 THEN 'MAIL_SPAM' WHEN 70100 THEN 'MAIL_PHISHING' WHEN 70200 THEN 'MAIL_SPOOFING' WHEN 80000 THEN 'POLICY_VIOLATION' WHEN 90001 THEN 'SOCIAL_ENGINEERING' WHEN 90002 THEN 'PHISHING' END ;; - group_label: "security_result" - label: "security_result.category_enum_name" - view_label: "UDM" - description: "The security category." 
- } # dimension udm_events__security_result__category_enum_name -} # view udm_events__security_result__category_enum_name - -view: udm_events__security_result__category_details { - dimension: udm_events__security_result__category_details { - type: string - sql: ${TABLE} ;; - group_label: "security_result" - label: "security_result.category_details" - view_label: "UDM" - description: "For vendor-specific categories. For web categorization, put type in here such as \"gambling\", \"porn\", etc." - } # dimension udm_events__security_result__category_details -} # view udm_events__security_result__category_details - -view: udm_events__security_result__detection_fields { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "security_result" - label: "security_result.detection_fields.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: source { - type: string - sql: ${TABLE}.source ;; - group_label: "security_result" - label: "security_result.detection_fields.source" - view_label: "UDM" - description: "@hide_from_doc" - } # dimension source - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "security_result" - label: "security_result.detection_fields.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view udm_events__security_result__detection_fields - -view: udm_events__security_result__outcomes { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "security_result" - label: "security_result.outcomes.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "security_result" - label: "security_result.outcomes.value" - view_label: "UDM" - description: "The value." 
- } # dimension value - -} # view udm_events__security_result__outcomes - -view: udm_events__security_result__rule_labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "security_result" - label: "security_result.rule_labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "security_result" - label: "security_result.rule_labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view udm_events__security_result__rule_labels - -view: udm_events__security_result { - dimension: about { - hidden: yes - } # dimension about - - dimension: about__administrative_domain { - type: string - sql: ${TABLE}.about.administrative_domain ;; - group_label: "security_result" - label: "security_result.about.administrative_domain" - view_label: "UDM" - description: "Domain which the device belongs to (for example, the Microsoft Windows domain)." - } # dimension about__administrative_domain - - dimension: about__application { - type: string - sql: ${TABLE}.about.application ;; - group_label: "security_result" - label: "security_result.about.application" - view_label: "UDM" - description: "The name of an application or service. Some SSO solutions only capture the name of a target application such as \"Atlassian\" or \"Chronicle\"." 
- } # dimension about__application - - dimension: about__artifact { - hidden: yes - } # dimension about__artifact - - dimension_group: security_result__about__artifact__first_seen_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.about.artifact.first_seen_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.about.artifact.first_seen_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "security_result" - label: "security_result.about.artifact.first_seen_time" - view_label: "UDM" - description: "First seen timestamp of the IP in the customer's environment." - } # dimension security_result__about__artifact__first_seen_time - - dimension_group: security_result__about__artifact__last_seen_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.about.artifact.last_seen_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.about.artifact.last_seen_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "security_result" - label: "security_result.about.artifact.last_seen_time" - view_label: "UDM" - description: "Last seen timestamp of the IP address in the customer's environment." - } # dimension security_result__about__artifact__last_seen_time - - dimension: about__asset { - hidden: yes - } # dimension about__asset - - dimension: about__asset__asset_id { - type: string - sql: ${TABLE}.about.asset.asset_id ;; - group_label: "security_result" - label: "security_result.about.asset.asset_id" - view_label: "UDM" - description: "The asset ID." 
- } # dimension about__asset__asset_id - - dimension: about__asset__attribute { - hidden: yes - } # dimension about__asset__attribute - - dimension: about__asset__attribute__cloud { - hidden: yes - } # dimension about__asset__attribute__cloud - - dimension: about__asset__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.about.asset.attribute.cloud.availability_zone ;; - group_label: "security_result" - label: "security_result.about.asset.attribute.cloud.availability_zone" - view_label: "UDM" - description: "The cloud environment availability zone (different from region which is location.name)." - } # dimension about__asset__attribute__cloud__availability_zone - - dimension: about__asset__attribute__cloud__environment { - type: number - sql: ${TABLE}.about.asset.attribute.cloud.environment ;; - group_label: "security_result" - label: "security_result.about.asset.attribute.cloud.environment" - view_label: "UDM" - description: "The Cloud environment." - } # dimension about__asset__attribute__cloud__environment - - dimension: about__asset__attribute__cloud__environment_enum_name { - type: string - suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] - sql: CASE ${TABLE}.about.asset.attribute.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; - group_label: "security_result" - label: "security_result.about.asset.attribute.cloud.environment_enum_name" - view_label: "UDM" - description: "The Cloud environment." 
- } # dimension about__asset__attribute__cloud__environment_enum_name - - dimension: about__asset__attribute__cloud__project { - hidden: yes - } # dimension about__asset__attribute__cloud__project - - dimension: about__asset__attribute__cloud__project__id { - type: string - sql: ${TABLE}.about.asset.attribute.cloud.project.id ;; - group_label: "security_result" - group_item_label: "security_result.about.asset.attribute.cloud.project.id [D]" - label: "security_result.about.asset.attribute.cloud.project.id" - view_label: "UDM" - description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" - } # dimension about__asset__attribute__cloud__project__id - - dimension: about__asset__attribute__cloud__project__name { - type: string - sql: ${TABLE}.about.asset.attribute.cloud.project.name ;; - group_label: "security_result" - group_item_label: "security_result.about.asset.attribute.cloud.project.name [D]" - label: "security_result.about.asset.attribute.cloud.project.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension about__asset__attribute__cloud__project__name - - dimension: about__asset__attribute__cloud__project__product_object_id { - type: string - sql: ${TABLE}.about.asset.attribute.cloud.project.product_object_id ;; - group_label: "security_result" - group_item_label: "security_result.about.asset.attribute.cloud.project.product_object_id [D]" - label: "security_result.about.asset.attribute.cloud.project.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" - } # dimension about__asset__attribute__cloud__project__product_object_id - - dimension: about__asset__attribute__cloud__project__resource_type { - type: number - sql: ${TABLE}.about.asset.attribute.cloud.project.resource_type ;; - group_label: "security_result" - group_item_label: "security_result.about.asset.attribute.cloud.project.resource_type [D]" - label: "security_result.about.asset.attribute.cloud.project.resource_type" - view_label: "UDM" - description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension about__asset__attribute__cloud__project__resource_type - - dimension: about__asset__attribute__cloud__project__resource_type_enum_name { - type: string - suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] - sql: CASE ${TABLE}.about.asset.attribute.cloud.project.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; - group_label: "security_result" - group_item_label: "security_result.about.asset.attribute.cloud.project.resource_type_enum_name [D]" - label: "security_result.about.asset.attribute.cloud.project.resource_type_enum_name" - view_label: "UDM" - description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension about__asset__attribute__cloud__project__resource_type_enum_name - - dimension_group: security_result__about__asset__attribute__creation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.about.asset.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.about.asset.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "security_result" - label: "security_result.about.asset.attribute.creation_time" - view_label: "UDM" - description: "Time the resource or entity was created or provisioned." - } # dimension security_result__about__asset__attribute__creation_time - - dimension_group: security_result__about__asset__attribute__last_update_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.about.asset.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.about.asset.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "security_result" - label: "security_result.about.asset.attribute.last_update_time" - view_label: "UDM" - description: "Time the resource or entity was last updated." - } # dimension security_result__about__asset__attribute__last_update_time - - dimension: about__asset__attribute__permissions { - hidden: yes - } # dimension about__asset__attribute__permissions - - dimension: about__asset__category { - type: string - sql: ${TABLE}.about.asset.category ;; - group_label: "security_result" - label: "security_result.about.asset.category" - view_label: "UDM" - description: "The category of the asset (e.g. \"End User Asset\", \"Workstation\", \"Server\")." 
- } # dimension about__asset__category - - dimension: about__asset__hostname { - type: string - sql: ${TABLE}.about.asset.hostname ;; - group_label: "security_result" - label: "security_result.about.asset.hostname" - view_label: "UDM" - description: "Asset hostname or domain name field." - } # dimension about__asset__hostname - - dimension: about__asset__ip { - hidden: yes - } # dimension about__asset__ip - - dimension: about__asset__labels { - hidden: yes - } # dimension about__asset__labels - - dimension: about__asset__location { - hidden: yes - } # dimension about__asset__location - - dimension: about__asset__location__city { - type: string - sql: ${TABLE}.about.asset.location.city ;; - group_label: "security_result" - label: "security_result.about.asset.location.city" - view_label: "UDM" - description: "The city." - } # dimension about__asset__location__city - - dimension: about__asset__location__country_or_region { - type: string - sql: ${TABLE}.about.asset.location.country_or_region ;; - group_label: "security_result" - label: "security_result.about.asset.location.country_or_region" - view_label: "UDM" - description: "The country or region." - } # dimension about__asset__location__country_or_region - - dimension: about__asset__location__state { - type: string - sql: ${TABLE}.about.asset.location.state ;; - group_label: "security_result" - label: "security_result.about.asset.location.state" - view_label: "UDM" - description: "The state." - } # dimension about__asset__location__state - - dimension: about__asset__mac { - hidden: yes - } # dimension about__asset__mac - - dimension: about__asset__product_object_id { - type: string - sql: ${TABLE}.about.asset.product_object_id ;; - group_label: "security_result" - label: "security_result.about.asset.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID or similar)." 
- } # dimension about__asset__product_object_id - - dimension: about__asset__software { - hidden: yes - } # dimension about__asset__software - - dimension: about__asset__vulnerabilities { - hidden: yes - } # dimension about__asset__vulnerabilities - - dimension: about__asset_id { - type: string - sql: ${TABLE}.about.asset_id ;; - group_label: "security_result" - label: "security_result.about.asset_id" - view_label: "UDM" - description: "The asset ID." - } # dimension about__asset_id - - dimension: about__cloud { - hidden: yes - } # dimension about__cloud - - dimension: about__cloud__availability_zone { - type: string - sql: ${TABLE}.about.cloud.availability_zone ;; - group_label: "security_result" - group_item_label: "security_result.about.cloud.availability_zone [D]" - label: "security_result.about.cloud.availability_zone" - view_label: "UDM" - description: "The cloud environment availability zone (different from region which is location.name). [D]: This field is deprecated and will be removed in a future release" - } # dimension about__cloud__availability_zone - - dimension: about__cloud__project { - hidden: yes - } # dimension about__cloud__project - - dimension: about__cloud__project__id { - type: string - sql: ${TABLE}.about.cloud.project.id ;; - group_label: "security_result" - group_item_label: "security_result.about.cloud.project.id [D]" - label: "security_result.about.cloud.project.id" - view_label: "UDM" - description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" - } # dimension about__cloud__project__id - - dimension: about__cloud__project__name { - type: string - sql: ${TABLE}.about.cloud.project.name ;; - group_label: "security_result" - group_item_label: "security_result.about.cloud.project.name [D]" - label: "security_result.about.cloud.project.name" - view_label: "UDM" - description: "The full name of the resource. 
For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" - } # dimension about__cloud__project__name - - dimension: about__cloud__project__parent { - type: string - sql: ${TABLE}.about.cloud.project.parent ;; - group_label: "security_result" - group_item_label: "security_result.about.cloud.project.parent [D]" - label: "security_result.about.cloud.project.parent" - view_label: "UDM" - description: "The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: use resource_ancestors.name. [D]: This field is deprecated and will be removed in a future release" - } # dimension about__cloud__project__parent - - dimension: about__cloud__project__product_object_id { - type: string - sql: ${TABLE}.about.cloud.project.product_object_id ;; - group_label: "security_result" - group_item_label: "security_result.about.cloud.project.product_object_id [D]" - label: "security_result.about.cloud.project.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) [D]: This field is deprecated and will be removed in a future release" - } # dimension about__cloud__project__product_object_id - - dimension: about__domain { - hidden: yes - } # dimension about__domain - - dimension: about__domain__admin { - hidden: yes - } # dimension about__domain__admin - - dimension: about__domain__admin__userid { - type: string - sql: ${TABLE}.about.domain.admin.userid ;; - group_label: "security_result" - label: "security_result.about.domain.admin.userid" - view_label: "UDM" - description: "The ID of the user." 
- } # dimension about__domain__admin__userid - - dimension: about__domain__registrant { - hidden: yes - } # dimension about__domain__registrant - - dimension: about__domain__registrant__role_description { - type: string - sql: ${TABLE}.about.domain.registrant.role_description ;; - group_label: "security_result" - group_item_label: "security_result.about.domain.registrant.role_description [D]" - label: "security_result.about.domain.registrant.role_description" - view_label: "UDM" - description: "System role description for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" - } # dimension about__domain__registrant__role_description - - dimension: about__domain__tech { - hidden: yes - } # dimension about__domain__tech - - dimension: about__domain__tech__attribute { - hidden: yes - } # dimension about__domain__tech__attribute - - dimension: about__domain__tech__attribute__permissions { - hidden: yes - } # dimension about__domain__tech__attribute__permissions - - dimension: about__email { - type: string - sql: ${TABLE}.about.email ;; - group_label: "security_result" - label: "security_result.about.email" - view_label: "UDM" - description: "Email address. Only filled in for security_result.about" - } # dimension about__email - - dimension: about__file { - hidden: yes - } # dimension about__file - - dimension: about__file__ahash { - type: string - sql: ${TABLE}.about.file.ahash ;; - group_label: "security_result" - group_item_label: "security_result.about.file.ahash [D]" - label: "security_result.about.file.ahash" - view_label: "UDM" - description: "Deprecated. Use authentihash instead. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension about__file__ahash - - dimension: about__file__capabilities_tags { - hidden: yes - } # dimension about__file__capabilities_tags - - dimension: about__file__full_path { - type: string - sql: ${TABLE}.about.file.full_path ;; - group_label: "security_result" - label: "security_result.about.file.full_path" - view_label: "UDM" - description: "The full path identifying the location of the file on the system." - } # dimension about__file__full_path - - dimension_group: security_result__about__file__last_modification_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.about.file.last_modification_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.about.file.last_modification_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "security_result" - label: "security_result.about.file.last_modification_time" - view_label: "UDM" - description: "Timestamp when the file was last updated." - } # dimension security_result__about__file__last_modification_time - - dimension: about__file__md5 { - type: string - sql: ${TABLE}.about.file.md5 ;; - group_label: "security_result" - label: "security_result.about.file.md5" - view_label: "UDM" - description: "The MD5 hash of the file." - } # dimension about__file__md5 - - dimension: about__file__mime_type { - type: string - sql: ${TABLE}.about.file.mime_type ;; - group_label: "security_result" - label: "security_result.about.file.mime_type" - view_label: "UDM" - description: "The MIME (Multipurpose Internet Mail Extensions) type of the file, for example \"PE\", \"PDF\", \"powershell script\", etc." 
- } # dimension about__file__mime_type - - dimension: about__file__names { - hidden: yes - } # dimension about__file__names - - dimension: about__file__sha1 { - type: string - sql: ${TABLE}.about.file.sha1 ;; - group_label: "security_result" - label: "security_result.about.file.sha1" - view_label: "UDM" - description: "The SHA1 hash of the file." - } # dimension about__file__sha1 - - dimension: about__file__sha256 { - type: string - sql: ${TABLE}.about.file.sha256 ;; - group_label: "security_result" - label: "security_result.about.file.sha256" - view_label: "UDM" - description: "The SHA256 hash of the file." - } # dimension about__file__sha256 - - dimension: about__file__size { - type: number - sql: ${TABLE}.about.file.size ;; - group_label: "security_result" - label: "security_result.about.file.size" - view_label: "UDM" - description: "The size of the file in bytes." - } # dimension about__file__size - - dimension: about__file__ssdeep { - type: string - sql: ${TABLE}.about.file.ssdeep ;; - group_label: "security_result" - label: "security_result.about.file.ssdeep" - view_label: "UDM" - description: "Ssdeep of the file" - } # dimension about__file__ssdeep - - dimension: about__group { - hidden: yes - } # dimension about__group - - dimension: about__group__group_display_name { - type: string - sql: ${TABLE}.about.group.group_display_name ;; - group_label: "security_result" - label: "security_result.about.group.group_display_name" - view_label: "UDM" - description: "Group display name. e.g. \"Finance\"." - } # dimension about__group__group_display_name - - dimension: about__group__product_object_id { - type: string - sql: ${TABLE}.about.group.product_object_id ;; - group_label: "security_result" - label: "security_result.about.group.product_object_id" - view_label: "UDM" - description: "Product globally unique user object identifier, such as an LDAP Object Identifier." 
- } # dimension about__group__product_object_id - - dimension: about__hostname { - type: string - sql: ${TABLE}.about.hostname ;; - group_label: "security_result" - label: "security_result.about.hostname" - view_label: "UDM" - description: "Client hostname or domain name field. Hostname also doubles as the domain for remote entities." - } # dimension about__hostname - - dimension: about__investigation { - hidden: yes - } # dimension about__investigation - - dimension: about__investigation__comments { - hidden: yes - } # dimension about__investigation__comments - - dimension: about__investigation__risk_score { - type: number - sql: ${TABLE}.about.investigation.risk_score ;; - group_label: "security_result" - label: "security_result.about.investigation.risk_score" - view_label: "UDM" - description: "Risk score for a finding set by an analyst." - } # dimension about__investigation__risk_score - - dimension: about__investigation__root_cause { - type: string - sql: ${TABLE}.about.investigation.root_cause ;; - group_label: "security_result" - label: "security_result.about.investigation.root_cause" - view_label: "UDM" - description: "Root cause of the Alert or Finding set by analyst." - } # dimension about__investigation__root_cause - - dimension: about__investigation__severity_score { - type: number - sql: ${TABLE}.about.investigation.severity_score ;; - group_label: "security_result" - label: "security_result.about.investigation.severity_score" - view_label: "UDM" - description: "Severity score for a finding set by an analyst." - } # dimension about__investigation__severity_score - - dimension: about__investigation__status { - type: number - sql: ${TABLE}.about.investigation.status ;; - group_label: "security_result" - label: "security_result.about.investigation.status" - view_label: "UDM" - description: "Describes the workflow status of a finding." 
- } # dimension about__investigation__status - - dimension: about__investigation__status_enum_name { - type: string - suggestions: ["CLOSED", "NEW", "OPEN", "REVIEWED", "STATUS_UNSPECIFIED"] - sql: CASE ${TABLE}.about.investigation.status WHEN 0 THEN 'STATUS_UNSPECIFIED' WHEN 1 THEN 'NEW' WHEN 2 THEN 'REVIEWED' WHEN 3 THEN 'CLOSED' WHEN 4 THEN 'OPEN' END ;; - group_label: "security_result" - label: "security_result.about.investigation.status_enum_name" - view_label: "UDM" - description: "Describes the workflow status of a finding." - } # dimension about__investigation__status_enum_name - - dimension: about__investigation__verdict { - type: number - sql: ${TABLE}.about.investigation.verdict ;; - group_label: "security_result" - label: "security_result.about.investigation.verdict" - view_label: "UDM" - description: "Describes reason a finding investigation was resolved." - } # dimension about__investigation__verdict - - dimension: about__investigation__verdict_enum_name { - type: string - suggestions: ["FALSE_POSITIVE", "TRUE_POSITIVE", "VERDICT_UNSPECIFIED"] - sql: CASE ${TABLE}.about.investigation.verdict WHEN 0 THEN 'VERDICT_UNSPECIFIED' WHEN 1 THEN 'TRUE_POSITIVE' WHEN 2 THEN 'FALSE_POSITIVE' END ;; - group_label: "security_result" - label: "security_result.about.investigation.verdict_enum_name" - view_label: "UDM" - description: "Describes reason a finding investigation was resolved." - } # dimension about__investigation__verdict_enum_name - - dimension: about__ip { - hidden: yes - } # dimension about__ip - - dimension: about__ip_location { - hidden: yes - } # dimension about__ip_location - - dimension: about__labels { - hidden: yes - } # dimension about__labels - - dimension: about__location { - hidden: yes - } # dimension about__location - - dimension: about__location__city { - type: string - sql: ${TABLE}.about.location.city ;; - group_label: "security_result" - label: "security_result.about.location.city" - view_label: "UDM" - description: "The city." 
- } # dimension about__location__city - - dimension: about__location__country_or_region { - type: string - sql: ${TABLE}.about.location.country_or_region ;; - group_label: "security_result" - label: "security_result.about.location.country_or_region" - view_label: "UDM" - description: "The country or region." - } # dimension about__location__country_or_region - - dimension: about__location__name { - type: string - sql: ${TABLE}.about.location.name ;; - group_label: "security_result" - label: "security_result.about.location.name" - view_label: "UDM" - description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." - } # dimension about__location__name - - dimension: about__location__state { - type: string - sql: ${TABLE}.about.location.state ;; - group_label: "security_result" - label: "security_result.about.location.state" - view_label: "UDM" - description: "The state." - } # dimension about__location__state - - dimension: about__mac { - hidden: yes - } # dimension about__mac - - dimension: about__namespace { - type: string - sql: ${TABLE}.about.namespace ;; - group_label: "security_result" - label: "security_result.about.namespace" - view_label: "UDM" - description: "Namespace which the device belongs to (e.g. AD forest) Uses for this field include Microsoft Windows AD forest, name of subsidiary or acquisition, etc." - } # dimension about__namespace - - dimension: about__nat_ip { - hidden: yes - } # dimension about__nat_ip - - dimension: about__object_reference { - hidden: yes - } # dimension about__object_reference - - dimension: about__object_reference__id { - type: string - sql: ${TABLE}.about.object_reference.id ;; - group_label: "security_result" - label: "security_result.about.object_reference.id" - view_label: "UDM" - description: "Full raw ID." 
- } # dimension about__object_reference__id - - dimension: about__platform { - type: number - sql: ${TABLE}.about.platform ;; - group_label: "security_result" - label: "security_result.about.platform" - view_label: "UDM" - description: "Platform." - } # dimension about__platform - - dimension: about__platform_enum_name { - type: string - suggestions: ["ANDROID", "AWS", "AZURE", "CHROME_OS", "GCP", "IOS", "LINUX", "MAC", "UNKNOWN_PLATFORM", "WINDOWS"] - sql: CASE ${TABLE}.about.platform WHEN 0 THEN 'UNKNOWN_PLATFORM' WHEN 1 THEN 'WINDOWS' WHEN 2 THEN 'MAC' WHEN 3 THEN 'LINUX' WHEN 4 THEN 'GCP' WHEN 5 THEN 'AWS' WHEN 6 THEN 'AZURE' WHEN 7 THEN 'IOS' WHEN 8 THEN 'ANDROID' WHEN 9 THEN 'CHROME_OS' END ;; - group_label: "security_result" - label: "security_result.about.platform_enum_name" - view_label: "UDM" - description: "Platform." - } # dimension about__platform_enum_name - - dimension: about__platform_version { - type: string - sql: ${TABLE}.about.platform_version ;; - group_label: "security_result" - label: "security_result.about.platform_version" - view_label: "UDM" - description: "Platform version. For example, \"Microsoft Windows 1803\"." - } # dimension about__platform_version - - dimension: about__port { - type: number - value_format: "#" - sql: ${TABLE}.about.port ;; - group_label: "security_result" - label: "security_result.about.port" - view_label: "UDM" - description: "Source or destination network port number when a specific network connection is described within an event." - } # dimension about__port - - dimension: about__process { - hidden: yes - } # dimension about__process - - dimension: about__process__command_line { - type: string - sql: ${TABLE}.about.process.command_line ;; - group_label: "security_result" - label: "security_result.about.process.command_line" - view_label: "UDM" - description: "The command line command that created the process." 
- } # dimension about__process__command_line - - dimension: about__process__command_line_history { - hidden: yes - } # dimension about__process__command_line_history - - dimension: about__process__file { - hidden: yes - } # dimension about__process__file - - dimension: about__process__file__full_path { - type: string - sql: ${TABLE}.about.process.file.full_path ;; - group_label: "security_result" - label: "security_result.about.process.file.full_path" - view_label: "UDM" - description: "The full path identifying the location of the file on the system." - } # dimension about__process__file__full_path - - dimension: about__process__file__md5 { - type: string - sql: ${TABLE}.about.process.file.md5 ;; - group_label: "security_result" - label: "security_result.about.process.file.md5" - view_label: "UDM" - description: "The MD5 hash of the file." - } # dimension about__process__file__md5 - - dimension: about__process__file__sha256 { - type: string - sql: ${TABLE}.about.process.file.sha256 ;; - group_label: "security_result" - label: "security_result.about.process.file.sha256" - view_label: "UDM" - description: "The SHA256 hash of the file." - } # dimension about__process__file__sha256 - - dimension: about__process__parent_pid { - type: string - sql: ${TABLE}.about.process.parent_pid ;; - group_label: "security_result" - group_item_label: "security_result.about.process.parent_pid [D]" - label: "security_result.about.process.parent_pid" - view_label: "UDM" - description: "The ID of the parent process. Deprecated: use parent_process.pid instead. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension about__process__parent_pid - - dimension: about__process__parent_process { - hidden: yes - } # dimension about__process__parent_process - - dimension: about__process__parent_process__pid { - type: string - sql: ${TABLE}.about.process.parent_process.pid ;; - group_label: "security_result" - label: "security_result.about.process.parent_process.pid" - view_label: "UDM" - description: "The process ID." - } # dimension about__process__parent_process__pid - - dimension: about__process__pid { - type: string - sql: ${TABLE}.about.process.pid ;; - group_label: "security_result" - label: "security_result.about.process.pid" - view_label: "UDM" - description: "The process ID." - } # dimension about__process__pid - - dimension: about__process__product_specific_process_id { - type: string - sql: ${TABLE}.about.process.product_specific_process_id ;; - group_label: "security_result" - label: "security_result.about.process.product_specific_process_id" - view_label: "UDM" - description: "A product specific process id." - } # dimension about__process__product_specific_process_id - - dimension: about__registry { - hidden: yes - } # dimension about__registry - - dimension: about__registry__registry_key { - type: string - sql: ${TABLE}.about.registry.registry_key ;; - group_label: "security_result" - label: "security_result.about.registry.registry_key" - view_label: "UDM" - description: "Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...)." - } # dimension about__registry__registry_key - - dimension: about__registry__registry_value_data { - type: string - sql: ${TABLE}.about.registry.registry_value_data ;; - group_label: "security_result" - label: "security_result.about.registry.registry_value_data" - view_label: "UDM" - description: "Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp)." 
- } # dimension about__registry__registry_value_data - - dimension: about__resource { - hidden: yes - } # dimension about__resource - - dimension: about__resource__attribute { - hidden: yes - } # dimension about__resource__attribute - - dimension_group: security_result__about__resource__attribute__creation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.about.resource.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.about.resource.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "security_result" - label: "security_result.about.resource.attribute.creation_time" - view_label: "UDM" - description: "Time the resource or entity was created or provisioned." - } # dimension security_result__about__resource__attribute__creation_time - - dimension: about__resource__attribute__labels { - hidden: yes - } # dimension about__resource__attribute__labels - - dimension_group: security_result__about__resource__attribute__last_update_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.about.resource.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.about.resource.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "security_result" - label: "security_result.about.resource.attribute.last_update_time" - view_label: "UDM" - description: "Time the resource or entity was last updated." - } # dimension security_result__about__resource__attribute__last_update_time - - dimension: about__resource__id { - type: string - sql: ${TABLE}.about.resource.id ;; - group_label: "security_result" - group_item_label: "security_result.about.resource.id [D]" - label: "security_result.about.resource.id" - view_label: "UDM" - description: "Deprecated: Use resource.name or resource.product_object_id. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension about__resource__id - - dimension: about__resource__name { - type: string - sql: ${TABLE}.about.resource.name ;; - group_label: "security_result" - label: "security_result.about.resource.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." - } # dimension about__resource__name - - dimension: about__resource__parent { - type: string - sql: ${TABLE}.about.resource.parent ;; - group_label: "security_result" - group_item_label: "security_result.about.resource.parent [D]" - label: "security_result.about.resource.parent" - view_label: "UDM" - description: "The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: use resource_ancestors.name. [D]: This field is deprecated and will be removed in a future release" - } # dimension about__resource__parent - - dimension: about__resource__product_object_id { - type: string - sql: ${TABLE}.about.resource.product_object_id ;; - group_label: "security_result" - label: "security_result.about.resource.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" - } # dimension about__resource__product_object_id - - dimension: about__resource__resource_subtype { - type: string - sql: ${TABLE}.about.resource.resource_subtype ;; - group_label: "security_result" - label: "security_result.about.resource.resource_subtype" - view_label: "UDM" - description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\")." 
- } # dimension about__resource__resource_subtype - - dimension: about__resource__resource_type { - type: number - sql: ${TABLE}.about.resource.resource_type ;; - group_label: "security_result" - label: "security_result.about.resource.resource_type" - view_label: "UDM" - description: "Resource type." - } # dimension about__resource__resource_type - - dimension: about__resource__resource_type_enum_name { - type: string - suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] - sql: CASE ${TABLE}.about.resource.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; - group_label: "security_result" - label: "security_result.about.resource.resource_type_enum_name" - view_label: "UDM" - description: "Resource type." - } # dimension about__resource__resource_type_enum_name - - dimension: about__resource__type { - type: string - sql: ${TABLE}.about.resource.type ;; - group_label: "security_result" - group_item_label: "security_result.about.resource.type [D]" - label: "security_result.about.resource.type" - view_label: "UDM" - description: "Deprecated: use resource_type instead. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension about__resource__type - - dimension: about__resource_ancestors { - hidden: yes - } # dimension about__resource_ancestors - - dimension: about__url { - type: string - sql: ${TABLE}.about.url ;; - group_label: "security_result" - label: "security_result.about.url" - view_label: "UDM" - description: "The URL." - } # dimension about__url - - dimension: about__user { - hidden: yes - } # dimension about__user - - dimension: about__user__attribute { - hidden: yes - } # dimension about__user__attribute - - dimension: about__user__attribute__cloud { - hidden: yes - } # dimension about__user__attribute__cloud - - dimension: about__user__attribute__cloud__environment { - type: number - sql: ${TABLE}.about.user.attribute.cloud.environment ;; - group_label: "security_result" - label: "security_result.about.user.attribute.cloud.environment" - view_label: "UDM" - description: "The Cloud environment." - } # dimension about__user__attribute__cloud__environment - - dimension: about__user__attribute__cloud__environment_enum_name { - type: string - suggestions: ["AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM", "MICROSOFT_AZURE", "UNSPECIFIED_CLOUD_ENVIRONMENT"] - sql: CASE ${TABLE}.about.user.attribute.cloud.environment WHEN 0 THEN 'UNSPECIFIED_CLOUD_ENVIRONMENT' WHEN 1 THEN 'GOOGLE_CLOUD_PLATFORM' WHEN 2 THEN 'AMAZON_WEB_SERVICES' WHEN 3 THEN 'MICROSOFT_AZURE' END ;; - group_label: "security_result" - label: "security_result.about.user.attribute.cloud.environment_enum_name" - view_label: "UDM" - description: "The Cloud environment." 
- } # dimension about__user__attribute__cloud__environment_enum_name - - dimension: about__user__attribute__cloud__project { - hidden: yes - } # dimension about__user__attribute__cloud__project - - dimension: about__user__attribute__cloud__project__id { - type: string - sql: ${TABLE}.about.user.attribute.cloud.project.id ;; - group_label: "security_result" - group_item_label: "security_result.about.user.attribute.cloud.project.id [D]" - label: "security_result.about.user.attribute.cloud.project.id" - view_label: "UDM" - description: "Deprecated: Use resource.name or resource.product_object_id. [D]: This field is deprecated and will be removed in a future release" - } # dimension about__user__attribute__cloud__project__id - - dimension: about__user__attribute__cloud__project__name { - type: string - sql: ${TABLE}.about.user.attribute.cloud.project.name ;; - group_label: "security_result" - group_item_label: "security_result.about.user.attribute.cloud.project.name [D]" - label: "security_result.about.user.attribute.cloud.project.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. [D]: This field is deprecated and will be removed in a future release" - } # dimension about__user__attribute__cloud__project__name - - dimension: about__user__attribute__cloud__project__resource_type { - type: number - sql: ${TABLE}.about.user.attribute.cloud.project.resource_type ;; - group_label: "security_result" - group_item_label: "security_result.about.user.attribute.cloud.project.resource_type [D]" - label: "security_result.about.user.attribute.cloud.project.resource_type" - view_label: "UDM" - description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension about__user__attribute__cloud__project__resource_type - - dimension: about__user__attribute__cloud__project__resource_type_enum_name { - type: string - suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] - sql: CASE ${TABLE}.about.user.attribute.cloud.project.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; - group_label: "security_result" - group_item_label: "security_result.about.user.attribute.cloud.project.resource_type_enum_name [D]" - label: "security_result.about.user.attribute.cloud.project.resource_type_enum_name" - view_label: "UDM" - description: "Resource type. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension about__user__attribute__cloud__project__resource_type_enum_name - - dimension_group: security_result__about__user__attribute__creation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.about.user.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.about.user.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "security_result" - label: "security_result.about.user.attribute.creation_time" - view_label: "UDM" - description: "Time the resource or entity was created or provisioned." - } # dimension security_result__about__user__attribute__creation_time - - dimension: about__user__attribute__labels { - hidden: yes - } # dimension about__user__attribute__labels - - dimension_group: security_result__about__user__attribute__last_update_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.about.user.attribute.last_update_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.about.user.attribute.last_update_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "security_result" - label: "security_result.about.user.attribute.last_update_time" - view_label: "UDM" - description: "Time the resource or entity was last updated." 
- } # dimension security_result__about__user__attribute__last_update_time - - dimension: about__user__attribute__roles { - hidden: yes - } # dimension about__user__attribute__roles - - dimension: about__user__email_addresses { - hidden: yes - } # dimension about__user__email_addresses - - dimension: about__user__group_identifiers { - hidden: yes - } # dimension about__user__group_identifiers - - dimension: about__user__product_object_id { - type: string - sql: ${TABLE}.about.user.product_object_id ;; - group_label: "security_result" - label: "security_result.about.user.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." - } # dimension about__user__product_object_id - - dimension: about__user__role_description { - type: string - sql: ${TABLE}.about.user.role_description ;; - group_label: "security_result" - group_item_label: "security_result.about.user.role_description [D]" - label: "security_result.about.user.role_description" - view_label: "UDM" - description: "System role description for user. Deprecated: use attribute.roles. [D]: This field is deprecated and will be removed in a future release" - } # dimension about__user__role_description - - dimension: about__user__user_authentication_status { - type: number - sql: ${TABLE}.about.user.user_authentication_status ;; - group_label: "security_result" - label: "security_result.about.user.user_authentication_status" - view_label: "UDM" - description: "System authentication status for user." 
- } # dimension about__user__user_authentication_status - - dimension: about__user__user_authentication_status_enum_name { - type: string - suggestions: ["ACTIVE", "DELETED", "NO_ACTIVE_CREDENTIALS", "SUSPENDED", "UNKNOWN_AUTHENTICATION_STATUS"] - sql: CASE ${TABLE}.about.user.user_authentication_status WHEN 0 THEN 'UNKNOWN_AUTHENTICATION_STATUS' WHEN 1 THEN 'ACTIVE' WHEN 2 THEN 'SUSPENDED' WHEN 3 THEN 'NO_ACTIVE_CREDENTIALS' WHEN 4 THEN 'DELETED' END ;; - group_label: "security_result" - label: "security_result.about.user.user_authentication_status_enum_name" - view_label: "UDM" - description: "System authentication status for user." - } # dimension about__user__user_authentication_status_enum_name - - dimension: about__user__user_display_name { - type: string - sql: ${TABLE}.about.user.user_display_name ;; - group_label: "security_result" - label: "security_result.about.user.user_display_name" - view_label: "UDM" - description: "The display name of the user (e.g. \"John Locke\")." - } # dimension about__user__user_display_name - - dimension: about__user__userid { - type: string - sql: ${TABLE}.about.user.userid ;; - group_label: "security_result" - label: "security_result.about.user.userid" - view_label: "UDM" - description: "The ID of the user." - } # dimension about__user__userid - - dimension: about__user_management_chain { - hidden: yes - } # dimension about__user_management_chain - - dimension: action { - hidden: yes - } # dimension action - - dimension: action_enum_name { - hidden: yes - } # dimension action_enum_name - - dimension: action_details { - type: string - sql: ${TABLE}.action_details ;; - group_label: "security_result" - label: "security_result.action_details" - view_label: "UDM" - description: "The detail of the action taken as provided by the vendor." 
- } # dimension action_details - - dimension: alert_state { - type: number - sql: ${TABLE}.alert_state ;; - group_label: "security_result" - label: "security_result.alert_state" - view_label: "UDM" - description: "The alerting types of this security result." - } # dimension alert_state - - dimension: alert_state_enum_name { - type: string - suggestions: ["ALERTING", "NOT_ALERTING", "UNSPECIFIED"] - sql: CASE ${TABLE}.alert_state WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'NOT_ALERTING' WHEN 2 THEN 'ALERTING' END ;; - group_label: "security_result" - label: "security_result.alert_state_enum_name" - view_label: "UDM" - description: "The alerting types of this security result." - } # dimension alert_state_enum_name - - dimension: attack_details { - hidden: yes - } # dimension attack_details - - dimension: attack_details__tactics { - hidden: yes - } # dimension attack_details__tactics - - dimension: attack_details__techniques { - hidden: yes - } # dimension attack_details__techniques - - dimension: attack_details__version { - type: string - sql: ${TABLE}.attack_details.version ;; - group_label: "security_result" - label: "security_result.attack_details.version" - view_label: "UDM" - description: "ATT&CK version (e.g. 12.1)." - } # dimension attack_details__version - - dimension: category { - hidden: yes - } # dimension category - - dimension: category_enum_name { - hidden: yes - } # dimension category_enum_name - - dimension: category_details { - hidden: yes - } # dimension category_details - - dimension: confidence { - type: number - sql: ${TABLE}.confidence ;; - group_label: "security_result" - label: "security_result.confidence" - view_label: "UDM" - description: "The confidence level of the result as estimated by the product." 
- } # dimension confidence - - dimension: confidence_enum_name { - type: string - suggestions: ["HIGH_CONFIDENCE", "LOW_CONFIDENCE", "MEDIUM_CONFIDENCE", "UNKNOWN_CONFIDENCE"] - sql: CASE ${TABLE}.confidence WHEN 0 THEN 'UNKNOWN_CONFIDENCE' WHEN 200 THEN 'LOW_CONFIDENCE' WHEN 300 THEN 'MEDIUM_CONFIDENCE' WHEN 400 THEN 'HIGH_CONFIDENCE' END ;; - group_label: "security_result" - label: "security_result.confidence_enum_name" - view_label: "UDM" - description: "The confidence level of the result as estimated by the product." - } # dimension confidence_enum_name - - dimension: confidence_details { - type: string - sql: ${TABLE}.confidence_details ;; - group_label: "security_result" - label: "security_result.confidence_details" - view_label: "UDM" - description: "Additional detail with regards to the confidence of a security event as estimated by the product vendor." - } # dimension confidence_details - - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "security_result" - label: "security_result.description" - view_label: "UDM" - description: "A human readable description (e.g. \"user password was wrong\")" - } # dimension description - - dimension: detection_fields { - hidden: yes - } # dimension detection_fields - - dimension: outcomes { - hidden: yes - } # dimension outcomes - - dimension: priority { - type: number - sql: ${TABLE}.priority ;; - group_label: "security_result" - label: "security_result.priority" - view_label: "UDM" - description: "The priority of the result." 
- } # dimension priority - - dimension: priority_enum_name { - type: string - suggestions: ["HIGH_PRIORITY", "LOW_PRIORITY", "MEDIUM_PRIORITY", "UNKNOWN_PRIORITY"] - sql: CASE ${TABLE}.priority WHEN 0 THEN 'UNKNOWN_PRIORITY' WHEN 200 THEN 'LOW_PRIORITY' WHEN 300 THEN 'MEDIUM_PRIORITY' WHEN 400 THEN 'HIGH_PRIORITY' END ;; - group_label: "security_result" - label: "security_result.priority_enum_name" - view_label: "UDM" - description: "The priority of the result." - } # dimension priority_enum_name - - dimension: priority_details { - type: string - sql: ${TABLE}.priority_details ;; - group_label: "security_result" - label: "security_result.priority_details" - view_label: "UDM" - description: "Vendor-specific information about the security result priority." - } # dimension priority_details - - dimension: rule_author { - type: string - sql: ${TABLE}.rule_author ;; - group_label: "security_result" - label: "security_result.rule_author" - view_label: "UDM" - description: "Author of the security rule." - } # dimension rule_author - - dimension: rule_id { - type: string - sql: ${TABLE}.rule_id ;; - group_label: "security_result" - label: "security_result.rule_id" - view_label: "UDM" - description: "A vendor-specific ID and name for a rule, varying by observerer type (e.g. \"08123\", \"5d2b44d0-5ef6-40f5-a704-47d61d3babbe\")." - } # dimension rule_id - - dimension: rule_labels { - hidden: yes - } # dimension rule_labels - - dimension: rule_name { - type: string - sql: ${TABLE}.rule_name ;; - group_label: "security_result" - label: "security_result.rule_name" - view_label: "UDM" - description: "Name of the security rule (e.g. \"BlockInboundToOracle\")." - } # dimension rule_name - - dimension: rule_set { - type: string - sql: ${TABLE}.rule_set ;; - group_label: "security_result" - label: "security_result.rule_set" - view_label: "UDM" - description: "The result's rule set identifier. (e.g. 
\"windows-threats\")" - } # dimension rule_set - - dimension: rule_set_display_name { - type: string - sql: ${TABLE}.rule_set_display_name ;; - group_label: "security_result" - label: "security_result.rule_set_display_name" - view_label: "UDM" - description: "The result's rule set display name. (e.g. \"Windows Threats\")" - } # dimension rule_set_display_name - - dimension: rule_type { - type: string - sql: ${TABLE}.rule_type ;; - group_label: "security_result" - label: "security_result.rule_type" - view_label: "UDM" - description: "The type of security rule." - } # dimension rule_type - - dimension: rule_version { - type: string - sql: ${TABLE}.rule_version ;; - group_label: "security_result" - label: "security_result.rule_version" - view_label: "UDM" - description: "Version of the security rule. (e.g. \"v1.1\", \"00001\", \"1604709794\", \"2020-11-16T23:04:19+00:00\"). Note that rule versions are source-dependant and lexical ordering should not be assumed." - } # dimension rule_version - - dimension: severity { - type: number - sql: ${TABLE}.severity ;; - group_label: "security_result" - label: "security_result.severity" - view_label: "UDM" - description: "The severity of the result." - } # dimension severity - - dimension: severity_enum_name { - type: string - suggestions: ["CRITICAL", "ERROR", "HIGH", "INFORMATIONAL", "LOW", "MEDIUM", "UNKNOWN_SEVERITY"] - sql: CASE ${TABLE}.severity WHEN 0 THEN 'UNKNOWN_SEVERITY' WHEN 100 THEN 'INFORMATIONAL' WHEN 150 THEN 'ERROR' WHEN 200 THEN 'LOW' WHEN 300 THEN 'MEDIUM' WHEN 400 THEN 'HIGH' WHEN 500 THEN 'CRITICAL' END ;; - group_label: "security_result" - label: "security_result.severity_enum_name" - view_label: "UDM" - description: "The severity of the result." - } # dimension severity_enum_name - - dimension: severity_details { - type: string - sql: ${TABLE}.severity_details ;; - group_label: "security_result" - label: "security_result.severity_details" - view_label: "UDM" - description: "Vendor-specific severity." 
- } # dimension severity_details - - dimension: summary { - type: string - sql: ${TABLE}.summary ;; - group_label: "security_result" - label: "security_result.summary" - view_label: "UDM" - description: "A human readable summary (e.g. \"failed login occurred\")" - } # dimension summary - - dimension: threat_feed_name { - type: string - sql: ${TABLE}.threat_feed_name ;; - group_label: "security_result" - label: "security_result.threat_feed_name" - view_label: "UDM" - description: "Vendor feed name for a threat indicator feed." - } # dimension threat_feed_name - - dimension: threat_id { - type: string - sql: ${TABLE}.threat_id ;; - group_label: "security_result" - label: "security_result.threat_id" - view_label: "UDM" - description: "Vendor-specific ID for a threat." - } # dimension threat_id - - dimension: threat_id_namespace { - type: number - sql: ${TABLE}.threat_id_namespace ;; - group_label: "security_result" - label: "security_result.threat_id_namespace" - view_label: "UDM" - description: "The attribute threat_id_namespace qualifies threat_id with an id namespace to get an unique id. The attribute threat_id by itself is not unique across Chronicle as it is a vendor specific id." - } # dimension threat_id_namespace - - dimension: threat_id_namespace_enum_name { - type: string - suggestions: ["MACHINE_INTELLIGENCE", "NORMALIZED_TELEMETRY", "RAW_TELEMETRY", "RULE_DETECTIONS", "SECURITY_COMMAND_CENTER", "SOAR_ALERT", "UNSPECIFIED", "UPPERCASE"] - sql: CASE ${TABLE}.threat_id_namespace WHEN 0 THEN 'NORMALIZED_TELEMETRY' WHEN 1 THEN 'RAW_TELEMETRY' WHEN 2 THEN 'RULE_DETECTIONS' WHEN 3 THEN 'UPPERCASE' WHEN 4 THEN 'MACHINE_INTELLIGENCE' WHEN 5 THEN 'SECURITY_COMMAND_CENTER' WHEN 6 THEN 'UNSPECIFIED' WHEN 7 THEN 'SOAR_ALERT' END ;; - group_label: "security_result" - label: "security_result.threat_id_namespace_enum_name" - view_label: "UDM" - description: "The attribute threat_id_namespace qualifies threat_id with an id namespace to get an unique id. 
The attribute threat_id by itself is not unique across Chronicle as it is a vendor specific id." - } # dimension threat_id_namespace_enum_name - - dimension: threat_name { - type: string - sql: ${TABLE}.threat_name ;; - group_label: "security_result" - label: "security_result.threat_name" - view_label: "UDM" - description: "A vendor-assigned classification common across multiple customers (e.g. \"W32/File-A\", \"Slammer\")." - } # dimension threat_name - - dimension: threat_status { - type: number - sql: ${TABLE}.threat_status ;; - group_label: "security_result" - label: "security_result.threat_status" - view_label: "UDM" - description: "Current status of the threat" - } # dimension threat_status - - dimension: threat_status_enum_name { - type: string - suggestions: ["ACTIVE", "CLEARED", "FALSE_POSITIVE", "THREAT_STATUS_UNSPECIFIED"] - sql: CASE ${TABLE}.threat_status WHEN 0 THEN 'THREAT_STATUS_UNSPECIFIED' WHEN 1 THEN 'ACTIVE' WHEN 2 THEN 'CLEARED' WHEN 3 THEN 'FALSE_POSITIVE' END ;; - group_label: "security_result" - label: "security_result.threat_status_enum_name" - view_label: "UDM" - description: "Current status of the threat" - } # dimension threat_status_enum_name - - dimension: url_back_to_product { - type: string - sql: ${TABLE}.url_back_to_product ;; - group_label: "security_result" - label: "security_result.url_back_to_product" - view_label: "UDM" - description: "URL that takes the user to the source product console for this event." - } # dimension url_back_to_product - -} # view udm_events__security_result - -view: udm_events__src__artifact__network__dns__questions { - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "src" - label: "src.artifact.network.dns.questions.name" - view_label: "UDM" - description: "The domain name." 
- } # dimension name - -} # view udm_events__src__artifact__network__dns__questions - -view: udm_events__src__asset__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "src" - label: "src.asset.attribute.labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "src" - label: "src.asset.attribute.labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view udm_events__src__asset__attribute__labels - -view: udm_events__src__asset__hardware { - dimension: cpu_model { - type: string - sql: ${TABLE}.cpu_model ;; - group_label: "src" - label: "src.asset.hardware.cpu_model" - view_label: "UDM" - description: "Model description of the hardware CPU (e.g. \"2.8 GHz Quad-Core Intel Core i5\")." - } # dimension cpu_model - - dimension: cpu_platform { - type: string - sql: ${TABLE}.cpu_platform ;; - group_label: "src" - label: "src.asset.hardware.cpu_platform" - view_label: "UDM" - description: "Platform of the hardware CPU (e.g. \"Intel Broadwell\")." - } # dimension cpu_platform - - dimension: manufacturer { - type: string - sql: ${TABLE}.manufacturer ;; - group_label: "src" - label: "src.asset.hardware.manufacturer" - view_label: "UDM" - description: "Hardware manufacturer." - } # dimension manufacturer - - dimension: model { - type: string - sql: ${TABLE}.model ;; - group_label: "src" - label: "src.asset.hardware.model" - view_label: "UDM" - description: "Hardware model." - } # dimension model - - dimension: ram { - type: number - sql: ${TABLE}.ram ;; - group_label: "src" - label: "src.asset.hardware.ram" - view_label: "UDM" - description: "Amount of the hardware ramdom access memory (RAM) in Mb." 
- } # dimension ram - - dimension: serial_number { - type: string - sql: ${TABLE}.serial_number ;; - group_label: "src" - label: "src.asset.hardware.serial_number" - view_label: "UDM" - description: "Hardware serial number." - } # dimension serial_number - -} # view udm_events__src__asset__hardware - -view: udm_events__src__asset__ip { - dimension: udm_events__src__asset__ip { - type: string - sql: ${TABLE} ;; - group_label: "src" - label: "src.asset.ip" - view_label: "UDM" - description: "A list of IP addresses associated with an asset." - } # dimension udm_events__src__asset__ip -} # view udm_events__src__asset__ip - -view: udm_events__src__asset__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "src" - group_item_label: "src.asset.labels.key [D]" - label: "src.asset.labels.key" - view_label: "UDM" - description: "The key. [D]: This field is deprecated and will be removed in a future release" - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "src" - group_item_label: "src.asset.labels.value [D]" - label: "src.asset.labels.value" - view_label: "UDM" - description: "The value. [D]: This field is deprecated and will be removed in a future release" - } # dimension value - -} # view udm_events__src__asset__labels - -view: udm_events__src__asset__mac { - dimension: udm_events__src__asset__mac { - type: string - sql: ${TABLE} ;; - group_label: "src" - label: "src.asset.mac" - view_label: "UDM" - description: "List of MAC addresses associated with an asset." - } # dimension udm_events__src__asset__mac -} # view udm_events__src__asset__mac - -view: udm_events__src__asset__nat_ip { - dimension: udm_events__src__asset__nat_ip { - type: string - sql: ${TABLE} ;; - group_label: "src" - label: "src.asset.nat_ip" - view_label: "UDM" - description: "List of NAT IP addresses associated with an asset." 
- } # dimension udm_events__src__asset__nat_ip -} # view udm_events__src__asset__nat_ip - -view: udm_events__src__asset__software__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "src" - label: "src.asset.software.permissions.description" - view_label: "UDM" - description: "Description of the permission (e.g. 'Ability to update detect rules')." - } # dimension description - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "src" - label: "src.asset.software.permissions.name" - view_label: "UDM" - description: "Name of the permission (e.g. chronicle.analyst.updateRule)." - } # dimension name - -} # view udm_events__src__asset__software__permissions - -view: udm_events__src__asset__software { - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "src" - label: "src.asset.software.name" - view_label: "UDM" - description: "The name of the software." - } # dimension name - - dimension: permissions { - hidden: yes - } # dimension permissions - - dimension: version { - type: string - sql: ${TABLE}.version ;; - group_label: "src" - label: "src.asset.software.version" - view_label: "UDM" - description: "The version of the software." - } # dimension version - -} # view udm_events__src__asset__software - -view: udm_events__src__asset__vulnerabilities { - dimension: cve_id { - type: string - sql: ${TABLE}.cve_id ;; - group_label: "src" - label: "src.asset.vulnerabilities.cve_id" - view_label: "UDM" - description: "Common Vulnerabilities and Exposures Id.https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures https://cve.mitre.org/about/faqs.html#what_is_cve_id" - } # dimension cve_id - - dimension: cvss_base_score { - type: number - sql: ${TABLE}.cvss_base_score ;; - group_label: "src" - label: "src.asset.vulnerabilities.cvss_base_score" - view_label: "UDM" - description: "CVSS Base Score in the range of 0.0 to 10.0. Useful for sorting." 
- } # dimension cvss_base_score - - dimension: cvss_vector { - type: string - sql: ${TABLE}.cvss_vector ;; - group_label: "src" - label: "src.asset.vulnerabilities.cvss_vector" - view_label: "UDM" - description: "Vector of CVSS properties (e.g. \"AV:L/AC:H/Au:N/C:N/I:P/A:C\") Can be linked to via: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=VALUE" - } # dimension cvss_vector - - dimension: cvss_version { - type: string - sql: ${TABLE}.cvss_version ;; - group_label: "src" - label: "src.asset.vulnerabilities.cvss_version" - view_label: "UDM" - description: "Version of CVSS Vector/Score." - } # dimension cvss_version - - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "src" - label: "src.asset.vulnerabilities.description" - view_label: "UDM" - description: "Description of the vulnerability." - } # dimension description - - dimension_group: src__asset__vulnerabilities__first_found { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.first_found.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.first_found.nanos, 0) / 1000) as INT64)) ;; - group_label: "src" - label: "src.asset.vulnerabilities.first_found" - view_label: "UDM" - description: "Products that maintain a history of vuln scans should populate first_found with the time that a scan first detected the vulnerability on this asset." 
- } # dimension src__asset__vulnerabilities__first_found - - dimension_group: src__asset__vulnerabilities__last_found { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.last_found.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.last_found.nanos, 0) / 1000) as INT64)) ;; - group_label: "src" - label: "src.asset.vulnerabilities.last_found" - view_label: "UDM" - description: "Products that maintain a history of vuln scans should populate last_found with the time that a scan last detected the vulnerability on this asset." - } # dimension src__asset__vulnerabilities__last_found - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "src" - label: "src.asset.vulnerabilities.name" - view_label: "UDM" - description: "Name of the vulnerability (e.g. \"Unsupported OS Version detected\")." - } # dimension name - - dimension_group: src__asset__vulnerabilities__scan_end_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.scan_end_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.scan_end_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "src" - label: "src.asset.vulnerabilities.scan_end_time" - view_label: "UDM" - description: "If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan ended. This field can be left unset if the end time is not available or not applicable." 
- } # dimension src__asset__vulnerabilities__scan_end_time - - dimension_group: src__asset__vulnerabilities__scan_start_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.scan_start_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.scan_start_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "src" - label: "src.asset.vulnerabilities.scan_start_time" - view_label: "UDM" - description: "If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan started. This field can be left unset if the start time is not available or not applicable." - } # dimension src__asset__vulnerabilities__scan_start_time - - dimension: severity { - type: number - sql: ${TABLE}.severity ;; - group_label: "src" - label: "src.asset.vulnerabilities.severity" - view_label: "UDM" - description: "The severity of the vulnerability." - } # dimension severity - - dimension: severity_enum_name { - type: string - suggestions: ["CRITICAL", "HIGH", "LOW", "MEDIUM", "UNKNOWN_SEVERITY"] - sql: CASE ${TABLE}.severity WHEN 0 THEN 'UNKNOWN_SEVERITY' WHEN 1 THEN 'LOW' WHEN 2 THEN 'MEDIUM' WHEN 3 THEN 'HIGH' WHEN 4 THEN 'CRITICAL' END ;; - group_label: "src" - label: "src.asset.vulnerabilities.severity_enum_name" - view_label: "UDM" - description: "The severity of the vulnerability." - } # dimension severity_enum_name - -} # view udm_events__src__asset__vulnerabilities - -view: udm_events__src__file__capabilities_tags { - dimension: udm_events__src__file__capabilities_tags { - type: string - sql: ${TABLE} ;; - group_label: "src" - label: "src.file.capabilities_tags" - view_label: "UDM" - description: "Capabilities tags." 
- } # dimension udm_events__src__file__capabilities_tags -} # view udm_events__src__file__capabilities_tags - -view: udm_events__src__file__embedded_domains { - dimension: udm_events__src__file__embedded_domains { - type: string - sql: ${TABLE} ;; - group_label: "src" - label: "src.file.embedded_domains" - view_label: "UDM" - description: "Embedded domains found in the file." - } # dimension udm_events__src__file__embedded_domains -} # view udm_events__src__file__embedded_domains - -view: udm_events__src__file__embedded_ips { - dimension: udm_events__src__file__embedded_ips { - type: string - sql: ${TABLE} ;; - group_label: "src" - label: "src.file.embedded_ips" - view_label: "UDM" - description: "Embedded IP addresses found in the file." - } # dimension udm_events__src__file__embedded_ips -} # view udm_events__src__file__embedded_ips - -view: udm_events__src__file__embedded_urls { - dimension: udm_events__src__file__embedded_urls { - type: string - sql: ${TABLE} ;; - group_label: "src" - label: "src.file.embedded_urls" - view_label: "UDM" - description: "Embedded urls found in the file." - } # dimension udm_events__src__file__embedded_urls -} # view udm_events__src__file__embedded_urls - -view: udm_events__src__file__names { - dimension: udm_events__src__file__names { - type: string - sql: ${TABLE} ;; - group_label: "src" - label: "src.file.names" - view_label: "UDM" - description: "Names fields." - } # dimension udm_events__src__file__names -} # view udm_events__src__file__names - -view: udm_events__src__file__signature_info__sigcheck__signers { - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "src" - label: "src.file.signature_info.sigcheck.signers.name" - view_label: "UDM" - description: "Common name of the signers/certificate. The order of the signers matters. Each element is a higher level authority, the last being the root authority." 
- } # dimension name - -} # view udm_events__src__file__signature_info__sigcheck__signers - -view: udm_events__src__file__tags { - dimension: udm_events__src__file__tags { - type: string - sql: ${TABLE} ;; - group_label: "src" - label: "src.file.tags" - view_label: "UDM" - description: "Tags for the file." - } # dimension udm_events__src__file__tags -} # view udm_events__src__file__tags - -view: udm_events__src__ip { - dimension: udm_events__src__ip { - type: string - sql: ${TABLE} ;; - group_label: "src" - label: "src.ip" - view_label: "UDM" - description: "A list of IP addresses associated with a network connection." - } # dimension udm_events__src__ip -} # view udm_events__src__ip - -view: udm_events__src__ip_geo_artifact { - dimension: ip { - type: string - sql: ${TABLE}.ip ;; - group_label: "src" - label: "src.ip_geo_artifact.ip" - view_label: "UDM" - description: "IP address of the artifact." - } # dimension ip - - dimension: location { - hidden: yes - } # dimension location - - dimension: location__country_or_region { - type: string - sql: ${TABLE}.location.country_or_region ;; - group_label: "src" - label: "src.ip_geo_artifact.location.country_or_region" - view_label: "UDM" - description: "The country or region." - } # dimension location__country_or_region - - dimension: location__region_coordinates { - type: location - sql_latitude: ${TABLE}.location.region_coordinates.latitude ;; - sql_longitude: ${TABLE}.location.region_coordinates.longitude ;; - group_label: "src" - group_item_label: "src.ip_geo_artifact.location.region_coordinates [L]" - label: "src.ip_geo_artifact.location.region_coordinates" - view_label: "UDM" - description: "Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. [L]: This is a location field and can be used in maps." 
- } # dimension location__region_coordinates - - dimension: location__region_latitude { - type: number - sql: ${TABLE}.location.region_latitude ;; - group_label: "src" - group_item_label: "src.ip_geo_artifact.location.region_latitude [D]" - label: "src.ip_geo_artifact.location.region_latitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" - } # dimension location__region_latitude - - dimension: location__region_longitude { - type: number - sql: ${TABLE}.location.region_longitude ;; - group_label: "src" - group_item_label: "src.ip_geo_artifact.location.region_longitude [D]" - label: "src.ip_geo_artifact.location.region_longitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" - } # dimension location__region_longitude - - dimension: location__location { - type: location - sql_latitude: ${TABLE}.location.region_latitude ;; - sql_longitude: ${TABLE}.location.region_longitude ;; - group_label: "src" - group_item_label: "src.ip_geo_artifact.location.location [D][L]" - label: "src.ip_geo_artifact.location.location" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." - } # dimension location__location - - dimension: location__state { - type: string - sql: ${TABLE}.location.state ;; - group_label: "src" - label: "src.ip_geo_artifact.location.state" - view_label: "UDM" - description: "The state." - } # dimension location__state - - dimension: network { - hidden: yes - } # dimension network - - dimension: network__asn { - type: string - sql: ${TABLE}.network.asn ;; - group_label: "src" - label: "src.ip_geo_artifact.network.asn" - view_label: "UDM" - description: "Autonomous system number." 
- } # dimension network__asn - - dimension: network__carrier_name { - type: string - sql: ${TABLE}.network.carrier_name ;; - group_label: "src" - label: "src.ip_geo_artifact.network.carrier_name" - view_label: "UDM" - description: "Carrier identification." - } # dimension network__carrier_name - - dimension: network__dns_domain { - type: string - sql: ${TABLE}.network.dns_domain ;; - group_label: "src" - label: "src.ip_geo_artifact.network.dns_domain" - view_label: "UDM" - description: "DNS domain name." - } # dimension network__dns_domain - - dimension: network__organization_name { - type: string - sql: ${TABLE}.network.organization_name ;; - group_label: "src" - label: "src.ip_geo_artifact.network.organization_name" - view_label: "UDM" - description: "Organization name (e.g Google)." - } # dimension network__organization_name - -} # view udm_events__src__ip_geo_artifact - -view: udm_events__src__ip_location { - dimension: country_or_region { - type: string - sql: ${TABLE}.country_or_region ;; - group_label: "src" - group_item_label: "src.ip_location.country_or_region [D]" - label: "src.ip_location.country_or_region" - view_label: "UDM" - description: "The country or region. [D]: This field is deprecated and will be removed in a future release" - } # dimension country_or_region - - dimension: region_coordinates { - type: location - sql_latitude: ${TABLE}.region_coordinates.latitude ;; - sql_longitude: ${TABLE}.region_coordinates.longitude ;; - group_label: "src" - group_item_label: "src.ip_location.region_coordinates [D][L]" - label: "src.ip_location.region_coordinates" - view_label: "UDM" - description: "Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." 
- } # dimension region_coordinates - - dimension: region_latitude { - type: number - sql: ${TABLE}.region_latitude ;; - group_label: "src" - group_item_label: "src.ip_location.region_latitude [D]" - label: "src.ip_location.region_latitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" - } # dimension region_latitude - - dimension: region_longitude { - type: number - sql: ${TABLE}.region_longitude ;; - group_label: "src" - group_item_label: "src.ip_location.region_longitude [D]" - label: "src.ip_location.region_longitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" - } # dimension region_longitude - - dimension: location { - type: location - sql_latitude: ${TABLE}.region_latitude ;; - sql_longitude: ${TABLE}.region_longitude ;; - group_label: "src" - group_item_label: "src.ip_location.location [D][L]" - label: "src.ip_location.location" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." - } # dimension location - - dimension: state { - type: string - sql: ${TABLE}.state ;; - group_label: "src" - group_item_label: "src.ip_location.state [D]" - label: "src.ip_location.state" - view_label: "UDM" - description: "The state. [D]: This field is deprecated and will be removed in a future release" - } # dimension state - -} # view udm_events__src__ip_location - -view: udm_events__src__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "src" - group_item_label: "src.labels.key [D]" - label: "src.labels.key" - view_label: "UDM" - description: "The key. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "src" - group_item_label: "src.labels.value [D]" - label: "src.labels.value" - view_label: "UDM" - description: "The value. [D]: This field is deprecated and will be removed in a future release" - } # dimension value - -} # view udm_events__src__labels - -view: udm_events__src__mac { - dimension: udm_events__src__mac { - type: string - sql: ${TABLE} ;; - group_label: "src" - label: "src.mac" - view_label: "UDM" - description: "List of MAC addresses associated with a device." - } # dimension udm_events__src__mac -} # view udm_events__src__mac - -view: udm_events__src__nat_ip { - dimension: udm_events__src__nat_ip { - type: string - sql: ${TABLE} ;; - group_label: "src" - label: "src.nat_ip" - view_label: "UDM" - description: "A list of NAT translated IP addresses associated with a network connection." - } # dimension udm_events__src__nat_ip -} # view udm_events__src__nat_ip - -view: udm_events__src__process__file__names { - dimension: udm_events__src__process__file__names { - type: string - sql: ${TABLE} ;; - group_label: "src" - label: "src.process.file.names" - view_label: "UDM" - description: "Names fields." - } # dimension udm_events__src__process__file__names -} # view udm_events__src__process__file__names - -view: udm_events__src__process_ancestors { - dimension: file { - hidden: yes - } # dimension file - - dimension: file__full_path { - type: string - sql: ${TABLE}.file.full_path ;; - group_label: "src" - label: "src.process_ancestors.file.full_path" - view_label: "UDM" - description: "The full path identifying the location of the file on the system." 
- } # dimension file__full_path - -} # view udm_events__src__process_ancestors - -view: udm_events__src__resource__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "src" - label: "src.resource.attribute.labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: source { - type: string - sql: ${TABLE}.source ;; - group_label: "src" - label: "src.resource.attribute.labels.source" - view_label: "UDM" - description: "@hide_from_doc" - } # dimension source - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "src" - label: "src.resource.attribute.labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view udm_events__src__resource__attribute__labels - -view: udm_events__src__resource__attribute__permissions { - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "src" - label: "src.resource.attribute.permissions.name" - view_label: "UDM" - description: "Name of the permission (e.g. chronicle.analyst.updateRule)." - } # dimension name - -} # view udm_events__src__resource__attribute__permissions - -view: udm_events__src__resource_ancestors__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "src" - label: "src.resource_ancestors.attribute.labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "src" - label: "src.resource_ancestors.attribute.labels.value" - view_label: "UDM" - description: "The value." 
- } # dimension value - -} # view udm_events__src__resource_ancestors__attribute__labels - -view: udm_events__src__resource_ancestors { - dimension: attribute { - hidden: yes - } # dimension attribute - - dimension: attribute__labels { - hidden: yes - } # dimension attribute__labels - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "src" - label: "src.resource_ancestors.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." - } # dimension name - - dimension: product_object_id { - type: string - sql: ${TABLE}.product_object_id ;; - group_label: "src" - label: "src.resource_ancestors.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" - } # dimension product_object_id - - dimension: resource_type { - type: number - sql: ${TABLE}.resource_type ;; - group_label: "src" - label: "src.resource_ancestors.resource_type" - view_label: "UDM" - description: "Resource type." 
- } # dimension resource_type - - dimension: resource_type_enum_name { - type: string - suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] - sql: CASE ${TABLE}.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; - group_label: "src" - label: "src.resource_ancestors.resource_type_enum_name" - view_label: "UDM" - description: "Resource type." - } # dimension resource_type_enum_name - -} # view udm_events__src__resource_ancestors - -view: udm_events__src__user__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "src" - label: "src.user.attribute.labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "src" - label: "src.user.attribute.labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view udm_events__src__user__attribute__labels - -view: udm_events__src__user__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "src" - label: "src.user.attribute.roles.description" - view_label: "UDM" - description: "System role description for user." 
- } # dimension description - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "src" - label: "src.user.attribute.roles.name" - view_label: "UDM" - description: "System role name for user." - } # dimension name - - dimension: type { - type: number - sql: ${TABLE}.type ;; - group_label: "src" - label: "src.user.attribute.roles.type" - view_label: "UDM" - description: "System role type for well known roles." - } # dimension type - - dimension: type_enum_name { - type: string - suggestions: ["ADMINISTRATOR", "SERVICE_ACCOUNT", "TYPE_UNSPECIFIED"] - sql: CASE ${TABLE}.type WHEN 0 THEN 'TYPE_UNSPECIFIED' WHEN 1 THEN 'ADMINISTRATOR' WHEN 2 THEN 'SERVICE_ACCOUNT' END ;; - group_label: "src" - label: "src.user.attribute.roles.type_enum_name" - view_label: "UDM" - description: "System role type for well known roles." - } # dimension type_enum_name - -} # view udm_events__src__user__attribute__roles - -view: udm_events__src__user__department { - dimension: udm_events__src__user__department { - type: string - sql: ${TABLE} ;; - group_label: "src" - label: "src.user.department" - view_label: "UDM" - description: "User job department" - } # dimension udm_events__src__user__department -} # view udm_events__src__user__department - -view: udm_events__src__user__email_addresses { - dimension: udm_events__src__user__email_addresses { - type: string - sql: ${TABLE} ;; - group_label: "src" - label: "src.user.email_addresses" - view_label: "UDM" - description: "Email addresses of the user." 
- } # dimension udm_events__src__user__email_addresses -} # view udm_events__src__user__email_addresses - -view: udm_events__src__user__group_identifiers { - dimension: udm_events__src__user__group_identifiers { - type: string - sql: ${TABLE} ;; - group_label: "src" - label: "src.user.group_identifiers" - view_label: "UDM" - description: "Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar)." - } # dimension udm_events__src__user__group_identifiers -} # view udm_events__src__user__group_identifiers - -view: udm_events__src__user__managers__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "src" - label: "src.user.managers.attribute.labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "src" - label: "src.user.managers.attribute.labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view udm_events__src__user__managers__attribute__labels - -view: udm_events__src__user__managers__attribute__roles { - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "src" - label: "src.user.managers.attribute.roles.name" - view_label: "UDM" - description: "System role name for user." - } # dimension name - - dimension: type { - type: number - sql: ${TABLE}.type ;; - group_label: "src" - label: "src.user.managers.attribute.roles.type" - view_label: "UDM" - description: "System role type for well known roles." 
- } # dimension type - - dimension: type_enum_name { - type: string - suggestions: ["ADMINISTRATOR", "SERVICE_ACCOUNT", "TYPE_UNSPECIFIED"] - sql: CASE ${TABLE}.type WHEN 0 THEN 'TYPE_UNSPECIFIED' WHEN 1 THEN 'ADMINISTRATOR' WHEN 2 THEN 'SERVICE_ACCOUNT' END ;; - group_label: "src" - label: "src.user.managers.attribute.roles.type_enum_name" - view_label: "UDM" - description: "System role type for well known roles." - } # dimension type_enum_name - -} # view udm_events__src__user__managers__attribute__roles - -view: udm_events__src__user__managers__department { - dimension: udm_events__src__user__managers__department { - type: string - sql: ${TABLE} ;; - group_label: "src" - label: "src.user.managers.department" - view_label: "UDM" - description: "User job department" - } # dimension udm_events__src__user__managers__department -} # view udm_events__src__user__managers__department - -view: udm_events__src__user__managers__email_addresses { - dimension: udm_events__src__user__managers__email_addresses { - type: string - sql: ${TABLE} ;; - group_label: "src" - label: "src.user.managers.email_addresses" - view_label: "UDM" - description: "Email addresses of the user." - } # dimension udm_events__src__user__managers__email_addresses -} # view udm_events__src__user__managers__email_addresses - -view: udm_events__src__user__managers__group_identifiers { - dimension: udm_events__src__user__managers__group_identifiers { - type: string - sql: ${TABLE} ;; - group_label: "src" - label: "src.user.managers.group_identifiers" - view_label: "UDM" - description: "Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar)." 
- } # dimension udm_events__src__user__managers__group_identifiers -} # view udm_events__src__user__managers__group_identifiers - -view: udm_events__src__user__managers__phone_numbers { - dimension: udm_events__src__user__managers__phone_numbers { - type: string - sql: ${TABLE} ;; - group_label: "src" - label: "src.user.managers.phone_numbers" - view_label: "UDM" - description: "Phone numbers for the user." - } # dimension udm_events__src__user__managers__phone_numbers -} # view udm_events__src__user__managers__phone_numbers - -view: udm_events__src__user__managers { - dimension: attribute { - hidden: yes - } # dimension attribute - - dimension: attribute__labels { - hidden: yes - } # dimension attribute__labels - - dimension: attribute__roles { - hidden: yes - } # dimension attribute__roles - - dimension: company_name { - type: string - sql: ${TABLE}.company_name ;; - group_label: "src" - label: "src.user.managers.company_name" - view_label: "UDM" - description: "User job company name." - } # dimension company_name - - dimension: department { - hidden: yes - } # dimension department - - dimension: email_addresses { - hidden: yes - } # dimension email_addresses - - dimension: employee_id { - type: string - sql: ${TABLE}.employee_id ;; - group_label: "src" - label: "src.user.managers.employee_id" - view_label: "UDM" - description: "Human capital management identifier." - } # dimension employee_id - - dimension: first_name { - type: string - sql: ${TABLE}.first_name ;; - group_label: "src" - label: "src.user.managers.first_name" - view_label: "UDM" - description: "First name of the user (e.g. \"John\")." - } # dimension first_name - - dimension: group_identifiers { - hidden: yes - } # dimension group_identifiers - - dimension: last_name { - type: string - sql: ${TABLE}.last_name ;; - group_label: "src" - label: "src.user.managers.last_name" - view_label: "UDM" - description: "Last name of the user (e.g. \"Locke\")." 
- } # dimension last_name - - dimension: personal_address { - hidden: yes - } # dimension personal_address - - dimension: personal_address__city { - type: string - sql: ${TABLE}.personal_address.city ;; - group_label: "src" - label: "src.user.managers.personal_address.city" - view_label: "UDM" - description: "The city." - } # dimension personal_address__city - - dimension: personal_address__country_or_region { - type: string - sql: ${TABLE}.personal_address.country_or_region ;; - group_label: "src" - label: "src.user.managers.personal_address.country_or_region" - view_label: "UDM" - description: "The country or region." - } # dimension personal_address__country_or_region - - dimension: personal_address__name { - type: string - sql: ${TABLE}.personal_address.name ;; - group_label: "src" - label: "src.user.managers.personal_address.name" - view_label: "UDM" - description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." - } # dimension personal_address__name - - dimension: personal_address__state { - type: string - sql: ${TABLE}.personal_address.state ;; - group_label: "src" - label: "src.user.managers.personal_address.state" - view_label: "UDM" - description: "The state." - } # dimension personal_address__state - - dimension: phone_numbers { - hidden: yes - } # dimension phone_numbers - - dimension: product_object_id { - type: string - sql: ${TABLE}.product_object_id ;; - group_label: "src" - label: "src.user.managers.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." - } # dimension product_object_id - - dimension: title { - type: string - sql: ${TABLE}.title ;; - group_label: "src" - label: "src.user.managers.title" - view_label: "UDM" - description: "User job title." 
- } # dimension title - - dimension: user_display_name { - type: string - sql: ${TABLE}.user_display_name ;; - group_label: "src" - label: "src.user.managers.user_display_name" - view_label: "UDM" - description: "The display name of the user (e.g. \"John Locke\")." - } # dimension user_display_name - - dimension: userid { - type: string - sql: ${TABLE}.userid ;; - group_label: "src" - label: "src.user.managers.userid" - view_label: "UDM" - description: "The ID of the user." - } # dimension userid - - dimension: windows_sid { - type: string - sql: ${TABLE}.windows_sid ;; - group_label: "src" - label: "src.user.managers.windows_sid" - view_label: "UDM" - description: "The Microsoft Windows SID of the user." - } # dimension windows_sid - -} # view udm_events__src__user__managers - -view: udm_events__src__user__phone_numbers { - dimension: udm_events__src__user__phone_numbers { - type: string - sql: ${TABLE} ;; - group_label: "src" - label: "src.user.phone_numbers" - view_label: "UDM" - description: "Phone numbers for the user." - } # dimension udm_events__src__user__phone_numbers -} # view udm_events__src__user__phone_numbers - -view: udm_events__src__user__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "src" - label: "src.user.time_off.description" - view_label: "UDM" - description: "Description of the leave if available (e.g. 'Vacation')." - } # dimension description - - dimension_group: src__user__time_off__interval { - type: duration - intervals: [ second, minute, hour ] - sql_start: TIMESTAMP_MICROS(IFNULL(${TABLE}.interval.start_time.seconds,0) * 1000000 + CAST((IFNULL(${TABLE}.interval.start_time.nanos,0) / 1000) as INT64)) ;; - sql_end: TIMESTAMP_MICROS(IFNULL(${TABLE}.interval.end_time.seconds,0) * 1000000 + CAST((IFNULL(${TABLE}.interval.end_time.nanos,0) / 1000) as INT64)) ;; - group_label: "src" - label: "src.user.time_off.interval" - view_label: "UDM" - description: "Interval duration of the leave." 
- } # dimension src__user__time_off__interval - -} # view udm_events__src__user__time_off - -view: udm_events__target__artifact__network__email__subject { - dimension: udm_events__target__artifact__network__email__subject { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.artifact.network.email.subject" - view_label: "UDM" - description: "The subject line(s) of the email." - } # dimension udm_events__target__artifact__network__email__subject -} # view udm_events__target__artifact__network__email__subject - -view: udm_events__target__asset__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "target" - label: "target.asset.attribute.labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "target" - label: "target.asset.attribute.labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view udm_events__target__asset__attribute__labels - -view: udm_events__target__asset__attribute__permissions { - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "target" - label: "target.asset.attribute.permissions.name" - view_label: "UDM" - description: "Name of the permission (e.g. chronicle.analyst.updateRule)." - } # dimension name - -} # view udm_events__target__asset__attribute__permissions - -view: udm_events__target__asset__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "target" - label: "target.asset.attribute.roles.description" - view_label: "UDM" - description: "System role description for user." - } # dimension description - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "target" - label: "target.asset.attribute.roles.name" - view_label: "UDM" - description: "System role name for user." 
- } # dimension name - -} # view udm_events__target__asset__attribute__roles - -view: udm_events__target__asset__hardware { - dimension: cpu_model { - type: string - sql: ${TABLE}.cpu_model ;; - group_label: "target" - label: "target.asset.hardware.cpu_model" - view_label: "UDM" - description: "Model description of the hardware CPU (e.g. \"2.8 GHz Quad-Core Intel Core i5\")." - } # dimension cpu_model - - dimension: cpu_number_cores { - type: number - sql: ${TABLE}.cpu_number_cores ;; - group_label: "target" - label: "target.asset.hardware.cpu_number_cores" - view_label: "UDM" - description: "Number of CPU cores." - } # dimension cpu_number_cores - - dimension: cpu_platform { - type: string - sql: ${TABLE}.cpu_platform ;; - group_label: "target" - label: "target.asset.hardware.cpu_platform" - view_label: "UDM" - description: "Platform of the hardware CPU (e.g. \"Intel Broadwell\")." - } # dimension cpu_platform - - dimension: manufacturer { - type: string - sql: ${TABLE}.manufacturer ;; - group_label: "target" - label: "target.asset.hardware.manufacturer" - view_label: "UDM" - description: "Hardware manufacturer." - } # dimension manufacturer - - dimension: model { - type: string - sql: ${TABLE}.model ;; - group_label: "target" - label: "target.asset.hardware.model" - view_label: "UDM" - description: "Hardware model." - } # dimension model - - dimension: ram { - type: number - sql: ${TABLE}.ram ;; - group_label: "target" - label: "target.asset.hardware.ram" - view_label: "UDM" - description: "Amount of the hardware ramdom access memory (RAM) in Mb." - } # dimension ram - - dimension: serial_number { - type: string - sql: ${TABLE}.serial_number ;; - group_label: "target" - label: "target.asset.hardware.serial_number" - view_label: "UDM" - description: "Hardware serial number." 
- } # dimension serial_number - -} # view udm_events__target__asset__hardware - -view: udm_events__target__asset__ip { - dimension: udm_events__target__asset__ip { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.asset.ip" - view_label: "UDM" - description: "A list of IP addresses associated with an asset." - } # dimension udm_events__target__asset__ip -} # view udm_events__target__asset__ip - -view: udm_events__target__asset__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "target" - group_item_label: "target.asset.labels.key [D]" - label: "target.asset.labels.key" - view_label: "UDM" - description: "The key. [D]: This field is deprecated and will be removed in a future release" - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "target" - group_item_label: "target.asset.labels.value [D]" - label: "target.asset.labels.value" - view_label: "UDM" - description: "The value. [D]: This field is deprecated and will be removed in a future release" - } # dimension value - -} # view udm_events__target__asset__labels - -view: udm_events__target__asset__mac { - dimension: udm_events__target__asset__mac { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.asset.mac" - view_label: "UDM" - description: "List of MAC addresses associated with an asset." - } # dimension udm_events__target__asset__mac -} # view udm_events__target__asset__mac - -view: udm_events__target__asset__nat_ip { - dimension: udm_events__target__asset__nat_ip { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.asset.nat_ip" - view_label: "UDM" - description: "List of NAT IP addresses associated with an asset." 
- } # dimension udm_events__target__asset__nat_ip -} # view udm_events__target__asset__nat_ip - -view: udm_events__target__asset__software__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "target" - label: "target.asset.software.permissions.description" - view_label: "UDM" - description: "Description of the permission (e.g. 'Ability to update detect rules')." - } # dimension description - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "target" - label: "target.asset.software.permissions.name" - view_label: "UDM" - description: "Name of the permission (e.g. chronicle.analyst.updateRule)." - } # dimension name - -} # view udm_events__target__asset__software__permissions - -view: udm_events__target__asset__software { - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "target" - label: "target.asset.software.name" - view_label: "UDM" - description: "The name of the software." - } # dimension name - - dimension: permissions { - hidden: yes - } # dimension permissions - - dimension: version { - type: string - sql: ${TABLE}.version ;; - group_label: "target" - label: "target.asset.software.version" - view_label: "UDM" - description: "The version of the software." 
- } # dimension version - -} # view udm_events__target__asset__software - -view: udm_events__target__asset__vulnerabilities { - dimension: cve_id { - type: string - sql: ${TABLE}.cve_id ;; - group_label: "target" - label: "target.asset.vulnerabilities.cve_id" - view_label: "UDM" - description: "Common Vulnerabilities and Exposures Id.https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures https://cve.mitre.org/about/faqs.html#what_is_cve_id" - } # dimension cve_id - - dimension: cvss_base_score { - type: number - sql: ${TABLE}.cvss_base_score ;; - group_label: "target" - label: "target.asset.vulnerabilities.cvss_base_score" - view_label: "UDM" - description: "CVSS Base Score in the range of 0.0 to 10.0. Useful for sorting." - } # dimension cvss_base_score - - dimension: cvss_vector { - type: string - sql: ${TABLE}.cvss_vector ;; - group_label: "target" - label: "target.asset.vulnerabilities.cvss_vector" - view_label: "UDM" - description: "Vector of CVSS properties (e.g. \"AV:L/AC:H/Au:N/C:N/I:P/A:C\") Can be linked to via: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=VALUE" - } # dimension cvss_vector - - dimension: cvss_version { - type: string - sql: ${TABLE}.cvss_version ;; - group_label: "target" - label: "target.asset.vulnerabilities.cvss_version" - view_label: "UDM" - description: "Version of CVSS Vector/Score." - } # dimension cvss_version - - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "target" - label: "target.asset.vulnerabilities.description" - view_label: "UDM" - description: "Description of the vulnerability." 
- } # dimension description - - dimension_group: target__asset__vulnerabilities__first_found { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.first_found.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.first_found.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.asset.vulnerabilities.first_found" - view_label: "UDM" - description: "Products that maintain a history of vuln scans should populate first_found with the time that a scan first detected the vulnerability on this asset." - } # dimension target__asset__vulnerabilities__first_found - - dimension_group: target__asset__vulnerabilities__last_found { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.last_found.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.last_found.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.asset.vulnerabilities.last_found" - view_label: "UDM" - description: "Products that maintain a history of vuln scans should populate last_found with the time that a scan last detected the vulnerability on this asset." - } # dimension target__asset__vulnerabilities__last_found - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "target" - label: "target.asset.vulnerabilities.name" - view_label: "UDM" - description: "Name of the vulnerability (e.g. \"Unsupported OS Version detected\")." 
- } # dimension name - - dimension_group: target__asset__vulnerabilities__scan_end_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.scan_end_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.scan_end_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.asset.vulnerabilities.scan_end_time" - view_label: "UDM" - description: "If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan ended. This field can be left unset if the end time is not available or not applicable." - } # dimension target__asset__vulnerabilities__scan_end_time - - dimension_group: target__asset__vulnerabilities__scan_start_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.scan_start_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.scan_start_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.asset.vulnerabilities.scan_start_time" - view_label: "UDM" - description: "If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan started. This field can be left unset if the start time is not available or not applicable." - } # dimension target__asset__vulnerabilities__scan_start_time - - dimension: severity { - type: number - sql: ${TABLE}.severity ;; - group_label: "target" - label: "target.asset.vulnerabilities.severity" - view_label: "UDM" - description: "The severity of the vulnerability." 
- } # dimension severity - - dimension: severity_enum_name { - type: string - suggestions: ["CRITICAL", "HIGH", "LOW", "MEDIUM", "UNKNOWN_SEVERITY"] - sql: CASE ${TABLE}.severity WHEN 0 THEN 'UNKNOWN_SEVERITY' WHEN 1 THEN 'LOW' WHEN 2 THEN 'MEDIUM' WHEN 3 THEN 'HIGH' WHEN 4 THEN 'CRITICAL' END ;; - group_label: "target" - label: "target.asset.vulnerabilities.severity_enum_name" - view_label: "UDM" - description: "The severity of the vulnerability." - } # dimension severity_enum_name - -} # view udm_events__target__asset__vulnerabilities - -view: udm_events__target__cloud__project__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "target" - group_item_label: "target.cloud.project.attribute.labels.key [D]" - label: "target.cloud.project.attribute.labels.key" - view_label: "UDM" - description: "The key. [D]: This field is deprecated and will be removed in a future release" - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "target" - group_item_label: "target.cloud.project.attribute.labels.value [D]" - label: "target.cloud.project.attribute.labels.value" - view_label: "UDM" - description: "The value. [D]: This field is deprecated and will be removed in a future release" - } # dimension value - -} # view udm_events__target__cloud__project__attribute__labels - -view: udm_events__target__domain__name_server { - dimension: udm_events__target__domain__name_server { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.domain.name_server" - view_label: "UDM" - description: "Repeated list of name servers." 
- } # dimension udm_events__target__domain__name_server -} # view udm_events__target__domain__name_server - -view: udm_events__target__file__capabilities_tags { - dimension: udm_events__target__file__capabilities_tags { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.file.capabilities_tags" - view_label: "UDM" - description: "Capabilities tags." - } # dimension udm_events__target__file__capabilities_tags -} # view udm_events__target__file__capabilities_tags - -view: udm_events__target__file__embedded_domains { - dimension: udm_events__target__file__embedded_domains { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.file.embedded_domains" - view_label: "UDM" - description: "Embedded domains found in the file." - } # dimension udm_events__target__file__embedded_domains -} # view udm_events__target__file__embedded_domains - -view: udm_events__target__file__embedded_ips { - dimension: udm_events__target__file__embedded_ips { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.file.embedded_ips" - view_label: "UDM" - description: "Embedded IP addresses found in the file." - } # dimension udm_events__target__file__embedded_ips -} # view udm_events__target__file__embedded_ips - -view: udm_events__target__file__embedded_urls { - dimension: udm_events__target__file__embedded_urls { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.file.embedded_urls" - view_label: "UDM" - description: "Embedded urls found in the file." - } # dimension udm_events__target__file__embedded_urls -} # view udm_events__target__file__embedded_urls - -view: udm_events__target__file__names { - dimension: udm_events__target__file__names { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.file.names" - view_label: "UDM" - description: "Names fields." 
- } # dimension udm_events__target__file__names -} # view udm_events__target__file__names - -view: udm_events__target__file__pe_file__imports__functions { - dimension: udm_events__target__file__pe_file__imports__functions { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.file.pe_file.imports.functions" - view_label: "UDM" - description: "Function field." - } # dimension udm_events__target__file__pe_file__imports__functions -} # view udm_events__target__file__pe_file__imports__functions - -view: udm_events__target__file__pe_file__imports { - dimension: functions { - hidden: yes - } # dimension functions - - dimension: library { - type: string - sql: ${TABLE}.library ;; - group_label: "target" - label: "target.file.pe_file.imports.library" - view_label: "UDM" - description: "Library field." - } # dimension library - -} # view udm_events__target__file__pe_file__imports - -view: udm_events__target__file__pe_file__resource { - dimension: entropy { - type: number - sql: ${TABLE}.entropy ;; - group_label: "target" - label: "target.file.pe_file.resource.entropy" - view_label: "UDM" - description: "Entropy of the resource." - } # dimension entropy - - dimension: file_type { - type: string - sql: ${TABLE}.file_type ;; - group_label: "target" - label: "target.file.pe_file.resource.file_type" - view_label: "UDM" - description: "File type. Note that this value may not match any of the well-known type identifiers defined in the ResourceType enum." - } # dimension file_type - - dimension: filetype_magic { - type: string - sql: ${TABLE}.filetype_magic ;; - group_label: "target" - label: "target.file.pe_file.resource.filetype_magic" - view_label: "UDM" - description: "Type of resource content, as identified by the magic Python module. 
BEGIN GOOGLE-INTERNAL See http://cs/virustotal/virustotal-core-analysis/sav/common/tools/toolpefile/magic.py END GOOGLE-INTERNAL" - } # dimension filetype_magic - - dimension: language_code { - type: string - sql: ${TABLE}.language_code ;; - group_label: "target" - label: "target.file.pe_file.resource.language_code" - view_label: "UDM" - description: "Human-readable version of the language and sublanguage identifiers, as defined in the Microsoft Windows PE specification. BEGIN GOOGLE-INTERNAL See http://cs/virustotal/virustotal-core-analysis/sav/common/tools/toolpefile/toolpefile.py?l=419&rcl=df1fcff7c5e82a39875359608b47669d5aff82c7 END GOOGLE-INTERNAL Examples: | Language | Sublanguage | Field value | | LANG_NEUTRAL | SUBLANG_NEUTRAL | NEUTRAL | | LANG_FRENCH | - | FRENCH | | LANG_ENGLISH | SUBLANG_ENGLISH US | ENGLISH US |" - } # dimension language_code - - dimension: sha256_hex { - type: string - sql: ${TABLE}.sha256_hex ;; - group_label: "target" - label: "target.file.pe_file.resource.sha256_hex" - view_label: "UDM" - description: "SHA256_hex field.." - } # dimension sha256_hex - -} # view udm_events__target__file__pe_file__resource - -view: udm_events__target__file__pe_file__resources_language_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "target" - label: "target.file.pe_file.resources_language_count_str.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "target" - label: "target.file.pe_file.resources_language_count_str.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view udm_events__target__file__pe_file__resources_language_count_str - -view: udm_events__target__file__pe_file__resources_type_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "target" - label: "target.file.pe_file.resources_type_count_str.key" - view_label: "UDM" - description: "The key." 
- } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "target" - label: "target.file.pe_file.resources_type_count_str.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view udm_events__target__file__pe_file__resources_type_count_str - -view: udm_events__target__file__pe_file__section { - dimension: entropy { - type: number - sql: ${TABLE}.entropy ;; - group_label: "target" - label: "target.file.pe_file.section.entropy" - view_label: "UDM" - description: "Entropy of the section." - } # dimension entropy - - dimension: md5_hex { - type: string - sql: ${TABLE}.md5_hex ;; - group_label: "target" - label: "target.file.pe_file.section.md5_hex" - view_label: "UDM" - description: "MD5 hex of the file." - } # dimension md5_hex - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "target" - label: "target.file.pe_file.section.name" - view_label: "UDM" - description: "Name of the section." - } # dimension name - - dimension: raw_size_bytes { - type: number - sql: ${TABLE}.raw_size_bytes ;; - group_label: "target" - label: "target.file.pe_file.section.raw_size_bytes" - view_label: "UDM" - description: "Raw file size in bytes." - } # dimension raw_size_bytes - - dimension: virtual_size_bytes { - type: number - sql: ${TABLE}.virtual_size_bytes ;; - group_label: "target" - label: "target.file.pe_file.section.virtual_size_bytes" - view_label: "UDM" - description: "Virtual file size in bytes." - } # dimension virtual_size_bytes - -} # view udm_events__target__file__pe_file__section - -view: udm_events__target__file__signature_info__sigcheck__signers { - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "target" - label: "target.file.signature_info.sigcheck.signers.name" - view_label: "UDM" - description: "Common name of the signers/certificate. The order of the signers matters. Each element is a higher level authority, the last being the root authority." 
- } # dimension name - -} # view udm_events__target__file__signature_info__sigcheck__signers - -view: udm_events__target__file__signature_info__sigcheck__x509 { - dimension: algorithm { - type: string - sql: ${TABLE}.algorithm ;; - group_label: "target" - label: "target.file.signature_info.sigcheck.x509.algorithm" - view_label: "UDM" - description: "Certificate algorithm." - } # dimension algorithm - - dimension: cert_issuer { - type: string - sql: ${TABLE}.cert_issuer ;; - group_label: "target" - label: "target.file.signature_info.sigcheck.x509.cert_issuer" - view_label: "UDM" - description: "Issuer of the certificate." - } # dimension cert_issuer - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "target" - label: "target.file.signature_info.sigcheck.x509.name" - view_label: "UDM" - description: "Certificate name." - } # dimension name - - dimension: serial_number { - type: string - sql: ${TABLE}.serial_number ;; - group_label: "target" - label: "target.file.signature_info.sigcheck.x509.serial_number" - view_label: "UDM" - description: "Certificate serial number." - } # dimension serial_number - - dimension: thumbprint { - type: string - sql: ${TABLE}.thumbprint ;; - group_label: "target" - label: "target.file.signature_info.sigcheck.x509.thumbprint" - view_label: "UDM" - description: "Certificate thumbprint." - } # dimension thumbprint - -} # view udm_events__target__file__signature_info__sigcheck__x509 - -view: udm_events__target__file__tags { - dimension: udm_events__target__file__tags { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.file.tags" - view_label: "UDM" - description: "Tags for the file." 
- } # dimension udm_events__target__file__tags -} # view udm_events__target__file__tags - -view: udm_events__target__group__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "target" - label: "target.group.attribute.labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "target" - label: "target.group.attribute.labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view udm_events__target__group__attribute__labels - -view: udm_events__target__group__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "target" - label: "target.group.attribute.permissions.description" - view_label: "UDM" - description: "Description of the permission (e.g. 'Ability to update detect rules')." - } # dimension description - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "target" - label: "target.group.attribute.permissions.name" - view_label: "UDM" - description: "Name of the permission (e.g. chronicle.analyst.updateRule)." - } # dimension name - -} # view udm_events__target__group__attribute__permissions - -view: udm_events__target__group__attribute__roles { - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "target" - label: "target.group.attribute.roles.name" - view_label: "UDM" - description: "System role name for user." - } # dimension name - -} # view udm_events__target__group__attribute__roles - -view: udm_events__target__group__email_addresses { - dimension: udm_events__target__group__email_addresses { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.group.email_addresses" - view_label: "UDM" - description: "Email addresses of the group." 
- } # dimension udm_events__target__group__email_addresses -} # view udm_events__target__group__email_addresses - -view: udm_events__target__investigation__comments { - dimension: udm_events__target__investigation__comments { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.investigation.comments" - view_label: "UDM" - description: "Comment added by the Analyst." - } # dimension udm_events__target__investigation__comments -} # view udm_events__target__investigation__comments - -view: udm_events__target__ip { - dimension: udm_events__target__ip { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.ip" - view_label: "UDM" - description: "A list of IP addresses associated with a network connection." - } # dimension udm_events__target__ip -} # view udm_events__target__ip - -view: udm_events__target__ip_geo_artifact { - dimension: ip { - type: string - sql: ${TABLE}.ip ;; - group_label: "target" - label: "target.ip_geo_artifact.ip" - view_label: "UDM" - description: "IP address of the artifact." - } # dimension ip - - dimension: location { - hidden: yes - } # dimension location - - dimension: location__country_or_region { - type: string - sql: ${TABLE}.location.country_or_region ;; - group_label: "target" - label: "target.ip_geo_artifact.location.country_or_region" - view_label: "UDM" - description: "The country or region." - } # dimension location__country_or_region - - dimension: location__region_coordinates { - type: location - sql_latitude: ${TABLE}.location.region_coordinates.latitude ;; - sql_longitude: ${TABLE}.location.region_coordinates.longitude ;; - group_label: "target" - group_item_label: "target.ip_geo_artifact.location.region_coordinates [L]" - label: "target.ip_geo_artifact.location.region_coordinates" - view_label: "UDM" - description: "Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. 
[L]: This is a location field and can be used in maps." - } # dimension location__region_coordinates - - dimension: location__region_latitude { - type: number - sql: ${TABLE}.location.region_latitude ;; - group_label: "target" - group_item_label: "target.ip_geo_artifact.location.region_latitude [D]" - label: "target.ip_geo_artifact.location.region_latitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" - } # dimension location__region_latitude - - dimension: location__region_longitude { - type: number - sql: ${TABLE}.location.region_longitude ;; - group_label: "target" - group_item_label: "target.ip_geo_artifact.location.region_longitude [D]" - label: "target.ip_geo_artifact.location.region_longitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" - } # dimension location__region_longitude - - dimension: location__location { - type: location - sql_latitude: ${TABLE}.location.region_latitude ;; - sql_longitude: ${TABLE}.location.region_longitude ;; - group_label: "target" - group_item_label: "target.ip_geo_artifact.location.location [D][L]" - label: "target.ip_geo_artifact.location.location" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." - } # dimension location__location - - dimension: location__state { - type: string - sql: ${TABLE}.location.state ;; - group_label: "target" - label: "target.ip_geo_artifact.location.state" - view_label: "UDM" - description: "The state." 
- } # dimension location__state - - dimension: network { - hidden: yes - } # dimension network - - dimension: network__asn { - type: string - sql: ${TABLE}.network.asn ;; - group_label: "target" - label: "target.ip_geo_artifact.network.asn" - view_label: "UDM" - description: "Autonomous system number." - } # dimension network__asn - - dimension: network__carrier_name { - type: string - sql: ${TABLE}.network.carrier_name ;; - group_label: "target" - label: "target.ip_geo_artifact.network.carrier_name" - view_label: "UDM" - description: "Carrier identification." - } # dimension network__carrier_name - - dimension: network__dns_domain { - type: string - sql: ${TABLE}.network.dns_domain ;; - group_label: "target" - label: "target.ip_geo_artifact.network.dns_domain" - view_label: "UDM" - description: "DNS domain name." - } # dimension network__dns_domain - - dimension: network__organization_name { - type: string - sql: ${TABLE}.network.organization_name ;; - group_label: "target" - label: "target.ip_geo_artifact.network.organization_name" - view_label: "UDM" - description: "Organization name (e.g Google)." - } # dimension network__organization_name - -} # view udm_events__target__ip_geo_artifact - -view: udm_events__target__ip_location { - dimension: city { - type: string - sql: ${TABLE}.city ;; - group_label: "target" - group_item_label: "target.ip_location.city [D]" - label: "target.ip_location.city" - view_label: "UDM" - description: "The city. [D]: This field is deprecated and will be removed in a future release" - } # dimension city - - dimension: country_or_region { - type: string - sql: ${TABLE}.country_or_region ;; - group_label: "target" - group_item_label: "target.ip_location.country_or_region [D]" - label: "target.ip_location.country_or_region" - view_label: "UDM" - description: "The country or region. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension country_or_region - - dimension: desk_name { - type: string - sql: ${TABLE}.desk_name ;; - group_label: "target" - group_item_label: "target.ip_location.desk_name [D]" - label: "target.ip_location.desk_name" - view_label: "UDM" - description: "Desk name or individual location, typically for an employee in an office. (e.g. \"IN-BLR-BCPC-11-1121D\"). [D]: This field is deprecated and will be removed in a future release" - } # dimension desk_name - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "target" - group_item_label: "target.ip_location.name [D]" - label: "target.ip_location.name" - view_label: "UDM" - description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\"). [D]: This field is deprecated and will be removed in a future release" - } # dimension name - - dimension: region_coordinates { - type: location - sql_latitude: ${TABLE}.region_coordinates.latitude ;; - sql_longitude: ${TABLE}.region_coordinates.longitude ;; - group_label: "target" - group_item_label: "target.ip_location.region_coordinates [D][L]" - label: "target.ip_location.region_coordinates" - view_label: "UDM" - description: "Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." - } # dimension region_coordinates - - dimension: region_latitude { - type: number - sql: ${TABLE}.region_latitude ;; - group_label: "target" - group_item_label: "target.ip_location.region_latitude [D]" - label: "target.ip_location.region_latitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension region_latitude - - dimension: region_longitude { - type: number - sql: ${TABLE}.region_longitude ;; - group_label: "target" - group_item_label: "target.ip_location.region_longitude [D]" - label: "target.ip_location.region_longitude" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release" - } # dimension region_longitude - - dimension: location { - type: location - sql_latitude: ${TABLE}.region_latitude ;; - sql_longitude: ${TABLE}.region_longitude ;; - group_label: "target" - group_item_label: "target.ip_location.location [D][L]" - label: "target.ip_location.location" - view_label: "UDM" - description: "Deprecated: use region_coordinates. [D]: This field is deprecated and will be removed in a future release [L]: This is a location field and can be used in maps." - } # dimension location - - dimension: state { - type: string - sql: ${TABLE}.state ;; - group_label: "target" - group_item_label: "target.ip_location.state [D]" - label: "target.ip_location.state" - view_label: "UDM" - description: "The state. [D]: This field is deprecated and will be removed in a future release" - } # dimension state - -} # view udm_events__target__ip_location - -view: udm_events__target__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "target" - group_item_label: "target.labels.key [D]" - label: "target.labels.key" - view_label: "UDM" - description: "The key. 
[D]: This field is deprecated and will be removed in a future release" - } # dimension key - - dimension: source { - type: string - sql: ${TABLE}.source ;; - group_label: "target" - group_item_label: "target.labels.source [D]" - label: "target.labels.source" - view_label: "UDM" - description: "@hide_from_doc [D]: This field is deprecated and will be removed in a future release" - } # dimension source - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "target" - group_item_label: "target.labels.value [D]" - label: "target.labels.value" - view_label: "UDM" - description: "The value. [D]: This field is deprecated and will be removed in a future release" - } # dimension value - -} # view udm_events__target__labels - -view: udm_events__target__mac { - dimension: udm_events__target__mac { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.mac" - view_label: "UDM" - description: "List of MAC addresses associated with a device." - } # dimension udm_events__target__mac -} # view udm_events__target__mac - -view: udm_events__target__nat_ip { - dimension: udm_events__target__nat_ip { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.nat_ip" - view_label: "UDM" - description: "A list of NAT translated IP addresses associated with a network connection." - } # dimension udm_events__target__nat_ip -} # view udm_events__target__nat_ip - -view: udm_events__target__process__command_line_history { - dimension: udm_events__target__process__command_line_history { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.process.command_line_history" - view_label: "UDM" - description: "The command line history of the process." 
- } # dimension udm_events__target__process__command_line_history -} # view udm_events__target__process__command_line_history - -view: udm_events__target__process__file__capabilities_tags { - dimension: udm_events__target__process__file__capabilities_tags { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.process.file.capabilities_tags" - view_label: "UDM" - description: "Capabilities tags." - } # dimension udm_events__target__process__file__capabilities_tags -} # view udm_events__target__process__file__capabilities_tags - -view: udm_events__target__process__file__names { - dimension: udm_events__target__process__file__names { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.process.file.names" - view_label: "UDM" - description: "Names fields." - } # dimension udm_events__target__process__file__names -} # view udm_events__target__process__file__names - -view: udm_events__target__process__file__pe_file__signature_info__signer { - dimension: udm_events__target__process__file__pe_file__signature_info__signer { - type: string - sql: ${TABLE} ;; - group_label: "target" - group_item_label: "target.process.file.pe_file.signature_info.signer [D]" - label: "target.process.file.pe_file.signature_info.signer" - view_label: "UDM" - description: "Deprecated: use signers field. [D]: This field is deprecated and will be removed in a future release" - } # dimension udm_events__target__process__file__pe_file__signature_info__signer -} # view udm_events__target__process__file__pe_file__signature_info__signer - -view: udm_events__target__process__parent_process__file__capabilities_tags { - dimension: udm_events__target__process__parent_process__file__capabilities_tags { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.process.parent_process.file.capabilities_tags" - view_label: "UDM" - description: "Capabilities tags." 
- } # dimension udm_events__target__process__parent_process__file__capabilities_tags -} # view udm_events__target__process__parent_process__file__capabilities_tags - -view: udm_events__target__process__parent_process__file__names { - dimension: udm_events__target__process__parent_process__file__names { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.process.parent_process.file.names" - view_label: "UDM" - description: "Names fields." - } # dimension udm_events__target__process__parent_process__file__names -} # view udm_events__target__process__parent_process__file__names - -view: udm_events__target__process_ancestors { - dimension: command_line { - type: string - sql: ${TABLE}.command_line ;; - group_label: "target" - label: "target.process_ancestors.command_line" - view_label: "UDM" - description: "The command line command that created the process." - } # dimension command_line - - dimension: file { - hidden: yes - } # dimension file - - dimension: file__full_path { - type: string - sql: ${TABLE}.file.full_path ;; - group_label: "target" - label: "target.process_ancestors.file.full_path" - view_label: "UDM" - description: "The full path identifying the location of the file on the system." - } # dimension file__full_path - -} # view udm_events__target__process_ancestors - -view: udm_events__target__resource__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "target" - label: "target.resource.attribute.labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: source { - type: string - sql: ${TABLE}.source ;; - group_label: "target" - label: "target.resource.attribute.labels.source" - view_label: "UDM" - description: "@hide_from_doc" - } # dimension source - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "target" - label: "target.resource.attribute.labels.value" - view_label: "UDM" - description: "The value." 
- } # dimension value - -} # view udm_events__target__resource__attribute__labels - -view: udm_events__target__resource__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "target" - label: "target.resource.attribute.permissions.description" - view_label: "UDM" - description: "Description of the permission (e.g. 'Ability to update detect rules')." - } # dimension description - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "target" - label: "target.resource.attribute.permissions.name" - view_label: "UDM" - description: "Name of the permission (e.g. chronicle.analyst.updateRule)." - } # dimension name - - dimension: type { - type: number - sql: ${TABLE}.type ;; - group_label: "target" - label: "target.resource.attribute.permissions.type" - view_label: "UDM" - description: "Type of the permission." - } # dimension type - - dimension: type_enum_name { - type: string - suggestions: ["ADMIN_READ", "ADMIN_WRITE", "DATA_READ", "DATA_WRITE", "UNKNOWN_PERMISSION_TYPE"] - sql: CASE ${TABLE}.type WHEN 0 THEN 'UNKNOWN_PERMISSION_TYPE' WHEN 1 THEN 'ADMIN_WRITE' WHEN 2 THEN 'ADMIN_READ' WHEN 3 THEN 'DATA_WRITE' WHEN 4 THEN 'DATA_READ' END ;; - group_label: "target" - label: "target.resource.attribute.permissions.type_enum_name" - view_label: "UDM" - description: "Type of the permission." - } # dimension type_enum_name - -} # view udm_events__target__resource__attribute__permissions - -view: udm_events__target__resource__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "target" - label: "target.resource.attribute.roles.description" - view_label: "UDM" - description: "System role description for user." - } # dimension description - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "target" - label: "target.resource.attribute.roles.name" - view_label: "UDM" - description: "System role name for user." 
- } # dimension name - - dimension: type { - type: number - sql: ${TABLE}.type ;; - group_label: "target" - label: "target.resource.attribute.roles.type" - view_label: "UDM" - description: "System role type for well known roles." - } # dimension type - - dimension: type_enum_name { - type: string - suggestions: ["ADMINISTRATOR", "SERVICE_ACCOUNT", "TYPE_UNSPECIFIED"] - sql: CASE ${TABLE}.type WHEN 0 THEN 'TYPE_UNSPECIFIED' WHEN 1 THEN 'ADMINISTRATOR' WHEN 2 THEN 'SERVICE_ACCOUNT' END ;; - group_label: "target" - label: "target.resource.attribute.roles.type_enum_name" - view_label: "UDM" - description: "System role type for well known roles." - } # dimension type_enum_name - -} # view udm_events__target__resource__attribute__roles - -view: udm_events__target__resource_ancestors__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "target" - label: "target.resource_ancestors.attribute.labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "target" - label: "target.resource_ancestors.attribute.labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view udm_events__target__resource_ancestors__attribute__labels - -view: udm_events__target__resource_ancestors__attribute__permissions { - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "target" - label: "target.resource_ancestors.attribute.permissions.name" - view_label: "UDM" - description: "Name of the permission (e.g. chronicle.analyst.updateRule)." 
- } # dimension name - -} # view udm_events__target__resource_ancestors__attribute__permissions - -view: udm_events__target__resource_ancestors { - dimension: attribute { - hidden: yes - } # dimension attribute - - dimension_group: target__resource_ancestors__attribute__creation_time { - type: time - timeframes: [raw, microsecond, second, time, minute, hour, date, week, month, year] - sql: TIMESTAMP_MICROS(IFNULL(${TABLE}.attribute.creation_time.seconds, 0) * 1000000 + CAST((IFNULL(${TABLE}.attribute.creation_time.nanos, 0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.resource_ancestors.attribute.creation_time" - view_label: "UDM" - description: "Time the resource or entity was created or provisioned." - } # dimension target__resource_ancestors__attribute__creation_time - - dimension: attribute__labels { - hidden: yes - } # dimension attribute__labels - - dimension: attribute__permissions { - hidden: yes - } # dimension attribute__permissions - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "target" - label: "target.resource_ancestors.name" - view_label: "UDM" - description: "The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe." - } # dimension name - - dimension: product_object_id { - type: string - sql: ${TABLE}.product_object_id ;; - group_label: "target" - label: "target.resource_ancestors.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)" - } # dimension product_object_id - - dimension: resource_subtype { - type: string - sql: ${TABLE}.resource_subtype ;; - group_label: "target" - label: "target.resource_ancestors.resource_subtype" - view_label: "UDM" - description: "Resource sub-type (e.g. \"BigQuery\", \"Bigtable\")." 
- } # dimension resource_subtype - - dimension: resource_type { - type: number - sql: ${TABLE}.resource_type ;; - group_label: "target" - label: "target.resource_ancestors.resource_type" - view_label: "UDM" - description: "Resource type." - } # dimension resource_type - - dimension: resource_type_enum_name { - type: string - suggestions: ["ACCESS_POLICY", "BACKEND_SERVICE", "CLOUD_ORGANIZATION", "CLOUD_PROJECT", "CLUSTER", "DATABASE", "DATASET", "DEVICE", "FIREWALL_RULE", "MAILBOX_FOLDER", "MUTEX", "PIPE", "SERVICE_ACCOUNT", "SETTING", "STORAGE_BUCKET", "STORAGE_OBJECT", "TABLE", "TASK", "UNSPECIFIED", "VIRTUAL_MACHINE", "VPC_NETWORK"] - sql: CASE ${TABLE}.resource_type WHEN 0 THEN 'UNSPECIFIED' WHEN 1 THEN 'MUTEX' WHEN 2 THEN 'TASK' WHEN 3 THEN 'PIPE' WHEN 4 THEN 'DEVICE' WHEN 5 THEN 'FIREWALL_RULE' WHEN 6 THEN 'MAILBOX_FOLDER' WHEN 7 THEN 'VPC_NETWORK' WHEN 8 THEN 'VIRTUAL_MACHINE' WHEN 9 THEN 'STORAGE_BUCKET' WHEN 10 THEN 'STORAGE_OBJECT' WHEN 11 THEN 'DATABASE' WHEN 12 THEN 'TABLE' WHEN 13 THEN 'CLOUD_PROJECT' WHEN 14 THEN 'CLOUD_ORGANIZATION' WHEN 15 THEN 'SERVICE_ACCOUNT' WHEN 16 THEN 'ACCESS_POLICY' WHEN 17 THEN 'CLUSTER' WHEN 18 THEN 'SETTING' WHEN 19 THEN 'DATASET' WHEN 20 THEN 'BACKEND_SERVICE' END ;; - group_label: "target" - label: "target.resource_ancestors.resource_type_enum_name" - view_label: "UDM" - description: "Resource type." - } # dimension resource_type_enum_name - -} # view udm_events__target__resource_ancestors - -view: udm_events__target__user__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "target" - label: "target.user.attribute.labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "target" - label: "target.user.attribute.labels.value" - view_label: "UDM" - description: "The value." 
- } # dimension value - -} # view udm_events__target__user__attribute__labels - -view: udm_events__target__user__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "target" - label: "target.user.attribute.permissions.description" - view_label: "UDM" - description: "Description of the permission (e.g. 'Ability to update detect rules')." - } # dimension description - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "target" - label: "target.user.attribute.permissions.name" - view_label: "UDM" - description: "Name of the permission (e.g. chronicle.analyst.updateRule)." - } # dimension name - - dimension: type { - type: number - sql: ${TABLE}.type ;; - group_label: "target" - label: "target.user.attribute.permissions.type" - view_label: "UDM" - description: "Type of the permission." - } # dimension type - - dimension: type_enum_name { - type: string - suggestions: ["ADMIN_READ", "ADMIN_WRITE", "DATA_READ", "DATA_WRITE", "UNKNOWN_PERMISSION_TYPE"] - sql: CASE ${TABLE}.type WHEN 0 THEN 'UNKNOWN_PERMISSION_TYPE' WHEN 1 THEN 'ADMIN_WRITE' WHEN 2 THEN 'ADMIN_READ' WHEN 3 THEN 'DATA_WRITE' WHEN 4 THEN 'DATA_READ' END ;; - group_label: "target" - label: "target.user.attribute.permissions.type_enum_name" - view_label: "UDM" - description: "Type of the permission." - } # dimension type_enum_name - -} # view udm_events__target__user__attribute__permissions - -view: udm_events__target__user__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "target" - label: "target.user.attribute.roles.description" - view_label: "UDM" - description: "System role description for user." - } # dimension description - - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "target" - label: "target.user.attribute.roles.name" - view_label: "UDM" - description: "System role name for user." 
- } # dimension name - - dimension: type { - type: number - sql: ${TABLE}.type ;; - group_label: "target" - label: "target.user.attribute.roles.type" - view_label: "UDM" - description: "System role type for well known roles." - } # dimension type - - dimension: type_enum_name { - type: string - suggestions: ["ADMINISTRATOR", "SERVICE_ACCOUNT", "TYPE_UNSPECIFIED"] - sql: CASE ${TABLE}.type WHEN 0 THEN 'TYPE_UNSPECIFIED' WHEN 1 THEN 'ADMINISTRATOR' WHEN 2 THEN 'SERVICE_ACCOUNT' END ;; - group_label: "target" - label: "target.user.attribute.roles.type_enum_name" - view_label: "UDM" - description: "System role type for well known roles." - } # dimension type_enum_name - -} # view udm_events__target__user__attribute__roles - -view: udm_events__target__user__department { - dimension: udm_events__target__user__department { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.user.department" - view_label: "UDM" - description: "User job department" - } # dimension udm_events__target__user__department -} # view udm_events__target__user__department - -view: udm_events__target__user__email_addresses { - dimension: udm_events__target__user__email_addresses { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.user.email_addresses" - view_label: "UDM" - description: "Email addresses of the user." - } # dimension udm_events__target__user__email_addresses -} # view udm_events__target__user__email_addresses - -view: udm_events__target__user__group_identifiers { - dimension: udm_events__target__user__group_identifiers { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.user.group_identifiers" - view_label: "UDM" - description: "Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar)." 
- } # dimension udm_events__target__user__group_identifiers -} # view udm_events__target__user__group_identifiers - -view: udm_events__target__user__managers__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - group_label: "target" - label: "target.user.managers.attribute.labels.key" - view_label: "UDM" - description: "The key." - } # dimension key - - dimension: value { - type: string - sql: ${TABLE}.value ;; - group_label: "target" - label: "target.user.managers.attribute.labels.value" - view_label: "UDM" - description: "The value." - } # dimension value - -} # view udm_events__target__user__managers__attribute__labels - -view: udm_events__target__user__managers__attribute__roles { - dimension: name { - type: string - sql: ${TABLE}.name ;; - group_label: "target" - label: "target.user.managers.attribute.roles.name" - view_label: "UDM" - description: "System role name for user." - } # dimension name - - dimension: type { - type: number - sql: ${TABLE}.type ;; - group_label: "target" - label: "target.user.managers.attribute.roles.type" - view_label: "UDM" - description: "System role type for well known roles." - } # dimension type - - dimension: type_enum_name { - type: string - suggestions: ["ADMINISTRATOR", "SERVICE_ACCOUNT", "TYPE_UNSPECIFIED"] - sql: CASE ${TABLE}.type WHEN 0 THEN 'TYPE_UNSPECIFIED' WHEN 1 THEN 'ADMINISTRATOR' WHEN 2 THEN 'SERVICE_ACCOUNT' END ;; - group_label: "target" - label: "target.user.managers.attribute.roles.type_enum_name" - view_label: "UDM" - description: "System role type for well known roles." 
- } # dimension type_enum_name - -} # view udm_events__target__user__managers__attribute__roles - -view: udm_events__target__user__managers__department { - dimension: udm_events__target__user__managers__department { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.user.managers.department" - view_label: "UDM" - description: "User job department" - } # dimension udm_events__target__user__managers__department -} # view udm_events__target__user__managers__department - -view: udm_events__target__user__managers__email_addresses { - dimension: udm_events__target__user__managers__email_addresses { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.user.managers.email_addresses" - view_label: "UDM" - description: "Email addresses of the user." - } # dimension udm_events__target__user__managers__email_addresses -} # view udm_events__target__user__managers__email_addresses - -view: udm_events__target__user__managers__group_identifiers { - dimension: udm_events__target__user__managers__group_identifiers { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.user.managers.group_identifiers" - view_label: "UDM" - description: "Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar)." - } # dimension udm_events__target__user__managers__group_identifiers -} # view udm_events__target__user__managers__group_identifiers - -view: udm_events__target__user__managers__phone_numbers { - dimension: udm_events__target__user__managers__phone_numbers { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.user.managers.phone_numbers" - view_label: "UDM" - description: "Phone numbers for the user." 
- } # dimension udm_events__target__user__managers__phone_numbers -} # view udm_events__target__user__managers__phone_numbers - -view: udm_events__target__user__managers { - dimension: attribute { - hidden: yes - } # dimension attribute - - dimension: attribute__labels { - hidden: yes - } # dimension attribute__labels - - dimension: attribute__roles { - hidden: yes - } # dimension attribute__roles - - dimension: company_name { - type: string - sql: ${TABLE}.company_name ;; - group_label: "target" - label: "target.user.managers.company_name" - view_label: "UDM" - description: "User job company name." - } # dimension company_name - - dimension: department { - hidden: yes - } # dimension department - - dimension: email_addresses { - hidden: yes - } # dimension email_addresses - - dimension: employee_id { - type: string - sql: ${TABLE}.employee_id ;; - group_label: "target" - label: "target.user.managers.employee_id" - view_label: "UDM" - description: "Human capital management identifier." - } # dimension employee_id - - dimension: first_name { - type: string - sql: ${TABLE}.first_name ;; - group_label: "target" - label: "target.user.managers.first_name" - view_label: "UDM" - description: "First name of the user (e.g. \"John\")." - } # dimension first_name - - dimension: group_identifiers { - hidden: yes - } # dimension group_identifiers - - dimension: last_name { - type: string - sql: ${TABLE}.last_name ;; - group_label: "target" - label: "target.user.managers.last_name" - view_label: "UDM" - description: "Last name of the user (e.g. \"Locke\")." - } # dimension last_name - - dimension: personal_address { - hidden: yes - } # dimension personal_address - - dimension: personal_address__city { - type: string - sql: ${TABLE}.personal_address.city ;; - group_label: "target" - label: "target.user.managers.personal_address.city" - view_label: "UDM" - description: "The city." 
- } # dimension personal_address__city - - dimension: personal_address__country_or_region { - type: string - sql: ${TABLE}.personal_address.country_or_region ;; - group_label: "target" - label: "target.user.managers.personal_address.country_or_region" - view_label: "UDM" - description: "The country or region." - } # dimension personal_address__country_or_region - - dimension: personal_address__name { - type: string - sql: ${TABLE}.personal_address.name ;; - group_label: "target" - label: "target.user.managers.personal_address.name" - view_label: "UDM" - description: "Custom location name (e.g. building or site name like \"London Office\"). For cloud environments, this is the region (e.g. \"us-west2\")." - } # dimension personal_address__name - - dimension: personal_address__state { - type: string - sql: ${TABLE}.personal_address.state ;; - group_label: "target" - label: "target.user.managers.personal_address.state" - view_label: "UDM" - description: "The state." - } # dimension personal_address__state - - dimension: phone_numbers { - hidden: yes - } # dimension phone_numbers - - dimension: product_object_id { - type: string - sql: ${TABLE}.product_object_id ;; - group_label: "target" - label: "target.user.managers.product_object_id" - view_label: "UDM" - description: "A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar)." - } # dimension product_object_id - - dimension: title { - type: string - sql: ${TABLE}.title ;; - group_label: "target" - label: "target.user.managers.title" - view_label: "UDM" - description: "User job title." - } # dimension title - - dimension: user_display_name { - type: string - sql: ${TABLE}.user_display_name ;; - group_label: "target" - label: "target.user.managers.user_display_name" - view_label: "UDM" - description: "The display name of the user (e.g. \"John Locke\")." 
- } # dimension user_display_name - - dimension: userid { - type: string - sql: ${TABLE}.userid ;; - group_label: "target" - label: "target.user.managers.userid" - view_label: "UDM" - description: "The ID of the user." - } # dimension userid - - dimension: windows_sid { - type: string - sql: ${TABLE}.windows_sid ;; - group_label: "target" - label: "target.user.managers.windows_sid" - view_label: "UDM" - description: "The Microsoft Windows SID of the user." - } # dimension windows_sid - -} # view udm_events__target__user__managers - -view: udm_events__target__user__phone_numbers { - dimension: udm_events__target__user__phone_numbers { - type: string - sql: ${TABLE} ;; - group_label: "target" - label: "target.user.phone_numbers" - view_label: "UDM" - description: "Phone numbers for the user." - } # dimension udm_events__target__user__phone_numbers -} # view udm_events__target__user__phone_numbers - -view: udm_events__target__user__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - group_label: "target" - label: "target.user.time_off.description" - view_label: "UDM" - description: "Description of the leave if available (e.g. 'Vacation')." - } # dimension description - - dimension_group: target__user__time_off__interval { - type: duration - intervals: [ second, minute, hour ] - sql_start: TIMESTAMP_MICROS(IFNULL(${TABLE}.interval.start_time.seconds,0) * 1000000 + CAST((IFNULL(${TABLE}.interval.start_time.nanos,0) / 1000) as INT64)) ;; - sql_end: TIMESTAMP_MICROS(IFNULL(${TABLE}.interval.end_time.seconds,0) * 1000000 + CAST((IFNULL(${TABLE}.interval.end_time.nanos,0) / 1000) as INT64)) ;; - group_label: "target" - label: "target.user.time_off.interval" - view_label: "UDM" - description: "Interval duration of the leave." 
- } # dimension target__user__time_off__interval - -} # view udm_events__target__user__time_off - -view: udm_events__target__user_management_chain { - dimension: user_display_name { - type: string - sql: ${TABLE}.user_display_name ;; - group_label: "target" - label: "target.user_management_chain.user_display_name" - view_label: "UDM" - description: "The display name of the user (e.g. \"John Locke\")." - } # dimension user_display_name - -} # view udm_events__target__user_management_chain - -explore: udm_events { - ### BEGIN googlex/security/malachite/dashboards/lookml/udm/udm_events_explore_preamble.lkml - label: "UDM Events (Deprecated)" - - hidden: yes - - conditionally_filter: { - filters: { - field: udm_events.time_filter - value: "last 24 hours" - } - } - - fields: [ALL_FIELDS*,] - sql_always_where: {% condition udm_events.time_filter %} hour_time_bucket {% endcondition %} - AND {% condition udm_events.time_filter %} ${metadata__event_timestamp_raw} {% endcondition %};; - - ### END googlex/security/malachite/dashboards/lookml/udm/udm_events_explore_preamble.lkml - join: udm_events__about { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.about}) as udm_events__about ;; - view_label: "UDM" - } # join udm_events__about - - join: udm_events__about__asset__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events__about.asset}.attribute.labels) as udm_events__about__asset__attribute__labels ;; - view_label: "UDM" - } # join udm_events__about__asset__attribute__labels - - join: udm_events__about__asset__attribute__permissions { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events__about.asset}.attribute.permissions) as udm_events__about__asset__attribute__permissions ;; - view_label: "UDM" - } # join udm_events__about__asset__attribute__permissions - - join: udm_events__about__asset__hardware { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events__about.asset}.hardware) as 
udm_events__about__asset__hardware ;; - view_label: "UDM" - } # join udm_events__about__asset__hardware - - join: udm_events__about__asset__ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events__about.asset}.ip) as udm_events__about__asset__ip ;; - view_label: "UDM" - } # join udm_events__about__asset__ip - - join: udm_events__about__asset__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events__about.asset}.labels) as udm_events__about__asset__labels ;; - view_label: "UDM" - } # join udm_events__about__asset__labels - - join: udm_events__about__asset__vulnerabilities { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events__about.asset}.vulnerabilities) as udm_events__about__asset__vulnerabilities ;; - view_label: "UDM" - } # join udm_events__about__asset__vulnerabilities - - join: udm_events__about__file__capabilities_tags { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events__about.file}.capabilities_tags) as udm_events__about__file__capabilities_tags ;; - view_label: "UDM" - } # join udm_events__about__file__capabilities_tags - - join: udm_events__about__file__names { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events__about.file}.names) as udm_events__about__file__names ;; - view_label: "UDM" - } # join udm_events__about__file__names - - join: udm_events__about__investigation__comments { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events__about.investigation}.comments) as udm_events__about__investigation__comments ;; - view_label: "UDM" - } # join udm_events__about__investigation__comments - - join: udm_events__about__ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events__about.ip}) as udm_events__about__ip ;; - view_label: "UDM" - } # join udm_events__about__ip - - join: udm_events__about__ip_location { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events__about.ip_location}) as udm_events__about__ip_location ;; - view_label: "UDM" - } # join 
udm_events__about__ip_location - - join: udm_events__about__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events__about.labels}) as udm_events__about__labels ;; - view_label: "UDM" - } # join udm_events__about__labels - - join: udm_events__about__mac { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events__about.mac}) as udm_events__about__mac ;; - view_label: "UDM" - } # join udm_events__about__mac - - join: udm_events__about__nat_ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events__about.nat_ip}) as udm_events__about__nat_ip ;; - view_label: "UDM" - } # join udm_events__about__nat_ip - - join: udm_events__about__resource__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events__about.resource}.attribute.labels) as udm_events__about__resource__attribute__labels ;; - view_label: "UDM" - } # join udm_events__about__resource__attribute__labels - - join: udm_events__about__resource__attribute__permissions { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events__about.resource}.attribute.permissions) as udm_events__about__resource__attribute__permissions ;; - view_label: "UDM" - } # join udm_events__about__resource__attribute__permissions - - join: udm_events__about__resource_ancestors { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events__about.resource_ancestors}) as udm_events__about__resource_ancestors ;; - view_label: "UDM" - } # join udm_events__about__resource_ancestors - - join: udm_events__about__resource_ancestors__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events__about__resource_ancestors.attribute}.labels) as udm_events__about__resource_ancestors__attribute__labels ;; - view_label: "UDM" - } # join udm_events__about__resource_ancestors__attribute__labels - - join: udm_events__about__user__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events__about.user}.attribute.labels) as 
udm_events__about__user__attribute__labels ;; - view_label: "UDM" - } # join udm_events__about__user__attribute__labels - - join: udm_events__about__user__attribute__permissions { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events__about.user}.attribute.permissions) as udm_events__about__user__attribute__permissions ;; - view_label: "UDM" - } # join udm_events__about__user__attribute__permissions - - join: udm_events__about__user__attribute__roles { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events__about.user}.attribute.roles) as udm_events__about__user__attribute__roles ;; - view_label: "UDM" - } # join udm_events__about__user__attribute__roles - - join: udm_events__about__user__department { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events__about.user}.department) as udm_events__about__user__department ;; - view_label: "UDM" - } # join udm_events__about__user__department - - join: udm_events__about__user__email_addresses { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events__about.user}.email_addresses) as udm_events__about__user__email_addresses ;; - view_label: "UDM" - } # join udm_events__about__user__email_addresses - - join: udm_events__about__user__group_identifiers { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events__about.user}.group_identifiers) as udm_events__about__user__group_identifiers ;; - view_label: "UDM" - } # join udm_events__about__user__group_identifiers - - join: udm_events__additional__fields { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.additional}.fields) as udm_events__additional__fields ;; - view_label: "UDM" - } # join udm_events__additional__fields - - join: udm_events__additional__fields__value__list_value__values { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events__additional__fields.value}.list_value.values) as udm_events__additional__fields__value__list_value__values ;; - view_label: "UDM" - } # join 
udm_events__additional__fields__value__list_value__values - - join: udm_events__additional__fields__value__list_value__values__struct_value__fields { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events__additional__fields__value__list_value__values.struct_value}.fields) as udm_events__additional__fields__value__list_value__values__struct_value__fields ;; - view_label: "UDM" - } # join udm_events__additional__fields__value__list_value__values__struct_value__fields - - join: udm_events__additional__fields__value__struct_value__fields { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events__additional__fields.value}.struct_value.fields) as udm_events__additional__fields__value__struct_value__fields ;; - view_label: "UDM" - } # join udm_events__additional__fields__value__struct_value__fields - - join: udm_events__extensions__auth__mechanism { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.extensions}.auth.mechanism) as udm_events__extensions__auth__mechanism ;; - view_label: "UDM" - } # join udm_events__extensions__auth__mechanism - - join: udm_events__extensions__auth__mechanism_enum_name { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.extensions}.auth.mechanism) as udm_events__extensions__auth__mechanism_enum_name ;; - view_label: "UDM" - } # join udm_events__extensions__auth__mechanism_enum_name - - join: udm_events__extensions__vulns__vulnerabilities { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.extensions}.vulns.vulnerabilities) as udm_events__extensions__vulns__vulnerabilities ;; - view_label: "UDM" - } # join udm_events__extensions__vulns__vulnerabilities - - join: udm_events__extensions__vulns__vulnerabilities__about__asset__ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events__extensions__vulns__vulnerabilities.about}.asset.ip) as udm_events__extensions__vulns__vulnerabilities__about__asset__ip ;; - view_label: "UDM" - } # join 
udm_events__extensions__vulns__vulnerabilities__about__asset__ip - - join: udm_events__extensions__vulns__vulnerabilities__about__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events__extensions__vulns__vulnerabilities.about}.labels) as udm_events__extensions__vulns__vulnerabilities__about__labels ;; - view_label: "UDM" - } # join udm_events__extensions__vulns__vulnerabilities__about__labels - - join: udm_events__extensions__vulns__vulnerabilities__about__resource__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events__extensions__vulns__vulnerabilities.about}.resource.attribute.labels) as udm_events__extensions__vulns__vulnerabilities__about__resource__attribute__labels ;; - view_label: "UDM" - } # join udm_events__extensions__vulns__vulnerabilities__about__resource__attribute__labels - - join: udm_events__intermediary { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.intermediary}) as udm_events__intermediary ;; - view_label: "UDM" - } # join udm_events__intermediary - - join: udm_events__intermediary__asset__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events__intermediary.asset}.attribute.labels) as udm_events__intermediary__asset__attribute__labels ;; - view_label: "UDM" - } # join udm_events__intermediary__asset__attribute__labels - - join: udm_events__intermediary__asset__hardware { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events__intermediary.asset}.hardware) as udm_events__intermediary__asset__hardware ;; - view_label: "UDM" - } # join udm_events__intermediary__asset__hardware - - join: udm_events__intermediary__asset__ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events__intermediary.asset}.ip) as udm_events__intermediary__asset__ip ;; - view_label: "UDM" - } # join udm_events__intermediary__asset__ip - - join: udm_events__intermediary__asset__labels { - relationship: one_to_many - sql: LEFT JOIN 
UNNEST(${udm_events__intermediary.asset}.labels) as udm_events__intermediary__asset__labels ;; - view_label: "UDM" - } # join udm_events__intermediary__asset__labels - - join: udm_events__intermediary__asset__mac { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events__intermediary.asset}.mac) as udm_events__intermediary__asset__mac ;; - view_label: "UDM" - } # join udm_events__intermediary__asset__mac - - join: udm_events__intermediary__asset__software { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events__intermediary.asset}.software) as udm_events__intermediary__asset__software ;; - view_label: "UDM" - } # join udm_events__intermediary__asset__software - - join: udm_events__intermediary__ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events__intermediary.ip}) as udm_events__intermediary__ip ;; - view_label: "UDM" - } # join udm_events__intermediary__ip - - join: udm_events__intermediary__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events__intermediary.labels}) as udm_events__intermediary__labels ;; - view_label: "UDM" - } # join udm_events__intermediary__labels - - join: udm_events__intermediary__mac { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events__intermediary.mac}) as udm_events__intermediary__mac ;; - view_label: "UDM" - } # join udm_events__intermediary__mac - - join: udm_events__intermediary__nat_ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events__intermediary.nat_ip}) as udm_events__intermediary__nat_ip ;; - view_label: "UDM" - } # join udm_events__intermediary__nat_ip - - join: udm_events__intermediary__process__file__names { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events__intermediary.process}.file.names) as udm_events__intermediary__process__file__names ;; - view_label: "UDM" - } # join udm_events__intermediary__process__file__names - - join: udm_events__intermediary__resource__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN 
UNNEST(${udm_events__intermediary.resource}.attribute.labels) as udm_events__intermediary__resource__attribute__labels ;; - view_label: "UDM" - } # join udm_events__intermediary__resource__attribute__labels - - join: udm_events__intermediary__user__email_addresses { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events__intermediary.user}.email_addresses) as udm_events__intermediary__user__email_addresses ;; - view_label: "UDM" - } # join udm_events__intermediary__user__email_addresses - - join: udm_events__intermediary__user__group_identifiers { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events__intermediary.user}.group_identifiers) as udm_events__intermediary__user__group_identifiers ;; - view_label: "UDM" - } # join udm_events__intermediary__user__group_identifiers - - join: udm_events__metadata__base_labels__log_types { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.metadata}.base_labels.log_types) as udm_events__metadata__base_labels__log_types ;; - view_label: "UDM" - } # join udm_events__metadata__base_labels__log_types - - join: udm_events__metadata__base_labels__namespaces { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.metadata}.base_labels.namespaces) as udm_events__metadata__base_labels__namespaces ;; - view_label: "UDM" - } # join udm_events__metadata__base_labels__namespaces - - join: udm_events__metadata__ingestion_labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.metadata}.ingestion_labels) as udm_events__metadata__ingestion_labels ;; - view_label: "UDM" - } # join udm_events__metadata__ingestion_labels - - join: udm_events__metadata__tags__data_tap_config_name { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.metadata}.tags.data_tap_config_name) as udm_events__metadata__tags__data_tap_config_name ;; - view_label: "UDM" - } # join udm_events__metadata__tags__data_tap_config_name - - join: udm_events__metadata__tags__tenant_id { - relationship: 
one_to_one - sql: LEFT JOIN UNNEST(${udm_events.metadata}.tags.tenant_id) as udm_events__metadata__tags__tenant_id ;; - view_label: "UDM" - } # join udm_events__metadata__tags__tenant_id - - join: udm_events__network__dhcp__options { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.network}.dhcp.options) as udm_events__network__dhcp__options ;; - view_label: "UDM" - } # join udm_events__network__dhcp__options - - join: udm_events__network__dns__additional { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.network}.dns.additional) as udm_events__network__dns__additional ;; - view_label: "UDM" - } # join udm_events__network__dns__additional - - join: udm_events__network__dns__answers { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.network}.dns.answers) as udm_events__network__dns__answers ;; - view_label: "UDM" - } # join udm_events__network__dns__answers - - join: udm_events__network__dns__authority { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.network}.dns.authority) as udm_events__network__dns__authority ;; - view_label: "UDM" - } # join udm_events__network__dns__authority - - join: udm_events__network__dns__questions { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.network}.dns.questions) as udm_events__network__dns__questions ;; - view_label: "UDM" - } # join udm_events__network__dns__questions - - join: udm_events__network__email__bcc { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.network}.email.bcc) as udm_events__network__email__bcc ;; - view_label: "UDM" - } # join udm_events__network__email__bcc - - join: udm_events__network__email__cc { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.network}.email.cc) as udm_events__network__email__cc ;; - view_label: "UDM" - } # join udm_events__network__email__cc - - join: udm_events__network__email__subject { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.network}.email.subject) 
as udm_events__network__email__subject ;; - view_label: "UDM" - } # join udm_events__network__email__subject - - join: udm_events__network__email__to { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.network}.email.to) as udm_events__network__email__to ;; - view_label: "UDM" - } # join udm_events__network__email__to - - join: udm_events__network__http__parsed_user_agent__annotation { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.network}.http.parsed_user_agent.annotation) as udm_events__network__http__parsed_user_agent__annotation ;; - view_label: "UDM" - } # join udm_events__network__http__parsed_user_agent__annotation - - join: udm_events__network__tls__client__supported_ciphers { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.network}.tls.client.supported_ciphers) as udm_events__network__tls__client__supported_ciphers ;; - view_label: "UDM" - } # join udm_events__network__tls__client__supported_ciphers - - join: udm_events__observer__asset__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.observer}.asset.attribute.labels) as udm_events__observer__asset__attribute__labels ;; - view_label: "UDM" - } # join udm_events__observer__asset__attribute__labels - - join: udm_events__observer__asset__ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.observer}.asset.ip) as udm_events__observer__asset__ip ;; - view_label: "UDM" - } # join udm_events__observer__asset__ip - - join: udm_events__observer__asset__software { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.observer}.asset.software) as udm_events__observer__asset__software ;; - view_label: "UDM" - } # join udm_events__observer__asset__software - - join: udm_events__observer__asset__vulnerabilities { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.observer}.asset.vulnerabilities) as udm_events__observer__asset__vulnerabilities ;; - view_label: "UDM" - } # join 
udm_events__observer__asset__vulnerabilities - - join: udm_events__observer__ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.observer}.ip) as udm_events__observer__ip ;; - view_label: "UDM" - } # join udm_events__observer__ip - - join: udm_events__observer__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.observer}.labels) as udm_events__observer__labels ;; - view_label: "UDM" - } # join udm_events__observer__labels - - join: udm_events__observer__mac { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.observer}.mac) as udm_events__observer__mac ;; - view_label: "UDM" - } # join udm_events__observer__mac - - join: udm_events__observer__resource__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.observer}.resource.attribute.labels) as udm_events__observer__resource__attribute__labels ;; - view_label: "UDM" - } # join udm_events__observer__resource__attribute__labels - - join: udm_events__observer__user__email_addresses { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.observer}.user.email_addresses) as udm_events__observer__user__email_addresses ;; - view_label: "UDM" - } # join udm_events__observer__user__email_addresses - - join: udm_events__observer__user__group_identifiers { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.observer}.user.group_identifiers) as udm_events__observer__user__group_identifiers ;; - view_label: "UDM" - } # join udm_events__observer__user__group_identifiers - - join: udm_events__principal__artifact__network__dns__answers { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.principal}.artifact.network.dns.answers) as udm_events__principal__artifact__network__dns__answers ;; - view_label: "UDM" - } # join udm_events__principal__artifact__network__dns__answers - - join: udm_events__principal__asset__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN 
UNNEST(${udm_events.principal}.asset.attribute.labels) as udm_events__principal__asset__attribute__labels ;; - view_label: "UDM" - } # join udm_events__principal__asset__attribute__labels - - join: udm_events__principal__asset__attribute__roles { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.principal}.asset.attribute.roles) as udm_events__principal__asset__attribute__roles ;; - view_label: "UDM" - } # join udm_events__principal__asset__attribute__roles - - join: udm_events__principal__asset__hardware { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.principal}.asset.hardware) as udm_events__principal__asset__hardware ;; - view_label: "UDM" - } # join udm_events__principal__asset__hardware - - join: udm_events__principal__asset__ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.principal}.asset.ip) as udm_events__principal__asset__ip ;; - view_label: "UDM" - } # join udm_events__principal__asset__ip - - join: udm_events__principal__asset__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.principal}.asset.labels) as udm_events__principal__asset__labels ;; - view_label: "UDM" - } # join udm_events__principal__asset__labels - - join: udm_events__principal__asset__mac { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.principal}.asset.mac) as udm_events__principal__asset__mac ;; - view_label: "UDM" - } # join udm_events__principal__asset__mac - - join: udm_events__principal__asset__nat_ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.principal}.asset.nat_ip) as udm_events__principal__asset__nat_ip ;; - view_label: "UDM" - } # join udm_events__principal__asset__nat_ip - - join: udm_events__principal__asset__software { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.principal}.asset.software) as udm_events__principal__asset__software ;; - view_label: "UDM" - } # join udm_events__principal__asset__software - - join: 
udm_events__principal__asset__software__permissions { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events__principal__asset__software.permissions}) as udm_events__principal__asset__software__permissions ;; - view_label: "UDM" - } # join udm_events__principal__asset__software__permissions - - join: udm_events__principal__asset__vulnerabilities { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.principal}.asset.vulnerabilities) as udm_events__principal__asset__vulnerabilities ;; - view_label: "UDM" - } # join udm_events__principal__asset__vulnerabilities - - join: udm_events__principal__domain__name_server { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.principal}.domain.name_server) as udm_events__principal__domain__name_server ;; - view_label: "UDM" - } # join udm_events__principal__domain__name_server - - join: udm_events__principal__domain__tech__group_identifiers { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.principal}.domain.tech.group_identifiers) as udm_events__principal__domain__tech__group_identifiers ;; - view_label: "UDM" - } # join udm_events__principal__domain__tech__group_identifiers - - join: udm_events__principal__file__names { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.principal}.file.names) as udm_events__principal__file__names ;; - view_label: "UDM" - } # join udm_events__principal__file__names - - join: udm_events__principal__group__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.principal}.group.attribute.labels) as udm_events__principal__group__attribute__labels ;; - view_label: "UDM" - } # join udm_events__principal__group__attribute__labels - - join: udm_events__principal__group__attribute__roles { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.principal}.group.attribute.roles) as udm_events__principal__group__attribute__roles ;; - view_label: "UDM" - } # join 
udm_events__principal__group__attribute__roles - - join: udm_events__principal__group__email_addresses { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.principal}.group.email_addresses) as udm_events__principal__group__email_addresses ;; - view_label: "UDM" - } # join udm_events__principal__group__email_addresses - - join: udm_events__principal__investigation__comments { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.principal}.investigation.comments) as udm_events__principal__investigation__comments ;; - view_label: "UDM" - } # join udm_events__principal__investigation__comments - - join: udm_events__principal__ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.principal}.ip) as udm_events__principal__ip ;; - view_label: "UDM" - } # join udm_events__principal__ip - - join: udm_events__principal__ip_geo_artifact { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.principal}.ip_geo_artifact) as udm_events__principal__ip_geo_artifact ;; - view_label: "UDM" - } # join udm_events__principal__ip_geo_artifact - - join: udm_events__principal__ip_location { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.principal}.ip_location) as udm_events__principal__ip_location ;; - view_label: "UDM" - } # join udm_events__principal__ip_location - - join: udm_events__principal__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.principal}.labels) as udm_events__principal__labels ;; - view_label: "UDM" - } # join udm_events__principal__labels - - join: udm_events__principal__mac { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.principal}.mac) as udm_events__principal__mac ;; - view_label: "UDM" - } # join udm_events__principal__mac - - join: udm_events__principal__nat_ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.principal}.nat_ip) as udm_events__principal__nat_ip ;; - view_label: "UDM" - } # join udm_events__principal__nat_ip - - join: 
udm_events__principal__process__command_line_history { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.principal}.process.command_line_history) as udm_events__principal__process__command_line_history ;; - view_label: "UDM" - } # join udm_events__principal__process__command_line_history - - join: udm_events__principal__process__file__capabilities_tags { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.principal}.process.file.capabilities_tags) as udm_events__principal__process__file__capabilities_tags ;; - view_label: "UDM" - } # join udm_events__principal__process__file__capabilities_tags - - join: udm_events__principal__process__file__names { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.principal}.process.file.names) as udm_events__principal__process__file__names ;; - view_label: "UDM" - } # join udm_events__principal__process__file__names - - join: udm_events__principal__process_ancestors { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.principal}.process_ancestors) as udm_events__principal__process_ancestors ;; - view_label: "UDM" - } # join udm_events__principal__process_ancestors - - join: udm_events__principal__resource__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.principal}.resource.attribute.labels) as udm_events__principal__resource__attribute__labels ;; - view_label: "UDM" - } # join udm_events__principal__resource__attribute__labels - - join: udm_events__principal__resource__attribute__permissions { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.principal}.resource.attribute.permissions) as udm_events__principal__resource__attribute__permissions ;; - view_label: "UDM" - } # join udm_events__principal__resource__attribute__permissions - - join: udm_events__principal__resource__attribute__roles { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.principal}.resource.attribute.roles) as 
udm_events__principal__resource__attribute__roles ;; - view_label: "UDM" - } # join udm_events__principal__resource__attribute__roles - - join: udm_events__principal__resource_ancestors { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.principal}.resource_ancestors) as udm_events__principal__resource_ancestors ;; - view_label: "UDM" - } # join udm_events__principal__resource_ancestors - - join: udm_events__principal__resource_ancestors__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events__principal__resource_ancestors.attribute}.labels) as udm_events__principal__resource_ancestors__attribute__labels ;; - view_label: "UDM" - } # join udm_events__principal__resource_ancestors__attribute__labels - - join: udm_events__principal__user__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.principal}.user.attribute.labels) as udm_events__principal__user__attribute__labels ;; - view_label: "UDM" - } # join udm_events__principal__user__attribute__labels - - join: udm_events__principal__user__attribute__permissions { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.principal}.user.attribute.permissions) as udm_events__principal__user__attribute__permissions ;; - view_label: "UDM" - } # join udm_events__principal__user__attribute__permissions - - join: udm_events__principal__user__attribute__roles { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.principal}.user.attribute.roles) as udm_events__principal__user__attribute__roles ;; - view_label: "UDM" - } # join udm_events__principal__user__attribute__roles - - join: udm_events__principal__user__department { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.principal}.user.department) as udm_events__principal__user__department ;; - view_label: "UDM" - } # join udm_events__principal__user__department - - join: udm_events__principal__user__email_addresses { - relationship: one_to_one - sql: LEFT JOIN 
UNNEST(${udm_events.principal}.user.email_addresses) as udm_events__principal__user__email_addresses ;; - view_label: "UDM" - } # join udm_events__principal__user__email_addresses - - join: udm_events__principal__user__group_identifiers { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.principal}.user.group_identifiers) as udm_events__principal__user__group_identifiers ;; - view_label: "UDM" - } # join udm_events__principal__user__group_identifiers - - join: udm_events__principal__user__managers { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.principal}.user.managers) as udm_events__principal__user__managers ;; - view_label: "UDM" - } # join udm_events__principal__user__managers - - join: udm_events__principal__user__managers__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events__principal__user__managers.attribute}.labels) as udm_events__principal__user__managers__attribute__labels ;; - view_label: "UDM" - } # join udm_events__principal__user__managers__attribute__labels - - join: udm_events__principal__user__managers__attribute__roles { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events__principal__user__managers.attribute}.roles) as udm_events__principal__user__managers__attribute__roles ;; - view_label: "UDM" - } # join udm_events__principal__user__managers__attribute__roles - - join: udm_events__principal__user__managers__department { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events__principal__user__managers.department}) as udm_events__principal__user__managers__department ;; - view_label: "UDM" - } # join udm_events__principal__user__managers__department - - join: udm_events__principal__user__managers__email_addresses { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events__principal__user__managers.email_addresses}) as udm_events__principal__user__managers__email_addresses ;; - view_label: "UDM" - } # join 
udm_events__principal__user__managers__email_addresses - - join: udm_events__principal__user__managers__group_identifiers { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events__principal__user__managers.group_identifiers}) as udm_events__principal__user__managers__group_identifiers ;; - view_label: "UDM" - } # join udm_events__principal__user__managers__group_identifiers - - join: udm_events__principal__user__managers__phone_numbers { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events__principal__user__managers.phone_numbers}) as udm_events__principal__user__managers__phone_numbers ;; - view_label: "UDM" - } # join udm_events__principal__user__managers__phone_numbers - - join: udm_events__principal__user__phone_numbers { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.principal}.user.phone_numbers) as udm_events__principal__user__phone_numbers ;; - view_label: "UDM" - } # join udm_events__principal__user__phone_numbers - - join: udm_events__principal__user__time_off { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.principal}.user.time_off) as udm_events__principal__user__time_off ;; - view_label: "UDM" - } # join udm_events__principal__user__time_off - - join: udm_events__security_result { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.security_result}) as udm_events__security_result ;; - view_label: "UDM" - } # join udm_events__security_result - - join: udm_events__security_result__about__asset__attribute__permissions { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events__security_result.about}.asset.attribute.permissions) as udm_events__security_result__about__asset__attribute__permissions ;; - view_label: "UDM" - } # join udm_events__security_result__about__asset__attribute__permissions - - join: udm_events__security_result__about__asset__ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events__security_result.about}.asset.ip) as 
udm_events__security_result__about__asset__ip ;; - view_label: "UDM" - } # join udm_events__security_result__about__asset__ip - - join: udm_events__security_result__about__asset__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events__security_result.about}.asset.labels) as udm_events__security_result__about__asset__labels ;; - view_label: "UDM" - } # join udm_events__security_result__about__asset__labels - - join: udm_events__security_result__about__asset__mac { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events__security_result.about}.asset.mac) as udm_events__security_result__about__asset__mac ;; - view_label: "UDM" - } # join udm_events__security_result__about__asset__mac - - join: udm_events__security_result__about__asset__software { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events__security_result.about}.asset.software) as udm_events__security_result__about__asset__software ;; - view_label: "UDM" - } # join udm_events__security_result__about__asset__software - - join: udm_events__security_result__about__asset__software__permissions { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events__security_result__about__asset__software.permissions}) as udm_events__security_result__about__asset__software__permissions ;; - view_label: "UDM" - } # join udm_events__security_result__about__asset__software__permissions - - join: udm_events__security_result__about__asset__vulnerabilities { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events__security_result.about}.asset.vulnerabilities) as udm_events__security_result__about__asset__vulnerabilities ;; - view_label: "UDM" - } # join udm_events__security_result__about__asset__vulnerabilities - - join: udm_events__security_result__about__domain__tech__attribute__permissions { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events__security_result.about}.domain.tech.attribute.permissions) as 
udm_events__security_result__about__domain__tech__attribute__permissions ;; - view_label: "UDM" - } # join udm_events__security_result__about__domain__tech__attribute__permissions - - join: udm_events__security_result__about__file__capabilities_tags { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events__security_result.about}.file.capabilities_tags) as udm_events__security_result__about__file__capabilities_tags ;; - view_label: "UDM" - } # join udm_events__security_result__about__file__capabilities_tags - - join: udm_events__security_result__about__file__names { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events__security_result.about}.file.names) as udm_events__security_result__about__file__names ;; - view_label: "UDM" - } # join udm_events__security_result__about__file__names - - join: udm_events__security_result__about__investigation__comments { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events__security_result.about}.investigation.comments) as udm_events__security_result__about__investigation__comments ;; - view_label: "UDM" - } # join udm_events__security_result__about__investigation__comments - - join: udm_events__security_result__about__ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events__security_result.about}.ip) as udm_events__security_result__about__ip ;; - view_label: "UDM" - } # join udm_events__security_result__about__ip - - join: udm_events__security_result__about__ip_location { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events__security_result.about}.ip_location) as udm_events__security_result__about__ip_location ;; - view_label: "UDM" - } # join udm_events__security_result__about__ip_location - - join: udm_events__security_result__about__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events__security_result.about}.labels) as udm_events__security_result__about__labels ;; - view_label: "UDM" - } # join udm_events__security_result__about__labels - - join: 
udm_events__security_result__about__mac { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events__security_result.about}.mac) as udm_events__security_result__about__mac ;; - view_label: "UDM" - } # join udm_events__security_result__about__mac - - join: udm_events__security_result__about__nat_ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events__security_result.about}.nat_ip) as udm_events__security_result__about__nat_ip ;; - view_label: "UDM" - } # join udm_events__security_result__about__nat_ip - - join: udm_events__security_result__about__process__command_line_history { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events__security_result.about}.process.command_line_history) as udm_events__security_result__about__process__command_line_history ;; - view_label: "UDM" - } # join udm_events__security_result__about__process__command_line_history - - join: udm_events__security_result__about__resource__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events__security_result.about}.resource.attribute.labels) as udm_events__security_result__about__resource__attribute__labels ;; - view_label: "UDM" - } # join udm_events__security_result__about__resource__attribute__labels - - join: udm_events__security_result__about__resource_ancestors { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events__security_result.about}.resource_ancestors) as udm_events__security_result__about__resource_ancestors ;; - view_label: "UDM" - } # join udm_events__security_result__about__resource_ancestors - - join: udm_events__security_result__about__user__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events__security_result.about}.user.attribute.labels) as udm_events__security_result__about__user__attribute__labels ;; - view_label: "UDM" - } # join udm_events__security_result__about__user__attribute__labels - - join: udm_events__security_result__about__user__attribute__roles { - relationship: 
one_to_many - sql: LEFT JOIN UNNEST(${udm_events__security_result.about}.user.attribute.roles) as udm_events__security_result__about__user__attribute__roles ;; - view_label: "UDM" - } # join udm_events__security_result__about__user__attribute__roles - - join: udm_events__security_result__about__user__email_addresses { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events__security_result.about}.user.email_addresses) as udm_events__security_result__about__user__email_addresses ;; - view_label: "UDM" - } # join udm_events__security_result__about__user__email_addresses - - join: udm_events__security_result__about__user__group_identifiers { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events__security_result.about}.user.group_identifiers) as udm_events__security_result__about__user__group_identifiers ;; - view_label: "UDM" - } # join udm_events__security_result__about__user__group_identifiers - - join: udm_events__security_result__about__user_management_chain { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events__security_result.about}.user_management_chain) as udm_events__security_result__about__user_management_chain ;; - view_label: "UDM" - } # join udm_events__security_result__about__user_management_chain - - join: udm_events__security_result__action { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events__security_result.action}) as udm_events__security_result__action ;; - view_label: "UDM" - } # join udm_events__security_result__action - - join: udm_events__security_result__action_enum_name { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events__security_result.action}) as udm_events__security_result__action_enum_name ;; - view_label: "UDM" - } # join udm_events__security_result__action_enum_name - - join: udm_events__security_result__attack_details__tactics { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events__security_result.attack_details}.tactics) as 
udm_events__security_result__attack_details__tactics ;; - view_label: "UDM" - } # join udm_events__security_result__attack_details__tactics - - join: udm_events__security_result__attack_details__techniques { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events__security_result.attack_details}.techniques) as udm_events__security_result__attack_details__techniques ;; - view_label: "UDM" - } # join udm_events__security_result__attack_details__techniques - - join: udm_events__security_result__category { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events__security_result.category}) as udm_events__security_result__category ;; - view_label: "UDM" - } # join udm_events__security_result__category - - join: udm_events__security_result__category_enum_name { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events__security_result.category}) as udm_events__security_result__category_enum_name ;; - view_label: "UDM" - } # join udm_events__security_result__category_enum_name - - join: udm_events__security_result__category_details { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events__security_result.category_details}) as udm_events__security_result__category_details ;; - view_label: "UDM" - } # join udm_events__security_result__category_details - - join: udm_events__security_result__detection_fields { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events__security_result.detection_fields}) as udm_events__security_result__detection_fields ;; - view_label: "UDM" - } # join udm_events__security_result__detection_fields - - join: udm_events__security_result__outcomes { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events__security_result.outcomes}) as udm_events__security_result__outcomes ;; - view_label: "UDM" - } # join udm_events__security_result__outcomes - - join: udm_events__security_result__rule_labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events__security_result.rule_labels}) as 
udm_events__security_result__rule_labels ;; - view_label: "UDM" - } # join udm_events__security_result__rule_labels - - join: udm_events__src__artifact__network__dns__questions { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.src}.artifact.network.dns.questions) as udm_events__src__artifact__network__dns__questions ;; - view_label: "UDM" - } # join udm_events__src__artifact__network__dns__questions - - join: udm_events__src__asset__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.src}.asset.attribute.labels) as udm_events__src__asset__attribute__labels ;; - view_label: "UDM" - } # join udm_events__src__asset__attribute__labels - - join: udm_events__src__asset__hardware { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.src}.asset.hardware) as udm_events__src__asset__hardware ;; - view_label: "UDM" - } # join udm_events__src__asset__hardware - - join: udm_events__src__asset__ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.src}.asset.ip) as udm_events__src__asset__ip ;; - view_label: "UDM" - } # join udm_events__src__asset__ip - - join: udm_events__src__asset__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.src}.asset.labels) as udm_events__src__asset__labels ;; - view_label: "UDM" - } # join udm_events__src__asset__labels - - join: udm_events__src__asset__mac { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.src}.asset.mac) as udm_events__src__asset__mac ;; - view_label: "UDM" - } # join udm_events__src__asset__mac - - join: udm_events__src__asset__nat_ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.src}.asset.nat_ip) as udm_events__src__asset__nat_ip ;; - view_label: "UDM" - } # join udm_events__src__asset__nat_ip - - join: udm_events__src__asset__software { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.src}.asset.software) as udm_events__src__asset__software ;; - view_label: "UDM" - } # join 
udm_events__src__asset__software - - join: udm_events__src__asset__software__permissions { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events__src__asset__software.permissions}) as udm_events__src__asset__software__permissions ;; - view_label: "UDM" - } # join udm_events__src__asset__software__permissions - - join: udm_events__src__asset__vulnerabilities { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.src}.asset.vulnerabilities) as udm_events__src__asset__vulnerabilities ;; - view_label: "UDM" - } # join udm_events__src__asset__vulnerabilities - - join: udm_events__src__file__capabilities_tags { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.src}.file.capabilities_tags) as udm_events__src__file__capabilities_tags ;; - view_label: "UDM" - } # join udm_events__src__file__capabilities_tags - - join: udm_events__src__file__embedded_domains { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.src}.file.embedded_domains) as udm_events__src__file__embedded_domains ;; - view_label: "UDM" - } # join udm_events__src__file__embedded_domains - - join: udm_events__src__file__embedded_ips { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.src}.file.embedded_ips) as udm_events__src__file__embedded_ips ;; - view_label: "UDM" - } # join udm_events__src__file__embedded_ips - - join: udm_events__src__file__embedded_urls { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.src}.file.embedded_urls) as udm_events__src__file__embedded_urls ;; - view_label: "UDM" - } # join udm_events__src__file__embedded_urls - - join: udm_events__src__file__names { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.src}.file.names) as udm_events__src__file__names ;; - view_label: "UDM" - } # join udm_events__src__file__names - - join: udm_events__src__file__signature_info__sigcheck__signers { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.src}.file.signature_info.sigcheck.signers) as 
udm_events__src__file__signature_info__sigcheck__signers ;; - view_label: "UDM" - } # join udm_events__src__file__signature_info__sigcheck__signers - - join: udm_events__src__file__tags { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.src}.file.tags) as udm_events__src__file__tags ;; - view_label: "UDM" - } # join udm_events__src__file__tags - - join: udm_events__src__ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.src}.ip) as udm_events__src__ip ;; - view_label: "UDM" - } # join udm_events__src__ip - - join: udm_events__src__ip_geo_artifact { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.src}.ip_geo_artifact) as udm_events__src__ip_geo_artifact ;; - view_label: "UDM" - } # join udm_events__src__ip_geo_artifact - - join: udm_events__src__ip_location { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.src}.ip_location) as udm_events__src__ip_location ;; - view_label: "UDM" - } # join udm_events__src__ip_location - - join: udm_events__src__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.src}.labels) as udm_events__src__labels ;; - view_label: "UDM" - } # join udm_events__src__labels - - join: udm_events__src__mac { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.src}.mac) as udm_events__src__mac ;; - view_label: "UDM" - } # join udm_events__src__mac - - join: udm_events__src__nat_ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.src}.nat_ip) as udm_events__src__nat_ip ;; - view_label: "UDM" - } # join udm_events__src__nat_ip - - join: udm_events__src__process__file__names { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.src}.process.file.names) as udm_events__src__process__file__names ;; - view_label: "UDM" - } # join udm_events__src__process__file__names - - join: udm_events__src__process_ancestors { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.src}.process_ancestors) as 
udm_events__src__process_ancestors ;; - view_label: "UDM" - } # join udm_events__src__process_ancestors - - join: udm_events__src__resource__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.src}.resource.attribute.labels) as udm_events__src__resource__attribute__labels ;; - view_label: "UDM" - } # join udm_events__src__resource__attribute__labels - - join: udm_events__src__resource__attribute__permissions { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.src}.resource.attribute.permissions) as udm_events__src__resource__attribute__permissions ;; - view_label: "UDM" - } # join udm_events__src__resource__attribute__permissions - - join: udm_events__src__resource_ancestors { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.src}.resource_ancestors) as udm_events__src__resource_ancestors ;; - view_label: "UDM" - } # join udm_events__src__resource_ancestors - - join: udm_events__src__resource_ancestors__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events__src__resource_ancestors.attribute}.labels) as udm_events__src__resource_ancestors__attribute__labels ;; - view_label: "UDM" - } # join udm_events__src__resource_ancestors__attribute__labels - - join: udm_events__src__user__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.src}.user.attribute.labels) as udm_events__src__user__attribute__labels ;; - view_label: "UDM" - } # join udm_events__src__user__attribute__labels - - join: udm_events__src__user__attribute__roles { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.src}.user.attribute.roles) as udm_events__src__user__attribute__roles ;; - view_label: "UDM" - } # join udm_events__src__user__attribute__roles - - join: udm_events__src__user__department { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.src}.user.department) as udm_events__src__user__department ;; - view_label: "UDM" - } # join 
udm_events__src__user__department - - join: udm_events__src__user__email_addresses { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.src}.user.email_addresses) as udm_events__src__user__email_addresses ;; - view_label: "UDM" - } # join udm_events__src__user__email_addresses - - join: udm_events__src__user__group_identifiers { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.src}.user.group_identifiers) as udm_events__src__user__group_identifiers ;; - view_label: "UDM" - } # join udm_events__src__user__group_identifiers - - join: udm_events__src__user__managers { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.src}.user.managers) as udm_events__src__user__managers ;; - view_label: "UDM" - } # join udm_events__src__user__managers - - join: udm_events__src__user__managers__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events__src__user__managers.attribute}.labels) as udm_events__src__user__managers__attribute__labels ;; - view_label: "UDM" - } # join udm_events__src__user__managers__attribute__labels - - join: udm_events__src__user__managers__attribute__roles { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events__src__user__managers.attribute}.roles) as udm_events__src__user__managers__attribute__roles ;; - view_label: "UDM" - } # join udm_events__src__user__managers__attribute__roles - - join: udm_events__src__user__managers__department { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events__src__user__managers.department}) as udm_events__src__user__managers__department ;; - view_label: "UDM" - } # join udm_events__src__user__managers__department - - join: udm_events__src__user__managers__email_addresses { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events__src__user__managers.email_addresses}) as udm_events__src__user__managers__email_addresses ;; - view_label: "UDM" - } # join udm_events__src__user__managers__email_addresses - - join: 
udm_events__src__user__managers__group_identifiers { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events__src__user__managers.group_identifiers}) as udm_events__src__user__managers__group_identifiers ;; - view_label: "UDM" - } # join udm_events__src__user__managers__group_identifiers - - join: udm_events__src__user__managers__phone_numbers { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events__src__user__managers.phone_numbers}) as udm_events__src__user__managers__phone_numbers ;; - view_label: "UDM" - } # join udm_events__src__user__managers__phone_numbers - - join: udm_events__src__user__phone_numbers { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.src}.user.phone_numbers) as udm_events__src__user__phone_numbers ;; - view_label: "UDM" - } # join udm_events__src__user__phone_numbers - - join: udm_events__src__user__time_off { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.src}.user.time_off) as udm_events__src__user__time_off ;; - view_label: "UDM" - } # join udm_events__src__user__time_off - - join: udm_events__target__artifact__network__email__subject { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.target}.artifact.network.email.subject) as udm_events__target__artifact__network__email__subject ;; - view_label: "UDM" - } # join udm_events__target__artifact__network__email__subject - - join: udm_events__target__asset__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.target}.asset.attribute.labels) as udm_events__target__asset__attribute__labels ;; - view_label: "UDM" - } # join udm_events__target__asset__attribute__labels - - join: udm_events__target__asset__attribute__permissions { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.target}.asset.attribute.permissions) as udm_events__target__asset__attribute__permissions ;; - view_label: "UDM" - } # join udm_events__target__asset__attribute__permissions - - join: 
udm_events__target__asset__attribute__roles { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.target}.asset.attribute.roles) as udm_events__target__asset__attribute__roles ;; - view_label: "UDM" - } # join udm_events__target__asset__attribute__roles - - join: udm_events__target__asset__hardware { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.target}.asset.hardware) as udm_events__target__asset__hardware ;; - view_label: "UDM" - } # join udm_events__target__asset__hardware - - join: udm_events__target__asset__ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.target}.asset.ip) as udm_events__target__asset__ip ;; - view_label: "UDM" - } # join udm_events__target__asset__ip - - join: udm_events__target__asset__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.target}.asset.labels) as udm_events__target__asset__labels ;; - view_label: "UDM" - } # join udm_events__target__asset__labels - - join: udm_events__target__asset__mac { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.target}.asset.mac) as udm_events__target__asset__mac ;; - view_label: "UDM" - } # join udm_events__target__asset__mac - - join: udm_events__target__asset__nat_ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.target}.asset.nat_ip) as udm_events__target__asset__nat_ip ;; - view_label: "UDM" - } # join udm_events__target__asset__nat_ip - - join: udm_events__target__asset__software { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.target}.asset.software) as udm_events__target__asset__software ;; - view_label: "UDM" - } # join udm_events__target__asset__software - - join: udm_events__target__asset__software__permissions { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events__target__asset__software.permissions}) as udm_events__target__asset__software__permissions ;; - view_label: "UDM" - } # join udm_events__target__asset__software__permissions - - join: 
udm_events__target__asset__vulnerabilities { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.target}.asset.vulnerabilities) as udm_events__target__asset__vulnerabilities ;; - view_label: "UDM" - } # join udm_events__target__asset__vulnerabilities - - join: udm_events__target__cloud__project__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.target}.cloud.project.attribute.labels) as udm_events__target__cloud__project__attribute__labels ;; - view_label: "UDM" - } # join udm_events__target__cloud__project__attribute__labels - - join: udm_events__target__domain__name_server { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.target}.domain.name_server) as udm_events__target__domain__name_server ;; - view_label: "UDM" - } # join udm_events__target__domain__name_server - - join: udm_events__target__file__capabilities_tags { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.target}.file.capabilities_tags) as udm_events__target__file__capabilities_tags ;; - view_label: "UDM" - } # join udm_events__target__file__capabilities_tags - - join: udm_events__target__file__embedded_domains { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.target}.file.embedded_domains) as udm_events__target__file__embedded_domains ;; - view_label: "UDM" - } # join udm_events__target__file__embedded_domains - - join: udm_events__target__file__embedded_ips { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.target}.file.embedded_ips) as udm_events__target__file__embedded_ips ;; - view_label: "UDM" - } # join udm_events__target__file__embedded_ips - - join: udm_events__target__file__embedded_urls { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.target}.file.embedded_urls) as udm_events__target__file__embedded_urls ;; - view_label: "UDM" - } # join udm_events__target__file__embedded_urls - - join: udm_events__target__file__names { - relationship: one_to_one - sql: LEFT JOIN 
UNNEST(${udm_events.target}.file.names) as udm_events__target__file__names ;; - view_label: "UDM" - } # join udm_events__target__file__names - - join: udm_events__target__file__pe_file__imports { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.target}.file.pe_file.imports) as udm_events__target__file__pe_file__imports ;; - view_label: "UDM" - } # join udm_events__target__file__pe_file__imports - - join: udm_events__target__file__pe_file__imports__functions { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events__target__file__pe_file__imports.functions}) as udm_events__target__file__pe_file__imports__functions ;; - view_label: "UDM" - } # join udm_events__target__file__pe_file__imports__functions - - join: udm_events__target__file__pe_file__resource { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.target}.file.pe_file.resource) as udm_events__target__file__pe_file__resource ;; - view_label: "UDM" - } # join udm_events__target__file__pe_file__resource - - join: udm_events__target__file__pe_file__resources_language_count_str { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.target}.file.pe_file.resources_language_count_str) as udm_events__target__file__pe_file__resources_language_count_str ;; - view_label: "UDM" - } # join udm_events__target__file__pe_file__resources_language_count_str - - join: udm_events__target__file__pe_file__resources_type_count_str { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.target}.file.pe_file.resources_type_count_str) as udm_events__target__file__pe_file__resources_type_count_str ;; - view_label: "UDM" - } # join udm_events__target__file__pe_file__resources_type_count_str - - join: udm_events__target__file__pe_file__section { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.target}.file.pe_file.section) as udm_events__target__file__pe_file__section ;; - view_label: "UDM" - } # join udm_events__target__file__pe_file__section - - join: 
udm_events__target__file__signature_info__sigcheck__signers { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.target}.file.signature_info.sigcheck.signers) as udm_events__target__file__signature_info__sigcheck__signers ;; - view_label: "UDM" - } # join udm_events__target__file__signature_info__sigcheck__signers - - join: udm_events__target__file__signature_info__sigcheck__x509 { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.target}.file.signature_info.sigcheck.x509) as udm_events__target__file__signature_info__sigcheck__x509 ;; - view_label: "UDM" - } # join udm_events__target__file__signature_info__sigcheck__x509 - - join: udm_events__target__file__tags { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.target}.file.tags) as udm_events__target__file__tags ;; - view_label: "UDM" - } # join udm_events__target__file__tags - - join: udm_events__target__group__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.target}.group.attribute.labels) as udm_events__target__group__attribute__labels ;; - view_label: "UDM" - } # join udm_events__target__group__attribute__labels - - join: udm_events__target__group__attribute__permissions { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.target}.group.attribute.permissions) as udm_events__target__group__attribute__permissions ;; - view_label: "UDM" - } # join udm_events__target__group__attribute__permissions - - join: udm_events__target__group__attribute__roles { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.target}.group.attribute.roles) as udm_events__target__group__attribute__roles ;; - view_label: "UDM" - } # join udm_events__target__group__attribute__roles - - join: udm_events__target__group__email_addresses { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.target}.group.email_addresses) as udm_events__target__group__email_addresses ;; - view_label: "UDM" - } # join 
udm_events__target__group__email_addresses - - join: udm_events__target__investigation__comments { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.target}.investigation.comments) as udm_events__target__investigation__comments ;; - view_label: "UDM" - } # join udm_events__target__investigation__comments - - join: udm_events__target__ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.target}.ip) as udm_events__target__ip ;; - view_label: "UDM" - } # join udm_events__target__ip - - join: udm_events__target__ip_geo_artifact { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.target}.ip_geo_artifact) as udm_events__target__ip_geo_artifact ;; - view_label: "UDM" - } # join udm_events__target__ip_geo_artifact - - join: udm_events__target__ip_location { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.target}.ip_location) as udm_events__target__ip_location ;; - view_label: "UDM" - } # join udm_events__target__ip_location - - join: udm_events__target__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.target}.labels) as udm_events__target__labels ;; - view_label: "UDM" - } # join udm_events__target__labels - - join: udm_events__target__mac { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.target}.mac) as udm_events__target__mac ;; - view_label: "UDM" - } # join udm_events__target__mac - - join: udm_events__target__nat_ip { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.target}.nat_ip) as udm_events__target__nat_ip ;; - view_label: "UDM" - } # join udm_events__target__nat_ip - - join: udm_events__target__process__command_line_history { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.target}.process.command_line_history) as udm_events__target__process__command_line_history ;; - view_label: "UDM" - } # join udm_events__target__process__command_line_history - - join: udm_events__target__process__file__capabilities_tags { - relationship: 
one_to_one - sql: LEFT JOIN UNNEST(${udm_events.target}.process.file.capabilities_tags) as udm_events__target__process__file__capabilities_tags ;; - view_label: "UDM" - } # join udm_events__target__process__file__capabilities_tags - - join: udm_events__target__process__file__names { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.target}.process.file.names) as udm_events__target__process__file__names ;; - view_label: "UDM" - } # join udm_events__target__process__file__names - - join: udm_events__target__process__file__pe_file__signature_info__signer { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.target}.process.file.pe_file.signature_info.signer) as udm_events__target__process__file__pe_file__signature_info__signer ;; - view_label: "UDM" - } # join udm_events__target__process__file__pe_file__signature_info__signer - - join: udm_events__target__process__parent_process__file__capabilities_tags { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.target}.process.parent_process.file.capabilities_tags) as udm_events__target__process__parent_process__file__capabilities_tags ;; - view_label: "UDM" - } # join udm_events__target__process__parent_process__file__capabilities_tags - - join: udm_events__target__process__parent_process__file__names { - relationship: one_to_one - sql: LEFT JOIN UNNEST(${udm_events.target}.process.parent_process.file.names) as udm_events__target__process__parent_process__file__names ;; - view_label: "UDM" - } # join udm_events__target__process__parent_process__file__names - - join: udm_events__target__process_ancestors { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.target}.process_ancestors) as udm_events__target__process_ancestors ;; - view_label: "UDM" - } # join udm_events__target__process_ancestors - - join: udm_events__target__resource__attribute__labels { - relationship: one_to_many - sql: LEFT JOIN UNNEST(${udm_events.target}.resource.attribute.labels) as 
udm_events__target__resource__attribute__labels ;;
- view_label: "UDM"
- } # join udm_events__target__resource__attribute__labels
-
- join: udm_events__target__resource__attribute__permissions {
- relationship: one_to_many
- sql: LEFT JOIN UNNEST(${udm_events.target}.resource.attribute.permissions) as udm_events__target__resource__attribute__permissions ;;
- view_label: "UDM"
- } # join udm_events__target__resource__attribute__permissions
-
- join: udm_events__target__resource__attribute__roles {
- relationship: one_to_many
- sql: LEFT JOIN UNNEST(${udm_events.target}.resource.attribute.roles) as udm_events__target__resource__attribute__roles ;;
- view_label: "UDM"
- } # join udm_events__target__resource__attribute__roles
-
- join: udm_events__target__resource_ancestors {
- relationship: one_to_many
- sql: LEFT JOIN UNNEST(${udm_events.target}.resource_ancestors) as udm_events__target__resource_ancestors ;;
- view_label: "UDM"
- } # join udm_events__target__resource_ancestors
-
- join: udm_events__target__resource_ancestors__attribute__labels {
- relationship: one_to_many
- sql: LEFT JOIN UNNEST(${udm_events__target__resource_ancestors.attribute}.labels) as udm_events__target__resource_ancestors__attribute__labels ;;
- view_label: "UDM"
- } # join udm_events__target__resource_ancestors__attribute__labels
-
- join: udm_events__target__resource_ancestors__attribute__permissions {
- relationship: one_to_many
- sql: LEFT JOIN UNNEST(${udm_events__target__resource_ancestors.attribute}.permissions) as udm_events__target__resource_ancestors__attribute__permissions ;;
- view_label: "UDM"
- } # join udm_events__target__resource_ancestors__attribute__permissions
-
- join: udm_events__target__user__attribute__labels {
- relationship: one_to_many
- sql: LEFT JOIN UNNEST(${udm_events.target}.user.attribute.labels) as udm_events__target__user__attribute__labels ;;
- view_label: "UDM"
- } # join udm_events__target__user__attribute__labels
-
- join: udm_events__target__user__attribute__permissions {
- relationship: one_to_many
- sql: LEFT JOIN UNNEST(${udm_events.target}.user.attribute.permissions) as udm_events__target__user__attribute__permissions ;;
- view_label: "UDM"
- } # join udm_events__target__user__attribute__permissions
-
- join: udm_events__target__user__attribute__roles {
- relationship: one_to_many
- sql: LEFT JOIN UNNEST(${udm_events.target}.user.attribute.roles) as udm_events__target__user__attribute__roles ;;
- view_label: "UDM"
- } # join udm_events__target__user__attribute__roles
-
- join: udm_events__target__user__department {
- relationship: one_to_one
- sql: LEFT JOIN UNNEST(${udm_events.target}.user.department) as udm_events__target__user__department ;;
- view_label: "UDM"
- } # join udm_events__target__user__department
-
- join: udm_events__target__user__email_addresses {
- relationship: one_to_one
- sql: LEFT JOIN UNNEST(${udm_events.target}.user.email_addresses) as udm_events__target__user__email_addresses ;;
- view_label: "UDM"
- } # join udm_events__target__user__email_addresses
-
- join: udm_events__target__user__group_identifiers {
- relationship: one_to_one
- sql: LEFT JOIN UNNEST(${udm_events.target}.user.group_identifiers) as udm_events__target__user__group_identifiers ;;
- view_label: "UDM"
- } # join udm_events__target__user__group_identifiers
-
- join: udm_events__target__user__managers {
- relationship: one_to_many
- sql: LEFT JOIN UNNEST(${udm_events.target}.user.managers) as udm_events__target__user__managers ;;
- view_label: "UDM"
- } # join udm_events__target__user__managers
-
- join: udm_events__target__user__managers__attribute__labels {
- relationship: one_to_many
- sql: LEFT JOIN UNNEST(${udm_events__target__user__managers.attribute}.labels) as udm_events__target__user__managers__attribute__labels ;;
- view_label: "UDM"
- } # join udm_events__target__user__managers__attribute__labels
-
- join: udm_events__target__user__managers__attribute__roles {
- relationship: one_to_many
- sql: LEFT JOIN UNNEST(${udm_events__target__user__managers.attribute}.roles) as udm_events__target__user__managers__attribute__roles ;;
- view_label: "UDM"
- } # join udm_events__target__user__managers__attribute__roles
-
- join: udm_events__target__user__managers__department {
- relationship: one_to_one
- sql: LEFT JOIN UNNEST(${udm_events__target__user__managers.department}) as udm_events__target__user__managers__department ;;
- view_label: "UDM"
- } # join udm_events__target__user__managers__department
-
- join: udm_events__target__user__managers__email_addresses {
- relationship: one_to_one
- sql: LEFT JOIN UNNEST(${udm_events__target__user__managers.email_addresses}) as udm_events__target__user__managers__email_addresses ;;
- view_label: "UDM"
- } # join udm_events__target__user__managers__email_addresses
-
- join: udm_events__target__user__managers__group_identifiers {
- relationship: one_to_one
- sql: LEFT JOIN UNNEST(${udm_events__target__user__managers.group_identifiers}) as udm_events__target__user__managers__group_identifiers ;;
- view_label: "UDM"
- } # join udm_events__target__user__managers__group_identifiers
-
- join: udm_events__target__user__managers__phone_numbers {
- relationship: one_to_one
- sql: LEFT JOIN UNNEST(${udm_events__target__user__managers.phone_numbers}) as udm_events__target__user__managers__phone_numbers ;;
- view_label: "UDM"
- } # join udm_events__target__user__managers__phone_numbers
-
- join: udm_events__target__user__phone_numbers {
- relationship: one_to_one
- sql: LEFT JOIN UNNEST(${udm_events.target}.user.phone_numbers) as udm_events__target__user__phone_numbers ;;
- view_label: "UDM"
- } # join udm_events__target__user__phone_numbers
-
- join: udm_events__target__user__time_off {
- relationship: one_to_many
- sql: LEFT JOIN UNNEST(${udm_events.target}.user.time_off) as udm_events__target__user__time_off ;;
- view_label: "UDM"
- } # join udm_events__target__user__time_off
-
- join: udm_events__target__user_management_chain {
- relationship: one_to_many
- sql: LEFT JOIN UNNEST(${udm_events.target}.user_management_chain) as udm_events__target__user_management_chain ;;
- view_label: "UDM"
- } # join udm_events__target__user_management_chain
-
-} # explore udm_events
-
From 413701d51e3447bcc58c3d7d5383ea9ae8e5260d Mon Sep 17 00:00:00 2001
From: Pradeep Thangamuthu Date: Fri, 16 Jun 2023 11:26:08 +0530 Subject: [PATCH 14/14] Syncs latest embedded dashboard changes --- .DS_Store | Bin 0 -> 6148 bytes .../cdir_gcp_dashboard.dashboard.lookml | 853 + ...data_ingestion_and_health.dashboard.lookml | 73 +- .../health_ingestion_metrics.dashboard.lookml | 47 +- .../ingestion_health_alert.dashboard.lookml | 88 + dashboards/main.dashboard.lookml | 173 +- dashboards/rule_detections.dashboard.lookml | 2 +- .../user_signin_overview.dashboard.lookml | 83 +- explores/destination_geo_ip.explore.lkml | 6 - explores/global_threat_map_ioc.explore.lkml | 5 - .../refinements/entity_graph.explore.lkml | 3 + explores/refinements/events.explore.lkml | 1 + ...n_metric_with_ingestion_stats.explore.lkml | 7 + .../ingestion_metrics.explore.lkml | 6 + .../refinements/ingestion_stats.explore.lkml | 6 + explores/refinements/ioc_matches.explore.lkml | 3 + .../refinements/rule_detections.explore.lkml | 6 + explores/refinements/udm_events.explore.lkml | 3 + .../udm_events_aggregates.explore.lkml | 4 + .../refinements/udm_events_gcs.explore.lkml | 4 - explores/rule_detections.explore.lkml | 7 + ...rulesets_with_rule_detections.explore.lkml | 6 + ...dm_enum_value_to_name_mapping.explore.lkml | 2 +- explores/udm_events.explore.lkml | 54 +- explores/udm_events_aggregates.explore.lkml | 2 +- explores/udm_events_gcs.explore.lkml | 3171 - .../user_login_source_geo_ip.explore.lkml | 5 - manifest.lkml | 11 +- ..._rule_detections_with_udm_events.view.lkml | 4 +- views/custom/destination_geo_ip.view.lkml | 155 - views/custom/global_threat_map_ioc.view.lkml | 117 - ...tion_metric_with_ingestion_stats.view.lkml | 11 +- .../rulesets_with_rule_detections.view.lkml | 127 + .../custom/user_login_source_geo_ip.view.lkml | 107 - ..._rule_detections_with_udm_events.view.lkml | 4 +- views/ingestion_metrics.view.lkml | 5 + views/ingestion_stats.view.lkml | 2 +- views/ioc_matches.view.lkml | 2 +- views/job_metadata.view.lkml | 2 +- 
views/refinements/events.view.lkml | 15 + views/refinements/ingestion_metrics.view.lkml | 38 +- views/refinements/ingestion_stats.view.lkml | 50 +- views/refinements/rule_detections.view.lkml | 35 +- views/refinements/udm_events.view.lkml | 68 + .../udm_events_aggregates.view.lkml | 16 + views/rule_detections.view.lkml | 8 +- .../udm_enum_value_to_name_mapping.view.lkml | 2 +- views/udm_events.view.lkml | 47936 ++++++++-------- views/udm_events_aggregates.view.lkml | 2 +- views/udm_events_gcs.view.lkml | 23633 -------- 50 files changed, 25559 insertions(+), 51411 deletions(-) create mode 100644 .DS_Store create mode 100644 dashboards/cdir_gcp_dashboard.dashboard.lookml create mode 100644 dashboards/ingestion_health_alert.dashboard.lookml delete mode 100644 explores/destination_geo_ip.explore.lkml delete mode 100644 explores/global_threat_map_ioc.explore.lkml create mode 100644 explores/refinements/ingestion_metric_with_ingestion_stats.explore.lkml create mode 100644 explores/refinements/ingestion_metrics.explore.lkml create mode 100644 explores/refinements/ingestion_stats.explore.lkml create mode 100644 explores/refinements/rule_detections.explore.lkml delete mode 100644 explores/refinements/udm_events_gcs.explore.lkml create mode 100644 explores/rulesets_with_rule_detections.explore.lkml delete mode 100644 explores/udm_events_gcs.explore.lkml delete mode 100644 explores/user_login_source_geo_ip.explore.lkml delete mode 100644 views/custom/destination_geo_ip.view.lkml delete mode 100644 views/custom/global_threat_map_ioc.view.lkml create mode 100644 views/custom/rulesets_with_rule_detections.view.lkml delete mode 100644 views/custom/user_login_source_geo_ip.view.lkml delete mode 100644 views/udm_events_gcs.view.lkml 
diff --git a/.DS_Store b/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..c6a6a297bfa94a62228330a2832535ff896ea8f6 GIT binary patch literal 6148 zcmeHKO>fgM7=GP#H0?C02M`kyQY5Zb>9UC(xMW>>m;@Xa1P4GRSptie#Z{9oNL8iY z2Y-RTz?~n$f8hj=KPt6pdz%m-ztZc+vERq``&71TB4XWfxKGq1A`33C+CZ_!M8EJA ztLPTNV{(j?VmhaUA{wkjn+BtRQQ&V=KX)K#O3}MmwJ&oMIc3OcLoV!RiP^xKgf2PUS)YI9V~JCzGpy^Fdh{IF z#@ylZ`lMoC7Zls3Yn+=A6>D|c5E&HNQ2z?wgJBY9d8hM(Rko_zcWPG6+Oghw7rgLt zKObjZfAmItz2rOz=5;@K6-ULOdG~~;xgV#|ND|^OLde_KaT@ZX%g1S$Nv@|lth!Yn zG#^YR&Ozr%%RcNJO<6Mn1g^Es0KR%eAnduh_le1%dTZR*J6`Im0 zU=&zZU`u^A#r@yk{Qh4inJ=S&QQ*H)fK_{5uZxuQ-MW&TxNB|rd$=$WH&ZAnDD-tK gE8;5NgG)o7Eh<1)<4hr1VCIj2l))56fj_FiZ`fVCNB{r; literal 0 HcmV?d00001 diff --git a/dashboards/cdir_gcp_dashboard.dashboard.lookml b/dashboards/cdir_gcp_dashboard.dashboard.lookml new file mode 100644 index 0000000..16ab071 --- /dev/null +++ b/dashboards/cdir_gcp_dashboard.dashboard.lookml 
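Review bot: The new root-level `.DS_Store` added by this patch is macOS Finder metadata, not project content, and should not be committed alongside the dashboard sync. Files of this kind record the names of entries in the folder they were written from, so publishing one can expose local file and directory names to anyone who can read the repository, and it will show up as binary churn in later diffs. Drop it from the commit with `git rm --cached .DS_Store` and add a `.DS_Store` line to `.gitignore`; whether the repository already has a `.gitignore` is not visible in this patch.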
@@ -0,0 +1,853 @@ +- dashboard: cdir_gcp_dashboard + title: Cloud Detection & Response - Overview + layout: newspaper + preferred_viewer: dashboards-next + description: '' + elements: + - title: Cloud Data Coverage (All Time) + name: Cloud Data Coverage (All Time) + explore: ingestion_metrics + type: looker_grid + fields: [ingestion_metrics.state, ingestion_metrics.total_size_bytes, ingested_logsmillions, + ingestion_metrics.min_start_time, ingestion_metrics.max_end_time, ingestion_metrics.gcp_log_type] + filters: + ingestion_metrics.state: "-NULL" + sorts: [ingestion_metrics.total_size_bytes desc] + limit: 500 + dynamic_fields: [{category: measure, label: Ingested logs(Millions), value_format: '[<1000000]0.00," + KB";[<1000000000]0.00,," MB";0.00,,," GB"', value_format_name: __custom, + based_on: ingestion_metrics.total_size_bytes, _kind_hint: measure, measure: ingested_logsmillions, + type: count_distinct, _type_hint: number}] + show_view_names: false + show_row_numbers: true + transpose: false + truncate_text: true + hide_totals: false + hide_row_totals: false + size_to_fit: true + table_theme: editable + limit_displayed_rows: false + enable_conditional_formatting: true + header_text_alignment: left + header_font_size: '12' + rows_font_size: '12' + conditional_formatting_include_totals: false + conditional_formatting_include_nulls: false + show_sql_query_menu_options: false + column_order: ["$$$_row_numbers_$$$", ingestion_metrics.gcp_log_type, ingestion_metrics.min_start_time, + ingestion_metrics.max_end_time, ingestion_metrics.state, ingested_logsmillions] + show_totals: true + show_row_totals: true + truncate_header: false + series_labels: + ingestion_metrics.min_start_time: First Seen + ingestion_metrics.max_end_time: Last Seen + ingestion_metrics.gcp_log_type: Log Type + series_column_widths: + ingestion_metrics.log_type: 373 + ingestion_metrics.total_size_bytes: 177 + ingestion_metrics.min_start_time: 148 + ingestion_metrics.max_end_time: 147 + 
ingestion_metrics.state: 298 + series_cell_visualizations: + ingestion_metrics.total_size_bytes: + is_active: true + conditional_formatting: [{type: along a scale..., value: !!null '', background_color: "#1A73E8", + font_color: !!null '', color_application: {collection_id: 7c56cc21-66e4-41c9-81ce-a60e1c3967b2, + custom: {id: 1441e149-24ab-c1f9-fad5-c394f860ea4c, label: Custom, type: continuous, + stops: [{color: "#FFFFFF", offset: 0}, {color: "#1a73e8", offset: 25}, + {color: "#FFFFFF", offset: 50}, {color: "#FFFFFF", offset: 75}, {color: "#FFFFFF", + offset: 100}]}, options: {steps: 5, constraints: {min: {type: minimum}, + mid: {type: number, value: 0}, max: {type: maximum}}, mirror: true, + reverse: false, stepped: false}}, bold: false, italic: false, strikethrough: false, + fields: !!null ''}] + defaults_version: 1 + hidden_fields: [ingestion_metrics.total_size_bytes] + listen: + GCP Log Type: ingestion_metrics.gcp_log_type + row: 24 + col: 0 + width: 24 + height: 6 + - title: Alerts by Severity Over Time + name: Alerts by Severity Over Time + explore: rule_detections + type: looker_line + fields: [rule_detections.event_timestamp_date, rule_detections.severity, rule_detections.count, + rule_detections.detection_alert_type] + pivots: [rule_detections.severity] + filters: + rule_detections.detection_alert_type: '2' + rule_detections.severity: "-NULL,-EMPTY" + rule_detections__rulesets.ruleset_family_name: Cloud Threats + sorts: [rule_detections.severity, rule_detections.event_timestamp_date desc] + limit: 5000 + dynamic_fields: [{measure: count_of_severity, based_on: rule_detections.severity, + expression: '', label: Count of Severity, type: count_distinct, _kind_hint: measure, + _type_hint: number}] + x_axis_gridlines: false + y_axis_gridlines: true + show_view_names: false + show_y_axis_labels: true + show_y_axis_ticks: true + y_axis_tick_density: default + y_axis_tick_density_custom: 5 + show_x_axis_label: true + show_x_axis_ticks: true + y_axis_scale_mode: 
linear + x_axis_reversed: false + y_axis_reversed: false + plot_size_by_field: false + trellis: '' + stacking: '' + limit_displayed_rows: false + legend_position: center + point_style: none + show_value_labels: false + label_density: 25 + x_axis_scale: auto + y_axis_combined: true + show_null_points: true + interpolation: linear + color_application: + collection_id: 7c79334a-9912-4ca1-be6a-35756782ae09 + palette_id: de0bdb92-9455-489c-afa7-f0e0fdc76078 + options: + steps: 5 + y_axes: [{label: Detection Alerts, orientation: left, series: [{axisId: rule_detections.count, + id: LOW - rule_detections.count, name: LOW}], showLabels: true, showValues: true, + unpinAxis: false, tickDensity: default, tickDensityCustom: 5, type: linear}] + x_axis_label: Date + x_axis_zoom: true + y_axis_zoom: true + series_types: {} + show_totals_labels: false + show_silhouette: false + totals_color: "#808080" + defaults_version: 1 + hidden_fields: [rule_detections.detection_alert_type] + show_row_numbers: true + transpose: false + truncate_text: true + hide_totals: false + hide_row_totals: false + size_to_fit: true + table_theme: white + enable_conditional_formatting: false + header_text_alignment: left + header_font_size: 12 + rows_font_size: 12 + conditional_formatting_include_totals: false + conditional_formatting_include_nulls: false + note_state: collapsed + note_display: hover + note_text: Alerts from Cloud Threats Rules Set in Curated Analytics grouped by + severity over time. 
+ listen: + Time: rule_detections.event_timestamp_time + row: 10 + col: 0 + width: 24 + height: 9 + - title: Alerts + name: Alerts + explore: rule_detections + type: single_value + fields: [rule_detections.period, rule_detections.count_for_drill] + filters: + rule_detections__rulesets.ruleset_family_name: Cloud Threats + sorts: [rule_detections.count_for_drill desc 0] + limit: 500 + column_limit: 50 + dynamic_fields: [{category: table_calculation, expression: "(${rule_detections.count_for_drill}\ + \ - offset(${rule_detections.count_for_drill}, 1))", label: Delta, value_format: !!null '', + value_format_name: '', _kind_hint: measure, table_calculation: delta, _type_hint: number}] + custom_color_enabled: true + show_single_value_title: false + show_comparison: true + comparison_type: change + comparison_reverse_colors: false + show_comparison_label: false + enable_conditional_formatting: false + conditional_formatting_include_totals: false + conditional_formatting_include_nulls: false + single_value_title: CDIR Alerts + value_format: '[>=1000000]#,##0.0,," M";[>=1000]0.0," K";0' + x_axis_gridlines: false + y_axis_gridlines: true + show_view_names: false + show_y_axis_labels: true + show_y_axis_ticks: true + y_axis_tick_density: default + y_axis_tick_density_custom: 5 + show_x_axis_label: true + show_x_axis_ticks: true + y_axis_scale_mode: linear + x_axis_reversed: false + y_axis_reversed: false + plot_size_by_field: false + trellis: '' + stacking: '' + limit_displayed_rows: false + legend_position: center + point_style: none + show_value_labels: false + label_density: 25 + x_axis_scale: auto + y_axis_combined: true + ordering: none + show_null_labels: false + show_totals_labels: false + show_silhouette: false + totals_color: "#808080" + defaults_version: 1 + series_types: {} + hidden_pivots: {} + note_state: collapsed + note_display: hover + note_text: Total alerts from the Cloud Threats category in Curated Detections + listen: + Time: rule_detections.period_filter 
+ row: 1 + col: 16 + width: 8 + height: 3 + - title: Untitled + name: Untitled + explore: ingestion_metrics + type: single_value + fields: [ingestion_metrics.gcp_log_types_used] + limit: 500 + total: true + custom_color_enabled: true + show_single_value_title: false + show_comparison: false + comparison_type: value + comparison_reverse_colors: false + show_comparison_label: false + enable_conditional_formatting: true + conditional_formatting_include_totals: false + conditional_formatting_include_nulls: false + color_application: + collection_id: 7c56cc21-66e4-41c9-81ce-a60e1c3967b2 + palette_id: 5d189dfc-4f46-46f3-822b-bfb0b61777b1 + single_value_title: GCP Data Sources Covered + value_format: 0% + comparison_label: '' + conditional_formatting: [{type: equal to, value: !!null '', background_color: !!null '', + font_color: !!null '', color_application: {collection_id: 7c56cc21-66e4-41c9-81ce-a60e1c3967b2, + palette_id: 4a00499b-c0fe-4b15-a304-4083c07ff4c4}, bold: false, italic: false, + strikethrough: false, fields: !!null ''}] + x_axis_gridlines: false + y_axis_gridlines: true + show_view_names: false + show_y_axis_labels: true + show_y_axis_ticks: true + y_axis_tick_density: default + y_axis_tick_density_custom: 5 + show_x_axis_label: true + show_x_axis_ticks: true + y_axis_scale_mode: linear + x_axis_reversed: false + y_axis_reversed: false + plot_size_by_field: false + trellis: '' + stacking: '' + limit_displayed_rows: false + legend_position: center + point_style: none + show_value_labels: false + label_density: 25 + x_axis_scale: auto + y_axis_combined: true + ordering: none + show_null_labels: false + show_totals_labels: false + show_silhouette: false + totals_color: "#808080" + defaults_version: 1 + series_types: {} + show_row_numbers: true + transpose: false + truncate_text: true + hide_totals: false + hide_row_totals: false + size_to_fit: true + table_theme: white + header_text_alignment: left + header_font_size: 12 + rows_font_size: 12 + hidden_pivots: {} 
+ groupBars: true + labelSize: 10pt + showLegend: true + leftAxisLabelVisible: false + leftAxisLabel: '' + rightAxisLabelVisible: false + rightAxisLabel: '' + smoothedBars: false + orientation: automatic + labelPosition: left + percentType: total + percentPosition: inline + valuePosition: right + labelColorEnabled: false + labelColor: "#FFF" + font_size: 12 + map: usa + map_projection: '' + hidden_fields: [count_of_log_type_3] + note_state: collapsed + note_display: hover + note_text: Percentage of GCP sources data being ingested into Chronicle. + listen: {} + row: 1 + col: 8 + width: 8 + height: 3 + - title: Recent Alerts + name: Recent Alerts + explore: rule_detections + type: looker_grid + fields: [rule_detections.severity, rule_detections__detection__outcomes.int64_val, + rule_detections.alert_name] + filters: + rule_detections.detection_alert_type: '2' + rule_detections__detection__outcomes.name: '"risk_score"' + rule_detections__rulesets.ruleset_family_name: Cloud Threats + sorts: [rule_detections.severity] + limit: 500 + column_limit: 50 + show_view_names: false + show_row_numbers: true + transpose: false + truncate_text: true + hide_totals: false + hide_row_totals: false + size_to_fit: true + table_theme: white + limit_displayed_rows: false + enable_conditional_formatting: false + header_text_alignment: left + header_font_size: '12' + rows_font_size: '12' + conditional_formatting_include_totals: false + conditional_formatting_include_nulls: false + show_sql_query_menu_options: false + show_totals: true + show_row_totals: true + truncate_header: false + series_labels: + rule_detections.rule_name: Alert Name + rule_detections__detection__outcomes.int64_val: Risk Score + x_axis_gridlines: false + y_axis_gridlines: true + show_y_axis_labels: true + show_y_axis_ticks: true + y_axis_tick_density: default + y_axis_tick_density_custom: 5 + show_x_axis_label: true + show_x_axis_ticks: true + y_axis_scale_mode: linear + x_axis_reversed: false + y_axis_reversed: false 
+ plot_size_by_field: false + trellis: '' + stacking: '' + legend_position: center + point_style: none + show_value_labels: false + label_density: 25 + x_axis_scale: auto + y_axis_combined: true + ordering: none + show_null_labels: false + show_totals_labels: false + show_silhouette: false + totals_color: "#808080" + defaults_version: 1 + hidden_fields: [] + series_types: {} + series_column_widths: + rule_detections.rule_name: 695 + column_order: ["$$$_row_numbers_$$$", rule_detections.alert_name, rule_detections.severity, + rule_detections__detection__outcomes.int64_val] + note_state: collapsed + note_display: hover + note_text: Recent alerts from rules in the Cloud Threats Rules set in Curated + Analytics. + listen: + Time: rule_detections.event_timestamp_time + row: 4 + col: 0 + width: 24 + height: 6 + - title: Untitled + name: Untitled (2) + explore: rulesets_with_rule_detections + type: single_value + fields: [rulesets_with_rule_detections.enabled_rulesets, rulesets_with_rule_detections.total_rulesets] + filters: + rulesets_with_rule_detections.ruleset_family_name: Cloud Threats + limit: 500 + column_limit: 50 + dynamic_fields: [{category: table_calculation, expression: "${rulesets_with_rule_detections.enabled_rulesets}/${rulesets_with_rule_detections.total_rulesets}", + label: Percent of rulesets covered, value_format: !!null '', value_format_name: percent_2, + _kind_hint: measure, table_calculation: percent_of_rulesets_covered, _type_hint: number}] + custom_color_enabled: true + show_single_value_title: false + show_comparison: false + comparison_type: progress_percentage + comparison_reverse_colors: false + show_comparison_label: false + enable_conditional_formatting: false + conditional_formatting_include_totals: false + conditional_formatting_include_nulls: false + single_value_title: '' + value_format: 0% + defaults_version: 1 + hidden_fields: [rulesets_with_rule_detections.enabled_rulesets, rulesets_with_rule_detections.total_rulesets] + note_state: 
collapsed + note_display: hover + note_text: Percentage of enabled rules in the Cloud Threats category of Curated + Detections + listen: {} + row: 1 + col: 0 + width: 8 + height: 3 + - title: Cloud Data Coverage (Last 24 Hours) + name: Cloud Data Coverage (Last 24 Hours) + explore: ingestion_metric_with_ingestion_stats + type: looker_area + fields: [ingestion_metric_with_ingestion_stats.total_size_bytes, ingestion_metric_with_ingestion_stats.timestamp_hour, + ingestion_metric_with_ingestion_stats.gcp_log_type] + pivots: [ingestion_metric_with_ingestion_stats.gcp_log_type] + fill_fields: [ingestion_metric_with_ingestion_stats.timestamp_hour] + filters: + ingestion_metric_with_ingestion_stats.timestamp_hour: 24 hours + sorts: [ingestion_metric_with_ingestion_stats.gcp_log_type, ingestion_metric_with_ingestion_stats.timestamp_hour + desc] + limit: 500 + x_axis_gridlines: false + y_axis_gridlines: true + show_view_names: false + show_y_axis_labels: true + show_y_axis_ticks: true + y_axis_tick_density: default + y_axis_tick_density_custom: 5 + show_x_axis_label: true + show_x_axis_ticks: true + y_axis_scale_mode: linear + x_axis_reversed: false + y_axis_reversed: false + plot_size_by_field: false + trellis: '' + stacking: percent + limit_displayed_rows: true + legend_position: right + point_style: none + show_value_labels: false + label_density: 25 + x_axis_scale: auto + y_axis_combined: true + show_null_points: true + interpolation: linear + show_totals_labels: false + show_silhouette: false + totals_color: "#808080" + y_axes: [{label: Throughput Percentage, orientation: left, series: [{axisId: GCP_BIGQUERY_CONTEXT + - ingestion_metric_with_ingestion_stats.total_size_bytes, id: GCP_BIGQUERY_CONTEXT + - ingestion_metric_with_ingestion_stats.total_size_bytes, name: GCP_BIGQUERY_CONTEXT}, + {axisId: GCP_CLOUDAUDIT - ingestion_metric_with_ingestion_stats.total_size_bytes, + id: GCP_CLOUDAUDIT - ingestion_metric_with_ingestion_stats.total_size_bytes, + name: 
GCP_CLOUDAUDIT}, {axisId: GCP_COMPUTE_CONTEXT - ingestion_metric_with_ingestion_stats.total_size_bytes, + id: GCP_COMPUTE_CONTEXT - ingestion_metric_with_ingestion_stats.total_size_bytes, + name: GCP_COMPUTE_CONTEXT}, {axisId: GCP_DLP_CONTEXT - ingestion_metric_with_ingestion_stats.total_size_bytes, + id: GCP_DLP_CONTEXT - ingestion_metric_with_ingestion_stats.total_size_bytes, + name: GCP_DLP_CONTEXT}, {axisId: GCP_DNS - ingestion_metric_with_ingestion_stats.total_size_bytes, + id: GCP_DNS - ingestion_metric_with_ingestion_stats.total_size_bytes, + name: GCP_DNS}, {axisId: GCP_IAM_ANALYSIS - ingestion_metric_with_ingestion_stats.total_size_bytes, + id: GCP_IAM_ANALYSIS - ingestion_metric_with_ingestion_stats.total_size_bytes, + name: GCP_IAM_ANALYSIS}, {axisId: GCP_IAM_CONTEXT - ingestion_metric_with_ingestion_stats.total_size_bytes, + id: GCP_IAM_CONTEXT - ingestion_metric_with_ingestion_stats.total_size_bytes, + name: GCP_IAM_CONTEXT}, {axisId: GCP_SECURITYCENTER - ingestion_metric_with_ingestion_stats.total_size_bytes, + id: GCP_SECURITYCENTER - ingestion_metric_with_ingestion_stats.total_size_bytes, + name: GCP_SECURITYCENTER}, {axisId: GCP_SECURITYCENTER_ERROR - ingestion_metric_with_ingestion_stats.total_size_bytes, + id: GCP_SECURITYCENTER_ERROR - ingestion_metric_with_ingestion_stats.total_size_bytes, + name: GCP_SECURITYCENTER_ERROR}, {axisId: GCP_SECURITYCENTER_MISCONFIGURATION + - ingestion_metric_with_ingestion_stats.total_size_bytes, id: GCP_SECURITYCENTER_MISCONFIGURATION + - ingestion_metric_with_ingestion_stats.total_size_bytes, name: GCP_SECURITYCENTER_MISCONFIGURATION}, + {axisId: GCP_SECURITYCENTER_OBSERVATION - ingestion_metric_with_ingestion_stats.total_size_bytes, + id: GCP_SECURITYCENTER_OBSERVATION - ingestion_metric_with_ingestion_stats.total_size_bytes, + name: GCP_SECURITYCENTER_OBSERVATION}, {axisId: GCP_SECURITYCENTER_THREAT + - ingestion_metric_with_ingestion_stats.total_size_bytes, id: GCP_SECURITYCENTER_THREAT + - 
ingestion_metric_with_ingestion_stats.total_size_bytes, name: GCP_SECURITYCENTER_THREAT}, + {axisId: GCP_SECURITYCENTER_UNSPECIFIED - ingestion_metric_with_ingestion_stats.total_size_bytes, + id: GCP_SECURITYCENTER_UNSPECIFIED - ingestion_metric_with_ingestion_stats.total_size_bytes, + name: GCP_SECURITYCENTER_UNSPECIFIED}, {axisId: GCP_SECURITYCENTER_VULNERABILITY + - ingestion_metric_with_ingestion_stats.total_size_bytes, id: GCP_SECURITYCENTER_VULNERABILITY + - ingestion_metric_with_ingestion_stats.total_size_bytes, name: GCP_SECURITYCENTER_VULNERABILITY}, + {axisId: GCP_STORAGE_CONTEXT - ingestion_metric_with_ingestion_stats.total_size_bytes, + id: GCP_STORAGE_CONTEXT - ingestion_metric_with_ingestion_stats.total_size_bytes, + name: GCP_STORAGE_CONTEXT}, {axisId: GCP_VPC_FLOW - ingestion_metric_with_ingestion_stats.total_size_bytes, + id: GCP_VPC_FLOW - ingestion_metric_with_ingestion_stats.total_size_bytes, + name: GCP_VPC_FLOW}], showLabels: true, showValues: true, unpinAxis: false, + tickDensity: default, tickDensityCustom: 5, type: linear}] + x_axis_zoom: true + y_axis_zoom: true + limit_displayed_rows_values: + show_hide: show + first_last: first + num_rows: '15' + hide_legend: false + series_types: {} + defaults_version: 1 + hidden_pivots: {} + listen: + GCP Log Type: ingestion_metric_with_ingestion_stats.gcp_log_type + row: 30 + col: 0 + width: 24 + height: 6 + - title: Cloud Data Coverage (Last 30 days) + name: Cloud Data Coverage (Last 30 days) + explore: ingestion_metric_with_ingestion_stats + type: looker_area + fields: [ingestion_metric_with_ingestion_stats.total_size_bytes, ingestion_metric_with_ingestion_stats.timestamp_date, + ingestion_metric_with_ingestion_stats.gcp_log_type] + pivots: [ingestion_metric_with_ingestion_stats.gcp_log_type] + fill_fields: [ingestion_metric_with_ingestion_stats.timestamp_date] + filters: + ingestion_metric_with_ingestion_stats.timestamp_date: 30 days + sorts: [ingestion_metric_with_ingestion_stats.gcp_log_type, 
ingestion_metric_with_ingestion_stats.timestamp_date + desc] + limit: 500 + x_axis_gridlines: false + y_axis_gridlines: true + show_view_names: false + show_y_axis_labels: true + show_y_axis_ticks: true + y_axis_tick_density: default + y_axis_tick_density_custom: 5 + show_x_axis_label: true + show_x_axis_ticks: true + y_axis_scale_mode: linear + x_axis_reversed: false + y_axis_reversed: false + plot_size_by_field: false + trellis: '' + stacking: percent + limit_displayed_rows: true + legend_position: right + point_style: none + show_value_labels: false + label_density: 25 + x_axis_scale: auto + y_axis_combined: true + show_null_points: true + interpolation: linear + show_totals_labels: false + show_silhouette: false + totals_color: "#808080" + y_axes: [{label: Throughput Percentage, orientation: left, series: [{axisId: GCP_BIGQUERY_CONTEXT + - ingestion_metric_with_ingestion_stats.total_size_bytes, id: GCP_BIGQUERY_CONTEXT + - ingestion_metric_with_ingestion_stats.total_size_bytes, name: GCP_BIGQUERY_CONTEXT}, + {axisId: GCP_CLOUDAUDIT - ingestion_metric_with_ingestion_stats.total_size_bytes, + id: GCP_CLOUDAUDIT - ingestion_metric_with_ingestion_stats.total_size_bytes, + name: GCP_CLOUDAUDIT}, {axisId: GCP_COMPUTE_CONTEXT - ingestion_metric_with_ingestion_stats.total_size_bytes, + id: GCP_COMPUTE_CONTEXT - ingestion_metric_with_ingestion_stats.total_size_bytes, + name: GCP_COMPUTE_CONTEXT}, {axisId: GCP_DLP_CONTEXT - ingestion_metric_with_ingestion_stats.total_size_bytes, + id: GCP_DLP_CONTEXT - ingestion_metric_with_ingestion_stats.total_size_bytes, + name: GCP_DLP_CONTEXT}, {axisId: GCP_DNS - ingestion_metric_with_ingestion_stats.total_size_bytes, + id: GCP_DNS - ingestion_metric_with_ingestion_stats.total_size_bytes, + name: GCP_DNS}, {axisId: GCP_IAM_ANALYSIS - ingestion_metric_with_ingestion_stats.total_size_bytes, + id: GCP_IAM_ANALYSIS - ingestion_metric_with_ingestion_stats.total_size_bytes, + name: GCP_IAM_ANALYSIS}, {axisId: GCP_IAM_CONTEXT - 
ingestion_metric_with_ingestion_stats.total_size_bytes, + id: GCP_IAM_CONTEXT - ingestion_metric_with_ingestion_stats.total_size_bytes, + name: GCP_IAM_CONTEXT}, {axisId: GCP_SECURITYCENTER - ingestion_metric_with_ingestion_stats.total_size_bytes, + id: GCP_SECURITYCENTER - ingestion_metric_with_ingestion_stats.total_size_bytes, + name: GCP_SECURITYCENTER}, {axisId: GCP_SECURITYCENTER_ERROR - ingestion_metric_with_ingestion_stats.total_size_bytes, + id: GCP_SECURITYCENTER_ERROR - ingestion_metric_with_ingestion_stats.total_size_bytes, + name: GCP_SECURITYCENTER_ERROR}, {axisId: GCP_SECURITYCENTER_MISCONFIGURATION + - ingestion_metric_with_ingestion_stats.total_size_bytes, id: GCP_SECURITYCENTER_MISCONFIGURATION + - ingestion_metric_with_ingestion_stats.total_size_bytes, name: GCP_SECURITYCENTER_MISCONFIGURATION}, + {axisId: GCP_SECURITYCENTER_OBSERVATION - ingestion_metric_with_ingestion_stats.total_size_bytes, + id: GCP_SECURITYCENTER_OBSERVATION - ingestion_metric_with_ingestion_stats.total_size_bytes, + name: GCP_SECURITYCENTER_OBSERVATION}, {axisId: GCP_SECURITYCENTER_THREAT + - ingestion_metric_with_ingestion_stats.total_size_bytes, id: GCP_SECURITYCENTER_THREAT + - ingestion_metric_with_ingestion_stats.total_size_bytes, name: GCP_SECURITYCENTER_THREAT}, + {axisId: GCP_SECURITYCENTER_UNSPECIFIED - ingestion_metric_with_ingestion_stats.total_size_bytes, + id: GCP_SECURITYCENTER_UNSPECIFIED - ingestion_metric_with_ingestion_stats.total_size_bytes, + name: GCP_SECURITYCENTER_UNSPECIFIED}, {axisId: GCP_SECURITYCENTER_VULNERABILITY + - ingestion_metric_with_ingestion_stats.total_size_bytes, id: GCP_SECURITYCENTER_VULNERABILITY + - ingestion_metric_with_ingestion_stats.total_size_bytes, name: GCP_SECURITYCENTER_VULNERABILITY}, + {axisId: GCP_STORAGE_CONTEXT - ingestion_metric_with_ingestion_stats.total_size_bytes, + id: GCP_STORAGE_CONTEXT - ingestion_metric_with_ingestion_stats.total_size_bytes, + name: GCP_STORAGE_CONTEXT}, {axisId: GCP_VPC_FLOW - 
ingestion_metric_with_ingestion_stats.total_size_bytes, + id: GCP_VPC_FLOW - ingestion_metric_with_ingestion_stats.total_size_bytes, + name: GCP_VPC_FLOW}], showLabels: true, showValues: true, unpinAxis: false, + tickDensity: default, tickDensityCustom: 5, type: linear}] + x_axis_zoom: true + y_axis_zoom: true + limit_displayed_rows_values: + show_hide: show + first_last: first + num_rows: '15' + hide_legend: false + series_types: {} + defaults_version: 1 + hidden_pivots: {} + listen: + GCP Log Type: ingestion_metric_with_ingestion_stats.gcp_log_type + row: 36 + col: 0 + width: 24 + height: 6 + - title: Cloud Data Coverage (Last 6 months) + name: Cloud Data Coverage (Last 6 months) + explore: ingestion_metric_with_ingestion_stats + type: looker_area + fields: [ingestion_metric_with_ingestion_stats.timestamp_month, ingestion_metric_with_ingestion_stats.total_size_bytes, + ingestion_metric_with_ingestion_stats.gcp_log_type] + pivots: [ingestion_metric_with_ingestion_stats.gcp_log_type] + fill_fields: [ingestion_metric_with_ingestion_stats.timestamp_month] + filters: + ingestion_metric_with_ingestion_stats.timestamp_month: 6 months + sorts: [ingestion_metric_with_ingestion_stats.gcp_log_type, ingestion_metric_with_ingestion_stats.timestamp_month + desc] + limit: 500 + x_axis_gridlines: false + y_axis_gridlines: true + show_view_names: false + show_y_axis_labels: true + show_y_axis_ticks: true + y_axis_tick_density: default + y_axis_tick_density_custom: 5 + show_x_axis_label: true + show_x_axis_ticks: true + y_axis_scale_mode: linear + x_axis_reversed: false + y_axis_reversed: false + plot_size_by_field: false + trellis: '' + stacking: percent + limit_displayed_rows: true + legend_position: right + point_style: none + show_value_labels: false + label_density: 25 + x_axis_scale: auto + y_axis_combined: true + show_null_points: true + interpolation: linear + show_totals_labels: false + show_silhouette: false + totals_color: "#808080" + y_axes: [{label: Throughput 
Percentage, orientation: left, series: [{axisId: GCP_BIGQUERY_CONTEXT + - ingestion_metric_with_ingestion_stats.total_size_bytes, id: GCP_BIGQUERY_CONTEXT + - ingestion_metric_with_ingestion_stats.total_size_bytes, name: GCP_BIGQUERY_CONTEXT}, + {axisId: GCP_CLOUDAUDIT - ingestion_metric_with_ingestion_stats.total_size_bytes, + id: GCP_CLOUDAUDIT - ingestion_metric_with_ingestion_stats.total_size_bytes, + name: GCP_CLOUDAUDIT}, {axisId: GCP_COMPUTE_CONTEXT - ingestion_metric_with_ingestion_stats.total_size_bytes, + id: GCP_COMPUTE_CONTEXT - ingestion_metric_with_ingestion_stats.total_size_bytes, + name: GCP_COMPUTE_CONTEXT}, {axisId: GCP_DLP_CONTEXT - ingestion_metric_with_ingestion_stats.total_size_bytes, + id: GCP_DLP_CONTEXT - ingestion_metric_with_ingestion_stats.total_size_bytes, + name: GCP_DLP_CONTEXT}, {axisId: GCP_DNS - ingestion_metric_with_ingestion_stats.total_size_bytes, + id: GCP_DNS - ingestion_metric_with_ingestion_stats.total_size_bytes, + name: GCP_DNS}, {axisId: GCP_IAM_ANALYSIS - ingestion_metric_with_ingestion_stats.total_size_bytes, + id: GCP_IAM_ANALYSIS - ingestion_metric_with_ingestion_stats.total_size_bytes, + name: GCP_IAM_ANALYSIS}, {axisId: GCP_IAM_CONTEXT - ingestion_metric_with_ingestion_stats.total_size_bytes, + id: GCP_IAM_CONTEXT - ingestion_metric_with_ingestion_stats.total_size_bytes, + name: GCP_IAM_CONTEXT}, {axisId: GCP_SECURITYCENTER - ingestion_metric_with_ingestion_stats.total_size_bytes, + id: GCP_SECURITYCENTER - ingestion_metric_with_ingestion_stats.total_size_bytes, + name: GCP_SECURITYCENTER}, {axisId: GCP_SECURITYCENTER_ERROR - ingestion_metric_with_ingestion_stats.total_size_bytes, + id: GCP_SECURITYCENTER_ERROR - ingestion_metric_with_ingestion_stats.total_size_bytes, + name: GCP_SECURITYCENTER_ERROR}, {axisId: GCP_SECURITYCENTER_MISCONFIGURATION + - ingestion_metric_with_ingestion_stats.total_size_bytes, id: GCP_SECURITYCENTER_MISCONFIGURATION + - ingestion_metric_with_ingestion_stats.total_size_bytes, name: 
GCP_SECURITYCENTER_MISCONFIGURATION}, + {axisId: GCP_SECURITYCENTER_OBSERVATION - ingestion_metric_with_ingestion_stats.total_size_bytes, + id: GCP_SECURITYCENTER_OBSERVATION - ingestion_metric_with_ingestion_stats.total_size_bytes, + name: GCP_SECURITYCENTER_OBSERVATION}, {axisId: GCP_SECURITYCENTER_THREAT + - ingestion_metric_with_ingestion_stats.total_size_bytes, id: GCP_SECURITYCENTER_THREAT + - ingestion_metric_with_ingestion_stats.total_size_bytes, name: GCP_SECURITYCENTER_THREAT}, + {axisId: GCP_SECURITYCENTER_UNSPECIFIED - ingestion_metric_with_ingestion_stats.total_size_bytes, + id: GCP_SECURITYCENTER_UNSPECIFIED - ingestion_metric_with_ingestion_stats.total_size_bytes, + name: GCP_SECURITYCENTER_UNSPECIFIED}, {axisId: GCP_SECURITYCENTER_VULNERABILITY + - ingestion_metric_with_ingestion_stats.total_size_bytes, id: GCP_SECURITYCENTER_VULNERABILITY + - ingestion_metric_with_ingestion_stats.total_size_bytes, name: GCP_SECURITYCENTER_VULNERABILITY}, + {axisId: GCP_STORAGE_CONTEXT - ingestion_metric_with_ingestion_stats.total_size_bytes, + id: GCP_STORAGE_CONTEXT - ingestion_metric_with_ingestion_stats.total_size_bytes, + name: GCP_STORAGE_CONTEXT}, {axisId: GCP_VPC_FLOW - ingestion_metric_with_ingestion_stats.total_size_bytes, + id: GCP_VPC_FLOW - ingestion_metric_with_ingestion_stats.total_size_bytes, + name: GCP_VPC_FLOW}], showLabels: true, showValues: true, unpinAxis: false, + tickDensity: default, tickDensityCustom: 5, type: linear}] + x_axis_zoom: true + y_axis_zoom: true + limit_displayed_rows_values: + show_hide: show + first_last: first + num_rows: '15' + hide_legend: false + series_types: {} + defaults_version: 1 + hidden_pivots: {} + show_row_numbers: true + transpose: false + truncate_text: true + hide_totals: false + hide_row_totals: false + size_to_fit: true + table_theme: white + enable_conditional_formatting: false + header_text_alignment: left + header_font_size: 12 + rows_font_size: 12 + conditional_formatting_include_totals: false + 
conditional_formatting_include_nulls: false + listen: + GCP Log Type: ingestion_metric_with_ingestion_stats.gcp_log_type + row: 42 + col: 0 + width: 24 + height: 6 + - title: Detection Coverage + name: Detection Coverage + explore: rulesets_with_rule_detections + type: looker_grid + fields: [rulesets_with_rule_detections.ruleset_name, rulesets_with_rule_detections.precise_live, + rulesets_with_rule_detections.precise_alerting, rulesets_with_rule_detections.broad_live, + rulesets_with_rule_detections.broad_alerting, count_of_event_timestamp_time, + rulesets_with_rule_detections.latest_detection] + filters: + rulesets_with_rule_detections.ruleset_family_name: Cloud Threats + sorts: [count_of_event_timestamp_time desc 0] + limit: 500 + dynamic_fields: [{category: measure, expression: '', label: Count of Event Timestamp + Time, value_format: ' [>=1000000]0,,\"M\";[>=1000]0,\"K\";0', value_format_name: __custom, + based_on: rulesets_with_rule_detections.event_timestamp_time, _kind_hint: measure, + measure: count_of_event_timestamp_time, type: count_distinct, _type_hint: number}] + show_view_names: false + show_row_numbers: true + transpose: false + truncate_text: true + hide_totals: false + hide_row_totals: false + size_to_fit: true + table_theme: white + limit_displayed_rows: false + enable_conditional_formatting: false + header_text_alignment: left + header_font_size: '12' + rows_font_size: '12' + conditional_formatting_include_totals: false + conditional_formatting_include_nulls: false + x_axis_gridlines: false + y_axis_gridlines: true + show_y_axis_labels: true + show_y_axis_ticks: true + y_axis_tick_density: default + y_axis_tick_density_custom: 5 + show_x_axis_label: true + show_x_axis_ticks: true + y_axis_scale_mode: linear + x_axis_reversed: false + y_axis_reversed: false + plot_size_by_field: false + trellis: '' + stacking: '' + legend_position: center + point_style: none + show_value_labels: false + label_density: 25 + x_axis_scale: auto + y_axis_combined: 
true + ordering: none + show_null_labels: false + show_totals_labels: false + show_silhouette: false + totals_color: "#808080" + defaults_version: 1 + series_types: {} + show_sql_query_menu_options: false + column_order: ["$$$_row_numbers_$$$", rulesets_with_rule_detections.ruleset_name, + rulesets_with_rule_detections.precise_live, rulesets_with_rule_detections.precise_alerting, + rulesets_with_rule_detections.broad_live, rulesets_with_rule_detections.broad_alerting, + count_of_event_timestamp_time, rulesets_with_rule_detections.event_timestamp_time] + show_totals: true + show_row_totals: true + truncate_header: false + series_labels: + count_of_event_timestamp_time: Number of Detections + rulesets_with_rule_detections.event_timestamp_time: Latest detection + series_column_widths: + rulesets_with_rule_detections.event_timestamp_time: 129 + rulesets_with_rule_detections.broad_alerting: 124 + rulesets_with_rule_detections.ruleset_name: 292 + rulesets_with_rule_detections.broad_live: 123 + rulesets_with_rule_detections.precise_alerting: 144 + rulesets_with_rule_detections.precise_live: 137 + count_of_event_timestamp_time: 298 + series_cell_visualizations: + count_of_event_timestamp_time: + is_active: true + show_null_points: true + listen: {} + row: 19 + col: 0 + width: 24 + height: 5 + - name: CDIR Rulesets Enabled + type: text + title_text: CDIR Rulesets Enabled + subtitle_text: '' + body_text: '' + row: 0 + col: 0 + width: 8 + height: 1 + - name: CDIR Alerts + type: text + title_text: CDIR Alerts + subtitle_text: '' + body_text: '' + row: 0 + col: 16 + width: 8 + height: 1 + - name: GCP Data Sources Covered + type: text + title_text: GCP Data Sources Covered + subtitle_text: '' + body_text: '' + row: 0 + col: 8 + width: 8 + height: 1 + filters: + - name: Time + title: Time + type: field_filter + default_value: 7 day + allow_multiple_values: true + required: true + ui_config: + type: advanced + display: popover + options: [] + explore: rule_detections + 
listens_to_filters: [] + field: rule_detections.event_timestamp_time + - name: GCP Log Type + title: GCP Log Type + type: field_filter + default_value: "-NULL" + allow_multiple_values: true + required: false + ui_config: + type: advanced + display: popover + options: [] + explore: ingestion_metrics + listens_to_filters: [] + field: ingestion_metrics.gcp_log_type diff --git a/dashboards/data_ingestion_and_health.dashboard.lookml b/dashboards/data_ingestion_and_health.dashboard.lookml index 99f3baa..a3e680a 100644 --- a/dashboards/data_ingestion_and_health.dashboard.lookml +++ b/dashboards/data_ingestion_and_health.dashboard.lookml @@ -1,5 +1,5 @@ - dashboard: data_ingestion_and_health - title: Data Ingestion and Health (DEPRECATED) + title: Data Ingestion and Health layout: newspaper preferred_viewer: dashboards-next elements: @@ -11,7 +11,7 @@ filters: ingestion_stats.period: This Period sorts: [ingestion_stats.total_entry_number desc] - limit: 500 + limit: 50 value_labels: legend label_type: labPer x_axis_gridlines: false @@ -45,6 +45,7 @@ series_types: {} listen: Time: ingestion_stats.period_filter + Log Type: ingestion_stats.log_type row: 3 col: 0 width: 12 @@ -57,7 +58,7 @@ filters: ingestion_stats.period: This Period sorts: [ingestion_stats.total_size_bytes desc] - limit: 500 + limit: 50 value_labels: legend label_type: labPer x_axis_gridlines: false @@ -91,6 +92,7 @@ series_types: {} listen: Time: ingestion_stats.period_filter + Log Type: ingestion_stats.log_type row: 3 col: 12 width: 12 @@ -128,7 +130,8 @@ num_rows: '10' series_types: {} defaults_version: 1 - listen: {} + listen: + Log Type: ingestion_stats.log_type row: 24 col: 12 width: 12 @@ -182,7 +185,8 @@ ingestion_stats.total_size_bytes_GiB: Ingestion Throughput ingestion_stats.total_entry_number: Ingested Event Count defaults_version: 1 - listen: {} + listen: + Log Type: ingestion_stats.log_type row: 30 col: 0 width: 8 
@@ -194,7 +198,7 @@ fields: [ingestion_stats.timestamp_hour, ingestion_stats.total_entry_number, ingestion_stats.total_size_bytes_GiB] fill_fields: [ingestion_stats.timestamp_hour] filters: - ingestion_stats.timestamp_time: 1 weeks + ingestion_stats.timestamp_time: 7 days sorts: [ingestion_stats.timestamp_hour desc] limit: 500 query_timezone: America/Los_Angeles @@ -236,7 +240,8 @@ ingestion_stats.total_entry_number: Ingested Event Count ingestion_stats.total_size_bytes_GiB: Ingestion Throughput defaults_version: 1 - listen: {} + listen: + Log Type: ingestion_stats.log_type row: 30 col: 8 width: 8 @@ -294,7 +299,8 @@ ingestion_stats.total_size_bytes_GiB: Ingestion Throughput ingestion_stats.total_entry_number: Ingested Event Count defaults_version: 1 - listen: {} + listen: + Log Type: ingestion_stats.log_type row: 30 col: 16 width: 8 @@ -307,9 +313,9 @@ sorts: [ingestion_stats.period desc] limit: 500 column_limit: 50 - dynamic_fields: [{table_calculation: delta, label: Delta, expression: '${ingestion_stats.total_entry_number} - - offset(${ingestion_stats.total_entry_number}, 1)', value_format: "#,##0,\" K\";-#,##0,\" K\"", - value_format_name: !!null '', _kind_hint: measure, _type_hint: number}] + dynamic_fields: [{table_calculation: delta, label: Delta, expression: "${ingestion_stats.total_entry_number}\ + \ - offset(${ingestion_stats.total_entry_number}, 1)", value_format: '#,##0," + K";-#,##0," K"', value_format_name: !!null '', _kind_hint: measure, _type_hint: number}] query_timezone: America/Los_Angeles custom_color_enabled: true show_single_value_title: false @@ -320,7 +326,7 @@ enable_conditional_formatting: false conditional_formatting_include_totals: false conditional_formatting_include_nulls: false - value_format: "[>=1000000000]#,##0,,,\" B\";[>=1000000]0,,\" M\";0,\" K\"" + value_format: '[>=1000000000]#,##0,,," B";[>=1000000]0,," M";0," K"' x_axis_gridlines: false y_axis_gridlines: true show_view_names: false 
@@ -352,6 +358,7 @@ note_text: Delta compared to previous time period listen: Time: ingestion_stats.period_filter + Log Type: ingestion_stats.log_type row: 0 col: 5 width: 5 @@ -363,9 +370,9 @@ fields: [ingestion_stats.total_error_events, ingestion_stats.period] sorts: [ingestion_stats.period desc] limit: 500 - dynamic_fields: [{table_calculation: delta, label: Delta, expression: '${ingestion_stats.total_error_events} - - offset(${ingestion_stats.total_error_events}, 1)', value_format: "#,##0.0,\" K\";-#,##0.0,\" K\"", - value_format_name: !!null '', _kind_hint: measure, _type_hint: number}] + dynamic_fields: [{table_calculation: delta, label: Delta, expression: "${ingestion_stats.total_error_events}\ + \ - offset(${ingestion_stats.total_error_events}, 1)", value_format: '#,##0.0," + K";-#,##0.0," K"', value_format_name: !!null '', _kind_hint: measure, _type_hint: number}] query_timezone: America/Los_Angeles custom_color_enabled: true show_single_value_title: false @@ -376,7 +383,7 @@ enable_conditional_formatting: false conditional_formatting_include_totals: false conditional_formatting_include_nulls: false - value_format: "[>=1000000000]#,##0,,,\" B\";[>=1000000]0,,\" M\";0,\" K\"" + value_format: '[>=1000000000]#,##0,,," B";[>=1000000]0,," M";0," K"' x_axis_gridlines: false y_axis_gridlines: true show_view_names: false @@ -408,6 +415,7 @@ note_text: Delta compared to previous time period listen: Time: ingestion_stats.period_filter + Log Type: ingestion_stats.log_type row: 0 col: 15 width: 5 @@ -415,7 +423,6 @@ - name: Ingested Events Count type: text title_text: Ingested Events Count - subtitle_text: '' body_text: '' row: 0 col: 0 @@ -424,7 +431,6 @@ - name: Ingestion Error Count type: text title_text: Ingestion Error Count - subtitle_text: '' body_text: '' row: 0 col: 10 @@ -491,7 +497,8 @@ totals_color: "#808080" defaults_version: 1 series_types: {} - listen: {} + listen: + Log Type: ingestion_stats.log_type row: 24 col: 0 width: 12 
@@ -536,6 +543,7 @@ defaults_version: 1 listen: Time: ingestion_stats.period_filter + Log Type: ingestion_stats.log_type row: 9 col: 0 width: 24 @@ -611,6 +619,7 @@ series_types: {} listen: Time: ingestion_stats.period_filter + Log Type: ingestion_stats.log_type row: 16 col: 0 width: 24 @@ -730,7 +739,8 @@ defaults_version: 1 hide_totals: false hide_row_totals: false - listen: {} + listen: + Log Type: ingestion_stats.log_type row: 36 col: 0 width: 24 @@ -850,7 +860,8 @@ defaults_version: 1 hide_totals: false hide_row_totals: false - listen: {} + listen: + Log Type: ingestion_stats.log_type row: 43 col: 0 width: 24 @@ -970,7 +981,8 @@ defaults_version: 1 hide_totals: false hide_row_totals: false - listen: {} + listen: + Log Type: ingestion_stats.log_type row: 50 col: 0 width: 24 @@ -1088,7 +1100,8 @@ defaults_version: 1 hide_totals: false hide_row_totals: false - listen: {} + listen: + Log Type: ingestion_stats.log_type row: 57 col: 0 width: 24 @@ -1096,7 +1109,6 @@ - name: '' type: text title_text: '' - subtitle_text: '' body_text: '**Please note that the dashboards below have timelines that are pre-selected and the "Time" filter doesn''t apply to them**' row: 22 @@ -1117,3 +1129,16 @@ explore: ingestion_stats listens_to_filters: [] field: ingestion_stats.period_filter + - name: Log Type + title: Log Type + type: field_filter + default_value: '' + allow_multiple_values: true + required: false + ui_config: + type: advanced + display: popover + options: [] + explore: ingestion_stats + listens_to_filters: [] + field: ingestion_stats.log_type diff --git a/dashboards/health_ingestion_metrics.dashboard.lookml b/dashboards/health_ingestion_metrics.dashboard.lookml index 1987913..b6de7d8 100644 --- a/dashboards/health_ingestion_metrics.dashboard.lookml +++ b/dashboards/health_ingestion_metrics.dashboard.lookml 
@@ -11,7 +11,7 @@
 filters:
 ingestion_metric_with_ingestion_stats.period: This Period
 sorts: [ingestion_metric_with_ingestion_stats.total_entry_number desc]
- limit: 500
+ limit: 50
 value_labels: legend
 label_type: labPer
 x_axis_gridlines: false
@@ -45,6 +45,7 @@
 series_types: {}
 listen:
 Time: ingestion_metric_with_ingestion_stats.period_filter
+ Log Type: ingestion_metric_with_ingestion_stats.log_type
 row: 3
 col: 0
 width: 12
@@ -57,7 +58,7 @@
 filters:
 ingestion_metric_with_ingestion_stats.period: This Period
 sorts: [ingestion_metric_with_ingestion_stats.total_size_bytes desc]
- limit: 500
+ limit: 50
 value_labels: legend
 label_type: labPer
 x_axis_gridlines: false
@@ -91,6 +92,7 @@
 series_types: {}
 listen:
 Time: ingestion_metric_with_ingestion_stats.period_filter
+ Log Type: ingestion_metric_with_ingestion_stats.log_type
 row: 3
 col: 12
 width: 12
@@ -128,7 +130,8 @@
 num_rows: '10'
 series_types: {}
 defaults_version: 1
- listen: {}
+ listen:
+ Log Type: ingestion_metric_with_ingestion_stats.log_type
 row: 24
 col: 12
 width: 12
@@ -182,7 +185,8 @@
 ingestion_metric_with_ingestion_stats.total_size_bytes_GiB: Ingestion Throughput
 ingestion_metric_with_ingestion_stats.total_entry_number: Ingested Event Count
 defaults_version: 1
- listen: {}
+ listen:
+ Log Type: ingestion_metric_with_ingestion_stats.log_type
 row: 30
 col: 0
 width: 8
@@ -194,7 +198,7 @@
 fields: [ingestion_metric_with_ingestion_stats.timestamp_hour, ingestion_metric_with_ingestion_stats.total_entry_number, ingestion_metric_with_ingestion_stats.total_size_bytes_GiB]
 fill_fields: [ingestion_metric_with_ingestion_stats.timestamp_hour]
 filters:
- ingestion_metric_with_ingestion_stats.timestamp_time: 1 weeks
+ ingestion_metric_with_ingestion_stats.timestamp_time: 7 days
 sorts: [ingestion_metric_with_ingestion_stats.timestamp_hour desc]
 limit: 500
 query_timezone: America/Los_Angeles
@@ -236,7 +240,8 @@
 ingestion_metric_with_ingestion_stats.total_entry_number: Ingested Event Count
 ingestion_metric_with_ingestion_stats.total_size_bytes_GiB: Ingestion Throughput
 defaults_version: 1
- listen: {}
+ listen:
+ Log Type: ingestion_metric_with_ingestion_stats.log_type
 row: 30
 col: 8
 width: 8
@@ -294,7 +299,8 @@
 ingestion_metric_with_ingestion_stats.total_size_bytes_GiB: Ingestion Throughput
 ingestion_metric_with_ingestion_stats.total_entry_number: Ingested Event Count
 defaults_version: 1
- listen: {}
+ listen:
+ Log Type: ingestion_metric_with_ingestion_stats.log_type
 row: 30
 col: 16
 width: 8
@@ -352,8 +358,9 @@
 note_text: Delta compared to previous time period
 listen:
 Time: ingestion_metric_with_ingestion_stats.period_filter
+ Log Type: ingestion_metric_with_ingestion_stats.log_type
 row: 0
- col: 5
+ col: 7
 width: 5
 height: 3
 - title: Total Error Count
@@ -408,8 +415,9 @@
 note_text: Delta compared to previous time period
 listen:
 Time: ingestion_metric_with_ingestion_stats.period_filter
+ Log Type: ingestion_metric_with_ingestion_stats.log_type
 row: 0
- col: 15
+ col: 19
 width: 5
 height: 3
 - name: Ingested Events Count
@@ -418,7 +426,7 @@
 subtitle_text: ''
 body_text: ''
 row: 0
- col: 0
+ col: 2
 width: 5
 height: 3
 - name: Ingestion Error Count
@@ -427,7 +435,7 @@
 subtitle_text: ''
 body_text: ''
 row: 0
- col: 10
+ col: 14
 width: 5
 height: 3
 - title: Recently Ingested Events
@@ -491,7 +499,8 @@
 totals_color: "#808080"
 defaults_version: 1
 series_types: {}
- listen: {}
+ listen:
+ Log Type: ingestion_metric_with_ingestion_stats.log_type
 row: 24
 col: 0
 width: 12
@@ -536,6 +545,7 @@
 defaults_version: 1
 listen:
 Time: ingestion_metric_with_ingestion_stats.period_filter
+ Log Type: ingestion_metric_with_ingestion_stats.log_type
 row: 9
 col: 0
 width: 24
@@ -611,6 +621,7 @@
 series_types: {}
 listen:
 Time: ingestion_metric_with_ingestion_stats.period_filter
+ Log Type: ingestion_metric_with_ingestion_stats.log_type
 row: 16
 col: 0
 width: 24
@@ -730,7 +741,8 @@
 defaults_version: 1
 hide_totals: false
 hide_row_totals: false
- listen: {}
+ listen:
+ Log Type: ingestion_metric_with_ingestion_stats.log_type
 row: 36
 col: 0
 width: 24
@@ -850,7 +862,8 @@
 defaults_version: 1
 hide_totals: false
 hide_row_totals: false
- listen: {}
+ listen:
+ Log Type: ingestion_metric_with_ingestion_stats.log_type
 row: 43
 col: 0
 width: 24
@@ -970,7 +983,8 @@
 defaults_version: 1
 hide_totals: false
 hide_row_totals: false
- listen: {}
+ listen:
+ Log Type: ingestion_metric_with_ingestion_stats.log_type
 row: 50
 col: 0
 width: 24
@@ -1088,7 +1102,8 @@
 defaults_version: 1
 hide_totals: false
 hide_row_totals: false
- listen: {}
+ listen:
+ Log Type: ingestion_metric_with_ingestion_stats.log_type
 row: 57
 col: 0
 width: 24
diff --git a/dashboards/ingestion_health_alert.dashboard.lookml b/dashboards/ingestion_health_alert.dashboard.lookml
new file mode 100644
index 0000000..4a44040
--- /dev/null
+++ b/dashboards/ingestion_health_alert.dashboard.lookml
@@ -0,0 +1,88 @@ +- dashboard: ingestion_health_alert + title: Ingestion Health Alert + layout: newspaper + preferred_viewer: dashboards-next + elements: + - title: Ingested Events + name: Ingested Events + explore: ingestion_metrics + type: looker_line + fields: [ingestion_metrics.timestamp_hour, ingestion_metrics.total_entry_number] + fill_fields: [ingestion_metrics.timestamp_hour] + sorts: [ingestion_metrics.timestamp_hour desc] + limit: 500 + x_axis_gridlines: false + y_axis_gridlines: true + show_view_names: false + show_y_axis_labels: true + show_y_axis_ticks: true + y_axis_tick_density: default + y_axis_tick_density_custom: 5 + show_x_axis_label: true + show_x_axis_ticks: true + y_axis_scale_mode: linear + x_axis_reversed: false + y_axis_reversed: false + plot_size_by_field: false + trellis: '' + stacking: '' + limit_displayed_rows: false + legend_position: center + point_style: none + show_value_labels: false + label_density: 25 + x_axis_scale: auto + y_axis_combined: true + show_null_points: true + interpolation: linear + y_axes: [{label: Ingested Event Count, orientation: left, series: [{axisId: ingestion_metrics.total_entry_number, + id: ingestion_metrics.total_entry_number, name: Total Entry Number}], + showLabels: true, showValues: true, unpinAxis: false, tickDensity: default, + tickDensityCustom: 5, type: linear}] + defaults_version: 1 + listen: + Collector ID: ingestion_metrics.collector_id + Log Type: ingestion_metrics.log_type + Timestamp Date: ingestion_metrics.timestamp_date + row: 0 + col: 0 + width: 22 + height: 10 + filters: + - name: Collector ID + title: Collector ID + type: field_filter + default_value: '' + allow_multiple_values: true + required: false + ui_config: + type: dropdown_menu + display: popover + explore: ingestion_metrics + listens_to_filters: [] + field: ingestion_metrics.collector_id + - name: Log Type + title: Log Type + type: field_filter + default_value: '' + allow_multiple_values: true + required: false + ui_config: + 
type: dropdown_menu + display: popover + explore: ingestion_metrics + listens_to_filters: [] + field: ingestion_metrics.log_type + - name: Timestamp Date + title: Timestamp Date + type: field_filter + default_value: 7 day + allow_multiple_values: true + required: false + ui_config: + type: relative_timeframes + display: inline + options: [] + explore: ingestion_metrics + listens_to_filters: [] + field: ingestion_metrics.timestamp_date diff --git a/dashboards/main.dashboard.lookml b/dashboards/main.dashboard.lookml index c9c1ef7..54e928f 100644 --- a/dashboards/main.dashboard.lookml +++ b/dashboards/main.dashboard.lookml @@ -39,7 +39,7 @@ limit: 500 dynamic_fields: [{table_calculation: delta, label: Delta, expression: '(${rule_detections.count_for_drill} - offset(${rule_detections.count_for_drill}, 1))', value_format: "#,##0;-#,##0", - value_format_name: !!null '', _kind_hint: measure, _type_hint: number}] + value_format_name: !!null '', _kind_hint: measure, _type_hint: number}] query_timezone: America/Los_Angeles custom_color_enabled: true show_single_value_title: false 
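Review bot: In the new `ingestion_health_alert.dashboard.lookml`, the `Ingested Events` tile has no `filters:` block and both `Collector ID` and `Log Type` default to `''`, so with the defaults the line is one hourly total across every source. The main dashboard tiles touched by this same patch exclude `FORWARDER_HEARTBEAT`; if heartbeat rows are also present in `ingestion_metrics` (not visible here), they can hold the total above an alert threshold while a real log source has gone silent. Consider `default_value: '-"FORWARDER_HEARTBEAT"'` on the `Log Type` filter, plus a header comment such as `# Alerts on this tile should be scoped to one log type or collector`. Separately, `limit: 500` on hourly rows truncates the series once `Timestamp Date` is widened past roughly 20 days.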
@@ -88,21 +88,17 @@ height: 3 - title: Ingestion Data Size name: Ingestion Data Size - explore: ingestion_stats + explore: ingestion_metric_with_ingestion_stats type: single_value - fields: [ingestion_stats.total_size_bytes, ingestion_stats.period] + fields: [ingestion_metric_with_ingestion_stats.total_size_bytes, ingestion_metric_with_ingestion_stats.period] filters: - ingestion_stats.log_type: -"FORWARDER_HEARTBEAT" - sorts: [ingestion_stats.period desc] + ingestion_metric_with_ingestion_stats.log_type: -"FORWARDER_HEARTBEAT" + sorts: [ingestion_metric_with_ingestion_stats.period desc] limit: 500 - dynamic_fields: [{table_calculation: size_gb, label: Size (GB), expression: " round(${ingestion_stats.total_size_bytes}/1000/1000/1000,\ - \ 2)", value_format: !!null '', value_format_name: !!null '', is_disabled: true, - _kind_hint: dimension, _type_hint: number}, {table_calculation: delta, label: Delta, - expression: '${ingestion_stats.total_size_bytes} - offset(${ingestion_stats.total_size_bytes},1)', - value_format: "#,##0.0,,,\" GB\";-#,##0.0,,,\" GB\"", value_format_name: !!null '', is_disabled: false, - _kind_hint: measure, _type_hint: number}, {measure: sum_of_size_bytes, based_on: ingestion_stats.size_bytes, - type: sum, label: Sum of Size Bytes, expression: !!null '', _kind_hint: measure, - _type_hint: number}] + dynamic_fields: [{category: table_calculation, expression: "${ingestion_metric_with_ingestion_stats.total_size_bytes}\ + \ - offset(${ingestion_metric_with_ingestion_stats.total_size_bytes},1)", + label: Delta, value_format: '#,##0.0,,," GB";-#,##0.0,,," GB"', value_format_name: !!null '', + _kind_hint: measure, table_calculation: delta, _type_hint: number}] query_timezone: America/Los_Angeles custom_color_enabled: true show_single_value_title: false 
@@ -165,26 +161,24 @@ note_display: hover note_text: Delta compared to previous time period listen: - Time: ingestion_stats.period_filter + Time: ingestion_metric_with_ingestion_stats.period_filter row: 3 col: 7 width: 9 height: 3 - title: Events Over Time name: Events Over Time - explore: ingestion_stats + explore: ingestion_metric_with_ingestion_stats type: looker_column - fields: [total_events_count, ingestion_stats.timestamp_date, ingestion_stats.log_type_for_drill] - pivots: [ingestion_stats.log_type_for_drill] - fill_fields: [ingestion_stats.timestamp_date] + fields: [ingestion_metric_with_ingestion_stats.total_entry_number, ingestion_metric_with_ingestion_stats.timestamp_date, + ingestion_metric_with_ingestion_stats.log_type_for_drill] + pivots: [ingestion_metric_with_ingestion_stats.log_type_for_drill] + fill_fields: [ingestion_metric_with_ingestion_stats.timestamp_date] filters: - ingestion_stats.log_type_for_drill: -"FORWARDER_HEARTBEAT",-NULL - ingestion_stats.period: This Period - sorts: [ingestion_stats.timestamp_date desc, ingestion_stats.log_type_for_drill] + ingestion_metric_with_ingestion_stats.log_type_for_drill: -"FORWARDER_HEARTBEAT",-NULL + ingestion_metric_with_ingestion_stats.period: This Period + sorts: [ingestion_metric_with_ingestion_stats.timestamp_date desc, ingestion_metric_with_ingestion_stats.log_type_for_drill] limit: 500 - dynamic_fields: [{measure: total_events_count, based_on: ingestion_stats.entry_number, - type: sum, label: Total Events Count, expression: !!null '', value_format: !!null '', - value_format_name: !!null '', _kind_hint: measure, _type_hint: number}] query_timezone: America/Los_Angeles x_axis_gridlines: false y_axis_gridlines: true 
@@ -225,22 +219,77 @@ note_display: hover note_text: Trends for volume of different event types ingested by Chronicle listen: - Time: ingestion_stats.period_filter + Time: ingestion_metric_with_ingestion_stats.period_filter row: 7 col: 0 width: 10 height: 9 + - title: Events for Main Dashboard + name: Events for Main Dashboard + explore: ingestion_metric_with_ingestion_stats + type: single_value + fields: [ingestion_metric_with_ingestion_stats.total_entry_number, ingestion_metric_with_ingestion_stats.period] + sorts: [ingestion_metric_with_ingestion_stats.period desc] + limit: 500 + column_limit: 50 + dynamic_fields: [{table_calculation: delta, label: Delta, expression: '${ingestion_metric_with_ingestion_stats.total_entry_number} + - offset(${ingestion_metric_with_ingestion_stats.total_entry_number}, 1)', value_format: "#,##0,\" K\";-#,##0,\" K\"", + value_format_name: !!null '', _kind_hint: measure, _type_hint: number}] + query_timezone: America/Los_Angeles + custom_color_enabled: true + show_single_value_title: false + show_comparison: true + comparison_type: change + comparison_reverse_colors: false + show_comparison_label: false + enable_conditional_formatting: false + conditional_formatting_include_totals: false + conditional_formatting_include_nulls: false + value_format: "[>=1000000000]#,##0,,,\" B\";[>=1000000]0,,\" M\";0,\" K\"" + x_axis_gridlines: false + y_axis_gridlines: true + show_view_names: false + show_y_axis_labels: true + show_y_axis_ticks: true + y_axis_tick_density: default + y_axis_tick_density_custom: 5 + show_x_axis_label: true + show_x_axis_ticks: true + y_axis_scale_mode: linear + x_axis_reversed: false + y_axis_reversed: false + plot_size_by_field: false + trellis: '' + stacking: '' + limit_displayed_rows: false + legend_position: center + point_style: none + show_value_labels: false + label_density: 25 + x_axis_scale: auto + y_axis_combined: true + show_null_points: true + interpolation: linear + defaults_version: 1 + series_types: {} + 
note_state: collapsed + note_display: hover + note_text: Delta compared to previous time period + listen: + Time: ingestion_metric_with_ingestion_stats.period_filter + row: 3 + col: 0 + width: 7 + height: 3 - title: Global Threat Map - IOC IP Matches name: Global Threat Map - IOC IP Matches - explore: global_threat_map_ioc + explore: ioc_matches type: looker_map - fields: [global_threat_map_ioc.ioc_matches_test_ioc_value, global_threat_map_ioc.location, - global_threat_map_ioc.count] + fields: [ioc_matches.ioc_value, ioc_matches.count, ioc_matches.ioc_location] filters: - global_threat_map_ioc.ioc_matches_test_ioc_value: "-NULL" - sorts: [global_threat_map_ioc.count desc] + ioc_matches.ioc_type: '"IOC_TYPE_IP"' + sorts: [ioc_matches.count desc] limit: 5000 - query_timezone: America/Los_Angeles map_plot_mode: points heatmap_gridlines: false heatmap_gridlines_empty: false 
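Review bot: The re-added `Events for Main Dashboard` tile in this hunk has no `filters:` block, while the copy removed further down in the same file carried `ingestion_stats.log_type: -"FORWARDER_HEARTBEAT"` and the sibling `Ingestion Data Size` tile still excludes heartbeats on the new explore. Unless `ingestion_metric_with_ingestion_stats` drops heartbeat rows itself (not visible here), the headline event count and its delta now include forwarder heartbeats and no longer agree with the other two ingestion tiles. If the drop was not intended, restore it after `fields:` as `filters:` with `ingestion_metric_with_ingestion_stats.log_type: -"FORWARDER_HEARTBEAT"`.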
@@ -262,49 +311,12 @@ show_legend: true quantize_map_value_colors: false reverse_map_value_colors: false - map_latitude: 18.646245142670608 - map_longitude: 4.921875000000001 - map_zoom: 1 - map_marker_radius_fixed: 3 - map_marker_radius_max: 20 + map_latitude: 34.28116438134217 + map_longitude: -65.88741302490236 + map_zoom: 3 map_marker_color: [red] - defaults_version: 1 - note_state: collapsed - note_display: hover - note_text: Geo-location of the IP addresses of IOC matches, put on a Global Map - listen: - Time: global_threat_map_ioc.period_filter - row: 7 - col: 10 - width: 14 - height: 9 - - title: Events for Main Dashboard - name: Events for Main Dashboard - explore: ingestion_stats - type: single_value - fields: [ingestion_stats.total_entry_number, ingestion_stats.period] - filters: - ingestion_stats.log_type: -"FORWARDER_HEARTBEAT" - sorts: [ingestion_stats.period desc] - limit: 500 - dynamic_fields: [{table_calculation: delta, label: Delta, expression: '${ingestion_stats.total_entry_number} - - offset(${ingestion_stats.total_entry_number}, 1)', - value_format: "#,##0,\" K\";-#,##0,\" K\"", value_format_name: !!null '', _kind_hint: measure, - _type_hint: number}] - query_timezone: America/Los_Angeles - custom_color_enabled: true - show_single_value_title: false - show_comparison: true - comparison_type: change - comparison_reverse_colors: false - show_comparison_label: false - enable_conditional_formatting: false - conditional_formatting_include_totals: false - conditional_formatting_include_nulls: false - value_format: "[>=1000000000]#,##0,,,\" B\";[>=1000000]0,,\" M\";0,\" K\"" x_axis_gridlines: false y_axis_gridlines: true - show_view_names: false show_y_axis_labels: true show_y_axis_ticks: true y_axis_tick_density: default 
@@ -324,19 +336,22 @@ label_density: 25 x_axis_scale: auto y_axis_combined: true - show_null_points: true - interpolation: linear + ordering: none + show_null_labels: false + show_totals_labels: false + show_silhouette: false + totals_color: "#808080" defaults_version: 1 series_types: {} note_state: collapsed note_display: hover - note_text: Delta compared to previous time period + note_text: Geo-location of the IP addresses of IOC matches, put on a Global Map listen: - Time: ingestion_stats.period_filter - row: 3 - col: 0 - width: 7 - height: 3 + Time: ioc_matches.event_timestamp_date + row: 5 + col: 10 + width: 14 + height: 9 filters: - name: Time title: Time diff --git a/dashboards/rule_detections.dashboard.lookml b/dashboards/rule_detections.dashboard.lookml index ded5a9d..bcbf9ff 100644 --- a/dashboards/rule_detections.dashboard.lookml +++ b/dashboards/rule_detections.dashboard.lookml @@ -144,7 +144,7 @@ filters: rule_detections.severity: "-NULL,-EMPTY" sorts: [rule_detections.severity 0] - limit: 500 + limit: 50 query_timezone: America/Los_Angeles value_labels: legend label_type: labPer diff --git a/dashboards/user_signin_overview.dashboard.lookml b/dashboards/user_signin_overview.dashboard.lookml index 4f8c670..1f57cda 100644 --- a/dashboards/user_signin_overview.dashboard.lookml +++ b/dashboards/user_signin_overview.dashboard.lookml @@ -9,7 +9,7 @@ type: looker_pie fields: [udm_events_aggregates.action, udm_events_aggregates.count] sorts: [udm_events_aggregates.count desc] - limit: 500 + limit: 50 value_labels: legend label_type: val inner_radius: 60 
@@ -456,11 +456,10 @@ height: 6 - title: Sign In Location Map name: Sign In Location Map - explore: user_login_source_geo_ip + explore: udm_events_aggregates type: looker_map - fields: [user_login_source_geo_ip.principal_ip, user_login_source_geo_ip.location, - user_login_source_geo_ip.count] - sorts: [user_login_source_geo_ip.count desc] + fields: [udm_events_aggregates.count, udm_events_aggregates.principal_ip, udm_events_aggregates.principal_location__location] + sorts: [udm_events_aggregates.count desc] limit: 5000 map_plot_mode: points heatmap_gridlines: false @@ -489,7 +488,7 @@ map_marker_radius_max: 20 defaults_version: 1 listen: - Time: user_login_source_geo_ip.time_filter + Time: udm_events_aggregates.event_hour_time row: 21 col: 8 width: 7 @@ -578,12 +577,12 @@ height: 7 - title: Sign Ins by Country name: Sign Ins by Country - explore: user_login_source_geo_ip + explore: udm_events_aggregates type: looker_bar - fields: [user_login_source_geo_ip.count, user_login_source_geo_ip.country_label] + fields: [udm_events_aggregates.principal_location__country_or_region, udm_events_aggregates.count] filters: - user_login_source_geo_ip.country_label: "-NULL" - sorts: [user_login_source_geo_ip.count desc 0, user_login_source_geo_ip.country_label] + udm_events_aggregates.principal_location__country_or_region: "-NULL" + sorts: [udm_events_aggregates.count desc, udm_events_aggregates.principal_location__country_or_region] limit: 5000 x_axis_gridlines: false y_axis_gridlines: true 
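Review bot: The "Sign In Location Map" tile now queries `udm_events_aggregates`, but no `filters:` entry appears between `fields:` and `sorts:` in this hunk, so nothing visible restricts it to login events. The previous `user_login_source_geo_ip` explore presumably did that scoping itself; on the generic aggregates explore the map would plot every event that has a principal location, unless a filter outside the hunk applies. The "Sign Ins by Country" hunk on this line and the "Top 10 Countries by Sign Ins" hunk that follows filter only on `principal_location__country_or_region: "-NULL"`, so the same question applies to them. I would add a tile-level filter of the form `udm_events_aggregates.<EVENT_TYPE_DIMENSION>: "<LOGIN_EVENT_TYPE>"` (placeholders; the real dimension name is not shown here) to all three tiles. The tile definition continues outside the hunk.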
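Review bot: The `listen` block of the map tile binds the dashboard `Time` filter to `udm_events_aggregates.event_hour_time`, while the "Sign Ins by Country" and "Top 10 Countries by Sign Ins" tiles in the same file bind it to `udm_events_aggregates.event_hour_date`. One dashboard filter applied to two different timeframes makes it hard to tell whether the tiles cover the same window. Unless the hour-level binding is deliberate, use `Time: udm_events_aggregates.event_hour_date` here as well, or add a one-line comment saying why this tile differs.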
@@ -612,51 +611,27 @@ show_totals_labels: false show_silhouette: false totals_color: "#808080" - y_axes: [{label: Events Count, orientation: bottom, series: [{axisId: user_login_source_geo_ip.count, - id: user_login_source_geo_ip.count, name: User Login Source Geo IP}], + y_axes: [{label: Events Count, orientation: bottom, series: [{axisId: udm_events_aggregates.count, + id: udm_events_aggregates.count, name: Udm Events Aggregates}], showLabels: true, showValues: true, unpinAxis: false, tickDensity: default, tickDensityCustom: 5, type: linear}] x_axis_label: Country series_types: {} - map_plot_mode: points - heatmap_gridlines: false - heatmap_gridlines_empty: false - heatmap_opacity: 0.5 - show_region_field: true - draw_map_labels_above_data: true - map_tile_provider: dark - map_position: fit_data - map_scale_indicator: 'off' - map_pannable: true - map_zoomable: true - map_marker_type: circle - map_marker_icon_name: default - map_marker_radius_mode: proportional_value - map_marker_units: pixels - map_marker_proportional_scale_type: linear - map_marker_color_mode: value - show_legend: true - quantize_map_value_colors: false - reverse_map_value_colors: false - map_latitude: 17.978733095556183 - map_longitude: 6.50390625 - map_zoom: 2 - map_marker_radius_max: 20 defaults_version: 1 listen: - Time: user_login_source_geo_ip.time_filter + Time: udm_events_aggregates.event_hour_date row: 15 col: 8 width: 16 height: 6 - title: Top 10 Countries by Sign Ins name: Top 10 Countries by Sign Ins - explore: user_login_source_geo_ip + explore: udm_events_aggregates type: looker_pie - fields: [user_login_source_geo_ip.count, user_login_source_geo_ip.country_label] + fields: [udm_events_aggregates.count, udm_events_aggregates.principal_location__country_or_region] filters: - user_login_source_geo_ip.country_label: "-NULL" - sorts: [user_login_source_geo_ip.count desc 0, user_login_source_geo_ip.country_label] + udm_events_aggregates.principal_location__country_or_region: "-NULL" + 
sorts: [udm_events_aggregates.count desc, udm_events_aggregates.principal_location__country_or_region] limit: 10 value_labels: legend label_type: labPer @@ -694,34 +669,10 @@ show_totals_labels: false show_silhouette: false totals_color: "#808080" - map_plot_mode: points - heatmap_gridlines: false - heatmap_gridlines_empty: false - heatmap_opacity: 0.5 - show_region_field: true - draw_map_labels_above_data: true - map_tile_provider: dark - map_position: fit_data - map_scale_indicator: 'off' - map_pannable: true - map_zoomable: true - map_marker_type: circle - map_marker_icon_name: default - map_marker_radius_mode: proportional_value - map_marker_units: pixels - map_marker_proportional_scale_type: linear - map_marker_color_mode: value - show_legend: true - quantize_map_value_colors: false - reverse_map_value_colors: false - map_latitude: 17.978733095556183 - map_longitude: 6.50390625 - map_zoom: 2 - map_marker_radius_max: 20 defaults_version: 1 series_types: {} listen: - Time: user_login_source_geo_ip.time_filter + Time: udm_events_aggregates.event_hour_date row: 15 col: 0 width: 8 diff --git a/explores/destination_geo_ip.explore.lkml b/explores/destination_geo_ip.explore.lkml deleted file mode 100644 index c80dfc1..0000000 --- a/explores/destination_geo_ip.explore.lkml +++ /dev/null @@ -1,6 +0,0 @@ -include: "/views/custom/global_threat_map_ioc.view.lkml" - -explore: destination_geo_ip { - extension: required - hidden: yes -} diff --git a/explores/global_threat_map_ioc.explore.lkml b/explores/global_threat_map_ioc.explore.lkml deleted file mode 100644 index bf30151..0000000 --- a/explores/global_threat_map_ioc.explore.lkml +++ /dev/null @@ -1,5 +0,0 @@ -include: "/views/custom/global_threat_map_ioc.view.lkml" - -explore: global_threat_map_ioc { - hidden: yes -} diff --git a/explores/refinements/entity_graph.explore.lkml b/explores/refinements/entity_graph.explore.lkml index 4ebeb1a..2a1aab9 100644 --- a/explores/refinements/entity_graph.explore.lkml 
+++ b/explores/refinements/entity_graph.explore.lkml @@ -1,9 +1,12 @@ +include: "/chronicle_features.lkml" include: "/views/refinements/entity_graph.view.lkml" include: "/views/refinements/entity_enum_value_to_name_mapping.view.lkml" include: "/explores/entity_graph.explore.lkml" explore: +entity_graph { + required_access_grants: [has_chronicle_explores_enabled] + #Naming Enums join: entity_graph__entity__asset__type { from: entity_enum__backstory__asset__asset_type diff --git a/explores/refinements/events.explore.lkml b/explores/refinements/events.explore.lkml index 1e6e881..db86e45 100644 --- a/explores/refinements/events.explore.lkml +++ b/explores/refinements/events.explore.lkml @@ -5,6 +5,7 @@ include: "/explores/events.explore.lkml" explore: +events { label: "UDM Events" + required_access_grants: [has_chronicle_feature_bq_export_external_source_enabled, has_chronicle_explores_enabled] # Naming enums join: metadata__event_type__enum { diff --git a/explores/refinements/ingestion_metric_with_ingestion_stats.explore.lkml b/explores/refinements/ingestion_metric_with_ingestion_stats.explore.lkml new file mode 100644 index 0000000..31d3c04 --- /dev/null +++ b/explores/refinements/ingestion_metric_with_ingestion_stats.explore.lkml @@ -0,0 +1,7 @@ +include: "/chronicle_features.lkml" +include: "/explores/ingestion_metric_with_ingestion_stats.explore.lkml" + + +explore: +ingestion_metric_with_ingestion_stats{ + required_access_grants: [has_chronicle_explores_enabled] +} diff --git a/explores/refinements/ingestion_metrics.explore.lkml b/explores/refinements/ingestion_metrics.explore.lkml new file mode 100644 index 0000000..780a9ae --- /dev/null +++ b/explores/refinements/ingestion_metrics.explore.lkml @@ -0,0 +1,6 @@ +include: "/chronicle_features.lkml" +include: "/explores/ingestion_metrics.explore.lkml" + +explore: +ingestion_metrics { + required_access_grants: [has_chronicle_explores_enabled] +} 
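Review bot: The `+events` refinement gains `required_access_grants`, but its hunk starts at line 5 and adds no `include: "/chronicle_features.lkml"`, which the `+entity_graph`, `+ioc_matches`, `+udm_events` and `+udm_events_aggregates` refinements in this commit all add next to their grant. If that include is not already in the file's first four lines (outside the hunk) or supplied by the model, the two grant names may not resolve here; adding `include: "/chronicle_features.lkml"` at the top keeps the file self-contained and consistent with its siblings. Because a list of several grants requires the user to hold all of them, a short comment above the line, for example `# user must hold both grants to see this explore`, would make that intent explicit. The same comment fits the matching line in `+udm_events`.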
diff --git a/explores/refinements/ingestion_stats.explore.lkml b/explores/refinements/ingestion_stats.explore.lkml new file mode 100644 index 0000000..acce05d --- /dev/null +++ b/explores/refinements/ingestion_stats.explore.lkml @@ -0,0 +1,6 @@ +include: "/chronicle_features.lkml" +include: "/explores/ingestion_stats.explore.lkml" + +explore: +ingestion_stats { + required_access_grants: [has_chronicle_explores_enabled] +} diff --git a/explores/refinements/ioc_matches.explore.lkml b/explores/refinements/ioc_matches.explore.lkml index 991effd..2fceea5 100644 --- a/explores/refinements/ioc_matches.explore.lkml +++ b/explores/refinements/ioc_matches.explore.lkml @@ -1,6 +1,9 @@ +include: "/chronicle_features.lkml" include: "/views/refinements/ioc_matches.view.lkml" include: "/explores/ioc_matches.explore.lkml" explore: +ioc_matches{ label: "IOC Matches" + + required_access_grants: [has_chronicle_explores_enabled] } diff --git a/explores/refinements/rule_detections.explore.lkml b/explores/refinements/rule_detections.explore.lkml new file mode 100644 index 0000000..9cfae30 --- /dev/null +++ b/explores/refinements/rule_detections.explore.lkml @@ -0,0 +1,6 @@ +include: "/chronicle_features.lkml" +include: "/explores/rule_detections.explore.lkml" + +explore: +rule_detections { + required_access_grants: [has_chronicle_explores_enabled] +} diff --git a/explores/refinements/udm_events.explore.lkml b/explores/refinements/udm_events.explore.lkml index f7f5778..9d83a13 100644 --- a/explores/refinements/udm_events.explore.lkml +++ b/explores/refinements/udm_events.explore.lkml @@ -1,3 +1,4 @@ +include: "/chronicle_features.lkml" include: "/views/refinements/udm_events.view.lkml" include: "/views/refinements/udm_enum_value_to_name_mapping.view.lkml" include: "/explores/udm_events.explore.lkml" 
@@ -7,6 +8,8 @@ explore: +udm_events { hidden: yes + required_access_grants: [has_chronicle_feature_bq_export_external_source_enabled,has_chronicle_explores_enabled] + # Naming enums join: metadata__event_type__enum { from: enum__backstory__metadata__event_type diff --git a/explores/refinements/udm_events_aggregates.explore.lkml b/explores/refinements/udm_events_aggregates.explore.lkml index cc0d2ff..c758c4b 100644 --- a/explores/refinements/udm_events_aggregates.explore.lkml +++ b/explores/refinements/udm_events_aggregates.explore.lkml @@ -1,7 +1,11 @@ +include: "/chronicle_features.lkml" include: "/views/refinements/udm_events_aggregates.view.lkml" include: "/explores/udm_events_aggregates.explore.lkml" + explore: +udm_events_aggregates { label: "UDM Events Aggregates" # hidden: yes + + required_access_grants: [has_chronicle_explores_enabled] } diff --git a/explores/refinements/udm_events_gcs.explore.lkml b/explores/refinements/udm_events_gcs.explore.lkml deleted file mode 100644 index 0936d41..0000000 --- a/explores/refinements/udm_events_gcs.explore.lkml +++ /dev/null @@ -1,4 +0,0 @@ -include: "/explores/udm_events_gcs.explore.lkml" - -explore: +udm_events_gcs { -} diff --git a/explores/rule_detections.explore.lkml b/explores/rule_detections.explore.lkml index 6f0c2d4..f6ed3ca 100644 --- a/explores/rule_detections.explore.lkml +++ b/explores/rule_detections.explore.lkml @@ -1,6 +1,13 @@ include: "/views/refinements/rule_detections.view.lkml" explore: rule_detections { + + join: rule_detections__rulesets { + view_label: "Rule Detections: Rulesets" + sql: LEFT JOIN UNNEST(${rule_detections.rulesets}) as rule_detections__rulesets ;; + relationship: one_to_many + } + join: rule_detections__detection__assets { view_label: "Rule Detections: Detection Assets" sql: LEFT JOIN UNNEST(${rule_detections.detection__assets}) as rule_detections__detection__assets ;; 
diff --git a/explores/rulesets_with_rule_detections.explore.lkml b/explores/rulesets_with_rule_detections.explore.lkml new file mode 100644 index 0000000..6feb0da --- /dev/null +++ b/explores/rulesets_with_rule_detections.explore.lkml @@ -0,0 +1,6 @@ +include: "/views/custom/rulesets_with_rule_detections.view.lkml" + +explore: rulesets_with_rule_detections { + label: "Rulesets with Detections" + # extension: required +} diff --git a/explores/udm_enum_value_to_name_mapping.explore.lkml b/explores/udm_enum_value_to_name_mapping.explore.lkml index 7429e8e..e14c760 100644 --- a/explores/udm_enum_value_to_name_mapping.explore.lkml +++ b/explores/udm_enum_value_to_name_mapping.explore.lkml @@ -1,5 +1,5 @@ include: "/views/udm_enum_value_to_name_mapping.view.lkml" explore: udm_enum_value_to_name_mapping { - hidden: no + hidden: yes } diff --git a/explores/udm_events.explore.lkml b/explores/udm_events.explore.lkml index 3c54e09..179701b 100644 --- a/explores/udm_events.explore.lkml +++ b/explores/udm_events.explore.lkml @@ -421,6 +421,12 @@ explore: udm_events { relationship: one_to_many } + join: udm_events__intermediary__labels { + view_label: "Udm Events: Intermediary Labels" + sql: LEFT JOIN UNNEST(${udm_events__intermediary.labels}) as udm_events__intermediary__labels ;; + relationship: one_to_many + } + join: udm_events__network__dns__answers { view_label: "Udm Events: Network Dns Answers" sql: LEFT JOIN UNNEST(${udm_events.network__dns__answers}) as udm_events__network__dns__answers ;; 
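Review bot: The new `rulesets_with_rule_detections` explore is neither hidden nor access-gated: it has no `required_access_grants`, and `extension: required` is left commented out. The other explores touched by this commit are restricted through `has_chronicle_explores_enabled` in a refinement. No refinement for this explore is visible in this part of the patch, so unless one exists elsewhere it would be available to every user who can reach the model. I would add `required_access_grants: [has_chronicle_explores_enabled]` together with `include: "/chronicle_features.lkml"`, either here or in a refinement file like the siblings, and delete the `# extension: required` line instead of keeping it as a comment.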
@@ -499,12 +505,30 @@ explore: udm_events { relationship: one_to_many } + join: udm_events__intermediary__asset__nat_ip { + view_label: "Udm Events: Intermediary Asset Nat Ip" + sql: LEFT JOIN UNNEST(${udm_events__intermediary.asset__nat_ip}) as udm_events__intermediary__asset__nat_ip ;; + relationship: one_to_many + } + join: udm_events__network__dns__authority { view_label: "Udm Events: Network Dns Authority" sql: LEFT JOIN UNNEST(${udm_events.network__dns__authority}) as udm_events__network__dns__authority ;; relationship: one_to_many } + join: udm_events__network__dhcp__options { + view_label: "Udm Events: Network Dhcp Options" + sql: LEFT JOIN UNNEST(${udm_events.network__dhcp__options}) as udm_events__network__dhcp__options ;; + relationship: one_to_many + } + + join: udm_events__principal__user__department { + view_label: "Udm Events: Principal User Department" + sql: LEFT JOIN UNNEST(${udm_events.principal__user__department}) as udm_events__principal__user__department ;; + relationship: one_to_many + } + join: udm_events__observer__ip_location { view_label: "Udm Events: Observer Ip Location" sql: LEFT JOIN UNNEST(${udm_events.observer__ip_location}) as udm_events__observer__ip_location ;; @@ -571,9 +595,15 @@ explore: udm_events { relationship: one_to_many } - join: udm_events__about__process_ancestors { - view_label: "Udm Events: About Process Ancestors" - sql: LEFT JOIN UNNEST(${udm_events__about.process_ancestors}) as udm_events__about__process_ancestors ;; + join: udm_events__network__dns__additional { + view_label: "Udm Events: Network Dns Additional" + sql: LEFT JOIN UNNEST(${udm_events.network__dns__additional}) as udm_events__network__dns__additional ;; + relationship: one_to_many + } + + join: udm_events__network__dns__questions { + view_label: "Udm Events: Network Dns Questions" + sql: LEFT JOIN UNNEST(${udm_events.network__dns__questions}) as udm_events__network__dns__questions ;; relationship: one_to_many } 
@@ -631,6 +661,12 @@ explore: udm_events { relationship: one_to_many } + join: udm_events__about__process_ancestors { + view_label: "Udm Events: About Process Ancestors" + sql: LEFT JOIN UNNEST(${udm_events__about.process_ancestors}) as udm_events__about__process_ancestors ;; + relationship: one_to_many + } + join: udm_events__observer__process__file__names { view_label: "Udm Events: Observer Process File Names" sql: LEFT JOIN UNNEST(${udm_events.observer__process__file__names}) as udm_events__observer__process__file__names ;; @@ -643,6 +679,18 @@ explore: udm_events { relationship: one_to_many } + join: udm_events__observer__asset__hardware { + view_label: "Udm Events: Observer Asset Hardware" + sql: LEFT JOIN UNNEST(${udm_events.observer__asset__hardware}) as udm_events__observer__asset__hardware ;; + relationship: one_to_many + } + + join: udm_events__observer__user__phone_numbers { + view_label: "Udm Events: Observer User Phone Numbers" + sql: LEFT JOIN UNNEST(${udm_events.observer__user__phone_numbers}) as udm_events__observer__user__phone_numbers ;; + relationship: one_to_many + } + join: udm_events__src__group__email_addresses { view_label: "Udm Events: Src Group Email Addresses" sql: LEFT JOIN UNNEST(${udm_events.src__group__email_addresses}) as udm_events__src__group__email_addresses ;; diff --git a/explores/udm_events_aggregates.explore.lkml b/explores/udm_events_aggregates.explore.lkml index 23e5a61..607cf84 100644 --- a/explores/udm_events_aggregates.explore.lkml +++ b/explores/udm_events_aggregates.explore.lkml @@ -1,5 +1,5 @@ include: "/views/refinements/udm_events_aggregates.view.lkml" explore: udm_events_aggregates { - hidden: yes + # hidden: yes } diff --git a/explores/udm_events_gcs.explore.lkml b/explores/udm_events_gcs.explore.lkml deleted file mode 100644 index 3d09dd6..0000000 --- a/explores/udm_events_gcs.explore.lkml +++ /dev/null 
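Review bot: In `explores/udm_events_aggregates.explore.lkml`, turning `hidden: yes` into `# hidden: yes` makes the base explore visible, while its only access restriction lives in `explores/refinements/udm_events_aggregates.explore.lkml`. A model that includes the base file without the refinement would expose the explore ungated; this is inferred, since the model file is not part of the hunk. The commented-out setting also leaves the intent unclear. Delete the line and state the dependency instead, for example `# visible on purpose; access is gated by required_access_grants in the refinement`.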
@@ -1,3171 +0,0 @@ -include: "/views/@{UDM_EVENTS_GCS}.view.lkml" - -explore: udm_events_gcs { - join: udm_events_gcs__src__ip__list { - view_label: "Udm Events Gcs: Src Ip List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.src__ip__list}) as udm_events_gcs__src__ip__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__mac__list { - view_label: "Udm Events Gcs: Src Mac List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.src__mac__list}) as udm_events_gcs__src__mac__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list { - view_label: "Udm Events Gcs: About List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.about__list}) as udm_events_gcs__about__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__ip__list { - view_label: "Udm Events Gcs: Target Ip List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.target__ip__list}) as udm_events_gcs__target__ip__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__nat_ip__list { - view_label: "Udm Events Gcs: Src Nat Ip List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.src__nat_ip__list}) as udm_events_gcs__src__nat_ip__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__mac__list { - view_label: "Udm Events Gcs: Target Mac List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.target__mac__list}) as udm_events_gcs__target__mac__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__ip__list { - view_label: "Udm Events Gcs: Observer Ip List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.observer__ip__list}) as udm_events_gcs__observer__ip__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__ip__list { - view_label: "Udm Events Gcs: Principal Ip List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.principal__ip__list}) as udm_events_gcs__principal__ip__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__mac__list { - view_label: "Udm Events Gcs: Observer Mac List" - sql: LEFT JOIN 
UNNEST(${udm_events_gcs.observer__mac__list}) as udm_events_gcs__observer__mac__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__asset__ip__list { - view_label: "Udm Events Gcs: Src Asset Ip List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.src__asset__ip__list}) as udm_events_gcs__src__asset__ip__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__mac__list { - view_label: "Udm Events Gcs: Principal Mac List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.principal__mac__list}) as udm_events_gcs__principal__mac__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__asset__mac__list { - view_label: "Udm Events Gcs: Src Asset Mac List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.src__asset__mac__list}) as udm_events_gcs__src__asset__mac__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__nat_ip__list { - view_label: "Udm Events Gcs: Target Nat Ip List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.target__nat_ip__list}) as udm_events_gcs__target__nat_ip__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__file__names__list { - view_label: "Udm Events Gcs: Src File Names List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.src__file__names__list}) as udm_events_gcs__src__file__names__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__nat_ip__list { - view_label: "Udm Events Gcs: Observer Nat Ip List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.observer__nat_ip__list}) as udm_events_gcs__observer__nat_ip__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__asset__ip__list { - view_label: "Udm Events Gcs: Target Asset Ip List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.target__asset__ip__list}) as udm_events_gcs__target__asset__ip__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__nat_ip__list { - view_label: "Udm Events Gcs: Principal Nat Ip List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.principal__nat_ip__list}) as 
udm_events_gcs__principal__nat_ip__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__asset__nat_ip__list { - view_label: "Udm Events Gcs: Src Asset Nat Ip List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.src__asset__nat_ip__list}) as udm_events_gcs__src__asset__nat_ip__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list { - view_label: "Udm Events Gcs: Intermediary List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.intermediary__list}) as udm_events_gcs__intermediary__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__asset__mac__list { - view_label: "Udm Events Gcs: Target Asset Mac List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.target__asset__mac__list}) as udm_events_gcs__target__asset__mac__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__network__email__cc__list { - view_label: "Udm Events Gcs: Network Email Cc List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.network__email__cc__list}) as udm_events_gcs__network__email__cc__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__asset__ip__list { - view_label: "Udm Events Gcs: Observer Asset Ip List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.observer__asset__ip__list}) as udm_events_gcs__observer__asset__ip__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__file__names__list { - view_label: "Udm Events Gcs: Target File Names List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.target__file__names__list}) as udm_events_gcs__target__file__names__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__network__email__bcc__list { - view_label: "Udm Events Gcs: Network Email Bcc List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.network__email__bcc__list}) as udm_events_gcs__network__email__bcc__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__asset__ip__list { - view_label: "Udm Events Gcs: Principal Asset Ip List" - sql: LEFT JOIN 
UNNEST(${udm_events_gcs.principal__asset__ip__list}) as udm_events_gcs__principal__asset__ip__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__asset__mac__list { - view_label: "Udm Events Gcs: Observer Asset Mac List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.observer__asset__mac__list}) as udm_events_gcs__observer__asset__mac__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__ip__list { - view_label: "Udm Events Gcs: About List Item Ip List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list.item__ip__list}) as udm_events_gcs__about__list__item__ip__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__network__email__to__list { - view_label: "Udm Events Gcs: Network Email To List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.network__email__to__list}) as udm_events_gcs__network__email__to__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__asset__mac__list { - view_label: "Udm Events Gcs: Principal Asset Mac List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.principal__asset__mac__list}) as udm_events_gcs__principal__asset__mac__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__file__names__list { - view_label: "Udm Events Gcs: Observer File Names List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.observer__file__names__list}) as udm_events_gcs__observer__file__names__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__user__department__list { - view_label: "Udm Events Gcs: Src User Department List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.src__user__department__list}) as udm_events_gcs__src__user__department__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__mac__list { - view_label: "Udm Events Gcs: About List Item Mac List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list.item__mac__list}) as udm_events_gcs__about__list__item__mac__list ;; - relationship: one_to_many - } - - join: 
udm_events_gcs__target__asset__nat_ip__list { - view_label: "Udm Events Gcs: Target Asset Nat Ip List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.target__asset__nat_ip__list}) as udm_events_gcs__target__asset__nat_ip__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__file__names__list { - view_label: "Udm Events Gcs: Principal File Names List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.principal__file__names__list}) as udm_events_gcs__principal__file__names__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__asset__nat_ip__list { - view_label: "Udm Events Gcs: Observer Asset Nat Ip List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.observer__asset__nat_ip__list}) as udm_events_gcs__observer__asset__nat_ip__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__additional__fields__list { - view_label: "Udm Events Gcs: Additional Fields List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.additional__fields__list}) as udm_events_gcs__additional__fields__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__network__email__subject__list { - view_label: "Udm Events Gcs: Network Email Subject List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.network__email__subject__list}) as udm_events_gcs__network__email__subject__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__asset__nat_ip__list { - view_label: "Udm Events Gcs: Principal Asset Nat Ip List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.principal__asset__nat_ip__list}) as udm_events_gcs__principal__asset__nat_ip__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__process__file__names__list { - view_label: "Udm Events Gcs: Src Process File Names List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.src__process__file__names__list}) as udm_events_gcs__src__process__file__names__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__asset__hardware__list { - view_label: "Udm Events Gcs: Src Asset Hardware List" 
- sql: LEFT JOIN UNNEST(${udm_events_gcs.src__asset__hardware__list}) as udm_events_gcs__src__asset__hardware__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__user__phone_numbers__list { - view_label: "Udm Events Gcs: Src User Phone Numbers List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.src__user__phone_numbers__list}) as udm_events_gcs__src__user__phone_numbers__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__nat_ip__list { - view_label: "Udm Events Gcs: About List Item Nat Ip List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list.item__nat_ip__list}) as udm_events_gcs__about__list__item__nat_ip__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__user__department__list { - view_label: "Udm Events Gcs: Target User Department List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.target__user__department__list}) as udm_events_gcs__target__user__department__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__metadata__tags__tenant_id__list { - view_label: "Udm Events Gcs: Metadata Tags Tenant Id List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.metadata__tags__tenant_id__list}) as udm_events_gcs__metadata__tags__tenant_id__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__asset__software__list { - view_label: "Udm Events Gcs: Src Asset Software List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.src__asset__software__list}) as udm_events_gcs__src__asset__software__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list { - view_label: "Udm Events Gcs: Security Result List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.security_result__list}) as udm_events_gcs__security_result__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__network__dns__answers__list { - view_label: "Udm Events Gcs: Network Dns Answers List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.network__dns__answers__list}) as 
udm_events_gcs__network__dns__answers__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__user__department__list { - view_label: "Udm Events Gcs: Observer User Department List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.observer__user__department__list}) as udm_events_gcs__observer__user__department__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__user__email_addresses__list { - view_label: "Udm Events Gcs: Src User Email Addresses List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.src__user__email_addresses__list}) as udm_events_gcs__src__user__email_addresses__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__asset__ip__list { - view_label: "Udm Events Gcs: About List Item Asset Ip List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list.item__asset__ip__list}) as udm_events_gcs__about__list__item__asset__ip__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__user__department__list { - view_label: "Udm Events Gcs: Principal User Department List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.principal__user__department__list}) as udm_events_gcs__principal__user__department__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__extensions__auth__mechanism__list { - view_label: "Udm Events Gcs: Extensions Auth Mechanism List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.extensions__auth__mechanism__list}) as udm_events_gcs__extensions__auth__mechanism__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__process_ancestors__list { - view_label: "Udm Events Gcs: Src Process Ancestors List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.src__process_ancestors__list}) as udm_events_gcs__src__process_ancestors__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__asset__mac__list { - view_label: "Udm Events Gcs: About List Item Asset Mac List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list.item__asset__mac__list}) 
as udm_events_gcs__about__list__item__asset__mac__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__ip__list { - view_label: "Udm Events Gcs: Intermediary List Item Ip List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list.item__ip__list}) as udm_events_gcs__intermediary__list__item__ip__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__process__file__names__list { - view_label: "Udm Events Gcs: Target Process File Names List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.target__process__file__names__list}) as udm_events_gcs__target__process__file__names__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__asset__hardware__list { - view_label: "Udm Events Gcs: Target Asset Hardware List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.target__asset__hardware__list}) as udm_events_gcs__target__asset__hardware__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__user__phone_numbers__list { - view_label: "Udm Events Gcs: Target User Phone Numbers List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.target__user__phone_numbers__list}) as udm_events_gcs__target__user__phone_numbers__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__network__dns__authority__list { - view_label: "Udm Events Gcs: Network Dns Authority List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.network__dns__authority__list}) as udm_events_gcs__network__dns__authority__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__network__dhcp__options__list { - view_label: "Udm Events Gcs: Network Dhcp Options List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.network__dhcp__options__list}) as udm_events_gcs__network__dhcp__options__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__file__capabilities_tags__list { - view_label: "Udm Events Gcs: Src File Capabilities Tags List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.src__file__capabilities_tags__list}) as 
udm_events_gcs__src__file__capabilities_tags__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__investigation__comments__list { - view_label: "Udm Events Gcs: Src Investigation Comments List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.src__investigation__comments__list}) as udm_events_gcs__src__investigation__comments__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__user__group_identifiers__list { - view_label: "Udm Events Gcs: Src User Group Identifiers List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.src__user__group_identifiers__list}) as udm_events_gcs__src__user__group_identifiers__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__file__names__list { - view_label: "Udm Events Gcs: About List Item File Names List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list.item__file__names__list}) as udm_events_gcs__about__list__item__file__names__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__mac__list { - view_label: "Udm Events Gcs: Intermediary List Item Mac List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list.item__mac__list}) as udm_events_gcs__intermediary__list__item__mac__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__asset__software__list { - view_label: "Udm Events Gcs: Target Asset Software List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.target__asset__software__list}) as udm_events_gcs__target__asset__software__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__network__dns__additional__list { - view_label: "Udm Events Gcs: Network Dns Additional List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.network__dns__additional__list}) as udm_events_gcs__network__dns__additional__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__network__dns__questions__list { - view_label: "Udm Events Gcs: Network Dns Questions List" - sql: LEFT JOIN 
UNNEST(${udm_events_gcs.network__dns__questions__list}) as udm_events_gcs__network__dns__questions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__process__file__names__list { - view_label: "Udm Events Gcs: Observer Process File Names List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.observer__process__file__names__list}) as udm_events_gcs__observer__process__file__names__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__asset__hardware__list { - view_label: "Udm Events Gcs: Observer Asset Hardware List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.observer__asset__hardware__list}) as udm_events_gcs__observer__asset__hardware__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__user__phone_numbers__list { - view_label: "Udm Events Gcs: Observer User Phone Numbers List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.observer__user__phone_numbers__list}) as udm_events_gcs__observer__user__phone_numbers__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__group__email_addresses__list { - view_label: "Udm Events Gcs: Src Group Email Addresses List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.src__group__email_addresses__list}) as udm_events_gcs__src__group__email_addresses__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__resource_ancestors__list { - view_label: "Udm Events Gcs: Src Resource Ancestors List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.src__resource_ancestors__list}) as udm_events_gcs__src__resource_ancestors__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__user__email_addresses__list { - view_label: "Udm Events Gcs: Target User Email Addresses List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.target__user__email_addresses__list}) as udm_events_gcs__target__user__email_addresses__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__process__file__names__list { - view_label: "Udm Events Gcs: Principal Process 
File Names List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.principal__process__file__names__list}) as udm_events_gcs__principal__process__file__names__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__asset__hardware__list { - view_label: "Udm Events Gcs: Principal Asset Hardware List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.principal__asset__hardware__list}) as udm_events_gcs__principal__asset__hardware__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__user__phone_numbers__list { - view_label: "Udm Events Gcs: Principal User Phone Numbers List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.principal__user__phone_numbers__list}) as udm_events_gcs__principal__user__phone_numbers__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__asset__software__list { - view_label: "Udm Events Gcs: Observer Asset Software List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.observer__asset__software__list}) as udm_events_gcs__observer__asset__software__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__asset__nat_ip__list { - view_label: "Udm Events Gcs: About List Item Asset Nat Ip List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list.item__asset__nat_ip__list}) as udm_events_gcs__about__list__item__asset__nat_ip__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__process_ancestors__list { - view_label: "Udm Events Gcs: Target Process Ancestors List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.target__process_ancestors__list}) as udm_events_gcs__target__process_ancestors__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__asset__software__list { - view_label: "Udm Events Gcs: Principal Asset Software List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.principal__asset__software__list}) as udm_events_gcs__principal__asset__software__list ;; - relationship: one_to_many - } - - join: 
udm_events_gcs__observer__user__email_addresses__list { - view_label: "Udm Events Gcs: Observer User Email Addresses List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.observer__user__email_addresses__list}) as udm_events_gcs__observer__user__email_addresses__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__metadata__ingestion_labels__list { - view_label: "Udm Events Gcs: Metadata Ingestion Labels List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.metadata__ingestion_labels__list}) as udm_events_gcs__metadata__ingestion_labels__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__file__pe_file__section__list { - view_label: "Udm Events Gcs: Src File Pe File Section List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.src__file__pe_file__section__list}) as udm_events_gcs__src__file__pe_file__section__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__user__time_off__list { - view_label: "Udm Events Gcs: Src User Time Off List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.src__user__time_off__list}) as udm_events_gcs__src__user__time_off__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__user__attribute__roles__list { - view_label: "Udm Events Gcs: Src User Attribute Roles List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.src__user__attribute__roles__list}) as udm_events_gcs__src__user__attribute__roles__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__user__attribute__labels__list { - view_label: "Udm Events Gcs: Src User Attribute Labels List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.src__user__attribute__labels__list}) as udm_events_gcs__src__user__attribute__labels__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__nat_ip__list { - view_label: "Udm Events Gcs: Intermediary List Item Nat Ip List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list.item__nat_ip__list}) as udm_events_gcs__intermediary__list__item__nat_ip__list ;; - 
relationship: one_to_many - } - - join: udm_events_gcs__target__file__capabilities_tags__list { - view_label: "Udm Events Gcs: Target File Capabilities Tags List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.target__file__capabilities_tags__list}) as udm_events_gcs__target__file__capabilities_tags__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__investigation__comments__list { - view_label: "Udm Events Gcs: Target Investigation Comments List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.target__investigation__comments__list}) as udm_events_gcs__target__investigation__comments__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__user__group_identifiers__list { - view_label: "Udm Events Gcs: Target User Group Identifiers List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.target__user__group_identifiers__list}) as udm_events_gcs__target__user__group_identifiers__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__user__email_addresses__list { - view_label: "Udm Events Gcs: Principal User Email Addresses List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.principal__user__email_addresses__list}) as udm_events_gcs__principal__user__email_addresses__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__process_ancestors__list { - view_label: "Udm Events Gcs: Observer Process Ancestors List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.observer__process_ancestors__list}) as udm_events_gcs__observer__process_ancestors__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__asset__vulnerabilities__list { - view_label: "Udm Events Gcs: Src Asset Vulnerabilities List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.src__asset__vulnerabilities__list}) as udm_events_gcs__src__asset__vulnerabilities__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__asset__attribute__roles__list { - view_label: "Udm Events Gcs: Src Asset Attribute Roles List" - sql: LEFT JOIN 
UNNEST(${udm_events_gcs.src__asset__attribute__roles__list}) as udm_events_gcs__src__asset__attribute__roles__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__asset__attribute__labels__list { - view_label: "Udm Events Gcs: Src Asset Attribute Labels List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.src__asset__attribute__labels__list}) as udm_events_gcs__src__asset__attribute__labels__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__group__email_addresses__list { - view_label: "Udm Events Gcs: Target Group Email Addresses List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.target__group__email_addresses__list}) as udm_events_gcs__target__group__email_addresses__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__resource_ancestors__list { - view_label: "Udm Events Gcs: Target Resource Ancestors List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.target__resource_ancestors__list}) as udm_events_gcs__target__resource_ancestors__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__process_ancestors__list { - view_label: "Udm Events Gcs: Principal Process Ancestors List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.principal__process_ancestors__list}) as udm_events_gcs__principal__process_ancestors__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__file__capabilities_tags__list { - view_label: "Udm Events Gcs: Observer File Capabilities Tags List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.observer__file__capabilities_tags__list}) as udm_events_gcs__observer__file__capabilities_tags__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__investigation__comments__list { - view_label: "Udm Events Gcs: Observer Investigation Comments List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.observer__investigation__comments__list}) as udm_events_gcs__observer__investigation__comments__list ;; - relationship: one_to_many - } - - join: 
udm_events_gcs__observer__user__group_identifiers__list { - view_label: "Udm Events Gcs: Observer User Group Identifiers List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.observer__user__group_identifiers__list}) as udm_events_gcs__observer__user__group_identifiers__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__user_management_chain__list { - view_label: "Udm Events Gcs: Src User Management Chain List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.src__user_management_chain__list}) as udm_events_gcs__src__user_management_chain__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__user__department__list { - view_label: "Udm Events Gcs: About List Item User Department List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list.item__user__department__list}) as udm_events_gcs__about__list__item__user__department__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__asset__ip__list { - view_label: "Udm Events Gcs: Intermediary List Item Asset Ip List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list.item__asset__ip__list}) as udm_events_gcs__intermediary__list__item__asset__ip__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__file__capabilities_tags__list { - view_label: "Udm Events Gcs: Principal File Capabilities Tags List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.principal__file__capabilities_tags__list}) as udm_events_gcs__principal__file__capabilities_tags__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__investigation__comments__list { - view_label: "Udm Events Gcs: Principal Investigation Comments List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.principal__investigation__comments__list}) as udm_events_gcs__principal__investigation__comments__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__user__group_identifiers__list { - view_label: "Udm Events Gcs: Principal User Group Identifiers 
List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.principal__user__group_identifiers__list}) as udm_events_gcs__principal__user__group_identifiers__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__group__email_addresses__list { - view_label: "Udm Events Gcs: Observer Group Email Addresses List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.observer__group__email_addresses__list}) as udm_events_gcs__observer__group__email_addresses__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__resource_ancestors__list { - view_label: "Udm Events Gcs: Observer Resource Ancestors List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.observer__resource_ancestors__list}) as udm_events_gcs__observer__resource_ancestors__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__file__pe_file__imports__list { - view_label: "Udm Events Gcs: Src File Pe File Imports List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.src__file__pe_file__imports__list}) as udm_events_gcs__src__file__pe_file__imports__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__group__attribute__roles__list { - view_label: "Udm Events Gcs: Src Group Attribute Roles List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.src__group__attribute__roles__list}) as udm_events_gcs__src__group__attribute__roles__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__group__attribute__labels__list { - view_label: "Udm Events Gcs: Src Group Attribute Labels List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.src__group__attribute__labels__list}) as udm_events_gcs__src__group__attribute__labels__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__process__command_line_history__list { - view_label: "Udm Events Gcs: Src Process Command Line History List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.src__process__command_line_history__list}) as udm_events_gcs__src__process__command_line_history__list ;; - relationship: one_to_many - } - - join: 
udm_events_gcs__intermediary__list__item__asset__mac__list { - view_label: "Udm Events Gcs: Intermediary List Item Asset Mac List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list.item__asset__mac__list}) as udm_events_gcs__intermediary__list__item__asset__mac__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__action__list { - view_label: "Udm Events Gcs: Security Result List Item Action List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list.item__action__list}) as udm_events_gcs__security_result__list__item__action__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__file__pe_file__section__list { - view_label: "Udm Events Gcs: Target File Pe File Section List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.target__file__pe_file__section__list}) as udm_events_gcs__target__file__pe_file__section__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__user__time_off__list { - view_label: "Udm Events Gcs: Target User Time Off List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.target__user__time_off__list}) as udm_events_gcs__target__user__time_off__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__user__attribute__roles__list { - view_label: "Udm Events Gcs: Target User Attribute Roles List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.target__user__attribute__roles__list}) as udm_events_gcs__target__user__attribute__roles__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__user__attribute__labels__list { - view_label: "Udm Events Gcs: Target User Attribute Labels List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.target__user__attribute__labels__list}) as udm_events_gcs__target__user__attribute__labels__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__group__email_addresses__list { - view_label: "Udm Events Gcs: Principal Group Email Addresses List" - sql: LEFT JOIN 
UNNEST(${udm_events_gcs.principal__group__email_addresses__list}) as udm_events_gcs__principal__group__email_addresses__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__resource_ancestors__list { - view_label: "Udm Events Gcs: Principal Resource Ancestors List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.principal__resource_ancestors__list}) as udm_events_gcs__principal__resource_ancestors__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__file__pe_file__resource__list { - view_label: "Udm Events Gcs: Src File Pe File Resource List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.src__file__pe_file__resource__list}) as udm_events_gcs__src__file__pe_file__resource__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__resource__attribute__roles__list { - view_label: "Udm Events Gcs: Src Resource Attribute Roles List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.src__resource__attribute__roles__list}) as udm_events_gcs__src__resource__attribute__roles__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__resource__attribute__labels__list { - view_label: "Udm Events Gcs: Src Resource Attribute Labels List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.src__resource__attribute__labels__list}) as udm_events_gcs__src__resource__attribute__labels__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__file__names__list { - view_label: "Udm Events Gcs: Intermediary List Item File Names List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list.item__file__names__list}) as udm_events_gcs__intermediary__list__item__file__names__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__asset__vulnerabilities__list { - view_label: "Udm Events Gcs: Target Asset Vulnerabilities List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.target__asset__vulnerabilities__list}) as udm_events_gcs__target__asset__vulnerabilities__list ;; - relationship: one_to_many - } - - 
join: udm_events_gcs__target__asset__attribute__roles__list { - view_label: "Udm Events Gcs: Target Asset Attribute Roles List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.target__asset__attribute__roles__list}) as udm_events_gcs__target__asset__attribute__roles__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__asset__attribute__labels__list { - view_label: "Udm Events Gcs: Target Asset Attribute Labels List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.target__asset__attribute__labels__list}) as udm_events_gcs__target__asset__attribute__labels__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__file__pe_file__section__list { - view_label: "Udm Events Gcs: Observer File Pe File Section List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.observer__file__pe_file__section__list}) as udm_events_gcs__observer__file__pe_file__section__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__user__time_off__list { - view_label: "Udm Events Gcs: Observer User Time Off List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.observer__user__time_off__list}) as udm_events_gcs__observer__user__time_off__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__user__attribute__roles__list { - view_label: "Udm Events Gcs: Observer User Attribute Roles List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.observer__user__attribute__roles__list}) as udm_events_gcs__observer__user__attribute__roles__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__user__attribute__labels__list { - view_label: "Udm Events Gcs: Observer User Attribute Labels List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.observer__user__attribute__labels__list}) as udm_events_gcs__observer__user__attribute__labels__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__process__file__capabilities_tags__list { - view_label: "Udm Events Gcs: Src Process File Capabilities Tags List" - sql: LEFT JOIN 
UNNEST(${udm_events_gcs.src__process__file__capabilities_tags__list}) as udm_events_gcs__src__process__file__capabilities_tags__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__process__file__names__list { - view_label: "Udm Events Gcs: About List Item Process File Names List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list.item__process__file__names__list}) as udm_events_gcs__about__list__item__process__file__names__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__asset__hardware__list { - view_label: "Udm Events Gcs: About List Item Asset Hardware List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list.item__asset__hardware__list}) as udm_events_gcs__about__list__item__asset__hardware__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__user__phone_numbers__list { - view_label: "Udm Events Gcs: About List Item User Phone Numbers List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list.item__user__phone_numbers__list}) as udm_events_gcs__about__list__item__user__phone_numbers__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__ip__list { - view_label: "Udm Events Gcs: Security Result List Item About Ip List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list.item__about__ip__list}) as udm_events_gcs__security_result__list__item__about__ip__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__category__list { - view_label: "Udm Events Gcs: Security Result List Item Category List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list.item__category__list}) as udm_events_gcs__security_result__list__item__category__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__user_management_chain__list { - view_label: "Udm Events Gcs: Target User Management Chain List" - sql: LEFT JOIN 
UNNEST(${udm_events_gcs.target__user_management_chain__list}) as udm_events_gcs__target__user_management_chain__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__file__pe_file__section__list { - view_label: "Udm Events Gcs: Principal File Pe File Section List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.principal__file__pe_file__section__list}) as udm_events_gcs__principal__file__pe_file__section__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__user__time_off__list { - view_label: "Udm Events Gcs: Principal User Time Off List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.principal__user__time_off__list}) as udm_events_gcs__principal__user__time_off__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__user__attribute__roles__list { - view_label: "Udm Events Gcs: Principal User Attribute Roles List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.principal__user__attribute__roles__list}) as udm_events_gcs__principal__user__attribute__roles__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__user__attribute__labels__list { - view_label: "Udm Events Gcs: Principal User Attribute Labels List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.principal__user__attribute__labels__list}) as udm_events_gcs__principal__user__attribute__labels__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__asset__vulnerabilities__list { - view_label: "Udm Events Gcs: Observer Asset Vulnerabilities List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.observer__asset__vulnerabilities__list}) as udm_events_gcs__observer__asset__vulnerabilities__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__asset__attribute__roles__list { - view_label: "Udm Events Gcs: Observer Asset Attribute Roles List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.observer__asset__attribute__roles__list}) as udm_events_gcs__observer__asset__attribute__roles__list ;; - relationship: one_to_many - } 
- - join: udm_events_gcs__observer__asset__attribute__labels__list { - view_label: "Udm Events Gcs: Observer Asset Attribute Labels List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.observer__asset__attribute__labels__list}) as udm_events_gcs__observer__asset__attribute__labels__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__user__attribute__permissions__list { - view_label: "Udm Events Gcs: Src User Attribute Permissions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.src__user__attribute__permissions__list}) as udm_events_gcs__src__user__attribute__permissions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__asset__software__list { - view_label: "Udm Events Gcs: About List Item Asset Software List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list.item__asset__software__list}) as udm_events_gcs__about__list__item__asset__software__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__asset__nat_ip__list { - view_label: "Udm Events Gcs: Intermediary List Item Asset Nat Ip List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list.item__asset__nat_ip__list}) as udm_events_gcs__intermediary__list__item__asset__nat_ip__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__mac__list { - view_label: "Udm Events Gcs: Security Result List Item About Mac List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list.item__about__mac__list}) as udm_events_gcs__security_result__list__item__about__mac__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__file__pe_file__imports__list { - view_label: "Udm Events Gcs: Target File Pe File Imports List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.target__file__pe_file__imports__list}) as udm_events_gcs__target__file__pe_file__imports__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__group__attribute__roles__list { - view_label: 
"Udm Events Gcs: Target Group Attribute Roles List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.target__group__attribute__roles__list}) as udm_events_gcs__target__group__attribute__roles__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__group__attribute__labels__list { - view_label: "Udm Events Gcs: Target Group Attribute Labels List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.target__group__attribute__labels__list}) as udm_events_gcs__target__group__attribute__labels__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__process__command_line_history__list { - view_label: "Udm Events Gcs: Target Process Command Line History List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.target__process__command_line_history__list}) as udm_events_gcs__target__process__command_line_history__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__asset__vulnerabilities__list { - view_label: "Udm Events Gcs: Principal Asset Vulnerabilities List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.principal__asset__vulnerabilities__list}) as udm_events_gcs__principal__asset__vulnerabilities__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__asset__attribute__roles__list { - view_label: "Udm Events Gcs: Principal Asset Attribute Roles List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.principal__asset__attribute__roles__list}) as udm_events_gcs__principal__asset__attribute__roles__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__asset__attribute__labels__list { - view_label: "Udm Events Gcs: Principal Asset Attribute Labels List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.principal__asset__attribute__labels__list}) as udm_events_gcs__principal__asset__attribute__labels__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__user_management_chain__list { - view_label: "Udm Events Gcs: Observer User Management Chain List" - sql: LEFT JOIN 
UNNEST(${udm_events_gcs.observer__user_management_chain__list}) as udm_events_gcs__observer__user_management_chain__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__asset__attribute__permissions__list { - view_label: "Udm Events Gcs: Src Asset Attribute Permissions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.src__asset__attribute__permissions__list}) as udm_events_gcs__src__asset__attribute__permissions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__user__email_addresses__list { - view_label: "Udm Events Gcs: About List Item User Email Addresses List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list.item__user__email_addresses__list}) as udm_events_gcs__about__list__item__user__email_addresses__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__file__pe_file__resource__list { - view_label: "Udm Events Gcs: Target File Pe File Resource List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.target__file__pe_file__resource__list}) as udm_events_gcs__target__file__pe_file__resource__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__resource__attribute__roles__list { - view_label: "Udm Events Gcs: Target Resource Attribute Roles List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.target__resource__attribute__roles__list}) as udm_events_gcs__target__resource__attribute__roles__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__resource__attribute__labels__list { - view_label: "Udm Events Gcs: Target Resource Attribute Labels List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.target__resource__attribute__labels__list}) as udm_events_gcs__target__resource__attribute__labels__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__network__tls__client__supported_ciphers__list { - view_label: "Udm Events Gcs: Network Tls Client Supported Ciphers List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.network__tls__client__supported_ciphers__list}) as 
udm_events_gcs__network__tls__client__supported_ciphers__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__user_management_chain__list { - view_label: "Udm Events Gcs: Principal User Management Chain List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.principal__user_management_chain__list}) as udm_events_gcs__principal__user_management_chain__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__file__pe_file__imports__list { - view_label: "Udm Events Gcs: Observer File Pe File Imports List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.observer__file__pe_file__imports__list}) as udm_events_gcs__observer__file__pe_file__imports__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__group__attribute__roles__list { - view_label: "Udm Events Gcs: Observer Group Attribute Roles List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.observer__group__attribute__roles__list}) as udm_events_gcs__observer__group__attribute__roles__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__group__attribute__labels__list { - view_label: "Udm Events Gcs: Observer Group Attribute Labels List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.observer__group__attribute__labels__list}) as udm_events_gcs__observer__group__attribute__labels__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__process__command_line_history__list { - view_label: "Udm Events Gcs: Observer Process Command Line History List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.observer__process__command_line_history__list}) as udm_events_gcs__observer__process__command_line_history__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__extensions__vulns__vulnerabilities__list { - view_label: "Udm Events Gcs: Extensions Vulns Vulnerabilities List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.extensions__vulns__vulnerabilities__list}) as udm_events_gcs__extensions__vulns__vulnerabilities__list ;; - relationship: one_to_many 
- } - - join: udm_events_gcs__src__process__file__pe_file__section__list { - view_label: "Udm Events Gcs: Src Process File Pe File Section List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.src__process__file__pe_file__section__list}) as udm_events_gcs__src__process__file__pe_file__section__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__process_ancestors__list { - view_label: "Udm Events Gcs: About List Item Process Ancestors List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list.item__process_ancestors__list}) as udm_events_gcs__about__list__item__process_ancestors__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__process__file__capabilities_tags__list { - view_label: "Udm Events Gcs: Target Process File Capabilities Tags List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.target__process__file__capabilities_tags__list}) as udm_events_gcs__target__process__file__capabilities_tags__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__file__pe_file__imports__list { - view_label: "Udm Events Gcs: Principal File Pe File Imports List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.principal__file__pe_file__imports__list}) as udm_events_gcs__principal__file__pe_file__imports__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__group__attribute__roles__list { - view_label: "Udm Events Gcs: Principal Group Attribute Roles List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.principal__group__attribute__roles__list}) as udm_events_gcs__principal__group__attribute__roles__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__group__attribute__labels__list { - view_label: "Udm Events Gcs: Principal Group Attribute Labels List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.principal__group__attribute__labels__list}) as udm_events_gcs__principal__group__attribute__labels__list ;; - relationship: one_to_many - } - - join: 
udm_events_gcs__principal__process__command_line_history__list { - view_label: "Udm Events Gcs: Principal Process Command Line History List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.principal__process__command_line_history__list}) as udm_events_gcs__principal__process__command_line_history__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__file__pe_file__resource__list { - view_label: "Udm Events Gcs: Observer File Pe File Resource List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.observer__file__pe_file__resource__list}) as udm_events_gcs__observer__file__pe_file__resource__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__resource__attribute__roles__list { - view_label: "Udm Events Gcs: Observer Resource Attribute Roles List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.observer__resource__attribute__roles__list}) as udm_events_gcs__observer__resource__attribute__roles__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__resource__attribute__labels__list { - view_label: "Udm Events Gcs: Observer Resource Attribute Labels List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.observer__resource__attribute__labels__list}) as udm_events_gcs__observer__resource__attribute__labels__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__file__pe_file__signature_info__signer__list { - view_label: "Udm Events Gcs: Src File Pe File Signature Info Signer List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.src__file__pe_file__signature_info__signer__list}) as udm_events_gcs__src__file__pe_file__signature_info__signer__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__group__attribute__permissions__list { - view_label: "Udm Events Gcs: Src Group Attribute Permissions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.src__group__attribute__permissions__list}) as udm_events_gcs__src__group__attribute__permissions__list ;; - relationship: one_to_many - } - - join: 
udm_events_gcs__about__list__item__file__capabilities_tags__list { - view_label: "Udm Events Gcs: About List Item File Capabilities Tags List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list.item__file__capabilities_tags__list}) as udm_events_gcs__about__list__item__file__capabilities_tags__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__investigation__comments__list { - view_label: "Udm Events Gcs: About List Item Investigation Comments List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list.item__investigation__comments__list}) as udm_events_gcs__about__list__item__investigation__comments__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__user__group_identifiers__list { - view_label: "Udm Events Gcs: About List Item User Group Identifiers List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list.item__user__group_identifiers__list}) as udm_events_gcs__about__list__item__user__group_identifiers__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__user__department__list { - view_label: "Udm Events Gcs: Intermediary List Item User Department List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list.item__user__department__list}) as udm_events_gcs__intermediary__list__item__user__department__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__nat_ip__list { - view_label: "Udm Events Gcs: Security Result List Item About Nat Ip List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list.item__about__nat_ip__list}) as udm_events_gcs__security_result__list__item__about__nat_ip__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__outcomes__list { - view_label: "Udm Events Gcs: Security Result List Item Outcomes List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list.item__outcomes__list}) as 
udm_events_gcs__security_result__list__item__outcomes__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__user__attribute__permissions__list { - view_label: "Udm Events Gcs: Target User Attribute Permissions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.target__user__attribute__permissions__list}) as udm_events_gcs__target__user__attribute__permissions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__file__pe_file__resource__list { - view_label: "Udm Events Gcs: Principal File Pe File Resource List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.principal__file__pe_file__resource__list}) as udm_events_gcs__principal__file__pe_file__resource__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__resource__attribute__roles__list { - view_label: "Udm Events Gcs: Principal Resource Attribute Roles List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.principal__resource__attribute__roles__list}) as udm_events_gcs__principal__resource__attribute__roles__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__resource__attribute__labels__list { - view_label: "Udm Events Gcs: Principal Resource Attribute Labels List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.principal__resource__attribute__labels__list}) as udm_events_gcs__principal__resource__attribute__labels__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__process__file__capabilities_tags__list { - view_label: "Udm Events Gcs: Observer Process File Capabilities Tags List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.observer__process__file__capabilities_tags__list}) as udm_events_gcs__observer__process__file__capabilities_tags__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__resource__attribute__permissions__list { - view_label: "Udm Events Gcs: Src Resource Attribute Permissions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.src__resource__attribute__permissions__list}) as 
udm_events_gcs__src__resource__attribute__permissions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__group__email_addresses__list { - view_label: "Udm Events Gcs: About List Item Group Email Addresses List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list.item__group__email_addresses__list}) as udm_events_gcs__about__list__item__group__email_addresses__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__resource_ancestors__list { - view_label: "Udm Events Gcs: About List Item Resource Ancestors List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list.item__resource_ancestors__list}) as udm_events_gcs__about__list__item__resource_ancestors__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__asset__attribute__permissions__list { - view_label: "Udm Events Gcs: Target Asset Attribute Permissions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.target__asset__attribute__permissions__list}) as udm_events_gcs__target__asset__attribute__permissions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__process__file__capabilities_tags__list { - view_label: "Udm Events Gcs: Principal Process File Capabilities Tags List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.principal__process__file__capabilities_tags__list}) as udm_events_gcs__principal__process__file__capabilities_tags__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__user__attribute__permissions__list { - view_label: "Udm Events Gcs: Observer User Attribute Permissions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.observer__user__attribute__permissions__list}) as udm_events_gcs__observer__user__attribute__permissions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__process__file__pe_file__imports__list { - view_label: "Udm Events Gcs: Src Process File Pe File Imports List" - sql: LEFT JOIN 
UNNEST(${udm_events_gcs.src__process__file__pe_file__imports__list}) as udm_events_gcs__src__process__file__pe_file__imports__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__asset__ip__list { - view_label: "Udm Events Gcs: Security Result List Item About Asset Ip List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list.item__about__asset__ip__list}) as udm_events_gcs__security_result__list__item__about__asset__ip__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__process__file__pe_file__section__list { - view_label: "Udm Events Gcs: Target Process File Pe File Section List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.target__process__file__pe_file__section__list}) as udm_events_gcs__target__process__file__pe_file__section__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__user__attribute__permissions__list { - view_label: "Udm Events Gcs: Principal User Attribute Permissions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.principal__user__attribute__permissions__list}) as udm_events_gcs__principal__user__attribute__permissions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__asset__attribute__permissions__list { - view_label: "Udm Events Gcs: Observer Asset Attribute Permissions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.observer__asset__attribute__permissions__list}) as udm_events_gcs__observer__asset__attribute__permissions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__file__pe_file__resources_type_count__list { - view_label: "Udm Events Gcs: Src File Pe File Resources Type Count List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.src__file__pe_file__resources_type_count__list}) as udm_events_gcs__src__file__pe_file__resources_type_count__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__process__file__pe_file__resource__list { - view_label: "Udm Events Gcs: Src Process File Pe 
File Resource List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.src__process__file__pe_file__resource__list}) as udm_events_gcs__src__process__file__pe_file__resource__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__file__pe_file__section__list { - view_label: "Udm Events Gcs: About List Item File Pe File Section List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list.item__file__pe_file__section__list}) as udm_events_gcs__about__list__item__file__pe_file__section__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__user__time_off__list { - view_label: "Udm Events Gcs: About List Item User Time Off List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list.item__user__time_off__list}) as udm_events_gcs__about__list__item__user__time_off__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__user__attribute__roles__list { - view_label: "Udm Events Gcs: About List Item User Attribute Roles List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list.item__user__attribute__roles__list}) as udm_events_gcs__about__list__item__user__attribute__roles__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__user__attribute__labels__list { - view_label: "Udm Events Gcs: About List Item User Attribute Labels List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list.item__user__attribute__labels__list}) as udm_events_gcs__about__list__item__user__attribute__labels__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__process__file__names__list { - view_label: "Udm Events Gcs: Intermediary List Item Process File Names List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list.item__process__file__names__list}) as udm_events_gcs__intermediary__list__item__process__file__names__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__asset__hardware__list { - 
view_label: "Udm Events Gcs: Intermediary List Item Asset Hardware List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list.item__asset__hardware__list}) as udm_events_gcs__intermediary__list__item__asset__hardware__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__user__phone_numbers__list { - view_label: "Udm Events Gcs: Intermediary List Item User Phone Numbers List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list.item__user__phone_numbers__list}) as udm_events_gcs__intermediary__list__item__user__phone_numbers__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__asset__mac__list { - view_label: "Udm Events Gcs: Security Result List Item About Asset Mac List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list.item__about__asset__mac__list}) as udm_events_gcs__security_result__list__item__about__asset__mac__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__rule_labels__list { - view_label: "Udm Events Gcs: Security Result List Item Rule Labels List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list.item__rule_labels__list}) as udm_events_gcs__security_result__list__item__rule_labels__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__file__pe_file__signature_info__signer__list { - view_label: "Udm Events Gcs: Target File Pe File Signature Info Signer List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.target__file__pe_file__signature_info__signer__list}) as udm_events_gcs__target__file__pe_file__signature_info__signer__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__group__attribute__permissions__list { - view_label: "Udm Events Gcs: Target Group Attribute Permissions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.target__group__attribute__permissions__list}) as udm_events_gcs__target__group__attribute__permissions__list ;; - 
relationship: one_to_many - } - - join: udm_events_gcs__principal__asset__attribute__permissions__list { - view_label: "Udm Events Gcs: Principal Asset Attribute Permissions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.principal__asset__attribute__permissions__list}) as udm_events_gcs__principal__asset__attribute__permissions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__process__file__pe_file__section__list { - view_label: "Udm Events Gcs: Observer Process File Pe File Section List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.observer__process__file__pe_file__section__list}) as udm_events_gcs__observer__process__file__pe_file__section__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__process_ancestors__list__item__file__names__list { - view_label: "Udm Events Gcs: Src Process Ancestors List Item File Names List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__src__process_ancestors__list.item__file__names__list}) as udm_events_gcs__src__process_ancestors__list__item__file__names__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__asset__vulnerabilities__list { - view_label: "Udm Events Gcs: About List Item Asset Vulnerabilities List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list.item__asset__vulnerabilities__list}) as udm_events_gcs__about__list__item__asset__vulnerabilities__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__asset__attribute__roles__list { - view_label: "Udm Events Gcs: About List Item Asset Attribute Roles List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list.item__asset__attribute__roles__list}) as udm_events_gcs__about__list__item__asset__attribute__roles__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__asset__attribute__labels__list { - view_label: "Udm Events Gcs: About List Item Asset Attribute Labels List" - sql: LEFT JOIN 
UNNEST(${udm_events_gcs__about__list.item__asset__attribute__labels__list}) as udm_events_gcs__about__list__item__asset__attribute__labels__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__asset__software__list { - view_label: "Udm Events Gcs: Intermediary List Item Asset Software List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list.item__asset__software__list}) as udm_events_gcs__intermediary__list__item__asset__software__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__file__names__list { - view_label: "Udm Events Gcs: Security Result List Item About File Names List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list.item__about__file__names__list}) as udm_events_gcs__security_result__list__item__about__file__names__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__category_details__list { - view_label: "Udm Events Gcs: Security Result List Item Category Details List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list.item__category_details__list}) as udm_events_gcs__security_result__list__item__category_details__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__resource__attribute__permissions__list { - view_label: "Udm Events Gcs: Target Resource Attribute Permissions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.target__resource__attribute__permissions__list}) as udm_events_gcs__target__resource__attribute__permissions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__process__file__pe_file__section__list { - view_label: "Udm Events Gcs: Principal Process File Pe File Section List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.principal__process__file__pe_file__section__list}) as udm_events_gcs__principal__process__file__pe_file__section__list ;; - relationship: one_to_many - } - - join: 
udm_events_gcs__observer__file__pe_file__signature_info__signer__list { - view_label: "Udm Events Gcs: Observer File Pe File Signature Info Signer List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.observer__file__pe_file__signature_info__signer__list}) as udm_events_gcs__observer__file__pe_file__signature_info__signer__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__group__attribute__permissions__list { - view_label: "Udm Events Gcs: Observer Group Attribute Permissions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.observer__group__attribute__permissions__list}) as udm_events_gcs__observer__group__attribute__permissions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__user_management_chain__list { - view_label: "Udm Events Gcs: About List Item User Management Chain List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list.item__user_management_chain__list}) as udm_events_gcs__about__list__item__user_management_chain__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__user__email_addresses__list { - view_label: "Udm Events Gcs: Intermediary List Item User Email Addresses List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list.item__user__email_addresses__list}) as udm_events_gcs__intermediary__list__item__user__email_addresses__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__process__file__pe_file__imports__list { - view_label: "Udm Events Gcs: Target Process File Pe File Imports List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.target__process__file__pe_file__imports__list}) as udm_events_gcs__target__process__file__pe_file__imports__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__file__pe_file__signature_info__signer__list { - view_label: "Udm Events Gcs: Principal File Pe File Signature Info Signer List" - sql: LEFT JOIN 
UNNEST(${udm_events_gcs.principal__file__pe_file__signature_info__signer__list}) as udm_events_gcs__principal__file__pe_file__signature_info__signer__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__group__attribute__permissions__list { - view_label: "Udm Events Gcs: Principal Group Attribute Permissions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.principal__group__attribute__permissions__list}) as udm_events_gcs__principal__group__attribute__permissions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__resource__attribute__permissions__list { - view_label: "Udm Events Gcs: Observer Resource Attribute Permissions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.observer__resource__attribute__permissions__list}) as udm_events_gcs__observer__resource__attribute__permissions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__file__pe_file__imports__list__item__functions__list { - view_label: "Udm Events Gcs: Src File Pe File Imports List Item Functions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__src__file__pe_file__imports__list.item__functions__list}) as udm_events_gcs__src__file__pe_file__imports__list__item__functions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__file__pe_file__imports__list { - view_label: "Udm Events Gcs: About List Item File Pe File Imports List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list.item__file__pe_file__imports__list}) as udm_events_gcs__about__list__item__file__pe_file__imports__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__group__attribute__roles__list { - view_label: "Udm Events Gcs: About List Item Group Attribute Roles List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list.item__group__attribute__roles__list}) as udm_events_gcs__about__list__item__group__attribute__roles__list ;; - relationship: one_to_many - } - - join: 
udm_events_gcs__about__list__item__group__attribute__labels__list { - view_label: "Udm Events Gcs: About List Item Group Attribute Labels List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list.item__group__attribute__labels__list}) as udm_events_gcs__about__list__item__group__attribute__labels__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__process__command_line_history__list { - view_label: "Udm Events Gcs: About List Item Process Command Line History List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list.item__process__command_line_history__list}) as udm_events_gcs__about__list__item__process__command_line_history__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__process_ancestors__list { - view_label: "Udm Events Gcs: Intermediary List Item Process Ancestors List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list.item__process_ancestors__list}) as udm_events_gcs__intermediary__list__item__process_ancestors__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__asset__nat_ip__list { - view_label: "Udm Events Gcs: Security Result List Item About Asset Nat Ip List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list.item__about__asset__nat_ip__list}) as udm_events_gcs__security_result__list__item__about__asset__nat_ip__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__file__pe_file__resources_type_count__list { - view_label: "Udm Events Gcs: Target File Pe File Resources Type Count List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.target__file__pe_file__resources_type_count__list}) as udm_events_gcs__target__file__pe_file__resources_type_count__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__process__file__pe_file__resource__list { - view_label: "Udm Events Gcs: Target Process File Pe File Resource List" - sql: LEFT JOIN 
UNNEST(${udm_events_gcs.target__process__file__pe_file__resource__list}) as udm_events_gcs__target__process__file__pe_file__resource__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__resource__attribute__permissions__list { - view_label: "Udm Events Gcs: Principal Resource Attribute Permissions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.principal__resource__attribute__permissions__list}) as udm_events_gcs__principal__resource__attribute__permissions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__process__file__pe_file__imports__list { - view_label: "Udm Events Gcs: Observer Process File Pe File Imports List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.observer__process__file__pe_file__imports__list}) as udm_events_gcs__observer__process__file__pe_file__imports__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__file__pe_file__resources_language_count__list { - view_label: "Udm Events Gcs: Src File Pe File Resources Language Count List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.src__file__pe_file__resources_language_count__list}) as udm_events_gcs__src__file__pe_file__resources_language_count__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__asset__software__list__item__permissions__list { - view_label: "Udm Events Gcs: Src Asset Software List Item Permissions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__src__asset__software__list.item__permissions__list}) as udm_events_gcs__src__asset__software__list__item__permissions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__file__pe_file__resource__list { - view_label: "Udm Events Gcs: About List Item File Pe File Resource List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list.item__file__pe_file__resource__list}) as udm_events_gcs__about__list__item__file__pe_file__resource__list ;; - relationship: one_to_many - } - - join: 
udm_events_gcs__about__list__item__resource__attribute__roles__list { - view_label: "Udm Events Gcs: About List Item Resource Attribute Roles List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list.item__resource__attribute__roles__list}) as udm_events_gcs__about__list__item__resource__attribute__roles__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__resource__attribute__labels__list { - view_label: "Udm Events Gcs: About List Item Resource Attribute Labels List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list.item__resource__attribute__labels__list}) as udm_events_gcs__about__list__item__resource__attribute__labels__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__file__capabilities_tags__list { - view_label: "Udm Events Gcs: Intermediary List Item File Capabilities Tags List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list.item__file__capabilities_tags__list}) as udm_events_gcs__intermediary__list__item__file__capabilities_tags__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__investigation__comments__list { - view_label: "Udm Events Gcs: Intermediary List Item Investigation Comments List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list.item__investigation__comments__list}) as udm_events_gcs__intermediary__list__item__investigation__comments__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__user__group_identifiers__list { - view_label: "Udm Events Gcs: Intermediary List Item User Group Identifiers List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list.item__user__group_identifiers__list}) as udm_events_gcs__intermediary__list__item__user__group_identifiers__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__process_ancestors__list__item__file__names__list { - view_label: "Udm Events Gcs: Target Process Ancestors List Item File 
Names List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__target__process_ancestors__list.item__file__names__list}) as udm_events_gcs__target__process_ancestors__list__item__file__names__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__process__file__pe_file__imports__list { - view_label: "Udm Events Gcs: Principal Process File Pe File Imports List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.principal__process__file__pe_file__imports__list}) as udm_events_gcs__principal__process__file__pe_file__imports__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__file__pe_file__resources_type_count__list { - view_label: "Udm Events Gcs: Observer File Pe File Resources Type Count List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.observer__file__pe_file__resources_type_count__list}) as udm_events_gcs__observer__file__pe_file__resources_type_count__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__process__file__pe_file__resource__list { - view_label: "Udm Events Gcs: Observer Process File Pe File Resource List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.observer__process__file__pe_file__resource__list}) as udm_events_gcs__observer__process__file__pe_file__resource__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__process__file__pe_file__signature_info__signer__list { - view_label: "Udm Events Gcs: Src Process File Pe File Signature Info Signer List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.src__process__file__pe_file__signature_info__signer__list}) as udm_events_gcs__src__process__file__pe_file__signature_info__signer__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__user_management_chain__list__item__department__list { - view_label: "Udm Events Gcs: Src User Management Chain List Item Department List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__src__user_management_chain__list.item__department__list}) as 
udm_events_gcs__src__user_management_chain__list__item__department__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__process__file__capabilities_tags__list { - view_label: "Udm Events Gcs: About List Item Process File Capabilities Tags List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list.item__process__file__capabilities_tags__list}) as udm_events_gcs__about__list__item__process__file__capabilities_tags__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__group__email_addresses__list { - view_label: "Udm Events Gcs: Intermediary List Item Group Email Addresses List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list.item__group__email_addresses__list}) as udm_events_gcs__intermediary__list__item__group__email_addresses__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__resource_ancestors__list { - view_label: "Udm Events Gcs: Intermediary List Item Resource Ancestors List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list.item__resource_ancestors__list}) as udm_events_gcs__intermediary__list__item__resource_ancestors__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__detection_fields__list { - view_label: "Udm Events Gcs: Security Result List Item Detection Fields List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list.item__detection_fields__list}) as udm_events_gcs__security_result__list__item__detection_fields__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__file__pe_file__resources_type_count__list { - view_label: "Udm Events Gcs: Principal File Pe File Resources Type Count List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.principal__file__pe_file__resources_type_count__list}) as udm_events_gcs__principal__file__pe_file__resources_type_count__list ;; - relationship: one_to_many - } - - join: 
udm_events_gcs__principal__process__file__pe_file__resource__list { - view_label: "Udm Events Gcs: Principal Process File Pe File Resource List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.principal__process__file__pe_file__resource__list}) as udm_events_gcs__principal__process__file__pe_file__resource__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__process_ancestors__list__item__file__names__list { - view_label: "Udm Events Gcs: Observer Process Ancestors List Item File Names List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__observer__process_ancestors__list.item__file__names__list}) as udm_events_gcs__observer__process_ancestors__list__item__file__names__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__user__attribute__permissions__list { - view_label: "Udm Events Gcs: About List Item User Attribute Permissions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list.item__user__attribute__permissions__list}) as udm_events_gcs__about__list__item__user__attribute__permissions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__user__department__list { - view_label: "Udm Events Gcs: Security Result List Item About User Department List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list.item__about__user__department__list}) as udm_events_gcs__security_result__list__item__about__user__department__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__file__pe_file__imports__list__item__functions__list { - view_label: "Udm Events Gcs: Target File Pe File Imports List Item Functions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__target__file__pe_file__imports__list.item__functions__list}) as udm_events_gcs__target__file__pe_file__imports__list__item__functions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__process_ancestors__list__item__file__names__list { - view_label: "Udm Events Gcs: 
Principal Process Ancestors List Item File Names List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__principal__process_ancestors__list.item__file__names__list}) as udm_events_gcs__principal__process_ancestors__list__item__file__names__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__asset__attribute__permissions__list { - view_label: "Udm Events Gcs: About List Item Asset Attribute Permissions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list.item__asset__attribute__permissions__list}) as udm_events_gcs__about__list__item__asset__attribute__permissions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__file__pe_file__section__list { - view_label: "Udm Events Gcs: Intermediary List Item File Pe File Section List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list.item__file__pe_file__section__list}) as udm_events_gcs__intermediary__list__item__file__pe_file__section__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__user__time_off__list { - view_label: "Udm Events Gcs: Intermediary List Item User Time Off List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list.item__user__time_off__list}) as udm_events_gcs__intermediary__list__item__user__time_off__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__user__attribute__roles__list { - view_label: "Udm Events Gcs: Intermediary List Item User Attribute Roles List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list.item__user__attribute__roles__list}) as udm_events_gcs__intermediary__list__item__user__attribute__roles__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__user__attribute__labels__list { - view_label: "Udm Events Gcs: Intermediary List Item User Attribute Labels List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list.item__user__attribute__labels__list}) as 
udm_events_gcs__intermediary__list__item__user__attribute__labels__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__file__pe_file__resources_language_count__list { - view_label: "Udm Events Gcs: Target File Pe File Resources Language Count List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.target__file__pe_file__resources_language_count__list}) as udm_events_gcs__target__file__pe_file__resources_language_count__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__asset__software__list__item__permissions__list { - view_label: "Udm Events Gcs: Target Asset Software List Item Permissions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__target__asset__software__list.item__permissions__list}) as udm_events_gcs__target__asset__software__list__item__permissions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__file__pe_file__imports__list__item__functions__list { - view_label: "Udm Events Gcs: Observer File Pe File Imports List Item Functions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__observer__file__pe_file__imports__list.item__functions__list}) as udm_events_gcs__observer__file__pe_file__imports__list__item__functions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__process__file__pe_file__resources_type_count__list { - view_label: "Udm Events Gcs: Src Process File Pe File Resources Type Count List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.src__process__file__pe_file__resources_type_count__list}) as udm_events_gcs__src__process__file__pe_file__resources_type_count__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__user_management_chain__list__item__phone_numbers__list { - view_label: "Udm Events Gcs: Src User Management Chain List Item Phone Numbers List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__src__user_management_chain__list.item__phone_numbers__list}) as udm_events_gcs__src__user_management_chain__list__item__phone_numbers__list ;; - relationship: 
one_to_many - } - - join: udm_events_gcs__about__list__item__process__file__pe_file__section__list { - view_label: "Udm Events Gcs: About List Item Process File Pe File Section List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list.item__process__file__pe_file__section__list}) as udm_events_gcs__about__list__item__process__file__pe_file__section__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__asset__vulnerabilities__list { - view_label: "Udm Events Gcs: Intermediary List Item Asset Vulnerabilities List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list.item__asset__vulnerabilities__list}) as udm_events_gcs__intermediary__list__item__asset__vulnerabilities__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__asset__attribute__roles__list { - view_label: "Udm Events Gcs: Intermediary List Item Asset Attribute Roles List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list.item__asset__attribute__roles__list}) as udm_events_gcs__intermediary__list__item__asset__attribute__roles__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__asset__attribute__labels__list { - view_label: "Udm Events Gcs: Intermediary List Item Asset Attribute Labels List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list.item__asset__attribute__labels__list}) as udm_events_gcs__intermediary__list__item__asset__attribute__labels__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__process__file__pe_file__signature_info__signer__list { - view_label: "Udm Events Gcs: Target Process File Pe File Signature Info Signer List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.target__process__file__pe_file__signature_info__signer__list}) as udm_events_gcs__target__process__file__pe_file__signature_info__signer__list ;; - relationship: one_to_many - } - - join: 
udm_events_gcs__target__user_management_chain__list__item__department__list { - view_label: "Udm Events Gcs: Target User Management Chain List Item Department List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__target__user_management_chain__list.item__department__list}) as udm_events_gcs__target__user_management_chain__list__item__department__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__file__pe_file__imports__list__item__functions__list { - view_label: "Udm Events Gcs: Principal File Pe File Imports List Item Functions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__principal__file__pe_file__imports__list.item__functions__list}) as udm_events_gcs__principal__file__pe_file__imports__list__item__functions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__file__pe_file__resources_language_count__list { - view_label: "Udm Events Gcs: Observer File Pe File Resources Language Count List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.observer__file__pe_file__resources_language_count__list}) as udm_events_gcs__observer__file__pe_file__resources_language_count__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__asset__software__list__item__permissions__list { - view_label: "Udm Events Gcs: Observer Asset Software List Item Permissions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__observer__asset__software__list.item__permissions__list}) as udm_events_gcs__observer__asset__software__list__item__permissions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__file__pe_file__signature_info__signer__list { - view_label: "Udm Events Gcs: About List Item File Pe File Signature Info Signer List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list.item__file__pe_file__signature_info__signer__list}) as udm_events_gcs__about__list__item__file__pe_file__signature_info__signer__list ;; - relationship: one_to_many - } - - join: 
udm_events_gcs__about__list__item__group__attribute__permissions__list { - view_label: "Udm Events Gcs: About List Item Group Attribute Permissions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list.item__group__attribute__permissions__list}) as udm_events_gcs__about__list__item__group__attribute__permissions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__user_management_chain__list { - view_label: "Udm Events Gcs: Intermediary List Item User Management Chain List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list.item__user_management_chain__list}) as udm_events_gcs__intermediary__list__item__user_management_chain__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__process__file__names__list { - view_label: "Udm Events Gcs: Security Result List Item About Process File Names List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list.item__about__process__file__names__list}) as udm_events_gcs__security_result__list__item__about__process__file__names__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__asset__hardware__list { - view_label: "Udm Events Gcs: Security Result List Item About Asset Hardware List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list.item__about__asset__hardware__list}) as udm_events_gcs__security_result__list__item__about__asset__hardware__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__user__phone_numbers__list { - view_label: "Udm Events Gcs: Security Result List Item About User Phone Numbers List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list.item__about__user__phone_numbers__list}) as udm_events_gcs__security_result__list__item__about__user__phone_numbers__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__file__pe_file__resources_language_count__list { 
- view_label: "Udm Events Gcs: Principal File Pe File Resources Language Count List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.principal__file__pe_file__resources_language_count__list}) as udm_events_gcs__principal__file__pe_file__resources_language_count__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__asset__software__list__item__permissions__list { - view_label: "Udm Events Gcs: Principal Asset Software List Item Permissions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__principal__asset__software__list.item__permissions__list}) as udm_events_gcs__principal__asset__software__list__item__permissions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__process__file__pe_file__signature_info__signer__list { - view_label: "Udm Events Gcs: Observer Process File Pe File Signature Info Signer List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.observer__process__file__pe_file__signature_info__signer__list}) as udm_events_gcs__observer__process__file__pe_file__signature_info__signer__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__user_management_chain__list__item__department__list { - view_label: "Udm Events Gcs: Observer User Management Chain List Item Department List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__observer__user_management_chain__list.item__department__list}) as udm_events_gcs__observer__user_management_chain__list__item__department__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__user_management_chain__list__item__email_addresses__list { - view_label: "Udm Events Gcs: Src User Management Chain List Item Email Addresses List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__src__user_management_chain__list.item__email_addresses__list}) as udm_events_gcs__src__user_management_chain__list__item__email_addresses__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__resource__attribute__permissions__list { - view_label: "Udm Events Gcs: 
About List Item Resource Attribute Permissions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list.item__resource__attribute__permissions__list}) as udm_events_gcs__about__list__item__resource__attribute__permissions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__file__pe_file__imports__list { - view_label: "Udm Events Gcs: Intermediary List Item File Pe File Imports List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list.item__file__pe_file__imports__list}) as udm_events_gcs__intermediary__list__item__file__pe_file__imports__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__group__attribute__roles__list { - view_label: "Udm Events Gcs: Intermediary List Item Group Attribute Roles List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list.item__group__attribute__roles__list}) as udm_events_gcs__intermediary__list__item__group__attribute__roles__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__group__attribute__labels__list { - view_label: "Udm Events Gcs: Intermediary List Item Group Attribute Labels List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list.item__group__attribute__labels__list}) as udm_events_gcs__intermediary__list__item__group__attribute__labels__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__process__command_line_history__list { - view_label: "Udm Events Gcs: Intermediary List Item Process Command Line History List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list.item__process__command_line_history__list}) as udm_events_gcs__intermediary__list__item__process__command_line_history__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__asset__software__list { - view_label: "Udm Events Gcs: Security Result List Item About Asset Software List" - sql: LEFT JOIN 
UNNEST(${udm_events_gcs__security_result__list.item__about__asset__software__list}) as udm_events_gcs__security_result__list__item__about__asset__software__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__process__file__pe_file__signature_info__signer__list { - view_label: "Udm Events Gcs: Principal Process File Pe File Signature Info Signer List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.principal__process__file__pe_file__signature_info__signer__list}) as udm_events_gcs__principal__process__file__pe_file__signature_info__signer__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__user_management_chain__list__item__department__list { - view_label: "Udm Events Gcs: Principal User Management Chain List Item Department List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__principal__user_management_chain__list.item__department__list}) as udm_events_gcs__principal__user_management_chain__list__item__department__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__process__file__pe_file__imports__list__item__functions__list { - view_label: "Udm Events Gcs: Src Process File Pe File Imports List Item Functions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__src__process__file__pe_file__imports__list.item__functions__list}) as udm_events_gcs__src__process__file__pe_file__imports__list__item__functions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__process_ancestors__list__item__command_line_history__list { - view_label: "Udm Events Gcs: Src Process Ancestors List Item Command Line History List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__src__process_ancestors__list.item__command_line_history__list}) as udm_events_gcs__src__process_ancestors__list__item__command_line_history__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__process__file__pe_file__imports__list { - view_label: "Udm Events Gcs: About List Item Process File Pe File Imports List" - sql: 
LEFT JOIN UNNEST(${udm_events_gcs__about__list.item__process__file__pe_file__imports__list}) as udm_events_gcs__about__list__item__process__file__pe_file__imports__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__file__pe_file__resource__list { - view_label: "Udm Events Gcs: Intermediary List Item File Pe File Resource List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list.item__file__pe_file__resource__list}) as udm_events_gcs__intermediary__list__item__file__pe_file__resource__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__resource__attribute__roles__list { - view_label: "Udm Events Gcs: Intermediary List Item Resource Attribute Roles List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list.item__resource__attribute__roles__list}) as udm_events_gcs__intermediary__list__item__resource__attribute__roles__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__resource__attribute__labels__list { - view_label: "Udm Events Gcs: Intermediary List Item Resource Attribute Labels List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list.item__resource__attribute__labels__list}) as udm_events_gcs__intermediary__list__item__resource__attribute__labels__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__user__email_addresses__list { - view_label: "Udm Events Gcs: Security Result List Item About User Email Addresses List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list.item__about__user__email_addresses__list}) as udm_events_gcs__security_result__list__item__about__user__email_addresses__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__process__file__pe_file__resources_type_count__list { - view_label: "Udm Events Gcs: Target Process File Pe File Resources Type Count List" - sql: LEFT JOIN 
UNNEST(${udm_events_gcs.target__process__file__pe_file__resources_type_count__list}) as udm_events_gcs__target__process__file__pe_file__resources_type_count__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__user_management_chain__list__item__phone_numbers__list { - view_label: "Udm Events Gcs: Target User Management Chain List Item Phone Numbers List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__target__user_management_chain__list.item__phone_numbers__list}) as udm_events_gcs__target__user_management_chain__list__item__phone_numbers__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__process__file__pe_file__resources_language_count__list { - view_label: "Udm Events Gcs: Src Process File Pe File Resources Language Count List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.src__process__file__pe_file__resources_language_count__list}) as udm_events_gcs__src__process__file__pe_file__resources_language_count__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__resource_ancestors__list__item__attribute__roles__list { - view_label: "Udm Events Gcs: Src Resource Ancestors List Item Attribute Roles List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__src__resource_ancestors__list.item__attribute__roles__list}) as udm_events_gcs__src__resource_ancestors__list__item__attribute__roles__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__resource_ancestors__list__item__attribute__labels__list { - view_label: "Udm Events Gcs: Src Resource Ancestors List Item Attribute Labels List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__src__resource_ancestors__list.item__attribute__labels__list}) as udm_events_gcs__src__resource_ancestors__list__item__attribute__labels__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__user_management_chain__list__item__group_identifiers__list { - view_label: "Udm Events Gcs: Src User Management Chain List Item Group Identifiers List" - sql: LEFT JOIN 
UNNEST(${udm_events_gcs__src__user_management_chain__list.item__group_identifiers__list}) as udm_events_gcs__src__user_management_chain__list__item__group_identifiers__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__file__pe_file__resources_type_count__list { - view_label: "Udm Events Gcs: About List Item File Pe File Resources Type Count List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list.item__file__pe_file__resources_type_count__list}) as udm_events_gcs__about__list__item__file__pe_file__resources_type_count__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__process__file__pe_file__resource__list { - view_label: "Udm Events Gcs: About List Item Process File Pe File Resource List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list.item__process__file__pe_file__resource__list}) as udm_events_gcs__about__list__item__process__file__pe_file__resource__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__process__file__capabilities_tags__list { - view_label: "Udm Events Gcs: Intermediary List Item Process File Capabilities Tags List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list.item__process__file__capabilities_tags__list}) as udm_events_gcs__intermediary__list__item__process__file__capabilities_tags__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__process_ancestors__list { - view_label: "Udm Events Gcs: Security Result List Item About Process Ancestors List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list.item__about__process_ancestors__list}) as udm_events_gcs__security_result__list__item__about__process_ancestors__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__process__file__pe_file__resources_type_count__list { - view_label: "Udm Events Gcs: Observer Process File Pe File Resources Type Count List" - sql: LEFT JOIN 
UNNEST(${udm_events_gcs.observer__process__file__pe_file__resources_type_count__list}) as udm_events_gcs__observer__process__file__pe_file__resources_type_count__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__user_management_chain__list__item__phone_numbers__list { - view_label: "Udm Events Gcs: Observer User Management Chain List Item Phone Numbers List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__observer__user_management_chain__list.item__phone_numbers__list}) as udm_events_gcs__observer__user_management_chain__list__item__phone_numbers__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__process_ancestors__list__item__file__capabilities_tags__list { - view_label: "Udm Events Gcs: Src Process Ancestors List Item File Capabilities Tags List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__src__process_ancestors__list.item__file__capabilities_tags__list}) as udm_events_gcs__src__process_ancestors__list__item__file__capabilities_tags__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__process_ancestors__list__item__file__names__list { - view_label: "Udm Events Gcs: About List Item Process Ancestors List Item File Names List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list__item__process_ancestors__list.item__file__names__list}) as udm_events_gcs__about__list__item__process_ancestors__list__item__file__names__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__user__attribute__permissions__list { - view_label: "Udm Events Gcs: Intermediary List Item User Attribute Permissions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list.item__user__attribute__permissions__list}) as udm_events_gcs__intermediary__list__item__user__attribute__permissions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__file__capabilities_tags__list { - view_label: "Udm Events Gcs: Security Result List Item 
About File Capabilities Tags List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list.item__about__file__capabilities_tags__list}) as udm_events_gcs__security_result__list__item__about__file__capabilities_tags__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__investigation__comments__list { - view_label: "Udm Events Gcs: Security Result List Item About Investigation Comments List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list.item__about__investigation__comments__list}) as udm_events_gcs__security_result__list__item__about__investigation__comments__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__user__group_identifiers__list { - view_label: "Udm Events Gcs: Security Result List Item About User Group Identifiers List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list.item__about__user__group_identifiers__list}) as udm_events_gcs__security_result__list__item__about__user__group_identifiers__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__user_management_chain__list__item__email_addresses__list { - view_label: "Udm Events Gcs: Target User Management Chain List Item Email Addresses List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__target__user_management_chain__list.item__email_addresses__list}) as udm_events_gcs__target__user_management_chain__list__item__email_addresses__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__process__file__pe_file__resources_type_count__list { - view_label: "Udm Events Gcs: Principal Process File Pe File Resources Type Count List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.principal__process__file__pe_file__resources_type_count__list}) as udm_events_gcs__principal__process__file__pe_file__resources_type_count__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__user_management_chain__list__item__phone_numbers__list { 
- view_label: "Udm Events Gcs: Principal User Management Chain List Item Phone Numbers List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__principal__user_management_chain__list.item__phone_numbers__list}) as udm_events_gcs__principal__user_management_chain__list__item__phone_numbers__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__asset__attribute__permissions__list { - view_label: "Udm Events Gcs: Intermediary List Item Asset Attribute Permissions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list.item__asset__attribute__permissions__list}) as udm_events_gcs__intermediary__list__item__asset__attribute__permissions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__group__email_addresses__list { - view_label: "Udm Events Gcs: Security Result List Item About Group Email Addresses List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list.item__about__group__email_addresses__list}) as udm_events_gcs__security_result__list__item__about__group__email_addresses__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__resource_ancestors__list { - view_label: "Udm Events Gcs: Security Result List Item About Resource Ancestors List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list.item__about__resource_ancestors__list}) as udm_events_gcs__security_result__list__item__about__resource_ancestors__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__process__file__pe_file__imports__list__item__functions__list { - view_label: "Udm Events Gcs: Target Process File Pe File Imports List Item Functions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__target__process__file__pe_file__imports__list.item__functions__list}) as udm_events_gcs__target__process__file__pe_file__imports__list__item__functions__list ;; - relationship: one_to_many - } - - join: 
udm_events_gcs__target__process_ancestors__list__item__command_line_history__list { - view_label: "Udm Events Gcs: Target Process Ancestors List Item Command Line History List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__target__process_ancestors__list.item__command_line_history__list}) as udm_events_gcs__target__process_ancestors__list__item__command_line_history__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__user_management_chain__list__item__email_addresses__list { - view_label: "Udm Events Gcs: Observer User Management Chain List Item Email Addresses List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__observer__user_management_chain__list.item__email_addresses__list}) as udm_events_gcs__observer__user_management_chain__list__item__email_addresses__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__user_management_chain__list__item__time_off__list { - view_label: "Udm Events Gcs: Src User Management Chain List Item Time Off List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__src__user_management_chain__list.item__time_off__list}) as udm_events_gcs__src__user_management_chain__list__item__time_off__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__user_management_chain__list__item__attribute__roles__list { - view_label: "Udm Events Gcs: Src User Management Chain List Item Attribute Roles List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__src__user_management_chain__list.item__attribute__roles__list}) as udm_events_gcs__src__user_management_chain__list__item__attribute__roles__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__user_management_chain__list__item__attribute__labels__list { - view_label: "Udm Events Gcs: Src User Management Chain List Item Attribute Labels List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__src__user_management_chain__list.item__attribute__labels__list}) as udm_events_gcs__src__user_management_chain__list__item__attribute__labels__list ;; - relationship: 
one_to_many - } - - join: udm_events_gcs__about__list__item__file__pe_file__imports__list__item__functions__list { - view_label: "Udm Events Gcs: About List Item File Pe File Imports List Item Functions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list__item__file__pe_file__imports__list.item__functions__list}) as udm_events_gcs__about__list__item__file__pe_file__imports__list__item__functions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__process__file__pe_file__section__list { - view_label: "Udm Events Gcs: Intermediary List Item Process File Pe File Section List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list.item__process__file__pe_file__section__list}) as udm_events_gcs__intermediary__list__item__process__file__pe_file__section__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__process__file__pe_file__resources_language_count__list { - view_label: "Udm Events Gcs: Target Process File Pe File Resources Language Count List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.target__process__file__pe_file__resources_language_count__list}) as udm_events_gcs__target__process__file__pe_file__resources_language_count__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__resource_ancestors__list__item__attribute__roles__list { - view_label: "Udm Events Gcs: Target Resource Ancestors List Item Attribute Roles List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__target__resource_ancestors__list.item__attribute__roles__list}) as udm_events_gcs__target__resource_ancestors__list__item__attribute__roles__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__resource_ancestors__list__item__attribute__labels__list { - view_label: "Udm Events Gcs: Target Resource Ancestors List Item Attribute Labels List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__target__resource_ancestors__list.item__attribute__labels__list}) as 
udm_events_gcs__target__resource_ancestors__list__item__attribute__labels__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__user_management_chain__list__item__group_identifiers__list { - view_label: "Udm Events Gcs: Target User Management Chain List Item Group Identifiers List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__target__user_management_chain__list.item__group_identifiers__list}) as udm_events_gcs__target__user_management_chain__list__item__group_identifiers__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__user_management_chain__list__item__email_addresses__list { - view_label: "Udm Events Gcs: Principal User Management Chain List Item Email Addresses List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__principal__user_management_chain__list.item__email_addresses__list}) as udm_events_gcs__principal__user_management_chain__list__item__email_addresses__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__process__file__pe_file__imports__list__item__functions__list { - view_label: "Udm Events Gcs: Observer Process File Pe File Imports List Item Functions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__observer__process__file__pe_file__imports__list.item__functions__list}) as udm_events_gcs__observer__process__file__pe_file__imports__list__item__functions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__process_ancestors__list__item__command_line_history__list { - view_label: "Udm Events Gcs: Observer Process Ancestors List Item Command Line History List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__observer__process_ancestors__list.item__command_line_history__list}) as udm_events_gcs__observer__process_ancestors__list__item__command_line_history__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__process_ancestors__list__item__file__pe_file__section__list { - view_label: "Udm Events Gcs: Src Process Ancestors List Item File Pe File Section List" 
- sql: LEFT JOIN UNNEST(${udm_events_gcs__src__process_ancestors__list.item__file__pe_file__section__list}) as udm_events_gcs__src__process_ancestors__list__item__file__pe_file__section__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__file__pe_file__resources_language_count__list { - view_label: "Udm Events Gcs: About List Item File Pe File Resources Language Count List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list.item__file__pe_file__resources_language_count__list}) as udm_events_gcs__about__list__item__file__pe_file__resources_language_count__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__asset__software__list__item__permissions__list { - view_label: "Udm Events Gcs: About List Item Asset Software List Item Permissions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list__item__asset__software__list.item__permissions__list}) as udm_events_gcs__about__list__item__asset__software__list__item__permissions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__file__pe_file__signature_info__signer__list { - view_label: "Udm Events Gcs: Intermediary List Item File Pe File Signature Info Signer List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list.item__file__pe_file__signature_info__signer__list}) as udm_events_gcs__intermediary__list__item__file__pe_file__signature_info__signer__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__group__attribute__permissions__list { - view_label: "Udm Events Gcs: Intermediary List Item Group Attribute Permissions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list.item__group__attribute__permissions__list}) as udm_events_gcs__intermediary__list__item__group__attribute__permissions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__file__pe_file__section__list { - view_label: "Udm Events 
Gcs: Security Result List Item About File Pe File Section List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list.item__about__file__pe_file__section__list}) as udm_events_gcs__security_result__list__item__about__file__pe_file__section__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__user__time_off__list { - view_label: "Udm Events Gcs: Security Result List Item About User Time Off List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list.item__about__user__time_off__list}) as udm_events_gcs__security_result__list__item__about__user__time_off__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__user__attribute__roles__list { - view_label: "Udm Events Gcs: Security Result List Item About User Attribute Roles List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list.item__about__user__attribute__roles__list}) as udm_events_gcs__security_result__list__item__about__user__attribute__roles__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__user__attribute__labels__list { - view_label: "Udm Events Gcs: Security Result List Item About User Attribute Labels List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list.item__about__user__attribute__labels__list}) as udm_events_gcs__security_result__list__item__about__user__attribute__labels__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__process_ancestors__list__item__file__capabilities_tags__list { - view_label: "Udm Events Gcs: Target Process Ancestors List Item File Capabilities Tags List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__target__process_ancestors__list.item__file__capabilities_tags__list}) as udm_events_gcs__target__process_ancestors__list__item__file__capabilities_tags__list ;; - relationship: one_to_many - } - - join: 
udm_events_gcs__principal__process__file__pe_file__imports__list__item__functions__list { - view_label: "Udm Events Gcs: Principal Process File Pe File Imports List Item Functions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__principal__process__file__pe_file__imports__list.item__functions__list}) as udm_events_gcs__principal__process__file__pe_file__imports__list__item__functions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__process_ancestors__list__item__command_line_history__list { - view_label: "Udm Events Gcs: Principal Process Ancestors List Item Command Line History List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__principal__process_ancestors__list.item__command_line_history__list}) as udm_events_gcs__principal__process_ancestors__list__item__command_line_history__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__process__file__pe_file__resources_language_count__list { - view_label: "Udm Events Gcs: Observer Process File Pe File Resources Language Count List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.observer__process__file__pe_file__resources_language_count__list}) as udm_events_gcs__observer__process__file__pe_file__resources_language_count__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__resource_ancestors__list__item__attribute__roles__list { - view_label: "Udm Events Gcs: Observer Resource Ancestors List Item Attribute Roles List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__observer__resource_ancestors__list.item__attribute__roles__list}) as udm_events_gcs__observer__resource_ancestors__list__item__attribute__roles__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__resource_ancestors__list__item__attribute__labels__list { - view_label: "Udm Events Gcs: Observer Resource Ancestors List Item Attribute Labels List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__observer__resource_ancestors__list.item__attribute__labels__list}) as 
udm_events_gcs__observer__resource_ancestors__list__item__attribute__labels__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__user_management_chain__list__item__group_identifiers__list { - view_label: "Udm Events Gcs: Observer User Management Chain List Item Group Identifiers List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__observer__user_management_chain__list.item__group_identifiers__list}) as udm_events_gcs__observer__user_management_chain__list__item__group_identifiers__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__process__file__pe_file__signature_info__signer__list { - view_label: "Udm Events Gcs: About List Item Process File Pe File Signature Info Signer List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list.item__process__file__pe_file__signature_info__signer__list}) as udm_events_gcs__about__list__item__process__file__pe_file__signature_info__signer__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__user_management_chain__list__item__department__list { - view_label: "Udm Events Gcs: About List Item User Management Chain List Item Department List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list__item__user_management_chain__list.item__department__list}) as udm_events_gcs__about__list__item__user_management_chain__list__item__department__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__resource__attribute__permissions__list { - view_label: "Udm Events Gcs: Intermediary List Item Resource Attribute Permissions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list.item__resource__attribute__permissions__list}) as udm_events_gcs__intermediary__list__item__resource__attribute__permissions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__asset__vulnerabilities__list { - view_label: "Udm Events Gcs: Security Result List Item About Asset 
Vulnerabilities List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list.item__about__asset__vulnerabilities__list}) as udm_events_gcs__security_result__list__item__about__asset__vulnerabilities__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__asset__attribute__roles__list { - view_label: "Udm Events Gcs: Security Result List Item About Asset Attribute Roles List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list.item__about__asset__attribute__roles__list}) as udm_events_gcs__security_result__list__item__about__asset__attribute__roles__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__asset__attribute__labels__list { - view_label: "Udm Events Gcs: Security Result List Item About Asset Attribute Labels List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list.item__about__asset__attribute__labels__list}) as udm_events_gcs__security_result__list__item__about__asset__attribute__labels__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__process__file__pe_file__resources_language_count__list { - view_label: "Udm Events Gcs: Principal Process File Pe File Resources Language Count List" - sql: LEFT JOIN UNNEST(${udm_events_gcs.principal__process__file__pe_file__resources_language_count__list}) as udm_events_gcs__principal__process__file__pe_file__resources_language_count__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__resource_ancestors__list__item__attribute__roles__list { - view_label: "Udm Events Gcs: Principal Resource Ancestors List Item Attribute Roles List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__principal__resource_ancestors__list.item__attribute__roles__list}) as udm_events_gcs__principal__resource_ancestors__list__item__attribute__roles__list ;; - relationship: one_to_many - } - - join: 
udm_events_gcs__principal__resource_ancestors__list__item__attribute__labels__list { - view_label: "Udm Events Gcs: Principal Resource Ancestors List Item Attribute Labels List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__principal__resource_ancestors__list.item__attribute__labels__list}) as udm_events_gcs__principal__resource_ancestors__list__item__attribute__labels__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__user_management_chain__list__item__group_identifiers__list { - view_label: "Udm Events Gcs: Principal User Management Chain List Item Group Identifiers List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__principal__user_management_chain__list.item__group_identifiers__list}) as udm_events_gcs__principal__user_management_chain__list__item__group_identifiers__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__process_ancestors__list__item__file__capabilities_tags__list { - view_label: "Udm Events Gcs: Observer Process Ancestors List Item File Capabilities Tags List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__observer__process_ancestors__list.item__file__capabilities_tags__list}) as udm_events_gcs__observer__process_ancestors__list__item__file__capabilities_tags__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__resource_ancestors__list__item__attribute__permissions__list { - view_label: "Udm Events Gcs: Src Resource Ancestors List Item Attribute Permissions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__src__resource_ancestors__list.item__attribute__permissions__list}) as udm_events_gcs__src__resource_ancestors__list__item__attribute__permissions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__process__file__pe_file__imports__list { - view_label: "Udm Events Gcs: Intermediary List Item Process File Pe File Imports List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list.item__process__file__pe_file__imports__list}) as 
udm_events_gcs__intermediary__list__item__process__file__pe_file__imports__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__user_management_chain__list { - view_label: "Udm Events Gcs: Security Result List Item About User Management Chain List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list.item__about__user_management_chain__list}) as udm_events_gcs__security_result__list__item__about__user_management_chain__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__user_management_chain__list__item__time_off__list { - view_label: "Udm Events Gcs: Target User Management Chain List Item Time Off List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__target__user_management_chain__list.item__time_off__list}) as udm_events_gcs__target__user_management_chain__list__item__time_off__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__user_management_chain__list__item__attribute__roles__list { - view_label: "Udm Events Gcs: Target User Management Chain List Item Attribute Roles List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__target__user_management_chain__list.item__attribute__roles__list}) as udm_events_gcs__target__user_management_chain__list__item__attribute__roles__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__user_management_chain__list__item__attribute__labels__list { - view_label: "Udm Events Gcs: Target User Management Chain List Item Attribute Labels List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__target__user_management_chain__list.item__attribute__labels__list}) as udm_events_gcs__target__user_management_chain__list__item__attribute__labels__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__process_ancestors__list__item__file__capabilities_tags__list { - view_label: "Udm Events Gcs: Principal Process Ancestors List Item File Capabilities Tags List" - sql: LEFT JOIN 
UNNEST(${udm_events_gcs__principal__process_ancestors__list.item__file__capabilities_tags__list}) as udm_events_gcs__principal__process_ancestors__list__item__file__capabilities_tags__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__process_ancestors__list__item__file__pe_file__imports__list { - view_label: "Udm Events Gcs: Src Process Ancestors List Item File Pe File Imports List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__src__process_ancestors__list.item__file__pe_file__imports__list}) as udm_events_gcs__src__process_ancestors__list__item__file__pe_file__imports__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__file__pe_file__resources_type_count__list { - view_label: "Udm Events Gcs: Intermediary List Item File Pe File Resources Type Count List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list.item__file__pe_file__resources_type_count__list}) as udm_events_gcs__intermediary__list__item__file__pe_file__resources_type_count__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__process__file__pe_file__resource__list { - view_label: "Udm Events Gcs: Intermediary List Item Process File Pe File Resource List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list.item__process__file__pe_file__resource__list}) as udm_events_gcs__intermediary__list__item__process__file__pe_file__resource__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__file__pe_file__imports__list { - view_label: "Udm Events Gcs: Security Result List Item About File Pe File Imports List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list.item__about__file__pe_file__imports__list}) as udm_events_gcs__security_result__list__item__about__file__pe_file__imports__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__group__attribute__roles__list { - view_label: "Udm Events 
Gcs: Security Result List Item About Group Attribute Roles List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list.item__about__group__attribute__roles__list}) as udm_events_gcs__security_result__list__item__about__group__attribute__roles__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__group__attribute__labels__list { - view_label: "Udm Events Gcs: Security Result List Item About Group Attribute Labels List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list.item__about__group__attribute__labels__list}) as udm_events_gcs__security_result__list__item__about__group__attribute__labels__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__process__command_line_history__list { - view_label: "Udm Events Gcs: Security Result List Item About Process Command Line History List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list.item__about__process__command_line_history__list}) as udm_events_gcs__security_result__list__item__about__process__command_line_history__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__process_ancestors__list__item__file__pe_file__section__list { - view_label: "Udm Events Gcs: Target Process Ancestors List Item File Pe File Section List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__target__process_ancestors__list.item__file__pe_file__section__list}) as udm_events_gcs__target__process_ancestors__list__item__file__pe_file__section__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__user_management_chain__list__item__time_off__list { - view_label: "Udm Events Gcs: Observer User Management Chain List Item Time Off List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__observer__user_management_chain__list.item__time_off__list}) as udm_events_gcs__observer__user_management_chain__list__item__time_off__list ;; - relationship: one_to_many - } - - join: 
udm_events_gcs__observer__user_management_chain__list__item__attribute__roles__list { - view_label: "Udm Events Gcs: Observer User Management Chain List Item Attribute Roles List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__observer__user_management_chain__list.item__attribute__roles__list}) as udm_events_gcs__observer__user_management_chain__list__item__attribute__roles__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__user_management_chain__list__item__attribute__labels__list { - view_label: "Udm Events Gcs: Observer User Management Chain List Item Attribute Labels List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__observer__user_management_chain__list.item__attribute__labels__list}) as udm_events_gcs__observer__user_management_chain__list__item__attribute__labels__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__process_ancestors__list__item__file__pe_file__resource__list { - view_label: "Udm Events Gcs: Src Process Ancestors List Item File Pe File Resource List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__src__process_ancestors__list.item__file__pe_file__resource__list}) as udm_events_gcs__src__process_ancestors__list__item__file__pe_file__resource__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__process__file__pe_file__resources_type_count__list { - view_label: "Udm Events Gcs: About List Item Process File Pe File Resources Type Count List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list.item__process__file__pe_file__resources_type_count__list}) as udm_events_gcs__about__list__item__process__file__pe_file__resources_type_count__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__user_management_chain__list__item__phone_numbers__list { - view_label: "Udm Events Gcs: About List Item User Management Chain List Item Phone Numbers List" - sql: LEFT JOIN 
UNNEST(${udm_events_gcs__about__list__item__user_management_chain__list.item__phone_numbers__list}) as udm_events_gcs__about__list__item__user_management_chain__list__item__phone_numbers__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__process_ancestors__list__item__file__names__list { - view_label: "Udm Events Gcs: Intermediary List Item Process Ancestors List Item File Names List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list__item__process_ancestors__list.item__file__names__list}) as udm_events_gcs__intermediary__list__item__process_ancestors__list__item__file__names__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__file__pe_file__resource__list { - view_label: "Udm Events Gcs: Security Result List Item About File Pe File Resource List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list.item__about__file__pe_file__resource__list}) as udm_events_gcs__security_result__list__item__about__file__pe_file__resource__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__resource__attribute__roles__list { - view_label: "Udm Events Gcs: Security Result List Item About Resource Attribute Roles List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list.item__about__resource__attribute__roles__list}) as udm_events_gcs__security_result__list__item__about__resource__attribute__roles__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__resource__attribute__labels__list { - view_label: "Udm Events Gcs: Security Result List Item About Resource Attribute Labels List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list.item__about__resource__attribute__labels__list}) as udm_events_gcs__security_result__list__item__about__resource__attribute__labels__list ;; - relationship: one_to_many - } - - join: 
udm_events_gcs__principal__user_management_chain__list__item__time_off__list { - view_label: "Udm Events Gcs: Principal User Management Chain List Item Time Off List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__principal__user_management_chain__list.item__time_off__list}) as udm_events_gcs__principal__user_management_chain__list__item__time_off__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__user_management_chain__list__item__attribute__roles__list { - view_label: "Udm Events Gcs: Principal User Management Chain List Item Attribute Roles List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__principal__user_management_chain__list.item__attribute__roles__list}) as udm_events_gcs__principal__user_management_chain__list__item__attribute__roles__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__user_management_chain__list__item__attribute__labels__list { - view_label: "Udm Events Gcs: Principal User Management Chain List Item Attribute Labels List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__principal__user_management_chain__list.item__attribute__labels__list}) as udm_events_gcs__principal__user_management_chain__list__item__attribute__labels__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__process_ancestors__list__item__file__pe_file__section__list { - view_label: "Udm Events Gcs: Observer Process Ancestors List Item File Pe File Section List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__observer__process_ancestors__list.item__file__pe_file__section__list}) as udm_events_gcs__observer__process_ancestors__list__item__file__pe_file__section__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__user_management_chain__list__item__attribute__permissions__list { - view_label: "Udm Events Gcs: Src User Management Chain List Item Attribute Permissions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__src__user_management_chain__list.item__attribute__permissions__list}) as 
udm_events_gcs__src__user_management_chain__list__item__attribute__permissions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__process__file__capabilities_tags__list { - view_label: "Udm Events Gcs: Security Result List Item About Process File Capabilities Tags List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list.item__about__process__file__capabilities_tags__list}) as udm_events_gcs__security_result__list__item__about__process__file__capabilities_tags__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__resource_ancestors__list__item__attribute__permissions__list { - view_label: "Udm Events Gcs: Target Resource Ancestors List Item Attribute Permissions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__target__resource_ancestors__list.item__attribute__permissions__list}) as udm_events_gcs__target__resource_ancestors__list__item__attribute__permissions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__process_ancestors__list__item__file__pe_file__section__list { - view_label: "Udm Events Gcs: Principal Process Ancestors List Item File Pe File Section List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__principal__process_ancestors__list.item__file__pe_file__section__list}) as udm_events_gcs__principal__process_ancestors__list__item__file__pe_file__section__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__user_management_chain__list__item__email_addresses__list { - view_label: "Udm Events Gcs: About List Item User Management Chain List Item Email Addresses List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list__item__user_management_chain__list.item__email_addresses__list}) as udm_events_gcs__about__list__item__user_management_chain__list__item__email_addresses__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__file__pe_file__imports__list__item__functions__list { - 
view_label: "Udm Events Gcs: Intermediary List Item File Pe File Imports List Item Functions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list__item__file__pe_file__imports__list.item__functions__list}) as udm_events_gcs__intermediary__list__item__file__pe_file__imports__list__item__functions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__user__attribute__permissions__list { - view_label: "Udm Events Gcs: Security Result List Item About User Attribute Permissions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list.item__about__user__attribute__permissions__list}) as udm_events_gcs__security_result__list__item__about__user__attribute__permissions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__process_ancestors__list__item__file__pe_file__imports__list { - view_label: "Udm Events Gcs: Target Process Ancestors List Item File Pe File Imports List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__target__process_ancestors__list.item__file__pe_file__imports__list}) as udm_events_gcs__target__process_ancestors__list__item__file__pe_file__imports__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__resource_ancestors__list__item__attribute__permissions__list { - view_label: "Udm Events Gcs: Observer Resource Ancestors List Item Attribute Permissions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__observer__resource_ancestors__list.item__attribute__permissions__list}) as udm_events_gcs__observer__resource_ancestors__list__item__attribute__permissions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__process__file__pe_file__imports__list__item__functions__list { - view_label: "Udm Events Gcs: About List Item Process File Pe File Imports List Item Functions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list__item__process__file__pe_file__imports__list.item__functions__list}) as 
udm_events_gcs__about__list__item__process__file__pe_file__imports__list__item__functions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__process_ancestors__list__item__command_line_history__list { - view_label: "Udm Events Gcs: About List Item Process Ancestors List Item Command Line History List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list__item__process_ancestors__list.item__command_line_history__list}) as udm_events_gcs__about__list__item__process_ancestors__list__item__command_line_history__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__file__pe_file__resources_language_count__list { - view_label: "Udm Events Gcs: Intermediary List Item File Pe File Resources Language Count List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list.item__file__pe_file__resources_language_count__list}) as udm_events_gcs__intermediary__list__item__file__pe_file__resources_language_count__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__asset__software__list__item__permissions__list { - view_label: "Udm Events Gcs: Intermediary List Item Asset Software List Item Permissions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list__item__asset__software__list.item__permissions__list}) as udm_events_gcs__intermediary__list__item__asset__software__list__item__permissions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__asset__attribute__permissions__list { - view_label: "Udm Events Gcs: Security Result List Item About Asset Attribute Permissions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list.item__about__asset__attribute__permissions__list}) as udm_events_gcs__security_result__list__item__about__asset__attribute__permissions__list ;; - relationship: one_to_many - } - - join: 
udm_events_gcs__target__process_ancestors__list__item__file__pe_file__resource__list { - view_label: "Udm Events Gcs: Target Process Ancestors List Item File Pe File Resource List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__target__process_ancestors__list.item__file__pe_file__resource__list}) as udm_events_gcs__target__process_ancestors__list__item__file__pe_file__resource__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__resource_ancestors__list__item__attribute__permissions__list { - view_label: "Udm Events Gcs: Principal Resource Ancestors List Item Attribute Permissions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__principal__resource_ancestors__list.item__attribute__permissions__list}) as udm_events_gcs__principal__resource_ancestors__list__item__attribute__permissions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__process_ancestors__list__item__file__pe_file__imports__list { - view_label: "Udm Events Gcs: Observer Process Ancestors List Item File Pe File Imports List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__observer__process_ancestors__list.item__file__pe_file__imports__list}) as udm_events_gcs__observer__process_ancestors__list__item__file__pe_file__imports__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__process__file__pe_file__resources_language_count__list { - view_label: "Udm Events Gcs: About List Item Process File Pe File Resources Language Count List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list.item__process__file__pe_file__resources_language_count__list}) as udm_events_gcs__about__list__item__process__file__pe_file__resources_language_count__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__resource_ancestors__list__item__attribute__roles__list { - view_label: "Udm Events Gcs: About List Item Resource Ancestors List Item Attribute Roles List" - sql: LEFT JOIN 
UNNEST(${udm_events_gcs__about__list__item__resource_ancestors__list.item__attribute__roles__list}) as udm_events_gcs__about__list__item__resource_ancestors__list__item__attribute__roles__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__resource_ancestors__list__item__attribute__labels__list { - view_label: "Udm Events Gcs: About List Item Resource Ancestors List Item Attribute Labels List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list__item__resource_ancestors__list.item__attribute__labels__list}) as udm_events_gcs__about__list__item__resource_ancestors__list__item__attribute__labels__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__user_management_chain__list__item__group_identifiers__list { - view_label: "Udm Events Gcs: About List Item User Management Chain List Item Group Identifiers List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list__item__user_management_chain__list.item__group_identifiers__list}) as udm_events_gcs__about__list__item__user_management_chain__list__item__group_identifiers__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__process__file__pe_file__signature_info__signer__list { - view_label: "Udm Events Gcs: Intermediary List Item Process File Pe File Signature Info Signer List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list.item__process__file__pe_file__signature_info__signer__list}) as udm_events_gcs__intermediary__list__item__process__file__pe_file__signature_info__signer__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__user_management_chain__list__item__department__list { - view_label: "Udm Events Gcs: Intermediary List Item User Management Chain List Item Department List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list__item__user_management_chain__list.item__department__list}) as 
udm_events_gcs__intermediary__list__item__user_management_chain__list__item__department__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__process__file__pe_file__section__list { - view_label: "Udm Events Gcs: Security Result List Item About Process File Pe File Section List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list.item__about__process__file__pe_file__section__list}) as udm_events_gcs__security_result__list__item__about__process__file__pe_file__section__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__user_management_chain__list__item__attribute__permissions__list { - view_label: "Udm Events Gcs: Target User Management Chain List Item Attribute Permissions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__target__user_management_chain__list.item__attribute__permissions__list}) as udm_events_gcs__target__user_management_chain__list__item__attribute__permissions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__process_ancestors__list__item__file__pe_file__imports__list { - view_label: "Udm Events Gcs: Principal Process Ancestors List Item File Pe File Imports List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__principal__process_ancestors__list.item__file__pe_file__imports__list}) as udm_events_gcs__principal__process_ancestors__list__item__file__pe_file__imports__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__process_ancestors__list__item__file__pe_file__resource__list { - view_label: "Udm Events Gcs: Observer Process Ancestors List Item File Pe File Resource List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__observer__process_ancestors__list.item__file__pe_file__resource__list}) as udm_events_gcs__observer__process_ancestors__list__item__file__pe_file__resource__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__process_ancestors__list__item__file__pe_file__signature_info__signer__list { - 
view_label: "Udm Events Gcs: Src Process Ancestors List Item File Pe File Signature Info Signer List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__src__process_ancestors__list.item__file__pe_file__signature_info__signer__list}) as udm_events_gcs__src__process_ancestors__list__item__file__pe_file__signature_info__signer__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__process_ancestors__list__item__file__capabilities_tags__list { - view_label: "Udm Events Gcs: About List Item Process Ancestors List Item File Capabilities Tags List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list__item__process_ancestors__list.item__file__capabilities_tags__list}) as udm_events_gcs__about__list__item__process_ancestors__list__item__file__capabilities_tags__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__file__pe_file__signature_info__signer__list { - view_label: "Udm Events Gcs: Security Result List Item About File Pe File Signature Info Signer List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list.item__about__file__pe_file__signature_info__signer__list}) as udm_events_gcs__security_result__list__item__about__file__pe_file__signature_info__signer__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__group__attribute__permissions__list { - view_label: "Udm Events Gcs: Security Result List Item About Group Attribute Permissions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list.item__about__group__attribute__permissions__list}) as udm_events_gcs__security_result__list__item__about__group__attribute__permissions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__process_ancestors__list__item__file__pe_file__resource__list { - view_label: "Udm Events Gcs: Principal Process Ancestors List Item File Pe File Resource List" - sql: LEFT JOIN 
UNNEST(${udm_events_gcs__principal__process_ancestors__list.item__file__pe_file__resource__list}) as udm_events_gcs__principal__process_ancestors__list__item__file__pe_file__resource__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__user_management_chain__list__item__attribute__permissions__list { - view_label: "Udm Events Gcs: Observer User Management Chain List Item Attribute Permissions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__observer__user_management_chain__list.item__attribute__permissions__list}) as udm_events_gcs__observer__user_management_chain__list__item__attribute__permissions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__resource__attribute__permissions__list { - view_label: "Udm Events Gcs: Security Result List Item About Resource Attribute Permissions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list.item__about__resource__attribute__permissions__list}) as udm_events_gcs__security_result__list__item__about__resource__attribute__permissions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__user_management_chain__list__item__attribute__permissions__list { - view_label: "Udm Events Gcs: Principal User Management Chain List Item Attribute Permissions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__principal__user_management_chain__list.item__attribute__permissions__list}) as udm_events_gcs__principal__user_management_chain__list__item__attribute__permissions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__user_management_chain__list__item__time_off__list { - view_label: "Udm Events Gcs: About List Item User Management Chain List Item Time Off List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list__item__user_management_chain__list.item__time_off__list}) as udm_events_gcs__about__list__item__user_management_chain__list__item__time_off__list ;; - relationship: one_to_many - } - 
- join: udm_events_gcs__about__list__item__user_management_chain__list__item__attribute__roles__list { - view_label: "Udm Events Gcs: About List Item User Management Chain List Item Attribute Roles List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list__item__user_management_chain__list.item__attribute__roles__list}) as udm_events_gcs__about__list__item__user_management_chain__list__item__attribute__roles__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__user_management_chain__list__item__attribute__labels__list { - view_label: "Udm Events Gcs: About List Item User Management Chain List Item Attribute Labels List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list__item__user_management_chain__list.item__attribute__labels__list}) as udm_events_gcs__about__list__item__user_management_chain__list__item__attribute__labels__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__process__file__pe_file__resources_type_count__list { - view_label: "Udm Events Gcs: Intermediary List Item Process File Pe File Resources Type Count List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list.item__process__file__pe_file__resources_type_count__list}) as udm_events_gcs__intermediary__list__item__process__file__pe_file__resources_type_count__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__user_management_chain__list__item__phone_numbers__list { - view_label: "Udm Events Gcs: Intermediary List Item User Management Chain List Item Phone Numbers List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list__item__user_management_chain__list.item__phone_numbers__list}) as udm_events_gcs__intermediary__list__item__user_management_chain__list__item__phone_numbers__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__process__file__pe_file__imports__list { - view_label: "Udm Events Gcs: Security Result 
List Item About Process File Pe File Imports List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list.item__about__process__file__pe_file__imports__list}) as udm_events_gcs__security_result__list__item__about__process__file__pe_file__imports__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__process_ancestors__list__item__file__pe_file__resources_type_count__list { - view_label: "Udm Events Gcs: Src Process Ancestors List Item File Pe File Resources Type Count List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__src__process_ancestors__list.item__file__pe_file__resources_type_count__list}) as udm_events_gcs__src__process_ancestors__list__item__file__pe_file__resources_type_count__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__process_ancestors__list__item__file__pe_file__section__list { - view_label: "Udm Events Gcs: About List Item Process Ancestors List Item File Pe File Section List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list__item__process_ancestors__list.item__file__pe_file__section__list}) as udm_events_gcs__about__list__item__process_ancestors__list__item__file__pe_file__section__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__file__pe_file__resources_type_count__list { - view_label: "Udm Events Gcs: Security Result List Item About File Pe File Resources Type Count List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list.item__about__file__pe_file__resources_type_count__list}) as udm_events_gcs__security_result__list__item__about__file__pe_file__resources_type_count__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__process__file__pe_file__resource__list { - view_label: "Udm Events Gcs: Security Result List Item About Process File Pe File Resource List" - sql: LEFT JOIN 
UNNEST(${udm_events_gcs__security_result__list.item__about__process__file__pe_file__resource__list}) as udm_events_gcs__security_result__list__item__about__process__file__pe_file__resource__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__process_ancestors__list__item__file__pe_file__signature_info__signer__list { - view_label: "Udm Events Gcs: Target Process Ancestors List Item File Pe File Signature Info Signer List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__target__process_ancestors__list.item__file__pe_file__signature_info__signer__list}) as udm_events_gcs__target__process_ancestors__list__item__file__pe_file__signature_info__signer__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__user_management_chain__list__item__email_addresses__list { - view_label: "Udm Events Gcs: Intermediary List Item User Management Chain List Item Email Addresses List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list__item__user_management_chain__list.item__email_addresses__list}) as udm_events_gcs__intermediary__list__item__user_management_chain__list__item__email_addresses__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__process_ancestors__list__item__file__names__list { - view_label: "Udm Events Gcs: Security Result List Item About Process Ancestors List Item File Names List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list__item__about__process_ancestors__list.item__file__names__list}) as udm_events_gcs__security_result__list__item__about__process_ancestors__list__item__file__names__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__process_ancestors__list__item__file__pe_file__signature_info__signer__list { - view_label: "Udm Events Gcs: Observer Process Ancestors List Item File Pe File Signature Info Signer List" - sql: LEFT JOIN 
UNNEST(${udm_events_gcs__observer__process_ancestors__list.item__file__pe_file__signature_info__signer__list}) as udm_events_gcs__observer__process_ancestors__list__item__file__pe_file__signature_info__signer__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__resource_ancestors__list__item__attribute__permissions__list { - view_label: "Udm Events Gcs: About List Item Resource Ancestors List Item Attribute Permissions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list__item__resource_ancestors__list.item__attribute__permissions__list}) as udm_events_gcs__about__list__item__resource_ancestors__list__item__attribute__permissions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__process__file__pe_file__imports__list__item__functions__list { - view_label: "Udm Events Gcs: Intermediary List Item Process File Pe File Imports List Item Functions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list__item__process__file__pe_file__imports__list.item__functions__list}) as udm_events_gcs__intermediary__list__item__process__file__pe_file__imports__list__item__functions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__process_ancestors__list__item__command_line_history__list { - view_label: "Udm Events Gcs: Intermediary List Item Process Ancestors List Item Command Line History List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list__item__process_ancestors__list.item__command_line_history__list}) as udm_events_gcs__intermediary__list__item__process_ancestors__list__item__command_line_history__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__process_ancestors__list__item__file__pe_file__signature_info__signer__list { - view_label: "Udm Events Gcs: Principal Process Ancestors List Item File Pe File Signature Info Signer List" - sql: LEFT JOIN 
UNNEST(${udm_events_gcs__principal__process_ancestors__list.item__file__pe_file__signature_info__signer__list}) as udm_events_gcs__principal__process_ancestors__list__item__file__pe_file__signature_info__signer__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__process_ancestors__list__item__file__pe_file__imports__list__item__functions__list { - view_label: "Udm Events Gcs: Src Process Ancestors List Item File Pe File Imports List Item Functions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__src__process_ancestors__list__item__file__pe_file__imports__list.item__functions__list}) as udm_events_gcs__src__process_ancestors__list__item__file__pe_file__imports__list__item__functions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__process_ancestors__list__item__file__pe_file__imports__list { - view_label: "Udm Events Gcs: About List Item Process Ancestors List Item File Pe File Imports List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list__item__process_ancestors__list.item__file__pe_file__imports__list}) as udm_events_gcs__about__list__item__process_ancestors__list__item__file__pe_file__imports__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__process__file__pe_file__resources_language_count__list { - view_label: "Udm Events Gcs: Intermediary List Item Process File Pe File Resources Language Count List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list.item__process__file__pe_file__resources_language_count__list}) as udm_events_gcs__intermediary__list__item__process__file__pe_file__resources_language_count__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__resource_ancestors__list__item__attribute__roles__list { - view_label: "Udm Events Gcs: Intermediary List Item Resource Ancestors List Item Attribute Roles List" - sql: LEFT JOIN 
UNNEST(${udm_events_gcs__intermediary__list__item__resource_ancestors__list.item__attribute__roles__list}) as udm_events_gcs__intermediary__list__item__resource_ancestors__list__item__attribute__roles__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__resource_ancestors__list__item__attribute__labels__list { - view_label: "Udm Events Gcs: Intermediary List Item Resource Ancestors List Item Attribute Labels List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list__item__resource_ancestors__list.item__attribute__labels__list}) as udm_events_gcs__intermediary__list__item__resource_ancestors__list__item__attribute__labels__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__user_management_chain__list__item__group_identifiers__list { - view_label: "Udm Events Gcs: Intermediary List Item User Management Chain List Item Group Identifiers List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list__item__user_management_chain__list.item__group_identifiers__list}) as udm_events_gcs__intermediary__list__item__user_management_chain__list__item__group_identifiers__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__file__pe_file__imports__list__item__functions__list { - view_label: "Udm Events Gcs: Security Result List Item About File Pe File Imports List Item Functions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list__item__about__file__pe_file__imports__list.item__functions__list}) as udm_events_gcs__security_result__list__item__about__file__pe_file__imports__list__item__functions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__process_ancestors__list__item__file__pe_file__resources_type_count__list { - view_label: "Udm Events Gcs: Target Process Ancestors List Item File Pe File Resources Type Count List" - sql: LEFT JOIN 
UNNEST(${udm_events_gcs__target__process_ancestors__list.item__file__pe_file__resources_type_count__list}) as udm_events_gcs__target__process_ancestors__list__item__file__pe_file__resources_type_count__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__src__process_ancestors__list__item__file__pe_file__resources_language_count__list { - view_label: "Udm Events Gcs: Src Process Ancestors List Item File Pe File Resources Language Count List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__src__process_ancestors__list.item__file__pe_file__resources_language_count__list}) as udm_events_gcs__src__process_ancestors__list__item__file__pe_file__resources_language_count__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__process_ancestors__list__item__file__pe_file__resource__list { - view_label: "Udm Events Gcs: About List Item Process Ancestors List Item File Pe File Resource List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list__item__process_ancestors__list.item__file__pe_file__resource__list}) as udm_events_gcs__about__list__item__process_ancestors__list__item__file__pe_file__resource__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__process_ancestors__list__item__file__capabilities_tags__list { - view_label: "Udm Events Gcs: Intermediary List Item Process Ancestors List Item File Capabilities Tags List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list__item__process_ancestors__list.item__file__capabilities_tags__list}) as udm_events_gcs__intermediary__list__item__process_ancestors__list__item__file__capabilities_tags__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__file__pe_file__resources_language_count__list { - view_label: "Udm Events Gcs: Security Result List Item About File Pe File Resources Language Count List" - sql: LEFT JOIN 
UNNEST(${udm_events_gcs__security_result__list.item__about__file__pe_file__resources_language_count__list}) as udm_events_gcs__security_result__list__item__about__file__pe_file__resources_language_count__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__asset__software__list__item__permissions__list { - view_label: "Udm Events Gcs: Security Result List Item About Asset Software List Item Permissions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list__item__about__asset__software__list.item__permissions__list}) as udm_events_gcs__security_result__list__item__about__asset__software__list__item__permissions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__process_ancestors__list__item__file__pe_file__resources_type_count__list { - view_label: "Udm Events Gcs: Observer Process Ancestors List Item File Pe File Resources Type Count List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__observer__process_ancestors__list.item__file__pe_file__resources_type_count__list}) as udm_events_gcs__observer__process_ancestors__list__item__file__pe_file__resources_type_count__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__user_management_chain__list__item__attribute__permissions__list { - view_label: "Udm Events Gcs: About List Item User Management Chain List Item Attribute Permissions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list__item__user_management_chain__list.item__attribute__permissions__list}) as udm_events_gcs__about__list__item__user_management_chain__list__item__attribute__permissions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__process__file__pe_file__signature_info__signer__list { - view_label: "Udm Events Gcs: Security Result List Item About Process File Pe File Signature Info Signer List" - sql: LEFT JOIN 
UNNEST(${udm_events_gcs__security_result__list.item__about__process__file__pe_file__signature_info__signer__list}) as udm_events_gcs__security_result__list__item__about__process__file__pe_file__signature_info__signer__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__user_management_chain__list__item__department__list { - view_label: "Udm Events Gcs: Security Result List Item About User Management Chain List Item Department List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list__item__about__user_management_chain__list.item__department__list}) as udm_events_gcs__security_result__list__item__about__user_management_chain__list__item__department__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__process_ancestors__list__item__file__pe_file__resources_type_count__list { - view_label: "Udm Events Gcs: Principal Process Ancestors List Item File Pe File Resources Type Count List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__principal__process_ancestors__list.item__file__pe_file__resources_type_count__list}) as udm_events_gcs__principal__process_ancestors__list__item__file__pe_file__resources_type_count__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__user_management_chain__list__item__time_off__list { - view_label: "Udm Events Gcs: Intermediary List Item User Management Chain List Item Time Off List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list__item__user_management_chain__list.item__time_off__list}) as udm_events_gcs__intermediary__list__item__user_management_chain__list__item__time_off__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__user_management_chain__list__item__attribute__roles__list { - view_label: "Udm Events Gcs: Intermediary List Item User Management Chain List Item Attribute Roles List" - sql: LEFT JOIN 
UNNEST(${udm_events_gcs__intermediary__list__item__user_management_chain__list.item__attribute__roles__list}) as udm_events_gcs__intermediary__list__item__user_management_chain__list__item__attribute__roles__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__user_management_chain__list__item__attribute__labels__list { - view_label: "Udm Events Gcs: Intermediary List Item User Management Chain List Item Attribute Labels List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list__item__user_management_chain__list.item__attribute__labels__list}) as udm_events_gcs__intermediary__list__item__user_management_chain__list__item__attribute__labels__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__process_ancestors__list__item__file__pe_file__imports__list__item__functions__list { - view_label: "Udm Events Gcs: Target Process Ancestors List Item File Pe File Imports List Item Functions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__target__process_ancestors__list__item__file__pe_file__imports__list.item__functions__list}) as udm_events_gcs__target__process_ancestors__list__item__file__pe_file__imports__list__item__functions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__process_ancestors__list__item__file__pe_file__section__list { - view_label: "Udm Events Gcs: Intermediary List Item Process Ancestors List Item File Pe File Section List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list__item__process_ancestors__list.item__file__pe_file__section__list}) as udm_events_gcs__intermediary__list__item__process_ancestors__list__item__file__pe_file__section__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__target__process_ancestors__list__item__file__pe_file__resources_language_count__list { - view_label: "Udm Events Gcs: Target Process Ancestors List Item File Pe File Resources Language Count List" - sql: LEFT JOIN 
UNNEST(${udm_events_gcs__target__process_ancestors__list.item__file__pe_file__resources_language_count__list}) as udm_events_gcs__target__process_ancestors__list__item__file__pe_file__resources_language_count__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__process_ancestors__list__item__file__pe_file__imports__list__item__functions__list { - view_label: "Udm Events Gcs: Observer Process Ancestors List Item File Pe File Imports List Item Functions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__observer__process_ancestors__list__item__file__pe_file__imports__list.item__functions__list}) as udm_events_gcs__observer__process_ancestors__list__item__file__pe_file__imports__list__item__functions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__process__file__pe_file__resources_type_count__list { - view_label: "Udm Events Gcs: Security Result List Item About Process File Pe File Resources Type Count List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list.item__about__process__file__pe_file__resources_type_count__list}) as udm_events_gcs__security_result__list__item__about__process__file__pe_file__resources_type_count__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__user_management_chain__list__item__phone_numbers__list { - view_label: "Udm Events Gcs: Security Result List Item About User Management Chain List Item Phone Numbers List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list__item__about__user_management_chain__list.item__phone_numbers__list}) as udm_events_gcs__security_result__list__item__about__user_management_chain__list__item__phone_numbers__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__process_ancestors__list__item__file__pe_file__imports__list__item__functions__list { - view_label: "Udm Events Gcs: Principal Process Ancestors List Item File Pe File Imports List 
Item Functions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__principal__process_ancestors__list__item__file__pe_file__imports__list.item__functions__list}) as udm_events_gcs__principal__process_ancestors__list__item__file__pe_file__imports__list__item__functions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__observer__process_ancestors__list__item__file__pe_file__resources_language_count__list { - view_label: "Udm Events Gcs: Observer Process Ancestors List Item File Pe File Resources Language Count List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__observer__process_ancestors__list.item__file__pe_file__resources_language_count__list}) as udm_events_gcs__observer__process_ancestors__list__item__file__pe_file__resources_language_count__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__process_ancestors__list__item__file__pe_file__signature_info__signer__list { - view_label: "Udm Events Gcs: About List Item Process Ancestors List Item File Pe File Signature Info Signer List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list__item__process_ancestors__list.item__file__pe_file__signature_info__signer__list}) as udm_events_gcs__about__list__item__process_ancestors__list__item__file__pe_file__signature_info__signer__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__resource_ancestors__list__item__attribute__permissions__list { - view_label: "Udm Events Gcs: Intermediary List Item Resource Ancestors List Item Attribute Permissions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list__item__resource_ancestors__list.item__attribute__permissions__list}) as udm_events_gcs__intermediary__list__item__resource_ancestors__list__item__attribute__permissions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__principal__process_ancestors__list__item__file__pe_file__resources_language_count__list { - view_label: "Udm Events Gcs: Principal Process Ancestors 
List Item File Pe File Resources Language Count List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__principal__process_ancestors__list.item__file__pe_file__resources_language_count__list}) as udm_events_gcs__principal__process_ancestors__list__item__file__pe_file__resources_language_count__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__process_ancestors__list__item__file__pe_file__imports__list { - view_label: "Udm Events Gcs: Intermediary List Item Process Ancestors List Item File Pe File Imports List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list__item__process_ancestors__list.item__file__pe_file__imports__list}) as udm_events_gcs__intermediary__list__item__process_ancestors__list__item__file__pe_file__imports__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__user_management_chain__list__item__email_addresses__list { - view_label: "Udm Events Gcs: Security Result List Item About User Management Chain List Item Email Addresses List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list__item__about__user_management_chain__list.item__email_addresses__list}) as udm_events_gcs__security_result__list__item__about__user_management_chain__list__item__email_addresses__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__process_ancestors__list__item__file__pe_file__resource__list { - view_label: "Udm Events Gcs: Intermediary List Item Process Ancestors List Item File Pe File Resource List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list__item__process_ancestors__list.item__file__pe_file__resource__list}) as udm_events_gcs__intermediary__list__item__process_ancestors__list__item__file__pe_file__resource__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__process__file__pe_file__imports__list__item__functions__list { - view_label: "Udm Events Gcs: 
Security Result List Item About Process File Pe File Imports List Item Functions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list__item__about__process__file__pe_file__imports__list.item__functions__list}) as udm_events_gcs__security_result__list__item__about__process__file__pe_file__imports__list__item__functions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__process_ancestors__list__item__command_line_history__list { - view_label: "Udm Events Gcs: Security Result List Item About Process Ancestors List Item Command Line History List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list__item__about__process_ancestors__list.item__command_line_history__list}) as udm_events_gcs__security_result__list__item__about__process_ancestors__list__item__command_line_history__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__process_ancestors__list__item__file__pe_file__resources_type_count__list { - view_label: "Udm Events Gcs: About List Item Process Ancestors List Item File Pe File Resources Type Count List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list__item__process_ancestors__list.item__file__pe_file__resources_type_count__list}) as udm_events_gcs__about__list__item__process_ancestors__list__item__file__pe_file__resources_type_count__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__user_management_chain__list__item__attribute__permissions__list { - view_label: "Udm Events Gcs: Intermediary List Item User Management Chain List Item Attribute Permissions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list__item__user_management_chain__list.item__attribute__permissions__list}) as udm_events_gcs__intermediary__list__item__user_management_chain__list__item__attribute__permissions__list ;; - relationship: one_to_many - } - - join: 
udm_events_gcs__security_result__list__item__about__process__file__pe_file__resources_language_count__list { - view_label: "Udm Events Gcs: Security Result List Item About Process File Pe File Resources Language Count List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list.item__about__process__file__pe_file__resources_language_count__list}) as udm_events_gcs__security_result__list__item__about__process__file__pe_file__resources_language_count__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__resource_ancestors__list__item__attribute__roles__list { - view_label: "Udm Events Gcs: Security Result List Item About Resource Ancestors List Item Attribute Roles List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list__item__about__resource_ancestors__list.item__attribute__roles__list}) as udm_events_gcs__security_result__list__item__about__resource_ancestors__list__item__attribute__roles__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__resource_ancestors__list__item__attribute__labels__list { - view_label: "Udm Events Gcs: Security Result List Item About Resource Ancestors List Item Attribute Labels List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list__item__about__resource_ancestors__list.item__attribute__labels__list}) as udm_events_gcs__security_result__list__item__about__resource_ancestors__list__item__attribute__labels__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__user_management_chain__list__item__group_identifiers__list { - view_label: "Udm Events Gcs: Security Result List Item About User Management Chain List Item Group Identifiers List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list__item__about__user_management_chain__list.item__group_identifiers__list}) as 
udm_events_gcs__security_result__list__item__about__user_management_chain__list__item__group_identifiers__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__process_ancestors__list__item__file__capabilities_tags__list { - view_label: "Udm Events Gcs: Security Result List Item About Process Ancestors List Item File Capabilities Tags List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list__item__about__process_ancestors__list.item__file__capabilities_tags__list}) as udm_events_gcs__security_result__list__item__about__process_ancestors__list__item__file__capabilities_tags__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__process_ancestors__list__item__file__pe_file__imports__list__item__functions__list { - view_label: "Udm Events Gcs: About List Item Process Ancestors List Item File Pe File Imports List Item Functions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list__item__process_ancestors__list__item__file__pe_file__imports__list.item__functions__list}) as udm_events_gcs__about__list__item__process_ancestors__list__item__file__pe_file__imports__list__item__functions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__user_management_chain__list__item__time_off__list { - view_label: "Udm Events Gcs: Security Result List Item About User Management Chain List Item Time Off List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list__item__about__user_management_chain__list.item__time_off__list}) as udm_events_gcs__security_result__list__item__about__user_management_chain__list__item__time_off__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__user_management_chain__list__item__attribute__roles__list { - view_label: "Udm Events Gcs: Security Result List Item About User Management Chain List Item Attribute Roles List" - sql: LEFT JOIN 
UNNEST(${udm_events_gcs__security_result__list__item__about__user_management_chain__list.item__attribute__roles__list}) as udm_events_gcs__security_result__list__item__about__user_management_chain__list__item__attribute__roles__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__user_management_chain__list__item__attribute__labels__list { - view_label: "Udm Events Gcs: Security Result List Item About User Management Chain List Item Attribute Labels List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list__item__about__user_management_chain__list.item__attribute__labels__list}) as udm_events_gcs__security_result__list__item__about__user_management_chain__list__item__attribute__labels__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__about__list__item__process_ancestors__list__item__file__pe_file__resources_language_count__list { - view_label: "Udm Events Gcs: About List Item Process Ancestors List Item File Pe File Resources Language Count List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__about__list__item__process_ancestors__list.item__file__pe_file__resources_language_count__list}) as udm_events_gcs__about__list__item__process_ancestors__list__item__file__pe_file__resources_language_count__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__process_ancestors__list__item__file__pe_file__signature_info__signer__list { - view_label: "Udm Events Gcs: Intermediary List Item Process Ancestors List Item File Pe File Signature Info Signer List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list__item__process_ancestors__list.item__file__pe_file__signature_info__signer__list}) as udm_events_gcs__intermediary__list__item__process_ancestors__list__item__file__pe_file__signature_info__signer__list ;; - relationship: one_to_many - } - - join: 
udm_events_gcs__security_result__list__item__about__process_ancestors__list__item__file__pe_file__section__list { - view_label: "Udm Events Gcs: Security Result List Item About Process Ancestors List Item File Pe File Section List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list__item__about__process_ancestors__list.item__file__pe_file__section__list}) as udm_events_gcs__security_result__list__item__about__process_ancestors__list__item__file__pe_file__section__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__resource_ancestors__list__item__attribute__permissions__list { - view_label: "Udm Events Gcs: Security Result List Item About Resource Ancestors List Item Attribute Permissions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list__item__about__resource_ancestors__list.item__attribute__permissions__list}) as udm_events_gcs__security_result__list__item__about__resource_ancestors__list__item__attribute__permissions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__process_ancestors__list__item__file__pe_file__resources_type_count__list { - view_label: "Udm Events Gcs: Intermediary List Item Process Ancestors List Item File Pe File Resources Type Count List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list__item__process_ancestors__list.item__file__pe_file__resources_type_count__list}) as udm_events_gcs__intermediary__list__item__process_ancestors__list__item__file__pe_file__resources_type_count__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__process_ancestors__list__item__file__pe_file__imports__list { - view_label: "Udm Events Gcs: Security Result List Item About Process Ancestors List Item File Pe File Imports List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list__item__about__process_ancestors__list.item__file__pe_file__imports__list}) as 
udm_events_gcs__security_result__list__item__about__process_ancestors__list__item__file__pe_file__imports__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__process_ancestors__list__item__file__pe_file__resource__list { - view_label: "Udm Events Gcs: Security Result List Item About Process Ancestors List Item File Pe File Resource List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list__item__about__process_ancestors__list.item__file__pe_file__resource__list}) as udm_events_gcs__security_result__list__item__about__process_ancestors__list__item__file__pe_file__resource__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__user_management_chain__list__item__attribute__permissions__list { - view_label: "Udm Events Gcs: Security Result List Item About User Management Chain List Item Attribute Permissions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list__item__about__user_management_chain__list.item__attribute__permissions__list}) as udm_events_gcs__security_result__list__item__about__user_management_chain__list__item__attribute__permissions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__process_ancestors__list__item__file__pe_file__imports__list__item__functions__list { - view_label: "Udm Events Gcs: Intermediary List Item Process Ancestors List Item File Pe File Imports List Item Functions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list__item__process_ancestors__list__item__file__pe_file__imports__list.item__functions__list}) as udm_events_gcs__intermediary__list__item__process_ancestors__list__item__file__pe_file__imports__list__item__functions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__intermediary__list__item__process_ancestors__list__item__file__pe_file__resources_language_count__list { - view_label: "Udm Events Gcs: Intermediary List Item 
Process Ancestors List Item File Pe File Resources Language Count List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__intermediary__list__item__process_ancestors__list.item__file__pe_file__resources_language_count__list}) as udm_events_gcs__intermediary__list__item__process_ancestors__list__item__file__pe_file__resources_language_count__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__process_ancestors__list__item__file__pe_file__signature_info__signer__list { - view_label: "Udm Events Gcs: Security Result List Item About Process Ancestors List Item File Pe File Signature Info Signer List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list__item__about__process_ancestors__list.item__file__pe_file__signature_info__signer__list}) as udm_events_gcs__security_result__list__item__about__process_ancestors__list__item__file__pe_file__signature_info__signer__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__process_ancestors__list__item__file__pe_file__resources_type_count__list { - view_label: "Udm Events Gcs: Security Result List Item About Process Ancestors List Item File Pe File Resources Type Count List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list__item__about__process_ancestors__list.item__file__pe_file__resources_type_count__list}) as udm_events_gcs__security_result__list__item__about__process_ancestors__list__item__file__pe_file__resources_type_count__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__process_ancestors__list__item__file__pe_file__imports__list__item__functions__list { - view_label: "Udm Events Gcs: Security Result List Item About Process Ancestors List Item File Pe File Imports List Item Functions List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list__item__about__process_ancestors__list__item__file__pe_file__imports__list.item__functions__list}) as 
udm_events_gcs__security_result__list__item__about__process_ancestors__list__item__file__pe_file__imports__list__item__functions__list ;; - relationship: one_to_many - } - - join: udm_events_gcs__security_result__list__item__about__process_ancestors__list__item__file__pe_file__resources_language_count__list { - view_label: "Udm Events Gcs: Security Result List Item About Process Ancestors List Item File Pe File Resources Language Count List" - sql: LEFT JOIN UNNEST(${udm_events_gcs__security_result__list__item__about__process_ancestors__list.item__file__pe_file__resources_language_count__list}) as udm_events_gcs__security_result__list__item__about__process_ancestors__list__item__file__pe_file__resources_language_count__list ;; - relationship: one_to_many - } -} diff --git a/explores/user_login_source_geo_ip.explore.lkml b/explores/user_login_source_geo_ip.explore.lkml deleted file mode 100644 index c7cd448..0000000 --- a/explores/user_login_source_geo_ip.explore.lkml +++ /dev/null @@ -1,5 +0,0 @@ -include: "/views/custom/user_login_source_geo_ip.view.lkml" - -explore: user_login_source_geo_ip { - hidden: yes -} diff --git a/manifest.lkml b/manifest.lkml index 015fd26..b68601c 100644 --- a/manifest.lkml +++ b/manifest.lkml @@ -1,3 +1,10 @@ +project_name: "looker-dashboards" + +constant: CONFIG_PROJECT_NAME { + value: "block-google-chronicle-config" + export: override_required +} + constant: CONNECTION_NAME{ value: "c4" export: override_required @@ -50,10 +57,6 @@ constant: UDM_EVENTS_AGGREGRATES{ value: "udm_events_aggregates" } -constant: UDM_EVENTS_GCS{ - value: "udm_events_gcs" -} - constant: EVENTS { value: "events" } diff --git a/views/custom/asset_rule_detections_with_udm_events.view.lkml b/views/custom/asset_rule_detections_with_udm_events.view.lkml index 1409ad9..a5d2f43 100644 --- a/views/custom/asset_rule_detections_with_udm_events.view.lkml +++ b/views/custom/asset_rule_detections_with_udm_events.view.lkml 
@@ -4,7 +4,7 @@ view: asset_rule_detections_with_udm_events { COALESCE(udm_events.principal.hostname, udm_events.principal.ip[SAFE_OFFSET(0)]) AS asset, TIMESTAMP_SECONDS(udm_events.metadata.event_timestamp.seconds) AS time, COUNT(*) AS udm_events_count - FROM `@{DATASET_NAME}.@{EVENTS}` AS udm_events + FROM `@{EVENTS}` AS udm_events WHERE (((COALESCE(udm_events.principal.hostname, udm_events.principal.ip[SAFE_OFFSET(0)])) IS NOT NULL)) AND {% condition period_filter %} TIMESTAMP_SECONDS(udm_events.metadata.event_timestamp.seconds) {% endcondition %} @@ -13,7 +13,7 @@ view: asset_rule_detections_with_udm_events { COALESCE(rule_detections__detection__assets.hostname, rule_detections__detection__assets.asset_ip_address) AS asset, TIMESTAMP_SECONDS(rule_detections__detection__detection_timestamp.seconds) AS time, COUNT(*) AS rule_detections_count - FROM `@{DATASET_NAME}.@{RULE_DETECTIONS}` AS rule_detections + FROM `@{RULE_DETECTIONS}` AS rule_detections LEFT JOIN UNNEST([rule_detections.detection]) as rule_detections__detection LEFT JOIN UNNEST([rule_detections__detection.detection_timestamp]) as rule_detections__detection__detection_timestamp LEFT JOIN UNNEST(rule_detections__detection.assets) as rule_detections__detection__assets diff --git a/views/custom/destination_geo_ip.view.lkml b/views/custom/destination_geo_ip.view.lkml deleted file mode 100644 index 926919c..0000000 --- a/views/custom/destination_geo_ip.view.lkml +++ /dev/null 
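Review bot: Both CTEs in this derived table now read from `@{EVENTS}` and `@{RULE_DETECTIONS}` with no dataset qualifier, so nothing in this file decides which dataset is queried any more. The manifest.lkml context in this patch still shows `constant: EVENTS { value: "events" }`, so unless the table constants are given qualified values elsewhere, the names would presumably resolve against the connection's default dataset. Record that dependency in a comment on the view, for example `# Table constants are unqualified; the connection's default dataset must be the Chronicle export dataset.` The same applies to the `sql_table_name` changes in ingestion_stats, ioc_matches and job_metadata, and to user_rule_detections_with_udm_events. The derived table's SQL starts and ends outside these hunks.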
@@ -1,155 +0,0 @@ -view: destination_geo_ip { - derived_table: { - sql: SELECT - a.ts, - a.principal_hostname, - a.principal_ip, - a.target_ip, - IFNULL(city, 'Other') AS city, - IFNULL(countryLabel, 'Other') AS countryLabel, - latitude, - longitude - FROM - ( - SELECT - ts, - principal_hostname, - principal_ip, - target_ip, - NET.IPV4_TO_INT64(NET.IP_FROM_STRING(target_ip)) AS clientIpNum, - TRUNC(NET.IPV4_TO_INT64(NET.IP_FROM_STRING(target_ip))/(256*256)) AS classB - FROM - ( - SELECT - metadata.event_timestamp.seconds as ts, - principal.hostname as principal_hostname, - principal.ip[SAFE_OFFSET(0)] as principal_ip, - target.ip[SAFE_OFFSET(0)] as target_ip, - metadata.event_type as event_type - FROM - `@{DATASET_NAME}.@{UDM_EVENTS}` as udm_events - WHERE {% condition time_filter %} udm_events._PARTITIONTIME {% endcondition %} - AND {% condition time_filter %} TIMESTAMP_SECONDS(metadata.event_timestamp.seconds) {% endcondition %} - - ) as x - WHERE - ( - REGEXP_CONTAINS(target_ip, "\\d+\\.\\d+\\.\\d+\\.\\d+") - ) - ) AS A - - LEFT OUTER JOIN - `fh-bigquery.geocode.geolite_city_bq_b2b` AS b - ON - a.classB = b.classB - AND a.clientIpNum BETWEEN b.startIpNum AND b.endIpNum - WHERE - countryLabel != "Other" - ;; - } - - measure: count { - type: count - } - - dimension_group: event_timestamp { - type: time - timeframes: [ - raw, - time, - date, - week, - month, - hour, - minute, - year - ] - datatype: epoch - sql: ${TABLE}.ts ;; - } - - filter: time_filter { - type: date_time - } - - filter: period_filter { - label: "Filter for Period Dimension" - hidden: yes - type: date - description: "Use this filter to define the current and previous period for analysis - only to be used with the Period Dimension" - } - -# ${event_timestamp_raw} is the timestamp dimension we are building our reporting period off of - - dimension: period { - type: string - description: "The reporting period as selected by the Period Filter. Values - 'This Period' and 'Previous Period'. 
- Apply Filter 'This Period' to get values from current period." - sql: - CASE - WHEN {% date_start period_filter %} is not null AND {% date_end period_filter %} is not null /* date ranges or in the past x days */ - THEN - CASE - WHEN ${event_timestamp_raw} >= UNIX_SECONDS({% date_start period_filter %}) - AND ${event_timestamp_raw} <= UNIX_SECONDS({% date_end period_filter %}) - THEN 'This Period' - WHEN ${event_timestamp_raw} >= UNIX_SECONDS(TIMESTAMP_ADD({% date_start period_filter %}, INTERVAL 1 * (TIMESTAMP_DIFF({% date_start period_filter %},{% date_end period_filter %}, DAY)) DAY)) - AND ${event_timestamp_raw} <= UNIX_SECONDS(TIMESTAMP_ADD({% date_start period_filter %}, INTERVAL -1 DAY)) - THEN 'Previous Period' - END - END ;; - } - - - dimension: principal_hostname { - type: string - sql: ${TABLE}.principal_hostname ;; - } - - dimension: principal_ip { - type: string - sql: ${TABLE}.principal_ip ;; - } - - dimension: asset { - type: string - sql: COALESCE(${TABLE}.principal_hostname,${TABLE}.principal_ip) ;; - } - - dimension: target_ip { - type: string - sql: ${TABLE}.target_ip ;; - } - - dimension: target_port { - type: number - sql: ${TABLE}.target_port ;; - } - - dimension: city { - type: string - sql: ${TABLE}.city ;; - } - - dimension: country_label { - type: string - sql: ${TABLE}.countryLabel ;; - } - - dimension: latitude { - type: string - sql: ${TABLE}.latitude ;; - } - - dimension: longitude { - type: string - sql: ${TABLE}.longitude ;; - } - - dimension: location { - type: location - sql_latitude: ${TABLE}.latitude ;; - sql_longitude: ${TABLE}.longitude ;; - } - -} diff --git a/views/custom/global_threat_map_ioc.view.lkml b/views/custom/global_threat_map_ioc.view.lkml deleted file mode 100644 index 3c31fd9..0000000 --- a/views/custom/global_threat_map_ioc.view.lkml +++ /dev/null 
@@ -1,117 +0,0 @@ -include: "/views/ioc_matches.view" - -view: global_threat_map_ioc { - derived_table: { - sql: SELECT - a.ts, - a.ioc_matches_test_ioc_value, - IFNULL(city, 'Other') AS city, - IFNULL(countryLabel, 'Other') AS country, - latitude, - longitude - FROM - ( - SELECT - ts, - ioc_matches_test_ioc_value, - NET.IPV4_TO_INT64(NET.IP_FROM_STRING(ioc_matches_test_ioc_value)) AS clientIpNum, - TRUNC(NET.IPV4_TO_INT64(NET.IP_FROM_STRING(ioc_matches_test_ioc_value))/(256*256)) AS classB - FROM - ( - SELECT - ioc_ingest_time.seconds as ts, - ioc_value as ioc_matches_test_ioc_value, - ioc_type - FROM - `@{IOC_MATCHES}` - ) as x - WHERE - ( - REGEXP_CONTAINS(ioc_matches_test_ioc_value, "\\d+\\.\\d+\\.\\d+\\.\\d+") - AND ioc_type = 'IOC_TYPE_IP' - AND {% condition period_filter %} TIMESTAMP_SECONDS(ts) {% endcondition %} - ) - ) AS A - - LEFT OUTER JOIN - `fh-bigquery.geocode.geolite_city_bq_b2b` AS b - ON - a.classB = b.classB - AND a.clientIpNum BETWEEN b.startIpNum AND b.endIpNum - WHERE - countryLabel != "Other" -;; - } - - measure: count { - type: count - } - - dimension: ts { - type: number - sql: ${TABLE}.ts ;; - } - - dimension_group: event_timestamp{ - type: time - timeframes: [ - raw, - time, - date, - week, - month, - hour, - minute, - year - ] - datatype: epoch - sql: ${TABLE}.ts ;; - } - - filter: period_filter { - hidden: yes - type: date - description: "Use this filter to define the current and previous period for analysis" - } - - dimension: ioc_matches_test_ioc_value { - type: string - sql: ${TABLE}.ioc_matches_test_ioc_value ;; - link: { - label: "IOC Matches Dashboard" - url: "@{IOC_MATCHES_DASHBOARD}" - icon_url: "@{DASHBOARD_ICON_URL}" - } - link: { - label: "Investigate asset" - url: "@{CHRONICLE_URL}/assetResults?assetIdentifier={{value}}&assetType=ip" - icon_url: "@{CHRONICLE_ICON_URL}" - } - } - - dimension: city { - type: string - sql: ${TABLE}.city ;; - } - - dimension: country { - type: string - sql: ${TABLE}.country ;; - } - - 
dimension: latitude { - type: string - sql: ${TABLE}.latitude ;; - } - - dimension: longitude { - type: string - sql: ${TABLE}.longitude ;; - } - - dimension: location { - type: location - sql_latitude: ${TABLE}.latitude ;; - sql_longitude: ${TABLE}.longitude ;; - } -} diff --git a/views/custom/ingestion_metric_with_ingestion_stats.view.lkml b/views/custom/ingestion_metric_with_ingestion_stats.view.lkml index f009649..3434911 100644 --- a/views/custom/ingestion_metric_with_ingestion_stats.view.lkml +++ b/views/custom/ingestion_metric_with_ingestion_stats.view.lkml @@ -162,9 +162,9 @@ view: ingestion_metric_with_ingestion_stats { ELSE CASE WHEN ${TABLE}.component = 'Normalizer' AND ${TABLE}.state = 'failed_validation' - THEN round(${TABLE}.event_count/1000000, 0) + THEN ${TABLE}.event_count WHEN ${TABLE}.component = 'Normalizer' AND ${TABLE}.state = 'failed_parsing' - THEN round(${TABLE}.log_count/1000000, 0) + THEN ${TABLE}.log_count END END;; } @@ -244,11 +244,16 @@ view: ingestion_metric_with_ingestion_stats { END;; } - dimension: log_type { type: string sql: ${TABLE}.log_type ;; } + + dimension: gcp_log_type { + type: string + sql: CASE WHEN ${log_type} is not null and ${log_type} like 'GCP_%' THEN ${log_type} END;; + } + measure: count { type: count drill_fields: [] diff --git a/views/custom/rulesets_with_rule_detections.view.lkml b/views/custom/rulesets_with_rule_detections.view.lkml new file mode 100644 index 0000000..29e5d40 --- /dev/null +++ b/views/custom/rulesets_with_rule_detections.view.lkml 
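Review bot: In the added `gcp_log_type` dimension the pattern `'GCP_%'` treats `_` as a single-character wildcard, so it matches any log type that starts with `GCP` followed by at least one more character, not only those with a literal underscore. If the intent is the `GCP_` prefix, `sql: CASE WHEN STARTS_WITH(${log_type}, 'GCP_') THEN ${log_type} END ;;` states it directly and makes the `is not null` test unnecessary. The same expression is added to views/ingestion_metrics.view.lkml later in this patch, where it feeds the `ingested_gcp_log_type` distinct count. An over-broad match would therefore inflate the GCP log-type coverage figure.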
@@ -0,0 +1,127 @@
+view: rulesets_with_rule_detections {
+ derived_table: {
+ sql: with lefttable AS (
+SELECT
+ rs1.ruleset_id as ruleset_id ,
+ rs1.ruleset_name as ruleset_name,
+ rs1.ruleset_family_name as ruleset_family_name,
+ CASE rs2.alerting_status
+ WHEN 1 THEN 'NON_ALERTING'
+ WHEN 2 THEN 'ALERTING'
+ END AS broad_alerting,
+ CASE rs2.live_status
+ WHEN 1 THEN 'ENABLED'
+ WHEN 2 THEN 'DISABLED'
+ END AS broad_live,
+ CASE rs3.alerting_status
+ WHEN 1 THEN 'NON_ALERTING'
+ WHEN 2 THEN 'ALERTING'
+ END AS precise_alerting,
+ CASE rs3.live_status
+ WHEN 1 THEN 'ENABLED'
+ WHEN 2 THEN 'DISABLED'
+ END AS precise_live,
+FROM
+ (
+ SELECT DISTINCT (ruleset_id) AS ruleset_id, ruleset_name, ruleset_family_name
+ FROM `@{RULESETS}`
+ ) AS rs1
+LEFT JOIN `@{RULESETS}` AS rs2
+ ON rs1.ruleset_id = rs2.ruleset_id AND rs2.uppercase_rule_status = 2
+LEFT JOIN `@{RULESETS}` AS rs3
+ ON rs1.ruleset_id = rs3.ruleset_id AND rs3.uppercase_rule_status = 3
+),
+righttable as(
+ SELECT
+ t1.rulesets[
+ OFFSET
+ (0)].ruleset_name AS ruleset_name,
+ t1.detection as detection
+ FROM
+ `@{RULE_DETECTIONS}` AS t1
+ WHERE
+ t1.rulesets IS NOT NULL
+ AND ARRAY_LENGTH(t1.rulesets) > 0)
+select * from lefttable left join righttable using (ruleset_name)
+ ;;
+ }
+ dimension: ruleset_family_name {
+ type: string
+ sql: ${TABLE}.ruleset_family_name ;;
+ }
+ dimension: ruleset_name {
+ type: string
+ sql: ${TABLE}.ruleset_name ;;
+ }
+
+ dimension: broad_alerting {
+ type: string
+ sql: ${TABLE}.broad_alerting ;;
+ }
+ dimension: broad_live {
+ type: string
+ sql: ${TABLE}.broad_live ;;
+ }
+ dimension: precise_alerting {
+ type: string
+ sql: ${TABLE}.precise_alerting ;;
+ }
+ dimension: precise_live {
+ type: string
+ sql: ${TABLE}.precise_live ;;
+ }
+
+ dimension_group: detection__detection_timestamp {
+ type: time
+ timeframes: [
+ raw,
+ date,
+ week,
+ month,
+ quarter,
+ year
+ ]
+ convert_tz: no
+ datatype: epoch
+ sql: ${TABLE}.detection.detection_timestamp.seconds ;;
+ }
+
+ dimension: detection__detection_timestamp__seconds {
+ type: number
+ sql: ${TABLE}.detection.detection_timestamp.seconds ;;
+ group_label: "Detection Detection Timestamp"
+ group_item_label: "Seconds"
+ }
+
+ dimension_group: event_timestamp {
+ type: time
+ timeframes: [
+ raw,
+ time,
+ date,
+ week,
+ month,
+ hour,
+ minute,
+ year
+ ]
+ datatype: epoch
+ sql: ${detection__detection_timestamp__seconds} ;;
+ }
+
+ measure: enabled_rulesets {
+ type: number
+ sql: count(DISTINCT CASE WHEN ((rulesets_with_rule_detections.precise_live) = 'ENABLED' or (rulesets_with_rule_detections.broad_live) = 'ENABLED') THEN rulesets_with_rule_detections.ruleset_name ELSE NULL END) ;;
+ }
+
+ measure: latest_detection {
+ type: string
+ sql: max(${event_timestamp_time}) ;;
+ }
+
+ measure: total_rulesets {
+ type: number
+ sql: count(DISTINCT(${ruleset_name})) ;;
+ }
+
+ }
diff --git a/views/custom/user_login_source_geo_ip.view.lkml b/views/custom/user_login_source_geo_ip.view.lkml
deleted file mode 100644
index cc8b58c..0000000
--- a/views/custom/user_login_source_geo_ip.view.lkml
+++ /dev/null
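Review bot: `righttable` attributes each detection only to the first entry, `t1.rulesets[OFFSET(0)]`, so a detection that lists more than one ruleset is joined to the first and never to the others. If multi-ruleset detections can occur (not visible from this file), `latest_detection` would be stale or empty for those other rulesets on a coverage dashboard. Replacing the index with `CROSS JOIN UNNEST(t1.rulesets) AS rs` and selecting `rs.ruleset_name AS ruleset_name` covers every entry and makes the `IS NOT NULL` and `ARRAY_LENGTH` guards unnecessary. Separately, `enabled_rulesets` hard-codes the `rulesets_with_rule_detections.` alias where `${precise_live}`, `${broad_live}` and `${ruleset_name}` would keep working if the view is joined under another name.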
@@ -1,107 +0,0 @@ -view: user_login_source_geo_ip { - derived_table: { - sql: SELECT - a.ts, - a.principal_ip, - a.target_ip, - IFNULL(city, 'Other') AS city, - IFNULL(countryLabel, 'Other') AS countryLabel, - latitude, - longitude, - FROM - ( - SELECT - ts, - principal_ip, - target_ip, - NET.IPV4_TO_INT64(NET.IP_FROM_STRING(principal_ip)) AS clientIpNum, - TRUNC(NET.IPV4_TO_INT64(NET.IP_FROM_STRING(principal_ip))/(256*256)) AS classB - FROM - ( - SELECT - event_hour as ts, - principal_ip as principal_ip, - target_ip as target_ip, - FROM - `@{DATASET_NAME}.@{UDM_EVENTS_AGGREGRATES}` as udm_events - WHERE {% condition time_filter %} event_hour{% endcondition %} - ) as x - WHERE - ( - REGEXP_CONTAINS(principal_ip, "\\d+\\.\\d+\\.\\d+\\.\\d+") - ) - ) AS A - - LEFT OUTER JOIN - `fh-bigquery.geocode.geolite_city_bq_b2b` AS b - ON - a.classB = b.classB - AND a.clientIpNum BETWEEN b.startIpNum AND b.endIpNum - WHERE - countryLabel != "Other" - ;; - } - - measure: count { - type: count - } - filter: time_filter { - type: date_time - } - - dimension_group: event_timestamp { - type: time - timeframes: [ - raw, - time, - date, - week, - month, - quarter, - year - ] - sql: ${TABLE}.ts ;; - } - - - dimension: principal_ip { - type: string - sql: ${TABLE}.principal_ip ;; - } - - dimension: target_ip { - type: string - sql: ${TABLE}.target_ip ;; - } - - dimension: target_port { - type: number - sql: ${TABLE}.target_port ;; - } - - dimension: city { - type: string - sql: ${TABLE}.city ;; - } - - dimension: country_label { - type: string - sql: ${TABLE}.countryLabel ;; - } - - dimension: latitude { - type: string - sql: ${TABLE}.latitude ;; - } - - dimension: longitude { - type: string - sql: ${TABLE}.longitude ;; - } - - dimension: location { - type: location - sql_latitude: ${TABLE}.latitude ;; - sql_longitude: ${TABLE}.longitude ;; - } -} 
diff --git a/views/custom/user_rule_detections_with_udm_events.view.lkml b/views/custom/user_rule_detections_with_udm_events.view.lkml index 1eb78d6..00d0070 100644 --- a/views/custom/user_rule_detections_with_udm_events.view.lkml +++ b/views/custom/user_rule_detections_with_udm_events.view.lkml @@ -4,7 +4,7 @@ view: user_rule_detections_with_udm_events { udm_events.principal.user.userid AS user_name, TIMESTAMP_SECONDS(udm_events.metadata.event_timestamp.seconds) AS time, COUNT(*) AS udm_events_count - FROM `@{DATASET_NAME}.@{EVENTS}` AS udm_events + FROM `@{EVENTS}` AS udm_events WHERE udm_events.principal.user.userid IS NOT NULL AND {% condition period_filter %} TIMESTAMP_SECONDS(udm_events.metadata.event_timestamp.seconds) {% endcondition %} GROUP BY 1, 2), @@ -12,7 +12,7 @@ view: user_rule_detections_with_udm_events { rule_detections__detection__users.user_name AS user_name, TIMESTAMP_SECONDS(rule_detections__detection__detection_timestamp.seconds) AS time, COUNT(*) AS rule_detections_count - FROM `@{DATASET_NAME}.@{RULE_DETECTIONS}` AS rule_detections + FROM `@{RULE_DETECTIONS}` AS rule_detections LEFT JOIN UNNEST([rule_detections.detection]) as rule_detections__detection LEFT JOIN UNNEST([rule_detections__detection.detection_timestamp]) as rule_detections__detection__detection_timestamp LEFT JOIN UNNEST(rule_detections__detection.users) as rule_detections__detection__users diff --git a/views/ingestion_metrics.view.lkml b/views/ingestion_metrics.view.lkml index 3f2d526..ea121d8 100644 --- a/views/ingestion_metrics.view.lkml +++ b/views/ingestion_metrics.view.lkml @@ -135,6 +135,11 @@ view: ingestion_metrics { sql: ${TABLE}.log_type ;; } + dimension: gcp_log_type { + type: string + sql: CASE WHEN ${log_type} is not null and ${log_type} like 'GCP_%' THEN ${log_type} END;; + } + dimension: log_volume { type: number sql: ${TABLE}.log_volume ;; diff --git a/views/ingestion_stats.view.lkml b/views/ingestion_stats.view.lkml index bca1884..500803f 100644 
--- a/views/ingestion_stats.view.lkml +++ b/views/ingestion_stats.view.lkml @@ -1,5 +1,5 @@ view: ingestion_stats { - sql_table_name: `@{DATASET_NAME}.@{INGESTION_STATS}` + sql_table_name: `@{INGESTION_STATS}` ;; dimension_group: _partitiondate { diff --git a/views/ioc_matches.view.lkml b/views/ioc_matches.view.lkml index cb88ce8..dc452f2 100644 --- a/views/ioc_matches.view.lkml +++ b/views/ioc_matches.view.lkml @@ -1,5 +1,5 @@ view: ioc_matches { - sql_table_name: `@{DATASET_NAME}.@{IOC_MATCHES}` + sql_table_name: `@{IOC_MATCHES}` ;; dimension: asset__asset_ip_address { diff --git a/views/job_metadata.view.lkml b/views/job_metadata.view.lkml index e45b4d1..2e74d20 100644 --- a/views/job_metadata.view.lkml +++ b/views/job_metadata.view.lkml @@ -1,5 +1,5 @@ view: job_metadata { - sql_table_name: `@{DATASET_NAME}.@{JOB_METADATA}` + sql_table_name: `@{JOB_METADATA}` ;; dimension: customer_id { diff --git a/views/refinements/events.view.lkml b/views/refinements/events.view.lkml index e14dc02..245c070 100644 --- a/views/refinements/events.view.lkml +++ b/views/refinements/events.view.lkml @@ -175,6 +175,21 @@ view: +events { sql: COALESCE(${TABLE}.principal.hostname, ${TABLE}.principal.ip[SAFE_OFFSET(0)]) ;; } + dimension: principal__location__location { + type: location + sql_latitude: ${principal__location__region_latitude} ;; + sql_longitude: ${principal__location__region_longitude} ;; + group_label: "Principal Location" + group_item_label: "Location" + } + + dimension: target__location__location { + type: location + sql_latitude: ${target__location__region_latitude} ;; + sql_longitude: ${target__location__region_longitude} ;; + group_label: "Target Location" + group_item_label: "Location" + } dimension: full_domain { type: string diff --git a/views/refinements/ingestion_metrics.view.lkml b/views/refinements/ingestion_metrics.view.lkml index 34c288f..294839b 100644 --- a/views/refinements/ingestion_metrics.view.lkml +++ b/views/refinements/ingestion_metrics.view.lkml 
@@ -1,5 +1,4 @@ include: "/views/ingestion_metrics.view" - view: +ingestion_metrics { dimension_group: timestamp{ type: time @@ -162,4 +161,41 @@ view: +ingestion_metrics { type: string sql:COALESCE(${log_type},null);; } + + measure: last_heartbeat_max { + hidden: yes + type: date + sql: MAX(${last_heartbeat_raw}) ;; + } + measure: minutes_since_last_heartbeat { + type: number + sql: (datetime_diff(Current_timestamp(), TIMESTAMP(${last_heartbeat_max}), minute)) * 1 ;; + } + + measure: min_start_time { + type: date_time + sql: min(${TABLE}.start_time);; + } + + measure: max_end_time { + type: date_time + sql: max(${TABLE}.end_time);; + } + + measure: offered_gcp_log_type { + hidden : yes + type: number + sql: 43;; + } + + measure: ingested_gcp_log_type { + type: number + sql: count(DISTINCT${gcp_log_type}) ;; + } + + measure: gcp_log_types_used { + type: number + value_format_name: percent_0 + sql: ${ingested_gcp_log_type}/${offered_gcp_log_type};; + } } diff --git a/views/refinements/ingestion_stats.view.lkml b/views/refinements/ingestion_stats.view.lkml index 8b11786..b16f314 100644 --- a/views/refinements/ingestion_stats.view.lkml +++ b/views/refinements/ingestion_stats.view.lkml @@ -20,16 +20,11 @@ view: +ingestion_stats { measure: total_entry_number { type: sum sql: ${entry_number} ;; - link: { - label: "Data Ingestion and Health Dashboard" - url: "@{DATA_INGESTION_AND_HEALTH_DASHBOARD}" - icon_url: "@{DASHBOARD_ICON_URL}" - } - } - - measure: total_entry_number { - type: sum - sql: ${entry_number} ;; + # link: { + # label: "Data Ingestion and Health Dashboard" + # url: "@{DATA_INGESTION_AND_HEALTH_DASHBOARD}" + # icon_url: "@{DASHBOARD_ICON_URL}" + # } } measure: total_entry_number_in_million { 
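Review bot: In `minutes_since_last_heartbeat`, `datetime_diff` is given two TIMESTAMP values (`Current_timestamp()` and `TIMESTAMP(...)`), while that function is defined for DATETIME operands; `TIMESTAMP_DIFF` is the matching call. The value it reads, `last_heartbeat_max`, is declared `type: date`, so if Looker renders that reference at day granularity the result counts minutes since midnight of the last heartbeat day and overstates the gap for any silent-source check built on it. Assuming `last_heartbeat_raw` is a timestamp (its definition is outside this hunk), I would write `sql: TIMESTAMP_DIFF(CURRENT_TIMESTAMP(), MAX(${last_heartbeat_raw}), MINUTE) ;;` and drop the `* 1`. Separately, `offered_gcp_log_type` hard-codes `43` with no comment on where the number comes from, and `count(DISTINCT${gcp_log_type})` is missing a space after `DISTINCT`.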
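Review bot: The `link` block on `total_entry_number` in `views/refinements/ingestion_stats.view.lkml` is commented out rather than removed. The later hunks do the same for `total_entry_number_in_million_for_drill`, `total_size_bytes` and `total_size_bytes_GB_for_drill`, while the last hunk deletes the link on `log_type_for_drill` outright. Commented-out LookML that still names `@{DATA_INGESTION_AND_HEALTH_DASHBOARD}` leaves readers unsure whether the constant and the drill are still meant to exist. I would delete the five lines in each measure, or keep a single comment that states why the link is disabled, for example `# Drill link to the ingestion dashboard disabled: <reason>`.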
@@ -40,11 +35,11 @@ view: +ingestion_stats { measure: total_entry_number_in_million_for_drill { type: sum sql: round(${entry_number}/1000000, 0) ;; - link: { - label: "Data Ingestion and Health Dashboard" - url: "@{DATA_INGESTION_AND_HEALTH_DASHBOARD}" - icon_url: "@{DASHBOARD_ICON_URL}" - } + # link: { + # label: "Data Ingestion and Health Dashboard" + # url: "@{DATA_INGESTION_AND_HEALTH_DASHBOARD}" + # icon_url: "@{DASHBOARD_ICON_URL}" + # } } measure: total_error_count_in_million { @@ -55,11 +50,11 @@ view: +ingestion_stats { measure: total_size_bytes { type: sum sql: ${size_bytes} ;; - link: { - label: "Data Ingestion and Health Dashboard" - url: "@{DATA_INGESTION_AND_HEALTH_DASHBOARD}" - icon_url: "@{DASHBOARD_ICON_URL}" - } + # link: { + # label: "Data Ingestion and Health Dashboard" + # url: "@{DATA_INGESTION_AND_HEALTH_DASHBOARD}" + # icon_url: "@{DASHBOARD_ICON_URL}" + # } } measure: total_size_bytes_GB { @@ -70,11 +65,11 @@ view: +ingestion_stats { measure: total_size_bytes_GB_for_drill { type: sum sql: round(${size_bytes}/1000/1000/1000, 2) ;; - link: { - label: "Data Ingestion and Health Dashboard" - url: "@{DATA_INGESTION_AND_HEALTH_DASHBOARD}" - icon_url: "@{DASHBOARD_ICON_URL}" - } + # link: { + # label: "Data Ingestion and Health Dashboard" + # url: "@{DATA_INGESTION_AND_HEALTH_DASHBOARD}" + # icon_url: "@{DASHBOARD_ICON_URL}" + # } } measure: total_size_bytes_GiB { @@ -138,10 +133,5 @@ view: +ingestion_stats { dimension: log_type_for_drill { type: string sql: ${log_type} ;; - link: { - label: "Data Ingestion and Health Dashboard" - # url: "@{DATA_INGESTION_AND_HEALTH_DASHBOARD}" - # icon_url: "@{DASHBOARD_ICON_URL}" - } } } diff --git a/views/refinements/rule_detections.view.lkml b/views/refinements/rule_detections.view.lkml index 2fc4998..b0eba80 100644 --- a/views/refinements/rule_detections.view.lkml +++ b/views/refinements/rule_detections.view.lkml 
@@ -11,7 +11,7 @@ view: +rule_detections { type: string sql: ${TABLE}.rule_name ;; link: { - label: "Investigate in Chronicle" + label: "Investigate rule detections" url: "@{CHRONICLE_URL}/ruleDetections?ruleId={{rule_detections.rule_id._value}}" icon_url: "@{RULE_DETECTIONS_PAGE_ICON_URL}" } @@ -30,11 +30,6 @@ view: +rule_detections { measure: count_for_drill { type: count - link: { - label: "Rule Detections Dashboard" - url: "@{RULE_DETECTIONS_DASHBOARD}" - icon_url: "@{DASHBOARD_ICON_URL}" - } } measure: count { @@ -91,6 +86,34 @@ view: +rule_detections { datatype: epoch sql: ${detection__detection_timestamp__seconds} ;; } + + dimension: risk_score { + type: string + sql: SELECT value FROM UNNEST(${TABLE}.detection.outcomes) WHERE name='risk_score' ;; + } + + dimension: rulesets { + hidden: yes + sql: ${TABLE}.rulesets ;; + group_label: "Rulesets" + } +} + +view: rule_detections__rulesets { + dimension: ruleset_id { + type: string + sql: ${TABLE}.ruleset_id ;; + } + + dimension: ruleset_name { + type: string + sql: ${TABLE}.ruleset_name ;; + } + + dimension: ruleset_family_name { + type: string + sql: ${TABLE}.ruleset_family_name ;; + } } view: +rule_detections__detection__users { diff --git a/views/refinements/udm_events.view.lkml b/views/refinements/udm_events.view.lkml index 6344ccb..03a126c 100644 --- a/views/refinements/udm_events.view.lkml +++ b/views/refinements/udm_events.view.lkml 
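Review bot: The new `risk_score` dimension uses a bare `SELECT ... FROM UNNEST(...)` as its `sql`, with no enclosing parentheses and no bound on the number of rows. Used as a column expression this has to be a parenthesised scalar subquery, and a detection carrying more than one outcome named `risk_score` would make that subquery fail at query time; `sql: (SELECT value FROM UNNEST(${TABLE}.detection.outcomes) WHERE name = 'risk_score' LIMIT 1) ;;` covers both. It is also declared `type: string`, so sorting or filtering on it compares text rather than numbers. If the outcome value is always numeric, a `SAFE_CAST(... AS INT64)` with `type: number` would be the safer shape, which needs confirming against the outcomes schema.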
@@ -176,6 +176,22 @@ view: +udm_events { } + dimension: principal__location__location { + type: location + sql_latitude: ${principal__location__region_latitude} ;; + sql_longitude: ${principal__location__region_longitude} ;; + group_label: "Principal Location" + group_item_label: "Location" + } + + dimension: target__location__location { + type: location + sql_latitude: ${target__location__region_latitude} ;; + sql_longitude: ${target__location__region_longitude} ;; + group_label: "Target Location" + group_item_label: "Location" + } + dimension: full_domain { type: string sql: COALESCE(${TABLE}.network.dns.questions[SAFE_OFFSET(0)].name, ${TABLE}.target.hostname);; @@ -202,6 +218,26 @@ view: +udm_events { sql: ${network__ip_protocol__enum.enum_name} ;; } + dimension: principal__ip_location { + hidden: yes + sql: ${TABLE}.principal.ip_location ;; + } + + dimension: target__ip_location { + hidden: yes + sql: ${TABLE}.target.ip_location ;; + } + + dimension: src__ip_location { + hidden: yes + sql: ${TABLE}.src.ip_location ;; + } + + dimension: observer__ip_location { + hidden: yes + sql: ${TABLE}.observer.ip_location ;; + } + measure: count_all { description: "Count of all UDM events where a Count distinct is not used." type: number 
@@ -272,3 +308,35 @@ view: +udm_events__extensions__vulns__vulnerabilities { sql: ${udm_events__extensions__vulns__vulnerabilities__severity__enum.enum_name} ;; } } + +view: +udm_events__principal__ip_location { + dimension: location { + type: location + sql_latitude: ${TABLE}.region_latitude ;; + sql_longitude: ${TABLE}.region_longitude ;; + } +} + +view: +udm_events__target__ip_location { + dimension: location { + type: location + sql_latitude: ${TABLE}.region_latitude ;; + sql_longitude: ${TABLE}.region_longitude ;; + } +} + +view: +udm_events__src__ip_location { + dimension: location { + type: location + sql_latitude: ${TABLE}.region_latitude ;; + sql_longitude: ${TABLE}.region_longitude ;; + } +} + +view: +udm_events__observer__ip_location { + dimension: location { + type: location + sql_latitude: ${TABLE}.region_latitude ;; + sql_longitude: ${TABLE}.region_longitude ;; + } +} diff --git a/views/refinements/udm_events_aggregates.view.lkml b/views/refinements/udm_events_aggregates.view.lkml index 853e1aa..0f9a7d1 100644 --- a/views/refinements/udm_events_aggregates.view.lkml +++ b/views/refinements/udm_events_aggregates.view.lkml @@ -10,4 +10,20 @@ view: +udm_events_aggregates { icon_url: "@{USER_PAGE_ICON_URL}" } } + + dimension: principal_location__location { + type: location + sql_latitude: ${principal_location__region_latitude} ;; + sql_longitude: ${principal_location__region_longitude} ;; + group_label: "Principal Location" + group_item_label: "Location" + } + + dimension: target_location__location { + type: location + sql_latitude: ${target_location__region_latitude} ;; + sql_longitude: ${target_location__region_longitude} ;; + group_label: "Target Location" + group_item_label: "Location" + } } diff --git a/views/rule_detections.view.lkml b/views/rule_detections.view.lkml index 8b2ac21..1b3ecab 100644 --- a/views/rule_detections.view.lkml +++ b/views/rule_detections.view.lkml 
@@ -1,5 +1,5 @@ view: rule_detections { - sql_table_name: `@{DATASET_NAME}.@{RULE_DETECTIONS}` + sql_table_name: `@{RULE_DETECTIONS}` ;; dimension: detection__assets { @@ -60,6 +60,12 @@ view: rule_detections { group_item_label: "Nanos" } + dimension: detection_alert_type { + type: number + sql: ${TABLE}.detection.alert_type ;; + group_label: "Detection" + } + dimension: detection__detection_timestamp__seconds { type: number sql: ${TABLE}.detection.detection_timestamp.seconds ;; diff --git a/views/udm_enum_value_to_name_mapping.view.lkml b/views/udm_enum_value_to_name_mapping.view.lkml index 9390e62..3539e7a 100644 --- a/views/udm_enum_value_to_name_mapping.view.lkml +++ b/views/udm_enum_value_to_name_mapping.view.lkml @@ -1,5 +1,5 @@ view: udm_enum_value_to_name_mapping { - sql_table_name: `@{DATASET_NAME}.@{UDM_MAPPINGS}` + sql_table_name: `@{UDM_MAPPINGS}` ;; dimension: enum_name { diff --git a/views/udm_events.view.lkml b/views/udm_events.view.lkml index b01708a..e29048e 100644 --- a/views/udm_events.view.lkml +++ b/views/udm_events.view.lkml @@ -1,5 +1,5 @@ view: udm_events { - sql_table_name: `@{DATASET_NAME}.@{EVENTS}`;; + sql_table_name: `@{EVENTS}`;; dimension_group: _partitiondate { type: time @@ -36049,12 +36049,12 @@ view: udm_events__security_result { hidden: yes sql: detection_fields ;; } - + dimension: outcomes { hidden: yes sql: outcomes ;; } - + dimension: priority { type: number sql: priority ;; @@ -36085,6 +36085,16 @@ view: udm_events__security_result { sql: rule_name ;; } + dimension: rule_set { + type: string + sql: rule_set ;; + } + + dimension: rule_set_display_name { + type: string + sql: rule_set_display_name ;; + } + dimension: rule_type { type: string sql: rule_type ;; @@ -38428,12 +38438,12 @@ view: udm_events__security_result__outcomes { type: string sql: ${TABLE}.key ;; } - + dimension: source { type: string sql: ${TABLE}.source ;; } - + dimension: value { type: string sql: ${TABLE}.value ;; 
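Review bot: `detection_alert_type` in `views/rule_detections.view.lkml` breaks the naming pattern of the neighbouring fields, which join nested path segments with a double underscore (`detection__detection_timestamp__seconds`) and pair `group_label` with a `group_item_label`. I would name it `detection__alert_type` and add `group_item_label: "Alert Type"`. The column is exposed as a bare `type: number`; if it is an enum, a `description` listing what the values mean would keep analysts from guessing when they filter detections on it.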
@@ -39595,24172 +39605,24172 @@ view: udm_events__observer__process_ancestors { } } - view: udm_events__src__domain__admin__phone_numbers { - dimension: udm_events__src__domain__admin__phone_numbers { - type: string - sql: udm_events__src__domain__admin__phone_numbers ;; - } - } - - view: udm_events__src__asset__vulnerabilities { - dimension: cve_description { - type: string - sql: ${TABLE}.cve_description ;; - } - - dimension: cve_id { - type: string - sql: ${TABLE}.cve_id ;; - } - - dimension: cvss_base_score { - type: number - sql: ${TABLE}.cvss_base_score ;; - } - - dimension: cvss_vector { - type: string - sql: ${TABLE}.cvss_vector ;; - } - - dimension: cvss_version { - type: string - sql: ${TABLE}.cvss_version ;; - } - - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: first_found__nanos { - type: number - sql: ${TABLE}.first_found.nanos ;; - group_label: "First Found" - group_item_label: "Nanos" - } - - dimension: first_found__seconds { - type: number - sql: ${TABLE}.first_found.seconds ;; - group_label: "First Found" - group_item_label: "Seconds" - } - - dimension: last_found__nanos { - type: number - sql: ${TABLE}.last_found.nanos ;; - group_label: "Last Found" - group_item_label: "Nanos" - } - - dimension: last_found__seconds { - type: number - sql: ${TABLE}.last_found.seconds ;; - group_label: "Last Found" - group_item_label: "Seconds" - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: scan_end_time__nanos { - type: number - sql: ${TABLE}.scan_end_time.nanos ;; - group_label: "Scan End Time" - group_item_label: "Nanos" - } - - dimension: scan_end_time__seconds { - type: number - sql: ${TABLE}.scan_end_time.seconds ;; - group_label: "Scan End Time" - group_item_label: "Seconds" - } - - dimension: scan_start_time__nanos { - type: number - sql: ${TABLE}.scan_start_time.nanos ;; - group_label: "Scan Start Time" - group_item_label: "Nanos" - } - - dimension: scan_start_time__seconds { - 
type: number - sql: ${TABLE}.scan_start_time.seconds ;; - group_label: "Scan Start Time" - group_item_label: "Seconds" - } - - dimension: severity { - type: number - sql: ${TABLE}.severity ;; - } - - dimension: severity_details { - type: string - sql: ${TABLE}.severity_details ;; - } - - dimension: vendor { - type: string - sql: ${TABLE}.vendor ;; - } - - dimension: vendor_knowledge_base_article_id { - type: string - sql: ${TABLE}.vendor_knowledge_base_article_id ;; - } - - dimension: vendor_vulnerability_id { - type: string - sql: ${TABLE}.vendor_vulnerability_id ;; - } - } - - view: udm_events__src__asset__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__src__asset__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__security_result__about__asset__ip { - dimension: udm_events__security_result__about__asset__ip { - type: string - sql: udm_events__security_result__about__asset__ip ;; - } - } - - view: udm_events__target__group__email_addresses { - dimension: udm_events__target__group__email_addresses { - type: string - sql: udm_events__target__group__email_addresses ;; - } - } - - view: udm_events__target__domain__admin__department { - dimension: udm_events__target__domain__admin__department { - type: string - sql: udm_events__target__domain__admin__department ;; - } - } - - view: udm_events__about__file__pe_file__section { - dimension: entropy { - type: number - sql: ${TABLE}.entropy ;; - } - - dimension: md5_hex { - type: string - sql: ${TABLE}.md5_hex ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: raw_size_bytes { - type: number - sql: 
${TABLE}.raw_size_bytes ;; - } - - dimension: virtual_size_bytes { - type: number - sql: ${TABLE}.virtual_size_bytes ;; - } - } - - view: udm_events__about__domain__tech__phone_numbers { - dimension: udm_events__about__domain__tech__phone_numbers { - type: string - sql: udm_events__about__domain__tech__phone_numbers ;; - } - } - - view: udm_events__about__domain__billing__department { - dimension: udm_events__about__domain__billing__department { - type: string - sql: udm_events__about__domain__billing__department ;; - } - } - - view: udm_events__about__domain__zone__phone_numbers { - dimension: udm_events__about__domain__zone__phone_numbers { - type: string - sql: udm_events__about__domain__zone__phone_numbers ;; - } - } - - view: udm_events__about__user__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: ${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__about__user__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__about__user__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: 
${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__intermediary__process__file__names { - dimension: udm_events__intermediary__process__file__names { - type: string - sql: udm_events__intermediary__process__file__names ;; - } - } - - view: udm_events__intermediary__domain__name_server { - dimension: udm_events__intermediary__domain__name_server { - type: string - sql: udm_events__intermediary__domain__name_server ;; - } - } - - view: udm_events__intermediary__asset__hardware { - dimension: cpu_clock_speed { - type: number - sql: ${TABLE}.cpu_clock_speed ;; - } - - dimension: cpu_max_clock_speed { - type: number - sql: ${TABLE}.cpu_max_clock_speed ;; - } - - dimension: cpu_model { - type: string - sql: ${TABLE}.cpu_model ;; - } - - dimension: cpu_number_cores { - type: number - sql: ${TABLE}.cpu_number_cores ;; - } - - dimension: cpu_platform { - type: string - sql: ${TABLE}.cpu_platform ;; - } - - dimension: manufacturer { - type: string - sql: ${TABLE}.manufacturer ;; - } - - dimension: model { - type: string - sql: ${TABLE}.model ;; - } - - dimension: ram { - type: number - sql: ${TABLE}.ram ;; - } - - dimension: serial_number { - type: string - sql: ${TABLE}.serial_number ;; - } - } - - view: udm_events__intermediary__user__phone_numbers { - dimension: udm_events__intermediary__user__phone_numbers { - type: string - sql: udm_events__intermediary__user__phone_numbers ;; - } - } - - view: udm_events__principal__resource_ancestors { - drill_fields: [id] - - dimension: id { - primary_key: yes - type: string - sql: ${TABLE}.id ;; - } - - dimension: attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.attribute.cloud.availability_zone ;; - group_label: "Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: attribute__cloud__environment { - type: number - sql: ${TABLE}.attribute.cloud.environment ;; - group_label: "Attribute Cloud" - group_item_label: "Environment" - 
} - - dimension: attribute__creation_time__nanos { - type: number - sql: ${TABLE}.attribute.creation_time.nanos ;; - group_label: "Attribute Creation Time" - group_item_label: "Nanos" - } - - dimension: attribute__creation_time__seconds { - type: number - sql: ${TABLE}.attribute.creation_time.seconds ;; - group_label: "Attribute Creation Time" - group_item_label: "Seconds" - } - - dimension: attribute__labels { - hidden: yes - sql: ${TABLE}.attribute.labels ;; - group_label: "Attribute" - group_item_label: "Labels" - } - - dimension: attribute__last_update_time__nanos { - type: number - sql: ${TABLE}.attribute.last_update_time.nanos ;; - group_label: "Attribute Last Update Time" - group_item_label: "Nanos" - } - - dimension: attribute__last_update_time__seconds { - type: number - sql: ${TABLE}.attribute.last_update_time.seconds ;; - group_label: "Attribute Last Update Time" - group_item_label: "Seconds" - } - - dimension: attribute__permissions { - hidden: yes - sql: ${TABLE}.attribute.permissions ;; - group_label: "Attribute" - group_item_label: "Permissions" - } - - dimension: attribute__roles { - hidden: yes - sql: ${TABLE}.attribute.roles ;; - group_label: "Attribute" - group_item_label: "Roles" - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: parent { - type: string - sql: ${TABLE}.parent ;; - } - - dimension: product_object_id { - type: string - sql: ${TABLE}.product_object_id ;; - } - - dimension: resource_subtype { - type: string - sql: ${TABLE}.resource_subtype ;; - } - - dimension: resource_type { - type: number - sql: ${TABLE}.resource_type ;; - } - - dimension: type { - type: string - sql: ${TABLE}.type ;; - } - } - - view: udm_events__principal__process_ancestors { - dimension: access_mask { - type: number - sql: ${TABLE}.access_mask ;; - } - - dimension: command_line { - type: string - sql: ${TABLE}.command_line ;; - } - - dimension: command_line_history { - hidden: yes - sql: ${TABLE}.command_line_history ;; - } - - 
dimension: file__ahash { - type: string - sql: ${TABLE}.file.ahash ;; - group_label: "File" - group_item_label: "Ahash" - } - - dimension: file__authentihash { - type: string - sql: ${TABLE}.file.authentihash ;; - group_label: "File" - group_item_label: "Authentihash" - } - - dimension: file__capabilities_tags { - hidden: yes - sql: ${TABLE}.file.capabilities_tags ;; - group_label: "File" - group_item_label: "Capabilities Tags" - } - - dimension: file__file_metadata__pe__import_hash { - type: string - sql: ${TABLE}.file.file_metadata.pe.import_hash ;; - group_label: "File File Metadata Pe" - group_item_label: "Import Hash" - } - - dimension: file__file_type { - type: number - sql: ${TABLE}.file.file_type ;; - group_label: "File" - group_item_label: "File Type" - } - - dimension: file__first_seen_time__nanos { - type: number - sql: ${TABLE}.file.first_seen_time.nanos ;; - group_label: "File First Seen Time" - group_item_label: "Nanos" - } - - dimension: file__first_seen_time__seconds { - type: number - sql: ${TABLE}.file.first_seen_time.seconds ;; - group_label: "File First Seen Time" - group_item_label: "Seconds" - } - - dimension: file__full_path { - type: string - sql: ${TABLE}.file.full_path ;; - group_label: "File" - group_item_label: "Full Path" - } - - dimension: file__last_modification_time__nanos { - type: number - sql: ${TABLE}.file.last_modification_time.nanos ;; - group_label: "File Last Modification Time" - group_item_label: "Nanos" - } - - dimension: file__last_modification_time__seconds { - type: number - sql: ${TABLE}.file.last_modification_time.seconds ;; - group_label: "File Last Modification Time" - group_item_label: "Seconds" - } - - dimension: file__last_seen_time__nanos { - type: number - sql: ${TABLE}.file.last_seen_time.nanos ;; - group_label: "File Last Seen Time" - group_item_label: "Nanos" - } - - dimension: file__last_seen_time__seconds { - type: number - sql: ${TABLE}.file.last_seen_time.seconds ;; - group_label: "File Last Seen Time" - 
group_item_label: "Seconds" - } - - dimension: file__md5 { - type: string - sql: ${TABLE}.file.md5 ;; - group_label: "File" - group_item_label: "Md5" - } - - dimension: file__mime_type { - type: string - sql: ${TABLE}.file.mime_type ;; - group_label: "File" - group_item_label: "Mime Type" - } - - dimension: file__names { - hidden: yes - sql: ${TABLE}.file.names ;; - group_label: "File" - group_item_label: "Names" - } - - dimension: file__pe_file__compilation_exiftool_time__nanos { - type: number - sql: ${TABLE}.file.pe_file.compilation_exiftool_time.nanos ;; - group_label: "File Pe File Compilation Exiftool Time" - group_item_label: "Nanos" - } - - dimension: file__pe_file__compilation_exiftool_time__seconds { - type: number - sql: ${TABLE}.file.pe_file.compilation_exiftool_time.seconds ;; - group_label: "File Pe File Compilation Exiftool Time" - group_item_label: "Seconds" - } - - dimension: file__pe_file__compilation_time__nanos { - type: number - sql: ${TABLE}.file.pe_file.compilation_time.nanos ;; - group_label: "File Pe File Compilation Time" - group_item_label: "Nanos" - } - - dimension: file__pe_file__compilation_time__seconds { - type: number - sql: ${TABLE}.file.pe_file.compilation_time.seconds ;; - group_label: "File Pe File Compilation Time" - group_item_label: "Seconds" - } - - dimension: file__pe_file__entry_point { - type: number - sql: ${TABLE}.file.pe_file.entry_point ;; - group_label: "File Pe File" - group_item_label: "Entry Point" - } - - dimension: file__pe_file__entry_point_exiftool { - type: number - sql: ${TABLE}.file.pe_file.entry_point_exiftool ;; - group_label: "File Pe File" - group_item_label: "Entry Point Exiftool" - } - - dimension: file__pe_file__imphash { - type: string - sql: ${TABLE}.file.pe_file.imphash ;; - group_label: "File Pe File" - group_item_label: "Imphash" - } - - dimension: file__pe_file__imports { - hidden: yes - sql: ${TABLE}.file.pe_file.imports ;; - group_label: "File Pe File" - group_item_label: "Imports" - } - - 
dimension: file__pe_file__resource { - hidden: yes - sql: ${TABLE}.file.pe_file.resource ;; - group_label: "File Pe File" - group_item_label: "Resource" - } - - dimension: file__pe_file__resources_language_count { - hidden: yes - sql: ${TABLE}.file.pe_file.resources_language_count ;; - group_label: "File Pe File" - group_item_label: "Resources Language Count" - } - - dimension: file__pe_file__resources_language_count_str { - hidden: yes - sql: ${TABLE}.file.pe_file.resources_language_count_str ;; - group_label: "File Pe File" - group_item_label: "Resources Language Count Str" - } - - dimension: file__pe_file__resources_type_count { - hidden: yes - sql: ${TABLE}.file.pe_file.resources_type_count ;; - group_label: "File Pe File" - group_item_label: "Resources Type Count" - } - - dimension: file__pe_file__resources_type_count_str { - hidden: yes - sql: ${TABLE}.file.pe_file.resources_type_count_str ;; - group_label: "File Pe File" - group_item_label: "Resources Type Count Str" - } - - dimension: file__pe_file__section { - hidden: yes - sql: ${TABLE}.file.pe_file.section ;; - group_label: "File Pe File" - group_item_label: "Section" - } - - dimension: file__pe_file__signature_info__signer { - hidden: yes - sql: ${TABLE}.file.pe_file.signature_info.signer ;; - group_label: "File Pe File Signature Info" - group_item_label: "Signer" - } - - dimension: file__pe_file__signature_info__signers { - hidden: yes - sql: ${TABLE}.file.pe_file.signature_info.signers ;; - group_label: "File Pe File Signature Info" - group_item_label: "Signers" - } - - dimension: file__pe_file__signature_info__verification_message { - type: string - sql: ${TABLE}.file.pe_file.signature_info.verification_message ;; - group_label: "File Pe File Signature Info" - group_item_label: "Verification Message" - } - - dimension: file__pe_file__signature_info__verified { - type: yesno - sql: ${TABLE}.file.pe_file.signature_info.verified ;; - group_label: "File Pe File Signature Info" - group_item_label: 
"Verified" - } - - dimension: file__prevalence__day_count { - type: number - sql: ${TABLE}.file.prevalence.day_count ;; - group_label: "File Prevalence" - group_item_label: "Day Count" - } - - dimension: file__prevalence__day_max { - type: number - sql: ${TABLE}.file.prevalence.day_max ;; - group_label: "File Prevalence" - group_item_label: "Day Max" - } - - dimension: file__prevalence__day_max_sub_domains { - type: number - sql: ${TABLE}.file.prevalence.day_max_sub_domains ;; - group_label: "File Prevalence" - group_item_label: "Day Max Sub Domains" - } - - dimension: file__prevalence__rolling_max { - type: number - sql: ${TABLE}.file.prevalence.rolling_max ;; - group_label: "File Prevalence" - group_item_label: "Rolling Max" - } - - dimension: file__prevalence__rolling_max_sub_domains { - type: number - sql: ${TABLE}.file.prevalence.rolling_max_sub_domains ;; - group_label: "File Prevalence" - group_item_label: "Rolling Max Sub Domains" - } - - dimension: file__sha1 { - type: string - sql: ${TABLE}.file.sha1 ;; - group_label: "File" - group_item_label: "Sha1" - } - - dimension: file__sha256 { - type: string - sql: ${TABLE}.file.sha256 ;; - group_label: "File" - group_item_label: "Sha256" - } - - dimension: file__size { - type: number - sql: ${TABLE}.file.size ;; - group_label: "File" - group_item_label: "Size" - } - - dimension: file__ssdeep { - type: string - sql: ${TABLE}.file.ssdeep ;; - group_label: "File" - group_item_label: "Ssdeep" - } - - dimension: file__vhash { - type: string - sql: ${TABLE}.file.vhash ;; - group_label: "File" - group_item_label: "Vhash" - } - - dimension: parent_pid { - type: string - sql: ${TABLE}.parent_pid ;; - } - - dimension: pid { - type: string - sql: ${TABLE}.pid ;; - } - - dimension: product_specific_parent_process_id { - type: string - sql: ${TABLE}.product_specific_parent_process_id ;; - } - - dimension: product_specific_process_id { - type: string - sql: ${TABLE}.product_specific_process_id ;; - } - } - - view: 
udm_events__observer__file__capabilities_tags { - dimension: udm_events__observer__file__capabilities_tags { - type: string - sql: udm_events__observer__file__capabilities_tags ;; - } - } - - view: udm_events__observer__domain__tech__department { - dimension: udm_events__observer__domain__tech__department { - type: string - sql: udm_events__observer__domain__tech__department ;; - } - } - - view: udm_events__observer__domain__zone__department { - dimension: udm_events__observer__domain__zone__department { - type: string - sql: udm_events__observer__domain__zone__department ;; - } - } - - view: udm_events__observer__investigation__comments { - dimension: udm_events__observer__investigation__comments { - type: string - sql: udm_events__observer__investigation__comments ;; - } - } - - view: udm_events__observer__user__group_identifiers { - dimension: udm_events__observer__user__group_identifiers { - type: string - sql: udm_events__observer__user__group_identifiers ;; - } - } - - view: udm_events__src__user_management_chain { - dimension: account_type { - type: number - sql: ${TABLE}.account_type ;; - } - - dimension: attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.attribute.cloud.availability_zone ;; - group_label: "Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: attribute__cloud__environment { - type: number - sql: ${TABLE}.attribute.cloud.environment ;; - group_label: "Attribute Cloud" - group_item_label: "Environment" - } - - dimension: attribute__cloud__project__id { - type: string - sql: ${TABLE}.attribute.cloud.project.id ;; - group_label: "Attribute Cloud Project" - group_item_label: "ID" - } - - dimension: attribute__cloud__project__name { - type: string - sql: ${TABLE}.attribute.cloud.project.name ;; - group_label: "Attribute Cloud Project" - group_item_label: "Name" - } - - dimension: attribute__cloud__project__parent { - type: string - sql: ${TABLE}.attribute.cloud.project.parent ;; - group_label: "Attribute 
Cloud Project" - group_item_label: "Parent" - } - - dimension: attribute__cloud__project__product_object_id { - type: string - sql: ${TABLE}.attribute.cloud.project.product_object_id ;; - group_label: "Attribute Cloud Project" - group_item_label: "Product Object ID" - } - - dimension: attribute__cloud__project__resource_subtype { - type: string - sql: ${TABLE}.attribute.cloud.project.resource_subtype ;; - group_label: "Attribute Cloud Project" - group_item_label: "Resource Subtype" - } - - dimension: attribute__cloud__project__resource_type { - type: number - sql: ${TABLE}.attribute.cloud.project.resource_type ;; - group_label: "Attribute Cloud Project" - group_item_label: "Resource Type" - } - - dimension: attribute__cloud__project__type { - type: string - sql: ${TABLE}.attribute.cloud.project.type ;; - group_label: "Attribute Cloud Project" - group_item_label: "Type" - } - - dimension: attribute__cloud__vpc__id { - type: string - sql: ${TABLE}.attribute.cloud.vpc.id ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "ID" - } - - dimension: attribute__cloud__vpc__name { - type: string - sql: ${TABLE}.attribute.cloud.vpc.name ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "Name" - } - - dimension: attribute__cloud__vpc__parent { - type: string - sql: ${TABLE}.attribute.cloud.vpc.parent ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "Parent" - } - - dimension: attribute__cloud__vpc__product_object_id { - type: string - sql: ${TABLE}.attribute.cloud.vpc.product_object_id ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "Product Object ID" - } - - dimension: attribute__cloud__vpc__resource_subtype { - type: string - sql: ${TABLE}.attribute.cloud.vpc.resource_subtype ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "Resource Subtype" - } - - dimension: attribute__cloud__vpc__resource_type { - type: number - sql: ${TABLE}.attribute.cloud.vpc.resource_type ;; - group_label: "Attribute Cloud Vpc" - group_item_label: 
"Resource Type" - } - - dimension: attribute__cloud__vpc__type { - type: string - sql: ${TABLE}.attribute.cloud.vpc.type ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "Type" - } - - dimension: attribute__creation_time__nanos { - type: number - sql: ${TABLE}.attribute.creation_time.nanos ;; - group_label: "Attribute Creation Time" - group_item_label: "Nanos" - } - - dimension: attribute__creation_time__seconds { - type: number - sql: ${TABLE}.attribute.creation_time.seconds ;; - group_label: "Attribute Creation Time" - group_item_label: "Seconds" - } - - dimension: attribute__labels { - hidden: yes - sql: ${TABLE}.attribute.labels ;; - group_label: "Attribute" - group_item_label: "Labels" - } - - dimension: attribute__last_update_time__nanos { - type: number - sql: ${TABLE}.attribute.last_update_time.nanos ;; - group_label: "Attribute Last Update Time" - group_item_label: "Nanos" - } - - dimension: attribute__last_update_time__seconds { - type: number - sql: ${TABLE}.attribute.last_update_time.seconds ;; - group_label: "Attribute Last Update Time" - group_item_label: "Seconds" - } - - dimension: attribute__permissions { - hidden: yes - sql: ${TABLE}.attribute.permissions ;; - group_label: "Attribute" - group_item_label: "Permissions" - } - - dimension: attribute__roles { - hidden: yes - sql: ${TABLE}.attribute.roles ;; - group_label: "Attribute" - group_item_label: "Roles" - } - - dimension: company_name { - type: string - sql: ${TABLE}.company_name ;; - } - - dimension: department { - hidden: yes - sql: ${TABLE}.department ;; - } - - dimension: email_addresses { - hidden: yes - sql: ${TABLE}.email_addresses ;; - } - - dimension: employee_id { - type: string - sql: ${TABLE}.employee_id ;; - } - - dimension: first_name { - type: string - sql: ${TABLE}.first_name ;; - } - - dimension: first_seen_time__nanos { - type: number - sql: ${TABLE}.first_seen_time.nanos ;; - group_label: "First Seen Time" - group_item_label: "Nanos" - } - - dimension: 
first_seen_time__seconds { - type: number - sql: ${TABLE}.first_seen_time.seconds ;; - group_label: "First Seen Time" - group_item_label: "Seconds" - } - - dimension: group_identifiers { - hidden: yes - sql: ${TABLE}.group_identifiers ;; - } - - dimension: groupid { - type: string - sql: ${TABLE}.groupid ;; - } - - dimension: hire_date__nanos { - type: number - sql: ${TABLE}.hire_date.nanos ;; - group_label: "Hire Date" - group_item_label: "Nanos" - } - - dimension: hire_date__seconds { - type: number - sql: ${TABLE}.hire_date.seconds ;; - group_label: "Hire Date" - group_item_label: "Seconds" - } - - dimension: last_name { - type: string - sql: ${TABLE}.last_name ;; - } - - dimension: middle_name { - type: string - sql: ${TABLE}.middle_name ;; - } - - dimension: office_address__city { - type: string - sql: ${TABLE}.office_address.city ;; - group_label: "Office Address" - group_item_label: "City" - } - - dimension: office_address__country_or_region { - type: string - sql: ${TABLE}.office_address.country_or_region ;; - group_label: "Office Address" - group_item_label: "Country or Region" - } - - dimension: office_address__desk_name { - type: string - sql: ${TABLE}.office_address.desk_name ;; - group_label: "Office Address" - group_item_label: "Desk Name" - } - - dimension: office_address__floor_name { - type: string - sql: ${TABLE}.office_address.floor_name ;; - group_label: "Office Address" - group_item_label: "Floor Name" - } - - dimension: office_address__name { - type: string - sql: ${TABLE}.office_address.name ;; - group_label: "Office Address" - group_item_label: "Name" - } - - dimension: office_address__region_latitude { - type: number - sql: ${TABLE}.office_address.region_latitude ;; - group_label: "Office Address" - group_item_label: "Region Latitude" - } - - dimension: office_address__region_longitude { - type: number - sql: ${TABLE}.office_address.region_longitude ;; - group_label: "Office Address" - group_item_label: "Region Longitude" - } - - dimension: 
office_address__state { - type: string - sql: ${TABLE}.office_address.state ;; - group_label: "Office Address" - group_item_label: "State" - } - - dimension: personal_address__city { - type: string - sql: ${TABLE}.personal_address.city ;; - group_label: "Personal Address" - group_item_label: "City" - } - - dimension: personal_address__country_or_region { - type: string - sql: ${TABLE}.personal_address.country_or_region ;; - group_label: "Personal Address" - group_item_label: "Country or Region" - } - - dimension: personal_address__desk_name { - type: string - sql: ${TABLE}.personal_address.desk_name ;; - group_label: "Personal Address" - group_item_label: "Desk Name" - } - - dimension: personal_address__floor_name { - type: string - sql: ${TABLE}.personal_address.floor_name ;; - group_label: "Personal Address" - group_item_label: "Floor Name" - } - - dimension: personal_address__name { - type: string - sql: ${TABLE}.personal_address.name ;; - group_label: "Personal Address" - group_item_label: "Name" - } - - dimension: personal_address__region_latitude { - type: number - sql: ${TABLE}.personal_address.region_latitude ;; - group_label: "Personal Address" - group_item_label: "Region Latitude" - } - - dimension: personal_address__region_longitude { - type: number - sql: ${TABLE}.personal_address.region_longitude ;; - group_label: "Personal Address" - group_item_label: "Region Longitude" - } - - dimension: personal_address__state { - type: string - sql: ${TABLE}.personal_address.state ;; - group_label: "Personal Address" - group_item_label: "State" - } - - dimension: phone_numbers { - hidden: yes - sql: ${TABLE}.phone_numbers ;; - } - - dimension: product_object_id { - type: string - sql: ${TABLE}.product_object_id ;; - } - - dimension: role_description { - type: string - sql: ${TABLE}.role_description ;; - } - - dimension: role_name { - type: string - sql: ${TABLE}.role_name ;; - } - - dimension: termination_date__nanos { - type: number - sql: 
${TABLE}.termination_date.nanos ;; - group_label: "Termination Date" - group_item_label: "Nanos" - } - - dimension: termination_date__seconds { - type: number - sql: ${TABLE}.termination_date.seconds ;; - group_label: "Termination Date" - group_item_label: "Seconds" - } - - dimension: time_off { - hidden: yes - sql: ${TABLE}.time_off ;; - } - - dimension: title { - type: string - sql: ${TABLE}.title ;; - } - - dimension: user_authentication_status { - type: number - sql: ${TABLE}.user_authentication_status ;; - } - - dimension: user_display_name { - type: string - sql: ${TABLE}.user_display_name ;; - } - - dimension: user_role { - type: number - sql: ${TABLE}.user_role ;; - } - - dimension: userid { - type: string - sql: ${TABLE}.userid ;; - } - - dimension: windows_sid { - type: string - sql: ${TABLE}.windows_sid ;; - } - } - - view: udm_events__src__domain__tech__email_addresses { - dimension: udm_events__src__domain__tech__email_addresses { - type: string - sql: udm_events__src__domain__tech__email_addresses ;; - } - } - - view: udm_events__src__domain__zone__email_addresses { - dimension: udm_events__src__domain__zone__email_addresses { - type: string - sql: udm_events__src__domain__zone__email_addresses ;; - } - } - - view: udm_events__security_result__about__asset__mac { - dimension: udm_events__security_result__about__asset__mac { - type: string - sql: udm_events__security_result__about__asset__mac ;; - } - } - - view: udm_events__security_result__rule_labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__about__domain__admin__phone_numbers { - dimension: udm_events__about__domain__admin__phone_numbers { - type: string - sql: udm_events__about__domain__admin__phone_numbers ;; - } - } - - view: udm_events__about__asset__vulnerabilities { - dimension: cve_description { - type: string - 
sql: ${TABLE}.cve_description ;; - } - - dimension: cve_id { - type: string - sql: ${TABLE}.cve_id ;; - } - - dimension: cvss_base_score { - type: number - sql: ${TABLE}.cvss_base_score ;; - } - - dimension: cvss_vector { - type: string - sql: ${TABLE}.cvss_vector ;; - } - - dimension: cvss_version { - type: string - sql: ${TABLE}.cvss_version ;; - } - - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: first_found__nanos { - type: number - sql: ${TABLE}.first_found.nanos ;; - group_label: "First Found" - group_item_label: "Nanos" - } - - dimension: first_found__seconds { - type: number - sql: ${TABLE}.first_found.seconds ;; - group_label: "First Found" - group_item_label: "Seconds" - } - - dimension: last_found__nanos { - type: number - sql: ${TABLE}.last_found.nanos ;; - group_label: "Last Found" - group_item_label: "Nanos" - } - - dimension: last_found__seconds { - type: number - sql: ${TABLE}.last_found.seconds ;; - group_label: "Last Found" - group_item_label: "Seconds" - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: scan_end_time__nanos { - type: number - sql: ${TABLE}.scan_end_time.nanos ;; - group_label: "Scan End Time" - group_item_label: "Nanos" - } - - dimension: scan_end_time__seconds { - type: number - sql: ${TABLE}.scan_end_time.seconds ;; - group_label: "Scan End Time" - group_item_label: "Seconds" - } - - dimension: scan_start_time__nanos { - type: number - sql: ${TABLE}.scan_start_time.nanos ;; - group_label: "Scan Start Time" - group_item_label: "Nanos" - } - - dimension: scan_start_time__seconds { - type: number - sql: ${TABLE}.scan_start_time.seconds ;; - group_label: "Scan Start Time" - group_item_label: "Seconds" - } - - dimension: severity { - type: number - sql: ${TABLE}.severity ;; - } - - dimension: severity_details { - type: string - sql: ${TABLE}.severity_details ;; - } - - dimension: vendor { - type: string - sql: ${TABLE}.vendor ;; - } - - dimension: 
vendor_knowledge_base_article_id { - type: string - sql: ${TABLE}.vendor_knowledge_base_article_id ;; - } - - dimension: vendor_vulnerability_id { - type: string - sql: ${TABLE}.vendor_vulnerability_id ;; - } - } - - view: udm_events__about__asset__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__about__asset__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__intermediary__asset__software { - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: permissions { - hidden: yes - sql: ${TABLE}.permissions ;; - } - - dimension: version { - type: string - sql: ${TABLE}.version ;; - } - } - - view: udm_events__principal__file__capabilities_tags { - dimension: udm_events__principal__file__capabilities_tags { - type: string - sql: udm_events__principal__file__capabilities_tags ;; - } - } - - view: udm_events__principal__domain__tech__department { - dimension: udm_events__principal__domain__tech__department { - type: string - sql: udm_events__principal__domain__tech__department ;; - } - } - - view: udm_events__principal__domain__zone__department { - dimension: udm_events__principal__domain__zone__department { - type: string - sql: udm_events__principal__domain__zone__department ;; - } +view: udm_events__src__domain__admin__phone_numbers { + dimension: udm_events__src__domain__admin__phone_numbers { + type: string + sql: udm_events__src__domain__admin__phone_numbers ;; } +} - view: udm_events__principal__investigation__comments { - dimension: udm_events__principal__investigation__comments { - type: string - sql: udm_events__principal__investigation__comments ;; - } 
+view: udm_events__src__asset__vulnerabilities { + dimension: cve_description { + type: string + sql: ${TABLE}.cve_description ;; } - view: udm_events__principal__user__group_identifiers { - dimension: udm_events__principal__user__group_identifiers { - type: string - sql: udm_events__principal__user__group_identifiers ;; - } + dimension: cve_id { + type: string + sql: ${TABLE}.cve_id ;; } - view: udm_events__observer__group__email_addresses { - dimension: udm_events__observer__group__email_addresses { - type: string - sql: udm_events__observer__group__email_addresses ;; - } + dimension: cvss_base_score { + type: number + sql: ${TABLE}.cvss_base_score ;; } - view: udm_events__observer__domain__admin__department { - dimension: udm_events__observer__domain__admin__department { - type: string - sql: udm_events__observer__domain__admin__department ;; - } + dimension: cvss_vector { + type: string + sql: ${TABLE}.cvss_vector ;; } - view: udm_events__src__file__pe_file__imports { - dimension: functions { - hidden: yes - sql: ${TABLE}.functions ;; - } - - dimension: library { - type: string - sql: ${TABLE}.library ;; - } + dimension: cvss_version { + type: string + sql: ${TABLE}.cvss_version ;; } - view: udm_events__src__group__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } + dimension: description { + type: string + sql: ${TABLE}.description ;; } - view: udm_events__src__group__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } + dimension: first_found__nanos { + type: number + sql: ${TABLE}.first_found.nanos ;; + group_label: "First Found" + group_item_label: "Nanos" } - view: udm_events__src__process__command_line_history { - 
dimension: udm_events__src__process__command_line_history { - type: string - sql: udm_events__src__process__command_line_history ;; - } + dimension: first_found__seconds { + type: number + sql: ${TABLE}.first_found.seconds ;; + group_label: "First Found" + group_item_label: "Seconds" } - view: udm_events__src__process_ancestors__file__names { - dimension: udm_events__src__process_ancestors__file__names { - type: string - sql: udm_events__src__process_ancestors__file__names ;; - } + dimension: last_found__nanos { + type: number + sql: ${TABLE}.last_found.nanos ;; + group_label: "Last Found" + group_item_label: "Nanos" } - view: udm_events__src__domain__admin__email_addresses { - dimension: udm_events__src__domain__admin__email_addresses { - type: string - sql: udm_events__src__domain__admin__email_addresses ;; - } + dimension: last_found__seconds { + type: number + sql: ${TABLE}.last_found.seconds ;; + group_label: "Last Found" + group_item_label: "Seconds" } - view: udm_events__src__domain__billing__phone_numbers { - dimension: udm_events__src__domain__billing__phone_numbers { - type: string - sql: udm_events__src__domain__billing__phone_numbers ;; - } + dimension: name { + type: string + sql: ${TABLE}.name ;; } - view: udm_events__src__domain__registrant__department { - dimension: udm_events__src__domain__registrant__department { - type: string - sql: udm_events__src__domain__registrant__department ;; - } + dimension: scan_end_time__nanos { + type: number + sql: ${TABLE}.scan_end_time.nanos ;; + group_label: "Scan End Time" + group_item_label: "Nanos" } - view: udm_events__security_result__about__file__names { - dimension: udm_events__security_result__about__file__names { - type: string - sql: udm_events__security_result__about__file__names ;; - } - } - - view: udm_events__security_result__about__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: 
string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__security_result__category_details { - dimension: udm_events__security_result__category_details { - type: string - sql: udm_events__security_result__category_details ;; - } - } - - view: udm_events__target__file__pe_file__section { - dimension: entropy { - type: number - sql: ${TABLE}.entropy ;; - } - - dimension: md5_hex { - type: string - sql: ${TABLE}.md5_hex ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: raw_size_bytes { - type: number - sql: ${TABLE}.raw_size_bytes ;; - } - - dimension: virtual_size_bytes { - type: number - sql: ${TABLE}.virtual_size_bytes ;; - } - } - - view: udm_events__target__domain__tech__phone_numbers { - dimension: udm_events__target__domain__tech__phone_numbers { - type: string - sql: udm_events__target__domain__tech__phone_numbers ;; - } - } - - view: udm_events__target__domain__billing__department { - dimension: udm_events__target__domain__billing__department { - type: string - sql: udm_events__target__domain__billing__department ;; - } - } - - view: udm_events__target__domain__zone__phone_numbers { - dimension: udm_events__target__domain__zone__phone_numbers { - type: string - sql: udm_events__target__domain__zone__phone_numbers ;; - } - } - - view: udm_events__target__user__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: ${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number 
- sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__target__user__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__target__user__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__about__user_management_chain { - dimension: account_type { - type: number - sql: ${TABLE}.account_type ;; - } - - dimension: attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.attribute.cloud.availability_zone ;; - group_label: "Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: attribute__cloud__environment { - type: number - sql: ${TABLE}.attribute.cloud.environment ;; - group_label: "Attribute Cloud" - group_item_label: "Environment" - } - - dimension: attribute__cloud__project__id { - type: string - sql: ${TABLE}.attribute.cloud.project.id ;; - group_label: "Attribute Cloud Project" - group_item_label: "ID" - } - - dimension: attribute__cloud__project__name { - type: string - sql: ${TABLE}.attribute.cloud.project.name ;; - group_label: "Attribute Cloud Project" - group_item_label: "Name" - } - - dimension: attribute__cloud__project__parent { - type: string - sql: ${TABLE}.attribute.cloud.project.parent ;; - group_label: "Attribute Cloud Project" - group_item_label: "Parent" - } - - dimension: attribute__cloud__project__product_object_id { - type: string - sql: ${TABLE}.attribute.cloud.project.product_object_id ;; - group_label: "Attribute Cloud Project" - group_item_label: "Product Object ID" - } - - dimension: attribute__cloud__project__resource_subtype { - 
type: string - sql: ${TABLE}.attribute.cloud.project.resource_subtype ;; - group_label: "Attribute Cloud Project" - group_item_label: "Resource Subtype" - } - - dimension: attribute__cloud__project__resource_type { - type: number - sql: ${TABLE}.attribute.cloud.project.resource_type ;; - group_label: "Attribute Cloud Project" - group_item_label: "Resource Type" - } - - dimension: attribute__cloud__project__type { - type: string - sql: ${TABLE}.attribute.cloud.project.type ;; - group_label: "Attribute Cloud Project" - group_item_label: "Type" - } - - dimension: attribute__cloud__vpc__id { - type: string - sql: ${TABLE}.attribute.cloud.vpc.id ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "ID" - } - - dimension: attribute__cloud__vpc__name { - type: string - sql: ${TABLE}.attribute.cloud.vpc.name ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "Name" - } - - dimension: attribute__cloud__vpc__parent { - type: string - sql: ${TABLE}.attribute.cloud.vpc.parent ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "Parent" - } - - dimension: attribute__cloud__vpc__product_object_id { - type: string - sql: ${TABLE}.attribute.cloud.vpc.product_object_id ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "Product Object ID" - } - - dimension: attribute__cloud__vpc__resource_subtype { - type: string - sql: ${TABLE}.attribute.cloud.vpc.resource_subtype ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "Resource Subtype" - } - - dimension: attribute__cloud__vpc__resource_type { - type: number - sql: ${TABLE}.attribute.cloud.vpc.resource_type ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "Resource Type" - } - - dimension: attribute__cloud__vpc__type { - type: string - sql: ${TABLE}.attribute.cloud.vpc.type ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "Type" - } - - dimension: attribute__creation_time__nanos { - type: number - sql: ${TABLE}.attribute.creation_time.nanos ;; - group_label: "Attribute 
Creation Time" - group_item_label: "Nanos" - } - - dimension: attribute__creation_time__seconds { - type: number - sql: ${TABLE}.attribute.creation_time.seconds ;; - group_label: "Attribute Creation Time" - group_item_label: "Seconds" - } - - dimension: attribute__labels { - hidden: yes - sql: ${TABLE}.attribute.labels ;; - group_label: "Attribute" - group_item_label: "Labels" - } - - dimension: attribute__last_update_time__nanos { - type: number - sql: ${TABLE}.attribute.last_update_time.nanos ;; - group_label: "Attribute Last Update Time" - group_item_label: "Nanos" - } - - dimension: attribute__last_update_time__seconds { - type: number - sql: ${TABLE}.attribute.last_update_time.seconds ;; - group_label: "Attribute Last Update Time" - group_item_label: "Seconds" - } - - dimension: attribute__permissions { - hidden: yes - sql: ${TABLE}.attribute.permissions ;; - group_label: "Attribute" - group_item_label: "Permissions" - } - - dimension: attribute__roles { - hidden: yes - sql: ${TABLE}.attribute.roles ;; - group_label: "Attribute" - group_item_label: "Roles" - } - - dimension: company_name { - type: string - sql: ${TABLE}.company_name ;; - } - - dimension: department { - hidden: yes - sql: ${TABLE}.department ;; - } - - dimension: email_addresses { - hidden: yes - sql: ${TABLE}.email_addresses ;; - } - - dimension: employee_id { - type: string - sql: ${TABLE}.employee_id ;; - } - - dimension: first_name { - type: string - sql: ${TABLE}.first_name ;; - } - - dimension: first_seen_time__nanos { - type: number - sql: ${TABLE}.first_seen_time.nanos ;; - group_label: "First Seen Time" - group_item_label: "Nanos" - } - - dimension: first_seen_time__seconds { - type: number - sql: ${TABLE}.first_seen_time.seconds ;; - group_label: "First Seen Time" - group_item_label: "Seconds" - } - - dimension: group_identifiers { - hidden: yes - sql: ${TABLE}.group_identifiers ;; - } - - dimension: groupid { - type: string - sql: ${TABLE}.groupid ;; - } - - dimension: 
hire_date__nanos { - type: number - sql: ${TABLE}.hire_date.nanos ;; - group_label: "Hire Date" - group_item_label: "Nanos" - } - - dimension: hire_date__seconds { - type: number - sql: ${TABLE}.hire_date.seconds ;; - group_label: "Hire Date" - group_item_label: "Seconds" - } - - dimension: last_name { - type: string - sql: ${TABLE}.last_name ;; - } - - dimension: middle_name { - type: string - sql: ${TABLE}.middle_name ;; - } - - dimension: office_address__city { - type: string - sql: ${TABLE}.office_address.city ;; - group_label: "Office Address" - group_item_label: "City" - } - - dimension: office_address__country_or_region { - type: string - sql: ${TABLE}.office_address.country_or_region ;; - group_label: "Office Address" - group_item_label: "Country or Region" - } - - dimension: office_address__desk_name { - type: string - sql: ${TABLE}.office_address.desk_name ;; - group_label: "Office Address" - group_item_label: "Desk Name" - } - - dimension: office_address__floor_name { - type: string - sql: ${TABLE}.office_address.floor_name ;; - group_label: "Office Address" - group_item_label: "Floor Name" - } - - dimension: office_address__name { - type: string - sql: ${TABLE}.office_address.name ;; - group_label: "Office Address" - group_item_label: "Name" - } - - dimension: office_address__region_latitude { - type: number - sql: ${TABLE}.office_address.region_latitude ;; - group_label: "Office Address" - group_item_label: "Region Latitude" - } - - dimension: office_address__region_longitude { - type: number - sql: ${TABLE}.office_address.region_longitude ;; - group_label: "Office Address" - group_item_label: "Region Longitude" - } - - dimension: office_address__state { - type: string - sql: ${TABLE}.office_address.state ;; - group_label: "Office Address" - group_item_label: "State" - } - - dimension: personal_address__city { - type: string - sql: ${TABLE}.personal_address.city ;; - group_label: "Personal Address" - group_item_label: "City" - } - - dimension: 
personal_address__country_or_region { - type: string - sql: ${TABLE}.personal_address.country_or_region ;; - group_label: "Personal Address" - group_item_label: "Country or Region" - } - - dimension: personal_address__desk_name { - type: string - sql: ${TABLE}.personal_address.desk_name ;; - group_label: "Personal Address" - group_item_label: "Desk Name" - } - - dimension: personal_address__floor_name { - type: string - sql: ${TABLE}.personal_address.floor_name ;; - group_label: "Personal Address" - group_item_label: "Floor Name" - } - - dimension: personal_address__name { - type: string - sql: ${TABLE}.personal_address.name ;; - group_label: "Personal Address" - group_item_label: "Name" - } - - dimension: personal_address__region_latitude { - type: number - sql: ${TABLE}.personal_address.region_latitude ;; - group_label: "Personal Address" - group_item_label: "Region Latitude" - } - - dimension: personal_address__region_longitude { - type: number - sql: ${TABLE}.personal_address.region_longitude ;; - group_label: "Personal Address" - group_item_label: "Region Longitude" - } - - dimension: personal_address__state { - type: string - sql: ${TABLE}.personal_address.state ;; - group_label: "Personal Address" - group_item_label: "State" - } - - dimension: phone_numbers { - hidden: yes - sql: ${TABLE}.phone_numbers ;; - } - - dimension: product_object_id { - type: string - sql: ${TABLE}.product_object_id ;; - } - - dimension: role_description { - type: string - sql: ${TABLE}.role_description ;; - } - - dimension: role_name { - type: string - sql: ${TABLE}.role_name ;; - } - - dimension: termination_date__nanos { - type: number - sql: ${TABLE}.termination_date.nanos ;; - group_label: "Termination Date" - group_item_label: "Nanos" - } - - dimension: termination_date__seconds { - type: number - sql: ${TABLE}.termination_date.seconds ;; - group_label: "Termination Date" - group_item_label: "Seconds" - } - - dimension: time_off { - hidden: yes - sql: ${TABLE}.time_off ;; - } 
- - dimension: title { - type: string - sql: ${TABLE}.title ;; - } - - dimension: user_authentication_status { - type: number - sql: ${TABLE}.user_authentication_status ;; - } - - dimension: user_display_name { - type: string - sql: ${TABLE}.user_display_name ;; - } - - dimension: user_role { - type: number - sql: ${TABLE}.user_role ;; - } - - dimension: userid { - type: string - sql: ${TABLE}.userid ;; - } - - dimension: windows_sid { - type: string - sql: ${TABLE}.windows_sid ;; - } - } - - view: udm_events__about__domain__tech__email_addresses { - dimension: udm_events__about__domain__tech__email_addresses { - type: string - sql: udm_events__about__domain__tech__email_addresses ;; - } - } - - view: udm_events__about__domain__zone__email_addresses { - dimension: udm_events__about__domain__zone__email_addresses { - type: string - sql: udm_events__about__domain__zone__email_addresses ;; - } - } - - view: udm_events__intermediary__user__email_addresses { - dimension: udm_events__intermediary__user__email_addresses { - type: string - sql: udm_events__intermediary__user__email_addresses ;; - } - } - - view: udm_events__principal__group__email_addresses { - dimension: udm_events__principal__group__email_addresses { - type: string - sql: udm_events__principal__group__email_addresses ;; - } - } - - view: udm_events__principal__domain__admin__department { - dimension: udm_events__principal__domain__admin__department { - type: string - sql: udm_events__principal__domain__admin__department ;; - } - } - - view: udm_events__src__file__pe_file__resource { - dimension: entropy { - type: number - sql: ${TABLE}.entropy ;; - } - - dimension: file_type { - type: string - sql: ${TABLE}.file_type ;; - } - - dimension: filetype_magic { - type: string - sql: ${TABLE}.filetype_magic ;; - } - - dimension: language_code { - type: string - sql: ${TABLE}.language_code ;; - } - - dimension: resource_type { - type: string - sql: ${TABLE}.resource_type ;; - } - - dimension: sha256_hex { - 
type: string - sql: ${TABLE}.sha256_hex ;; - } - } - - view: udm_events__src__resource__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__src__resource__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__src__domain__tech__group_identifiers { - dimension: udm_events__src__domain__tech__group_identifiers { - type: string - sql: udm_events__src__domain__tech__group_identifiers ;; - } - } - - view: udm_events__src__domain__zone__group_identifiers { - dimension: udm_events__src__domain__zone__group_identifiers { - type: string - sql: udm_events__src__domain__zone__group_identifiers ;; - } - } - - view: udm_events__target__domain__admin__phone_numbers { - dimension: udm_events__target__domain__admin__phone_numbers { - type: string - sql: udm_events__target__domain__admin__phone_numbers ;; - } - } - - view: udm_events__target__asset__vulnerabilities { - dimension: cve_description { - type: string - sql: ${TABLE}.cve_description ;; - } - - dimension: cve_id { - type: string - sql: ${TABLE}.cve_id ;; - } - - dimension: cvss_base_score { - type: number - sql: ${TABLE}.cvss_base_score ;; - } - - dimension: cvss_vector { - type: string - sql: ${TABLE}.cvss_vector ;; - } - - dimension: cvss_version { - type: string - sql: ${TABLE}.cvss_version ;; - } - - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: first_found__nanos { - type: number - sql: ${TABLE}.first_found.nanos ;; - group_label: "First Found" - group_item_label: "Nanos" - } - - dimension: first_found__seconds { - type: number - sql: ${TABLE}.first_found.seconds ;; - group_label: "First 
Found" - group_item_label: "Seconds" - } - - dimension: last_found__nanos { - type: number - sql: ${TABLE}.last_found.nanos ;; - group_label: "Last Found" - group_item_label: "Nanos" - } - - dimension: last_found__seconds { - type: number - sql: ${TABLE}.last_found.seconds ;; - group_label: "Last Found" - group_item_label: "Seconds" - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: scan_end_time__nanos { - type: number - sql: ${TABLE}.scan_end_time.nanos ;; - group_label: "Scan End Time" - group_item_label: "Nanos" - } - - dimension: scan_end_time__seconds { - type: number - sql: ${TABLE}.scan_end_time.seconds ;; - group_label: "Scan End Time" - group_item_label: "Seconds" - } - - dimension: scan_start_time__nanos { - type: number - sql: ${TABLE}.scan_start_time.nanos ;; - group_label: "Scan Start Time" - group_item_label: "Nanos" - } - - dimension: scan_start_time__seconds { - type: number - sql: ${TABLE}.scan_start_time.seconds ;; - group_label: "Scan Start Time" - group_item_label: "Seconds" - } - - dimension: severity { - type: number - sql: ${TABLE}.severity ;; - } - - dimension: severity_details { - type: string - sql: ${TABLE}.severity_details ;; - } - - dimension: vendor { - type: string - sql: ${TABLE}.vendor ;; - } - - dimension: vendor_knowledge_base_article_id { - type: string - sql: ${TABLE}.vendor_knowledge_base_article_id ;; - } - - dimension: vendor_vulnerability_id { - type: string - sql: ${TABLE}.vendor_vulnerability_id ;; - } - } - - view: udm_events__target__asset__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__target__asset__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string 
- sql: ${TABLE}.value ;; - } - } - - view: udm_events__metadata__tags__data_tap_config_name { - dimension: udm_events__metadata__tags__data_tap_config_name { - type: string - sql: udm_events__metadata__tags__data_tap_config_name ;; - } - } - - view: udm_events__about__file__pe_file__imports { - dimension: functions { - hidden: yes - sql: ${TABLE}.functions ;; - } - - dimension: library { - type: string - sql: ${TABLE}.library ;; - } - } - - view: udm_events__about__group__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__about__group__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__about__process__command_line_history { - dimension: udm_events__about__process__command_line_history { - type: string - sql: udm_events__about__process__command_line_history ;; - } - } - - view: udm_events__about__process_ancestors__file__names { - dimension: udm_events__about__process_ancestors__file__names { - type: string - sql: udm_events__about__process_ancestors__file__names ;; - } - } - - view: udm_events__about__domain__admin__email_addresses { - dimension: udm_events__about__domain__admin__email_addresses { - type: string - sql: udm_events__about__domain__admin__email_addresses ;; - } - } - - view: udm_events__about__domain__billing__phone_numbers { - dimension: udm_events__about__domain__billing__phone_numbers { - type: string - sql: udm_events__about__domain__billing__phone_numbers ;; - } - } - - view: udm_events__about__domain__registrant__department { - dimension: udm_events__about__domain__registrant__department { - type: string - sql: udm_events__about__domain__registrant__department 
;; - } - } - - view: udm_events__intermediary__resource_ancestors { - drill_fields: [id] - - dimension: id { - primary_key: yes - type: string - sql: ${TABLE}.id ;; - } - - dimension: attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.attribute.cloud.availability_zone ;; - group_label: "Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: attribute__cloud__environment { - type: number - sql: ${TABLE}.attribute.cloud.environment ;; - group_label: "Attribute Cloud" - group_item_label: "Environment" - } - - dimension: attribute__creation_time__nanos { - type: number - sql: ${TABLE}.attribute.creation_time.nanos ;; - group_label: "Attribute Creation Time" - group_item_label: "Nanos" - } - - dimension: attribute__creation_time__seconds { - type: number - sql: ${TABLE}.attribute.creation_time.seconds ;; - group_label: "Attribute Creation Time" - group_item_label: "Seconds" - } - - dimension: attribute__labels { - hidden: yes - sql: ${TABLE}.attribute.labels ;; - group_label: "Attribute" - group_item_label: "Labels" - } - - dimension: attribute__last_update_time__nanos { - type: number - sql: ${TABLE}.attribute.last_update_time.nanos ;; - group_label: "Attribute Last Update Time" - group_item_label: "Nanos" - } - - dimension: attribute__last_update_time__seconds { - type: number - sql: ${TABLE}.attribute.last_update_time.seconds ;; - group_label: "Attribute Last Update Time" - group_item_label: "Seconds" - } - - dimension: attribute__permissions { - hidden: yes - sql: ${TABLE}.attribute.permissions ;; - group_label: "Attribute" - group_item_label: "Permissions" - } - - dimension: attribute__roles { - hidden: yes - sql: ${TABLE}.attribute.roles ;; - group_label: "Attribute" - group_item_label: "Roles" - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: parent { - type: string - sql: ${TABLE}.parent ;; - } - - dimension: product_object_id { - type: string - sql: ${TABLE}.product_object_id ;; - } - - 
dimension: resource_subtype { - type: string - sql: ${TABLE}.resource_subtype ;; - } - - dimension: resource_type { - type: number - sql: ${TABLE}.resource_type ;; - } - - dimension: type { - type: string - sql: ${TABLE}.type ;; - } - } - - view: udm_events__intermediary__process_ancestors { - dimension: access_mask { - type: number - sql: ${TABLE}.access_mask ;; - } - - dimension: command_line { - type: string - sql: ${TABLE}.command_line ;; - } - - dimension: command_line_history { - hidden: yes - sql: ${TABLE}.command_line_history ;; - } - - dimension: file__ahash { - type: string - sql: ${TABLE}.file.ahash ;; - group_label: "File" - group_item_label: "Ahash" - } - - dimension: file__authentihash { - type: string - sql: ${TABLE}.file.authentihash ;; - group_label: "File" - group_item_label: "Authentihash" - } - - dimension: file__capabilities_tags { - hidden: yes - sql: ${TABLE}.file.capabilities_tags ;; - group_label: "File" - group_item_label: "Capabilities Tags" - } - - dimension: file__file_metadata__pe__import_hash { - type: string - sql: ${TABLE}.file.file_metadata.pe.import_hash ;; - group_label: "File File Metadata Pe" - group_item_label: "Import Hash" - } - - dimension: file__file_type { - type: number - sql: ${TABLE}.file.file_type ;; - group_label: "File" - group_item_label: "File Type" - } - - dimension: file__first_seen_time__nanos { - type: number - sql: ${TABLE}.file.first_seen_time.nanos ;; - group_label: "File First Seen Time" - group_item_label: "Nanos" - } - - dimension: file__first_seen_time__seconds { - type: number - sql: ${TABLE}.file.first_seen_time.seconds ;; - group_label: "File First Seen Time" - group_item_label: "Seconds" - } - - dimension: file__full_path { - type: string - sql: ${TABLE}.file.full_path ;; - group_label: "File" - group_item_label: "Full Path" - } - - dimension: file__last_modification_time__nanos { - type: number - sql: ${TABLE}.file.last_modification_time.nanos ;; - group_label: "File Last Modification Time" - 
group_item_label: "Nanos" - } - - dimension: file__last_modification_time__seconds { - type: number - sql: ${TABLE}.file.last_modification_time.seconds ;; - group_label: "File Last Modification Time" - group_item_label: "Seconds" - } - - dimension: file__last_seen_time__nanos { - type: number - sql: ${TABLE}.file.last_seen_time.nanos ;; - group_label: "File Last Seen Time" - group_item_label: "Nanos" - } - - dimension: file__last_seen_time__seconds { - type: number - sql: ${TABLE}.file.last_seen_time.seconds ;; - group_label: "File Last Seen Time" - group_item_label: "Seconds" - } - - dimension: file__md5 { - type: string - sql: ${TABLE}.file.md5 ;; - group_label: "File" - group_item_label: "Md5" - } - - dimension: file__mime_type { - type: string - sql: ${TABLE}.file.mime_type ;; - group_label: "File" - group_item_label: "Mime Type" - } - - dimension: file__names { - hidden: yes - sql: ${TABLE}.file.names ;; - group_label: "File" - group_item_label: "Names" - } - - dimension: file__pe_file__compilation_exiftool_time__nanos { - type: number - sql: ${TABLE}.file.pe_file.compilation_exiftool_time.nanos ;; - group_label: "File Pe File Compilation Exiftool Time" - group_item_label: "Nanos" - } - - dimension: file__pe_file__compilation_exiftool_time__seconds { - type: number - sql: ${TABLE}.file.pe_file.compilation_exiftool_time.seconds ;; - group_label: "File Pe File Compilation Exiftool Time" - group_item_label: "Seconds" - } - - dimension: file__pe_file__compilation_time__nanos { - type: number - sql: ${TABLE}.file.pe_file.compilation_time.nanos ;; - group_label: "File Pe File Compilation Time" - group_item_label: "Nanos" - } - - dimension: file__pe_file__compilation_time__seconds { - type: number - sql: ${TABLE}.file.pe_file.compilation_time.seconds ;; - group_label: "File Pe File Compilation Time" - group_item_label: "Seconds" - } - - dimension: file__pe_file__entry_point { - type: number - sql: ${TABLE}.file.pe_file.entry_point ;; - group_label: "File Pe File" - 
group_item_label: "Entry Point" - } - - dimension: file__pe_file__entry_point_exiftool { - type: number - sql: ${TABLE}.file.pe_file.entry_point_exiftool ;; - group_label: "File Pe File" - group_item_label: "Entry Point Exiftool" - } - - dimension: file__pe_file__imphash { - type: string - sql: ${TABLE}.file.pe_file.imphash ;; - group_label: "File Pe File" - group_item_label: "Imphash" - } - - dimension: file__pe_file__imports { - hidden: yes - sql: ${TABLE}.file.pe_file.imports ;; - group_label: "File Pe File" - group_item_label: "Imports" - } - - dimension: file__pe_file__resource { - hidden: yes - sql: ${TABLE}.file.pe_file.resource ;; - group_label: "File Pe File" - group_item_label: "Resource" - } - - dimension: file__pe_file__resources_language_count { - hidden: yes - sql: ${TABLE}.file.pe_file.resources_language_count ;; - group_label: "File Pe File" - group_item_label: "Resources Language Count" - } - - dimension: file__pe_file__resources_language_count_str { - hidden: yes - sql: ${TABLE}.file.pe_file.resources_language_count_str ;; - group_label: "File Pe File" - group_item_label: "Resources Language Count Str" - } - - dimension: file__pe_file__resources_type_count { - hidden: yes - sql: ${TABLE}.file.pe_file.resources_type_count ;; - group_label: "File Pe File" - group_item_label: "Resources Type Count" - } - - dimension: file__pe_file__resources_type_count_str { - hidden: yes - sql: ${TABLE}.file.pe_file.resources_type_count_str ;; - group_label: "File Pe File" - group_item_label: "Resources Type Count Str" - } - - dimension: file__pe_file__section { - hidden: yes - sql: ${TABLE}.file.pe_file.section ;; - group_label: "File Pe File" - group_item_label: "Section" - } - - dimension: file__pe_file__signature_info__signer { - hidden: yes - sql: ${TABLE}.file.pe_file.signature_info.signer ;; - group_label: "File Pe File Signature Info" - group_item_label: "Signer" - } - - dimension: file__pe_file__signature_info__signers { - hidden: yes - sql: 
${TABLE}.file.pe_file.signature_info.signers ;; - group_label: "File Pe File Signature Info" - group_item_label: "Signers" - } - - dimension: file__pe_file__signature_info__verification_message { - type: string - sql: ${TABLE}.file.pe_file.signature_info.verification_message ;; - group_label: "File Pe File Signature Info" - group_item_label: "Verification Message" - } - - dimension: file__pe_file__signature_info__verified { - type: yesno - sql: ${TABLE}.file.pe_file.signature_info.verified ;; - group_label: "File Pe File Signature Info" - group_item_label: "Verified" - } - - dimension: file__prevalence__day_count { - type: number - sql: ${TABLE}.file.prevalence.day_count ;; - group_label: "File Prevalence" - group_item_label: "Day Count" - } - - dimension: file__prevalence__day_max { - type: number - sql: ${TABLE}.file.prevalence.day_max ;; - group_label: "File Prevalence" - group_item_label: "Day Max" - } - - dimension: file__prevalence__day_max_sub_domains { - type: number - sql: ${TABLE}.file.prevalence.day_max_sub_domains ;; - group_label: "File Prevalence" - group_item_label: "Day Max Sub Domains" - } - - dimension: file__prevalence__rolling_max { - type: number - sql: ${TABLE}.file.prevalence.rolling_max ;; - group_label: "File Prevalence" - group_item_label: "Rolling Max" - } - - dimension: file__prevalence__rolling_max_sub_domains { - type: number - sql: ${TABLE}.file.prevalence.rolling_max_sub_domains ;; - group_label: "File Prevalence" - group_item_label: "Rolling Max Sub Domains" - } - - dimension: file__sha1 { - type: string - sql: ${TABLE}.file.sha1 ;; - group_label: "File" - group_item_label: "Sha1" - } - - dimension: file__sha256 { - type: string - sql: ${TABLE}.file.sha256 ;; - group_label: "File" - group_item_label: "Sha256" - } - - dimension: file__size { - type: number - sql: ${TABLE}.file.size ;; - group_label: "File" - group_item_label: "Size" - } - - dimension: file__ssdeep { - type: string - sql: ${TABLE}.file.ssdeep ;; - group_label: "File" 
- group_item_label: "Ssdeep" - } - - dimension: file__vhash { - type: string - sql: ${TABLE}.file.vhash ;; - group_label: "File" - group_item_label: "Vhash" - } - - dimension: parent_pid { - type: string - sql: ${TABLE}.parent_pid ;; - } - - dimension: pid { - type: string - sql: ${TABLE}.pid ;; - } - - dimension: product_specific_parent_process_id { - type: string - sql: ${TABLE}.product_specific_parent_process_id ;; - } - - dimension: product_specific_process_id { - type: string - sql: ${TABLE}.product_specific_process_id ;; - } - } - - view: udm_events__observer__file__pe_file__section { - dimension: entropy { - type: number - sql: ${TABLE}.entropy ;; - } - - dimension: md5_hex { - type: string - sql: ${TABLE}.md5_hex ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: raw_size_bytes { - type: number - sql: ${TABLE}.raw_size_bytes ;; - } - - dimension: virtual_size_bytes { - type: number - sql: ${TABLE}.virtual_size_bytes ;; - } - } - - view: udm_events__observer__domain__tech__phone_numbers { - dimension: udm_events__observer__domain__tech__phone_numbers { - type: string - sql: udm_events__observer__domain__tech__phone_numbers ;; - } - } - - view: udm_events__observer__domain__billing__department { - dimension: udm_events__observer__domain__billing__department { - type: string - sql: udm_events__observer__domain__billing__department ;; - } - } - - view: udm_events__observer__domain__zone__phone_numbers { - dimension: udm_events__observer__domain__zone__phone_numbers { - type: string - sql: udm_events__observer__domain__zone__phone_numbers ;; - } - } - - view: udm_events__observer__user__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: 
${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__observer__user__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__observer__user__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__src__cloud__vpc__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__src__cloud__vpc__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__src__file__pe_file__imports__functions { - dimension: udm_events__src__file__pe_file__imports__functions { - type: string - sql: udm_events__src__file__pe_file__imports__functions ;; - } - } - - view: udm_events__src__process__file__capabilities_tags { - dimension: udm_events__src__process__file__capabilities_tags { - type: string - sql: udm_events__src__process__file__capabilities_tags ;; - } - } - - view: 
udm_events__src__domain__admin__group_identifiers { - dimension: udm_events__src__domain__admin__group_identifiers { - type: string - sql: udm_events__src__domain__admin__group_identifiers ;; - } - } - - view: udm_events__src__domain__billing__email_addresses { - dimension: udm_events__src__domain__billing__email_addresses { - type: string - sql: udm_events__src__domain__billing__email_addresses ;; - } - } - - view: udm_events__security_result__about__asset__nat_ip { - dimension: udm_events__security_result__about__asset__nat_ip { - type: string - sql: udm_events__security_result__about__asset__nat_ip ;; - } - } - - view: udm_events__target__user_management_chain { - dimension: account_type { - type: number - sql: ${TABLE}.account_type ;; - } - - dimension: attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.attribute.cloud.availability_zone ;; - group_label: "Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: attribute__cloud__environment { - type: number - sql: ${TABLE}.attribute.cloud.environment ;; - group_label: "Attribute Cloud" - group_item_label: "Environment" - } - - dimension: attribute__cloud__project__id { - type: string - sql: ${TABLE}.attribute.cloud.project.id ;; - group_label: "Attribute Cloud Project" - group_item_label: "ID" - } - - dimension: attribute__cloud__project__name { - type: string - sql: ${TABLE}.attribute.cloud.project.name ;; - group_label: "Attribute Cloud Project" - group_item_label: "Name" - } - - dimension: attribute__cloud__project__parent { - type: string - sql: ${TABLE}.attribute.cloud.project.parent ;; - group_label: "Attribute Cloud Project" - group_item_label: "Parent" - } - - dimension: attribute__cloud__project__product_object_id { - type: string - sql: ${TABLE}.attribute.cloud.project.product_object_id ;; - group_label: "Attribute Cloud Project" - group_item_label: "Product Object ID" - } - - dimension: attribute__cloud__project__resource_subtype { - type: string - sql: 
${TABLE}.attribute.cloud.project.resource_subtype ;; - group_label: "Attribute Cloud Project" - group_item_label: "Resource Subtype" - } - - dimension: attribute__cloud__project__resource_type { - type: number - sql: ${TABLE}.attribute.cloud.project.resource_type ;; - group_label: "Attribute Cloud Project" - group_item_label: "Resource Type" - } - - dimension: attribute__cloud__project__type { - type: string - sql: ${TABLE}.attribute.cloud.project.type ;; - group_label: "Attribute Cloud Project" - group_item_label: "Type" - } - - dimension: attribute__cloud__vpc__id { - type: string - sql: ${TABLE}.attribute.cloud.vpc.id ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "ID" - } - - dimension: attribute__cloud__vpc__name { - type: string - sql: ${TABLE}.attribute.cloud.vpc.name ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "Name" - } - - dimension: attribute__cloud__vpc__parent { - type: string - sql: ${TABLE}.attribute.cloud.vpc.parent ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "Parent" - } - - dimension: attribute__cloud__vpc__product_object_id { - type: string - sql: ${TABLE}.attribute.cloud.vpc.product_object_id ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "Product Object ID" - } - - dimension: attribute__cloud__vpc__resource_subtype { - type: string - sql: ${TABLE}.attribute.cloud.vpc.resource_subtype ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "Resource Subtype" - } - - dimension: attribute__cloud__vpc__resource_type { - type: number - sql: ${TABLE}.attribute.cloud.vpc.resource_type ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "Resource Type" - } - - dimension: attribute__cloud__vpc__type { - type: string - sql: ${TABLE}.attribute.cloud.vpc.type ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "Type" - } - - dimension: attribute__creation_time__nanos { - type: number - sql: ${TABLE}.attribute.creation_time.nanos ;; - group_label: "Attribute Creation Time" - 
group_item_label: "Nanos" - } - - dimension: attribute__creation_time__seconds { - type: number - sql: ${TABLE}.attribute.creation_time.seconds ;; - group_label: "Attribute Creation Time" - group_item_label: "Seconds" - } - - dimension: attribute__labels { - hidden: yes - sql: ${TABLE}.attribute.labels ;; - group_label: "Attribute" - group_item_label: "Labels" - } - - dimension: attribute__last_update_time__nanos { - type: number - sql: ${TABLE}.attribute.last_update_time.nanos ;; - group_label: "Attribute Last Update Time" - group_item_label: "Nanos" - } - - dimension: attribute__last_update_time__seconds { - type: number - sql: ${TABLE}.attribute.last_update_time.seconds ;; - group_label: "Attribute Last Update Time" - group_item_label: "Seconds" - } - - dimension: attribute__permissions { - hidden: yes - sql: ${TABLE}.attribute.permissions ;; - group_label: "Attribute" - group_item_label: "Permissions" - } - - dimension: attribute__roles { - hidden: yes - sql: ${TABLE}.attribute.roles ;; - group_label: "Attribute" - group_item_label: "Roles" - } - - dimension: company_name { - type: string - sql: ${TABLE}.company_name ;; - } - - dimension: department { - hidden: yes - sql: ${TABLE}.department ;; - } - - dimension: email_addresses { - hidden: yes - sql: ${TABLE}.email_addresses ;; - } - - dimension: employee_id { - type: string - sql: ${TABLE}.employee_id ;; - } - - dimension: first_name { - type: string - sql: ${TABLE}.first_name ;; - } - - dimension: first_seen_time__nanos { - type: number - sql: ${TABLE}.first_seen_time.nanos ;; - group_label: "First Seen Time" - group_item_label: "Nanos" - } - - dimension: first_seen_time__seconds { - type: number - sql: ${TABLE}.first_seen_time.seconds ;; - group_label: "First Seen Time" - group_item_label: "Seconds" - } - - dimension: group_identifiers { - hidden: yes - sql: ${TABLE}.group_identifiers ;; - } - - dimension: groupid { - type: string - sql: ${TABLE}.groupid ;; - } - - dimension: hire_date__nanos { - type: 
number - sql: ${TABLE}.hire_date.nanos ;; - group_label: "Hire Date" - group_item_label: "Nanos" - } - - dimension: hire_date__seconds { - type: number - sql: ${TABLE}.hire_date.seconds ;; - group_label: "Hire Date" - group_item_label: "Seconds" - } - - dimension: last_name { - type: string - sql: ${TABLE}.last_name ;; - } - - dimension: middle_name { - type: string - sql: ${TABLE}.middle_name ;; - } - - dimension: office_address__city { - type: string - sql: ${TABLE}.office_address.city ;; - group_label: "Office Address" - group_item_label: "City" - } - - dimension: office_address__country_or_region { - type: string - sql: ${TABLE}.office_address.country_or_region ;; - group_label: "Office Address" - group_item_label: "Country or Region" - } - - dimension: office_address__desk_name { - type: string - sql: ${TABLE}.office_address.desk_name ;; - group_label: "Office Address" - group_item_label: "Desk Name" - } - - dimension: office_address__floor_name { - type: string - sql: ${TABLE}.office_address.floor_name ;; - group_label: "Office Address" - group_item_label: "Floor Name" - } - - dimension: office_address__name { - type: string - sql: ${TABLE}.office_address.name ;; - group_label: "Office Address" - group_item_label: "Name" - } - - dimension: office_address__region_latitude { - type: number - sql: ${TABLE}.office_address.region_latitude ;; - group_label: "Office Address" - group_item_label: "Region Latitude" - } - - dimension: office_address__region_longitude { - type: number - sql: ${TABLE}.office_address.region_longitude ;; - group_label: "Office Address" - group_item_label: "Region Longitude" - } - - dimension: office_address__state { - type: string - sql: ${TABLE}.office_address.state ;; - group_label: "Office Address" - group_item_label: "State" - } - - dimension: personal_address__city { - type: string - sql: ${TABLE}.personal_address.city ;; - group_label: "Personal Address" - group_item_label: "City" - } - - dimension: personal_address__country_or_region 
{ - type: string - sql: ${TABLE}.personal_address.country_or_region ;; - group_label: "Personal Address" - group_item_label: "Country or Region" - } - - dimension: personal_address__desk_name { - type: string - sql: ${TABLE}.personal_address.desk_name ;; - group_label: "Personal Address" - group_item_label: "Desk Name" - } - - dimension: personal_address__floor_name { - type: string - sql: ${TABLE}.personal_address.floor_name ;; - group_label: "Personal Address" - group_item_label: "Floor Name" - } - - dimension: personal_address__name { - type: string - sql: ${TABLE}.personal_address.name ;; - group_label: "Personal Address" - group_item_label: "Name" - } - - dimension: personal_address__region_latitude { - type: number - sql: ${TABLE}.personal_address.region_latitude ;; - group_label: "Personal Address" - group_item_label: "Region Latitude" - } - - dimension: personal_address__region_longitude { - type: number - sql: ${TABLE}.personal_address.region_longitude ;; - group_label: "Personal Address" - group_item_label: "Region Longitude" - } - - dimension: personal_address__state { - type: string - sql: ${TABLE}.personal_address.state ;; - group_label: "Personal Address" - group_item_label: "State" - } - - dimension: phone_numbers { - hidden: yes - sql: ${TABLE}.phone_numbers ;; - } - - dimension: product_object_id { - type: string - sql: ${TABLE}.product_object_id ;; - } - - dimension: role_description { - type: string - sql: ${TABLE}.role_description ;; - } - - dimension: role_name { - type: string - sql: ${TABLE}.role_name ;; - } - - dimension: termination_date__nanos { - type: number - sql: ${TABLE}.termination_date.nanos ;; - group_label: "Termination Date" - group_item_label: "Nanos" - } - - dimension: termination_date__seconds { - type: number - sql: ${TABLE}.termination_date.seconds ;; - group_label: "Termination Date" - group_item_label: "Seconds" - } - - dimension: time_off { - hidden: yes - sql: ${TABLE}.time_off ;; - } - - dimension: title { - type: 
string - sql: ${TABLE}.title ;; - } - - dimension: user_authentication_status { - type: number - sql: ${TABLE}.user_authentication_status ;; - } - - dimension: user_display_name { - type: string - sql: ${TABLE}.user_display_name ;; - } - - dimension: user_role { - type: number - sql: ${TABLE}.user_role ;; - } - - dimension: userid { - type: string - sql: ${TABLE}.userid ;; - } - - dimension: windows_sid { - type: string - sql: ${TABLE}.windows_sid ;; - } - } - - view: udm_events__target__domain__tech__email_addresses { - dimension: udm_events__target__domain__tech__email_addresses { - type: string - sql: udm_events__target__domain__tech__email_addresses ;; - } - } - - view: udm_events__target__domain__zone__email_addresses { - dimension: udm_events__target__domain__zone__email_addresses { - type: string - sql: udm_events__target__domain__zone__email_addresses ;; - } - } - - view: udm_events__about__file__pe_file__resource { - dimension: entropy { - type: number - sql: ${TABLE}.entropy ;; - } - - dimension: file_type { - type: string - sql: ${TABLE}.file_type ;; - } - - dimension: filetype_magic { - type: string - sql: ${TABLE}.filetype_magic ;; - } - - dimension: language_code { - type: string - sql: ${TABLE}.language_code ;; - } - - dimension: resource_type { - type: string - sql: ${TABLE}.resource_type ;; - } - - dimension: sha256_hex { - type: string - sql: ${TABLE}.sha256_hex ;; - } - } - - view: udm_events__about__resource__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__about__resource__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } + dimension: scan_end_time__seconds { + type: number + sql: 
${TABLE}.scan_end_time.seconds ;; + group_label: "Scan End Time" + group_item_label: "Seconds" } - view: udm_events__about__domain__tech__group_identifiers { - dimension: udm_events__about__domain__tech__group_identifiers { - type: string - sql: udm_events__about__domain__tech__group_identifiers ;; - } + dimension: scan_start_time__nanos { + type: number + sql: ${TABLE}.scan_start_time.nanos ;; + group_label: "Scan Start Time" + group_item_label: "Nanos" } - view: udm_events__about__domain__zone__group_identifiers { - dimension: udm_events__about__domain__zone__group_identifiers { - type: string - sql: udm_events__about__domain__zone__group_identifiers ;; - } + dimension: scan_start_time__seconds { + type: number + sql: ${TABLE}.scan_start_time.seconds ;; + group_label: "Scan Start Time" + group_item_label: "Seconds" } - view: udm_events__intermediary__file__capabilities_tags { - dimension: udm_events__intermediary__file__capabilities_tags { - type: string - sql: udm_events__intermediary__file__capabilities_tags ;; - } - } - - view: udm_events__intermediary__domain__tech__department { - dimension: udm_events__intermediary__domain__tech__department { - type: string - sql: udm_events__intermediary__domain__tech__department ;; - } - } - - view: udm_events__intermediary__domain__zone__department { - dimension: udm_events__intermediary__domain__zone__department { - type: string - sql: udm_events__intermediary__domain__zone__department ;; - } - } - - view: udm_events__intermediary__investigation__comments { - dimension: udm_events__intermediary__investigation__comments { - type: string - sql: udm_events__intermediary__investigation__comments ;; - } - } - - view: udm_events__intermediary__user__group_identifiers { - dimension: udm_events__intermediary__user__group_identifiers { - type: string - sql: udm_events__intermediary__user__group_identifiers ;; - } - } - - view: udm_events__principal__file__pe_file__section { - dimension: entropy { - type: number - sql: 
${TABLE}.entropy ;; - } - - dimension: md5_hex { - type: string - sql: ${TABLE}.md5_hex ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: raw_size_bytes { - type: number - sql: ${TABLE}.raw_size_bytes ;; - } - - dimension: virtual_size_bytes { - type: number - sql: ${TABLE}.virtual_size_bytes ;; - } - } - - view: udm_events__principal__domain__tech__phone_numbers { - dimension: udm_events__principal__domain__tech__phone_numbers { - type: string - sql: udm_events__principal__domain__tech__phone_numbers ;; - } - } - - view: udm_events__principal__domain__billing__department { - dimension: udm_events__principal__domain__billing__department { - type: string - sql: udm_events__principal__domain__billing__department ;; - } - } - - view: udm_events__principal__domain__zone__phone_numbers { - dimension: udm_events__principal__domain__zone__phone_numbers { - type: string - sql: udm_events__principal__domain__zone__phone_numbers ;; - } - } - - view: udm_events__principal__user__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: ${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__principal__user__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: 
${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__principal__user__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__observer__domain__admin__phone_numbers { - dimension: udm_events__observer__domain__admin__phone_numbers { - type: string - sql: udm_events__observer__domain__admin__phone_numbers ;; - } - } - - view: udm_events__observer__asset__vulnerabilities { - dimension: cve_description { - type: string - sql: ${TABLE}.cve_description ;; - } - - dimension: cve_id { - type: string - sql: ${TABLE}.cve_id ;; - } - - dimension: cvss_base_score { - type: number - sql: ${TABLE}.cvss_base_score ;; - } - - dimension: cvss_vector { - type: string - sql: ${TABLE}.cvss_vector ;; - } - - dimension: cvss_version { - type: string - sql: ${TABLE}.cvss_version ;; - } - - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: first_found__nanos { - type: number - sql: ${TABLE}.first_found.nanos ;; - group_label: "First Found" - group_item_label: "Nanos" - } - - dimension: first_found__seconds { - type: number - sql: ${TABLE}.first_found.seconds ;; - group_label: "First Found" - group_item_label: "Seconds" - } - - dimension: last_found__nanos { - type: number - sql: ${TABLE}.last_found.nanos ;; - group_label: "Last Found" - group_item_label: "Nanos" - } - - dimension: last_found__seconds { - type: number - sql: ${TABLE}.last_found.seconds ;; - group_label: "Last Found" - group_item_label: "Seconds" - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: scan_end_time__nanos { - type: number - sql: ${TABLE}.scan_end_time.nanos ;; - group_label: "Scan End Time" - group_item_label: "Nanos" - } - - dimension: scan_end_time__seconds { - type: number - sql: 
${TABLE}.scan_end_time.seconds ;; - group_label: "Scan End Time" - group_item_label: "Seconds" - } - - dimension: scan_start_time__nanos { - type: number - sql: ${TABLE}.scan_start_time.nanos ;; - group_label: "Scan Start Time" - group_item_label: "Nanos" - } - - dimension: scan_start_time__seconds { - type: number - sql: ${TABLE}.scan_start_time.seconds ;; - group_label: "Scan Start Time" - group_item_label: "Seconds" - } - - dimension: severity { - type: number - sql: ${TABLE}.severity ;; - } - - dimension: severity_details { - type: string - sql: ${TABLE}.severity_details ;; - } - - dimension: vendor { - type: string - sql: ${TABLE}.vendor ;; - } - - dimension: vendor_knowledge_base_article_id { - type: string - sql: ${TABLE}.vendor_knowledge_base_article_id ;; - } - - dimension: vendor_vulnerability_id { - type: string - sql: ${TABLE}.vendor_vulnerability_id ;; - } - } - - view: udm_events__observer__asset__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__observer__asset__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__src__domain__registrant__phone_numbers { - dimension: udm_events__src__domain__registrant__phone_numbers { - type: string - sql: udm_events__src__domain__registrant__phone_numbers ;; - } - } - - view: udm_events__src__asset__software__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__src__user__attribute__permissions { - dimension: description { - type: string - 
sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } + dimension: severity { + type: number + sql: ${TABLE}.severity ;; } - view: udm_events__target__file__pe_file__imports { - dimension: functions { - hidden: yes - sql: ${TABLE}.functions ;; - } - - dimension: library { - type: string - sql: ${TABLE}.library ;; - } - } - - view: udm_events__target__group__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } + dimension: severity_details { + type: string + sql: ${TABLE}.severity_details ;; } - view: udm_events__target__group__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } + dimension: vendor { + type: string + sql: ${TABLE}.vendor ;; } - view: udm_events__target__process__command_line_history { - dimension: udm_events__target__process__command_line_history { - type: string - sql: udm_events__target__process__command_line_history ;; - } + dimension: vendor_knowledge_base_article_id { + type: string + sql: ${TABLE}.vendor_knowledge_base_article_id ;; } - view: udm_events__target__process_ancestors__file__names { - dimension: udm_events__target__process_ancestors__file__names { - type: string - sql: udm_events__target__process_ancestors__file__names ;; - } + dimension: vendor_vulnerability_id { + type: string + sql: ${TABLE}.vendor_vulnerability_id ;; } +} - view: udm_events__target__domain__admin__email_addresses { - dimension: udm_events__target__domain__admin__email_addresses { - type: string - sql: udm_events__target__domain__admin__email_addresses ;; - } +view: udm_events__src__asset__attribute__roles { + dimension: 
description { + type: string + sql: ${TABLE}.description ;; } - view: udm_events__target__domain__billing__phone_numbers { - dimension: udm_events__target__domain__billing__phone_numbers { - type: string - sql: udm_events__target__domain__billing__phone_numbers ;; - } + dimension: name { + type: string + sql: ${TABLE}.name ;; } - view: udm_events__target__domain__registrant__department { - dimension: udm_events__target__domain__registrant__department { - type: string - sql: udm_events__target__domain__registrant__department ;; - } + dimension: type { + type: number + sql: ${TABLE}.type ;; } +} - view: udm_events__about__cloud__vpc__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } +view: udm_events__src__asset__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; } - view: udm_events__about__cloud__vpc__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__about__file__pe_file__imports__functions { - dimension: udm_events__about__file__pe_file__imports__functions { - type: string - sql: udm_events__about__file__pe_file__imports__functions ;; - } - } - - view: udm_events__about__process__file__capabilities_tags { - dimension: udm_events__about__process__file__capabilities_tags { - type: string - sql: udm_events__about__process__file__capabilities_tags ;; - } - } - - view: udm_events__about__domain__admin__group_identifiers { - dimension: udm_events__about__domain__admin__group_identifiers { - type: string - sql: udm_events__about__domain__admin__group_identifiers ;; - } - } - - view: udm_events__about__domain__billing__email_addresses { - dimension: 
udm_events__about__domain__billing__email_addresses { - type: string - sql: udm_events__about__domain__billing__email_addresses ;; - } - } - - view: udm_events__intermediary__group__email_addresses { - dimension: udm_events__intermediary__group__email_addresses { - type: string - sql: udm_events__intermediary__group__email_addresses ;; - } - } - - view: udm_events__intermediary__domain__admin__department { - dimension: udm_events__intermediary__domain__admin__department { - type: string - sql: udm_events__intermediary__domain__admin__department ;; - } - } - - view: udm_events__network__tls__client__supported_ciphers { - dimension: udm_events__network__tls__client__supported_ciphers { - type: string - sql: udm_events__network__tls__client__supported_ciphers ;; - } - } - - view: udm_events__principal__domain__admin__phone_numbers { - dimension: udm_events__principal__domain__admin__phone_numbers { - type: string - sql: udm_events__principal__domain__admin__phone_numbers ;; - } - } - - view: udm_events__principal__asset__vulnerabilities { - dimension: cve_description { - type: string - sql: ${TABLE}.cve_description ;; - } - - dimension: cve_id { - type: string - sql: ${TABLE}.cve_id ;; - } - - dimension: cvss_base_score { - type: number - sql: ${TABLE}.cvss_base_score ;; - } - - dimension: cvss_vector { - type: string - sql: ${TABLE}.cvss_vector ;; - } - - dimension: cvss_version { - type: string - sql: ${TABLE}.cvss_version ;; - } - - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: first_found__nanos { - type: number - sql: ${TABLE}.first_found.nanos ;; - group_label: "First Found" - group_item_label: "Nanos" - } - - dimension: first_found__seconds { - type: number - sql: ${TABLE}.first_found.seconds ;; - group_label: "First Found" - group_item_label: "Seconds" - } - - dimension: last_found__nanos { - type: number - sql: ${TABLE}.last_found.nanos ;; - group_label: "Last Found" - group_item_label: "Nanos" - } - - dimension: 
last_found__seconds { - type: number - sql: ${TABLE}.last_found.seconds ;; - group_label: "Last Found" - group_item_label: "Seconds" - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: scan_end_time__nanos { - type: number - sql: ${TABLE}.scan_end_time.nanos ;; - group_label: "Scan End Time" - group_item_label: "Nanos" - } - - dimension: scan_end_time__seconds { - type: number - sql: ${TABLE}.scan_end_time.seconds ;; - group_label: "Scan End Time" - group_item_label: "Seconds" - } - - dimension: scan_start_time__nanos { - type: number - sql: ${TABLE}.scan_start_time.nanos ;; - group_label: "Scan Start Time" - group_item_label: "Nanos" - } - - dimension: scan_start_time__seconds { - type: number - sql: ${TABLE}.scan_start_time.seconds ;; - group_label: "Scan Start Time" - group_item_label: "Seconds" - } - - dimension: severity { - type: number - sql: ${TABLE}.severity ;; - } - - dimension: severity_details { - type: string - sql: ${TABLE}.severity_details ;; - } - - dimension: vendor { - type: string - sql: ${TABLE}.vendor ;; - } - - dimension: vendor_knowledge_base_article_id { - type: string - sql: ${TABLE}.vendor_knowledge_base_article_id ;; - } - - dimension: vendor_vulnerability_id { - type: string - sql: ${TABLE}.vendor_vulnerability_id ;; - } - } - - view: udm_events__principal__asset__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__principal__asset__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__observer__user_management_chain { - dimension: account_type { - type: number - sql: ${TABLE}.account_type ;; - } - - dimension: 
attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.attribute.cloud.availability_zone ;; - group_label: "Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: attribute__cloud__environment { - type: number - sql: ${TABLE}.attribute.cloud.environment ;; - group_label: "Attribute Cloud" - group_item_label: "Environment" - } - - dimension: attribute__cloud__project__id { - type: string - sql: ${TABLE}.attribute.cloud.project.id ;; - group_label: "Attribute Cloud Project" - group_item_label: "ID" - } - - dimension: attribute__cloud__project__name { - type: string - sql: ${TABLE}.attribute.cloud.project.name ;; - group_label: "Attribute Cloud Project" - group_item_label: "Name" - } - - dimension: attribute__cloud__project__parent { - type: string - sql: ${TABLE}.attribute.cloud.project.parent ;; - group_label: "Attribute Cloud Project" - group_item_label: "Parent" - } - - dimension: attribute__cloud__project__product_object_id { - type: string - sql: ${TABLE}.attribute.cloud.project.product_object_id ;; - group_label: "Attribute Cloud Project" - group_item_label: "Product Object ID" - } - - dimension: attribute__cloud__project__resource_subtype { - type: string - sql: ${TABLE}.attribute.cloud.project.resource_subtype ;; - group_label: "Attribute Cloud Project" - group_item_label: "Resource Subtype" - } - - dimension: attribute__cloud__project__resource_type { - type: number - sql: ${TABLE}.attribute.cloud.project.resource_type ;; - group_label: "Attribute Cloud Project" - group_item_label: "Resource Type" - } - - dimension: attribute__cloud__project__type { - type: string - sql: ${TABLE}.attribute.cloud.project.type ;; - group_label: "Attribute Cloud Project" - group_item_label: "Type" - } - - dimension: attribute__cloud__vpc__id { - type: string - sql: ${TABLE}.attribute.cloud.vpc.id ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "ID" - } - - dimension: attribute__cloud__vpc__name { - type: string - sql: 
${TABLE}.attribute.cloud.vpc.name ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "Name" - } - - dimension: attribute__cloud__vpc__parent { - type: string - sql: ${TABLE}.attribute.cloud.vpc.parent ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "Parent" - } - - dimension: attribute__cloud__vpc__product_object_id { - type: string - sql: ${TABLE}.attribute.cloud.vpc.product_object_id ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "Product Object ID" - } - - dimension: attribute__cloud__vpc__resource_subtype { - type: string - sql: ${TABLE}.attribute.cloud.vpc.resource_subtype ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "Resource Subtype" - } - - dimension: attribute__cloud__vpc__resource_type { - type: number - sql: ${TABLE}.attribute.cloud.vpc.resource_type ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "Resource Type" - } - - dimension: attribute__cloud__vpc__type { - type: string - sql: ${TABLE}.attribute.cloud.vpc.type ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "Type" - } - - dimension: attribute__creation_time__nanos { - type: number - sql: ${TABLE}.attribute.creation_time.nanos ;; - group_label: "Attribute Creation Time" - group_item_label: "Nanos" - } - - dimension: attribute__creation_time__seconds { - type: number - sql: ${TABLE}.attribute.creation_time.seconds ;; - group_label: "Attribute Creation Time" - group_item_label: "Seconds" - } - - dimension: attribute__labels { - hidden: yes - sql: ${TABLE}.attribute.labels ;; - group_label: "Attribute" - group_item_label: "Labels" - } - - dimension: attribute__last_update_time__nanos { - type: number - sql: ${TABLE}.attribute.last_update_time.nanos ;; - group_label: "Attribute Last Update Time" - group_item_label: "Nanos" - } - - dimension: attribute__last_update_time__seconds { - type: number - sql: ${TABLE}.attribute.last_update_time.seconds ;; - group_label: "Attribute Last Update Time" - group_item_label: "Seconds" - } - - 
dimension: attribute__permissions { - hidden: yes - sql: ${TABLE}.attribute.permissions ;; - group_label: "Attribute" - group_item_label: "Permissions" - } - - dimension: attribute__roles { - hidden: yes - sql: ${TABLE}.attribute.roles ;; - group_label: "Attribute" - group_item_label: "Roles" - } - - dimension: company_name { - type: string - sql: ${TABLE}.company_name ;; - } - - dimension: department { - hidden: yes - sql: ${TABLE}.department ;; - } - - dimension: email_addresses { - hidden: yes - sql: ${TABLE}.email_addresses ;; - } - - dimension: employee_id { - type: string - sql: ${TABLE}.employee_id ;; - } - - dimension: first_name { - type: string - sql: ${TABLE}.first_name ;; - } - - dimension: first_seen_time__nanos { - type: number - sql: ${TABLE}.first_seen_time.nanos ;; - group_label: "First Seen Time" - group_item_label: "Nanos" - } - - dimension: first_seen_time__seconds { - type: number - sql: ${TABLE}.first_seen_time.seconds ;; - group_label: "First Seen Time" - group_item_label: "Seconds" - } - - dimension: group_identifiers { - hidden: yes - sql: ${TABLE}.group_identifiers ;; - } - - dimension: groupid { - type: string - sql: ${TABLE}.groupid ;; - } - - dimension: hire_date__nanos { - type: number - sql: ${TABLE}.hire_date.nanos ;; - group_label: "Hire Date" - group_item_label: "Nanos" - } - - dimension: hire_date__seconds { - type: number - sql: ${TABLE}.hire_date.seconds ;; - group_label: "Hire Date" - group_item_label: "Seconds" - } - - dimension: last_name { - type: string - sql: ${TABLE}.last_name ;; - } - - dimension: middle_name { - type: string - sql: ${TABLE}.middle_name ;; - } - - dimension: office_address__city { - type: string - sql: ${TABLE}.office_address.city ;; - group_label: "Office Address" - group_item_label: "City" - } - - dimension: office_address__country_or_region { - type: string - sql: ${TABLE}.office_address.country_or_region ;; - group_label: "Office Address" - group_item_label: "Country or Region" - } - - dimension: 
office_address__desk_name { - type: string - sql: ${TABLE}.office_address.desk_name ;; - group_label: "Office Address" - group_item_label: "Desk Name" - } - - dimension: office_address__floor_name { - type: string - sql: ${TABLE}.office_address.floor_name ;; - group_label: "Office Address" - group_item_label: "Floor Name" - } - - dimension: office_address__name { - type: string - sql: ${TABLE}.office_address.name ;; - group_label: "Office Address" - group_item_label: "Name" - } - - dimension: office_address__region_latitude { - type: number - sql: ${TABLE}.office_address.region_latitude ;; - group_label: "Office Address" - group_item_label: "Region Latitude" - } - - dimension: office_address__region_longitude { - type: number - sql: ${TABLE}.office_address.region_longitude ;; - group_label: "Office Address" - group_item_label: "Region Longitude" - } - - dimension: office_address__state { - type: string - sql: ${TABLE}.office_address.state ;; - group_label: "Office Address" - group_item_label: "State" - } - - dimension: personal_address__city { - type: string - sql: ${TABLE}.personal_address.city ;; - group_label: "Personal Address" - group_item_label: "City" - } - - dimension: personal_address__country_or_region { - type: string - sql: ${TABLE}.personal_address.country_or_region ;; - group_label: "Personal Address" - group_item_label: "Country or Region" - } - - dimension: personal_address__desk_name { - type: string - sql: ${TABLE}.personal_address.desk_name ;; - group_label: "Personal Address" - group_item_label: "Desk Name" - } - - dimension: personal_address__floor_name { - type: string - sql: ${TABLE}.personal_address.floor_name ;; - group_label: "Personal Address" - group_item_label: "Floor Name" - } - - dimension: personal_address__name { - type: string - sql: ${TABLE}.personal_address.name ;; - group_label: "Personal Address" - group_item_label: "Name" - } - - dimension: personal_address__region_latitude { - type: number - sql: 
${TABLE}.personal_address.region_latitude ;; - group_label: "Personal Address" - group_item_label: "Region Latitude" - } - - dimension: personal_address__region_longitude { - type: number - sql: ${TABLE}.personal_address.region_longitude ;; - group_label: "Personal Address" - group_item_label: "Region Longitude" - } - - dimension: personal_address__state { - type: string - sql: ${TABLE}.personal_address.state ;; - group_label: "Personal Address" - group_item_label: "State" - } - - dimension: phone_numbers { - hidden: yes - sql: ${TABLE}.phone_numbers ;; - } - - dimension: product_object_id { - type: string - sql: ${TABLE}.product_object_id ;; - } - - dimension: role_description { - type: string - sql: ${TABLE}.role_description ;; - } - - dimension: role_name { - type: string - sql: ${TABLE}.role_name ;; - } - - dimension: termination_date__nanos { - type: number - sql: ${TABLE}.termination_date.nanos ;; - group_label: "Termination Date" - group_item_label: "Nanos" - } - - dimension: termination_date__seconds { - type: number - sql: ${TABLE}.termination_date.seconds ;; - group_label: "Termination Date" - group_item_label: "Seconds" - } - - dimension: time_off { - hidden: yes - sql: ${TABLE}.time_off ;; - } - - dimension: title { - type: string - sql: ${TABLE}.title ;; - } - - dimension: user_authentication_status { - type: number - sql: ${TABLE}.user_authentication_status ;; - } - - dimension: user_display_name { - type: string - sql: ${TABLE}.user_display_name ;; - } - - dimension: user_role { - type: number - sql: ${TABLE}.user_role ;; - } - - dimension: userid { - type: string - sql: ${TABLE}.userid ;; - } - - dimension: windows_sid { - type: string - sql: ${TABLE}.windows_sid ;; - } - } - - view: udm_events__observer__domain__tech__email_addresses { - dimension: udm_events__observer__domain__tech__email_addresses { - type: string - sql: udm_events__observer__domain__tech__email_addresses ;; - } - } - - view: udm_events__observer__domain__zone__email_addresses { 
- dimension: udm_events__observer__domain__zone__email_addresses { - type: string - sql: udm_events__observer__domain__zone__email_addresses ;; - } - } - - view: udm_events__src__user_management_chain__department { - dimension: udm_events__src__user_management_chain__department { - type: string - sql: udm_events__src__user_management_chain__department ;; - } - } - - view: udm_events__src__domain__tech__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: ${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__src__domain__tech__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__src__domain__tech__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__src__domain__billing__group_identifiers { - dimension: udm_events__src__domain__billing__group_identifiers { - type: string - sql: udm_events__src__domain__billing__group_identifiers ;; - } - } - - view: 
udm_events__src__domain__zone__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: ${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__src__domain__zone__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__src__domain__zone__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__src__asset__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__security_result__detection_fields { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__target__file__pe_file__resource { - dimension: entropy { - type: number - sql: 
${TABLE}.entropy ;; - } - - dimension: file_type { - type: string - sql: ${TABLE}.file_type ;; - } - - dimension: filetype_magic { - type: string - sql: ${TABLE}.filetype_magic ;; - } - - dimension: language_code { - type: string - sql: ${TABLE}.language_code ;; - } - - dimension: resource_type { - type: string - sql: ${TABLE}.resource_type ;; - } - - dimension: sha256_hex { - type: string - sql: ${TABLE}.sha256_hex ;; - } - } - - view: udm_events__target__resource__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__target__resource__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__target__domain__tech__group_identifiers { - dimension: udm_events__target__domain__tech__group_identifiers { - type: string - sql: udm_events__target__domain__tech__group_identifiers ;; - } - } - - view: udm_events__target__domain__zone__group_identifiers { - dimension: udm_events__target__domain__zone__group_identifiers { - type: string - sql: udm_events__target__domain__zone__group_identifiers ;; - } - } - - view: udm_events__about__domain__registrant__phone_numbers { - dimension: udm_events__about__domain__registrant__phone_numbers { - type: string - sql: udm_events__about__domain__registrant__phone_numbers ;; - } - } - - view: udm_events__about__asset__software__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__about__user__attribute__permissions { - dimension: description { - type: string - sql: 
${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__principal__user_management_chain { - dimension: account_type { - type: number - sql: ${TABLE}.account_type ;; - } - - dimension: attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.attribute.cloud.availability_zone ;; - group_label: "Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: attribute__cloud__environment { - type: number - sql: ${TABLE}.attribute.cloud.environment ;; - group_label: "Attribute Cloud" - group_item_label: "Environment" - } - - dimension: attribute__cloud__project__id { - type: string - sql: ${TABLE}.attribute.cloud.project.id ;; - group_label: "Attribute Cloud Project" - group_item_label: "ID" - } - - dimension: attribute__cloud__project__name { - type: string - sql: ${TABLE}.attribute.cloud.project.name ;; - group_label: "Attribute Cloud Project" - group_item_label: "Name" - } - - dimension: attribute__cloud__project__parent { - type: string - sql: ${TABLE}.attribute.cloud.project.parent ;; - group_label: "Attribute Cloud Project" - group_item_label: "Parent" - } - - dimension: attribute__cloud__project__product_object_id { - type: string - sql: ${TABLE}.attribute.cloud.project.product_object_id ;; - group_label: "Attribute Cloud Project" - group_item_label: "Product Object ID" - } - - dimension: attribute__cloud__project__resource_subtype { - type: string - sql: ${TABLE}.attribute.cloud.project.resource_subtype ;; - group_label: "Attribute Cloud Project" - group_item_label: "Resource Subtype" - } - - dimension: attribute__cloud__project__resource_type { - type: number - sql: ${TABLE}.attribute.cloud.project.resource_type ;; - group_label: "Attribute Cloud Project" - group_item_label: "Resource Type" - } - - dimension: attribute__cloud__project__type { - type: string - sql: ${TABLE}.attribute.cloud.project.type ;; - 
group_label: "Attribute Cloud Project" - group_item_label: "Type" - } - - dimension: attribute__cloud__vpc__id { - type: string - sql: ${TABLE}.attribute.cloud.vpc.id ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "ID" - } - - dimension: attribute__cloud__vpc__name { - type: string - sql: ${TABLE}.attribute.cloud.vpc.name ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "Name" - } - - dimension: attribute__cloud__vpc__parent { - type: string - sql: ${TABLE}.attribute.cloud.vpc.parent ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "Parent" - } - - dimension: attribute__cloud__vpc__product_object_id { - type: string - sql: ${TABLE}.attribute.cloud.vpc.product_object_id ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "Product Object ID" - } - - dimension: attribute__cloud__vpc__resource_subtype { - type: string - sql: ${TABLE}.attribute.cloud.vpc.resource_subtype ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "Resource Subtype" - } - - dimension: attribute__cloud__vpc__resource_type { - type: number - sql: ${TABLE}.attribute.cloud.vpc.resource_type ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "Resource Type" - } - - dimension: attribute__cloud__vpc__type { - type: string - sql: ${TABLE}.attribute.cloud.vpc.type ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "Type" - } - - dimension: attribute__creation_time__nanos { - type: number - sql: ${TABLE}.attribute.creation_time.nanos ;; - group_label: "Attribute Creation Time" - group_item_label: "Nanos" - } - - dimension: attribute__creation_time__seconds { - type: number - sql: ${TABLE}.attribute.creation_time.seconds ;; - group_label: "Attribute Creation Time" - group_item_label: "Seconds" - } - - dimension: attribute__labels { - hidden: yes - sql: ${TABLE}.attribute.labels ;; - group_label: "Attribute" - group_item_label: "Labels" - } - - dimension: attribute__last_update_time__nanos { - type: number - sql: 
${TABLE}.attribute.last_update_time.nanos ;; - group_label: "Attribute Last Update Time" - group_item_label: "Nanos" - } - - dimension: attribute__last_update_time__seconds { - type: number - sql: ${TABLE}.attribute.last_update_time.seconds ;; - group_label: "Attribute Last Update Time" - group_item_label: "Seconds" - } - - dimension: attribute__permissions { - hidden: yes - sql: ${TABLE}.attribute.permissions ;; - group_label: "Attribute" - group_item_label: "Permissions" - } - - dimension: attribute__roles { - hidden: yes - sql: ${TABLE}.attribute.roles ;; - group_label: "Attribute" - group_item_label: "Roles" - } - - dimension: company_name { - type: string - sql: ${TABLE}.company_name ;; - } - - dimension: department { - hidden: yes - sql: ${TABLE}.department ;; - } - - dimension: email_addresses { - hidden: yes - sql: ${TABLE}.email_addresses ;; - } - - dimension: employee_id { - type: string - sql: ${TABLE}.employee_id ;; - } - - dimension: first_name { - type: string - sql: ${TABLE}.first_name ;; - } - - dimension: first_seen_time__nanos { - type: number - sql: ${TABLE}.first_seen_time.nanos ;; - group_label: "First Seen Time" - group_item_label: "Nanos" - } - - dimension: first_seen_time__seconds { - type: number - sql: ${TABLE}.first_seen_time.seconds ;; - group_label: "First Seen Time" - group_item_label: "Seconds" - } - - dimension: group_identifiers { - hidden: yes - sql: ${TABLE}.group_identifiers ;; - } - - dimension: groupid { - type: string - sql: ${TABLE}.groupid ;; - } - - dimension: hire_date__nanos { - type: number - sql: ${TABLE}.hire_date.nanos ;; - group_label: "Hire Date" - group_item_label: "Nanos" - } - - dimension: hire_date__seconds { - type: number - sql: ${TABLE}.hire_date.seconds ;; - group_label: "Hire Date" - group_item_label: "Seconds" - } - - dimension: last_name { - type: string - sql: ${TABLE}.last_name ;; - } - - dimension: middle_name { - type: string - sql: ${TABLE}.middle_name ;; - } - - dimension: office_address__city { - 
type: string - sql: ${TABLE}.office_address.city ;; - group_label: "Office Address" - group_item_label: "City" - } - - dimension: office_address__country_or_region { - type: string - sql: ${TABLE}.office_address.country_or_region ;; - group_label: "Office Address" - group_item_label: "Country or Region" - } - - dimension: office_address__desk_name { - type: string - sql: ${TABLE}.office_address.desk_name ;; - group_label: "Office Address" - group_item_label: "Desk Name" - } - - dimension: office_address__floor_name { - type: string - sql: ${TABLE}.office_address.floor_name ;; - group_label: "Office Address" - group_item_label: "Floor Name" - } - - dimension: office_address__name { - type: string - sql: ${TABLE}.office_address.name ;; - group_label: "Office Address" - group_item_label: "Name" - } - - dimension: office_address__region_latitude { - type: number - sql: ${TABLE}.office_address.region_latitude ;; - group_label: "Office Address" - group_item_label: "Region Latitude" - } - - dimension: office_address__region_longitude { - type: number - sql: ${TABLE}.office_address.region_longitude ;; - group_label: "Office Address" - group_item_label: "Region Longitude" - } - - dimension: office_address__state { - type: string - sql: ${TABLE}.office_address.state ;; - group_label: "Office Address" - group_item_label: "State" - } - - dimension: personal_address__city { - type: string - sql: ${TABLE}.personal_address.city ;; - group_label: "Personal Address" - group_item_label: "City" - } - - dimension: personal_address__country_or_region { - type: string - sql: ${TABLE}.personal_address.country_or_region ;; - group_label: "Personal Address" - group_item_label: "Country or Region" - } - - dimension: personal_address__desk_name { - type: string - sql: ${TABLE}.personal_address.desk_name ;; - group_label: "Personal Address" - group_item_label: "Desk Name" - } - - dimension: personal_address__floor_name { - type: string - sql: ${TABLE}.personal_address.floor_name ;; - 
group_label: "Personal Address" - group_item_label: "Floor Name" - } - - dimension: personal_address__name { - type: string - sql: ${TABLE}.personal_address.name ;; - group_label: "Personal Address" - group_item_label: "Name" - } - - dimension: personal_address__region_latitude { - type: number - sql: ${TABLE}.personal_address.region_latitude ;; - group_label: "Personal Address" - group_item_label: "Region Latitude" - } - - dimension: personal_address__region_longitude { - type: number - sql: ${TABLE}.personal_address.region_longitude ;; - group_label: "Personal Address" - group_item_label: "Region Longitude" - } - - dimension: personal_address__state { - type: string - sql: ${TABLE}.personal_address.state ;; - group_label: "Personal Address" - group_item_label: "State" - } - - dimension: phone_numbers { - hidden: yes - sql: ${TABLE}.phone_numbers ;; - } - - dimension: product_object_id { - type: string - sql: ${TABLE}.product_object_id ;; - } - - dimension: role_description { - type: string - sql: ${TABLE}.role_description ;; - } - - dimension: role_name { - type: string - sql: ${TABLE}.role_name ;; - } - - dimension: termination_date__nanos { - type: number - sql: ${TABLE}.termination_date.nanos ;; - group_label: "Termination Date" - group_item_label: "Nanos" - } - - dimension: termination_date__seconds { - type: number - sql: ${TABLE}.termination_date.seconds ;; - group_label: "Termination Date" - group_item_label: "Seconds" - } - - dimension: time_off { - hidden: yes - sql: ${TABLE}.time_off ;; - } - - dimension: title { - type: string - sql: ${TABLE}.title ;; - } - - dimension: user_authentication_status { - type: number - sql: ${TABLE}.user_authentication_status ;; - } - - dimension: user_display_name { - type: string - sql: ${TABLE}.user_display_name ;; - } - - dimension: user_role { - type: number - sql: ${TABLE}.user_role ;; - } - - dimension: userid { - type: string - sql: ${TABLE}.userid ;; - } - - dimension: windows_sid { - type: string - sql: 
${TABLE}.windows_sid ;; - } - } - - view: udm_events__principal__domain__tech__email_addresses { - dimension: udm_events__principal__domain__tech__email_addresses { - type: string - sql: udm_events__principal__domain__tech__email_addresses ;; - } - } - - view: udm_events__principal__domain__zone__email_addresses { - dimension: udm_events__principal__domain__zone__email_addresses { - type: string - sql: udm_events__principal__domain__zone__email_addresses ;; - } - } - - view: udm_events__observer__file__pe_file__imports { - dimension: functions { - hidden: yes - sql: ${TABLE}.functions ;; - } - - dimension: library { - type: string - sql: ${TABLE}.library ;; - } - } - - view: udm_events__observer__group__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__observer__group__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__observer__process__command_line_history { - dimension: udm_events__observer__process__command_line_history { - type: string - sql: udm_events__observer__process__command_line_history ;; - } - } - - view: udm_events__observer__process_ancestors__file__names { - dimension: udm_events__observer__process_ancestors__file__names { - type: string - sql: udm_events__observer__process_ancestors__file__names ;; - } - } - - view: udm_events__observer__domain__admin__email_addresses { - dimension: udm_events__observer__domain__admin__email_addresses { - type: string - sql: udm_events__observer__domain__admin__email_addresses ;; - } - } - - view: udm_events__observer__domain__billing__phone_numbers { - dimension: udm_events__observer__domain__billing__phone_numbers { - type: 
string - sql: udm_events__observer__domain__billing__phone_numbers ;; - } - } - - view: udm_events__observer__domain__registrant__department { - dimension: udm_events__observer__domain__registrant__department { - type: string - sql: udm_events__observer__domain__registrant__department ;; - } - } - - view: udm_events__src__process__file__pe_file__section { - dimension: entropy { - type: number - sql: ${TABLE}.entropy ;; - } - - dimension: md5_hex { - type: string - sql: ${TABLE}.md5_hex ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: raw_size_bytes { - type: number - sql: ${TABLE}.raw_size_bytes ;; - } - - dimension: virtual_size_bytes { - type: number - sql: ${TABLE}.virtual_size_bytes ;; - } - } - - view: udm_events__src__domain__admin__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: ${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__src__domain__admin__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__src__domain__admin__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source 
{ - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__src__domain__registrant__email_addresses { - dimension: udm_events__src__domain__registrant__email_addresses { - type: string - sql: udm_events__src__domain__registrant__email_addresses ;; - } - } - - view: udm_events__security_result__about__user__department { - dimension: udm_events__security_result__about__user__department { - type: string - sql: udm_events__security_result__about__user__department ;; - } - } - - view: udm_events__target__cloud__vpc__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__target__cloud__vpc__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__target__file__pe_file__imports__functions { - dimension: udm_events__target__file__pe_file__imports__functions { - type: string - sql: udm_events__target__file__pe_file__imports__functions ;; - } - } - - view: udm_events__target__process__file__capabilities_tags { - dimension: udm_events__target__process__file__capabilities_tags { - type: string - sql: udm_events__target__process__file__capabilities_tags ;; - } - } - - view: udm_events__target__domain__admin__group_identifiers { - dimension: udm_events__target__domain__admin__group_identifiers { - type: string - sql: udm_events__target__domain__admin__group_identifiers ;; - } - } - - view: udm_events__target__domain__billing__email_addresses { - dimension: udm_events__target__domain__billing__email_addresses { - type: string - sql: udm_events__target__domain__billing__email_addresses ;; - } - } - - view: 
udm_events__extensions__vulns__vulnerabilities { - dimension: about__administrative_domain { - type: string - sql: ${TABLE}.about.administrative_domain ;; - group_label: "About" - group_item_label: "Administrative Domain" - } - - dimension: about__application { - type: string - sql: ${TABLE}.about.application ;; - group_label: "About" - group_item_label: "Application" - } - - dimension: about__artifact__first_seen_time__nanos { - type: number - sql: ${TABLE}.about.artifact.first_seen_time.nanos ;; - group_label: "About Artifact First Seen Time" - group_item_label: "Nanos" - } - - dimension: about__artifact__first_seen_time__seconds { - type: number - sql: ${TABLE}.about.artifact.first_seen_time.seconds ;; - group_label: "About Artifact First Seen Time" - group_item_label: "Seconds" - } - - dimension: about__artifact__ip { - type: string - sql: ${TABLE}.about.artifact.ip ;; - group_label: "About Artifact" - group_item_label: "IP" - } - - dimension: about__artifact__last_seen_time__nanos { - type: number - sql: ${TABLE}.about.artifact.last_seen_time.nanos ;; - group_label: "About Artifact Last Seen Time" - group_item_label: "Nanos" - } - - dimension: about__artifact__last_seen_time__seconds { - type: number - sql: ${TABLE}.about.artifact.last_seen_time.seconds ;; - group_label: "About Artifact Last Seen Time" - group_item_label: "Seconds" - } - - dimension: about__artifact__prevalence__day_count { - type: number - sql: ${TABLE}.about.artifact.prevalence.day_count ;; - group_label: "About Artifact Prevalence" - group_item_label: "Day Count" - } - - dimension: about__artifact__prevalence__day_max { - type: number - sql: ${TABLE}.about.artifact.prevalence.day_max ;; - group_label: "About Artifact Prevalence" - group_item_label: "Day Max" - } - - dimension: about__artifact__prevalence__day_max_sub_domains { - type: number - sql: ${TABLE}.about.artifact.prevalence.day_max_sub_domains ;; - group_label: "About Artifact Prevalence" - group_item_label: "Day Max Sub Domains" - 
} - - dimension: about__artifact__prevalence__rolling_max { - type: number - sql: ${TABLE}.about.artifact.prevalence.rolling_max ;; - group_label: "About Artifact Prevalence" - group_item_label: "Rolling Max" - } - - dimension: about__artifact__prevalence__rolling_max_sub_domains { - type: number - sql: ${TABLE}.about.artifact.prevalence.rolling_max_sub_domains ;; - group_label: "About Artifact Prevalence" - group_item_label: "Rolling Max Sub Domains" - } - - dimension: about__asset__asset_id { - type: string - sql: ${TABLE}.about.asset.asset_id ;; - group_label: "About Asset" - group_item_label: "Asset ID" - } - - dimension: about__asset__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.about.asset.attribute.cloud.availability_zone ;; - group_label: "About Asset Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: about__asset__attribute__cloud__environment { - type: number - sql: ${TABLE}.about.asset.attribute.cloud.environment ;; - group_label: "About Asset Attribute Cloud" - group_item_label: "Environment" - } - - dimension: about__asset__attribute__cloud__project__id { - type: string - sql: ${TABLE}.about.asset.attribute.cloud.project.id ;; - group_label: "About Asset Attribute Cloud Project" - group_item_label: "ID" - } - - dimension: about__asset__attribute__cloud__project__name { - type: string - sql: ${TABLE}.about.asset.attribute.cloud.project.name ;; - group_label: "About Asset Attribute Cloud Project" - group_item_label: "Name" - } - - dimension: about__asset__attribute__cloud__project__parent { - type: string - sql: ${TABLE}.about.asset.attribute.cloud.project.parent ;; - group_label: "About Asset Attribute Cloud Project" - group_item_label: "Parent" - } - - dimension: about__asset__attribute__cloud__project__product_object_id { - type: string - sql: ${TABLE}.about.asset.attribute.cloud.project.product_object_id ;; - group_label: "About Asset Attribute Cloud Project" - group_item_label: "Product Object ID" - } 
- - dimension: about__asset__attribute__cloud__project__resource_subtype { - type: string - sql: ${TABLE}.about.asset.attribute.cloud.project.resource_subtype ;; - group_label: "About Asset Attribute Cloud Project" - group_item_label: "Resource Subtype" - } - - dimension: about__asset__attribute__cloud__project__resource_type { - type: number - sql: ${TABLE}.about.asset.attribute.cloud.project.resource_type ;; - group_label: "About Asset Attribute Cloud Project" - group_item_label: "Resource Type" - } - - dimension: about__asset__attribute__cloud__project__type { - type: string - sql: ${TABLE}.about.asset.attribute.cloud.project.type ;; - group_label: "About Asset Attribute Cloud Project" - group_item_label: "Type" - } - - dimension: about__asset__attribute__cloud__vpc__id { - type: string - sql: ${TABLE}.about.asset.attribute.cloud.vpc.id ;; - group_label: "About Asset Attribute Cloud Vpc" - group_item_label: "ID" - } - - dimension: about__asset__attribute__cloud__vpc__name { - type: string - sql: ${TABLE}.about.asset.attribute.cloud.vpc.name ;; - group_label: "About Asset Attribute Cloud Vpc" - group_item_label: "Name" - } - - dimension: about__asset__attribute__cloud__vpc__parent { - type: string - sql: ${TABLE}.about.asset.attribute.cloud.vpc.parent ;; - group_label: "About Asset Attribute Cloud Vpc" - group_item_label: "Parent" - } - - dimension: about__asset__attribute__cloud__vpc__product_object_id { - type: string - sql: ${TABLE}.about.asset.attribute.cloud.vpc.product_object_id ;; - group_label: "About Asset Attribute Cloud Vpc" - group_item_label: "Product Object ID" - } - - dimension: about__asset__attribute__cloud__vpc__resource_subtype { - type: string - sql: ${TABLE}.about.asset.attribute.cloud.vpc.resource_subtype ;; - group_label: "About Asset Attribute Cloud Vpc" - group_item_label: "Resource Subtype" - } - - dimension: about__asset__attribute__cloud__vpc__resource_type { - type: number - sql: ${TABLE}.about.asset.attribute.cloud.vpc.resource_type 
;; - group_label: "About Asset Attribute Cloud Vpc" - group_item_label: "Resource Type" - } - - dimension: about__asset__attribute__cloud__vpc__type { - type: string - sql: ${TABLE}.about.asset.attribute.cloud.vpc.type ;; - group_label: "About Asset Attribute Cloud Vpc" - group_item_label: "Type" - } - - dimension: about__asset__attribute__creation_time__nanos { - type: number - sql: ${TABLE}.about.asset.attribute.creation_time.nanos ;; - group_label: "About Asset Attribute Creation Time" - group_item_label: "Nanos" - } - - dimension: about__asset__attribute__creation_time__seconds { - type: number - sql: ${TABLE}.about.asset.attribute.creation_time.seconds ;; - group_label: "About Asset Attribute Creation Time" - group_item_label: "Seconds" - } - - dimension: about__asset__attribute__labels { - hidden: yes - sql: ${TABLE}.about.asset.attribute.labels ;; - group_label: "About Asset Attribute" - group_item_label: "Labels" - } - - dimension: about__asset__attribute__last_update_time__nanos { - type: number - sql: ${TABLE}.about.asset.attribute.last_update_time.nanos ;; - group_label: "About Asset Attribute Last Update Time" - group_item_label: "Nanos" - } - - dimension: about__asset__attribute__last_update_time__seconds { - type: number - sql: ${TABLE}.about.asset.attribute.last_update_time.seconds ;; - group_label: "About Asset Attribute Last Update Time" - group_item_label: "Seconds" - } - - dimension: about__asset__attribute__permissions { - hidden: yes - sql: ${TABLE}.about.asset.attribute.permissions ;; - group_label: "About Asset Attribute" - group_item_label: "Permissions" - } - - dimension: about__asset__attribute__roles { - hidden: yes - sql: ${TABLE}.about.asset.attribute.roles ;; - group_label: "About Asset Attribute" - group_item_label: "Roles" - } - - dimension: about__asset__category { - type: string - sql: ${TABLE}.about.asset.category ;; - group_label: "About Asset" - group_item_label: "Category" - } - - dimension: about__asset__creation_time__nanos { 
- type: number - sql: ${TABLE}.about.asset.creation_time.nanos ;; - group_label: "About Asset Creation Time" - group_item_label: "Nanos" - } - - dimension: about__asset__creation_time__seconds { - type: number - sql: ${TABLE}.about.asset.creation_time.seconds ;; - group_label: "About Asset Creation Time" - group_item_label: "Seconds" - } - - dimension: about__asset__deployment_status { - type: number - sql: ${TABLE}.about.asset.deployment_status ;; - group_label: "About Asset" - group_item_label: "Deployment Status" - } - - dimension: about__asset__first_discover_time__nanos { - type: number - sql: ${TABLE}.about.asset.first_discover_time.nanos ;; - group_label: "About Asset First Discover Time" - group_item_label: "Nanos" - } - - dimension: about__asset__first_discover_time__seconds { - type: number - sql: ${TABLE}.about.asset.first_discover_time.seconds ;; - group_label: "About Asset First Discover Time" - group_item_label: "Seconds" - } - - dimension: about__asset__first_seen_time__nanos { - type: number - sql: ${TABLE}.about.asset.first_seen_time.nanos ;; - group_label: "About Asset First Seen Time" - group_item_label: "Nanos" - } - - dimension: about__asset__first_seen_time__seconds { - type: number - sql: ${TABLE}.about.asset.first_seen_time.seconds ;; - group_label: "About Asset First Seen Time" - group_item_label: "Seconds" - } - - dimension: about__asset__hardware { - hidden: yes - sql: ${TABLE}.about.asset.hardware ;; - group_label: "About Asset" - group_item_label: "Hardware" - } - - dimension: about__asset__hostname { - type: string - sql: ${TABLE}.about.asset.hostname ;; - group_label: "About Asset" - group_item_label: "Hostname" - } - - dimension: about__asset__ip { - hidden: yes - sql: ${TABLE}.about.asset.ip ;; - group_label: "About Asset" - group_item_label: "IP" - } - - dimension: about__asset__labels { - hidden: yes - sql: ${TABLE}.about.asset.labels ;; - group_label: "About Asset" - group_item_label: "Labels" - } - - dimension: 
about__asset__last_boot_time__nanos { - type: number - sql: ${TABLE}.about.asset.last_boot_time.nanos ;; - group_label: "About Asset Last Boot Time" - group_item_label: "Nanos" - } - - dimension: about__asset__last_boot_time__seconds { - type: number - sql: ${TABLE}.about.asset.last_boot_time.seconds ;; - group_label: "About Asset Last Boot Time" - group_item_label: "Seconds" - } - - dimension: about__asset__last_discover_time__nanos { - type: number - sql: ${TABLE}.about.asset.last_discover_time.nanos ;; - group_label: "About Asset Last Discover Time" - group_item_label: "Nanos" - } - - dimension: about__asset__last_discover_time__seconds { - type: number - sql: ${TABLE}.about.asset.last_discover_time.seconds ;; - group_label: "About Asset Last Discover Time" - group_item_label: "Seconds" - } - - dimension: about__asset__location__city { - type: string - sql: ${TABLE}.about.asset.location.city ;; - group_label: "About Asset Location" - group_item_label: "City" - } - - dimension: about__asset__location__country_or_region { - type: string - sql: ${TABLE}.about.asset.location.country_or_region ;; - group_label: "About Asset Location" - group_item_label: "Country or Region" - } - - dimension: about__asset__location__desk_name { - type: string - sql: ${TABLE}.about.asset.location.desk_name ;; - group_label: "About Asset Location" - group_item_label: "Desk Name" - } - - dimension: about__asset__location__floor_name { - type: string - sql: ${TABLE}.about.asset.location.floor_name ;; - group_label: "About Asset Location" - group_item_label: "Floor Name" - } - - dimension: about__asset__location__name { - type: string - sql: ${TABLE}.about.asset.location.name ;; - group_label: "About Asset Location" - group_item_label: "Name" - } - - dimension: about__asset__location__region_latitude { - type: number - sql: ${TABLE}.about.asset.location.region_latitude ;; - group_label: "About Asset Location" - group_item_label: "Region Latitude" - } - - dimension: 
about__asset__location__region_longitude { - type: number - sql: ${TABLE}.about.asset.location.region_longitude ;; - group_label: "About Asset Location" - group_item_label: "Region Longitude" - } - - dimension: about__asset__location__state { - type: string - sql: ${TABLE}.about.asset.location.state ;; - group_label: "About Asset Location" - group_item_label: "State" - } - - dimension: about__asset__mac { - hidden: yes - sql: ${TABLE}.about.asset.mac ;; - group_label: "About Asset" - group_item_label: "Mac" - } - - dimension: about__asset__nat_ip { - hidden: yes - sql: ${TABLE}.about.asset.nat_ip ;; - group_label: "About Asset" - group_item_label: "Nat IP" - } - - dimension: about__asset__network_domain { - type: string - sql: ${TABLE}.about.asset.network_domain ;; - group_label: "About Asset" - group_item_label: "Network Domain" - } - - dimension: about__asset__platform_software__platform { - type: number - sql: ${TABLE}.about.asset.platform_software.platform ;; - group_label: "About Asset Platform Software" - group_item_label: "Platform" - } - - dimension: about__asset__platform_software__platform_patch_level { - type: string - sql: ${TABLE}.about.asset.platform_software.platform_patch_level ;; - group_label: "About Asset Platform Software" - group_item_label: "Platform Patch Level" - } - - dimension: about__asset__platform_software__platform_version { - type: string - sql: ${TABLE}.about.asset.platform_software.platform_version ;; - group_label: "About Asset Platform Software" - group_item_label: "Platform Version" - } - - dimension: about__asset__product_object_id { - type: string - sql: ${TABLE}.about.asset.product_object_id ;; - group_label: "About Asset" - group_item_label: "Product Object ID" - } - - dimension: about__asset__software { - hidden: yes - sql: ${TABLE}.about.asset.software ;; - group_label: "About Asset" - group_item_label: "Software" - } - - dimension: about__asset__system_last_update_time__nanos { - type: number - sql: 
${TABLE}.about.asset.system_last_update_time.nanos ;; - group_label: "About Asset System Last Update Time" - group_item_label: "Nanos" - } - - dimension: about__asset__system_last_update_time__seconds { - type: number - sql: ${TABLE}.about.asset.system_last_update_time.seconds ;; - group_label: "About Asset System Last Update Time" - group_item_label: "Seconds" - } - - dimension: about__asset__type { - type: number - sql: ${TABLE}.about.asset.type ;; - group_label: "About Asset" - group_item_label: "Type" - } - - dimension: about__asset_id { - type: string - sql: ${TABLE}.about.asset_id ;; - group_label: "About" - group_item_label: "Asset ID" - } - - dimension: about__cloud__availability_zone { - type: string - sql: ${TABLE}.about.cloud.availability_zone ;; - group_label: "About Cloud" - group_item_label: "Availability Zone" - } - - dimension: about__cloud__environment { - type: number - sql: ${TABLE}.about.cloud.environment ;; - group_label: "About Cloud" - group_item_label: "Environment" - } - - dimension: about__cloud__project__attribute__creation_time__nanos { - type: number - sql: ${TABLE}.about.cloud.project.attribute.creation_time.nanos ;; - group_label: "About Cloud Project Attribute Creation Time" - group_item_label: "Nanos" - } - - dimension: about__cloud__project__attribute__creation_time__seconds { - type: number - sql: ${TABLE}.about.cloud.project.attribute.creation_time.seconds ;; - group_label: "About Cloud Project Attribute Creation Time" - group_item_label: "Seconds" - } - - dimension: about__cloud__project__attribute__labels { - hidden: yes - sql: ${TABLE}.about.cloud.project.attribute.labels ;; - group_label: "About Cloud Project Attribute" - group_item_label: "Labels" - } - - dimension: about__cloud__project__attribute__last_update_time__nanos { - type: number - sql: ${TABLE}.about.cloud.project.attribute.last_update_time.nanos ;; - group_label: "About Cloud Project Attribute Last Update Time" - group_item_label: "Nanos" - } - - dimension: 
about__cloud__project__attribute__last_update_time__seconds { - type: number - sql: ${TABLE}.about.cloud.project.attribute.last_update_time.seconds ;; - group_label: "About Cloud Project Attribute Last Update Time" - group_item_label: "Seconds" - } - - dimension: about__cloud__project__attribute__permissions { - hidden: yes - sql: ${TABLE}.about.cloud.project.attribute.permissions ;; - group_label: "About Cloud Project Attribute" - group_item_label: "Permissions" - } - - dimension: about__cloud__project__attribute__roles { - hidden: yes - sql: ${TABLE}.about.cloud.project.attribute.roles ;; - group_label: "About Cloud Project Attribute" - group_item_label: "Roles" - } - - dimension: about__cloud__project__id { - type: string - sql: ${TABLE}.about.cloud.project.id ;; - group_label: "About Cloud Project" - group_item_label: "ID" - } - - dimension: about__cloud__project__name { - type: string - sql: ${TABLE}.about.cloud.project.name ;; - group_label: "About Cloud Project" - group_item_label: "Name" - } - - dimension: about__cloud__project__parent { - type: string - sql: ${TABLE}.about.cloud.project.parent ;; - group_label: "About Cloud Project" - group_item_label: "Parent" - } - - dimension: about__cloud__project__product_object_id { - type: string - sql: ${TABLE}.about.cloud.project.product_object_id ;; - group_label: "About Cloud Project" - group_item_label: "Product Object ID" - } - - dimension: about__cloud__project__resource_subtype { - type: string - sql: ${TABLE}.about.cloud.project.resource_subtype ;; - group_label: "About Cloud Project" - group_item_label: "Resource Subtype" - } - - dimension: about__cloud__project__resource_type { - type: number - sql: ${TABLE}.about.cloud.project.resource_type ;; - group_label: "About Cloud Project" - group_item_label: "Resource Type" - } - - dimension: about__cloud__project__type { - type: string - sql: ${TABLE}.about.cloud.project.type ;; - group_label: "About Cloud Project" - group_item_label: "Type" - } - - dimension: 
about__cloud__vpc__attribute__creation_time__nanos { - type: number - sql: ${TABLE}.about.cloud.vpc.attribute.creation_time.nanos ;; - group_label: "About Cloud Vpc Attribute Creation Time" - group_item_label: "Nanos" - } - - dimension: about__cloud__vpc__attribute__creation_time__seconds { - type: number - sql: ${TABLE}.about.cloud.vpc.attribute.creation_time.seconds ;; - group_label: "About Cloud Vpc Attribute Creation Time" - group_item_label: "Seconds" - } - - dimension: about__cloud__vpc__attribute__labels { - hidden: yes - sql: ${TABLE}.about.cloud.vpc.attribute.labels ;; - group_label: "About Cloud Vpc Attribute" - group_item_label: "Labels" - } - - dimension: about__cloud__vpc__attribute__last_update_time__nanos { - type: number - sql: ${TABLE}.about.cloud.vpc.attribute.last_update_time.nanos ;; - group_label: "About Cloud Vpc Attribute Last Update Time" - group_item_label: "Nanos" - } - - dimension: about__cloud__vpc__attribute__last_update_time__seconds { - type: number - sql: ${TABLE}.about.cloud.vpc.attribute.last_update_time.seconds ;; - group_label: "About Cloud Vpc Attribute Last Update Time" - group_item_label: "Seconds" - } - - dimension: about__cloud__vpc__attribute__permissions { - hidden: yes - sql: ${TABLE}.about.cloud.vpc.attribute.permissions ;; - group_label: "About Cloud Vpc Attribute" - group_item_label: "Permissions" - } - - dimension: about__cloud__vpc__attribute__roles { - hidden: yes - sql: ${TABLE}.about.cloud.vpc.attribute.roles ;; - group_label: "About Cloud Vpc Attribute" - group_item_label: "Roles" - } - - dimension: about__cloud__vpc__id { - type: string - sql: ${TABLE}.about.cloud.vpc.id ;; - group_label: "About Cloud Vpc" - group_item_label: "ID" - } - - dimension: about__cloud__vpc__name { - type: string - sql: ${TABLE}.about.cloud.vpc.name ;; - group_label: "About Cloud Vpc" - group_item_label: "Name" - } - - dimension: about__cloud__vpc__parent { - type: string - sql: ${TABLE}.about.cloud.vpc.parent ;; - group_label: "About 
Cloud Vpc" - group_item_label: "Parent" - } - - dimension: about__cloud__vpc__product_object_id { - type: string - sql: ${TABLE}.about.cloud.vpc.product_object_id ;; - group_label: "About Cloud Vpc" - group_item_label: "Product Object ID" - } - - dimension: about__cloud__vpc__resource_subtype { - type: string - sql: ${TABLE}.about.cloud.vpc.resource_subtype ;; - group_label: "About Cloud Vpc" - group_item_label: "Resource Subtype" - } - - dimension: about__cloud__vpc__resource_type { - type: number - sql: ${TABLE}.about.cloud.vpc.resource_type ;; - group_label: "About Cloud Vpc" - group_item_label: "Resource Type" - } - - dimension: about__cloud__vpc__type { - type: string - sql: ${TABLE}.about.cloud.vpc.type ;; - group_label: "About Cloud Vpc" - group_item_label: "Type" - } - - dimension: about__domain__admin__account_type { - type: number - sql: ${TABLE}.about.domain.admin.account_type ;; - group_label: "About Domain Admin" - group_item_label: "Account Type" - } - - dimension: about__domain__admin__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.about.domain.admin.attribute.cloud.availability_zone ;; - group_label: "About Domain Admin Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: about__domain__admin__attribute__cloud__environment { - type: number - sql: ${TABLE}.about.domain.admin.attribute.cloud.environment ;; - group_label: "About Domain Admin Attribute Cloud" - group_item_label: "Environment" - } - - dimension: about__domain__admin__attribute__cloud__project__id { - type: string - sql: ${TABLE}.about.domain.admin.attribute.cloud.project.id ;; - group_label: "About Domain Admin Attribute Cloud Project" - group_item_label: "ID" - } - - dimension: about__domain__admin__attribute__cloud__project__name { - type: string - sql: ${TABLE}.about.domain.admin.attribute.cloud.project.name ;; - group_label: "About Domain Admin Attribute Cloud Project" - group_item_label: "Name" - } - - dimension: 
about__domain__admin__attribute__cloud__project__parent { - type: string - sql: ${TABLE}.about.domain.admin.attribute.cloud.project.parent ;; - group_label: "About Domain Admin Attribute Cloud Project" - group_item_label: "Parent" - } - - dimension: about__domain__admin__attribute__cloud__project__product_object_id { - type: string - sql: ${TABLE}.about.domain.admin.attribute.cloud.project.product_object_id ;; - group_label: "About Domain Admin Attribute Cloud Project" - group_item_label: "Product Object ID" - } - - dimension: about__domain__admin__attribute__cloud__project__resource_subtype { - type: string - sql: ${TABLE}.about.domain.admin.attribute.cloud.project.resource_subtype ;; - group_label: "About Domain Admin Attribute Cloud Project" - group_item_label: "Resource Subtype" - } - - dimension: about__domain__admin__attribute__cloud__project__resource_type { - type: number - sql: ${TABLE}.about.domain.admin.attribute.cloud.project.resource_type ;; - group_label: "About Domain Admin Attribute Cloud Project" - group_item_label: "Resource Type" - } - - dimension: about__domain__admin__attribute__cloud__project__type { - type: string - sql: ${TABLE}.about.domain.admin.attribute.cloud.project.type ;; - group_label: "About Domain Admin Attribute Cloud Project" - group_item_label: "Type" - } - - dimension: about__domain__admin__attribute__cloud__vpc__id { - type: string - sql: ${TABLE}.about.domain.admin.attribute.cloud.vpc.id ;; - group_label: "About Domain Admin Attribute Cloud Vpc" - group_item_label: "ID" - } - - dimension: about__domain__admin__attribute__cloud__vpc__name { - type: string - sql: ${TABLE}.about.domain.admin.attribute.cloud.vpc.name ;; - group_label: "About Domain Admin Attribute Cloud Vpc" - group_item_label: "Name" - } - - dimension: about__domain__admin__attribute__cloud__vpc__parent { - type: string - sql: ${TABLE}.about.domain.admin.attribute.cloud.vpc.parent ;; - group_label: "About Domain Admin Attribute Cloud Vpc" - group_item_label: 
"Parent" - } - - dimension: about__domain__admin__attribute__cloud__vpc__product_object_id { - type: string - sql: ${TABLE}.about.domain.admin.attribute.cloud.vpc.product_object_id ;; - group_label: "About Domain Admin Attribute Cloud Vpc" - group_item_label: "Product Object ID" - } - - dimension: about__domain__admin__attribute__cloud__vpc__resource_subtype { - type: string - sql: ${TABLE}.about.domain.admin.attribute.cloud.vpc.resource_subtype ;; - group_label: "About Domain Admin Attribute Cloud Vpc" - group_item_label: "Resource Subtype" - } - - dimension: about__domain__admin__attribute__cloud__vpc__resource_type { - type: number - sql: ${TABLE}.about.domain.admin.attribute.cloud.vpc.resource_type ;; - group_label: "About Domain Admin Attribute Cloud Vpc" - group_item_label: "Resource Type" - } - - dimension: about__domain__admin__attribute__cloud__vpc__type { - type: string - sql: ${TABLE}.about.domain.admin.attribute.cloud.vpc.type ;; - group_label: "About Domain Admin Attribute Cloud Vpc" - group_item_label: "Type" - } - - dimension: about__domain__admin__attribute__creation_time__nanos { - type: number - sql: ${TABLE}.about.domain.admin.attribute.creation_time.nanos ;; - group_label: "About Domain Admin Attribute Creation Time" - group_item_label: "Nanos" - } - - dimension: about__domain__admin__attribute__creation_time__seconds { - type: number - sql: ${TABLE}.about.domain.admin.attribute.creation_time.seconds ;; - group_label: "About Domain Admin Attribute Creation Time" - group_item_label: "Seconds" - } - - dimension: about__domain__admin__attribute__labels { - hidden: yes - sql: ${TABLE}.about.domain.admin.attribute.labels ;; - group_label: "About Domain Admin Attribute" - group_item_label: "Labels" - } - - dimension: about__domain__admin__attribute__last_update_time__nanos { - type: number - sql: ${TABLE}.about.domain.admin.attribute.last_update_time.nanos ;; - group_label: "About Domain Admin Attribute Last Update Time" - group_item_label: "Nanos" - 
} - - dimension: about__domain__admin__attribute__last_update_time__seconds { - type: number - sql: ${TABLE}.about.domain.admin.attribute.last_update_time.seconds ;; - group_label: "About Domain Admin Attribute Last Update Time" - group_item_label: "Seconds" - } - - dimension: about__domain__admin__attribute__permissions { - hidden: yes - sql: ${TABLE}.about.domain.admin.attribute.permissions ;; - group_label: "About Domain Admin Attribute" - group_item_label: "Permissions" - } - - dimension: about__domain__admin__attribute__roles { - hidden: yes - sql: ${TABLE}.about.domain.admin.attribute.roles ;; - group_label: "About Domain Admin Attribute" - group_item_label: "Roles" - } - - dimension: about__domain__admin__company_name { - type: string - sql: ${TABLE}.about.domain.admin.company_name ;; - group_label: "About Domain Admin" - group_item_label: "Company Name" - } - - dimension: about__domain__admin__department { - hidden: yes - sql: ${TABLE}.about.domain.admin.department ;; - group_label: "About Domain Admin" - group_item_label: "Department" - } - - dimension: about__domain__admin__email_addresses { - hidden: yes - sql: ${TABLE}.about.domain.admin.email_addresses ;; - group_label: "About Domain Admin" - group_item_label: "Email Addresses" - } - - dimension: about__domain__admin__employee_id { - type: string - sql: ${TABLE}.about.domain.admin.employee_id ;; - group_label: "About Domain Admin" - group_item_label: "Employee ID" - } - - dimension: about__domain__admin__first_name { - type: string - sql: ${TABLE}.about.domain.admin.first_name ;; - group_label: "About Domain Admin" - group_item_label: "First Name" - } - - dimension: about__domain__admin__first_seen_time__nanos { - type: number - sql: ${TABLE}.about.domain.admin.first_seen_time.nanos ;; - group_label: "About Domain Admin First Seen Time" - group_item_label: "Nanos" - } - - dimension: about__domain__admin__first_seen_time__seconds { - type: number - sql: 
${TABLE}.about.domain.admin.first_seen_time.seconds ;; - group_label: "About Domain Admin First Seen Time" - group_item_label: "Seconds" - } - - dimension: about__domain__admin__group_identifiers { - hidden: yes - sql: ${TABLE}.about.domain.admin.group_identifiers ;; - group_label: "About Domain Admin" - group_item_label: "Group Identifiers" - } - - dimension: about__domain__admin__groupid { - type: string - sql: ${TABLE}.about.domain.admin.groupid ;; - group_label: "About Domain Admin" - group_item_label: "Groupid" - } - - dimension: about__domain__admin__hire_date__nanos { - type: number - sql: ${TABLE}.about.domain.admin.hire_date.nanos ;; - group_label: "About Domain Admin Hire Date" - group_item_label: "Nanos" - } - - dimension: about__domain__admin__hire_date__seconds { - type: number - sql: ${TABLE}.about.domain.admin.hire_date.seconds ;; - group_label: "About Domain Admin Hire Date" - group_item_label: "Seconds" - } - - dimension: about__domain__admin__last_name { - type: string - sql: ${TABLE}.about.domain.admin.last_name ;; - group_label: "About Domain Admin" - group_item_label: "Last Name" - } - - dimension: about__domain__admin__middle_name { - type: string - sql: ${TABLE}.about.domain.admin.middle_name ;; - group_label: "About Domain Admin" - group_item_label: "Middle Name" - } - - dimension: about__domain__admin__office_address__city { - type: string - sql: ${TABLE}.about.domain.admin.office_address.city ;; - group_label: "About Domain Admin Office Address" - group_item_label: "City" - } - - dimension: about__domain__admin__office_address__country_or_region { - type: string - sql: ${TABLE}.about.domain.admin.office_address.country_or_region ;; - group_label: "About Domain Admin Office Address" - group_item_label: "Country or Region" - } - - dimension: about__domain__admin__office_address__desk_name { - type: string - sql: ${TABLE}.about.domain.admin.office_address.desk_name ;; - group_label: "About Domain Admin Office Address" - group_item_label: 
"Desk Name" - } - - dimension: about__domain__admin__office_address__floor_name { - type: string - sql: ${TABLE}.about.domain.admin.office_address.floor_name ;; - group_label: "About Domain Admin Office Address" - group_item_label: "Floor Name" - } - - dimension: about__domain__admin__office_address__name { - type: string - sql: ${TABLE}.about.domain.admin.office_address.name ;; - group_label: "About Domain Admin Office Address" - group_item_label: "Name" - } - - dimension: about__domain__admin__office_address__region_latitude { - type: number - sql: ${TABLE}.about.domain.admin.office_address.region_latitude ;; - group_label: "About Domain Admin Office Address" - group_item_label: "Region Latitude" - } - - dimension: about__domain__admin__office_address__region_longitude { - type: number - sql: ${TABLE}.about.domain.admin.office_address.region_longitude ;; - group_label: "About Domain Admin Office Address" - group_item_label: "Region Longitude" - } - - dimension: about__domain__admin__office_address__state { - type: string - sql: ${TABLE}.about.domain.admin.office_address.state ;; - group_label: "About Domain Admin Office Address" - group_item_label: "State" - } - - dimension: about__domain__admin__personal_address__city { - type: string - sql: ${TABLE}.about.domain.admin.personal_address.city ;; - group_label: "About Domain Admin Personal Address" - group_item_label: "City" - } - - dimension: about__domain__admin__personal_address__country_or_region { - type: string - sql: ${TABLE}.about.domain.admin.personal_address.country_or_region ;; - group_label: "About Domain Admin Personal Address" - group_item_label: "Country or Region" - } - - dimension: about__domain__admin__personal_address__desk_name { - type: string - sql: ${TABLE}.about.domain.admin.personal_address.desk_name ;; - group_label: "About Domain Admin Personal Address" - group_item_label: "Desk Name" - } - - dimension: about__domain__admin__personal_address__floor_name { - type: string - sql: 
${TABLE}.about.domain.admin.personal_address.floor_name ;; - group_label: "About Domain Admin Personal Address" - group_item_label: "Floor Name" - } - - dimension: about__domain__admin__personal_address__name { - type: string - sql: ${TABLE}.about.domain.admin.personal_address.name ;; - group_label: "About Domain Admin Personal Address" - group_item_label: "Name" - } - - dimension: about__domain__admin__personal_address__region_latitude { - type: number - sql: ${TABLE}.about.domain.admin.personal_address.region_latitude ;; - group_label: "About Domain Admin Personal Address" - group_item_label: "Region Latitude" - } - - dimension: about__domain__admin__personal_address__region_longitude { - type: number - sql: ${TABLE}.about.domain.admin.personal_address.region_longitude ;; - group_label: "About Domain Admin Personal Address" - group_item_label: "Region Longitude" - } - - dimension: about__domain__admin__personal_address__state { - type: string - sql: ${TABLE}.about.domain.admin.personal_address.state ;; - group_label: "About Domain Admin Personal Address" - group_item_label: "State" - } - - dimension: about__domain__admin__phone_numbers { - hidden: yes - sql: ${TABLE}.about.domain.admin.phone_numbers ;; - group_label: "About Domain Admin" - group_item_label: "Phone Numbers" - } - - dimension: about__domain__admin__product_object_id { - type: string - sql: ${TABLE}.about.domain.admin.product_object_id ;; - group_label: "About Domain Admin" - group_item_label: "Product Object ID" - } - - dimension: about__domain__admin__role_description { - type: string - sql: ${TABLE}.about.domain.admin.role_description ;; - group_label: "About Domain Admin" - group_item_label: "Role Description" - } - - dimension: about__domain__admin__role_name { - type: string - sql: ${TABLE}.about.domain.admin.role_name ;; - group_label: "About Domain Admin" - group_item_label: "Role Name" - } - - dimension: about__domain__admin__termination_date__nanos { - type: number - sql: 
${TABLE}.about.domain.admin.termination_date.nanos ;; - group_label: "About Domain Admin Termination Date" - group_item_label: "Nanos" - } - - dimension: about__domain__admin__termination_date__seconds { - type: number - sql: ${TABLE}.about.domain.admin.termination_date.seconds ;; - group_label: "About Domain Admin Termination Date" - group_item_label: "Seconds" - } - - dimension: about__domain__admin__time_off { - hidden: yes - sql: ${TABLE}.about.domain.admin.time_off ;; - group_label: "About Domain Admin" - group_item_label: "Time Off" - } - - dimension: about__domain__admin__title { - type: string - sql: ${TABLE}.about.domain.admin.title ;; - group_label: "About Domain Admin" - group_item_label: "Title" - } - - dimension: about__domain__admin__user_authentication_status { - type: number - sql: ${TABLE}.about.domain.admin.user_authentication_status ;; - group_label: "About Domain Admin" - group_item_label: "User Authentication Status" - } - - dimension: about__domain__admin__user_display_name { - type: string - sql: ${TABLE}.about.domain.admin.user_display_name ;; - group_label: "About Domain Admin" - group_item_label: "User Display Name" - } - - dimension: about__domain__admin__user_role { - type: number - sql: ${TABLE}.about.domain.admin.user_role ;; - group_label: "About Domain Admin" - group_item_label: "User Role" - } - - dimension: about__domain__admin__userid { - type: string - sql: ${TABLE}.about.domain.admin.userid ;; - group_label: "About Domain Admin" - group_item_label: "Userid" - } - - dimension: about__domain__admin__windows_sid { - type: string - sql: ${TABLE}.about.domain.admin.windows_sid ;; - group_label: "About Domain Admin" - group_item_label: "Windows Sid" - } - - dimension: about__domain__audit_update_time__nanos { - type: number - sql: ${TABLE}.about.domain.audit_update_time.nanos ;; - group_label: "About Domain Audit Update Time" - group_item_label: "Nanos" - } - - dimension: about__domain__audit_update_time__seconds { - type: number - 
sql: ${TABLE}.about.domain.audit_update_time.seconds ;; - group_label: "About Domain Audit Update Time" - group_item_label: "Seconds" - } - - dimension: about__domain__billing__account_type { - type: number - sql: ${TABLE}.about.domain.billing.account_type ;; - group_label: "About Domain Billing" - group_item_label: "Account Type" - } - - dimension: about__domain__billing__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.about.domain.billing.attribute.cloud.availability_zone ;; - group_label: "About Domain Billing Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: about__domain__billing__attribute__cloud__environment { - type: number - sql: ${TABLE}.about.domain.billing.attribute.cloud.environment ;; - group_label: "About Domain Billing Attribute Cloud" - group_item_label: "Environment" - } - - dimension: about__domain__billing__attribute__cloud__project__id { - type: string - sql: ${TABLE}.about.domain.billing.attribute.cloud.project.id ;; - group_label: "About Domain Billing Attribute Cloud Project" - group_item_label: "ID" - } - - dimension: about__domain__billing__attribute__cloud__project__name { - type: string - sql: ${TABLE}.about.domain.billing.attribute.cloud.project.name ;; - group_label: "About Domain Billing Attribute Cloud Project" - group_item_label: "Name" - } - - dimension: about__domain__billing__attribute__cloud__project__parent { - type: string - sql: ${TABLE}.about.domain.billing.attribute.cloud.project.parent ;; - group_label: "About Domain Billing Attribute Cloud Project" - group_item_label: "Parent" - } - - dimension: about__domain__billing__attribute__cloud__project__product_object_id { - type: string - sql: ${TABLE}.about.domain.billing.attribute.cloud.project.product_object_id ;; - group_label: "About Domain Billing Attribute Cloud Project" - group_item_label: "Product Object ID" - } - - dimension: about__domain__billing__attribute__cloud__project__resource_subtype { - type: string - sql: 
${TABLE}.about.domain.billing.attribute.cloud.project.resource_subtype ;; - group_label: "About Domain Billing Attribute Cloud Project" - group_item_label: "Resource Subtype" - } - - dimension: about__domain__billing__attribute__cloud__project__resource_type { - type: number - sql: ${TABLE}.about.domain.billing.attribute.cloud.project.resource_type ;; - group_label: "About Domain Billing Attribute Cloud Project" - group_item_label: "Resource Type" - } - - dimension: about__domain__billing__attribute__cloud__project__type { - type: string - sql: ${TABLE}.about.domain.billing.attribute.cloud.project.type ;; - group_label: "About Domain Billing Attribute Cloud Project" - group_item_label: "Type" - } - - dimension: about__domain__billing__attribute__cloud__vpc__id { - type: string - sql: ${TABLE}.about.domain.billing.attribute.cloud.vpc.id ;; - group_label: "About Domain Billing Attribute Cloud Vpc" - group_item_label: "ID" - } - - dimension: about__domain__billing__attribute__cloud__vpc__name { - type: string - sql: ${TABLE}.about.domain.billing.attribute.cloud.vpc.name ;; - group_label: "About Domain Billing Attribute Cloud Vpc" - group_item_label: "Name" - } - - dimension: about__domain__billing__attribute__cloud__vpc__parent { - type: string - sql: ${TABLE}.about.domain.billing.attribute.cloud.vpc.parent ;; - group_label: "About Domain Billing Attribute Cloud Vpc" - group_item_label: "Parent" - } - - dimension: about__domain__billing__attribute__cloud__vpc__product_object_id { - type: string - sql: ${TABLE}.about.domain.billing.attribute.cloud.vpc.product_object_id ;; - group_label: "About Domain Billing Attribute Cloud Vpc" - group_item_label: "Product Object ID" - } - - dimension: about__domain__billing__attribute__cloud__vpc__resource_subtype { - type: string - sql: ${TABLE}.about.domain.billing.attribute.cloud.vpc.resource_subtype ;; - group_label: "About Domain Billing Attribute Cloud Vpc" - group_item_label: "Resource Subtype" - } - - dimension: 
about__domain__billing__attribute__cloud__vpc__resource_type { - type: number - sql: ${TABLE}.about.domain.billing.attribute.cloud.vpc.resource_type ;; - group_label: "About Domain Billing Attribute Cloud Vpc" - group_item_label: "Resource Type" - } - - dimension: about__domain__billing__attribute__cloud__vpc__type { - type: string - sql: ${TABLE}.about.domain.billing.attribute.cloud.vpc.type ;; - group_label: "About Domain Billing Attribute Cloud Vpc" - group_item_label: "Type" - } - - dimension: about__domain__billing__attribute__creation_time__nanos { - type: number - sql: ${TABLE}.about.domain.billing.attribute.creation_time.nanos ;; - group_label: "About Domain Billing Attribute Creation Time" - group_item_label: "Nanos" - } - - dimension: about__domain__billing__attribute__creation_time__seconds { - type: number - sql: ${TABLE}.about.domain.billing.attribute.creation_time.seconds ;; - group_label: "About Domain Billing Attribute Creation Time" - group_item_label: "Seconds" - } - - dimension: about__domain__billing__attribute__labels { - hidden: yes - sql: ${TABLE}.about.domain.billing.attribute.labels ;; - group_label: "About Domain Billing Attribute" - group_item_label: "Labels" - } - - dimension: about__domain__billing__attribute__last_update_time__nanos { - type: number - sql: ${TABLE}.about.domain.billing.attribute.last_update_time.nanos ;; - group_label: "About Domain Billing Attribute Last Update Time" - group_item_label: "Nanos" - } - - dimension: about__domain__billing__attribute__last_update_time__seconds { - type: number - sql: ${TABLE}.about.domain.billing.attribute.last_update_time.seconds ;; - group_label: "About Domain Billing Attribute Last Update Time" - group_item_label: "Seconds" - } - - dimension: about__domain__billing__attribute__permissions { - hidden: yes - sql: ${TABLE}.about.domain.billing.attribute.permissions ;; - group_label: "About Domain Billing Attribute" - group_item_label: "Permissions" - } - - dimension: 
about__domain__billing__attribute__roles { - hidden: yes - sql: ${TABLE}.about.domain.billing.attribute.roles ;; - group_label: "About Domain Billing Attribute" - group_item_label: "Roles" - } - - dimension: about__domain__billing__company_name { - type: string - sql: ${TABLE}.about.domain.billing.company_name ;; - group_label: "About Domain Billing" - group_item_label: "Company Name" - } - - dimension: about__domain__billing__department { - hidden: yes - sql: ${TABLE}.about.domain.billing.department ;; - group_label: "About Domain Billing" - group_item_label: "Department" - } - - dimension: about__domain__billing__email_addresses { - hidden: yes - sql: ${TABLE}.about.domain.billing.email_addresses ;; - group_label: "About Domain Billing" - group_item_label: "Email Addresses" - } - - dimension: about__domain__billing__employee_id { - type: string - sql: ${TABLE}.about.domain.billing.employee_id ;; - group_label: "About Domain Billing" - group_item_label: "Employee ID" - } - - dimension: about__domain__billing__first_name { - type: string - sql: ${TABLE}.about.domain.billing.first_name ;; - group_label: "About Domain Billing" - group_item_label: "First Name" - } - - dimension: about__domain__billing__first_seen_time__nanos { - type: number - sql: ${TABLE}.about.domain.billing.first_seen_time.nanos ;; - group_label: "About Domain Billing First Seen Time" - group_item_label: "Nanos" - } - - dimension: about__domain__billing__first_seen_time__seconds { - type: number - sql: ${TABLE}.about.domain.billing.first_seen_time.seconds ;; - group_label: "About Domain Billing First Seen Time" - group_item_label: "Seconds" - } - - dimension: about__domain__billing__group_identifiers { - hidden: yes - sql: ${TABLE}.about.domain.billing.group_identifiers ;; - group_label: "About Domain Billing" - group_item_label: "Group Identifiers" - } - - dimension: about__domain__billing__groupid { - type: string - sql: ${TABLE}.about.domain.billing.groupid ;; - group_label: "About Domain 
Billing" - group_item_label: "Groupid" - } - - dimension: about__domain__billing__hire_date__nanos { - type: number - sql: ${TABLE}.about.domain.billing.hire_date.nanos ;; - group_label: "About Domain Billing Hire Date" - group_item_label: "Nanos" - } - - dimension: about__domain__billing__hire_date__seconds { - type: number - sql: ${TABLE}.about.domain.billing.hire_date.seconds ;; - group_label: "About Domain Billing Hire Date" - group_item_label: "Seconds" - } - - dimension: about__domain__billing__last_name { - type: string - sql: ${TABLE}.about.domain.billing.last_name ;; - group_label: "About Domain Billing" - group_item_label: "Last Name" - } - - dimension: about__domain__billing__middle_name { - type: string - sql: ${TABLE}.about.domain.billing.middle_name ;; - group_label: "About Domain Billing" - group_item_label: "Middle Name" - } - - dimension: about__domain__billing__office_address__city { - type: string - sql: ${TABLE}.about.domain.billing.office_address.city ;; - group_label: "About Domain Billing Office Address" - group_item_label: "City" - } - - dimension: about__domain__billing__office_address__country_or_region { - type: string - sql: ${TABLE}.about.domain.billing.office_address.country_or_region ;; - group_label: "About Domain Billing Office Address" - group_item_label: "Country or Region" - } - - dimension: about__domain__billing__office_address__desk_name { - type: string - sql: ${TABLE}.about.domain.billing.office_address.desk_name ;; - group_label: "About Domain Billing Office Address" - group_item_label: "Desk Name" - } - - dimension: about__domain__billing__office_address__floor_name { - type: string - sql: ${TABLE}.about.domain.billing.office_address.floor_name ;; - group_label: "About Domain Billing Office Address" - group_item_label: "Floor Name" - } - - dimension: about__domain__billing__office_address__name { - type: string - sql: ${TABLE}.about.domain.billing.office_address.name ;; - group_label: "About Domain Billing Office Address" 
- group_item_label: "Name" - } - - dimension: about__domain__billing__office_address__region_latitude { - type: number - sql: ${TABLE}.about.domain.billing.office_address.region_latitude ;; - group_label: "About Domain Billing Office Address" - group_item_label: "Region Latitude" - } - - dimension: about__domain__billing__office_address__region_longitude { - type: number - sql: ${TABLE}.about.domain.billing.office_address.region_longitude ;; - group_label: "About Domain Billing Office Address" - group_item_label: "Region Longitude" - } - - dimension: about__domain__billing__office_address__state { - type: string - sql: ${TABLE}.about.domain.billing.office_address.state ;; - group_label: "About Domain Billing Office Address" - group_item_label: "State" - } - - dimension: about__domain__billing__personal_address__city { - type: string - sql: ${TABLE}.about.domain.billing.personal_address.city ;; - group_label: "About Domain Billing Personal Address" - group_item_label: "City" - } - - dimension: about__domain__billing__personal_address__country_or_region { - type: string - sql: ${TABLE}.about.domain.billing.personal_address.country_or_region ;; - group_label: "About Domain Billing Personal Address" - group_item_label: "Country or Region" - } - - dimension: about__domain__billing__personal_address__desk_name { - type: string - sql: ${TABLE}.about.domain.billing.personal_address.desk_name ;; - group_label: "About Domain Billing Personal Address" - group_item_label: "Desk Name" - } - - dimension: about__domain__billing__personal_address__floor_name { - type: string - sql: ${TABLE}.about.domain.billing.personal_address.floor_name ;; - group_label: "About Domain Billing Personal Address" - group_item_label: "Floor Name" - } - - dimension: about__domain__billing__personal_address__name { - type: string - sql: ${TABLE}.about.domain.billing.personal_address.name ;; - group_label: "About Domain Billing Personal Address" - group_item_label: "Name" - } - - dimension: 
about__domain__billing__personal_address__region_latitude { - type: number - sql: ${TABLE}.about.domain.billing.personal_address.region_latitude ;; - group_label: "About Domain Billing Personal Address" - group_item_label: "Region Latitude" - } - - dimension: about__domain__billing__personal_address__region_longitude { - type: number - sql: ${TABLE}.about.domain.billing.personal_address.region_longitude ;; - group_label: "About Domain Billing Personal Address" - group_item_label: "Region Longitude" - } - - dimension: about__domain__billing__personal_address__state { - type: string - sql: ${TABLE}.about.domain.billing.personal_address.state ;; - group_label: "About Domain Billing Personal Address" - group_item_label: "State" - } - - dimension: about__domain__billing__phone_numbers { - hidden: yes - sql: ${TABLE}.about.domain.billing.phone_numbers ;; - group_label: "About Domain Billing" - group_item_label: "Phone Numbers" - } - - dimension: about__domain__billing__product_object_id { - type: string - sql: ${TABLE}.about.domain.billing.product_object_id ;; - group_label: "About Domain Billing" - group_item_label: "Product Object ID" - } - - dimension: about__domain__billing__role_description { - type: string - sql: ${TABLE}.about.domain.billing.role_description ;; - group_label: "About Domain Billing" - group_item_label: "Role Description" - } - - dimension: about__domain__billing__role_name { - type: string - sql: ${TABLE}.about.domain.billing.role_name ;; - group_label: "About Domain Billing" - group_item_label: "Role Name" - } - - dimension: about__domain__billing__termination_date__nanos { - type: number - sql: ${TABLE}.about.domain.billing.termination_date.nanos ;; - group_label: "About Domain Billing Termination Date" - group_item_label: "Nanos" - } - - dimension: about__domain__billing__termination_date__seconds { - type: number - sql: ${TABLE}.about.domain.billing.termination_date.seconds ;; - group_label: "About Domain Billing Termination Date" - 
group_item_label: "Seconds" - } - - dimension: about__domain__billing__time_off { - hidden: yes - sql: ${TABLE}.about.domain.billing.time_off ;; - group_label: "About Domain Billing" - group_item_label: "Time Off" - } - - dimension: about__domain__billing__title { - type: string - sql: ${TABLE}.about.domain.billing.title ;; - group_label: "About Domain Billing" - group_item_label: "Title" - } - - dimension: about__domain__billing__user_authentication_status { - type: number - sql: ${TABLE}.about.domain.billing.user_authentication_status ;; - group_label: "About Domain Billing" - group_item_label: "User Authentication Status" - } - - dimension: about__domain__billing__user_display_name { - type: string - sql: ${TABLE}.about.domain.billing.user_display_name ;; - group_label: "About Domain Billing" - group_item_label: "User Display Name" - } - - dimension: about__domain__billing__user_role { - type: number - sql: ${TABLE}.about.domain.billing.user_role ;; - group_label: "About Domain Billing" - group_item_label: "User Role" - } - - dimension: about__domain__billing__userid { - type: string - sql: ${TABLE}.about.domain.billing.userid ;; - group_label: "About Domain Billing" - group_item_label: "Userid" - } - - dimension: about__domain__billing__windows_sid { - type: string - sql: ${TABLE}.about.domain.billing.windows_sid ;; - group_label: "About Domain Billing" - group_item_label: "Windows Sid" - } - - dimension: about__domain__contact_email { - type: string - sql: ${TABLE}.about.domain.contact_email ;; - group_label: "About Domain" - group_item_label: "Contact Email" - } - - dimension: about__domain__creation_time__nanos { - type: number - sql: ${TABLE}.about.domain.creation_time.nanos ;; - group_label: "About Domain Creation Time" - group_item_label: "Nanos" - } - - dimension: about__domain__creation_time__seconds { - type: number - sql: ${TABLE}.about.domain.creation_time.seconds ;; - group_label: "About Domain Creation Time" - group_item_label: "Seconds" - } - - 
dimension: about__domain__expiration_time__nanos { - type: number - sql: ${TABLE}.about.domain.expiration_time.nanos ;; - group_label: "About Domain Expiration Time" - group_item_label: "Nanos" - } - - dimension: about__domain__expiration_time__seconds { - type: number - sql: ${TABLE}.about.domain.expiration_time.seconds ;; - group_label: "About Domain Expiration Time" - group_item_label: "Seconds" - } - - dimension: about__domain__first_seen_time__nanos { - type: number - sql: ${TABLE}.about.domain.first_seen_time.nanos ;; - group_label: "About Domain First Seen Time" - group_item_label: "Nanos" - } - - dimension: about__domain__first_seen_time__seconds { - type: number - sql: ${TABLE}.about.domain.first_seen_time.seconds ;; - group_label: "About Domain First Seen Time" - group_item_label: "Seconds" - } - - dimension: about__domain__iana_registrar_id { - type: number - sql: ${TABLE}.about.domain.iana_registrar_id ;; - group_label: "About Domain" - group_item_label: "Iana Registrar ID" - } - - dimension: about__domain__last_seen_time__nanos { - type: number - sql: ${TABLE}.about.domain.last_seen_time.nanos ;; - group_label: "About Domain Last Seen Time" - group_item_label: "Nanos" - } - - dimension: about__domain__last_seen_time__seconds { - type: number - sql: ${TABLE}.about.domain.last_seen_time.seconds ;; - group_label: "About Domain Last Seen Time" - group_item_label: "Seconds" - } - - dimension: about__domain__name { - type: string - sql: ${TABLE}.about.domain.name ;; - group_label: "About Domain" - group_item_label: "Name" - } - - dimension: about__domain__name_server { - hidden: yes - sql: ${TABLE}.about.domain.name_server ;; - group_label: "About Domain" - group_item_label: "Name Server" - } - - dimension: about__domain__prevalence__day_count { - type: number - sql: ${TABLE}.about.domain.prevalence.day_count ;; - group_label: "About Domain Prevalence" - group_item_label: "Day Count" - } - - dimension: about__domain__prevalence__day_max { - type: number - 
sql: ${TABLE}.about.domain.prevalence.day_max ;; - group_label: "About Domain Prevalence" - group_item_label: "Day Max" - } - - dimension: about__domain__prevalence__day_max_sub_domains { - type: number - sql: ${TABLE}.about.domain.prevalence.day_max_sub_domains ;; - group_label: "About Domain Prevalence" - group_item_label: "Day Max Sub Domains" - } - - dimension: about__domain__prevalence__rolling_max { - type: number - sql: ${TABLE}.about.domain.prevalence.rolling_max ;; - group_label: "About Domain Prevalence" - group_item_label: "Rolling Max" - } - - dimension: about__domain__prevalence__rolling_max_sub_domains { - type: number - sql: ${TABLE}.about.domain.prevalence.rolling_max_sub_domains ;; - group_label: "About Domain Prevalence" - group_item_label: "Rolling Max Sub Domains" - } - - dimension: about__domain__private_registration { - type: yesno - sql: ${TABLE}.about.domain.private_registration ;; - group_label: "About Domain" - group_item_label: "Private Registration" - } - - dimension: about__domain__registrant__account_type { - type: number - sql: ${TABLE}.about.domain.registrant.account_type ;; - group_label: "About Domain Registrant" - group_item_label: "Account Type" - } - - dimension: about__domain__registrant__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.about.domain.registrant.attribute.cloud.availability_zone ;; - group_label: "About Domain Registrant Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: about__domain__registrant__attribute__cloud__environment { - type: number - sql: ${TABLE}.about.domain.registrant.attribute.cloud.environment ;; - group_label: "About Domain Registrant Attribute Cloud" - group_item_label: "Environment" - } - - dimension: about__domain__registrant__attribute__cloud__project__id { - type: string - sql: ${TABLE}.about.domain.registrant.attribute.cloud.project.id ;; - group_label: "About Domain Registrant Attribute Cloud Project" - group_item_label: "ID" - } - - dimension: 
about__domain__registrant__attribute__cloud__project__name { - type: string - sql: ${TABLE}.about.domain.registrant.attribute.cloud.project.name ;; - group_label: "About Domain Registrant Attribute Cloud Project" - group_item_label: "Name" - } - - dimension: about__domain__registrant__attribute__cloud__project__parent { - type: string - sql: ${TABLE}.about.domain.registrant.attribute.cloud.project.parent ;; - group_label: "About Domain Registrant Attribute Cloud Project" - group_item_label: "Parent" - } - - dimension: about__domain__registrant__attribute__cloud__project__product_object_id { - type: string - sql: ${TABLE}.about.domain.registrant.attribute.cloud.project.product_object_id ;; - group_label: "About Domain Registrant Attribute Cloud Project" - group_item_label: "Product Object ID" - } - - dimension: about__domain__registrant__attribute__cloud__project__resource_subtype { - type: string - sql: ${TABLE}.about.domain.registrant.attribute.cloud.project.resource_subtype ;; - group_label: "About Domain Registrant Attribute Cloud Project" - group_item_label: "Resource Subtype" - } - - dimension: about__domain__registrant__attribute__cloud__project__resource_type { - type: number - sql: ${TABLE}.about.domain.registrant.attribute.cloud.project.resource_type ;; - group_label: "About Domain Registrant Attribute Cloud Project" - group_item_label: "Resource Type" - } - - dimension: about__domain__registrant__attribute__cloud__project__type { - type: string - sql: ${TABLE}.about.domain.registrant.attribute.cloud.project.type ;; - group_label: "About Domain Registrant Attribute Cloud Project" - group_item_label: "Type" - } - - dimension: about__domain__registrant__attribute__cloud__vpc__id { - type: string - sql: ${TABLE}.about.domain.registrant.attribute.cloud.vpc.id ;; - group_label: "About Domain Registrant Attribute Cloud Vpc" - group_item_label: "ID" - } - - dimension: about__domain__registrant__attribute__cloud__vpc__name { - type: string - sql: 
${TABLE}.about.domain.registrant.attribute.cloud.vpc.name ;; - group_label: "About Domain Registrant Attribute Cloud Vpc" - group_item_label: "Name" - } - - dimension: about__domain__registrant__attribute__cloud__vpc__parent { - type: string - sql: ${TABLE}.about.domain.registrant.attribute.cloud.vpc.parent ;; - group_label: "About Domain Registrant Attribute Cloud Vpc" - group_item_label: "Parent" - } - - dimension: about__domain__registrant__attribute__cloud__vpc__product_object_id { - type: string - sql: ${TABLE}.about.domain.registrant.attribute.cloud.vpc.product_object_id ;; - group_label: "About Domain Registrant Attribute Cloud Vpc" - group_item_label: "Product Object ID" - } - - dimension: about__domain__registrant__attribute__cloud__vpc__resource_subtype { - type: string - sql: ${TABLE}.about.domain.registrant.attribute.cloud.vpc.resource_subtype ;; - group_label: "About Domain Registrant Attribute Cloud Vpc" - group_item_label: "Resource Subtype" - } - - dimension: about__domain__registrant__attribute__cloud__vpc__resource_type { - type: number - sql: ${TABLE}.about.domain.registrant.attribute.cloud.vpc.resource_type ;; - group_label: "About Domain Registrant Attribute Cloud Vpc" - group_item_label: "Resource Type" - } - - dimension: about__domain__registrant__attribute__cloud__vpc__type { - type: string - sql: ${TABLE}.about.domain.registrant.attribute.cloud.vpc.type ;; - group_label: "About Domain Registrant Attribute Cloud Vpc" - group_item_label: "Type" - } - - dimension: about__domain__registrant__attribute__creation_time__nanos { - type: number - sql: ${TABLE}.about.domain.registrant.attribute.creation_time.nanos ;; - group_label: "About Domain Registrant Attribute Creation Time" - group_item_label: "Nanos" - } - - dimension: about__domain__registrant__attribute__creation_time__seconds { - type: number - sql: ${TABLE}.about.domain.registrant.attribute.creation_time.seconds ;; - group_label: "About Domain Registrant Attribute Creation Time" - 
group_item_label: "Seconds" - } - - dimension: about__domain__registrant__attribute__labels { - hidden: yes - sql: ${TABLE}.about.domain.registrant.attribute.labels ;; - group_label: "About Domain Registrant Attribute" - group_item_label: "Labels" - } - - dimension: about__domain__registrant__attribute__last_update_time__nanos { - type: number - sql: ${TABLE}.about.domain.registrant.attribute.last_update_time.nanos ;; - group_label: "About Domain Registrant Attribute Last Update Time" - group_item_label: "Nanos" - } - - dimension: about__domain__registrant__attribute__last_update_time__seconds { - type: number - sql: ${TABLE}.about.domain.registrant.attribute.last_update_time.seconds ;; - group_label: "About Domain Registrant Attribute Last Update Time" - group_item_label: "Seconds" - } - - dimension: about__domain__registrant__attribute__permissions { - hidden: yes - sql: ${TABLE}.about.domain.registrant.attribute.permissions ;; - group_label: "About Domain Registrant Attribute" - group_item_label: "Permissions" - } - - dimension: about__domain__registrant__attribute__roles { - hidden: yes - sql: ${TABLE}.about.domain.registrant.attribute.roles ;; - group_label: "About Domain Registrant Attribute" - group_item_label: "Roles" - } - - dimension: about__domain__registrant__company_name { - type: string - sql: ${TABLE}.about.domain.registrant.company_name ;; - group_label: "About Domain Registrant" - group_item_label: "Company Name" - } - - dimension: about__domain__registrant__department { - hidden: yes - sql: ${TABLE}.about.domain.registrant.department ;; - group_label: "About Domain Registrant" - group_item_label: "Department" - } - - dimension: about__domain__registrant__email_addresses { - hidden: yes - sql: ${TABLE}.about.domain.registrant.email_addresses ;; - group_label: "About Domain Registrant" - group_item_label: "Email Addresses" - } - - dimension: about__domain__registrant__employee_id { - type: string - sql: ${TABLE}.about.domain.registrant.employee_id 
;; - group_label: "About Domain Registrant" - group_item_label: "Employee ID" - } - - dimension: about__domain__registrant__first_name { - type: string - sql: ${TABLE}.about.domain.registrant.first_name ;; - group_label: "About Domain Registrant" - group_item_label: "First Name" - } - - dimension: about__domain__registrant__first_seen_time__nanos { - type: number - sql: ${TABLE}.about.domain.registrant.first_seen_time.nanos ;; - group_label: "About Domain Registrant First Seen Time" - group_item_label: "Nanos" - } - - dimension: about__domain__registrant__first_seen_time__seconds { - type: number - sql: ${TABLE}.about.domain.registrant.first_seen_time.seconds ;; - group_label: "About Domain Registrant First Seen Time" - group_item_label: "Seconds" - } - - dimension: about__domain__registrant__group_identifiers { - hidden: yes - sql: ${TABLE}.about.domain.registrant.group_identifiers ;; - group_label: "About Domain Registrant" - group_item_label: "Group Identifiers" - } - - dimension: about__domain__registrant__groupid { - type: string - sql: ${TABLE}.about.domain.registrant.groupid ;; - group_label: "About Domain Registrant" - group_item_label: "Groupid" - } - - dimension: about__domain__registrant__hire_date__nanos { - type: number - sql: ${TABLE}.about.domain.registrant.hire_date.nanos ;; - group_label: "About Domain Registrant Hire Date" - group_item_label: "Nanos" - } - - dimension: about__domain__registrant__hire_date__seconds { - type: number - sql: ${TABLE}.about.domain.registrant.hire_date.seconds ;; - group_label: "About Domain Registrant Hire Date" - group_item_label: "Seconds" - } - - dimension: about__domain__registrant__last_name { - type: string - sql: ${TABLE}.about.domain.registrant.last_name ;; - group_label: "About Domain Registrant" - group_item_label: "Last Name" - } - - dimension: about__domain__registrant__middle_name { - type: string - sql: ${TABLE}.about.domain.registrant.middle_name ;; - group_label: "About Domain Registrant" - 
group_item_label: "Middle Name" - } - - dimension: about__domain__registrant__office_address__city { - type: string - sql: ${TABLE}.about.domain.registrant.office_address.city ;; - group_label: "About Domain Registrant Office Address" - group_item_label: "City" - } - - dimension: about__domain__registrant__office_address__country_or_region { - type: string - sql: ${TABLE}.about.domain.registrant.office_address.country_or_region ;; - group_label: "About Domain Registrant Office Address" - group_item_label: "Country or Region" - } - - dimension: about__domain__registrant__office_address__desk_name { - type: string - sql: ${TABLE}.about.domain.registrant.office_address.desk_name ;; - group_label: "About Domain Registrant Office Address" - group_item_label: "Desk Name" - } - - dimension: about__domain__registrant__office_address__floor_name { - type: string - sql: ${TABLE}.about.domain.registrant.office_address.floor_name ;; - group_label: "About Domain Registrant Office Address" - group_item_label: "Floor Name" - } - - dimension: about__domain__registrant__office_address__name { - type: string - sql: ${TABLE}.about.domain.registrant.office_address.name ;; - group_label: "About Domain Registrant Office Address" - group_item_label: "Name" - } - - dimension: about__domain__registrant__office_address__region_latitude { - type: number - sql: ${TABLE}.about.domain.registrant.office_address.region_latitude ;; - group_label: "About Domain Registrant Office Address" - group_item_label: "Region Latitude" - } - - dimension: about__domain__registrant__office_address__region_longitude { - type: number - sql: ${TABLE}.about.domain.registrant.office_address.region_longitude ;; - group_label: "About Domain Registrant Office Address" - group_item_label: "Region Longitude" - } - - dimension: about__domain__registrant__office_address__state { - type: string - sql: ${TABLE}.about.domain.registrant.office_address.state ;; - group_label: "About Domain Registrant Office Address" - 
group_item_label: "State" - } - - dimension: about__domain__registrant__personal_address__city { - type: string - sql: ${TABLE}.about.domain.registrant.personal_address.city ;; - group_label: "About Domain Registrant Personal Address" - group_item_label: "City" - } - - dimension: about__domain__registrant__personal_address__country_or_region { - type: string - sql: ${TABLE}.about.domain.registrant.personal_address.country_or_region ;; - group_label: "About Domain Registrant Personal Address" - group_item_label: "Country or Region" - } - - dimension: about__domain__registrant__personal_address__desk_name { - type: string - sql: ${TABLE}.about.domain.registrant.personal_address.desk_name ;; - group_label: "About Domain Registrant Personal Address" - group_item_label: "Desk Name" - } - - dimension: about__domain__registrant__personal_address__floor_name { - type: string - sql: ${TABLE}.about.domain.registrant.personal_address.floor_name ;; - group_label: "About Domain Registrant Personal Address" - group_item_label: "Floor Name" - } - - dimension: about__domain__registrant__personal_address__name { - type: string - sql: ${TABLE}.about.domain.registrant.personal_address.name ;; - group_label: "About Domain Registrant Personal Address" - group_item_label: "Name" - } - - dimension: about__domain__registrant__personal_address__region_latitude { - type: number - sql: ${TABLE}.about.domain.registrant.personal_address.region_latitude ;; - group_label: "About Domain Registrant Personal Address" - group_item_label: "Region Latitude" - } - - dimension: about__domain__registrant__personal_address__region_longitude { - type: number - sql: ${TABLE}.about.domain.registrant.personal_address.region_longitude ;; - group_label: "About Domain Registrant Personal Address" - group_item_label: "Region Longitude" - } - - dimension: about__domain__registrant__personal_address__state { - type: string - sql: ${TABLE}.about.domain.registrant.personal_address.state ;; - group_label: "About 
Domain Registrant Personal Address" - group_item_label: "State" - } - - dimension: about__domain__registrant__phone_numbers { - hidden: yes - sql: ${TABLE}.about.domain.registrant.phone_numbers ;; - group_label: "About Domain Registrant" - group_item_label: "Phone Numbers" - } - - dimension: about__domain__registrant__product_object_id { - type: string - sql: ${TABLE}.about.domain.registrant.product_object_id ;; - group_label: "About Domain Registrant" - group_item_label: "Product Object ID" - } - - dimension: about__domain__registrant__role_description { - type: string - sql: ${TABLE}.about.domain.registrant.role_description ;; - group_label: "About Domain Registrant" - group_item_label: "Role Description" - } - - dimension: about__domain__registrant__role_name { - type: string - sql: ${TABLE}.about.domain.registrant.role_name ;; - group_label: "About Domain Registrant" - group_item_label: "Role Name" - } - - dimension: about__domain__registrant__termination_date__nanos { - type: number - sql: ${TABLE}.about.domain.registrant.termination_date.nanos ;; - group_label: "About Domain Registrant Termination Date" - group_item_label: "Nanos" - } - - dimension: about__domain__registrant__termination_date__seconds { - type: number - sql: ${TABLE}.about.domain.registrant.termination_date.seconds ;; - group_label: "About Domain Registrant Termination Date" - group_item_label: "Seconds" - } - - dimension: about__domain__registrant__time_off { - hidden: yes - sql: ${TABLE}.about.domain.registrant.time_off ;; - group_label: "About Domain Registrant" - group_item_label: "Time Off" - } - - dimension: about__domain__registrant__title { - type: string - sql: ${TABLE}.about.domain.registrant.title ;; - group_label: "About Domain Registrant" - group_item_label: "Title" - } - - dimension: about__domain__registrant__user_authentication_status { - type: number - sql: ${TABLE}.about.domain.registrant.user_authentication_status ;; - group_label: "About Domain Registrant" - 
group_item_label: "User Authentication Status" - } - - dimension: about__domain__registrant__user_display_name { - type: string - sql: ${TABLE}.about.domain.registrant.user_display_name ;; - group_label: "About Domain Registrant" - group_item_label: "User Display Name" - } - - dimension: about__domain__registrant__user_role { - type: number - sql: ${TABLE}.about.domain.registrant.user_role ;; - group_label: "About Domain Registrant" - group_item_label: "User Role" - } - - dimension: about__domain__registrant__userid { - type: string - sql: ${TABLE}.about.domain.registrant.userid ;; - group_label: "About Domain Registrant" - group_item_label: "Userid" - } - - dimension: about__domain__registrant__windows_sid { - type: string - sql: ${TABLE}.about.domain.registrant.windows_sid ;; - group_label: "About Domain Registrant" - group_item_label: "Windows Sid" - } - - dimension: about__domain__registrar { - type: string - sql: ${TABLE}.about.domain.registrar ;; - group_label: "About Domain" - group_item_label: "Registrar" - } - - dimension: about__domain__registry_data_raw_text { - type: string - sql: ${TABLE}.about.domain.registry_data_raw_text ;; - group_label: "About Domain" - group_item_label: "Registry Data Raw Text" - } - - dimension: about__domain__status { - type: string - sql: ${TABLE}.about.domain.status ;; - group_label: "About Domain" - group_item_label: "Status" - } - - dimension: about__domain__tech__account_type { - type: number - sql: ${TABLE}.about.domain.tech.account_type ;; - group_label: "About Domain Tech" - group_item_label: "Account Type" - } - - dimension: about__domain__tech__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.about.domain.tech.attribute.cloud.availability_zone ;; - group_label: "About Domain Tech Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: about__domain__tech__attribute__cloud__environment { - type: number - sql: ${TABLE}.about.domain.tech.attribute.cloud.environment ;; - 
group_label: "About Domain Tech Attribute Cloud" - group_item_label: "Environment" - } - - dimension: about__domain__tech__attribute__cloud__project__id { - type: string - sql: ${TABLE}.about.domain.tech.attribute.cloud.project.id ;; - group_label: "About Domain Tech Attribute Cloud Project" - group_item_label: "ID" - } - - dimension: about__domain__tech__attribute__cloud__project__name { - type: string - sql: ${TABLE}.about.domain.tech.attribute.cloud.project.name ;; - group_label: "About Domain Tech Attribute Cloud Project" - group_item_label: "Name" - } - - dimension: about__domain__tech__attribute__cloud__project__parent { - type: string - sql: ${TABLE}.about.domain.tech.attribute.cloud.project.parent ;; - group_label: "About Domain Tech Attribute Cloud Project" - group_item_label: "Parent" - } - - dimension: about__domain__tech__attribute__cloud__project__product_object_id { - type: string - sql: ${TABLE}.about.domain.tech.attribute.cloud.project.product_object_id ;; - group_label: "About Domain Tech Attribute Cloud Project" - group_item_label: "Product Object ID" - } - - dimension: about__domain__tech__attribute__cloud__project__resource_subtype { - type: string - sql: ${TABLE}.about.domain.tech.attribute.cloud.project.resource_subtype ;; - group_label: "About Domain Tech Attribute Cloud Project" - group_item_label: "Resource Subtype" - } - - dimension: about__domain__tech__attribute__cloud__project__resource_type { - type: number - sql: ${TABLE}.about.domain.tech.attribute.cloud.project.resource_type ;; - group_label: "About Domain Tech Attribute Cloud Project" - group_item_label: "Resource Type" - } - - dimension: about__domain__tech__attribute__cloud__project__type { - type: string - sql: ${TABLE}.about.domain.tech.attribute.cloud.project.type ;; - group_label: "About Domain Tech Attribute Cloud Project" - group_item_label: "Type" - } - - dimension: about__domain__tech__attribute__cloud__vpc__id { - type: string - sql: 
${TABLE}.about.domain.tech.attribute.cloud.vpc.id ;; - group_label: "About Domain Tech Attribute Cloud Vpc" - group_item_label: "ID" - } - - dimension: about__domain__tech__attribute__cloud__vpc__name { - type: string - sql: ${TABLE}.about.domain.tech.attribute.cloud.vpc.name ;; - group_label: "About Domain Tech Attribute Cloud Vpc" - group_item_label: "Name" - } - - dimension: about__domain__tech__attribute__cloud__vpc__parent { - type: string - sql: ${TABLE}.about.domain.tech.attribute.cloud.vpc.parent ;; - group_label: "About Domain Tech Attribute Cloud Vpc" - group_item_label: "Parent" - } - - dimension: about__domain__tech__attribute__cloud__vpc__product_object_id { - type: string - sql: ${TABLE}.about.domain.tech.attribute.cloud.vpc.product_object_id ;; - group_label: "About Domain Tech Attribute Cloud Vpc" - group_item_label: "Product Object ID" - } - - dimension: about__domain__tech__attribute__cloud__vpc__resource_subtype { - type: string - sql: ${TABLE}.about.domain.tech.attribute.cloud.vpc.resource_subtype ;; - group_label: "About Domain Tech Attribute Cloud Vpc" - group_item_label: "Resource Subtype" - } - - dimension: about__domain__tech__attribute__cloud__vpc__resource_type { - type: number - sql: ${TABLE}.about.domain.tech.attribute.cloud.vpc.resource_type ;; - group_label: "About Domain Tech Attribute Cloud Vpc" - group_item_label: "Resource Type" - } - - dimension: about__domain__tech__attribute__cloud__vpc__type { - type: string - sql: ${TABLE}.about.domain.tech.attribute.cloud.vpc.type ;; - group_label: "About Domain Tech Attribute Cloud Vpc" - group_item_label: "Type" - } - - dimension: about__domain__tech__attribute__creation_time__nanos { - type: number - sql: ${TABLE}.about.domain.tech.attribute.creation_time.nanos ;; - group_label: "About Domain Tech Attribute Creation Time" - group_item_label: "Nanos" - } - - dimension: about__domain__tech__attribute__creation_time__seconds { - type: number - sql: 
${TABLE}.about.domain.tech.attribute.creation_time.seconds ;; - group_label: "About Domain Tech Attribute Creation Time" - group_item_label: "Seconds" - } - - dimension: about__domain__tech__attribute__labels { - hidden: yes - sql: ${TABLE}.about.domain.tech.attribute.labels ;; - group_label: "About Domain Tech Attribute" - group_item_label: "Labels" - } - - dimension: about__domain__tech__attribute__last_update_time__nanos { - type: number - sql: ${TABLE}.about.domain.tech.attribute.last_update_time.nanos ;; - group_label: "About Domain Tech Attribute Last Update Time" - group_item_label: "Nanos" - } - - dimension: about__domain__tech__attribute__last_update_time__seconds { - type: number - sql: ${TABLE}.about.domain.tech.attribute.last_update_time.seconds ;; - group_label: "About Domain Tech Attribute Last Update Time" - group_item_label: "Seconds" - } - - dimension: about__domain__tech__attribute__permissions { - hidden: yes - sql: ${TABLE}.about.domain.tech.attribute.permissions ;; - group_label: "About Domain Tech Attribute" - group_item_label: "Permissions" - } - - dimension: about__domain__tech__attribute__roles { - hidden: yes - sql: ${TABLE}.about.domain.tech.attribute.roles ;; - group_label: "About Domain Tech Attribute" - group_item_label: "Roles" - } - - dimension: about__domain__tech__company_name { - type: string - sql: ${TABLE}.about.domain.tech.company_name ;; - group_label: "About Domain Tech" - group_item_label: "Company Name" - } - - dimension: about__domain__tech__department { - hidden: yes - sql: ${TABLE}.about.domain.tech.department ;; - group_label: "About Domain Tech" - group_item_label: "Department" - } - - dimension: about__domain__tech__email_addresses { - hidden: yes - sql: ${TABLE}.about.domain.tech.email_addresses ;; - group_label: "About Domain Tech" - group_item_label: "Email Addresses" - } - - dimension: about__domain__tech__employee_id { - type: string - sql: ${TABLE}.about.domain.tech.employee_id ;; - group_label: "About Domain 
Tech" - group_item_label: "Employee ID" - } - - dimension: about__domain__tech__first_name { - type: string - sql: ${TABLE}.about.domain.tech.first_name ;; - group_label: "About Domain Tech" - group_item_label: "First Name" - } - - dimension: about__domain__tech__first_seen_time__nanos { - type: number - sql: ${TABLE}.about.domain.tech.first_seen_time.nanos ;; - group_label: "About Domain Tech First Seen Time" - group_item_label: "Nanos" - } - - dimension: about__domain__tech__first_seen_time__seconds { - type: number - sql: ${TABLE}.about.domain.tech.first_seen_time.seconds ;; - group_label: "About Domain Tech First Seen Time" - group_item_label: "Seconds" - } - - dimension: about__domain__tech__group_identifiers { - hidden: yes - sql: ${TABLE}.about.domain.tech.group_identifiers ;; - group_label: "About Domain Tech" - group_item_label: "Group Identifiers" - } - - dimension: about__domain__tech__groupid { - type: string - sql: ${TABLE}.about.domain.tech.groupid ;; - group_label: "About Domain Tech" - group_item_label: "Groupid" - } - - dimension: about__domain__tech__hire_date__nanos { - type: number - sql: ${TABLE}.about.domain.tech.hire_date.nanos ;; - group_label: "About Domain Tech Hire Date" - group_item_label: "Nanos" - } - - dimension: about__domain__tech__hire_date__seconds { - type: number - sql: ${TABLE}.about.domain.tech.hire_date.seconds ;; - group_label: "About Domain Tech Hire Date" - group_item_label: "Seconds" - } - - dimension: about__domain__tech__last_name { - type: string - sql: ${TABLE}.about.domain.tech.last_name ;; - group_label: "About Domain Tech" - group_item_label: "Last Name" - } - - dimension: about__domain__tech__middle_name { - type: string - sql: ${TABLE}.about.domain.tech.middle_name ;; - group_label: "About Domain Tech" - group_item_label: "Middle Name" - } - - dimension: about__domain__tech__office_address__city { - type: string - sql: ${TABLE}.about.domain.tech.office_address.city ;; - group_label: "About Domain Tech Office 
Address" - group_item_label: "City" - } - - dimension: about__domain__tech__office_address__country_or_region { - type: string - sql: ${TABLE}.about.domain.tech.office_address.country_or_region ;; - group_label: "About Domain Tech Office Address" - group_item_label: "Country or Region" - } - - dimension: about__domain__tech__office_address__desk_name { - type: string - sql: ${TABLE}.about.domain.tech.office_address.desk_name ;; - group_label: "About Domain Tech Office Address" - group_item_label: "Desk Name" - } - - dimension: about__domain__tech__office_address__floor_name { - type: string - sql: ${TABLE}.about.domain.tech.office_address.floor_name ;; - group_label: "About Domain Tech Office Address" - group_item_label: "Floor Name" - } - - dimension: about__domain__tech__office_address__name { - type: string - sql: ${TABLE}.about.domain.tech.office_address.name ;; - group_label: "About Domain Tech Office Address" - group_item_label: "Name" - } - - dimension: about__domain__tech__office_address__region_latitude { - type: number - sql: ${TABLE}.about.domain.tech.office_address.region_latitude ;; - group_label: "About Domain Tech Office Address" - group_item_label: "Region Latitude" - } - - dimension: about__domain__tech__office_address__region_longitude { - type: number - sql: ${TABLE}.about.domain.tech.office_address.region_longitude ;; - group_label: "About Domain Tech Office Address" - group_item_label: "Region Longitude" - } - - dimension: about__domain__tech__office_address__state { - type: string - sql: ${TABLE}.about.domain.tech.office_address.state ;; - group_label: "About Domain Tech Office Address" - group_item_label: "State" - } - - dimension: about__domain__tech__personal_address__city { - type: string - sql: ${TABLE}.about.domain.tech.personal_address.city ;; - group_label: "About Domain Tech Personal Address" - group_item_label: "City" - } - - dimension: about__domain__tech__personal_address__country_or_region { - type: string - sql: 
${TABLE}.about.domain.tech.personal_address.country_or_region ;; - group_label: "About Domain Tech Personal Address" - group_item_label: "Country or Region" - } - - dimension: about__domain__tech__personal_address__desk_name { - type: string - sql: ${TABLE}.about.domain.tech.personal_address.desk_name ;; - group_label: "About Domain Tech Personal Address" - group_item_label: "Desk Name" - } - - dimension: about__domain__tech__personal_address__floor_name { - type: string - sql: ${TABLE}.about.domain.tech.personal_address.floor_name ;; - group_label: "About Domain Tech Personal Address" - group_item_label: "Floor Name" - } - - dimension: about__domain__tech__personal_address__name { - type: string - sql: ${TABLE}.about.domain.tech.personal_address.name ;; - group_label: "About Domain Tech Personal Address" - group_item_label: "Name" - } - - dimension: about__domain__tech__personal_address__region_latitude { - type: number - sql: ${TABLE}.about.domain.tech.personal_address.region_latitude ;; - group_label: "About Domain Tech Personal Address" - group_item_label: "Region Latitude" - } - - dimension: about__domain__tech__personal_address__region_longitude { - type: number - sql: ${TABLE}.about.domain.tech.personal_address.region_longitude ;; - group_label: "About Domain Tech Personal Address" - group_item_label: "Region Longitude" - } - - dimension: about__domain__tech__personal_address__state { - type: string - sql: ${TABLE}.about.domain.tech.personal_address.state ;; - group_label: "About Domain Tech Personal Address" - group_item_label: "State" - } - - dimension: about__domain__tech__phone_numbers { - hidden: yes - sql: ${TABLE}.about.domain.tech.phone_numbers ;; - group_label: "About Domain Tech" - group_item_label: "Phone Numbers" - } - - dimension: about__domain__tech__product_object_id { - type: string - sql: ${TABLE}.about.domain.tech.product_object_id ;; - group_label: "About Domain Tech" - group_item_label: "Product Object ID" - } - - dimension: 
about__domain__tech__role_description { - type: string - sql: ${TABLE}.about.domain.tech.role_description ;; - group_label: "About Domain Tech" - group_item_label: "Role Description" - } - - dimension: about__domain__tech__role_name { - type: string - sql: ${TABLE}.about.domain.tech.role_name ;; - group_label: "About Domain Tech" - group_item_label: "Role Name" - } - - dimension: about__domain__tech__termination_date__nanos { - type: number - sql: ${TABLE}.about.domain.tech.termination_date.nanos ;; - group_label: "About Domain Tech Termination Date" - group_item_label: "Nanos" - } - - dimension: about__domain__tech__termination_date__seconds { - type: number - sql: ${TABLE}.about.domain.tech.termination_date.seconds ;; - group_label: "About Domain Tech Termination Date" - group_item_label: "Seconds" - } - - dimension: about__domain__tech__time_off { - hidden: yes - sql: ${TABLE}.about.domain.tech.time_off ;; - group_label: "About Domain Tech" - group_item_label: "Time Off" - } - - dimension: about__domain__tech__title { - type: string - sql: ${TABLE}.about.domain.tech.title ;; - group_label: "About Domain Tech" - group_item_label: "Title" - } - - dimension: about__domain__tech__user_authentication_status { - type: number - sql: ${TABLE}.about.domain.tech.user_authentication_status ;; - group_label: "About Domain Tech" - group_item_label: "User Authentication Status" - } - - dimension: about__domain__tech__user_display_name { - type: string - sql: ${TABLE}.about.domain.tech.user_display_name ;; - group_label: "About Domain Tech" - group_item_label: "User Display Name" - } - - dimension: about__domain__tech__user_role { - type: number - sql: ${TABLE}.about.domain.tech.user_role ;; - group_label: "About Domain Tech" - group_item_label: "User Role" - } - - dimension: about__domain__tech__userid { - type: string - sql: ${TABLE}.about.domain.tech.userid ;; - group_label: "About Domain Tech" - group_item_label: "Userid" - } - - dimension: about__domain__tech__windows_sid 
{ - type: string - sql: ${TABLE}.about.domain.tech.windows_sid ;; - group_label: "About Domain Tech" - group_item_label: "Windows Sid" - } - - dimension: about__domain__update_time__nanos { - type: number - sql: ${TABLE}.about.domain.update_time.nanos ;; - group_label: "About Domain Update Time" - group_item_label: "Nanos" - } - - dimension: about__domain__update_time__seconds { - type: number - sql: ${TABLE}.about.domain.update_time.seconds ;; - group_label: "About Domain Update Time" - group_item_label: "Seconds" - } - - dimension: about__domain__whois_record_raw_text { - type: string - sql: ${TABLE}.about.domain.whois_record_raw_text ;; - group_label: "About Domain" - group_item_label: "Whois Record Raw Text" - } - - dimension: about__domain__whois_server { - type: string - sql: ${TABLE}.about.domain.whois_server ;; - group_label: "About Domain" - group_item_label: "Whois Server" - } - - dimension: about__domain__zone__account_type { - type: number - sql: ${TABLE}.about.domain.zone.account_type ;; - group_label: "About Domain Zone" - group_item_label: "Account Type" - } - - dimension: about__domain__zone__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.about.domain.zone.attribute.cloud.availability_zone ;; - group_label: "About Domain Zone Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: about__domain__zone__attribute__cloud__environment { - type: number - sql: ${TABLE}.about.domain.zone.attribute.cloud.environment ;; - group_label: "About Domain Zone Attribute Cloud" - group_item_label: "Environment" - } - - dimension: about__domain__zone__attribute__cloud__project__id { - type: string - sql: ${TABLE}.about.domain.zone.attribute.cloud.project.id ;; - group_label: "About Domain Zone Attribute Cloud Project" - group_item_label: "ID" - } - - dimension: about__domain__zone__attribute__cloud__project__name { - type: string - sql: ${TABLE}.about.domain.zone.attribute.cloud.project.name ;; - group_label: "About Domain 
Zone Attribute Cloud Project" - group_item_label: "Name" - } - - dimension: about__domain__zone__attribute__cloud__project__parent { - type: string - sql: ${TABLE}.about.domain.zone.attribute.cloud.project.parent ;; - group_label: "About Domain Zone Attribute Cloud Project" - group_item_label: "Parent" - } - - dimension: about__domain__zone__attribute__cloud__project__product_object_id { - type: string - sql: ${TABLE}.about.domain.zone.attribute.cloud.project.product_object_id ;; - group_label: "About Domain Zone Attribute Cloud Project" - group_item_label: "Product Object ID" - } - - dimension: about__domain__zone__attribute__cloud__project__resource_subtype { - type: string - sql: ${TABLE}.about.domain.zone.attribute.cloud.project.resource_subtype ;; - group_label: "About Domain Zone Attribute Cloud Project" - group_item_label: "Resource Subtype" - } - - dimension: about__domain__zone__attribute__cloud__project__resource_type { - type: number - sql: ${TABLE}.about.domain.zone.attribute.cloud.project.resource_type ;; - group_label: "About Domain Zone Attribute Cloud Project" - group_item_label: "Resource Type" - } - - dimension: about__domain__zone__attribute__cloud__project__type { - type: string - sql: ${TABLE}.about.domain.zone.attribute.cloud.project.type ;; - group_label: "About Domain Zone Attribute Cloud Project" - group_item_label: "Type" - } - - dimension: about__domain__zone__attribute__cloud__vpc__id { - type: string - sql: ${TABLE}.about.domain.zone.attribute.cloud.vpc.id ;; - group_label: "About Domain Zone Attribute Cloud Vpc" - group_item_label: "ID" - } - - dimension: about__domain__zone__attribute__cloud__vpc__name { - type: string - sql: ${TABLE}.about.domain.zone.attribute.cloud.vpc.name ;; - group_label: "About Domain Zone Attribute Cloud Vpc" - group_item_label: "Name" - } - - dimension: about__domain__zone__attribute__cloud__vpc__parent { - type: string - sql: ${TABLE}.about.domain.zone.attribute.cloud.vpc.parent ;; - group_label: "About 
Domain Zone Attribute Cloud Vpc" - group_item_label: "Parent" - } - - dimension: about__domain__zone__attribute__cloud__vpc__product_object_id { - type: string - sql: ${TABLE}.about.domain.zone.attribute.cloud.vpc.product_object_id ;; - group_label: "About Domain Zone Attribute Cloud Vpc" - group_item_label: "Product Object ID" - } - - dimension: about__domain__zone__attribute__cloud__vpc__resource_subtype { - type: string - sql: ${TABLE}.about.domain.zone.attribute.cloud.vpc.resource_subtype ;; - group_label: "About Domain Zone Attribute Cloud Vpc" - group_item_label: "Resource Subtype" - } - - dimension: about__domain__zone__attribute__cloud__vpc__resource_type { - type: number - sql: ${TABLE}.about.domain.zone.attribute.cloud.vpc.resource_type ;; - group_label: "About Domain Zone Attribute Cloud Vpc" - group_item_label: "Resource Type" - } - - dimension: about__domain__zone__attribute__cloud__vpc__type { - type: string - sql: ${TABLE}.about.domain.zone.attribute.cloud.vpc.type ;; - group_label: "About Domain Zone Attribute Cloud Vpc" - group_item_label: "Type" - } - - dimension: about__domain__zone__attribute__creation_time__nanos { - type: number - sql: ${TABLE}.about.domain.zone.attribute.creation_time.nanos ;; - group_label: "About Domain Zone Attribute Creation Time" - group_item_label: "Nanos" - } - - dimension: about__domain__zone__attribute__creation_time__seconds { - type: number - sql: ${TABLE}.about.domain.zone.attribute.creation_time.seconds ;; - group_label: "About Domain Zone Attribute Creation Time" - group_item_label: "Seconds" - } - - dimension: about__domain__zone__attribute__labels { - hidden: yes - sql: ${TABLE}.about.domain.zone.attribute.labels ;; - group_label: "About Domain Zone Attribute" - group_item_label: "Labels" - } - - dimension: about__domain__zone__attribute__last_update_time__nanos { - type: number - sql: ${TABLE}.about.domain.zone.attribute.last_update_time.nanos ;; - group_label: "About Domain Zone Attribute Last Update Time" - 
group_item_label: "Nanos" - } - - dimension: about__domain__zone__attribute__last_update_time__seconds { - type: number - sql: ${TABLE}.about.domain.zone.attribute.last_update_time.seconds ;; - group_label: "About Domain Zone Attribute Last Update Time" - group_item_label: "Seconds" - } - - dimension: about__domain__zone__attribute__permissions { - hidden: yes - sql: ${TABLE}.about.domain.zone.attribute.permissions ;; - group_label: "About Domain Zone Attribute" - group_item_label: "Permissions" - } - - dimension: about__domain__zone__attribute__roles { - hidden: yes - sql: ${TABLE}.about.domain.zone.attribute.roles ;; - group_label: "About Domain Zone Attribute" - group_item_label: "Roles" - } - - dimension: about__domain__zone__company_name { - type: string - sql: ${TABLE}.about.domain.zone.company_name ;; - group_label: "About Domain Zone" - group_item_label: "Company Name" - } - - dimension: about__domain__zone__department { - hidden: yes - sql: ${TABLE}.about.domain.zone.department ;; - group_label: "About Domain Zone" - group_item_label: "Department" - } - - dimension: about__domain__zone__email_addresses { - hidden: yes - sql: ${TABLE}.about.domain.zone.email_addresses ;; - group_label: "About Domain Zone" - group_item_label: "Email Addresses" - } - - dimension: about__domain__zone__employee_id { - type: string - sql: ${TABLE}.about.domain.zone.employee_id ;; - group_label: "About Domain Zone" - group_item_label: "Employee ID" - } - - dimension: about__domain__zone__first_name { - type: string - sql: ${TABLE}.about.domain.zone.first_name ;; - group_label: "About Domain Zone" - group_item_label: "First Name" - } - - dimension: about__domain__zone__first_seen_time__nanos { - type: number - sql: ${TABLE}.about.domain.zone.first_seen_time.nanos ;; - group_label: "About Domain Zone First Seen Time" - group_item_label: "Nanos" - } - - dimension: about__domain__zone__first_seen_time__seconds { - type: number - sql: ${TABLE}.about.domain.zone.first_seen_time.seconds 
;; - group_label: "About Domain Zone First Seen Time" - group_item_label: "Seconds" - } - - dimension: about__domain__zone__group_identifiers { - hidden: yes - sql: ${TABLE}.about.domain.zone.group_identifiers ;; - group_label: "About Domain Zone" - group_item_label: "Group Identifiers" - } - - dimension: about__domain__zone__groupid { - type: string - sql: ${TABLE}.about.domain.zone.groupid ;; - group_label: "About Domain Zone" - group_item_label: "Groupid" - } - - dimension: about__domain__zone__hire_date__nanos { - type: number - sql: ${TABLE}.about.domain.zone.hire_date.nanos ;; - group_label: "About Domain Zone Hire Date" - group_item_label: "Nanos" - } - - dimension: about__domain__zone__hire_date__seconds { - type: number - sql: ${TABLE}.about.domain.zone.hire_date.seconds ;; - group_label: "About Domain Zone Hire Date" - group_item_label: "Seconds" - } - - dimension: about__domain__zone__last_name { - type: string - sql: ${TABLE}.about.domain.zone.last_name ;; - group_label: "About Domain Zone" - group_item_label: "Last Name" - } - - dimension: about__domain__zone__middle_name { - type: string - sql: ${TABLE}.about.domain.zone.middle_name ;; - group_label: "About Domain Zone" - group_item_label: "Middle Name" - } - - dimension: about__domain__zone__office_address__city { - type: string - sql: ${TABLE}.about.domain.zone.office_address.city ;; - group_label: "About Domain Zone Office Address" - group_item_label: "City" - } - - dimension: about__domain__zone__office_address__country_or_region { - type: string - sql: ${TABLE}.about.domain.zone.office_address.country_or_region ;; - group_label: "About Domain Zone Office Address" - group_item_label: "Country or Region" - } - - dimension: about__domain__zone__office_address__desk_name { - type: string - sql: ${TABLE}.about.domain.zone.office_address.desk_name ;; - group_label: "About Domain Zone Office Address" - group_item_label: "Desk Name" - } - - dimension: about__domain__zone__office_address__floor_name { - 
type: string - sql: ${TABLE}.about.domain.zone.office_address.floor_name ;; - group_label: "About Domain Zone Office Address" - group_item_label: "Floor Name" - } - - dimension: about__domain__zone__office_address__name { - type: string - sql: ${TABLE}.about.domain.zone.office_address.name ;; - group_label: "About Domain Zone Office Address" - group_item_label: "Name" - } - - dimension: about__domain__zone__office_address__region_latitude { - type: number - sql: ${TABLE}.about.domain.zone.office_address.region_latitude ;; - group_label: "About Domain Zone Office Address" - group_item_label: "Region Latitude" - } - - dimension: about__domain__zone__office_address__region_longitude { - type: number - sql: ${TABLE}.about.domain.zone.office_address.region_longitude ;; - group_label: "About Domain Zone Office Address" - group_item_label: "Region Longitude" - } - - dimension: about__domain__zone__office_address__state { - type: string - sql: ${TABLE}.about.domain.zone.office_address.state ;; - group_label: "About Domain Zone Office Address" - group_item_label: "State" - } - - dimension: about__domain__zone__personal_address__city { - type: string - sql: ${TABLE}.about.domain.zone.personal_address.city ;; - group_label: "About Domain Zone Personal Address" - group_item_label: "City" - } - - dimension: about__domain__zone__personal_address__country_or_region { - type: string - sql: ${TABLE}.about.domain.zone.personal_address.country_or_region ;; - group_label: "About Domain Zone Personal Address" - group_item_label: "Country or Region" - } - - dimension: about__domain__zone__personal_address__desk_name { - type: string - sql: ${TABLE}.about.domain.zone.personal_address.desk_name ;; - group_label: "About Domain Zone Personal Address" - group_item_label: "Desk Name" - } - - dimension: about__domain__zone__personal_address__floor_name { - type: string - sql: ${TABLE}.about.domain.zone.personal_address.floor_name ;; - group_label: "About Domain Zone Personal Address" - 
group_item_label: "Floor Name" - } - - dimension: about__domain__zone__personal_address__name { - type: string - sql: ${TABLE}.about.domain.zone.personal_address.name ;; - group_label: "About Domain Zone Personal Address" - group_item_label: "Name" - } - - dimension: about__domain__zone__personal_address__region_latitude { - type: number - sql: ${TABLE}.about.domain.zone.personal_address.region_latitude ;; - group_label: "About Domain Zone Personal Address" - group_item_label: "Region Latitude" - } - - dimension: about__domain__zone__personal_address__region_longitude { - type: number - sql: ${TABLE}.about.domain.zone.personal_address.region_longitude ;; - group_label: "About Domain Zone Personal Address" - group_item_label: "Region Longitude" - } - - dimension: about__domain__zone__personal_address__state { - type: string - sql: ${TABLE}.about.domain.zone.personal_address.state ;; - group_label: "About Domain Zone Personal Address" - group_item_label: "State" - } - - dimension: about__domain__zone__phone_numbers { - hidden: yes - sql: ${TABLE}.about.domain.zone.phone_numbers ;; - group_label: "About Domain Zone" - group_item_label: "Phone Numbers" - } - - dimension: about__domain__zone__product_object_id { - type: string - sql: ${TABLE}.about.domain.zone.product_object_id ;; - group_label: "About Domain Zone" - group_item_label: "Product Object ID" - } - - dimension: about__domain__zone__role_description { - type: string - sql: ${TABLE}.about.domain.zone.role_description ;; - group_label: "About Domain Zone" - group_item_label: "Role Description" - } - - dimension: about__domain__zone__role_name { - type: string - sql: ${TABLE}.about.domain.zone.role_name ;; - group_label: "About Domain Zone" - group_item_label: "Role Name" - } - - dimension: about__domain__zone__termination_date__nanos { - type: number - sql: ${TABLE}.about.domain.zone.termination_date.nanos ;; - group_label: "About Domain Zone Termination Date" - group_item_label: "Nanos" - } - - dimension: 
about__domain__zone__termination_date__seconds { - type: number - sql: ${TABLE}.about.domain.zone.termination_date.seconds ;; - group_label: "About Domain Zone Termination Date" - group_item_label: "Seconds" - } - - dimension: about__domain__zone__time_off { - hidden: yes - sql: ${TABLE}.about.domain.zone.time_off ;; - group_label: "About Domain Zone" - group_item_label: "Time Off" - } - - dimension: about__domain__zone__title { - type: string - sql: ${TABLE}.about.domain.zone.title ;; - group_label: "About Domain Zone" - group_item_label: "Title" - } - - dimension: about__domain__zone__user_authentication_status { - type: number - sql: ${TABLE}.about.domain.zone.user_authentication_status ;; - group_label: "About Domain Zone" - group_item_label: "User Authentication Status" - } - - dimension: about__domain__zone__user_display_name { - type: string - sql: ${TABLE}.about.domain.zone.user_display_name ;; - group_label: "About Domain Zone" - group_item_label: "User Display Name" - } - - dimension: about__domain__zone__user_role { - type: number - sql: ${TABLE}.about.domain.zone.user_role ;; - group_label: "About Domain Zone" - group_item_label: "User Role" - } - - dimension: about__domain__zone__userid { - type: string - sql: ${TABLE}.about.domain.zone.userid ;; - group_label: "About Domain Zone" - group_item_label: "Userid" - } - - dimension: about__domain__zone__windows_sid { - type: string - sql: ${TABLE}.about.domain.zone.windows_sid ;; - group_label: "About Domain Zone" - group_item_label: "Windows Sid" - } - - dimension: about__email { - type: string - sql: ${TABLE}.about.email ;; - group_label: "About" - group_item_label: "Email" - } - - dimension: about__file__ahash { - type: string - sql: ${TABLE}.about.file.ahash ;; - group_label: "About File" - group_item_label: "Ahash" - } - - dimension: about__file__authentihash { - type: string - sql: ${TABLE}.about.file.authentihash ;; - group_label: "About File" - group_item_label: "Authentihash" - } - - dimension: 
about__file__capabilities_tags { - hidden: yes - sql: ${TABLE}.about.file.capabilities_tags ;; - group_label: "About File" - group_item_label: "Capabilities Tags" - } - - dimension: about__file__file_metadata__pe__import_hash { - type: string - sql: ${TABLE}.about.file.file_metadata.pe.import_hash ;; - group_label: "About File File Metadata Pe" - group_item_label: "Import Hash" - } - - dimension: about__file__file_type { - type: number - sql: ${TABLE}.about.file.file_type ;; - group_label: "About File" - group_item_label: "File Type" - } - - dimension: about__file__first_seen_time__nanos { - type: number - sql: ${TABLE}.about.file.first_seen_time.nanos ;; - group_label: "About File First Seen Time" - group_item_label: "Nanos" - } - - dimension: about__file__first_seen_time__seconds { - type: number - sql: ${TABLE}.about.file.first_seen_time.seconds ;; - group_label: "About File First Seen Time" - group_item_label: "Seconds" - } - - dimension: about__file__full_path { - type: string - sql: ${TABLE}.about.file.full_path ;; - group_label: "About File" - group_item_label: "Full Path" - } - - dimension: about__file__last_modification_time__nanos { - type: number - sql: ${TABLE}.about.file.last_modification_time.nanos ;; - group_label: "About File Last Modification Time" - group_item_label: "Nanos" - } - - dimension: about__file__last_modification_time__seconds { - type: number - sql: ${TABLE}.about.file.last_modification_time.seconds ;; - group_label: "About File Last Modification Time" - group_item_label: "Seconds" - } - - dimension: about__file__last_seen_time__nanos { - type: number - sql: ${TABLE}.about.file.last_seen_time.nanos ;; - group_label: "About File Last Seen Time" - group_item_label: "Nanos" - } - - dimension: about__file__last_seen_time__seconds { - type: number - sql: ${TABLE}.about.file.last_seen_time.seconds ;; - group_label: "About File Last Seen Time" - group_item_label: "Seconds" - } - - dimension: about__file__md5 { - type: string - sql: 
${TABLE}.about.file.md5 ;; - group_label: "About File" - group_item_label: "Md5" - } - - dimension: about__file__mime_type { - type: string - sql: ${TABLE}.about.file.mime_type ;; - group_label: "About File" - group_item_label: "Mime Type" - } - - dimension: about__file__names { - hidden: yes - sql: ${TABLE}.about.file.names ;; - group_label: "About File" - group_item_label: "Names" - } - - dimension: about__file__pe_file__compilation_exiftool_time__nanos { - type: number - sql: ${TABLE}.about.file.pe_file.compilation_exiftool_time.nanos ;; - group_label: "About File Pe File Compilation Exiftool Time" - group_item_label: "Nanos" - } - - dimension: about__file__pe_file__compilation_exiftool_time__seconds { - type: number - sql: ${TABLE}.about.file.pe_file.compilation_exiftool_time.seconds ;; - group_label: "About File Pe File Compilation Exiftool Time" - group_item_label: "Seconds" - } - - dimension: about__file__pe_file__compilation_time__nanos { - type: number - sql: ${TABLE}.about.file.pe_file.compilation_time.nanos ;; - group_label: "About File Pe File Compilation Time" - group_item_label: "Nanos" - } - - dimension: about__file__pe_file__compilation_time__seconds { - type: number - sql: ${TABLE}.about.file.pe_file.compilation_time.seconds ;; - group_label: "About File Pe File Compilation Time" - group_item_label: "Seconds" - } - - dimension: about__file__pe_file__entry_point { - type: number - sql: ${TABLE}.about.file.pe_file.entry_point ;; - group_label: "About File Pe File" - group_item_label: "Entry Point" - } - - dimension: about__file__pe_file__entry_point_exiftool { - type: number - sql: ${TABLE}.about.file.pe_file.entry_point_exiftool ;; - group_label: "About File Pe File" - group_item_label: "Entry Point Exiftool" - } - - dimension: about__file__pe_file__imphash { - type: string - sql: ${TABLE}.about.file.pe_file.imphash ;; - group_label: "About File Pe File" - group_item_label: "Imphash" - } - - dimension: about__file__pe_file__imports { - hidden: yes - 
sql: ${TABLE}.about.file.pe_file.imports ;; - group_label: "About File Pe File" - group_item_label: "Imports" - } - - dimension: about__file__pe_file__resource { - hidden: yes - sql: ${TABLE}.about.file.pe_file.resource ;; - group_label: "About File Pe File" - group_item_label: "Resource" - } - - dimension: about__file__pe_file__resources_language_count { - hidden: yes - sql: ${TABLE}.about.file.pe_file.resources_language_count ;; - group_label: "About File Pe File" - group_item_label: "Resources Language Count" - } - - dimension: about__file__pe_file__resources_language_count_str { - hidden: yes - sql: ${TABLE}.about.file.pe_file.resources_language_count_str ;; - group_label: "About File Pe File" - group_item_label: "Resources Language Count Str" - } - - dimension: about__file__pe_file__resources_type_count { - hidden: yes - sql: ${TABLE}.about.file.pe_file.resources_type_count ;; - group_label: "About File Pe File" - group_item_label: "Resources Type Count" - } - - dimension: about__file__pe_file__resources_type_count_str { - hidden: yes - sql: ${TABLE}.about.file.pe_file.resources_type_count_str ;; - group_label: "About File Pe File" - group_item_label: "Resources Type Count Str" - } - - dimension: about__file__pe_file__section { - hidden: yes - sql: ${TABLE}.about.file.pe_file.section ;; - group_label: "About File Pe File" - group_item_label: "Section" - } - - dimension: about__file__pe_file__signature_info__signer { - hidden: yes - sql: ${TABLE}.about.file.pe_file.signature_info.signer ;; - group_label: "About File Pe File Signature Info" - group_item_label: "Signer" - } - - dimension: about__file__pe_file__signature_info__signers { - hidden: yes - sql: ${TABLE}.about.file.pe_file.signature_info.signers ;; - group_label: "About File Pe File Signature Info" - group_item_label: "Signers" - } - - dimension: about__file__pe_file__signature_info__verification_message { - type: string - sql: ${TABLE}.about.file.pe_file.signature_info.verification_message ;; - 
group_label: "About File Pe File Signature Info" - group_item_label: "Verification Message" - } - - dimension: about__file__pe_file__signature_info__verified { - type: yesno - sql: ${TABLE}.about.file.pe_file.signature_info.verified ;; - group_label: "About File Pe File Signature Info" - group_item_label: "Verified" - } - - dimension: about__file__prevalence__day_count { - type: number - sql: ${TABLE}.about.file.prevalence.day_count ;; - group_label: "About File Prevalence" - group_item_label: "Day Count" - } - - dimension: about__file__prevalence__day_max { - type: number - sql: ${TABLE}.about.file.prevalence.day_max ;; - group_label: "About File Prevalence" - group_item_label: "Day Max" - } - - dimension: about__file__prevalence__day_max_sub_domains { - type: number - sql: ${TABLE}.about.file.prevalence.day_max_sub_domains ;; - group_label: "About File Prevalence" - group_item_label: "Day Max Sub Domains" - } - - dimension: about__file__prevalence__rolling_max { - type: number - sql: ${TABLE}.about.file.prevalence.rolling_max ;; - group_label: "About File Prevalence" - group_item_label: "Rolling Max" - } - - dimension: about__file__prevalence__rolling_max_sub_domains { - type: number - sql: ${TABLE}.about.file.prevalence.rolling_max_sub_domains ;; - group_label: "About File Prevalence" - group_item_label: "Rolling Max Sub Domains" - } - - dimension: about__file__sha1 { - type: string - sql: ${TABLE}.about.file.sha1 ;; - group_label: "About File" - group_item_label: "Sha1" - } - - dimension: about__file__sha256 { - type: string - sql: ${TABLE}.about.file.sha256 ;; - group_label: "About File" - group_item_label: "Sha256" - } - - dimension: about__file__size { - type: number - sql: ${TABLE}.about.file.size ;; - group_label: "About File" - group_item_label: "Size" - } - - dimension: about__file__ssdeep { - type: string - sql: ${TABLE}.about.file.ssdeep ;; - group_label: "About File" - group_item_label: "Ssdeep" - } - - dimension: about__file__vhash { - type: string - 
sql: ${TABLE}.about.file.vhash ;; - group_label: "About File" - group_item_label: "Vhash" - } - - dimension: about__group__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.about.`group`.attribute.cloud.availability_zone ;; - group_label: "About Group Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: about__group__attribute__cloud__environment { - type: number - sql: ${TABLE}.about.`group`.attribute.cloud.environment ;; - group_label: "About Group Attribute Cloud" - group_item_label: "Environment" - } - - dimension: about__group__attribute__cloud__project__id { - type: string - sql: ${TABLE}.about.`group`.attribute.cloud.project.id ;; - group_label: "About Group Attribute Cloud Project" - group_item_label: "ID" - } - - dimension: about__group__attribute__cloud__project__name { - type: string - sql: ${TABLE}.about.`group`.attribute.cloud.project.name ;; - group_label: "About Group Attribute Cloud Project" - group_item_label: "Name" - } - - dimension: about__group__attribute__cloud__project__parent { - type: string - sql: ${TABLE}.about.`group`.attribute.cloud.project.parent ;; - group_label: "About Group Attribute Cloud Project" - group_item_label: "Parent" - } - - dimension: about__group__attribute__cloud__project__product_object_id { - type: string - sql: ${TABLE}.about.`group`.attribute.cloud.project.product_object_id ;; - group_label: "About Group Attribute Cloud Project" - group_item_label: "Product Object ID" - } - - dimension: about__group__attribute__cloud__project__resource_subtype { - type: string - sql: ${TABLE}.about.`group`.attribute.cloud.project.resource_subtype ;; - group_label: "About Group Attribute Cloud Project" - group_item_label: "Resource Subtype" - } - - dimension: about__group__attribute__cloud__project__resource_type { - type: number - sql: ${TABLE}.about.`group`.attribute.cloud.project.resource_type ;; - group_label: "About Group Attribute Cloud Project" - group_item_label: "Resource Type" - } - 
- dimension: about__group__attribute__cloud__project__type { - type: string - sql: ${TABLE}.about.`group`.attribute.cloud.project.type ;; - group_label: "About Group Attribute Cloud Project" - group_item_label: "Type" - } - - dimension: about__group__attribute__cloud__vpc__id { - type: string - sql: ${TABLE}.about.`group`.attribute.cloud.vpc.id ;; - group_label: "About Group Attribute Cloud Vpc" - group_item_label: "ID" - } - - dimension: about__group__attribute__cloud__vpc__name { - type: string - sql: ${TABLE}.about.`group`.attribute.cloud.vpc.name ;; - group_label: "About Group Attribute Cloud Vpc" - group_item_label: "Name" - } - - dimension: about__group__attribute__cloud__vpc__parent { - type: string - sql: ${TABLE}.about.`group`.attribute.cloud.vpc.parent ;; - group_label: "About Group Attribute Cloud Vpc" - group_item_label: "Parent" - } - - dimension: about__group__attribute__cloud__vpc__product_object_id { - type: string - sql: ${TABLE}.about.`group`.attribute.cloud.vpc.product_object_id ;; - group_label: "About Group Attribute Cloud Vpc" - group_item_label: "Product Object ID" - } - - dimension: about__group__attribute__cloud__vpc__resource_subtype { - type: string - sql: ${TABLE}.about.`group`.attribute.cloud.vpc.resource_subtype ;; - group_label: "About Group Attribute Cloud Vpc" - group_item_label: "Resource Subtype" - } - - dimension: about__group__attribute__cloud__vpc__resource_type { - type: number - sql: ${TABLE}.about.`group`.attribute.cloud.vpc.resource_type ;; - group_label: "About Group Attribute Cloud Vpc" - group_item_label: "Resource Type" - } - - dimension: about__group__attribute__cloud__vpc__type { - type: string - sql: ${TABLE}.about.`group`.attribute.cloud.vpc.type ;; - group_label: "About Group Attribute Cloud Vpc" - group_item_label: "Type" - } - - dimension: about__group__attribute__creation_time__nanos { - type: number - sql: ${TABLE}.about.`group`.attribute.creation_time.nanos ;; - group_label: "About Group Attribute Creation 
Time" - group_item_label: "Nanos" - } - - dimension: about__group__attribute__creation_time__seconds { - type: number - sql: ${TABLE}.about.`group`.attribute.creation_time.seconds ;; - group_label: "About Group Attribute Creation Time" - group_item_label: "Seconds" - } - - dimension: about__group__attribute__labels { - hidden: yes - sql: ${TABLE}.about.group.attribute.labels ;; - group_label: "About Group Attribute" - group_item_label: "Labels" - } - - dimension: about__group__attribute__last_update_time__nanos { - type: number - sql: ${TABLE}.about.`group`.attribute.last_update_time.nanos ;; - group_label: "About Group Attribute Last Update Time" - group_item_label: "Nanos" - } - - dimension: about__group__attribute__last_update_time__seconds { - type: number - sql: ${TABLE}.about.`group`.attribute.last_update_time.seconds ;; - group_label: "About Group Attribute Last Update Time" - group_item_label: "Seconds" - } - - dimension: about__group__attribute__permissions { - hidden: yes - sql: ${TABLE}.about.group.attribute.permissions ;; - group_label: "About Group Attribute" - group_item_label: "Permissions" - } - - dimension: about__group__attribute__roles { - hidden: yes - sql: ${TABLE}.about.group.attribute.roles ;; - group_label: "About Group Attribute" - group_item_label: "Roles" - } - - dimension: about__group__creation_time__nanos { - type: number - sql: ${TABLE}.about.`group`.creation_time.nanos ;; - group_label: "About Group Creation Time" - group_item_label: "Nanos" - } - - dimension: about__group__creation_time__seconds { - type: number - sql: ${TABLE}.about.`group`.creation_time.seconds ;; - group_label: "About Group Creation Time" - group_item_label: "Seconds" - } - - dimension: about__group__email_addresses { - hidden: yes - sql: ${TABLE}.about.group.email_addresses ;; - group_label: "About Group" - group_item_label: "Email Addresses" - } - - dimension: about__group__group_display_name { - type: string - sql: ${TABLE}.about.`group`.group_display_name ;; 
- group_label: "About Group" - group_item_label: "Group Display Name" - } - - dimension: about__group__product_object_id { - type: string - sql: ${TABLE}.about.`group`.product_object_id ;; - group_label: "About Group" - group_item_label: "Product Object ID" - } - - dimension: about__group__windows_sid { - type: string - sql: ${TABLE}.about.`group`.windows_sid ;; - group_label: "About Group" - group_item_label: "Windows Sid" - } - - dimension: about__hostname { - type: string - sql: ${TABLE}.about.hostname ;; - group_label: "About" - group_item_label: "Hostname" - } - - dimension: about__investigation__comments { - hidden: yes - sql: ${TABLE}.about.investigation.comments ;; - group_label: "About Investigation" - group_item_label: "Comments" - } - - dimension: about__investigation__priority { - type: number - sql: ${TABLE}.about.investigation.priority ;; - group_label: "About Investigation" - group_item_label: "Priority" - } - - dimension: about__investigation__reason { - type: number - sql: ${TABLE}.about.investigation.reason ;; - group_label: "About Investigation" - group_item_label: "Reason" - } - - dimension: about__investigation__reputation { - type: number - sql: ${TABLE}.about.investigation.reputation ;; - group_label: "About Investigation" - group_item_label: "Reputation" - } - - dimension: about__investigation__risk_score { - type: number - sql: ${TABLE}.about.investigation.risk_score ;; - group_label: "About Investigation" - group_item_label: "Risk Score" - } - - dimension: about__investigation__root_cause { - type: string - sql: ${TABLE}.about.investigation.root_cause ;; - group_label: "About Investigation" - group_item_label: "Root Cause" - } - - dimension: about__investigation__severity_score { - type: number - sql: ${TABLE}.about.investigation.severity_score ;; - group_label: "About Investigation" - group_item_label: "Severity Score" - } - - dimension: about__investigation__status { - type: number - sql: ${TABLE}.about.investigation.status ;; - 
group_label: "About Investigation" - group_item_label: "Status" - } - - dimension: about__investigation__verdict { - type: number - sql: ${TABLE}.about.investigation.verdict ;; - group_label: "About Investigation" - group_item_label: "Verdict" - } - - dimension: about__ip { - hidden: yes - sql: ${TABLE}.about.ip ;; - group_label: "About" - group_item_label: "IP" - } - - dimension: about__ip_location { - hidden: yes - sql: ${TABLE}.about.ip_location ;; - group_label: "About" - group_item_label: "IP Location" - } - - dimension: about__labels { - hidden: yes - sql: ${TABLE}.about.labels ;; - group_label: "About" - group_item_label: "Labels" - } - - dimension: about__location__city { - type: string - sql: ${TABLE}.about.location.city ;; - group_label: "About Location" - group_item_label: "City" - } - - dimension: about__location__country_or_region { - type: string - sql: ${TABLE}.about.location.country_or_region ;; - group_label: "About Location" - group_item_label: "Country or Region" - } - - dimension: about__location__desk_name { - type: string - sql: ${TABLE}.about.location.desk_name ;; - group_label: "About Location" - group_item_label: "Desk Name" - } - - dimension: about__location__floor_name { - type: string - sql: ${TABLE}.about.location.floor_name ;; - group_label: "About Location" - group_item_label: "Floor Name" - } - - dimension: about__location__name { - type: string - sql: ${TABLE}.about.location.name ;; - group_label: "About Location" - group_item_label: "Name" - } - - dimension: about__location__region_latitude { - type: number - sql: ${TABLE}.about.location.region_latitude ;; - group_label: "About Location" - group_item_label: "Region Latitude" - } - - dimension: about__location__region_longitude { - type: number - sql: ${TABLE}.about.location.region_longitude ;; - group_label: "About Location" - group_item_label: "Region Longitude" - } - - dimension: about__location__state { - type: string - sql: ${TABLE}.about.location.state ;; - group_label: "About 
Location" - group_item_label: "State" - } - - dimension: about__mac { - hidden: yes - sql: ${TABLE}.about.mac ;; - group_label: "About" - group_item_label: "Mac" - } - - dimension: about__namespace { - type: string - sql: ${TABLE}.about.namespace ;; - group_label: "About" - group_item_label: "Namespace" - } - - dimension: about__nat_ip { - hidden: yes - sql: ${TABLE}.about.nat_ip ;; - group_label: "About" - group_item_label: "Nat IP" - } - - dimension: about__nat_port { - type: number - sql: ${TABLE}.about.nat_port ;; - group_label: "About" - group_item_label: "Nat Port" - } - - dimension: about__object_reference__id { - type: string - sql: ${TABLE}.about.object_reference.id ;; - group_label: "About Object Reference" - group_item_label: "ID" - } - - dimension: about__object_reference__namespace { - type: number - sql: ${TABLE}.about.object_reference.namespace ;; - group_label: "About Object Reference" - group_item_label: "Namespace" - } - - dimension: about__platform { - type: number - sql: ${TABLE}.about.platform ;; - group_label: "About" - group_item_label: "Platform" - } - - dimension: about__platform_patch_level { - type: string - sql: ${TABLE}.about.platform_patch_level ;; - group_label: "About" - group_item_label: "Platform Patch Level" - } - - dimension: about__platform_version { - type: string - sql: ${TABLE}.about.platform_version ;; - group_label: "About" - group_item_label: "Platform Version" - } - - dimension: about__port { - type: number - sql: ${TABLE}.about.port ;; - group_label: "About" - group_item_label: "Port" - } - - dimension: about__process__access_mask { - type: number - sql: ${TABLE}.about.process.access_mask ;; - group_label: "About Process" - group_item_label: "Access Mask" - } - - dimension: about__process__command_line { - type: string - sql: ${TABLE}.about.process.command_line ;; - group_label: "About Process" - group_item_label: "Command Line" - } - - dimension: about__process__command_line_history { - hidden: yes - sql: 
${TABLE}.about.process.command_line_history ;; - group_label: "About Process" - group_item_label: "Command Line History" - } - - dimension: about__process__file__ahash { - type: string - sql: ${TABLE}.about.process.file.ahash ;; - group_label: "About Process File" - group_item_label: "Ahash" - } - - dimension: about__process__file__authentihash { - type: string - sql: ${TABLE}.about.process.file.authentihash ;; - group_label: "About Process File" - group_item_label: "Authentihash" - } - - dimension: about__process__file__capabilities_tags { - hidden: yes - sql: ${TABLE}.about.process.file.capabilities_tags ;; - group_label: "About Process File" - group_item_label: "Capabilities Tags" - } - - dimension: about__process__file__file_metadata__pe__import_hash { - type: string - sql: ${TABLE}.about.process.file.file_metadata.pe.import_hash ;; - group_label: "About Process File File Metadata Pe" - group_item_label: "Import Hash" - } - - dimension: about__process__file__file_type { - type: number - sql: ${TABLE}.about.process.file.file_type ;; - group_label: "About Process File" - group_item_label: "File Type" - } - - dimension: about__process__file__first_seen_time__nanos { - type: number - sql: ${TABLE}.about.process.file.first_seen_time.nanos ;; - group_label: "About Process File First Seen Time" - group_item_label: "Nanos" - } - - dimension: about__process__file__first_seen_time__seconds { - type: number - sql: ${TABLE}.about.process.file.first_seen_time.seconds ;; - group_label: "About Process File First Seen Time" - group_item_label: "Seconds" - } - - dimension: about__process__file__full_path { - type: string - sql: ${TABLE}.about.process.file.full_path ;; - group_label: "About Process File" - group_item_label: "Full Path" - } - - dimension: about__process__file__last_modification_time__nanos { - type: number - sql: ${TABLE}.about.process.file.last_modification_time.nanos ;; - group_label: "About Process File Last Modification Time" - group_item_label: "Nanos" - } - 
- dimension: about__process__file__last_modification_time__seconds { - type: number - sql: ${TABLE}.about.process.file.last_modification_time.seconds ;; - group_label: "About Process File Last Modification Time" - group_item_label: "Seconds" - } - - dimension: about__process__file__last_seen_time__nanos { - type: number - sql: ${TABLE}.about.process.file.last_seen_time.nanos ;; - group_label: "About Process File Last Seen Time" - group_item_label: "Nanos" - } - - dimension: about__process__file__last_seen_time__seconds { - type: number - sql: ${TABLE}.about.process.file.last_seen_time.seconds ;; - group_label: "About Process File Last Seen Time" - group_item_label: "Seconds" - } - - dimension: about__process__file__md5 { - type: string - sql: ${TABLE}.about.process.file.md5 ;; - group_label: "About Process File" - group_item_label: "Md5" - } - - dimension: about__process__file__mime_type { - type: string - sql: ${TABLE}.about.process.file.mime_type ;; - group_label: "About Process File" - group_item_label: "Mime Type" - } - - dimension: about__process__file__names { - hidden: yes - sql: ${TABLE}.about.process.file.names ;; - group_label: "About Process File" - group_item_label: "Names" - } - - dimension: about__process__file__pe_file__compilation_exiftool_time__nanos { - type: number - sql: ${TABLE}.about.process.file.pe_file.compilation_exiftool_time.nanos ;; - group_label: "About Process File Pe File Compilation Exiftool Time" - group_item_label: "Nanos" - } - - dimension: about__process__file__pe_file__compilation_exiftool_time__seconds { - type: number - sql: ${TABLE}.about.process.file.pe_file.compilation_exiftool_time.seconds ;; - group_label: "About Process File Pe File Compilation Exiftool Time" - group_item_label: "Seconds" - } - - dimension: about__process__file__pe_file__compilation_time__nanos { - type: number - sql: ${TABLE}.about.process.file.pe_file.compilation_time.nanos ;; - group_label: "About Process File Pe File Compilation Time" - 
group_item_label: "Nanos" - } - - dimension: about__process__file__pe_file__compilation_time__seconds { - type: number - sql: ${TABLE}.about.process.file.pe_file.compilation_time.seconds ;; - group_label: "About Process File Pe File Compilation Time" - group_item_label: "Seconds" - } - - dimension: about__process__file__pe_file__entry_point { - type: number - sql: ${TABLE}.about.process.file.pe_file.entry_point ;; - group_label: "About Process File Pe File" - group_item_label: "Entry Point" - } - - dimension: about__process__file__pe_file__entry_point_exiftool { - type: number - sql: ${TABLE}.about.process.file.pe_file.entry_point_exiftool ;; - group_label: "About Process File Pe File" - group_item_label: "Entry Point Exiftool" - } - - dimension: about__process__file__pe_file__imphash { - type: string - sql: ${TABLE}.about.process.file.pe_file.imphash ;; - group_label: "About Process File Pe File" - group_item_label: "Imphash" - } - - dimension: about__process__file__pe_file__imports { - hidden: yes - sql: ${TABLE}.about.process.file.pe_file.imports ;; - group_label: "About Process File Pe File" - group_item_label: "Imports" - } - - dimension: about__process__file__pe_file__resource { - hidden: yes - sql: ${TABLE}.about.process.file.pe_file.resource ;; - group_label: "About Process File Pe File" - group_item_label: "Resource" - } - - dimension: about__process__file__pe_file__resources_language_count { - hidden: yes - sql: ${TABLE}.about.process.file.pe_file.resources_language_count ;; - group_label: "About Process File Pe File" - group_item_label: "Resources Language Count" - } - - dimension: about__process__file__pe_file__resources_language_count_str { - hidden: yes - sql: ${TABLE}.about.process.file.pe_file.resources_language_count_str ;; - group_label: "About Process File Pe File" - group_item_label: "Resources Language Count Str" - } - - dimension: about__process__file__pe_file__resources_type_count { - hidden: yes - sql: 
${TABLE}.about.process.file.pe_file.resources_type_count ;; - group_label: "About Process File Pe File" - group_item_label: "Resources Type Count" - } - - dimension: about__process__file__pe_file__resources_type_count_str { - hidden: yes - sql: ${TABLE}.about.process.file.pe_file.resources_type_count_str ;; - group_label: "About Process File Pe File" - group_item_label: "Resources Type Count Str" - } - - dimension: about__process__file__pe_file__section { - hidden: yes - sql: ${TABLE}.about.process.file.pe_file.section ;; - group_label: "About Process File Pe File" - group_item_label: "Section" - } - - dimension: about__process__file__pe_file__signature_info__signer { - hidden: yes - sql: ${TABLE}.about.process.file.pe_file.signature_info.signer ;; - group_label: "About Process File Pe File Signature Info" - group_item_label: "Signer" - } - - dimension: about__process__file__pe_file__signature_info__signers { - hidden: yes - sql: ${TABLE}.about.process.file.pe_file.signature_info.signers ;; - group_label: "About Process File Pe File Signature Info" - group_item_label: "Signers" - } - - dimension: about__process__file__pe_file__signature_info__verification_message { - type: string - sql: ${TABLE}.about.process.file.pe_file.signature_info.verification_message ;; - group_label: "About Process File Pe File Signature Info" - group_item_label: "Verification Message" - } - - dimension: about__process__file__pe_file__signature_info__verified { - type: yesno - sql: ${TABLE}.about.process.file.pe_file.signature_info.verified ;; - group_label: "About Process File Pe File Signature Info" - group_item_label: "Verified" - } - - dimension: about__process__file__prevalence__day_count { - type: number - sql: ${TABLE}.about.process.file.prevalence.day_count ;; - group_label: "About Process File Prevalence" - group_item_label: "Day Count" - } - - dimension: about__process__file__prevalence__day_max { - type: number - sql: ${TABLE}.about.process.file.prevalence.day_max ;; - 
group_label: "About Process File Prevalence" - group_item_label: "Day Max" - } - - dimension: about__process__file__prevalence__day_max_sub_domains { - type: number - sql: ${TABLE}.about.process.file.prevalence.day_max_sub_domains ;; - group_label: "About Process File Prevalence" - group_item_label: "Day Max Sub Domains" - } - - dimension: about__process__file__prevalence__rolling_max { - type: number - sql: ${TABLE}.about.process.file.prevalence.rolling_max ;; - group_label: "About Process File Prevalence" - group_item_label: "Rolling Max" - } - - dimension: about__process__file__prevalence__rolling_max_sub_domains { - type: number - sql: ${TABLE}.about.process.file.prevalence.rolling_max_sub_domains ;; - group_label: "About Process File Prevalence" - group_item_label: "Rolling Max Sub Domains" - } - - dimension: about__process__file__sha1 { - type: string - sql: ${TABLE}.about.process.file.sha1 ;; - group_label: "About Process File" - group_item_label: "Sha1" - } - - dimension: about__process__file__sha256 { - type: string - sql: ${TABLE}.about.process.file.sha256 ;; - group_label: "About Process File" - group_item_label: "Sha256" - } - - dimension: about__process__file__size { - type: number - sql: ${TABLE}.about.process.file.size ;; - group_label: "About Process File" - group_item_label: "Size" - } - - dimension: about__process__file__ssdeep { - type: string - sql: ${TABLE}.about.process.file.ssdeep ;; - group_label: "About Process File" - group_item_label: "Ssdeep" - } - - dimension: about__process__file__vhash { - type: string - sql: ${TABLE}.about.process.file.vhash ;; - group_label: "About Process File" - group_item_label: "Vhash" - } - - dimension: about__process__parent_pid { - type: string - sql: ${TABLE}.about.process.parent_pid ;; - group_label: "About Process" - group_item_label: "Parent Pid" - } - - dimension: about__process__pid { - type: string - sql: ${TABLE}.about.process.pid ;; - group_label: "About Process" - group_item_label: "Pid" - } - - 
dimension: about__process__product_specific_parent_process_id { - type: string - sql: ${TABLE}.about.process.product_specific_parent_process_id ;; - group_label: "About Process" - group_item_label: "Product Specific Parent Process ID" - } - - dimension: about__process__product_specific_process_id { - type: string - sql: ${TABLE}.about.process.product_specific_process_id ;; - group_label: "About Process" - group_item_label: "Product Specific Process ID" - } - - dimension: about__process_ancestors { - hidden: yes - sql: ${TABLE}.about.process_ancestors ;; - group_label: "About" - group_item_label: "Process Ancestors" - } - - dimension: about__registry__registry_key { - type: string - sql: ${TABLE}.about.registry.registry_key ;; - group_label: "About Registry" - group_item_label: "Registry Key" - } - - dimension: about__registry__registry_value_data { - type: string - sql: ${TABLE}.about.registry.registry_value_data ;; - group_label: "About Registry" - group_item_label: "Registry Value Data" - } - - dimension: about__registry__registry_value_name { - type: string - sql: ${TABLE}.about.registry.registry_value_name ;; - group_label: "About Registry" - group_item_label: "Registry Value Name" - } - - dimension: about__resource__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.about.resource.attribute.cloud.availability_zone ;; - group_label: "About Resource Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: about__resource__attribute__cloud__environment { - type: number - sql: ${TABLE}.about.resource.attribute.cloud.environment ;; - group_label: "About Resource Attribute Cloud" - group_item_label: "Environment" - } - - dimension: about__resource__attribute__creation_time__nanos { - type: number - sql: ${TABLE}.about.resource.attribute.creation_time.nanos ;; - group_label: "About Resource Attribute Creation Time" - group_item_label: "Nanos" - } - - dimension: about__resource__attribute__creation_time__seconds { - type: number - 
sql: ${TABLE}.about.resource.attribute.creation_time.seconds ;; - group_label: "About Resource Attribute Creation Time" - group_item_label: "Seconds" - } - - dimension: about__resource__attribute__labels { - hidden: yes - sql: ${TABLE}.about.resource.attribute.labels ;; - group_label: "About Resource Attribute" - group_item_label: "Labels" - } - - dimension: about__resource__attribute__last_update_time__nanos { - type: number - sql: ${TABLE}.about.resource.attribute.last_update_time.nanos ;; - group_label: "About Resource Attribute Last Update Time" - group_item_label: "Nanos" - } - - dimension: about__resource__attribute__last_update_time__seconds { - type: number - sql: ${TABLE}.about.resource.attribute.last_update_time.seconds ;; - group_label: "About Resource Attribute Last Update Time" - group_item_label: "Seconds" - } - - dimension: about__resource__attribute__permissions { - hidden: yes - sql: ${TABLE}.about.resource.attribute.permissions ;; - group_label: "About Resource Attribute" - group_item_label: "Permissions" - } - - dimension: about__resource__attribute__roles { - hidden: yes - sql: ${TABLE}.about.resource.attribute.roles ;; - group_label: "About Resource Attribute" - group_item_label: "Roles" - } - - dimension: about__resource__id { - type: string - sql: ${TABLE}.about.resource.id ;; - group_label: "About Resource" - group_item_label: "ID" - } - - dimension: about__resource__name { - type: string - sql: ${TABLE}.about.resource.name ;; - group_label: "About Resource" - group_item_label: "Name" - } - - dimension: about__resource__parent { - type: string - sql: ${TABLE}.about.resource.parent ;; - group_label: "About Resource" - group_item_label: "Parent" - } - - dimension: about__resource__product_object_id { - type: string - sql: ${TABLE}.about.resource.product_object_id ;; - group_label: "About Resource" - group_item_label: "Product Object ID" - } - - dimension: about__resource__resource_subtype { - type: string - sql: 
${TABLE}.about.resource.resource_subtype ;; - group_label: "About Resource" - group_item_label: "Resource Subtype" - } - - dimension: about__resource__resource_type { - type: number - sql: ${TABLE}.about.resource.resource_type ;; - group_label: "About Resource" - group_item_label: "Resource Type" - } - - dimension: about__resource__type { - type: string - sql: ${TABLE}.about.resource.type ;; - group_label: "About Resource" - group_item_label: "Type" - } - - dimension: about__resource_ancestors { - hidden: yes - sql: ${TABLE}.about.resource_ancestors ;; - group_label: "About" - group_item_label: "Resource Ancestors" - } - - dimension: about__url { - type: string - sql: ${TABLE}.about.url ;; - group_label: "About" - group_item_label: "URL" - } - - dimension: about__user__account_type { - type: number - sql: ${TABLE}.about.user.account_type ;; - group_label: "About User" - group_item_label: "Account Type" - } - - dimension: about__user__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.about.user.attribute.cloud.availability_zone ;; - group_label: "About User Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: about__user__attribute__cloud__environment { - type: number - sql: ${TABLE}.about.user.attribute.cloud.environment ;; - group_label: "About User Attribute Cloud" - group_item_label: "Environment" - } - - dimension: about__user__attribute__cloud__project__id { - type: string - sql: ${TABLE}.about.user.attribute.cloud.project.id ;; - group_label: "About User Attribute Cloud Project" - group_item_label: "ID" - } - - dimension: about__user__attribute__cloud__project__name { - type: string - sql: ${TABLE}.about.user.attribute.cloud.project.name ;; - group_label: "About User Attribute Cloud Project" - group_item_label: "Name" - } - - dimension: about__user__attribute__cloud__project__parent { - type: string - sql: ${TABLE}.about.user.attribute.cloud.project.parent ;; - group_label: "About User Attribute Cloud Project" - 
group_item_label: "Parent" - } - - dimension: about__user__attribute__cloud__project__product_object_id { - type: string - sql: ${TABLE}.about.user.attribute.cloud.project.product_object_id ;; - group_label: "About User Attribute Cloud Project" - group_item_label: "Product Object ID" - } - - dimension: about__user__attribute__cloud__project__resource_subtype { - type: string - sql: ${TABLE}.about.user.attribute.cloud.project.resource_subtype ;; - group_label: "About User Attribute Cloud Project" - group_item_label: "Resource Subtype" - } - - dimension: about__user__attribute__cloud__project__resource_type { - type: number - sql: ${TABLE}.about.user.attribute.cloud.project.resource_type ;; - group_label: "About User Attribute Cloud Project" - group_item_label: "Resource Type" - } - - dimension: about__user__attribute__cloud__project__type { - type: string - sql: ${TABLE}.about.user.attribute.cloud.project.type ;; - group_label: "About User Attribute Cloud Project" - group_item_label: "Type" - } - - dimension: about__user__attribute__cloud__vpc__id { - type: string - sql: ${TABLE}.about.user.attribute.cloud.vpc.id ;; - group_label: "About User Attribute Cloud Vpc" - group_item_label: "ID" - } - - dimension: about__user__attribute__cloud__vpc__name { - type: string - sql: ${TABLE}.about.user.attribute.cloud.vpc.name ;; - group_label: "About User Attribute Cloud Vpc" - group_item_label: "Name" - } - - dimension: about__user__attribute__cloud__vpc__parent { - type: string - sql: ${TABLE}.about.user.attribute.cloud.vpc.parent ;; - group_label: "About User Attribute Cloud Vpc" - group_item_label: "Parent" - } - - dimension: about__user__attribute__cloud__vpc__product_object_id { - type: string - sql: ${TABLE}.about.user.attribute.cloud.vpc.product_object_id ;; - group_label: "About User Attribute Cloud Vpc" - group_item_label: "Product Object ID" - } - - dimension: about__user__attribute__cloud__vpc__resource_subtype { - type: string - sql: 
${TABLE}.about.user.attribute.cloud.vpc.resource_subtype ;; - group_label: "About User Attribute Cloud Vpc" - group_item_label: "Resource Subtype" - } - - dimension: about__user__attribute__cloud__vpc__resource_type { - type: number - sql: ${TABLE}.about.user.attribute.cloud.vpc.resource_type ;; - group_label: "About User Attribute Cloud Vpc" - group_item_label: "Resource Type" - } - - dimension: about__user__attribute__cloud__vpc__type { - type: string - sql: ${TABLE}.about.user.attribute.cloud.vpc.type ;; - group_label: "About User Attribute Cloud Vpc" - group_item_label: "Type" - } - - dimension: about__user__attribute__creation_time__nanos { - type: number - sql: ${TABLE}.about.user.attribute.creation_time.nanos ;; - group_label: "About User Attribute Creation Time" - group_item_label: "Nanos" - } - - dimension: about__user__attribute__creation_time__seconds { - type: number - sql: ${TABLE}.about.user.attribute.creation_time.seconds ;; - group_label: "About User Attribute Creation Time" - group_item_label: "Seconds" - } - - dimension: about__user__attribute__labels { - hidden: yes - sql: ${TABLE}.about.user.attribute.labels ;; - group_label: "About User Attribute" - group_item_label: "Labels" - } - - dimension: about__user__attribute__last_update_time__nanos { - type: number - sql: ${TABLE}.about.user.attribute.last_update_time.nanos ;; - group_label: "About User Attribute Last Update Time" - group_item_label: "Nanos" - } - - dimension: about__user__attribute__last_update_time__seconds { - type: number - sql: ${TABLE}.about.user.attribute.last_update_time.seconds ;; - group_label: "About User Attribute Last Update Time" - group_item_label: "Seconds" - } - - dimension: about__user__attribute__permissions { - hidden: yes - sql: ${TABLE}.about.user.attribute.permissions ;; - group_label: "About User Attribute" - group_item_label: "Permissions" - } - - dimension: about__user__attribute__roles { - hidden: yes - sql: ${TABLE}.about.user.attribute.roles ;; - 
group_label: "About User Attribute" - group_item_label: "Roles" - } - - dimension: about__user__company_name { - type: string - sql: ${TABLE}.about.user.company_name ;; - group_label: "About User" - group_item_label: "Company Name" - } - - dimension: about__user__department { - hidden: yes - sql: ${TABLE}.about.user.department ;; - group_label: "About User" - group_item_label: "Department" - } - - dimension: about__user__email_addresses { - hidden: yes - sql: ${TABLE}.about.user.email_addresses ;; - group_label: "About User" - group_item_label: "Email Addresses" - } - - dimension: about__user__employee_id { - type: string - sql: ${TABLE}.about.user.employee_id ;; - group_label: "About User" - group_item_label: "Employee ID" - } - - dimension: about__user__first_name { - type: string - sql: ${TABLE}.about.user.first_name ;; - group_label: "About User" - group_item_label: "First Name" - } - - dimension: about__user__first_seen_time__nanos { - type: number - sql: ${TABLE}.about.user.first_seen_time.nanos ;; - group_label: "About User First Seen Time" - group_item_label: "Nanos" - } - - dimension: about__user__first_seen_time__seconds { - type: number - sql: ${TABLE}.about.user.first_seen_time.seconds ;; - group_label: "About User First Seen Time" - group_item_label: "Seconds" - } - - dimension: about__user__group_identifiers { - hidden: yes - sql: ${TABLE}.about.user.group_identifiers ;; - group_label: "About User" - group_item_label: "Group Identifiers" - } - - dimension: about__user__groupid { - type: string - sql: ${TABLE}.about.user.groupid ;; - group_label: "About User" - group_item_label: "Groupid" - } - - dimension: about__user__hire_date__nanos { - type: number - sql: ${TABLE}.about.user.hire_date.nanos ;; - group_label: "About User Hire Date" - group_item_label: "Nanos" - } - - dimension: about__user__hire_date__seconds { - type: number - sql: ${TABLE}.about.user.hire_date.seconds ;; - group_label: "About User Hire Date" - group_item_label: "Seconds" - } - - 
dimension: about__user__last_name { - type: string - sql: ${TABLE}.about.user.last_name ;; - group_label: "About User" - group_item_label: "Last Name" - } - - dimension: about__user__middle_name { - type: string - sql: ${TABLE}.about.user.middle_name ;; - group_label: "About User" - group_item_label: "Middle Name" - } - - dimension: about__user__office_address__city { - type: string - sql: ${TABLE}.about.user.office_address.city ;; - group_label: "About User Office Address" - group_item_label: "City" - } - - dimension: about__user__office_address__country_or_region { - type: string - sql: ${TABLE}.about.user.office_address.country_or_region ;; - group_label: "About User Office Address" - group_item_label: "Country or Region" - } - - dimension: about__user__office_address__desk_name { - type: string - sql: ${TABLE}.about.user.office_address.desk_name ;; - group_label: "About User Office Address" - group_item_label: "Desk Name" - } - - dimension: about__user__office_address__floor_name { - type: string - sql: ${TABLE}.about.user.office_address.floor_name ;; - group_label: "About User Office Address" - group_item_label: "Floor Name" - } - - dimension: about__user__office_address__name { - type: string - sql: ${TABLE}.about.user.office_address.name ;; - group_label: "About User Office Address" - group_item_label: "Name" - } - - dimension: about__user__office_address__region_latitude { - type: number - sql: ${TABLE}.about.user.office_address.region_latitude ;; - group_label: "About User Office Address" - group_item_label: "Region Latitude" - } - - dimension: about__user__office_address__region_longitude { - type: number - sql: ${TABLE}.about.user.office_address.region_longitude ;; - group_label: "About User Office Address" - group_item_label: "Region Longitude" - } - - dimension: about__user__office_address__state { - type: string - sql: ${TABLE}.about.user.office_address.state ;; - group_label: "About User Office Address" - group_item_label: "State" - } - - dimension: 
about__user__personal_address__city { - type: string - sql: ${TABLE}.about.user.personal_address.city ;; - group_label: "About User Personal Address" - group_item_label: "City" - } - - dimension: about__user__personal_address__country_or_region { - type: string - sql: ${TABLE}.about.user.personal_address.country_or_region ;; - group_label: "About User Personal Address" - group_item_label: "Country or Region" - } - - dimension: about__user__personal_address__desk_name { - type: string - sql: ${TABLE}.about.user.personal_address.desk_name ;; - group_label: "About User Personal Address" - group_item_label: "Desk Name" - } - - dimension: about__user__personal_address__floor_name { - type: string - sql: ${TABLE}.about.user.personal_address.floor_name ;; - group_label: "About User Personal Address" - group_item_label: "Floor Name" - } - - dimension: about__user__personal_address__name { - type: string - sql: ${TABLE}.about.user.personal_address.name ;; - group_label: "About User Personal Address" - group_item_label: "Name" - } - - dimension: about__user__personal_address__region_latitude { - type: number - sql: ${TABLE}.about.user.personal_address.region_latitude ;; - group_label: "About User Personal Address" - group_item_label: "Region Latitude" - } - - dimension: about__user__personal_address__region_longitude { - type: number - sql: ${TABLE}.about.user.personal_address.region_longitude ;; - group_label: "About User Personal Address" - group_item_label: "Region Longitude" - } - - dimension: about__user__personal_address__state { - type: string - sql: ${TABLE}.about.user.personal_address.state ;; - group_label: "About User Personal Address" - group_item_label: "State" - } - - dimension: about__user__phone_numbers { - hidden: yes - sql: ${TABLE}.about.user.phone_numbers ;; - group_label: "About User" - group_item_label: "Phone Numbers" - } - - dimension: about__user__product_object_id { - type: string - sql: ${TABLE}.about.user.product_object_id ;; - group_label: "About 
User" - group_item_label: "Product Object ID" - } - - dimension: about__user__role_description { - type: string - sql: ${TABLE}.about.user.role_description ;; - group_label: "About User" - group_item_label: "Role Description" - } - - dimension: about__user__role_name { - type: string - sql: ${TABLE}.about.user.role_name ;; - group_label: "About User" - group_item_label: "Role Name" - } - - dimension: about__user__termination_date__nanos { - type: number - sql: ${TABLE}.about.user.termination_date.nanos ;; - group_label: "About User Termination Date" - group_item_label: "Nanos" - } - - dimension: about__user__termination_date__seconds { - type: number - sql: ${TABLE}.about.user.termination_date.seconds ;; - group_label: "About User Termination Date" - group_item_label: "Seconds" - } - - dimension: about__user__time_off { - hidden: yes - sql: ${TABLE}.about.user.time_off ;; - group_label: "About User" - group_item_label: "Time Off" - } - - dimension: about__user__title { - type: string - sql: ${TABLE}.about.user.title ;; - group_label: "About User" - group_item_label: "Title" - } - - dimension: about__user__user_authentication_status { - type: number - sql: ${TABLE}.about.user.user_authentication_status ;; - group_label: "About User" - group_item_label: "User Authentication Status" - } - - dimension: about__user__user_display_name { - type: string - sql: ${TABLE}.about.user.user_display_name ;; - group_label: "About User" - group_item_label: "User Display Name" - } - - dimension: about__user__user_role { - type: number - sql: ${TABLE}.about.user.user_role ;; - group_label: "About User" - group_item_label: "User Role" - } - - dimension: about__user__userid { - type: string - sql: ${TABLE}.about.user.userid ;; - group_label: "About User" - group_item_label: "Userid" - } - - dimension: about__user__windows_sid { - type: string - sql: ${TABLE}.about.user.windows_sid ;; - group_label: "About User" - group_item_label: "Windows Sid" - } - - dimension: 
about__user_management_chain { - hidden: yes - sql: ${TABLE}.about.user_management_chain ;; - group_label: "About" - group_item_label: "User Management Chain" - } - - dimension: cve_description { - type: string - sql: ${TABLE}.cve_description ;; - } - - dimension: cve_id { - type: string - sql: ${TABLE}.cve_id ;; - } - - dimension: cvss_base_score { - type: number - sql: ${TABLE}.cvss_base_score ;; - } - - dimension: cvss_vector { - type: string - sql: ${TABLE}.cvss_vector ;; - } - - dimension: cvss_version { - type: string - sql: ${TABLE}.cvss_version ;; - } - - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: first_found__nanos { - type: number - sql: ${TABLE}.first_found.nanos ;; - group_label: "First Found" - group_item_label: "Nanos" - } - - dimension: first_found__seconds { - type: number - sql: ${TABLE}.first_found.seconds ;; - group_label: "First Found" - group_item_label: "Seconds" - } - - dimension: last_found__nanos { - type: number - sql: ${TABLE}.last_found.nanos ;; - group_label: "Last Found" - group_item_label: "Nanos" - } - - dimension: last_found__seconds { - type: number - sql: ${TABLE}.last_found.seconds ;; - group_label: "Last Found" - group_item_label: "Seconds" - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: scan_end_time__nanos { - type: number - sql: ${TABLE}.scan_end_time.nanos ;; - group_label: "Scan End Time" - group_item_label: "Nanos" - } - - dimension: scan_end_time__seconds { - type: number - sql: ${TABLE}.scan_end_time.seconds ;; - group_label: "Scan End Time" - group_item_label: "Seconds" - } - - dimension: scan_start_time__nanos { - type: number - sql: ${TABLE}.scan_start_time.nanos ;; - group_label: "Scan Start Time" - group_item_label: "Nanos" - } - - dimension: scan_start_time__seconds { - type: number - sql: ${TABLE}.scan_start_time.seconds ;; - group_label: "Scan Start Time" - group_item_label: "Seconds" - } - - dimension: severity { - type: number - 
sql: ${TABLE}.severity ;; - } - - dimension: severity_details { - type: string - sql: ${TABLE}.severity_details ;; - } - - dimension: vendor { - type: string - sql: ${TABLE}.vendor ;; - } - - dimension: vendor_knowledge_base_article_id { - type: string - sql: ${TABLE}.vendor_knowledge_base_article_id ;; - } - - dimension: vendor_vulnerability_id { - type: string - sql: ${TABLE}.vendor_vulnerability_id ;; - } - } - - view: udm_events__about__user_management_chain__department { - dimension: udm_events__about__user_management_chain__department { - type: string - sql: udm_events__about__user_management_chain__department ;; - } - } - - view: udm_events__about__domain__tech__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: ${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__about__domain__tech__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__about__domain__tech__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value 
;; - } - } - - view: udm_events__about__domain__billing__group_identifiers { - dimension: udm_events__about__domain__billing__group_identifiers { - type: string - sql: udm_events__about__domain__billing__group_identifiers ;; - } - } - - view: udm_events__about__domain__zone__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: ${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__about__domain__zone__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__about__domain__zone__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__about__asset__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__intermediary__file__pe_file__section { - dimension: entropy { - type: number - sql: 
${TABLE}.entropy ;; - } - - dimension: md5_hex { - type: string - sql: ${TABLE}.md5_hex ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: raw_size_bytes { - type: number - sql: ${TABLE}.raw_size_bytes ;; - } - - dimension: virtual_size_bytes { - type: number - sql: ${TABLE}.virtual_size_bytes ;; - } - } - - view: udm_events__intermediary__domain__tech__phone_numbers { - dimension: udm_events__intermediary__domain__tech__phone_numbers { - type: string - sql: udm_events__intermediary__domain__tech__phone_numbers ;; - } - } - - view: udm_events__intermediary__domain__billing__department { - dimension: udm_events__intermediary__domain__billing__department { - type: string - sql: udm_events__intermediary__domain__billing__department ;; - } - } - - view: udm_events__intermediary__domain__zone__phone_numbers { - dimension: udm_events__intermediary__domain__zone__phone_numbers { - type: string - sql: udm_events__intermediary__domain__zone__phone_numbers ;; - } - } - - view: udm_events__intermediary__user__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: ${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__intermediary__user__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: 
name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__intermediary__user__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__principal__file__pe_file__imports { - dimension: functions { - hidden: yes - sql: ${TABLE}.functions ;; - } - - dimension: library { - type: string - sql: ${TABLE}.library ;; - } - } - - view: udm_events__principal__group__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__principal__group__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__principal__process__command_line_history { - dimension: udm_events__principal__process__command_line_history { - type: string - sql: udm_events__principal__process__command_line_history ;; - } - } - - view: udm_events__principal__process_ancestors__file__names { - dimension: udm_events__principal__process_ancestors__file__names { - type: string - sql: udm_events__principal__process_ancestors__file__names ;; - } - } - - view: udm_events__principal__domain__admin__email_addresses { - dimension: udm_events__principal__domain__admin__email_addresses { - type: string - sql: udm_events__principal__domain__admin__email_addresses ;; - } - } - - view: udm_events__principal__domain__billing__phone_numbers { - dimension: udm_events__principal__domain__billing__phone_numbers { - type: string - sql: udm_events__principal__domain__billing__phone_numbers ;; - } 
- } - - view: udm_events__principal__domain__registrant__department { - dimension: udm_events__principal__domain__registrant__department { - type: string - sql: udm_events__principal__domain__registrant__department ;; - } + dimension: source { + type: string + sql: ${TABLE}.source ;; } - view: udm_events__observer__file__pe_file__resource { - dimension: entropy { - type: number - sql: ${TABLE}.entropy ;; - } - - dimension: file_type { - type: string - sql: ${TABLE}.file_type ;; - } - - dimension: filetype_magic { - type: string - sql: ${TABLE}.filetype_magic ;; - } - - dimension: language_code { - type: string - sql: ${TABLE}.language_code ;; - } - - dimension: resource_type { - type: string - sql: ${TABLE}.resource_type ;; - } - - dimension: sha256_hex { - type: string - sql: ${TABLE}.sha256_hex ;; - } - } - - view: udm_events__observer__resource__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__observer__resource__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__observer__domain__tech__group_identifiers { - dimension: udm_events__observer__domain__tech__group_identifiers { - type: string - sql: udm_events__observer__domain__tech__group_identifiers ;; - } - } - - view: udm_events__observer__domain__zone__group_identifiers { - dimension: udm_events__observer__domain__zone__group_identifiers { - type: string - sql: udm_events__observer__domain__zone__group_identifiers ;; - } - } - - view: udm_events__src__cloud__project__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - 
} - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__src__cloud__project__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__src__file__pe_file__signature_info__signer { - dimension: udm_events__src__file__pe_file__signature_info__signer { - type: string - sql: udm_events__src__file__pe_file__signature_info__signer ;; - } - } - - view: udm_events__src__group__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__security_result__about__ip_location { - dimension: city { - type: string - sql: ${TABLE}.city ;; - } - - dimension: country_or_region { - type: string - sql: ${TABLE}.country_or_region ;; - } - - dimension: desk_name { - type: string - sql: ${TABLE}.desk_name ;; - } - - dimension: floor_name { - type: string - sql: ${TABLE}.floor_name ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: region_latitude { - type: number - sql: ${TABLE}.region_latitude ;; - } - - dimension: region_longitude { - type: number - sql: ${TABLE}.region_longitude ;; - } - - dimension: state { - type: string - sql: ${TABLE}.state ;; - } - } - - view: udm_events__security_result__about__asset__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__target__domain__registrant__phone_numbers { - dimension: udm_events__target__domain__registrant__phone_numbers { - type: string - sql: udm_events__target__domain__registrant__phone_numbers ;; - } - } - - 
view: udm_events__target__asset__software__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__target__user__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__about__process__file__pe_file__section { - dimension: entropy { - type: number - sql: ${TABLE}.entropy ;; - } - - dimension: md5_hex { - type: string - sql: ${TABLE}.md5_hex ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: raw_size_bytes { - type: number - sql: ${TABLE}.raw_size_bytes ;; - } - - dimension: virtual_size_bytes { - type: number - sql: ${TABLE}.virtual_size_bytes ;; - } - } - - view: udm_events__about__domain__admin__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: ${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__about__domain__admin__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: 
string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__about__domain__admin__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__about__domain__registrant__email_addresses { - dimension: udm_events__about__domain__registrant__email_addresses { - type: string - sql: udm_events__about__domain__registrant__email_addresses ;; - } - } - - view: udm_events__intermediary__domain__admin__phone_numbers { - dimension: udm_events__intermediary__domain__admin__phone_numbers { - type: string - sql: udm_events__intermediary__domain__admin__phone_numbers ;; - } - } - - view: udm_events__intermediary__asset__vulnerabilities { - dimension: cve_description { - type: string - sql: ${TABLE}.cve_description ;; - } - - dimension: cve_id { - type: string - sql: ${TABLE}.cve_id ;; - } - - dimension: cvss_base_score { - type: number - sql: ${TABLE}.cvss_base_score ;; - } - - dimension: cvss_vector { - type: string - sql: ${TABLE}.cvss_vector ;; - } - - dimension: cvss_version { - type: string - sql: ${TABLE}.cvss_version ;; - } - - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: first_found__nanos { - type: number - sql: ${TABLE}.first_found.nanos ;; - group_label: "First Found" - group_item_label: "Nanos" - } - - dimension: first_found__seconds { - type: number - sql: ${TABLE}.first_found.seconds ;; - group_label: "First Found" - group_item_label: "Seconds" - } - - dimension: last_found__nanos { - type: number - sql: ${TABLE}.last_found.nanos ;; - group_label: "Last Found" - group_item_label: "Nanos" - } - - dimension: last_found__seconds { - type: number - sql: ${TABLE}.last_found.seconds ;; - group_label: "Last Found" - group_item_label: "Seconds" - } - - dimension: name { - type: string 
- sql: ${TABLE}.name ;; - } - - dimension: scan_end_time__nanos { - type: number - sql: ${TABLE}.scan_end_time.nanos ;; - group_label: "Scan End Time" - group_item_label: "Nanos" - } - - dimension: scan_end_time__seconds { - type: number - sql: ${TABLE}.scan_end_time.seconds ;; - group_label: "Scan End Time" - group_item_label: "Seconds" - } - - dimension: scan_start_time__nanos { - type: number - sql: ${TABLE}.scan_start_time.nanos ;; - group_label: "Scan Start Time" - group_item_label: "Nanos" - } - - dimension: scan_start_time__seconds { - type: number - sql: ${TABLE}.scan_start_time.seconds ;; - group_label: "Scan Start Time" - group_item_label: "Seconds" - } - - dimension: severity { - type: number - sql: ${TABLE}.severity ;; - } - - dimension: severity_details { - type: string - sql: ${TABLE}.severity_details ;; - } - - dimension: vendor { - type: string - sql: ${TABLE}.vendor ;; - } - - dimension: vendor_knowledge_base_article_id { - type: string - sql: ${TABLE}.vendor_knowledge_base_article_id ;; - } - - dimension: vendor_vulnerability_id { - type: string - sql: ${TABLE}.vendor_vulnerability_id ;; - } - } - - view: udm_events__intermediary__asset__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__intermediary__asset__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__principal__file__pe_file__resource { - dimension: entropy { - type: number - sql: ${TABLE}.entropy ;; - } - - dimension: file_type { - type: string - sql: ${TABLE}.file_type ;; - } - - dimension: filetype_magic { - type: string - sql: ${TABLE}.filetype_magic ;; - } - - dimension: language_code { - type: 
string - sql: ${TABLE}.language_code ;; - } - - dimension: resource_type { - type: string - sql: ${TABLE}.resource_type ;; - } - - dimension: sha256_hex { - type: string - sql: ${TABLE}.sha256_hex ;; - } - } - - view: udm_events__principal__resource__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__principal__resource__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } + dimension: value { + type: string + sql: ${TABLE}.value ;; } +} - view: udm_events__principal__domain__tech__group_identifiers { - dimension: udm_events__principal__domain__tech__group_identifiers { - type: string - sql: udm_events__principal__domain__tech__group_identifiers ;; - } - } - - view: udm_events__principal__domain__zone__group_identifiers { - dimension: udm_events__principal__domain__zone__group_identifiers { - type: string - sql: udm_events__principal__domain__zone__group_identifiers ;; - } - } - - view: udm_events__observer__cloud__vpc__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__observer__cloud__vpc__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__observer__file__pe_file__imports__functions { - dimension: udm_events__observer__file__pe_file__imports__functions { - type: string - sql: 
udm_events__observer__file__pe_file__imports__functions ;; - } - } - - view: udm_events__observer__process__file__capabilities_tags { - dimension: udm_events__observer__process__file__capabilities_tags { - type: string - sql: udm_events__observer__process__file__capabilities_tags ;; - } - } - - view: udm_events__observer__domain__admin__group_identifiers { - dimension: udm_events__observer__domain__admin__group_identifiers { - type: string - sql: udm_events__observer__domain__admin__group_identifiers ;; - } - } - - view: udm_events__observer__domain__billing__email_addresses { - dimension: udm_events__observer__domain__billing__email_addresses { - type: string - sql: udm_events__observer__domain__billing__email_addresses ;; - } - } - - view: udm_events__src__resource__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__src__user_management_chain__phone_numbers { - dimension: udm_events__src__user_management_chain__phone_numbers { - type: string - sql: udm_events__src__user_management_chain__phone_numbers ;; - } - } - - view: udm_events__src__domain__billing__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: ${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds 
;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__src__domain__billing__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__src__domain__billing__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__src__domain__registrant__group_identifiers { - dimension: udm_events__src__domain__registrant__group_identifiers { - type: string - sql: udm_events__src__domain__registrant__group_identifiers ;; - } - } - - view: udm_events__target__user_management_chain__department { - dimension: udm_events__target__user_management_chain__department { - type: string - sql: udm_events__target__user_management_chain__department ;; - } - } - - view: udm_events__target__domain__tech__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: ${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__target__domain__tech__attribute__roles { - dimension: description { - 
type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__target__domain__tech__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__target__domain__billing__group_identifiers { - dimension: udm_events__target__domain__billing__group_identifiers { - type: string - sql: udm_events__target__domain__billing__group_identifiers ;; - } - } - - view: udm_events__target__domain__zone__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: ${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__target__domain__zone__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__target__domain__zone__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: 
value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__target__asset__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__about__cloud__project__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__about__cloud__project__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__about__file__pe_file__signature_info__signer { - dimension: udm_events__about__file__pe_file__signature_info__signer { - type: string - sql: udm_events__about__file__pe_file__signature_info__signer ;; - } - } - - view: udm_events__about__group__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__intermediary__user_management_chain { - dimension: account_type { - type: number - sql: ${TABLE}.account_type ;; - } - - dimension: attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.attribute.cloud.availability_zone ;; - group_label: "Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: attribute__cloud__environment { - type: number - sql: ${TABLE}.attribute.cloud.environment ;; - group_label: "Attribute Cloud" - group_item_label: "Environment" - } - - dimension: attribute__cloud__project__id { - type: string - sql: ${TABLE}.attribute.cloud.project.id ;; - 
group_label: "Attribute Cloud Project" - group_item_label: "ID" - } - - dimension: attribute__cloud__project__name { - type: string - sql: ${TABLE}.attribute.cloud.project.name ;; - group_label: "Attribute Cloud Project" - group_item_label: "Name" - } - - dimension: attribute__cloud__project__parent { - type: string - sql: ${TABLE}.attribute.cloud.project.parent ;; - group_label: "Attribute Cloud Project" - group_item_label: "Parent" - } - - dimension: attribute__cloud__project__product_object_id { - type: string - sql: ${TABLE}.attribute.cloud.project.product_object_id ;; - group_label: "Attribute Cloud Project" - group_item_label: "Product Object ID" - } - - dimension: attribute__cloud__project__resource_subtype { - type: string - sql: ${TABLE}.attribute.cloud.project.resource_subtype ;; - group_label: "Attribute Cloud Project" - group_item_label: "Resource Subtype" - } - - dimension: attribute__cloud__project__resource_type { - type: number - sql: ${TABLE}.attribute.cloud.project.resource_type ;; - group_label: "Attribute Cloud Project" - group_item_label: "Resource Type" - } - - dimension: attribute__cloud__project__type { - type: string - sql: ${TABLE}.attribute.cloud.project.type ;; - group_label: "Attribute Cloud Project" - group_item_label: "Type" - } - - dimension: attribute__cloud__vpc__id { - type: string - sql: ${TABLE}.attribute.cloud.vpc.id ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "ID" - } - - dimension: attribute__cloud__vpc__name { - type: string - sql: ${TABLE}.attribute.cloud.vpc.name ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "Name" - } - - dimension: attribute__cloud__vpc__parent { - type: string - sql: ${TABLE}.attribute.cloud.vpc.parent ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "Parent" - } - - dimension: attribute__cloud__vpc__product_object_id { - type: string - sql: ${TABLE}.attribute.cloud.vpc.product_object_id ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "Product Object 
ID" - } - - dimension: attribute__cloud__vpc__resource_subtype { - type: string - sql: ${TABLE}.attribute.cloud.vpc.resource_subtype ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "Resource Subtype" - } - - dimension: attribute__cloud__vpc__resource_type { - type: number - sql: ${TABLE}.attribute.cloud.vpc.resource_type ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "Resource Type" - } - - dimension: attribute__cloud__vpc__type { - type: string - sql: ${TABLE}.attribute.cloud.vpc.type ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "Type" - } - - dimension: attribute__creation_time__nanos { - type: number - sql: ${TABLE}.attribute.creation_time.nanos ;; - group_label: "Attribute Creation Time" - group_item_label: "Nanos" - } - - dimension: attribute__creation_time__seconds { - type: number - sql: ${TABLE}.attribute.creation_time.seconds ;; - group_label: "Attribute Creation Time" - group_item_label: "Seconds" - } - - dimension: attribute__labels { - hidden: yes - sql: ${TABLE}.attribute.labels ;; - group_label: "Attribute" - group_item_label: "Labels" - } - - dimension: attribute__last_update_time__nanos { - type: number - sql: ${TABLE}.attribute.last_update_time.nanos ;; - group_label: "Attribute Last Update Time" - group_item_label: "Nanos" - } - - dimension: attribute__last_update_time__seconds { - type: number - sql: ${TABLE}.attribute.last_update_time.seconds ;; - group_label: "Attribute Last Update Time" - group_item_label: "Seconds" - } - - dimension: attribute__permissions { - hidden: yes - sql: ${TABLE}.attribute.permissions ;; - group_label: "Attribute" - group_item_label: "Permissions" - } - - dimension: attribute__roles { - hidden: yes - sql: ${TABLE}.attribute.roles ;; - group_label: "Attribute" - group_item_label: "Roles" - } - - dimension: company_name { - type: string - sql: ${TABLE}.company_name ;; - } - - dimension: department { - hidden: yes - sql: ${TABLE}.department ;; - } - - dimension: email_addresses { - 
hidden: yes - sql: ${TABLE}.email_addresses ;; - } - - dimension: employee_id { - type: string - sql: ${TABLE}.employee_id ;; - } - - dimension: first_name { - type: string - sql: ${TABLE}.first_name ;; - } - - dimension: first_seen_time__nanos { - type: number - sql: ${TABLE}.first_seen_time.nanos ;; - group_label: "First Seen Time" - group_item_label: "Nanos" - } - - dimension: first_seen_time__seconds { - type: number - sql: ${TABLE}.first_seen_time.seconds ;; - group_label: "First Seen Time" - group_item_label: "Seconds" - } - - dimension: group_identifiers { - hidden: yes - sql: ${TABLE}.group_identifiers ;; - } - - dimension: groupid { - type: string - sql: ${TABLE}.groupid ;; - } - - dimension: hire_date__nanos { - type: number - sql: ${TABLE}.hire_date.nanos ;; - group_label: "Hire Date" - group_item_label: "Nanos" - } - - dimension: hire_date__seconds { - type: number - sql: ${TABLE}.hire_date.seconds ;; - group_label: "Hire Date" - group_item_label: "Seconds" - } - - dimension: last_name { - type: string - sql: ${TABLE}.last_name ;; - } - - dimension: middle_name { - type: string - sql: ${TABLE}.middle_name ;; - } - - dimension: office_address__city { - type: string - sql: ${TABLE}.office_address.city ;; - group_label: "Office Address" - group_item_label: "City" - } - - dimension: office_address__country_or_region { - type: string - sql: ${TABLE}.office_address.country_or_region ;; - group_label: "Office Address" - group_item_label: "Country or Region" - } - - dimension: office_address__desk_name { - type: string - sql: ${TABLE}.office_address.desk_name ;; - group_label: "Office Address" - group_item_label: "Desk Name" - } - - dimension: office_address__floor_name { - type: string - sql: ${TABLE}.office_address.floor_name ;; - group_label: "Office Address" - group_item_label: "Floor Name" - } - - dimension: office_address__name { - type: string - sql: ${TABLE}.office_address.name ;; - group_label: "Office Address" - group_item_label: "Name" - } - - 
dimension: office_address__region_latitude { - type: number - sql: ${TABLE}.office_address.region_latitude ;; - group_label: "Office Address" - group_item_label: "Region Latitude" - } - - dimension: office_address__region_longitude { - type: number - sql: ${TABLE}.office_address.region_longitude ;; - group_label: "Office Address" - group_item_label: "Region Longitude" - } - - dimension: office_address__state { - type: string - sql: ${TABLE}.office_address.state ;; - group_label: "Office Address" - group_item_label: "State" - } - - dimension: personal_address__city { - type: string - sql: ${TABLE}.personal_address.city ;; - group_label: "Personal Address" - group_item_label: "City" - } - - dimension: personal_address__country_or_region { - type: string - sql: ${TABLE}.personal_address.country_or_region ;; - group_label: "Personal Address" - group_item_label: "Country or Region" - } - - dimension: personal_address__desk_name { - type: string - sql: ${TABLE}.personal_address.desk_name ;; - group_label: "Personal Address" - group_item_label: "Desk Name" - } - - dimension: personal_address__floor_name { - type: string - sql: ${TABLE}.personal_address.floor_name ;; - group_label: "Personal Address" - group_item_label: "Floor Name" - } - - dimension: personal_address__name { - type: string - sql: ${TABLE}.personal_address.name ;; - group_label: "Personal Address" - group_item_label: "Name" - } - - dimension: personal_address__region_latitude { - type: number - sql: ${TABLE}.personal_address.region_latitude ;; - group_label: "Personal Address" - group_item_label: "Region Latitude" - } - - dimension: personal_address__region_longitude { - type: number - sql: ${TABLE}.personal_address.region_longitude ;; - group_label: "Personal Address" - group_item_label: "Region Longitude" - } - - dimension: personal_address__state { - type: string - sql: ${TABLE}.personal_address.state ;; - group_label: "Personal Address" - group_item_label: "State" - } - - dimension: phone_numbers { - 
hidden: yes - sql: ${TABLE}.phone_numbers ;; - } - - dimension: product_object_id { - type: string - sql: ${TABLE}.product_object_id ;; - } - - dimension: role_description { - type: string - sql: ${TABLE}.role_description ;; - } - - dimension: role_name { - type: string - sql: ${TABLE}.role_name ;; - } - - dimension: termination_date__nanos { - type: number - sql: ${TABLE}.termination_date.nanos ;; - group_label: "Termination Date" - group_item_label: "Nanos" - } - - dimension: termination_date__seconds { - type: number - sql: ${TABLE}.termination_date.seconds ;; - group_label: "Termination Date" - group_item_label: "Seconds" - } - - dimension: time_off { - hidden: yes - sql: ${TABLE}.time_off ;; - } - - dimension: title { - type: string - sql: ${TABLE}.title ;; - } - - dimension: user_authentication_status { - type: number - sql: ${TABLE}.user_authentication_status ;; - } - - dimension: user_display_name { - type: string - sql: ${TABLE}.user_display_name ;; - } - - dimension: user_role { - type: number - sql: ${TABLE}.user_role ;; - } - - dimension: userid { - type: string - sql: ${TABLE}.userid ;; - } - - dimension: windows_sid { - type: string - sql: ${TABLE}.windows_sid ;; - } - } - - view: udm_events__intermediary__domain__tech__email_addresses { - dimension: udm_events__intermediary__domain__tech__email_addresses { - type: string - sql: udm_events__intermediary__domain__tech__email_addresses ;; - } - } - - view: udm_events__intermediary__domain__zone__email_addresses { - dimension: udm_events__intermediary__domain__zone__email_addresses { - type: string - sql: udm_events__intermediary__domain__zone__email_addresses ;; - } - } - - view: udm_events__principal__cloud__vpc__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__principal__cloud__vpc__attribute__labels { 
- dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__principal__file__pe_file__imports__functions { - dimension: udm_events__principal__file__pe_file__imports__functions { - type: string - sql: udm_events__principal__file__pe_file__imports__functions ;; - } - } - - view: udm_events__principal__process__file__capabilities_tags { - dimension: udm_events__principal__process__file__capabilities_tags { - type: string - sql: udm_events__principal__process__file__capabilities_tags ;; - } +view: udm_events__security_result__about__asset__ip { + dimension: udm_events__security_result__about__asset__ip { + type: string + sql: udm_events__security_result__about__asset__ip ;; } +} - view: udm_events__principal__domain__admin__group_identifiers { - dimension: udm_events__principal__domain__admin__group_identifiers { - type: string - sql: udm_events__principal__domain__admin__group_identifiers ;; - } - } - - view: udm_events__principal__domain__billing__email_addresses { - dimension: udm_events__principal__domain__billing__email_addresses { - type: string - sql: udm_events__principal__domain__billing__email_addresses ;; - } +view: udm_events__target__group__email_addresses { + dimension: udm_events__target__group__email_addresses { + type: string + sql: udm_events__target__group__email_addresses ;; } +} - view: udm_events__observer__domain__registrant__phone_numbers { - dimension: udm_events__observer__domain__registrant__phone_numbers { - type: string - sql: udm_events__observer__domain__registrant__phone_numbers ;; - } +view: udm_events__target__domain__admin__department { + dimension: udm_events__target__domain__admin__department { + type: string + sql: udm_events__target__domain__admin__department ;; } +} - view: udm_events__observer__asset__software__permissions { - dimension: description { - type: string - 
sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } +view: udm_events__about__file__pe_file__section { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; } - view: udm_events__observer__user__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__src__cloud__vpc__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__src__process__file__pe_file__imports { - dimension: functions { - hidden: yes - sql: ${TABLE}.functions ;; - } - - dimension: library { - type: string - sql: ${TABLE}.library ;; - } - } - - view: udm_events__security_result__about__process__file__names { - dimension: udm_events__security_result__about__process__file__names { - type: string - sql: udm_events__security_result__about__process__file__names ;; - } - } - - view: udm_events__security_result__about__domain__name_server { - dimension: udm_events__security_result__about__domain__name_server { - type: string - sql: udm_events__security_result__about__domain__name_server ;; - } - } - - view: udm_events__security_result__about__asset__hardware { - dimension: cpu_clock_speed { - type: number - sql: ${TABLE}.cpu_clock_speed ;; - } - - dimension: cpu_max_clock_speed { - type: number - sql: ${TABLE}.cpu_max_clock_speed ;; - } - - dimension: cpu_model { - type: string - sql: ${TABLE}.cpu_model ;; - } - - dimension: cpu_number_cores { - type: number - sql: ${TABLE}.cpu_number_cores ;; - } - - dimension: cpu_platform { - type: string - sql: ${TABLE}.cpu_platform ;; - } - - dimension: 
manufacturer { - type: string - sql: ${TABLE}.manufacturer ;; - } - - dimension: model { - type: string - sql: ${TABLE}.model ;; - } - - dimension: ram { - type: number - sql: ${TABLE}.ram ;; - } - - dimension: serial_number { - type: string - sql: ${TABLE}.serial_number ;; - } - } - - view: udm_events__security_result__about__user__phone_numbers { - dimension: udm_events__security_result__about__user__phone_numbers { - type: string - sql: udm_events__security_result__about__user__phone_numbers ;; - } - } - - view: udm_events__target__process__file__pe_file__section { - dimension: entropy { - type: number - sql: ${TABLE}.entropy ;; - } - - dimension: md5_hex { - type: string - sql: ${TABLE}.md5_hex ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: raw_size_bytes { - type: number - sql: ${TABLE}.raw_size_bytes ;; - } - - dimension: virtual_size_bytes { - type: number - sql: ${TABLE}.virtual_size_bytes ;; - } - } - - view: udm_events__target__domain__admin__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: ${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__target__domain__admin__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: 
${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__target__domain__admin__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__target__domain__registrant__email_addresses { - dimension: udm_events__target__domain__registrant__email_addresses { - type: string - sql: udm_events__target__domain__registrant__email_addresses ;; - } - } - - view: udm_events__about__resource__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__about__user_management_chain__phone_numbers { - dimension: udm_events__about__user_management_chain__phone_numbers { - type: string - sql: udm_events__about__user_management_chain__phone_numbers ;; - } - } - - view: udm_events__about__domain__billing__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: ${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__about__domain__billing__attribute__roles { - 
dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__about__domain__billing__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__about__domain__registrant__group_identifiers { - dimension: udm_events__about__domain__registrant__group_identifiers { - type: string - sql: udm_events__about__domain__registrant__group_identifiers ;; - } - } - - view: udm_events__intermediary__file__pe_file__imports { - dimension: functions { - hidden: yes - sql: ${TABLE}.functions ;; - } - - dimension: library { - type: string - sql: ${TABLE}.library ;; - } - } - - view: udm_events__intermediary__group__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__intermediary__group__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__intermediary__process__command_line_history { - dimension: udm_events__intermediary__process__command_line_history { - type: string - sql: udm_events__intermediary__process__command_line_history ;; - } - } - - view: udm_events__intermediary__process_ancestors__file__names { - dimension: udm_events__intermediary__process_ancestors__file__names { - type: string - sql: udm_events__intermediary__process_ancestors__file__names ;; - } - } - - view: udm_events__intermediary__domain__admin__email_addresses { - dimension: 
udm_events__intermediary__domain__admin__email_addresses { - type: string - sql: udm_events__intermediary__domain__admin__email_addresses ;; - } - } - - view: udm_events__intermediary__domain__billing__phone_numbers { - dimension: udm_events__intermediary__domain__billing__phone_numbers { - type: string - sql: udm_events__intermediary__domain__billing__phone_numbers ;; - } - } - - view: udm_events__intermediary__domain__registrant__department { - dimension: udm_events__intermediary__domain__registrant__department { - type: string - sql: udm_events__intermediary__domain__registrant__department ;; - } - } - - view: udm_events__principal__domain__registrant__phone_numbers { - dimension: udm_events__principal__domain__registrant__phone_numbers { - type: string - sql: udm_events__principal__domain__registrant__phone_numbers ;; - } - } - - view: udm_events__principal__asset__software__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__principal__user__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__observer__user_management_chain__department { - dimension: udm_events__observer__user_management_chain__department { - type: string - sql: udm_events__observer__user_management_chain__department ;; - } - } - - view: udm_events__observer__domain__tech__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: 
${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__observer__domain__tech__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__observer__domain__tech__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__observer__domain__billing__group_identifiers { - dimension: udm_events__observer__domain__billing__group_identifiers { - type: string - sql: udm_events__observer__domain__billing__group_identifiers ;; - } - } - - view: udm_events__observer__domain__zone__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: ${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: 
${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__observer__domain__zone__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__observer__domain__zone__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__observer__asset__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__src__file__pe_file__resources_type_count { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: value { - type: number - sql: ${TABLE}.value ;; - } - } - - view: udm_events__src__process__file__pe_file__resource { - dimension: entropy { - type: number - sql: ${TABLE}.entropy ;; - } - - dimension: file_type { - type: string - sql: ${TABLE}.file_type ;; - } - - dimension: filetype_magic { - type: string - sql: ${TABLE}.filetype_magic ;; - } - - dimension: language_code { - type: string - sql: ${TABLE}.language_code ;; - } - - dimension: resource_type { - type: string - sql: ${TABLE}.resource_type ;; - } - - dimension: sha256_hex { - type: string - sql: ${TABLE}.sha256_hex ;; - } - } - - view: udm_events__src__user_management_chain__email_addresses { - dimension: udm_events__src__user_management_chain__email_addresses { - type: string - sql: udm_events__src__user_management_chain__email_addresses ;; - } - } - - view: udm_events__security_result__about__asset__software { - dimension: name { - type: string - 
sql: ${TABLE}.name ;; - } - - dimension: permissions { - hidden: yes - sql: ${TABLE}.permissions ;; - } - - dimension: version { - type: string - sql: ${TABLE}.version ;; - } - } - - view: udm_events__target__cloud__project__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__target__cloud__project__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__target__file__pe_file__signature_info__signer { - dimension: udm_events__target__file__pe_file__signature_info__signer { - type: string - sql: udm_events__target__file__pe_file__signature_info__signer ;; - } - } - - view: udm_events__target__group__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__ip { - dimension: udm_events__extensions__vulns__vulnerabilities__about__ip { - type: string - sql: udm_events__extensions__vulns__vulnerabilities__about__ip ;; - } - } - - view: udm_events__about__cloud__vpc__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } + dimension: md5_hex { + type: string + sql: ${TABLE}.md5_hex ;; } - view: udm_events__about__process__file__pe_file__imports { - dimension: functions { - hidden: yes - sql: ${TABLE}.functions ;; - } - - dimension: library { - type: string - sql: ${TABLE}.library 
;; - } - } - - view: udm_events__intermediary__file__pe_file__resource { - dimension: entropy { - type: number - sql: ${TABLE}.entropy ;; - } - - dimension: file_type { - type: string - sql: ${TABLE}.file_type ;; - } - - dimension: filetype_magic { - type: string - sql: ${TABLE}.filetype_magic ;; - } - - dimension: language_code { - type: string - sql: ${TABLE}.language_code ;; - } - - dimension: resource_type { - type: string - sql: ${TABLE}.resource_type ;; - } - - dimension: sha256_hex { - type: string - sql: ${TABLE}.sha256_hex ;; - } - } - - view: udm_events__intermediary__resource__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__intermediary__resource__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__intermediary__domain__tech__group_identifiers { - dimension: udm_events__intermediary__domain__tech__group_identifiers { - type: string - sql: udm_events__intermediary__domain__tech__group_identifiers ;; - } - } - - view: udm_events__intermediary__domain__zone__group_identifiers { - dimension: udm_events__intermediary__domain__zone__group_identifiers { - type: string - sql: udm_events__intermediary__domain__zone__group_identifiers ;; - } - } - - view: udm_events__principal__user_management_chain__department { - dimension: udm_events__principal__user_management_chain__department { - type: string - sql: udm_events__principal__user_management_chain__department ;; - } - } - - view: udm_events__principal__domain__tech__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: 
${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: ${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__principal__domain__tech__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__principal__domain__tech__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__principal__domain__billing__group_identifiers { - dimension: udm_events__principal__domain__billing__group_identifiers { - type: string - sql: udm_events__principal__domain__billing__group_identifiers ;; - } - } - - view: udm_events__principal__domain__zone__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: ${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: 
${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__principal__domain__zone__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__principal__domain__zone__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__principal__asset__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__observer__process__file__pe_file__section { - dimension: entropy { - type: number - sql: ${TABLE}.entropy ;; - } - - dimension: md5_hex { - type: string - sql: ${TABLE}.md5_hex ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: raw_size_bytes { - type: number - sql: ${TABLE}.raw_size_bytes ;; - } - - dimension: virtual_size_bytes { - type: number - sql: ${TABLE}.virtual_size_bytes ;; - } - } - - view: udm_events__observer__domain__admin__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: ${TABLE}.`interval`.end_time.seconds ;; - group_label: 
"Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__observer__domain__admin__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__observer__domain__admin__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__observer__domain__registrant__email_addresses { - dimension: udm_events__observer__domain__registrant__email_addresses { - type: string - sql: udm_events__observer__domain__registrant__email_addresses ;; - } - } - - view: udm_events__src__process__file__pe_file__imports__functions { - dimension: udm_events__src__process__file__pe_file__imports__functions { - type: string - sql: udm_events__src__process__file__pe_file__imports__functions ;; - } - } - - view: udm_events__src__process_ancestors__command_line_history { - dimension: udm_events__src__process_ancestors__command_line_history { - type: string - sql: udm_events__src__process_ancestors__command_line_history ;; - } - } - - view: udm_events__src__domain__tech__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: 
udm_events__src__domain__zone__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__src__domain__registrant__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: ${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__src__domain__registrant__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__src__domain__registrant__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__security_result__about__user__email_addresses { - dimension: udm_events__security_result__about__user__email_addresses { - type: string - sql: udm_events__security_result__about__user__email_addresses ;; - } - } - - view: udm_events__target__resource__attribute__permissions { - dimension: description { - type: string - 
sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__target__user_management_chain__phone_numbers { - dimension: udm_events__target__user_management_chain__phone_numbers { - type: string - sql: udm_events__target__user_management_chain__phone_numbers ;; - } - } - - view: udm_events__target__domain__billing__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: ${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__target__domain__billing__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__target__domain__billing__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__target__domain__registrant__group_identifiers { - dimension: udm_events__target__domain__registrant__group_identifiers { - type: string - sql: 
udm_events__target__domain__registrant__group_identifiers ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__mac { - dimension: udm_events__extensions__vulns__vulnerabilities__about__mac { - type: string - sql: udm_events__extensions__vulns__vulnerabilities__about__mac ;; - } - } - - view: udm_events__about__file__pe_file__resources_type_count { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: value { - type: number - sql: ${TABLE}.value ;; - } - } - - view: udm_events__about__process__file__pe_file__resource { - dimension: entropy { - type: number - sql: ${TABLE}.entropy ;; - } - - dimension: file_type { - type: string - sql: ${TABLE}.file_type ;; - } - - dimension: filetype_magic { - type: string - sql: ${TABLE}.filetype_magic ;; - } - - dimension: language_code { - type: string - sql: ${TABLE}.language_code ;; - } - - dimension: resource_type { - type: string - sql: ${TABLE}.resource_type ;; - } - - dimension: sha256_hex { - type: string - sql: ${TABLE}.sha256_hex ;; - } - } - - view: udm_events__about__user_management_chain__email_addresses { - dimension: udm_events__about__user_management_chain__email_addresses { - type: string - sql: udm_events__about__user_management_chain__email_addresses ;; - } - } - - view: udm_events__intermediary__cloud__vpc__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__intermediary__cloud__vpc__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__intermediary__file__pe_file__imports__functions { - dimension: udm_events__intermediary__file__pe_file__imports__functions { - type: string - sql: 
udm_events__intermediary__file__pe_file__imports__functions ;; - } - } - - view: udm_events__intermediary__process__file__capabilities_tags { - dimension: udm_events__intermediary__process__file__capabilities_tags { - type: string - sql: udm_events__intermediary__process__file__capabilities_tags ;; - } - } - - view: udm_events__intermediary__domain__admin__group_identifiers { - dimension: udm_events__intermediary__domain__admin__group_identifiers { - type: string - sql: udm_events__intermediary__domain__admin__group_identifiers ;; - } - } - - view: udm_events__intermediary__domain__billing__email_addresses { - dimension: udm_events__intermediary__domain__billing__email_addresses { - type: string - sql: udm_events__intermediary__domain__billing__email_addresses ;; - } - } - - view: udm_events__principal__process__file__pe_file__section { - dimension: entropy { - type: number - sql: ${TABLE}.entropy ;; - } - - dimension: md5_hex { - type: string - sql: ${TABLE}.md5_hex ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: raw_size_bytes { - type: number - sql: ${TABLE}.raw_size_bytes ;; - } - - dimension: virtual_size_bytes { - type: number - sql: ${TABLE}.virtual_size_bytes ;; - } - } - - view: udm_events__principal__domain__admin__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: ${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: 
${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__principal__domain__admin__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__principal__domain__admin__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__principal__domain__registrant__email_addresses { - dimension: udm_events__principal__domain__registrant__email_addresses { - type: string - sql: udm_events__principal__domain__registrant__email_addresses ;; - } - } - - view: udm_events__observer__cloud__project__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__observer__cloud__project__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__observer__file__pe_file__signature_info__signer { - dimension: udm_events__observer__file__pe_file__signature_info__signer { - type: string - sql: udm_events__observer__file__pe_file__signature_info__signer ;; - } - } - - view: udm_events__observer__group__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: 
udm_events__src__resource_ancestors__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__src__resource_ancestors__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__src__user_management_chain__group_identifiers { - dimension: udm_events__src__user_management_chain__group_identifiers { - type: string - sql: udm_events__src__user_management_chain__group_identifiers ;; - } - } - - view: udm_events__src__domain__admin__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__security_result__about__resource_ancestors { - drill_fields: [id] - - dimension: id { - primary_key: yes - type: string - sql: ${TABLE}.id ;; - } - - dimension: attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.attribute.cloud.availability_zone ;; - group_label: "Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: attribute__cloud__environment { - type: number - sql: ${TABLE}.attribute.cloud.environment ;; - group_label: "Attribute Cloud" - group_item_label: "Environment" - } - - dimension: attribute__creation_time__nanos { - type: number - sql: ${TABLE}.attribute.creation_time.nanos ;; - group_label: "Attribute Creation Time" - group_item_label: "Nanos" - } - - dimension: attribute__creation_time__seconds { - type: number - sql: ${TABLE}.attribute.creation_time.seconds ;; - group_label: "Attribute Creation Time" - group_item_label: "Seconds" - } - - dimension: 
attribute__labels { - hidden: yes - sql: ${TABLE}.attribute.labels ;; - group_label: "Attribute" - group_item_label: "Labels" - } - - dimension: attribute__last_update_time__nanos { - type: number - sql: ${TABLE}.attribute.last_update_time.nanos ;; - group_label: "Attribute Last Update Time" - group_item_label: "Nanos" - } - - dimension: attribute__last_update_time__seconds { - type: number - sql: ${TABLE}.attribute.last_update_time.seconds ;; - group_label: "Attribute Last Update Time" - group_item_label: "Seconds" - } - - dimension: attribute__permissions { - hidden: yes - sql: ${TABLE}.attribute.permissions ;; - group_label: "Attribute" - group_item_label: "Permissions" - } - - dimension: attribute__roles { - hidden: yes - sql: ${TABLE}.attribute.roles ;; - group_label: "Attribute" - group_item_label: "Roles" - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: parent { - type: string - sql: ${TABLE}.parent ;; - } - - dimension: product_object_id { - type: string - sql: ${TABLE}.product_object_id ;; - } - - dimension: resource_subtype { - type: string - sql: ${TABLE}.resource_subtype ;; - } - - dimension: resource_type { - type: number - sql: ${TABLE}.resource_type ;; - } - - dimension: type { - type: string - sql: ${TABLE}.type ;; - } - } - - view: udm_events__security_result__about__process_ancestors { - dimension: access_mask { - type: number - sql: ${TABLE}.access_mask ;; - } - - dimension: command_line { - type: string - sql: ${TABLE}.command_line ;; - } - - dimension: command_line_history { - hidden: yes - sql: ${TABLE}.command_line_history ;; - } - - dimension: file__ahash { - type: string - sql: ${TABLE}.file.ahash ;; - group_label: "File" - group_item_label: "Ahash" - } - - dimension: file__authentihash { - type: string - sql: ${TABLE}.file.authentihash ;; - group_label: "File" - group_item_label: "Authentihash" - } - - dimension: file__capabilities_tags { - hidden: yes - sql: ${TABLE}.file.capabilities_tags ;; - 
group_label: "File" - group_item_label: "Capabilities Tags" - } - - dimension: file__file_metadata__pe__import_hash { - type: string - sql: ${TABLE}.file.file_metadata.pe.import_hash ;; - group_label: "File File Metadata Pe" - group_item_label: "Import Hash" - } - - dimension: file__file_type { - type: number - sql: ${TABLE}.file.file_type ;; - group_label: "File" - group_item_label: "File Type" - } - - dimension: file__first_seen_time__nanos { - type: number - sql: ${TABLE}.file.first_seen_time.nanos ;; - group_label: "File First Seen Time" - group_item_label: "Nanos" - } - - dimension: file__first_seen_time__seconds { - type: number - sql: ${TABLE}.file.first_seen_time.seconds ;; - group_label: "File First Seen Time" - group_item_label: "Seconds" - } - - dimension: file__full_path { - type: string - sql: ${TABLE}.file.full_path ;; - group_label: "File" - group_item_label: "Full Path" - } - - dimension: file__last_modification_time__nanos { - type: number - sql: ${TABLE}.file.last_modification_time.nanos ;; - group_label: "File Last Modification Time" - group_item_label: "Nanos" - } - - dimension: file__last_modification_time__seconds { - type: number - sql: ${TABLE}.file.last_modification_time.seconds ;; - group_label: "File Last Modification Time" - group_item_label: "Seconds" - } - - dimension: file__last_seen_time__nanos { - type: number - sql: ${TABLE}.file.last_seen_time.nanos ;; - group_label: "File Last Seen Time" - group_item_label: "Nanos" - } - - dimension: file__last_seen_time__seconds { - type: number - sql: ${TABLE}.file.last_seen_time.seconds ;; - group_label: "File Last Seen Time" - group_item_label: "Seconds" - } - - dimension: file__md5 { - type: string - sql: ${TABLE}.file.md5 ;; - group_label: "File" - group_item_label: "Md5" - } - - dimension: file__mime_type { - type: string - sql: ${TABLE}.file.mime_type ;; - group_label: "File" - group_item_label: "Mime Type" - } - - dimension: file__names { - hidden: yes - sql: ${TABLE}.file.names ;; - 
group_label: "File" - group_item_label: "Names" - } - - dimension: file__pe_file__compilation_exiftool_time__nanos { - type: number - sql: ${TABLE}.file.pe_file.compilation_exiftool_time.nanos ;; - group_label: "File Pe File Compilation Exiftool Time" - group_item_label: "Nanos" - } - - dimension: file__pe_file__compilation_exiftool_time__seconds { - type: number - sql: ${TABLE}.file.pe_file.compilation_exiftool_time.seconds ;; - group_label: "File Pe File Compilation Exiftool Time" - group_item_label: "Seconds" - } - - dimension: file__pe_file__compilation_time__nanos { - type: number - sql: ${TABLE}.file.pe_file.compilation_time.nanos ;; - group_label: "File Pe File Compilation Time" - group_item_label: "Nanos" - } - - dimension: file__pe_file__compilation_time__seconds { - type: number - sql: ${TABLE}.file.pe_file.compilation_time.seconds ;; - group_label: "File Pe File Compilation Time" - group_item_label: "Seconds" - } - - dimension: file__pe_file__entry_point { - type: number - sql: ${TABLE}.file.pe_file.entry_point ;; - group_label: "File Pe File" - group_item_label: "Entry Point" - } - - dimension: file__pe_file__entry_point_exiftool { - type: number - sql: ${TABLE}.file.pe_file.entry_point_exiftool ;; - group_label: "File Pe File" - group_item_label: "Entry Point Exiftool" - } - - dimension: file__pe_file__imphash { - type: string - sql: ${TABLE}.file.pe_file.imphash ;; - group_label: "File Pe File" - group_item_label: "Imphash" - } - - dimension: file__pe_file__imports { - hidden: yes - sql: ${TABLE}.file.pe_file.imports ;; - group_label: "File Pe File" - group_item_label: "Imports" - } - - dimension: file__pe_file__resource { - hidden: yes - sql: ${TABLE}.file.pe_file.resource ;; - group_label: "File Pe File" - group_item_label: "Resource" - } - - dimension: file__pe_file__resources_language_count { - hidden: yes - sql: ${TABLE}.file.pe_file.resources_language_count ;; - group_label: "File Pe File" - group_item_label: "Resources Language Count" - } - - 
dimension: file__pe_file__resources_language_count_str { - hidden: yes - sql: ${TABLE}.file.pe_file.resources_language_count_str ;; - group_label: "File Pe File" - group_item_label: "Resources Language Count Str" - } - - dimension: file__pe_file__resources_type_count { - hidden: yes - sql: ${TABLE}.file.pe_file.resources_type_count ;; - group_label: "File Pe File" - group_item_label: "Resources Type Count" - } - - dimension: file__pe_file__resources_type_count_str { - hidden: yes - sql: ${TABLE}.file.pe_file.resources_type_count_str ;; - group_label: "File Pe File" - group_item_label: "Resources Type Count Str" - } - - dimension: file__pe_file__section { - hidden: yes - sql: ${TABLE}.file.pe_file.section ;; - group_label: "File Pe File" - group_item_label: "Section" - } - - dimension: file__pe_file__signature_info__signer { - hidden: yes - sql: ${TABLE}.file.pe_file.signature_info.signer ;; - group_label: "File Pe File Signature Info" - group_item_label: "Signer" - } - - dimension: file__pe_file__signature_info__signers { - hidden: yes - sql: ${TABLE}.file.pe_file.signature_info.signers ;; - group_label: "File Pe File Signature Info" - group_item_label: "Signers" - } - - dimension: file__pe_file__signature_info__verification_message { - type: string - sql: ${TABLE}.file.pe_file.signature_info.verification_message ;; - group_label: "File Pe File Signature Info" - group_item_label: "Verification Message" - } - - dimension: file__pe_file__signature_info__verified { - type: yesno - sql: ${TABLE}.file.pe_file.signature_info.verified ;; - group_label: "File Pe File Signature Info" - group_item_label: "Verified" - } - - dimension: file__prevalence__day_count { - type: number - sql: ${TABLE}.file.prevalence.day_count ;; - group_label: "File Prevalence" - group_item_label: "Day Count" - } - - dimension: file__prevalence__day_max { - type: number - sql: ${TABLE}.file.prevalence.day_max ;; - group_label: "File Prevalence" - group_item_label: "Day Max" - } - - dimension: 
file__prevalence__day_max_sub_domains { - type: number - sql: ${TABLE}.file.prevalence.day_max_sub_domains ;; - group_label: "File Prevalence" - group_item_label: "Day Max Sub Domains" - } - - dimension: file__prevalence__rolling_max { - type: number - sql: ${TABLE}.file.prevalence.rolling_max ;; - group_label: "File Prevalence" - group_item_label: "Rolling Max" - } - - dimension: file__prevalence__rolling_max_sub_domains { - type: number - sql: ${TABLE}.file.prevalence.rolling_max_sub_domains ;; - group_label: "File Prevalence" - group_item_label: "Rolling Max Sub Domains" - } - - dimension: file__sha1 { - type: string - sql: ${TABLE}.file.sha1 ;; - group_label: "File" - group_item_label: "Sha1" - } - - dimension: file__sha256 { - type: string - sql: ${TABLE}.file.sha256 ;; - group_label: "File" - group_item_label: "Sha256" - } - - dimension: file__size { - type: number - sql: ${TABLE}.file.size ;; - group_label: "File" - group_item_label: "Size" - } - - dimension: file__ssdeep { - type: string - sql: ${TABLE}.file.ssdeep ;; - group_label: "File" - group_item_label: "Ssdeep" - } - - dimension: file__vhash { - type: string - sql: ${TABLE}.file.vhash ;; - group_label: "File" - group_item_label: "Vhash" - } - - dimension: parent_pid { - type: string - sql: ${TABLE}.parent_pid ;; - } - - dimension: pid { - type: string - sql: ${TABLE}.pid ;; - } - - dimension: product_specific_parent_process_id { - type: string - sql: ${TABLE}.product_specific_parent_process_id ;; - } - - dimension: product_specific_process_id { - type: string - sql: ${TABLE}.product_specific_process_id ;; - } - } - - view: udm_events__target__cloud__vpc__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__target__process__file__pe_file__imports { - dimension: functions { - hidden: yes - sql: 
${TABLE}.functions ;; - } - - dimension: library { - type: string - sql: ${TABLE}.library ;; - } - } - - view: udm_events__about__process__file__pe_file__imports__functions { - dimension: udm_events__about__process__file__pe_file__imports__functions { - type: string - sql: udm_events__about__process__file__pe_file__imports__functions ;; - } - } - - view: udm_events__about__process_ancestors__command_line_history { - dimension: udm_events__about__process_ancestors__command_line_history { - type: string - sql: udm_events__about__process_ancestors__command_line_history ;; - } - } - - view: udm_events__about__domain__tech__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__about__domain__zone__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__about__domain__registrant__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: ${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: 
udm_events__about__domain__registrant__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__about__domain__registrant__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__intermediary__domain__registrant__phone_numbers { - dimension: udm_events__intermediary__domain__registrant__phone_numbers { - type: string - sql: udm_events__intermediary__domain__registrant__phone_numbers ;; - } - } - - view: udm_events__intermediary__asset__software__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__intermediary__user__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__principal__cloud__project__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__principal__cloud__project__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__principal__file__pe_file__signature_info__signer { - dimension: 
udm_events__principal__file__pe_file__signature_info__signer { - type: string - sql: udm_events__principal__file__pe_file__signature_info__signer ;; - } - } - - view: udm_events__principal__group__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__observer__resource__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__observer__user_management_chain__phone_numbers { - dimension: udm_events__observer__user_management_chain__phone_numbers { - type: string - sql: udm_events__observer__user_management_chain__phone_numbers ;; - } - } - - view: udm_events__observer__domain__billing__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: ${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__observer__domain__billing__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; 
- } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__observer__domain__billing__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__observer__domain__registrant__group_identifiers { - dimension: udm_events__observer__domain__registrant__group_identifiers { - type: string - sql: udm_events__observer__domain__registrant__group_identifiers ;; - } - } - - view: udm_events__src__cloud__project__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__src__file__pe_file__signature_info__signers { - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - } - - view: udm_events__src__process_ancestors__file__capabilities_tags { - dimension: udm_events__src__process_ancestors__file__capabilities_tags { - type: string - sql: udm_events__src__process_ancestors__file__capabilities_tags ;; - } - } - - view: udm_events__security_result__about__file__capabilities_tags { - dimension: udm_events__security_result__about__file__capabilities_tags { - type: string - sql: udm_events__security_result__about__file__capabilities_tags ;; - } - } - - view: udm_events__security_result__about__domain__tech__department { - dimension: udm_events__security_result__about__domain__tech__department { - type: string - sql: udm_events__security_result__about__domain__tech__department ;; - } - } - - view: udm_events__security_result__about__domain__zone__department { - dimension: udm_events__security_result__about__domain__zone__department { - type: string - sql: udm_events__security_result__about__domain__zone__department ;; - } + dimension: name { + type: string + 
sql: ${TABLE}.name ;; } - view: udm_events__security_result__about__investigation__comments { - dimension: udm_events__security_result__about__investigation__comments { - type: string - sql: udm_events__security_result__about__investigation__comments ;; - } + dimension: raw_size_bytes { + type: number + sql: ${TABLE}.raw_size_bytes ;; } - view: udm_events__security_result__about__user__group_identifiers { - dimension: udm_events__security_result__about__user__group_identifiers { - type: string - sql: udm_events__security_result__about__user__group_identifiers ;; - } + dimension: virtual_size_bytes { + type: number + sql: ${TABLE}.virtual_size_bytes ;; } +} - view: udm_events__target__file__pe_file__resources_type_count { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: value { - type: number - sql: ${TABLE}.value ;; - } +view: udm_events__about__domain__tech__phone_numbers { + dimension: udm_events__about__domain__tech__phone_numbers { + type: string + sql: udm_events__about__domain__tech__phone_numbers ;; } +} - view: udm_events__target__process__file__pe_file__resource { - dimension: entropy { - type: number - sql: ${TABLE}.entropy ;; - } - - dimension: file_type { - type: string - sql: ${TABLE}.file_type ;; - } - - dimension: filetype_magic { - type: string - sql: ${TABLE}.filetype_magic ;; - } - - dimension: language_code { - type: string - sql: ${TABLE}.language_code ;; - } - - dimension: resource_type { - type: string - sql: ${TABLE}.resource_type ;; - } - - dimension: sha256_hex { - type: string - sql: ${TABLE}.sha256_hex ;; - } - } - - view: udm_events__target__user_management_chain__email_addresses { - dimension: udm_events__target__user_management_chain__email_addresses { - type: string - sql: udm_events__target__user_management_chain__email_addresses ;; - } - } - - view: udm_events__about__resource_ancestors__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - 
type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__about__resource_ancestors__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__about__user_management_chain__group_identifiers { - dimension: udm_events__about__user_management_chain__group_identifiers { - type: string - sql: udm_events__about__user_management_chain__group_identifiers ;; - } - } - - view: udm_events__about__domain__admin__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__intermediary__user_management_chain__department { - dimension: udm_events__intermediary__user_management_chain__department { - type: string - sql: udm_events__intermediary__user_management_chain__department ;; - } - } - - view: udm_events__intermediary__domain__tech__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: ${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: 
udm_events__intermediary__domain__tech__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__intermediary__domain__tech__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__intermediary__domain__billing__group_identifiers { - dimension: udm_events__intermediary__domain__billing__group_identifiers { - type: string - sql: udm_events__intermediary__domain__billing__group_identifiers ;; - } - } - - view: udm_events__intermediary__domain__zone__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: ${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__intermediary__domain__zone__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__intermediary__domain__zone__attribute__labels { - dimension: key { 
- type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__intermediary__asset__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__principal__resource__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__principal__user_management_chain__phone_numbers { - dimension: udm_events__principal__user_management_chain__phone_numbers { - type: string - sql: udm_events__principal__user_management_chain__phone_numbers ;; - } - } - - view: udm_events__principal__domain__billing__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: ${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__principal__domain__billing__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - 
type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__principal__domain__billing__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__principal__domain__registrant__group_identifiers { - dimension: udm_events__principal__domain__registrant__group_identifiers { - type: string - sql: udm_events__principal__domain__registrant__group_identifiers ;; - } - } - - view: udm_events__observer__cloud__vpc__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__observer__process__file__pe_file__imports { - dimension: functions { - hidden: yes - sql: ${TABLE}.functions ;; - } - - dimension: library { - type: string - sql: ${TABLE}.library ;; - } - } - - view: udm_events__src__file__pe_file__resources_language_count { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: value { - type: number - sql: ${TABLE}.value ;; - } - } - - view: udm_events__src__file__pe_file__resources_type_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__src__domain__billing__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__security_result__about__group__email_addresses { - dimension: 
udm_events__security_result__about__group__email_addresses { - type: string - sql: udm_events__security_result__about__group__email_addresses ;; - } - } - - view: udm_events__security_result__about__domain__admin__department { - dimension: udm_events__security_result__about__domain__admin__department { - type: string - sql: udm_events__security_result__about__domain__admin__department ;; - } - } - - view: udm_events__target__process__file__pe_file__imports__functions { - dimension: udm_events__target__process__file__pe_file__imports__functions { - type: string - sql: udm_events__target__process__file__pe_file__imports__functions ;; - } - } - - view: udm_events__target__process_ancestors__command_line_history { - dimension: udm_events__target__process_ancestors__command_line_history { - type: string - sql: udm_events__target__process_ancestors__command_line_history ;; - } - } - - view: udm_events__target__domain__tech__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__target__domain__zone__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__target__domain__registrant__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: ${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: 
${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__target__domain__registrant__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__target__domain__registrant__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__nat_ip { - dimension: udm_events__extensions__vulns__vulnerabilities__about__nat_ip { - type: string - sql: udm_events__extensions__vulns__vulnerabilities__about__nat_ip ;; - } - } - - view: udm_events__about__cloud__project__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__about__file__pe_file__signature_info__signers { - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - } - - view: udm_events__about__process_ancestors__file__capabilities_tags { - dimension: udm_events__about__process_ancestors__file__capabilities_tags { - type: string - sql: udm_events__about__process_ancestors__file__capabilities_tags ;; - } - } - - view: udm_events__intermediary__process__file__pe_file__section { - dimension: entropy { - type: number - sql: ${TABLE}.entropy ;; - } - - dimension: md5_hex { - type: string - sql: ${TABLE}.md5_hex ;; - } - - dimension: name { - type: 
string - sql: ${TABLE}.name ;; - } - - dimension: raw_size_bytes { - type: number - sql: ${TABLE}.raw_size_bytes ;; - } - - dimension: virtual_size_bytes { - type: number - sql: ${TABLE}.virtual_size_bytes ;; - } - } - - view: udm_events__intermediary__domain__admin__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: ${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__intermediary__domain__admin__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__intermediary__domain__admin__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__intermediary__domain__registrant__email_addresses { - dimension: udm_events__intermediary__domain__registrant__email_addresses { - type: string - sql: udm_events__intermediary__domain__registrant__email_addresses ;; - } - } - - view: udm_events__principal__cloud__vpc__attribute__permissions { - dimension: description { - type: string - sql: 
${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__principal__process__file__pe_file__imports { - dimension: functions { - hidden: yes - sql: ${TABLE}.functions ;; - } - - dimension: library { - type: string - sql: ${TABLE}.library ;; - } - } - - view: udm_events__observer__file__pe_file__resources_type_count { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: value { - type: number - sql: ${TABLE}.value ;; - } - } - - view: udm_events__observer__process__file__pe_file__resource { - dimension: entropy { - type: number - sql: ${TABLE}.entropy ;; - } - - dimension: file_type { - type: string - sql: ${TABLE}.file_type ;; - } - - dimension: filetype_magic { - type: string - sql: ${TABLE}.filetype_magic ;; - } - - dimension: language_code { - type: string - sql: ${TABLE}.language_code ;; - } - - dimension: resource_type { - type: string - sql: ${TABLE}.resource_type ;; - } - - dimension: sha256_hex { - type: string - sql: ${TABLE}.sha256_hex ;; - } - } - - view: udm_events__observer__user_management_chain__email_addresses { - dimension: udm_events__observer__user_management_chain__email_addresses { - type: string - sql: udm_events__observer__user_management_chain__email_addresses ;; - } - } - - view: udm_events__src__process__file__pe_file__signature_info__signer { - dimension: udm_events__src__process__file__pe_file__signature_info__signer { - type: string - sql: udm_events__src__process__file__pe_file__signature_info__signer ;; - } - } - - view: udm_events__src__user_management_chain__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: 
${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__src__user_management_chain__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__src__user_management_chain__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__target__resource_ancestors__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__target__resource_ancestors__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__target__user_management_chain__group_identifiers { - dimension: udm_events__target__user_management_chain__group_identifiers { - type: string - sql: udm_events__target__user_management_chain__group_identifiers ;; - } - } - - view: udm_events__target__domain__admin__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string 
- sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__about__file__pe_file__resources_language_count { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: value { - type: number - sql: ${TABLE}.value ;; - } - } - - view: udm_events__about__file__pe_file__resources_type_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__about__domain__billing__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__intermediary__cloud__project__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__intermediary__cloud__project__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__intermediary__file__pe_file__signature_info__signer { - dimension: udm_events__intermediary__file__pe_file__signature_info__signer { - type: string - sql: udm_events__intermediary__file__pe_file__signature_info__signer ;; - } - } - - view: udm_events__intermediary__group__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: 
udm_events__principal__file__pe_file__resources_type_count { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: value { - type: number - sql: ${TABLE}.value ;; - } - } - - view: udm_events__principal__process__file__pe_file__resource { - dimension: entropy { - type: number - sql: ${TABLE}.entropy ;; - } - - dimension: file_type { - type: string - sql: ${TABLE}.file_type ;; - } - - dimension: filetype_magic { - type: string - sql: ${TABLE}.filetype_magic ;; - } - - dimension: language_code { - type: string - sql: ${TABLE}.language_code ;; - } - - dimension: resource_type { - type: string - sql: ${TABLE}.resource_type ;; - } - - dimension: sha256_hex { - type: string - sql: ${TABLE}.sha256_hex ;; - } - } - - view: udm_events__principal__user_management_chain__email_addresses { - dimension: udm_events__principal__user_management_chain__email_addresses { - type: string - sql: udm_events__principal__user_management_chain__email_addresses ;; - } - } - - view: udm_events__observer__process__file__pe_file__imports__functions { - dimension: udm_events__observer__process__file__pe_file__imports__functions { - type: string - sql: udm_events__observer__process__file__pe_file__imports__functions ;; - } - } - - view: udm_events__observer__process_ancestors__command_line_history { - dimension: udm_events__observer__process_ancestors__command_line_history { - type: string - sql: udm_events__observer__process_ancestors__command_line_history ;; - } - } - - view: udm_events__observer__domain__tech__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__observer__domain__zone__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type 
{ - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__observer__domain__registrant__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: ${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__observer__domain__registrant__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__observer__domain__registrant__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__src__process_ancestors__file__pe_file__section { - dimension: entropy { - type: number - sql: ${TABLE}.entropy ;; - } - - dimension: md5_hex { - type: string - sql: ${TABLE}.md5_hex ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: raw_size_bytes { - type: number - sql: ${TABLE}.raw_size_bytes ;; - } - - dimension: virtual_size_bytes { - type: number - sql: ${TABLE}.virtual_size_bytes ;; - } - } - - view: udm_events__security_result__about__file__pe_file__section { - dimension: 
entropy { - type: number - sql: ${TABLE}.entropy ;; - } - - dimension: md5_hex { - type: string - sql: ${TABLE}.md5_hex ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: raw_size_bytes { - type: number - sql: ${TABLE}.raw_size_bytes ;; - } - - dimension: virtual_size_bytes { - type: number - sql: ${TABLE}.virtual_size_bytes ;; - } - } - - view: udm_events__security_result__about__domain__tech__phone_numbers { - dimension: udm_events__security_result__about__domain__tech__phone_numbers { - type: string - sql: udm_events__security_result__about__domain__tech__phone_numbers ;; - } - } - - view: udm_events__security_result__about__domain__billing__department { - dimension: udm_events__security_result__about__domain__billing__department { - type: string - sql: udm_events__security_result__about__domain__billing__department ;; - } - } - - view: udm_events__security_result__about__domain__zone__phone_numbers { - dimension: udm_events__security_result__about__domain__zone__phone_numbers { - type: string - sql: udm_events__security_result__about__domain__zone__phone_numbers ;; - } - } - - view: udm_events__security_result__about__user__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: ${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: 
udm_events__security_result__about__user__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__security_result__about__user__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__target__cloud__project__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__target__file__pe_file__signature_info__signers { - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - } - - view: udm_events__target__process_ancestors__file__capabilities_tags { - dimension: udm_events__target__process_ancestors__file__capabilities_tags { - type: string - sql: udm_events__target__process_ancestors__file__capabilities_tags ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__asset__ip { - dimension: udm_events__extensions__vulns__vulnerabilities__about__asset__ip { - type: string - sql: udm_events__extensions__vulns__vulnerabilities__about__asset__ip ;; - } - } - - view: udm_events__about__process__file__pe_file__signature_info__signer { - dimension: udm_events__about__process__file__pe_file__signature_info__signer { - type: string - sql: udm_events__about__process__file__pe_file__signature_info__signer ;; - } - } - - view: udm_events__about__user_management_chain__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End 
Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: ${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__about__user_management_chain__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__about__user_management_chain__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__intermediary__resource__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__intermediary__user_management_chain__phone_numbers { - dimension: udm_events__intermediary__user_management_chain__phone_numbers { - type: string - sql: udm_events__intermediary__user_management_chain__phone_numbers ;; - } - } - - view: udm_events__intermediary__domain__billing__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: 
interval__end_time__seconds { - type: number - sql: ${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__intermediary__domain__billing__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__intermediary__domain__billing__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__intermediary__domain__registrant__group_identifiers { - dimension: udm_events__intermediary__domain__registrant__group_identifiers { - type: string - sql: udm_events__intermediary__domain__registrant__group_identifiers ;; - } - } - - view: udm_events__principal__process__file__pe_file__imports__functions { - dimension: udm_events__principal__process__file__pe_file__imports__functions { - type: string - sql: udm_events__principal__process__file__pe_file__imports__functions ;; - } - } - - view: udm_events__principal__process_ancestors__command_line_history { - dimension: udm_events__principal__process_ancestors__command_line_history { - type: string - sql: udm_events__principal__process_ancestors__command_line_history ;; - } - } - - view: udm_events__principal__domain__tech__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - 
dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__principal__domain__zone__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__principal__domain__registrant__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: ${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__principal__domain__registrant__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__principal__domain__registrant__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__observer__resource_ancestors__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: 
string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__observer__resource_ancestors__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__observer__user_management_chain__group_identifiers { - dimension: udm_events__observer__user_management_chain__group_identifiers { - type: string - sql: udm_events__observer__user_management_chain__group_identifiers ;; - } - } - - view: udm_events__observer__domain__admin__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__src__domain__registrant__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__security_result__about__domain__admin__phone_numbers { - dimension: udm_events__security_result__about__domain__admin__phone_numbers { - type: string - sql: udm_events__security_result__about__domain__admin__phone_numbers ;; - } - } - - view: udm_events__security_result__about__asset__vulnerabilities { - dimension: cve_description { - type: string - sql: ${TABLE}.cve_description ;; - } - - dimension: cve_id { - type: string - sql: ${TABLE}.cve_id ;; - } - - dimension: cvss_base_score { - type: number - sql: ${TABLE}.cvss_base_score ;; - } - - dimension: cvss_vector { - type: string - sql: ${TABLE}.cvss_vector ;; - } - - dimension: cvss_version { - type: string - sql: ${TABLE}.cvss_version ;; - } - - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - 
- dimension: first_found__nanos { - type: number - sql: ${TABLE}.first_found.nanos ;; - group_label: "First Found" - group_item_label: "Nanos" - } - - dimension: first_found__seconds { - type: number - sql: ${TABLE}.first_found.seconds ;; - group_label: "First Found" - group_item_label: "Seconds" - } - - dimension: last_found__nanos { - type: number - sql: ${TABLE}.last_found.nanos ;; - group_label: "Last Found" - group_item_label: "Nanos" - } - - dimension: last_found__seconds { - type: number - sql: ${TABLE}.last_found.seconds ;; - group_label: "Last Found" - group_item_label: "Seconds" - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: scan_end_time__nanos { - type: number - sql: ${TABLE}.scan_end_time.nanos ;; - group_label: "Scan End Time" - group_item_label: "Nanos" - } - - dimension: scan_end_time__seconds { - type: number - sql: ${TABLE}.scan_end_time.seconds ;; - group_label: "Scan End Time" - group_item_label: "Seconds" - } - - dimension: scan_start_time__nanos { - type: number - sql: ${TABLE}.scan_start_time.nanos ;; - group_label: "Scan Start Time" - group_item_label: "Nanos" - } - - dimension: scan_start_time__seconds { - type: number - sql: ${TABLE}.scan_start_time.seconds ;; - group_label: "Scan Start Time" - group_item_label: "Seconds" - } - - dimension: severity { - type: number - sql: ${TABLE}.severity ;; - } - - dimension: severity_details { - type: string - sql: ${TABLE}.severity_details ;; - } - - dimension: vendor { - type: string - sql: ${TABLE}.vendor ;; - } - - dimension: vendor_knowledge_base_article_id { - type: string - sql: ${TABLE}.vendor_knowledge_base_article_id ;; - } - - dimension: vendor_vulnerability_id { - type: string - sql: ${TABLE}.vendor_vulnerability_id ;; - } - } - - view: udm_events__security_result__about__asset__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: 
type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__security_result__about__asset__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__target__file__pe_file__resources_language_count { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: value { - type: number - sql: ${TABLE}.value ;; - } - } - - view: udm_events__target__file__pe_file__resources_type_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__target__domain__billing__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__asset__mac { - dimension: udm_events__extensions__vulns__vulnerabilities__about__asset__mac { - type: string - sql: udm_events__extensions__vulns__vulnerabilities__about__asset__mac ;; - } - } - - view: udm_events__about__process_ancestors__file__pe_file__section { - dimension: entropy { - type: number - sql: ${TABLE}.entropy ;; - } - - dimension: md5_hex { - type: string - sql: ${TABLE}.md5_hex ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: raw_size_bytes { - type: number - sql: ${TABLE}.raw_size_bytes ;; - } - - dimension: virtual_size_bytes { - type: number - sql: ${TABLE}.virtual_size_bytes ;; - } - } - - view: udm_events__intermediary__cloud__vpc__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: 
${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__intermediary__process__file__pe_file__imports { - dimension: functions { - hidden: yes - sql: ${TABLE}.functions ;; - } - - dimension: library { - type: string - sql: ${TABLE}.library ;; - } - } - - view: udm_events__principal__resource_ancestors__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__principal__resource_ancestors__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__principal__user_management_chain__group_identifiers { - dimension: udm_events__principal__user_management_chain__group_identifiers { - type: string - sql: udm_events__principal__user_management_chain__group_identifiers ;; - } - } - - view: udm_events__principal__domain__admin__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__observer__cloud__project__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__observer__file__pe_file__signature_info__signers { - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - } - - view: udm_events__observer__process_ancestors__file__capabilities_tags { - dimension: udm_events__observer__process_ancestors__file__capabilities_tags { - type: string - 
sql: udm_events__observer__process_ancestors__file__capabilities_tags ;; - } - } - - view: udm_events__src__file__pe_file__resources_language_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__src__process__file__pe_file__resources_type_count { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: value { - type: number - sql: ${TABLE}.value ;; - } - } - - view: udm_events__src__resource_ancestors__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__security_result__about__user_management_chain { - dimension: account_type { - type: number - sql: ${TABLE}.account_type ;; - } - - dimension: attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.attribute.cloud.availability_zone ;; - group_label: "Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: attribute__cloud__environment { - type: number - sql: ${TABLE}.attribute.cloud.environment ;; - group_label: "Attribute Cloud" - group_item_label: "Environment" - } - - dimension: attribute__cloud__project__id { - type: string - sql: ${TABLE}.attribute.cloud.project.id ;; - group_label: "Attribute Cloud Project" - group_item_label: "ID" - } - - dimension: attribute__cloud__project__name { - type: string - sql: ${TABLE}.attribute.cloud.project.name ;; - group_label: "Attribute Cloud Project" - group_item_label: "Name" - } - - dimension: attribute__cloud__project__parent { - type: string - sql: ${TABLE}.attribute.cloud.project.parent ;; - group_label: "Attribute Cloud Project" - group_item_label: "Parent" - } - - dimension: attribute__cloud__project__product_object_id { - type: string 
- sql: ${TABLE}.attribute.cloud.project.product_object_id ;; - group_label: "Attribute Cloud Project" - group_item_label: "Product Object ID" - } - - dimension: attribute__cloud__project__resource_subtype { - type: string - sql: ${TABLE}.attribute.cloud.project.resource_subtype ;; - group_label: "Attribute Cloud Project" - group_item_label: "Resource Subtype" - } - - dimension: attribute__cloud__project__resource_type { - type: number - sql: ${TABLE}.attribute.cloud.project.resource_type ;; - group_label: "Attribute Cloud Project" - group_item_label: "Resource Type" - } - - dimension: attribute__cloud__project__type { - type: string - sql: ${TABLE}.attribute.cloud.project.type ;; - group_label: "Attribute Cloud Project" - group_item_label: "Type" - } - - dimension: attribute__cloud__vpc__id { - type: string - sql: ${TABLE}.attribute.cloud.vpc.id ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "ID" - } - - dimension: attribute__cloud__vpc__name { - type: string - sql: ${TABLE}.attribute.cloud.vpc.name ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "Name" - } - - dimension: attribute__cloud__vpc__parent { - type: string - sql: ${TABLE}.attribute.cloud.vpc.parent ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "Parent" - } - - dimension: attribute__cloud__vpc__product_object_id { - type: string - sql: ${TABLE}.attribute.cloud.vpc.product_object_id ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "Product Object ID" - } - - dimension: attribute__cloud__vpc__resource_subtype { - type: string - sql: ${TABLE}.attribute.cloud.vpc.resource_subtype ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "Resource Subtype" - } - - dimension: attribute__cloud__vpc__resource_type { - type: number - sql: ${TABLE}.attribute.cloud.vpc.resource_type ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "Resource Type" - } - - dimension: attribute__cloud__vpc__type { - type: string - sql: ${TABLE}.attribute.cloud.vpc.type ;; 
- group_label: "Attribute Cloud Vpc" - group_item_label: "Type" - } - - dimension: attribute__creation_time__nanos { - type: number - sql: ${TABLE}.attribute.creation_time.nanos ;; - group_label: "Attribute Creation Time" - group_item_label: "Nanos" - } - - dimension: attribute__creation_time__seconds { - type: number - sql: ${TABLE}.attribute.creation_time.seconds ;; - group_label: "Attribute Creation Time" - group_item_label: "Seconds" - } - - dimension: attribute__labels { - hidden: yes - sql: ${TABLE}.attribute.labels ;; - group_label: "Attribute" - group_item_label: "Labels" - } - - dimension: attribute__last_update_time__nanos { - type: number - sql: ${TABLE}.attribute.last_update_time.nanos ;; - group_label: "Attribute Last Update Time" - group_item_label: "Nanos" - } - - dimension: attribute__last_update_time__seconds { - type: number - sql: ${TABLE}.attribute.last_update_time.seconds ;; - group_label: "Attribute Last Update Time" - group_item_label: "Seconds" - } - - dimension: attribute__permissions { - hidden: yes - sql: ${TABLE}.attribute.permissions ;; - group_label: "Attribute" - group_item_label: "Permissions" - } - - dimension: attribute__roles { - hidden: yes - sql: ${TABLE}.attribute.roles ;; - group_label: "Attribute" - group_item_label: "Roles" - } - - dimension: company_name { - type: string - sql: ${TABLE}.company_name ;; - } - - dimension: department { - hidden: yes - sql: ${TABLE}.department ;; - } - - dimension: email_addresses { - hidden: yes - sql: ${TABLE}.email_addresses ;; - } - - dimension: employee_id { - type: string - sql: ${TABLE}.employee_id ;; - } - - dimension: first_name { - type: string - sql: ${TABLE}.first_name ;; - } - - dimension: first_seen_time__nanos { - type: number - sql: ${TABLE}.first_seen_time.nanos ;; - group_label: "First Seen Time" - group_item_label: "Nanos" - } - - dimension: first_seen_time__seconds { - type: number - sql: ${TABLE}.first_seen_time.seconds ;; - group_label: "First Seen Time" - 
group_item_label: "Seconds" - } - - dimension: group_identifiers { - hidden: yes - sql: ${TABLE}.group_identifiers ;; - } - - dimension: groupid { - type: string - sql: ${TABLE}.groupid ;; - } - - dimension: hire_date__nanos { - type: number - sql: ${TABLE}.hire_date.nanos ;; - group_label: "Hire Date" - group_item_label: "Nanos" - } - - dimension: hire_date__seconds { - type: number - sql: ${TABLE}.hire_date.seconds ;; - group_label: "Hire Date" - group_item_label: "Seconds" - } - - dimension: last_name { - type: string - sql: ${TABLE}.last_name ;; - } - - dimension: middle_name { - type: string - sql: ${TABLE}.middle_name ;; - } - - dimension: office_address__city { - type: string - sql: ${TABLE}.office_address.city ;; - group_label: "Office Address" - group_item_label: "City" - } - - dimension: office_address__country_or_region { - type: string - sql: ${TABLE}.office_address.country_or_region ;; - group_label: "Office Address" - group_item_label: "Country or Region" - } - - dimension: office_address__desk_name { - type: string - sql: ${TABLE}.office_address.desk_name ;; - group_label: "Office Address" - group_item_label: "Desk Name" - } - - dimension: office_address__floor_name { - type: string - sql: ${TABLE}.office_address.floor_name ;; - group_label: "Office Address" - group_item_label: "Floor Name" - } - - dimension: office_address__name { - type: string - sql: ${TABLE}.office_address.name ;; - group_label: "Office Address" - group_item_label: "Name" - } - - dimension: office_address__region_latitude { - type: number - sql: ${TABLE}.office_address.region_latitude ;; - group_label: "Office Address" - group_item_label: "Region Latitude" - } - - dimension: office_address__region_longitude { - type: number - sql: ${TABLE}.office_address.region_longitude ;; - group_label: "Office Address" - group_item_label: "Region Longitude" - } - - dimension: office_address__state { - type: string - sql: ${TABLE}.office_address.state ;; - group_label: "Office Address" - 
group_item_label: "State" - } - - dimension: personal_address__city { - type: string - sql: ${TABLE}.personal_address.city ;; - group_label: "Personal Address" - group_item_label: "City" - } - - dimension: personal_address__country_or_region { - type: string - sql: ${TABLE}.personal_address.country_or_region ;; - group_label: "Personal Address" - group_item_label: "Country or Region" - } - - dimension: personal_address__desk_name { - type: string - sql: ${TABLE}.personal_address.desk_name ;; - group_label: "Personal Address" - group_item_label: "Desk Name" - } - - dimension: personal_address__floor_name { - type: string - sql: ${TABLE}.personal_address.floor_name ;; - group_label: "Personal Address" - group_item_label: "Floor Name" - } - - dimension: personal_address__name { - type: string - sql: ${TABLE}.personal_address.name ;; - group_label: "Personal Address" - group_item_label: "Name" - } - - dimension: personal_address__region_latitude { - type: number - sql: ${TABLE}.personal_address.region_latitude ;; - group_label: "Personal Address" - group_item_label: "Region Latitude" - } - - dimension: personal_address__region_longitude { - type: number - sql: ${TABLE}.personal_address.region_longitude ;; - group_label: "Personal Address" - group_item_label: "Region Longitude" - } - - dimension: personal_address__state { - type: string - sql: ${TABLE}.personal_address.state ;; - group_label: "Personal Address" - group_item_label: "State" - } - - dimension: phone_numbers { - hidden: yes - sql: ${TABLE}.phone_numbers ;; - } - - dimension: product_object_id { - type: string - sql: ${TABLE}.product_object_id ;; - } - - dimension: role_description { - type: string - sql: ${TABLE}.role_description ;; - } - - dimension: role_name { - type: string - sql: ${TABLE}.role_name ;; - } - - dimension: termination_date__nanos { - type: number - sql: ${TABLE}.termination_date.nanos ;; - group_label: "Termination Date" - group_item_label: "Nanos" - } - - dimension: 
termination_date__seconds { - type: number - sql: ${TABLE}.termination_date.seconds ;; - group_label: "Termination Date" - group_item_label: "Seconds" - } - - dimension: time_off { - hidden: yes - sql: ${TABLE}.time_off ;; - } - - dimension: title { - type: string - sql: ${TABLE}.title ;; - } - - dimension: user_authentication_status { - type: number - sql: ${TABLE}.user_authentication_status ;; - } - - dimension: user_display_name { - type: string - sql: ${TABLE}.user_display_name ;; - } - - dimension: user_role { - type: number - sql: ${TABLE}.user_role ;; - } - - dimension: userid { - type: string - sql: ${TABLE}.userid ;; - } - - dimension: windows_sid { - type: string - sql: ${TABLE}.windows_sid ;; - } - } - - view: udm_events__security_result__about__domain__tech__email_addresses { - dimension: udm_events__security_result__about__domain__tech__email_addresses { - type: string - sql: udm_events__security_result__about__domain__tech__email_addresses ;; - } - } - - view: udm_events__security_result__about__domain__zone__email_addresses { - dimension: udm_events__security_result__about__domain__zone__email_addresses { - type: string - sql: udm_events__security_result__about__domain__zone__email_addresses ;; - } - } - - view: udm_events__target__process__file__pe_file__signature_info__signer { - dimension: udm_events__target__process__file__pe_file__signature_info__signer { - type: string - sql: udm_events__target__process__file__pe_file__signature_info__signer ;; - } - } - - view: udm_events__target__user_management_chain__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: ${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: 
interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__target__user_management_chain__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__target__user_management_chain__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__file__names { - dimension: udm_events__extensions__vulns__vulnerabilities__about__file__names { - type: string - sql: udm_events__extensions__vulns__vulnerabilities__about__file__names ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__about__domain__registrant__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__intermediary__file__pe_file__resources_type_count { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: value { - type: number - sql: ${TABLE}.value ;; - } - } - - view: udm_events__intermediary__process__file__pe_file__resource 
{ - dimension: entropy { - type: number - sql: ${TABLE}.entropy ;; - } - - dimension: file_type { - type: string - sql: ${TABLE}.file_type ;; - } - - dimension: filetype_magic { - type: string - sql: ${TABLE}.filetype_magic ;; - } - - dimension: language_code { - type: string - sql: ${TABLE}.language_code ;; - } - - dimension: resource_type { - type: string - sql: ${TABLE}.resource_type ;; - } - - dimension: sha256_hex { - type: string - sql: ${TABLE}.sha256_hex ;; - } - } - - view: udm_events__intermediary__user_management_chain__email_addresses { - dimension: udm_events__intermediary__user_management_chain__email_addresses { - type: string - sql: udm_events__intermediary__user_management_chain__email_addresses ;; - } - } - - view: udm_events__principal__cloud__project__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__principal__file__pe_file__signature_info__signers { - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - } - - view: udm_events__principal__process_ancestors__file__capabilities_tags { - dimension: udm_events__principal__process_ancestors__file__capabilities_tags { - type: string - sql: udm_events__principal__process_ancestors__file__capabilities_tags ;; - } - } - - view: udm_events__observer__file__pe_file__resources_language_count { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: value { - type: number - sql: ${TABLE}.value ;; - } +view: udm_events__about__domain__billing__department { + dimension: udm_events__about__domain__billing__department { + type: string + sql: udm_events__about__domain__billing__department ;; } +} - view: udm_events__observer__file__pe_file__resources_type_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: 
${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } +view: udm_events__about__domain__zone__phone_numbers { + dimension: udm_events__about__domain__zone__phone_numbers { + type: string + sql: udm_events__about__domain__zone__phone_numbers ;; } +} - view: udm_events__observer__domain__billing__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } +view: udm_events__about__user__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; } - view: udm_events__src__process_ancestors__file__pe_file__imports { - dimension: functions { - hidden: yes - sql: ${TABLE}.functions ;; - } - - dimension: library { - type: string - sql: ${TABLE}.library ;; - } + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" } - view: udm_events__security_result__about__file__pe_file__imports { - dimension: functions { - hidden: yes - sql: ${TABLE}.functions ;; - } - - dimension: library { - type: string - sql: ${TABLE}.library ;; - } - } - - view: udm_events__security_result__about__group__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__security_result__about__group__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__security_result__about__process__command_line_history { - dimension: udm_events__security_result__about__process__command_line_history { - type: 
string - sql: udm_events__security_result__about__process__command_line_history ;; - } - } - - view: udm_events__security_result__about__process_ancestors__file__names { - dimension: udm_events__security_result__about__process_ancestors__file__names { - type: string - sql: udm_events__security_result__about__process_ancestors__file__names ;; - } - } - - view: udm_events__security_result__about__domain__admin__email_addresses { - dimension: udm_events__security_result__about__domain__admin__email_addresses { - type: string - sql: udm_events__security_result__about__domain__admin__email_addresses ;; - } + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: "Seconds" } - view: udm_events__security_result__about__domain__billing__phone_numbers { - dimension: udm_events__security_result__about__domain__billing__phone_numbers { - type: string - sql: udm_events__security_result__about__domain__billing__phone_numbers ;; - } - } - - view: udm_events__security_result__about__domain__registrant__department { - dimension: udm_events__security_result__about__domain__registrant__department { - type: string - sql: udm_events__security_result__about__domain__registrant__department ;; - } + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" } - view: udm_events__target__process_ancestors__file__pe_file__section { - dimension: entropy { - type: number - sql: ${TABLE}.entropy ;; - } - - dimension: md5_hex { - type: string - sql: ${TABLE}.md5_hex ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: raw_size_bytes { - type: number - sql: ${TABLE}.raw_size_bytes ;; - } - - dimension: virtual_size_bytes { - type: number - sql: ${TABLE}.virtual_size_bytes ;; - } - } - - view: 
udm_events__about__file__pe_file__resources_language_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__about__process__file__pe_file__resources_type_count { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: value { - type: number - sql: ${TABLE}.value ;; - } - } - - view: udm_events__about__resource_ancestors__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__intermediary__process__file__pe_file__imports__functions { - dimension: udm_events__intermediary__process__file__pe_file__imports__functions { - type: string - sql: udm_events__intermediary__process__file__pe_file__imports__functions ;; - } - } - - view: udm_events__intermediary__process_ancestors__command_line_history { - dimension: udm_events__intermediary__process_ancestors__command_line_history { - type: string - sql: udm_events__intermediary__process_ancestors__command_line_history ;; - } - } - - view: udm_events__intermediary__domain__tech__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__intermediary__domain__zone__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__intermediary__domain__registrant__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } 
- - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: ${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__intermediary__domain__registrant__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__intermediary__domain__registrant__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__principal__file__pe_file__resources_language_count { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: value { - type: number - sql: ${TABLE}.value ;; - } - } - - view: udm_events__principal__file__pe_file__resources_type_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__principal__domain__billing__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - 
type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__observer__process__file__pe_file__signature_info__signer { - dimension: udm_events__observer__process__file__pe_file__signature_info__signer { - type: string - sql: udm_events__observer__process__file__pe_file__signature_info__signer ;; - } - } - - view: udm_events__observer__user_management_chain__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: ${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__observer__user_management_chain__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__observer__user_management_chain__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__src__process_ancestors__file__pe_file__resource { - dimension: entropy { - type: number - sql: ${TABLE}.entropy ;; - } - - dimension: file_type { - type: string - sql: ${TABLE}.file_type ;; - } - - dimension: filetype_magic { - type: string - sql: 
${TABLE}.filetype_magic ;; - } - - dimension: language_code { - type: string - sql: ${TABLE}.language_code ;; - } - - dimension: resource_type { - type: string - sql: ${TABLE}.resource_type ;; - } - - dimension: sha256_hex { - type: string - sql: ${TABLE}.sha256_hex ;; - } - } - - view: udm_events__security_result__about__file__pe_file__resource { - dimension: entropy { - type: number - sql: ${TABLE}.entropy ;; - } - - dimension: file_type { - type: string - sql: ${TABLE}.file_type ;; - } - - dimension: filetype_magic { - type: string - sql: ${TABLE}.filetype_magic ;; - } - - dimension: language_code { - type: string - sql: ${TABLE}.language_code ;; - } - - dimension: resource_type { - type: string - sql: ${TABLE}.resource_type ;; - } - - dimension: sha256_hex { - type: string - sql: ${TABLE}.sha256_hex ;; - } - } - - view: udm_events__security_result__about__resource__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__security_result__about__resource__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__security_result__about__domain__tech__group_identifiers { - dimension: udm_events__security_result__about__domain__tech__group_identifiers { - type: string - sql: udm_events__security_result__about__domain__tech__group_identifiers ;; - } - } - - view: udm_events__security_result__about__domain__zone__group_identifiers { - dimension: udm_events__security_result__about__domain__zone__group_identifiers { - type: string - sql: udm_events__security_result__about__domain__zone__group_identifiers ;; - } - } - - view: udm_events__target__domain__registrant__attribute__permissions { - 
dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__asset__nat_ip { - dimension: udm_events__extensions__vulns__vulnerabilities__about__asset__nat_ip { - type: string - sql: udm_events__extensions__vulns__vulnerabilities__about__asset__nat_ip ;; - } - } - - view: udm_events__about__process_ancestors__file__pe_file__imports { - dimension: functions { - hidden: yes - sql: ${TABLE}.functions ;; - } - - dimension: library { - type: string - sql: ${TABLE}.library ;; - } - } - - view: udm_events__intermediary__resource_ancestors__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__intermediary__resource_ancestors__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__intermediary__user_management_chain__group_identifiers { - dimension: udm_events__intermediary__user_management_chain__group_identifiers { - type: string - sql: udm_events__intermediary__user_management_chain__group_identifiers ;; - } - } - - view: udm_events__intermediary__domain__admin__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__principal__process__file__pe_file__signature_info__signer { - dimension: udm_events__principal__process__file__pe_file__signature_info__signer { - type: string - sql: 
udm_events__principal__process__file__pe_file__signature_info__signer ;; - } - } - - view: udm_events__principal__user_management_chain__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: ${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__principal__user_management_chain__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__principal__user_management_chain__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__observer__process_ancestors__file__pe_file__section { - dimension: entropy { - type: number - sql: ${TABLE}.entropy ;; - } - - dimension: md5_hex { - type: string - sql: ${TABLE}.md5_hex ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: raw_size_bytes { - type: number - sql: ${TABLE}.raw_size_bytes ;; - } - - dimension: virtual_size_bytes { - type: number - sql: ${TABLE}.virtual_size_bytes ;; - } - } - - view: 
udm_events__src__process__file__pe_file__signature_info__signers { - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - } - - view: udm_events__src__user_management_chain__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__src__process_ancestors__file__pe_file__imports__functions { - dimension: udm_events__src__process_ancestors__file__pe_file__imports__functions { - type: string - sql: udm_events__src__process_ancestors__file__pe_file__imports__functions ;; - } - } - - view: udm_events__security_result__about__cloud__vpc__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__security_result__about__cloud__vpc__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__security_result__about__file__pe_file__imports__functions { - dimension: udm_events__security_result__about__file__pe_file__imports__functions { - type: string - sql: udm_events__security_result__about__file__pe_file__imports__functions ;; - } - } - - view: udm_events__security_result__about__process__file__capabilities_tags { - dimension: udm_events__security_result__about__process__file__capabilities_tags { - type: string - sql: udm_events__security_result__about__process__file__capabilities_tags ;; - } - } - - view: udm_events__security_result__about__domain__admin__group_identifiers { - dimension: udm_events__security_result__about__domain__admin__group_identifiers { - type: string - sql: 
udm_events__security_result__about__domain__admin__group_identifiers ;; - } - } - - view: udm_events__security_result__about__domain__billing__email_addresses { - dimension: udm_events__security_result__about__domain__billing__email_addresses { - type: string - sql: udm_events__security_result__about__domain__billing__email_addresses ;; - } - } - - view: udm_events__target__file__pe_file__resources_language_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__target__process__file__pe_file__resources_type_count { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: value { - type: number - sql: ${TABLE}.value ;; - } - } - - view: udm_events__target__resource_ancestors__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__about__process_ancestors__file__pe_file__resource { - dimension: entropy { - type: number - sql: ${TABLE}.entropy ;; - } - - dimension: file_type { - type: string - sql: ${TABLE}.file_type ;; - } - - dimension: filetype_magic { - type: string - sql: ${TABLE}.filetype_magic ;; - } - - dimension: language_code { - type: string - sql: ${TABLE}.language_code ;; - } - - dimension: resource_type { - type: string - sql: ${TABLE}.resource_type ;; - } - - dimension: sha256_hex { - type: string - sql: ${TABLE}.sha256_hex ;; - } - } - - view: udm_events__intermediary__cloud__project__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: 
udm_events__intermediary__file__pe_file__signature_info__signers { - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - } - - view: udm_events__intermediary__process_ancestors__file__capabilities_tags { - dimension: udm_events__intermediary__process_ancestors__file__capabilities_tags { - type: string - sql: udm_events__intermediary__process_ancestors__file__capabilities_tags ;; - } - } - - view: udm_events__principal__process_ancestors__file__pe_file__section { - dimension: entropy { - type: number - sql: ${TABLE}.entropy ;; - } - - dimension: md5_hex { - type: string - sql: ${TABLE}.md5_hex ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: raw_size_bytes { - type: number - sql: ${TABLE}.raw_size_bytes ;; - } - - dimension: virtual_size_bytes { - type: number - sql: ${TABLE}.virtual_size_bytes ;; - } - } - - view: udm_events__observer__domain__registrant__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__src__process__file__pe_file__resources_language_count { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: value { - type: number - sql: ${TABLE}.value ;; - } - } - - view: udm_events__src__process__file__pe_file__resources_type_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__security_result__about__domain__registrant__phone_numbers { - dimension: udm_events__security_result__about__domain__registrant__phone_numbers { - type: string - sql: udm_events__security_result__about__domain__registrant__phone_numbers ;; - } - } - - view: udm_events__security_result__about__asset__software__permissions { - 
dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__security_result__about__user__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__target__process_ancestors__file__pe_file__imports { - dimension: functions { - hidden: yes - sql: ${TABLE}.functions ;; - } - - dimension: library { - type: string - sql: ${TABLE}.library ;; - } + dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" } +} - view: udm_events__about__process__file__pe_file__signature_info__signers { - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - } - - view: udm_events__about__user_management_chain__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } +view: udm_events__about__user__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; } - view: udm_events__about__process_ancestors__file__pe_file__imports__functions { - dimension: udm_events__about__process_ancestors__file__pe_file__imports__functions { - type: string - sql: udm_events__about__process_ancestors__file__pe_file__imports__functions ;; - } - } - - view: udm_events__intermediary__file__pe_file__resources_language_count { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: value { - type: number - sql: ${TABLE}.value ;; - } - } - - view: 
udm_events__intermediary__file__pe_file__resources_type_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__intermediary__domain__billing__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__principal__domain__registrant__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__observer__file__pe_file__resources_language_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__observer__process__file__pe_file__resources_type_count { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: value { - type: number - sql: ${TABLE}.value ;; - } - } - - view: udm_events__observer__resource_ancestors__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__security_result__about__user_management_chain__department { - dimension: udm_events__security_result__about__user_management_chain__department { - type: string - sql: udm_events__security_result__about__user_management_chain__department ;; - } - } - - view: udm_events__security_result__about__domain__tech__time_off { - dimension: description { - 
type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: ${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__security_result__about__domain__tech__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__security_result__about__domain__tech__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__security_result__about__domain__billing__group_identifiers { - dimension: udm_events__security_result__about__domain__billing__group_identifiers { - type: string - sql: udm_events__security_result__about__domain__billing__group_identifiers ;; - } - } - - view: udm_events__security_result__about__domain__zone__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: 
${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__security_result__about__domain__zone__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__security_result__about__domain__zone__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__security_result__about__asset__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__target__process_ancestors__file__pe_file__resource { - dimension: entropy { - type: number - sql: ${TABLE}.entropy ;; - } - - dimension: file_type { - type: string - sql: ${TABLE}.file_type ;; - } - - dimension: filetype_magic { - type: string - sql: ${TABLE}.filetype_magic ;; - } - - dimension: language_code { - type: string - sql: ${TABLE}.language_code ;; - } - - dimension: resource_type { - type: string - sql: ${TABLE}.resource_type ;; - } - - dimension: sha256_hex { - type: string - sql: ${TABLE}.sha256_hex ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__user__department { - dimension: 
udm_events__extensions__vulns__vulnerabilities__about__user__department { - type: string - sql: udm_events__extensions__vulns__vulnerabilities__about__user__department ;; - } - } - - view: udm_events__about__process__file__pe_file__resources_language_count { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: value { - type: number - sql: ${TABLE}.value ;; - } - } - - view: udm_events__about__process__file__pe_file__resources_type_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__intermediary__process__file__pe_file__signature_info__signer { - dimension: udm_events__intermediary__process__file__pe_file__signature_info__signer { - type: string - sql: udm_events__intermediary__process__file__pe_file__signature_info__signer ;; - } - } - - view: udm_events__intermediary__user_management_chain__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: ${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__intermediary__user_management_chain__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - 
sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__intermediary__user_management_chain__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__principal__file__pe_file__resources_language_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__principal__process__file__pe_file__resources_type_count { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: value { - type: number - sql: ${TABLE}.value ;; - } - } - - view: udm_events__principal__resource_ancestors__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__observer__process_ancestors__file__pe_file__imports { - dimension: functions { - hidden: yes - sql: ${TABLE}.functions ;; - } - - dimension: library { - type: string - sql: ${TABLE}.library ;; - } - } - - view: udm_events__security_result__about__process__file__pe_file__section { - dimension: entropy { - type: number - sql: ${TABLE}.entropy ;; - } - - dimension: md5_hex { - type: string - sql: ${TABLE}.md5_hex ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: raw_size_bytes { - type: number - sql: ${TABLE}.raw_size_bytes ;; - } - - dimension: virtual_size_bytes { - type: number - sql: ${TABLE}.virtual_size_bytes ;; - } - } - - view: udm_events__security_result__about__domain__admin__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - 
dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: ${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__security_result__about__domain__admin__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__security_result__about__domain__admin__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__security_result__about__domain__registrant__email_addresses { - dimension: udm_events__security_result__about__domain__registrant__email_addresses { - type: string - sql: udm_events__security_result__about__domain__registrant__email_addresses ;; - } - } - - view: udm_events__target__process__file__pe_file__signature_info__signers { - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - } - - view: udm_events__target__user_management_chain__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: 
udm_events__target__process_ancestors__file__pe_file__imports__functions { - dimension: udm_events__target__process_ancestors__file__pe_file__imports__functions { - type: string - sql: udm_events__target__process_ancestors__file__pe_file__imports__functions ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__ip_location { - dimension: city { - type: string - sql: ${TABLE}.city ;; - } - - dimension: country_or_region { - type: string - sql: ${TABLE}.country_or_region ;; - } - - dimension: desk_name { - type: string - sql: ${TABLE}.desk_name ;; - } - - dimension: floor_name { - type: string - sql: ${TABLE}.floor_name ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: region_latitude { - type: number - sql: ${TABLE}.region_latitude ;; - } - - dimension: region_longitude { - type: number - sql: ${TABLE}.region_longitude ;; - } - - dimension: state { - type: string - sql: ${TABLE}.state ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__asset__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__intermediary__process_ancestors__file__pe_file__section { - dimension: entropy { - type: number - sql: ${TABLE}.entropy ;; - } - - dimension: md5_hex { - type: string - sql: ${TABLE}.md5_hex ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: raw_size_bytes { - type: number - sql: ${TABLE}.raw_size_bytes ;; - } - - dimension: virtual_size_bytes { - type: number - sql: ${TABLE}.virtual_size_bytes ;; - } - } - - view: udm_events__principal__process_ancestors__file__pe_file__imports { - dimension: functions { - hidden: yes - sql: ${TABLE}.functions ;; - } - - dimension: library { - type: string - sql: ${TABLE}.library ;; - } - } - - view: 
udm_events__observer__process_ancestors__file__pe_file__resource { - dimension: entropy { - type: number - sql: ${TABLE}.entropy ;; - } - - dimension: file_type { - type: string - sql: ${TABLE}.file_type ;; - } - - dimension: filetype_magic { - type: string - sql: ${TABLE}.filetype_magic ;; - } - - dimension: language_code { - type: string - sql: ${TABLE}.language_code ;; - } - - dimension: resource_type { - type: string - sql: ${TABLE}.resource_type ;; - } - - dimension: sha256_hex { - type: string - sql: ${TABLE}.sha256_hex ;; - } - } - - view: udm_events__src__process_ancestors__file__pe_file__signature_info__signer { - dimension: udm_events__src__process_ancestors__file__pe_file__signature_info__signer { - type: string - sql: udm_events__src__process_ancestors__file__pe_file__signature_info__signer ;; - } - } - - view: udm_events__security_result__about__cloud__project__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__security_result__about__cloud__project__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__security_result__about__file__pe_file__signature_info__signer { - dimension: udm_events__security_result__about__file__pe_file__signature_info__signer { - type: string - sql: udm_events__security_result__about__file__pe_file__signature_info__signer ;; - } - } - - view: udm_events__security_result__about__group__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: 
udm_events__target__process__file__pe_file__resources_language_count { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: value { - type: number - sql: ${TABLE}.value ;; - } - } - - view: udm_events__target__process__file__pe_file__resources_type_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__intermediary__domain__registrant__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__principal__process_ancestors__file__pe_file__resource { - dimension: entropy { - type: number - sql: ${TABLE}.entropy ;; - } - - dimension: file_type { - type: string - sql: ${TABLE}.file_type ;; - } - - dimension: filetype_magic { - type: string - sql: ${TABLE}.filetype_magic ;; - } - - dimension: language_code { - type: string - sql: ${TABLE}.language_code ;; - } - - dimension: resource_type { - type: string - sql: ${TABLE}.resource_type ;; - } - - dimension: sha256_hex { - type: string - sql: ${TABLE}.sha256_hex ;; - } - } - - view: udm_events__observer__process__file__pe_file__signature_info__signers { - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - } - - view: udm_events__observer__user_management_chain__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__observer__process_ancestors__file__pe_file__imports__functions { - dimension: udm_events__observer__process_ancestors__file__pe_file__imports__functions { - type: string - sql: 
udm_events__observer__process_ancestors__file__pe_file__imports__functions ;; - } - } - - view: udm_events__src__process__file__pe_file__resources_language_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__security_result__about__resource__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__security_result__about__user_management_chain__phone_numbers { - dimension: udm_events__security_result__about__user_management_chain__phone_numbers { - type: string - sql: udm_events__security_result__about__user_management_chain__phone_numbers ;; - } - } - - view: udm_events__security_result__about__domain__billing__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: ${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__security_result__about__domain__billing__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - 
sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__security_result__about__domain__billing__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__security_result__about__domain__registrant__group_identifiers { - dimension: udm_events__security_result__about__domain__registrant__group_identifiers { - type: string - sql: udm_events__security_result__about__domain__registrant__group_identifiers ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__process__file__names { - dimension: udm_events__extensions__vulns__vulnerabilities__about__process__file__names { - type: string - sql: udm_events__extensions__vulns__vulnerabilities__about__process__file__names ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__domain__name_server { - dimension: udm_events__extensions__vulns__vulnerabilities__about__domain__name_server { - type: string - sql: udm_events__extensions__vulns__vulnerabilities__about__domain__name_server ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__asset__hardware { - dimension: cpu_clock_speed { - type: number - sql: ${TABLE}.cpu_clock_speed ;; - } - - dimension: cpu_max_clock_speed { - type: number - sql: ${TABLE}.cpu_max_clock_speed ;; - } - - dimension: cpu_model { - type: string - sql: ${TABLE}.cpu_model ;; - } - - dimension: cpu_number_cores { - type: number - sql: ${TABLE}.cpu_number_cores ;; - } - - dimension: cpu_platform { - type: string - sql: ${TABLE}.cpu_platform ;; - } - - dimension: manufacturer { - type: string - sql: ${TABLE}.manufacturer ;; - } - - dimension: model { - type: string - sql: ${TABLE}.model ;; - } - - dimension: ram { - type: number - sql: ${TABLE}.ram ;; - } - - dimension: serial_number { - type: string 
- sql: ${TABLE}.serial_number ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__user__phone_numbers { - dimension: udm_events__extensions__vulns__vulnerabilities__about__user__phone_numbers { - type: string - sql: udm_events__extensions__vulns__vulnerabilities__about__user__phone_numbers ;; - } - } - - view: udm_events__about__process_ancestors__file__pe_file__signature_info__signer { - dimension: udm_events__about__process_ancestors__file__pe_file__signature_info__signer { - type: string - sql: udm_events__about__process_ancestors__file__pe_file__signature_info__signer ;; - } - } - - view: udm_events__intermediary__file__pe_file__resources_language_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__intermediary__process__file__pe_file__resources_type_count { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: value { - type: number - sql: ${TABLE}.value ;; - } - } - - view: udm_events__intermediary__resource_ancestors__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__principal__process__file__pe_file__signature_info__signers { - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - } - - view: udm_events__principal__user_management_chain__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } + dimension: name { + type: string + sql: ${TABLE}.name ;; } - view: udm_events__principal__process_ancestors__file__pe_file__imports__functions { - 
dimension: udm_events__principal__process_ancestors__file__pe_file__imports__functions { - type: string - sql: udm_events__principal__process_ancestors__file__pe_file__imports__functions ;; - } - } - - view: udm_events__observer__process__file__pe_file__resources_language_count { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: value { - type: number - sql: ${TABLE}.value ;; - } - } - - view: udm_events__observer__process__file__pe_file__resources_type_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__security_result__about__cloud__vpc__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } + dimension: type { + type: number + sql: ${TABLE}.type ;; } +} - view: udm_events__security_result__about__process__file__pe_file__imports { - dimension: functions { - hidden: yes - sql: ${TABLE}.functions ;; - } - - dimension: library { - type: string - sql: ${TABLE}.library ;; - } +view: udm_events__about__user__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; } - view: udm_events__extensions__vulns__vulnerabilities__about__asset__software { - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: permissions { - hidden: yes - sql: ${TABLE}.permissions ;; - } - - dimension: version { - type: string - sql: ${TABLE}.version ;; - } - } - - view: udm_events__about__process__file__pe_file__resources_language_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: 
udm_events__intermediary__process_ancestors__file__pe_file__imports { - dimension: functions { - hidden: yes - sql: ${TABLE}.functions ;; - } - - dimension: library { - type: string - sql: ${TABLE}.library ;; - } - } - - view: udm_events__principal__process__file__pe_file__resources_language_count { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: value { - type: number - sql: ${TABLE}.value ;; - } - } - - view: udm_events__principal__process__file__pe_file__resources_type_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__src__process_ancestors__file__pe_file__resources_type_count { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: value { - type: number - sql: ${TABLE}.value ;; - } - } - - view: udm_events__security_result__about__file__pe_file__resources_type_count { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: value { - type: number - sql: ${TABLE}.value ;; - } + dimension: source { + type: string + sql: ${TABLE}.source ;; } - view: udm_events__security_result__about__process__file__pe_file__resource { - dimension: entropy { - type: number - sql: ${TABLE}.entropy ;; - } - - dimension: file_type { - type: string - sql: ${TABLE}.file_type ;; - } - - dimension: filetype_magic { - type: string - sql: ${TABLE}.filetype_magic ;; - } - - dimension: language_code { - type: string - sql: ${TABLE}.language_code ;; - } - - dimension: resource_type { - type: string - sql: ${TABLE}.resource_type ;; - } - - dimension: sha256_hex { - type: string - sql: ${TABLE}.sha256_hex ;; - } - } - - view: udm_events__security_result__about__user_management_chain__email_addresses { - dimension: udm_events__security_result__about__user_management_chain__email_addresses { - type: string - sql: 
udm_events__security_result__about__user_management_chain__email_addresses ;; - } - } - - view: udm_events__target__process_ancestors__file__pe_file__signature_info__signer { - dimension: udm_events__target__process_ancestors__file__pe_file__signature_info__signer { - type: string - sql: udm_events__target__process_ancestors__file__pe_file__signature_info__signer ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__user__email_addresses { - dimension: udm_events__extensions__vulns__vulnerabilities__about__user__email_addresses { - type: string - sql: udm_events__extensions__vulns__vulnerabilities__about__user__email_addresses ;; - } - } - - view: udm_events__intermediary__process_ancestors__file__pe_file__resource { - dimension: entropy { - type: number - sql: ${TABLE}.entropy ;; - } - - dimension: file_type { - type: string - sql: ${TABLE}.file_type ;; - } - - dimension: filetype_magic { - type: string - sql: ${TABLE}.filetype_magic ;; - } - - dimension: language_code { - type: string - sql: ${TABLE}.language_code ;; - } - - dimension: resource_type { - type: string - sql: ${TABLE}.resource_type ;; - } - - dimension: sha256_hex { - type: string - sql: ${TABLE}.sha256_hex ;; - } - } - - view: udm_events__security_result__about__process__file__pe_file__imports__functions { - dimension: udm_events__security_result__about__process__file__pe_file__imports__functions { - type: string - sql: udm_events__security_result__about__process__file__pe_file__imports__functions ;; - } - } - - view: udm_events__security_result__about__process_ancestors__command_line_history { - dimension: udm_events__security_result__about__process_ancestors__command_line_history { - type: string - sql: udm_events__security_result__about__process_ancestors__command_line_history ;; - } - } - - view: udm_events__security_result__about__domain__tech__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - 
type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__security_result__about__domain__zone__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__security_result__about__domain__registrant__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: ${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__security_result__about__domain__registrant__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__security_result__about__domain__registrant__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__target__process__file__pe_file__resources_language_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - 
- dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__resource_ancestors { - drill_fields: [id] - - dimension: id { - primary_key: yes - type: string - sql: ${TABLE}.id ;; - } - - dimension: attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.attribute.cloud.availability_zone ;; - group_label: "Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: attribute__cloud__environment { - type: number - sql: ${TABLE}.attribute.cloud.environment ;; - group_label: "Attribute Cloud" - group_item_label: "Environment" - } - - dimension: attribute__creation_time__nanos { - type: number - sql: ${TABLE}.attribute.creation_time.nanos ;; - group_label: "Attribute Creation Time" - group_item_label: "Nanos" - } - - dimension: attribute__creation_time__seconds { - type: number - sql: ${TABLE}.attribute.creation_time.seconds ;; - group_label: "Attribute Creation Time" - group_item_label: "Seconds" - } - - dimension: attribute__labels { - hidden: yes - sql: ${TABLE}.attribute.labels ;; - group_label: "Attribute" - group_item_label: "Labels" - } - - dimension: attribute__last_update_time__nanos { - type: number - sql: ${TABLE}.attribute.last_update_time.nanos ;; - group_label: "Attribute Last Update Time" - group_item_label: "Nanos" - } - - dimension: attribute__last_update_time__seconds { - type: number - sql: ${TABLE}.attribute.last_update_time.seconds ;; - group_label: "Attribute Last Update Time" - group_item_label: "Seconds" - } - - dimension: attribute__permissions { - hidden: yes - sql: ${TABLE}.attribute.permissions ;; - group_label: "Attribute" - group_item_label: "Permissions" - } - - dimension: attribute__roles { - hidden: yes - sql: ${TABLE}.attribute.roles ;; - group_label: "Attribute" - group_item_label: "Roles" - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - 
dimension: parent { - type: string - sql: ${TABLE}.parent ;; - } - - dimension: product_object_id { - type: string - sql: ${TABLE}.product_object_id ;; - } - - dimension: resource_subtype { - type: string - sql: ${TABLE}.resource_subtype ;; - } - - dimension: resource_type { - type: number - sql: ${TABLE}.resource_type ;; - } - - dimension: type { - type: string - sql: ${TABLE}.type ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__process_ancestors { - dimension: access_mask { - type: number - sql: ${TABLE}.access_mask ;; - } - - dimension: command_line { - type: string - sql: ${TABLE}.command_line ;; - } - - dimension: command_line_history { - hidden: yes - sql: ${TABLE}.command_line_history ;; - } - - dimension: file__ahash { - type: string - sql: ${TABLE}.file.ahash ;; - group_label: "File" - group_item_label: "Ahash" - } - - dimension: file__authentihash { - type: string - sql: ${TABLE}.file.authentihash ;; - group_label: "File" - group_item_label: "Authentihash" - } - - dimension: file__capabilities_tags { - hidden: yes - sql: ${TABLE}.file.capabilities_tags ;; - group_label: "File" - group_item_label: "Capabilities Tags" - } - - dimension: file__file_metadata__pe__import_hash { - type: string - sql: ${TABLE}.file.file_metadata.pe.import_hash ;; - group_label: "File File Metadata Pe" - group_item_label: "Import Hash" - } - - dimension: file__file_type { - type: number - sql: ${TABLE}.file.file_type ;; - group_label: "File" - group_item_label: "File Type" - } - - dimension: file__first_seen_time__nanos { - type: number - sql: ${TABLE}.file.first_seen_time.nanos ;; - group_label: "File First Seen Time" - group_item_label: "Nanos" - } - - dimension: file__first_seen_time__seconds { - type: number - sql: ${TABLE}.file.first_seen_time.seconds ;; - group_label: "File First Seen Time" - group_item_label: "Seconds" - } - - dimension: file__full_path { - type: string - sql: ${TABLE}.file.full_path ;; - group_label: "File" - group_item_label: 
"Full Path" - } - - dimension: file__last_modification_time__nanos { - type: number - sql: ${TABLE}.file.last_modification_time.nanos ;; - group_label: "File Last Modification Time" - group_item_label: "Nanos" - } - - dimension: file__last_modification_time__seconds { - type: number - sql: ${TABLE}.file.last_modification_time.seconds ;; - group_label: "File Last Modification Time" - group_item_label: "Seconds" - } - - dimension: file__last_seen_time__nanos { - type: number - sql: ${TABLE}.file.last_seen_time.nanos ;; - group_label: "File Last Seen Time" - group_item_label: "Nanos" - } - - dimension: file__last_seen_time__seconds { - type: number - sql: ${TABLE}.file.last_seen_time.seconds ;; - group_label: "File Last Seen Time" - group_item_label: "Seconds" - } - - dimension: file__md5 { - type: string - sql: ${TABLE}.file.md5 ;; - group_label: "File" - group_item_label: "Md5" - } - - dimension: file__mime_type { - type: string - sql: ${TABLE}.file.mime_type ;; - group_label: "File" - group_item_label: "Mime Type" - } - - dimension: file__names { - hidden: yes - sql: ${TABLE}.file.names ;; - group_label: "File" - group_item_label: "Names" - } - - dimension: file__pe_file__compilation_exiftool_time__nanos { - type: number - sql: ${TABLE}.file.pe_file.compilation_exiftool_time.nanos ;; - group_label: "File Pe File Compilation Exiftool Time" - group_item_label: "Nanos" - } - - dimension: file__pe_file__compilation_exiftool_time__seconds { - type: number - sql: ${TABLE}.file.pe_file.compilation_exiftool_time.seconds ;; - group_label: "File Pe File Compilation Exiftool Time" - group_item_label: "Seconds" - } - - dimension: file__pe_file__compilation_time__nanos { - type: number - sql: ${TABLE}.file.pe_file.compilation_time.nanos ;; - group_label: "File Pe File Compilation Time" - group_item_label: "Nanos" - } - - dimension: file__pe_file__compilation_time__seconds { - type: number - sql: ${TABLE}.file.pe_file.compilation_time.seconds ;; - group_label: "File Pe File 
Compilation Time" - group_item_label: "Seconds" - } - - dimension: file__pe_file__entry_point { - type: number - sql: ${TABLE}.file.pe_file.entry_point ;; - group_label: "File Pe File" - group_item_label: "Entry Point" - } - - dimension: file__pe_file__entry_point_exiftool { - type: number - sql: ${TABLE}.file.pe_file.entry_point_exiftool ;; - group_label: "File Pe File" - group_item_label: "Entry Point Exiftool" - } - - dimension: file__pe_file__imphash { - type: string - sql: ${TABLE}.file.pe_file.imphash ;; - group_label: "File Pe File" - group_item_label: "Imphash" - } - - dimension: file__pe_file__imports { - hidden: yes - sql: ${TABLE}.file.pe_file.imports ;; - group_label: "File Pe File" - group_item_label: "Imports" - } - - dimension: file__pe_file__resource { - hidden: yes - sql: ${TABLE}.file.pe_file.resource ;; - group_label: "File Pe File" - group_item_label: "Resource" - } - - dimension: file__pe_file__resources_language_count { - hidden: yes - sql: ${TABLE}.file.pe_file.resources_language_count ;; - group_label: "File Pe File" - group_item_label: "Resources Language Count" - } - - dimension: file__pe_file__resources_language_count_str { - hidden: yes - sql: ${TABLE}.file.pe_file.resources_language_count_str ;; - group_label: "File Pe File" - group_item_label: "Resources Language Count Str" - } - - dimension: file__pe_file__resources_type_count { - hidden: yes - sql: ${TABLE}.file.pe_file.resources_type_count ;; - group_label: "File Pe File" - group_item_label: "Resources Type Count" - } - - dimension: file__pe_file__resources_type_count_str { - hidden: yes - sql: ${TABLE}.file.pe_file.resources_type_count_str ;; - group_label: "File Pe File" - group_item_label: "Resources Type Count Str" - } - - dimension: file__pe_file__section { - hidden: yes - sql: ${TABLE}.file.pe_file.section ;; - group_label: "File Pe File" - group_item_label: "Section" - } - - dimension: file__pe_file__signature_info__signer { - hidden: yes - sql: 
${TABLE}.file.pe_file.signature_info.signer ;; - group_label: "File Pe File Signature Info" - group_item_label: "Signer" - } - - dimension: file__pe_file__signature_info__signers { - hidden: yes - sql: ${TABLE}.file.pe_file.signature_info.signers ;; - group_label: "File Pe File Signature Info" - group_item_label: "Signers" - } - - dimension: file__pe_file__signature_info__verification_message { - type: string - sql: ${TABLE}.file.pe_file.signature_info.verification_message ;; - group_label: "File Pe File Signature Info" - group_item_label: "Verification Message" - } - - dimension: file__pe_file__signature_info__verified { - type: yesno - sql: ${TABLE}.file.pe_file.signature_info.verified ;; - group_label: "File Pe File Signature Info" - group_item_label: "Verified" - } - - dimension: file__prevalence__day_count { - type: number - sql: ${TABLE}.file.prevalence.day_count ;; - group_label: "File Prevalence" - group_item_label: "Day Count" - } - - dimension: file__prevalence__day_max { - type: number - sql: ${TABLE}.file.prevalence.day_max ;; - group_label: "File Prevalence" - group_item_label: "Day Max" - } - - dimension: file__prevalence__day_max_sub_domains { - type: number - sql: ${TABLE}.file.prevalence.day_max_sub_domains ;; - group_label: "File Prevalence" - group_item_label: "Day Max Sub Domains" - } - - dimension: file__prevalence__rolling_max { - type: number - sql: ${TABLE}.file.prevalence.rolling_max ;; - group_label: "File Prevalence" - group_item_label: "Rolling Max" - } - - dimension: file__prevalence__rolling_max_sub_domains { - type: number - sql: ${TABLE}.file.prevalence.rolling_max_sub_domains ;; - group_label: "File Prevalence" - group_item_label: "Rolling Max Sub Domains" - } - - dimension: file__sha1 { - type: string - sql: ${TABLE}.file.sha1 ;; - group_label: "File" - group_item_label: "Sha1" - } - - dimension: file__sha256 { - type: string - sql: ${TABLE}.file.sha256 ;; - group_label: "File" - group_item_label: "Sha256" - } - - dimension: 
file__size { - type: number - sql: ${TABLE}.file.size ;; - group_label: "File" - group_item_label: "Size" - } - - dimension: file__ssdeep { - type: string - sql: ${TABLE}.file.ssdeep ;; - group_label: "File" - group_item_label: "Ssdeep" - } - - dimension: file__vhash { - type: string - sql: ${TABLE}.file.vhash ;; - group_label: "File" - group_item_label: "Vhash" - } - - dimension: parent_pid { - type: string - sql: ${TABLE}.parent_pid ;; - } - - dimension: pid { - type: string - sql: ${TABLE}.pid ;; - } - - dimension: product_specific_parent_process_id { - type: string - sql: ${TABLE}.product_specific_parent_process_id ;; - } - - dimension: product_specific_process_id { - type: string - sql: ${TABLE}.product_specific_process_id ;; - } - } - - view: udm_events__about__process_ancestors__file__pe_file__resources_type_count { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: value { - type: number - sql: ${TABLE}.value ;; - } - } - - view: udm_events__intermediary__process__file__pe_file__signature_info__signers { - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - } - - view: udm_events__intermediary__user_management_chain__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__intermediary__process_ancestors__file__pe_file__imports__functions { - dimension: udm_events__intermediary__process_ancestors__file__pe_file__imports__functions { - type: string - sql: udm_events__intermediary__process_ancestors__file__pe_file__imports__functions ;; - } - } - - view: udm_events__observer__process_ancestors__file__pe_file__signature_info__signer { - dimension: udm_events__observer__process_ancestors__file__pe_file__signature_info__signer { - type: string - sql: udm_events__observer__process_ancestors__file__pe_file__signature_info__signer 
;; - } - } - - view: udm_events__security_result__about__resource_ancestors__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__security_result__about__resource_ancestors__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } + dimension: value { + type: string + sql: ${TABLE}.value ;; } +} - view: udm_events__security_result__about__user_management_chain__group_identifiers { - dimension: udm_events__security_result__about__user_management_chain__group_identifiers { - type: string - sql: udm_events__security_result__about__user_management_chain__group_identifiers ;; - } +view: udm_events__intermediary__process__file__names { + dimension: udm_events__intermediary__process__file__names { + type: string + sql: udm_events__intermediary__process__file__names ;; } +} - view: udm_events__security_result__about__domain__admin__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } +view: udm_events__intermediary__domain__name_server { + dimension: udm_events__intermediary__domain__name_server { + type: string + sql: udm_events__intermediary__domain__name_server ;; } +} - view: udm_events__extensions__vulns__vulnerabilities__about__file__capabilities_tags { - dimension: udm_events__extensions__vulns__vulnerabilities__about__file__capabilities_tags { - type: string - sql: udm_events__extensions__vulns__vulnerabilities__about__file__capabilities_tags ;; - } +view: udm_events__intermediary__asset__hardware { + dimension: cpu_clock_speed { + type: 
number + sql: ${TABLE}.cpu_clock_speed ;; } - view: udm_events__extensions__vulns__vulnerabilities__about__domain__tech__department { - dimension: udm_events__extensions__vulns__vulnerabilities__about__domain__tech__department { - type: string - sql: udm_events__extensions__vulns__vulnerabilities__about__domain__tech__department ;; - } + dimension: cpu_max_clock_speed { + type: number + sql: ${TABLE}.cpu_max_clock_speed ;; } - view: udm_events__extensions__vulns__vulnerabilities__about__domain__zone__department { - dimension: udm_events__extensions__vulns__vulnerabilities__about__domain__zone__department { - type: string - sql: udm_events__extensions__vulns__vulnerabilities__about__domain__zone__department ;; - } + dimension: cpu_model { + type: string + sql: ${TABLE}.cpu_model ;; } - view: udm_events__extensions__vulns__vulnerabilities__about__investigation__comments { - dimension: udm_events__extensions__vulns__vulnerabilities__about__investigation__comments { - type: string - sql: udm_events__extensions__vulns__vulnerabilities__about__investigation__comments ;; - } + dimension: cpu_number_cores { + type: number + sql: ${TABLE}.cpu_number_cores ;; } - view: udm_events__extensions__vulns__vulnerabilities__about__user__group_identifiers { - dimension: udm_events__extensions__vulns__vulnerabilities__about__user__group_identifiers { - type: string - sql: udm_events__extensions__vulns__vulnerabilities__about__user__group_identifiers ;; - } + dimension: cpu_platform { + type: string + sql: ${TABLE}.cpu_platform ;; } - view: udm_events__intermediary__process__file__pe_file__resources_language_count { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: value { - type: number - sql: ${TABLE}.value ;; - } + dimension: manufacturer { + type: string + sql: ${TABLE}.manufacturer ;; } - view: udm_events__intermediary__process__file__pe_file__resources_type_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - 
type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } + dimension: model { + type: string + sql: ${TABLE}.model ;; } - view: udm_events__principal__process_ancestors__file__pe_file__signature_info__signer { - dimension: udm_events__principal__process_ancestors__file__pe_file__signature_info__signer { - type: string - sql: udm_events__principal__process_ancestors__file__pe_file__signature_info__signer ;; - } + dimension: ram { + type: number + sql: ${TABLE}.ram ;; } - view: udm_events__observer__process__file__pe_file__resources_language_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } + dimension: serial_number { + type: string + sql: ${TABLE}.serial_number ;; } +} - view: udm_events__src__process_ancestors__file__pe_file__signature_info__signers { - dimension: name { - type: string - sql: ${TABLE}.name ;; - } +view: udm_events__intermediary__user__phone_numbers { + dimension: udm_events__intermediary__user__phone_numbers { + type: string + sql: udm_events__intermediary__user__phone_numbers ;; } +} - view: udm_events__security_result__about__cloud__project__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } +view: udm_events__principal__resource_ancestors { + drill_fields: [id] - dimension: type { - type: number - sql: ${TABLE}.type ;; - } + dimension: id { + primary_key: yes + type: string + sql: ${TABLE}.id ;; } - view: udm_events__security_result__about__file__pe_file__signature_info__signers { - dimension: name { - type: string - sql: ${TABLE}.name ;; - } + dimension: attribute__cloud__availability_zone { + type: string + sql: ${TABLE}.attribute.cloud.availability_zone ;; + group_label: "Attribute Cloud" + group_item_label: 
"Availability Zone" } - view: udm_events__security_result__about__process_ancestors__file__capabilities_tags { - dimension: udm_events__security_result__about__process_ancestors__file__capabilities_tags { - type: string - sql: udm_events__security_result__about__process_ancestors__file__capabilities_tags ;; - } + dimension: attribute__cloud__environment { + type: number + sql: ${TABLE}.attribute.cloud.environment ;; + group_label: "Attribute Cloud" + group_item_label: "Environment" } - view: udm_events__target__process_ancestors__file__pe_file__resources_type_count { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: value { - type: number - sql: ${TABLE}.value ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__group__email_addresses { - dimension: udm_events__extensions__vulns__vulnerabilities__about__group__email_addresses { - type: string - sql: udm_events__extensions__vulns__vulnerabilities__about__group__email_addresses ;; - } + dimension: attribute__creation_time__nanos { + type: number + sql: ${TABLE}.attribute.creation_time.nanos ;; + group_label: "Attribute Creation Time" + group_item_label: "Nanos" } - view: udm_events__extensions__vulns__vulnerabilities__about__domain__admin__department { - dimension: udm_events__extensions__vulns__vulnerabilities__about__domain__admin__department { - type: string - sql: udm_events__extensions__vulns__vulnerabilities__about__domain__admin__department ;; - } + dimension: attribute__creation_time__seconds { + type: number + sql: ${TABLE}.attribute.creation_time.seconds ;; + group_label: "Attribute Creation Time" + group_item_label: "Seconds" } - view: udm_events__principal__process__file__pe_file__resources_language_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } + dimension: attribute__labels { + hidden: yes + sql: 
${TABLE}.attribute.labels ;; + group_label: "Attribute" + group_item_label: "Labels" } - view: udm_events__src__process_ancestors__file__pe_file__resources_language_count { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: value { - type: number - sql: ${TABLE}.value ;; - } + dimension: attribute__last_update_time__nanos { + type: number + sql: ${TABLE}.attribute.last_update_time.nanos ;; + group_label: "Attribute Last Update Time" + group_item_label: "Nanos" } - view: udm_events__src__process_ancestors__file__pe_file__resources_type_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__security_result__about__file__pe_file__resources_language_count { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: value { - type: number - sql: ${TABLE}.value ;; - } - } - - view: udm_events__security_result__about__file__pe_file__resources_type_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__security_result__about__domain__billing__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__about__process_ancestors__file__pe_file__signature_info__signers { - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - } - - view: udm_events__observer__process_ancestors__file__pe_file__resources_type_count { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: value { - type: number - sql: ${TABLE}.value ;; - } - } - - view: 
udm_events__security_result__about__process__file__pe_file__signature_info__signer { - dimension: udm_events__security_result__about__process__file__pe_file__signature_info__signer { - type: string - sql: udm_events__security_result__about__process__file__pe_file__signature_info__signer ;; - } - } - - view: udm_events__security_result__about__user_management_chain__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: ${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__security_result__about__user_management_chain__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__security_result__about__user_management_chain__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__file__pe_file__section { - dimension: entropy { - type: number - sql: ${TABLE}.entropy ;; - } - - dimension: md5_hex { - type: string - sql: ${TABLE}.md5_hex ;; - } - - dimension: 
name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: raw_size_bytes { - type: number - sql: ${TABLE}.raw_size_bytes ;; - } - - dimension: virtual_size_bytes { - type: number - sql: ${TABLE}.virtual_size_bytes ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__domain__tech__phone_numbers { - dimension: udm_events__extensions__vulns__vulnerabilities__about__domain__tech__phone_numbers { - type: string - sql: udm_events__extensions__vulns__vulnerabilities__about__domain__tech__phone_numbers ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__domain__billing__department { - dimension: udm_events__extensions__vulns__vulnerabilities__about__domain__billing__department { - type: string - sql: udm_events__extensions__vulns__vulnerabilities__about__domain__billing__department ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__domain__zone__phone_numbers { - dimension: udm_events__extensions__vulns__vulnerabilities__about__domain__zone__phone_numbers { - type: string - sql: udm_events__extensions__vulns__vulnerabilities__about__domain__zone__phone_numbers ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__user__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: ${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - 
group_item_label: "Seconds" - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__user__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__user__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__about__process_ancestors__file__pe_file__resources_language_count { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: value { - type: number - sql: ${TABLE}.value ;; - } - } - - view: udm_events__about__process_ancestors__file__pe_file__resources_type_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__intermediary__process_ancestors__file__pe_file__signature_info__signer { - dimension: udm_events__intermediary__process_ancestors__file__pe_file__signature_info__signer { - type: string - sql: udm_events__intermediary__process_ancestors__file__pe_file__signature_info__signer ;; - } - } - - view: udm_events__principal__process_ancestors__file__pe_file__resources_type_count { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: value { - type: number - sql: ${TABLE}.value ;; - } - } - - view: udm_events__security_result__about__process_ancestors__file__pe_file__section { - dimension: entropy { - type: number - sql: ${TABLE}.entropy ;; - } - - dimension: md5_hex { - type: string - sql: ${TABLE}.md5_hex ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: raw_size_bytes { 
- type: number - sql: ${TABLE}.raw_size_bytes ;; - } - - dimension: virtual_size_bytes { - type: number - sql: ${TABLE}.virtual_size_bytes ;; - } - } - - view: udm_events__target__process_ancestors__file__pe_file__signature_info__signers { - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__domain__admin__phone_numbers { - dimension: udm_events__extensions__vulns__vulnerabilities__about__domain__admin__phone_numbers { - type: string - sql: udm_events__extensions__vulns__vulnerabilities__about__domain__admin__phone_numbers ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__asset__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__asset__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__intermediary__process__file__pe_file__resources_language_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__security_result__about__domain__registrant__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__target__process_ancestors__file__pe_file__resources_language_count { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: value { - type: number - 
sql: ${TABLE}.value ;; - } - } - - view: udm_events__target__process_ancestors__file__pe_file__resources_type_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__user_management_chain { - dimension: account_type { - type: number - sql: ${TABLE}.account_type ;; - } - - dimension: attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.attribute.cloud.availability_zone ;; - group_label: "Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: attribute__cloud__environment { - type: number - sql: ${TABLE}.attribute.cloud.environment ;; - group_label: "Attribute Cloud" - group_item_label: "Environment" - } - - dimension: attribute__cloud__project__id { - type: string - sql: ${TABLE}.attribute.cloud.project.id ;; - group_label: "Attribute Cloud Project" - group_item_label: "ID" - } - - dimension: attribute__cloud__project__name { - type: string - sql: ${TABLE}.attribute.cloud.project.name ;; - group_label: "Attribute Cloud Project" - group_item_label: "Name" - } - - dimension: attribute__cloud__project__parent { - type: string - sql: ${TABLE}.attribute.cloud.project.parent ;; - group_label: "Attribute Cloud Project" - group_item_label: "Parent" - } - - dimension: attribute__cloud__project__product_object_id { - type: string - sql: ${TABLE}.attribute.cloud.project.product_object_id ;; - group_label: "Attribute Cloud Project" - group_item_label: "Product Object ID" - } - - dimension: attribute__cloud__project__resource_subtype { - type: string - sql: ${TABLE}.attribute.cloud.project.resource_subtype ;; - group_label: "Attribute Cloud Project" - group_item_label: "Resource Subtype" - } - - dimension: attribute__cloud__project__resource_type { - type: number - sql: ${TABLE}.attribute.cloud.project.resource_type ;; - 
group_label: "Attribute Cloud Project" - group_item_label: "Resource Type" - } - - dimension: attribute__cloud__project__type { - type: string - sql: ${TABLE}.attribute.cloud.project.type ;; - group_label: "Attribute Cloud Project" - group_item_label: "Type" - } - - dimension: attribute__cloud__vpc__id { - type: string - sql: ${TABLE}.attribute.cloud.vpc.id ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "ID" - } - - dimension: attribute__cloud__vpc__name { - type: string - sql: ${TABLE}.attribute.cloud.vpc.name ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "Name" - } - - dimension: attribute__cloud__vpc__parent { - type: string - sql: ${TABLE}.attribute.cloud.vpc.parent ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "Parent" - } - - dimension: attribute__cloud__vpc__product_object_id { - type: string - sql: ${TABLE}.attribute.cloud.vpc.product_object_id ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "Product Object ID" - } - - dimension: attribute__cloud__vpc__resource_subtype { - type: string - sql: ${TABLE}.attribute.cloud.vpc.resource_subtype ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "Resource Subtype" - } - - dimension: attribute__cloud__vpc__resource_type { - type: number - sql: ${TABLE}.attribute.cloud.vpc.resource_type ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "Resource Type" - } - - dimension: attribute__cloud__vpc__type { - type: string - sql: ${TABLE}.attribute.cloud.vpc.type ;; - group_label: "Attribute Cloud Vpc" - group_item_label: "Type" - } - - dimension: attribute__creation_time__nanos { - type: number - sql: ${TABLE}.attribute.creation_time.nanos ;; - group_label: "Attribute Creation Time" - group_item_label: "Nanos" - } - - dimension: attribute__creation_time__seconds { - type: number - sql: ${TABLE}.attribute.creation_time.seconds ;; - group_label: "Attribute Creation Time" - group_item_label: "Seconds" - } - - dimension: attribute__labels { - hidden: yes - 
sql: ${TABLE}.attribute.labels ;; - group_label: "Attribute" - group_item_label: "Labels" - } - - dimension: attribute__last_update_time__nanos { - type: number - sql: ${TABLE}.attribute.last_update_time.nanos ;; - group_label: "Attribute Last Update Time" - group_item_label: "Nanos" - } - - dimension: attribute__last_update_time__seconds { - type: number - sql: ${TABLE}.attribute.last_update_time.seconds ;; - group_label: "Attribute Last Update Time" - group_item_label: "Seconds" - } - - dimension: attribute__permissions { - hidden: yes - sql: ${TABLE}.attribute.permissions ;; - group_label: "Attribute" - group_item_label: "Permissions" - } - - dimension: attribute__roles { - hidden: yes - sql: ${TABLE}.attribute.roles ;; - group_label: "Attribute" - group_item_label: "Roles" - } - - dimension: company_name { - type: string - sql: ${TABLE}.company_name ;; - } - - dimension: department { - hidden: yes - sql: ${TABLE}.department ;; - } - - dimension: email_addresses { - hidden: yes - sql: ${TABLE}.email_addresses ;; - } - - dimension: employee_id { - type: string - sql: ${TABLE}.employee_id ;; - } - - dimension: first_name { - type: string - sql: ${TABLE}.first_name ;; - } - - dimension: first_seen_time__nanos { - type: number - sql: ${TABLE}.first_seen_time.nanos ;; - group_label: "First Seen Time" - group_item_label: "Nanos" - } - - dimension: first_seen_time__seconds { - type: number - sql: ${TABLE}.first_seen_time.seconds ;; - group_label: "First Seen Time" - group_item_label: "Seconds" - } - - dimension: group_identifiers { - hidden: yes - sql: ${TABLE}.group_identifiers ;; - } - - dimension: groupid { - type: string - sql: ${TABLE}.groupid ;; - } - - dimension: hire_date__nanos { - type: number - sql: ${TABLE}.hire_date.nanos ;; - group_label: "Hire Date" - group_item_label: "Nanos" - } - - dimension: hire_date__seconds { - type: number - sql: ${TABLE}.hire_date.seconds ;; - group_label: "Hire Date" - group_item_label: "Seconds" - } - - dimension: last_name { 
- type: string - sql: ${TABLE}.last_name ;; - } - - dimension: middle_name { - type: string - sql: ${TABLE}.middle_name ;; - } - - dimension: office_address__city { - type: string - sql: ${TABLE}.office_address.city ;; - group_label: "Office Address" - group_item_label: "City" - } - - dimension: office_address__country_or_region { - type: string - sql: ${TABLE}.office_address.country_or_region ;; - group_label: "Office Address" - group_item_label: "Country or Region" - } - - dimension: office_address__desk_name { - type: string - sql: ${TABLE}.office_address.desk_name ;; - group_label: "Office Address" - group_item_label: "Desk Name" - } - - dimension: office_address__floor_name { - type: string - sql: ${TABLE}.office_address.floor_name ;; - group_label: "Office Address" - group_item_label: "Floor Name" - } - - dimension: office_address__name { - type: string - sql: ${TABLE}.office_address.name ;; - group_label: "Office Address" - group_item_label: "Name" - } - - dimension: office_address__region_latitude { - type: number - sql: ${TABLE}.office_address.region_latitude ;; - group_label: "Office Address" - group_item_label: "Region Latitude" - } - - dimension: office_address__region_longitude { - type: number - sql: ${TABLE}.office_address.region_longitude ;; - group_label: "Office Address" - group_item_label: "Region Longitude" - } - - dimension: office_address__state { - type: string - sql: ${TABLE}.office_address.state ;; - group_label: "Office Address" - group_item_label: "State" - } - - dimension: personal_address__city { - type: string - sql: ${TABLE}.personal_address.city ;; - group_label: "Personal Address" - group_item_label: "City" - } - - dimension: personal_address__country_or_region { - type: string - sql: ${TABLE}.personal_address.country_or_region ;; - group_label: "Personal Address" - group_item_label: "Country or Region" - } - - dimension: personal_address__desk_name { - type: string - sql: ${TABLE}.personal_address.desk_name ;; - group_label: 
"Personal Address" - group_item_label: "Desk Name" - } - - dimension: personal_address__floor_name { - type: string - sql: ${TABLE}.personal_address.floor_name ;; - group_label: "Personal Address" - group_item_label: "Floor Name" - } - - dimension: personal_address__name { - type: string - sql: ${TABLE}.personal_address.name ;; - group_label: "Personal Address" - group_item_label: "Name" - } - - dimension: personal_address__region_latitude { - type: number - sql: ${TABLE}.personal_address.region_latitude ;; - group_label: "Personal Address" - group_item_label: "Region Latitude" - } - - dimension: personal_address__region_longitude { - type: number - sql: ${TABLE}.personal_address.region_longitude ;; - group_label: "Personal Address" - group_item_label: "Region Longitude" - } - - dimension: personal_address__state { - type: string - sql: ${TABLE}.personal_address.state ;; - group_label: "Personal Address" - group_item_label: "State" - } - - dimension: phone_numbers { - hidden: yes - sql: ${TABLE}.phone_numbers ;; - } - - dimension: product_object_id { - type: string - sql: ${TABLE}.product_object_id ;; - } - - dimension: role_description { - type: string - sql: ${TABLE}.role_description ;; - } - - dimension: role_name { - type: string - sql: ${TABLE}.role_name ;; - } - - dimension: termination_date__nanos { - type: number - sql: ${TABLE}.termination_date.nanos ;; - group_label: "Termination Date" - group_item_label: "Nanos" - } - - dimension: termination_date__seconds { - type: number - sql: ${TABLE}.termination_date.seconds ;; - group_label: "Termination Date" - group_item_label: "Seconds" - } - - dimension: time_off { - hidden: yes - sql: ${TABLE}.time_off ;; - } - - dimension: title { - type: string - sql: ${TABLE}.title ;; - } - - dimension: user_authentication_status { - type: number - sql: ${TABLE}.user_authentication_status ;; - } - - dimension: user_display_name { - type: string - sql: ${TABLE}.user_display_name ;; - } - - dimension: user_role { - type: 
number - sql: ${TABLE}.user_role ;; - } - - dimension: userid { - type: string - sql: ${TABLE}.userid ;; - } - - dimension: windows_sid { - type: string - sql: ${TABLE}.windows_sid ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__domain__tech__email_addresses { - dimension: udm_events__extensions__vulns__vulnerabilities__about__domain__tech__email_addresses { - type: string - sql: udm_events__extensions__vulns__vulnerabilities__about__domain__tech__email_addresses ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__domain__zone__email_addresses { - dimension: udm_events__extensions__vulns__vulnerabilities__about__domain__zone__email_addresses { - type: string - sql: udm_events__extensions__vulns__vulnerabilities__about__domain__zone__email_addresses ;; - } - } - - view: udm_events__observer__process_ancestors__file__pe_file__signature_info__signers { - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - } - - view: udm_events__src__process_ancestors__file__pe_file__resources_language_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__security_result__about__file__pe_file__resources_language_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__security_result__about__process__file__pe_file__resources_type_count { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: value { - type: number - sql: ${TABLE}.value ;; - } + dimension: attribute__last_update_time__seconds { + type: number + sql: ${TABLE}.attribute.last_update_time.seconds ;; + group_label: "Attribute Last Update Time" + group_item_label: "Seconds" } - view: 
udm_events__security_result__about__resource_ancestors__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } + dimension: attribute__permissions { + hidden: yes + sql: ${TABLE}.attribute.permissions ;; + group_label: "Attribute" + group_item_label: "Permissions" } - view: udm_events__extensions__vulns__vulnerabilities__about__file__pe_file__imports { - dimension: functions { - hidden: yes - sql: ${TABLE}.functions ;; - } - - dimension: library { - type: string - sql: ${TABLE}.library ;; - } + dimension: attribute__roles { + hidden: yes + sql: ${TABLE}.attribute.roles ;; + group_label: "Attribute" + group_item_label: "Roles" } - view: udm_events__extensions__vulns__vulnerabilities__about__group__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } + dimension: name { + type: string + sql: ${TABLE}.name ;; } - view: udm_events__extensions__vulns__vulnerabilities__about__group__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } + dimension: parent { + type: string + sql: ${TABLE}.parent ;; } - view: udm_events__extensions__vulns__vulnerabilities__about__process__command_line_history { - dimension: udm_events__extensions__vulns__vulnerabilities__about__process__command_line_history { - type: string - sql: udm_events__extensions__vulns__vulnerabilities__about__process__command_line_history ;; - } + dimension: product_object_id { + type: string + sql: ${TABLE}.product_object_id ;; } - view: 
udm_events__extensions__vulns__vulnerabilities__about__process_ancestors__file__names { - dimension: udm_events__extensions__vulns__vulnerabilities__about__process_ancestors__file__names { - type: string - sql: udm_events__extensions__vulns__vulnerabilities__about__process_ancestors__file__names ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__domain__admin__email_addresses { - dimension: udm_events__extensions__vulns__vulnerabilities__about__domain__admin__email_addresses { - type: string - sql: udm_events__extensions__vulns__vulnerabilities__about__domain__admin__email_addresses ;; - } + dimension: resource_subtype { + type: string + sql: ${TABLE}.resource_subtype ;; } - view: udm_events__extensions__vulns__vulnerabilities__about__domain__billing__phone_numbers { - dimension: udm_events__extensions__vulns__vulnerabilities__about__domain__billing__phone_numbers { - type: string - sql: udm_events__extensions__vulns__vulnerabilities__about__domain__billing__phone_numbers ;; - } + dimension: resource_type { + type: number + sql: ${TABLE}.resource_type ;; } - view: udm_events__extensions__vulns__vulnerabilities__about__domain__registrant__department { - dimension: udm_events__extensions__vulns__vulnerabilities__about__domain__registrant__department { - type: string - sql: udm_events__extensions__vulns__vulnerabilities__about__domain__registrant__department ;; - } + dimension: type { + type: string + sql: ${TABLE}.type ;; } +} - view: udm_events__intermediary__process_ancestors__file__pe_file__resources_type_count { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: value { - type: number - sql: ${TABLE}.value ;; - } +view: udm_events__principal__process_ancestors { + dimension: access_mask { + type: number + sql: ${TABLE}.access_mask ;; } - view: udm_events__principal__process_ancestors__file__pe_file__signature_info__signers { - dimension: name { - type: string - sql: ${TABLE}.name ;; - } + dimension: command_line { 
+ type: string + sql: ${TABLE}.command_line ;; } - view: udm_events__observer__process_ancestors__file__pe_file__resources_language_count { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: value { - type: number - sql: ${TABLE}.value ;; - } + dimension: command_line_history { + hidden: yes + sql: ${TABLE}.command_line_history ;; } - view: udm_events__observer__process_ancestors__file__pe_file__resources_type_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } + dimension: file__ahash { + type: string + sql: ${TABLE}.file.ahash ;; + group_label: "File" + group_item_label: "Ahash" } - view: udm_events__security_result__about__process_ancestors__file__pe_file__imports { - dimension: functions { - hidden: yes - sql: ${TABLE}.functions ;; - } - - dimension: library { - type: string - sql: ${TABLE}.library ;; - } + dimension: file__authentihash { + type: string + sql: ${TABLE}.file.authentihash ;; + group_label: "File" + group_item_label: "Authentihash" } - view: udm_events__extensions__vulns__vulnerabilities__about__file__pe_file__resource { - dimension: entropy { - type: number - sql: ${TABLE}.entropy ;; - } - - dimension: file_type { - type: string - sql: ${TABLE}.file_type ;; - } - - dimension: filetype_magic { - type: string - sql: ${TABLE}.filetype_magic ;; - } - - dimension: language_code { - type: string - sql: ${TABLE}.language_code ;; - } - - dimension: resource_type { - type: string - sql: ${TABLE}.resource_type ;; - } - - dimension: sha256_hex { - type: string - sql: ${TABLE}.sha256_hex ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__resource__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: 
${TABLE}.type ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__resource__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__domain__tech__group_identifiers { - dimension: udm_events__extensions__vulns__vulnerabilities__about__domain__tech__group_identifiers { - type: string - sql: udm_events__extensions__vulns__vulnerabilities__about__domain__tech__group_identifiers ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__domain__zone__group_identifiers { - dimension: udm_events__extensions__vulns__vulnerabilities__about__domain__zone__group_identifiers { - type: string - sql: udm_events__extensions__vulns__vulnerabilities__about__domain__zone__group_identifiers ;; - } - } - - view: udm_events__about__process_ancestors__file__pe_file__resources_language_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__principal__process_ancestors__file__pe_file__resources_language_count { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: value { - type: number - sql: ${TABLE}.value ;; - } - } - - view: udm_events__principal__process_ancestors__file__pe_file__resources_type_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } + dimension: file__capabilities_tags { + hidden: yes + sql: ${TABLE}.file.capabilities_tags ;; + group_label: "File" + group_item_label: "Capabilities Tags" + } - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } + dimension: file__file_metadata__pe__import_hash { + type: 
string + sql: ${TABLE}.file.file_metadata.pe.import_hash ;; + group_label: "File File Metadata Pe" + group_item_label: "Import Hash" + } - view: udm_events__security_result__about__process_ancestors__file__pe_file__resource { - dimension: entropy { - type: number - sql: ${TABLE}.entropy ;; - } - - dimension: file_type { - type: string - sql: ${TABLE}.file_type ;; - } - - dimension: filetype_magic { - type: string - sql: ${TABLE}.filetype_magic ;; - } - - dimension: language_code { - type: string - sql: ${TABLE}.language_code ;; - } + dimension: file__file_type { + type: number + sql: ${TABLE}.file.file_type ;; + group_label: "File" + group_item_label: "File Type" + } - dimension: resource_type { - type: string - sql: ${TABLE}.resource_type ;; - } + dimension: file__first_seen_time__nanos { + type: number + sql: ${TABLE}.file.first_seen_time.nanos ;; + group_label: "File First Seen Time" + group_item_label: "Nanos" + } - dimension: sha256_hex { - type: string - sql: ${TABLE}.sha256_hex ;; - } + dimension: file__first_seen_time__seconds { + type: number + sql: ${TABLE}.file.first_seen_time.seconds ;; + group_label: "File First Seen Time" + group_item_label: "Seconds" } - view: udm_events__extensions__vulns__vulnerabilities__about__cloud__vpc__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } + dimension: file__full_path { + type: string + sql: ${TABLE}.file.full_path ;; + group_label: "File" + group_item_label: "Full Path" + } - dimension: name { - type: string - sql: ${TABLE}.name ;; - } + dimension: file__last_modification_time__nanos { + type: number + sql: ${TABLE}.file.last_modification_time.nanos ;; + group_label: "File Last Modification Time" + group_item_label: "Nanos" + } - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } + dimension: file__last_modification_time__seconds { + type: number + sql: ${TABLE}.file.last_modification_time.seconds ;; + group_label: "File Last Modification Time" + 
group_item_label: "Seconds" + } - view: udm_events__extensions__vulns__vulnerabilities__about__cloud__vpc__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } + dimension: file__last_seen_time__nanos { + type: number + sql: ${TABLE}.file.last_seen_time.nanos ;; + group_label: "File Last Seen Time" + group_item_label: "Nanos" + } - dimension: value { - type: string - sql: ${TABLE}.value ;; - } + dimension: file__last_seen_time__seconds { + type: number + sql: ${TABLE}.file.last_seen_time.seconds ;; + group_label: "File Last Seen Time" + group_item_label: "Seconds" } - view: udm_events__extensions__vulns__vulnerabilities__about__file__pe_file__imports__functions { - dimension: udm_events__extensions__vulns__vulnerabilities__about__file__pe_file__imports__functions { - type: string - sql: udm_events__extensions__vulns__vulnerabilities__about__file__pe_file__imports__functions ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__process__file__capabilities_tags { - dimension: udm_events__extensions__vulns__vulnerabilities__about__process__file__capabilities_tags { - type: string - sql: udm_events__extensions__vulns__vulnerabilities__about__process__file__capabilities_tags ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__domain__admin__group_identifiers { - dimension: udm_events__extensions__vulns__vulnerabilities__about__domain__admin__group_identifiers { - type: string - sql: udm_events__extensions__vulns__vulnerabilities__about__domain__admin__group_identifiers ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__domain__billing__email_addresses { - dimension: udm_events__extensions__vulns__vulnerabilities__about__domain__billing__email_addresses { - type: string - sql: udm_events__extensions__vulns__vulnerabilities__about__domain__billing__email_addresses ;; - } + dimension: file__md5 { + type: 
string + sql: ${TABLE}.file.md5 ;; + group_label: "File" + group_item_label: "Md5" } - view: udm_events__security_result__about__process__file__pe_file__signature_info__signers { - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - } - - view: udm_events__security_result__about__user_management_chain__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } + dimension: file__mime_type { + type: string + sql: ${TABLE}.file.mime_type ;; + group_label: "File" + group_item_label: "Mime Type" + } - view: udm_events__security_result__about__process_ancestors__file__pe_file__imports__functions { - dimension: udm_events__security_result__about__process_ancestors__file__pe_file__imports__functions { - type: string - sql: udm_events__security_result__about__process_ancestors__file__pe_file__imports__functions ;; - } + dimension: file__names { + hidden: yes + sql: ${TABLE}.file.names ;; + group_label: "File" + group_item_label: "Names" } - view: udm_events__target__process_ancestors__file__pe_file__resources_language_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } + dimension: file__pe_file__compilation_exiftool_time__nanos { + type: number + sql: ${TABLE}.file.pe_file.compilation_exiftool_time.nanos ;; + group_label: "File Pe File Compilation Exiftool Time" + group_item_label: "Nanos" + } - dimension: source { - type: string - sql: ${TABLE}.source ;; - } + dimension: file__pe_file__compilation_exiftool_time__seconds { + type: number + sql: ${TABLE}.file.pe_file.compilation_exiftool_time.seconds ;; + group_label: "File Pe File Compilation Exiftool Time" + group_item_label: "Seconds" + } - dimension: value { - type: string - sql: ${TABLE}.value ;; - } + dimension: file__pe_file__compilation_time__nanos { + type: number + sql: 
${TABLE}.file.pe_file.compilation_time.nanos ;; + group_label: "File Pe File Compilation Time" + group_item_label: "Nanos" } - view: udm_events__extensions__vulns__vulnerabilities__about__domain__registrant__phone_numbers { - dimension: udm_events__extensions__vulns__vulnerabilities__about__domain__registrant__phone_numbers { - type: string - sql: udm_events__extensions__vulns__vulnerabilities__about__domain__registrant__phone_numbers ;; - } + dimension: file__pe_file__compilation_time__seconds { + type: number + sql: ${TABLE}.file.pe_file.compilation_time.seconds ;; + group_label: "File Pe File Compilation Time" + group_item_label: "Seconds" } - view: udm_events__extensions__vulns__vulnerabilities__about__asset__software__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__user__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__intermediary__process_ancestors__file__pe_file__signature_info__signers { - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - } - - view: udm_events__security_result__about__process__file__pe_file__resources_language_count { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: value { - type: number - sql: ${TABLE}.value ;; - } - } - - view: udm_events__security_result__about__process__file__pe_file__resources_type_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: 
udm_events__extensions__vulns__vulnerabilities__about__user_management_chain__department { - dimension: udm_events__extensions__vulns__vulnerabilities__about__user_management_chain__department { - type: string - sql: udm_events__extensions__vulns__vulnerabilities__about__user_management_chain__department ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__domain__tech__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: ${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__domain__tech__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__domain__tech__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__domain__billing__group_identifiers { - dimension: 
udm_events__extensions__vulns__vulnerabilities__about__domain__billing__group_identifiers { - type: string - sql: udm_events__extensions__vulns__vulnerabilities__about__domain__billing__group_identifiers ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__domain__zone__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: ${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__domain__zone__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__domain__zone__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__asset__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; 
- } - } - - view: udm_events__intermediary__process_ancestors__file__pe_file__resources_language_count { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: value { - type: number - sql: ${TABLE}.value ;; - } - } - - view: udm_events__intermediary__process_ancestors__file__pe_file__resources_type_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__observer__process_ancestors__file__pe_file__resources_language_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__process__file__pe_file__section { - dimension: entropy { - type: number - sql: ${TABLE}.entropy ;; - } - - dimension: md5_hex { - type: string - sql: ${TABLE}.md5_hex ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: raw_size_bytes { - type: number - sql: ${TABLE}.raw_size_bytes ;; - } - - dimension: virtual_size_bytes { - type: number - sql: ${TABLE}.virtual_size_bytes ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__domain__admin__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: ${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: 
"Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__domain__admin__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__domain__admin__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__domain__registrant__email_addresses { - dimension: udm_events__extensions__vulns__vulnerabilities__about__domain__registrant__email_addresses { - type: string - sql: udm_events__extensions__vulns__vulnerabilities__about__domain__registrant__email_addresses ;; - } - } - - view: udm_events__principal__process_ancestors__file__pe_file__resources_language_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__cloud__project__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__cloud__project__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: 
value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__file__pe_file__signature_info__signer { - dimension: udm_events__extensions__vulns__vulnerabilities__about__file__pe_file__signature_info__signer { - type: string - sql: udm_events__extensions__vulns__vulnerabilities__about__file__pe_file__signature_info__signer ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__group__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__security_result__about__process_ancestors__file__pe_file__signature_info__signer { - dimension: udm_events__security_result__about__process_ancestors__file__pe_file__signature_info__signer { - type: string - sql: udm_events__security_result__about__process_ancestors__file__pe_file__signature_info__signer ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__resource__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__user_management_chain__phone_numbers { - dimension: udm_events__extensions__vulns__vulnerabilities__about__user_management_chain__phone_numbers { - type: string - sql: udm_events__extensions__vulns__vulnerabilities__about__user_management_chain__phone_numbers ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__domain__billing__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - 
group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: ${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__domain__billing__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__domain__billing__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__domain__registrant__group_identifiers { - dimension: udm_events__extensions__vulns__vulnerabilities__about__domain__registrant__group_identifiers { - type: string - sql: udm_events__extensions__vulns__vulnerabilities__about__domain__registrant__group_identifiers ;; - } - } - - view: udm_events__security_result__about__process__file__pe_file__resources_language_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__cloud__vpc__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; 
- } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__process__file__pe_file__imports { - dimension: functions { - hidden: yes - sql: ${TABLE}.functions ;; - } - - dimension: library { - type: string - sql: ${TABLE}.library ;; - } - } - - view: udm_events__intermediary__process_ancestors__file__pe_file__resources_language_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__file__pe_file__resources_type_count { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: value { - type: number - sql: ${TABLE}.value ;; - } + dimension: file__pe_file__entry_point { + type: number + sql: ${TABLE}.file.pe_file.entry_point ;; + group_label: "File Pe File" + group_item_label: "Entry Point" } - view: udm_events__extensions__vulns__vulnerabilities__about__process__file__pe_file__resource { - dimension: entropy { - type: number - sql: ${TABLE}.entropy ;; - } - - dimension: file_type { - type: string - sql: ${TABLE}.file_type ;; - } - - dimension: filetype_magic { - type: string - sql: ${TABLE}.filetype_magic ;; - } - - dimension: language_code { - type: string - sql: ${TABLE}.language_code ;; - } - - dimension: resource_type { - type: string - sql: ${TABLE}.resource_type ;; - } - - dimension: sha256_hex { - type: string - sql: ${TABLE}.sha256_hex ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__user_management_chain__email_addresses { - dimension: udm_events__extensions__vulns__vulnerabilities__about__user_management_chain__email_addresses { - type: string - sql: udm_events__extensions__vulns__vulnerabilities__about__user_management_chain__email_addresses ;; - } - } 
- - view: udm_events__security_result__about__process_ancestors__file__pe_file__resources_type_count { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: value { - type: number - sql: ${TABLE}.value ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__process__file__pe_file__imports__functions { - dimension: udm_events__extensions__vulns__vulnerabilities__about__process__file__pe_file__imports__functions { - type: string - sql: udm_events__extensions__vulns__vulnerabilities__about__process__file__pe_file__imports__functions ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__process_ancestors__command_line_history { - dimension: udm_events__extensions__vulns__vulnerabilities__about__process_ancestors__command_line_history { - type: string - sql: udm_events__extensions__vulns__vulnerabilities__about__process_ancestors__command_line_history ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__domain__tech__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__domain__zone__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__domain__registrant__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: 
${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: ${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__domain__registrant__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__domain__registrant__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__resource_ancestors__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__resource_ancestors__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__user_management_chain__group_identifiers { - dimension: udm_events__extensions__vulns__vulnerabilities__about__user_management_chain__group_identifiers { - type: string - sql: 
udm_events__extensions__vulns__vulnerabilities__about__user_management_chain__group_identifiers ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__domain__admin__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__cloud__project__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__file__pe_file__signature_info__signers { - dimension: name { - type: string - sql: ${TABLE}.name ;; - } + dimension: file__pe_file__entry_point_exiftool { + type: number + sql: ${TABLE}.file.pe_file.entry_point_exiftool ;; + group_label: "File Pe File" + group_item_label: "Entry Point Exiftool" } - view: udm_events__extensions__vulns__vulnerabilities__about__process_ancestors__file__capabilities_tags { - dimension: udm_events__extensions__vulns__vulnerabilities__about__process_ancestors__file__capabilities_tags { - type: string - sql: udm_events__extensions__vulns__vulnerabilities__about__process_ancestors__file__capabilities_tags ;; - } - } - - view: udm_events__security_result__about__process_ancestors__file__pe_file__signature_info__signers { - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__file__pe_file__resources_language_count { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: value { - type: number - sql: ${TABLE}.value ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__file__pe_file__resources_type_count_str { - dimension: key { - 
type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__domain__billing__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__security_result__about__process_ancestors__file__pe_file__resources_language_count { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: value { - type: number - sql: ${TABLE}.value ;; - } - } - - view: udm_events__security_result__about__process_ancestors__file__pe_file__resources_type_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__process__file__pe_file__signature_info__signer { - dimension: udm_events__extensions__vulns__vulnerabilities__about__process__file__pe_file__signature_info__signer { - type: string - sql: udm_events__extensions__vulns__vulnerabilities__about__process__file__pe_file__signature_info__signer ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__user_management_chain__time_off { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: interval__end_time__nanos { - type: number - sql: ${TABLE}.`interval`.end_time.nanos ;; - group_label: "Interval End Time" - group_item_label: "Nanos" - } - - dimension: interval__end_time__seconds { - type: number - sql: ${TABLE}.`interval`.end_time.seconds ;; - group_label: "Interval End Time" - group_item_label: "Seconds" - } - - dimension: interval__start_time__nanos { - type: number - sql: 
${TABLE}.`interval`.start_time.nanos ;; - group_label: "Interval Start Time" - group_item_label: "Nanos" - } - - dimension: interval__start_time__seconds { - type: number - sql: ${TABLE}.`interval`.start_time.seconds ;; - group_label: "Interval Start Time" - group_item_label: "Seconds" - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__user_management_chain__attribute__roles { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__user_management_chain__attribute__labels { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__process_ancestors__file__pe_file__section { - dimension: entropy { - type: number - sql: ${TABLE}.entropy ;; - } - - dimension: md5_hex { - type: string - sql: ${TABLE}.md5_hex ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: raw_size_bytes { - type: number - sql: ${TABLE}.raw_size_bytes ;; - } - - dimension: virtual_size_bytes { - type: number - sql: ${TABLE}.virtual_size_bytes ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__domain__registrant__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__file__pe_file__resources_language_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: 
value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__process__file__pe_file__resources_type_count { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: value { - type: number - sql: ${TABLE}.value ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__resource_ancestors__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__security_result__about__process_ancestors__file__pe_file__resources_language_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } - - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__process_ancestors__file__pe_file__imports { - dimension: functions { - hidden: yes - sql: ${TABLE}.functions ;; - } - - dimension: library { - type: string - sql: ${TABLE}.library ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__process_ancestors__file__pe_file__resource { - dimension: entropy { - type: number - sql: ${TABLE}.entropy ;; - } - - dimension: file_type { - type: string - sql: ${TABLE}.file_type ;; - } - - dimension: filetype_magic { - type: string - sql: ${TABLE}.filetype_magic ;; - } - - dimension: language_code { - type: string - sql: ${TABLE}.language_code ;; - } - - dimension: resource_type { - type: string - sql: ${TABLE}.resource_type ;; - } - - dimension: sha256_hex { - type: string - sql: ${TABLE}.sha256_hex ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__process__file__pe_file__signature_info__signers { - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - } - - view: 
udm_events__extensions__vulns__vulnerabilities__about__user_management_chain__attribute__permissions { - dimension: description { - type: string - sql: ${TABLE}.description ;; - } - - dimension: name { - type: string - sql: ${TABLE}.name ;; - } - - dimension: type { - type: number - sql: ${TABLE}.type ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__process_ancestors__file__pe_file__imports__functions { - dimension: udm_events__extensions__vulns__vulnerabilities__about__process_ancestors__file__pe_file__imports__functions { - type: string - sql: udm_events__extensions__vulns__vulnerabilities__about__process_ancestors__file__pe_file__imports__functions ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__process__file__pe_file__resources_language_count { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: value { - type: number - sql: ${TABLE}.value ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__process__file__pe_file__resources_type_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } + dimension: file__pe_file__imphash { + type: string + sql: ${TABLE}.file.pe_file.imphash ;; + group_label: "File Pe File" + group_item_label: "Imphash" + } - dimension: value { - type: string - sql: ${TABLE}.value ;; - } - } - - view: udm_events__extensions__vulns__vulnerabilities__about__process_ancestors__file__pe_file__signature_info__signer { - dimension: udm_events__extensions__vulns__vulnerabilities__about__process_ancestors__file__pe_file__signature_info__signer { - type: string - sql: udm_events__extensions__vulns__vulnerabilities__about__process_ancestors__file__pe_file__signature_info__signer ;; - } + dimension: file__pe_file__imports { + hidden: yes + sql: ${TABLE}.file.pe_file.imports ;; + group_label: "File Pe File" + group_item_label: "Imports" } - view: 
udm_events__extensions__vulns__vulnerabilities__about__process__file__pe_file__resources_language_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } + dimension: file__pe_file__resource { + hidden: yes + sql: ${TABLE}.file.pe_file.resource ;; + group_label: "File Pe File" + group_item_label: "Resource" + } - dimension: value { - type: string - sql: ${TABLE}.value ;; - } + dimension: file__pe_file__resources_language_count { + hidden: yes + sql: ${TABLE}.file.pe_file.resources_language_count ;; + group_label: "File Pe File" + group_item_label: "Resources Language Count" } - view: udm_events__extensions__vulns__vulnerabilities__about__process_ancestors__file__pe_file__resources_type_count { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } + dimension: file__pe_file__resources_language_count_str { + hidden: yes + sql: ${TABLE}.file.pe_file.resources_language_count_str ;; + group_label: "File Pe File" + group_item_label: "Resources Language Count Str" + } - dimension: value { - type: number - sql: ${TABLE}.value ;; - } + dimension: file__pe_file__resources_type_count { + hidden: yes + sql: ${TABLE}.file.pe_file.resources_type_count ;; + group_label: "File Pe File" + group_item_label: "Resources Type Count" } - view: udm_events__extensions__vulns__vulnerabilities__about__process_ancestors__file__pe_file__signature_info__signers { - dimension: name { - type: string - sql: ${TABLE}.name ;; - } + dimension: file__pe_file__resources_type_count_str { + hidden: yes + sql: ${TABLE}.file.pe_file.resources_type_count_str ;; + group_label: "File Pe File" + group_item_label: "Resources Type Count Str" } - view: udm_events__extensions__vulns__vulnerabilities__about__process_ancestors__file__pe_file__resources_language_count { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: value { - type: number - sql: ${TABLE}.value ;; - } + dimension: 
file__pe_file__section { + hidden: yes + sql: ${TABLE}.file.pe_file.section ;; + group_label: "File Pe File" + group_item_label: "Section" } - view: udm_events__extensions__vulns__vulnerabilities__about__process_ancestors__file__pe_file__resources_type_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } + dimension: file__pe_file__signature_info__signer { + hidden: yes + sql: ${TABLE}.file.pe_file.signature_info.signer ;; + group_label: "File Pe File Signature Info" + group_item_label: "Signer" + } - dimension: source { - type: string - sql: ${TABLE}.source ;; - } + dimension: file__pe_file__signature_info__signers { + hidden: yes + sql: ${TABLE}.file.pe_file.signature_info.signers ;; + group_label: "File Pe File Signature Info" + group_item_label: "Signers" + } - dimension: value { - type: string - sql: ${TABLE}.value ;; - } + dimension: file__pe_file__signature_info__verification_message { + type: string + sql: ${TABLE}.file.pe_file.signature_info.verification_message ;; + group_label: "File Pe File Signature Info" + group_item_label: "Verification Message" } - view: udm_events__extensions__vulns__vulnerabilities__about__process_ancestors__file__pe_file__resources_language_count_str { - dimension: key { - type: string - sql: ${TABLE}.key ;; - } - - dimension: source { - type: string - sql: ${TABLE}.source ;; - } + dimension: file__pe_file__signature_info__verified { + type: yesno + sql: ${TABLE}.file.pe_file.signature_info.verified ;; + group_label: "File Pe File Signature Info" + group_item_label: "Verified" + } + + dimension: file__prevalence__day_count { + type: number + sql: ${TABLE}.file.prevalence.day_count ;; + group_label: "File Prevalence" + group_item_label: "Day Count" + } + + dimension: file__prevalence__day_max { + type: number + sql: ${TABLE}.file.prevalence.day_max ;; + group_label: "File Prevalence" + group_item_label: "Day Max" + } + + dimension: file__prevalence__day_max_sub_domains { + type: number + sql: 
${TABLE}.file.prevalence.day_max_sub_domains ;; + group_label: "File Prevalence" + group_item_label: "Day Max Sub Domains" + } + + dimension: file__prevalence__rolling_max { + type: number + sql: ${TABLE}.file.prevalence.rolling_max ;; + group_label: "File Prevalence" + group_item_label: "Rolling Max" + } + + dimension: file__prevalence__rolling_max_sub_domains { + type: number + sql: ${TABLE}.file.prevalence.rolling_max_sub_domains ;; + group_label: "File Prevalence" + group_item_label: "Rolling Max Sub Domains" + } + + dimension: file__sha1 { + type: string + sql: ${TABLE}.file.sha1 ;; + group_label: "File" + group_item_label: "Sha1" + } + + dimension: file__sha256 { + type: string + sql: ${TABLE}.file.sha256 ;; + group_label: "File" + group_item_label: "Sha256" + } + + dimension: file__size { + type: number + sql: ${TABLE}.file.size ;; + group_label: "File" + group_item_label: "Size" + } + + dimension: file__ssdeep { + type: string + sql: ${TABLE}.file.ssdeep ;; + group_label: "File" + group_item_label: "Ssdeep" + } + + dimension: file__vhash { + type: string + sql: ${TABLE}.file.vhash ;; + group_label: "File" + group_item_label: "Vhash" + } + + dimension: parent_pid { + type: string + sql: ${TABLE}.parent_pid ;; + } + + dimension: pid { + type: string + sql: ${TABLE}.pid ;; + } + + dimension: product_specific_parent_process_id { + type: string + sql: ${TABLE}.product_specific_parent_process_id ;; + } + + dimension: product_specific_process_id { + type: string + sql: ${TABLE}.product_specific_process_id ;; + } +} + +view: udm_events__observer__file__capabilities_tags { + dimension: udm_events__observer__file__capabilities_tags { + type: string + sql: udm_events__observer__file__capabilities_tags ;; + } +} + +view: udm_events__observer__domain__tech__department { + dimension: udm_events__observer__domain__tech__department { + type: string + sql: udm_events__observer__domain__tech__department ;; + } +} + +view: udm_events__observer__domain__zone__department { + 
dimension: udm_events__observer__domain__zone__department { + type: string + sql: udm_events__observer__domain__zone__department ;; + } +} + +view: udm_events__observer__investigation__comments { + dimension: udm_events__observer__investigation__comments { + type: string + sql: udm_events__observer__investigation__comments ;; + } +} + +view: udm_events__observer__user__group_identifiers { + dimension: udm_events__observer__user__group_identifiers { + type: string + sql: udm_events__observer__user__group_identifiers ;; + } +} + +view: udm_events__src__user_management_chain { + dimension: account_type { + type: number + sql: ${TABLE}.account_type ;; + } + + dimension: attribute__cloud__availability_zone { + type: string + sql: ${TABLE}.attribute.cloud.availability_zone ;; + group_label: "Attribute Cloud" + group_item_label: "Availability Zone" + } + + dimension: attribute__cloud__environment { + type: number + sql: ${TABLE}.attribute.cloud.environment ;; + group_label: "Attribute Cloud" + group_item_label: "Environment" + } + + dimension: attribute__cloud__project__id { + type: string + sql: ${TABLE}.attribute.cloud.project.id ;; + group_label: "Attribute Cloud Project" + group_item_label: "ID" + } + + dimension: attribute__cloud__project__name { + type: string + sql: ${TABLE}.attribute.cloud.project.name ;; + group_label: "Attribute Cloud Project" + group_item_label: "Name" + } + + dimension: attribute__cloud__project__parent { + type: string + sql: ${TABLE}.attribute.cloud.project.parent ;; + group_label: "Attribute Cloud Project" + group_item_label: "Parent" + } + + dimension: attribute__cloud__project__product_object_id { + type: string + sql: ${TABLE}.attribute.cloud.project.product_object_id ;; + group_label: "Attribute Cloud Project" + group_item_label: "Product Object ID" + } + + dimension: attribute__cloud__project__resource_subtype { + type: string + sql: ${TABLE}.attribute.cloud.project.resource_subtype ;; + group_label: "Attribute Cloud Project" + 
group_item_label: "Resource Subtype" + } + + dimension: attribute__cloud__project__resource_type { + type: number + sql: ${TABLE}.attribute.cloud.project.resource_type ;; + group_label: "Attribute Cloud Project" + group_item_label: "Resource Type" + } + + dimension: attribute__cloud__project__type { + type: string + sql: ${TABLE}.attribute.cloud.project.type ;; + group_label: "Attribute Cloud Project" + group_item_label: "Type" + } + + dimension: attribute__cloud__vpc__id { + type: string + sql: ${TABLE}.attribute.cloud.vpc.id ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "ID" + } + + dimension: attribute__cloud__vpc__name { + type: string + sql: ${TABLE}.attribute.cloud.vpc.name ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "Name" + } + + dimension: attribute__cloud__vpc__parent { + type: string + sql: ${TABLE}.attribute.cloud.vpc.parent ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "Parent" + } + + dimension: attribute__cloud__vpc__product_object_id { + type: string + sql: ${TABLE}.attribute.cloud.vpc.product_object_id ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "Product Object ID" + } + + dimension: attribute__cloud__vpc__resource_subtype { + type: string + sql: ${TABLE}.attribute.cloud.vpc.resource_subtype ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "Resource Subtype" + } + + dimension: attribute__cloud__vpc__resource_type { + type: number + sql: ${TABLE}.attribute.cloud.vpc.resource_type ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "Resource Type" + } + + dimension: attribute__cloud__vpc__type { + type: string + sql: ${TABLE}.attribute.cloud.vpc.type ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "Type" + } + + dimension: attribute__creation_time__nanos { + type: number + sql: ${TABLE}.attribute.creation_time.nanos ;; + group_label: "Attribute Creation Time" + group_item_label: "Nanos" + } + + dimension: attribute__creation_time__seconds { + type: number + 
sql: ${TABLE}.attribute.creation_time.seconds ;; + group_label: "Attribute Creation Time" + group_item_label: "Seconds" + } + + dimension: attribute__labels { + hidden: yes + sql: ${TABLE}.attribute.labels ;; + group_label: "Attribute" + group_item_label: "Labels" + } + + dimension: attribute__last_update_time__nanos { + type: number + sql: ${TABLE}.attribute.last_update_time.nanos ;; + group_label: "Attribute Last Update Time" + group_item_label: "Nanos" + } + + dimension: attribute__last_update_time__seconds { + type: number + sql: ${TABLE}.attribute.last_update_time.seconds ;; + group_label: "Attribute Last Update Time" + group_item_label: "Seconds" + } + + dimension: attribute__permissions { + hidden: yes + sql: ${TABLE}.attribute.permissions ;; + group_label: "Attribute" + group_item_label: "Permissions" + } + + dimension: attribute__roles { + hidden: yes + sql: ${TABLE}.attribute.roles ;; + group_label: "Attribute" + group_item_label: "Roles" + } + + dimension: company_name { + type: string + sql: ${TABLE}.company_name ;; + } + + dimension: department { + hidden: yes + sql: ${TABLE}.department ;; + } + + dimension: email_addresses { + hidden: yes + sql: ${TABLE}.email_addresses ;; + } + + dimension: employee_id { + type: string + sql: ${TABLE}.employee_id ;; + } + + dimension: first_name { + type: string + sql: ${TABLE}.first_name ;; + } + + dimension: first_seen_time__nanos { + type: number + sql: ${TABLE}.first_seen_time.nanos ;; + group_label: "First Seen Time" + group_item_label: "Nanos" + } + + dimension: first_seen_time__seconds { + type: number + sql: ${TABLE}.first_seen_time.seconds ;; + group_label: "First Seen Time" + group_item_label: "Seconds" + } + + dimension: group_identifiers { + hidden: yes + sql: ${TABLE}.group_identifiers ;; + } + + dimension: groupid { + type: string + sql: ${TABLE}.groupid ;; + } + + dimension: hire_date__nanos { + type: number + sql: ${TABLE}.hire_date.nanos ;; + group_label: "Hire Date" + group_item_label: "Nanos" + } + 
+ dimension: hire_date__seconds { + type: number + sql: ${TABLE}.hire_date.seconds ;; + group_label: "Hire Date" + group_item_label: "Seconds" + } + + dimension: last_name { + type: string + sql: ${TABLE}.last_name ;; + } + + dimension: middle_name { + type: string + sql: ${TABLE}.middle_name ;; + } + + dimension: office_address__city { + type: string + sql: ${TABLE}.office_address.city ;; + group_label: "Office Address" + group_item_label: "City" + } + + dimension: office_address__country_or_region { + type: string + sql: ${TABLE}.office_address.country_or_region ;; + group_label: "Office Address" + group_item_label: "Country or Region" + } + + dimension: office_address__desk_name { + type: string + sql: ${TABLE}.office_address.desk_name ;; + group_label: "Office Address" + group_item_label: "Desk Name" + } + + dimension: office_address__floor_name { + type: string + sql: ${TABLE}.office_address.floor_name ;; + group_label: "Office Address" + group_item_label: "Floor Name" + } + + dimension: office_address__name { + type: string + sql: ${TABLE}.office_address.name ;; + group_label: "Office Address" + group_item_label: "Name" + } + + dimension: office_address__region_latitude { + type: number + sql: ${TABLE}.office_address.region_latitude ;; + group_label: "Office Address" + group_item_label: "Region Latitude" + } + + dimension: office_address__region_longitude { + type: number + sql: ${TABLE}.office_address.region_longitude ;; + group_label: "Office Address" + group_item_label: "Region Longitude" + } + + dimension: office_address__state { + type: string + sql: ${TABLE}.office_address.state ;; + group_label: "Office Address" + group_item_label: "State" + } + + dimension: personal_address__city { + type: string + sql: ${TABLE}.personal_address.city ;; + group_label: "Personal Address" + group_item_label: "City" + } + + dimension: personal_address__country_or_region { + type: string + sql: ${TABLE}.personal_address.country_or_region ;; + group_label: "Personal 
Address" + group_item_label: "Country or Region" + } + + dimension: personal_address__desk_name { + type: string + sql: ${TABLE}.personal_address.desk_name ;; + group_label: "Personal Address" + group_item_label: "Desk Name" + } + + dimension: personal_address__floor_name { + type: string + sql: ${TABLE}.personal_address.floor_name ;; + group_label: "Personal Address" + group_item_label: "Floor Name" + } + + dimension: personal_address__name { + type: string + sql: ${TABLE}.personal_address.name ;; + group_label: "Personal Address" + group_item_label: "Name" + } + + dimension: personal_address__region_latitude { + type: number + sql: ${TABLE}.personal_address.region_latitude ;; + group_label: "Personal Address" + group_item_label: "Region Latitude" + } + + dimension: personal_address__region_longitude { + type: number + sql: ${TABLE}.personal_address.region_longitude ;; + group_label: "Personal Address" + group_item_label: "Region Longitude" + } + + dimension: personal_address__state { + type: string + sql: ${TABLE}.personal_address.state ;; + group_label: "Personal Address" + group_item_label: "State" + } + + dimension: phone_numbers { + hidden: yes + sql: ${TABLE}.phone_numbers ;; + } + + dimension: product_object_id { + type: string + sql: ${TABLE}.product_object_id ;; + } + + dimension: role_description { + type: string + sql: ${TABLE}.role_description ;; + } + + dimension: role_name { + type: string + sql: ${TABLE}.role_name ;; + } + + dimension: termination_date__nanos { + type: number + sql: ${TABLE}.termination_date.nanos ;; + group_label: "Termination Date" + group_item_label: "Nanos" + } + + dimension: termination_date__seconds { + type: number + sql: ${TABLE}.termination_date.seconds ;; + group_label: "Termination Date" + group_item_label: "Seconds" + } + + dimension: time_off { + hidden: yes + sql: ${TABLE}.time_off ;; + } + + dimension: title { + type: string + sql: ${TABLE}.title ;; + } + + dimension: user_authentication_status { + type: number + sql: 
${TABLE}.user_authentication_status ;; + } + + dimension: user_display_name { + type: string + sql: ${TABLE}.user_display_name ;; + } + + dimension: user_role { + type: number + sql: ${TABLE}.user_role ;; + } + + dimension: userid { + type: string + sql: ${TABLE}.userid ;; + } + + dimension: windows_sid { + type: string + sql: ${TABLE}.windows_sid ;; + } +} + +view: udm_events__src__domain__tech__email_addresses { + dimension: udm_events__src__domain__tech__email_addresses { + type: string + sql: udm_events__src__domain__tech__email_addresses ;; + } +} + +view: udm_events__src__domain__zone__email_addresses { + dimension: udm_events__src__domain__zone__email_addresses { + type: string + sql: udm_events__src__domain__zone__email_addresses ;; + } +} + +view: udm_events__security_result__about__asset__mac { + dimension: udm_events__security_result__about__asset__mac { + type: string + sql: udm_events__security_result__about__asset__mac ;; + } +} + +view: udm_events__security_result__rule_labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__about__domain__admin__phone_numbers { + dimension: udm_events__about__domain__admin__phone_numbers { + type: string + sql: udm_events__about__domain__admin__phone_numbers ;; + } +} + +view: udm_events__about__asset__vulnerabilities { + dimension: cve_description { + type: string + sql: ${TABLE}.cve_description ;; + } + + dimension: cve_id { + type: string + sql: ${TABLE}.cve_id ;; + } + + dimension: cvss_base_score { + type: number + sql: ${TABLE}.cvss_base_score ;; + } + + dimension: cvss_vector { + type: string + sql: ${TABLE}.cvss_vector ;; + } + + dimension: cvss_version { + type: string + sql: ${TABLE}.cvss_version ;; + } + + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: first_found__nanos { + type: number + 
sql: ${TABLE}.first_found.nanos ;; + group_label: "First Found" + group_item_label: "Nanos" + } + + dimension: first_found__seconds { + type: number + sql: ${TABLE}.first_found.seconds ;; + group_label: "First Found" + group_item_label: "Seconds" + } + + dimension: last_found__nanos { + type: number + sql: ${TABLE}.last_found.nanos ;; + group_label: "Last Found" + group_item_label: "Nanos" + } + + dimension: last_found__seconds { + type: number + sql: ${TABLE}.last_found.seconds ;; + group_label: "Last Found" + group_item_label: "Seconds" + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: scan_end_time__nanos { + type: number + sql: ${TABLE}.scan_end_time.nanos ;; + group_label: "Scan End Time" + group_item_label: "Nanos" + } + + dimension: scan_end_time__seconds { + type: number + sql: ${TABLE}.scan_end_time.seconds ;; + group_label: "Scan End Time" + group_item_label: "Seconds" + } + + dimension: scan_start_time__nanos { + type: number + sql: ${TABLE}.scan_start_time.nanos ;; + group_label: "Scan Start Time" + group_item_label: "Nanos" + } + + dimension: scan_start_time__seconds { + type: number + sql: ${TABLE}.scan_start_time.seconds ;; + group_label: "Scan Start Time" + group_item_label: "Seconds" + } + + dimension: severity { + type: number + sql: ${TABLE}.severity ;; + } + + dimension: severity_details { + type: string + sql: ${TABLE}.severity_details ;; + } + + dimension: vendor { + type: string + sql: ${TABLE}.vendor ;; + } + + dimension: vendor_knowledge_base_article_id { + type: string + sql: ${TABLE}.vendor_knowledge_base_article_id ;; + } + + dimension: vendor_vulnerability_id { + type: string + sql: ${TABLE}.vendor_vulnerability_id ;; + } +} + +view: udm_events__about__asset__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: 
udm_events__about__asset__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__intermediary__asset__software { + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: permissions { + hidden: yes + sql: ${TABLE}.permissions ;; + } + + dimension: version { + type: string + sql: ${TABLE}.version ;; + } +} + +view: udm_events__principal__file__capabilities_tags { + dimension: udm_events__principal__file__capabilities_tags { + type: string + sql: udm_events__principal__file__capabilities_tags ;; + } +} + +view: udm_events__principal__domain__tech__department { + dimension: udm_events__principal__domain__tech__department { + type: string + sql: udm_events__principal__domain__tech__department ;; + } +} + +view: udm_events__principal__domain__zone__department { + dimension: udm_events__principal__domain__zone__department { + type: string + sql: udm_events__principal__domain__zone__department ;; + } +} + +view: udm_events__principal__investigation__comments { + dimension: udm_events__principal__investigation__comments { + type: string + sql: udm_events__principal__investigation__comments ;; + } +} + +view: udm_events__principal__user__group_identifiers { + dimension: udm_events__principal__user__group_identifiers { + type: string + sql: udm_events__principal__user__group_identifiers ;; + } +} + +view: udm_events__observer__group__email_addresses { + dimension: udm_events__observer__group__email_addresses { + type: string + sql: udm_events__observer__group__email_addresses ;; + } +} + +view: udm_events__observer__domain__admin__department { + dimension: udm_events__observer__domain__admin__department { + type: string + sql: udm_events__observer__domain__admin__department ;; + } +} + +view: udm_events__src__file__pe_file__imports { + dimension: functions { + hidden: yes 
+ sql: ${TABLE}.functions ;; + } + + dimension: library { + type: string + sql: ${TABLE}.library ;; + } +} + +view: udm_events__src__group__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__src__group__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__src__process__command_line_history { + dimension: udm_events__src__process__command_line_history { + type: string + sql: udm_events__src__process__command_line_history ;; + } +} + +view: udm_events__src__process_ancestors__file__names { + dimension: udm_events__src__process_ancestors__file__names { + type: string + sql: udm_events__src__process_ancestors__file__names ;; + } +} + +view: udm_events__src__domain__admin__email_addresses { + dimension: udm_events__src__domain__admin__email_addresses { + type: string + sql: udm_events__src__domain__admin__email_addresses ;; + } +} + +view: udm_events__src__domain__billing__phone_numbers { + dimension: udm_events__src__domain__billing__phone_numbers { + type: string + sql: udm_events__src__domain__billing__phone_numbers ;; + } +} + +view: udm_events__src__domain__registrant__department { + dimension: udm_events__src__domain__registrant__department { + type: string + sql: udm_events__src__domain__registrant__department ;; + } +} + +view: udm_events__security_result__about__file__names { + dimension: udm_events__security_result__about__file__names { + type: string + sql: udm_events__security_result__about__file__names ;; + } +} + +view: udm_events__security_result__about__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: 
${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__security_result__category_details { + dimension: udm_events__security_result__category_details { + type: string + sql: udm_events__security_result__category_details ;; + } +} + +view: udm_events__target__file__pe_file__section { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + } + + dimension: md5_hex { + type: string + sql: ${TABLE}.md5_hex ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: raw_size_bytes { + type: number + sql: ${TABLE}.raw_size_bytes ;; + } + + dimension: virtual_size_bytes { + type: number + sql: ${TABLE}.virtual_size_bytes ;; + } +} + +view: udm_events__target__domain__tech__phone_numbers { + dimension: udm_events__target__domain__tech__phone_numbers { + type: string + sql: udm_events__target__domain__tech__phone_numbers ;; + } +} + +view: udm_events__target__domain__billing__department { + dimension: udm_events__target__domain__billing__department { + type: string + sql: udm_events__target__domain__billing__department ;; + } +} + +view: udm_events__target__domain__zone__phone_numbers { + dimension: udm_events__target__domain__zone__phone_numbers { + type: string + sql: udm_events__target__domain__zone__phone_numbers ;; + } +} + +view: udm_events__target__user__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + dimension: 
interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: udm_events__target__user__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__target__user__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__about__user_management_chain { + dimension: account_type { + type: number + sql: ${TABLE}.account_type ;; + } + + dimension: attribute__cloud__availability_zone { + type: string + sql: ${TABLE}.attribute.cloud.availability_zone ;; + group_label: "Attribute Cloud" + group_item_label: "Availability Zone" + } + + dimension: attribute__cloud__environment { + type: number + sql: ${TABLE}.attribute.cloud.environment ;; + group_label: "Attribute Cloud" + group_item_label: "Environment" + } + + dimension: attribute__cloud__project__id { + type: string + sql: ${TABLE}.attribute.cloud.project.id ;; + group_label: "Attribute Cloud Project" + group_item_label: "ID" + } + + dimension: attribute__cloud__project__name { + type: string + sql: ${TABLE}.attribute.cloud.project.name ;; + group_label: "Attribute Cloud Project" + group_item_label: "Name" + } + + dimension: attribute__cloud__project__parent { + type: string + sql: ${TABLE}.attribute.cloud.project.parent ;; + group_label: "Attribute Cloud Project" + group_item_label: "Parent" + } + + dimension: attribute__cloud__project__product_object_id { + type: string + sql: ${TABLE}.attribute.cloud.project.product_object_id ;; + group_label: "Attribute Cloud Project" + group_item_label: "Product Object ID" + } + + dimension: 
attribute__cloud__project__resource_subtype { + type: string + sql: ${TABLE}.attribute.cloud.project.resource_subtype ;; + group_label: "Attribute Cloud Project" + group_item_label: "Resource Subtype" + } + + dimension: attribute__cloud__project__resource_type { + type: number + sql: ${TABLE}.attribute.cloud.project.resource_type ;; + group_label: "Attribute Cloud Project" + group_item_label: "Resource Type" + } + + dimension: attribute__cloud__project__type { + type: string + sql: ${TABLE}.attribute.cloud.project.type ;; + group_label: "Attribute Cloud Project" + group_item_label: "Type" + } + + dimension: attribute__cloud__vpc__id { + type: string + sql: ${TABLE}.attribute.cloud.vpc.id ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "ID" + } + + dimension: attribute__cloud__vpc__name { + type: string + sql: ${TABLE}.attribute.cloud.vpc.name ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "Name" + } + + dimension: attribute__cloud__vpc__parent { + type: string + sql: ${TABLE}.attribute.cloud.vpc.parent ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "Parent" + } + + dimension: attribute__cloud__vpc__product_object_id { + type: string + sql: ${TABLE}.attribute.cloud.vpc.product_object_id ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "Product Object ID" + } + + dimension: attribute__cloud__vpc__resource_subtype { + type: string + sql: ${TABLE}.attribute.cloud.vpc.resource_subtype ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "Resource Subtype" + } + + dimension: attribute__cloud__vpc__resource_type { + type: number + sql: ${TABLE}.attribute.cloud.vpc.resource_type ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "Resource Type" + } + + dimension: attribute__cloud__vpc__type { + type: string + sql: ${TABLE}.attribute.cloud.vpc.type ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "Type" + } + + dimension: attribute__creation_time__nanos { + type: number + sql: 
${TABLE}.attribute.creation_time.nanos ;; + group_label: "Attribute Creation Time" + group_item_label: "Nanos" + } + + dimension: attribute__creation_time__seconds { + type: number + sql: ${TABLE}.attribute.creation_time.seconds ;; + group_label: "Attribute Creation Time" + group_item_label: "Seconds" + } + + dimension: attribute__labels { + hidden: yes + sql: ${TABLE}.attribute.labels ;; + group_label: "Attribute" + group_item_label: "Labels" + } + + dimension: attribute__last_update_time__nanos { + type: number + sql: ${TABLE}.attribute.last_update_time.nanos ;; + group_label: "Attribute Last Update Time" + group_item_label: "Nanos" + } + + dimension: attribute__last_update_time__seconds { + type: number + sql: ${TABLE}.attribute.last_update_time.seconds ;; + group_label: "Attribute Last Update Time" + group_item_label: "Seconds" + } + + dimension: attribute__permissions { + hidden: yes + sql: ${TABLE}.attribute.permissions ;; + group_label: "Attribute" + group_item_label: "Permissions" + } + + dimension: attribute__roles { + hidden: yes + sql: ${TABLE}.attribute.roles ;; + group_label: "Attribute" + group_item_label: "Roles" + } + + dimension: company_name { + type: string + sql: ${TABLE}.company_name ;; + } + + dimension: department { + hidden: yes + sql: ${TABLE}.department ;; + } + + dimension: email_addresses { + hidden: yes + sql: ${TABLE}.email_addresses ;; + } + + dimension: employee_id { + type: string + sql: ${TABLE}.employee_id ;; + } + + dimension: first_name { + type: string + sql: ${TABLE}.first_name ;; + } + + dimension: first_seen_time__nanos { + type: number + sql: ${TABLE}.first_seen_time.nanos ;; + group_label: "First Seen Time" + group_item_label: "Nanos" + } + + dimension: first_seen_time__seconds { + type: number + sql: ${TABLE}.first_seen_time.seconds ;; + group_label: "First Seen Time" + group_item_label: "Seconds" + } + + dimension: group_identifiers { + hidden: yes + sql: ${TABLE}.group_identifiers ;; + } + + dimension: groupid { + type: 
string + sql: ${TABLE}.groupid ;; + } + + dimension: hire_date__nanos { + type: number + sql: ${TABLE}.hire_date.nanos ;; + group_label: "Hire Date" + group_item_label: "Nanos" + } + + dimension: hire_date__seconds { + type: number + sql: ${TABLE}.hire_date.seconds ;; + group_label: "Hire Date" + group_item_label: "Seconds" + } + + dimension: last_name { + type: string + sql: ${TABLE}.last_name ;; + } + + dimension: middle_name { + type: string + sql: ${TABLE}.middle_name ;; + } + + dimension: office_address__city { + type: string + sql: ${TABLE}.office_address.city ;; + group_label: "Office Address" + group_item_label: "City" + } + + dimension: office_address__country_or_region { + type: string + sql: ${TABLE}.office_address.country_or_region ;; + group_label: "Office Address" + group_item_label: "Country or Region" + } + + dimension: office_address__desk_name { + type: string + sql: ${TABLE}.office_address.desk_name ;; + group_label: "Office Address" + group_item_label: "Desk Name" + } + + dimension: office_address__floor_name { + type: string + sql: ${TABLE}.office_address.floor_name ;; + group_label: "Office Address" + group_item_label: "Floor Name" + } + + dimension: office_address__name { + type: string + sql: ${TABLE}.office_address.name ;; + group_label: "Office Address" + group_item_label: "Name" + } + + dimension: office_address__region_latitude { + type: number + sql: ${TABLE}.office_address.region_latitude ;; + group_label: "Office Address" + group_item_label: "Region Latitude" + } + + dimension: office_address__region_longitude { + type: number + sql: ${TABLE}.office_address.region_longitude ;; + group_label: "Office Address" + group_item_label: "Region Longitude" + } + + dimension: office_address__state { + type: string + sql: ${TABLE}.office_address.state ;; + group_label: "Office Address" + group_item_label: "State" + } + + dimension: personal_address__city { + type: string + sql: ${TABLE}.personal_address.city ;; + group_label: "Personal Address" + 
group_item_label: "City" + } + + dimension: personal_address__country_or_region { + type: string + sql: ${TABLE}.personal_address.country_or_region ;; + group_label: "Personal Address" + group_item_label: "Country or Region" + } + + dimension: personal_address__desk_name { + type: string + sql: ${TABLE}.personal_address.desk_name ;; + group_label: "Personal Address" + group_item_label: "Desk Name" + } + + dimension: personal_address__floor_name { + type: string + sql: ${TABLE}.personal_address.floor_name ;; + group_label: "Personal Address" + group_item_label: "Floor Name" + } + + dimension: personal_address__name { + type: string + sql: ${TABLE}.personal_address.name ;; + group_label: "Personal Address" + group_item_label: "Name" + } + + dimension: personal_address__region_latitude { + type: number + sql: ${TABLE}.personal_address.region_latitude ;; + group_label: "Personal Address" + group_item_label: "Region Latitude" + } + + dimension: personal_address__region_longitude { + type: number + sql: ${TABLE}.personal_address.region_longitude ;; + group_label: "Personal Address" + group_item_label: "Region Longitude" + } + + dimension: personal_address__state { + type: string + sql: ${TABLE}.personal_address.state ;; + group_label: "Personal Address" + group_item_label: "State" + } + + dimension: phone_numbers { + hidden: yes + sql: ${TABLE}.phone_numbers ;; + } + + dimension: product_object_id { + type: string + sql: ${TABLE}.product_object_id ;; + } + + dimension: role_description { + type: string + sql: ${TABLE}.role_description ;; + } + + dimension: role_name { + type: string + sql: ${TABLE}.role_name ;; + } + + dimension: termination_date__nanos { + type: number + sql: ${TABLE}.termination_date.nanos ;; + group_label: "Termination Date" + group_item_label: "Nanos" + } + + dimension: termination_date__seconds { + type: number + sql: ${TABLE}.termination_date.seconds ;; + group_label: "Termination Date" + group_item_label: "Seconds" + } + + dimension: time_off { + 
hidden: yes + sql: ${TABLE}.time_off ;; + } + + dimension: title { + type: string + sql: ${TABLE}.title ;; + } + + dimension: user_authentication_status { + type: number + sql: ${TABLE}.user_authentication_status ;; + } + + dimension: user_display_name { + type: string + sql: ${TABLE}.user_display_name ;; + } + + dimension: user_role { + type: number + sql: ${TABLE}.user_role ;; + } + + dimension: userid { + type: string + sql: ${TABLE}.userid ;; + } + + dimension: windows_sid { + type: string + sql: ${TABLE}.windows_sid ;; + } +} + +view: udm_events__about__domain__tech__email_addresses { + dimension: udm_events__about__domain__tech__email_addresses { + type: string + sql: udm_events__about__domain__tech__email_addresses ;; + } +} + +view: udm_events__about__domain__zone__email_addresses { + dimension: udm_events__about__domain__zone__email_addresses { + type: string + sql: udm_events__about__domain__zone__email_addresses ;; + } +} + +view: udm_events__intermediary__user__email_addresses { + dimension: udm_events__intermediary__user__email_addresses { + type: string + sql: udm_events__intermediary__user__email_addresses ;; + } +} + +view: udm_events__principal__group__email_addresses { + dimension: udm_events__principal__group__email_addresses { + type: string + sql: udm_events__principal__group__email_addresses ;; + } +} + +view: udm_events__principal__domain__admin__department { + dimension: udm_events__principal__domain__admin__department { + type: string + sql: udm_events__principal__domain__admin__department ;; + } +} + +view: udm_events__src__file__pe_file__resource { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + } + + dimension: file_type { + type: string + sql: ${TABLE}.file_type ;; + } + + dimension: filetype_magic { + type: string + sql: ${TABLE}.filetype_magic ;; + } + + dimension: language_code { + type: string + sql: ${TABLE}.language_code ;; + } + + dimension: resource_type { + type: string + sql: ${TABLE}.resource_type ;; + } + 
+ dimension: sha256_hex { + type: string + sql: ${TABLE}.sha256_hex ;; + } +} + +view: udm_events__src__resource__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__src__resource__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__src__domain__tech__group_identifiers { + dimension: udm_events__src__domain__tech__group_identifiers { + type: string + sql: udm_events__src__domain__tech__group_identifiers ;; + } +} + +view: udm_events__src__domain__zone__group_identifiers { + dimension: udm_events__src__domain__zone__group_identifiers { + type: string + sql: udm_events__src__domain__zone__group_identifiers ;; + } +} + +view: udm_events__target__domain__admin__phone_numbers { + dimension: udm_events__target__domain__admin__phone_numbers { + type: string + sql: udm_events__target__domain__admin__phone_numbers ;; + } +} + +view: udm_events__target__asset__vulnerabilities { + dimension: cve_description { + type: string + sql: ${TABLE}.cve_description ;; + } + + dimension: cve_id { + type: string + sql: ${TABLE}.cve_id ;; + } + + dimension: cvss_base_score { + type: number + sql: ${TABLE}.cvss_base_score ;; + } + + dimension: cvss_vector { + type: string + sql: ${TABLE}.cvss_vector ;; + } + + dimension: cvss_version { + type: string + sql: ${TABLE}.cvss_version ;; + } + + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: first_found__nanos { + type: number + sql: ${TABLE}.first_found.nanos ;; + group_label: "First Found" + group_item_label: "Nanos" + } + + dimension: first_found__seconds { + type: number + sql: ${TABLE}.first_found.seconds ;; + 
group_label: "First Found" + group_item_label: "Seconds" + } + + dimension: last_found__nanos { + type: number + sql: ${TABLE}.last_found.nanos ;; + group_label: "Last Found" + group_item_label: "Nanos" + } + + dimension: last_found__seconds { + type: number + sql: ${TABLE}.last_found.seconds ;; + group_label: "Last Found" + group_item_label: "Seconds" + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: scan_end_time__nanos { + type: number + sql: ${TABLE}.scan_end_time.nanos ;; + group_label: "Scan End Time" + group_item_label: "Nanos" + } + + dimension: scan_end_time__seconds { + type: number + sql: ${TABLE}.scan_end_time.seconds ;; + group_label: "Scan End Time" + group_item_label: "Seconds" + } + + dimension: scan_start_time__nanos { + type: number + sql: ${TABLE}.scan_start_time.nanos ;; + group_label: "Scan Start Time" + group_item_label: "Nanos" + } + + dimension: scan_start_time__seconds { + type: number + sql: ${TABLE}.scan_start_time.seconds ;; + group_label: "Scan Start Time" + group_item_label: "Seconds" + } + + dimension: severity { + type: number + sql: ${TABLE}.severity ;; + } + + dimension: severity_details { + type: string + sql: ${TABLE}.severity_details ;; + } + + dimension: vendor { + type: string + sql: ${TABLE}.vendor ;; + } + + dimension: vendor_knowledge_base_article_id { + type: string + sql: ${TABLE}.vendor_knowledge_base_article_id ;; + } + + dimension: vendor_vulnerability_id { + type: string + sql: ${TABLE}.vendor_vulnerability_id ;; + } +} + +view: udm_events__target__asset__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__target__asset__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { 
+ type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__metadata__tags__data_tap_config_name { + dimension: udm_events__metadata__tags__data_tap_config_name { + type: string + sql: udm_events__metadata__tags__data_tap_config_name ;; + } +} + +view: udm_events__about__file__pe_file__imports { + dimension: functions { + hidden: yes + sql: ${TABLE}.functions ;; + } + + dimension: library { + type: string + sql: ${TABLE}.library ;; + } +} + +view: udm_events__about__group__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__about__group__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__about__process__command_line_history { + dimension: udm_events__about__process__command_line_history { + type: string + sql: udm_events__about__process__command_line_history ;; + } +} + +view: udm_events__about__process_ancestors__file__names { + dimension: udm_events__about__process_ancestors__file__names { + type: string + sql: udm_events__about__process_ancestors__file__names ;; + } +} + +view: udm_events__about__domain__admin__email_addresses { + dimension: udm_events__about__domain__admin__email_addresses { + type: string + sql: udm_events__about__domain__admin__email_addresses ;; + } +} + +view: udm_events__about__domain__billing__phone_numbers { + dimension: udm_events__about__domain__billing__phone_numbers { + type: string + sql: udm_events__about__domain__billing__phone_numbers ;; + } +} + +view: udm_events__about__domain__registrant__department { + dimension: udm_events__about__domain__registrant__department { + type: string + sql: udm_events__about__domain__registrant__department ;; 
+ } +} + +view: udm_events__intermediary__resource_ancestors { + drill_fields: [id] + + dimension: id { + primary_key: yes + type: string + sql: ${TABLE}.id ;; + } + + dimension: attribute__cloud__availability_zone { + type: string + sql: ${TABLE}.attribute.cloud.availability_zone ;; + group_label: "Attribute Cloud" + group_item_label: "Availability Zone" + } + + dimension: attribute__cloud__environment { + type: number + sql: ${TABLE}.attribute.cloud.environment ;; + group_label: "Attribute Cloud" + group_item_label: "Environment" + } + + dimension: attribute__creation_time__nanos { + type: number + sql: ${TABLE}.attribute.creation_time.nanos ;; + group_label: "Attribute Creation Time" + group_item_label: "Nanos" + } + + dimension: attribute__creation_time__seconds { + type: number + sql: ${TABLE}.attribute.creation_time.seconds ;; + group_label: "Attribute Creation Time" + group_item_label: "Seconds" + } + + dimension: attribute__labels { + hidden: yes + sql: ${TABLE}.attribute.labels ;; + group_label: "Attribute" + group_item_label: "Labels" + } + + dimension: attribute__last_update_time__nanos { + type: number + sql: ${TABLE}.attribute.last_update_time.nanos ;; + group_label: "Attribute Last Update Time" + group_item_label: "Nanos" + } + + dimension: attribute__last_update_time__seconds { + type: number + sql: ${TABLE}.attribute.last_update_time.seconds ;; + group_label: "Attribute Last Update Time" + group_item_label: "Seconds" + } + + dimension: attribute__permissions { + hidden: yes + sql: ${TABLE}.attribute.permissions ;; + group_label: "Attribute" + group_item_label: "Permissions" + } + + dimension: attribute__roles { + hidden: yes + sql: ${TABLE}.attribute.roles ;; + group_label: "Attribute" + group_item_label: "Roles" + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: parent { + type: string + sql: ${TABLE}.parent ;; + } + + dimension: product_object_id { + type: string + sql: ${TABLE}.product_object_id ;; + } + + 
dimension: resource_subtype { + type: string + sql: ${TABLE}.resource_subtype ;; + } + + dimension: resource_type { + type: number + sql: ${TABLE}.resource_type ;; + } + + dimension: type { + type: string + sql: ${TABLE}.type ;; + } +} + +view: udm_events__intermediary__process_ancestors { + dimension: access_mask { + type: number + sql: ${TABLE}.access_mask ;; + } + + dimension: command_line { + type: string + sql: ${TABLE}.command_line ;; + } + + dimension: command_line_history { + hidden: yes + sql: ${TABLE}.command_line_history ;; + } + + dimension: file__ahash { + type: string + sql: ${TABLE}.file.ahash ;; + group_label: "File" + group_item_label: "Ahash" + } + + dimension: file__authentihash { + type: string + sql: ${TABLE}.file.authentihash ;; + group_label: "File" + group_item_label: "Authentihash" + } + + dimension: file__capabilities_tags { + hidden: yes + sql: ${TABLE}.file.capabilities_tags ;; + group_label: "File" + group_item_label: "Capabilities Tags" + } + + dimension: file__file_metadata__pe__import_hash { + type: string + sql: ${TABLE}.file.file_metadata.pe.import_hash ;; + group_label: "File File Metadata Pe" + group_item_label: "Import Hash" + } + + dimension: file__file_type { + type: number + sql: ${TABLE}.file.file_type ;; + group_label: "File" + group_item_label: "File Type" + } + + dimension: file__first_seen_time__nanos { + type: number + sql: ${TABLE}.file.first_seen_time.nanos ;; + group_label: "File First Seen Time" + group_item_label: "Nanos" + } + + dimension: file__first_seen_time__seconds { + type: number + sql: ${TABLE}.file.first_seen_time.seconds ;; + group_label: "File First Seen Time" + group_item_label: "Seconds" + } + + dimension: file__full_path { + type: string + sql: ${TABLE}.file.full_path ;; + group_label: "File" + group_item_label: "Full Path" + } + + dimension: file__last_modification_time__nanos { + type: number + sql: ${TABLE}.file.last_modification_time.nanos ;; + group_label: "File Last Modification Time" + 
group_item_label: "Nanos" + } + + dimension: file__last_modification_time__seconds { + type: number + sql: ${TABLE}.file.last_modification_time.seconds ;; + group_label: "File Last Modification Time" + group_item_label: "Seconds" + } + + dimension: file__last_seen_time__nanos { + type: number + sql: ${TABLE}.file.last_seen_time.nanos ;; + group_label: "File Last Seen Time" + group_item_label: "Nanos" + } + + dimension: file__last_seen_time__seconds { + type: number + sql: ${TABLE}.file.last_seen_time.seconds ;; + group_label: "File Last Seen Time" + group_item_label: "Seconds" + } + + dimension: file__md5 { + type: string + sql: ${TABLE}.file.md5 ;; + group_label: "File" + group_item_label: "Md5" + } + + dimension: file__mime_type { + type: string + sql: ${TABLE}.file.mime_type ;; + group_label: "File" + group_item_label: "Mime Type" + } + + dimension: file__names { + hidden: yes + sql: ${TABLE}.file.names ;; + group_label: "File" + group_item_label: "Names" + } + + dimension: file__pe_file__compilation_exiftool_time__nanos { + type: number + sql: ${TABLE}.file.pe_file.compilation_exiftool_time.nanos ;; + group_label: "File Pe File Compilation Exiftool Time" + group_item_label: "Nanos" + } + + dimension: file__pe_file__compilation_exiftool_time__seconds { + type: number + sql: ${TABLE}.file.pe_file.compilation_exiftool_time.seconds ;; + group_label: "File Pe File Compilation Exiftool Time" + group_item_label: "Seconds" + } + + dimension: file__pe_file__compilation_time__nanos { + type: number + sql: ${TABLE}.file.pe_file.compilation_time.nanos ;; + group_label: "File Pe File Compilation Time" + group_item_label: "Nanos" + } + + dimension: file__pe_file__compilation_time__seconds { + type: number + sql: ${TABLE}.file.pe_file.compilation_time.seconds ;; + group_label: "File Pe File Compilation Time" + group_item_label: "Seconds" + } + + dimension: file__pe_file__entry_point { + type: number + sql: ${TABLE}.file.pe_file.entry_point ;; + group_label: "File Pe File" + 
group_item_label: "Entry Point" + } + + dimension: file__pe_file__entry_point_exiftool { + type: number + sql: ${TABLE}.file.pe_file.entry_point_exiftool ;; + group_label: "File Pe File" + group_item_label: "Entry Point Exiftool" + } + + dimension: file__pe_file__imphash { + type: string + sql: ${TABLE}.file.pe_file.imphash ;; + group_label: "File Pe File" + group_item_label: "Imphash" + } + + dimension: file__pe_file__imports { + hidden: yes + sql: ${TABLE}.file.pe_file.imports ;; + group_label: "File Pe File" + group_item_label: "Imports" + } + + dimension: file__pe_file__resource { + hidden: yes + sql: ${TABLE}.file.pe_file.resource ;; + group_label: "File Pe File" + group_item_label: "Resource" + } + + dimension: file__pe_file__resources_language_count { + hidden: yes + sql: ${TABLE}.file.pe_file.resources_language_count ;; + group_label: "File Pe File" + group_item_label: "Resources Language Count" + } + + dimension: file__pe_file__resources_language_count_str { + hidden: yes + sql: ${TABLE}.file.pe_file.resources_language_count_str ;; + group_label: "File Pe File" + group_item_label: "Resources Language Count Str" + } + + dimension: file__pe_file__resources_type_count { + hidden: yes + sql: ${TABLE}.file.pe_file.resources_type_count ;; + group_label: "File Pe File" + group_item_label: "Resources Type Count" + } + + dimension: file__pe_file__resources_type_count_str { + hidden: yes + sql: ${TABLE}.file.pe_file.resources_type_count_str ;; + group_label: "File Pe File" + group_item_label: "Resources Type Count Str" + } + + dimension: file__pe_file__section { + hidden: yes + sql: ${TABLE}.file.pe_file.section ;; + group_label: "File Pe File" + group_item_label: "Section" + } + + dimension: file__pe_file__signature_info__signer { + hidden: yes + sql: ${TABLE}.file.pe_file.signature_info.signer ;; + group_label: "File Pe File Signature Info" + group_item_label: "Signer" + } + + dimension: file__pe_file__signature_info__signers { + hidden: yes + sql: 
${TABLE}.file.pe_file.signature_info.signers ;; + group_label: "File Pe File Signature Info" + group_item_label: "Signers" + } + + dimension: file__pe_file__signature_info__verification_message { + type: string + sql: ${TABLE}.file.pe_file.signature_info.verification_message ;; + group_label: "File Pe File Signature Info" + group_item_label: "Verification Message" + } + + dimension: file__pe_file__signature_info__verified { + type: yesno + sql: ${TABLE}.file.pe_file.signature_info.verified ;; + group_label: "File Pe File Signature Info" + group_item_label: "Verified" + } + + dimension: file__prevalence__day_count { + type: number + sql: ${TABLE}.file.prevalence.day_count ;; + group_label: "File Prevalence" + group_item_label: "Day Count" + } + + dimension: file__prevalence__day_max { + type: number + sql: ${TABLE}.file.prevalence.day_max ;; + group_label: "File Prevalence" + group_item_label: "Day Max" + } + + dimension: file__prevalence__day_max_sub_domains { + type: number + sql: ${TABLE}.file.prevalence.day_max_sub_domains ;; + group_label: "File Prevalence" + group_item_label: "Day Max Sub Domains" + } + + dimension: file__prevalence__rolling_max { + type: number + sql: ${TABLE}.file.prevalence.rolling_max ;; + group_label: "File Prevalence" + group_item_label: "Rolling Max" + } + + dimension: file__prevalence__rolling_max_sub_domains { + type: number + sql: ${TABLE}.file.prevalence.rolling_max_sub_domains ;; + group_label: "File Prevalence" + group_item_label: "Rolling Max Sub Domains" + } + + dimension: file__sha1 { + type: string + sql: ${TABLE}.file.sha1 ;; + group_label: "File" + group_item_label: "Sha1" + } + + dimension: file__sha256 { + type: string + sql: ${TABLE}.file.sha256 ;; + group_label: "File" + group_item_label: "Sha256" + } + + dimension: file__size { + type: number + sql: ${TABLE}.file.size ;; + group_label: "File" + group_item_label: "Size" + } + + dimension: file__ssdeep { + type: string + sql: ${TABLE}.file.ssdeep ;; + group_label: "File" 
+ group_item_label: "Ssdeep" + } + + dimension: file__vhash { + type: string + sql: ${TABLE}.file.vhash ;; + group_label: "File" + group_item_label: "Vhash" + } + + dimension: parent_pid { + type: string + sql: ${TABLE}.parent_pid ;; + } + + dimension: pid { + type: string + sql: ${TABLE}.pid ;; + } + + dimension: product_specific_parent_process_id { + type: string + sql: ${TABLE}.product_specific_parent_process_id ;; + } + + dimension: product_specific_process_id { + type: string + sql: ${TABLE}.product_specific_process_id ;; + } +} + +view: udm_events__observer__file__pe_file__section { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + } + + dimension: md5_hex { + type: string + sql: ${TABLE}.md5_hex ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: raw_size_bytes { + type: number + sql: ${TABLE}.raw_size_bytes ;; + } + + dimension: virtual_size_bytes { + type: number + sql: ${TABLE}.virtual_size_bytes ;; + } +} + +view: udm_events__observer__domain__tech__phone_numbers { + dimension: udm_events__observer__domain__tech__phone_numbers { + type: string + sql: udm_events__observer__domain__tech__phone_numbers ;; + } +} + +view: udm_events__observer__domain__billing__department { + dimension: udm_events__observer__domain__billing__department { + type: string + sql: udm_events__observer__domain__billing__department ;; + } +} + +view: udm_events__observer__domain__zone__phone_numbers { + dimension: udm_events__observer__domain__zone__phone_numbers { + type: string + sql: udm_events__observer__domain__zone__phone_numbers ;; + } +} + +view: udm_events__observer__user__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: 
${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: udm_events__observer__user__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__observer__user__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__src__cloud__vpc__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__src__cloud__vpc__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__src__file__pe_file__imports__functions { + dimension: udm_events__src__file__pe_file__imports__functions { + type: string + sql: udm_events__src__file__pe_file__imports__functions ;; + } +} + +view: udm_events__src__process__file__capabilities_tags { + dimension: udm_events__src__process__file__capabilities_tags { + type: string + sql: udm_events__src__process__file__capabilities_tags ;; + } +} + +view: udm_events__src__domain__admin__group_identifiers { + 
dimension: udm_events__src__domain__admin__group_identifiers { + type: string + sql: udm_events__src__domain__admin__group_identifiers ;; + } +} + +view: udm_events__src__domain__billing__email_addresses { + dimension: udm_events__src__domain__billing__email_addresses { + type: string + sql: udm_events__src__domain__billing__email_addresses ;; + } +} + +view: udm_events__security_result__about__asset__nat_ip { + dimension: udm_events__security_result__about__asset__nat_ip { + type: string + sql: udm_events__security_result__about__asset__nat_ip ;; + } +} + +view: udm_events__target__user_management_chain { + dimension: account_type { + type: number + sql: ${TABLE}.account_type ;; + } + + dimension: attribute__cloud__availability_zone { + type: string + sql: ${TABLE}.attribute.cloud.availability_zone ;; + group_label: "Attribute Cloud" + group_item_label: "Availability Zone" + } + + dimension: attribute__cloud__environment { + type: number + sql: ${TABLE}.attribute.cloud.environment ;; + group_label: "Attribute Cloud" + group_item_label: "Environment" + } + + dimension: attribute__cloud__project__id { + type: string + sql: ${TABLE}.attribute.cloud.project.id ;; + group_label: "Attribute Cloud Project" + group_item_label: "ID" + } + + dimension: attribute__cloud__project__name { + type: string + sql: ${TABLE}.attribute.cloud.project.name ;; + group_label: "Attribute Cloud Project" + group_item_label: "Name" + } + + dimension: attribute__cloud__project__parent { + type: string + sql: ${TABLE}.attribute.cloud.project.parent ;; + group_label: "Attribute Cloud Project" + group_item_label: "Parent" + } + + dimension: attribute__cloud__project__product_object_id { + type: string + sql: ${TABLE}.attribute.cloud.project.product_object_id ;; + group_label: "Attribute Cloud Project" + group_item_label: "Product Object ID" + } + + dimension: attribute__cloud__project__resource_subtype { + type: string + sql: ${TABLE}.attribute.cloud.project.resource_subtype ;; + group_label: 
"Attribute Cloud Project" + group_item_label: "Resource Subtype" + } + + dimension: attribute__cloud__project__resource_type { + type: number + sql: ${TABLE}.attribute.cloud.project.resource_type ;; + group_label: "Attribute Cloud Project" + group_item_label: "Resource Type" + } + + dimension: attribute__cloud__project__type { + type: string + sql: ${TABLE}.attribute.cloud.project.type ;; + group_label: "Attribute Cloud Project" + group_item_label: "Type" + } + + dimension: attribute__cloud__vpc__id { + type: string + sql: ${TABLE}.attribute.cloud.vpc.id ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "ID" + } + + dimension: attribute__cloud__vpc__name { + type: string + sql: ${TABLE}.attribute.cloud.vpc.name ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "Name" + } + + dimension: attribute__cloud__vpc__parent { + type: string + sql: ${TABLE}.attribute.cloud.vpc.parent ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "Parent" + } + + dimension: attribute__cloud__vpc__product_object_id { + type: string + sql: ${TABLE}.attribute.cloud.vpc.product_object_id ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "Product Object ID" + } + + dimension: attribute__cloud__vpc__resource_subtype { + type: string + sql: ${TABLE}.attribute.cloud.vpc.resource_subtype ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "Resource Subtype" + } + + dimension: attribute__cloud__vpc__resource_type { + type: number + sql: ${TABLE}.attribute.cloud.vpc.resource_type ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "Resource Type" + } + + dimension: attribute__cloud__vpc__type { + type: string + sql: ${TABLE}.attribute.cloud.vpc.type ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "Type" + } + + dimension: attribute__creation_time__nanos { + type: number + sql: ${TABLE}.attribute.creation_time.nanos ;; + group_label: "Attribute Creation Time" + group_item_label: "Nanos" + } + + dimension: 
attribute__creation_time__seconds { + type: number + sql: ${TABLE}.attribute.creation_time.seconds ;; + group_label: "Attribute Creation Time" + group_item_label: "Seconds" + } + + dimension: attribute__labels { + hidden: yes + sql: ${TABLE}.attribute.labels ;; + group_label: "Attribute" + group_item_label: "Labels" + } + + dimension: attribute__last_update_time__nanos { + type: number + sql: ${TABLE}.attribute.last_update_time.nanos ;; + group_label: "Attribute Last Update Time" + group_item_label: "Nanos" + } + + dimension: attribute__last_update_time__seconds { + type: number + sql: ${TABLE}.attribute.last_update_time.seconds ;; + group_label: "Attribute Last Update Time" + group_item_label: "Seconds" + } + + dimension: attribute__permissions { + hidden: yes + sql: ${TABLE}.attribute.permissions ;; + group_label: "Attribute" + group_item_label: "Permissions" + } + + dimension: attribute__roles { + hidden: yes + sql: ${TABLE}.attribute.roles ;; + group_label: "Attribute" + group_item_label: "Roles" + } + + dimension: company_name { + type: string + sql: ${TABLE}.company_name ;; + } + + dimension: department { + hidden: yes + sql: ${TABLE}.department ;; + } + + dimension: email_addresses { + hidden: yes + sql: ${TABLE}.email_addresses ;; + } + + dimension: employee_id { + type: string + sql: ${TABLE}.employee_id ;; + } + + dimension: first_name { + type: string + sql: ${TABLE}.first_name ;; + } + + dimension: first_seen_time__nanos { + type: number + sql: ${TABLE}.first_seen_time.nanos ;; + group_label: "First Seen Time" + group_item_label: "Nanos" + } + + dimension: first_seen_time__seconds { + type: number + sql: ${TABLE}.first_seen_time.seconds ;; + group_label: "First Seen Time" + group_item_label: "Seconds" + } + + dimension: group_identifiers { + hidden: yes + sql: ${TABLE}.group_identifiers ;; + } + + dimension: groupid { + type: string + sql: ${TABLE}.groupid ;; + } + + dimension: hire_date__nanos { + type: number + sql: ${TABLE}.hire_date.nanos ;; + 
group_label: "Hire Date" + group_item_label: "Nanos" + } + + dimension: hire_date__seconds { + type: number + sql: ${TABLE}.hire_date.seconds ;; + group_label: "Hire Date" + group_item_label: "Seconds" + } + + dimension: last_name { + type: string + sql: ${TABLE}.last_name ;; + } + + dimension: middle_name { + type: string + sql: ${TABLE}.middle_name ;; + } + + dimension: office_address__city { + type: string + sql: ${TABLE}.office_address.city ;; + group_label: "Office Address" + group_item_label: "City" + } + + dimension: office_address__country_or_region { + type: string + sql: ${TABLE}.office_address.country_or_region ;; + group_label: "Office Address" + group_item_label: "Country or Region" + } + + dimension: office_address__desk_name { + type: string + sql: ${TABLE}.office_address.desk_name ;; + group_label: "Office Address" + group_item_label: "Desk Name" + } + + dimension: office_address__floor_name { + type: string + sql: ${TABLE}.office_address.floor_name ;; + group_label: "Office Address" + group_item_label: "Floor Name" + } + + dimension: office_address__name { + type: string + sql: ${TABLE}.office_address.name ;; + group_label: "Office Address" + group_item_label: "Name" + } + + dimension: office_address__region_latitude { + type: number + sql: ${TABLE}.office_address.region_latitude ;; + group_label: "Office Address" + group_item_label: "Region Latitude" + } + + dimension: office_address__region_longitude { + type: number + sql: ${TABLE}.office_address.region_longitude ;; + group_label: "Office Address" + group_item_label: "Region Longitude" + } + + dimension: office_address__state { + type: string + sql: ${TABLE}.office_address.state ;; + group_label: "Office Address" + group_item_label: "State" + } + + dimension: personal_address__city { + type: string + sql: ${TABLE}.personal_address.city ;; + group_label: "Personal Address" + group_item_label: "City" + } + + dimension: personal_address__country_or_region { + type: string + sql: 
${TABLE}.personal_address.country_or_region ;; + group_label: "Personal Address" + group_item_label: "Country or Region" + } + + dimension: personal_address__desk_name { + type: string + sql: ${TABLE}.personal_address.desk_name ;; + group_label: "Personal Address" + group_item_label: "Desk Name" + } + + dimension: personal_address__floor_name { + type: string + sql: ${TABLE}.personal_address.floor_name ;; + group_label: "Personal Address" + group_item_label: "Floor Name" + } + + dimension: personal_address__name { + type: string + sql: ${TABLE}.personal_address.name ;; + group_label: "Personal Address" + group_item_label: "Name" + } + + dimension: personal_address__region_latitude { + type: number + sql: ${TABLE}.personal_address.region_latitude ;; + group_label: "Personal Address" + group_item_label: "Region Latitude" + } + + dimension: personal_address__region_longitude { + type: number + sql: ${TABLE}.personal_address.region_longitude ;; + group_label: "Personal Address" + group_item_label: "Region Longitude" + } + + dimension: personal_address__state { + type: string + sql: ${TABLE}.personal_address.state ;; + group_label: "Personal Address" + group_item_label: "State" + } + + dimension: phone_numbers { + hidden: yes + sql: ${TABLE}.phone_numbers ;; + } + + dimension: product_object_id { + type: string + sql: ${TABLE}.product_object_id ;; + } + + dimension: role_description { + type: string + sql: ${TABLE}.role_description ;; + } + + dimension: role_name { + type: string + sql: ${TABLE}.role_name ;; + } + + dimension: termination_date__nanos { + type: number + sql: ${TABLE}.termination_date.nanos ;; + group_label: "Termination Date" + group_item_label: "Nanos" + } + + dimension: termination_date__seconds { + type: number + sql: ${TABLE}.termination_date.seconds ;; + group_label: "Termination Date" + group_item_label: "Seconds" + } + + dimension: time_off { + hidden: yes + sql: ${TABLE}.time_off ;; + } + + dimension: title { + type: string + sql: ${TABLE}.title 
;; + } + + dimension: user_authentication_status { + type: number + sql: ${TABLE}.user_authentication_status ;; + } + + dimension: user_display_name { + type: string + sql: ${TABLE}.user_display_name ;; + } + + dimension: user_role { + type: number + sql: ${TABLE}.user_role ;; + } + + dimension: userid { + type: string + sql: ${TABLE}.userid ;; + } + + dimension: windows_sid { + type: string + sql: ${TABLE}.windows_sid ;; + } +} + +view: udm_events__target__domain__tech__email_addresses { + dimension: udm_events__target__domain__tech__email_addresses { + type: string + sql: udm_events__target__domain__tech__email_addresses ;; + } +} + +view: udm_events__target__domain__zone__email_addresses { + dimension: udm_events__target__domain__zone__email_addresses { + type: string + sql: udm_events__target__domain__zone__email_addresses ;; + } +} + +view: udm_events__about__file__pe_file__resource { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + } + + dimension: file_type { + type: string + sql: ${TABLE}.file_type ;; + } + + dimension: filetype_magic { + type: string + sql: ${TABLE}.filetype_magic ;; + } + + dimension: language_code { + type: string + sql: ${TABLE}.language_code ;; + } + + dimension: resource_type { + type: string + sql: ${TABLE}.resource_type ;; + } + + dimension: sha256_hex { + type: string + sql: ${TABLE}.sha256_hex ;; + } +} + +view: udm_events__about__resource__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__about__resource__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__about__domain__tech__group_identifiers { + dimension: 
udm_events__about__domain__tech__group_identifiers { + type: string + sql: udm_events__about__domain__tech__group_identifiers ;; + } +} + +view: udm_events__about__domain__zone__group_identifiers { + dimension: udm_events__about__domain__zone__group_identifiers { + type: string + sql: udm_events__about__domain__zone__group_identifiers ;; + } +} + +view: udm_events__intermediary__file__capabilities_tags { + dimension: udm_events__intermediary__file__capabilities_tags { + type: string + sql: udm_events__intermediary__file__capabilities_tags ;; + } +} + +view: udm_events__intermediary__domain__tech__department { + dimension: udm_events__intermediary__domain__tech__department { + type: string + sql: udm_events__intermediary__domain__tech__department ;; + } +} + +view: udm_events__intermediary__domain__zone__department { + dimension: udm_events__intermediary__domain__zone__department { + type: string + sql: udm_events__intermediary__domain__zone__department ;; + } +} + +view: udm_events__intermediary__investigation__comments { + dimension: udm_events__intermediary__investigation__comments { + type: string + sql: udm_events__intermediary__investigation__comments ;; + } +} + +view: udm_events__intermediary__user__group_identifiers { + dimension: udm_events__intermediary__user__group_identifiers { + type: string + sql: udm_events__intermediary__user__group_identifiers ;; + } +} + +view: udm_events__principal__file__pe_file__section { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + } + + dimension: md5_hex { + type: string + sql: ${TABLE}.md5_hex ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: raw_size_bytes { + type: number + sql: ${TABLE}.raw_size_bytes ;; + } + + dimension: virtual_size_bytes { + type: number + sql: ${TABLE}.virtual_size_bytes ;; + } +} + +view: udm_events__principal__domain__tech__phone_numbers { + dimension: udm_events__principal__domain__tech__phone_numbers { + type: string + sql: 
udm_events__principal__domain__tech__phone_numbers ;; + } +} + +view: udm_events__principal__domain__billing__department { + dimension: udm_events__principal__domain__billing__department { + type: string + sql: udm_events__principal__domain__billing__department ;; + } +} + +view: udm_events__principal__domain__zone__phone_numbers { + dimension: udm_events__principal__domain__zone__phone_numbers { + type: string + sql: udm_events__principal__domain__zone__phone_numbers ;; + } +} + +view: udm_events__principal__user__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: udm_events__principal__user__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__principal__user__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__observer__domain__admin__phone_numbers { + dimension: udm_events__observer__domain__admin__phone_numbers { + type: string + sql: 
udm_events__observer__domain__admin__phone_numbers ;; + } +} + +view: udm_events__observer__asset__vulnerabilities { + dimension: cve_description { + type: string + sql: ${TABLE}.cve_description ;; + } + + dimension: cve_id { + type: string + sql: ${TABLE}.cve_id ;; + } + + dimension: cvss_base_score { + type: number + sql: ${TABLE}.cvss_base_score ;; + } + + dimension: cvss_vector { + type: string + sql: ${TABLE}.cvss_vector ;; + } + + dimension: cvss_version { + type: string + sql: ${TABLE}.cvss_version ;; + } + + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: first_found__nanos { + type: number + sql: ${TABLE}.first_found.nanos ;; + group_label: "First Found" + group_item_label: "Nanos" + } + + dimension: first_found__seconds { + type: number + sql: ${TABLE}.first_found.seconds ;; + group_label: "First Found" + group_item_label: "Seconds" + } + + dimension: last_found__nanos { + type: number + sql: ${TABLE}.last_found.nanos ;; + group_label: "Last Found" + group_item_label: "Nanos" + } + + dimension: last_found__seconds { + type: number + sql: ${TABLE}.last_found.seconds ;; + group_label: "Last Found" + group_item_label: "Seconds" + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: scan_end_time__nanos { + type: number + sql: ${TABLE}.scan_end_time.nanos ;; + group_label: "Scan End Time" + group_item_label: "Nanos" + } + + dimension: scan_end_time__seconds { + type: number + sql: ${TABLE}.scan_end_time.seconds ;; + group_label: "Scan End Time" + group_item_label: "Seconds" + } + + dimension: scan_start_time__nanos { + type: number + sql: ${TABLE}.scan_start_time.nanos ;; + group_label: "Scan Start Time" + group_item_label: "Nanos" + } + + dimension: scan_start_time__seconds { + type: number + sql: ${TABLE}.scan_start_time.seconds ;; + group_label: "Scan Start Time" + group_item_label: "Seconds" + } + + dimension: severity { + type: number + sql: ${TABLE}.severity ;; + } + + dimension: 
severity_details { + type: string + sql: ${TABLE}.severity_details ;; + } + + dimension: vendor { + type: string + sql: ${TABLE}.vendor ;; + } + + dimension: vendor_knowledge_base_article_id { + type: string + sql: ${TABLE}.vendor_knowledge_base_article_id ;; + } + + dimension: vendor_vulnerability_id { + type: string + sql: ${TABLE}.vendor_vulnerability_id ;; + } +} + +view: udm_events__observer__asset__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__observer__asset__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__src__domain__registrant__phone_numbers { + dimension: udm_events__src__domain__registrant__phone_numbers { + type: string + sql: udm_events__src__domain__registrant__phone_numbers ;; + } +} + +view: udm_events__src__asset__software__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__src__user__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__target__file__pe_file__imports { + dimension: functions { + hidden: yes + sql: ${TABLE}.functions ;; + } + + dimension: library { + type: string + sql: ${TABLE}.library ;; + } +} + +view: udm_events__target__group__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + 
type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__target__group__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__target__process__command_line_history { + dimension: udm_events__target__process__command_line_history { + type: string + sql: udm_events__target__process__command_line_history ;; + } +} + +view: udm_events__target__process_ancestors__file__names { + dimension: udm_events__target__process_ancestors__file__names { + type: string + sql: udm_events__target__process_ancestors__file__names ;; + } +} + +view: udm_events__target__domain__admin__email_addresses { + dimension: udm_events__target__domain__admin__email_addresses { + type: string + sql: udm_events__target__domain__admin__email_addresses ;; + } +} + +view: udm_events__target__domain__billing__phone_numbers { + dimension: udm_events__target__domain__billing__phone_numbers { + type: string + sql: udm_events__target__domain__billing__phone_numbers ;; + } +} + +view: udm_events__target__domain__registrant__department { + dimension: udm_events__target__domain__registrant__department { + type: string + sql: udm_events__target__domain__registrant__department ;; + } +} + +view: udm_events__about__cloud__vpc__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__about__cloud__vpc__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: 
udm_events__about__file__pe_file__imports__functions { + dimension: udm_events__about__file__pe_file__imports__functions { + type: string + sql: udm_events__about__file__pe_file__imports__functions ;; + } +} + +view: udm_events__about__process__file__capabilities_tags { + dimension: udm_events__about__process__file__capabilities_tags { + type: string + sql: udm_events__about__process__file__capabilities_tags ;; + } +} + +view: udm_events__about__domain__admin__group_identifiers { + dimension: udm_events__about__domain__admin__group_identifiers { + type: string + sql: udm_events__about__domain__admin__group_identifiers ;; + } +} + +view: udm_events__about__domain__billing__email_addresses { + dimension: udm_events__about__domain__billing__email_addresses { + type: string + sql: udm_events__about__domain__billing__email_addresses ;; + } +} + +view: udm_events__intermediary__group__email_addresses { + dimension: udm_events__intermediary__group__email_addresses { + type: string + sql: udm_events__intermediary__group__email_addresses ;; + } +} + +view: udm_events__intermediary__domain__admin__department { + dimension: udm_events__intermediary__domain__admin__department { + type: string + sql: udm_events__intermediary__domain__admin__department ;; + } +} + +view: udm_events__network__tls__client__supported_ciphers { + dimension: udm_events__network__tls__client__supported_ciphers { + type: string + sql: udm_events__network__tls__client__supported_ciphers ;; + } +} + +view: udm_events__principal__domain__admin__phone_numbers { + dimension: udm_events__principal__domain__admin__phone_numbers { + type: string + sql: udm_events__principal__domain__admin__phone_numbers ;; + } +} + +view: udm_events__principal__asset__vulnerabilities { + dimension: cve_description { + type: string + sql: ${TABLE}.cve_description ;; + } + + dimension: cve_id { + type: string + sql: ${TABLE}.cve_id ;; + } + + dimension: cvss_base_score { + type: number + sql: ${TABLE}.cvss_base_score ;; + } + + 
dimension: cvss_vector { + type: string + sql: ${TABLE}.cvss_vector ;; + } + + dimension: cvss_version { + type: string + sql: ${TABLE}.cvss_version ;; + } + + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: first_found__nanos { + type: number + sql: ${TABLE}.first_found.nanos ;; + group_label: "First Found" + group_item_label: "Nanos" + } + + dimension: first_found__seconds { + type: number + sql: ${TABLE}.first_found.seconds ;; + group_label: "First Found" + group_item_label: "Seconds" + } + + dimension: last_found__nanos { + type: number + sql: ${TABLE}.last_found.nanos ;; + group_label: "Last Found" + group_item_label: "Nanos" + } + + dimension: last_found__seconds { + type: number + sql: ${TABLE}.last_found.seconds ;; + group_label: "Last Found" + group_item_label: "Seconds" + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: scan_end_time__nanos { + type: number + sql: ${TABLE}.scan_end_time.nanos ;; + group_label: "Scan End Time" + group_item_label: "Nanos" + } + + dimension: scan_end_time__seconds { + type: number + sql: ${TABLE}.scan_end_time.seconds ;; + group_label: "Scan End Time" + group_item_label: "Seconds" + } + + dimension: scan_start_time__nanos { + type: number + sql: ${TABLE}.scan_start_time.nanos ;; + group_label: "Scan Start Time" + group_item_label: "Nanos" + } + + dimension: scan_start_time__seconds { + type: number + sql: ${TABLE}.scan_start_time.seconds ;; + group_label: "Scan Start Time" + group_item_label: "Seconds" + } + + dimension: severity { + type: number + sql: ${TABLE}.severity ;; + } + + dimension: severity_details { + type: string + sql: ${TABLE}.severity_details ;; + } + + dimension: vendor { + type: string + sql: ${TABLE}.vendor ;; + } + + dimension: vendor_knowledge_base_article_id { + type: string + sql: ${TABLE}.vendor_knowledge_base_article_id ;; + } + + dimension: vendor_vulnerability_id { + type: string + sql: ${TABLE}.vendor_vulnerability_id ;; + 
} +} + +view: udm_events__principal__asset__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__principal__asset__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__observer__user_management_chain { + dimension: account_type { + type: number + sql: ${TABLE}.account_type ;; + } + + dimension: attribute__cloud__availability_zone { + type: string + sql: ${TABLE}.attribute.cloud.availability_zone ;; + group_label: "Attribute Cloud" + group_item_label: "Availability Zone" + } + + dimension: attribute__cloud__environment { + type: number + sql: ${TABLE}.attribute.cloud.environment ;; + group_label: "Attribute Cloud" + group_item_label: "Environment" + } + + dimension: attribute__cloud__project__id { + type: string + sql: ${TABLE}.attribute.cloud.project.id ;; + group_label: "Attribute Cloud Project" + group_item_label: "ID" + } + + dimension: attribute__cloud__project__name { + type: string + sql: ${TABLE}.attribute.cloud.project.name ;; + group_label: "Attribute Cloud Project" + group_item_label: "Name" + } + + dimension: attribute__cloud__project__parent { + type: string + sql: ${TABLE}.attribute.cloud.project.parent ;; + group_label: "Attribute Cloud Project" + group_item_label: "Parent" + } + + dimension: attribute__cloud__project__product_object_id { + type: string + sql: ${TABLE}.attribute.cloud.project.product_object_id ;; + group_label: "Attribute Cloud Project" + group_item_label: "Product Object ID" + } + + dimension: attribute__cloud__project__resource_subtype { + type: string + sql: ${TABLE}.attribute.cloud.project.resource_subtype ;; + group_label: "Attribute Cloud Project" + 
group_item_label: "Resource Subtype" + } + + dimension: attribute__cloud__project__resource_type { + type: number + sql: ${TABLE}.attribute.cloud.project.resource_type ;; + group_label: "Attribute Cloud Project" + group_item_label: "Resource Type" + } + + dimension: attribute__cloud__project__type { + type: string + sql: ${TABLE}.attribute.cloud.project.type ;; + group_label: "Attribute Cloud Project" + group_item_label: "Type" + } + + dimension: attribute__cloud__vpc__id { + type: string + sql: ${TABLE}.attribute.cloud.vpc.id ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "ID" + } + + dimension: attribute__cloud__vpc__name { + type: string + sql: ${TABLE}.attribute.cloud.vpc.name ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "Name" + } + + dimension: attribute__cloud__vpc__parent { + type: string + sql: ${TABLE}.attribute.cloud.vpc.parent ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "Parent" + } + + dimension: attribute__cloud__vpc__product_object_id { + type: string + sql: ${TABLE}.attribute.cloud.vpc.product_object_id ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "Product Object ID" + } + + dimension: attribute__cloud__vpc__resource_subtype { + type: string + sql: ${TABLE}.attribute.cloud.vpc.resource_subtype ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "Resource Subtype" + } + + dimension: attribute__cloud__vpc__resource_type { + type: number + sql: ${TABLE}.attribute.cloud.vpc.resource_type ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "Resource Type" + } + + dimension: attribute__cloud__vpc__type { + type: string + sql: ${TABLE}.attribute.cloud.vpc.type ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "Type" + } + + dimension: attribute__creation_time__nanos { + type: number + sql: ${TABLE}.attribute.creation_time.nanos ;; + group_label: "Attribute Creation Time" + group_item_label: "Nanos" + } + + dimension: attribute__creation_time__seconds { + type: number + 
sql: ${TABLE}.attribute.creation_time.seconds ;; + group_label: "Attribute Creation Time" + group_item_label: "Seconds" + } + + dimension: attribute__labels { + hidden: yes + sql: ${TABLE}.attribute.labels ;; + group_label: "Attribute" + group_item_label: "Labels" + } + + dimension: attribute__last_update_time__nanos { + type: number + sql: ${TABLE}.attribute.last_update_time.nanos ;; + group_label: "Attribute Last Update Time" + group_item_label: "Nanos" + } + + dimension: attribute__last_update_time__seconds { + type: number + sql: ${TABLE}.attribute.last_update_time.seconds ;; + group_label: "Attribute Last Update Time" + group_item_label: "Seconds" + } + + dimension: attribute__permissions { + hidden: yes + sql: ${TABLE}.attribute.permissions ;; + group_label: "Attribute" + group_item_label: "Permissions" + } + + dimension: attribute__roles { + hidden: yes + sql: ${TABLE}.attribute.roles ;; + group_label: "Attribute" + group_item_label: "Roles" + } + + dimension: company_name { + type: string + sql: ${TABLE}.company_name ;; + } + + dimension: department { + hidden: yes + sql: ${TABLE}.department ;; + } + + dimension: email_addresses { + hidden: yes + sql: ${TABLE}.email_addresses ;; + } + + dimension: employee_id { + type: string + sql: ${TABLE}.employee_id ;; + } + + dimension: first_name { + type: string + sql: ${TABLE}.first_name ;; + } + + dimension: first_seen_time__nanos { + type: number + sql: ${TABLE}.first_seen_time.nanos ;; + group_label: "First Seen Time" + group_item_label: "Nanos" + } + + dimension: first_seen_time__seconds { + type: number + sql: ${TABLE}.first_seen_time.seconds ;; + group_label: "First Seen Time" + group_item_label: "Seconds" + } + + dimension: group_identifiers { + hidden: yes + sql: ${TABLE}.group_identifiers ;; + } + + dimension: groupid { + type: string + sql: ${TABLE}.groupid ;; + } + + dimension: hire_date__nanos { + type: number + sql: ${TABLE}.hire_date.nanos ;; + group_label: "Hire Date" + group_item_label: "Nanos" + } + 
+ dimension: hire_date__seconds { + type: number + sql: ${TABLE}.hire_date.seconds ;; + group_label: "Hire Date" + group_item_label: "Seconds" + } + + dimension: last_name { + type: string + sql: ${TABLE}.last_name ;; + } + + dimension: middle_name { + type: string + sql: ${TABLE}.middle_name ;; + } + + dimension: office_address__city { + type: string + sql: ${TABLE}.office_address.city ;; + group_label: "Office Address" + group_item_label: "City" + } + + dimension: office_address__country_or_region { + type: string + sql: ${TABLE}.office_address.country_or_region ;; + group_label: "Office Address" + group_item_label: "Country or Region" + } + + dimension: office_address__desk_name { + type: string + sql: ${TABLE}.office_address.desk_name ;; + group_label: "Office Address" + group_item_label: "Desk Name" + } + + dimension: office_address__floor_name { + type: string + sql: ${TABLE}.office_address.floor_name ;; + group_label: "Office Address" + group_item_label: "Floor Name" + } + + dimension: office_address__name { + type: string + sql: ${TABLE}.office_address.name ;; + group_label: "Office Address" + group_item_label: "Name" + } + + dimension: office_address__region_latitude { + type: number + sql: ${TABLE}.office_address.region_latitude ;; + group_label: "Office Address" + group_item_label: "Region Latitude" + } + + dimension: office_address__region_longitude { + type: number + sql: ${TABLE}.office_address.region_longitude ;; + group_label: "Office Address" + group_item_label: "Region Longitude" + } + + dimension: office_address__state { + type: string + sql: ${TABLE}.office_address.state ;; + group_label: "Office Address" + group_item_label: "State" + } + + dimension: personal_address__city { + type: string + sql: ${TABLE}.personal_address.city ;; + group_label: "Personal Address" + group_item_label: "City" + } + + dimension: personal_address__country_or_region { + type: string + sql: ${TABLE}.personal_address.country_or_region ;; + group_label: "Personal 
Address" + group_item_label: "Country or Region" + } + + dimension: personal_address__desk_name { + type: string + sql: ${TABLE}.personal_address.desk_name ;; + group_label: "Personal Address" + group_item_label: "Desk Name" + } + + dimension: personal_address__floor_name { + type: string + sql: ${TABLE}.personal_address.floor_name ;; + group_label: "Personal Address" + group_item_label: "Floor Name" + } + + dimension: personal_address__name { + type: string + sql: ${TABLE}.personal_address.name ;; + group_label: "Personal Address" + group_item_label: "Name" + } + + dimension: personal_address__region_latitude { + type: number + sql: ${TABLE}.personal_address.region_latitude ;; + group_label: "Personal Address" + group_item_label: "Region Latitude" + } + + dimension: personal_address__region_longitude { + type: number + sql: ${TABLE}.personal_address.region_longitude ;; + group_label: "Personal Address" + group_item_label: "Region Longitude" + } + + dimension: personal_address__state { + type: string + sql: ${TABLE}.personal_address.state ;; + group_label: "Personal Address" + group_item_label: "State" + } + + dimension: phone_numbers { + hidden: yes + sql: ${TABLE}.phone_numbers ;; + } + + dimension: product_object_id { + type: string + sql: ${TABLE}.product_object_id ;; + } + + dimension: role_description { + type: string + sql: ${TABLE}.role_description ;; + } + + dimension: role_name { + type: string + sql: ${TABLE}.role_name ;; + } + + dimension: termination_date__nanos { + type: number + sql: ${TABLE}.termination_date.nanos ;; + group_label: "Termination Date" + group_item_label: "Nanos" + } + + dimension: termination_date__seconds { + type: number + sql: ${TABLE}.termination_date.seconds ;; + group_label: "Termination Date" + group_item_label: "Seconds" + } + + dimension: time_off { + hidden: yes + sql: ${TABLE}.time_off ;; + } + + dimension: title { + type: string + sql: ${TABLE}.title ;; + } + + dimension: user_authentication_status { + type: number + sql: 
${TABLE}.user_authentication_status ;; + } + + dimension: user_display_name { + type: string + sql: ${TABLE}.user_display_name ;; + } + + dimension: user_role { + type: number + sql: ${TABLE}.user_role ;; + } + + dimension: userid { + type: string + sql: ${TABLE}.userid ;; + } + + dimension: windows_sid { + type: string + sql: ${TABLE}.windows_sid ;; + } +} + +view: udm_events__observer__domain__tech__email_addresses { + dimension: udm_events__observer__domain__tech__email_addresses { + type: string + sql: udm_events__observer__domain__tech__email_addresses ;; + } +} + +view: udm_events__observer__domain__zone__email_addresses { + dimension: udm_events__observer__domain__zone__email_addresses { + type: string + sql: udm_events__observer__domain__zone__email_addresses ;; + } +} + +view: udm_events__src__user_management_chain__department { + dimension: udm_events__src__user_management_chain__department { + type: string + sql: udm_events__src__user_management_chain__department ;; + } +} + +view: udm_events__src__domain__tech__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: udm_events__src__domain__tech__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: 
string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__src__domain__tech__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__src__domain__billing__group_identifiers { + dimension: udm_events__src__domain__billing__group_identifiers { + type: string + sql: udm_events__src__domain__billing__group_identifiers ;; + } +} + +view: udm_events__src__domain__zone__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: udm_events__src__domain__zone__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__src__domain__zone__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__src__asset__attribute__permissions { 
+ dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__security_result__detection_fields { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__target__file__pe_file__resource { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + } + + dimension: file_type { + type: string + sql: ${TABLE}.file_type ;; + } + + dimension: filetype_magic { + type: string + sql: ${TABLE}.filetype_magic ;; + } + + dimension: language_code { + type: string + sql: ${TABLE}.language_code ;; + } + + dimension: resource_type { + type: string + sql: ${TABLE}.resource_type ;; + } + + dimension: sha256_hex { + type: string + sql: ${TABLE}.sha256_hex ;; + } +} + +view: udm_events__target__resource__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__target__resource__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__target__domain__tech__group_identifiers { + dimension: udm_events__target__domain__tech__group_identifiers { + type: string + sql: udm_events__target__domain__tech__group_identifiers ;; + } +} + +view: udm_events__target__domain__zone__group_identifiers { + dimension: udm_events__target__domain__zone__group_identifiers { + type: string + sql: udm_events__target__domain__zone__group_identifiers ;; + } +} + +view: 
udm_events__about__domain__registrant__phone_numbers { + dimension: udm_events__about__domain__registrant__phone_numbers { + type: string + sql: udm_events__about__domain__registrant__phone_numbers ;; + } +} + +view: udm_events__about__asset__software__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__about__user__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__principal__user_management_chain { + dimension: account_type { + type: number + sql: ${TABLE}.account_type ;; + } + + dimension: attribute__cloud__availability_zone { + type: string + sql: ${TABLE}.attribute.cloud.availability_zone ;; + group_label: "Attribute Cloud" + group_item_label: "Availability Zone" + } + + dimension: attribute__cloud__environment { + type: number + sql: ${TABLE}.attribute.cloud.environment ;; + group_label: "Attribute Cloud" + group_item_label: "Environment" + } + + dimension: attribute__cloud__project__id { + type: string + sql: ${TABLE}.attribute.cloud.project.id ;; + group_label: "Attribute Cloud Project" + group_item_label: "ID" + } + + dimension: attribute__cloud__project__name { + type: string + sql: ${TABLE}.attribute.cloud.project.name ;; + group_label: "Attribute Cloud Project" + group_item_label: "Name" + } + + dimension: attribute__cloud__project__parent { + type: string + sql: ${TABLE}.attribute.cloud.project.parent ;; + group_label: "Attribute Cloud Project" + group_item_label: "Parent" + } + + dimension: attribute__cloud__project__product_object_id { + type: string + sql: ${TABLE}.attribute.cloud.project.product_object_id ;; + group_label: "Attribute Cloud Project" + 
group_item_label: "Product Object ID" + } + + dimension: attribute__cloud__project__resource_subtype { + type: string + sql: ${TABLE}.attribute.cloud.project.resource_subtype ;; + group_label: "Attribute Cloud Project" + group_item_label: "Resource Subtype" + } + + dimension: attribute__cloud__project__resource_type { + type: number + sql: ${TABLE}.attribute.cloud.project.resource_type ;; + group_label: "Attribute Cloud Project" + group_item_label: "Resource Type" + } + + dimension: attribute__cloud__project__type { + type: string + sql: ${TABLE}.attribute.cloud.project.type ;; + group_label: "Attribute Cloud Project" + group_item_label: "Type" + } + + dimension: attribute__cloud__vpc__id { + type: string + sql: ${TABLE}.attribute.cloud.vpc.id ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "ID" + } + + dimension: attribute__cloud__vpc__name { + type: string + sql: ${TABLE}.attribute.cloud.vpc.name ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "Name" + } + + dimension: attribute__cloud__vpc__parent { + type: string + sql: ${TABLE}.attribute.cloud.vpc.parent ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "Parent" + } + + dimension: attribute__cloud__vpc__product_object_id { + type: string + sql: ${TABLE}.attribute.cloud.vpc.product_object_id ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "Product Object ID" + } + + dimension: attribute__cloud__vpc__resource_subtype { + type: string + sql: ${TABLE}.attribute.cloud.vpc.resource_subtype ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "Resource Subtype" + } + + dimension: attribute__cloud__vpc__resource_type { + type: number + sql: ${TABLE}.attribute.cloud.vpc.resource_type ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "Resource Type" + } + + dimension: attribute__cloud__vpc__type { + type: string + sql: ${TABLE}.attribute.cloud.vpc.type ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "Type" + } + + dimension: 
attribute__creation_time__nanos { + type: number + sql: ${TABLE}.attribute.creation_time.nanos ;; + group_label: "Attribute Creation Time" + group_item_label: "Nanos" + } + + dimension: attribute__creation_time__seconds { + type: number + sql: ${TABLE}.attribute.creation_time.seconds ;; + group_label: "Attribute Creation Time" + group_item_label: "Seconds" + } + + dimension: attribute__labels { + hidden: yes + sql: ${TABLE}.attribute.labels ;; + group_label: "Attribute" + group_item_label: "Labels" + } + + dimension: attribute__last_update_time__nanos { + type: number + sql: ${TABLE}.attribute.last_update_time.nanos ;; + group_label: "Attribute Last Update Time" + group_item_label: "Nanos" + } + + dimension: attribute__last_update_time__seconds { + type: number + sql: ${TABLE}.attribute.last_update_time.seconds ;; + group_label: "Attribute Last Update Time" + group_item_label: "Seconds" + } + + dimension: attribute__permissions { + hidden: yes + sql: ${TABLE}.attribute.permissions ;; + group_label: "Attribute" + group_item_label: "Permissions" + } + + dimension: attribute__roles { + hidden: yes + sql: ${TABLE}.attribute.roles ;; + group_label: "Attribute" + group_item_label: "Roles" + } + + dimension: company_name { + type: string + sql: ${TABLE}.company_name ;; + } + + dimension: department { + hidden: yes + sql: ${TABLE}.department ;; + } + + dimension: email_addresses { + hidden: yes + sql: ${TABLE}.email_addresses ;; + } + + dimension: employee_id { + type: string + sql: ${TABLE}.employee_id ;; + } + + dimension: first_name { + type: string + sql: ${TABLE}.first_name ;; + } + + dimension: first_seen_time__nanos { + type: number + sql: ${TABLE}.first_seen_time.nanos ;; + group_label: "First Seen Time" + group_item_label: "Nanos" + } + + dimension: first_seen_time__seconds { + type: number + sql: ${TABLE}.first_seen_time.seconds ;; + group_label: "First Seen Time" + group_item_label: "Seconds" + } + + dimension: group_identifiers { + hidden: yes + sql: 
${TABLE}.group_identifiers ;; + } + + dimension: groupid { + type: string + sql: ${TABLE}.groupid ;; + } + + dimension: hire_date__nanos { + type: number + sql: ${TABLE}.hire_date.nanos ;; + group_label: "Hire Date" + group_item_label: "Nanos" + } + + dimension: hire_date__seconds { + type: number + sql: ${TABLE}.hire_date.seconds ;; + group_label: "Hire Date" + group_item_label: "Seconds" + } + + dimension: last_name { + type: string + sql: ${TABLE}.last_name ;; + } + + dimension: middle_name { + type: string + sql: ${TABLE}.middle_name ;; + } + + dimension: office_address__city { + type: string + sql: ${TABLE}.office_address.city ;; + group_label: "Office Address" + group_item_label: "City" + } + + dimension: office_address__country_or_region { + type: string + sql: ${TABLE}.office_address.country_or_region ;; + group_label: "Office Address" + group_item_label: "Country or Region" + } + + dimension: office_address__desk_name { + type: string + sql: ${TABLE}.office_address.desk_name ;; + group_label: "Office Address" + group_item_label: "Desk Name" + } + + dimension: office_address__floor_name { + type: string + sql: ${TABLE}.office_address.floor_name ;; + group_label: "Office Address" + group_item_label: "Floor Name" + } + + dimension: office_address__name { + type: string + sql: ${TABLE}.office_address.name ;; + group_label: "Office Address" + group_item_label: "Name" + } + + dimension: office_address__region_latitude { + type: number + sql: ${TABLE}.office_address.region_latitude ;; + group_label: "Office Address" + group_item_label: "Region Latitude" + } + + dimension: office_address__region_longitude { + type: number + sql: ${TABLE}.office_address.region_longitude ;; + group_label: "Office Address" + group_item_label: "Region Longitude" + } + + dimension: office_address__state { + type: string + sql: ${TABLE}.office_address.state ;; + group_label: "Office Address" + group_item_label: "State" + } + + dimension: personal_address__city { + type: string + sql: 
${TABLE}.personal_address.city ;; + group_label: "Personal Address" + group_item_label: "City" + } + + dimension: personal_address__country_or_region { + type: string + sql: ${TABLE}.personal_address.country_or_region ;; + group_label: "Personal Address" + group_item_label: "Country or Region" + } + + dimension: personal_address__desk_name { + type: string + sql: ${TABLE}.personal_address.desk_name ;; + group_label: "Personal Address" + group_item_label: "Desk Name" + } + + dimension: personal_address__floor_name { + type: string + sql: ${TABLE}.personal_address.floor_name ;; + group_label: "Personal Address" + group_item_label: "Floor Name" + } + + dimension: personal_address__name { + type: string + sql: ${TABLE}.personal_address.name ;; + group_label: "Personal Address" + group_item_label: "Name" + } + + dimension: personal_address__region_latitude { + type: number + sql: ${TABLE}.personal_address.region_latitude ;; + group_label: "Personal Address" + group_item_label: "Region Latitude" + } + + dimension: personal_address__region_longitude { + type: number + sql: ${TABLE}.personal_address.region_longitude ;; + group_label: "Personal Address" + group_item_label: "Region Longitude" + } + + dimension: personal_address__state { + type: string + sql: ${TABLE}.personal_address.state ;; + group_label: "Personal Address" + group_item_label: "State" + } + + dimension: phone_numbers { + hidden: yes + sql: ${TABLE}.phone_numbers ;; + } + + dimension: product_object_id { + type: string + sql: ${TABLE}.product_object_id ;; + } + + dimension: role_description { + type: string + sql: ${TABLE}.role_description ;; + } + + dimension: role_name { + type: string + sql: ${TABLE}.role_name ;; + } + + dimension: termination_date__nanos { + type: number + sql: ${TABLE}.termination_date.nanos ;; + group_label: "Termination Date" + group_item_label: "Nanos" + } + + dimension: termination_date__seconds { + type: number + sql: ${TABLE}.termination_date.seconds ;; + group_label: 
"Termination Date" + group_item_label: "Seconds" + } + + dimension: time_off { + hidden: yes + sql: ${TABLE}.time_off ;; + } + + dimension: title { + type: string + sql: ${TABLE}.title ;; + } + + dimension: user_authentication_status { + type: number + sql: ${TABLE}.user_authentication_status ;; + } + + dimension: user_display_name { + type: string + sql: ${TABLE}.user_display_name ;; + } + + dimension: user_role { + type: number + sql: ${TABLE}.user_role ;; + } + + dimension: userid { + type: string + sql: ${TABLE}.userid ;; + } + + dimension: windows_sid { + type: string + sql: ${TABLE}.windows_sid ;; + } +} + +view: udm_events__principal__domain__tech__email_addresses { + dimension: udm_events__principal__domain__tech__email_addresses { + type: string + sql: udm_events__principal__domain__tech__email_addresses ;; + } +} + +view: udm_events__principal__domain__zone__email_addresses { + dimension: udm_events__principal__domain__zone__email_addresses { + type: string + sql: udm_events__principal__domain__zone__email_addresses ;; + } +} + +view: udm_events__observer__file__pe_file__imports { + dimension: functions { + hidden: yes + sql: ${TABLE}.functions ;; + } + + dimension: library { + type: string + sql: ${TABLE}.library ;; + } +} + +view: udm_events__observer__group__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__observer__group__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__observer__process__command_line_history { + dimension: udm_events__observer__process__command_line_history { + type: string + sql: udm_events__observer__process__command_line_history ;; + } +} + 
+view: udm_events__observer__process_ancestors__file__names { + dimension: udm_events__observer__process_ancestors__file__names { + type: string + sql: udm_events__observer__process_ancestors__file__names ;; + } +} + +view: udm_events__observer__domain__admin__email_addresses { + dimension: udm_events__observer__domain__admin__email_addresses { + type: string + sql: udm_events__observer__domain__admin__email_addresses ;; + } +} + +view: udm_events__observer__domain__billing__phone_numbers { + dimension: udm_events__observer__domain__billing__phone_numbers { + type: string + sql: udm_events__observer__domain__billing__phone_numbers ;; + } +} + +view: udm_events__observer__domain__registrant__department { + dimension: udm_events__observer__domain__registrant__department { + type: string + sql: udm_events__observer__domain__registrant__department ;; + } +} + +view: udm_events__src__process__file__pe_file__section { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + } + + dimension: md5_hex { + type: string + sql: ${TABLE}.md5_hex ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: raw_size_bytes { + type: number + sql: ${TABLE}.raw_size_bytes ;; + } + + dimension: virtual_size_bytes { + type: number + sql: ${TABLE}.virtual_size_bytes ;; + } +} + +view: udm_events__src__domain__admin__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + dimension: 
interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: udm_events__src__domain__admin__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__src__domain__admin__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__src__domain__registrant__email_addresses { + dimension: udm_events__src__domain__registrant__email_addresses { + type: string + sql: udm_events__src__domain__registrant__email_addresses ;; + } +} + +view: udm_events__security_result__about__user__department { + dimension: udm_events__security_result__about__user__department { + type: string + sql: udm_events__security_result__about__user__department ;; + } +} + +view: udm_events__target__cloud__vpc__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__target__cloud__vpc__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__target__file__pe_file__imports__functions { + dimension: udm_events__target__file__pe_file__imports__functions { + type: string + sql: udm_events__target__file__pe_file__imports__functions ;; + } +} + +view: udm_events__target__process__file__capabilities_tags { + dimension: 
udm_events__target__process__file__capabilities_tags { + type: string + sql: udm_events__target__process__file__capabilities_tags ;; + } +} + +view: udm_events__target__domain__admin__group_identifiers { + dimension: udm_events__target__domain__admin__group_identifiers { + type: string + sql: udm_events__target__domain__admin__group_identifiers ;; + } +} + +view: udm_events__target__domain__billing__email_addresses { + dimension: udm_events__target__domain__billing__email_addresses { + type: string + sql: udm_events__target__domain__billing__email_addresses ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities { + dimension: about__administrative_domain { + type: string + sql: ${TABLE}.about.administrative_domain ;; + group_label: "About" + group_item_label: "Administrative Domain" + } + + dimension: about__application { + type: string + sql: ${TABLE}.about.application ;; + group_label: "About" + group_item_label: "Application" + } + + dimension: about__artifact__first_seen_time__nanos { + type: number + sql: ${TABLE}.about.artifact.first_seen_time.nanos ;; + group_label: "About Artifact First Seen Time" + group_item_label: "Nanos" + } + + dimension: about__artifact__first_seen_time__seconds { + type: number + sql: ${TABLE}.about.artifact.first_seen_time.seconds ;; + group_label: "About Artifact First Seen Time" + group_item_label: "Seconds" + } + + dimension: about__artifact__ip { + type: string + sql: ${TABLE}.about.artifact.ip ;; + group_label: "About Artifact" + group_item_label: "IP" + } + + dimension: about__artifact__last_seen_time__nanos { + type: number + sql: ${TABLE}.about.artifact.last_seen_time.nanos ;; + group_label: "About Artifact Last Seen Time" + group_item_label: "Nanos" + } + + dimension: about__artifact__last_seen_time__seconds { + type: number + sql: ${TABLE}.about.artifact.last_seen_time.seconds ;; + group_label: "About Artifact Last Seen Time" + group_item_label: "Seconds" + } + + dimension: about__artifact__prevalence__day_count 
{ + type: number + sql: ${TABLE}.about.artifact.prevalence.day_count ;; + group_label: "About Artifact Prevalence" + group_item_label: "Day Count" + } + + dimension: about__artifact__prevalence__day_max { + type: number + sql: ${TABLE}.about.artifact.prevalence.day_max ;; + group_label: "About Artifact Prevalence" + group_item_label: "Day Max" + } + + dimension: about__artifact__prevalence__day_max_sub_domains { + type: number + sql: ${TABLE}.about.artifact.prevalence.day_max_sub_domains ;; + group_label: "About Artifact Prevalence" + group_item_label: "Day Max Sub Domains" + } + + dimension: about__artifact__prevalence__rolling_max { + type: number + sql: ${TABLE}.about.artifact.prevalence.rolling_max ;; + group_label: "About Artifact Prevalence" + group_item_label: "Rolling Max" + } + + dimension: about__artifact__prevalence__rolling_max_sub_domains { + type: number + sql: ${TABLE}.about.artifact.prevalence.rolling_max_sub_domains ;; + group_label: "About Artifact Prevalence" + group_item_label: "Rolling Max Sub Domains" + } + + dimension: about__asset__asset_id { + type: string + sql: ${TABLE}.about.asset.asset_id ;; + group_label: "About Asset" + group_item_label: "Asset ID" + } + + dimension: about__asset__attribute__cloud__availability_zone { + type: string + sql: ${TABLE}.about.asset.attribute.cloud.availability_zone ;; + group_label: "About Asset Attribute Cloud" + group_item_label: "Availability Zone" + } + + dimension: about__asset__attribute__cloud__environment { + type: number + sql: ${TABLE}.about.asset.attribute.cloud.environment ;; + group_label: "About Asset Attribute Cloud" + group_item_label: "Environment" + } + + dimension: about__asset__attribute__cloud__project__id { + type: string + sql: ${TABLE}.about.asset.attribute.cloud.project.id ;; + group_label: "About Asset Attribute Cloud Project" + group_item_label: "ID" + } + + dimension: about__asset__attribute__cloud__project__name { + type: string + sql: 
${TABLE}.about.asset.attribute.cloud.project.name ;; + group_label: "About Asset Attribute Cloud Project" + group_item_label: "Name" + } + + dimension: about__asset__attribute__cloud__project__parent { + type: string + sql: ${TABLE}.about.asset.attribute.cloud.project.parent ;; + group_label: "About Asset Attribute Cloud Project" + group_item_label: "Parent" + } + + dimension: about__asset__attribute__cloud__project__product_object_id { + type: string + sql: ${TABLE}.about.asset.attribute.cloud.project.product_object_id ;; + group_label: "About Asset Attribute Cloud Project" + group_item_label: "Product Object ID" + } + + dimension: about__asset__attribute__cloud__project__resource_subtype { + type: string + sql: ${TABLE}.about.asset.attribute.cloud.project.resource_subtype ;; + group_label: "About Asset Attribute Cloud Project" + group_item_label: "Resource Subtype" + } + + dimension: about__asset__attribute__cloud__project__resource_type { + type: number + sql: ${TABLE}.about.asset.attribute.cloud.project.resource_type ;; + group_label: "About Asset Attribute Cloud Project" + group_item_label: "Resource Type" + } + + dimension: about__asset__attribute__cloud__project__type { + type: string + sql: ${TABLE}.about.asset.attribute.cloud.project.type ;; + group_label: "About Asset Attribute Cloud Project" + group_item_label: "Type" + } + + dimension: about__asset__attribute__cloud__vpc__id { + type: string + sql: ${TABLE}.about.asset.attribute.cloud.vpc.id ;; + group_label: "About Asset Attribute Cloud Vpc" + group_item_label: "ID" + } + + dimension: about__asset__attribute__cloud__vpc__name { + type: string + sql: ${TABLE}.about.asset.attribute.cloud.vpc.name ;; + group_label: "About Asset Attribute Cloud Vpc" + group_item_label: "Name" + } + + dimension: about__asset__attribute__cloud__vpc__parent { + type: string + sql: ${TABLE}.about.asset.attribute.cloud.vpc.parent ;; + group_label: "About Asset Attribute Cloud Vpc" + group_item_label: "Parent" + } + + dimension: 
about__asset__attribute__cloud__vpc__product_object_id { + type: string + sql: ${TABLE}.about.asset.attribute.cloud.vpc.product_object_id ;; + group_label: "About Asset Attribute Cloud Vpc" + group_item_label: "Product Object ID" + } + + dimension: about__asset__attribute__cloud__vpc__resource_subtype { + type: string + sql: ${TABLE}.about.asset.attribute.cloud.vpc.resource_subtype ;; + group_label: "About Asset Attribute Cloud Vpc" + group_item_label: "Resource Subtype" + } + + dimension: about__asset__attribute__cloud__vpc__resource_type { + type: number + sql: ${TABLE}.about.asset.attribute.cloud.vpc.resource_type ;; + group_label: "About Asset Attribute Cloud Vpc" + group_item_label: "Resource Type" + } + + dimension: about__asset__attribute__cloud__vpc__type { + type: string + sql: ${TABLE}.about.asset.attribute.cloud.vpc.type ;; + group_label: "About Asset Attribute Cloud Vpc" + group_item_label: "Type" + } + + dimension: about__asset__attribute__creation_time__nanos { + type: number + sql: ${TABLE}.about.asset.attribute.creation_time.nanos ;; + group_label: "About Asset Attribute Creation Time" + group_item_label: "Nanos" + } + + dimension: about__asset__attribute__creation_time__seconds { + type: number + sql: ${TABLE}.about.asset.attribute.creation_time.seconds ;; + group_label: "About Asset Attribute Creation Time" + group_item_label: "Seconds" + } + + dimension: about__asset__attribute__labels { + hidden: yes + sql: ${TABLE}.about.asset.attribute.labels ;; + group_label: "About Asset Attribute" + group_item_label: "Labels" + } + + dimension: about__asset__attribute__last_update_time__nanos { + type: number + sql: ${TABLE}.about.asset.attribute.last_update_time.nanos ;; + group_label: "About Asset Attribute Last Update Time" + group_item_label: "Nanos" + } + + dimension: about__asset__attribute__last_update_time__seconds { + type: number + sql: ${TABLE}.about.asset.attribute.last_update_time.seconds ;; + group_label: "About Asset Attribute Last Update 
Time" + group_item_label: "Seconds" + } + + dimension: about__asset__attribute__permissions { + hidden: yes + sql: ${TABLE}.about.asset.attribute.permissions ;; + group_label: "About Asset Attribute" + group_item_label: "Permissions" + } + + dimension: about__asset__attribute__roles { + hidden: yes + sql: ${TABLE}.about.asset.attribute.roles ;; + group_label: "About Asset Attribute" + group_item_label: "Roles" + } + + dimension: about__asset__category { + type: string + sql: ${TABLE}.about.asset.category ;; + group_label: "About Asset" + group_item_label: "Category" + } + + dimension: about__asset__creation_time__nanos { + type: number + sql: ${TABLE}.about.asset.creation_time.nanos ;; + group_label: "About Asset Creation Time" + group_item_label: "Nanos" + } + + dimension: about__asset__creation_time__seconds { + type: number + sql: ${TABLE}.about.asset.creation_time.seconds ;; + group_label: "About Asset Creation Time" + group_item_label: "Seconds" + } + + dimension: about__asset__deployment_status { + type: number + sql: ${TABLE}.about.asset.deployment_status ;; + group_label: "About Asset" + group_item_label: "Deployment Status" + } + + dimension: about__asset__first_discover_time__nanos { + type: number + sql: ${TABLE}.about.asset.first_discover_time.nanos ;; + group_label: "About Asset First Discover Time" + group_item_label: "Nanos" + } + + dimension: about__asset__first_discover_time__seconds { + type: number + sql: ${TABLE}.about.asset.first_discover_time.seconds ;; + group_label: "About Asset First Discover Time" + group_item_label: "Seconds" + } + + dimension: about__asset__first_seen_time__nanos { + type: number + sql: ${TABLE}.about.asset.first_seen_time.nanos ;; + group_label: "About Asset First Seen Time" + group_item_label: "Nanos" + } + + dimension: about__asset__first_seen_time__seconds { + type: number + sql: ${TABLE}.about.asset.first_seen_time.seconds ;; + group_label: "About Asset First Seen Time" + group_item_label: "Seconds" + } + + 
dimension: about__asset__hardware { + hidden: yes + sql: ${TABLE}.about.asset.hardware ;; + group_label: "About Asset" + group_item_label: "Hardware" + } + + dimension: about__asset__hostname { + type: string + sql: ${TABLE}.about.asset.hostname ;; + group_label: "About Asset" + group_item_label: "Hostname" + } + + dimension: about__asset__ip { + hidden: yes + sql: ${TABLE}.about.asset.ip ;; + group_label: "About Asset" + group_item_label: "IP" + } + + dimension: about__asset__labels { + hidden: yes + sql: ${TABLE}.about.asset.labels ;; + group_label: "About Asset" + group_item_label: "Labels" + } + + dimension: about__asset__last_boot_time__nanos { + type: number + sql: ${TABLE}.about.asset.last_boot_time.nanos ;; + group_label: "About Asset Last Boot Time" + group_item_label: "Nanos" + } + + dimension: about__asset__last_boot_time__seconds { + type: number + sql: ${TABLE}.about.asset.last_boot_time.seconds ;; + group_label: "About Asset Last Boot Time" + group_item_label: "Seconds" + } + + dimension: about__asset__last_discover_time__nanos { + type: number + sql: ${TABLE}.about.asset.last_discover_time.nanos ;; + group_label: "About Asset Last Discover Time" + group_item_label: "Nanos" + } + + dimension: about__asset__last_discover_time__seconds { + type: number + sql: ${TABLE}.about.asset.last_discover_time.seconds ;; + group_label: "About Asset Last Discover Time" + group_item_label: "Seconds" + } + + dimension: about__asset__location__city { + type: string + sql: ${TABLE}.about.asset.location.city ;; + group_label: "About Asset Location" + group_item_label: "City" + } + + dimension: about__asset__location__country_or_region { + type: string + sql: ${TABLE}.about.asset.location.country_or_region ;; + group_label: "About Asset Location" + group_item_label: "Country or Region" + } + + dimension: about__asset__location__desk_name { + type: string + sql: ${TABLE}.about.asset.location.desk_name ;; + group_label: "About Asset Location" + group_item_label: "Desk Name" 
+ } + + dimension: about__asset__location__floor_name { + type: string + sql: ${TABLE}.about.asset.location.floor_name ;; + group_label: "About Asset Location" + group_item_label: "Floor Name" + } + + dimension: about__asset__location__name { + type: string + sql: ${TABLE}.about.asset.location.name ;; + group_label: "About Asset Location" + group_item_label: "Name" + } + + dimension: about__asset__location__region_latitude { + type: number + sql: ${TABLE}.about.asset.location.region_latitude ;; + group_label: "About Asset Location" + group_item_label: "Region Latitude" + } + + dimension: about__asset__location__region_longitude { + type: number + sql: ${TABLE}.about.asset.location.region_longitude ;; + group_label: "About Asset Location" + group_item_label: "Region Longitude" + } + + dimension: about__asset__location__state { + type: string + sql: ${TABLE}.about.asset.location.state ;; + group_label: "About Asset Location" + group_item_label: "State" + } + + dimension: about__asset__mac { + hidden: yes + sql: ${TABLE}.about.asset.mac ;; + group_label: "About Asset" + group_item_label: "Mac" + } + + dimension: about__asset__nat_ip { + hidden: yes + sql: ${TABLE}.about.asset.nat_ip ;; + group_label: "About Asset" + group_item_label: "Nat IP" + } + + dimension: about__asset__network_domain { + type: string + sql: ${TABLE}.about.asset.network_domain ;; + group_label: "About Asset" + group_item_label: "Network Domain" + } + + dimension: about__asset__platform_software__platform { + type: number + sql: ${TABLE}.about.asset.platform_software.platform ;; + group_label: "About Asset Platform Software" + group_item_label: "Platform" + } + + dimension: about__asset__platform_software__platform_patch_level { + type: string + sql: ${TABLE}.about.asset.platform_software.platform_patch_level ;; + group_label: "About Asset Platform Software" + group_item_label: "Platform Patch Level" + } + + dimension: about__asset__platform_software__platform_version { + type: string + sql: 
${TABLE}.about.asset.platform_software.platform_version ;; + group_label: "About Asset Platform Software" + group_item_label: "Platform Version" + } + + dimension: about__asset__product_object_id { + type: string + sql: ${TABLE}.about.asset.product_object_id ;; + group_label: "About Asset" + group_item_label: "Product Object ID" + } + + dimension: about__asset__software { + hidden: yes + sql: ${TABLE}.about.asset.software ;; + group_label: "About Asset" + group_item_label: "Software" + } + + dimension: about__asset__system_last_update_time__nanos { + type: number + sql: ${TABLE}.about.asset.system_last_update_time.nanos ;; + group_label: "About Asset System Last Update Time" + group_item_label: "Nanos" + } + + dimension: about__asset__system_last_update_time__seconds { + type: number + sql: ${TABLE}.about.asset.system_last_update_time.seconds ;; + group_label: "About Asset System Last Update Time" + group_item_label: "Seconds" + } + + dimension: about__asset__type { + type: number + sql: ${TABLE}.about.asset.type ;; + group_label: "About Asset" + group_item_label: "Type" + } + + dimension: about__asset_id { + type: string + sql: ${TABLE}.about.asset_id ;; + group_label: "About" + group_item_label: "Asset ID" + } + + dimension: about__cloud__availability_zone { + type: string + sql: ${TABLE}.about.cloud.availability_zone ;; + group_label: "About Cloud" + group_item_label: "Availability Zone" + } + + dimension: about__cloud__environment { + type: number + sql: ${TABLE}.about.cloud.environment ;; + group_label: "About Cloud" + group_item_label: "Environment" + } + + dimension: about__cloud__project__attribute__creation_time__nanos { + type: number + sql: ${TABLE}.about.cloud.project.attribute.creation_time.nanos ;; + group_label: "About Cloud Project Attribute Creation Time" + group_item_label: "Nanos" + } + + dimension: about__cloud__project__attribute__creation_time__seconds { + type: number + sql: ${TABLE}.about.cloud.project.attribute.creation_time.seconds ;; + 
group_label: "About Cloud Project Attribute Creation Time" + group_item_label: "Seconds" + } + + dimension: about__cloud__project__attribute__labels { + hidden: yes + sql: ${TABLE}.about.cloud.project.attribute.labels ;; + group_label: "About Cloud Project Attribute" + group_item_label: "Labels" + } + + dimension: about__cloud__project__attribute__last_update_time__nanos { + type: number + sql: ${TABLE}.about.cloud.project.attribute.last_update_time.nanos ;; + group_label: "About Cloud Project Attribute Last Update Time" + group_item_label: "Nanos" + } + + dimension: about__cloud__project__attribute__last_update_time__seconds { + type: number + sql: ${TABLE}.about.cloud.project.attribute.last_update_time.seconds ;; + group_label: "About Cloud Project Attribute Last Update Time" + group_item_label: "Seconds" + } + + dimension: about__cloud__project__attribute__permissions { + hidden: yes + sql: ${TABLE}.about.cloud.project.attribute.permissions ;; + group_label: "About Cloud Project Attribute" + group_item_label: "Permissions" + } + + dimension: about__cloud__project__attribute__roles { + hidden: yes + sql: ${TABLE}.about.cloud.project.attribute.roles ;; + group_label: "About Cloud Project Attribute" + group_item_label: "Roles" + } + + dimension: about__cloud__project__id { + type: string + sql: ${TABLE}.about.cloud.project.id ;; + group_label: "About Cloud Project" + group_item_label: "ID" + } + + dimension: about__cloud__project__name { + type: string + sql: ${TABLE}.about.cloud.project.name ;; + group_label: "About Cloud Project" + group_item_label: "Name" + } + + dimension: about__cloud__project__parent { + type: string + sql: ${TABLE}.about.cloud.project.parent ;; + group_label: "About Cloud Project" + group_item_label: "Parent" + } + + dimension: about__cloud__project__product_object_id { + type: string + sql: ${TABLE}.about.cloud.project.product_object_id ;; + group_label: "About Cloud Project" + group_item_label: "Product Object ID" + } + + dimension: 
about__cloud__project__resource_subtype { + type: string + sql: ${TABLE}.about.cloud.project.resource_subtype ;; + group_label: "About Cloud Project" + group_item_label: "Resource Subtype" + } + + dimension: about__cloud__project__resource_type { + type: number + sql: ${TABLE}.about.cloud.project.resource_type ;; + group_label: "About Cloud Project" + group_item_label: "Resource Type" + } + + dimension: about__cloud__project__type { + type: string + sql: ${TABLE}.about.cloud.project.type ;; + group_label: "About Cloud Project" + group_item_label: "Type" + } + + dimension: about__cloud__vpc__attribute__creation_time__nanos { + type: number + sql: ${TABLE}.about.cloud.vpc.attribute.creation_time.nanos ;; + group_label: "About Cloud Vpc Attribute Creation Time" + group_item_label: "Nanos" + } + + dimension: about__cloud__vpc__attribute__creation_time__seconds { + type: number + sql: ${TABLE}.about.cloud.vpc.attribute.creation_time.seconds ;; + group_label: "About Cloud Vpc Attribute Creation Time" + group_item_label: "Seconds" + } + + dimension: about__cloud__vpc__attribute__labels { + hidden: yes + sql: ${TABLE}.about.cloud.vpc.attribute.labels ;; + group_label: "About Cloud Vpc Attribute" + group_item_label: "Labels" + } + + dimension: about__cloud__vpc__attribute__last_update_time__nanos { + type: number + sql: ${TABLE}.about.cloud.vpc.attribute.last_update_time.nanos ;; + group_label: "About Cloud Vpc Attribute Last Update Time" + group_item_label: "Nanos" + } + + dimension: about__cloud__vpc__attribute__last_update_time__seconds { + type: number + sql: ${TABLE}.about.cloud.vpc.attribute.last_update_time.seconds ;; + group_label: "About Cloud Vpc Attribute Last Update Time" + group_item_label: "Seconds" + } + + dimension: about__cloud__vpc__attribute__permissions { + hidden: yes + sql: ${TABLE}.about.cloud.vpc.attribute.permissions ;; + group_label: "About Cloud Vpc Attribute" + group_item_label: "Permissions" + } + + dimension: about__cloud__vpc__attribute__roles 
{ + hidden: yes + sql: ${TABLE}.about.cloud.vpc.attribute.roles ;; + group_label: "About Cloud Vpc Attribute" + group_item_label: "Roles" + } + + dimension: about__cloud__vpc__id { + type: string + sql: ${TABLE}.about.cloud.vpc.id ;; + group_label: "About Cloud Vpc" + group_item_label: "ID" + } + + dimension: about__cloud__vpc__name { + type: string + sql: ${TABLE}.about.cloud.vpc.name ;; + group_label: "About Cloud Vpc" + group_item_label: "Name" + } + + dimension: about__cloud__vpc__parent { + type: string + sql: ${TABLE}.about.cloud.vpc.parent ;; + group_label: "About Cloud Vpc" + group_item_label: "Parent" + } + + dimension: about__cloud__vpc__product_object_id { + type: string + sql: ${TABLE}.about.cloud.vpc.product_object_id ;; + group_label: "About Cloud Vpc" + group_item_label: "Product Object ID" + } + + dimension: about__cloud__vpc__resource_subtype { + type: string + sql: ${TABLE}.about.cloud.vpc.resource_subtype ;; + group_label: "About Cloud Vpc" + group_item_label: "Resource Subtype" + } + + dimension: about__cloud__vpc__resource_type { + type: number + sql: ${TABLE}.about.cloud.vpc.resource_type ;; + group_label: "About Cloud Vpc" + group_item_label: "Resource Type" + } + + dimension: about__cloud__vpc__type { + type: string + sql: ${TABLE}.about.cloud.vpc.type ;; + group_label: "About Cloud Vpc" + group_item_label: "Type" + } + + dimension: about__domain__admin__account_type { + type: number + sql: ${TABLE}.about.domain.admin.account_type ;; + group_label: "About Domain Admin" + group_item_label: "Account Type" + } + + dimension: about__domain__admin__attribute__cloud__availability_zone { + type: string + sql: ${TABLE}.about.domain.admin.attribute.cloud.availability_zone ;; + group_label: "About Domain Admin Attribute Cloud" + group_item_label: "Availability Zone" + } + + dimension: about__domain__admin__attribute__cloud__environment { + type: number + sql: ${TABLE}.about.domain.admin.attribute.cloud.environment ;; + group_label: "About Domain Admin 
Attribute Cloud" + group_item_label: "Environment" + } + + dimension: about__domain__admin__attribute__cloud__project__id { + type: string + sql: ${TABLE}.about.domain.admin.attribute.cloud.project.id ;; + group_label: "About Domain Admin Attribute Cloud Project" + group_item_label: "ID" + } + + dimension: about__domain__admin__attribute__cloud__project__name { + type: string + sql: ${TABLE}.about.domain.admin.attribute.cloud.project.name ;; + group_label: "About Domain Admin Attribute Cloud Project" + group_item_label: "Name" + } + + dimension: about__domain__admin__attribute__cloud__project__parent { + type: string + sql: ${TABLE}.about.domain.admin.attribute.cloud.project.parent ;; + group_label: "About Domain Admin Attribute Cloud Project" + group_item_label: "Parent" + } + + dimension: about__domain__admin__attribute__cloud__project__product_object_id { + type: string + sql: ${TABLE}.about.domain.admin.attribute.cloud.project.product_object_id ;; + group_label: "About Domain Admin Attribute Cloud Project" + group_item_label: "Product Object ID" + } + + dimension: about__domain__admin__attribute__cloud__project__resource_subtype { + type: string + sql: ${TABLE}.about.domain.admin.attribute.cloud.project.resource_subtype ;; + group_label: "About Domain Admin Attribute Cloud Project" + group_item_label: "Resource Subtype" + } + + dimension: about__domain__admin__attribute__cloud__project__resource_type { + type: number + sql: ${TABLE}.about.domain.admin.attribute.cloud.project.resource_type ;; + group_label: "About Domain Admin Attribute Cloud Project" + group_item_label: "Resource Type" + } + + dimension: about__domain__admin__attribute__cloud__project__type { + type: string + sql: ${TABLE}.about.domain.admin.attribute.cloud.project.type ;; + group_label: "About Domain Admin Attribute Cloud Project" + group_item_label: "Type" + } + + dimension: about__domain__admin__attribute__cloud__vpc__id { + type: string + sql: 
${TABLE}.about.domain.admin.attribute.cloud.vpc.id ;; + group_label: "About Domain Admin Attribute Cloud Vpc" + group_item_label: "ID" + } + + dimension: about__domain__admin__attribute__cloud__vpc__name { + type: string + sql: ${TABLE}.about.domain.admin.attribute.cloud.vpc.name ;; + group_label: "About Domain Admin Attribute Cloud Vpc" + group_item_label: "Name" + } + + dimension: about__domain__admin__attribute__cloud__vpc__parent { + type: string + sql: ${TABLE}.about.domain.admin.attribute.cloud.vpc.parent ;; + group_label: "About Domain Admin Attribute Cloud Vpc" + group_item_label: "Parent" + } + + dimension: about__domain__admin__attribute__cloud__vpc__product_object_id { + type: string + sql: ${TABLE}.about.domain.admin.attribute.cloud.vpc.product_object_id ;; + group_label: "About Domain Admin Attribute Cloud Vpc" + group_item_label: "Product Object ID" + } + + dimension: about__domain__admin__attribute__cloud__vpc__resource_subtype { + type: string + sql: ${TABLE}.about.domain.admin.attribute.cloud.vpc.resource_subtype ;; + group_label: "About Domain Admin Attribute Cloud Vpc" + group_item_label: "Resource Subtype" + } + + dimension: about__domain__admin__attribute__cloud__vpc__resource_type { + type: number + sql: ${TABLE}.about.domain.admin.attribute.cloud.vpc.resource_type ;; + group_label: "About Domain Admin Attribute Cloud Vpc" + group_item_label: "Resource Type" + } + + dimension: about__domain__admin__attribute__cloud__vpc__type { + type: string + sql: ${TABLE}.about.domain.admin.attribute.cloud.vpc.type ;; + group_label: "About Domain Admin Attribute Cloud Vpc" + group_item_label: "Type" + } + + dimension: about__domain__admin__attribute__creation_time__nanos { + type: number + sql: ${TABLE}.about.domain.admin.attribute.creation_time.nanos ;; + group_label: "About Domain Admin Attribute Creation Time" + group_item_label: "Nanos" + } + + dimension: about__domain__admin__attribute__creation_time__seconds { + type: number + sql: 
${TABLE}.about.domain.admin.attribute.creation_time.seconds ;; + group_label: "About Domain Admin Attribute Creation Time" + group_item_label: "Seconds" + } + + dimension: about__domain__admin__attribute__labels { + hidden: yes + sql: ${TABLE}.about.domain.admin.attribute.labels ;; + group_label: "About Domain Admin Attribute" + group_item_label: "Labels" + } + + dimension: about__domain__admin__attribute__last_update_time__nanos { + type: number + sql: ${TABLE}.about.domain.admin.attribute.last_update_time.nanos ;; + group_label: "About Domain Admin Attribute Last Update Time" + group_item_label: "Nanos" + } + + dimension: about__domain__admin__attribute__last_update_time__seconds { + type: number + sql: ${TABLE}.about.domain.admin.attribute.last_update_time.seconds ;; + group_label: "About Domain Admin Attribute Last Update Time" + group_item_label: "Seconds" + } + + dimension: about__domain__admin__attribute__permissions { + hidden: yes + sql: ${TABLE}.about.domain.admin.attribute.permissions ;; + group_label: "About Domain Admin Attribute" + group_item_label: "Permissions" + } + + dimension: about__domain__admin__attribute__roles { + hidden: yes + sql: ${TABLE}.about.domain.admin.attribute.roles ;; + group_label: "About Domain Admin Attribute" + group_item_label: "Roles" + } + + dimension: about__domain__admin__company_name { + type: string + sql: ${TABLE}.about.domain.admin.company_name ;; + group_label: "About Domain Admin" + group_item_label: "Company Name" + } + + dimension: about__domain__admin__department { + hidden: yes + sql: ${TABLE}.about.domain.admin.department ;; + group_label: "About Domain Admin" + group_item_label: "Department" + } + + dimension: about__domain__admin__email_addresses { + hidden: yes + sql: ${TABLE}.about.domain.admin.email_addresses ;; + group_label: "About Domain Admin" + group_item_label: "Email Addresses" + } + + dimension: about__domain__admin__employee_id { + type: string + sql: ${TABLE}.about.domain.admin.employee_id ;; + 
group_label: "About Domain Admin" + group_item_label: "Employee ID" + } + + dimension: about__domain__admin__first_name { + type: string + sql: ${TABLE}.about.domain.admin.first_name ;; + group_label: "About Domain Admin" + group_item_label: "First Name" + } + + dimension: about__domain__admin__first_seen_time__nanos { + type: number + sql: ${TABLE}.about.domain.admin.first_seen_time.nanos ;; + group_label: "About Domain Admin First Seen Time" + group_item_label: "Nanos" + } + + dimension: about__domain__admin__first_seen_time__seconds { + type: number + sql: ${TABLE}.about.domain.admin.first_seen_time.seconds ;; + group_label: "About Domain Admin First Seen Time" + group_item_label: "Seconds" + } + + dimension: about__domain__admin__group_identifiers { + hidden: yes + sql: ${TABLE}.about.domain.admin.group_identifiers ;; + group_label: "About Domain Admin" + group_item_label: "Group Identifiers" + } + + dimension: about__domain__admin__groupid { + type: string + sql: ${TABLE}.about.domain.admin.groupid ;; + group_label: "About Domain Admin" + group_item_label: "Groupid" + } + + dimension: about__domain__admin__hire_date__nanos { + type: number + sql: ${TABLE}.about.domain.admin.hire_date.nanos ;; + group_label: "About Domain Admin Hire Date" + group_item_label: "Nanos" + } + + dimension: about__domain__admin__hire_date__seconds { + type: number + sql: ${TABLE}.about.domain.admin.hire_date.seconds ;; + group_label: "About Domain Admin Hire Date" + group_item_label: "Seconds" + } + + dimension: about__domain__admin__last_name { + type: string + sql: ${TABLE}.about.domain.admin.last_name ;; + group_label: "About Domain Admin" + group_item_label: "Last Name" + } + + dimension: about__domain__admin__middle_name { + type: string + sql: ${TABLE}.about.domain.admin.middle_name ;; + group_label: "About Domain Admin" + group_item_label: "Middle Name" + } + + dimension: about__domain__admin__office_address__city { + type: string + sql: 
${TABLE}.about.domain.admin.office_address.city ;; + group_label: "About Domain Admin Office Address" + group_item_label: "City" + } + + dimension: about__domain__admin__office_address__country_or_region { + type: string + sql: ${TABLE}.about.domain.admin.office_address.country_or_region ;; + group_label: "About Domain Admin Office Address" + group_item_label: "Country or Region" + } + + dimension: about__domain__admin__office_address__desk_name { + type: string + sql: ${TABLE}.about.domain.admin.office_address.desk_name ;; + group_label: "About Domain Admin Office Address" + group_item_label: "Desk Name" + } + + dimension: about__domain__admin__office_address__floor_name { + type: string + sql: ${TABLE}.about.domain.admin.office_address.floor_name ;; + group_label: "About Domain Admin Office Address" + group_item_label: "Floor Name" + } + + dimension: about__domain__admin__office_address__name { + type: string + sql: ${TABLE}.about.domain.admin.office_address.name ;; + group_label: "About Domain Admin Office Address" + group_item_label: "Name" + } + + dimension: about__domain__admin__office_address__region_latitude { + type: number + sql: ${TABLE}.about.domain.admin.office_address.region_latitude ;; + group_label: "About Domain Admin Office Address" + group_item_label: "Region Latitude" + } + + dimension: about__domain__admin__office_address__region_longitude { + type: number + sql: ${TABLE}.about.domain.admin.office_address.region_longitude ;; + group_label: "About Domain Admin Office Address" + group_item_label: "Region Longitude" + } + + dimension: about__domain__admin__office_address__state { + type: string + sql: ${TABLE}.about.domain.admin.office_address.state ;; + group_label: "About Domain Admin Office Address" + group_item_label: "State" + } + + dimension: about__domain__admin__personal_address__city { + type: string + sql: ${TABLE}.about.domain.admin.personal_address.city ;; + group_label: "About Domain Admin Personal Address" + group_item_label: "City" 
+ } + + dimension: about__domain__admin__personal_address__country_or_region { + type: string + sql: ${TABLE}.about.domain.admin.personal_address.country_or_region ;; + group_label: "About Domain Admin Personal Address" + group_item_label: "Country or Region" + } + + dimension: about__domain__admin__personal_address__desk_name { + type: string + sql: ${TABLE}.about.domain.admin.personal_address.desk_name ;; + group_label: "About Domain Admin Personal Address" + group_item_label: "Desk Name" + } + + dimension: about__domain__admin__personal_address__floor_name { + type: string + sql: ${TABLE}.about.domain.admin.personal_address.floor_name ;; + group_label: "About Domain Admin Personal Address" + group_item_label: "Floor Name" + } + + dimension: about__domain__admin__personal_address__name { + type: string + sql: ${TABLE}.about.domain.admin.personal_address.name ;; + group_label: "About Domain Admin Personal Address" + group_item_label: "Name" + } + + dimension: about__domain__admin__personal_address__region_latitude { + type: number + sql: ${TABLE}.about.domain.admin.personal_address.region_latitude ;; + group_label: "About Domain Admin Personal Address" + group_item_label: "Region Latitude" + } + + dimension: about__domain__admin__personal_address__region_longitude { + type: number + sql: ${TABLE}.about.domain.admin.personal_address.region_longitude ;; + group_label: "About Domain Admin Personal Address" + group_item_label: "Region Longitude" + } + + dimension: about__domain__admin__personal_address__state { + type: string + sql: ${TABLE}.about.domain.admin.personal_address.state ;; + group_label: "About Domain Admin Personal Address" + group_item_label: "State" + } + + dimension: about__domain__admin__phone_numbers { + hidden: yes + sql: ${TABLE}.about.domain.admin.phone_numbers ;; + group_label: "About Domain Admin" + group_item_label: "Phone Numbers" + } + + dimension: about__domain__admin__product_object_id { + type: string + sql: 
${TABLE}.about.domain.admin.product_object_id ;; + group_label: "About Domain Admin" + group_item_label: "Product Object ID" + } + + dimension: about__domain__admin__role_description { + type: string + sql: ${TABLE}.about.domain.admin.role_description ;; + group_label: "About Domain Admin" + group_item_label: "Role Description" + } + + dimension: about__domain__admin__role_name { + type: string + sql: ${TABLE}.about.domain.admin.role_name ;; + group_label: "About Domain Admin" + group_item_label: "Role Name" + } + + dimension: about__domain__admin__termination_date__nanos { + type: number + sql: ${TABLE}.about.domain.admin.termination_date.nanos ;; + group_label: "About Domain Admin Termination Date" + group_item_label: "Nanos" + } + + dimension: about__domain__admin__termination_date__seconds { + type: number + sql: ${TABLE}.about.domain.admin.termination_date.seconds ;; + group_label: "About Domain Admin Termination Date" + group_item_label: "Seconds" + } + + dimension: about__domain__admin__time_off { + hidden: yes + sql: ${TABLE}.about.domain.admin.time_off ;; + group_label: "About Domain Admin" + group_item_label: "Time Off" + } + + dimension: about__domain__admin__title { + type: string + sql: ${TABLE}.about.domain.admin.title ;; + group_label: "About Domain Admin" + group_item_label: "Title" + } + + dimension: about__domain__admin__user_authentication_status { + type: number + sql: ${TABLE}.about.domain.admin.user_authentication_status ;; + group_label: "About Domain Admin" + group_item_label: "User Authentication Status" + } + + dimension: about__domain__admin__user_display_name { + type: string + sql: ${TABLE}.about.domain.admin.user_display_name ;; + group_label: "About Domain Admin" + group_item_label: "User Display Name" + } + + dimension: about__domain__admin__user_role { + type: number + sql: ${TABLE}.about.domain.admin.user_role ;; + group_label: "About Domain Admin" + group_item_label: "User Role" + } + + dimension: about__domain__admin__userid { + 
type: string + sql: ${TABLE}.about.domain.admin.userid ;; + group_label: "About Domain Admin" + group_item_label: "Userid" + } + + dimension: about__domain__admin__windows_sid { + type: string + sql: ${TABLE}.about.domain.admin.windows_sid ;; + group_label: "About Domain Admin" + group_item_label: "Windows Sid" + } + + dimension: about__domain__audit_update_time__nanos { + type: number + sql: ${TABLE}.about.domain.audit_update_time.nanos ;; + group_label: "About Domain Audit Update Time" + group_item_label: "Nanos" + } + + dimension: about__domain__audit_update_time__seconds { + type: number + sql: ${TABLE}.about.domain.audit_update_time.seconds ;; + group_label: "About Domain Audit Update Time" + group_item_label: "Seconds" + } + + dimension: about__domain__billing__account_type { + type: number + sql: ${TABLE}.about.domain.billing.account_type ;; + group_label: "About Domain Billing" + group_item_label: "Account Type" + } + + dimension: about__domain__billing__attribute__cloud__availability_zone { + type: string + sql: ${TABLE}.about.domain.billing.attribute.cloud.availability_zone ;; + group_label: "About Domain Billing Attribute Cloud" + group_item_label: "Availability Zone" + } + + dimension: about__domain__billing__attribute__cloud__environment { + type: number + sql: ${TABLE}.about.domain.billing.attribute.cloud.environment ;; + group_label: "About Domain Billing Attribute Cloud" + group_item_label: "Environment" + } + + dimension: about__domain__billing__attribute__cloud__project__id { + type: string + sql: ${TABLE}.about.domain.billing.attribute.cloud.project.id ;; + group_label: "About Domain Billing Attribute Cloud Project" + group_item_label: "ID" + } + + dimension: about__domain__billing__attribute__cloud__project__name { + type: string + sql: ${TABLE}.about.domain.billing.attribute.cloud.project.name ;; + group_label: "About Domain Billing Attribute Cloud Project" + group_item_label: "Name" + } + + dimension: 
about__domain__billing__attribute__cloud__project__parent { + type: string + sql: ${TABLE}.about.domain.billing.attribute.cloud.project.parent ;; + group_label: "About Domain Billing Attribute Cloud Project" + group_item_label: "Parent" + } + + dimension: about__domain__billing__attribute__cloud__project__product_object_id { + type: string + sql: ${TABLE}.about.domain.billing.attribute.cloud.project.product_object_id ;; + group_label: "About Domain Billing Attribute Cloud Project" + group_item_label: "Product Object ID" + } + + dimension: about__domain__billing__attribute__cloud__project__resource_subtype { + type: string + sql: ${TABLE}.about.domain.billing.attribute.cloud.project.resource_subtype ;; + group_label: "About Domain Billing Attribute Cloud Project" + group_item_label: "Resource Subtype" + } + + dimension: about__domain__billing__attribute__cloud__project__resource_type { + type: number + sql: ${TABLE}.about.domain.billing.attribute.cloud.project.resource_type ;; + group_label: "About Domain Billing Attribute Cloud Project" + group_item_label: "Resource Type" + } + + dimension: about__domain__billing__attribute__cloud__project__type { + type: string + sql: ${TABLE}.about.domain.billing.attribute.cloud.project.type ;; + group_label: "About Domain Billing Attribute Cloud Project" + group_item_label: "Type" + } + + dimension: about__domain__billing__attribute__cloud__vpc__id { + type: string + sql: ${TABLE}.about.domain.billing.attribute.cloud.vpc.id ;; + group_label: "About Domain Billing Attribute Cloud Vpc" + group_item_label: "ID" + } + + dimension: about__domain__billing__attribute__cloud__vpc__name { + type: string + sql: ${TABLE}.about.domain.billing.attribute.cloud.vpc.name ;; + group_label: "About Domain Billing Attribute Cloud Vpc" + group_item_label: "Name" + } + + dimension: about__domain__billing__attribute__cloud__vpc__parent { + type: string + sql: ${TABLE}.about.domain.billing.attribute.cloud.vpc.parent ;; + group_label: "About Domain 
Billing Attribute Cloud Vpc" + group_item_label: "Parent" + } + + dimension: about__domain__billing__attribute__cloud__vpc__product_object_id { + type: string + sql: ${TABLE}.about.domain.billing.attribute.cloud.vpc.product_object_id ;; + group_label: "About Domain Billing Attribute Cloud Vpc" + group_item_label: "Product Object ID" + } + + dimension: about__domain__billing__attribute__cloud__vpc__resource_subtype { + type: string + sql: ${TABLE}.about.domain.billing.attribute.cloud.vpc.resource_subtype ;; + group_label: "About Domain Billing Attribute Cloud Vpc" + group_item_label: "Resource Subtype" + } + + dimension: about__domain__billing__attribute__cloud__vpc__resource_type { + type: number + sql: ${TABLE}.about.domain.billing.attribute.cloud.vpc.resource_type ;; + group_label: "About Domain Billing Attribute Cloud Vpc" + group_item_label: "Resource Type" + } + + dimension: about__domain__billing__attribute__cloud__vpc__type { + type: string + sql: ${TABLE}.about.domain.billing.attribute.cloud.vpc.type ;; + group_label: "About Domain Billing Attribute Cloud Vpc" + group_item_label: "Type" + } + + dimension: about__domain__billing__attribute__creation_time__nanos { + type: number + sql: ${TABLE}.about.domain.billing.attribute.creation_time.nanos ;; + group_label: "About Domain Billing Attribute Creation Time" + group_item_label: "Nanos" + } + + dimension: about__domain__billing__attribute__creation_time__seconds { + type: number + sql: ${TABLE}.about.domain.billing.attribute.creation_time.seconds ;; + group_label: "About Domain Billing Attribute Creation Time" + group_item_label: "Seconds" + } + + dimension: about__domain__billing__attribute__labels { + hidden: yes + sql: ${TABLE}.about.domain.billing.attribute.labels ;; + group_label: "About Domain Billing Attribute" + group_item_label: "Labels" + } + + dimension: about__domain__billing__attribute__last_update_time__nanos { + type: number + sql: ${TABLE}.about.domain.billing.attribute.last_update_time.nanos 
;; + group_label: "About Domain Billing Attribute Last Update Time" + group_item_label: "Nanos" + } + + dimension: about__domain__billing__attribute__last_update_time__seconds { + type: number + sql: ${TABLE}.about.domain.billing.attribute.last_update_time.seconds ;; + group_label: "About Domain Billing Attribute Last Update Time" + group_item_label: "Seconds" + } + + dimension: about__domain__billing__attribute__permissions { + hidden: yes + sql: ${TABLE}.about.domain.billing.attribute.permissions ;; + group_label: "About Domain Billing Attribute" + group_item_label: "Permissions" + } + + dimension: about__domain__billing__attribute__roles { + hidden: yes + sql: ${TABLE}.about.domain.billing.attribute.roles ;; + group_label: "About Domain Billing Attribute" + group_item_label: "Roles" + } + + dimension: about__domain__billing__company_name { + type: string + sql: ${TABLE}.about.domain.billing.company_name ;; + group_label: "About Domain Billing" + group_item_label: "Company Name" + } + + dimension: about__domain__billing__department { + hidden: yes + sql: ${TABLE}.about.domain.billing.department ;; + group_label: "About Domain Billing" + group_item_label: "Department" + } + + dimension: about__domain__billing__email_addresses { + hidden: yes + sql: ${TABLE}.about.domain.billing.email_addresses ;; + group_label: "About Domain Billing" + group_item_label: "Email Addresses" + } + + dimension: about__domain__billing__employee_id { + type: string + sql: ${TABLE}.about.domain.billing.employee_id ;; + group_label: "About Domain Billing" + group_item_label: "Employee ID" + } + + dimension: about__domain__billing__first_name { + type: string + sql: ${TABLE}.about.domain.billing.first_name ;; + group_label: "About Domain Billing" + group_item_label: "First Name" + } + + dimension: about__domain__billing__first_seen_time__nanos { + type: number + sql: ${TABLE}.about.domain.billing.first_seen_time.nanos ;; + group_label: "About Domain Billing First Seen Time" + 
group_item_label: "Nanos" + } + + dimension: about__domain__billing__first_seen_time__seconds { + type: number + sql: ${TABLE}.about.domain.billing.first_seen_time.seconds ;; + group_label: "About Domain Billing First Seen Time" + group_item_label: "Seconds" + } + + dimension: about__domain__billing__group_identifiers { + hidden: yes + sql: ${TABLE}.about.domain.billing.group_identifiers ;; + group_label: "About Domain Billing" + group_item_label: "Group Identifiers" + } + + dimension: about__domain__billing__groupid { + type: string + sql: ${TABLE}.about.domain.billing.groupid ;; + group_label: "About Domain Billing" + group_item_label: "Groupid" + } + + dimension: about__domain__billing__hire_date__nanos { + type: number + sql: ${TABLE}.about.domain.billing.hire_date.nanos ;; + group_label: "About Domain Billing Hire Date" + group_item_label: "Nanos" + } + + dimension: about__domain__billing__hire_date__seconds { + type: number + sql: ${TABLE}.about.domain.billing.hire_date.seconds ;; + group_label: "About Domain Billing Hire Date" + group_item_label: "Seconds" + } + + dimension: about__domain__billing__last_name { + type: string + sql: ${TABLE}.about.domain.billing.last_name ;; + group_label: "About Domain Billing" + group_item_label: "Last Name" + } + + dimension: about__domain__billing__middle_name { + type: string + sql: ${TABLE}.about.domain.billing.middle_name ;; + group_label: "About Domain Billing" + group_item_label: "Middle Name" + } + + dimension: about__domain__billing__office_address__city { + type: string + sql: ${TABLE}.about.domain.billing.office_address.city ;; + group_label: "About Domain Billing Office Address" + group_item_label: "City" + } + + dimension: about__domain__billing__office_address__country_or_region { + type: string + sql: ${TABLE}.about.domain.billing.office_address.country_or_region ;; + group_label: "About Domain Billing Office Address" + group_item_label: "Country or Region" + } + + dimension: 
about__domain__billing__office_address__desk_name { + type: string + sql: ${TABLE}.about.domain.billing.office_address.desk_name ;; + group_label: "About Domain Billing Office Address" + group_item_label: "Desk Name" + } + + dimension: about__domain__billing__office_address__floor_name { + type: string + sql: ${TABLE}.about.domain.billing.office_address.floor_name ;; + group_label: "About Domain Billing Office Address" + group_item_label: "Floor Name" + } + + dimension: about__domain__billing__office_address__name { + type: string + sql: ${TABLE}.about.domain.billing.office_address.name ;; + group_label: "About Domain Billing Office Address" + group_item_label: "Name" + } + + dimension: about__domain__billing__office_address__region_latitude { + type: number + sql: ${TABLE}.about.domain.billing.office_address.region_latitude ;; + group_label: "About Domain Billing Office Address" + group_item_label: "Region Latitude" + } + + dimension: about__domain__billing__office_address__region_longitude { + type: number + sql: ${TABLE}.about.domain.billing.office_address.region_longitude ;; + group_label: "About Domain Billing Office Address" + group_item_label: "Region Longitude" + } + + dimension: about__domain__billing__office_address__state { + type: string + sql: ${TABLE}.about.domain.billing.office_address.state ;; + group_label: "About Domain Billing Office Address" + group_item_label: "State" + } + + dimension: about__domain__billing__personal_address__city { + type: string + sql: ${TABLE}.about.domain.billing.personal_address.city ;; + group_label: "About Domain Billing Personal Address" + group_item_label: "City" + } + + dimension: about__domain__billing__personal_address__country_or_region { + type: string + sql: ${TABLE}.about.domain.billing.personal_address.country_or_region ;; + group_label: "About Domain Billing Personal Address" + group_item_label: "Country or Region" + } + + dimension: about__domain__billing__personal_address__desk_name { + type: string + sql: 
${TABLE}.about.domain.billing.personal_address.desk_name ;; + group_label: "About Domain Billing Personal Address" + group_item_label: "Desk Name" + } + + dimension: about__domain__billing__personal_address__floor_name { + type: string + sql: ${TABLE}.about.domain.billing.personal_address.floor_name ;; + group_label: "About Domain Billing Personal Address" + group_item_label: "Floor Name" + } + + dimension: about__domain__billing__personal_address__name { + type: string + sql: ${TABLE}.about.domain.billing.personal_address.name ;; + group_label: "About Domain Billing Personal Address" + group_item_label: "Name" + } + + dimension: about__domain__billing__personal_address__region_latitude { + type: number + sql: ${TABLE}.about.domain.billing.personal_address.region_latitude ;; + group_label: "About Domain Billing Personal Address" + group_item_label: "Region Latitude" + } + + dimension: about__domain__billing__personal_address__region_longitude { + type: number + sql: ${TABLE}.about.domain.billing.personal_address.region_longitude ;; + group_label: "About Domain Billing Personal Address" + group_item_label: "Region Longitude" + } + + dimension: about__domain__billing__personal_address__state { + type: string + sql: ${TABLE}.about.domain.billing.personal_address.state ;; + group_label: "About Domain Billing Personal Address" + group_item_label: "State" + } + + dimension: about__domain__billing__phone_numbers { + hidden: yes + sql: ${TABLE}.about.domain.billing.phone_numbers ;; + group_label: "About Domain Billing" + group_item_label: "Phone Numbers" + } + + dimension: about__domain__billing__product_object_id { + type: string + sql: ${TABLE}.about.domain.billing.product_object_id ;; + group_label: "About Domain Billing" + group_item_label: "Product Object ID" + } + + dimension: about__domain__billing__role_description { + type: string + sql: ${TABLE}.about.domain.billing.role_description ;; + group_label: "About Domain Billing" + group_item_label: "Role Description" + 
} + + dimension: about__domain__billing__role_name { + type: string + sql: ${TABLE}.about.domain.billing.role_name ;; + group_label: "About Domain Billing" + group_item_label: "Role Name" + } + + dimension: about__domain__billing__termination_date__nanos { + type: number + sql: ${TABLE}.about.domain.billing.termination_date.nanos ;; + group_label: "About Domain Billing Termination Date" + group_item_label: "Nanos" + } + + dimension: about__domain__billing__termination_date__seconds { + type: number + sql: ${TABLE}.about.domain.billing.termination_date.seconds ;; + group_label: "About Domain Billing Termination Date" + group_item_label: "Seconds" + } + + dimension: about__domain__billing__time_off { + hidden: yes + sql: ${TABLE}.about.domain.billing.time_off ;; + group_label: "About Domain Billing" + group_item_label: "Time Off" + } + + dimension: about__domain__billing__title { + type: string + sql: ${TABLE}.about.domain.billing.title ;; + group_label: "About Domain Billing" + group_item_label: "Title" + } + + dimension: about__domain__billing__user_authentication_status { + type: number + sql: ${TABLE}.about.domain.billing.user_authentication_status ;; + group_label: "About Domain Billing" + group_item_label: "User Authentication Status" + } + + dimension: about__domain__billing__user_display_name { + type: string + sql: ${TABLE}.about.domain.billing.user_display_name ;; + group_label: "About Domain Billing" + group_item_label: "User Display Name" + } + + dimension: about__domain__billing__user_role { + type: number + sql: ${TABLE}.about.domain.billing.user_role ;; + group_label: "About Domain Billing" + group_item_label: "User Role" + } + + dimension: about__domain__billing__userid { + type: string + sql: ${TABLE}.about.domain.billing.userid ;; + group_label: "About Domain Billing" + group_item_label: "Userid" + } + + dimension: about__domain__billing__windows_sid { + type: string + sql: ${TABLE}.about.domain.billing.windows_sid ;; + group_label: "About Domain 
Billing" + group_item_label: "Windows Sid" + } + + dimension: about__domain__contact_email { + type: string + sql: ${TABLE}.about.domain.contact_email ;; + group_label: "About Domain" + group_item_label: "Contact Email" + } + + dimension: about__domain__creation_time__nanos { + type: number + sql: ${TABLE}.about.domain.creation_time.nanos ;; + group_label: "About Domain Creation Time" + group_item_label: "Nanos" + } + + dimension: about__domain__creation_time__seconds { + type: number + sql: ${TABLE}.about.domain.creation_time.seconds ;; + group_label: "About Domain Creation Time" + group_item_label: "Seconds" + } + + dimension: about__domain__expiration_time__nanos { + type: number + sql: ${TABLE}.about.domain.expiration_time.nanos ;; + group_label: "About Domain Expiration Time" + group_item_label: "Nanos" + } + + dimension: about__domain__expiration_time__seconds { + type: number + sql: ${TABLE}.about.domain.expiration_time.seconds ;; + group_label: "About Domain Expiration Time" + group_item_label: "Seconds" + } + + dimension: about__domain__first_seen_time__nanos { + type: number + sql: ${TABLE}.about.domain.first_seen_time.nanos ;; + group_label: "About Domain First Seen Time" + group_item_label: "Nanos" + } + + dimension: about__domain__first_seen_time__seconds { + type: number + sql: ${TABLE}.about.domain.first_seen_time.seconds ;; + group_label: "About Domain First Seen Time" + group_item_label: "Seconds" + } + + dimension: about__domain__iana_registrar_id { + type: number + sql: ${TABLE}.about.domain.iana_registrar_id ;; + group_label: "About Domain" + group_item_label: "Iana Registrar ID" + } + + dimension: about__domain__last_seen_time__nanos { + type: number + sql: ${TABLE}.about.domain.last_seen_time.nanos ;; + group_label: "About Domain Last Seen Time" + group_item_label: "Nanos" + } + + dimension: about__domain__last_seen_time__seconds { + type: number + sql: ${TABLE}.about.domain.last_seen_time.seconds ;; + group_label: "About Domain Last Seen 
Time" + group_item_label: "Seconds" + } + + dimension: about__domain__name { + type: string + sql: ${TABLE}.about.domain.name ;; + group_label: "About Domain" + group_item_label: "Name" + } + + dimension: about__domain__name_server { + hidden: yes + sql: ${TABLE}.about.domain.name_server ;; + group_label: "About Domain" + group_item_label: "Name Server" + } + + dimension: about__domain__prevalence__day_count { + type: number + sql: ${TABLE}.about.domain.prevalence.day_count ;; + group_label: "About Domain Prevalence" + group_item_label: "Day Count" + } + + dimension: about__domain__prevalence__day_max { + type: number + sql: ${TABLE}.about.domain.prevalence.day_max ;; + group_label: "About Domain Prevalence" + group_item_label: "Day Max" + } + + dimension: about__domain__prevalence__day_max_sub_domains { + type: number + sql: ${TABLE}.about.domain.prevalence.day_max_sub_domains ;; + group_label: "About Domain Prevalence" + group_item_label: "Day Max Sub Domains" + } + + dimension: about__domain__prevalence__rolling_max { + type: number + sql: ${TABLE}.about.domain.prevalence.rolling_max ;; + group_label: "About Domain Prevalence" + group_item_label: "Rolling Max" + } + + dimension: about__domain__prevalence__rolling_max_sub_domains { + type: number + sql: ${TABLE}.about.domain.prevalence.rolling_max_sub_domains ;; + group_label: "About Domain Prevalence" + group_item_label: "Rolling Max Sub Domains" + } + + dimension: about__domain__private_registration { + type: yesno + sql: ${TABLE}.about.domain.private_registration ;; + group_label: "About Domain" + group_item_label: "Private Registration" + } + + dimension: about__domain__registrant__account_type { + type: number + sql: ${TABLE}.about.domain.registrant.account_type ;; + group_label: "About Domain Registrant" + group_item_label: "Account Type" + } + + dimension: about__domain__registrant__attribute__cloud__availability_zone { + type: string + sql: 
${TABLE}.about.domain.registrant.attribute.cloud.availability_zone ;; + group_label: "About Domain Registrant Attribute Cloud" + group_item_label: "Availability Zone" + } + + dimension: about__domain__registrant__attribute__cloud__environment { + type: number + sql: ${TABLE}.about.domain.registrant.attribute.cloud.environment ;; + group_label: "About Domain Registrant Attribute Cloud" + group_item_label: "Environment" + } + + dimension: about__domain__registrant__attribute__cloud__project__id { + type: string + sql: ${TABLE}.about.domain.registrant.attribute.cloud.project.id ;; + group_label: "About Domain Registrant Attribute Cloud Project" + group_item_label: "ID" + } + + dimension: about__domain__registrant__attribute__cloud__project__name { + type: string + sql: ${TABLE}.about.domain.registrant.attribute.cloud.project.name ;; + group_label: "About Domain Registrant Attribute Cloud Project" + group_item_label: "Name" + } + + dimension: about__domain__registrant__attribute__cloud__project__parent { + type: string + sql: ${TABLE}.about.domain.registrant.attribute.cloud.project.parent ;; + group_label: "About Domain Registrant Attribute Cloud Project" + group_item_label: "Parent" + } + + dimension: about__domain__registrant__attribute__cloud__project__product_object_id { + type: string + sql: ${TABLE}.about.domain.registrant.attribute.cloud.project.product_object_id ;; + group_label: "About Domain Registrant Attribute Cloud Project" + group_item_label: "Product Object ID" + } + + dimension: about__domain__registrant__attribute__cloud__project__resource_subtype { + type: string + sql: ${TABLE}.about.domain.registrant.attribute.cloud.project.resource_subtype ;; + group_label: "About Domain Registrant Attribute Cloud Project" + group_item_label: "Resource Subtype" + } + + dimension: about__domain__registrant__attribute__cloud__project__resource_type { + type: number + sql: ${TABLE}.about.domain.registrant.attribute.cloud.project.resource_type ;; + group_label: "About 
Domain Registrant Attribute Cloud Project" + group_item_label: "Resource Type" + } + + dimension: about__domain__registrant__attribute__cloud__project__type { + type: string + sql: ${TABLE}.about.domain.registrant.attribute.cloud.project.type ;; + group_label: "About Domain Registrant Attribute Cloud Project" + group_item_label: "Type" + } + + dimension: about__domain__registrant__attribute__cloud__vpc__id { + type: string + sql: ${TABLE}.about.domain.registrant.attribute.cloud.vpc.id ;; + group_label: "About Domain Registrant Attribute Cloud Vpc" + group_item_label: "ID" + } + + dimension: about__domain__registrant__attribute__cloud__vpc__name { + type: string + sql: ${TABLE}.about.domain.registrant.attribute.cloud.vpc.name ;; + group_label: "About Domain Registrant Attribute Cloud Vpc" + group_item_label: "Name" + } + + dimension: about__domain__registrant__attribute__cloud__vpc__parent { + type: string + sql: ${TABLE}.about.domain.registrant.attribute.cloud.vpc.parent ;; + group_label: "About Domain Registrant Attribute Cloud Vpc" + group_item_label: "Parent" + } + + dimension: about__domain__registrant__attribute__cloud__vpc__product_object_id { + type: string + sql: ${TABLE}.about.domain.registrant.attribute.cloud.vpc.product_object_id ;; + group_label: "About Domain Registrant Attribute Cloud Vpc" + group_item_label: "Product Object ID" + } + + dimension: about__domain__registrant__attribute__cloud__vpc__resource_subtype { + type: string + sql: ${TABLE}.about.domain.registrant.attribute.cloud.vpc.resource_subtype ;; + group_label: "About Domain Registrant Attribute Cloud Vpc" + group_item_label: "Resource Subtype" + } + + dimension: about__domain__registrant__attribute__cloud__vpc__resource_type { + type: number + sql: ${TABLE}.about.domain.registrant.attribute.cloud.vpc.resource_type ;; + group_label: "About Domain Registrant Attribute Cloud Vpc" + group_item_label: "Resource Type" + } + + dimension: about__domain__registrant__attribute__cloud__vpc__type { + 
type: string + sql: ${TABLE}.about.domain.registrant.attribute.cloud.vpc.type ;; + group_label: "About Domain Registrant Attribute Cloud Vpc" + group_item_label: "Type" + } + + dimension: about__domain__registrant__attribute__creation_time__nanos { + type: number + sql: ${TABLE}.about.domain.registrant.attribute.creation_time.nanos ;; + group_label: "About Domain Registrant Attribute Creation Time" + group_item_label: "Nanos" + } + + dimension: about__domain__registrant__attribute__creation_time__seconds { + type: number + sql: ${TABLE}.about.domain.registrant.attribute.creation_time.seconds ;; + group_label: "About Domain Registrant Attribute Creation Time" + group_item_label: "Seconds" + } + + dimension: about__domain__registrant__attribute__labels { + hidden: yes + sql: ${TABLE}.about.domain.registrant.attribute.labels ;; + group_label: "About Domain Registrant Attribute" + group_item_label: "Labels" + } + + dimension: about__domain__registrant__attribute__last_update_time__nanos { + type: number + sql: ${TABLE}.about.domain.registrant.attribute.last_update_time.nanos ;; + group_label: "About Domain Registrant Attribute Last Update Time" + group_item_label: "Nanos" + } + + dimension: about__domain__registrant__attribute__last_update_time__seconds { + type: number + sql: ${TABLE}.about.domain.registrant.attribute.last_update_time.seconds ;; + group_label: "About Domain Registrant Attribute Last Update Time" + group_item_label: "Seconds" + } + + dimension: about__domain__registrant__attribute__permissions { + hidden: yes + sql: ${TABLE}.about.domain.registrant.attribute.permissions ;; + group_label: "About Domain Registrant Attribute" + group_item_label: "Permissions" + } + + dimension: about__domain__registrant__attribute__roles { + hidden: yes + sql: ${TABLE}.about.domain.registrant.attribute.roles ;; + group_label: "About Domain Registrant Attribute" + group_item_label: "Roles" + } + + dimension: about__domain__registrant__company_name { + type: string + sql: 
${TABLE}.about.domain.registrant.company_name ;; + group_label: "About Domain Registrant" + group_item_label: "Company Name" + } + + dimension: about__domain__registrant__department { + hidden: yes + sql: ${TABLE}.about.domain.registrant.department ;; + group_label: "About Domain Registrant" + group_item_label: "Department" + } + + dimension: about__domain__registrant__email_addresses { + hidden: yes + sql: ${TABLE}.about.domain.registrant.email_addresses ;; + group_label: "About Domain Registrant" + group_item_label: "Email Addresses" + } + + dimension: about__domain__registrant__employee_id { + type: string + sql: ${TABLE}.about.domain.registrant.employee_id ;; + group_label: "About Domain Registrant" + group_item_label: "Employee ID" + } + + dimension: about__domain__registrant__first_name { + type: string + sql: ${TABLE}.about.domain.registrant.first_name ;; + group_label: "About Domain Registrant" + group_item_label: "First Name" + } + + dimension: about__domain__registrant__first_seen_time__nanos { + type: number + sql: ${TABLE}.about.domain.registrant.first_seen_time.nanos ;; + group_label: "About Domain Registrant First Seen Time" + group_item_label: "Nanos" + } + + dimension: about__domain__registrant__first_seen_time__seconds { + type: number + sql: ${TABLE}.about.domain.registrant.first_seen_time.seconds ;; + group_label: "About Domain Registrant First Seen Time" + group_item_label: "Seconds" + } + + dimension: about__domain__registrant__group_identifiers { + hidden: yes + sql: ${TABLE}.about.domain.registrant.group_identifiers ;; + group_label: "About Domain Registrant" + group_item_label: "Group Identifiers" + } + + dimension: about__domain__registrant__groupid { + type: string + sql: ${TABLE}.about.domain.registrant.groupid ;; + group_label: "About Domain Registrant" + group_item_label: "Groupid" + } + + dimension: about__domain__registrant__hire_date__nanos { + type: number + sql: ${TABLE}.about.domain.registrant.hire_date.nanos ;; + group_label: 
"About Domain Registrant Hire Date" + group_item_label: "Nanos" + } + + dimension: about__domain__registrant__hire_date__seconds { + type: number + sql: ${TABLE}.about.domain.registrant.hire_date.seconds ;; + group_label: "About Domain Registrant Hire Date" + group_item_label: "Seconds" + } + + dimension: about__domain__registrant__last_name { + type: string + sql: ${TABLE}.about.domain.registrant.last_name ;; + group_label: "About Domain Registrant" + group_item_label: "Last Name" + } + + dimension: about__domain__registrant__middle_name { + type: string + sql: ${TABLE}.about.domain.registrant.middle_name ;; + group_label: "About Domain Registrant" + group_item_label: "Middle Name" + } + + dimension: about__domain__registrant__office_address__city { + type: string + sql: ${TABLE}.about.domain.registrant.office_address.city ;; + group_label: "About Domain Registrant Office Address" + group_item_label: "City" + } + + dimension: about__domain__registrant__office_address__country_or_region { + type: string + sql: ${TABLE}.about.domain.registrant.office_address.country_or_region ;; + group_label: "About Domain Registrant Office Address" + group_item_label: "Country or Region" + } + + dimension: about__domain__registrant__office_address__desk_name { + type: string + sql: ${TABLE}.about.domain.registrant.office_address.desk_name ;; + group_label: "About Domain Registrant Office Address" + group_item_label: "Desk Name" + } + + dimension: about__domain__registrant__office_address__floor_name { + type: string + sql: ${TABLE}.about.domain.registrant.office_address.floor_name ;; + group_label: "About Domain Registrant Office Address" + group_item_label: "Floor Name" + } + + dimension: about__domain__registrant__office_address__name { + type: string + sql: ${TABLE}.about.domain.registrant.office_address.name ;; + group_label: "About Domain Registrant Office Address" + group_item_label: "Name" + } + + dimension: about__domain__registrant__office_address__region_latitude { + 
type: number + sql: ${TABLE}.about.domain.registrant.office_address.region_latitude ;; + group_label: "About Domain Registrant Office Address" + group_item_label: "Region Latitude" + } + + dimension: about__domain__registrant__office_address__region_longitude { + type: number + sql: ${TABLE}.about.domain.registrant.office_address.region_longitude ;; + group_label: "About Domain Registrant Office Address" + group_item_label: "Region Longitude" + } + + dimension: about__domain__registrant__office_address__state { + type: string + sql: ${TABLE}.about.domain.registrant.office_address.state ;; + group_label: "About Domain Registrant Office Address" + group_item_label: "State" + } + + dimension: about__domain__registrant__personal_address__city { + type: string + sql: ${TABLE}.about.domain.registrant.personal_address.city ;; + group_label: "About Domain Registrant Personal Address" + group_item_label: "City" + } + + dimension: about__domain__registrant__personal_address__country_or_region { + type: string + sql: ${TABLE}.about.domain.registrant.personal_address.country_or_region ;; + group_label: "About Domain Registrant Personal Address" + group_item_label: "Country or Region" + } + + dimension: about__domain__registrant__personal_address__desk_name { + type: string + sql: ${TABLE}.about.domain.registrant.personal_address.desk_name ;; + group_label: "About Domain Registrant Personal Address" + group_item_label: "Desk Name" + } + + dimension: about__domain__registrant__personal_address__floor_name { + type: string + sql: ${TABLE}.about.domain.registrant.personal_address.floor_name ;; + group_label: "About Domain Registrant Personal Address" + group_item_label: "Floor Name" + } + + dimension: about__domain__registrant__personal_address__name { + type: string + sql: ${TABLE}.about.domain.registrant.personal_address.name ;; + group_label: "About Domain Registrant Personal Address" + group_item_label: "Name" + } + + dimension: 
about__domain__registrant__personal_address__region_latitude { + type: number + sql: ${TABLE}.about.domain.registrant.personal_address.region_latitude ;; + group_label: "About Domain Registrant Personal Address" + group_item_label: "Region Latitude" + } + + dimension: about__domain__registrant__personal_address__region_longitude { + type: number + sql: ${TABLE}.about.domain.registrant.personal_address.region_longitude ;; + group_label: "About Domain Registrant Personal Address" + group_item_label: "Region Longitude" + } + + dimension: about__domain__registrant__personal_address__state { + type: string + sql: ${TABLE}.about.domain.registrant.personal_address.state ;; + group_label: "About Domain Registrant Personal Address" + group_item_label: "State" + } + + dimension: about__domain__registrant__phone_numbers { + hidden: yes + sql: ${TABLE}.about.domain.registrant.phone_numbers ;; + group_label: "About Domain Registrant" + group_item_label: "Phone Numbers" + } + + dimension: about__domain__registrant__product_object_id { + type: string + sql: ${TABLE}.about.domain.registrant.product_object_id ;; + group_label: "About Domain Registrant" + group_item_label: "Product Object ID" + } + + dimension: about__domain__registrant__role_description { + type: string + sql: ${TABLE}.about.domain.registrant.role_description ;; + group_label: "About Domain Registrant" + group_item_label: "Role Description" + } + + dimension: about__domain__registrant__role_name { + type: string + sql: ${TABLE}.about.domain.registrant.role_name ;; + group_label: "About Domain Registrant" + group_item_label: "Role Name" + } + + dimension: about__domain__registrant__termination_date__nanos { + type: number + sql: ${TABLE}.about.domain.registrant.termination_date.nanos ;; + group_label: "About Domain Registrant Termination Date" + group_item_label: "Nanos" + } + + dimension: about__domain__registrant__termination_date__seconds { + type: number + sql: 
${TABLE}.about.domain.registrant.termination_date.seconds ;; + group_label: "About Domain Registrant Termination Date" + group_item_label: "Seconds" + } + + dimension: about__domain__registrant__time_off { + hidden: yes + sql: ${TABLE}.about.domain.registrant.time_off ;; + group_label: "About Domain Registrant" + group_item_label: "Time Off" + } + + dimension: about__domain__registrant__title { + type: string + sql: ${TABLE}.about.domain.registrant.title ;; + group_label: "About Domain Registrant" + group_item_label: "Title" + } + + dimension: about__domain__registrant__user_authentication_status { + type: number + sql: ${TABLE}.about.domain.registrant.user_authentication_status ;; + group_label: "About Domain Registrant" + group_item_label: "User Authentication Status" + } + + dimension: about__domain__registrant__user_display_name { + type: string + sql: ${TABLE}.about.domain.registrant.user_display_name ;; + group_label: "About Domain Registrant" + group_item_label: "User Display Name" + } + + dimension: about__domain__registrant__user_role { + type: number + sql: ${TABLE}.about.domain.registrant.user_role ;; + group_label: "About Domain Registrant" + group_item_label: "User Role" + } + + dimension: about__domain__registrant__userid { + type: string + sql: ${TABLE}.about.domain.registrant.userid ;; + group_label: "About Domain Registrant" + group_item_label: "Userid" + } + + dimension: about__domain__registrant__windows_sid { + type: string + sql: ${TABLE}.about.domain.registrant.windows_sid ;; + group_label: "About Domain Registrant" + group_item_label: "Windows Sid" + } + + dimension: about__domain__registrar { + type: string + sql: ${TABLE}.about.domain.registrar ;; + group_label: "About Domain" + group_item_label: "Registrar" + } + + dimension: about__domain__registry_data_raw_text { + type: string + sql: ${TABLE}.about.domain.registry_data_raw_text ;; + group_label: "About Domain" + group_item_label: "Registry Data Raw Text" + } + + dimension: 
about__domain__status { + type: string + sql: ${TABLE}.about.domain.status ;; + group_label: "About Domain" + group_item_label: "Status" + } + + dimension: about__domain__tech__account_type { + type: number + sql: ${TABLE}.about.domain.tech.account_type ;; + group_label: "About Domain Tech" + group_item_label: "Account Type" + } + + dimension: about__domain__tech__attribute__cloud__availability_zone { + type: string + sql: ${TABLE}.about.domain.tech.attribute.cloud.availability_zone ;; + group_label: "About Domain Tech Attribute Cloud" + group_item_label: "Availability Zone" + } + + dimension: about__domain__tech__attribute__cloud__environment { + type: number + sql: ${TABLE}.about.domain.tech.attribute.cloud.environment ;; + group_label: "About Domain Tech Attribute Cloud" + group_item_label: "Environment" + } + + dimension: about__domain__tech__attribute__cloud__project__id { + type: string + sql: ${TABLE}.about.domain.tech.attribute.cloud.project.id ;; + group_label: "About Domain Tech Attribute Cloud Project" + group_item_label: "ID" + } + + dimension: about__domain__tech__attribute__cloud__project__name { + type: string + sql: ${TABLE}.about.domain.tech.attribute.cloud.project.name ;; + group_label: "About Domain Tech Attribute Cloud Project" + group_item_label: "Name" + } + + dimension: about__domain__tech__attribute__cloud__project__parent { + type: string + sql: ${TABLE}.about.domain.tech.attribute.cloud.project.parent ;; + group_label: "About Domain Tech Attribute Cloud Project" + group_item_label: "Parent" + } + + dimension: about__domain__tech__attribute__cloud__project__product_object_id { + type: string + sql: ${TABLE}.about.domain.tech.attribute.cloud.project.product_object_id ;; + group_label: "About Domain Tech Attribute Cloud Project" + group_item_label: "Product Object ID" + } + + dimension: about__domain__tech__attribute__cloud__project__resource_subtype { + type: string + sql: ${TABLE}.about.domain.tech.attribute.cloud.project.resource_subtype 
;; + group_label: "About Domain Tech Attribute Cloud Project" + group_item_label: "Resource Subtype" + } + + dimension: about__domain__tech__attribute__cloud__project__resource_type { + type: number + sql: ${TABLE}.about.domain.tech.attribute.cloud.project.resource_type ;; + group_label: "About Domain Tech Attribute Cloud Project" + group_item_label: "Resource Type" + } + + dimension: about__domain__tech__attribute__cloud__project__type { + type: string + sql: ${TABLE}.about.domain.tech.attribute.cloud.project.type ;; + group_label: "About Domain Tech Attribute Cloud Project" + group_item_label: "Type" + } + + dimension: about__domain__tech__attribute__cloud__vpc__id { + type: string + sql: ${TABLE}.about.domain.tech.attribute.cloud.vpc.id ;; + group_label: "About Domain Tech Attribute Cloud Vpc" + group_item_label: "ID" + } + + dimension: about__domain__tech__attribute__cloud__vpc__name { + type: string + sql: ${TABLE}.about.domain.tech.attribute.cloud.vpc.name ;; + group_label: "About Domain Tech Attribute Cloud Vpc" + group_item_label: "Name" + } + + dimension: about__domain__tech__attribute__cloud__vpc__parent { + type: string + sql: ${TABLE}.about.domain.tech.attribute.cloud.vpc.parent ;; + group_label: "About Domain Tech Attribute Cloud Vpc" + group_item_label: "Parent" + } + + dimension: about__domain__tech__attribute__cloud__vpc__product_object_id { + type: string + sql: ${TABLE}.about.domain.tech.attribute.cloud.vpc.product_object_id ;; + group_label: "About Domain Tech Attribute Cloud Vpc" + group_item_label: "Product Object ID" + } + + dimension: about__domain__tech__attribute__cloud__vpc__resource_subtype { + type: string + sql: ${TABLE}.about.domain.tech.attribute.cloud.vpc.resource_subtype ;; + group_label: "About Domain Tech Attribute Cloud Vpc" + group_item_label: "Resource Subtype" + } + + dimension: about__domain__tech__attribute__cloud__vpc__resource_type { + type: number + sql: ${TABLE}.about.domain.tech.attribute.cloud.vpc.resource_type ;; + 
group_label: "About Domain Tech Attribute Cloud Vpc" + group_item_label: "Resource Type" + } + + dimension: about__domain__tech__attribute__cloud__vpc__type { + type: string + sql: ${TABLE}.about.domain.tech.attribute.cloud.vpc.type ;; + group_label: "About Domain Tech Attribute Cloud Vpc" + group_item_label: "Type" + } + + dimension: about__domain__tech__attribute__creation_time__nanos { + type: number + sql: ${TABLE}.about.domain.tech.attribute.creation_time.nanos ;; + group_label: "About Domain Tech Attribute Creation Time" + group_item_label: "Nanos" + } + + dimension: about__domain__tech__attribute__creation_time__seconds { + type: number + sql: ${TABLE}.about.domain.tech.attribute.creation_time.seconds ;; + group_label: "About Domain Tech Attribute Creation Time" + group_item_label: "Seconds" + } + + dimension: about__domain__tech__attribute__labels { + hidden: yes + sql: ${TABLE}.about.domain.tech.attribute.labels ;; + group_label: "About Domain Tech Attribute" + group_item_label: "Labels" + } + + dimension: about__domain__tech__attribute__last_update_time__nanos { + type: number + sql: ${TABLE}.about.domain.tech.attribute.last_update_time.nanos ;; + group_label: "About Domain Tech Attribute Last Update Time" + group_item_label: "Nanos" + } + + dimension: about__domain__tech__attribute__last_update_time__seconds { + type: number + sql: ${TABLE}.about.domain.tech.attribute.last_update_time.seconds ;; + group_label: "About Domain Tech Attribute Last Update Time" + group_item_label: "Seconds" + } + + dimension: about__domain__tech__attribute__permissions { + hidden: yes + sql: ${TABLE}.about.domain.tech.attribute.permissions ;; + group_label: "About Domain Tech Attribute" + group_item_label: "Permissions" + } + + dimension: about__domain__tech__attribute__roles { + hidden: yes + sql: ${TABLE}.about.domain.tech.attribute.roles ;; + group_label: "About Domain Tech Attribute" + group_item_label: "Roles" + } + + dimension: about__domain__tech__company_name { + 
type: string + sql: ${TABLE}.about.domain.tech.company_name ;; + group_label: "About Domain Tech" + group_item_label: "Company Name" + } + + dimension: about__domain__tech__department { + hidden: yes + sql: ${TABLE}.about.domain.tech.department ;; + group_label: "About Domain Tech" + group_item_label: "Department" + } + + dimension: about__domain__tech__email_addresses { + hidden: yes + sql: ${TABLE}.about.domain.tech.email_addresses ;; + group_label: "About Domain Tech" + group_item_label: "Email Addresses" + } + + dimension: about__domain__tech__employee_id { + type: string + sql: ${TABLE}.about.domain.tech.employee_id ;; + group_label: "About Domain Tech" + group_item_label: "Employee ID" + } + + dimension: about__domain__tech__first_name { + type: string + sql: ${TABLE}.about.domain.tech.first_name ;; + group_label: "About Domain Tech" + group_item_label: "First Name" + } + + dimension: about__domain__tech__first_seen_time__nanos { + type: number + sql: ${TABLE}.about.domain.tech.first_seen_time.nanos ;; + group_label: "About Domain Tech First Seen Time" + group_item_label: "Nanos" + } + + dimension: about__domain__tech__first_seen_time__seconds { + type: number + sql: ${TABLE}.about.domain.tech.first_seen_time.seconds ;; + group_label: "About Domain Tech First Seen Time" + group_item_label: "Seconds" + } + + dimension: about__domain__tech__group_identifiers { + hidden: yes + sql: ${TABLE}.about.domain.tech.group_identifiers ;; + group_label: "About Domain Tech" + group_item_label: "Group Identifiers" + } + + dimension: about__domain__tech__groupid { + type: string + sql: ${TABLE}.about.domain.tech.groupid ;; + group_label: "About Domain Tech" + group_item_label: "Groupid" + } + + dimension: about__domain__tech__hire_date__nanos { + type: number + sql: ${TABLE}.about.domain.tech.hire_date.nanos ;; + group_label: "About Domain Tech Hire Date" + group_item_label: "Nanos" + } + + dimension: about__domain__tech__hire_date__seconds { + type: number + sql: 
${TABLE}.about.domain.tech.hire_date.seconds ;; + group_label: "About Domain Tech Hire Date" + group_item_label: "Seconds" + } + + dimension: about__domain__tech__last_name { + type: string + sql: ${TABLE}.about.domain.tech.last_name ;; + group_label: "About Domain Tech" + group_item_label: "Last Name" + } + + dimension: about__domain__tech__middle_name { + type: string + sql: ${TABLE}.about.domain.tech.middle_name ;; + group_label: "About Domain Tech" + group_item_label: "Middle Name" + } + + dimension: about__domain__tech__office_address__city { + type: string + sql: ${TABLE}.about.domain.tech.office_address.city ;; + group_label: "About Domain Tech Office Address" + group_item_label: "City" + } + + dimension: about__domain__tech__office_address__country_or_region { + type: string + sql: ${TABLE}.about.domain.tech.office_address.country_or_region ;; + group_label: "About Domain Tech Office Address" + group_item_label: "Country or Region" + } + + dimension: about__domain__tech__office_address__desk_name { + type: string + sql: ${TABLE}.about.domain.tech.office_address.desk_name ;; + group_label: "About Domain Tech Office Address" + group_item_label: "Desk Name" + } + + dimension: about__domain__tech__office_address__floor_name { + type: string + sql: ${TABLE}.about.domain.tech.office_address.floor_name ;; + group_label: "About Domain Tech Office Address" + group_item_label: "Floor Name" + } + + dimension: about__domain__tech__office_address__name { + type: string + sql: ${TABLE}.about.domain.tech.office_address.name ;; + group_label: "About Domain Tech Office Address" + group_item_label: "Name" + } + + dimension: about__domain__tech__office_address__region_latitude { + type: number + sql: ${TABLE}.about.domain.tech.office_address.region_latitude ;; + group_label: "About Domain Tech Office Address" + group_item_label: "Region Latitude" + } + + dimension: about__domain__tech__office_address__region_longitude { + type: number + sql: 
${TABLE}.about.domain.tech.office_address.region_longitude ;; + group_label: "About Domain Tech Office Address" + group_item_label: "Region Longitude" + } + + dimension: about__domain__tech__office_address__state { + type: string + sql: ${TABLE}.about.domain.tech.office_address.state ;; + group_label: "About Domain Tech Office Address" + group_item_label: "State" + } + + dimension: about__domain__tech__personal_address__city { + type: string + sql: ${TABLE}.about.domain.tech.personal_address.city ;; + group_label: "About Domain Tech Personal Address" + group_item_label: "City" + } + + dimension: about__domain__tech__personal_address__country_or_region { + type: string + sql: ${TABLE}.about.domain.tech.personal_address.country_or_region ;; + group_label: "About Domain Tech Personal Address" + group_item_label: "Country or Region" + } + + dimension: about__domain__tech__personal_address__desk_name { + type: string + sql: ${TABLE}.about.domain.tech.personal_address.desk_name ;; + group_label: "About Domain Tech Personal Address" + group_item_label: "Desk Name" + } + + dimension: about__domain__tech__personal_address__floor_name { + type: string + sql: ${TABLE}.about.domain.tech.personal_address.floor_name ;; + group_label: "About Domain Tech Personal Address" + group_item_label: "Floor Name" + } + + dimension: about__domain__tech__personal_address__name { + type: string + sql: ${TABLE}.about.domain.tech.personal_address.name ;; + group_label: "About Domain Tech Personal Address" + group_item_label: "Name" + } + + dimension: about__domain__tech__personal_address__region_latitude { + type: number + sql: ${TABLE}.about.domain.tech.personal_address.region_latitude ;; + group_label: "About Domain Tech Personal Address" + group_item_label: "Region Latitude" + } + + dimension: about__domain__tech__personal_address__region_longitude { + type: number + sql: ${TABLE}.about.domain.tech.personal_address.region_longitude ;; + group_label: "About Domain Tech Personal Address" + 
group_item_label: "Region Longitude" + } + + dimension: about__domain__tech__personal_address__state { + type: string + sql: ${TABLE}.about.domain.tech.personal_address.state ;; + group_label: "About Domain Tech Personal Address" + group_item_label: "State" + } + + dimension: about__domain__tech__phone_numbers { + hidden: yes + sql: ${TABLE}.about.domain.tech.phone_numbers ;; + group_label: "About Domain Tech" + group_item_label: "Phone Numbers" + } + + dimension: about__domain__tech__product_object_id { + type: string + sql: ${TABLE}.about.domain.tech.product_object_id ;; + group_label: "About Domain Tech" + group_item_label: "Product Object ID" + } + + dimension: about__domain__tech__role_description { + type: string + sql: ${TABLE}.about.domain.tech.role_description ;; + group_label: "About Domain Tech" + group_item_label: "Role Description" + } + + dimension: about__domain__tech__role_name { + type: string + sql: ${TABLE}.about.domain.tech.role_name ;; + group_label: "About Domain Tech" + group_item_label: "Role Name" + } + + dimension: about__domain__tech__termination_date__nanos { + type: number + sql: ${TABLE}.about.domain.tech.termination_date.nanos ;; + group_label: "About Domain Tech Termination Date" + group_item_label: "Nanos" + } + + dimension: about__domain__tech__termination_date__seconds { + type: number + sql: ${TABLE}.about.domain.tech.termination_date.seconds ;; + group_label: "About Domain Tech Termination Date" + group_item_label: "Seconds" + } + + dimension: about__domain__tech__time_off { + hidden: yes + sql: ${TABLE}.about.domain.tech.time_off ;; + group_label: "About Domain Tech" + group_item_label: "Time Off" + } + + dimension: about__domain__tech__title { + type: string + sql: ${TABLE}.about.domain.tech.title ;; + group_label: "About Domain Tech" + group_item_label: "Title" + } + + dimension: about__domain__tech__user_authentication_status { + type: number + sql: ${TABLE}.about.domain.tech.user_authentication_status ;; + group_label: 
"About Domain Tech" + group_item_label: "User Authentication Status" + } + + dimension: about__domain__tech__user_display_name { + type: string + sql: ${TABLE}.about.domain.tech.user_display_name ;; + group_label: "About Domain Tech" + group_item_label: "User Display Name" + } + + dimension: about__domain__tech__user_role { + type: number + sql: ${TABLE}.about.domain.tech.user_role ;; + group_label: "About Domain Tech" + group_item_label: "User Role" + } + + dimension: about__domain__tech__userid { + type: string + sql: ${TABLE}.about.domain.tech.userid ;; + group_label: "About Domain Tech" + group_item_label: "Userid" + } + + dimension: about__domain__tech__windows_sid { + type: string + sql: ${TABLE}.about.domain.tech.windows_sid ;; + group_label: "About Domain Tech" + group_item_label: "Windows Sid" + } + + dimension: about__domain__update_time__nanos { + type: number + sql: ${TABLE}.about.domain.update_time.nanos ;; + group_label: "About Domain Update Time" + group_item_label: "Nanos" + } + + dimension: about__domain__update_time__seconds { + type: number + sql: ${TABLE}.about.domain.update_time.seconds ;; + group_label: "About Domain Update Time" + group_item_label: "Seconds" + } + + dimension: about__domain__whois_record_raw_text { + type: string + sql: ${TABLE}.about.domain.whois_record_raw_text ;; + group_label: "About Domain" + group_item_label: "Whois Record Raw Text" + } + + dimension: about__domain__whois_server { + type: string + sql: ${TABLE}.about.domain.whois_server ;; + group_label: "About Domain" + group_item_label: "Whois Server" + } + + dimension: about__domain__zone__account_type { + type: number + sql: ${TABLE}.about.domain.zone.account_type ;; + group_label: "About Domain Zone" + group_item_label: "Account Type" + } + + dimension: about__domain__zone__attribute__cloud__availability_zone { + type: string + sql: ${TABLE}.about.domain.zone.attribute.cloud.availability_zone ;; + group_label: "About Domain Zone Attribute Cloud" + group_item_label: 
"Availability Zone" + } + + dimension: about__domain__zone__attribute__cloud__environment { + type: number + sql: ${TABLE}.about.domain.zone.attribute.cloud.environment ;; + group_label: "About Domain Zone Attribute Cloud" + group_item_label: "Environment" + } + + dimension: about__domain__zone__attribute__cloud__project__id { + type: string + sql: ${TABLE}.about.domain.zone.attribute.cloud.project.id ;; + group_label: "About Domain Zone Attribute Cloud Project" + group_item_label: "ID" + } + + dimension: about__domain__zone__attribute__cloud__project__name { + type: string + sql: ${TABLE}.about.domain.zone.attribute.cloud.project.name ;; + group_label: "About Domain Zone Attribute Cloud Project" + group_item_label: "Name" + } + + dimension: about__domain__zone__attribute__cloud__project__parent { + type: string + sql: ${TABLE}.about.domain.zone.attribute.cloud.project.parent ;; + group_label: "About Domain Zone Attribute Cloud Project" + group_item_label: "Parent" + } + + dimension: about__domain__zone__attribute__cloud__project__product_object_id { + type: string + sql: ${TABLE}.about.domain.zone.attribute.cloud.project.product_object_id ;; + group_label: "About Domain Zone Attribute Cloud Project" + group_item_label: "Product Object ID" + } + + dimension: about__domain__zone__attribute__cloud__project__resource_subtype { + type: string + sql: ${TABLE}.about.domain.zone.attribute.cloud.project.resource_subtype ;; + group_label: "About Domain Zone Attribute Cloud Project" + group_item_label: "Resource Subtype" + } + + dimension: about__domain__zone__attribute__cloud__project__resource_type { + type: number + sql: ${TABLE}.about.domain.zone.attribute.cloud.project.resource_type ;; + group_label: "About Domain Zone Attribute Cloud Project" + group_item_label: "Resource Type" + } + + dimension: about__domain__zone__attribute__cloud__project__type { + type: string + sql: ${TABLE}.about.domain.zone.attribute.cloud.project.type ;; + group_label: "About Domain Zone 
Attribute Cloud Project" + group_item_label: "Type" + } + + dimension: about__domain__zone__attribute__cloud__vpc__id { + type: string + sql: ${TABLE}.about.domain.zone.attribute.cloud.vpc.id ;; + group_label: "About Domain Zone Attribute Cloud Vpc" + group_item_label: "ID" + } + + dimension: about__domain__zone__attribute__cloud__vpc__name { + type: string + sql: ${TABLE}.about.domain.zone.attribute.cloud.vpc.name ;; + group_label: "About Domain Zone Attribute Cloud Vpc" + group_item_label: "Name" + } + + dimension: about__domain__zone__attribute__cloud__vpc__parent { + type: string + sql: ${TABLE}.about.domain.zone.attribute.cloud.vpc.parent ;; + group_label: "About Domain Zone Attribute Cloud Vpc" + group_item_label: "Parent" + } + + dimension: about__domain__zone__attribute__cloud__vpc__product_object_id { + type: string + sql: ${TABLE}.about.domain.zone.attribute.cloud.vpc.product_object_id ;; + group_label: "About Domain Zone Attribute Cloud Vpc" + group_item_label: "Product Object ID" + } + + dimension: about__domain__zone__attribute__cloud__vpc__resource_subtype { + type: string + sql: ${TABLE}.about.domain.zone.attribute.cloud.vpc.resource_subtype ;; + group_label: "About Domain Zone Attribute Cloud Vpc" + group_item_label: "Resource Subtype" + } + + dimension: about__domain__zone__attribute__cloud__vpc__resource_type { + type: number + sql: ${TABLE}.about.domain.zone.attribute.cloud.vpc.resource_type ;; + group_label: "About Domain Zone Attribute Cloud Vpc" + group_item_label: "Resource Type" + } + + dimension: about__domain__zone__attribute__cloud__vpc__type { + type: string + sql: ${TABLE}.about.domain.zone.attribute.cloud.vpc.type ;; + group_label: "About Domain Zone Attribute Cloud Vpc" + group_item_label: "Type" + } + + dimension: about__domain__zone__attribute__creation_time__nanos { + type: number + sql: ${TABLE}.about.domain.zone.attribute.creation_time.nanos ;; + group_label: "About Domain Zone Attribute Creation Time" + group_item_label: "Nanos" 
+ } + + dimension: about__domain__zone__attribute__creation_time__seconds { + type: number + sql: ${TABLE}.about.domain.zone.attribute.creation_time.seconds ;; + group_label: "About Domain Zone Attribute Creation Time" + group_item_label: "Seconds" + } + + dimension: about__domain__zone__attribute__labels { + hidden: yes + sql: ${TABLE}.about.domain.zone.attribute.labels ;; + group_label: "About Domain Zone Attribute" + group_item_label: "Labels" + } + + dimension: about__domain__zone__attribute__last_update_time__nanos { + type: number + sql: ${TABLE}.about.domain.zone.attribute.last_update_time.nanos ;; + group_label: "About Domain Zone Attribute Last Update Time" + group_item_label: "Nanos" + } + + dimension: about__domain__zone__attribute__last_update_time__seconds { + type: number + sql: ${TABLE}.about.domain.zone.attribute.last_update_time.seconds ;; + group_label: "About Domain Zone Attribute Last Update Time" + group_item_label: "Seconds" + } + + dimension: about__domain__zone__attribute__permissions { + hidden: yes + sql: ${TABLE}.about.domain.zone.attribute.permissions ;; + group_label: "About Domain Zone Attribute" + group_item_label: "Permissions" + } + + dimension: about__domain__zone__attribute__roles { + hidden: yes + sql: ${TABLE}.about.domain.zone.attribute.roles ;; + group_label: "About Domain Zone Attribute" + group_item_label: "Roles" + } + + dimension: about__domain__zone__company_name { + type: string + sql: ${TABLE}.about.domain.zone.company_name ;; + group_label: "About Domain Zone" + group_item_label: "Company Name" + } + + dimension: about__domain__zone__department { + hidden: yes + sql: ${TABLE}.about.domain.zone.department ;; + group_label: "About Domain Zone" + group_item_label: "Department" + } + + dimension: about__domain__zone__email_addresses { + hidden: yes + sql: ${TABLE}.about.domain.zone.email_addresses ;; + group_label: "About Domain Zone" + group_item_label: "Email Addresses" + } + + dimension: about__domain__zone__employee_id 
{ + type: string + sql: ${TABLE}.about.domain.zone.employee_id ;; + group_label: "About Domain Zone" + group_item_label: "Employee ID" + } + + dimension: about__domain__zone__first_name { + type: string + sql: ${TABLE}.about.domain.zone.first_name ;; + group_label: "About Domain Zone" + group_item_label: "First Name" + } + + dimension: about__domain__zone__first_seen_time__nanos { + type: number + sql: ${TABLE}.about.domain.zone.first_seen_time.nanos ;; + group_label: "About Domain Zone First Seen Time" + group_item_label: "Nanos" + } + + dimension: about__domain__zone__first_seen_time__seconds { + type: number + sql: ${TABLE}.about.domain.zone.first_seen_time.seconds ;; + group_label: "About Domain Zone First Seen Time" + group_item_label: "Seconds" + } + + dimension: about__domain__zone__group_identifiers { + hidden: yes + sql: ${TABLE}.about.domain.zone.group_identifiers ;; + group_label: "About Domain Zone" + group_item_label: "Group Identifiers" + } + + dimension: about__domain__zone__groupid { + type: string + sql: ${TABLE}.about.domain.zone.groupid ;; + group_label: "About Domain Zone" + group_item_label: "Groupid" + } + + dimension: about__domain__zone__hire_date__nanos { + type: number + sql: ${TABLE}.about.domain.zone.hire_date.nanos ;; + group_label: "About Domain Zone Hire Date" + group_item_label: "Nanos" + } + + dimension: about__domain__zone__hire_date__seconds { + type: number + sql: ${TABLE}.about.domain.zone.hire_date.seconds ;; + group_label: "About Domain Zone Hire Date" + group_item_label: "Seconds" + } + + dimension: about__domain__zone__last_name { + type: string + sql: ${TABLE}.about.domain.zone.last_name ;; + group_label: "About Domain Zone" + group_item_label: "Last Name" + } + + dimension: about__domain__zone__middle_name { + type: string + sql: ${TABLE}.about.domain.zone.middle_name ;; + group_label: "About Domain Zone" + group_item_label: "Middle Name" + } + + dimension: about__domain__zone__office_address__city { + type: string + sql: 
${TABLE}.about.domain.zone.office_address.city ;; + group_label: "About Domain Zone Office Address" + group_item_label: "City" + } + + dimension: about__domain__zone__office_address__country_or_region { + type: string + sql: ${TABLE}.about.domain.zone.office_address.country_or_region ;; + group_label: "About Domain Zone Office Address" + group_item_label: "Country or Region" + } + + dimension: about__domain__zone__office_address__desk_name { + type: string + sql: ${TABLE}.about.domain.zone.office_address.desk_name ;; + group_label: "About Domain Zone Office Address" + group_item_label: "Desk Name" + } + + dimension: about__domain__zone__office_address__floor_name { + type: string + sql: ${TABLE}.about.domain.zone.office_address.floor_name ;; + group_label: "About Domain Zone Office Address" + group_item_label: "Floor Name" + } + + dimension: about__domain__zone__office_address__name { + type: string + sql: ${TABLE}.about.domain.zone.office_address.name ;; + group_label: "About Domain Zone Office Address" + group_item_label: "Name" + } + + dimension: about__domain__zone__office_address__region_latitude { + type: number + sql: ${TABLE}.about.domain.zone.office_address.region_latitude ;; + group_label: "About Domain Zone Office Address" + group_item_label: "Region Latitude" + } + + dimension: about__domain__zone__office_address__region_longitude { + type: number + sql: ${TABLE}.about.domain.zone.office_address.region_longitude ;; + group_label: "About Domain Zone Office Address" + group_item_label: "Region Longitude" + } + + dimension: about__domain__zone__office_address__state { + type: string + sql: ${TABLE}.about.domain.zone.office_address.state ;; + group_label: "About Domain Zone Office Address" + group_item_label: "State" + } + + dimension: about__domain__zone__personal_address__city { + type: string + sql: ${TABLE}.about.domain.zone.personal_address.city ;; + group_label: "About Domain Zone Personal Address" + group_item_label: "City" + } + + dimension: 
about__domain__zone__personal_address__country_or_region { + type: string + sql: ${TABLE}.about.domain.zone.personal_address.country_or_region ;; + group_label: "About Domain Zone Personal Address" + group_item_label: "Country or Region" + } + + dimension: about__domain__zone__personal_address__desk_name { + type: string + sql: ${TABLE}.about.domain.zone.personal_address.desk_name ;; + group_label: "About Domain Zone Personal Address" + group_item_label: "Desk Name" + } + + dimension: about__domain__zone__personal_address__floor_name { + type: string + sql: ${TABLE}.about.domain.zone.personal_address.floor_name ;; + group_label: "About Domain Zone Personal Address" + group_item_label: "Floor Name" + } + + dimension: about__domain__zone__personal_address__name { + type: string + sql: ${TABLE}.about.domain.zone.personal_address.name ;; + group_label: "About Domain Zone Personal Address" + group_item_label: "Name" + } + + dimension: about__domain__zone__personal_address__region_latitude { + type: number + sql: ${TABLE}.about.domain.zone.personal_address.region_latitude ;; + group_label: "About Domain Zone Personal Address" + group_item_label: "Region Latitude" + } + + dimension: about__domain__zone__personal_address__region_longitude { + type: number + sql: ${TABLE}.about.domain.zone.personal_address.region_longitude ;; + group_label: "About Domain Zone Personal Address" + group_item_label: "Region Longitude" + } + + dimension: about__domain__zone__personal_address__state { + type: string + sql: ${TABLE}.about.domain.zone.personal_address.state ;; + group_label: "About Domain Zone Personal Address" + group_item_label: "State" + } + + dimension: about__domain__zone__phone_numbers { + hidden: yes + sql: ${TABLE}.about.domain.zone.phone_numbers ;; + group_label: "About Domain Zone" + group_item_label: "Phone Numbers" + } + + dimension: about__domain__zone__product_object_id { + type: string + sql: ${TABLE}.about.domain.zone.product_object_id ;; + group_label: "About 
Domain Zone" + group_item_label: "Product Object ID" + } + + dimension: about__domain__zone__role_description { + type: string + sql: ${TABLE}.about.domain.zone.role_description ;; + group_label: "About Domain Zone" + group_item_label: "Role Description" + } + + dimension: about__domain__zone__role_name { + type: string + sql: ${TABLE}.about.domain.zone.role_name ;; + group_label: "About Domain Zone" + group_item_label: "Role Name" + } + + dimension: about__domain__zone__termination_date__nanos { + type: number + sql: ${TABLE}.about.domain.zone.termination_date.nanos ;; + group_label: "About Domain Zone Termination Date" + group_item_label: "Nanos" + } + + dimension: about__domain__zone__termination_date__seconds { + type: number + sql: ${TABLE}.about.domain.zone.termination_date.seconds ;; + group_label: "About Domain Zone Termination Date" + group_item_label: "Seconds" + } + + dimension: about__domain__zone__time_off { + hidden: yes + sql: ${TABLE}.about.domain.zone.time_off ;; + group_label: "About Domain Zone" + group_item_label: "Time Off" + } + + dimension: about__domain__zone__title { + type: string + sql: ${TABLE}.about.domain.zone.title ;; + group_label: "About Domain Zone" + group_item_label: "Title" + } + + dimension: about__domain__zone__user_authentication_status { + type: number + sql: ${TABLE}.about.domain.zone.user_authentication_status ;; + group_label: "About Domain Zone" + group_item_label: "User Authentication Status" + } + + dimension: about__domain__zone__user_display_name { + type: string + sql: ${TABLE}.about.domain.zone.user_display_name ;; + group_label: "About Domain Zone" + group_item_label: "User Display Name" + } + + dimension: about__domain__zone__user_role { + type: number + sql: ${TABLE}.about.domain.zone.user_role ;; + group_label: "About Domain Zone" + group_item_label: "User Role" + } + + dimension: about__domain__zone__userid { + type: string + sql: ${TABLE}.about.domain.zone.userid ;; + group_label: "About Domain Zone" + 
group_item_label: "Userid" + } + + dimension: about__domain__zone__windows_sid { + type: string + sql: ${TABLE}.about.domain.zone.windows_sid ;; + group_label: "About Domain Zone" + group_item_label: "Windows Sid" + } + + dimension: about__email { + type: string + sql: ${TABLE}.about.email ;; + group_label: "About" + group_item_label: "Email" + } + + dimension: about__file__ahash { + type: string + sql: ${TABLE}.about.file.ahash ;; + group_label: "About File" + group_item_label: "Ahash" + } + + dimension: about__file__authentihash { + type: string + sql: ${TABLE}.about.file.authentihash ;; + group_label: "About File" + group_item_label: "Authentihash" + } + + dimension: about__file__capabilities_tags { + hidden: yes + sql: ${TABLE}.about.file.capabilities_tags ;; + group_label: "About File" + group_item_label: "Capabilities Tags" + } + + dimension: about__file__file_metadata__pe__import_hash { + type: string + sql: ${TABLE}.about.file.file_metadata.pe.import_hash ;; + group_label: "About File File Metadata Pe" + group_item_label: "Import Hash" + } + + dimension: about__file__file_type { + type: number + sql: ${TABLE}.about.file.file_type ;; + group_label: "About File" + group_item_label: "File Type" + } + + dimension: about__file__first_seen_time__nanos { + type: number + sql: ${TABLE}.about.file.first_seen_time.nanos ;; + group_label: "About File First Seen Time" + group_item_label: "Nanos" + } + + dimension: about__file__first_seen_time__seconds { + type: number + sql: ${TABLE}.about.file.first_seen_time.seconds ;; + group_label: "About File First Seen Time" + group_item_label: "Seconds" + } + + dimension: about__file__full_path { + type: string + sql: ${TABLE}.about.file.full_path ;; + group_label: "About File" + group_item_label: "Full Path" + } + + dimension: about__file__last_modification_time__nanos { + type: number + sql: ${TABLE}.about.file.last_modification_time.nanos ;; + group_label: "About File Last Modification Time" + group_item_label: "Nanos" + } + 
+ dimension: about__file__last_modification_time__seconds { + type: number + sql: ${TABLE}.about.file.last_modification_time.seconds ;; + group_label: "About File Last Modification Time" + group_item_label: "Seconds" + } + + dimension: about__file__last_seen_time__nanos { + type: number + sql: ${TABLE}.about.file.last_seen_time.nanos ;; + group_label: "About File Last Seen Time" + group_item_label: "Nanos" + } + + dimension: about__file__last_seen_time__seconds { + type: number + sql: ${TABLE}.about.file.last_seen_time.seconds ;; + group_label: "About File Last Seen Time" + group_item_label: "Seconds" + } + + dimension: about__file__md5 { + type: string + sql: ${TABLE}.about.file.md5 ;; + group_label: "About File" + group_item_label: "Md5" + } + + dimension: about__file__mime_type { + type: string + sql: ${TABLE}.about.file.mime_type ;; + group_label: "About File" + group_item_label: "Mime Type" + } + + dimension: about__file__names { + hidden: yes + sql: ${TABLE}.about.file.names ;; + group_label: "About File" + group_item_label: "Names" + } + + dimension: about__file__pe_file__compilation_exiftool_time__nanos { + type: number + sql: ${TABLE}.about.file.pe_file.compilation_exiftool_time.nanos ;; + group_label: "About File Pe File Compilation Exiftool Time" + group_item_label: "Nanos" + } + + dimension: about__file__pe_file__compilation_exiftool_time__seconds { + type: number + sql: ${TABLE}.about.file.pe_file.compilation_exiftool_time.seconds ;; + group_label: "About File Pe File Compilation Exiftool Time" + group_item_label: "Seconds" + } + + dimension: about__file__pe_file__compilation_time__nanos { + type: number + sql: ${TABLE}.about.file.pe_file.compilation_time.nanos ;; + group_label: "About File Pe File Compilation Time" + group_item_label: "Nanos" + } + + dimension: about__file__pe_file__compilation_time__seconds { + type: number + sql: ${TABLE}.about.file.pe_file.compilation_time.seconds ;; + group_label: "About File Pe File Compilation Time" + 
group_item_label: "Seconds" + } + + dimension: about__file__pe_file__entry_point { + type: number + sql: ${TABLE}.about.file.pe_file.entry_point ;; + group_label: "About File Pe File" + group_item_label: "Entry Point" + } + + dimension: about__file__pe_file__entry_point_exiftool { + type: number + sql: ${TABLE}.about.file.pe_file.entry_point_exiftool ;; + group_label: "About File Pe File" + group_item_label: "Entry Point Exiftool" + } + + dimension: about__file__pe_file__imphash { + type: string + sql: ${TABLE}.about.file.pe_file.imphash ;; + group_label: "About File Pe File" + group_item_label: "Imphash" + } + + dimension: about__file__pe_file__imports { + hidden: yes + sql: ${TABLE}.about.file.pe_file.imports ;; + group_label: "About File Pe File" + group_item_label: "Imports" + } + + dimension: about__file__pe_file__resource { + hidden: yes + sql: ${TABLE}.about.file.pe_file.resource ;; + group_label: "About File Pe File" + group_item_label: "Resource" + } + + dimension: about__file__pe_file__resources_language_count { + hidden: yes + sql: ${TABLE}.about.file.pe_file.resources_language_count ;; + group_label: "About File Pe File" + group_item_label: "Resources Language Count" + } + + dimension: about__file__pe_file__resources_language_count_str { + hidden: yes + sql: ${TABLE}.about.file.pe_file.resources_language_count_str ;; + group_label: "About File Pe File" + group_item_label: "Resources Language Count Str" + } + + dimension: about__file__pe_file__resources_type_count { + hidden: yes + sql: ${TABLE}.about.file.pe_file.resources_type_count ;; + group_label: "About File Pe File" + group_item_label: "Resources Type Count" + } + + dimension: about__file__pe_file__resources_type_count_str { + hidden: yes + sql: ${TABLE}.about.file.pe_file.resources_type_count_str ;; + group_label: "About File Pe File" + group_item_label: "Resources Type Count Str" + } + + dimension: about__file__pe_file__section { + hidden: yes + sql: ${TABLE}.about.file.pe_file.section ;; + 
group_label: "About File Pe File" + group_item_label: "Section" + } + + dimension: about__file__pe_file__signature_info__signer { + hidden: yes + sql: ${TABLE}.about.file.pe_file.signature_info.signer ;; + group_label: "About File Pe File Signature Info" + group_item_label: "Signer" + } + + dimension: about__file__pe_file__signature_info__signers { + hidden: yes + sql: ${TABLE}.about.file.pe_file.signature_info.signers ;; + group_label: "About File Pe File Signature Info" + group_item_label: "Signers" + } + + dimension: about__file__pe_file__signature_info__verification_message { + type: string + sql: ${TABLE}.about.file.pe_file.signature_info.verification_message ;; + group_label: "About File Pe File Signature Info" + group_item_label: "Verification Message" + } + + dimension: about__file__pe_file__signature_info__verified { + type: yesno + sql: ${TABLE}.about.file.pe_file.signature_info.verified ;; + group_label: "About File Pe File Signature Info" + group_item_label: "Verified" + } + + dimension: about__file__prevalence__day_count { + type: number + sql: ${TABLE}.about.file.prevalence.day_count ;; + group_label: "About File Prevalence" + group_item_label: "Day Count" + } + + dimension: about__file__prevalence__day_max { + type: number + sql: ${TABLE}.about.file.prevalence.day_max ;; + group_label: "About File Prevalence" + group_item_label: "Day Max" + } + + dimension: about__file__prevalence__day_max_sub_domains { + type: number + sql: ${TABLE}.about.file.prevalence.day_max_sub_domains ;; + group_label: "About File Prevalence" + group_item_label: "Day Max Sub Domains" + } + + dimension: about__file__prevalence__rolling_max { + type: number + sql: ${TABLE}.about.file.prevalence.rolling_max ;; + group_label: "About File Prevalence" + group_item_label: "Rolling Max" + } + + dimension: about__file__prevalence__rolling_max_sub_domains { + type: number + sql: ${TABLE}.about.file.prevalence.rolling_max_sub_domains ;; + group_label: "About File Prevalence" + 
group_item_label: "Rolling Max Sub Domains" + } + + dimension: about__file__sha1 { + type: string + sql: ${TABLE}.about.file.sha1 ;; + group_label: "About File" + group_item_label: "Sha1" + } + + dimension: about__file__sha256 { + type: string + sql: ${TABLE}.about.file.sha256 ;; + group_label: "About File" + group_item_label: "Sha256" + } + + dimension: about__file__size { + type: number + sql: ${TABLE}.about.file.size ;; + group_label: "About File" + group_item_label: "Size" + } + + dimension: about__file__ssdeep { + type: string + sql: ${TABLE}.about.file.ssdeep ;; + group_label: "About File" + group_item_label: "Ssdeep" + } + + dimension: about__file__vhash { + type: string + sql: ${TABLE}.about.file.vhash ;; + group_label: "About File" + group_item_label: "Vhash" + } + + dimension: about__group__attribute__cloud__availability_zone { + type: string + sql: ${TABLE}.about.`group`.attribute.cloud.availability_zone ;; + group_label: "About Group Attribute Cloud" + group_item_label: "Availability Zone" + } + + dimension: about__group__attribute__cloud__environment { + type: number + sql: ${TABLE}.about.`group`.attribute.cloud.environment ;; + group_label: "About Group Attribute Cloud" + group_item_label: "Environment" + } + + dimension: about__group__attribute__cloud__project__id { + type: string + sql: ${TABLE}.about.`group`.attribute.cloud.project.id ;; + group_label: "About Group Attribute Cloud Project" + group_item_label: "ID" + } + + dimension: about__group__attribute__cloud__project__name { + type: string + sql: ${TABLE}.about.`group`.attribute.cloud.project.name ;; + group_label: "About Group Attribute Cloud Project" + group_item_label: "Name" + } + + dimension: about__group__attribute__cloud__project__parent { + type: string + sql: ${TABLE}.about.`group`.attribute.cloud.project.parent ;; + group_label: "About Group Attribute Cloud Project" + group_item_label: "Parent" + } + + dimension: about__group__attribute__cloud__project__product_object_id { + type: 
string + sql: ${TABLE}.about.`group`.attribute.cloud.project.product_object_id ;; + group_label: "About Group Attribute Cloud Project" + group_item_label: "Product Object ID" + } + + dimension: about__group__attribute__cloud__project__resource_subtype { + type: string + sql: ${TABLE}.about.`group`.attribute.cloud.project.resource_subtype ;; + group_label: "About Group Attribute Cloud Project" + group_item_label: "Resource Subtype" + } + + dimension: about__group__attribute__cloud__project__resource_type { + type: number + sql: ${TABLE}.about.`group`.attribute.cloud.project.resource_type ;; + group_label: "About Group Attribute Cloud Project" + group_item_label: "Resource Type" + } + + dimension: about__group__attribute__cloud__project__type { + type: string + sql: ${TABLE}.about.`group`.attribute.cloud.project.type ;; + group_label: "About Group Attribute Cloud Project" + group_item_label: "Type" + } + + dimension: about__group__attribute__cloud__vpc__id { + type: string + sql: ${TABLE}.about.`group`.attribute.cloud.vpc.id ;; + group_label: "About Group Attribute Cloud Vpc" + group_item_label: "ID" + } + + dimension: about__group__attribute__cloud__vpc__name { + type: string + sql: ${TABLE}.about.`group`.attribute.cloud.vpc.name ;; + group_label: "About Group Attribute Cloud Vpc" + group_item_label: "Name" + } + + dimension: about__group__attribute__cloud__vpc__parent { + type: string + sql: ${TABLE}.about.`group`.attribute.cloud.vpc.parent ;; + group_label: "About Group Attribute Cloud Vpc" + group_item_label: "Parent" + } + + dimension: about__group__attribute__cloud__vpc__product_object_id { + type: string + sql: ${TABLE}.about.`group`.attribute.cloud.vpc.product_object_id ;; + group_label: "About Group Attribute Cloud Vpc" + group_item_label: "Product Object ID" + } + + dimension: about__group__attribute__cloud__vpc__resource_subtype { + type: string + sql: ${TABLE}.about.`group`.attribute.cloud.vpc.resource_subtype ;; + group_label: "About Group Attribute 
Cloud Vpc" + group_item_label: "Resource Subtype" + } + + dimension: about__group__attribute__cloud__vpc__resource_type { + type: number + sql: ${TABLE}.about.`group`.attribute.cloud.vpc.resource_type ;; + group_label: "About Group Attribute Cloud Vpc" + group_item_label: "Resource Type" + } + + dimension: about__group__attribute__cloud__vpc__type { + type: string + sql: ${TABLE}.about.`group`.attribute.cloud.vpc.type ;; + group_label: "About Group Attribute Cloud Vpc" + group_item_label: "Type" + } + + dimension: about__group__attribute__creation_time__nanos { + type: number + sql: ${TABLE}.about.`group`.attribute.creation_time.nanos ;; + group_label: "About Group Attribute Creation Time" + group_item_label: "Nanos" + } + + dimension: about__group__attribute__creation_time__seconds { + type: number + sql: ${TABLE}.about.`group`.attribute.creation_time.seconds ;; + group_label: "About Group Attribute Creation Time" + group_item_label: "Seconds" + } + + dimension: about__group__attribute__labels { + hidden: yes + sql: ${TABLE}.about.group.attribute.labels ;; + group_label: "About Group Attribute" + group_item_label: "Labels" + } + + dimension: about__group__attribute__last_update_time__nanos { + type: number + sql: ${TABLE}.about.`group`.attribute.last_update_time.nanos ;; + group_label: "About Group Attribute Last Update Time" + group_item_label: "Nanos" + } + + dimension: about__group__attribute__last_update_time__seconds { + type: number + sql: ${TABLE}.about.`group`.attribute.last_update_time.seconds ;; + group_label: "About Group Attribute Last Update Time" + group_item_label: "Seconds" + } + + dimension: about__group__attribute__permissions { + hidden: yes + sql: ${TABLE}.about.group.attribute.permissions ;; + group_label: "About Group Attribute" + group_item_label: "Permissions" + } + + dimension: about__group__attribute__roles { + hidden: yes + sql: ${TABLE}.about.group.attribute.roles ;; + group_label: "About Group Attribute" + group_item_label: "Roles" + } 
+ + dimension: about__group__creation_time__nanos { + type: number + sql: ${TABLE}.about.`group`.creation_time.nanos ;; + group_label: "About Group Creation Time" + group_item_label: "Nanos" + } + + dimension: about__group__creation_time__seconds { + type: number + sql: ${TABLE}.about.`group`.creation_time.seconds ;; + group_label: "About Group Creation Time" + group_item_label: "Seconds" + } + + dimension: about__group__email_addresses { + hidden: yes + sql: ${TABLE}.about.group.email_addresses ;; + group_label: "About Group" + group_item_label: "Email Addresses" + } + + dimension: about__group__group_display_name { + type: string + sql: ${TABLE}.about.`group`.group_display_name ;; + group_label: "About Group" + group_item_label: "Group Display Name" + } + + dimension: about__group__product_object_id { + type: string + sql: ${TABLE}.about.`group`.product_object_id ;; + group_label: "About Group" + group_item_label: "Product Object ID" + } + + dimension: about__group__windows_sid { + type: string + sql: ${TABLE}.about.`group`.windows_sid ;; + group_label: "About Group" + group_item_label: "Windows Sid" + } + + dimension: about__hostname { + type: string + sql: ${TABLE}.about.hostname ;; + group_label: "About" + group_item_label: "Hostname" + } + + dimension: about__investigation__comments { + hidden: yes + sql: ${TABLE}.about.investigation.comments ;; + group_label: "About Investigation" + group_item_label: "Comments" + } + + dimension: about__investigation__priority { + type: number + sql: ${TABLE}.about.investigation.priority ;; + group_label: "About Investigation" + group_item_label: "Priority" + } + + dimension: about__investigation__reason { + type: number + sql: ${TABLE}.about.investigation.reason ;; + group_label: "About Investigation" + group_item_label: "Reason" + } + + dimension: about__investigation__reputation { + type: number + sql: ${TABLE}.about.investigation.reputation ;; + group_label: "About Investigation" + group_item_label: "Reputation" + } + + 
dimension: about__investigation__risk_score { + type: number + sql: ${TABLE}.about.investigation.risk_score ;; + group_label: "About Investigation" + group_item_label: "Risk Score" + } + + dimension: about__investigation__root_cause { + type: string + sql: ${TABLE}.about.investigation.root_cause ;; + group_label: "About Investigation" + group_item_label: "Root Cause" + } + + dimension: about__investigation__severity_score { + type: number + sql: ${TABLE}.about.investigation.severity_score ;; + group_label: "About Investigation" + group_item_label: "Severity Score" + } + + dimension: about__investigation__status { + type: number + sql: ${TABLE}.about.investigation.status ;; + group_label: "About Investigation" + group_item_label: "Status" + } + + dimension: about__investigation__verdict { + type: number + sql: ${TABLE}.about.investigation.verdict ;; + group_label: "About Investigation" + group_item_label: "Verdict" + } + + dimension: about__ip { + hidden: yes + sql: ${TABLE}.about.ip ;; + group_label: "About" + group_item_label: "IP" + } + + dimension: about__ip_location { + hidden: yes + sql: ${TABLE}.about.ip_location ;; + group_label: "About" + group_item_label: "IP Location" + } + + dimension: about__labels { + hidden: yes + sql: ${TABLE}.about.labels ;; + group_label: "About" + group_item_label: "Labels" + } + + dimension: about__location__city { + type: string + sql: ${TABLE}.about.location.city ;; + group_label: "About Location" + group_item_label: "City" + } + + dimension: about__location__country_or_region { + type: string + sql: ${TABLE}.about.location.country_or_region ;; + group_label: "About Location" + group_item_label: "Country or Region" + } + + dimension: about__location__desk_name { + type: string + sql: ${TABLE}.about.location.desk_name ;; + group_label: "About Location" + group_item_label: "Desk Name" + } + + dimension: about__location__floor_name { + type: string + sql: ${TABLE}.about.location.floor_name ;; + group_label: "About Location" + 
group_item_label: "Floor Name" + } + + dimension: about__location__name { + type: string + sql: ${TABLE}.about.location.name ;; + group_label: "About Location" + group_item_label: "Name" + } + + dimension: about__location__region_latitude { + type: number + sql: ${TABLE}.about.location.region_latitude ;; + group_label: "About Location" + group_item_label: "Region Latitude" + } + + dimension: about__location__region_longitude { + type: number + sql: ${TABLE}.about.location.region_longitude ;; + group_label: "About Location" + group_item_label: "Region Longitude" + } + + dimension: about__location__state { + type: string + sql: ${TABLE}.about.location.state ;; + group_label: "About Location" + group_item_label: "State" + } + + dimension: about__mac { + hidden: yes + sql: ${TABLE}.about.mac ;; + group_label: "About" + group_item_label: "Mac" + } + + dimension: about__namespace { + type: string + sql: ${TABLE}.about.namespace ;; + group_label: "About" + group_item_label: "Namespace" + } + + dimension: about__nat_ip { + hidden: yes + sql: ${TABLE}.about.nat_ip ;; + group_label: "About" + group_item_label: "Nat IP" + } + + dimension: about__nat_port { + type: number + sql: ${TABLE}.about.nat_port ;; + group_label: "About" + group_item_label: "Nat Port" + } + + dimension: about__object_reference__id { + type: string + sql: ${TABLE}.about.object_reference.id ;; + group_label: "About Object Reference" + group_item_label: "ID" + } + + dimension: about__object_reference__namespace { + type: number + sql: ${TABLE}.about.object_reference.namespace ;; + group_label: "About Object Reference" + group_item_label: "Namespace" + } + + dimension: about__platform { + type: number + sql: ${TABLE}.about.platform ;; + group_label: "About" + group_item_label: "Platform" + } + + dimension: about__platform_patch_level { + type: string + sql: ${TABLE}.about.platform_patch_level ;; + group_label: "About" + group_item_label: "Platform Patch Level" + } + + dimension: about__platform_version { + 
type: string + sql: ${TABLE}.about.platform_version ;; + group_label: "About" + group_item_label: "Platform Version" + } + + dimension: about__port { + type: number + sql: ${TABLE}.about.port ;; + group_label: "About" + group_item_label: "Port" + } + + dimension: about__process__access_mask { + type: number + sql: ${TABLE}.about.process.access_mask ;; + group_label: "About Process" + group_item_label: "Access Mask" + } + + dimension: about__process__command_line { + type: string + sql: ${TABLE}.about.process.command_line ;; + group_label: "About Process" + group_item_label: "Command Line" + } + + dimension: about__process__command_line_history { + hidden: yes + sql: ${TABLE}.about.process.command_line_history ;; + group_label: "About Process" + group_item_label: "Command Line History" + } + + dimension: about__process__file__ahash { + type: string + sql: ${TABLE}.about.process.file.ahash ;; + group_label: "About Process File" + group_item_label: "Ahash" + } + + dimension: about__process__file__authentihash { + type: string + sql: ${TABLE}.about.process.file.authentihash ;; + group_label: "About Process File" + group_item_label: "Authentihash" + } + + dimension: about__process__file__capabilities_tags { + hidden: yes + sql: ${TABLE}.about.process.file.capabilities_tags ;; + group_label: "About Process File" + group_item_label: "Capabilities Tags" + } + + dimension: about__process__file__file_metadata__pe__import_hash { + type: string + sql: ${TABLE}.about.process.file.file_metadata.pe.import_hash ;; + group_label: "About Process File File Metadata Pe" + group_item_label: "Import Hash" + } + + dimension: about__process__file__file_type { + type: number + sql: ${TABLE}.about.process.file.file_type ;; + group_label: "About Process File" + group_item_label: "File Type" + } + + dimension: about__process__file__first_seen_time__nanos { + type: number + sql: ${TABLE}.about.process.file.first_seen_time.nanos ;; + group_label: "About Process File First Seen Time" + 
group_item_label: "Nanos" + } + + dimension: about__process__file__first_seen_time__seconds { + type: number + sql: ${TABLE}.about.process.file.first_seen_time.seconds ;; + group_label: "About Process File First Seen Time" + group_item_label: "Seconds" + } + + dimension: about__process__file__full_path { + type: string + sql: ${TABLE}.about.process.file.full_path ;; + group_label: "About Process File" + group_item_label: "Full Path" + } + + dimension: about__process__file__last_modification_time__nanos { + type: number + sql: ${TABLE}.about.process.file.last_modification_time.nanos ;; + group_label: "About Process File Last Modification Time" + group_item_label: "Nanos" + } + + dimension: about__process__file__last_modification_time__seconds { + type: number + sql: ${TABLE}.about.process.file.last_modification_time.seconds ;; + group_label: "About Process File Last Modification Time" + group_item_label: "Seconds" + } + + dimension: about__process__file__last_seen_time__nanos { + type: number + sql: ${TABLE}.about.process.file.last_seen_time.nanos ;; + group_label: "About Process File Last Seen Time" + group_item_label: "Nanos" + } + + dimension: about__process__file__last_seen_time__seconds { + type: number + sql: ${TABLE}.about.process.file.last_seen_time.seconds ;; + group_label: "About Process File Last Seen Time" + group_item_label: "Seconds" + } + + dimension: about__process__file__md5 { + type: string + sql: ${TABLE}.about.process.file.md5 ;; + group_label: "About Process File" + group_item_label: "Md5" + } + + dimension: about__process__file__mime_type { + type: string + sql: ${TABLE}.about.process.file.mime_type ;; + group_label: "About Process File" + group_item_label: "Mime Type" + } + + dimension: about__process__file__names { + hidden: yes + sql: ${TABLE}.about.process.file.names ;; + group_label: "About Process File" + group_item_label: "Names" + } + + dimension: about__process__file__pe_file__compilation_exiftool_time__nanos { + type: number + sql: 
${TABLE}.about.process.file.pe_file.compilation_exiftool_time.nanos ;; + group_label: "About Process File Pe File Compilation Exiftool Time" + group_item_label: "Nanos" + } + + dimension: about__process__file__pe_file__compilation_exiftool_time__seconds { + type: number + sql: ${TABLE}.about.process.file.pe_file.compilation_exiftool_time.seconds ;; + group_label: "About Process File Pe File Compilation Exiftool Time" + group_item_label: "Seconds" + } + + dimension: about__process__file__pe_file__compilation_time__nanos { + type: number + sql: ${TABLE}.about.process.file.pe_file.compilation_time.nanos ;; + group_label: "About Process File Pe File Compilation Time" + group_item_label: "Nanos" + } + + dimension: about__process__file__pe_file__compilation_time__seconds { + type: number + sql: ${TABLE}.about.process.file.pe_file.compilation_time.seconds ;; + group_label: "About Process File Pe File Compilation Time" + group_item_label: "Seconds" + } + + dimension: about__process__file__pe_file__entry_point { + type: number + sql: ${TABLE}.about.process.file.pe_file.entry_point ;; + group_label: "About Process File Pe File" + group_item_label: "Entry Point" + } + + dimension: about__process__file__pe_file__entry_point_exiftool { + type: number + sql: ${TABLE}.about.process.file.pe_file.entry_point_exiftool ;; + group_label: "About Process File Pe File" + group_item_label: "Entry Point Exiftool" + } + + dimension: about__process__file__pe_file__imphash { + type: string + sql: ${TABLE}.about.process.file.pe_file.imphash ;; + group_label: "About Process File Pe File" + group_item_label: "Imphash" + } + + dimension: about__process__file__pe_file__imports { + hidden: yes + sql: ${TABLE}.about.process.file.pe_file.imports ;; + group_label: "About Process File Pe File" + group_item_label: "Imports" + } + + dimension: about__process__file__pe_file__resource { + hidden: yes + sql: ${TABLE}.about.process.file.pe_file.resource ;; + group_label: "About Process File Pe File" + 
group_item_label: "Resource" + } + + dimension: about__process__file__pe_file__resources_language_count { + hidden: yes + sql: ${TABLE}.about.process.file.pe_file.resources_language_count ;; + group_label: "About Process File Pe File" + group_item_label: "Resources Language Count" + } + + dimension: about__process__file__pe_file__resources_language_count_str { + hidden: yes + sql: ${TABLE}.about.process.file.pe_file.resources_language_count_str ;; + group_label: "About Process File Pe File" + group_item_label: "Resources Language Count Str" + } + + dimension: about__process__file__pe_file__resources_type_count { + hidden: yes + sql: ${TABLE}.about.process.file.pe_file.resources_type_count ;; + group_label: "About Process File Pe File" + group_item_label: "Resources Type Count" + } + + dimension: about__process__file__pe_file__resources_type_count_str { + hidden: yes + sql: ${TABLE}.about.process.file.pe_file.resources_type_count_str ;; + group_label: "About Process File Pe File" + group_item_label: "Resources Type Count Str" + } + + dimension: about__process__file__pe_file__section { + hidden: yes + sql: ${TABLE}.about.process.file.pe_file.section ;; + group_label: "About Process File Pe File" + group_item_label: "Section" + } + + dimension: about__process__file__pe_file__signature_info__signer { + hidden: yes + sql: ${TABLE}.about.process.file.pe_file.signature_info.signer ;; + group_label: "About Process File Pe File Signature Info" + group_item_label: "Signer" + } + + dimension: about__process__file__pe_file__signature_info__signers { + hidden: yes + sql: ${TABLE}.about.process.file.pe_file.signature_info.signers ;; + group_label: "About Process File Pe File Signature Info" + group_item_label: "Signers" + } + + dimension: about__process__file__pe_file__signature_info__verification_message { + type: string + sql: ${TABLE}.about.process.file.pe_file.signature_info.verification_message ;; + group_label: "About Process File Pe File Signature Info" + 
group_item_label: "Verification Message" + } + + dimension: about__process__file__pe_file__signature_info__verified { + type: yesno + sql: ${TABLE}.about.process.file.pe_file.signature_info.verified ;; + group_label: "About Process File Pe File Signature Info" + group_item_label: "Verified" + } + + dimension: about__process__file__prevalence__day_count { + type: number + sql: ${TABLE}.about.process.file.prevalence.day_count ;; + group_label: "About Process File Prevalence" + group_item_label: "Day Count" + } + + dimension: about__process__file__prevalence__day_max { + type: number + sql: ${TABLE}.about.process.file.prevalence.day_max ;; + group_label: "About Process File Prevalence" + group_item_label: "Day Max" + } + + dimension: about__process__file__prevalence__day_max_sub_domains { + type: number + sql: ${TABLE}.about.process.file.prevalence.day_max_sub_domains ;; + group_label: "About Process File Prevalence" + group_item_label: "Day Max Sub Domains" + } + + dimension: about__process__file__prevalence__rolling_max { + type: number + sql: ${TABLE}.about.process.file.prevalence.rolling_max ;; + group_label: "About Process File Prevalence" + group_item_label: "Rolling Max" + } + + dimension: about__process__file__prevalence__rolling_max_sub_domains { + type: number + sql: ${TABLE}.about.process.file.prevalence.rolling_max_sub_domains ;; + group_label: "About Process File Prevalence" + group_item_label: "Rolling Max Sub Domains" + } + + dimension: about__process__file__sha1 { + type: string + sql: ${TABLE}.about.process.file.sha1 ;; + group_label: "About Process File" + group_item_label: "Sha1" + } + + dimension: about__process__file__sha256 { + type: string + sql: ${TABLE}.about.process.file.sha256 ;; + group_label: "About Process File" + group_item_label: "Sha256" + } + + dimension: about__process__file__size { + type: number + sql: ${TABLE}.about.process.file.size ;; + group_label: "About Process File" + group_item_label: "Size" + } + + dimension: 
about__process__file__ssdeep { + type: string + sql: ${TABLE}.about.process.file.ssdeep ;; + group_label: "About Process File" + group_item_label: "Ssdeep" + } + + dimension: about__process__file__vhash { + type: string + sql: ${TABLE}.about.process.file.vhash ;; + group_label: "About Process File" + group_item_label: "Vhash" + } + + dimension: about__process__parent_pid { + type: string + sql: ${TABLE}.about.process.parent_pid ;; + group_label: "About Process" + group_item_label: "Parent Pid" + } + + dimension: about__process__pid { + type: string + sql: ${TABLE}.about.process.pid ;; + group_label: "About Process" + group_item_label: "Pid" + } + + dimension: about__process__product_specific_parent_process_id { + type: string + sql: ${TABLE}.about.process.product_specific_parent_process_id ;; + group_label: "About Process" + group_item_label: "Product Specific Parent Process ID" + } + + dimension: about__process__product_specific_process_id { + type: string + sql: ${TABLE}.about.process.product_specific_process_id ;; + group_label: "About Process" + group_item_label: "Product Specific Process ID" + } + + dimension: about__process_ancestors { + hidden: yes + sql: ${TABLE}.about.process_ancestors ;; + group_label: "About" + group_item_label: "Process Ancestors" + } + + dimension: about__registry__registry_key { + type: string + sql: ${TABLE}.about.registry.registry_key ;; + group_label: "About Registry" + group_item_label: "Registry Key" + } + + dimension: about__registry__registry_value_data { + type: string + sql: ${TABLE}.about.registry.registry_value_data ;; + group_label: "About Registry" + group_item_label: "Registry Value Data" + } + + dimension: about__registry__registry_value_name { + type: string + sql: ${TABLE}.about.registry.registry_value_name ;; + group_label: "About Registry" + group_item_label: "Registry Value Name" + } + + dimension: about__resource__attribute__cloud__availability_zone { + type: string + sql: 
${TABLE}.about.resource.attribute.cloud.availability_zone ;; + group_label: "About Resource Attribute Cloud" + group_item_label: "Availability Zone" + } + + dimension: about__resource__attribute__cloud__environment { + type: number + sql: ${TABLE}.about.resource.attribute.cloud.environment ;; + group_label: "About Resource Attribute Cloud" + group_item_label: "Environment" + } + + dimension: about__resource__attribute__creation_time__nanos { + type: number + sql: ${TABLE}.about.resource.attribute.creation_time.nanos ;; + group_label: "About Resource Attribute Creation Time" + group_item_label: "Nanos" + } + + dimension: about__resource__attribute__creation_time__seconds { + type: number + sql: ${TABLE}.about.resource.attribute.creation_time.seconds ;; + group_label: "About Resource Attribute Creation Time" + group_item_label: "Seconds" + } + + dimension: about__resource__attribute__labels { + hidden: yes + sql: ${TABLE}.about.resource.attribute.labels ;; + group_label: "About Resource Attribute" + group_item_label: "Labels" + } + + dimension: about__resource__attribute__last_update_time__nanos { + type: number + sql: ${TABLE}.about.resource.attribute.last_update_time.nanos ;; + group_label: "About Resource Attribute Last Update Time" + group_item_label: "Nanos" + } + + dimension: about__resource__attribute__last_update_time__seconds { + type: number + sql: ${TABLE}.about.resource.attribute.last_update_time.seconds ;; + group_label: "About Resource Attribute Last Update Time" + group_item_label: "Seconds" + } + + dimension: about__resource__attribute__permissions { + hidden: yes + sql: ${TABLE}.about.resource.attribute.permissions ;; + group_label: "About Resource Attribute" + group_item_label: "Permissions" + } + + dimension: about__resource__attribute__roles { + hidden: yes + sql: ${TABLE}.about.resource.attribute.roles ;; + group_label: "About Resource Attribute" + group_item_label: "Roles" + } + + dimension: about__resource__id { + type: string + sql: 
${TABLE}.about.resource.id ;; + group_label: "About Resource" + group_item_label: "ID" + } + + dimension: about__resource__name { + type: string + sql: ${TABLE}.about.resource.name ;; + group_label: "About Resource" + group_item_label: "Name" + } + + dimension: about__resource__parent { + type: string + sql: ${TABLE}.about.resource.parent ;; + group_label: "About Resource" + group_item_label: "Parent" + } + + dimension: about__resource__product_object_id { + type: string + sql: ${TABLE}.about.resource.product_object_id ;; + group_label: "About Resource" + group_item_label: "Product Object ID" + } + + dimension: about__resource__resource_subtype { + type: string + sql: ${TABLE}.about.resource.resource_subtype ;; + group_label: "About Resource" + group_item_label: "Resource Subtype" + } + + dimension: about__resource__resource_type { + type: number + sql: ${TABLE}.about.resource.resource_type ;; + group_label: "About Resource" + group_item_label: "Resource Type" + } + + dimension: about__resource__type { + type: string + sql: ${TABLE}.about.resource.type ;; + group_label: "About Resource" + group_item_label: "Type" + } + + dimension: about__resource_ancestors { + hidden: yes + sql: ${TABLE}.about.resource_ancestors ;; + group_label: "About" + group_item_label: "Resource Ancestors" + } + + dimension: about__url { + type: string + sql: ${TABLE}.about.url ;; + group_label: "About" + group_item_label: "URL" + } + + dimension: about__user__account_type { + type: number + sql: ${TABLE}.about.user.account_type ;; + group_label: "About User" + group_item_label: "Account Type" + } + + dimension: about__user__attribute__cloud__availability_zone { + type: string + sql: ${TABLE}.about.user.attribute.cloud.availability_zone ;; + group_label: "About User Attribute Cloud" + group_item_label: "Availability Zone" + } + + dimension: about__user__attribute__cloud__environment { + type: number + sql: ${TABLE}.about.user.attribute.cloud.environment ;; + group_label: "About User Attribute 
Cloud" + group_item_label: "Environment" + } + + dimension: about__user__attribute__cloud__project__id { + type: string + sql: ${TABLE}.about.user.attribute.cloud.project.id ;; + group_label: "About User Attribute Cloud Project" + group_item_label: "ID" + } + + dimension: about__user__attribute__cloud__project__name { + type: string + sql: ${TABLE}.about.user.attribute.cloud.project.name ;; + group_label: "About User Attribute Cloud Project" + group_item_label: "Name" + } + + dimension: about__user__attribute__cloud__project__parent { + type: string + sql: ${TABLE}.about.user.attribute.cloud.project.parent ;; + group_label: "About User Attribute Cloud Project" + group_item_label: "Parent" + } + + dimension: about__user__attribute__cloud__project__product_object_id { + type: string + sql: ${TABLE}.about.user.attribute.cloud.project.product_object_id ;; + group_label: "About User Attribute Cloud Project" + group_item_label: "Product Object ID" + } + + dimension: about__user__attribute__cloud__project__resource_subtype { + type: string + sql: ${TABLE}.about.user.attribute.cloud.project.resource_subtype ;; + group_label: "About User Attribute Cloud Project" + group_item_label: "Resource Subtype" + } + + dimension: about__user__attribute__cloud__project__resource_type { + type: number + sql: ${TABLE}.about.user.attribute.cloud.project.resource_type ;; + group_label: "About User Attribute Cloud Project" + group_item_label: "Resource Type" + } + + dimension: about__user__attribute__cloud__project__type { + type: string + sql: ${TABLE}.about.user.attribute.cloud.project.type ;; + group_label: "About User Attribute Cloud Project" + group_item_label: "Type" + } + + dimension: about__user__attribute__cloud__vpc__id { + type: string + sql: ${TABLE}.about.user.attribute.cloud.vpc.id ;; + group_label: "About User Attribute Cloud Vpc" + group_item_label: "ID" + } + + dimension: about__user__attribute__cloud__vpc__name { + type: string + sql: 
${TABLE}.about.user.attribute.cloud.vpc.name ;; + group_label: "About User Attribute Cloud Vpc" + group_item_label: "Name" + } + + dimension: about__user__attribute__cloud__vpc__parent { + type: string + sql: ${TABLE}.about.user.attribute.cloud.vpc.parent ;; + group_label: "About User Attribute Cloud Vpc" + group_item_label: "Parent" + } + + dimension: about__user__attribute__cloud__vpc__product_object_id { + type: string + sql: ${TABLE}.about.user.attribute.cloud.vpc.product_object_id ;; + group_label: "About User Attribute Cloud Vpc" + group_item_label: "Product Object ID" + } + + dimension: about__user__attribute__cloud__vpc__resource_subtype { + type: string + sql: ${TABLE}.about.user.attribute.cloud.vpc.resource_subtype ;; + group_label: "About User Attribute Cloud Vpc" + group_item_label: "Resource Subtype" + } + + dimension: about__user__attribute__cloud__vpc__resource_type { + type: number + sql: ${TABLE}.about.user.attribute.cloud.vpc.resource_type ;; + group_label: "About User Attribute Cloud Vpc" + group_item_label: "Resource Type" + } + + dimension: about__user__attribute__cloud__vpc__type { + type: string + sql: ${TABLE}.about.user.attribute.cloud.vpc.type ;; + group_label: "About User Attribute Cloud Vpc" + group_item_label: "Type" + } + + dimension: about__user__attribute__creation_time__nanos { + type: number + sql: ${TABLE}.about.user.attribute.creation_time.nanos ;; + group_label: "About User Attribute Creation Time" + group_item_label: "Nanos" + } + + dimension: about__user__attribute__creation_time__seconds { + type: number + sql: ${TABLE}.about.user.attribute.creation_time.seconds ;; + group_label: "About User Attribute Creation Time" + group_item_label: "Seconds" + } + + dimension: about__user__attribute__labels { + hidden: yes + sql: ${TABLE}.about.user.attribute.labels ;; + group_label: "About User Attribute" + group_item_label: "Labels" + } + + dimension: about__user__attribute__last_update_time__nanos { + type: number + sql: 
${TABLE}.about.user.attribute.last_update_time.nanos ;; + group_label: "About User Attribute Last Update Time" + group_item_label: "Nanos" + } + + dimension: about__user__attribute__last_update_time__seconds { + type: number + sql: ${TABLE}.about.user.attribute.last_update_time.seconds ;; + group_label: "About User Attribute Last Update Time" + group_item_label: "Seconds" + } + + dimension: about__user__attribute__permissions { + hidden: yes + sql: ${TABLE}.about.user.attribute.permissions ;; + group_label: "About User Attribute" + group_item_label: "Permissions" + } + + dimension: about__user__attribute__roles { + hidden: yes + sql: ${TABLE}.about.user.attribute.roles ;; + group_label: "About User Attribute" + group_item_label: "Roles" + } + + dimension: about__user__company_name { + type: string + sql: ${TABLE}.about.user.company_name ;; + group_label: "About User" + group_item_label: "Company Name" + } + + dimension: about__user__department { + hidden: yes + sql: ${TABLE}.about.user.department ;; + group_label: "About User" + group_item_label: "Department" + } + + dimension: about__user__email_addresses { + hidden: yes + sql: ${TABLE}.about.user.email_addresses ;; + group_label: "About User" + group_item_label: "Email Addresses" + } + + dimension: about__user__employee_id { + type: string + sql: ${TABLE}.about.user.employee_id ;; + group_label: "About User" + group_item_label: "Employee ID" + } + + dimension: about__user__first_name { + type: string + sql: ${TABLE}.about.user.first_name ;; + group_label: "About User" + group_item_label: "First Name" + } + + dimension: about__user__first_seen_time__nanos { + type: number + sql: ${TABLE}.about.user.first_seen_time.nanos ;; + group_label: "About User First Seen Time" + group_item_label: "Nanos" + } + + dimension: about__user__first_seen_time__seconds { + type: number + sql: ${TABLE}.about.user.first_seen_time.seconds ;; + group_label: "About User First Seen Time" + group_item_label: "Seconds" + } + + dimension: 
about__user__group_identifiers { + hidden: yes + sql: ${TABLE}.about.user.group_identifiers ;; + group_label: "About User" + group_item_label: "Group Identifiers" + } + + dimension: about__user__groupid { + type: string + sql: ${TABLE}.about.user.groupid ;; + group_label: "About User" + group_item_label: "Groupid" + } + + dimension: about__user__hire_date__nanos { + type: number + sql: ${TABLE}.about.user.hire_date.nanos ;; + group_label: "About User Hire Date" + group_item_label: "Nanos" + } + + dimension: about__user__hire_date__seconds { + type: number + sql: ${TABLE}.about.user.hire_date.seconds ;; + group_label: "About User Hire Date" + group_item_label: "Seconds" + } + + dimension: about__user__last_name { + type: string + sql: ${TABLE}.about.user.last_name ;; + group_label: "About User" + group_item_label: "Last Name" + } + + dimension: about__user__middle_name { + type: string + sql: ${TABLE}.about.user.middle_name ;; + group_label: "About User" + group_item_label: "Middle Name" + } + + dimension: about__user__office_address__city { + type: string + sql: ${TABLE}.about.user.office_address.city ;; + group_label: "About User Office Address" + group_item_label: "City" + } + + dimension: about__user__office_address__country_or_region { + type: string + sql: ${TABLE}.about.user.office_address.country_or_region ;; + group_label: "About User Office Address" + group_item_label: "Country or Region" + } + + dimension: about__user__office_address__desk_name { + type: string + sql: ${TABLE}.about.user.office_address.desk_name ;; + group_label: "About User Office Address" + group_item_label: "Desk Name" + } + + dimension: about__user__office_address__floor_name { + type: string + sql: ${TABLE}.about.user.office_address.floor_name ;; + group_label: "About User Office Address" + group_item_label: "Floor Name" + } + + dimension: about__user__office_address__name { + type: string + sql: ${TABLE}.about.user.office_address.name ;; + group_label: "About User Office Address" + 
group_item_label: "Name" + } + + dimension: about__user__office_address__region_latitude { + type: number + sql: ${TABLE}.about.user.office_address.region_latitude ;; + group_label: "About User Office Address" + group_item_label: "Region Latitude" + } + + dimension: about__user__office_address__region_longitude { + type: number + sql: ${TABLE}.about.user.office_address.region_longitude ;; + group_label: "About User Office Address" + group_item_label: "Region Longitude" + } + + dimension: about__user__office_address__state { + type: string + sql: ${TABLE}.about.user.office_address.state ;; + group_label: "About User Office Address" + group_item_label: "State" + } + + dimension: about__user__personal_address__city { + type: string + sql: ${TABLE}.about.user.personal_address.city ;; + group_label: "About User Personal Address" + group_item_label: "City" + } + + dimension: about__user__personal_address__country_or_region { + type: string + sql: ${TABLE}.about.user.personal_address.country_or_region ;; + group_label: "About User Personal Address" + group_item_label: "Country or Region" + } + + dimension: about__user__personal_address__desk_name { + type: string + sql: ${TABLE}.about.user.personal_address.desk_name ;; + group_label: "About User Personal Address" + group_item_label: "Desk Name" + } + + dimension: about__user__personal_address__floor_name { + type: string + sql: ${TABLE}.about.user.personal_address.floor_name ;; + group_label: "About User Personal Address" + group_item_label: "Floor Name" + } + + dimension: about__user__personal_address__name { + type: string + sql: ${TABLE}.about.user.personal_address.name ;; + group_label: "About User Personal Address" + group_item_label: "Name" + } + + dimension: about__user__personal_address__region_latitude { + type: number + sql: ${TABLE}.about.user.personal_address.region_latitude ;; + group_label: "About User Personal Address" + group_item_label: "Region Latitude" + } + + dimension: 
about__user__personal_address__region_longitude { + type: number + sql: ${TABLE}.about.user.personal_address.region_longitude ;; + group_label: "About User Personal Address" + group_item_label: "Region Longitude" + } + + dimension: about__user__personal_address__state { + type: string + sql: ${TABLE}.about.user.personal_address.state ;; + group_label: "About User Personal Address" + group_item_label: "State" + } + + dimension: about__user__phone_numbers { + hidden: yes + sql: ${TABLE}.about.user.phone_numbers ;; + group_label: "About User" + group_item_label: "Phone Numbers" + } + + dimension: about__user__product_object_id { + type: string + sql: ${TABLE}.about.user.product_object_id ;; + group_label: "About User" + group_item_label: "Product Object ID" + } + + dimension: about__user__role_description { + type: string + sql: ${TABLE}.about.user.role_description ;; + group_label: "About User" + group_item_label: "Role Description" + } + + dimension: about__user__role_name { + type: string + sql: ${TABLE}.about.user.role_name ;; + group_label: "About User" + group_item_label: "Role Name" + } + + dimension: about__user__termination_date__nanos { + type: number + sql: ${TABLE}.about.user.termination_date.nanos ;; + group_label: "About User Termination Date" + group_item_label: "Nanos" + } + + dimension: about__user__termination_date__seconds { + type: number + sql: ${TABLE}.about.user.termination_date.seconds ;; + group_label: "About User Termination Date" + group_item_label: "Seconds" + } + + dimension: about__user__time_off { + hidden: yes + sql: ${TABLE}.about.user.time_off ;; + group_label: "About User" + group_item_label: "Time Off" + } + + dimension: about__user__title { + type: string + sql: ${TABLE}.about.user.title ;; + group_label: "About User" + group_item_label: "Title" + } + + dimension: about__user__user_authentication_status { + type: number + sql: ${TABLE}.about.user.user_authentication_status ;; + group_label: "About User" + group_item_label: "User 
Authentication Status" + } + + dimension: about__user__user_display_name { + type: string + sql: ${TABLE}.about.user.user_display_name ;; + group_label: "About User" + group_item_label: "User Display Name" + } + + dimension: about__user__user_role { + type: number + sql: ${TABLE}.about.user.user_role ;; + group_label: "About User" + group_item_label: "User Role" + } + + dimension: about__user__userid { + type: string + sql: ${TABLE}.about.user.userid ;; + group_label: "About User" + group_item_label: "Userid" + } + + dimension: about__user__windows_sid { + type: string + sql: ${TABLE}.about.user.windows_sid ;; + group_label: "About User" + group_item_label: "Windows Sid" + } + + dimension: about__user_management_chain { + hidden: yes + sql: ${TABLE}.about.user_management_chain ;; + group_label: "About" + group_item_label: "User Management Chain" + } + + dimension: cve_description { + type: string + sql: ${TABLE}.cve_description ;; + } + + dimension: cve_id { + type: string + sql: ${TABLE}.cve_id ;; + } + + dimension: cvss_base_score { + type: number + sql: ${TABLE}.cvss_base_score ;; + } + + dimension: cvss_vector { + type: string + sql: ${TABLE}.cvss_vector ;; + } + + dimension: cvss_version { + type: string + sql: ${TABLE}.cvss_version ;; + } + + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: first_found__nanos { + type: number + sql: ${TABLE}.first_found.nanos ;; + group_label: "First Found" + group_item_label: "Nanos" + } + + dimension: first_found__seconds { + type: number + sql: ${TABLE}.first_found.seconds ;; + group_label: "First Found" + group_item_label: "Seconds" + } + + dimension: last_found__nanos { + type: number + sql: ${TABLE}.last_found.nanos ;; + group_label: "Last Found" + group_item_label: "Nanos" + } + + dimension: last_found__seconds { + type: number + sql: ${TABLE}.last_found.seconds ;; + group_label: "Last Found" + group_item_label: "Seconds" + } + + dimension: name { + type: string + sql: 
${TABLE}.name ;; + } + + dimension: scan_end_time__nanos { + type: number + sql: ${TABLE}.scan_end_time.nanos ;; + group_label: "Scan End Time" + group_item_label: "Nanos" + } + + dimension: scan_end_time__seconds { + type: number + sql: ${TABLE}.scan_end_time.seconds ;; + group_label: "Scan End Time" + group_item_label: "Seconds" + } + + dimension: scan_start_time__nanos { + type: number + sql: ${TABLE}.scan_start_time.nanos ;; + group_label: "Scan Start Time" + group_item_label: "Nanos" + } + + dimension: scan_start_time__seconds { + type: number + sql: ${TABLE}.scan_start_time.seconds ;; + group_label: "Scan Start Time" + group_item_label: "Seconds" + } + + dimension: severity { + type: number + sql: ${TABLE}.severity ;; + } + + dimension: severity_details { + type: string + sql: ${TABLE}.severity_details ;; + } + + dimension: vendor { + type: string + sql: ${TABLE}.vendor ;; + } + + dimension: vendor_knowledge_base_article_id { + type: string + sql: ${TABLE}.vendor_knowledge_base_article_id ;; + } + + dimension: vendor_vulnerability_id { + type: string + sql: ${TABLE}.vendor_vulnerability_id ;; + } +} + +view: udm_events__about__user_management_chain__department { + dimension: udm_events__about__user_management_chain__department { + type: string + sql: udm_events__about__user_management_chain__department ;; + } +} + +view: udm_events__about__domain__tech__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + 
dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: udm_events__about__domain__tech__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__about__domain__tech__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__about__domain__billing__group_identifiers { + dimension: udm_events__about__domain__billing__group_identifiers { + type: string + sql: udm_events__about__domain__billing__group_identifiers ;; + } +} + +view: udm_events__about__domain__zone__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: udm_events__about__domain__zone__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + 
type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__about__domain__zone__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__about__asset__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__intermediary__file__pe_file__section { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + } + + dimension: md5_hex { + type: string + sql: ${TABLE}.md5_hex ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: raw_size_bytes { + type: number + sql: ${TABLE}.raw_size_bytes ;; + } + + dimension: virtual_size_bytes { + type: number + sql: ${TABLE}.virtual_size_bytes ;; + } +} + +view: udm_events__intermediary__domain__tech__phone_numbers { + dimension: udm_events__intermediary__domain__tech__phone_numbers { + type: string + sql: udm_events__intermediary__domain__tech__phone_numbers ;; + } +} + +view: udm_events__intermediary__domain__billing__department { + dimension: udm_events__intermediary__domain__billing__department { + type: string + sql: udm_events__intermediary__domain__billing__department ;; + } +} + +view: udm_events__intermediary__domain__zone__phone_numbers { + dimension: udm_events__intermediary__domain__zone__phone_numbers { + type: string + sql: udm_events__intermediary__domain__zone__phone_numbers ;; + } +} + +view: udm_events__intermediary__user__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: 
interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: udm_events__intermediary__user__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__intermediary__user__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__principal__file__pe_file__imports { + dimension: functions { + hidden: yes + sql: ${TABLE}.functions ;; + } + + dimension: library { + type: string + sql: ${TABLE}.library ;; + } +} + +view: udm_events__principal__group__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__principal__group__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__principal__process__command_line_history { + dimension: udm_events__principal__process__command_line_history { + type: string + sql: udm_events__principal__process__command_line_history ;; + } +} 
+ +view: udm_events__principal__process_ancestors__file__names { + dimension: udm_events__principal__process_ancestors__file__names { + type: string + sql: udm_events__principal__process_ancestors__file__names ;; + } +} + +view: udm_events__principal__domain__admin__email_addresses { + dimension: udm_events__principal__domain__admin__email_addresses { + type: string + sql: udm_events__principal__domain__admin__email_addresses ;; + } +} + +view: udm_events__principal__domain__billing__phone_numbers { + dimension: udm_events__principal__domain__billing__phone_numbers { + type: string + sql: udm_events__principal__domain__billing__phone_numbers ;; + } +} + +view: udm_events__principal__domain__registrant__department { + dimension: udm_events__principal__domain__registrant__department { + type: string + sql: udm_events__principal__domain__registrant__department ;; + } +} + +view: udm_events__observer__file__pe_file__resource { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + } + + dimension: file_type { + type: string + sql: ${TABLE}.file_type ;; + } + + dimension: filetype_magic { + type: string + sql: ${TABLE}.filetype_magic ;; + } + + dimension: language_code { + type: string + sql: ${TABLE}.language_code ;; + } + + dimension: resource_type { + type: string + sql: ${TABLE}.resource_type ;; + } + + dimension: sha256_hex { + type: string + sql: ${TABLE}.sha256_hex ;; + } +} + +view: udm_events__observer__resource__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__observer__resource__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: 
udm_events__observer__domain__tech__group_identifiers { + dimension: udm_events__observer__domain__tech__group_identifiers { + type: string + sql: udm_events__observer__domain__tech__group_identifiers ;; + } +} + +view: udm_events__observer__domain__zone__group_identifiers { + dimension: udm_events__observer__domain__zone__group_identifiers { + type: string + sql: udm_events__observer__domain__zone__group_identifiers ;; + } +} + +view: udm_events__src__cloud__project__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__src__cloud__project__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__src__file__pe_file__signature_info__signer { + dimension: udm_events__src__file__pe_file__signature_info__signer { + type: string + sql: udm_events__src__file__pe_file__signature_info__signer ;; + } +} + +view: udm_events__src__group__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__security_result__about__ip_location { + dimension: city { + type: string + sql: ${TABLE}.city ;; + } + + dimension: country_or_region { + type: string + sql: ${TABLE}.country_or_region ;; + } + + dimension: desk_name { + type: string + sql: ${TABLE}.desk_name ;; + } + + dimension: floor_name { + type: string + sql: ${TABLE}.floor_name ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: region_latitude { + type: number + sql: ${TABLE}.region_latitude ;; + } + + dimension: 
region_longitude { + type: number + sql: ${TABLE}.region_longitude ;; + } + + dimension: state { + type: string + sql: ${TABLE}.state ;; + } +} + +view: udm_events__security_result__about__asset__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__target__domain__registrant__phone_numbers { + dimension: udm_events__target__domain__registrant__phone_numbers { + type: string + sql: udm_events__target__domain__registrant__phone_numbers ;; + } +} + +view: udm_events__target__asset__software__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__target__user__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__about__process__file__pe_file__section { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + } + + dimension: md5_hex { + type: string + sql: ${TABLE}.md5_hex ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: raw_size_bytes { + type: number + sql: ${TABLE}.raw_size_bytes ;; + } + + dimension: virtual_size_bytes { + type: number + sql: ${TABLE}.virtual_size_bytes ;; + } +} + +view: udm_events__about__domain__admin__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: 
${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: udm_events__about__domain__admin__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__about__domain__admin__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__about__domain__registrant__email_addresses { + dimension: udm_events__about__domain__registrant__email_addresses { + type: string + sql: udm_events__about__domain__registrant__email_addresses ;; + } +} + +view: udm_events__intermediary__domain__admin__phone_numbers { + dimension: udm_events__intermediary__domain__admin__phone_numbers { + type: string + sql: udm_events__intermediary__domain__admin__phone_numbers ;; + } +} + +view: udm_events__intermediary__asset__vulnerabilities { + dimension: cve_description { + type: string + sql: ${TABLE}.cve_description ;; + } + + dimension: cve_id { + type: string + sql: ${TABLE}.cve_id ;; + } + + dimension: cvss_base_score { + type: number + sql: ${TABLE}.cvss_base_score ;; + } + + dimension: cvss_vector { + type: string + sql: ${TABLE}.cvss_vector ;; + } + + dimension: cvss_version { + type: string + sql: ${TABLE}.cvss_version ;; + } + + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + 
dimension: first_found__nanos { + type: number + sql: ${TABLE}.first_found.nanos ;; + group_label: "First Found" + group_item_label: "Nanos" + } + + dimension: first_found__seconds { + type: number + sql: ${TABLE}.first_found.seconds ;; + group_label: "First Found" + group_item_label: "Seconds" + } + + dimension: last_found__nanos { + type: number + sql: ${TABLE}.last_found.nanos ;; + group_label: "Last Found" + group_item_label: "Nanos" + } + + dimension: last_found__seconds { + type: number + sql: ${TABLE}.last_found.seconds ;; + group_label: "Last Found" + group_item_label: "Seconds" + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: scan_end_time__nanos { + type: number + sql: ${TABLE}.scan_end_time.nanos ;; + group_label: "Scan End Time" + group_item_label: "Nanos" + } + + dimension: scan_end_time__seconds { + type: number + sql: ${TABLE}.scan_end_time.seconds ;; + group_label: "Scan End Time" + group_item_label: "Seconds" + } + + dimension: scan_start_time__nanos { + type: number + sql: ${TABLE}.scan_start_time.nanos ;; + group_label: "Scan Start Time" + group_item_label: "Nanos" + } + + dimension: scan_start_time__seconds { + type: number + sql: ${TABLE}.scan_start_time.seconds ;; + group_label: "Scan Start Time" + group_item_label: "Seconds" + } + + dimension: severity { + type: number + sql: ${TABLE}.severity ;; + } + + dimension: severity_details { + type: string + sql: ${TABLE}.severity_details ;; + } + + dimension: vendor { + type: string + sql: ${TABLE}.vendor ;; + } + + dimension: vendor_knowledge_base_article_id { + type: string + sql: ${TABLE}.vendor_knowledge_base_article_id ;; + } + + dimension: vendor_vulnerability_id { + type: string + sql: ${TABLE}.vendor_vulnerability_id ;; + } +} + +view: udm_events__intermediary__asset__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: 
number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__intermediary__asset__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__principal__file__pe_file__resource { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + } + + dimension: file_type { + type: string + sql: ${TABLE}.file_type ;; + } + + dimension: filetype_magic { + type: string + sql: ${TABLE}.filetype_magic ;; + } + + dimension: language_code { + type: string + sql: ${TABLE}.language_code ;; + } + + dimension: resource_type { + type: string + sql: ${TABLE}.resource_type ;; + } + + dimension: sha256_hex { + type: string + sql: ${TABLE}.sha256_hex ;; + } +} + +view: udm_events__principal__resource__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__principal__resource__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__principal__domain__tech__group_identifiers { + dimension: udm_events__principal__domain__tech__group_identifiers { + type: string + sql: udm_events__principal__domain__tech__group_identifiers ;; + } +} + +view: udm_events__principal__domain__zone__group_identifiers { + dimension: udm_events__principal__domain__zone__group_identifiers { + type: string + sql: udm_events__principal__domain__zone__group_identifiers ;; + } +} + +view: udm_events__observer__cloud__vpc__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: 
${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__observer__cloud__vpc__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__observer__file__pe_file__imports__functions { + dimension: udm_events__observer__file__pe_file__imports__functions { + type: string + sql: udm_events__observer__file__pe_file__imports__functions ;; + } +} + +view: udm_events__observer__process__file__capabilities_tags { + dimension: udm_events__observer__process__file__capabilities_tags { + type: string + sql: udm_events__observer__process__file__capabilities_tags ;; + } +} + +view: udm_events__observer__domain__admin__group_identifiers { + dimension: udm_events__observer__domain__admin__group_identifiers { + type: string + sql: udm_events__observer__domain__admin__group_identifiers ;; + } +} + +view: udm_events__observer__domain__billing__email_addresses { + dimension: udm_events__observer__domain__billing__email_addresses { + type: string + sql: udm_events__observer__domain__billing__email_addresses ;; + } +} + +view: udm_events__src__resource__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__src__user_management_chain__phone_numbers { + dimension: udm_events__src__user_management_chain__phone_numbers { + type: string + sql: udm_events__src__user_management_chain__phone_numbers ;; + } +} + +view: udm_events__src__domain__billing__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval 
End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: udm_events__src__domain__billing__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__src__domain__billing__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__src__domain__registrant__group_identifiers { + dimension: udm_events__src__domain__registrant__group_identifiers { + type: string + sql: udm_events__src__domain__registrant__group_identifiers ;; + } +} + +view: udm_events__target__user_management_chain__department { + dimension: udm_events__target__user_management_chain__department { + type: string + sql: udm_events__target__user_management_chain__department ;; + } +} + +view: udm_events__target__domain__tech__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" 
+ group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: udm_events__target__domain__tech__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__target__domain__tech__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__target__domain__billing__group_identifiers { + dimension: udm_events__target__domain__billing__group_identifiers { + type: string + sql: udm_events__target__domain__billing__group_identifiers ;; + } +} + +view: udm_events__target__domain__zone__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: 
udm_events__target__domain__zone__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__target__domain__zone__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__target__asset__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__about__cloud__project__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__about__cloud__project__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__about__file__pe_file__signature_info__signer { + dimension: udm_events__about__file__pe_file__signature_info__signer { + type: string + sql: udm_events__about__file__pe_file__signature_info__signer ;; + } +} + +view: udm_events__about__group__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__intermediary__user_management_chain { + dimension: account_type { + type: number + sql: ${TABLE}.account_type ;; + } + + dimension: 
attribute__cloud__availability_zone { + type: string + sql: ${TABLE}.attribute.cloud.availability_zone ;; + group_label: "Attribute Cloud" + group_item_label: "Availability Zone" + } + + dimension: attribute__cloud__environment { + type: number + sql: ${TABLE}.attribute.cloud.environment ;; + group_label: "Attribute Cloud" + group_item_label: "Environment" + } + + dimension: attribute__cloud__project__id { + type: string + sql: ${TABLE}.attribute.cloud.project.id ;; + group_label: "Attribute Cloud Project" + group_item_label: "ID" + } + + dimension: attribute__cloud__project__name { + type: string + sql: ${TABLE}.attribute.cloud.project.name ;; + group_label: "Attribute Cloud Project" + group_item_label: "Name" + } + + dimension: attribute__cloud__project__parent { + type: string + sql: ${TABLE}.attribute.cloud.project.parent ;; + group_label: "Attribute Cloud Project" + group_item_label: "Parent" + } + + dimension: attribute__cloud__project__product_object_id { + type: string + sql: ${TABLE}.attribute.cloud.project.product_object_id ;; + group_label: "Attribute Cloud Project" + group_item_label: "Product Object ID" + } + + dimension: attribute__cloud__project__resource_subtype { + type: string + sql: ${TABLE}.attribute.cloud.project.resource_subtype ;; + group_label: "Attribute Cloud Project" + group_item_label: "Resource Subtype" + } + + dimension: attribute__cloud__project__resource_type { + type: number + sql: ${TABLE}.attribute.cloud.project.resource_type ;; + group_label: "Attribute Cloud Project" + group_item_label: "Resource Type" + } + + dimension: attribute__cloud__project__type { + type: string + sql: ${TABLE}.attribute.cloud.project.type ;; + group_label: "Attribute Cloud Project" + group_item_label: "Type" + } + + dimension: attribute__cloud__vpc__id { + type: string + sql: ${TABLE}.attribute.cloud.vpc.id ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "ID" + } + + dimension: attribute__cloud__vpc__name { + type: string + sql: 
${TABLE}.attribute.cloud.vpc.name ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "Name" + } + + dimension: attribute__cloud__vpc__parent { + type: string + sql: ${TABLE}.attribute.cloud.vpc.parent ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "Parent" + } + + dimension: attribute__cloud__vpc__product_object_id { + type: string + sql: ${TABLE}.attribute.cloud.vpc.product_object_id ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "Product Object ID" + } + + dimension: attribute__cloud__vpc__resource_subtype { + type: string + sql: ${TABLE}.attribute.cloud.vpc.resource_subtype ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "Resource Subtype" + } + + dimension: attribute__cloud__vpc__resource_type { + type: number + sql: ${TABLE}.attribute.cloud.vpc.resource_type ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "Resource Type" + } + + dimension: attribute__cloud__vpc__type { + type: string + sql: ${TABLE}.attribute.cloud.vpc.type ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "Type" + } + + dimension: attribute__creation_time__nanos { + type: number + sql: ${TABLE}.attribute.creation_time.nanos ;; + group_label: "Attribute Creation Time" + group_item_label: "Nanos" + } + + dimension: attribute__creation_time__seconds { + type: number + sql: ${TABLE}.attribute.creation_time.seconds ;; + group_label: "Attribute Creation Time" + group_item_label: "Seconds" + } + + dimension: attribute__labels { + hidden: yes + sql: ${TABLE}.attribute.labels ;; + group_label: "Attribute" + group_item_label: "Labels" + } + + dimension: attribute__last_update_time__nanos { + type: number + sql: ${TABLE}.attribute.last_update_time.nanos ;; + group_label: "Attribute Last Update Time" + group_item_label: "Nanos" + } + + dimension: attribute__last_update_time__seconds { + type: number + sql: ${TABLE}.attribute.last_update_time.seconds ;; + group_label: "Attribute Last Update Time" + group_item_label: "Seconds" + } + + 
dimension: attribute__permissions { + hidden: yes + sql: ${TABLE}.attribute.permissions ;; + group_label: "Attribute" + group_item_label: "Permissions" + } + + dimension: attribute__roles { + hidden: yes + sql: ${TABLE}.attribute.roles ;; + group_label: "Attribute" + group_item_label: "Roles" + } + + dimension: company_name { + type: string + sql: ${TABLE}.company_name ;; + } + + dimension: department { + hidden: yes + sql: ${TABLE}.department ;; + } + + dimension: email_addresses { + hidden: yes + sql: ${TABLE}.email_addresses ;; + } + + dimension: employee_id { + type: string + sql: ${TABLE}.employee_id ;; + } + + dimension: first_name { + type: string + sql: ${TABLE}.first_name ;; + } + + dimension: first_seen_time__nanos { + type: number + sql: ${TABLE}.first_seen_time.nanos ;; + group_label: "First Seen Time" + group_item_label: "Nanos" + } + + dimension: first_seen_time__seconds { + type: number + sql: ${TABLE}.first_seen_time.seconds ;; + group_label: "First Seen Time" + group_item_label: "Seconds" + } + + dimension: group_identifiers { + hidden: yes + sql: ${TABLE}.group_identifiers ;; + } + + dimension: groupid { + type: string + sql: ${TABLE}.groupid ;; + } + + dimension: hire_date__nanos { + type: number + sql: ${TABLE}.hire_date.nanos ;; + group_label: "Hire Date" + group_item_label: "Nanos" + } + + dimension: hire_date__seconds { + type: number + sql: ${TABLE}.hire_date.seconds ;; + group_label: "Hire Date" + group_item_label: "Seconds" + } + + dimension: last_name { + type: string + sql: ${TABLE}.last_name ;; + } + + dimension: middle_name { + type: string + sql: ${TABLE}.middle_name ;; + } + + dimension: office_address__city { + type: string + sql: ${TABLE}.office_address.city ;; + group_label: "Office Address" + group_item_label: "City" + } + + dimension: office_address__country_or_region { + type: string + sql: ${TABLE}.office_address.country_or_region ;; + group_label: "Office Address" + group_item_label: "Country or Region" + } + + dimension: 
office_address__desk_name { + type: string + sql: ${TABLE}.office_address.desk_name ;; + group_label: "Office Address" + group_item_label: "Desk Name" + } + + dimension: office_address__floor_name { + type: string + sql: ${TABLE}.office_address.floor_name ;; + group_label: "Office Address" + group_item_label: "Floor Name" + } + + dimension: office_address__name { + type: string + sql: ${TABLE}.office_address.name ;; + group_label: "Office Address" + group_item_label: "Name" + } + + dimension: office_address__region_latitude { + type: number + sql: ${TABLE}.office_address.region_latitude ;; + group_label: "Office Address" + group_item_label: "Region Latitude" + } + + dimension: office_address__region_longitude { + type: number + sql: ${TABLE}.office_address.region_longitude ;; + group_label: "Office Address" + group_item_label: "Region Longitude" + } + + dimension: office_address__state { + type: string + sql: ${TABLE}.office_address.state ;; + group_label: "Office Address" + group_item_label: "State" + } + + dimension: personal_address__city { + type: string + sql: ${TABLE}.personal_address.city ;; + group_label: "Personal Address" + group_item_label: "City" + } + + dimension: personal_address__country_or_region { + type: string + sql: ${TABLE}.personal_address.country_or_region ;; + group_label: "Personal Address" + group_item_label: "Country or Region" + } + + dimension: personal_address__desk_name { + type: string + sql: ${TABLE}.personal_address.desk_name ;; + group_label: "Personal Address" + group_item_label: "Desk Name" + } + + dimension: personal_address__floor_name { + type: string + sql: ${TABLE}.personal_address.floor_name ;; + group_label: "Personal Address" + group_item_label: "Floor Name" + } + + dimension: personal_address__name { + type: string + sql: ${TABLE}.personal_address.name ;; + group_label: "Personal Address" + group_item_label: "Name" + } + + dimension: personal_address__region_latitude { + type: number + sql: 
${TABLE}.personal_address.region_latitude ;; + group_label: "Personal Address" + group_item_label: "Region Latitude" + } + + dimension: personal_address__region_longitude { + type: number + sql: ${TABLE}.personal_address.region_longitude ;; + group_label: "Personal Address" + group_item_label: "Region Longitude" + } + + dimension: personal_address__state { + type: string + sql: ${TABLE}.personal_address.state ;; + group_label: "Personal Address" + group_item_label: "State" + } + + dimension: phone_numbers { + hidden: yes + sql: ${TABLE}.phone_numbers ;; + } + + dimension: product_object_id { + type: string + sql: ${TABLE}.product_object_id ;; + } + + dimension: role_description { + type: string + sql: ${TABLE}.role_description ;; + } + + dimension: role_name { + type: string + sql: ${TABLE}.role_name ;; + } + + dimension: termination_date__nanos { + type: number + sql: ${TABLE}.termination_date.nanos ;; + group_label: "Termination Date" + group_item_label: "Nanos" + } + + dimension: termination_date__seconds { + type: number + sql: ${TABLE}.termination_date.seconds ;; + group_label: "Termination Date" + group_item_label: "Seconds" + } + + dimension: time_off { + hidden: yes + sql: ${TABLE}.time_off ;; + } + + dimension: title { + type: string + sql: ${TABLE}.title ;; + } + + dimension: user_authentication_status { + type: number + sql: ${TABLE}.user_authentication_status ;; + } + + dimension: user_display_name { + type: string + sql: ${TABLE}.user_display_name ;; + } + + dimension: user_role { + type: number + sql: ${TABLE}.user_role ;; + } + + dimension: userid { + type: string + sql: ${TABLE}.userid ;; + } + + dimension: windows_sid { + type: string + sql: ${TABLE}.windows_sid ;; + } +} + +view: udm_events__intermediary__domain__tech__email_addresses { + dimension: udm_events__intermediary__domain__tech__email_addresses { + type: string + sql: udm_events__intermediary__domain__tech__email_addresses ;; + } +} + +view: 
udm_events__intermediary__domain__zone__email_addresses { + dimension: udm_events__intermediary__domain__zone__email_addresses { + type: string + sql: udm_events__intermediary__domain__zone__email_addresses ;; + } +} + +view: udm_events__principal__cloud__vpc__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__principal__cloud__vpc__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__principal__file__pe_file__imports__functions { + dimension: udm_events__principal__file__pe_file__imports__functions { + type: string + sql: udm_events__principal__file__pe_file__imports__functions ;; + } +} + +view: udm_events__principal__process__file__capabilities_tags { + dimension: udm_events__principal__process__file__capabilities_tags { + type: string + sql: udm_events__principal__process__file__capabilities_tags ;; + } +} + +view: udm_events__principal__domain__admin__group_identifiers { + dimension: udm_events__principal__domain__admin__group_identifiers { + type: string + sql: udm_events__principal__domain__admin__group_identifiers ;; + } +} + +view: udm_events__principal__domain__billing__email_addresses { + dimension: udm_events__principal__domain__billing__email_addresses { + type: string + sql: udm_events__principal__domain__billing__email_addresses ;; + } +} + +view: udm_events__observer__domain__registrant__phone_numbers { + dimension: udm_events__observer__domain__registrant__phone_numbers { + type: string + sql: udm_events__observer__domain__registrant__phone_numbers ;; + } +} + +view: udm_events__observer__asset__software__permissions { + dimension: description { + type: string + sql: 
${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__observer__user__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__src__cloud__vpc__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__src__process__file__pe_file__imports { + dimension: functions { + hidden: yes + sql: ${TABLE}.functions ;; + } + + dimension: library { + type: string + sql: ${TABLE}.library ;; + } +} + +view: udm_events__security_result__about__process__file__names { + dimension: udm_events__security_result__about__process__file__names { + type: string + sql: udm_events__security_result__about__process__file__names ;; + } +} + +view: udm_events__security_result__about__domain__name_server { + dimension: udm_events__security_result__about__domain__name_server { + type: string + sql: udm_events__security_result__about__domain__name_server ;; + } +} + +view: udm_events__security_result__about__asset__hardware { + dimension: cpu_clock_speed { + type: number + sql: ${TABLE}.cpu_clock_speed ;; + } + + dimension: cpu_max_clock_speed { + type: number + sql: ${TABLE}.cpu_max_clock_speed ;; + } + + dimension: cpu_model { + type: string + sql: ${TABLE}.cpu_model ;; + } + + dimension: cpu_number_cores { + type: number + sql: ${TABLE}.cpu_number_cores ;; + } + + dimension: cpu_platform { + type: string + sql: ${TABLE}.cpu_platform ;; + } + + dimension: manufacturer { + type: string + sql: ${TABLE}.manufacturer ;; + } + + dimension: model { + type: string + sql: ${TABLE}.model ;; 
+ } + + dimension: ram { + type: number + sql: ${TABLE}.ram ;; + } + + dimension: serial_number { + type: string + sql: ${TABLE}.serial_number ;; + } +} + +view: udm_events__security_result__about__user__phone_numbers { + dimension: udm_events__security_result__about__user__phone_numbers { + type: string + sql: udm_events__security_result__about__user__phone_numbers ;; + } +} + +view: udm_events__target__process__file__pe_file__section { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + } + + dimension: md5_hex { + type: string + sql: ${TABLE}.md5_hex ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: raw_size_bytes { + type: number + sql: ${TABLE}.raw_size_bytes ;; + } + + dimension: virtual_size_bytes { + type: number + sql: ${TABLE}.virtual_size_bytes ;; + } +} + +view: udm_events__target__domain__admin__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: udm_events__target__domain__admin__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: 
udm_events__target__domain__admin__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__target__domain__registrant__email_addresses { + dimension: udm_events__target__domain__registrant__email_addresses { + type: string + sql: udm_events__target__domain__registrant__email_addresses ;; + } +} + +view: udm_events__about__resource__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__about__user_management_chain__phone_numbers { + dimension: udm_events__about__user_management_chain__phone_numbers { + type: string + sql: udm_events__about__user_management_chain__phone_numbers ;; + } +} + +view: udm_events__about__domain__billing__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: udm_events__about__domain__billing__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + 
sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__about__domain__billing__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__about__domain__registrant__group_identifiers { + dimension: udm_events__about__domain__registrant__group_identifiers { + type: string + sql: udm_events__about__domain__registrant__group_identifiers ;; + } +} + +view: udm_events__intermediary__file__pe_file__imports { + dimension: functions { + hidden: yes + sql: ${TABLE}.functions ;; + } + + dimension: library { + type: string + sql: ${TABLE}.library ;; + } +} + +view: udm_events__intermediary__group__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__intermediary__group__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__intermediary__process__command_line_history { + dimension: udm_events__intermediary__process__command_line_history { + type: string + sql: udm_events__intermediary__process__command_line_history ;; + } +} + +view: udm_events__intermediary__process_ancestors__file__names { + dimension: udm_events__intermediary__process_ancestors__file__names { + type: string + sql: udm_events__intermediary__process_ancestors__file__names ;; + } +} + +view: udm_events__intermediary__domain__admin__email_addresses { + dimension: udm_events__intermediary__domain__admin__email_addresses { + type: string + sql: 
udm_events__intermediary__domain__admin__email_addresses ;; + } +} + +view: udm_events__intermediary__domain__billing__phone_numbers { + dimension: udm_events__intermediary__domain__billing__phone_numbers { + type: string + sql: udm_events__intermediary__domain__billing__phone_numbers ;; + } +} + +view: udm_events__intermediary__domain__registrant__department { + dimension: udm_events__intermediary__domain__registrant__department { + type: string + sql: udm_events__intermediary__domain__registrant__department ;; + } +} + +view: udm_events__principal__domain__registrant__phone_numbers { + dimension: udm_events__principal__domain__registrant__phone_numbers { + type: string + sql: udm_events__principal__domain__registrant__phone_numbers ;; + } +} + +view: udm_events__principal__asset__software__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__principal__user__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__observer__user_management_chain__department { + dimension: udm_events__observer__user_management_chain__department { + type: string + sql: udm_events__observer__user_management_chain__department ;; + } +} + +view: udm_events__observer__domain__tech__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: 
"Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: udm_events__observer__domain__tech__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__observer__domain__tech__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__observer__domain__billing__group_identifiers { + dimension: udm_events__observer__domain__billing__group_identifiers { + type: string + sql: udm_events__observer__domain__billing__group_identifiers ;; + } +} + +view: udm_events__observer__domain__zone__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: 
udm_events__observer__domain__zone__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__observer__domain__zone__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__observer__asset__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__src__file__pe_file__resources_type_count { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: value { + type: number + sql: ${TABLE}.value ;; + } +} + +view: udm_events__src__process__file__pe_file__resource { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + } + + dimension: file_type { + type: string + sql: ${TABLE}.file_type ;; + } + + dimension: filetype_magic { + type: string + sql: ${TABLE}.filetype_magic ;; + } + + dimension: language_code { + type: string + sql: ${TABLE}.language_code ;; + } + + dimension: resource_type { + type: string + sql: ${TABLE}.resource_type ;; + } + + dimension: sha256_hex { + type: string + sql: ${TABLE}.sha256_hex ;; + } +} + +view: udm_events__src__user_management_chain__email_addresses { + dimension: udm_events__src__user_management_chain__email_addresses { + type: string + sql: udm_events__src__user_management_chain__email_addresses ;; + } +} + +view: udm_events__security_result__about__asset__software { + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: permissions { + hidden: yes + sql: ${TABLE}.permissions ;; + } + + dimension: version { + type: 
string + sql: ${TABLE}.version ;; + } +} + +view: udm_events__target__cloud__project__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__target__cloud__project__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__target__file__pe_file__signature_info__signer { + dimension: udm_events__target__file__pe_file__signature_info__signer { + type: string + sql: udm_events__target__file__pe_file__signature_info__signer ;; + } +} + +view: udm_events__target__group__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__ip { + dimension: udm_events__extensions__vulns__vulnerabilities__about__ip { + type: string + sql: udm_events__extensions__vulns__vulnerabilities__about__ip ;; + } +} + +view: udm_events__about__cloud__vpc__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__about__process__file__pe_file__imports { + dimension: functions { + hidden: yes + sql: ${TABLE}.functions ;; + } + + dimension: library { + type: string + sql: ${TABLE}.library ;; + } +} + +view: udm_events__intermediary__file__pe_file__resource { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + } + + dimension: file_type { + type: string + sql: ${TABLE}.file_type ;; 
+ } + + dimension: filetype_magic { + type: string + sql: ${TABLE}.filetype_magic ;; + } + + dimension: language_code { + type: string + sql: ${TABLE}.language_code ;; + } + + dimension: resource_type { + type: string + sql: ${TABLE}.resource_type ;; + } + + dimension: sha256_hex { + type: string + sql: ${TABLE}.sha256_hex ;; + } +} + +view: udm_events__intermediary__resource__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__intermediary__resource__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__intermediary__domain__tech__group_identifiers { + dimension: udm_events__intermediary__domain__tech__group_identifiers { + type: string + sql: udm_events__intermediary__domain__tech__group_identifiers ;; + } +} + +view: udm_events__intermediary__domain__zone__group_identifiers { + dimension: udm_events__intermediary__domain__zone__group_identifiers { + type: string + sql: udm_events__intermediary__domain__zone__group_identifiers ;; + } +} + +view: udm_events__principal__user_management_chain__department { + dimension: udm_events__principal__user_management_chain__department { + type: string + sql: udm_events__principal__user_management_chain__department ;; + } +} + +view: udm_events__principal__domain__tech__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: 
"Interval End Time" + group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: udm_events__principal__domain__tech__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__principal__domain__tech__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__principal__domain__billing__group_identifiers { + dimension: udm_events__principal__domain__billing__group_identifiers { + type: string + sql: udm_events__principal__domain__billing__group_identifiers ;; + } +} + +view: udm_events__principal__domain__zone__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + 
group_item_label: "Seconds" + } +} + +view: udm_events__principal__domain__zone__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__principal__domain__zone__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__principal__asset__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__observer__process__file__pe_file__section { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + } + + dimension: md5_hex { + type: string + sql: ${TABLE}.md5_hex ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: raw_size_bytes { + type: number + sql: ${TABLE}.raw_size_bytes ;; + } + + dimension: virtual_size_bytes { + type: number + sql: ${TABLE}.virtual_size_bytes ;; + } +} + +view: udm_events__observer__domain__admin__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + dimension: 
interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: udm_events__observer__domain__admin__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__observer__domain__admin__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__observer__domain__registrant__email_addresses { + dimension: udm_events__observer__domain__registrant__email_addresses { + type: string + sql: udm_events__observer__domain__registrant__email_addresses ;; + } +} + +view: udm_events__src__process__file__pe_file__imports__functions { + dimension: udm_events__src__process__file__pe_file__imports__functions { + type: string + sql: udm_events__src__process__file__pe_file__imports__functions ;; + } +} + +view: udm_events__src__process_ancestors__command_line_history { + dimension: udm_events__src__process_ancestors__command_line_history { + type: string + sql: udm_events__src__process_ancestors__command_line_history ;; + } +} + +view: udm_events__src__domain__tech__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__src__domain__zone__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: 
udm_events__src__domain__registrant__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: udm_events__src__domain__registrant__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__src__domain__registrant__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__security_result__about__user__email_addresses { + dimension: udm_events__security_result__about__user__email_addresses { + type: string + sql: udm_events__security_result__about__user__email_addresses ;; + } +} + +view: udm_events__target__resource__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__target__user_management_chain__phone_numbers { + dimension: 
udm_events__target__user_management_chain__phone_numbers { + type: string + sql: udm_events__target__user_management_chain__phone_numbers ;; + } +} + +view: udm_events__target__domain__billing__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: udm_events__target__domain__billing__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__target__domain__billing__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__target__domain__registrant__group_identifiers { + dimension: udm_events__target__domain__registrant__group_identifiers { + type: string + sql: udm_events__target__domain__registrant__group_identifiers ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__mac { + dimension: udm_events__extensions__vulns__vulnerabilities__about__mac { + type: string + sql: udm_events__extensions__vulns__vulnerabilities__about__mac ;; + } +} + 
+view: udm_events__about__file__pe_file__resources_type_count { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: value { + type: number + sql: ${TABLE}.value ;; + } +} + +view: udm_events__about__process__file__pe_file__resource { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + } + + dimension: file_type { + type: string + sql: ${TABLE}.file_type ;; + } + + dimension: filetype_magic { + type: string + sql: ${TABLE}.filetype_magic ;; + } + + dimension: language_code { + type: string + sql: ${TABLE}.language_code ;; + } + + dimension: resource_type { + type: string + sql: ${TABLE}.resource_type ;; + } + + dimension: sha256_hex { + type: string + sql: ${TABLE}.sha256_hex ;; + } +} + +view: udm_events__about__user_management_chain__email_addresses { + dimension: udm_events__about__user_management_chain__email_addresses { + type: string + sql: udm_events__about__user_management_chain__email_addresses ;; + } +} + +view: udm_events__intermediary__cloud__vpc__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__intermediary__cloud__vpc__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__intermediary__file__pe_file__imports__functions { + dimension: udm_events__intermediary__file__pe_file__imports__functions { + type: string + sql: udm_events__intermediary__file__pe_file__imports__functions ;; + } +} + +view: udm_events__intermediary__process__file__capabilities_tags { + dimension: udm_events__intermediary__process__file__capabilities_tags { + type: string + sql: udm_events__intermediary__process__file__capabilities_tags ;; + } +} + +view: 
udm_events__intermediary__domain__admin__group_identifiers { + dimension: udm_events__intermediary__domain__admin__group_identifiers { + type: string + sql: udm_events__intermediary__domain__admin__group_identifiers ;; + } +} + +view: udm_events__intermediary__domain__billing__email_addresses { + dimension: udm_events__intermediary__domain__billing__email_addresses { + type: string + sql: udm_events__intermediary__domain__billing__email_addresses ;; + } +} + +view: udm_events__principal__process__file__pe_file__section { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + } + + dimension: md5_hex { + type: string + sql: ${TABLE}.md5_hex ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: raw_size_bytes { + type: number + sql: ${TABLE}.raw_size_bytes ;; + } + + dimension: virtual_size_bytes { + type: number + sql: ${TABLE}.virtual_size_bytes ;; + } +} + +view: udm_events__principal__domain__admin__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: udm_events__principal__domain__admin__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number 
+ sql: ${TABLE}.type ;; + } +} + +view: udm_events__principal__domain__admin__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__principal__domain__registrant__email_addresses { + dimension: udm_events__principal__domain__registrant__email_addresses { + type: string + sql: udm_events__principal__domain__registrant__email_addresses ;; + } +} + +view: udm_events__observer__cloud__project__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__observer__cloud__project__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__observer__file__pe_file__signature_info__signer { + dimension: udm_events__observer__file__pe_file__signature_info__signer { + type: string + sql: udm_events__observer__file__pe_file__signature_info__signer ;; + } +} + +view: udm_events__observer__group__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__src__resource_ancestors__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__src__resource_ancestors__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + 
dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__src__user_management_chain__group_identifiers { + dimension: udm_events__src__user_management_chain__group_identifiers { + type: string + sql: udm_events__src__user_management_chain__group_identifiers ;; + } +} + +view: udm_events__src__domain__admin__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__security_result__about__resource_ancestors { + drill_fields: [id] + + dimension: id { + primary_key: yes + type: string + sql: ${TABLE}.id ;; + } + + dimension: attribute__cloud__availability_zone { + type: string + sql: ${TABLE}.attribute.cloud.availability_zone ;; + group_label: "Attribute Cloud" + group_item_label: "Availability Zone" + } + + dimension: attribute__cloud__environment { + type: number + sql: ${TABLE}.attribute.cloud.environment ;; + group_label: "Attribute Cloud" + group_item_label: "Environment" + } + + dimension: attribute__creation_time__nanos { + type: number + sql: ${TABLE}.attribute.creation_time.nanos ;; + group_label: "Attribute Creation Time" + group_item_label: "Nanos" + } + + dimension: attribute__creation_time__seconds { + type: number + sql: ${TABLE}.attribute.creation_time.seconds ;; + group_label: "Attribute Creation Time" + group_item_label: "Seconds" + } + + dimension: attribute__labels { + hidden: yes + sql: ${TABLE}.attribute.labels ;; + group_label: "Attribute" + group_item_label: "Labels" + } + + dimension: attribute__last_update_time__nanos { + type: number + sql: ${TABLE}.attribute.last_update_time.nanos ;; + group_label: "Attribute Last Update Time" + group_item_label: "Nanos" + } + + dimension: attribute__last_update_time__seconds { + type: number + sql: 
${TABLE}.attribute.last_update_time.seconds ;; + group_label: "Attribute Last Update Time" + group_item_label: "Seconds" + } + + dimension: attribute__permissions { + hidden: yes + sql: ${TABLE}.attribute.permissions ;; + group_label: "Attribute" + group_item_label: "Permissions" + } + + dimension: attribute__roles { + hidden: yes + sql: ${TABLE}.attribute.roles ;; + group_label: "Attribute" + group_item_label: "Roles" + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: parent { + type: string + sql: ${TABLE}.parent ;; + } + + dimension: product_object_id { + type: string + sql: ${TABLE}.product_object_id ;; + } + + dimension: resource_subtype { + type: string + sql: ${TABLE}.resource_subtype ;; + } + + dimension: resource_type { + type: number + sql: ${TABLE}.resource_type ;; + } + + dimension: type { + type: string + sql: ${TABLE}.type ;; + } +} + +view: udm_events__security_result__about__process_ancestors { + dimension: access_mask { + type: number + sql: ${TABLE}.access_mask ;; + } + + dimension: command_line { + type: string + sql: ${TABLE}.command_line ;; + } + + dimension: command_line_history { + hidden: yes + sql: ${TABLE}.command_line_history ;; + } + + dimension: file__ahash { + type: string + sql: ${TABLE}.file.ahash ;; + group_label: "File" + group_item_label: "Ahash" + } + + dimension: file__authentihash { + type: string + sql: ${TABLE}.file.authentihash ;; + group_label: "File" + group_item_label: "Authentihash" + } + + dimension: file__capabilities_tags { + hidden: yes + sql: ${TABLE}.file.capabilities_tags ;; + group_label: "File" + group_item_label: "Capabilities Tags" + } + + dimension: file__file_metadata__pe__import_hash { + type: string + sql: ${TABLE}.file.file_metadata.pe.import_hash ;; + group_label: "File File Metadata Pe" + group_item_label: "Import Hash" + } + + dimension: file__file_type { + type: number + sql: ${TABLE}.file.file_type ;; + group_label: "File" + group_item_label: "File Type" + } + + 
dimension: file__first_seen_time__nanos { + type: number + sql: ${TABLE}.file.first_seen_time.nanos ;; + group_label: "File First Seen Time" + group_item_label: "Nanos" + } + + dimension: file__first_seen_time__seconds { + type: number + sql: ${TABLE}.file.first_seen_time.seconds ;; + group_label: "File First Seen Time" + group_item_label: "Seconds" + } + + dimension: file__full_path { + type: string + sql: ${TABLE}.file.full_path ;; + group_label: "File" + group_item_label: "Full Path" + } + + dimension: file__last_modification_time__nanos { + type: number + sql: ${TABLE}.file.last_modification_time.nanos ;; + group_label: "File Last Modification Time" + group_item_label: "Nanos" + } + + dimension: file__last_modification_time__seconds { + type: number + sql: ${TABLE}.file.last_modification_time.seconds ;; + group_label: "File Last Modification Time" + group_item_label: "Seconds" + } + + dimension: file__last_seen_time__nanos { + type: number + sql: ${TABLE}.file.last_seen_time.nanos ;; + group_label: "File Last Seen Time" + group_item_label: "Nanos" + } + + dimension: file__last_seen_time__seconds { + type: number + sql: ${TABLE}.file.last_seen_time.seconds ;; + group_label: "File Last Seen Time" + group_item_label: "Seconds" + } + + dimension: file__md5 { + type: string + sql: ${TABLE}.file.md5 ;; + group_label: "File" + group_item_label: "Md5" + } + + dimension: file__mime_type { + type: string + sql: ${TABLE}.file.mime_type ;; + group_label: "File" + group_item_label: "Mime Type" + } + + dimension: file__names { + hidden: yes + sql: ${TABLE}.file.names ;; + group_label: "File" + group_item_label: "Names" + } + + dimension: file__pe_file__compilation_exiftool_time__nanos { + type: number + sql: ${TABLE}.file.pe_file.compilation_exiftool_time.nanos ;; + group_label: "File Pe File Compilation Exiftool Time" + group_item_label: "Nanos" + } + + dimension: file__pe_file__compilation_exiftool_time__seconds { + type: number + sql: 
${TABLE}.file.pe_file.compilation_exiftool_time.seconds ;; + group_label: "File Pe File Compilation Exiftool Time" + group_item_label: "Seconds" + } + + dimension: file__pe_file__compilation_time__nanos { + type: number + sql: ${TABLE}.file.pe_file.compilation_time.nanos ;; + group_label: "File Pe File Compilation Time" + group_item_label: "Nanos" + } + + dimension: file__pe_file__compilation_time__seconds { + type: number + sql: ${TABLE}.file.pe_file.compilation_time.seconds ;; + group_label: "File Pe File Compilation Time" + group_item_label: "Seconds" + } + + dimension: file__pe_file__entry_point { + type: number + sql: ${TABLE}.file.pe_file.entry_point ;; + group_label: "File Pe File" + group_item_label: "Entry Point" + } + + dimension: file__pe_file__entry_point_exiftool { + type: number + sql: ${TABLE}.file.pe_file.entry_point_exiftool ;; + group_label: "File Pe File" + group_item_label: "Entry Point Exiftool" + } + + dimension: file__pe_file__imphash { + type: string + sql: ${TABLE}.file.pe_file.imphash ;; + group_label: "File Pe File" + group_item_label: "Imphash" + } + + dimension: file__pe_file__imports { + hidden: yes + sql: ${TABLE}.file.pe_file.imports ;; + group_label: "File Pe File" + group_item_label: "Imports" + } + + dimension: file__pe_file__resource { + hidden: yes + sql: ${TABLE}.file.pe_file.resource ;; + group_label: "File Pe File" + group_item_label: "Resource" + } + + dimension: file__pe_file__resources_language_count { + hidden: yes + sql: ${TABLE}.file.pe_file.resources_language_count ;; + group_label: "File Pe File" + group_item_label: "Resources Language Count" + } + + dimension: file__pe_file__resources_language_count_str { + hidden: yes + sql: ${TABLE}.file.pe_file.resources_language_count_str ;; + group_label: "File Pe File" + group_item_label: "Resources Language Count Str" + } + + dimension: file__pe_file__resources_type_count { + hidden: yes + sql: ${TABLE}.file.pe_file.resources_type_count ;; + group_label: "File Pe File" + 
group_item_label: "Resources Type Count" + } + + dimension: file__pe_file__resources_type_count_str { + hidden: yes + sql: ${TABLE}.file.pe_file.resources_type_count_str ;; + group_label: "File Pe File" + group_item_label: "Resources Type Count Str" + } + + dimension: file__pe_file__section { + hidden: yes + sql: ${TABLE}.file.pe_file.section ;; + group_label: "File Pe File" + group_item_label: "Section" + } + + dimension: file__pe_file__signature_info__signer { + hidden: yes + sql: ${TABLE}.file.pe_file.signature_info.signer ;; + group_label: "File Pe File Signature Info" + group_item_label: "Signer" + } + + dimension: file__pe_file__signature_info__signers { + hidden: yes + sql: ${TABLE}.file.pe_file.signature_info.signers ;; + group_label: "File Pe File Signature Info" + group_item_label: "Signers" + } + + dimension: file__pe_file__signature_info__verification_message { + type: string + sql: ${TABLE}.file.pe_file.signature_info.verification_message ;; + group_label: "File Pe File Signature Info" + group_item_label: "Verification Message" + } + + dimension: file__pe_file__signature_info__verified { + type: yesno + sql: ${TABLE}.file.pe_file.signature_info.verified ;; + group_label: "File Pe File Signature Info" + group_item_label: "Verified" + } + + dimension: file__prevalence__day_count { + type: number + sql: ${TABLE}.file.prevalence.day_count ;; + group_label: "File Prevalence" + group_item_label: "Day Count" + } + + dimension: file__prevalence__day_max { + type: number + sql: ${TABLE}.file.prevalence.day_max ;; + group_label: "File Prevalence" + group_item_label: "Day Max" + } + + dimension: file__prevalence__day_max_sub_domains { + type: number + sql: ${TABLE}.file.prevalence.day_max_sub_domains ;; + group_label: "File Prevalence" + group_item_label: "Day Max Sub Domains" + } + + dimension: file__prevalence__rolling_max { + type: number + sql: ${TABLE}.file.prevalence.rolling_max ;; + group_label: "File Prevalence" + group_item_label: "Rolling Max" + } + + 
dimension: file__prevalence__rolling_max_sub_domains { + type: number + sql: ${TABLE}.file.prevalence.rolling_max_sub_domains ;; + group_label: "File Prevalence" + group_item_label: "Rolling Max Sub Domains" + } + + dimension: file__sha1 { + type: string + sql: ${TABLE}.file.sha1 ;; + group_label: "File" + group_item_label: "Sha1" + } + + dimension: file__sha256 { + type: string + sql: ${TABLE}.file.sha256 ;; + group_label: "File" + group_item_label: "Sha256" + } + + dimension: file__size { + type: number + sql: ${TABLE}.file.size ;; + group_label: "File" + group_item_label: "Size" + } + + dimension: file__ssdeep { + type: string + sql: ${TABLE}.file.ssdeep ;; + group_label: "File" + group_item_label: "Ssdeep" + } + + dimension: file__vhash { + type: string + sql: ${TABLE}.file.vhash ;; + group_label: "File" + group_item_label: "Vhash" + } + + dimension: parent_pid { + type: string + sql: ${TABLE}.parent_pid ;; + } + + dimension: pid { + type: string + sql: ${TABLE}.pid ;; + } + + dimension: product_specific_parent_process_id { + type: string + sql: ${TABLE}.product_specific_parent_process_id ;; + } + + dimension: product_specific_process_id { + type: string + sql: ${TABLE}.product_specific_process_id ;; + } +} + +view: udm_events__target__cloud__vpc__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__target__process__file__pe_file__imports { + dimension: functions { + hidden: yes + sql: ${TABLE}.functions ;; + } + + dimension: library { + type: string + sql: ${TABLE}.library ;; + } +} + +view: udm_events__about__process__file__pe_file__imports__functions { + dimension: udm_events__about__process__file__pe_file__imports__functions { + type: string + sql: udm_events__about__process__file__pe_file__imports__functions ;; + } +} + +view: 
udm_events__about__process_ancestors__command_line_history { + dimension: udm_events__about__process_ancestors__command_line_history { + type: string + sql: udm_events__about__process_ancestors__command_line_history ;; + } +} + +view: udm_events__about__domain__tech__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__about__domain__zone__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__about__domain__registrant__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: udm_events__about__domain__registrant__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__about__domain__registrant__attribute__labels { + dimension: key { + type: 
string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__intermediary__domain__registrant__phone_numbers { + dimension: udm_events__intermediary__domain__registrant__phone_numbers { + type: string + sql: udm_events__intermediary__domain__registrant__phone_numbers ;; + } +} + +view: udm_events__intermediary__asset__software__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__intermediary__user__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__principal__cloud__project__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__principal__cloud__project__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__principal__file__pe_file__signature_info__signer { + dimension: udm_events__principal__file__pe_file__signature_info__signer { + type: string + sql: udm_events__principal__file__pe_file__signature_info__signer ;; + } +} + +view: udm_events__principal__group__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: 
${TABLE}.type ;; + } +} + +view: udm_events__observer__resource__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__observer__user_management_chain__phone_numbers { + dimension: udm_events__observer__user_management_chain__phone_numbers { + type: string + sql: udm_events__observer__user_management_chain__phone_numbers ;; + } +} + +view: udm_events__observer__domain__billing__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: udm_events__observer__domain__billing__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__observer__domain__billing__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__observer__domain__registrant__group_identifiers { + 
dimension: udm_events__observer__domain__registrant__group_identifiers { + type: string + sql: udm_events__observer__domain__registrant__group_identifiers ;; + } +} + +view: udm_events__src__cloud__project__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__src__file__pe_file__signature_info__signers { + dimension: name { + type: string + sql: ${TABLE}.name ;; + } +} + +view: udm_events__src__process_ancestors__file__capabilities_tags { + dimension: udm_events__src__process_ancestors__file__capabilities_tags { + type: string + sql: udm_events__src__process_ancestors__file__capabilities_tags ;; + } +} + +view: udm_events__security_result__about__file__capabilities_tags { + dimension: udm_events__security_result__about__file__capabilities_tags { + type: string + sql: udm_events__security_result__about__file__capabilities_tags ;; + } +} + +view: udm_events__security_result__about__domain__tech__department { + dimension: udm_events__security_result__about__domain__tech__department { + type: string + sql: udm_events__security_result__about__domain__tech__department ;; + } +} + +view: udm_events__security_result__about__domain__zone__department { + dimension: udm_events__security_result__about__domain__zone__department { + type: string + sql: udm_events__security_result__about__domain__zone__department ;; + } +} + +view: udm_events__security_result__about__investigation__comments { + dimension: udm_events__security_result__about__investigation__comments { + type: string + sql: udm_events__security_result__about__investigation__comments ;; + } +} + +view: udm_events__security_result__about__user__group_identifiers { + dimension: udm_events__security_result__about__user__group_identifiers { + type: string + sql: udm_events__security_result__about__user__group_identifiers 
;; + } +} + +view: udm_events__target__file__pe_file__resources_type_count { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: value { + type: number + sql: ${TABLE}.value ;; + } +} + +view: udm_events__target__process__file__pe_file__resource { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + } + + dimension: file_type { + type: string + sql: ${TABLE}.file_type ;; + } + + dimension: filetype_magic { + type: string + sql: ${TABLE}.filetype_magic ;; + } + + dimension: language_code { + type: string + sql: ${TABLE}.language_code ;; + } + + dimension: resource_type { + type: string + sql: ${TABLE}.resource_type ;; + } + + dimension: sha256_hex { + type: string + sql: ${TABLE}.sha256_hex ;; + } +} + +view: udm_events__target__user_management_chain__email_addresses { + dimension: udm_events__target__user_management_chain__email_addresses { + type: string + sql: udm_events__target__user_management_chain__email_addresses ;; + } +} + +view: udm_events__about__resource_ancestors__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__about__resource_ancestors__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__about__user_management_chain__group_identifiers { + dimension: udm_events__about__user_management_chain__group_identifiers { + type: string + sql: udm_events__about__user_management_chain__group_identifiers ;; + } +} + +view: udm_events__about__domain__admin__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + 
type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__intermediary__user_management_chain__department { + dimension: udm_events__intermediary__user_management_chain__department { + type: string + sql: udm_events__intermediary__user_management_chain__department ;; + } +} + +view: udm_events__intermediary__domain__tech__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: udm_events__intermediary__domain__tech__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__intermediary__domain__tech__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__intermediary__domain__billing__group_identifiers { + dimension: udm_events__intermediary__domain__billing__group_identifiers { + type: string + sql: udm_events__intermediary__domain__billing__group_identifiers ;; + } +} + +view: udm_events__intermediary__domain__zone__time_off { + dimension: description 
{ + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: udm_events__intermediary__domain__zone__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__intermediary__domain__zone__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__intermediary__asset__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__principal__resource__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__principal__user_management_chain__phone_numbers { + dimension: 
udm_events__principal__user_management_chain__phone_numbers { + type: string + sql: udm_events__principal__user_management_chain__phone_numbers ;; + } +} + +view: udm_events__principal__domain__billing__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: udm_events__principal__domain__billing__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__principal__domain__billing__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__principal__domain__registrant__group_identifiers { + dimension: udm_events__principal__domain__registrant__group_identifiers { + type: string + sql: udm_events__principal__domain__registrant__group_identifiers ;; + } +} + +view: udm_events__observer__cloud__vpc__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + 
dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__observer__process__file__pe_file__imports { + dimension: functions { + hidden: yes + sql: ${TABLE}.functions ;; + } + + dimension: library { + type: string + sql: ${TABLE}.library ;; + } +} + +view: udm_events__src__file__pe_file__resources_language_count { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: value { + type: number + sql: ${TABLE}.value ;; + } +} + +view: udm_events__src__file__pe_file__resources_type_count_str { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__src__domain__billing__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__security_result__about__group__email_addresses { + dimension: udm_events__security_result__about__group__email_addresses { + type: string + sql: udm_events__security_result__about__group__email_addresses ;; + } +} + +view: udm_events__security_result__about__domain__admin__department { + dimension: udm_events__security_result__about__domain__admin__department { + type: string + sql: udm_events__security_result__about__domain__admin__department ;; + } +} + +view: udm_events__target__process__file__pe_file__imports__functions { + dimension: udm_events__target__process__file__pe_file__imports__functions { + type: string + sql: udm_events__target__process__file__pe_file__imports__functions ;; + } +} + +view: udm_events__target__process_ancestors__command_line_history { + dimension: udm_events__target__process_ancestors__command_line_history { + type: string + sql: udm_events__target__process_ancestors__command_line_history ;; + } +} + +view: 
udm_events__target__domain__tech__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__target__domain__zone__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__target__domain__registrant__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: udm_events__target__domain__registrant__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__target__domain__registrant__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: 
udm_events__extensions__vulns__vulnerabilities__about__nat_ip { + dimension: udm_events__extensions__vulns__vulnerabilities__about__nat_ip { + type: string + sql: udm_events__extensions__vulns__vulnerabilities__about__nat_ip ;; + } +} + +view: udm_events__about__cloud__project__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__about__file__pe_file__signature_info__signers { + dimension: name { + type: string + sql: ${TABLE}.name ;; + } +} + +view: udm_events__about__process_ancestors__file__capabilities_tags { + dimension: udm_events__about__process_ancestors__file__capabilities_tags { + type: string + sql: udm_events__about__process_ancestors__file__capabilities_tags ;; + } +} + +view: udm_events__intermediary__process__file__pe_file__section { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + } + + dimension: md5_hex { + type: string + sql: ${TABLE}.md5_hex ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: raw_size_bytes { + type: number + sql: ${TABLE}.raw_size_bytes ;; + } + + dimension: virtual_size_bytes { + type: number + sql: ${TABLE}.virtual_size_bytes ;; + } +} + +view: udm_events__intermediary__domain__admin__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: 
"Nanos" + } + + dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: udm_events__intermediary__domain__admin__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__intermediary__domain__admin__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__intermediary__domain__registrant__email_addresses { + dimension: udm_events__intermediary__domain__registrant__email_addresses { + type: string + sql: udm_events__intermediary__domain__registrant__email_addresses ;; + } +} + +view: udm_events__principal__cloud__vpc__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__principal__process__file__pe_file__imports { + dimension: functions { + hidden: yes + sql: ${TABLE}.functions ;; + } + + dimension: library { + type: string + sql: ${TABLE}.library ;; + } +} + +view: udm_events__observer__file__pe_file__resources_type_count { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: value { + type: number + sql: ${TABLE}.value ;; + } +} + +view: udm_events__observer__process__file__pe_file__resource { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + } + + dimension: file_type { + type: string + sql: ${TABLE}.file_type ;; + } + + dimension: filetype_magic { + type: string + sql: ${TABLE}.filetype_magic ;; + } + + dimension: 
language_code { + type: string + sql: ${TABLE}.language_code ;; + } + + dimension: resource_type { + type: string + sql: ${TABLE}.resource_type ;; + } + + dimension: sha256_hex { + type: string + sql: ${TABLE}.sha256_hex ;; + } +} + +view: udm_events__observer__user_management_chain__email_addresses { + dimension: udm_events__observer__user_management_chain__email_addresses { + type: string + sql: udm_events__observer__user_management_chain__email_addresses ;; + } +} + +view: udm_events__src__process__file__pe_file__signature_info__signer { + dimension: udm_events__src__process__file__pe_file__signature_info__signer { + type: string + sql: udm_events__src__process__file__pe_file__signature_info__signer ;; + } +} + +view: udm_events__src__user_management_chain__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: udm_events__src__user_management_chain__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__src__user_management_chain__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + 
type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__target__resource_ancestors__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__target__resource_ancestors__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__target__user_management_chain__group_identifiers { + dimension: udm_events__target__user_management_chain__group_identifiers { + type: string + sql: udm_events__target__user_management_chain__group_identifiers ;; + } +} + +view: udm_events__target__domain__admin__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__about__file__pe_file__resources_language_count { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: value { + type: number + sql: ${TABLE}.value ;; + } +} + +view: udm_events__about__file__pe_file__resources_type_count_str { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__about__domain__billing__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__intermediary__cloud__project__attribute__roles 
{ + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__intermediary__cloud__project__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__intermediary__file__pe_file__signature_info__signer { + dimension: udm_events__intermediary__file__pe_file__signature_info__signer { + type: string + sql: udm_events__intermediary__file__pe_file__signature_info__signer ;; + } +} + +view: udm_events__intermediary__group__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__principal__file__pe_file__resources_type_count { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: value { + type: number + sql: ${TABLE}.value ;; + } +} + +view: udm_events__principal__process__file__pe_file__resource { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + } + + dimension: file_type { + type: string + sql: ${TABLE}.file_type ;; + } + + dimension: filetype_magic { + type: string + sql: ${TABLE}.filetype_magic ;; + } + + dimension: language_code { + type: string + sql: ${TABLE}.language_code ;; + } + + dimension: resource_type { + type: string + sql: ${TABLE}.resource_type ;; + } + + dimension: sha256_hex { + type: string + sql: ${TABLE}.sha256_hex ;; + } +} + +view: udm_events__principal__user_management_chain__email_addresses { + dimension: udm_events__principal__user_management_chain__email_addresses { + type: string + sql: udm_events__principal__user_management_chain__email_addresses ;; + } +} + 
+view: udm_events__observer__process__file__pe_file__imports__functions { + dimension: udm_events__observer__process__file__pe_file__imports__functions { + type: string + sql: udm_events__observer__process__file__pe_file__imports__functions ;; + } +} + +view: udm_events__observer__process_ancestors__command_line_history { + dimension: udm_events__observer__process_ancestors__command_line_history { + type: string + sql: udm_events__observer__process_ancestors__command_line_history ;; + } +} + +view: udm_events__observer__domain__tech__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__observer__domain__zone__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__observer__domain__registrant__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: udm_events__observer__domain__registrant__attribute__roles { + dimension: description { + 
type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__observer__domain__registrant__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__src__process_ancestors__file__pe_file__section { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + } + + dimension: md5_hex { + type: string + sql: ${TABLE}.md5_hex ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: raw_size_bytes { + type: number + sql: ${TABLE}.raw_size_bytes ;; + } + + dimension: virtual_size_bytes { + type: number + sql: ${TABLE}.virtual_size_bytes ;; + } +} + +view: udm_events__security_result__about__file__pe_file__section { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + } + + dimension: md5_hex { + type: string + sql: ${TABLE}.md5_hex ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: raw_size_bytes { + type: number + sql: ${TABLE}.raw_size_bytes ;; + } + + dimension: virtual_size_bytes { + type: number + sql: ${TABLE}.virtual_size_bytes ;; + } +} + +view: udm_events__security_result__about__domain__tech__phone_numbers { + dimension: udm_events__security_result__about__domain__tech__phone_numbers { + type: string + sql: udm_events__security_result__about__domain__tech__phone_numbers ;; + } +} + +view: udm_events__security_result__about__domain__billing__department { + dimension: udm_events__security_result__about__domain__billing__department { + type: string + sql: udm_events__security_result__about__domain__billing__department ;; + } +} + +view: udm_events__security_result__about__domain__zone__phone_numbers { + dimension: 
udm_events__security_result__about__domain__zone__phone_numbers { + type: string + sql: udm_events__security_result__about__domain__zone__phone_numbers ;; + } +} + +view: udm_events__security_result__about__user__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: udm_events__security_result__about__user__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__security_result__about__user__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__target__cloud__project__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__target__file__pe_file__signature_info__signers { + dimension: name { + type: string + sql: ${TABLE}.name ;; + } +} + +view: 
udm_events__target__process_ancestors__file__capabilities_tags { + dimension: udm_events__target__process_ancestors__file__capabilities_tags { + type: string + sql: udm_events__target__process_ancestors__file__capabilities_tags ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__asset__ip { + dimension: udm_events__extensions__vulns__vulnerabilities__about__asset__ip { + type: string + sql: udm_events__extensions__vulns__vulnerabilities__about__asset__ip ;; + } +} + +view: udm_events__about__process__file__pe_file__signature_info__signer { + dimension: udm_events__about__process__file__pe_file__signature_info__signer { + type: string + sql: udm_events__about__process__file__pe_file__signature_info__signer ;; + } +} + +view: udm_events__about__user_management_chain__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: udm_events__about__user_management_chain__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__about__user_management_chain__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key 
;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__intermediary__resource__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__intermediary__user_management_chain__phone_numbers { + dimension: udm_events__intermediary__user_management_chain__phone_numbers { + type: string + sql: udm_events__intermediary__user_management_chain__phone_numbers ;; + } +} + +view: udm_events__intermediary__domain__billing__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: udm_events__intermediary__domain__billing__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__intermediary__domain__billing__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; 
+ } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__intermediary__domain__registrant__group_identifiers { + dimension: udm_events__intermediary__domain__registrant__group_identifiers { + type: string + sql: udm_events__intermediary__domain__registrant__group_identifiers ;; + } +} + +view: udm_events__principal__process__file__pe_file__imports__functions { + dimension: udm_events__principal__process__file__pe_file__imports__functions { + type: string + sql: udm_events__principal__process__file__pe_file__imports__functions ;; + } +} + +view: udm_events__principal__process_ancestors__command_line_history { + dimension: udm_events__principal__process_ancestors__command_line_history { + type: string + sql: udm_events__principal__process_ancestors__command_line_history ;; + } +} + +view: udm_events__principal__domain__tech__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__principal__domain__zone__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__principal__domain__registrant__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: 
"Interval Start Time" + group_item_label: "Nanos" + } + + dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: udm_events__principal__domain__registrant__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__principal__domain__registrant__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__observer__resource_ancestors__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__observer__resource_ancestors__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__observer__user_management_chain__group_identifiers { + dimension: udm_events__observer__user_management_chain__group_identifiers { + type: string + sql: udm_events__observer__user_management_chain__group_identifiers ;; + } +} + +view: udm_events__observer__domain__admin__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__src__domain__registrant__attribute__permissions { + dimension: description { + type: string + sql: 
${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__security_result__about__domain__admin__phone_numbers { + dimension: udm_events__security_result__about__domain__admin__phone_numbers { + type: string + sql: udm_events__security_result__about__domain__admin__phone_numbers ;; + } +} + +view: udm_events__security_result__about__asset__vulnerabilities { + dimension: cve_description { + type: string + sql: ${TABLE}.cve_description ;; + } + + dimension: cve_id { + type: string + sql: ${TABLE}.cve_id ;; + } + + dimension: cvss_base_score { + type: number + sql: ${TABLE}.cvss_base_score ;; + } + + dimension: cvss_vector { + type: string + sql: ${TABLE}.cvss_vector ;; + } + + dimension: cvss_version { + type: string + sql: ${TABLE}.cvss_version ;; + } + + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: first_found__nanos { + type: number + sql: ${TABLE}.first_found.nanos ;; + group_label: "First Found" + group_item_label: "Nanos" + } + + dimension: first_found__seconds { + type: number + sql: ${TABLE}.first_found.seconds ;; + group_label: "First Found" + group_item_label: "Seconds" + } + + dimension: last_found__nanos { + type: number + sql: ${TABLE}.last_found.nanos ;; + group_label: "Last Found" + group_item_label: "Nanos" + } + + dimension: last_found__seconds { + type: number + sql: ${TABLE}.last_found.seconds ;; + group_label: "Last Found" + group_item_label: "Seconds" + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: scan_end_time__nanos { + type: number + sql: ${TABLE}.scan_end_time.nanos ;; + group_label: "Scan End Time" + group_item_label: "Nanos" + } + + dimension: scan_end_time__seconds { + type: number + sql: ${TABLE}.scan_end_time.seconds ;; + group_label: "Scan End Time" + group_item_label: "Seconds" + } + + dimension: scan_start_time__nanos { + type: 
number + sql: ${TABLE}.scan_start_time.nanos ;; + group_label: "Scan Start Time" + group_item_label: "Nanos" + } + + dimension: scan_start_time__seconds { + type: number + sql: ${TABLE}.scan_start_time.seconds ;; + group_label: "Scan Start Time" + group_item_label: "Seconds" + } + + dimension: severity { + type: number + sql: ${TABLE}.severity ;; + } + + dimension: severity_details { + type: string + sql: ${TABLE}.severity_details ;; + } + + dimension: vendor { + type: string + sql: ${TABLE}.vendor ;; + } + + dimension: vendor_knowledge_base_article_id { + type: string + sql: ${TABLE}.vendor_knowledge_base_article_id ;; + } + + dimension: vendor_vulnerability_id { + type: string + sql: ${TABLE}.vendor_vulnerability_id ;; + } +} + +view: udm_events__security_result__about__asset__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__security_result__about__asset__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__target__file__pe_file__resources_language_count { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: value { + type: number + sql: ${TABLE}.value ;; + } +} + +view: udm_events__target__file__pe_file__resources_type_count_str { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__target__domain__billing__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { 
+ type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__asset__mac { + dimension: udm_events__extensions__vulns__vulnerabilities__about__asset__mac { + type: string + sql: udm_events__extensions__vulns__vulnerabilities__about__asset__mac ;; + } +} + +view: udm_events__about__process_ancestors__file__pe_file__section { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + } + + dimension: md5_hex { + type: string + sql: ${TABLE}.md5_hex ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: raw_size_bytes { + type: number + sql: ${TABLE}.raw_size_bytes ;; + } + + dimension: virtual_size_bytes { + type: number + sql: ${TABLE}.virtual_size_bytes ;; + } +} + +view: udm_events__intermediary__cloud__vpc__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__intermediary__process__file__pe_file__imports { + dimension: functions { + hidden: yes + sql: ${TABLE}.functions ;; + } + + dimension: library { + type: string + sql: ${TABLE}.library ;; + } +} + +view: udm_events__principal__resource_ancestors__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__principal__resource_ancestors__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__principal__user_management_chain__group_identifiers { + dimension: udm_events__principal__user_management_chain__group_identifiers { + type: string + sql: 
udm_events__principal__user_management_chain__group_identifiers ;; + } +} + +view: udm_events__principal__domain__admin__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__observer__cloud__project__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__observer__file__pe_file__signature_info__signers { + dimension: name { + type: string + sql: ${TABLE}.name ;; + } +} + +view: udm_events__observer__process_ancestors__file__capabilities_tags { + dimension: udm_events__observer__process_ancestors__file__capabilities_tags { + type: string + sql: udm_events__observer__process_ancestors__file__capabilities_tags ;; + } +} + +view: udm_events__src__file__pe_file__resources_language_count_str { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__src__process__file__pe_file__resources_type_count { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: value { + type: number + sql: ${TABLE}.value ;; + } +} + +view: udm_events__src__resource_ancestors__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__security_result__about__user_management_chain { + dimension: account_type { + type: number + sql: ${TABLE}.account_type ;; + } + + dimension: attribute__cloud__availability_zone { + type: 
string + sql: ${TABLE}.attribute.cloud.availability_zone ;; + group_label: "Attribute Cloud" + group_item_label: "Availability Zone" + } + + dimension: attribute__cloud__environment { + type: number + sql: ${TABLE}.attribute.cloud.environment ;; + group_label: "Attribute Cloud" + group_item_label: "Environment" + } + + dimension: attribute__cloud__project__id { + type: string + sql: ${TABLE}.attribute.cloud.project.id ;; + group_label: "Attribute Cloud Project" + group_item_label: "ID" + } + + dimension: attribute__cloud__project__name { + type: string + sql: ${TABLE}.attribute.cloud.project.name ;; + group_label: "Attribute Cloud Project" + group_item_label: "Name" + } + + dimension: attribute__cloud__project__parent { + type: string + sql: ${TABLE}.attribute.cloud.project.parent ;; + group_label: "Attribute Cloud Project" + group_item_label: "Parent" + } + + dimension: attribute__cloud__project__product_object_id { + type: string + sql: ${TABLE}.attribute.cloud.project.product_object_id ;; + group_label: "Attribute Cloud Project" + group_item_label: "Product Object ID" + } + + dimension: attribute__cloud__project__resource_subtype { + type: string + sql: ${TABLE}.attribute.cloud.project.resource_subtype ;; + group_label: "Attribute Cloud Project" + group_item_label: "Resource Subtype" + } + + dimension: attribute__cloud__project__resource_type { + type: number + sql: ${TABLE}.attribute.cloud.project.resource_type ;; + group_label: "Attribute Cloud Project" + group_item_label: "Resource Type" + } + + dimension: attribute__cloud__project__type { + type: string + sql: ${TABLE}.attribute.cloud.project.type ;; + group_label: "Attribute Cloud Project" + group_item_label: "Type" + } + + dimension: attribute__cloud__vpc__id { + type: string + sql: ${TABLE}.attribute.cloud.vpc.id ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "ID" + } + + dimension: attribute__cloud__vpc__name { + type: string + sql: ${TABLE}.attribute.cloud.vpc.name ;; + group_label: 
"Attribute Cloud Vpc" + group_item_label: "Name" + } + + dimension: attribute__cloud__vpc__parent { + type: string + sql: ${TABLE}.attribute.cloud.vpc.parent ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "Parent" + } + + dimension: attribute__cloud__vpc__product_object_id { + type: string + sql: ${TABLE}.attribute.cloud.vpc.product_object_id ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "Product Object ID" + } + + dimension: attribute__cloud__vpc__resource_subtype { + type: string + sql: ${TABLE}.attribute.cloud.vpc.resource_subtype ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "Resource Subtype" + } + + dimension: attribute__cloud__vpc__resource_type { + type: number + sql: ${TABLE}.attribute.cloud.vpc.resource_type ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "Resource Type" + } + + dimension: attribute__cloud__vpc__type { + type: string + sql: ${TABLE}.attribute.cloud.vpc.type ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "Type" + } + + dimension: attribute__creation_time__nanos { + type: number + sql: ${TABLE}.attribute.creation_time.nanos ;; + group_label: "Attribute Creation Time" + group_item_label: "Nanos" + } + + dimension: attribute__creation_time__seconds { + type: number + sql: ${TABLE}.attribute.creation_time.seconds ;; + group_label: "Attribute Creation Time" + group_item_label: "Seconds" + } + + dimension: attribute__labels { + hidden: yes + sql: ${TABLE}.attribute.labels ;; + group_label: "Attribute" + group_item_label: "Labels" + } + + dimension: attribute__last_update_time__nanos { + type: number + sql: ${TABLE}.attribute.last_update_time.nanos ;; + group_label: "Attribute Last Update Time" + group_item_label: "Nanos" + } + + dimension: attribute__last_update_time__seconds { + type: number + sql: ${TABLE}.attribute.last_update_time.seconds ;; + group_label: "Attribute Last Update Time" + group_item_label: "Seconds" + } + + dimension: attribute__permissions { + hidden: yes + 
sql: ${TABLE}.attribute.permissions ;; + group_label: "Attribute" + group_item_label: "Permissions" + } + + dimension: attribute__roles { + hidden: yes + sql: ${TABLE}.attribute.roles ;; + group_label: "Attribute" + group_item_label: "Roles" + } + + dimension: company_name { + type: string + sql: ${TABLE}.company_name ;; + } + + dimension: department { + hidden: yes + sql: ${TABLE}.department ;; + } + + dimension: email_addresses { + hidden: yes + sql: ${TABLE}.email_addresses ;; + } + + dimension: employee_id { + type: string + sql: ${TABLE}.employee_id ;; + } + + dimension: first_name { + type: string + sql: ${TABLE}.first_name ;; + } + + dimension: first_seen_time__nanos { + type: number + sql: ${TABLE}.first_seen_time.nanos ;; + group_label: "First Seen Time" + group_item_label: "Nanos" + } + + dimension: first_seen_time__seconds { + type: number + sql: ${TABLE}.first_seen_time.seconds ;; + group_label: "First Seen Time" + group_item_label: "Seconds" + } + + dimension: group_identifiers { + hidden: yes + sql: ${TABLE}.group_identifiers ;; + } + + dimension: groupid { + type: string + sql: ${TABLE}.groupid ;; + } + + dimension: hire_date__nanos { + type: number + sql: ${TABLE}.hire_date.nanos ;; + group_label: "Hire Date" + group_item_label: "Nanos" + } + + dimension: hire_date__seconds { + type: number + sql: ${TABLE}.hire_date.seconds ;; + group_label: "Hire Date" + group_item_label: "Seconds" + } + + dimension: last_name { + type: string + sql: ${TABLE}.last_name ;; + } + + dimension: middle_name { + type: string + sql: ${TABLE}.middle_name ;; + } + + dimension: office_address__city { + type: string + sql: ${TABLE}.office_address.city ;; + group_label: "Office Address" + group_item_label: "City" + } + + dimension: office_address__country_or_region { + type: string + sql: ${TABLE}.office_address.country_or_region ;; + group_label: "Office Address" + group_item_label: "Country or Region" + } + + dimension: office_address__desk_name { + type: string + sql: 
${TABLE}.office_address.desk_name ;; + group_label: "Office Address" + group_item_label: "Desk Name" + } + + dimension: office_address__floor_name { + type: string + sql: ${TABLE}.office_address.floor_name ;; + group_label: "Office Address" + group_item_label: "Floor Name" + } + + dimension: office_address__name { + type: string + sql: ${TABLE}.office_address.name ;; + group_label: "Office Address" + group_item_label: "Name" + } + + dimension: office_address__region_latitude { + type: number + sql: ${TABLE}.office_address.region_latitude ;; + group_label: "Office Address" + group_item_label: "Region Latitude" + } + + dimension: office_address__region_longitude { + type: number + sql: ${TABLE}.office_address.region_longitude ;; + group_label: "Office Address" + group_item_label: "Region Longitude" + } + + dimension: office_address__state { + type: string + sql: ${TABLE}.office_address.state ;; + group_label: "Office Address" + group_item_label: "State" + } + + dimension: personal_address__city { + type: string + sql: ${TABLE}.personal_address.city ;; + group_label: "Personal Address" + group_item_label: "City" + } + + dimension: personal_address__country_or_region { + type: string + sql: ${TABLE}.personal_address.country_or_region ;; + group_label: "Personal Address" + group_item_label: "Country or Region" + } + + dimension: personal_address__desk_name { + type: string + sql: ${TABLE}.personal_address.desk_name ;; + group_label: "Personal Address" + group_item_label: "Desk Name" + } + + dimension: personal_address__floor_name { + type: string + sql: ${TABLE}.personal_address.floor_name ;; + group_label: "Personal Address" + group_item_label: "Floor Name" + } + + dimension: personal_address__name { + type: string + sql: ${TABLE}.personal_address.name ;; + group_label: "Personal Address" + group_item_label: "Name" + } + + dimension: personal_address__region_latitude { + type: number + sql: ${TABLE}.personal_address.region_latitude ;; + group_label: "Personal Address" 
+ group_item_label: "Region Latitude" + } + + dimension: personal_address__region_longitude { + type: number + sql: ${TABLE}.personal_address.region_longitude ;; + group_label: "Personal Address" + group_item_label: "Region Longitude" + } + + dimension: personal_address__state { + type: string + sql: ${TABLE}.personal_address.state ;; + group_label: "Personal Address" + group_item_label: "State" + } + + dimension: phone_numbers { + hidden: yes + sql: ${TABLE}.phone_numbers ;; + } + + dimension: product_object_id { + type: string + sql: ${TABLE}.product_object_id ;; + } + + dimension: role_description { + type: string + sql: ${TABLE}.role_description ;; + } + + dimension: role_name { + type: string + sql: ${TABLE}.role_name ;; + } + + dimension: termination_date__nanos { + type: number + sql: ${TABLE}.termination_date.nanos ;; + group_label: "Termination Date" + group_item_label: "Nanos" + } + + dimension: termination_date__seconds { + type: number + sql: ${TABLE}.termination_date.seconds ;; + group_label: "Termination Date" + group_item_label: "Seconds" + } + + dimension: time_off { + hidden: yes + sql: ${TABLE}.time_off ;; + } + + dimension: title { + type: string + sql: ${TABLE}.title ;; + } + + dimension: user_authentication_status { + type: number + sql: ${TABLE}.user_authentication_status ;; + } + + dimension: user_display_name { + type: string + sql: ${TABLE}.user_display_name ;; + } + + dimension: user_role { + type: number + sql: ${TABLE}.user_role ;; + } + + dimension: userid { + type: string + sql: ${TABLE}.userid ;; + } + + dimension: windows_sid { + type: string + sql: ${TABLE}.windows_sid ;; + } +} + +view: udm_events__security_result__about__domain__tech__email_addresses { + dimension: udm_events__security_result__about__domain__tech__email_addresses { + type: string + sql: udm_events__security_result__about__domain__tech__email_addresses ;; + } +} + +view: udm_events__security_result__about__domain__zone__email_addresses { + dimension: 
udm_events__security_result__about__domain__zone__email_addresses { + type: string + sql: udm_events__security_result__about__domain__zone__email_addresses ;; + } +} + +view: udm_events__target__process__file__pe_file__signature_info__signer { + dimension: udm_events__target__process__file__pe_file__signature_info__signer { + type: string + sql: udm_events__target__process__file__pe_file__signature_info__signer ;; + } +} + +view: udm_events__target__user_management_chain__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: udm_events__target__user_management_chain__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__target__user_management_chain__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__file__names { + dimension: udm_events__extensions__vulns__vulnerabilities__about__file__names { + type: string 
+ sql: udm_events__extensions__vulns__vulnerabilities__about__file__names ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__about__domain__registrant__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__intermediary__file__pe_file__resources_type_count { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: value { + type: number + sql: ${TABLE}.value ;; + } +} + +view: udm_events__intermediary__process__file__pe_file__resource { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + } + + dimension: file_type { + type: string + sql: ${TABLE}.file_type ;; + } + + dimension: filetype_magic { + type: string + sql: ${TABLE}.filetype_magic ;; + } + + dimension: language_code { + type: string + sql: ${TABLE}.language_code ;; + } + + dimension: resource_type { + type: string + sql: ${TABLE}.resource_type ;; + } + + dimension: sha256_hex { + type: string + sql: ${TABLE}.sha256_hex ;; + } +} + +view: udm_events__intermediary__user_management_chain__email_addresses { + dimension: udm_events__intermediary__user_management_chain__email_addresses { + type: string + sql: udm_events__intermediary__user_management_chain__email_addresses ;; + } +} + +view: udm_events__principal__cloud__project__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__principal__file__pe_file__signature_info__signers { + 
dimension: name { + type: string + sql: ${TABLE}.name ;; + } +} + +view: udm_events__principal__process_ancestors__file__capabilities_tags { + dimension: udm_events__principal__process_ancestors__file__capabilities_tags { + type: string + sql: udm_events__principal__process_ancestors__file__capabilities_tags ;; + } +} + +view: udm_events__observer__file__pe_file__resources_language_count { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: value { + type: number + sql: ${TABLE}.value ;; + } +} + +view: udm_events__observer__file__pe_file__resources_type_count_str { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__observer__domain__billing__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__src__process_ancestors__file__pe_file__imports { + dimension: functions { + hidden: yes + sql: ${TABLE}.functions ;; + } + + dimension: library { + type: string + sql: ${TABLE}.library ;; + } +} + +view: udm_events__security_result__about__file__pe_file__imports { + dimension: functions { + hidden: yes + sql: ${TABLE}.functions ;; + } + + dimension: library { + type: string + sql: ${TABLE}.library ;; + } +} + +view: udm_events__security_result__about__group__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__security_result__about__group__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + 
dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__security_result__about__process__command_line_history { + dimension: udm_events__security_result__about__process__command_line_history { + type: string + sql: udm_events__security_result__about__process__command_line_history ;; + } +} + +view: udm_events__security_result__about__process_ancestors__file__names { + dimension: udm_events__security_result__about__process_ancestors__file__names { + type: string + sql: udm_events__security_result__about__process_ancestors__file__names ;; + } +} + +view: udm_events__security_result__about__domain__admin__email_addresses { + dimension: udm_events__security_result__about__domain__admin__email_addresses { + type: string + sql: udm_events__security_result__about__domain__admin__email_addresses ;; + } +} + +view: udm_events__security_result__about__domain__billing__phone_numbers { + dimension: udm_events__security_result__about__domain__billing__phone_numbers { + type: string + sql: udm_events__security_result__about__domain__billing__phone_numbers ;; + } +} + +view: udm_events__security_result__about__domain__registrant__department { + dimension: udm_events__security_result__about__domain__registrant__department { + type: string + sql: udm_events__security_result__about__domain__registrant__department ;; + } +} + +view: udm_events__target__process_ancestors__file__pe_file__section { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + } + + dimension: md5_hex { + type: string + sql: ${TABLE}.md5_hex ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: raw_size_bytes { + type: number + sql: ${TABLE}.raw_size_bytes ;; + } + + dimension: virtual_size_bytes { + type: number + sql: ${TABLE}.virtual_size_bytes ;; + } +} + +view: udm_events__about__file__pe_file__resources_language_count_str { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: 
${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__about__process__file__pe_file__resources_type_count { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: value { + type: number + sql: ${TABLE}.value ;; + } +} + +view: udm_events__about__resource_ancestors__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__intermediary__process__file__pe_file__imports__functions { + dimension: udm_events__intermediary__process__file__pe_file__imports__functions { + type: string + sql: udm_events__intermediary__process__file__pe_file__imports__functions ;; + } +} + +view: udm_events__intermediary__process_ancestors__command_line_history { + dimension: udm_events__intermediary__process_ancestors__command_line_history { + type: string + sql: udm_events__intermediary__process_ancestors__command_line_history ;; + } +} + +view: udm_events__intermediary__domain__tech__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__intermediary__domain__zone__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__intermediary__domain__registrant__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: 
interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: udm_events__intermediary__domain__registrant__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__intermediary__domain__registrant__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__principal__file__pe_file__resources_language_count { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: value { + type: number + sql: ${TABLE}.value ;; + } +} + +view: udm_events__principal__file__pe_file__resources_type_count_str { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__principal__domain__billing__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__observer__process__file__pe_file__signature_info__signer { + dimension: 
udm_events__observer__process__file__pe_file__signature_info__signer { + type: string + sql: udm_events__observer__process__file__pe_file__signature_info__signer ;; + } +} + +view: udm_events__observer__user_management_chain__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: udm_events__observer__user_management_chain__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__observer__user_management_chain__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__src__process_ancestors__file__pe_file__resource { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + } + + dimension: file_type { + type: string + sql: ${TABLE}.file_type ;; + } + + dimension: filetype_magic { + type: string + sql: ${TABLE}.filetype_magic ;; + } + + dimension: language_code { + type: string + sql: ${TABLE}.language_code ;; + } + + dimension: resource_type { + type: 
string + sql: ${TABLE}.resource_type ;; + } + + dimension: sha256_hex { + type: string + sql: ${TABLE}.sha256_hex ;; + } +} + +view: udm_events__security_result__about__file__pe_file__resource { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + } + + dimension: file_type { + type: string + sql: ${TABLE}.file_type ;; + } + + dimension: filetype_magic { + type: string + sql: ${TABLE}.filetype_magic ;; + } + + dimension: language_code { + type: string + sql: ${TABLE}.language_code ;; + } + + dimension: resource_type { + type: string + sql: ${TABLE}.resource_type ;; + } + + dimension: sha256_hex { + type: string + sql: ${TABLE}.sha256_hex ;; + } +} + +view: udm_events__security_result__about__resource__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__security_result__about__resource__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__security_result__about__domain__tech__group_identifiers { + dimension: udm_events__security_result__about__domain__tech__group_identifiers { + type: string + sql: udm_events__security_result__about__domain__tech__group_identifiers ;; + } +} + +view: udm_events__security_result__about__domain__zone__group_identifiers { + dimension: udm_events__security_result__about__domain__zone__group_identifiers { + type: string + sql: udm_events__security_result__about__domain__zone__group_identifiers ;; + } +} + +view: udm_events__target__domain__registrant__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: 
number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__asset__nat_ip { + dimension: udm_events__extensions__vulns__vulnerabilities__about__asset__nat_ip { + type: string + sql: udm_events__extensions__vulns__vulnerabilities__about__asset__nat_ip ;; + } +} + +view: udm_events__about__process_ancestors__file__pe_file__imports { + dimension: functions { + hidden: yes + sql: ${TABLE}.functions ;; + } + + dimension: library { + type: string + sql: ${TABLE}.library ;; + } +} + +view: udm_events__intermediary__resource_ancestors__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__intermediary__resource_ancestors__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__intermediary__user_management_chain__group_identifiers { + dimension: udm_events__intermediary__user_management_chain__group_identifiers { + type: string + sql: udm_events__intermediary__user_management_chain__group_identifiers ;; + } +} + +view: udm_events__intermediary__domain__admin__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__principal__process__file__pe_file__signature_info__signer { + dimension: udm_events__principal__process__file__pe_file__signature_info__signer { + type: string + sql: udm_events__principal__process__file__pe_file__signature_info__signer ;; + } +} + +view: udm_events__principal__user_management_chain__time_off { + dimension: description { + type: string 
+ sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: udm_events__principal__user_management_chain__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__principal__user_management_chain__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__observer__process_ancestors__file__pe_file__section { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + } + + dimension: md5_hex { + type: string + sql: ${TABLE}.md5_hex ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: raw_size_bytes { + type: number + sql: ${TABLE}.raw_size_bytes ;; + } + + dimension: virtual_size_bytes { + type: number + sql: ${TABLE}.virtual_size_bytes ;; + } +} + +view: udm_events__src__process__file__pe_file__signature_info__signers { + dimension: name { + type: string + sql: ${TABLE}.name ;; + } +} + +view: udm_events__src__user_management_chain__attribute__permissions { + dimension: 
description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__src__process_ancestors__file__pe_file__imports__functions { + dimension: udm_events__src__process_ancestors__file__pe_file__imports__functions { + type: string + sql: udm_events__src__process_ancestors__file__pe_file__imports__functions ;; + } +} + +view: udm_events__security_result__about__cloud__vpc__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__security_result__about__cloud__vpc__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__security_result__about__file__pe_file__imports__functions { + dimension: udm_events__security_result__about__file__pe_file__imports__functions { + type: string + sql: udm_events__security_result__about__file__pe_file__imports__functions ;; + } +} + +view: udm_events__security_result__about__process__file__capabilities_tags { + dimension: udm_events__security_result__about__process__file__capabilities_tags { + type: string + sql: udm_events__security_result__about__process__file__capabilities_tags ;; + } +} + +view: udm_events__security_result__about__domain__admin__group_identifiers { + dimension: udm_events__security_result__about__domain__admin__group_identifiers { + type: string + sql: udm_events__security_result__about__domain__admin__group_identifiers ;; + } +} + +view: udm_events__security_result__about__domain__billing__email_addresses { + dimension: udm_events__security_result__about__domain__billing__email_addresses { + type: 
string + sql: udm_events__security_result__about__domain__billing__email_addresses ;; + } +} + +view: udm_events__target__file__pe_file__resources_language_count_str { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__target__process__file__pe_file__resources_type_count { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: value { + type: number + sql: ${TABLE}.value ;; + } +} + +view: udm_events__target__resource_ancestors__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__about__process_ancestors__file__pe_file__resource { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + } + + dimension: file_type { + type: string + sql: ${TABLE}.file_type ;; + } + + dimension: filetype_magic { + type: string + sql: ${TABLE}.filetype_magic ;; + } + + dimension: language_code { + type: string + sql: ${TABLE}.language_code ;; + } + + dimension: resource_type { + type: string + sql: ${TABLE}.resource_type ;; + } + + dimension: sha256_hex { + type: string + sql: ${TABLE}.sha256_hex ;; + } +} + +view: udm_events__intermediary__cloud__project__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__intermediary__file__pe_file__signature_info__signers { + dimension: name { + type: string + sql: ${TABLE}.name ;; + } +} + +view: udm_events__intermediary__process_ancestors__file__capabilities_tags { + dimension: udm_events__intermediary__process_ancestors__file__capabilities_tags { 
+ type: string + sql: udm_events__intermediary__process_ancestors__file__capabilities_tags ;; + } +} + +view: udm_events__principal__process_ancestors__file__pe_file__section { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + } + + dimension: md5_hex { + type: string + sql: ${TABLE}.md5_hex ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: raw_size_bytes { + type: number + sql: ${TABLE}.raw_size_bytes ;; + } + + dimension: virtual_size_bytes { + type: number + sql: ${TABLE}.virtual_size_bytes ;; + } +} + +view: udm_events__observer__domain__registrant__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__src__process__file__pe_file__resources_language_count { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: value { + type: number + sql: ${TABLE}.value ;; + } +} + +view: udm_events__src__process__file__pe_file__resources_type_count_str { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__security_result__about__domain__registrant__phone_numbers { + dimension: udm_events__security_result__about__domain__registrant__phone_numbers { + type: string + sql: udm_events__security_result__about__domain__registrant__phone_numbers ;; + } +} + +view: udm_events__security_result__about__asset__software__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__security_result__about__user__attribute__permissions { + dimension: description { + type: 
string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__target__process_ancestors__file__pe_file__imports { + dimension: functions { + hidden: yes + sql: ${TABLE}.functions ;; + } + + dimension: library { + type: string + sql: ${TABLE}.library ;; + } +} + +view: udm_events__about__process__file__pe_file__signature_info__signers { + dimension: name { + type: string + sql: ${TABLE}.name ;; + } +} + +view: udm_events__about__user_management_chain__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__about__process_ancestors__file__pe_file__imports__functions { + dimension: udm_events__about__process_ancestors__file__pe_file__imports__functions { + type: string + sql: udm_events__about__process_ancestors__file__pe_file__imports__functions ;; + } +} + +view: udm_events__intermediary__file__pe_file__resources_language_count { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: value { + type: number + sql: ${TABLE}.value ;; + } +} + +view: udm_events__intermediary__file__pe_file__resources_type_count_str { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__intermediary__domain__billing__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__principal__domain__registrant__attribute__permissions { + dimension: description { + type: string + sql: 
${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__observer__file__pe_file__resources_language_count_str { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__observer__process__file__pe_file__resources_type_count { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: value { + type: number + sql: ${TABLE}.value ;; + } +} + +view: udm_events__observer__resource_ancestors__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__security_result__about__user_management_chain__department { + dimension: udm_events__security_result__about__user_management_chain__department { + type: string + sql: udm_events__security_result__about__user_management_chain__department ;; + } +} + +view: udm_events__security_result__about__domain__tech__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: 
"Interval Start Time" + group_item_label: "Seconds" + } +} + +view: udm_events__security_result__about__domain__tech__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__security_result__about__domain__tech__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__security_result__about__domain__billing__group_identifiers { + dimension: udm_events__security_result__about__domain__billing__group_identifiers { + type: string + sql: udm_events__security_result__about__domain__billing__group_identifiers ;; + } +} + +view: udm_events__security_result__about__domain__zone__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: udm_events__security_result__about__domain__zone__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + 
type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__security_result__about__domain__zone__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__security_result__about__asset__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__target__process_ancestors__file__pe_file__resource { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + } + + dimension: file_type { + type: string + sql: ${TABLE}.file_type ;; + } + + dimension: filetype_magic { + type: string + sql: ${TABLE}.filetype_magic ;; + } + + dimension: language_code { + type: string + sql: ${TABLE}.language_code ;; + } + + dimension: resource_type { + type: string + sql: ${TABLE}.resource_type ;; + } + + dimension: sha256_hex { + type: string + sql: ${TABLE}.sha256_hex ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__user__department { + dimension: udm_events__extensions__vulns__vulnerabilities__about__user__department { + type: string + sql: udm_events__extensions__vulns__vulnerabilities__about__user__department ;; + } +} + +view: udm_events__about__process__file__pe_file__resources_language_count { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: value { + type: number + sql: ${TABLE}.value ;; + } +} + +view: udm_events__about__process__file__pe_file__resources_type_count_str { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: 
udm_events__intermediary__process__file__pe_file__signature_info__signer { + dimension: udm_events__intermediary__process__file__pe_file__signature_info__signer { + type: string + sql: udm_events__intermediary__process__file__pe_file__signature_info__signer ;; + } +} + +view: udm_events__intermediary__user_management_chain__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: udm_events__intermediary__user_management_chain__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__intermediary__user_management_chain__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__principal__file__pe_file__resources_language_count_str { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: 
udm_events__principal__process__file__pe_file__resources_type_count { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: value { + type: number + sql: ${TABLE}.value ;; + } +} + +view: udm_events__principal__resource_ancestors__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__observer__process_ancestors__file__pe_file__imports { + dimension: functions { + hidden: yes + sql: ${TABLE}.functions ;; + } + + dimension: library { + type: string + sql: ${TABLE}.library ;; + } +} + +view: udm_events__security_result__about__process__file__pe_file__section { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + } + + dimension: md5_hex { + type: string + sql: ${TABLE}.md5_hex ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: raw_size_bytes { + type: number + sql: ${TABLE}.raw_size_bytes ;; + } + + dimension: virtual_size_bytes { + type: number + sql: ${TABLE}.virtual_size_bytes ;; + } +} + +view: udm_events__security_result__about__domain__admin__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + 
group_item_label: "Seconds" + } +} + +view: udm_events__security_result__about__domain__admin__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__security_result__about__domain__admin__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__security_result__about__domain__registrant__email_addresses { + dimension: udm_events__security_result__about__domain__registrant__email_addresses { + type: string + sql: udm_events__security_result__about__domain__registrant__email_addresses ;; + } +} + +view: udm_events__target__process__file__pe_file__signature_info__signers { + dimension: name { + type: string + sql: ${TABLE}.name ;; + } +} + +view: udm_events__target__user_management_chain__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__target__process_ancestors__file__pe_file__imports__functions { + dimension: udm_events__target__process_ancestors__file__pe_file__imports__functions { + type: string + sql: udm_events__target__process_ancestors__file__pe_file__imports__functions ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__ip_location { + dimension: city { + type: string + sql: ${TABLE}.city ;; + } + + dimension: country_or_region { + type: string + sql: ${TABLE}.country_or_region ;; + } + + dimension: desk_name { + type: string + sql: ${TABLE}.desk_name ;; + } + + dimension: floor_name { + type: string + sql: ${TABLE}.floor_name ;; + } + + dimension: name { + 
type: string + sql: ${TABLE}.name ;; + } + + dimension: region_latitude { + type: number + sql: ${TABLE}.region_latitude ;; + } + + dimension: region_longitude { + type: number + sql: ${TABLE}.region_longitude ;; + } + + dimension: state { + type: string + sql: ${TABLE}.state ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__asset__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__intermediary__process_ancestors__file__pe_file__section { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + } + + dimension: md5_hex { + type: string + sql: ${TABLE}.md5_hex ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: raw_size_bytes { + type: number + sql: ${TABLE}.raw_size_bytes ;; + } + + dimension: virtual_size_bytes { + type: number + sql: ${TABLE}.virtual_size_bytes ;; + } +} + +view: udm_events__principal__process_ancestors__file__pe_file__imports { + dimension: functions { + hidden: yes + sql: ${TABLE}.functions ;; + } + + dimension: library { + type: string + sql: ${TABLE}.library ;; + } +} + +view: udm_events__observer__process_ancestors__file__pe_file__resource { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + } + + dimension: file_type { + type: string + sql: ${TABLE}.file_type ;; + } + + dimension: filetype_magic { + type: string + sql: ${TABLE}.filetype_magic ;; + } + + dimension: language_code { + type: string + sql: ${TABLE}.language_code ;; + } + + dimension: resource_type { + type: string + sql: ${TABLE}.resource_type ;; + } + + dimension: sha256_hex { + type: string + sql: ${TABLE}.sha256_hex ;; + } +} + +view: udm_events__src__process_ancestors__file__pe_file__signature_info__signer { + dimension: udm_events__src__process_ancestors__file__pe_file__signature_info__signer { + type: string + 
sql: udm_events__src__process_ancestors__file__pe_file__signature_info__signer ;; + } +} + +view: udm_events__security_result__about__cloud__project__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__security_result__about__cloud__project__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__security_result__about__file__pe_file__signature_info__signer { + dimension: udm_events__security_result__about__file__pe_file__signature_info__signer { + type: string + sql: udm_events__security_result__about__file__pe_file__signature_info__signer ;; + } +} + +view: udm_events__security_result__about__group__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__target__process__file__pe_file__resources_language_count { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: value { + type: number + sql: ${TABLE}.value ;; + } +} + +view: udm_events__target__process__file__pe_file__resources_type_count_str { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__intermediary__domain__registrant__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type 
;; + } +} + +view: udm_events__principal__process_ancestors__file__pe_file__resource { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + } + + dimension: file_type { + type: string + sql: ${TABLE}.file_type ;; + } + + dimension: filetype_magic { + type: string + sql: ${TABLE}.filetype_magic ;; + } + + dimension: language_code { + type: string + sql: ${TABLE}.language_code ;; + } + + dimension: resource_type { + type: string + sql: ${TABLE}.resource_type ;; + } + + dimension: sha256_hex { + type: string + sql: ${TABLE}.sha256_hex ;; + } +} + +view: udm_events__observer__process__file__pe_file__signature_info__signers { + dimension: name { + type: string + sql: ${TABLE}.name ;; + } +} + +view: udm_events__observer__user_management_chain__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__observer__process_ancestors__file__pe_file__imports__functions { + dimension: udm_events__observer__process_ancestors__file__pe_file__imports__functions { + type: string + sql: udm_events__observer__process_ancestors__file__pe_file__imports__functions ;; + } +} + +view: udm_events__src__process__file__pe_file__resources_language_count_str { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__security_result__about__resource__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__security_result__about__user_management_chain__phone_numbers { + dimension: 
udm_events__security_result__about__user_management_chain__phone_numbers { + type: string + sql: udm_events__security_result__about__user_management_chain__phone_numbers ;; + } +} + +view: udm_events__security_result__about__domain__billing__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: udm_events__security_result__about__domain__billing__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__security_result__about__domain__billing__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__security_result__about__domain__registrant__group_identifiers { + dimension: udm_events__security_result__about__domain__registrant__group_identifiers { + type: string + sql: udm_events__security_result__about__domain__registrant__group_identifiers ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__process__file__names { + dimension: 
udm_events__extensions__vulns__vulnerabilities__about__process__file__names { + type: string + sql: udm_events__extensions__vulns__vulnerabilities__about__process__file__names ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__domain__name_server { + dimension: udm_events__extensions__vulns__vulnerabilities__about__domain__name_server { + type: string + sql: udm_events__extensions__vulns__vulnerabilities__about__domain__name_server ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__asset__hardware { + dimension: cpu_clock_speed { + type: number + sql: ${TABLE}.cpu_clock_speed ;; + } + + dimension: cpu_max_clock_speed { + type: number + sql: ${TABLE}.cpu_max_clock_speed ;; + } + + dimension: cpu_model { + type: string + sql: ${TABLE}.cpu_model ;; + } + + dimension: cpu_number_cores { + type: number + sql: ${TABLE}.cpu_number_cores ;; + } + + dimension: cpu_platform { + type: string + sql: ${TABLE}.cpu_platform ;; + } + + dimension: manufacturer { + type: string + sql: ${TABLE}.manufacturer ;; + } + + dimension: model { + type: string + sql: ${TABLE}.model ;; + } + + dimension: ram { + type: number + sql: ${TABLE}.ram ;; + } + + dimension: serial_number { + type: string + sql: ${TABLE}.serial_number ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__user__phone_numbers { + dimension: udm_events__extensions__vulns__vulnerabilities__about__user__phone_numbers { + type: string + sql: udm_events__extensions__vulns__vulnerabilities__about__user__phone_numbers ;; + } +} + +view: udm_events__about__process_ancestors__file__pe_file__signature_info__signer { + dimension: udm_events__about__process_ancestors__file__pe_file__signature_info__signer { + type: string + sql: udm_events__about__process_ancestors__file__pe_file__signature_info__signer ;; + } +} + +view: udm_events__intermediary__file__pe_file__resources_language_count_str { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: 
source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__intermediary__process__file__pe_file__resources_type_count { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: value { + type: number + sql: ${TABLE}.value ;; + } +} + +view: udm_events__intermediary__resource_ancestors__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__principal__process__file__pe_file__signature_info__signers { + dimension: name { + type: string + sql: ${TABLE}.name ;; + } +} + +view: udm_events__principal__user_management_chain__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__principal__process_ancestors__file__pe_file__imports__functions { + dimension: udm_events__principal__process_ancestors__file__pe_file__imports__functions { + type: string + sql: udm_events__principal__process_ancestors__file__pe_file__imports__functions ;; + } +} + +view: udm_events__observer__process__file__pe_file__resources_language_count { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: value { + type: number + sql: ${TABLE}.value ;; + } +} + +view: udm_events__observer__process__file__pe_file__resources_type_count_str { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__security_result__about__cloud__vpc__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description 
;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__security_result__about__process__file__pe_file__imports { + dimension: functions { + hidden: yes + sql: ${TABLE}.functions ;; + } + + dimension: library { + type: string + sql: ${TABLE}.library ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__asset__software { + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: permissions { + hidden: yes + sql: ${TABLE}.permissions ;; + } + + dimension: version { + type: string + sql: ${TABLE}.version ;; + } +} + +view: udm_events__about__process__file__pe_file__resources_language_count_str { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__intermediary__process_ancestors__file__pe_file__imports { + dimension: functions { + hidden: yes + sql: ${TABLE}.functions ;; + } + + dimension: library { + type: string + sql: ${TABLE}.library ;; + } +} + +view: udm_events__principal__process__file__pe_file__resources_language_count { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: value { + type: number + sql: ${TABLE}.value ;; + } +} + +view: udm_events__principal__process__file__pe_file__resources_type_count_str { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__src__process_ancestors__file__pe_file__resources_type_count { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: value { + type: number + sql: ${TABLE}.value ;; + } +} + +view: udm_events__security_result__about__file__pe_file__resources_type_count { + dimension: key { + type: string + 
sql: ${TABLE}.key ;; + } + + dimension: value { + type: number + sql: ${TABLE}.value ;; + } +} + +view: udm_events__security_result__about__process__file__pe_file__resource { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + } + + dimension: file_type { + type: string + sql: ${TABLE}.file_type ;; + } + + dimension: filetype_magic { + type: string + sql: ${TABLE}.filetype_magic ;; + } + + dimension: language_code { + type: string + sql: ${TABLE}.language_code ;; + } + + dimension: resource_type { + type: string + sql: ${TABLE}.resource_type ;; + } + + dimension: sha256_hex { + type: string + sql: ${TABLE}.sha256_hex ;; + } +} + +view: udm_events__security_result__about__user_management_chain__email_addresses { + dimension: udm_events__security_result__about__user_management_chain__email_addresses { + type: string + sql: udm_events__security_result__about__user_management_chain__email_addresses ;; + } +} + +view: udm_events__target__process_ancestors__file__pe_file__signature_info__signer { + dimension: udm_events__target__process_ancestors__file__pe_file__signature_info__signer { + type: string + sql: udm_events__target__process_ancestors__file__pe_file__signature_info__signer ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__user__email_addresses { + dimension: udm_events__extensions__vulns__vulnerabilities__about__user__email_addresses { + type: string + sql: udm_events__extensions__vulns__vulnerabilities__about__user__email_addresses ;; + } +} + +view: udm_events__intermediary__process_ancestors__file__pe_file__resource { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + } + + dimension: file_type { + type: string + sql: ${TABLE}.file_type ;; + } + + dimension: filetype_magic { + type: string + sql: ${TABLE}.filetype_magic ;; + } + + dimension: language_code { + type: string + sql: ${TABLE}.language_code ;; + } + + dimension: resource_type { + type: string + sql: ${TABLE}.resource_type ;; + } + + 
dimension: sha256_hex { + type: string + sql: ${TABLE}.sha256_hex ;; + } +} + +view: udm_events__security_result__about__process__file__pe_file__imports__functions { + dimension: udm_events__security_result__about__process__file__pe_file__imports__functions { + type: string + sql: udm_events__security_result__about__process__file__pe_file__imports__functions ;; + } +} + +view: udm_events__security_result__about__process_ancestors__command_line_history { + dimension: udm_events__security_result__about__process_ancestors__command_line_history { + type: string + sql: udm_events__security_result__about__process_ancestors__command_line_history ;; + } +} + +view: udm_events__security_result__about__domain__tech__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__security_result__about__domain__zone__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__security_result__about__domain__registrant__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + dimension: interval__start_time__seconds { + type: number + sql: 
${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: udm_events__security_result__about__domain__registrant__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__security_result__about__domain__registrant__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__target__process__file__pe_file__resources_language_count_str { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__resource_ancestors { + drill_fields: [id] + + dimension: id { + primary_key: yes + type: string + sql: ${TABLE}.id ;; + } + + dimension: attribute__cloud__availability_zone { + type: string + sql: ${TABLE}.attribute.cloud.availability_zone ;; + group_label: "Attribute Cloud" + group_item_label: "Availability Zone" + } + + dimension: attribute__cloud__environment { + type: number + sql: ${TABLE}.attribute.cloud.environment ;; + group_label: "Attribute Cloud" + group_item_label: "Environment" + } + + dimension: attribute__creation_time__nanos { + type: number + sql: ${TABLE}.attribute.creation_time.nanos ;; + group_label: "Attribute Creation Time" + group_item_label: "Nanos" + } + + dimension: attribute__creation_time__seconds { + type: number + sql: ${TABLE}.attribute.creation_time.seconds ;; + group_label: "Attribute Creation Time" + group_item_label: "Seconds" + } + + dimension: attribute__labels { + hidden: yes + sql: 
${TABLE}.attribute.labels ;; + group_label: "Attribute" + group_item_label: "Labels" + } + + dimension: attribute__last_update_time__nanos { + type: number + sql: ${TABLE}.attribute.last_update_time.nanos ;; + group_label: "Attribute Last Update Time" + group_item_label: "Nanos" + } + + dimension: attribute__last_update_time__seconds { + type: number + sql: ${TABLE}.attribute.last_update_time.seconds ;; + group_label: "Attribute Last Update Time" + group_item_label: "Seconds" + } + + dimension: attribute__permissions { + hidden: yes + sql: ${TABLE}.attribute.permissions ;; + group_label: "Attribute" + group_item_label: "Permissions" + } + + dimension: attribute__roles { + hidden: yes + sql: ${TABLE}.attribute.roles ;; + group_label: "Attribute" + group_item_label: "Roles" + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: parent { + type: string + sql: ${TABLE}.parent ;; + } + + dimension: product_object_id { + type: string + sql: ${TABLE}.product_object_id ;; + } + + dimension: resource_subtype { + type: string + sql: ${TABLE}.resource_subtype ;; + } + + dimension: resource_type { + type: number + sql: ${TABLE}.resource_type ;; + } + + dimension: type { + type: string + sql: ${TABLE}.type ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__process_ancestors { + dimension: access_mask { + type: number + sql: ${TABLE}.access_mask ;; + } + + dimension: command_line { + type: string + sql: ${TABLE}.command_line ;; + } + + dimension: command_line_history { + hidden: yes + sql: ${TABLE}.command_line_history ;; + } + + dimension: file__ahash { + type: string + sql: ${TABLE}.file.ahash ;; + group_label: "File" + group_item_label: "Ahash" + } + + dimension: file__authentihash { + type: string + sql: ${TABLE}.file.authentihash ;; + group_label: "File" + group_item_label: "Authentihash" + } + + dimension: file__capabilities_tags { + hidden: yes + sql: ${TABLE}.file.capabilities_tags ;; + group_label: "File" + 
group_item_label: "Capabilities Tags" + } + + dimension: file__file_metadata__pe__import_hash { + type: string + sql: ${TABLE}.file.file_metadata.pe.import_hash ;; + group_label: "File File Metadata Pe" + group_item_label: "Import Hash" + } + + dimension: file__file_type { + type: number + sql: ${TABLE}.file.file_type ;; + group_label: "File" + group_item_label: "File Type" + } + + dimension: file__first_seen_time__nanos { + type: number + sql: ${TABLE}.file.first_seen_time.nanos ;; + group_label: "File First Seen Time" + group_item_label: "Nanos" + } + + dimension: file__first_seen_time__seconds { + type: number + sql: ${TABLE}.file.first_seen_time.seconds ;; + group_label: "File First Seen Time" + group_item_label: "Seconds" + } + + dimension: file__full_path { + type: string + sql: ${TABLE}.file.full_path ;; + group_label: "File" + group_item_label: "Full Path" + } + + dimension: file__last_modification_time__nanos { + type: number + sql: ${TABLE}.file.last_modification_time.nanos ;; + group_label: "File Last Modification Time" + group_item_label: "Nanos" + } + + dimension: file__last_modification_time__seconds { + type: number + sql: ${TABLE}.file.last_modification_time.seconds ;; + group_label: "File Last Modification Time" + group_item_label: "Seconds" + } + + dimension: file__last_seen_time__nanos { + type: number + sql: ${TABLE}.file.last_seen_time.nanos ;; + group_label: "File Last Seen Time" + group_item_label: "Nanos" + } + + dimension: file__last_seen_time__seconds { + type: number + sql: ${TABLE}.file.last_seen_time.seconds ;; + group_label: "File Last Seen Time" + group_item_label: "Seconds" + } + + dimension: file__md5 { + type: string + sql: ${TABLE}.file.md5 ;; + group_label: "File" + group_item_label: "Md5" + } + + dimension: file__mime_type { + type: string + sql: ${TABLE}.file.mime_type ;; + group_label: "File" + group_item_label: "Mime Type" + } + + dimension: file__names { + hidden: yes + sql: ${TABLE}.file.names ;; + group_label: "File" + 
group_item_label: "Names" + } + + dimension: file__pe_file__compilation_exiftool_time__nanos { + type: number + sql: ${TABLE}.file.pe_file.compilation_exiftool_time.nanos ;; + group_label: "File Pe File Compilation Exiftool Time" + group_item_label: "Nanos" + } + + dimension: file__pe_file__compilation_exiftool_time__seconds { + type: number + sql: ${TABLE}.file.pe_file.compilation_exiftool_time.seconds ;; + group_label: "File Pe File Compilation Exiftool Time" + group_item_label: "Seconds" + } + + dimension: file__pe_file__compilation_time__nanos { + type: number + sql: ${TABLE}.file.pe_file.compilation_time.nanos ;; + group_label: "File Pe File Compilation Time" + group_item_label: "Nanos" + } + + dimension: file__pe_file__compilation_time__seconds { + type: number + sql: ${TABLE}.file.pe_file.compilation_time.seconds ;; + group_label: "File Pe File Compilation Time" + group_item_label: "Seconds" + } + + dimension: file__pe_file__entry_point { + type: number + sql: ${TABLE}.file.pe_file.entry_point ;; + group_label: "File Pe File" + group_item_label: "Entry Point" + } + + dimension: file__pe_file__entry_point_exiftool { + type: number + sql: ${TABLE}.file.pe_file.entry_point_exiftool ;; + group_label: "File Pe File" + group_item_label: "Entry Point Exiftool" + } + + dimension: file__pe_file__imphash { + type: string + sql: ${TABLE}.file.pe_file.imphash ;; + group_label: "File Pe File" + group_item_label: "Imphash" + } + + dimension: file__pe_file__imports { + hidden: yes + sql: ${TABLE}.file.pe_file.imports ;; + group_label: "File Pe File" + group_item_label: "Imports" + } + + dimension: file__pe_file__resource { + hidden: yes + sql: ${TABLE}.file.pe_file.resource ;; + group_label: "File Pe File" + group_item_label: "Resource" + } + + dimension: file__pe_file__resources_language_count { + hidden: yes + sql: ${TABLE}.file.pe_file.resources_language_count ;; + group_label: "File Pe File" + group_item_label: "Resources Language Count" + } + + dimension: 
file__pe_file__resources_language_count_str { + hidden: yes + sql: ${TABLE}.file.pe_file.resources_language_count_str ;; + group_label: "File Pe File" + group_item_label: "Resources Language Count Str" + } + + dimension: file__pe_file__resources_type_count { + hidden: yes + sql: ${TABLE}.file.pe_file.resources_type_count ;; + group_label: "File Pe File" + group_item_label: "Resources Type Count" + } + + dimension: file__pe_file__resources_type_count_str { + hidden: yes + sql: ${TABLE}.file.pe_file.resources_type_count_str ;; + group_label: "File Pe File" + group_item_label: "Resources Type Count Str" + } + + dimension: file__pe_file__section { + hidden: yes + sql: ${TABLE}.file.pe_file.section ;; + group_label: "File Pe File" + group_item_label: "Section" + } + + dimension: file__pe_file__signature_info__signer { + hidden: yes + sql: ${TABLE}.file.pe_file.signature_info.signer ;; + group_label: "File Pe File Signature Info" + group_item_label: "Signer" + } + + dimension: file__pe_file__signature_info__signers { + hidden: yes + sql: ${TABLE}.file.pe_file.signature_info.signers ;; + group_label: "File Pe File Signature Info" + group_item_label: "Signers" + } + + dimension: file__pe_file__signature_info__verification_message { + type: string + sql: ${TABLE}.file.pe_file.signature_info.verification_message ;; + group_label: "File Pe File Signature Info" + group_item_label: "Verification Message" + } + + dimension: file__pe_file__signature_info__verified { + type: yesno + sql: ${TABLE}.file.pe_file.signature_info.verified ;; + group_label: "File Pe File Signature Info" + group_item_label: "Verified" + } + + dimension: file__prevalence__day_count { + type: number + sql: ${TABLE}.file.prevalence.day_count ;; + group_label: "File Prevalence" + group_item_label: "Day Count" + } + + dimension: file__prevalence__day_max { + type: number + sql: ${TABLE}.file.prevalence.day_max ;; + group_label: "File Prevalence" + group_item_label: "Day Max" + } + + dimension: 
file__prevalence__day_max_sub_domains { + type: number + sql: ${TABLE}.file.prevalence.day_max_sub_domains ;; + group_label: "File Prevalence" + group_item_label: "Day Max Sub Domains" + } + + dimension: file__prevalence__rolling_max { + type: number + sql: ${TABLE}.file.prevalence.rolling_max ;; + group_label: "File Prevalence" + group_item_label: "Rolling Max" + } + + dimension: file__prevalence__rolling_max_sub_domains { + type: number + sql: ${TABLE}.file.prevalence.rolling_max_sub_domains ;; + group_label: "File Prevalence" + group_item_label: "Rolling Max Sub Domains" + } + + dimension: file__sha1 { + type: string + sql: ${TABLE}.file.sha1 ;; + group_label: "File" + group_item_label: "Sha1" + } + + dimension: file__sha256 { + type: string + sql: ${TABLE}.file.sha256 ;; + group_label: "File" + group_item_label: "Sha256" + } + + dimension: file__size { + type: number + sql: ${TABLE}.file.size ;; + group_label: "File" + group_item_label: "Size" + } + + dimension: file__ssdeep { + type: string + sql: ${TABLE}.file.ssdeep ;; + group_label: "File" + group_item_label: "Ssdeep" + } + + dimension: file__vhash { + type: string + sql: ${TABLE}.file.vhash ;; + group_label: "File" + group_item_label: "Vhash" + } + + dimension: parent_pid { + type: string + sql: ${TABLE}.parent_pid ;; + } + + dimension: pid { + type: string + sql: ${TABLE}.pid ;; + } + + dimension: product_specific_parent_process_id { + type: string + sql: ${TABLE}.product_specific_parent_process_id ;; + } + + dimension: product_specific_process_id { + type: string + sql: ${TABLE}.product_specific_process_id ;; + } +} + +view: udm_events__about__process_ancestors__file__pe_file__resources_type_count { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: value { + type: number + sql: ${TABLE}.value ;; + } +} + +view: udm_events__intermediary__process__file__pe_file__signature_info__signers { + dimension: name { + type: string + sql: ${TABLE}.name ;; + } +} + +view: 
udm_events__intermediary__user_management_chain__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__intermediary__process_ancestors__file__pe_file__imports__functions { + dimension: udm_events__intermediary__process_ancestors__file__pe_file__imports__functions { + type: string + sql: udm_events__intermediary__process_ancestors__file__pe_file__imports__functions ;; + } +} + +view: udm_events__observer__process_ancestors__file__pe_file__signature_info__signer { + dimension: udm_events__observer__process_ancestors__file__pe_file__signature_info__signer { + type: string + sql: udm_events__observer__process_ancestors__file__pe_file__signature_info__signer ;; + } +} + +view: udm_events__security_result__about__resource_ancestors__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__security_result__about__resource_ancestors__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__security_result__about__user_management_chain__group_identifiers { + dimension: udm_events__security_result__about__user_management_chain__group_identifiers { + type: string + sql: udm_events__security_result__about__user_management_chain__group_identifiers ;; + } +} + +view: udm_events__security_result__about__domain__admin__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: 
number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__file__capabilities_tags { + dimension: udm_events__extensions__vulns__vulnerabilities__about__file__capabilities_tags { + type: string + sql: udm_events__extensions__vulns__vulnerabilities__about__file__capabilities_tags ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__domain__tech__department { + dimension: udm_events__extensions__vulns__vulnerabilities__about__domain__tech__department { + type: string + sql: udm_events__extensions__vulns__vulnerabilities__about__domain__tech__department ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__domain__zone__department { + dimension: udm_events__extensions__vulns__vulnerabilities__about__domain__zone__department { + type: string + sql: udm_events__extensions__vulns__vulnerabilities__about__domain__zone__department ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__investigation__comments { + dimension: udm_events__extensions__vulns__vulnerabilities__about__investigation__comments { + type: string + sql: udm_events__extensions__vulns__vulnerabilities__about__investigation__comments ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__user__group_identifiers { + dimension: udm_events__extensions__vulns__vulnerabilities__about__user__group_identifiers { + type: string + sql: udm_events__extensions__vulns__vulnerabilities__about__user__group_identifiers ;; + } +} + +view: udm_events__intermediary__process__file__pe_file__resources_language_count { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: value { + type: number + sql: ${TABLE}.value ;; + } +} + +view: udm_events__intermediary__process__file__pe_file__resources_type_count_str { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: 
${TABLE}.value ;; + } +} + +view: udm_events__principal__process_ancestors__file__pe_file__signature_info__signer { + dimension: udm_events__principal__process_ancestors__file__pe_file__signature_info__signer { + type: string + sql: udm_events__principal__process_ancestors__file__pe_file__signature_info__signer ;; + } +} + +view: udm_events__observer__process__file__pe_file__resources_language_count_str { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__src__process_ancestors__file__pe_file__signature_info__signers { + dimension: name { + type: string + sql: ${TABLE}.name ;; + } +} + +view: udm_events__security_result__about__cloud__project__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__security_result__about__file__pe_file__signature_info__signers { + dimension: name { + type: string + sql: ${TABLE}.name ;; + } +} + +view: udm_events__security_result__about__process_ancestors__file__capabilities_tags { + dimension: udm_events__security_result__about__process_ancestors__file__capabilities_tags { + type: string + sql: udm_events__security_result__about__process_ancestors__file__capabilities_tags ;; + } +} + +view: udm_events__target__process_ancestors__file__pe_file__resources_type_count { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: value { + type: number + sql: ${TABLE}.value ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__group__email_addresses { + dimension: udm_events__extensions__vulns__vulnerabilities__about__group__email_addresses { + type: string + sql: 
udm_events__extensions__vulns__vulnerabilities__about__group__email_addresses ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__domain__admin__department { + dimension: udm_events__extensions__vulns__vulnerabilities__about__domain__admin__department { + type: string + sql: udm_events__extensions__vulns__vulnerabilities__about__domain__admin__department ;; + } +} + +view: udm_events__principal__process__file__pe_file__resources_language_count_str { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__src__process_ancestors__file__pe_file__resources_language_count { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: value { + type: number + sql: ${TABLE}.value ;; + } +} + +view: udm_events__src__process_ancestors__file__pe_file__resources_type_count_str { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__security_result__about__file__pe_file__resources_language_count { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: value { + type: number + sql: ${TABLE}.value ;; + } +} + +view: udm_events__security_result__about__file__pe_file__resources_type_count_str { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__security_result__about__domain__billing__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: 
udm_events__about__process_ancestors__file__pe_file__signature_info__signers { + dimension: name { + type: string + sql: ${TABLE}.name ;; + } +} + +view: udm_events__observer__process_ancestors__file__pe_file__resources_type_count { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: value { + type: number + sql: ${TABLE}.value ;; + } +} + +view: udm_events__security_result__about__process__file__pe_file__signature_info__signer { + dimension: udm_events__security_result__about__process__file__pe_file__signature_info__signer { + type: string + sql: udm_events__security_result__about__process__file__pe_file__signature_info__signer ;; + } +} + +view: udm_events__security_result__about__user_management_chain__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: udm_events__security_result__about__user_management_chain__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__security_result__about__user_management_chain__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: 
source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__file__pe_file__section { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + } + + dimension: md5_hex { + type: string + sql: ${TABLE}.md5_hex ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: raw_size_bytes { + type: number + sql: ${TABLE}.raw_size_bytes ;; + } + + dimension: virtual_size_bytes { + type: number + sql: ${TABLE}.virtual_size_bytes ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__domain__tech__phone_numbers { + dimension: udm_events__extensions__vulns__vulnerabilities__about__domain__tech__phone_numbers { + type: string + sql: udm_events__extensions__vulns__vulnerabilities__about__domain__tech__phone_numbers ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__domain__billing__department { + dimension: udm_events__extensions__vulns__vulnerabilities__about__domain__billing__department { + type: string + sql: udm_events__extensions__vulns__vulnerabilities__about__domain__billing__department ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__domain__zone__phone_numbers { + dimension: udm_events__extensions__vulns__vulnerabilities__about__domain__zone__phone_numbers { + type: string + sql: udm_events__extensions__vulns__vulnerabilities__about__domain__zone__phone_numbers ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__user__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + 
group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__user__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__user__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__about__process_ancestors__file__pe_file__resources_language_count { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: value { + type: number + sql: ${TABLE}.value ;; + } +} + +view: udm_events__about__process_ancestors__file__pe_file__resources_type_count_str { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__intermediary__process_ancestors__file__pe_file__signature_info__signer { + dimension: udm_events__intermediary__process_ancestors__file__pe_file__signature_info__signer { + type: string + sql: udm_events__intermediary__process_ancestors__file__pe_file__signature_info__signer ;; + } +} + +view: udm_events__principal__process_ancestors__file__pe_file__resources_type_count { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: value { + type: number + sql: 
${TABLE}.value ;; + } +} + +view: udm_events__security_result__about__process_ancestors__file__pe_file__section { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + } + + dimension: md5_hex { + type: string + sql: ${TABLE}.md5_hex ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: raw_size_bytes { + type: number + sql: ${TABLE}.raw_size_bytes ;; + } + + dimension: virtual_size_bytes { + type: number + sql: ${TABLE}.virtual_size_bytes ;; + } +} + +view: udm_events__target__process_ancestors__file__pe_file__signature_info__signers { + dimension: name { + type: string + sql: ${TABLE}.name ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__domain__admin__phone_numbers { + dimension: udm_events__extensions__vulns__vulnerabilities__about__domain__admin__phone_numbers { + type: string + sql: udm_events__extensions__vulns__vulnerabilities__about__domain__admin__phone_numbers ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__asset__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__asset__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__intermediary__process__file__pe_file__resources_language_count_str { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__security_result__about__domain__registrant__attribute__permissions { + dimension: description { + type: string + sql: 
${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__target__process_ancestors__file__pe_file__resources_language_count { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: value { + type: number + sql: ${TABLE}.value ;; + } +} + +view: udm_events__target__process_ancestors__file__pe_file__resources_type_count_str { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__user_management_chain { + dimension: account_type { + type: number + sql: ${TABLE}.account_type ;; + } + + dimension: attribute__cloud__availability_zone { + type: string + sql: ${TABLE}.attribute.cloud.availability_zone ;; + group_label: "Attribute Cloud" + group_item_label: "Availability Zone" + } + + dimension: attribute__cloud__environment { + type: number + sql: ${TABLE}.attribute.cloud.environment ;; + group_label: "Attribute Cloud" + group_item_label: "Environment" + } + + dimension: attribute__cloud__project__id { + type: string + sql: ${TABLE}.attribute.cloud.project.id ;; + group_label: "Attribute Cloud Project" + group_item_label: "ID" + } + + dimension: attribute__cloud__project__name { + type: string + sql: ${TABLE}.attribute.cloud.project.name ;; + group_label: "Attribute Cloud Project" + group_item_label: "Name" + } + + dimension: attribute__cloud__project__parent { + type: string + sql: ${TABLE}.attribute.cloud.project.parent ;; + group_label: "Attribute Cloud Project" + group_item_label: "Parent" + } + + dimension: attribute__cloud__project__product_object_id { + type: string + sql: ${TABLE}.attribute.cloud.project.product_object_id ;; + group_label: "Attribute Cloud Project" + group_item_label: "Product Object ID" + } + + 
dimension: attribute__cloud__project__resource_subtype { + type: string + sql: ${TABLE}.attribute.cloud.project.resource_subtype ;; + group_label: "Attribute Cloud Project" + group_item_label: "Resource Subtype" + } + + dimension: attribute__cloud__project__resource_type { + type: number + sql: ${TABLE}.attribute.cloud.project.resource_type ;; + group_label: "Attribute Cloud Project" + group_item_label: "Resource Type" + } + + dimension: attribute__cloud__project__type { + type: string + sql: ${TABLE}.attribute.cloud.project.type ;; + group_label: "Attribute Cloud Project" + group_item_label: "Type" + } + + dimension: attribute__cloud__vpc__id { + type: string + sql: ${TABLE}.attribute.cloud.vpc.id ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "ID" + } + + dimension: attribute__cloud__vpc__name { + type: string + sql: ${TABLE}.attribute.cloud.vpc.name ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "Name" + } + + dimension: attribute__cloud__vpc__parent { + type: string + sql: ${TABLE}.attribute.cloud.vpc.parent ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "Parent" + } + + dimension: attribute__cloud__vpc__product_object_id { + type: string + sql: ${TABLE}.attribute.cloud.vpc.product_object_id ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "Product Object ID" + } + + dimension: attribute__cloud__vpc__resource_subtype { + type: string + sql: ${TABLE}.attribute.cloud.vpc.resource_subtype ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "Resource Subtype" + } + + dimension: attribute__cloud__vpc__resource_type { + type: number + sql: ${TABLE}.attribute.cloud.vpc.resource_type ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "Resource Type" + } + + dimension: attribute__cloud__vpc__type { + type: string + sql: ${TABLE}.attribute.cloud.vpc.type ;; + group_label: "Attribute Cloud Vpc" + group_item_label: "Type" + } + + dimension: attribute__creation_time__nanos { + type: number + sql: 
${TABLE}.attribute.creation_time.nanos ;; + group_label: "Attribute Creation Time" + group_item_label: "Nanos" + } + + dimension: attribute__creation_time__seconds { + type: number + sql: ${TABLE}.attribute.creation_time.seconds ;; + group_label: "Attribute Creation Time" + group_item_label: "Seconds" + } + + dimension: attribute__labels { + hidden: yes + sql: ${TABLE}.attribute.labels ;; + group_label: "Attribute" + group_item_label: "Labels" + } + + dimension: attribute__last_update_time__nanos { + type: number + sql: ${TABLE}.attribute.last_update_time.nanos ;; + group_label: "Attribute Last Update Time" + group_item_label: "Nanos" + } + + dimension: attribute__last_update_time__seconds { + type: number + sql: ${TABLE}.attribute.last_update_time.seconds ;; + group_label: "Attribute Last Update Time" + group_item_label: "Seconds" + } + + dimension: attribute__permissions { + hidden: yes + sql: ${TABLE}.attribute.permissions ;; + group_label: "Attribute" + group_item_label: "Permissions" + } + + dimension: attribute__roles { + hidden: yes + sql: ${TABLE}.attribute.roles ;; + group_label: "Attribute" + group_item_label: "Roles" + } + + dimension: company_name { + type: string + sql: ${TABLE}.company_name ;; + } + + dimension: department { + hidden: yes + sql: ${TABLE}.department ;; + } + + dimension: email_addresses { + hidden: yes + sql: ${TABLE}.email_addresses ;; + } + + dimension: employee_id { + type: string + sql: ${TABLE}.employee_id ;; + } + + dimension: first_name { + type: string + sql: ${TABLE}.first_name ;; + } + + dimension: first_seen_time__nanos { + type: number + sql: ${TABLE}.first_seen_time.nanos ;; + group_label: "First Seen Time" + group_item_label: "Nanos" + } + + dimension: first_seen_time__seconds { + type: number + sql: ${TABLE}.first_seen_time.seconds ;; + group_label: "First Seen Time" + group_item_label: "Seconds" + } + + dimension: group_identifiers { + hidden: yes + sql: ${TABLE}.group_identifiers ;; + } + + dimension: groupid { + type: 
string + sql: ${TABLE}.groupid ;; + } + + dimension: hire_date__nanos { + type: number + sql: ${TABLE}.hire_date.nanos ;; + group_label: "Hire Date" + group_item_label: "Nanos" + } + + dimension: hire_date__seconds { + type: number + sql: ${TABLE}.hire_date.seconds ;; + group_label: "Hire Date" + group_item_label: "Seconds" + } + + dimension: last_name { + type: string + sql: ${TABLE}.last_name ;; + } + + dimension: middle_name { + type: string + sql: ${TABLE}.middle_name ;; + } + + dimension: office_address__city { + type: string + sql: ${TABLE}.office_address.city ;; + group_label: "Office Address" + group_item_label: "City" + } + + dimension: office_address__country_or_region { + type: string + sql: ${TABLE}.office_address.country_or_region ;; + group_label: "Office Address" + group_item_label: "Country or Region" + } + + dimension: office_address__desk_name { + type: string + sql: ${TABLE}.office_address.desk_name ;; + group_label: "Office Address" + group_item_label: "Desk Name" + } + + dimension: office_address__floor_name { + type: string + sql: ${TABLE}.office_address.floor_name ;; + group_label: "Office Address" + group_item_label: "Floor Name" + } + + dimension: office_address__name { + type: string + sql: ${TABLE}.office_address.name ;; + group_label: "Office Address" + group_item_label: "Name" + } + + dimension: office_address__region_latitude { + type: number + sql: ${TABLE}.office_address.region_latitude ;; + group_label: "Office Address" + group_item_label: "Region Latitude" + } + + dimension: office_address__region_longitude { + type: number + sql: ${TABLE}.office_address.region_longitude ;; + group_label: "Office Address" + group_item_label: "Region Longitude" + } + + dimension: office_address__state { + type: string + sql: ${TABLE}.office_address.state ;; + group_label: "Office Address" + group_item_label: "State" + } + + dimension: personal_address__city { + type: string + sql: ${TABLE}.personal_address.city ;; + group_label: "Personal Address" + 
group_item_label: "City" + } + + dimension: personal_address__country_or_region { + type: string + sql: ${TABLE}.personal_address.country_or_region ;; + group_label: "Personal Address" + group_item_label: "Country or Region" + } + + dimension: personal_address__desk_name { + type: string + sql: ${TABLE}.personal_address.desk_name ;; + group_label: "Personal Address" + group_item_label: "Desk Name" + } + + dimension: personal_address__floor_name { + type: string + sql: ${TABLE}.personal_address.floor_name ;; + group_label: "Personal Address" + group_item_label: "Floor Name" + } + + dimension: personal_address__name { + type: string + sql: ${TABLE}.personal_address.name ;; + group_label: "Personal Address" + group_item_label: "Name" + } + + dimension: personal_address__region_latitude { + type: number + sql: ${TABLE}.personal_address.region_latitude ;; + group_label: "Personal Address" + group_item_label: "Region Latitude" + } + + dimension: personal_address__region_longitude { + type: number + sql: ${TABLE}.personal_address.region_longitude ;; + group_label: "Personal Address" + group_item_label: "Region Longitude" + } + + dimension: personal_address__state { + type: string + sql: ${TABLE}.personal_address.state ;; + group_label: "Personal Address" + group_item_label: "State" + } + + dimension: phone_numbers { + hidden: yes + sql: ${TABLE}.phone_numbers ;; + } + + dimension: product_object_id { + type: string + sql: ${TABLE}.product_object_id ;; + } + + dimension: role_description { + type: string + sql: ${TABLE}.role_description ;; + } + + dimension: role_name { + type: string + sql: ${TABLE}.role_name ;; + } + + dimension: termination_date__nanos { + type: number + sql: ${TABLE}.termination_date.nanos ;; + group_label: "Termination Date" + group_item_label: "Nanos" + } + + dimension: termination_date__seconds { + type: number + sql: ${TABLE}.termination_date.seconds ;; + group_label: "Termination Date" + group_item_label: "Seconds" + } + + dimension: time_off { + 
hidden: yes + sql: ${TABLE}.time_off ;; + } + + dimension: title { + type: string + sql: ${TABLE}.title ;; + } + + dimension: user_authentication_status { + type: number + sql: ${TABLE}.user_authentication_status ;; + } + + dimension: user_display_name { + type: string + sql: ${TABLE}.user_display_name ;; + } + + dimension: user_role { + type: number + sql: ${TABLE}.user_role ;; + } + + dimension: userid { + type: string + sql: ${TABLE}.userid ;; + } + + dimension: windows_sid { + type: string + sql: ${TABLE}.windows_sid ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__domain__tech__email_addresses { + dimension: udm_events__extensions__vulns__vulnerabilities__about__domain__tech__email_addresses { + type: string + sql: udm_events__extensions__vulns__vulnerabilities__about__domain__tech__email_addresses ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__domain__zone__email_addresses { + dimension: udm_events__extensions__vulns__vulnerabilities__about__domain__zone__email_addresses { + type: string + sql: udm_events__extensions__vulns__vulnerabilities__about__domain__zone__email_addresses ;; + } +} + +view: udm_events__observer__process_ancestors__file__pe_file__signature_info__signers { + dimension: name { + type: string + sql: ${TABLE}.name ;; + } +} + +view: udm_events__src__process_ancestors__file__pe_file__resources_language_count_str { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__security_result__about__file__pe_file__resources_language_count_str { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__security_result__about__process__file__pe_file__resources_type_count { + 
dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: value { + type: number + sql: ${TABLE}.value ;; + } +} + +view: udm_events__security_result__about__resource_ancestors__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__file__pe_file__imports { + dimension: functions { + hidden: yes + sql: ${TABLE}.functions ;; + } + + dimension: library { + type: string + sql: ${TABLE}.library ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__group__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__group__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__process__command_line_history { + dimension: udm_events__extensions__vulns__vulnerabilities__about__process__command_line_history { + type: string + sql: udm_events__extensions__vulns__vulnerabilities__about__process__command_line_history ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__process_ancestors__file__names { + dimension: udm_events__extensions__vulns__vulnerabilities__about__process_ancestors__file__names { + type: string + sql: udm_events__extensions__vulns__vulnerabilities__about__process_ancestors__file__names ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__domain__admin__email_addresses { + dimension: 
udm_events__extensions__vulns__vulnerabilities__about__domain__admin__email_addresses { + type: string + sql: udm_events__extensions__vulns__vulnerabilities__about__domain__admin__email_addresses ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__domain__billing__phone_numbers { + dimension: udm_events__extensions__vulns__vulnerabilities__about__domain__billing__phone_numbers { + type: string + sql: udm_events__extensions__vulns__vulnerabilities__about__domain__billing__phone_numbers ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__domain__registrant__department { + dimension: udm_events__extensions__vulns__vulnerabilities__about__domain__registrant__department { + type: string + sql: udm_events__extensions__vulns__vulnerabilities__about__domain__registrant__department ;; + } +} + +view: udm_events__intermediary__process_ancestors__file__pe_file__resources_type_count { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: value { + type: number + sql: ${TABLE}.value ;; + } +} + +view: udm_events__principal__process_ancestors__file__pe_file__signature_info__signers { + dimension: name { + type: string + sql: ${TABLE}.name ;; + } +} + +view: udm_events__observer__process_ancestors__file__pe_file__resources_language_count { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: value { + type: number + sql: ${TABLE}.value ;; + } +} + +view: udm_events__observer__process_ancestors__file__pe_file__resources_type_count_str { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__security_result__about__process_ancestors__file__pe_file__imports { + dimension: functions { + hidden: yes + sql: ${TABLE}.functions ;; + } + + dimension: library { + type: string + sql: ${TABLE}.library ;; + } +} + +view: 
udm_events__extensions__vulns__vulnerabilities__about__file__pe_file__resource { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + } + + dimension: file_type { + type: string + sql: ${TABLE}.file_type ;; + } + + dimension: filetype_magic { + type: string + sql: ${TABLE}.filetype_magic ;; + } + + dimension: language_code { + type: string + sql: ${TABLE}.language_code ;; + } + + dimension: resource_type { + type: string + sql: ${TABLE}.resource_type ;; + } + + dimension: sha256_hex { + type: string + sql: ${TABLE}.sha256_hex ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__resource__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__resource__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__domain__tech__group_identifiers { + dimension: udm_events__extensions__vulns__vulnerabilities__about__domain__tech__group_identifiers { + type: string + sql: udm_events__extensions__vulns__vulnerabilities__about__domain__tech__group_identifiers ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__domain__zone__group_identifiers { + dimension: udm_events__extensions__vulns__vulnerabilities__about__domain__zone__group_identifiers { + type: string + sql: udm_events__extensions__vulns__vulnerabilities__about__domain__zone__group_identifiers ;; + } +} + +view: udm_events__about__process_ancestors__file__pe_file__resources_language_count_str { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: 
${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__principal__process_ancestors__file__pe_file__resources_language_count { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: value { + type: number + sql: ${TABLE}.value ;; + } +} + +view: udm_events__principal__process_ancestors__file__pe_file__resources_type_count_str { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__security_result__about__process_ancestors__file__pe_file__resource { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + } + + dimension: file_type { + type: string + sql: ${TABLE}.file_type ;; + } + + dimension: filetype_magic { + type: string + sql: ${TABLE}.filetype_magic ;; + } + + dimension: language_code { + type: string + sql: ${TABLE}.language_code ;; + } + + dimension: resource_type { + type: string + sql: ${TABLE}.resource_type ;; + } + + dimension: sha256_hex { + type: string + sql: ${TABLE}.sha256_hex ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__cloud__vpc__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__cloud__vpc__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__file__pe_file__imports__functions { + dimension: udm_events__extensions__vulns__vulnerabilities__about__file__pe_file__imports__functions { + type: string + 
sql: udm_events__extensions__vulns__vulnerabilities__about__file__pe_file__imports__functions ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__process__file__capabilities_tags { + dimension: udm_events__extensions__vulns__vulnerabilities__about__process__file__capabilities_tags { + type: string + sql: udm_events__extensions__vulns__vulnerabilities__about__process__file__capabilities_tags ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__domain__admin__group_identifiers { + dimension: udm_events__extensions__vulns__vulnerabilities__about__domain__admin__group_identifiers { + type: string + sql: udm_events__extensions__vulns__vulnerabilities__about__domain__admin__group_identifiers ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__domain__billing__email_addresses { + dimension: udm_events__extensions__vulns__vulnerabilities__about__domain__billing__email_addresses { + type: string + sql: udm_events__extensions__vulns__vulnerabilities__about__domain__billing__email_addresses ;; + } +} + +view: udm_events__security_result__about__process__file__pe_file__signature_info__signers { + dimension: name { + type: string + sql: ${TABLE}.name ;; + } +} + +view: udm_events__security_result__about__user_management_chain__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__security_result__about__process_ancestors__file__pe_file__imports__functions { + dimension: udm_events__security_result__about__process_ancestors__file__pe_file__imports__functions { + type: string + sql: udm_events__security_result__about__process_ancestors__file__pe_file__imports__functions ;; + } +} + +view: udm_events__target__process_ancestors__file__pe_file__resources_language_count_str { + dimension: key { + type: string + sql: 
${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__domain__registrant__phone_numbers { + dimension: udm_events__extensions__vulns__vulnerabilities__about__domain__registrant__phone_numbers { + type: string + sql: udm_events__extensions__vulns__vulnerabilities__about__domain__registrant__phone_numbers ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__asset__software__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__user__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__intermediary__process_ancestors__file__pe_file__signature_info__signers { + dimension: name { + type: string + sql: ${TABLE}.name ;; + } +} + +view: udm_events__security_result__about__process__file__pe_file__resources_language_count { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: value { + type: number + sql: ${TABLE}.value ;; + } +} + +view: udm_events__security_result__about__process__file__pe_file__resources_type_count_str { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__user_management_chain__department { + dimension: udm_events__extensions__vulns__vulnerabilities__about__user_management_chain__department { + type: string + 
sql: udm_events__extensions__vulns__vulnerabilities__about__user_management_chain__department ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__domain__tech__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__domain__tech__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__domain__tech__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__domain__billing__group_identifiers { + dimension: udm_events__extensions__vulns__vulnerabilities__about__domain__billing__group_identifiers { + type: string + sql: udm_events__extensions__vulns__vulnerabilities__about__domain__billing__group_identifiers ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__domain__zone__time_off { 
+ dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__domain__zone__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__domain__zone__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__asset__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__intermediary__process_ancestors__file__pe_file__resources_language_count { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: value { + type: number + sql: ${TABLE}.value ;; + } +} + +view: 
udm_events__intermediary__process_ancestors__file__pe_file__resources_type_count_str { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__observer__process_ancestors__file__pe_file__resources_language_count_str { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__process__file__pe_file__section { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + } + + dimension: md5_hex { + type: string + sql: ${TABLE}.md5_hex ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: raw_size_bytes { + type: number + sql: ${TABLE}.raw_size_bytes ;; + } + + dimension: virtual_size_bytes { + type: number + sql: ${TABLE}.virtual_size_bytes ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__domain__admin__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: 
udm_events__extensions__vulns__vulnerabilities__about__domain__admin__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__domain__admin__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__domain__registrant__email_addresses { + dimension: udm_events__extensions__vulns__vulnerabilities__about__domain__registrant__email_addresses { + type: string + sql: udm_events__extensions__vulns__vulnerabilities__about__domain__registrant__email_addresses ;; + } +} + +view: udm_events__principal__process_ancestors__file__pe_file__resources_language_count_str { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__cloud__project__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__cloud__project__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__file__pe_file__signature_info__signer { + dimension: 
udm_events__extensions__vulns__vulnerabilities__about__file__pe_file__signature_info__signer { + type: string + sql: udm_events__extensions__vulns__vulnerabilities__about__file__pe_file__signature_info__signer ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__group__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__security_result__about__process_ancestors__file__pe_file__signature_info__signer { + dimension: udm_events__security_result__about__process_ancestors__file__pe_file__signature_info__signer { + type: string + sql: udm_events__security_result__about__process_ancestors__file__pe_file__signature_info__signer ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__resource__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__user_management_chain__phone_numbers { + dimension: udm_events__extensions__vulns__vulnerabilities__about__user_management_chain__phone_numbers { + type: string + sql: udm_events__extensions__vulns__vulnerabilities__about__user_management_chain__phone_numbers ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__domain__billing__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + 
group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__domain__billing__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__domain__billing__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__domain__registrant__group_identifiers { + dimension: udm_events__extensions__vulns__vulnerabilities__about__domain__registrant__group_identifiers { + type: string + sql: udm_events__extensions__vulns__vulnerabilities__about__domain__registrant__group_identifiers ;; + } +} + +view: udm_events__security_result__about__process__file__pe_file__resources_language_count_str { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__cloud__vpc__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: 
udm_events__extensions__vulns__vulnerabilities__about__process__file__pe_file__imports { + dimension: functions { + hidden: yes + sql: ${TABLE}.functions ;; + } + + dimension: library { + type: string + sql: ${TABLE}.library ;; + } +} + +view: udm_events__intermediary__process_ancestors__file__pe_file__resources_language_count_str { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__file__pe_file__resources_type_count { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: value { + type: number + sql: ${TABLE}.value ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__process__file__pe_file__resource { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + } + + dimension: file_type { + type: string + sql: ${TABLE}.file_type ;; + } + + dimension: filetype_magic { + type: string + sql: ${TABLE}.filetype_magic ;; + } + + dimension: language_code { + type: string + sql: ${TABLE}.language_code ;; + } + + dimension: resource_type { + type: string + sql: ${TABLE}.resource_type ;; + } + + dimension: sha256_hex { + type: string + sql: ${TABLE}.sha256_hex ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__user_management_chain__email_addresses { + dimension: udm_events__extensions__vulns__vulnerabilities__about__user_management_chain__email_addresses { + type: string + sql: udm_events__extensions__vulns__vulnerabilities__about__user_management_chain__email_addresses ;; + } +} + +view: udm_events__security_result__about__process_ancestors__file__pe_file__resources_type_count { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: value { + type: number + sql: ${TABLE}.value ;; + } +} + +view: 
udm_events__extensions__vulns__vulnerabilities__about__process__file__pe_file__imports__functions { + dimension: udm_events__extensions__vulns__vulnerabilities__about__process__file__pe_file__imports__functions { + type: string + sql: udm_events__extensions__vulns__vulnerabilities__about__process__file__pe_file__imports__functions ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__process_ancestors__command_line_history { + dimension: udm_events__extensions__vulns__vulnerabilities__about__process_ancestors__command_line_history { + type: string + sql: udm_events__extensions__vulns__vulnerabilities__about__process_ancestors__command_line_history ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__domain__tech__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__domain__zone__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__domain__registrant__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: 
"Nanos" + } + + dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__domain__registrant__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__domain__registrant__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__resource_ancestors__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__resource_ancestors__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__user_management_chain__group_identifiers { + dimension: udm_events__extensions__vulns__vulnerabilities__about__user_management_chain__group_identifiers { + type: string + sql: udm_events__extensions__vulns__vulnerabilities__about__user_management_chain__group_identifiers ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__domain__admin__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + 
sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__cloud__project__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__file__pe_file__signature_info__signers { + dimension: name { + type: string + sql: ${TABLE}.name ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__process_ancestors__file__capabilities_tags { + dimension: udm_events__extensions__vulns__vulnerabilities__about__process_ancestors__file__capabilities_tags { + type: string + sql: udm_events__extensions__vulns__vulnerabilities__about__process_ancestors__file__capabilities_tags ;; + } +} + +view: udm_events__security_result__about__process_ancestors__file__pe_file__signature_info__signers { + dimension: name { + type: string + sql: ${TABLE}.name ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__file__pe_file__resources_language_count { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: value { + type: number + sql: ${TABLE}.value ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__file__pe_file__resources_type_count_str { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__domain__billing__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: 
udm_events__security_result__about__process_ancestors__file__pe_file__resources_language_count { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: value { + type: number + sql: ${TABLE}.value ;; + } +} + +view: udm_events__security_result__about__process_ancestors__file__pe_file__resources_type_count_str { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__process__file__pe_file__signature_info__signer { + dimension: udm_events__extensions__vulns__vulnerabilities__about__process__file__pe_file__signature_info__signer { + type: string + sql: udm_events__extensions__vulns__vulnerabilities__about__process__file__pe_file__signature_info__signer ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__user_management_chain__time_off { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: interval__end_time__nanos { + type: number + sql: ${TABLE}.`interval`.end_time.nanos ;; + group_label: "Interval End Time" + group_item_label: "Nanos" + } + + dimension: interval__end_time__seconds { + type: number + sql: ${TABLE}.`interval`.end_time.seconds ;; + group_label: "Interval End Time" + group_item_label: "Seconds" + } + + dimension: interval__start_time__nanos { + type: number + sql: ${TABLE}.`interval`.start_time.nanos ;; + group_label: "Interval Start Time" + group_item_label: "Nanos" + } + + dimension: interval__start_time__seconds { + type: number + sql: ${TABLE}.`interval`.start_time.seconds ;; + group_label: "Interval Start Time" + group_item_label: "Seconds" + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__user_management_chain__attribute__roles { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string 
+ sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__user_management_chain__attribute__labels { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__process_ancestors__file__pe_file__section { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + } + + dimension: md5_hex { + type: string + sql: ${TABLE}.md5_hex ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: raw_size_bytes { + type: number + sql: ${TABLE}.raw_size_bytes ;; + } + + dimension: virtual_size_bytes { + type: number + sql: ${TABLE}.virtual_size_bytes ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__domain__registrant__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__file__pe_file__resources_language_count_str { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__process__file__pe_file__resources_type_count { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: value { + type: number + sql: ${TABLE}.value ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__resource_ancestors__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: 
${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__security_result__about__process_ancestors__file__pe_file__resources_language_count_str { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__process_ancestors__file__pe_file__imports { + dimension: functions { + hidden: yes + sql: ${TABLE}.functions ;; + } + + dimension: library { + type: string + sql: ${TABLE}.library ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__process_ancestors__file__pe_file__resource { + dimension: entropy { + type: number + sql: ${TABLE}.entropy ;; + } + + dimension: file_type { + type: string + sql: ${TABLE}.file_type ;; + } + + dimension: filetype_magic { + type: string + sql: ${TABLE}.filetype_magic ;; + } + + dimension: language_code { + type: string + sql: ${TABLE}.language_code ;; + } + + dimension: resource_type { + type: string + sql: ${TABLE}.resource_type ;; + } + + dimension: sha256_hex { + type: string + sql: ${TABLE}.sha256_hex ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__process__file__pe_file__signature_info__signers { + dimension: name { + type: string + sql: ${TABLE}.name ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__user_management_chain__attribute__permissions { + dimension: description { + type: string + sql: ${TABLE}.description ;; + } + + dimension: name { + type: string + sql: ${TABLE}.name ;; + } + + dimension: type { + type: number + sql: ${TABLE}.type ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__process_ancestors__file__pe_file__imports__functions { + dimension: udm_events__extensions__vulns__vulnerabilities__about__process_ancestors__file__pe_file__imports__functions { + type: string + 
sql: udm_events__extensions__vulns__vulnerabilities__about__process_ancestors__file__pe_file__imports__functions ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__process__file__pe_file__resources_language_count { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: value { + type: number + sql: ${TABLE}.value ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__process__file__pe_file__resources_type_count_str { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } + + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__process_ancestors__file__pe_file__signature_info__signer { + dimension: udm_events__extensions__vulns__vulnerabilities__about__process_ancestors__file__pe_file__signature_info__signer { + type: string + sql: udm_events__extensions__vulns__vulnerabilities__about__process_ancestors__file__pe_file__signature_info__signer ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__process__file__pe_file__resources_language_count_str { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: source { + type: string + sql: ${TABLE}.source ;; + } - dimension: value { - type: string - sql: ${TABLE}.value ;; - } + dimension: value { + type: string + sql: ${TABLE}.value ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__process_ancestors__file__pe_file__resources_type_count { + dimension: key { + type: string + sql: ${TABLE}.key ;; + } + + dimension: value { + type: number + sql: ${TABLE}.value ;; + } +} + +view: udm_events__extensions__vulns__vulnerabilities__about__process_ancestors__file__pe_file__signature_info__signers { + dimension: name { + type: string + sql: ${TABLE}.name ;; + } +} + +view: 
udm_events__extensions__vulns__vulnerabilities__about__process_ancestors__file__pe_file__resources_language_count {
+ dimension: key {
+ type: string
+ sql: ${TABLE}.key ;;
+ }
+
+ dimension: value {
+ type: number
+ sql: ${TABLE}.value ;;
+ }
+}
+
+view: udm_events__extensions__vulns__vulnerabilities__about__process_ancestors__file__pe_file__resources_type_count_str {
+ dimension: key {
+ type: string
+ sql: ${TABLE}.key ;;
+ }
+
+ dimension: source {
+ type: string
+ sql: ${TABLE}.source ;;
+ }
+
+ dimension: value {
+ type: string
+ sql: ${TABLE}.value ;;
+ }
+}
+
+view: udm_events__extensions__vulns__vulnerabilities__about__process_ancestors__file__pe_file__resources_language_count_str {
+ dimension: key {
+ type: string
+ sql: ${TABLE}.key ;;
+ }
+
+ dimension: source {
+ type: string
+ sql: ${TABLE}.source ;;
+ }
+
+ dimension: value {
+ type: string
+ sql: ${TABLE}.value ;;
 }
+}
diff --git a/views/udm_events_aggregates.view.lkml b/views/udm_events_aggregates.view.lkml
index 79d21df..2d9b87a 100644
--- a/views/udm_events_aggregates.view.lkml
+++ b/views/udm_events_aggregates.view.lkml
@@ -1,5 +1,5 @@
 view: udm_events_aggregates {
- sql_table_name: `@{DATASET_NAME}.@{UDM_EVENTS_AGGREGRATES}`
+ sql_table_name: `@{UDM_EVENTS_AGGREGRATES}`
 ;;
 
 dimension: action {
diff --git a/views/udm_events_gcs.view.lkml b/views/udm_events_gcs.view.lkml
deleted file mode 100644
index c3a3d45..0000000
--- a/views/udm_events_gcs.view.lkml
+++ /dev/null
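Review bot: The new `sql_table_name` in `udm_events_aggregates` relies on the `UDM_EVENTS_AGGREGRATES` constant alone to carry the dataset qualifier, and nothing at the changed line says so. The manifest that defines the constant is not visible in this hunk, so whether its value was changed to a dataset-qualified name cannot be confirmed from here. If it still holds a bare table name, the query would presumably resolve against the connection's default dataset, and the dashboards built on this view could read a different table or fail. I would add a comment above the line, `# UDM_EVENTS_AGGREGRATES must hold a dataset-qualified table name; @{DATASET_NAME} is no longer prepended here`. The view body continues outside the hunk.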
@@ -1,23633 +0,0 @@ -view: udm_events_gcs { - sql_table_name: `@{UDM_EVENTS_GCS}` - ;; - - dimension: about__list { - hidden: yes - sql: ${TABLE}.about.list ;; - group_label: "About" - group_item_label: "List" - } - - dimension: additional__fields__list { - hidden: yes - sql: ${TABLE}.additional.fields.list ;; - group_label: "Additional Fields" - group_item_label: "List" - } - - dimension: extensions__auth__auth_details { - type: string - sql: ${TABLE}.extensions.auth.auth_details ;; - group_label: "Extensions Auth" - group_item_label: "Auth Details" - } - - dimension: extensions__auth__mechanism__list { - hidden: yes - sql: ${TABLE}.extensions.auth.mechanism.list ;; - group_label: "Extensions Auth Mechanism" - group_item_label: "List" - } - - dimension: extensions__auth__type { - type: number - sql: ${TABLE}.extensions.auth.type ;; - group_label: "Extensions Auth" - group_item_label: "Type" - } - - dimension: extensions__vulns__vulnerabilities__list { - hidden: yes - sql: ${TABLE}.extensions.vulns.vulnerabilities.list ;; - group_label: "Extensions Vulns Vulnerabilities" - group_item_label: "List" - } - - dimension: hour_time_bucket { - type: string - sql: ${TABLE}.hour_time_bucket ;; - } - - dimension: intermediary__list { - hidden: yes - sql: ${TABLE}.intermediary.list ;; - group_label: "Intermediary" - group_item_label: "List" - } - - dimension: metadata__collected_timestamp { - type: string - sql: ${TABLE}.metadata.collected_timestamp ;; - group_label: "Metadata" - group_item_label: "Collected Timestamp" - } - - dimension: metadata__description { - type: string - sql: ${TABLE}.metadata.description ;; - group_label: "Metadata" - group_item_label: "Description" - } - - dimension: metadata__event_timestamp { - type: string - sql: ${TABLE}.metadata.event_timestamp ;; - group_label: "Metadata" - group_item_label: "Event Timestamp" - } - - dimension: metadata__event_type { - type: number - sql: ${TABLE}.metadata.event_type ;; - group_label: "Metadata" - 
group_item_label: "Event Type" - } - - dimension: metadata__ingested_timestamp { - type: string - sql: ${TABLE}.metadata.ingested_timestamp ;; - group_label: "Metadata" - group_item_label: "Ingested Timestamp" - } - - dimension: metadata__ingestion_labels__list { - hidden: yes - sql: ${TABLE}.metadata.ingestion_labels.list ;; - group_label: "Metadata Ingestion Labels" - group_item_label: "List" - } - - dimension: metadata__product_deployment_id { - type: string - sql: ${TABLE}.metadata.product_deployment_id ;; - group_label: "Metadata" - group_item_label: "Product Deployment ID" - } - - dimension: metadata__product_event_type { - type: string - sql: ${TABLE}.metadata.product_event_type ;; - group_label: "Metadata" - group_item_label: "Product Event Type" - } - - dimension: metadata__product_log_id { - type: string - sql: ${TABLE}.metadata.product_log_id ;; - group_label: "Metadata" - group_item_label: "Product Log ID" - } - - dimension: metadata__product_name { - type: string - sql: ${TABLE}.metadata.product_name ;; - group_label: "Metadata" - group_item_label: "Product Name" - } - - dimension: metadata__product_version { - type: string - sql: ${TABLE}.metadata.product_version ;; - group_label: "Metadata" - group_item_label: "Product Version" - } - - dimension: metadata__tags__tenant_id__list { - hidden: yes - sql: ${TABLE}.metadata.tags.tenant_id.list ;; - group_label: "Metadata Tags Tenant ID" - group_item_label: "List" - } - - dimension: metadata__url_back_to_product { - type: string - sql: ${TABLE}.metadata.url_back_to_product ;; - group_label: "Metadata" - group_item_label: "URL Back to Product" - } - - dimension: metadata__vendor_name { - type: string - sql: ${TABLE}.metadata.vendor_name ;; - group_label: "Metadata" - group_item_label: "Vendor Name" - } - - dimension: network__application_protocol { - type: number - sql: ${TABLE}.network.application_protocol ;; - group_label: "Network" - group_item_label: "Application Protocol" - } - - dimension: network__asn 
{ - type: string - sql: ${TABLE}.network.asn ;; - group_label: "Network" - group_item_label: "Asn" - } - - dimension: network__carrier_name { - type: string - sql: ${TABLE}.network.carrier_name ;; - group_label: "Network" - group_item_label: "Carrier Name" - } - - dimension: network__community_id { - type: string - sql: ${TABLE}.network.community_id ;; - group_label: "Network" - group_item_label: "Community ID" - } - - dimension: network__dhcp__chaddr { - type: string - sql: ${TABLE}.network.dhcp.chaddr ;; - group_label: "Network Dhcp" - group_item_label: "Chaddr" - } - - dimension: network__dhcp__ciaddr { - type: string - sql: ${TABLE}.network.dhcp.ciaddr ;; - group_label: "Network Dhcp" - group_item_label: "Ciaddr" - } - - dimension: network__dhcp__client_hostname { - type: string - sql: ${TABLE}.network.dhcp.client_hostname ;; - group_label: "Network Dhcp" - group_item_label: "Client Hostname" - } - - dimension: network__dhcp__client_identifier { - type: string - sql: ${TABLE}.network.dhcp.client_identifier ;; - group_label: "Network Dhcp" - group_item_label: "Client Identifier" - } - - dimension: network__dhcp__file { - type: string - sql: ${TABLE}.network.dhcp.file ;; - group_label: "Network Dhcp" - group_item_label: "File" - } - - dimension: network__dhcp__flags { - type: number - sql: ${TABLE}.network.dhcp.flags ;; - group_label: "Network Dhcp" - group_item_label: "Flags" - } - - dimension: network__dhcp__giaddr { - type: string - sql: ${TABLE}.network.dhcp.giaddr ;; - group_label: "Network Dhcp" - group_item_label: "Giaddr" - } - - dimension: network__dhcp__hlen { - type: number - sql: ${TABLE}.network.dhcp.hlen ;; - group_label: "Network Dhcp" - group_item_label: "Hlen" - } - - dimension: network__dhcp__hops { - type: number - sql: ${TABLE}.network.dhcp.hops ;; - group_label: "Network Dhcp" - group_item_label: "Hops" - } - - dimension: network__dhcp__htype { - type: number - sql: ${TABLE}.network.dhcp.htype ;; - group_label: "Network Dhcp" - 
group_item_label: "Htype" - } - - dimension: network__dhcp__lease_time_seconds { - type: number - sql: ${TABLE}.network.dhcp.lease_time_seconds ;; - group_label: "Network Dhcp" - group_item_label: "Lease Time Seconds" - } - - dimension: network__dhcp__opcode { - type: number - sql: ${TABLE}.network.dhcp.opcode ;; - group_label: "Network Dhcp" - group_item_label: "Opcode" - } - - dimension: network__dhcp__options__list { - hidden: yes - sql: ${TABLE}.network.dhcp.options.list ;; - group_label: "Network Dhcp Options" - group_item_label: "List" - } - - dimension: network__dhcp__requested_address { - type: string - sql: ${TABLE}.network.dhcp.requested_address ;; - group_label: "Network Dhcp" - group_item_label: "Requested Address" - } - - dimension: network__dhcp__seconds { - type: number - sql: ${TABLE}.network.dhcp.seconds ;; - group_label: "Network Dhcp" - group_item_label: "Seconds" - } - - dimension: network__dhcp__siaddr { - type: string - sql: ${TABLE}.network.dhcp.siaddr ;; - group_label: "Network Dhcp" - group_item_label: "Siaddr" - } - - dimension: network__dhcp__sname { - type: string - sql: ${TABLE}.network.dhcp.sname ;; - group_label: "Network Dhcp" - group_item_label: "Sname" - } - - dimension: network__dhcp__transaction_id { - type: number - sql: ${TABLE}.network.dhcp.transaction_id ;; - group_label: "Network Dhcp" - group_item_label: "Transaction ID" - } - - dimension: network__dhcp__type { - type: number - sql: ${TABLE}.network.dhcp.type ;; - group_label: "Network Dhcp" - group_item_label: "Type" - } - - dimension: network__dhcp__yiaddr { - type: string - sql: ${TABLE}.network.dhcp.yiaddr ;; - group_label: "Network Dhcp" - group_item_label: "Yiaddr" - } - - dimension: network__direction { - type: number - sql: ${TABLE}.network.direction ;; - group_label: "Network" - group_item_label: "Direction" - } - - dimension: network__dns__additional__list { - hidden: yes - sql: ${TABLE}.network.dns.additional.list ;; - group_label: "Network Dns Additional" - 
group_item_label: "List" - } - - dimension: network__dns__answers__list { - hidden: yes - sql: ${TABLE}.network.dns.answers.list ;; - group_label: "Network Dns Answers" - group_item_label: "List" - } - - dimension: network__dns__authoritative { - type: yesno - sql: ${TABLE}.network.dns.authoritative ;; - group_label: "Network Dns" - group_item_label: "Authoritative" - } - - dimension: network__dns__authority__list { - hidden: yes - sql: ${TABLE}.network.dns.authority.list ;; - group_label: "Network Dns Authority" - group_item_label: "List" - } - - dimension: network__dns__id { - type: number - sql: ${TABLE}.network.dns.id ;; - group_label: "Network Dns" - group_item_label: "ID" - } - - dimension: network__dns__opcode { - type: number - sql: ${TABLE}.network.dns.opcode ;; - group_label: "Network Dns" - group_item_label: "Opcode" - } - - dimension: network__dns__questions__list { - hidden: yes - sql: ${TABLE}.network.dns.questions.list ;; - group_label: "Network Dns Questions" - group_item_label: "List" - } - - dimension: network__dns__recursion_available { - type: yesno - sql: ${TABLE}.network.dns.recursion_available ;; - group_label: "Network Dns" - group_item_label: "Recursion Available" - } - - dimension: network__dns__recursion_desired { - type: yesno - sql: ${TABLE}.network.dns.recursion_desired ;; - group_label: "Network Dns" - group_item_label: "Recursion Desired" - } - - dimension: network__dns__response { - type: yesno - sql: ${TABLE}.network.dns.response ;; - group_label: "Network Dns" - group_item_label: "Response" - } - - dimension: network__dns__response_code { - type: number - sql: ${TABLE}.network.dns.response_code ;; - group_label: "Network Dns" - group_item_label: "Response Code" - } - - dimension: network__dns__truncated { - type: yesno - sql: ${TABLE}.network.dns.truncated ;; - group_label: "Network Dns" - group_item_label: "Truncated" - } - - dimension: network__dns_domain { - type: string - sql: ${TABLE}.network.dns_domain ;; - group_label: 
"Network" - group_item_label: "Dns Domain" - } - - dimension: network__email__bcc__list { - hidden: yes - sql: ${TABLE}.network.email.bcc.list ;; - group_label: "Network Email Bcc" - group_item_label: "List" - } - - dimension: network__email__cc__list { - hidden: yes - sql: ${TABLE}.network.email.cc.list ;; - group_label: "Network Email Cc" - group_item_label: "List" - } - - dimension: network__email__from { - type: string - sql: ${TABLE}.network.email.`from` ;; - group_label: "Network Email" - group_item_label: "From" - } - - dimension: network__email__mail_id { - type: string - sql: ${TABLE}.network.email.mail_id ;; - group_label: "Network Email" - group_item_label: "Mail ID" - } - - dimension: network__email__reply_to { - type: string - sql: ${TABLE}.network.email.reply_to ;; - group_label: "Network Email" - group_item_label: "Reply To" - } - - dimension: network__email__subject__list { - hidden: yes - sql: ${TABLE}.network.email.subject.list ;; - group_label: "Network Email Subject" - group_item_label: "List" - } - - dimension: network__email__to__list { - hidden: yes - sql: ${TABLE}.network.email.to.list ;; - group_label: "Network Email To" - group_item_label: "List" - } - - dimension: network__ftp__command { - type: string - sql: ${TABLE}.network.ftp.command ;; - group_label: "Network Ftp" - group_item_label: "Command" - } - - dimension: network__http__method { - type: string - sql: ${TABLE}.network.http.method ;; - group_label: "Network HTTP" - group_item_label: "Method" - } - - dimension: network__http__referral_url { - type: string - sql: ${TABLE}.network.http.referral_url ;; - group_label: "Network HTTP" - group_item_label: "Referral URL" - } - - dimension: network__http__response_code { - type: number - sql: ${TABLE}.network.http.response_code ;; - group_label: "Network HTTP" - group_item_label: "Response Code" - } - - dimension: network__http__user_agent { - type: string - sql: ${TABLE}.network.http.user_agent ;; - group_label: "Network HTTP" - 
group_item_label: "User Agent" - } - - dimension: network__ip_protocol { - type: number - sql: ${TABLE}.network.ip_protocol ;; - group_label: "Network" - group_item_label: "IP Protocol" - } - - dimension: network__organization_name { - type: string - sql: ${TABLE}.network.organization_name ;; - group_label: "Network" - group_item_label: "Organization Name" - } - - dimension: network__received_bytes { - type: number - sql: ${TABLE}.network.received_bytes ;; - group_label: "Network" - group_item_label: "Received Bytes" - } - - dimension: network__sent_bytes { - type: number - sql: ${TABLE}.network.sent_bytes ;; - group_label: "Network" - group_item_label: "Sent Bytes" - } - - dimension: network__session_duration { - type: string - sql: ${TABLE}.network.session_duration ;; - group_label: "Network" - group_item_label: "Session Duration" - } - - dimension: network__session_id { - type: string - sql: ${TABLE}.network.session_id ;; - group_label: "Network" - group_item_label: "Session ID" - } - - dimension: network__tls__cipher { - type: string - sql: ${TABLE}.network.tls.cipher ;; - group_label: "Network Tls" - group_item_label: "Cipher" - } - - dimension: network__tls__client__certificate__issuer { - type: string - sql: ${TABLE}.network.tls.client.certificate.issuer ;; - group_label: "Network Tls Client Certificate" - group_item_label: "Issuer" - } - - dimension: network__tls__client__certificate__md5 { - type: string - sql: ${TABLE}.network.tls.client.certificate.md5 ;; - group_label: "Network Tls Client Certificate" - group_item_label: "Md5" - } - - dimension: network__tls__client__certificate__not_after { - type: string - sql: ${TABLE}.network.tls.client.certificate.not_after ;; - group_label: "Network Tls Client Certificate" - group_item_label: "Not After" - } - - dimension: network__tls__client__certificate__not_before { - type: string - sql: ${TABLE}.network.tls.client.certificate.not_before ;; - group_label: "Network Tls Client Certificate" - group_item_label: 
"Not Before" - } - - dimension: network__tls__client__certificate__serial { - type: string - sql: ${TABLE}.network.tls.client.certificate.serial ;; - group_label: "Network Tls Client Certificate" - group_item_label: "Serial" - } - - dimension: network__tls__client__certificate__sha1 { - type: string - sql: ${TABLE}.network.tls.client.certificate.sha1 ;; - group_label: "Network Tls Client Certificate" - group_item_label: "Sha1" - } - - dimension: network__tls__client__certificate__sha256 { - type: string - sql: ${TABLE}.network.tls.client.certificate.sha256 ;; - group_label: "Network Tls Client Certificate" - group_item_label: "Sha256" - } - - dimension: network__tls__client__certificate__subject { - type: string - sql: ${TABLE}.network.tls.client.certificate.subject ;; - group_label: "Network Tls Client Certificate" - group_item_label: "Subject" - } - - dimension: network__tls__client__certificate__version { - type: string - sql: ${TABLE}.network.tls.client.certificate.version ;; - group_label: "Network Tls Client Certificate" - group_item_label: "Version" - } - - dimension: network__tls__client__ja3 { - type: string - sql: ${TABLE}.network.tls.client.ja3 ;; - group_label: "Network Tls Client" - group_item_label: "Ja3" - } - - dimension: network__tls__client__server_name { - type: string - sql: ${TABLE}.network.tls.client.server_name ;; - group_label: "Network Tls Client" - group_item_label: "Server Name" - } - - dimension: network__tls__client__supported_ciphers__list { - hidden: yes - sql: ${TABLE}.network.tls.client.supported_ciphers.list ;; - group_label: "Network Tls Client Supported Ciphers" - group_item_label: "List" - } - - dimension: network__tls__curve { - type: string - sql: ${TABLE}.network.tls.curve ;; - group_label: "Network Tls" - group_item_label: "Curve" - } - - dimension: network__tls__established { - type: yesno - sql: ${TABLE}.network.tls.established ;; - group_label: "Network Tls" - group_item_label: "Established" - } - - dimension: 
network__tls__next_protocol { - type: string - sql: ${TABLE}.network.tls.next_protocol ;; - group_label: "Network Tls" - group_item_label: "Next Protocol" - } - - dimension: network__tls__resumed { - type: yesno - sql: ${TABLE}.network.tls.resumed ;; - group_label: "Network Tls" - group_item_label: "Resumed" - } - - dimension: network__tls__server__certificate__issuer { - type: string - sql: ${TABLE}.network.tls.server.certificate.issuer ;; - group_label: "Network Tls Server Certificate" - group_item_label: "Issuer" - } - - dimension: network__tls__server__certificate__md5 { - type: string - sql: ${TABLE}.network.tls.server.certificate.md5 ;; - group_label: "Network Tls Server Certificate" - group_item_label: "Md5" - } - - dimension: network__tls__server__certificate__not_after { - type: string - sql: ${TABLE}.network.tls.server.certificate.not_after ;; - group_label: "Network Tls Server Certificate" - group_item_label: "Not After" - } - - dimension: network__tls__server__certificate__not_before { - type: string - sql: ${TABLE}.network.tls.server.certificate.not_before ;; - group_label: "Network Tls Server Certificate" - group_item_label: "Not Before" - } - - dimension: network__tls__server__certificate__serial { - type: string - sql: ${TABLE}.network.tls.server.certificate.serial ;; - group_label: "Network Tls Server Certificate" - group_item_label: "Serial" - } - - dimension: network__tls__server__certificate__sha1 { - type: string - sql: ${TABLE}.network.tls.server.certificate.sha1 ;; - group_label: "Network Tls Server Certificate" - group_item_label: "Sha1" - } - - dimension: network__tls__server__certificate__sha256 { - type: string - sql: ${TABLE}.network.tls.server.certificate.sha256 ;; - group_label: "Network Tls Server Certificate" - group_item_label: "Sha256" - } - - dimension: network__tls__server__certificate__subject { - type: string - sql: ${TABLE}.network.tls.server.certificate.subject ;; - group_label: "Network Tls Server Certificate" - 
group_item_label: "Subject" - } - - dimension: network__tls__server__certificate__version { - type: string - sql: ${TABLE}.network.tls.server.certificate.version ;; - group_label: "Network Tls Server Certificate" - group_item_label: "Version" - } - - dimension: network__tls__server__ja3s { - type: string - sql: ${TABLE}.network.tls.server.ja3s ;; - group_label: "Network Tls Server" - group_item_label: "Ja3s" - } - - dimension: network__tls__version { - type: string - sql: ${TABLE}.network.tls.version ;; - group_label: "Network Tls" - group_item_label: "Version" - } - - dimension: network__tls__version_protocol { - type: string - sql: ${TABLE}.network.tls.version_protocol ;; - group_label: "Network Tls" - group_item_label: "Version Protocol" - } - - dimension: observer__administrative_domain { - type: string - sql: ${TABLE}.observer.administrative_domain ;; - group_label: "Observer" - group_item_label: "Administrative Domain" - } - - dimension: observer__application { - type: string - sql: ${TABLE}.observer.application ;; - group_label: "Observer" - group_item_label: "Application" - } - - dimension: observer__asset__asset_id { - type: string - sql: ${TABLE}.observer.asset.asset_id ;; - group_label: "Observer Asset" - group_item_label: "Asset ID" - } - - dimension: observer__asset__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.observer.asset.attribute.cloud.availability_zone ;; - group_label: "Observer Asset Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: observer__asset__attribute__cloud__environment { - type: number - sql: ${TABLE}.observer.asset.attribute.cloud.environment ;; - group_label: "Observer Asset Attribute Cloud" - group_item_label: "Environment" - } - - dimension: observer__asset__attribute__creation_time { - type: string - sql: ${TABLE}.observer.asset.attribute.creation_time ;; - group_label: "Observer Asset Attribute" - group_item_label: "Creation Time" - } - - dimension: 
observer__asset__attribute__labels__list { - hidden: yes - sql: ${TABLE}.observer.asset.attribute.labels.list ;; - group_label: "Observer Asset Attribute Labels" - group_item_label: "List" - } - - dimension: observer__asset__attribute__last_update_time { - type: string - sql: ${TABLE}.observer.asset.attribute.last_update_time ;; - group_label: "Observer Asset Attribute" - group_item_label: "Last Update Time" - } - - dimension: observer__asset__attribute__permissions__list { - hidden: yes - sql: ${TABLE}.observer.asset.attribute.permissions.list ;; - group_label: "Observer Asset Attribute Permissions" - group_item_label: "List" - } - - dimension: observer__asset__attribute__roles__list { - hidden: yes - sql: ${TABLE}.observer.asset.attribute.roles.list ;; - group_label: "Observer Asset Attribute Roles" - group_item_label: "List" - } - - dimension: observer__asset__category { - type: string - sql: ${TABLE}.observer.asset.category ;; - group_label: "Observer Asset" - group_item_label: "Category" - } - - dimension: observer__asset__deployment_status { - type: number - sql: ${TABLE}.observer.asset.deployment_status ;; - group_label: "Observer Asset" - group_item_label: "Deployment Status" - } - - dimension: observer__asset__first_discover_time { - type: string - sql: ${TABLE}.observer.asset.first_discover_time ;; - group_label: "Observer Asset" - group_item_label: "First Discover Time" - } - - dimension: observer__asset__hardware__list { - hidden: yes - sql: ${TABLE}.observer.asset.hardware.list ;; - group_label: "Observer Asset Hardware" - group_item_label: "List" - } - - dimension: observer__asset__hostname { - type: string - sql: ${TABLE}.observer.asset.hostname ;; - group_label: "Observer Asset" - group_item_label: "Hostname" - } - - dimension: observer__asset__ip__list { - hidden: yes - sql: ${TABLE}.observer.asset.ip.list ;; - group_label: "Observer Asset IP" - group_item_label: "List" - } - - dimension: observer__asset__last_boot_time { - type: string - sql: 
${TABLE}.observer.asset.last_boot_time ;; - group_label: "Observer Asset" - group_item_label: "Last Boot Time" - } - - dimension: observer__asset__last_discover_time { - type: string - sql: ${TABLE}.observer.asset.last_discover_time ;; - group_label: "Observer Asset" - group_item_label: "Last Discover Time" - } - - dimension: observer__asset__location__city { - type: string - sql: ${TABLE}.observer.asset.location.city ;; - group_label: "Observer Asset Location" - group_item_label: "City" - } - - dimension: observer__asset__location__country_or_region { - type: string - sql: ${TABLE}.observer.asset.location.country_or_region ;; - group_label: "Observer Asset Location" - group_item_label: "Country or Region" - } - - dimension: observer__asset__location__desk_name { - type: string - sql: ${TABLE}.observer.asset.location.desk_name ;; - group_label: "Observer Asset Location" - group_item_label: "Desk Name" - } - - dimension: observer__asset__location__floor_name { - type: string - sql: ${TABLE}.observer.asset.location.floor_name ;; - group_label: "Observer Asset Location" - group_item_label: "Floor Name" - } - - dimension: observer__asset__location__name { - type: string - sql: ${TABLE}.observer.asset.location.name ;; - group_label: "Observer Asset Location" - group_item_label: "Name" - } - - dimension: observer__asset__location__region_latitude { - type: number - sql: ${TABLE}.observer.asset.location.region_latitude ;; - group_label: "Observer Asset Location" - group_item_label: "Region Latitude" - } - - dimension: observer__asset__location__region_longitude { - type: number - sql: ${TABLE}.observer.asset.location.region_longitude ;; - group_label: "Observer Asset Location" - group_item_label: "Region Longitude" - } - - dimension: observer__asset__location__state { - type: string - sql: ${TABLE}.observer.asset.location.state ;; - group_label: "Observer Asset Location" - group_item_label: "State" - } - - dimension: observer__asset__mac__list { - hidden: yes - sql: 
${TABLE}.observer.asset.mac.list ;; - group_label: "Observer Asset Mac" - group_item_label: "List" - } - - dimension: observer__asset__nat_ip__list { - hidden: yes - sql: ${TABLE}.observer.asset.nat_ip.list ;; - group_label: "Observer Asset Nat IP" - group_item_label: "List" - } - - dimension: observer__asset__network_domain { - type: string - sql: ${TABLE}.observer.asset.network_domain ;; - group_label: "Observer Asset" - group_item_label: "Network Domain" - } - - dimension: observer__asset__platform_software__platform { - type: number - sql: ${TABLE}.observer.asset.platform_software.platform ;; - group_label: "Observer Asset Platform Software" - group_item_label: "Platform" - } - - dimension: observer__asset__platform_software__platform_patch_level { - type: string - sql: ${TABLE}.observer.asset.platform_software.platform_patch_level ;; - group_label: "Observer Asset Platform Software" - group_item_label: "Platform Patch Level" - } - - dimension: observer__asset__platform_software__platform_version { - type: string - sql: ${TABLE}.observer.asset.platform_software.platform_version ;; - group_label: "Observer Asset Platform Software" - group_item_label: "Platform Version" - } - - dimension: observer__asset__product_object_id { - type: string - sql: ${TABLE}.observer.asset.product_object_id ;; - group_label: "Observer Asset" - group_item_label: "Product Object ID" - } - - dimension: observer__asset__software__list { - hidden: yes - sql: ${TABLE}.observer.asset.software.list ;; - group_label: "Observer Asset Software" - group_item_label: "List" - } - - dimension: observer__asset__system_last_update_time { - type: string - sql: ${TABLE}.observer.asset.system_last_update_time ;; - group_label: "Observer Asset" - group_item_label: "System Last Update Time" - } - - dimension: observer__asset__type { - type: number - sql: ${TABLE}.observer.asset.type ;; - group_label: "Observer Asset" - group_item_label: "Type" - } - - dimension: observer__asset__vulnerabilities__list { - 
hidden: yes - sql: ${TABLE}.observer.asset.vulnerabilities.list ;; - group_label: "Observer Asset Vulnerabilities" - group_item_label: "List" - } - - dimension: observer__asset_id { - type: string - sql: ${TABLE}.observer.asset_id ;; - group_label: "Observer" - group_item_label: "Asset ID" - } - - dimension: observer__domain__name { - type: string - sql: ${TABLE}.observer.domain.name ;; - group_label: "Observer Domain" - group_item_label: "Name" - } - - dimension: observer__domain__prevalence__day_count { - type: number - sql: ${TABLE}.observer.domain.prevalence.day_count ;; - group_label: "Observer Domain Prevalence" - group_item_label: "Day Count" - } - - dimension: observer__domain__prevalence__rolling_max { - type: number - sql: ${TABLE}.observer.domain.prevalence.rolling_max ;; - group_label: "Observer Domain Prevalence" - group_item_label: "Rolling Max" - } - - dimension: observer__email { - type: string - sql: ${TABLE}.observer.email ;; - group_label: "Observer" - group_item_label: "Email" - } - - dimension: observer__file__ahash { - type: string - sql: ${TABLE}.observer.file.ahash ;; - group_label: "Observer File" - group_item_label: "Ahash" - } - - dimension: observer__file__capabilities_tags__list { - hidden: yes - sql: ${TABLE}.observer.file.capabilities_tags.list ;; - group_label: "Observer File Capabilities Tags" - group_item_label: "List" - } - - dimension: observer__file__file_type { - type: number - sql: ${TABLE}.observer.file.file_type ;; - group_label: "Observer File" - group_item_label: "File Type" - } - - dimension: observer__file__full_path { - type: string - sql: ${TABLE}.observer.file.full_path ;; - group_label: "Observer File" - group_item_label: "Full Path" - } - - dimension: observer__file__md5 { - type: string - sql: ${TABLE}.observer.file.md5 ;; - group_label: "Observer File" - group_item_label: "Md5" - } - - dimension: observer__file__mime_type { - type: string - sql: ${TABLE}.observer.file.mime_type ;; - group_label: "Observer File" - 
group_item_label: "Mime Type" - } - - dimension: observer__file__names__list { - hidden: yes - sql: ${TABLE}.observer.file.names.list ;; - group_label: "Observer File Names" - group_item_label: "List" - } - - dimension: observer__file__pe_file__compilation_exiftool_time { - type: string - sql: ${TABLE}.observer.file.pe_file.compilation_exiftool_time ;; - group_label: "Observer File Pe File" - group_item_label: "Compilation Exiftool Time" - } - - dimension: observer__file__pe_file__compilation_time { - type: string - sql: ${TABLE}.observer.file.pe_file.compilation_time ;; - group_label: "Observer File Pe File" - group_item_label: "Compilation Time" - } - - dimension: observer__file__pe_file__entry_point { - type: number - sql: ${TABLE}.observer.file.pe_file.entry_point ;; - group_label: "Observer File Pe File" - group_item_label: "Entry Point" - } - - dimension: observer__file__pe_file__entry_point_exiftool { - type: number - sql: ${TABLE}.observer.file.pe_file.entry_point_exiftool ;; - group_label: "Observer File Pe File" - group_item_label: "Entry Point Exiftool" - } - - dimension: observer__file__pe_file__imphash { - type: string - sql: ${TABLE}.observer.file.pe_file.imphash ;; - group_label: "Observer File Pe File" - group_item_label: "Imphash" - } - - dimension: observer__file__pe_file__imports__list { - hidden: yes - sql: ${TABLE}.observer.file.pe_file.imports.list ;; - group_label: "Observer File Pe File Imports" - group_item_label: "List" - } - - dimension: observer__file__pe_file__resource__list { - hidden: yes - sql: ${TABLE}.observer.file.pe_file.resource.list ;; - group_label: "Observer File Pe File Resource" - group_item_label: "List" - } - - dimension: observer__file__pe_file__resources_language_count__list { - hidden: yes - sql: ${TABLE}.observer.file.pe_file.resources_language_count.list ;; - group_label: "Observer File Pe File Resources Language Count" - group_item_label: "List" - } - - dimension: observer__file__pe_file__resources_type_count__list 
{ - hidden: yes - sql: ${TABLE}.observer.file.pe_file.resources_type_count.list ;; - group_label: "Observer File Pe File Resources Type Count" - group_item_label: "List" - } - - dimension: observer__file__pe_file__section__list { - hidden: yes - sql: ${TABLE}.observer.file.pe_file.section.list ;; - group_label: "Observer File Pe File Section" - group_item_label: "List" - } - - dimension: observer__file__pe_file__signature_info__signer__list { - hidden: yes - sql: ${TABLE}.observer.file.pe_file.signature_info.signer.list ;; - group_label: "Observer File Pe File Signature Info Signer" - group_item_label: "List" - } - - dimension: observer__file__pe_file__signature_info__verification_message { - type: string - sql: ${TABLE}.observer.file.pe_file.signature_info.verification_message ;; - group_label: "Observer File Pe File Signature Info" - group_item_label: "Verification Message" - } - - dimension: observer__file__pe_file__signature_info__verified { - type: yesno - sql: ${TABLE}.observer.file.pe_file.signature_info.verified ;; - group_label: "Observer File Pe File Signature Info" - group_item_label: "Verified" - } - - dimension: observer__file__sha1 { - type: string - sql: ${TABLE}.observer.file.sha1 ;; - group_label: "Observer File" - group_item_label: "Sha1" - } - - dimension: observer__file__sha256 { - type: string - sql: ${TABLE}.observer.file.sha256 ;; - group_label: "Observer File" - group_item_label: "Sha256" - } - - dimension: observer__file__size { - type: number - sql: ${TABLE}.observer.file.size ;; - group_label: "Observer File" - group_item_label: "Size" - } - - dimension: observer__file__ssdeep { - type: string - sql: ${TABLE}.observer.file.ssdeep ;; - group_label: "Observer File" - group_item_label: "Ssdeep" - } - - dimension: observer__file__vhash { - type: string - sql: ${TABLE}.observer.file.vhash ;; - group_label: "Observer File" - group_item_label: "Vhash" - } - - dimension: observer__group__attribute__cloud__availability_zone { - type: string - sql: 
${TABLE}.observer.`group`.attribute.cloud.availability_zone ;; - group_label: "Observer Group Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: observer__group__attribute__cloud__environment { - type: number - sql: ${TABLE}.observer.`group`.attribute.cloud.environment ;; - group_label: "Observer Group Attribute Cloud" - group_item_label: "Environment" - } - - dimension: observer__group__attribute__creation_time { - type: string - sql: ${TABLE}.observer.`group`.attribute.creation_time ;; - group_label: "Observer Group Attribute" - group_item_label: "Creation Time" - } - - dimension: observer__group__attribute__labels__list { - hidden: yes - sql: ${TABLE}.observer.group.attribute.labels.list ;; - group_label: "Observer Group Attribute Labels" - group_item_label: "List" - } - - dimension: observer__group__attribute__last_update_time { - type: string - sql: ${TABLE}.observer.`group`.attribute.last_update_time ;; - group_label: "Observer Group Attribute" - group_item_label: "Last Update Time" - } - - dimension: observer__group__attribute__permissions__list { - hidden: yes - sql: ${TABLE}.observer.group.attribute.permissions.list ;; - group_label: "Observer Group Attribute Permissions" - group_item_label: "List" - } - - dimension: observer__group__attribute__roles__list { - hidden: yes - sql: ${TABLE}.observer.group.attribute.roles.list ;; - group_label: "Observer Group Attribute Roles" - group_item_label: "List" - } - - dimension: observer__group__email_addresses__list { - hidden: yes - sql: ${TABLE}.observer.group.email_addresses.list ;; - group_label: "Observer Group Email Addresses" - group_item_label: "List" - } - - dimension: observer__group__group_display_name { - type: string - sql: ${TABLE}.observer.`group`.group_display_name ;; - group_label: "Observer Group" - group_item_label: "Group Display Name" - } - - dimension: observer__group__product_object_id { - type: string - sql: ${TABLE}.observer.`group`.product_object_id ;; - 
group_label: "Observer Group" - group_item_label: "Product Object ID" - } - - dimension: observer__group__windows_sid { - type: string - sql: ${TABLE}.observer.`group`.windows_sid ;; - group_label: "Observer Group" - group_item_label: "Windows Sid" - } - - dimension: observer__hostname { - type: string - sql: ${TABLE}.observer.hostname ;; - group_label: "Observer" - group_item_label: "Hostname" - } - - dimension: observer__investigation__comments__list { - hidden: yes - sql: ${TABLE}.observer.investigation.comments.list ;; - group_label: "Observer Investigation Comments" - group_item_label: "List" - } - - dimension: observer__investigation__reputation { - type: number - sql: ${TABLE}.observer.investigation.reputation ;; - group_label: "Observer Investigation" - group_item_label: "Reputation" - } - - dimension: observer__investigation__severity_score { - type: number - sql: ${TABLE}.observer.investigation.severity_score ;; - group_label: "Observer Investigation" - group_item_label: "Severity Score" - } - - dimension: observer__investigation__status { - type: number - sql: ${TABLE}.observer.investigation.status ;; - group_label: "Observer Investigation" - group_item_label: "Status" - } - - dimension: observer__investigation__verdict { - type: number - sql: ${TABLE}.observer.investigation.verdict ;; - group_label: "Observer Investigation" - group_item_label: "Verdict" - } - - dimension: observer__ip__list { - hidden: yes - sql: ${TABLE}.observer.ip.list ;; - group_label: "Observer IP" - group_item_label: "List" - } - - dimension: observer__location__city { - type: string - sql: ${TABLE}.observer.location.city ;; - group_label: "Observer Location" - group_item_label: "City" - } - - dimension: observer__location__country_or_region { - type: string - sql: ${TABLE}.observer.location.country_or_region ;; - group_label: "Observer Location" - group_item_label: "Country or Region" - } - - dimension: observer__location__desk_name { - type: string - sql: 
${TABLE}.observer.location.desk_name ;; - group_label: "Observer Location" - group_item_label: "Desk Name" - } - - dimension: observer__location__floor_name { - type: string - sql: ${TABLE}.observer.location.floor_name ;; - group_label: "Observer Location" - group_item_label: "Floor Name" - } - - dimension: observer__location__name { - type: string - sql: ${TABLE}.observer.location.name ;; - group_label: "Observer Location" - group_item_label: "Name" - } - - dimension: observer__location__region_latitude { - type: number - sql: ${TABLE}.observer.location.region_latitude ;; - group_label: "Observer Location" - group_item_label: "Region Latitude" - } - - dimension: observer__location__region_longitude { - type: number - sql: ${TABLE}.observer.location.region_longitude ;; - group_label: "Observer Location" - group_item_label: "Region Longitude" - } - - dimension: observer__location__state { - type: string - sql: ${TABLE}.observer.location.state ;; - group_label: "Observer Location" - group_item_label: "State" - } - - dimension: observer__mac__list { - hidden: yes - sql: ${TABLE}.observer.mac.list ;; - group_label: "Observer Mac" - group_item_label: "List" - } - - dimension: observer__namespace { - type: string - sql: ${TABLE}.observer.namespace ;; - group_label: "Observer" - group_item_label: "Namespace" - } - - dimension: observer__nat_ip__list { - hidden: yes - sql: ${TABLE}.observer.nat_ip.list ;; - group_label: "Observer Nat IP" - group_item_label: "List" - } - - dimension: observer__nat_port { - type: number - sql: ${TABLE}.observer.nat_port ;; - group_label: "Observer" - group_item_label: "Nat Port" - } - - dimension: observer__object_reference__id { - type: string - sql: ${TABLE}.observer.object_reference.id ;; - group_label: "Observer Object Reference" - group_item_label: "ID" - } - - dimension: observer__object_reference__namespace { - type: number - sql: ${TABLE}.observer.object_reference.namespace ;; - group_label: "Observer Object Reference" - 
group_item_label: "Namespace" - } - - dimension: observer__platform { - type: number - sql: ${TABLE}.observer.platform ;; - group_label: "Observer" - group_item_label: "Platform" - } - - dimension: observer__platform_patch_level { - type: string - sql: ${TABLE}.observer.platform_patch_level ;; - group_label: "Observer" - group_item_label: "Platform Patch Level" - } - - dimension: observer__platform_version { - type: string - sql: ${TABLE}.observer.platform_version ;; - group_label: "Observer" - group_item_label: "Platform Version" - } - - dimension: observer__port { - type: number - sql: ${TABLE}.observer.port ;; - group_label: "Observer" - group_item_label: "Port" - } - - dimension: observer__process__access_mask { - type: number - sql: ${TABLE}.observer.process.access_mask ;; - group_label: "Observer Process" - group_item_label: "Access Mask" - } - - dimension: observer__process__command_line { - type: string - sql: ${TABLE}.observer.process.command_line ;; - group_label: "Observer Process" - group_item_label: "Command Line" - } - - dimension: observer__process__command_line_history__list { - hidden: yes - sql: ${TABLE}.observer.process.command_line_history.list ;; - group_label: "Observer Process Command Line History" - group_item_label: "List" - } - - dimension: observer__process__file__ahash { - type: string - sql: ${TABLE}.observer.process.file.ahash ;; - group_label: "Observer Process File" - group_item_label: "Ahash" - } - - dimension: observer__process__file__capabilities_tags__list { - hidden: yes - sql: ${TABLE}.observer.process.file.capabilities_tags.list ;; - group_label: "Observer Process File Capabilities Tags" - group_item_label: "List" - } - - dimension: observer__process__file__file_type { - type: number - sql: ${TABLE}.observer.process.file.file_type ;; - group_label: "Observer Process File" - group_item_label: "File Type" - } - - dimension: observer__process__file__full_path { - type: string - sql: ${TABLE}.observer.process.file.full_path ;; - 
group_label: "Observer Process File" - group_item_label: "Full Path" - } - - dimension: observer__process__file__md5 { - type: string - sql: ${TABLE}.observer.process.file.md5 ;; - group_label: "Observer Process File" - group_item_label: "Md5" - } - - dimension: observer__process__file__mime_type { - type: string - sql: ${TABLE}.observer.process.file.mime_type ;; - group_label: "Observer Process File" - group_item_label: "Mime Type" - } - - dimension: observer__process__file__names__list { - hidden: yes - sql: ${TABLE}.observer.process.file.names.list ;; - group_label: "Observer Process File Names" - group_item_label: "List" - } - - dimension: observer__process__file__pe_file__compilation_exiftool_time { - type: string - sql: ${TABLE}.observer.process.file.pe_file.compilation_exiftool_time ;; - group_label: "Observer Process File Pe File" - group_item_label: "Compilation Exiftool Time" - } - - dimension: observer__process__file__pe_file__compilation_time { - type: string - sql: ${TABLE}.observer.process.file.pe_file.compilation_time ;; - group_label: "Observer Process File Pe File" - group_item_label: "Compilation Time" - } - - dimension: observer__process__file__pe_file__entry_point { - type: number - sql: ${TABLE}.observer.process.file.pe_file.entry_point ;; - group_label: "Observer Process File Pe File" - group_item_label: "Entry Point" - } - - dimension: observer__process__file__pe_file__entry_point_exiftool { - type: number - sql: ${TABLE}.observer.process.file.pe_file.entry_point_exiftool ;; - group_label: "Observer Process File Pe File" - group_item_label: "Entry Point Exiftool" - } - - dimension: observer__process__file__pe_file__imphash { - type: string - sql: ${TABLE}.observer.process.file.pe_file.imphash ;; - group_label: "Observer Process File Pe File" - group_item_label: "Imphash" - } - - dimension: observer__process__file__pe_file__imports__list { - hidden: yes - sql: ${TABLE}.observer.process.file.pe_file.imports.list ;; - group_label: "Observer 
Process File Pe File Imports" - group_item_label: "List" - } - - dimension: observer__process__file__pe_file__resource__list { - hidden: yes - sql: ${TABLE}.observer.process.file.pe_file.resource.list ;; - group_label: "Observer Process File Pe File Resource" - group_item_label: "List" - } - - dimension: observer__process__file__pe_file__resources_language_count__list { - hidden: yes - sql: ${TABLE}.observer.process.file.pe_file.resources_language_count.list ;; - group_label: "Observer Process File Pe File Resources Language Count" - group_item_label: "List" - } - - dimension: observer__process__file__pe_file__resources_type_count__list { - hidden: yes - sql: ${TABLE}.observer.process.file.pe_file.resources_type_count.list ;; - group_label: "Observer Process File Pe File Resources Type Count" - group_item_label: "List" - } - - dimension: observer__process__file__pe_file__section__list { - hidden: yes - sql: ${TABLE}.observer.process.file.pe_file.section.list ;; - group_label: "Observer Process File Pe File Section" - group_item_label: "List" - } - - dimension: observer__process__file__pe_file__signature_info__signer__list { - hidden: yes - sql: ${TABLE}.observer.process.file.pe_file.signature_info.signer.list ;; - group_label: "Observer Process File Pe File Signature Info Signer" - group_item_label: "List" - } - - dimension: observer__process__file__pe_file__signature_info__verification_message { - type: string - sql: ${TABLE}.observer.process.file.pe_file.signature_info.verification_message ;; - group_label: "Observer Process File Pe File Signature Info" - group_item_label: "Verification Message" - } - - dimension: observer__process__file__pe_file__signature_info__verified { - type: yesno - sql: ${TABLE}.observer.process.file.pe_file.signature_info.verified ;; - group_label: "Observer Process File Pe File Signature Info" - group_item_label: "Verified" - } - - dimension: observer__process__file__sha1 { - type: string - sql: ${TABLE}.observer.process.file.sha1 ;; - 
group_label: "Observer Process File" - group_item_label: "Sha1" - } - - dimension: observer__process__file__sha256 { - type: string - sql: ${TABLE}.observer.process.file.sha256 ;; - group_label: "Observer Process File" - group_item_label: "Sha256" - } - - dimension: observer__process__file__size { - type: number - sql: ${TABLE}.observer.process.file.size ;; - group_label: "Observer Process File" - group_item_label: "Size" - } - - dimension: observer__process__file__ssdeep { - type: string - sql: ${TABLE}.observer.process.file.ssdeep ;; - group_label: "Observer Process File" - group_item_label: "Ssdeep" - } - - dimension: observer__process__file__vhash { - type: string - sql: ${TABLE}.observer.process.file.vhash ;; - group_label: "Observer Process File" - group_item_label: "Vhash" - } - - dimension: observer__process__pid { - type: string - sql: ${TABLE}.observer.process.pid ;; - group_label: "Observer Process" - group_item_label: "Pid" - } - - dimension: observer__process__product_specific_process_id { - type: string - sql: ${TABLE}.observer.process.product_specific_process_id ;; - group_label: "Observer Process" - group_item_label: "Product Specific Process ID" - } - - dimension: observer__process_ancestors__list { - hidden: yes - sql: ${TABLE}.observer.process_ancestors.list ;; - group_label: "Observer Process Ancestors" - group_item_label: "List" - } - - dimension: observer__registry__registry_key { - type: string - sql: ${TABLE}.observer.registry.registry_key ;; - group_label: "Observer Registry" - group_item_label: "Registry Key" - } - - dimension: observer__registry__registry_value_data { - type: string - sql: ${TABLE}.observer.registry.registry_value_data ;; - group_label: "Observer Registry" - group_item_label: "Registry Value Data" - } - - dimension: observer__registry__registry_value_name { - type: string - sql: ${TABLE}.observer.registry.registry_value_name ;; - group_label: "Observer Registry" - group_item_label: "Registry Value Name" - } - - dimension: 
observer__resource__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.observer.resource.attribute.cloud.availability_zone ;; - group_label: "Observer Resource Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: observer__resource__attribute__cloud__environment { - type: number - sql: ${TABLE}.observer.resource.attribute.cloud.environment ;; - group_label: "Observer Resource Attribute Cloud" - group_item_label: "Environment" - } - - dimension: observer__resource__attribute__creation_time { - type: string - sql: ${TABLE}.observer.resource.attribute.creation_time ;; - group_label: "Observer Resource Attribute" - group_item_label: "Creation Time" - } - - dimension: observer__resource__attribute__labels__list { - hidden: yes - sql: ${TABLE}.observer.resource.attribute.labels.list ;; - group_label: "Observer Resource Attribute Labels" - group_item_label: "List" - } - - dimension: observer__resource__attribute__last_update_time { - type: string - sql: ${TABLE}.observer.resource.attribute.last_update_time ;; - group_label: "Observer Resource Attribute" - group_item_label: "Last Update Time" - } - - dimension: observer__resource__attribute__permissions__list { - hidden: yes - sql: ${TABLE}.observer.resource.attribute.permissions.list ;; - group_label: "Observer Resource Attribute Permissions" - group_item_label: "List" - } - - dimension: observer__resource__attribute__roles__list { - hidden: yes - sql: ${TABLE}.observer.resource.attribute.roles.list ;; - group_label: "Observer Resource Attribute Roles" - group_item_label: "List" - } - - dimension: observer__resource__name { - type: string - sql: ${TABLE}.observer.resource.name ;; - group_label: "Observer Resource" - group_item_label: "Name" - } - - dimension: observer__resource__product_object_id { - type: string - sql: ${TABLE}.observer.resource.product_object_id ;; - group_label: "Observer Resource" - group_item_label: "Product Object ID" - } - - dimension: 
observer__resource__resource_subtype { - type: string - sql: ${TABLE}.observer.resource.resource_subtype ;; - group_label: "Observer Resource" - group_item_label: "Resource Subtype" - } - - dimension: observer__resource__resource_type { - type: number - sql: ${TABLE}.observer.resource.resource_type ;; - group_label: "Observer Resource" - group_item_label: "Resource Type" - } - - dimension: observer__resource_ancestors__list { - hidden: yes - sql: ${TABLE}.observer.resource_ancestors.list ;; - group_label: "Observer Resource Ancestors" - group_item_label: "List" - } - - dimension: observer__url { - type: string - sql: ${TABLE}.observer.url ;; - group_label: "Observer" - group_item_label: "URL" - } - - dimension: observer__user__account_type { - type: number - sql: ${TABLE}.observer.user.account_type ;; - group_label: "Observer User" - group_item_label: "Account Type" - } - - dimension: observer__user__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.observer.user.attribute.cloud.availability_zone ;; - group_label: "Observer User Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: observer__user__attribute__cloud__environment { - type: number - sql: ${TABLE}.observer.user.attribute.cloud.environment ;; - group_label: "Observer User Attribute Cloud" - group_item_label: "Environment" - } - - dimension: observer__user__attribute__creation_time { - type: string - sql: ${TABLE}.observer.user.attribute.creation_time ;; - group_label: "Observer User Attribute" - group_item_label: "Creation Time" - } - - dimension: observer__user__attribute__labels__list { - hidden: yes - sql: ${TABLE}.observer.user.attribute.labels.list ;; - group_label: "Observer User Attribute Labels" - group_item_label: "List" - } - - dimension: observer__user__attribute__last_update_time { - type: string - sql: ${TABLE}.observer.user.attribute.last_update_time ;; - group_label: "Observer User Attribute" - group_item_label: "Last Update Time" - } - - dimension: 
observer__user__attribute__permissions__list { - hidden: yes - sql: ${TABLE}.observer.user.attribute.permissions.list ;; - group_label: "Observer User Attribute Permissions" - group_item_label: "List" - } - - dimension: observer__user__attribute__roles__list { - hidden: yes - sql: ${TABLE}.observer.user.attribute.roles.list ;; - group_label: "Observer User Attribute Roles" - group_item_label: "List" - } - - dimension: observer__user__company_name { - type: string - sql: ${TABLE}.observer.user.company_name ;; - group_label: "Observer User" - group_item_label: "Company Name" - } - - dimension: observer__user__department__list { - hidden: yes - sql: ${TABLE}.observer.user.department.list ;; - group_label: "Observer User Department" - group_item_label: "List" - } - - dimension: observer__user__email_addresses__list { - hidden: yes - sql: ${TABLE}.observer.user.email_addresses.list ;; - group_label: "Observer User Email Addresses" - group_item_label: "List" - } - - dimension: observer__user__employee_id { - type: string - sql: ${TABLE}.observer.user.employee_id ;; - group_label: "Observer User" - group_item_label: "Employee ID" - } - - dimension: observer__user__first_name { - type: string - sql: ${TABLE}.observer.user.first_name ;; - group_label: "Observer User" - group_item_label: "First Name" - } - - dimension: observer__user__group_identifiers__list { - hidden: yes - sql: ${TABLE}.observer.user.group_identifiers.list ;; - group_label: "Observer User Group Identifiers" - group_item_label: "List" - } - - dimension: observer__user__hire_date { - type: string - sql: ${TABLE}.observer.user.hire_date ;; - group_label: "Observer User" - group_item_label: "Hire Date" - } - - dimension: observer__user__last_name { - type: string - sql: ${TABLE}.observer.user.last_name ;; - group_label: "Observer User" - group_item_label: "Last Name" - } - - dimension: observer__user__middle_name { - type: string - sql: ${TABLE}.observer.user.middle_name ;; - group_label: "Observer User" - 
group_item_label: "Middle Name" - } - - dimension: observer__user__office_address__city { - type: string - sql: ${TABLE}.observer.user.office_address.city ;; - group_label: "Observer User Office Address" - group_item_label: "City" - } - - dimension: observer__user__office_address__country_or_region { - type: string - sql: ${TABLE}.observer.user.office_address.country_or_region ;; - group_label: "Observer User Office Address" - group_item_label: "Country or Region" - } - - dimension: observer__user__office_address__desk_name { - type: string - sql: ${TABLE}.observer.user.office_address.desk_name ;; - group_label: "Observer User Office Address" - group_item_label: "Desk Name" - } - - dimension: observer__user__office_address__floor_name { - type: string - sql: ${TABLE}.observer.user.office_address.floor_name ;; - group_label: "Observer User Office Address" - group_item_label: "Floor Name" - } - - dimension: observer__user__office_address__name { - type: string - sql: ${TABLE}.observer.user.office_address.name ;; - group_label: "Observer User Office Address" - group_item_label: "Name" - } - - dimension: observer__user__office_address__region_latitude { - type: number - sql: ${TABLE}.observer.user.office_address.region_latitude ;; - group_label: "Observer User Office Address" - group_item_label: "Region Latitude" - } - - dimension: observer__user__office_address__region_longitude { - type: number - sql: ${TABLE}.observer.user.office_address.region_longitude ;; - group_label: "Observer User Office Address" - group_item_label: "Region Longitude" - } - - dimension: observer__user__office_address__state { - type: string - sql: ${TABLE}.observer.user.office_address.state ;; - group_label: "Observer User Office Address" - group_item_label: "State" - } - - dimension: observer__user__personal_address__city { - type: string - sql: ${TABLE}.observer.user.personal_address.city ;; - group_label: "Observer User Personal Address" - group_item_label: "City" - } - - dimension: 
observer__user__personal_address__country_or_region { - type: string - sql: ${TABLE}.observer.user.personal_address.country_or_region ;; - group_label: "Observer User Personal Address" - group_item_label: "Country or Region" - } - - dimension: observer__user__personal_address__desk_name { - type: string - sql: ${TABLE}.observer.user.personal_address.desk_name ;; - group_label: "Observer User Personal Address" - group_item_label: "Desk Name" - } - - dimension: observer__user__personal_address__floor_name { - type: string - sql: ${TABLE}.observer.user.personal_address.floor_name ;; - group_label: "Observer User Personal Address" - group_item_label: "Floor Name" - } - - dimension: observer__user__personal_address__name { - type: string - sql: ${TABLE}.observer.user.personal_address.name ;; - group_label: "Observer User Personal Address" - group_item_label: "Name" - } - - dimension: observer__user__personal_address__region_latitude { - type: number - sql: ${TABLE}.observer.user.personal_address.region_latitude ;; - group_label: "Observer User Personal Address" - group_item_label: "Region Latitude" - } - - dimension: observer__user__personal_address__region_longitude { - type: number - sql: ${TABLE}.observer.user.personal_address.region_longitude ;; - group_label: "Observer User Personal Address" - group_item_label: "Region Longitude" - } - - dimension: observer__user__personal_address__state { - type: string - sql: ${TABLE}.observer.user.personal_address.state ;; - group_label: "Observer User Personal Address" - group_item_label: "State" - } - - dimension: observer__user__phone_numbers__list { - hidden: yes - sql: ${TABLE}.observer.user.phone_numbers.list ;; - group_label: "Observer User Phone Numbers" - group_item_label: "List" - } - - dimension: observer__user__product_object_id { - type: string - sql: ${TABLE}.observer.user.product_object_id ;; - group_label: "Observer User" - group_item_label: "Product Object ID" - } - - dimension: observer__user__termination_date 
{ - type: string - sql: ${TABLE}.observer.user.termination_date ;; - group_label: "Observer User" - group_item_label: "Termination Date" - } - - dimension: observer__user__time_off__list { - hidden: yes - sql: ${TABLE}.observer.user.time_off.list ;; - group_label: "Observer User Time Off" - group_item_label: "List" - } - - dimension: observer__user__title { - type: string - sql: ${TABLE}.observer.user.title ;; - group_label: "Observer User" - group_item_label: "Title" - } - - dimension: observer__user__user_authentication_status { - type: number - sql: ${TABLE}.observer.user.user_authentication_status ;; - group_label: "Observer User" - group_item_label: "User Authentication Status" - } - - dimension: observer__user__user_display_name { - type: string - sql: ${TABLE}.observer.user.user_display_name ;; - group_label: "Observer User" - group_item_label: "User Display Name" - } - - dimension: observer__user__userid { - type: string - sql: ${TABLE}.observer.user.userid ;; - group_label: "Observer User" - group_item_label: "Userid" - } - - dimension: observer__user__windows_sid { - type: string - sql: ${TABLE}.observer.user.windows_sid ;; - group_label: "Observer User" - group_item_label: "Windows Sid" - } - - dimension: observer__user_management_chain__list { - hidden: yes - sql: ${TABLE}.observer.user_management_chain.list ;; - group_label: "Observer User Management Chain" - group_item_label: "List" - } - - dimension: principal__administrative_domain { - type: string - sql: ${TABLE}.principal.administrative_domain ;; - group_label: "Principal" - group_item_label: "Administrative Domain" - } - - dimension: principal__application { - type: string - sql: ${TABLE}.principal.application ;; - group_label: "Principal" - group_item_label: "Application" - } - - dimension: principal__asset__asset_id { - type: string - sql: ${TABLE}.principal.asset.asset_id ;; - group_label: "Principal Asset" - group_item_label: "Asset ID" - } - - dimension: 
principal__asset__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.principal.asset.attribute.cloud.availability_zone ;; - group_label: "Principal Asset Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: principal__asset__attribute__cloud__environment { - type: number - sql: ${TABLE}.principal.asset.attribute.cloud.environment ;; - group_label: "Principal Asset Attribute Cloud" - group_item_label: "Environment" - } - - dimension: principal__asset__attribute__creation_time { - type: string - sql: ${TABLE}.principal.asset.attribute.creation_time ;; - group_label: "Principal Asset Attribute" - group_item_label: "Creation Time" - } - - dimension: principal__asset__attribute__labels__list { - hidden: yes - sql: ${TABLE}.principal.asset.attribute.labels.list ;; - group_label: "Principal Asset Attribute Labels" - group_item_label: "List" - } - - dimension: principal__asset__attribute__last_update_time { - type: string - sql: ${TABLE}.principal.asset.attribute.last_update_time ;; - group_label: "Principal Asset Attribute" - group_item_label: "Last Update Time" - } - - dimension: principal__asset__attribute__permissions__list { - hidden: yes - sql: ${TABLE}.principal.asset.attribute.permissions.list ;; - group_label: "Principal Asset Attribute Permissions" - group_item_label: "List" - } - - dimension: principal__asset__attribute__roles__list { - hidden: yes - sql: ${TABLE}.principal.asset.attribute.roles.list ;; - group_label: "Principal Asset Attribute Roles" - group_item_label: "List" - } - - dimension: principal__asset__category { - type: string - sql: ${TABLE}.principal.asset.category ;; - group_label: "Principal Asset" - group_item_label: "Category" - } - - dimension: principal__asset__deployment_status { - type: number - sql: ${TABLE}.principal.asset.deployment_status ;; - group_label: "Principal Asset" - group_item_label: "Deployment Status" - } - - dimension: principal__asset__first_discover_time { - type: string - sql: 
${TABLE}.principal.asset.first_discover_time ;; - group_label: "Principal Asset" - group_item_label: "First Discover Time" - } - - dimension: principal__asset__hardware__list { - hidden: yes - sql: ${TABLE}.principal.asset.hardware.list ;; - group_label: "Principal Asset Hardware" - group_item_label: "List" - } - - dimension: principal__asset__hostname { - type: string - sql: ${TABLE}.principal.asset.hostname ;; - group_label: "Principal Asset" - group_item_label: "Hostname" - } - - dimension: principal__asset__ip__list { - hidden: yes - sql: ${TABLE}.principal.asset.ip.list ;; - group_label: "Principal Asset IP" - group_item_label: "List" - } - - dimension: principal__asset__last_boot_time { - type: string - sql: ${TABLE}.principal.asset.last_boot_time ;; - group_label: "Principal Asset" - group_item_label: "Last Boot Time" - } - - dimension: principal__asset__last_discover_time { - type: string - sql: ${TABLE}.principal.asset.last_discover_time ;; - group_label: "Principal Asset" - group_item_label: "Last Discover Time" - } - - dimension: principal__asset__location__city { - type: string - sql: ${TABLE}.principal.asset.location.city ;; - group_label: "Principal Asset Location" - group_item_label: "City" - } - - dimension: principal__asset__location__country_or_region { - type: string - sql: ${TABLE}.principal.asset.location.country_or_region ;; - group_label: "Principal Asset Location" - group_item_label: "Country or Region" - } - - dimension: principal__asset__location__desk_name { - type: string - sql: ${TABLE}.principal.asset.location.desk_name ;; - group_label: "Principal Asset Location" - group_item_label: "Desk Name" - } - - dimension: principal__asset__location__floor_name { - type: string - sql: ${TABLE}.principal.asset.location.floor_name ;; - group_label: "Principal Asset Location" - group_item_label: "Floor Name" - } - - dimension: principal__asset__location__name { - type: string - sql: ${TABLE}.principal.asset.location.name ;; - group_label: 
"Principal Asset Location" - group_item_label: "Name" - } - - dimension: principal__asset__location__region_latitude { - type: number - sql: ${TABLE}.principal.asset.location.region_latitude ;; - group_label: "Principal Asset Location" - group_item_label: "Region Latitude" - } - - dimension: principal__asset__location__region_longitude { - type: number - sql: ${TABLE}.principal.asset.location.region_longitude ;; - group_label: "Principal Asset Location" - group_item_label: "Region Longitude" - } - - dimension: principal__asset__location__state { - type: string - sql: ${TABLE}.principal.asset.location.state ;; - group_label: "Principal Asset Location" - group_item_label: "State" - } - - dimension: principal__asset__mac__list { - hidden: yes - sql: ${TABLE}.principal.asset.mac.list ;; - group_label: "Principal Asset Mac" - group_item_label: "List" - } - - dimension: principal__asset__nat_ip__list { - hidden: yes - sql: ${TABLE}.principal.asset.nat_ip.list ;; - group_label: "Principal Asset Nat IP" - group_item_label: "List" - } - - dimension: principal__asset__network_domain { - type: string - sql: ${TABLE}.principal.asset.network_domain ;; - group_label: "Principal Asset" - group_item_label: "Network Domain" - } - - dimension: principal__asset__platform_software__platform { - type: number - sql: ${TABLE}.principal.asset.platform_software.platform ;; - group_label: "Principal Asset Platform Software" - group_item_label: "Platform" - } - - dimension: principal__asset__platform_software__platform_patch_level { - type: string - sql: ${TABLE}.principal.asset.platform_software.platform_patch_level ;; - group_label: "Principal Asset Platform Software" - group_item_label: "Platform Patch Level" - } - - dimension: principal__asset__platform_software__platform_version { - type: string - sql: ${TABLE}.principal.asset.platform_software.platform_version ;; - group_label: "Principal Asset Platform Software" - group_item_label: "Platform Version" - } - - dimension: 
principal__asset__product_object_id { - type: string - sql: ${TABLE}.principal.asset.product_object_id ;; - group_label: "Principal Asset" - group_item_label: "Product Object ID" - } - - dimension: principal__asset__software__list { - hidden: yes - sql: ${TABLE}.principal.asset.software.list ;; - group_label: "Principal Asset Software" - group_item_label: "List" - } - - dimension: principal__asset__system_last_update_time { - type: string - sql: ${TABLE}.principal.asset.system_last_update_time ;; - group_label: "Principal Asset" - group_item_label: "System Last Update Time" - } - - dimension: principal__asset__type { - type: number - sql: ${TABLE}.principal.asset.type ;; - group_label: "Principal Asset" - group_item_label: "Type" - } - - dimension: principal__asset__vulnerabilities__list { - hidden: yes - sql: ${TABLE}.principal.asset.vulnerabilities.list ;; - group_label: "Principal Asset Vulnerabilities" - group_item_label: "List" - } - - dimension: principal__asset_id { - type: string - sql: ${TABLE}.principal.asset_id ;; - group_label: "Principal" - group_item_label: "Asset ID" - } - - dimension: principal__domain__name { - type: string - sql: ${TABLE}.principal.domain.name ;; - group_label: "Principal Domain" - group_item_label: "Name" - } - - dimension: principal__domain__prevalence__day_count { - type: number - sql: ${TABLE}.principal.domain.prevalence.day_count ;; - group_label: "Principal Domain Prevalence" - group_item_label: "Day Count" - } - - dimension: principal__domain__prevalence__rolling_max { - type: number - sql: ${TABLE}.principal.domain.prevalence.rolling_max ;; - group_label: "Principal Domain Prevalence" - group_item_label: "Rolling Max" - } - - dimension: principal__email { - type: string - sql: ${TABLE}.principal.email ;; - group_label: "Principal" - group_item_label: "Email" - } - - dimension: principal__file__ahash { - type: string - sql: ${TABLE}.principal.file.ahash ;; - group_label: "Principal File" - group_item_label: "Ahash" - } - - 
dimension: principal__file__capabilities_tags__list { - hidden: yes - sql: ${TABLE}.principal.file.capabilities_tags.list ;; - group_label: "Principal File Capabilities Tags" - group_item_label: "List" - } - - dimension: principal__file__file_type { - type: number - sql: ${TABLE}.principal.file.file_type ;; - group_label: "Principal File" - group_item_label: "File Type" - } - - dimension: principal__file__full_path { - type: string - sql: ${TABLE}.principal.file.full_path ;; - group_label: "Principal File" - group_item_label: "Full Path" - } - - dimension: principal__file__md5 { - type: string - sql: ${TABLE}.principal.file.md5 ;; - group_label: "Principal File" - group_item_label: "Md5" - } - - dimension: principal__file__mime_type { - type: string - sql: ${TABLE}.principal.file.mime_type ;; - group_label: "Principal File" - group_item_label: "Mime Type" - } - - dimension: principal__file__names__list { - hidden: yes - sql: ${TABLE}.principal.file.names.list ;; - group_label: "Principal File Names" - group_item_label: "List" - } - - dimension: principal__file__pe_file__compilation_exiftool_time { - type: string - sql: ${TABLE}.principal.file.pe_file.compilation_exiftool_time ;; - group_label: "Principal File Pe File" - group_item_label: "Compilation Exiftool Time" - } - - dimension: principal__file__pe_file__compilation_time { - type: string - sql: ${TABLE}.principal.file.pe_file.compilation_time ;; - group_label: "Principal File Pe File" - group_item_label: "Compilation Time" - } - - dimension: principal__file__pe_file__entry_point { - type: number - sql: ${TABLE}.principal.file.pe_file.entry_point ;; - group_label: "Principal File Pe File" - group_item_label: "Entry Point" - } - - dimension: principal__file__pe_file__entry_point_exiftool { - type: number - sql: ${TABLE}.principal.file.pe_file.entry_point_exiftool ;; - group_label: "Principal File Pe File" - group_item_label: "Entry Point Exiftool" - } - - dimension: principal__file__pe_file__imphash { - type: 
string - sql: ${TABLE}.principal.file.pe_file.imphash ;; - group_label: "Principal File Pe File" - group_item_label: "Imphash" - } - - dimension: principal__file__pe_file__imports__list { - hidden: yes - sql: ${TABLE}.principal.file.pe_file.imports.list ;; - group_label: "Principal File Pe File Imports" - group_item_label: "List" - } - - dimension: principal__file__pe_file__resource__list { - hidden: yes - sql: ${TABLE}.principal.file.pe_file.resource.list ;; - group_label: "Principal File Pe File Resource" - group_item_label: "List" - } - - dimension: principal__file__pe_file__resources_language_count__list { - hidden: yes - sql: ${TABLE}.principal.file.pe_file.resources_language_count.list ;; - group_label: "Principal File Pe File Resources Language Count" - group_item_label: "List" - } - - dimension: principal__file__pe_file__resources_type_count__list { - hidden: yes - sql: ${TABLE}.principal.file.pe_file.resources_type_count.list ;; - group_label: "Principal File Pe File Resources Type Count" - group_item_label: "List" - } - - dimension: principal__file__pe_file__section__list { - hidden: yes - sql: ${TABLE}.principal.file.pe_file.section.list ;; - group_label: "Principal File Pe File Section" - group_item_label: "List" - } - - dimension: principal__file__pe_file__signature_info__signer__list { - hidden: yes - sql: ${TABLE}.principal.file.pe_file.signature_info.signer.list ;; - group_label: "Principal File Pe File Signature Info Signer" - group_item_label: "List" - } - - dimension: principal__file__pe_file__signature_info__verification_message { - type: string - sql: ${TABLE}.principal.file.pe_file.signature_info.verification_message ;; - group_label: "Principal File Pe File Signature Info" - group_item_label: "Verification Message" - } - - dimension: principal__file__pe_file__signature_info__verified { - type: yesno - sql: ${TABLE}.principal.file.pe_file.signature_info.verified ;; - group_label: "Principal File Pe File Signature Info" - group_item_label: 
"Verified" - } - - dimension: principal__file__sha1 { - type: string - sql: ${TABLE}.principal.file.sha1 ;; - group_label: "Principal File" - group_item_label: "Sha1" - } - - dimension: principal__file__sha256 { - type: string - sql: ${TABLE}.principal.file.sha256 ;; - group_label: "Principal File" - group_item_label: "Sha256" - } - - dimension: principal__file__size { - type: number - sql: ${TABLE}.principal.file.size ;; - group_label: "Principal File" - group_item_label: "Size" - } - - dimension: principal__file__ssdeep { - type: string - sql: ${TABLE}.principal.file.ssdeep ;; - group_label: "Principal File" - group_item_label: "Ssdeep" - } - - dimension: principal__file__vhash { - type: string - sql: ${TABLE}.principal.file.vhash ;; - group_label: "Principal File" - group_item_label: "Vhash" - } - - dimension: principal__group__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.principal.`group`.attribute.cloud.availability_zone ;; - group_label: "Principal Group Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: principal__group__attribute__cloud__environment { - type: number - sql: ${TABLE}.principal.`group`.attribute.cloud.environment ;; - group_label: "Principal Group Attribute Cloud" - group_item_label: "Environment" - } - - dimension: principal__group__attribute__creation_time { - type: string - sql: ${TABLE}.principal.`group`.attribute.creation_time ;; - group_label: "Principal Group Attribute" - group_item_label: "Creation Time" - } - - dimension: principal__group__attribute__labels__list { - hidden: yes - sql: ${TABLE}.principal.group.attribute.labels.list ;; - group_label: "Principal Group Attribute Labels" - group_item_label: "List" - } - - dimension: principal__group__attribute__last_update_time { - type: string - sql: ${TABLE}.principal.`group`.attribute.last_update_time ;; - group_label: "Principal Group Attribute" - group_item_label: "Last Update Time" - } - - dimension: 
principal__group__attribute__permissions__list { - hidden: yes - sql: ${TABLE}.principal.group.attribute.permissions.list ;; - group_label: "Principal Group Attribute Permissions" - group_item_label: "List" - } - - dimension: principal__group__attribute__roles__list { - hidden: yes - sql: ${TABLE}.principal.group.attribute.roles.list ;; - group_label: "Principal Group Attribute Roles" - group_item_label: "List" - } - - dimension: principal__group__email_addresses__list { - hidden: yes - sql: ${TABLE}.principal.group.email_addresses.list ;; - group_label: "Principal Group Email Addresses" - group_item_label: "List" - } - - dimension: principal__group__group_display_name { - type: string - sql: ${TABLE}.principal.`group`.group_display_name ;; - group_label: "Principal Group" - group_item_label: "Group Display Name" - } - - dimension: principal__group__product_object_id { - type: string - sql: ${TABLE}.principal.`group`.product_object_id ;; - group_label: "Principal Group" - group_item_label: "Product Object ID" - } - - dimension: principal__group__windows_sid { - type: string - sql: ${TABLE}.principal.`group`.windows_sid ;; - group_label: "Principal Group" - group_item_label: "Windows Sid" - } - - dimension: principal__hostname { - type: string - sql: ${TABLE}.principal.hostname ;; - group_label: "Principal" - group_item_label: "Hostname" - } - - dimension: principal__investigation__comments__list { - hidden: yes - sql: ${TABLE}.principal.investigation.comments.list ;; - group_label: "Principal Investigation Comments" - group_item_label: "List" - } - - dimension: principal__investigation__reputation { - type: number - sql: ${TABLE}.principal.investigation.reputation ;; - group_label: "Principal Investigation" - group_item_label: "Reputation" - } - - dimension: principal__investigation__severity_score { - type: number - sql: ${TABLE}.principal.investigation.severity_score ;; - group_label: "Principal Investigation" - group_item_label: "Severity Score" - } - - 
dimension: principal__investigation__status { - type: number - sql: ${TABLE}.principal.investigation.status ;; - group_label: "Principal Investigation" - group_item_label: "Status" - } - - dimension: principal__investigation__verdict { - type: number - sql: ${TABLE}.principal.investigation.verdict ;; - group_label: "Principal Investigation" - group_item_label: "Verdict" - } - - dimension: principal__ip__list { - hidden: yes - sql: ${TABLE}.principal.ip.list ;; - group_label: "Principal IP" - group_item_label: "List" - } - - dimension: principal__location__city { - type: string - sql: ${TABLE}.principal.location.city ;; - group_label: "Principal Location" - group_item_label: "City" - } - - dimension: principal__location__country_or_region { - type: string - sql: ${TABLE}.principal.location.country_or_region ;; - group_label: "Principal Location" - group_item_label: "Country or Region" - } - - dimension: principal__location__desk_name { - type: string - sql: ${TABLE}.principal.location.desk_name ;; - group_label: "Principal Location" - group_item_label: "Desk Name" - } - - dimension: principal__location__floor_name { - type: string - sql: ${TABLE}.principal.location.floor_name ;; - group_label: "Principal Location" - group_item_label: "Floor Name" - } - - dimension: principal__location__name { - type: string - sql: ${TABLE}.principal.location.name ;; - group_label: "Principal Location" - group_item_label: "Name" - } - - dimension: principal__location__region_latitude { - type: number - sql: ${TABLE}.principal.location.region_latitude ;; - group_label: "Principal Location" - group_item_label: "Region Latitude" - } - - dimension: principal__location__region_longitude { - type: number - sql: ${TABLE}.principal.location.region_longitude ;; - group_label: "Principal Location" - group_item_label: "Region Longitude" - } - - dimension: principal__location__state { - type: string - sql: ${TABLE}.principal.location.state ;; - group_label: "Principal Location" - 
group_item_label: "State" - } - - dimension: principal__mac__list { - hidden: yes - sql: ${TABLE}.principal.mac.list ;; - group_label: "Principal Mac" - group_item_label: "List" - } - - dimension: principal__namespace { - type: string - sql: ${TABLE}.principal.namespace ;; - group_label: "Principal" - group_item_label: "Namespace" - } - - dimension: principal__nat_ip__list { - hidden: yes - sql: ${TABLE}.principal.nat_ip.list ;; - group_label: "Principal Nat IP" - group_item_label: "List" - } - - dimension: principal__nat_port { - type: number - sql: ${TABLE}.principal.nat_port ;; - group_label: "Principal" - group_item_label: "Nat Port" - } - - dimension: principal__object_reference__id { - type: string - sql: ${TABLE}.principal.object_reference.id ;; - group_label: "Principal Object Reference" - group_item_label: "ID" - } - - dimension: principal__object_reference__namespace { - type: number - sql: ${TABLE}.principal.object_reference.namespace ;; - group_label: "Principal Object Reference" - group_item_label: "Namespace" - } - - dimension: principal__platform { - type: number - sql: ${TABLE}.principal.platform ;; - group_label: "Principal" - group_item_label: "Platform" - } - - dimension: principal__platform_patch_level { - type: string - sql: ${TABLE}.principal.platform_patch_level ;; - group_label: "Principal" - group_item_label: "Platform Patch Level" - } - - dimension: principal__platform_version { - type: string - sql: ${TABLE}.principal.platform_version ;; - group_label: "Principal" - group_item_label: "Platform Version" - } - - dimension: principal__port { - type: number - sql: ${TABLE}.principal.port ;; - group_label: "Principal" - group_item_label: "Port" - } - - dimension: principal__process__access_mask { - type: number - sql: ${TABLE}.principal.process.access_mask ;; - group_label: "Principal Process" - group_item_label: "Access Mask" - } - - dimension: principal__process__command_line { - type: string - sql: ${TABLE}.principal.process.command_line ;; 
- group_label: "Principal Process" - group_item_label: "Command Line" - } - - dimension: principal__process__command_line_history__list { - hidden: yes - sql: ${TABLE}.principal.process.command_line_history.list ;; - group_label: "Principal Process Command Line History" - group_item_label: "List" - } - - dimension: principal__process__file__ahash { - type: string - sql: ${TABLE}.principal.process.file.ahash ;; - group_label: "Principal Process File" - group_item_label: "Ahash" - } - - dimension: principal__process__file__capabilities_tags__list { - hidden: yes - sql: ${TABLE}.principal.process.file.capabilities_tags.list ;; - group_label: "Principal Process File Capabilities Tags" - group_item_label: "List" - } - - dimension: principal__process__file__file_type { - type: number - sql: ${TABLE}.principal.process.file.file_type ;; - group_label: "Principal Process File" - group_item_label: "File Type" - } - - dimension: principal__process__file__full_path { - type: string - sql: ${TABLE}.principal.process.file.full_path ;; - group_label: "Principal Process File" - group_item_label: "Full Path" - } - - dimension: principal__process__file__md5 { - type: string - sql: ${TABLE}.principal.process.file.md5 ;; - group_label: "Principal Process File" - group_item_label: "Md5" - } - - dimension: principal__process__file__mime_type { - type: string - sql: ${TABLE}.principal.process.file.mime_type ;; - group_label: "Principal Process File" - group_item_label: "Mime Type" - } - - dimension: principal__process__file__names__list { - hidden: yes - sql: ${TABLE}.principal.process.file.names.list ;; - group_label: "Principal Process File Names" - group_item_label: "List" - } - - dimension: principal__process__file__pe_file__compilation_exiftool_time { - type: string - sql: ${TABLE}.principal.process.file.pe_file.compilation_exiftool_time ;; - group_label: "Principal Process File Pe File" - group_item_label: "Compilation Exiftool Time" - } - - dimension: 
principal__process__file__pe_file__compilation_time { - type: string - sql: ${TABLE}.principal.process.file.pe_file.compilation_time ;; - group_label: "Principal Process File Pe File" - group_item_label: "Compilation Time" - } - - dimension: principal__process__file__pe_file__entry_point { - type: number - sql: ${TABLE}.principal.process.file.pe_file.entry_point ;; - group_label: "Principal Process File Pe File" - group_item_label: "Entry Point" - } - - dimension: principal__process__file__pe_file__entry_point_exiftool { - type: number - sql: ${TABLE}.principal.process.file.pe_file.entry_point_exiftool ;; - group_label: "Principal Process File Pe File" - group_item_label: "Entry Point Exiftool" - } - - dimension: principal__process__file__pe_file__imphash { - type: string - sql: ${TABLE}.principal.process.file.pe_file.imphash ;; - group_label: "Principal Process File Pe File" - group_item_label: "Imphash" - } - - dimension: principal__process__file__pe_file__imports__list { - hidden: yes - sql: ${TABLE}.principal.process.file.pe_file.imports.list ;; - group_label: "Principal Process File Pe File Imports" - group_item_label: "List" - } - - dimension: principal__process__file__pe_file__resource__list { - hidden: yes - sql: ${TABLE}.principal.process.file.pe_file.resource.list ;; - group_label: "Principal Process File Pe File Resource" - group_item_label: "List" - } - - dimension: principal__process__file__pe_file__resources_language_count__list { - hidden: yes - sql: ${TABLE}.principal.process.file.pe_file.resources_language_count.list ;; - group_label: "Principal Process File Pe File Resources Language Count" - group_item_label: "List" - } - - dimension: principal__process__file__pe_file__resources_type_count__list { - hidden: yes - sql: ${TABLE}.principal.process.file.pe_file.resources_type_count.list ;; - group_label: "Principal Process File Pe File Resources Type Count" - group_item_label: "List" - } - - dimension: principal__process__file__pe_file__section__list 
{ - hidden: yes - sql: ${TABLE}.principal.process.file.pe_file.section.list ;; - group_label: "Principal Process File Pe File Section" - group_item_label: "List" - } - - dimension: principal__process__file__pe_file__signature_info__signer__list { - hidden: yes - sql: ${TABLE}.principal.process.file.pe_file.signature_info.signer.list ;; - group_label: "Principal Process File Pe File Signature Info Signer" - group_item_label: "List" - } - - dimension: principal__process__file__pe_file__signature_info__verification_message { - type: string - sql: ${TABLE}.principal.process.file.pe_file.signature_info.verification_message ;; - group_label: "Principal Process File Pe File Signature Info" - group_item_label: "Verification Message" - } - - dimension: principal__process__file__pe_file__signature_info__verified { - type: yesno - sql: ${TABLE}.principal.process.file.pe_file.signature_info.verified ;; - group_label: "Principal Process File Pe File Signature Info" - group_item_label: "Verified" - } - - dimension: principal__process__file__sha1 { - type: string - sql: ${TABLE}.principal.process.file.sha1 ;; - group_label: "Principal Process File" - group_item_label: "Sha1" - } - - dimension: principal__process__file__sha256 { - type: string - sql: ${TABLE}.principal.process.file.sha256 ;; - group_label: "Principal Process File" - group_item_label: "Sha256" - } - - dimension: principal__process__file__size { - type: number - sql: ${TABLE}.principal.process.file.size ;; - group_label: "Principal Process File" - group_item_label: "Size" - } - - dimension: principal__process__file__ssdeep { - type: string - sql: ${TABLE}.principal.process.file.ssdeep ;; - group_label: "Principal Process File" - group_item_label: "Ssdeep" - } - - dimension: principal__process__file__vhash { - type: string - sql: ${TABLE}.principal.process.file.vhash ;; - group_label: "Principal Process File" - group_item_label: "Vhash" - } - - dimension: principal__process__pid { - type: string - sql: 
${TABLE}.principal.process.pid ;; - group_label: "Principal Process" - group_item_label: "Pid" - } - - dimension: principal__process__product_specific_process_id { - type: string - sql: ${TABLE}.principal.process.product_specific_process_id ;; - group_label: "Principal Process" - group_item_label: "Product Specific Process ID" - } - - dimension: principal__process_ancestors__list { - hidden: yes - sql: ${TABLE}.principal.process_ancestors.list ;; - group_label: "Principal Process Ancestors" - group_item_label: "List" - } - - dimension: principal__registry__registry_key { - type: string - sql: ${TABLE}.principal.registry.registry_key ;; - group_label: "Principal Registry" - group_item_label: "Registry Key" - } - - dimension: principal__registry__registry_value_data { - type: string - sql: ${TABLE}.principal.registry.registry_value_data ;; - group_label: "Principal Registry" - group_item_label: "Registry Value Data" - } - - dimension: principal__registry__registry_value_name { - type: string - sql: ${TABLE}.principal.registry.registry_value_name ;; - group_label: "Principal Registry" - group_item_label: "Registry Value Name" - } - - dimension: principal__resource__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.principal.resource.attribute.cloud.availability_zone ;; - group_label: "Principal Resource Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: principal__resource__attribute__cloud__environment { - type: number - sql: ${TABLE}.principal.resource.attribute.cloud.environment ;; - group_label: "Principal Resource Attribute Cloud" - group_item_label: "Environment" - } - - dimension: principal__resource__attribute__creation_time { - type: string - sql: ${TABLE}.principal.resource.attribute.creation_time ;; - group_label: "Principal Resource Attribute" - group_item_label: "Creation Time" - } - - dimension: principal__resource__attribute__labels__list { - hidden: yes - sql: ${TABLE}.principal.resource.attribute.labels.list 
;; - group_label: "Principal Resource Attribute Labels" - group_item_label: "List" - } - - dimension: principal__resource__attribute__last_update_time { - type: string - sql: ${TABLE}.principal.resource.attribute.last_update_time ;; - group_label: "Principal Resource Attribute" - group_item_label: "Last Update Time" - } - - dimension: principal__resource__attribute__permissions__list { - hidden: yes - sql: ${TABLE}.principal.resource.attribute.permissions.list ;; - group_label: "Principal Resource Attribute Permissions" - group_item_label: "List" - } - - dimension: principal__resource__attribute__roles__list { - hidden: yes - sql: ${TABLE}.principal.resource.attribute.roles.list ;; - group_label: "Principal Resource Attribute Roles" - group_item_label: "List" - } - - dimension: principal__resource__name { - type: string - sql: ${TABLE}.principal.resource.name ;; - group_label: "Principal Resource" - group_item_label: "Name" - } - - dimension: principal__resource__product_object_id { - type: string - sql: ${TABLE}.principal.resource.product_object_id ;; - group_label: "Principal Resource" - group_item_label: "Product Object ID" - } - - dimension: principal__resource__resource_subtype { - type: string - sql: ${TABLE}.principal.resource.resource_subtype ;; - group_label: "Principal Resource" - group_item_label: "Resource Subtype" - } - - dimension: principal__resource__resource_type { - type: number - sql: ${TABLE}.principal.resource.resource_type ;; - group_label: "Principal Resource" - group_item_label: "Resource Type" - } - - dimension: principal__resource_ancestors__list { - hidden: yes - sql: ${TABLE}.principal.resource_ancestors.list ;; - group_label: "Principal Resource Ancestors" - group_item_label: "List" - } - - dimension: principal__url { - type: string - sql: ${TABLE}.principal.url ;; - group_label: "Principal" - group_item_label: "URL" - } - - dimension: principal__user__account_type { - type: number - sql: ${TABLE}.principal.user.account_type ;; - 
group_label: "Principal User" - group_item_label: "Account Type" - } - - dimension: principal__user__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.principal.user.attribute.cloud.availability_zone ;; - group_label: "Principal User Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: principal__user__attribute__cloud__environment { - type: number - sql: ${TABLE}.principal.user.attribute.cloud.environment ;; - group_label: "Principal User Attribute Cloud" - group_item_label: "Environment" - } - - dimension: principal__user__attribute__creation_time { - type: string - sql: ${TABLE}.principal.user.attribute.creation_time ;; - group_label: "Principal User Attribute" - group_item_label: "Creation Time" - } - - dimension: principal__user__attribute__labels__list { - hidden: yes - sql: ${TABLE}.principal.user.attribute.labels.list ;; - group_label: "Principal User Attribute Labels" - group_item_label: "List" - } - - dimension: principal__user__attribute__last_update_time { - type: string - sql: ${TABLE}.principal.user.attribute.last_update_time ;; - group_label: "Principal User Attribute" - group_item_label: "Last Update Time" - } - - dimension: principal__user__attribute__permissions__list { - hidden: yes - sql: ${TABLE}.principal.user.attribute.permissions.list ;; - group_label: "Principal User Attribute Permissions" - group_item_label: "List" - } - - dimension: principal__user__attribute__roles__list { - hidden: yes - sql: ${TABLE}.principal.user.attribute.roles.list ;; - group_label: "Principal User Attribute Roles" - group_item_label: "List" - } - - dimension: principal__user__company_name { - type: string - sql: ${TABLE}.principal.user.company_name ;; - group_label: "Principal User" - group_item_label: "Company Name" - } - - dimension: principal__user__department__list { - hidden: yes - sql: ${TABLE}.principal.user.department.list ;; - group_label: "Principal User Department" - group_item_label: "List" - } - - dimension: 
principal__user__email_addresses__list { - hidden: yes - sql: ${TABLE}.principal.user.email_addresses.list ;; - group_label: "Principal User Email Addresses" - group_item_label: "List" - } - - dimension: principal__user__employee_id { - type: string - sql: ${TABLE}.principal.user.employee_id ;; - group_label: "Principal User" - group_item_label: "Employee ID" - } - - dimension: principal__user__first_name { - type: string - sql: ${TABLE}.principal.user.first_name ;; - group_label: "Principal User" - group_item_label: "First Name" - } - - dimension: principal__user__group_identifiers__list { - hidden: yes - sql: ${TABLE}.principal.user.group_identifiers.list ;; - group_label: "Principal User Group Identifiers" - group_item_label: "List" - } - - dimension: principal__user__hire_date { - type: string - sql: ${TABLE}.principal.user.hire_date ;; - group_label: "Principal User" - group_item_label: "Hire Date" - } - - dimension: principal__user__last_name { - type: string - sql: ${TABLE}.principal.user.last_name ;; - group_label: "Principal User" - group_item_label: "Last Name" - } - - dimension: principal__user__middle_name { - type: string - sql: ${TABLE}.principal.user.middle_name ;; - group_label: "Principal User" - group_item_label: "Middle Name" - } - - dimension: principal__user__office_address__city { - type: string - sql: ${TABLE}.principal.user.office_address.city ;; - group_label: "Principal User Office Address" - group_item_label: "City" - } - - dimension: principal__user__office_address__country_or_region { - type: string - sql: ${TABLE}.principal.user.office_address.country_or_region ;; - group_label: "Principal User Office Address" - group_item_label: "Country or Region" - } - - dimension: principal__user__office_address__desk_name { - type: string - sql: ${TABLE}.principal.user.office_address.desk_name ;; - group_label: "Principal User Office Address" - group_item_label: "Desk Name" - } - - dimension: principal__user__office_address__floor_name { - type: 
string - sql: ${TABLE}.principal.user.office_address.floor_name ;; - group_label: "Principal User Office Address" - group_item_label: "Floor Name" - } - - dimension: principal__user__office_address__name { - type: string - sql: ${TABLE}.principal.user.office_address.name ;; - group_label: "Principal User Office Address" - group_item_label: "Name" - } - - dimension: principal__user__office_address__region_latitude { - type: number - sql: ${TABLE}.principal.user.office_address.region_latitude ;; - group_label: "Principal User Office Address" - group_item_label: "Region Latitude" - } - - dimension: principal__user__office_address__region_longitude { - type: number - sql: ${TABLE}.principal.user.office_address.region_longitude ;; - group_label: "Principal User Office Address" - group_item_label: "Region Longitude" - } - - dimension: principal__user__office_address__state { - type: string - sql: ${TABLE}.principal.user.office_address.state ;; - group_label: "Principal User Office Address" - group_item_label: "State" - } - - dimension: principal__user__personal_address__city { - type: string - sql: ${TABLE}.principal.user.personal_address.city ;; - group_label: "Principal User Personal Address" - group_item_label: "City" - } - - dimension: principal__user__personal_address__country_or_region { - type: string - sql: ${TABLE}.principal.user.personal_address.country_or_region ;; - group_label: "Principal User Personal Address" - group_item_label: "Country or Region" - } - - dimension: principal__user__personal_address__desk_name { - type: string - sql: ${TABLE}.principal.user.personal_address.desk_name ;; - group_label: "Principal User Personal Address" - group_item_label: "Desk Name" - } - - dimension: principal__user__personal_address__floor_name { - type: string - sql: ${TABLE}.principal.user.personal_address.floor_name ;; - group_label: "Principal User Personal Address" - group_item_label: "Floor Name" - } - - dimension: principal__user__personal_address__name { - type: 
string - sql: ${TABLE}.principal.user.personal_address.name ;; - group_label: "Principal User Personal Address" - group_item_label: "Name" - } - - dimension: principal__user__personal_address__region_latitude { - type: number - sql: ${TABLE}.principal.user.personal_address.region_latitude ;; - group_label: "Principal User Personal Address" - group_item_label: "Region Latitude" - } - - dimension: principal__user__personal_address__region_longitude { - type: number - sql: ${TABLE}.principal.user.personal_address.region_longitude ;; - group_label: "Principal User Personal Address" - group_item_label: "Region Longitude" - } - - dimension: principal__user__personal_address__state { - type: string - sql: ${TABLE}.principal.user.personal_address.state ;; - group_label: "Principal User Personal Address" - group_item_label: "State" - } - - dimension: principal__user__phone_numbers__list { - hidden: yes - sql: ${TABLE}.principal.user.phone_numbers.list ;; - group_label: "Principal User Phone Numbers" - group_item_label: "List" - } - - dimension: principal__user__product_object_id { - type: string - sql: ${TABLE}.principal.user.product_object_id ;; - group_label: "Principal User" - group_item_label: "Product Object ID" - } - - dimension: principal__user__termination_date { - type: string - sql: ${TABLE}.principal.user.termination_date ;; - group_label: "Principal User" - group_item_label: "Termination Date" - } - - dimension: principal__user__time_off__list { - hidden: yes - sql: ${TABLE}.principal.user.time_off.list ;; - group_label: "Principal User Time Off" - group_item_label: "List" - } - - dimension: principal__user__title { - type: string - sql: ${TABLE}.principal.user.title ;; - group_label: "Principal User" - group_item_label: "Title" - } - - dimension: principal__user__user_authentication_status { - type: number - sql: ${TABLE}.principal.user.user_authentication_status ;; - group_label: "Principal User" - group_item_label: "User Authentication Status" - } - - 
dimension: principal__user__user_display_name { - type: string - sql: ${TABLE}.principal.user.user_display_name ;; - group_label: "Principal User" - group_item_label: "User Display Name" - } - - dimension: principal__user__userid { - type: string - sql: ${TABLE}.principal.user.userid ;; - group_label: "Principal User" - group_item_label: "Userid" - } - - dimension: principal__user__windows_sid { - type: string - sql: ${TABLE}.principal.user.windows_sid ;; - group_label: "Principal User" - group_item_label: "Windows Sid" - } - - dimension: principal__user_management_chain__list { - hidden: yes - sql: ${TABLE}.principal.user_management_chain.list ;; - group_label: "Principal User Management Chain" - group_item_label: "List" - } - - dimension: security_result__list { - hidden: yes - sql: ${TABLE}.security_result.list ;; - group_label: "Security Result" - group_item_label: "List" - } - - dimension: src__administrative_domain { - type: string - sql: ${TABLE}.src.administrative_domain ;; - group_label: "Src" - group_item_label: "Administrative Domain" - } - - dimension: src__application { - type: string - sql: ${TABLE}.src.application ;; - group_label: "Src" - group_item_label: "Application" - } - - dimension: src__asset__asset_id { - type: string - sql: ${TABLE}.src.asset.asset_id ;; - group_label: "Src Asset" - group_item_label: "Asset ID" - } - - dimension: src__asset__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.src.asset.attribute.cloud.availability_zone ;; - group_label: "Src Asset Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: src__asset__attribute__cloud__environment { - type: number - sql: ${TABLE}.src.asset.attribute.cloud.environment ;; - group_label: "Src Asset Attribute Cloud" - group_item_label: "Environment" - } - - dimension: src__asset__attribute__creation_time { - type: string - sql: ${TABLE}.src.asset.attribute.creation_time ;; - group_label: "Src Asset Attribute" - group_item_label: "Creation Time" 
- } - - dimension: src__asset__attribute__labels__list { - hidden: yes - sql: ${TABLE}.src.asset.attribute.labels.list ;; - group_label: "Src Asset Attribute Labels" - group_item_label: "List" - } - - dimension: src__asset__attribute__last_update_time { - type: string - sql: ${TABLE}.src.asset.attribute.last_update_time ;; - group_label: "Src Asset Attribute" - group_item_label: "Last Update Time" - } - - dimension: src__asset__attribute__permissions__list { - hidden: yes - sql: ${TABLE}.src.asset.attribute.permissions.list ;; - group_label: "Src Asset Attribute Permissions" - group_item_label: "List" - } - - dimension: src__asset__attribute__roles__list { - hidden: yes - sql: ${TABLE}.src.asset.attribute.roles.list ;; - group_label: "Src Asset Attribute Roles" - group_item_label: "List" - } - - dimension: src__asset__category { - type: string - sql: ${TABLE}.src.asset.category ;; - group_label: "Src Asset" - group_item_label: "Category" - } - - dimension: src__asset__deployment_status { - type: number - sql: ${TABLE}.src.asset.deployment_status ;; - group_label: "Src Asset" - group_item_label: "Deployment Status" - } - - dimension: src__asset__first_discover_time { - type: string - sql: ${TABLE}.src.asset.first_discover_time ;; - group_label: "Src Asset" - group_item_label: "First Discover Time" - } - - dimension: src__asset__hardware__list { - hidden: yes - sql: ${TABLE}.src.asset.hardware.list ;; - group_label: "Src Asset Hardware" - group_item_label: "List" - } - - dimension: src__asset__hostname { - type: string - sql: ${TABLE}.src.asset.hostname ;; - group_label: "Src Asset" - group_item_label: "Hostname" - } - - dimension: src__asset__ip__list { - hidden: yes - sql: ${TABLE}.src.asset.ip.list ;; - group_label: "Src Asset IP" - group_item_label: "List" - } - - dimension: src__asset__last_boot_time { - type: string - sql: ${TABLE}.src.asset.last_boot_time ;; - group_label: "Src Asset" - group_item_label: "Last Boot Time" - } - - dimension: 
src__asset__last_discover_time { - type: string - sql: ${TABLE}.src.asset.last_discover_time ;; - group_label: "Src Asset" - group_item_label: "Last Discover Time" - } - - dimension: src__asset__location__city { - type: string - sql: ${TABLE}.src.asset.location.city ;; - group_label: "Src Asset Location" - group_item_label: "City" - } - - dimension: src__asset__location__country_or_region { - type: string - sql: ${TABLE}.src.asset.location.country_or_region ;; - group_label: "Src Asset Location" - group_item_label: "Country or Region" - } - - dimension: src__asset__location__desk_name { - type: string - sql: ${TABLE}.src.asset.location.desk_name ;; - group_label: "Src Asset Location" - group_item_label: "Desk Name" - } - - dimension: src__asset__location__floor_name { - type: string - sql: ${TABLE}.src.asset.location.floor_name ;; - group_label: "Src Asset Location" - group_item_label: "Floor Name" - } - - dimension: src__asset__location__name { - type: string - sql: ${TABLE}.src.asset.location.name ;; - group_label: "Src Asset Location" - group_item_label: "Name" - } - - dimension: src__asset__location__region_latitude { - type: number - sql: ${TABLE}.src.asset.location.region_latitude ;; - group_label: "Src Asset Location" - group_item_label: "Region Latitude" - } - - dimension: src__asset__location__region_longitude { - type: number - sql: ${TABLE}.src.asset.location.region_longitude ;; - group_label: "Src Asset Location" - group_item_label: "Region Longitude" - } - - dimension: src__asset__location__state { - type: string - sql: ${TABLE}.src.asset.location.state ;; - group_label: "Src Asset Location" - group_item_label: "State" - } - - dimension: src__asset__mac__list { - hidden: yes - sql: ${TABLE}.src.asset.mac.list ;; - group_label: "Src Asset Mac" - group_item_label: "List" - } - - dimension: src__asset__nat_ip__list { - hidden: yes - sql: ${TABLE}.src.asset.nat_ip.list ;; - group_label: "Src Asset Nat IP" - group_item_label: "List" - } - - dimension: 
src__asset__network_domain { - type: string - sql: ${TABLE}.src.asset.network_domain ;; - group_label: "Src Asset" - group_item_label: "Network Domain" - } - - dimension: src__asset__platform_software__platform { - type: number - sql: ${TABLE}.src.asset.platform_software.platform ;; - group_label: "Src Asset Platform Software" - group_item_label: "Platform" - } - - dimension: src__asset__platform_software__platform_patch_level { - type: string - sql: ${TABLE}.src.asset.platform_software.platform_patch_level ;; - group_label: "Src Asset Platform Software" - group_item_label: "Platform Patch Level" - } - - dimension: src__asset__platform_software__platform_version { - type: string - sql: ${TABLE}.src.asset.platform_software.platform_version ;; - group_label: "Src Asset Platform Software" - group_item_label: "Platform Version" - } - - dimension: src__asset__product_object_id { - type: string - sql: ${TABLE}.src.asset.product_object_id ;; - group_label: "Src Asset" - group_item_label: "Product Object ID" - } - - dimension: src__asset__software__list { - hidden: yes - sql: ${TABLE}.src.asset.software.list ;; - group_label: "Src Asset Software" - group_item_label: "List" - } - - dimension: src__asset__system_last_update_time { - type: string - sql: ${TABLE}.src.asset.system_last_update_time ;; - group_label: "Src Asset" - group_item_label: "System Last Update Time" - } - - dimension: src__asset__type { - type: number - sql: ${TABLE}.src.asset.type ;; - group_label: "Src Asset" - group_item_label: "Type" - } - - dimension: src__asset__vulnerabilities__list { - hidden: yes - sql: ${TABLE}.src.asset.vulnerabilities.list ;; - group_label: "Src Asset Vulnerabilities" - group_item_label: "List" - } - - dimension: src__asset_id { - type: string - sql: ${TABLE}.src.asset_id ;; - group_label: "Src" - group_item_label: "Asset ID" - } - - dimension: src__domain__name { - type: string - sql: ${TABLE}.src.domain.name ;; - group_label: "Src Domain" - group_item_label: "Name" - } - - 
dimension: src__domain__prevalence__day_count { - type: number - sql: ${TABLE}.src.domain.prevalence.day_count ;; - group_label: "Src Domain Prevalence" - group_item_label: "Day Count" - } - - dimension: src__domain__prevalence__rolling_max { - type: number - sql: ${TABLE}.src.domain.prevalence.rolling_max ;; - group_label: "Src Domain Prevalence" - group_item_label: "Rolling Max" - } - - dimension: src__email { - type: string - sql: ${TABLE}.src.email ;; - group_label: "Src" - group_item_label: "Email" - } - - dimension: src__file__ahash { - type: string - sql: ${TABLE}.src.file.ahash ;; - group_label: "Src File" - group_item_label: "Ahash" - } - - dimension: src__file__capabilities_tags__list { - hidden: yes - sql: ${TABLE}.src.file.capabilities_tags.list ;; - group_label: "Src File Capabilities Tags" - group_item_label: "List" - } - - dimension: src__file__file_type { - type: number - sql: ${TABLE}.src.file.file_type ;; - group_label: "Src File" - group_item_label: "File Type" - } - - dimension: src__file__full_path { - type: string - sql: ${TABLE}.src.file.full_path ;; - group_label: "Src File" - group_item_label: "Full Path" - } - - dimension: src__file__md5 { - type: string - sql: ${TABLE}.src.file.md5 ;; - group_label: "Src File" - group_item_label: "Md5" - } - - dimension: src__file__mime_type { - type: string - sql: ${TABLE}.src.file.mime_type ;; - group_label: "Src File" - group_item_label: "Mime Type" - } - - dimension: src__file__names__list { - hidden: yes - sql: ${TABLE}.src.file.names.list ;; - group_label: "Src File Names" - group_item_label: "List" - } - - dimension: src__file__pe_file__compilation_exiftool_time { - type: string - sql: ${TABLE}.src.file.pe_file.compilation_exiftool_time ;; - group_label: "Src File Pe File" - group_item_label: "Compilation Exiftool Time" - } - - dimension: src__file__pe_file__compilation_time { - type: string - sql: ${TABLE}.src.file.pe_file.compilation_time ;; - group_label: "Src File Pe File" - group_item_label: 
"Compilation Time" - } - - dimension: src__file__pe_file__entry_point { - type: number - sql: ${TABLE}.src.file.pe_file.entry_point ;; - group_label: "Src File Pe File" - group_item_label: "Entry Point" - } - - dimension: src__file__pe_file__entry_point_exiftool { - type: number - sql: ${TABLE}.src.file.pe_file.entry_point_exiftool ;; - group_label: "Src File Pe File" - group_item_label: "Entry Point Exiftool" - } - - dimension: src__file__pe_file__imphash { - type: string - sql: ${TABLE}.src.file.pe_file.imphash ;; - group_label: "Src File Pe File" - group_item_label: "Imphash" - } - - dimension: src__file__pe_file__imports__list { - hidden: yes - sql: ${TABLE}.src.file.pe_file.imports.list ;; - group_label: "Src File Pe File Imports" - group_item_label: "List" - } - - dimension: src__file__pe_file__resource__list { - hidden: yes - sql: ${TABLE}.src.file.pe_file.resource.list ;; - group_label: "Src File Pe File Resource" - group_item_label: "List" - } - - dimension: src__file__pe_file__resources_language_count__list { - hidden: yes - sql: ${TABLE}.src.file.pe_file.resources_language_count.list ;; - group_label: "Src File Pe File Resources Language Count" - group_item_label: "List" - } - - dimension: src__file__pe_file__resources_type_count__list { - hidden: yes - sql: ${TABLE}.src.file.pe_file.resources_type_count.list ;; - group_label: "Src File Pe File Resources Type Count" - group_item_label: "List" - } - - dimension: src__file__pe_file__section__list { - hidden: yes - sql: ${TABLE}.src.file.pe_file.section.list ;; - group_label: "Src File Pe File Section" - group_item_label: "List" - } - - dimension: src__file__pe_file__signature_info__signer__list { - hidden: yes - sql: ${TABLE}.src.file.pe_file.signature_info.signer.list ;; - group_label: "Src File Pe File Signature Info Signer" - group_item_label: "List" - } - - dimension: src__file__pe_file__signature_info__verification_message { - type: string - sql: 
${TABLE}.src.file.pe_file.signature_info.verification_message ;; - group_label: "Src File Pe File Signature Info" - group_item_label: "Verification Message" - } - - dimension: src__file__pe_file__signature_info__verified { - type: yesno - sql: ${TABLE}.src.file.pe_file.signature_info.verified ;; - group_label: "Src File Pe File Signature Info" - group_item_label: "Verified" - } - - dimension: src__file__sha1 { - type: string - sql: ${TABLE}.src.file.sha1 ;; - group_label: "Src File" - group_item_label: "Sha1" - } - - dimension: src__file__sha256 { - type: string - sql: ${TABLE}.src.file.sha256 ;; - group_label: "Src File" - group_item_label: "Sha256" - } - - dimension: src__file__size { - type: number - sql: ${TABLE}.src.file.size ;; - group_label: "Src File" - group_item_label: "Size" - } - - dimension: src__file__ssdeep { - type: string - sql: ${TABLE}.src.file.ssdeep ;; - group_label: "Src File" - group_item_label: "Ssdeep" - } - - dimension: src__file__vhash { - type: string - sql: ${TABLE}.src.file.vhash ;; - group_label: "Src File" - group_item_label: "Vhash" - } - - dimension: src__group__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.src.`group`.attribute.cloud.availability_zone ;; - group_label: "Src Group Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: src__group__attribute__cloud__environment { - type: number - sql: ${TABLE}.src.`group`.attribute.cloud.environment ;; - group_label: "Src Group Attribute Cloud" - group_item_label: "Environment" - } - - dimension: src__group__attribute__creation_time { - type: string - sql: ${TABLE}.src.`group`.attribute.creation_time ;; - group_label: "Src Group Attribute" - group_item_label: "Creation Time" - } - - dimension: src__group__attribute__labels__list { - hidden: yes - sql: ${TABLE}.src.group.attribute.labels.list ;; - group_label: "Src Group Attribute Labels" - group_item_label: "List" - } - - dimension: src__group__attribute__last_update_time { - type: string - 
sql: ${TABLE}.src.`group`.attribute.last_update_time ;; - group_label: "Src Group Attribute" - group_item_label: "Last Update Time" - } - - dimension: src__group__attribute__permissions__list { - hidden: yes - sql: ${TABLE}.src.group.attribute.permissions.list ;; - group_label: "Src Group Attribute Permissions" - group_item_label: "List" - } - - dimension: src__group__attribute__roles__list { - hidden: yes - sql: ${TABLE}.src.group.attribute.roles.list ;; - group_label: "Src Group Attribute Roles" - group_item_label: "List" - } - - dimension: src__group__email_addresses__list { - hidden: yes - sql: ${TABLE}.src.group.email_addresses.list ;; - group_label: "Src Group Email Addresses" - group_item_label: "List" - } - - dimension: src__group__group_display_name { - type: string - sql: ${TABLE}.src.`group`.group_display_name ;; - group_label: "Src Group" - group_item_label: "Group Display Name" - } - - dimension: src__group__product_object_id { - type: string - sql: ${TABLE}.src.`group`.product_object_id ;; - group_label: "Src Group" - group_item_label: "Product Object ID" - } - - dimension: src__group__windows_sid { - type: string - sql: ${TABLE}.src.`group`.windows_sid ;; - group_label: "Src Group" - group_item_label: "Windows Sid" - } - - dimension: src__hostname { - type: string - sql: ${TABLE}.src.hostname ;; - group_label: "Src" - group_item_label: "Hostname" - } - - dimension: src__investigation__comments__list { - hidden: yes - sql: ${TABLE}.src.investigation.comments.list ;; - group_label: "Src Investigation Comments" - group_item_label: "List" - } - - dimension: src__investigation__reputation { - type: number - sql: ${TABLE}.src.investigation.reputation ;; - group_label: "Src Investigation" - group_item_label: "Reputation" - } - - dimension: src__investigation__severity_score { - type: number - sql: ${TABLE}.src.investigation.severity_score ;; - group_label: "Src Investigation" - group_item_label: "Severity Score" - } - - dimension: src__investigation__status 
{ - type: number - sql: ${TABLE}.src.investigation.status ;; - group_label: "Src Investigation" - group_item_label: "Status" - } - - dimension: src__investigation__verdict { - type: number - sql: ${TABLE}.src.investigation.verdict ;; - group_label: "Src Investigation" - group_item_label: "Verdict" - } - - dimension: src__ip__list { - hidden: yes - sql: ${TABLE}.src.ip.list ;; - group_label: "Src IP" - group_item_label: "List" - } - - dimension: src__location__city { - type: string - sql: ${TABLE}.src.location.city ;; - group_label: "Src Location" - group_item_label: "City" - } - - dimension: src__location__country_or_region { - type: string - sql: ${TABLE}.src.location.country_or_region ;; - group_label: "Src Location" - group_item_label: "Country or Region" - } - - dimension: src__location__desk_name { - type: string - sql: ${TABLE}.src.location.desk_name ;; - group_label: "Src Location" - group_item_label: "Desk Name" - } - - dimension: src__location__floor_name { - type: string - sql: ${TABLE}.src.location.floor_name ;; - group_label: "Src Location" - group_item_label: "Floor Name" - } - - dimension: src__location__name { - type: string - sql: ${TABLE}.src.location.name ;; - group_label: "Src Location" - group_item_label: "Name" - } - - dimension: src__location__region_latitude { - type: number - sql: ${TABLE}.src.location.region_latitude ;; - group_label: "Src Location" - group_item_label: "Region Latitude" - } - - dimension: src__location__region_longitude { - type: number - sql: ${TABLE}.src.location.region_longitude ;; - group_label: "Src Location" - group_item_label: "Region Longitude" - } - - dimension: src__location__state { - type: string - sql: ${TABLE}.src.location.state ;; - group_label: "Src Location" - group_item_label: "State" - } - - dimension: src__mac__list { - hidden: yes - sql: ${TABLE}.src.mac.list ;; - group_label: "Src Mac" - group_item_label: "List" - } - - dimension: src__namespace { - type: string - sql: ${TABLE}.src.namespace ;; - 
group_label: "Src" - group_item_label: "Namespace" - } - - dimension: src__nat_ip__list { - hidden: yes - sql: ${TABLE}.src.nat_ip.list ;; - group_label: "Src Nat IP" - group_item_label: "List" - } - - dimension: src__nat_port { - type: number - sql: ${TABLE}.src.nat_port ;; - group_label: "Src" - group_item_label: "Nat Port" - } - - dimension: src__object_reference__id { - type: string - sql: ${TABLE}.src.object_reference.id ;; - group_label: "Src Object Reference" - group_item_label: "ID" - } - - dimension: src__object_reference__namespace { - type: number - sql: ${TABLE}.src.object_reference.namespace ;; - group_label: "Src Object Reference" - group_item_label: "Namespace" - } - - dimension: src__platform { - type: number - sql: ${TABLE}.src.platform ;; - group_label: "Src" - group_item_label: "Platform" - } - - dimension: src__platform_patch_level { - type: string - sql: ${TABLE}.src.platform_patch_level ;; - group_label: "Src" - group_item_label: "Platform Patch Level" - } - - dimension: src__platform_version { - type: string - sql: ${TABLE}.src.platform_version ;; - group_label: "Src" - group_item_label: "Platform Version" - } - - dimension: src__port { - type: number - sql: ${TABLE}.src.port ;; - group_label: "Src" - group_item_label: "Port" - } - - dimension: src__process__access_mask { - type: number - sql: ${TABLE}.src.process.access_mask ;; - group_label: "Src Process" - group_item_label: "Access Mask" - } - - dimension: src__process__command_line { - type: string - sql: ${TABLE}.src.process.command_line ;; - group_label: "Src Process" - group_item_label: "Command Line" - } - - dimension: src__process__command_line_history__list { - hidden: yes - sql: ${TABLE}.src.process.command_line_history.list ;; - group_label: "Src Process Command Line History" - group_item_label: "List" - } - - dimension: src__process__file__ahash { - type: string - sql: ${TABLE}.src.process.file.ahash ;; - group_label: "Src Process File" - group_item_label: "Ahash" - } - - 
dimension: src__process__file__capabilities_tags__list { - hidden: yes - sql: ${TABLE}.src.process.file.capabilities_tags.list ;; - group_label: "Src Process File Capabilities Tags" - group_item_label: "List" - } - - dimension: src__process__file__file_type { - type: number - sql: ${TABLE}.src.process.file.file_type ;; - group_label: "Src Process File" - group_item_label: "File Type" - } - - dimension: src__process__file__full_path { - type: string - sql: ${TABLE}.src.process.file.full_path ;; - group_label: "Src Process File" - group_item_label: "Full Path" - } - - dimension: src__process__file__md5 { - type: string - sql: ${TABLE}.src.process.file.md5 ;; - group_label: "Src Process File" - group_item_label: "Md5" - } - - dimension: src__process__file__mime_type { - type: string - sql: ${TABLE}.src.process.file.mime_type ;; - group_label: "Src Process File" - group_item_label: "Mime Type" - } - - dimension: src__process__file__names__list { - hidden: yes - sql: ${TABLE}.src.process.file.names.list ;; - group_label: "Src Process File Names" - group_item_label: "List" - } - - dimension: src__process__file__pe_file__compilation_exiftool_time { - type: string - sql: ${TABLE}.src.process.file.pe_file.compilation_exiftool_time ;; - group_label: "Src Process File Pe File" - group_item_label: "Compilation Exiftool Time" - } - - dimension: src__process__file__pe_file__compilation_time { - type: string - sql: ${TABLE}.src.process.file.pe_file.compilation_time ;; - group_label: "Src Process File Pe File" - group_item_label: "Compilation Time" - } - - dimension: src__process__file__pe_file__entry_point { - type: number - sql: ${TABLE}.src.process.file.pe_file.entry_point ;; - group_label: "Src Process File Pe File" - group_item_label: "Entry Point" - } - - dimension: src__process__file__pe_file__entry_point_exiftool { - type: number - sql: ${TABLE}.src.process.file.pe_file.entry_point_exiftool ;; - group_label: "Src Process File Pe File" - group_item_label: "Entry Point 
Exiftool" - } - - dimension: src__process__file__pe_file__imphash { - type: string - sql: ${TABLE}.src.process.file.pe_file.imphash ;; - group_label: "Src Process File Pe File" - group_item_label: "Imphash" - } - - dimension: src__process__file__pe_file__imports__list { - hidden: yes - sql: ${TABLE}.src.process.file.pe_file.imports.list ;; - group_label: "Src Process File Pe File Imports" - group_item_label: "List" - } - - dimension: src__process__file__pe_file__resource__list { - hidden: yes - sql: ${TABLE}.src.process.file.pe_file.resource.list ;; - group_label: "Src Process File Pe File Resource" - group_item_label: "List" - } - - dimension: src__process__file__pe_file__resources_language_count__list { - hidden: yes - sql: ${TABLE}.src.process.file.pe_file.resources_language_count.list ;; - group_label: "Src Process File Pe File Resources Language Count" - group_item_label: "List" - } - - dimension: src__process__file__pe_file__resources_type_count__list { - hidden: yes - sql: ${TABLE}.src.process.file.pe_file.resources_type_count.list ;; - group_label: "Src Process File Pe File Resources Type Count" - group_item_label: "List" - } - - dimension: src__process__file__pe_file__section__list { - hidden: yes - sql: ${TABLE}.src.process.file.pe_file.section.list ;; - group_label: "Src Process File Pe File Section" - group_item_label: "List" - } - - dimension: src__process__file__pe_file__signature_info__signer__list { - hidden: yes - sql: ${TABLE}.src.process.file.pe_file.signature_info.signer.list ;; - group_label: "Src Process File Pe File Signature Info Signer" - group_item_label: "List" - } - - dimension: src__process__file__pe_file__signature_info__verification_message { - type: string - sql: ${TABLE}.src.process.file.pe_file.signature_info.verification_message ;; - group_label: "Src Process File Pe File Signature Info" - group_item_label: "Verification Message" - } - - dimension: src__process__file__pe_file__signature_info__verified { - type: yesno - sql: 
${TABLE}.src.process.file.pe_file.signature_info.verified ;; - group_label: "Src Process File Pe File Signature Info" - group_item_label: "Verified" - } - - dimension: src__process__file__sha1 { - type: string - sql: ${TABLE}.src.process.file.sha1 ;; - group_label: "Src Process File" - group_item_label: "Sha1" - } - - dimension: src__process__file__sha256 { - type: string - sql: ${TABLE}.src.process.file.sha256 ;; - group_label: "Src Process File" - group_item_label: "Sha256" - } - - dimension: src__process__file__size { - type: number - sql: ${TABLE}.src.process.file.size ;; - group_label: "Src Process File" - group_item_label: "Size" - } - - dimension: src__process__file__ssdeep { - type: string - sql: ${TABLE}.src.process.file.ssdeep ;; - group_label: "Src Process File" - group_item_label: "Ssdeep" - } - - dimension: src__process__file__vhash { - type: string - sql: ${TABLE}.src.process.file.vhash ;; - group_label: "Src Process File" - group_item_label: "Vhash" - } - - dimension: src__process__pid { - type: string - sql: ${TABLE}.src.process.pid ;; - group_label: "Src Process" - group_item_label: "Pid" - } - - dimension: src__process__product_specific_process_id { - type: string - sql: ${TABLE}.src.process.product_specific_process_id ;; - group_label: "Src Process" - group_item_label: "Product Specific Process ID" - } - - dimension: src__process_ancestors__list { - hidden: yes - sql: ${TABLE}.src.process_ancestors.list ;; - group_label: "Src Process Ancestors" - group_item_label: "List" - } - - dimension: src__registry__registry_key { - type: string - sql: ${TABLE}.src.registry.registry_key ;; - group_label: "Src Registry" - group_item_label: "Registry Key" - } - - dimension: src__registry__registry_value_data { - type: string - sql: ${TABLE}.src.registry.registry_value_data ;; - group_label: "Src Registry" - group_item_label: "Registry Value Data" - } - - dimension: src__registry__registry_value_name { - type: string - sql: 
${TABLE}.src.registry.registry_value_name ;; - group_label: "Src Registry" - group_item_label: "Registry Value Name" - } - - dimension: src__resource__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.src.resource.attribute.cloud.availability_zone ;; - group_label: "Src Resource Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: src__resource__attribute__cloud__environment { - type: number - sql: ${TABLE}.src.resource.attribute.cloud.environment ;; - group_label: "Src Resource Attribute Cloud" - group_item_label: "Environment" - } - - dimension: src__resource__attribute__creation_time { - type: string - sql: ${TABLE}.src.resource.attribute.creation_time ;; - group_label: "Src Resource Attribute" - group_item_label: "Creation Time" - } - - dimension: src__resource__attribute__labels__list { - hidden: yes - sql: ${TABLE}.src.resource.attribute.labels.list ;; - group_label: "Src Resource Attribute Labels" - group_item_label: "List" - } - - dimension: src__resource__attribute__last_update_time { - type: string - sql: ${TABLE}.src.resource.attribute.last_update_time ;; - group_label: "Src Resource Attribute" - group_item_label: "Last Update Time" - } - - dimension: src__resource__attribute__permissions__list { - hidden: yes - sql: ${TABLE}.src.resource.attribute.permissions.list ;; - group_label: "Src Resource Attribute Permissions" - group_item_label: "List" - } - - dimension: src__resource__attribute__roles__list { - hidden: yes - sql: ${TABLE}.src.resource.attribute.roles.list ;; - group_label: "Src Resource Attribute Roles" - group_item_label: "List" - } - - dimension: src__resource__name { - type: string - sql: ${TABLE}.src.resource.name ;; - group_label: "Src Resource" - group_item_label: "Name" - } - - dimension: src__resource__product_object_id { - type: string - sql: ${TABLE}.src.resource.product_object_id ;; - group_label: "Src Resource" - group_item_label: "Product Object ID" - } - - dimension: 
src__resource__resource_subtype { - type: string - sql: ${TABLE}.src.resource.resource_subtype ;; - group_label: "Src Resource" - group_item_label: "Resource Subtype" - } - - dimension: src__resource__resource_type { - type: number - sql: ${TABLE}.src.resource.resource_type ;; - group_label: "Src Resource" - group_item_label: "Resource Type" - } - - dimension: src__resource_ancestors__list { - hidden: yes - sql: ${TABLE}.src.resource_ancestors.list ;; - group_label: "Src Resource Ancestors" - group_item_label: "List" - } - - dimension: src__url { - type: string - sql: ${TABLE}.src.url ;; - group_label: "Src" - group_item_label: "URL" - } - - dimension: src__user__account_type { - type: number - sql: ${TABLE}.src.user.account_type ;; - group_label: "Src User" - group_item_label: "Account Type" - } - - dimension: src__user__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.src.user.attribute.cloud.availability_zone ;; - group_label: "Src User Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: src__user__attribute__cloud__environment { - type: number - sql: ${TABLE}.src.user.attribute.cloud.environment ;; - group_label: "Src User Attribute Cloud" - group_item_label: "Environment" - } - - dimension: src__user__attribute__creation_time { - type: string - sql: ${TABLE}.src.user.attribute.creation_time ;; - group_label: "Src User Attribute" - group_item_label: "Creation Time" - } - - dimension: src__user__attribute__labels__list { - hidden: yes - sql: ${TABLE}.src.user.attribute.labels.list ;; - group_label: "Src User Attribute Labels" - group_item_label: "List" - } - - dimension: src__user__attribute__last_update_time { - type: string - sql: ${TABLE}.src.user.attribute.last_update_time ;; - group_label: "Src User Attribute" - group_item_label: "Last Update Time" - } - - dimension: src__user__attribute__permissions__list { - hidden: yes - sql: ${TABLE}.src.user.attribute.permissions.list ;; - group_label: "Src User Attribute 
Permissions" - group_item_label: "List" - } - - dimension: src__user__attribute__roles__list { - hidden: yes - sql: ${TABLE}.src.user.attribute.roles.list ;; - group_label: "Src User Attribute Roles" - group_item_label: "List" - } - - dimension: src__user__company_name { - type: string - sql: ${TABLE}.src.user.company_name ;; - group_label: "Src User" - group_item_label: "Company Name" - } - - dimension: src__user__department__list { - hidden: yes - sql: ${TABLE}.src.user.department.list ;; - group_label: "Src User Department" - group_item_label: "List" - } - - dimension: src__user__email_addresses__list { - hidden: yes - sql: ${TABLE}.src.user.email_addresses.list ;; - group_label: "Src User Email Addresses" - group_item_label: "List" - } - - dimension: src__user__employee_id { - type: string - sql: ${TABLE}.src.user.employee_id ;; - group_label: "Src User" - group_item_label: "Employee ID" - } - - dimension: src__user__first_name { - type: string - sql: ${TABLE}.src.user.first_name ;; - group_label: "Src User" - group_item_label: "First Name" - } - - dimension: src__user__group_identifiers__list { - hidden: yes - sql: ${TABLE}.src.user.group_identifiers.list ;; - group_label: "Src User Group Identifiers" - group_item_label: "List" - } - - dimension: src__user__hire_date { - type: string - sql: ${TABLE}.src.user.hire_date ;; - group_label: "Src User" - group_item_label: "Hire Date" - } - - dimension: src__user__last_name { - type: string - sql: ${TABLE}.src.user.last_name ;; - group_label: "Src User" - group_item_label: "Last Name" - } - - dimension: src__user__middle_name { - type: string - sql: ${TABLE}.src.user.middle_name ;; - group_label: "Src User" - group_item_label: "Middle Name" - } - - dimension: src__user__office_address__city { - type: string - sql: ${TABLE}.src.user.office_address.city ;; - group_label: "Src User Office Address" - group_item_label: "City" - } - - dimension: src__user__office_address__country_or_region { - type: string - sql: 
${TABLE}.src.user.office_address.country_or_region ;; - group_label: "Src User Office Address" - group_item_label: "Country or Region" - } - - dimension: src__user__office_address__desk_name { - type: string - sql: ${TABLE}.src.user.office_address.desk_name ;; - group_label: "Src User Office Address" - group_item_label: "Desk Name" - } - - dimension: src__user__office_address__floor_name { - type: string - sql: ${TABLE}.src.user.office_address.floor_name ;; - group_label: "Src User Office Address" - group_item_label: "Floor Name" - } - - dimension: src__user__office_address__name { - type: string - sql: ${TABLE}.src.user.office_address.name ;; - group_label: "Src User Office Address" - group_item_label: "Name" - } - - dimension: src__user__office_address__region_latitude { - type: number - sql: ${TABLE}.src.user.office_address.region_latitude ;; - group_label: "Src User Office Address" - group_item_label: "Region Latitude" - } - - dimension: src__user__office_address__region_longitude { - type: number - sql: ${TABLE}.src.user.office_address.region_longitude ;; - group_label: "Src User Office Address" - group_item_label: "Region Longitude" - } - - dimension: src__user__office_address__state { - type: string - sql: ${TABLE}.src.user.office_address.state ;; - group_label: "Src User Office Address" - group_item_label: "State" - } - - dimension: src__user__personal_address__city { - type: string - sql: ${TABLE}.src.user.personal_address.city ;; - group_label: "Src User Personal Address" - group_item_label: "City" - } - - dimension: src__user__personal_address__country_or_region { - type: string - sql: ${TABLE}.src.user.personal_address.country_or_region ;; - group_label: "Src User Personal Address" - group_item_label: "Country or Region" - } - - dimension: src__user__personal_address__desk_name { - type: string - sql: ${TABLE}.src.user.personal_address.desk_name ;; - group_label: "Src User Personal Address" - group_item_label: "Desk Name" - } - - dimension: 
src__user__personal_address__floor_name { - type: string - sql: ${TABLE}.src.user.personal_address.floor_name ;; - group_label: "Src User Personal Address" - group_item_label: "Floor Name" - } - - dimension: src__user__personal_address__name { - type: string - sql: ${TABLE}.src.user.personal_address.name ;; - group_label: "Src User Personal Address" - group_item_label: "Name" - } - - dimension: src__user__personal_address__region_latitude { - type: number - sql: ${TABLE}.src.user.personal_address.region_latitude ;; - group_label: "Src User Personal Address" - group_item_label: "Region Latitude" - } - - dimension: src__user__personal_address__region_longitude { - type: number - sql: ${TABLE}.src.user.personal_address.region_longitude ;; - group_label: "Src User Personal Address" - group_item_label: "Region Longitude" - } - - dimension: src__user__personal_address__state { - type: string - sql: ${TABLE}.src.user.personal_address.state ;; - group_label: "Src User Personal Address" - group_item_label: "State" - } - - dimension: src__user__phone_numbers__list { - hidden: yes - sql: ${TABLE}.src.user.phone_numbers.list ;; - group_label: "Src User Phone Numbers" - group_item_label: "List" - } - - dimension: src__user__product_object_id { - type: string - sql: ${TABLE}.src.user.product_object_id ;; - group_label: "Src User" - group_item_label: "Product Object ID" - } - - dimension: src__user__termination_date { - type: string - sql: ${TABLE}.src.user.termination_date ;; - group_label: "Src User" - group_item_label: "Termination Date" - } - - dimension: src__user__time_off__list { - hidden: yes - sql: ${TABLE}.src.user.time_off.list ;; - group_label: "Src User Time Off" - group_item_label: "List" - } - - dimension: src__user__title { - type: string - sql: ${TABLE}.src.user.title ;; - group_label: "Src User" - group_item_label: "Title" - } - - dimension: src__user__user_authentication_status { - type: number - sql: ${TABLE}.src.user.user_authentication_status ;; - 
group_label: "Src User" - group_item_label: "User Authentication Status" - } - - dimension: src__user__user_display_name { - type: string - sql: ${TABLE}.src.user.user_display_name ;; - group_label: "Src User" - group_item_label: "User Display Name" - } - - dimension: src__user__userid { - type: string - sql: ${TABLE}.src.user.userid ;; - group_label: "Src User" - group_item_label: "Userid" - } - - dimension: src__user__windows_sid { - type: string - sql: ${TABLE}.src.user.windows_sid ;; - group_label: "Src User" - group_item_label: "Windows Sid" - } - - dimension: src__user_management_chain__list { - hidden: yes - sql: ${TABLE}.src.user_management_chain.list ;; - group_label: "Src User Management Chain" - group_item_label: "List" - } - - dimension: target__administrative_domain { - type: string - sql: ${TABLE}.target.administrative_domain ;; - group_label: "Target" - group_item_label: "Administrative Domain" - } - - dimension: target__application { - type: string - sql: ${TABLE}.target.application ;; - group_label: "Target" - group_item_label: "Application" - } - - dimension: target__asset__asset_id { - type: string - sql: ${TABLE}.target.asset.asset_id ;; - group_label: "Target Asset" - group_item_label: "Asset ID" - } - - dimension: target__asset__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.target.asset.attribute.cloud.availability_zone ;; - group_label: "Target Asset Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: target__asset__attribute__cloud__environment { - type: number - sql: ${TABLE}.target.asset.attribute.cloud.environment ;; - group_label: "Target Asset Attribute Cloud" - group_item_label: "Environment" - } - - dimension: target__asset__attribute__creation_time { - type: string - sql: ${TABLE}.target.asset.attribute.creation_time ;; - group_label: "Target Asset Attribute" - group_item_label: "Creation Time" - } - - dimension: target__asset__attribute__labels__list { - hidden: yes - sql: 
${TABLE}.target.asset.attribute.labels.list ;; - group_label: "Target Asset Attribute Labels" - group_item_label: "List" - } - - dimension: target__asset__attribute__last_update_time { - type: string - sql: ${TABLE}.target.asset.attribute.last_update_time ;; - group_label: "Target Asset Attribute" - group_item_label: "Last Update Time" - } - - dimension: target__asset__attribute__permissions__list { - hidden: yes - sql: ${TABLE}.target.asset.attribute.permissions.list ;; - group_label: "Target Asset Attribute Permissions" - group_item_label: "List" - } - - dimension: target__asset__attribute__roles__list { - hidden: yes - sql: ${TABLE}.target.asset.attribute.roles.list ;; - group_label: "Target Asset Attribute Roles" - group_item_label: "List" - } - - dimension: target__asset__category { - type: string - sql: ${TABLE}.target.asset.category ;; - group_label: "Target Asset" - group_item_label: "Category" - } - - dimension: target__asset__deployment_status { - type: number - sql: ${TABLE}.target.asset.deployment_status ;; - group_label: "Target Asset" - group_item_label: "Deployment Status" - } - - dimension: target__asset__first_discover_time { - type: string - sql: ${TABLE}.target.asset.first_discover_time ;; - group_label: "Target Asset" - group_item_label: "First Discover Time" - } - - dimension: target__asset__hardware__list { - hidden: yes - sql: ${TABLE}.target.asset.hardware.list ;; - group_label: "Target Asset Hardware" - group_item_label: "List" - } - - dimension: target__asset__hostname { - type: string - sql: ${TABLE}.target.asset.hostname ;; - group_label: "Target Asset" - group_item_label: "Hostname" - } - - dimension: target__asset__ip__list { - hidden: yes - sql: ${TABLE}.target.asset.ip.list ;; - group_label: "Target Asset IP" - group_item_label: "List" - } - - dimension: target__asset__last_boot_time { - type: string - sql: ${TABLE}.target.asset.last_boot_time ;; - group_label: "Target Asset" - group_item_label: "Last Boot Time" - } - - dimension: 
target__asset__last_discover_time { - type: string - sql: ${TABLE}.target.asset.last_discover_time ;; - group_label: "Target Asset" - group_item_label: "Last Discover Time" - } - - dimension: target__asset__location__city { - type: string - sql: ${TABLE}.target.asset.location.city ;; - group_label: "Target Asset Location" - group_item_label: "City" - } - - dimension: target__asset__location__country_or_region { - type: string - sql: ${TABLE}.target.asset.location.country_or_region ;; - group_label: "Target Asset Location" - group_item_label: "Country or Region" - } - - dimension: target__asset__location__desk_name { - type: string - sql: ${TABLE}.target.asset.location.desk_name ;; - group_label: "Target Asset Location" - group_item_label: "Desk Name" - } - - dimension: target__asset__location__floor_name { - type: string - sql: ${TABLE}.target.asset.location.floor_name ;; - group_label: "Target Asset Location" - group_item_label: "Floor Name" - } - - dimension: target__asset__location__name { - type: string - sql: ${TABLE}.target.asset.location.name ;; - group_label: "Target Asset Location" - group_item_label: "Name" - } - - dimension: target__asset__location__region_latitude { - type: number - sql: ${TABLE}.target.asset.location.region_latitude ;; - group_label: "Target Asset Location" - group_item_label: "Region Latitude" - } - - dimension: target__asset__location__region_longitude { - type: number - sql: ${TABLE}.target.asset.location.region_longitude ;; - group_label: "Target Asset Location" - group_item_label: "Region Longitude" - } - - dimension: target__asset__location__state { - type: string - sql: ${TABLE}.target.asset.location.state ;; - group_label: "Target Asset Location" - group_item_label: "State" - } - - dimension: target__asset__mac__list { - hidden: yes - sql: ${TABLE}.target.asset.mac.list ;; - group_label: "Target Asset Mac" - group_item_label: "List" - } - - dimension: target__asset__nat_ip__list { - hidden: yes - sql: 
${TABLE}.target.asset.nat_ip.list ;; - group_label: "Target Asset Nat IP" - group_item_label: "List" - } - - dimension: target__asset__network_domain { - type: string - sql: ${TABLE}.target.asset.network_domain ;; - group_label: "Target Asset" - group_item_label: "Network Domain" - } - - dimension: target__asset__platform_software__platform { - type: number - sql: ${TABLE}.target.asset.platform_software.platform ;; - group_label: "Target Asset Platform Software" - group_item_label: "Platform" - } - - dimension: target__asset__platform_software__platform_patch_level { - type: string - sql: ${TABLE}.target.asset.platform_software.platform_patch_level ;; - group_label: "Target Asset Platform Software" - group_item_label: "Platform Patch Level" - } - - dimension: target__asset__platform_software__platform_version { - type: string - sql: ${TABLE}.target.asset.platform_software.platform_version ;; - group_label: "Target Asset Platform Software" - group_item_label: "Platform Version" - } - - dimension: target__asset__product_object_id { - type: string - sql: ${TABLE}.target.asset.product_object_id ;; - group_label: "Target Asset" - group_item_label: "Product Object ID" - } - - dimension: target__asset__software__list { - hidden: yes - sql: ${TABLE}.target.asset.software.list ;; - group_label: "Target Asset Software" - group_item_label: "List" - } - - dimension: target__asset__system_last_update_time { - type: string - sql: ${TABLE}.target.asset.system_last_update_time ;; - group_label: "Target Asset" - group_item_label: "System Last Update Time" - } - - dimension: target__asset__type { - type: number - sql: ${TABLE}.target.asset.type ;; - group_label: "Target Asset" - group_item_label: "Type" - } - - dimension: target__asset__vulnerabilities__list { - hidden: yes - sql: ${TABLE}.target.asset.vulnerabilities.list ;; - group_label: "Target Asset Vulnerabilities" - group_item_label: "List" - } - - dimension: target__asset_id { - type: string - sql: ${TABLE}.target.asset_id 
;; - group_label: "Target" - group_item_label: "Asset ID" - } - - dimension: target__domain__name { - type: string - sql: ${TABLE}.target.domain.name ;; - group_label: "Target Domain" - group_item_label: "Name" - } - - dimension: target__domain__prevalence__day_count { - type: number - sql: ${TABLE}.target.domain.prevalence.day_count ;; - group_label: "Target Domain Prevalence" - group_item_label: "Day Count" - } - - dimension: target__domain__prevalence__rolling_max { - type: number - sql: ${TABLE}.target.domain.prevalence.rolling_max ;; - group_label: "Target Domain Prevalence" - group_item_label: "Rolling Max" - } - - dimension: target__email { - type: string - sql: ${TABLE}.target.email ;; - group_label: "Target" - group_item_label: "Email" - } - - dimension: target__file__ahash { - type: string - sql: ${TABLE}.target.file.ahash ;; - group_label: "Target File" - group_item_label: "Ahash" - } - - dimension: target__file__capabilities_tags__list { - hidden: yes - sql: ${TABLE}.target.file.capabilities_tags.list ;; - group_label: "Target File Capabilities Tags" - group_item_label: "List" - } - - dimension: target__file__file_type { - type: number - sql: ${TABLE}.target.file.file_type ;; - group_label: "Target File" - group_item_label: "File Type" - } - - dimension: target__file__full_path { - type: string - sql: ${TABLE}.target.file.full_path ;; - group_label: "Target File" - group_item_label: "Full Path" - } - - dimension: target__file__md5 { - type: string - sql: ${TABLE}.target.file.md5 ;; - group_label: "Target File" - group_item_label: "Md5" - } - - dimension: target__file__mime_type { - type: string - sql: ${TABLE}.target.file.mime_type ;; - group_label: "Target File" - group_item_label: "Mime Type" - } - - dimension: target__file__names__list { - hidden: yes - sql: ${TABLE}.target.file.names.list ;; - group_label: "Target File Names" - group_item_label: "List" - } - - dimension: target__file__pe_file__compilation_exiftool_time { - type: string - sql: 
${TABLE}.target.file.pe_file.compilation_exiftool_time ;; - group_label: "Target File Pe File" - group_item_label: "Compilation Exiftool Time" - } - - dimension: target__file__pe_file__compilation_time { - type: string - sql: ${TABLE}.target.file.pe_file.compilation_time ;; - group_label: "Target File Pe File" - group_item_label: "Compilation Time" - } - - dimension: target__file__pe_file__entry_point { - type: number - sql: ${TABLE}.target.file.pe_file.entry_point ;; - group_label: "Target File Pe File" - group_item_label: "Entry Point" - } - - dimension: target__file__pe_file__entry_point_exiftool { - type: number - sql: ${TABLE}.target.file.pe_file.entry_point_exiftool ;; - group_label: "Target File Pe File" - group_item_label: "Entry Point Exiftool" - } - - dimension: target__file__pe_file__imphash { - type: string - sql: ${TABLE}.target.file.pe_file.imphash ;; - group_label: "Target File Pe File" - group_item_label: "Imphash" - } - - dimension: target__file__pe_file__imports__list { - hidden: yes - sql: ${TABLE}.target.file.pe_file.imports.list ;; - group_label: "Target File Pe File Imports" - group_item_label: "List" - } - - dimension: target__file__pe_file__resource__list { - hidden: yes - sql: ${TABLE}.target.file.pe_file.resource.list ;; - group_label: "Target File Pe File Resource" - group_item_label: "List" - } - - dimension: target__file__pe_file__resources_language_count__list { - hidden: yes - sql: ${TABLE}.target.file.pe_file.resources_language_count.list ;; - group_label: "Target File Pe File Resources Language Count" - group_item_label: "List" - } - - dimension: target__file__pe_file__resources_type_count__list { - hidden: yes - sql: ${TABLE}.target.file.pe_file.resources_type_count.list ;; - group_label: "Target File Pe File Resources Type Count" - group_item_label: "List" - } - - dimension: target__file__pe_file__section__list { - hidden: yes - sql: ${TABLE}.target.file.pe_file.section.list ;; - group_label: "Target File Pe File Section" - 
group_item_label: "List" - } - - dimension: target__file__pe_file__signature_info__signer__list { - hidden: yes - sql: ${TABLE}.target.file.pe_file.signature_info.signer.list ;; - group_label: "Target File Pe File Signature Info Signer" - group_item_label: "List" - } - - dimension: target__file__pe_file__signature_info__verification_message { - type: string - sql: ${TABLE}.target.file.pe_file.signature_info.verification_message ;; - group_label: "Target File Pe File Signature Info" - group_item_label: "Verification Message" - } - - dimension: target__file__pe_file__signature_info__verified { - type: yesno - sql: ${TABLE}.target.file.pe_file.signature_info.verified ;; - group_label: "Target File Pe File Signature Info" - group_item_label: "Verified" - } - - dimension: target__file__sha1 { - type: string - sql: ${TABLE}.target.file.sha1 ;; - group_label: "Target File" - group_item_label: "Sha1" - } - - dimension: target__file__sha256 { - type: string - sql: ${TABLE}.target.file.sha256 ;; - group_label: "Target File" - group_item_label: "Sha256" - } - - dimension: target__file__size { - type: number - sql: ${TABLE}.target.file.size ;; - group_label: "Target File" - group_item_label: "Size" - } - - dimension: target__file__ssdeep { - type: string - sql: ${TABLE}.target.file.ssdeep ;; - group_label: "Target File" - group_item_label: "Ssdeep" - } - - dimension: target__file__vhash { - type: string - sql: ${TABLE}.target.file.vhash ;; - group_label: "Target File" - group_item_label: "Vhash" - } - - dimension: target__group__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.target.`group`.attribute.cloud.availability_zone ;; - group_label: "Target Group Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: target__group__attribute__cloud__environment { - type: number - sql: ${TABLE}.target.`group`.attribute.cloud.environment ;; - group_label: "Target Group Attribute Cloud" - group_item_label: "Environment" - } - - dimension: 
target__group__attribute__creation_time { - type: string - sql: ${TABLE}.target.`group`.attribute.creation_time ;; - group_label: "Target Group Attribute" - group_item_label: "Creation Time" - } - - dimension: target__group__attribute__labels__list { - hidden: yes - sql: ${TABLE}.target.group.attribute.labels.list ;; - group_label: "Target Group Attribute Labels" - group_item_label: "List" - } - - dimension: target__group__attribute__last_update_time { - type: string - sql: ${TABLE}.target.`group`.attribute.last_update_time ;; - group_label: "Target Group Attribute" - group_item_label: "Last Update Time" - } - - dimension: target__group__attribute__permissions__list { - hidden: yes - sql: ${TABLE}.target.group.attribute.permissions.list ;; - group_label: "Target Group Attribute Permissions" - group_item_label: "List" - } - - dimension: target__group__attribute__roles__list { - hidden: yes - sql: ${TABLE}.target.group.attribute.roles.list ;; - group_label: "Target Group Attribute Roles" - group_item_label: "List" - } - - dimension: target__group__email_addresses__list { - hidden: yes - sql: ${TABLE}.target.group.email_addresses.list ;; - group_label: "Target Group Email Addresses" - group_item_label: "List" - } - - dimension: target__group__group_display_name { - type: string - sql: ${TABLE}.target.`group`.group_display_name ;; - group_label: "Target Group" - group_item_label: "Group Display Name" - } - - dimension: target__group__product_object_id { - type: string - sql: ${TABLE}.target.`group`.product_object_id ;; - group_label: "Target Group" - group_item_label: "Product Object ID" - } - - dimension: target__group__windows_sid { - type: string - sql: ${TABLE}.target.`group`.windows_sid ;; - group_label: "Target Group" - group_item_label: "Windows Sid" - } - - dimension: target__hostname { - type: string - sql: ${TABLE}.target.hostname ;; - group_label: "Target" - group_item_label: "Hostname" - } - - dimension: target__investigation__comments__list { - hidden: yes 
- sql: ${TABLE}.target.investigation.comments.list ;; - group_label: "Target Investigation Comments" - group_item_label: "List" - } - - dimension: target__investigation__reputation { - type: number - sql: ${TABLE}.target.investigation.reputation ;; - group_label: "Target Investigation" - group_item_label: "Reputation" - } - - dimension: target__investigation__severity_score { - type: number - sql: ${TABLE}.target.investigation.severity_score ;; - group_label: "Target Investigation" - group_item_label: "Severity Score" - } - - dimension: target__investigation__status { - type: number - sql: ${TABLE}.target.investigation.status ;; - group_label: "Target Investigation" - group_item_label: "Status" - } - - dimension: target__investigation__verdict { - type: number - sql: ${TABLE}.target.investigation.verdict ;; - group_label: "Target Investigation" - group_item_label: "Verdict" - } - - dimension: target__ip__list { - hidden: yes - sql: ${TABLE}.target.ip.list ;; - group_label: "Target IP" - group_item_label: "List" - } - - dimension: target__location__city { - type: string - sql: ${TABLE}.target.location.city ;; - group_label: "Target Location" - group_item_label: "City" - } - - dimension: target__location__country_or_region { - type: string - sql: ${TABLE}.target.location.country_or_region ;; - group_label: "Target Location" - group_item_label: "Country or Region" - } - - dimension: target__location__desk_name { - type: string - sql: ${TABLE}.target.location.desk_name ;; - group_label: "Target Location" - group_item_label: "Desk Name" - } - - dimension: target__location__floor_name { - type: string - sql: ${TABLE}.target.location.floor_name ;; - group_label: "Target Location" - group_item_label: "Floor Name" - } - - dimension: target__location__name { - type: string - sql: ${TABLE}.target.location.name ;; - group_label: "Target Location" - group_item_label: "Name" - } - - dimension: target__location__region_latitude { - type: number - sql: 
${TABLE}.target.location.region_latitude ;; - group_label: "Target Location" - group_item_label: "Region Latitude" - } - - dimension: target__location__region_longitude { - type: number - sql: ${TABLE}.target.location.region_longitude ;; - group_label: "Target Location" - group_item_label: "Region Longitude" - } - - dimension: target__location__state { - type: string - sql: ${TABLE}.target.location.state ;; - group_label: "Target Location" - group_item_label: "State" - } - - dimension: target__mac__list { - hidden: yes - sql: ${TABLE}.target.mac.list ;; - group_label: "Target Mac" - group_item_label: "List" - } - - dimension: target__namespace { - type: string - sql: ${TABLE}.target.namespace ;; - group_label: "Target" - group_item_label: "Namespace" - } - - dimension: target__nat_ip__list { - hidden: yes - sql: ${TABLE}.target.nat_ip.list ;; - group_label: "Target Nat IP" - group_item_label: "List" - } - - dimension: target__nat_port { - type: number - sql: ${TABLE}.target.nat_port ;; - group_label: "Target" - group_item_label: "Nat Port" - } - - dimension: target__object_reference__id { - type: string - sql: ${TABLE}.target.object_reference.id ;; - group_label: "Target Object Reference" - group_item_label: "ID" - } - - dimension: target__object_reference__namespace { - type: number - sql: ${TABLE}.target.object_reference.namespace ;; - group_label: "Target Object Reference" - group_item_label: "Namespace" - } - - dimension: target__platform { - type: number - sql: ${TABLE}.target.platform ;; - group_label: "Target" - group_item_label: "Platform" - } - - dimension: target__platform_patch_level { - type: string - sql: ${TABLE}.target.platform_patch_level ;; - group_label: "Target" - group_item_label: "Platform Patch Level" - } - - dimension: target__platform_version { - type: string - sql: ${TABLE}.target.platform_version ;; - group_label: "Target" - group_item_label: "Platform Version" - } - - dimension: target__port { - type: number - sql: ${TABLE}.target.port ;; 
- group_label: "Target" - group_item_label: "Port" - } - - dimension: target__process__access_mask { - type: number - sql: ${TABLE}.target.process.access_mask ;; - group_label: "Target Process" - group_item_label: "Access Mask" - } - - dimension: target__process__command_line { - type: string - sql: ${TABLE}.target.process.command_line ;; - group_label: "Target Process" - group_item_label: "Command Line" - } - - dimension: target__process__command_line_history__list { - hidden: yes - sql: ${TABLE}.target.process.command_line_history.list ;; - group_label: "Target Process Command Line History" - group_item_label: "List" - } - - dimension: target__process__file__ahash { - type: string - sql: ${TABLE}.target.process.file.ahash ;; - group_label: "Target Process File" - group_item_label: "Ahash" - } - - dimension: target__process__file__capabilities_tags__list { - hidden: yes - sql: ${TABLE}.target.process.file.capabilities_tags.list ;; - group_label: "Target Process File Capabilities Tags" - group_item_label: "List" - } - - dimension: target__process__file__file_type { - type: number - sql: ${TABLE}.target.process.file.file_type ;; - group_label: "Target Process File" - group_item_label: "File Type" - } - - dimension: target__process__file__full_path { - type: string - sql: ${TABLE}.target.process.file.full_path ;; - group_label: "Target Process File" - group_item_label: "Full Path" - } - - dimension: target__process__file__md5 { - type: string - sql: ${TABLE}.target.process.file.md5 ;; - group_label: "Target Process File" - group_item_label: "Md5" - } - - dimension: target__process__file__mime_type { - type: string - sql: ${TABLE}.target.process.file.mime_type ;; - group_label: "Target Process File" - group_item_label: "Mime Type" - } - - dimension: target__process__file__names__list { - hidden: yes - sql: ${TABLE}.target.process.file.names.list ;; - group_label: "Target Process File Names" - group_item_label: "List" - } - - dimension: 
target__process__file__pe_file__compilation_exiftool_time { - type: string - sql: ${TABLE}.target.process.file.pe_file.compilation_exiftool_time ;; - group_label: "Target Process File Pe File" - group_item_label: "Compilation Exiftool Time" - } - - dimension: target__process__file__pe_file__compilation_time { - type: string - sql: ${TABLE}.target.process.file.pe_file.compilation_time ;; - group_label: "Target Process File Pe File" - group_item_label: "Compilation Time" - } - - dimension: target__process__file__pe_file__entry_point { - type: number - sql: ${TABLE}.target.process.file.pe_file.entry_point ;; - group_label: "Target Process File Pe File" - group_item_label: "Entry Point" - } - - dimension: target__process__file__pe_file__entry_point_exiftool { - type: number - sql: ${TABLE}.target.process.file.pe_file.entry_point_exiftool ;; - group_label: "Target Process File Pe File" - group_item_label: "Entry Point Exiftool" - } - - dimension: target__process__file__pe_file__imphash { - type: string - sql: ${TABLE}.target.process.file.pe_file.imphash ;; - group_label: "Target Process File Pe File" - group_item_label: "Imphash" - } - - dimension: target__process__file__pe_file__imports__list { - hidden: yes - sql: ${TABLE}.target.process.file.pe_file.imports.list ;; - group_label: "Target Process File Pe File Imports" - group_item_label: "List" - } - - dimension: target__process__file__pe_file__resource__list { - hidden: yes - sql: ${TABLE}.target.process.file.pe_file.resource.list ;; - group_label: "Target Process File Pe File Resource" - group_item_label: "List" - } - - dimension: target__process__file__pe_file__resources_language_count__list { - hidden: yes - sql: ${TABLE}.target.process.file.pe_file.resources_language_count.list ;; - group_label: "Target Process File Pe File Resources Language Count" - group_item_label: "List" - } - - dimension: target__process__file__pe_file__resources_type_count__list { - hidden: yes - sql: 
${TABLE}.target.process.file.pe_file.resources_type_count.list ;; - group_label: "Target Process File Pe File Resources Type Count" - group_item_label: "List" - } - - dimension: target__process__file__pe_file__section__list { - hidden: yes - sql: ${TABLE}.target.process.file.pe_file.section.list ;; - group_label: "Target Process File Pe File Section" - group_item_label: "List" - } - - dimension: target__process__file__pe_file__signature_info__signer__list { - hidden: yes - sql: ${TABLE}.target.process.file.pe_file.signature_info.signer.list ;; - group_label: "Target Process File Pe File Signature Info Signer" - group_item_label: "List" - } - - dimension: target__process__file__pe_file__signature_info__verification_message { - type: string - sql: ${TABLE}.target.process.file.pe_file.signature_info.verification_message ;; - group_label: "Target Process File Pe File Signature Info" - group_item_label: "Verification Message" - } - - dimension: target__process__file__pe_file__signature_info__verified { - type: yesno - sql: ${TABLE}.target.process.file.pe_file.signature_info.verified ;; - group_label: "Target Process File Pe File Signature Info" - group_item_label: "Verified" - } - - dimension: target__process__file__sha1 { - type: string - sql: ${TABLE}.target.process.file.sha1 ;; - group_label: "Target Process File" - group_item_label: "Sha1" - } - - dimension: target__process__file__sha256 { - type: string - sql: ${TABLE}.target.process.file.sha256 ;; - group_label: "Target Process File" - group_item_label: "Sha256" - } - - dimension: target__process__file__size { - type: number - sql: ${TABLE}.target.process.file.size ;; - group_label: "Target Process File" - group_item_label: "Size" - } - - dimension: target__process__file__ssdeep { - type: string - sql: ${TABLE}.target.process.file.ssdeep ;; - group_label: "Target Process File" - group_item_label: "Ssdeep" - } - - dimension: target__process__file__vhash { - type: string - sql: ${TABLE}.target.process.file.vhash ;; 
- group_label: "Target Process File" - group_item_label: "Vhash" - } - - dimension: target__process__pid { - type: string - sql: ${TABLE}.target.process.pid ;; - group_label: "Target Process" - group_item_label: "Pid" - } - - dimension: target__process__product_specific_process_id { - type: string - sql: ${TABLE}.target.process.product_specific_process_id ;; - group_label: "Target Process" - group_item_label: "Product Specific Process ID" - } - - dimension: target__process_ancestors__list { - hidden: yes - sql: ${TABLE}.target.process_ancestors.list ;; - group_label: "Target Process Ancestors" - group_item_label: "List" - } - - dimension: target__registry__registry_key { - type: string - sql: ${TABLE}.target.registry.registry_key ;; - group_label: "Target Registry" - group_item_label: "Registry Key" - } - - dimension: target__registry__registry_value_data { - type: string - sql: ${TABLE}.target.registry.registry_value_data ;; - group_label: "Target Registry" - group_item_label: "Registry Value Data" - } - - dimension: target__registry__registry_value_name { - type: string - sql: ${TABLE}.target.registry.registry_value_name ;; - group_label: "Target Registry" - group_item_label: "Registry Value Name" - } - - dimension: target__resource__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.target.resource.attribute.cloud.availability_zone ;; - group_label: "Target Resource Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: target__resource__attribute__cloud__environment { - type: number - sql: ${TABLE}.target.resource.attribute.cloud.environment ;; - group_label: "Target Resource Attribute Cloud" - group_item_label: "Environment" - } - - dimension: target__resource__attribute__creation_time { - type: string - sql: ${TABLE}.target.resource.attribute.creation_time ;; - group_label: "Target Resource Attribute" - group_item_label: "Creation Time" - } - - dimension: target__resource__attribute__labels__list { - hidden: yes - sql: 
${TABLE}.target.resource.attribute.labels.list ;; - group_label: "Target Resource Attribute Labels" - group_item_label: "List" - } - - dimension: target__resource__attribute__last_update_time { - type: string - sql: ${TABLE}.target.resource.attribute.last_update_time ;; - group_label: "Target Resource Attribute" - group_item_label: "Last Update Time" - } - - dimension: target__resource__attribute__permissions__list { - hidden: yes - sql: ${TABLE}.target.resource.attribute.permissions.list ;; - group_label: "Target Resource Attribute Permissions" - group_item_label: "List" - } - - dimension: target__resource__attribute__roles__list { - hidden: yes - sql: ${TABLE}.target.resource.attribute.roles.list ;; - group_label: "Target Resource Attribute Roles" - group_item_label: "List" - } - - dimension: target__resource__name { - type: string - sql: ${TABLE}.target.resource.name ;; - group_label: "Target Resource" - group_item_label: "Name" - } - - dimension: target__resource__product_object_id { - type: string - sql: ${TABLE}.target.resource.product_object_id ;; - group_label: "Target Resource" - group_item_label: "Product Object ID" - } - - dimension: target__resource__resource_subtype { - type: string - sql: ${TABLE}.target.resource.resource_subtype ;; - group_label: "Target Resource" - group_item_label: "Resource Subtype" - } - - dimension: target__resource__resource_type { - type: number - sql: ${TABLE}.target.resource.resource_type ;; - group_label: "Target Resource" - group_item_label: "Resource Type" - } - - dimension: target__resource_ancestors__list { - hidden: yes - sql: ${TABLE}.target.resource_ancestors.list ;; - group_label: "Target Resource Ancestors" - group_item_label: "List" - } - - dimension: target__url { - type: string - sql: ${TABLE}.target.url ;; - group_label: "Target" - group_item_label: "URL" - } - - dimension: target__user__account_type { - type: number - sql: ${TABLE}.target.user.account_type ;; - group_label: "Target User" - group_item_label: 
"Account Type" - } - - dimension: target__user__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.target.user.attribute.cloud.availability_zone ;; - group_label: "Target User Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: target__user__attribute__cloud__environment { - type: number - sql: ${TABLE}.target.user.attribute.cloud.environment ;; - group_label: "Target User Attribute Cloud" - group_item_label: "Environment" - } - - dimension: target__user__attribute__creation_time { - type: string - sql: ${TABLE}.target.user.attribute.creation_time ;; - group_label: "Target User Attribute" - group_item_label: "Creation Time" - } - - dimension: target__user__attribute__labels__list { - hidden: yes - sql: ${TABLE}.target.user.attribute.labels.list ;; - group_label: "Target User Attribute Labels" - group_item_label: "List" - } - - dimension: target__user__attribute__last_update_time { - type: string - sql: ${TABLE}.target.user.attribute.last_update_time ;; - group_label: "Target User Attribute" - group_item_label: "Last Update Time" - } - - dimension: target__user__attribute__permissions__list { - hidden: yes - sql: ${TABLE}.target.user.attribute.permissions.list ;; - group_label: "Target User Attribute Permissions" - group_item_label: "List" - } - - dimension: target__user__attribute__roles__list { - hidden: yes - sql: ${TABLE}.target.user.attribute.roles.list ;; - group_label: "Target User Attribute Roles" - group_item_label: "List" - } - - dimension: target__user__company_name { - type: string - sql: ${TABLE}.target.user.company_name ;; - group_label: "Target User" - group_item_label: "Company Name" - } - - dimension: target__user__department__list { - hidden: yes - sql: ${TABLE}.target.user.department.list ;; - group_label: "Target User Department" - group_item_label: "List" - } - - dimension: target__user__email_addresses__list { - hidden: yes - sql: ${TABLE}.target.user.email_addresses.list ;; - group_label: "Target User 
Email Addresses" - group_item_label: "List" - } - - dimension: target__user__employee_id { - type: string - sql: ${TABLE}.target.user.employee_id ;; - group_label: "Target User" - group_item_label: "Employee ID" - } - - dimension: target__user__first_name { - type: string - sql: ${TABLE}.target.user.first_name ;; - group_label: "Target User" - group_item_label: "First Name" - } - - dimension: target__user__group_identifiers__list { - hidden: yes - sql: ${TABLE}.target.user.group_identifiers.list ;; - group_label: "Target User Group Identifiers" - group_item_label: "List" - } - - dimension: target__user__hire_date { - type: string - sql: ${TABLE}.target.user.hire_date ;; - group_label: "Target User" - group_item_label: "Hire Date" - } - - dimension: target__user__last_name { - type: string - sql: ${TABLE}.target.user.last_name ;; - group_label: "Target User" - group_item_label: "Last Name" - } - - dimension: target__user__middle_name { - type: string - sql: ${TABLE}.target.user.middle_name ;; - group_label: "Target User" - group_item_label: "Middle Name" - } - - dimension: target__user__office_address__city { - type: string - sql: ${TABLE}.target.user.office_address.city ;; - group_label: "Target User Office Address" - group_item_label: "City" - } - - dimension: target__user__office_address__country_or_region { - type: string - sql: ${TABLE}.target.user.office_address.country_or_region ;; - group_label: "Target User Office Address" - group_item_label: "Country or Region" - } - - dimension: target__user__office_address__desk_name { - type: string - sql: ${TABLE}.target.user.office_address.desk_name ;; - group_label: "Target User Office Address" - group_item_label: "Desk Name" - } - - dimension: target__user__office_address__floor_name { - type: string - sql: ${TABLE}.target.user.office_address.floor_name ;; - group_label: "Target User Office Address" - group_item_label: "Floor Name" - } - - dimension: target__user__office_address__name { - type: string - sql: 
${TABLE}.target.user.office_address.name ;; - group_label: "Target User Office Address" - group_item_label: "Name" - } - - dimension: target__user__office_address__region_latitude { - type: number - sql: ${TABLE}.target.user.office_address.region_latitude ;; - group_label: "Target User Office Address" - group_item_label: "Region Latitude" - } - - dimension: target__user__office_address__region_longitude { - type: number - sql: ${TABLE}.target.user.office_address.region_longitude ;; - group_label: "Target User Office Address" - group_item_label: "Region Longitude" - } - - dimension: target__user__office_address__state { - type: string - sql: ${TABLE}.target.user.office_address.state ;; - group_label: "Target User Office Address" - group_item_label: "State" - } - - dimension: target__user__personal_address__city { - type: string - sql: ${TABLE}.target.user.personal_address.city ;; - group_label: "Target User Personal Address" - group_item_label: "City" - } - - dimension: target__user__personal_address__country_or_region { - type: string - sql: ${TABLE}.target.user.personal_address.country_or_region ;; - group_label: "Target User Personal Address" - group_item_label: "Country or Region" - } - - dimension: target__user__personal_address__desk_name { - type: string - sql: ${TABLE}.target.user.personal_address.desk_name ;; - group_label: "Target User Personal Address" - group_item_label: "Desk Name" - } - - dimension: target__user__personal_address__floor_name { - type: string - sql: ${TABLE}.target.user.personal_address.floor_name ;; - group_label: "Target User Personal Address" - group_item_label: "Floor Name" - } - - dimension: target__user__personal_address__name { - type: string - sql: ${TABLE}.target.user.personal_address.name ;; - group_label: "Target User Personal Address" - group_item_label: "Name" - } - - dimension: target__user__personal_address__region_latitude { - type: number - sql: ${TABLE}.target.user.personal_address.region_latitude ;; - group_label: 
"Target User Personal Address" - group_item_label: "Region Latitude" - } - - dimension: target__user__personal_address__region_longitude { - type: number - sql: ${TABLE}.target.user.personal_address.region_longitude ;; - group_label: "Target User Personal Address" - group_item_label: "Region Longitude" - } - - dimension: target__user__personal_address__state { - type: string - sql: ${TABLE}.target.user.personal_address.state ;; - group_label: "Target User Personal Address" - group_item_label: "State" - } - - dimension: target__user__phone_numbers__list { - hidden: yes - sql: ${TABLE}.target.user.phone_numbers.list ;; - group_label: "Target User Phone Numbers" - group_item_label: "List" - } - - dimension: target__user__product_object_id { - type: string - sql: ${TABLE}.target.user.product_object_id ;; - group_label: "Target User" - group_item_label: "Product Object ID" - } - - dimension: target__user__termination_date { - type: string - sql: ${TABLE}.target.user.termination_date ;; - group_label: "Target User" - group_item_label: "Termination Date" - } - - dimension: target__user__time_off__list { - hidden: yes - sql: ${TABLE}.target.user.time_off.list ;; - group_label: "Target User Time Off" - group_item_label: "List" - } - - dimension: target__user__title { - type: string - sql: ${TABLE}.target.user.title ;; - group_label: "Target User" - group_item_label: "Title" - } - - dimension: target__user__user_authentication_status { - type: number - sql: ${TABLE}.target.user.user_authentication_status ;; - group_label: "Target User" - group_item_label: "User Authentication Status" - } - - dimension: target__user__user_display_name { - type: string - sql: ${TABLE}.target.user.user_display_name ;; - group_label: "Target User" - group_item_label: "User Display Name" - } - - dimension: target__user__userid { - type: string - sql: ${TABLE}.target.user.userid ;; - group_label: "Target User" - group_item_label: "Userid" - } - - dimension: target__user__windows_sid { - type: 
string - sql: ${TABLE}.target.user.windows_sid ;; - group_label: "Target User" - group_item_label: "Windows Sid" - } - - dimension: target__user_management_chain__list { - hidden: yes - sql: ${TABLE}.target.user_management_chain.list ;; - group_label: "Target User Management Chain" - group_item_label: "List" - } - - measure: count { - type: count - drill_fields: [detail*] - } - - # ----- Sets of fields for drilling ------ - set: detail { - fields: [ - src__hostname, - src__domain__name, - target__hostname, - observer__hostname, - src__resource__name, - src__location__name, - principal__hostname, - src__asset__hostname, - src__user__last_name, - target__domain__name, - network__dhcp__sname, - src__user__first_name, - observer__domain__name, - metadata__vendor_name, - src__user__middle_name, - target__resource__name, - target__location__name, - network__carrier_name, - principal__domain__name, - metadata__product_name, - src__user__company_name, - target__asset__hostname, - target__user__last_name, - observer__resource__name, - observer__location__name, - src__location__desk_name, - target__user__first_name, - principal__resource__name, - principal__location__name, - observer__asset__hostname, - observer__user__last_name, - src__location__floor_name, - src__asset__location__name, - target__user__middle_name, - principal__asset__hostname, - principal__user__last_name, - observer__user__first_name, - target__user__company_name, - principal__user__first_name, - observer__user__middle_name, - target__location__desk_name, - network__organization_name, - principal__user__middle_name, - observer__user__company_name, - src__user__user_display_name, - target__location__floor_name, - target__asset__location__name, - principal__user__company_name, - observer__location__desk_name, - principal__location__desk_name, - observer__location__floor_name, - observer__asset__location__name, - src__asset__location__desk_name, - src__user__office_address__name, - 
network__dhcp__client_hostname, - principal__location__floor_name, - principal__asset__location__name, - src__asset__location__floor_name, - target__user__user_display_name, - src__group__group_display_name, - src__user__personal_address__name, - network__tls__client__server_name, - observer__user__user_display_name, - target__asset__location__desk_name, - target__user__office_address__name, - principal__user__user_display_name, - src__registry__registry_value_name, - target__asset__location__floor_name, - observer__asset__location__desk_name, - observer__user__office_address__name, - src__user__office_address__desk_name, - target__group__group_display_name, - target__user__personal_address__name, - principal__asset__location__desk_name, - principal__user__office_address__name, - observer__asset__location__floor_name, - src__user__office_address__floor_name, - principal__asset__location__floor_name, - observer__group__group_display_name, - observer__user__personal_address__name, - src__user__personal_address__desk_name, - target__registry__registry_value_name, - principal__group__group_display_name, - principal__user__personal_address__name, - src__user__personal_address__floor_name, - target__user__office_address__desk_name, - observer__registry__registry_value_name, - target__user__office_address__floor_name, - principal__registry__registry_value_name, - observer__user__office_address__desk_name, - target__user__personal_address__desk_name, - principal__user__office_address__desk_name, - observer__user__office_address__floor_name, - target__user__personal_address__floor_name, - principal__user__office_address__floor_name, - observer__user__personal_address__desk_name, - principal__user__personal_address__desk_name, - observer__user__personal_address__floor_name, - principal__user__personal_address__floor_name - ] - } -} - -view: udm_events_gcs__src__ip__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: 
udm_events_gcs__src__mac__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__about__list { - dimension: item__administrative_domain { - type: string - sql: ${TABLE}.item.administrative_domain ;; - group_label: "Item" - group_item_label: "Administrative Domain" - } - - dimension: item__application { - type: string - sql: ${TABLE}.item.application ;; - group_label: "Item" - group_item_label: "Application" - } - - dimension: item__asset__asset_id { - type: string - sql: ${TABLE}.item.asset.asset_id ;; - group_label: "Item Asset" - group_item_label: "Asset ID" - } - - dimension: item__asset__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.item.asset.attribute.cloud.availability_zone ;; - group_label: "Item Asset Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: item__asset__attribute__cloud__environment { - type: number - sql: ${TABLE}.item.asset.attribute.cloud.environment ;; - group_label: "Item Asset Attribute Cloud" - group_item_label: "Environment" - } - - dimension: item__asset__attribute__creation_time { - type: string - sql: ${TABLE}.item.asset.attribute.creation_time ;; - group_label: "Item Asset Attribute" - group_item_label: "Creation Time" - } - - dimension: item__asset__attribute__labels__list { - hidden: yes - sql: ${TABLE}.item.asset.attribute.labels.list ;; - group_label: "Item Asset Attribute Labels" - group_item_label: "List" - } - - dimension: item__asset__attribute__last_update_time { - type: string - sql: ${TABLE}.item.asset.attribute.last_update_time ;; - group_label: "Item Asset Attribute" - group_item_label: "Last Update Time" - } - - dimension: item__asset__attribute__permissions__list { - hidden: yes - sql: ${TABLE}.item.asset.attribute.permissions.list ;; - group_label: "Item Asset Attribute Permissions" - group_item_label: "List" - } - - dimension: item__asset__attribute__roles__list { - hidden: yes - sql: ${TABLE}.item.asset.attribute.roles.list ;; 
- group_label: "Item Asset Attribute Roles" - group_item_label: "List" - } - - dimension: item__asset__category { - type: string - sql: ${TABLE}.item.asset.category ;; - group_label: "Item Asset" - group_item_label: "Category" - } - - dimension: item__asset__deployment_status { - type: number - sql: ${TABLE}.item.asset.deployment_status ;; - group_label: "Item Asset" - group_item_label: "Deployment Status" - } - - dimension: item__asset__first_discover_time { - type: string - sql: ${TABLE}.item.asset.first_discover_time ;; - group_label: "Item Asset" - group_item_label: "First Discover Time" - } - - dimension: item__asset__hardware__list { - hidden: yes - sql: ${TABLE}.item.asset.hardware.list ;; - group_label: "Item Asset Hardware" - group_item_label: "List" - } - - dimension: item__asset__hostname { - type: string - sql: ${TABLE}.item.asset.hostname ;; - group_label: "Item Asset" - group_item_label: "Hostname" - } - - dimension: item__asset__ip__list { - hidden: yes - sql: ${TABLE}.item.asset.ip.list ;; - group_label: "Item Asset IP" - group_item_label: "List" - } - - dimension: item__asset__last_boot_time { - type: string - sql: ${TABLE}.item.asset.last_boot_time ;; - group_label: "Item Asset" - group_item_label: "Last Boot Time" - } - - dimension: item__asset__last_discover_time { - type: string - sql: ${TABLE}.item.asset.last_discover_time ;; - group_label: "Item Asset" - group_item_label: "Last Discover Time" - } - - dimension: item__asset__location__city { - type: string - sql: ${TABLE}.item.asset.location.city ;; - group_label: "Item Asset Location" - group_item_label: "City" - } - - dimension: item__asset__location__country_or_region { - type: string - sql: ${TABLE}.item.asset.location.country_or_region ;; - group_label: "Item Asset Location" - group_item_label: "Country or Region" - } - - dimension: item__asset__location__desk_name { - type: string - sql: ${TABLE}.item.asset.location.desk_name ;; - group_label: "Item Asset Location" - group_item_label: 
"Desk Name" - } - - dimension: item__asset__location__floor_name { - type: string - sql: ${TABLE}.item.asset.location.floor_name ;; - group_label: "Item Asset Location" - group_item_label: "Floor Name" - } - - dimension: item__asset__location__name { - type: string - sql: ${TABLE}.item.asset.location.name ;; - group_label: "Item Asset Location" - group_item_label: "Name" - } - - dimension: item__asset__location__region_latitude { - type: number - sql: ${TABLE}.item.asset.location.region_latitude ;; - group_label: "Item Asset Location" - group_item_label: "Region Latitude" - } - - dimension: item__asset__location__region_longitude { - type: number - sql: ${TABLE}.item.asset.location.region_longitude ;; - group_label: "Item Asset Location" - group_item_label: "Region Longitude" - } - - dimension: item__asset__location__state { - type: string - sql: ${TABLE}.item.asset.location.state ;; - group_label: "Item Asset Location" - group_item_label: "State" - } - - dimension: item__asset__mac__list { - hidden: yes - sql: ${TABLE}.item.asset.mac.list ;; - group_label: "Item Asset Mac" - group_item_label: "List" - } - - dimension: item__asset__nat_ip__list { - hidden: yes - sql: ${TABLE}.item.asset.nat_ip.list ;; - group_label: "Item Asset Nat IP" - group_item_label: "List" - } - - dimension: item__asset__network_domain { - type: string - sql: ${TABLE}.item.asset.network_domain ;; - group_label: "Item Asset" - group_item_label: "Network Domain" - } - - dimension: item__asset__platform_software__platform { - type: number - sql: ${TABLE}.item.asset.platform_software.platform ;; - group_label: "Item Asset Platform Software" - group_item_label: "Platform" - } - - dimension: item__asset__platform_software__platform_patch_level { - type: string - sql: ${TABLE}.item.asset.platform_software.platform_patch_level ;; - group_label: "Item Asset Platform Software" - group_item_label: "Platform Patch Level" - } - - dimension: item__asset__platform_software__platform_version { - type: string 
- sql: ${TABLE}.item.asset.platform_software.platform_version ;; - group_label: "Item Asset Platform Software" - group_item_label: "Platform Version" - } - - dimension: item__asset__product_object_id { - type: string - sql: ${TABLE}.item.asset.product_object_id ;; - group_label: "Item Asset" - group_item_label: "Product Object ID" - } - - dimension: item__asset__software__list { - hidden: yes - sql: ${TABLE}.item.asset.software.list ;; - group_label: "Item Asset Software" - group_item_label: "List" - } - - dimension: item__asset__system_last_update_time { - type: string - sql: ${TABLE}.item.asset.system_last_update_time ;; - group_label: "Item Asset" - group_item_label: "System Last Update Time" - } - - dimension: item__asset__type { - type: number - sql: ${TABLE}.item.asset.type ;; - group_label: "Item Asset" - group_item_label: "Type" - } - - dimension: item__asset__vulnerabilities__list { - hidden: yes - sql: ${TABLE}.item.asset.vulnerabilities.list ;; - group_label: "Item Asset Vulnerabilities" - group_item_label: "List" - } - - dimension: item__asset_id { - type: string - sql: ${TABLE}.item.asset_id ;; - group_label: "Item" - group_item_label: "Asset ID" - } - - dimension: item__domain__name { - type: string - sql: ${TABLE}.item.domain.name ;; - group_label: "Item Domain" - group_item_label: "Name" - } - - dimension: item__domain__prevalence__day_count { - type: number - sql: ${TABLE}.item.domain.prevalence.day_count ;; - group_label: "Item Domain Prevalence" - group_item_label: "Day Count" - } - - dimension: item__domain__prevalence__rolling_max { - type: number - sql: ${TABLE}.item.domain.prevalence.rolling_max ;; - group_label: "Item Domain Prevalence" - group_item_label: "Rolling Max" - } - - dimension: item__email { - type: string - sql: ${TABLE}.item.email ;; - group_label: "Item" - group_item_label: "Email" - } - - dimension: item__file__ahash { - type: string - sql: ${TABLE}.item.file.ahash ;; - group_label: "Item File" - group_item_label: "Ahash" - } 
- - dimension: item__file__capabilities_tags__list { - hidden: yes - sql: ${TABLE}.item.file.capabilities_tags.list ;; - group_label: "Item File Capabilities Tags" - group_item_label: "List" - } - - dimension: item__file__file_type { - type: number - sql: ${TABLE}.item.file.file_type ;; - group_label: "Item File" - group_item_label: "File Type" - } - - dimension: item__file__full_path { - type: string - sql: ${TABLE}.item.file.full_path ;; - group_label: "Item File" - group_item_label: "Full Path" - } - - dimension: item__file__md5 { - type: string - sql: ${TABLE}.item.file.md5 ;; - group_label: "Item File" - group_item_label: "Md5" - } - - dimension: item__file__mime_type { - type: string - sql: ${TABLE}.item.file.mime_type ;; - group_label: "Item File" - group_item_label: "Mime Type" - } - - dimension: item__file__names__list { - hidden: yes - sql: ${TABLE}.item.file.names.list ;; - group_label: "Item File Names" - group_item_label: "List" - } - - dimension: item__file__pe_file__compilation_exiftool_time { - type: string - sql: ${TABLE}.item.file.pe_file.compilation_exiftool_time ;; - group_label: "Item File Pe File" - group_item_label: "Compilation Exiftool Time" - } - - dimension: item__file__pe_file__compilation_time { - type: string - sql: ${TABLE}.item.file.pe_file.compilation_time ;; - group_label: "Item File Pe File" - group_item_label: "Compilation Time" - } - - dimension: item__file__pe_file__entry_point { - type: number - sql: ${TABLE}.item.file.pe_file.entry_point ;; - group_label: "Item File Pe File" - group_item_label: "Entry Point" - } - - dimension: item__file__pe_file__entry_point_exiftool { - type: number - sql: ${TABLE}.item.file.pe_file.entry_point_exiftool ;; - group_label: "Item File Pe File" - group_item_label: "Entry Point Exiftool" - } - - dimension: item__file__pe_file__imphash { - type: string - sql: ${TABLE}.item.file.pe_file.imphash ;; - group_label: "Item File Pe File" - group_item_label: "Imphash" - } - - dimension: 
item__file__pe_file__imports__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.imports.list ;; - group_label: "Item File Pe File Imports" - group_item_label: "List" - } - - dimension: item__file__pe_file__resource__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.resource.list ;; - group_label: "Item File Pe File Resource" - group_item_label: "List" - } - - dimension: item__file__pe_file__resources_language_count__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.resources_language_count.list ;; - group_label: "Item File Pe File Resources Language Count" - group_item_label: "List" - } - - dimension: item__file__pe_file__resources_type_count__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.resources_type_count.list ;; - group_label: "Item File Pe File Resources Type Count" - group_item_label: "List" - } - - dimension: item__file__pe_file__section__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.section.list ;; - group_label: "Item File Pe File Section" - group_item_label: "List" - } - - dimension: item__file__pe_file__signature_info__signer__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.signature_info.signer.list ;; - group_label: "Item File Pe File Signature Info Signer" - group_item_label: "List" - } - - dimension: item__file__pe_file__signature_info__verification_message { - type: string - sql: ${TABLE}.item.file.pe_file.signature_info.verification_message ;; - group_label: "Item File Pe File Signature Info" - group_item_label: "Verification Message" - } - - dimension: item__file__pe_file__signature_info__verified { - type: yesno - sql: ${TABLE}.item.file.pe_file.signature_info.verified ;; - group_label: "Item File Pe File Signature Info" - group_item_label: "Verified" - } - - dimension: item__file__sha1 { - type: string - sql: ${TABLE}.item.file.sha1 ;; - group_label: "Item File" - group_item_label: "Sha1" - } - - dimension: item__file__sha256 { - type: string - sql: ${TABLE}.item.file.sha256 ;; - group_label: "Item File" 
- group_item_label: "Sha256" - } - - dimension: item__file__size { - type: number - sql: ${TABLE}.item.file.size ;; - group_label: "Item File" - group_item_label: "Size" - } - - dimension: item__file__ssdeep { - type: string - sql: ${TABLE}.item.file.ssdeep ;; - group_label: "Item File" - group_item_label: "Ssdeep" - } - - dimension: item__file__vhash { - type: string - sql: ${TABLE}.item.file.vhash ;; - group_label: "Item File" - group_item_label: "Vhash" - } - - dimension: item__group__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.item.`group`.attribute.cloud.availability_zone ;; - group_label: "Item Group Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: item__group__attribute__cloud__environment { - type: number - sql: ${TABLE}.item.`group`.attribute.cloud.environment ;; - group_label: "Item Group Attribute Cloud" - group_item_label: "Environment" - } - - dimension: item__group__attribute__creation_time { - type: string - sql: ${TABLE}.item.`group`.attribute.creation_time ;; - group_label: "Item Group Attribute" - group_item_label: "Creation Time" - } - - dimension: item__group__attribute__labels__list { - hidden: yes - sql: ${TABLE}.item.group.attribute.labels.list ;; - group_label: "Item Group Attribute Labels" - group_item_label: "List" - } - - dimension: item__group__attribute__last_update_time { - type: string - sql: ${TABLE}.item.`group`.attribute.last_update_time ;; - group_label: "Item Group Attribute" - group_item_label: "Last Update Time" - } - - dimension: item__group__attribute__permissions__list { - hidden: yes - sql: ${TABLE}.item.group.attribute.permissions.list ;; - group_label: "Item Group Attribute Permissions" - group_item_label: "List" - } - - dimension: item__group__attribute__roles__list { - hidden: yes - sql: ${TABLE}.item.group.attribute.roles.list ;; - group_label: "Item Group Attribute Roles" - group_item_label: "List" - } - - dimension: item__group__email_addresses__list { - hidden: yes 
- sql: ${TABLE}.item.group.email_addresses.list ;; - group_label: "Item Group Email Addresses" - group_item_label: "List" - } - - dimension: item__group__group_display_name { - type: string - sql: ${TABLE}.item.`group`.group_display_name ;; - group_label: "Item Group" - group_item_label: "Group Display Name" - } - - dimension: item__group__product_object_id { - type: string - sql: ${TABLE}.item.`group`.product_object_id ;; - group_label: "Item Group" - group_item_label: "Product Object ID" - } - - dimension: item__group__windows_sid { - type: string - sql: ${TABLE}.item.`group`.windows_sid ;; - group_label: "Item Group" - group_item_label: "Windows Sid" - } - - dimension: item__hostname { - type: string - sql: ${TABLE}.item.hostname ;; - group_label: "Item" - group_item_label: "Hostname" - } - - dimension: item__investigation__comments__list { - hidden: yes - sql: ${TABLE}.item.investigation.comments.list ;; - group_label: "Item Investigation Comments" - group_item_label: "List" - } - - dimension: item__investigation__reputation { - type: number - sql: ${TABLE}.item.investigation.reputation ;; - group_label: "Item Investigation" - group_item_label: "Reputation" - } - - dimension: item__investigation__severity_score { - type: number - sql: ${TABLE}.item.investigation.severity_score ;; - group_label: "Item Investigation" - group_item_label: "Severity Score" - } - - dimension: item__investigation__status { - type: number - sql: ${TABLE}.item.investigation.status ;; - group_label: "Item Investigation" - group_item_label: "Status" - } - - dimension: item__investigation__verdict { - type: number - sql: ${TABLE}.item.investigation.verdict ;; - group_label: "Item Investigation" - group_item_label: "Verdict" - } - - dimension: item__ip__list { - hidden: yes - sql: ${TABLE}.item.ip.list ;; - group_label: "Item IP" - group_item_label: "List" - } - - dimension: item__location__city { - type: string - sql: ${TABLE}.item.location.city ;; - group_label: "Item Location" - 
group_item_label: "City" - } - - dimension: item__location__country_or_region { - type: string - sql: ${TABLE}.item.location.country_or_region ;; - group_label: "Item Location" - group_item_label: "Country or Region" - } - - dimension: item__location__desk_name { - type: string - sql: ${TABLE}.item.location.desk_name ;; - group_label: "Item Location" - group_item_label: "Desk Name" - } - - dimension: item__location__floor_name { - type: string - sql: ${TABLE}.item.location.floor_name ;; - group_label: "Item Location" - group_item_label: "Floor Name" - } - - dimension: item__location__name { - type: string - sql: ${TABLE}.item.location.name ;; - group_label: "Item Location" - group_item_label: "Name" - } - - dimension: item__location__region_latitude { - type: number - sql: ${TABLE}.item.location.region_latitude ;; - group_label: "Item Location" - group_item_label: "Region Latitude" - } - - dimension: item__location__region_longitude { - type: number - sql: ${TABLE}.item.location.region_longitude ;; - group_label: "Item Location" - group_item_label: "Region Longitude" - } - - dimension: item__location__state { - type: string - sql: ${TABLE}.item.location.state ;; - group_label: "Item Location" - group_item_label: "State" - } - - dimension: item__mac__list { - hidden: yes - sql: ${TABLE}.item.mac.list ;; - group_label: "Item Mac" - group_item_label: "List" - } - - dimension: item__namespace { - type: string - sql: ${TABLE}.item.namespace ;; - group_label: "Item" - group_item_label: "Namespace" - } - - dimension: item__nat_ip__list { - hidden: yes - sql: ${TABLE}.item.nat_ip.list ;; - group_label: "Item Nat IP" - group_item_label: "List" - } - - dimension: item__nat_port { - type: number - sql: ${TABLE}.item.nat_port ;; - group_label: "Item" - group_item_label: "Nat Port" - } - - dimension: item__object_reference__id { - type: string - sql: ${TABLE}.item.object_reference.id ;; - group_label: "Item Object Reference" - group_item_label: "ID" - } - - dimension: 
item__object_reference__namespace { - type: number - sql: ${TABLE}.item.object_reference.namespace ;; - group_label: "Item Object Reference" - group_item_label: "Namespace" - } - - dimension: item__platform { - type: number - sql: ${TABLE}.item.platform ;; - group_label: "Item" - group_item_label: "Platform" - } - - dimension: item__platform_patch_level { - type: string - sql: ${TABLE}.item.platform_patch_level ;; - group_label: "Item" - group_item_label: "Platform Patch Level" - } - - dimension: item__platform_version { - type: string - sql: ${TABLE}.item.platform_version ;; - group_label: "Item" - group_item_label: "Platform Version" - } - - dimension: item__port { - type: number - sql: ${TABLE}.item.port ;; - group_label: "Item" - group_item_label: "Port" - } - - dimension: item__process__access_mask { - type: number - sql: ${TABLE}.item.process.access_mask ;; - group_label: "Item Process" - group_item_label: "Access Mask" - } - - dimension: item__process__command_line { - type: string - sql: ${TABLE}.item.process.command_line ;; - group_label: "Item Process" - group_item_label: "Command Line" - } - - dimension: item__process__command_line_history__list { - hidden: yes - sql: ${TABLE}.item.process.command_line_history.list ;; - group_label: "Item Process Command Line History" - group_item_label: "List" - } - - dimension: item__process__file__ahash { - type: string - sql: ${TABLE}.item.process.file.ahash ;; - group_label: "Item Process File" - group_item_label: "Ahash" - } - - dimension: item__process__file__capabilities_tags__list { - hidden: yes - sql: ${TABLE}.item.process.file.capabilities_tags.list ;; - group_label: "Item Process File Capabilities Tags" - group_item_label: "List" - } - - dimension: item__process__file__file_type { - type: number - sql: ${TABLE}.item.process.file.file_type ;; - group_label: "Item Process File" - group_item_label: "File Type" - } - - dimension: item__process__file__full_path { - type: string - sql: 
${TABLE}.item.process.file.full_path ;; - group_label: "Item Process File" - group_item_label: "Full Path" - } - - dimension: item__process__file__md5 { - type: string - sql: ${TABLE}.item.process.file.md5 ;; - group_label: "Item Process File" - group_item_label: "Md5" - } - - dimension: item__process__file__mime_type { - type: string - sql: ${TABLE}.item.process.file.mime_type ;; - group_label: "Item Process File" - group_item_label: "Mime Type" - } - - dimension: item__process__file__names__list { - hidden: yes - sql: ${TABLE}.item.process.file.names.list ;; - group_label: "Item Process File Names" - group_item_label: "List" - } - - dimension: item__process__file__pe_file__compilation_exiftool_time { - type: string - sql: ${TABLE}.item.process.file.pe_file.compilation_exiftool_time ;; - group_label: "Item Process File Pe File" - group_item_label: "Compilation Exiftool Time" - } - - dimension: item__process__file__pe_file__compilation_time { - type: string - sql: ${TABLE}.item.process.file.pe_file.compilation_time ;; - group_label: "Item Process File Pe File" - group_item_label: "Compilation Time" - } - - dimension: item__process__file__pe_file__entry_point { - type: number - sql: ${TABLE}.item.process.file.pe_file.entry_point ;; - group_label: "Item Process File Pe File" - group_item_label: "Entry Point" - } - - dimension: item__process__file__pe_file__entry_point_exiftool { - type: number - sql: ${TABLE}.item.process.file.pe_file.entry_point_exiftool ;; - group_label: "Item Process File Pe File" - group_item_label: "Entry Point Exiftool" - } - - dimension: item__process__file__pe_file__imphash { - type: string - sql: ${TABLE}.item.process.file.pe_file.imphash ;; - group_label: "Item Process File Pe File" - group_item_label: "Imphash" - } - - dimension: item__process__file__pe_file__imports__list { - hidden: yes - sql: ${TABLE}.item.process.file.pe_file.imports.list ;; - group_label: "Item Process File Pe File Imports" - group_item_label: "List" - } - - 
dimension: item__process__file__pe_file__resource__list { - hidden: yes - sql: ${TABLE}.item.process.file.pe_file.resource.list ;; - group_label: "Item Process File Pe File Resource" - group_item_label: "List" - } - - dimension: item__process__file__pe_file__resources_language_count__list { - hidden: yes - sql: ${TABLE}.item.process.file.pe_file.resources_language_count.list ;; - group_label: "Item Process File Pe File Resources Language Count" - group_item_label: "List" - } - - dimension: item__process__file__pe_file__resources_type_count__list { - hidden: yes - sql: ${TABLE}.item.process.file.pe_file.resources_type_count.list ;; - group_label: "Item Process File Pe File Resources Type Count" - group_item_label: "List" - } - - dimension: item__process__file__pe_file__section__list { - hidden: yes - sql: ${TABLE}.item.process.file.pe_file.section.list ;; - group_label: "Item Process File Pe File Section" - group_item_label: "List" - } - - dimension: item__process__file__pe_file__signature_info__signer__list { - hidden: yes - sql: ${TABLE}.item.process.file.pe_file.signature_info.signer.list ;; - group_label: "Item Process File Pe File Signature Info Signer" - group_item_label: "List" - } - - dimension: item__process__file__pe_file__signature_info__verification_message { - type: string - sql: ${TABLE}.item.process.file.pe_file.signature_info.verification_message ;; - group_label: "Item Process File Pe File Signature Info" - group_item_label: "Verification Message" - } - - dimension: item__process__file__pe_file__signature_info__verified { - type: yesno - sql: ${TABLE}.item.process.file.pe_file.signature_info.verified ;; - group_label: "Item Process File Pe File Signature Info" - group_item_label: "Verified" - } - - dimension: item__process__file__sha1 { - type: string - sql: ${TABLE}.item.process.file.sha1 ;; - group_label: "Item Process File" - group_item_label: "Sha1" - } - - dimension: item__process__file__sha256 { - type: string - sql: 
${TABLE}.item.process.file.sha256 ;; - group_label: "Item Process File" - group_item_label: "Sha256" - } - - dimension: item__process__file__size { - type: number - sql: ${TABLE}.item.process.file.size ;; - group_label: "Item Process File" - group_item_label: "Size" - } - - dimension: item__process__file__ssdeep { - type: string - sql: ${TABLE}.item.process.file.ssdeep ;; - group_label: "Item Process File" - group_item_label: "Ssdeep" - } - - dimension: item__process__file__vhash { - type: string - sql: ${TABLE}.item.process.file.vhash ;; - group_label: "Item Process File" - group_item_label: "Vhash" - } - - dimension: item__process__pid { - type: string - sql: ${TABLE}.item.process.pid ;; - group_label: "Item Process" - group_item_label: "Pid" - } - - dimension: item__process__product_specific_process_id { - type: string - sql: ${TABLE}.item.process.product_specific_process_id ;; - group_label: "Item Process" - group_item_label: "Product Specific Process ID" - } - - dimension: item__process_ancestors__list { - hidden: yes - sql: ${TABLE}.item.process_ancestors.list ;; - group_label: "Item Process Ancestors" - group_item_label: "List" - } - - dimension: item__registry__registry_key { - type: string - sql: ${TABLE}.item.registry.registry_key ;; - group_label: "Item Registry" - group_item_label: "Registry Key" - } - - dimension: item__registry__registry_value_data { - type: string - sql: ${TABLE}.item.registry.registry_value_data ;; - group_label: "Item Registry" - group_item_label: "Registry Value Data" - } - - dimension: item__registry__registry_value_name { - type: string - sql: ${TABLE}.item.registry.registry_value_name ;; - group_label: "Item Registry" - group_item_label: "Registry Value Name" - } - - dimension: item__resource__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.item.resource.attribute.cloud.availability_zone ;; - group_label: "Item Resource Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: 
item__resource__attribute__cloud__environment { - type: number - sql: ${TABLE}.item.resource.attribute.cloud.environment ;; - group_label: "Item Resource Attribute Cloud" - group_item_label: "Environment" - } - - dimension: item__resource__attribute__creation_time { - type: string - sql: ${TABLE}.item.resource.attribute.creation_time ;; - group_label: "Item Resource Attribute" - group_item_label: "Creation Time" - } - - dimension: item__resource__attribute__labels__list { - hidden: yes - sql: ${TABLE}.item.resource.attribute.labels.list ;; - group_label: "Item Resource Attribute Labels" - group_item_label: "List" - } - - dimension: item__resource__attribute__last_update_time { - type: string - sql: ${TABLE}.item.resource.attribute.last_update_time ;; - group_label: "Item Resource Attribute" - group_item_label: "Last Update Time" - } - - dimension: item__resource__attribute__permissions__list { - hidden: yes - sql: ${TABLE}.item.resource.attribute.permissions.list ;; - group_label: "Item Resource Attribute Permissions" - group_item_label: "List" - } - - dimension: item__resource__attribute__roles__list { - hidden: yes - sql: ${TABLE}.item.resource.attribute.roles.list ;; - group_label: "Item Resource Attribute Roles" - group_item_label: "List" - } - - dimension: item__resource__name { - type: string - sql: ${TABLE}.item.resource.name ;; - group_label: "Item Resource" - group_item_label: "Name" - } - - dimension: item__resource__product_object_id { - type: string - sql: ${TABLE}.item.resource.product_object_id ;; - group_label: "Item Resource" - group_item_label: "Product Object ID" - } - - dimension: item__resource__resource_subtype { - type: string - sql: ${TABLE}.item.resource.resource_subtype ;; - group_label: "Item Resource" - group_item_label: "Resource Subtype" - } - - dimension: item__resource__resource_type { - type: number - sql: ${TABLE}.item.resource.resource_type ;; - group_label: "Item Resource" - group_item_label: "Resource Type" - } - - dimension: 
item__resource_ancestors__list { - hidden: yes - sql: ${TABLE}.item.resource_ancestors.list ;; - group_label: "Item Resource Ancestors" - group_item_label: "List" - } - - dimension: item__url { - type: string - sql: ${TABLE}.item.url ;; - group_label: "Item" - group_item_label: "URL" - } - - dimension: item__user__account_type { - type: number - sql: ${TABLE}.item.user.account_type ;; - group_label: "Item User" - group_item_label: "Account Type" - } - - dimension: item__user__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.item.user.attribute.cloud.availability_zone ;; - group_label: "Item User Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: item__user__attribute__cloud__environment { - type: number - sql: ${TABLE}.item.user.attribute.cloud.environment ;; - group_label: "Item User Attribute Cloud" - group_item_label: "Environment" - } - - dimension: item__user__attribute__creation_time { - type: string - sql: ${TABLE}.item.user.attribute.creation_time ;; - group_label: "Item User Attribute" - group_item_label: "Creation Time" - } - - dimension: item__user__attribute__labels__list { - hidden: yes - sql: ${TABLE}.item.user.attribute.labels.list ;; - group_label: "Item User Attribute Labels" - group_item_label: "List" - } - - dimension: item__user__attribute__last_update_time { - type: string - sql: ${TABLE}.item.user.attribute.last_update_time ;; - group_label: "Item User Attribute" - group_item_label: "Last Update Time" - } - - dimension: item__user__attribute__permissions__list { - hidden: yes - sql: ${TABLE}.item.user.attribute.permissions.list ;; - group_label: "Item User Attribute Permissions" - group_item_label: "List" - } - - dimension: item__user__attribute__roles__list { - hidden: yes - sql: ${TABLE}.item.user.attribute.roles.list ;; - group_label: "Item User Attribute Roles" - group_item_label: "List" - } - - dimension: item__user__company_name { - type: string - sql: ${TABLE}.item.user.company_name ;; - 
group_label: "Item User" - group_item_label: "Company Name" - } - - dimension: item__user__department__list { - hidden: yes - sql: ${TABLE}.item.user.department.list ;; - group_label: "Item User Department" - group_item_label: "List" - } - - dimension: item__user__email_addresses__list { - hidden: yes - sql: ${TABLE}.item.user.email_addresses.list ;; - group_label: "Item User Email Addresses" - group_item_label: "List" - } - - dimension: item__user__employee_id { - type: string - sql: ${TABLE}.item.user.employee_id ;; - group_label: "Item User" - group_item_label: "Employee ID" - } - - dimension: item__user__first_name { - type: string - sql: ${TABLE}.item.user.first_name ;; - group_label: "Item User" - group_item_label: "First Name" - } - - dimension: item__user__group_identifiers__list { - hidden: yes - sql: ${TABLE}.item.user.group_identifiers.list ;; - group_label: "Item User Group Identifiers" - group_item_label: "List" - } - - dimension: item__user__hire_date { - type: string - sql: ${TABLE}.item.user.hire_date ;; - group_label: "Item User" - group_item_label: "Hire Date" - } - - dimension: item__user__last_name { - type: string - sql: ${TABLE}.item.user.last_name ;; - group_label: "Item User" - group_item_label: "Last Name" - } - - dimension: item__user__middle_name { - type: string - sql: ${TABLE}.item.user.middle_name ;; - group_label: "Item User" - group_item_label: "Middle Name" - } - - dimension: item__user__office_address__city { - type: string - sql: ${TABLE}.item.user.office_address.city ;; - group_label: "Item User Office Address" - group_item_label: "City" - } - - dimension: item__user__office_address__country_or_region { - type: string - sql: ${TABLE}.item.user.office_address.country_or_region ;; - group_label: "Item User Office Address" - group_item_label: "Country or Region" - } - - dimension: item__user__office_address__desk_name { - type: string - sql: ${TABLE}.item.user.office_address.desk_name ;; - group_label: "Item User Office Address" - 
group_item_label: "Desk Name" - } - - dimension: item__user__office_address__floor_name { - type: string - sql: ${TABLE}.item.user.office_address.floor_name ;; - group_label: "Item User Office Address" - group_item_label: "Floor Name" - } - - dimension: item__user__office_address__name { - type: string - sql: ${TABLE}.item.user.office_address.name ;; - group_label: "Item User Office Address" - group_item_label: "Name" - } - - dimension: item__user__office_address__region_latitude { - type: number - sql: ${TABLE}.item.user.office_address.region_latitude ;; - group_label: "Item User Office Address" - group_item_label: "Region Latitude" - } - - dimension: item__user__office_address__region_longitude { - type: number - sql: ${TABLE}.item.user.office_address.region_longitude ;; - group_label: "Item User Office Address" - group_item_label: "Region Longitude" - } - - dimension: item__user__office_address__state { - type: string - sql: ${TABLE}.item.user.office_address.state ;; - group_label: "Item User Office Address" - group_item_label: "State" - } - - dimension: item__user__personal_address__city { - type: string - sql: ${TABLE}.item.user.personal_address.city ;; - group_label: "Item User Personal Address" - group_item_label: "City" - } - - dimension: item__user__personal_address__country_or_region { - type: string - sql: ${TABLE}.item.user.personal_address.country_or_region ;; - group_label: "Item User Personal Address" - group_item_label: "Country or Region" - } - - dimension: item__user__personal_address__desk_name { - type: string - sql: ${TABLE}.item.user.personal_address.desk_name ;; - group_label: "Item User Personal Address" - group_item_label: "Desk Name" - } - - dimension: item__user__personal_address__floor_name { - type: string - sql: ${TABLE}.item.user.personal_address.floor_name ;; - group_label: "Item User Personal Address" - group_item_label: "Floor Name" - } - - dimension: item__user__personal_address__name { - type: string - sql: 
${TABLE}.item.user.personal_address.name ;; - group_label: "Item User Personal Address" - group_item_label: "Name" - } - - dimension: item__user__personal_address__region_latitude { - type: number - sql: ${TABLE}.item.user.personal_address.region_latitude ;; - group_label: "Item User Personal Address" - group_item_label: "Region Latitude" - } - - dimension: item__user__personal_address__region_longitude { - type: number - sql: ${TABLE}.item.user.personal_address.region_longitude ;; - group_label: "Item User Personal Address" - group_item_label: "Region Longitude" - } - - dimension: item__user__personal_address__state { - type: string - sql: ${TABLE}.item.user.personal_address.state ;; - group_label: "Item User Personal Address" - group_item_label: "State" - } - - dimension: item__user__phone_numbers__list { - hidden: yes - sql: ${TABLE}.item.user.phone_numbers.list ;; - group_label: "Item User Phone Numbers" - group_item_label: "List" - } - - dimension: item__user__product_object_id { - type: string - sql: ${TABLE}.item.user.product_object_id ;; - group_label: "Item User" - group_item_label: "Product Object ID" - } - - dimension: item__user__termination_date { - type: string - sql: ${TABLE}.item.user.termination_date ;; - group_label: "Item User" - group_item_label: "Termination Date" - } - - dimension: item__user__time_off__list { - hidden: yes - sql: ${TABLE}.item.user.time_off.list ;; - group_label: "Item User Time Off" - group_item_label: "List" - } - - dimension: item__user__title { - type: string - sql: ${TABLE}.item.user.title ;; - group_label: "Item User" - group_item_label: "Title" - } - - dimension: item__user__user_authentication_status { - type: number - sql: ${TABLE}.item.user.user_authentication_status ;; - group_label: "Item User" - group_item_label: "User Authentication Status" - } - - dimension: item__user__user_display_name { - type: string - sql: ${TABLE}.item.user.user_display_name ;; - group_label: "Item User" - group_item_label: "User Display 
Name" - } - - dimension: item__user__userid { - type: string - sql: ${TABLE}.item.user.userid ;; - group_label: "Item User" - group_item_label: "Userid" - } - - dimension: item__user__windows_sid { - type: string - sql: ${TABLE}.item.user.windows_sid ;; - group_label: "Item User" - group_item_label: "Windows Sid" - } - - dimension: item__user_management_chain__list { - hidden: yes - sql: ${TABLE}.item.user_management_chain.list ;; - group_label: "Item User Management Chain" - group_item_label: "List" - } -} - -view: udm_events_gcs__target__ip__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__src__nat_ip__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__target__mac__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__observer__ip__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__principal__ip__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__observer__mac__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__src__asset__ip__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__principal__mac__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__src__asset__mac__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__target__nat_ip__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__src__file__names__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__observer__nat_ip__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__target__asset__ip__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: 
udm_events_gcs__principal__nat_ip__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__src__asset__nat_ip__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__intermediary__list { - dimension: item__administrative_domain { - type: string - sql: ${TABLE}.item.administrative_domain ;; - group_label: "Item" - group_item_label: "Administrative Domain" - } - - dimension: item__application { - type: string - sql: ${TABLE}.item.application ;; - group_label: "Item" - group_item_label: "Application" - } - - dimension: item__asset__asset_id { - type: string - sql: ${TABLE}.item.asset.asset_id ;; - group_label: "Item Asset" - group_item_label: "Asset ID" - } - - dimension: item__asset__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.item.asset.attribute.cloud.availability_zone ;; - group_label: "Item Asset Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: item__asset__attribute__cloud__environment { - type: number - sql: ${TABLE}.item.asset.attribute.cloud.environment ;; - group_label: "Item Asset Attribute Cloud" - group_item_label: "Environment" - } - - dimension: item__asset__attribute__creation_time { - type: string - sql: ${TABLE}.item.asset.attribute.creation_time ;; - group_label: "Item Asset Attribute" - group_item_label: "Creation Time" - } - - dimension: item__asset__attribute__labels__list { - hidden: yes - sql: ${TABLE}.item.asset.attribute.labels.list ;; - group_label: "Item Asset Attribute Labels" - group_item_label: "List" - } - - dimension: item__asset__attribute__last_update_time { - type: string - sql: ${TABLE}.item.asset.attribute.last_update_time ;; - group_label: "Item Asset Attribute" - group_item_label: "Last Update Time" - } - - dimension: item__asset__attribute__permissions__list { - hidden: yes - sql: ${TABLE}.item.asset.attribute.permissions.list ;; - group_label: "Item Asset Attribute Permissions" - 
group_item_label: "List" - } - - dimension: item__asset__attribute__roles__list { - hidden: yes - sql: ${TABLE}.item.asset.attribute.roles.list ;; - group_label: "Item Asset Attribute Roles" - group_item_label: "List" - } - - dimension: item__asset__category { - type: string - sql: ${TABLE}.item.asset.category ;; - group_label: "Item Asset" - group_item_label: "Category" - } - - dimension: item__asset__deployment_status { - type: number - sql: ${TABLE}.item.asset.deployment_status ;; - group_label: "Item Asset" - group_item_label: "Deployment Status" - } - - dimension: item__asset__first_discover_time { - type: string - sql: ${TABLE}.item.asset.first_discover_time ;; - group_label: "Item Asset" - group_item_label: "First Discover Time" - } - - dimension: item__asset__hardware__list { - hidden: yes - sql: ${TABLE}.item.asset.hardware.list ;; - group_label: "Item Asset Hardware" - group_item_label: "List" - } - - dimension: item__asset__hostname { - type: string - sql: ${TABLE}.item.asset.hostname ;; - group_label: "Item Asset" - group_item_label: "Hostname" - } - - dimension: item__asset__ip__list { - hidden: yes - sql: ${TABLE}.item.asset.ip.list ;; - group_label: "Item Asset IP" - group_item_label: "List" - } - - dimension: item__asset__last_boot_time { - type: string - sql: ${TABLE}.item.asset.last_boot_time ;; - group_label: "Item Asset" - group_item_label: "Last Boot Time" - } - - dimension: item__asset__last_discover_time { - type: string - sql: ${TABLE}.item.asset.last_discover_time ;; - group_label: "Item Asset" - group_item_label: "Last Discover Time" - } - - dimension: item__asset__location__city { - type: string - sql: ${TABLE}.item.asset.location.city ;; - group_label: "Item Asset Location" - group_item_label: "City" - } - - dimension: item__asset__location__country_or_region { - type: string - sql: ${TABLE}.item.asset.location.country_or_region ;; - group_label: "Item Asset Location" - group_item_label: "Country or Region" - } - - dimension: 
item__asset__location__desk_name { - type: string - sql: ${TABLE}.item.asset.location.desk_name ;; - group_label: "Item Asset Location" - group_item_label: "Desk Name" - } - - dimension: item__asset__location__floor_name { - type: string - sql: ${TABLE}.item.asset.location.floor_name ;; - group_label: "Item Asset Location" - group_item_label: "Floor Name" - } - - dimension: item__asset__location__name { - type: string - sql: ${TABLE}.item.asset.location.name ;; - group_label: "Item Asset Location" - group_item_label: "Name" - } - - dimension: item__asset__location__region_latitude { - type: number - sql: ${TABLE}.item.asset.location.region_latitude ;; - group_label: "Item Asset Location" - group_item_label: "Region Latitude" - } - - dimension: item__asset__location__region_longitude { - type: number - sql: ${TABLE}.item.asset.location.region_longitude ;; - group_label: "Item Asset Location" - group_item_label: "Region Longitude" - } - - dimension: item__asset__location__state { - type: string - sql: ${TABLE}.item.asset.location.state ;; - group_label: "Item Asset Location" - group_item_label: "State" - } - - dimension: item__asset__mac__list { - hidden: yes - sql: ${TABLE}.item.asset.mac.list ;; - group_label: "Item Asset Mac" - group_item_label: "List" - } - - dimension: item__asset__nat_ip__list { - hidden: yes - sql: ${TABLE}.item.asset.nat_ip.list ;; - group_label: "Item Asset Nat IP" - group_item_label: "List" - } - - dimension: item__asset__network_domain { - type: string - sql: ${TABLE}.item.asset.network_domain ;; - group_label: "Item Asset" - group_item_label: "Network Domain" - } - - dimension: item__asset__platform_software__platform { - type: number - sql: ${TABLE}.item.asset.platform_software.platform ;; - group_label: "Item Asset Platform Software" - group_item_label: "Platform" - } - - dimension: item__asset__platform_software__platform_patch_level { - type: string - sql: ${TABLE}.item.asset.platform_software.platform_patch_level ;; - group_label: 
"Item Asset Platform Software" - group_item_label: "Platform Patch Level" - } - - dimension: item__asset__platform_software__platform_version { - type: string - sql: ${TABLE}.item.asset.platform_software.platform_version ;; - group_label: "Item Asset Platform Software" - group_item_label: "Platform Version" - } - - dimension: item__asset__product_object_id { - type: string - sql: ${TABLE}.item.asset.product_object_id ;; - group_label: "Item Asset" - group_item_label: "Product Object ID" - } - - dimension: item__asset__software__list { - hidden: yes - sql: ${TABLE}.item.asset.software.list ;; - group_label: "Item Asset Software" - group_item_label: "List" - } - - dimension: item__asset__system_last_update_time { - type: string - sql: ${TABLE}.item.asset.system_last_update_time ;; - group_label: "Item Asset" - group_item_label: "System Last Update Time" - } - - dimension: item__asset__type { - type: number - sql: ${TABLE}.item.asset.type ;; - group_label: "Item Asset" - group_item_label: "Type" - } - - dimension: item__asset__vulnerabilities__list { - hidden: yes - sql: ${TABLE}.item.asset.vulnerabilities.list ;; - group_label: "Item Asset Vulnerabilities" - group_item_label: "List" - } - - dimension: item__asset_id { - type: string - sql: ${TABLE}.item.asset_id ;; - group_label: "Item" - group_item_label: "Asset ID" - } - - dimension: item__domain__name { - type: string - sql: ${TABLE}.item.domain.name ;; - group_label: "Item Domain" - group_item_label: "Name" - } - - dimension: item__domain__prevalence__day_count { - type: number - sql: ${TABLE}.item.domain.prevalence.day_count ;; - group_label: "Item Domain Prevalence" - group_item_label: "Day Count" - } - - dimension: item__domain__prevalence__rolling_max { - type: number - sql: ${TABLE}.item.domain.prevalence.rolling_max ;; - group_label: "Item Domain Prevalence" - group_item_label: "Rolling Max" - } - - dimension: item__email { - type: string - sql: ${TABLE}.item.email ;; - group_label: "Item" - 
group_item_label: "Email" - } - - dimension: item__file__ahash { - type: string - sql: ${TABLE}.item.file.ahash ;; - group_label: "Item File" - group_item_label: "Ahash" - } - - dimension: item__file__capabilities_tags__list { - hidden: yes - sql: ${TABLE}.item.file.capabilities_tags.list ;; - group_label: "Item File Capabilities Tags" - group_item_label: "List" - } - - dimension: item__file__file_type { - type: number - sql: ${TABLE}.item.file.file_type ;; - group_label: "Item File" - group_item_label: "File Type" - } - - dimension: item__file__full_path { - type: string - sql: ${TABLE}.item.file.full_path ;; - group_label: "Item File" - group_item_label: "Full Path" - } - - dimension: item__file__md5 { - type: string - sql: ${TABLE}.item.file.md5 ;; - group_label: "Item File" - group_item_label: "Md5" - } - - dimension: item__file__mime_type { - type: string - sql: ${TABLE}.item.file.mime_type ;; - group_label: "Item File" - group_item_label: "Mime Type" - } - - dimension: item__file__names__list { - hidden: yes - sql: ${TABLE}.item.file.names.list ;; - group_label: "Item File Names" - group_item_label: "List" - } - - dimension: item__file__pe_file__compilation_exiftool_time { - type: string - sql: ${TABLE}.item.file.pe_file.compilation_exiftool_time ;; - group_label: "Item File Pe File" - group_item_label: "Compilation Exiftool Time" - } - - dimension: item__file__pe_file__compilation_time { - type: string - sql: ${TABLE}.item.file.pe_file.compilation_time ;; - group_label: "Item File Pe File" - group_item_label: "Compilation Time" - } - - dimension: item__file__pe_file__entry_point { - type: number - sql: ${TABLE}.item.file.pe_file.entry_point ;; - group_label: "Item File Pe File" - group_item_label: "Entry Point" - } - - dimension: item__file__pe_file__entry_point_exiftool { - type: number - sql: ${TABLE}.item.file.pe_file.entry_point_exiftool ;; - group_label: "Item File Pe File" - group_item_label: "Entry Point Exiftool" - } - - dimension: 
item__file__pe_file__imphash { - type: string - sql: ${TABLE}.item.file.pe_file.imphash ;; - group_label: "Item File Pe File" - group_item_label: "Imphash" - } - - dimension: item__file__pe_file__imports__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.imports.list ;; - group_label: "Item File Pe File Imports" - group_item_label: "List" - } - - dimension: item__file__pe_file__resource__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.resource.list ;; - group_label: "Item File Pe File Resource" - group_item_label: "List" - } - - dimension: item__file__pe_file__resources_language_count__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.resources_language_count.list ;; - group_label: "Item File Pe File Resources Language Count" - group_item_label: "List" - } - - dimension: item__file__pe_file__resources_type_count__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.resources_type_count.list ;; - group_label: "Item File Pe File Resources Type Count" - group_item_label: "List" - } - - dimension: item__file__pe_file__section__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.section.list ;; - group_label: "Item File Pe File Section" - group_item_label: "List" - } - - dimension: item__file__pe_file__signature_info__signer__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.signature_info.signer.list ;; - group_label: "Item File Pe File Signature Info Signer" - group_item_label: "List" - } - - dimension: item__file__pe_file__signature_info__verification_message { - type: string - sql: ${TABLE}.item.file.pe_file.signature_info.verification_message ;; - group_label: "Item File Pe File Signature Info" - group_item_label: "Verification Message" - } - - dimension: item__file__pe_file__signature_info__verified { - type: yesno - sql: ${TABLE}.item.file.pe_file.signature_info.verified ;; - group_label: "Item File Pe File Signature Info" - group_item_label: "Verified" - } - - dimension: item__file__sha1 { - type: string - sql: ${TABLE}.item.file.sha1 
;; - group_label: "Item File" - group_item_label: "Sha1" - } - - dimension: item__file__sha256 { - type: string - sql: ${TABLE}.item.file.sha256 ;; - group_label: "Item File" - group_item_label: "Sha256" - } - - dimension: item__file__size { - type: number - sql: ${TABLE}.item.file.size ;; - group_label: "Item File" - group_item_label: "Size" - } - - dimension: item__file__ssdeep { - type: string - sql: ${TABLE}.item.file.ssdeep ;; - group_label: "Item File" - group_item_label: "Ssdeep" - } - - dimension: item__file__vhash { - type: string - sql: ${TABLE}.item.file.vhash ;; - group_label: "Item File" - group_item_label: "Vhash" - } - - dimension: item__group__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.item.`group`.attribute.cloud.availability_zone ;; - group_label: "Item Group Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: item__group__attribute__cloud__environment { - type: number - sql: ${TABLE}.item.`group`.attribute.cloud.environment ;; - group_label: "Item Group Attribute Cloud" - group_item_label: "Environment" - } - - dimension: item__group__attribute__creation_time { - type: string - sql: ${TABLE}.item.`group`.attribute.creation_time ;; - group_label: "Item Group Attribute" - group_item_label: "Creation Time" - } - - dimension: item__group__attribute__labels__list { - hidden: yes - sql: ${TABLE}.item.group.attribute.labels.list ;; - group_label: "Item Group Attribute Labels" - group_item_label: "List" - } - - dimension: item__group__attribute__last_update_time { - type: string - sql: ${TABLE}.item.`group`.attribute.last_update_time ;; - group_label: "Item Group Attribute" - group_item_label: "Last Update Time" - } - - dimension: item__group__attribute__permissions__list { - hidden: yes - sql: ${TABLE}.item.group.attribute.permissions.list ;; - group_label: "Item Group Attribute Permissions" - group_item_label: "List" - } - - dimension: item__group__attribute__roles__list { - hidden: yes - sql: 
${TABLE}.item.group.attribute.roles.list ;; - group_label: "Item Group Attribute Roles" - group_item_label: "List" - } - - dimension: item__group__email_addresses__list { - hidden: yes - sql: ${TABLE}.item.group.email_addresses.list ;; - group_label: "Item Group Email Addresses" - group_item_label: "List" - } - - dimension: item__group__group_display_name { - type: string - sql: ${TABLE}.item.`group`.group_display_name ;; - group_label: "Item Group" - group_item_label: "Group Display Name" - } - - dimension: item__group__product_object_id { - type: string - sql: ${TABLE}.item.`group`.product_object_id ;; - group_label: "Item Group" - group_item_label: "Product Object ID" - } - - dimension: item__group__windows_sid { - type: string - sql: ${TABLE}.item.`group`.windows_sid ;; - group_label: "Item Group" - group_item_label: "Windows Sid" - } - - dimension: item__hostname { - type: string - sql: ${TABLE}.item.hostname ;; - group_label: "Item" - group_item_label: "Hostname" - } - - dimension: item__investigation__comments__list { - hidden: yes - sql: ${TABLE}.item.investigation.comments.list ;; - group_label: "Item Investigation Comments" - group_item_label: "List" - } - - dimension: item__investigation__reputation { - type: number - sql: ${TABLE}.item.investigation.reputation ;; - group_label: "Item Investigation" - group_item_label: "Reputation" - } - - dimension: item__investigation__severity_score { - type: number - sql: ${TABLE}.item.investigation.severity_score ;; - group_label: "Item Investigation" - group_item_label: "Severity Score" - } - - dimension: item__investigation__status { - type: number - sql: ${TABLE}.item.investigation.status ;; - group_label: "Item Investigation" - group_item_label: "Status" - } - - dimension: item__investigation__verdict { - type: number - sql: ${TABLE}.item.investigation.verdict ;; - group_label: "Item Investigation" - group_item_label: "Verdict" - } - - dimension: item__ip__list { - hidden: yes - sql: ${TABLE}.item.ip.list ;; - 
group_label: "Item IP" - group_item_label: "List" - } - - dimension: item__location__city { - type: string - sql: ${TABLE}.item.location.city ;; - group_label: "Item Location" - group_item_label: "City" - } - - dimension: item__location__country_or_region { - type: string - sql: ${TABLE}.item.location.country_or_region ;; - group_label: "Item Location" - group_item_label: "Country or Region" - } - - dimension: item__location__desk_name { - type: string - sql: ${TABLE}.item.location.desk_name ;; - group_label: "Item Location" - group_item_label: "Desk Name" - } - - dimension: item__location__floor_name { - type: string - sql: ${TABLE}.item.location.floor_name ;; - group_label: "Item Location" - group_item_label: "Floor Name" - } - - dimension: item__location__name { - type: string - sql: ${TABLE}.item.location.name ;; - group_label: "Item Location" - group_item_label: "Name" - } - - dimension: item__location__region_latitude { - type: number - sql: ${TABLE}.item.location.region_latitude ;; - group_label: "Item Location" - group_item_label: "Region Latitude" - } - - dimension: item__location__region_longitude { - type: number - sql: ${TABLE}.item.location.region_longitude ;; - group_label: "Item Location" - group_item_label: "Region Longitude" - } - - dimension: item__location__state { - type: string - sql: ${TABLE}.item.location.state ;; - group_label: "Item Location" - group_item_label: "State" - } - - dimension: item__mac__list { - hidden: yes - sql: ${TABLE}.item.mac.list ;; - group_label: "Item Mac" - group_item_label: "List" - } - - dimension: item__namespace { - type: string - sql: ${TABLE}.item.namespace ;; - group_label: "Item" - group_item_label: "Namespace" - } - - dimension: item__nat_ip__list { - hidden: yes - sql: ${TABLE}.item.nat_ip.list ;; - group_label: "Item Nat IP" - group_item_label: "List" - } - - dimension: item__nat_port { - type: number - sql: ${TABLE}.item.nat_port ;; - group_label: "Item" - group_item_label: "Nat Port" - } - - dimension: 
item__object_reference__id { - type: string - sql: ${TABLE}.item.object_reference.id ;; - group_label: "Item Object Reference" - group_item_label: "ID" - } - - dimension: item__object_reference__namespace { - type: number - sql: ${TABLE}.item.object_reference.namespace ;; - group_label: "Item Object Reference" - group_item_label: "Namespace" - } - - dimension: item__platform { - type: number - sql: ${TABLE}.item.platform ;; - group_label: "Item" - group_item_label: "Platform" - } - - dimension: item__platform_patch_level { - type: string - sql: ${TABLE}.item.platform_patch_level ;; - group_label: "Item" - group_item_label: "Platform Patch Level" - } - - dimension: item__platform_version { - type: string - sql: ${TABLE}.item.platform_version ;; - group_label: "Item" - group_item_label: "Platform Version" - } - - dimension: item__port { - type: number - sql: ${TABLE}.item.port ;; - group_label: "Item" - group_item_label: "Port" - } - - dimension: item__process__access_mask { - type: number - sql: ${TABLE}.item.process.access_mask ;; - group_label: "Item Process" - group_item_label: "Access Mask" - } - - dimension: item__process__command_line { - type: string - sql: ${TABLE}.item.process.command_line ;; - group_label: "Item Process" - group_item_label: "Command Line" - } - - dimension: item__process__command_line_history__list { - hidden: yes - sql: ${TABLE}.item.process.command_line_history.list ;; - group_label: "Item Process Command Line History" - group_item_label: "List" - } - - dimension: item__process__file__ahash { - type: string - sql: ${TABLE}.item.process.file.ahash ;; - group_label: "Item Process File" - group_item_label: "Ahash" - } - - dimension: item__process__file__capabilities_tags__list { - hidden: yes - sql: ${TABLE}.item.process.file.capabilities_tags.list ;; - group_label: "Item Process File Capabilities Tags" - group_item_label: "List" - } - - dimension: item__process__file__file_type { - type: number - sql: ${TABLE}.item.process.file.file_type 
;; - group_label: "Item Process File" - group_item_label: "File Type" - } - - dimension: item__process__file__full_path { - type: string - sql: ${TABLE}.item.process.file.full_path ;; - group_label: "Item Process File" - group_item_label: "Full Path" - } - - dimension: item__process__file__md5 { - type: string - sql: ${TABLE}.item.process.file.md5 ;; - group_label: "Item Process File" - group_item_label: "Md5" - } - - dimension: item__process__file__mime_type { - type: string - sql: ${TABLE}.item.process.file.mime_type ;; - group_label: "Item Process File" - group_item_label: "Mime Type" - } - - dimension: item__process__file__names__list { - hidden: yes - sql: ${TABLE}.item.process.file.names.list ;; - group_label: "Item Process File Names" - group_item_label: "List" - } - - dimension: item__process__file__pe_file__compilation_exiftool_time { - type: string - sql: ${TABLE}.item.process.file.pe_file.compilation_exiftool_time ;; - group_label: "Item Process File Pe File" - group_item_label: "Compilation Exiftool Time" - } - - dimension: item__process__file__pe_file__compilation_time { - type: string - sql: ${TABLE}.item.process.file.pe_file.compilation_time ;; - group_label: "Item Process File Pe File" - group_item_label: "Compilation Time" - } - - dimension: item__process__file__pe_file__entry_point { - type: number - sql: ${TABLE}.item.process.file.pe_file.entry_point ;; - group_label: "Item Process File Pe File" - group_item_label: "Entry Point" - } - - dimension: item__process__file__pe_file__entry_point_exiftool { - type: number - sql: ${TABLE}.item.process.file.pe_file.entry_point_exiftool ;; - group_label: "Item Process File Pe File" - group_item_label: "Entry Point Exiftool" - } - - dimension: item__process__file__pe_file__imphash { - type: string - sql: ${TABLE}.item.process.file.pe_file.imphash ;; - group_label: "Item Process File Pe File" - group_item_label: "Imphash" - } - - dimension: item__process__file__pe_file__imports__list { - hidden: yes - sql: 
${TABLE}.item.process.file.pe_file.imports.list ;; - group_label: "Item Process File Pe File Imports" - group_item_label: "List" - } - - dimension: item__process__file__pe_file__resource__list { - hidden: yes - sql: ${TABLE}.item.process.file.pe_file.resource.list ;; - group_label: "Item Process File Pe File Resource" - group_item_label: "List" - } - - dimension: item__process__file__pe_file__resources_language_count__list { - hidden: yes - sql: ${TABLE}.item.process.file.pe_file.resources_language_count.list ;; - group_label: "Item Process File Pe File Resources Language Count" - group_item_label: "List" - } - - dimension: item__process__file__pe_file__resources_type_count__list { - hidden: yes - sql: ${TABLE}.item.process.file.pe_file.resources_type_count.list ;; - group_label: "Item Process File Pe File Resources Type Count" - group_item_label: "List" - } - - dimension: item__process__file__pe_file__section__list { - hidden: yes - sql: ${TABLE}.item.process.file.pe_file.section.list ;; - group_label: "Item Process File Pe File Section" - group_item_label: "List" - } - - dimension: item__process__file__pe_file__signature_info__signer__list { - hidden: yes - sql: ${TABLE}.item.process.file.pe_file.signature_info.signer.list ;; - group_label: "Item Process File Pe File Signature Info Signer" - group_item_label: "List" - } - - dimension: item__process__file__pe_file__signature_info__verification_message { - type: string - sql: ${TABLE}.item.process.file.pe_file.signature_info.verification_message ;; - group_label: "Item Process File Pe File Signature Info" - group_item_label: "Verification Message" - } - - dimension: item__process__file__pe_file__signature_info__verified { - type: yesno - sql: ${TABLE}.item.process.file.pe_file.signature_info.verified ;; - group_label: "Item Process File Pe File Signature Info" - group_item_label: "Verified" - } - - dimension: item__process__file__sha1 { - type: string - sql: ${TABLE}.item.process.file.sha1 ;; - group_label: "Item 
Process File" - group_item_label: "Sha1" - } - - dimension: item__process__file__sha256 { - type: string - sql: ${TABLE}.item.process.file.sha256 ;; - group_label: "Item Process File" - group_item_label: "Sha256" - } - - dimension: item__process__file__size { - type: number - sql: ${TABLE}.item.process.file.size ;; - group_label: "Item Process File" - group_item_label: "Size" - } - - dimension: item__process__file__ssdeep { - type: string - sql: ${TABLE}.item.process.file.ssdeep ;; - group_label: "Item Process File" - group_item_label: "Ssdeep" - } - - dimension: item__process__file__vhash { - type: string - sql: ${TABLE}.item.process.file.vhash ;; - group_label: "Item Process File" - group_item_label: "Vhash" - } - - dimension: item__process__pid { - type: string - sql: ${TABLE}.item.process.pid ;; - group_label: "Item Process" - group_item_label: "Pid" - } - - dimension: item__process__product_specific_process_id { - type: string - sql: ${TABLE}.item.process.product_specific_process_id ;; - group_label: "Item Process" - group_item_label: "Product Specific Process ID" - } - - dimension: item__process_ancestors__list { - hidden: yes - sql: ${TABLE}.item.process_ancestors.list ;; - group_label: "Item Process Ancestors" - group_item_label: "List" - } - - dimension: item__registry__registry_key { - type: string - sql: ${TABLE}.item.registry.registry_key ;; - group_label: "Item Registry" - group_item_label: "Registry Key" - } - - dimension: item__registry__registry_value_data { - type: string - sql: ${TABLE}.item.registry.registry_value_data ;; - group_label: "Item Registry" - group_item_label: "Registry Value Data" - } - - dimension: item__registry__registry_value_name { - type: string - sql: ${TABLE}.item.registry.registry_value_name ;; - group_label: "Item Registry" - group_item_label: "Registry Value Name" - } - - dimension: item__resource__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.item.resource.attribute.cloud.availability_zone ;; - 
group_label: "Item Resource Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: item__resource__attribute__cloud__environment { - type: number - sql: ${TABLE}.item.resource.attribute.cloud.environment ;; - group_label: "Item Resource Attribute Cloud" - group_item_label: "Environment" - } - - dimension: item__resource__attribute__creation_time { - type: string - sql: ${TABLE}.item.resource.attribute.creation_time ;; - group_label: "Item Resource Attribute" - group_item_label: "Creation Time" - } - - dimension: item__resource__attribute__labels__list { - hidden: yes - sql: ${TABLE}.item.resource.attribute.labels.list ;; - group_label: "Item Resource Attribute Labels" - group_item_label: "List" - } - - dimension: item__resource__attribute__last_update_time { - type: string - sql: ${TABLE}.item.resource.attribute.last_update_time ;; - group_label: "Item Resource Attribute" - group_item_label: "Last Update Time" - } - - dimension: item__resource__attribute__permissions__list { - hidden: yes - sql: ${TABLE}.item.resource.attribute.permissions.list ;; - group_label: "Item Resource Attribute Permissions" - group_item_label: "List" - } - - dimension: item__resource__attribute__roles__list { - hidden: yes - sql: ${TABLE}.item.resource.attribute.roles.list ;; - group_label: "Item Resource Attribute Roles" - group_item_label: "List" - } - - dimension: item__resource__name { - type: string - sql: ${TABLE}.item.resource.name ;; - group_label: "Item Resource" - group_item_label: "Name" - } - - dimension: item__resource__product_object_id { - type: string - sql: ${TABLE}.item.resource.product_object_id ;; - group_label: "Item Resource" - group_item_label: "Product Object ID" - } - - dimension: item__resource__resource_subtype { - type: string - sql: ${TABLE}.item.resource.resource_subtype ;; - group_label: "Item Resource" - group_item_label: "Resource Subtype" - } - - dimension: item__resource__resource_type { - type: number - sql: 
${TABLE}.item.resource.resource_type ;; - group_label: "Item Resource" - group_item_label: "Resource Type" - } - - dimension: item__resource_ancestors__list { - hidden: yes - sql: ${TABLE}.item.resource_ancestors.list ;; - group_label: "Item Resource Ancestors" - group_item_label: "List" - } - - dimension: item__url { - type: string - sql: ${TABLE}.item.url ;; - group_label: "Item" - group_item_label: "URL" - } - - dimension: item__user__account_type { - type: number - sql: ${TABLE}.item.user.account_type ;; - group_label: "Item User" - group_item_label: "Account Type" - } - - dimension: item__user__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.item.user.attribute.cloud.availability_zone ;; - group_label: "Item User Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: item__user__attribute__cloud__environment { - type: number - sql: ${TABLE}.item.user.attribute.cloud.environment ;; - group_label: "Item User Attribute Cloud" - group_item_label: "Environment" - } - - dimension: item__user__attribute__creation_time { - type: string - sql: ${TABLE}.item.user.attribute.creation_time ;; - group_label: "Item User Attribute" - group_item_label: "Creation Time" - } - - dimension: item__user__attribute__labels__list { - hidden: yes - sql: ${TABLE}.item.user.attribute.labels.list ;; - group_label: "Item User Attribute Labels" - group_item_label: "List" - } - - dimension: item__user__attribute__last_update_time { - type: string - sql: ${TABLE}.item.user.attribute.last_update_time ;; - group_label: "Item User Attribute" - group_item_label: "Last Update Time" - } - - dimension: item__user__attribute__permissions__list { - hidden: yes - sql: ${TABLE}.item.user.attribute.permissions.list ;; - group_label: "Item User Attribute Permissions" - group_item_label: "List" - } - - dimension: item__user__attribute__roles__list { - hidden: yes - sql: ${TABLE}.item.user.attribute.roles.list ;; - group_label: "Item User Attribute Roles" - 
group_item_label: "List" - } - - dimension: item__user__company_name { - type: string - sql: ${TABLE}.item.user.company_name ;; - group_label: "Item User" - group_item_label: "Company Name" - } - - dimension: item__user__department__list { - hidden: yes - sql: ${TABLE}.item.user.department.list ;; - group_label: "Item User Department" - group_item_label: "List" - } - - dimension: item__user__email_addresses__list { - hidden: yes - sql: ${TABLE}.item.user.email_addresses.list ;; - group_label: "Item User Email Addresses" - group_item_label: "List" - } - - dimension: item__user__employee_id { - type: string - sql: ${TABLE}.item.user.employee_id ;; - group_label: "Item User" - group_item_label: "Employee ID" - } - - dimension: item__user__first_name { - type: string - sql: ${TABLE}.item.user.first_name ;; - group_label: "Item User" - group_item_label: "First Name" - } - - dimension: item__user__group_identifiers__list { - hidden: yes - sql: ${TABLE}.item.user.group_identifiers.list ;; - group_label: "Item User Group Identifiers" - group_item_label: "List" - } - - dimension: item__user__hire_date { - type: string - sql: ${TABLE}.item.user.hire_date ;; - group_label: "Item User" - group_item_label: "Hire Date" - } - - dimension: item__user__last_name { - type: string - sql: ${TABLE}.item.user.last_name ;; - group_label: "Item User" - group_item_label: "Last Name" - } - - dimension: item__user__middle_name { - type: string - sql: ${TABLE}.item.user.middle_name ;; - group_label: "Item User" - group_item_label: "Middle Name" - } - - dimension: item__user__office_address__city { - type: string - sql: ${TABLE}.item.user.office_address.city ;; - group_label: "Item User Office Address" - group_item_label: "City" - } - - dimension: item__user__office_address__country_or_region { - type: string - sql: ${TABLE}.item.user.office_address.country_or_region ;; - group_label: "Item User Office Address" - group_item_label: "Country or Region" - } - - dimension: 
item__user__office_address__desk_name { - type: string - sql: ${TABLE}.item.user.office_address.desk_name ;; - group_label: "Item User Office Address" - group_item_label: "Desk Name" - } - - dimension: item__user__office_address__floor_name { - type: string - sql: ${TABLE}.item.user.office_address.floor_name ;; - group_label: "Item User Office Address" - group_item_label: "Floor Name" - } - - dimension: item__user__office_address__name { - type: string - sql: ${TABLE}.item.user.office_address.name ;; - group_label: "Item User Office Address" - group_item_label: "Name" - } - - dimension: item__user__office_address__region_latitude { - type: number - sql: ${TABLE}.item.user.office_address.region_latitude ;; - group_label: "Item User Office Address" - group_item_label: "Region Latitude" - } - - dimension: item__user__office_address__region_longitude { - type: number - sql: ${TABLE}.item.user.office_address.region_longitude ;; - group_label: "Item User Office Address" - group_item_label: "Region Longitude" - } - - dimension: item__user__office_address__state { - type: string - sql: ${TABLE}.item.user.office_address.state ;; - group_label: "Item User Office Address" - group_item_label: "State" - } - - dimension: item__user__personal_address__city { - type: string - sql: ${TABLE}.item.user.personal_address.city ;; - group_label: "Item User Personal Address" - group_item_label: "City" - } - - dimension: item__user__personal_address__country_or_region { - type: string - sql: ${TABLE}.item.user.personal_address.country_or_region ;; - group_label: "Item User Personal Address" - group_item_label: "Country or Region" - } - - dimension: item__user__personal_address__desk_name { - type: string - sql: ${TABLE}.item.user.personal_address.desk_name ;; - group_label: "Item User Personal Address" - group_item_label: "Desk Name" - } - - dimension: item__user__personal_address__floor_name { - type: string - sql: ${TABLE}.item.user.personal_address.floor_name ;; - group_label: "Item 
User Personal Address" - group_item_label: "Floor Name" - } - - dimension: item__user__personal_address__name { - type: string - sql: ${TABLE}.item.user.personal_address.name ;; - group_label: "Item User Personal Address" - group_item_label: "Name" - } - - dimension: item__user__personal_address__region_latitude { - type: number - sql: ${TABLE}.item.user.personal_address.region_latitude ;; - group_label: "Item User Personal Address" - group_item_label: "Region Latitude" - } - - dimension: item__user__personal_address__region_longitude { - type: number - sql: ${TABLE}.item.user.personal_address.region_longitude ;; - group_label: "Item User Personal Address" - group_item_label: "Region Longitude" - } - - dimension: item__user__personal_address__state { - type: string - sql: ${TABLE}.item.user.personal_address.state ;; - group_label: "Item User Personal Address" - group_item_label: "State" - } - - dimension: item__user__phone_numbers__list { - hidden: yes - sql: ${TABLE}.item.user.phone_numbers.list ;; - group_label: "Item User Phone Numbers" - group_item_label: "List" - } - - dimension: item__user__product_object_id { - type: string - sql: ${TABLE}.item.user.product_object_id ;; - group_label: "Item User" - group_item_label: "Product Object ID" - } - - dimension: item__user__termination_date { - type: string - sql: ${TABLE}.item.user.termination_date ;; - group_label: "Item User" - group_item_label: "Termination Date" - } - - dimension: item__user__time_off__list { - hidden: yes - sql: ${TABLE}.item.user.time_off.list ;; - group_label: "Item User Time Off" - group_item_label: "List" - } - - dimension: item__user__title { - type: string - sql: ${TABLE}.item.user.title ;; - group_label: "Item User" - group_item_label: "Title" - } - - dimension: item__user__user_authentication_status { - type: number - sql: ${TABLE}.item.user.user_authentication_status ;; - group_label: "Item User" - group_item_label: "User Authentication Status" - } - - dimension: 
item__user__user_display_name { - type: string - sql: ${TABLE}.item.user.user_display_name ;; - group_label: "Item User" - group_item_label: "User Display Name" - } - - dimension: item__user__userid { - type: string - sql: ${TABLE}.item.user.userid ;; - group_label: "Item User" - group_item_label: "Userid" - } - - dimension: item__user__windows_sid { - type: string - sql: ${TABLE}.item.user.windows_sid ;; - group_label: "Item User" - group_item_label: "Windows Sid" - } - - dimension: item__user_management_chain__list { - hidden: yes - sql: ${TABLE}.item.user_management_chain.list ;; - group_label: "Item User Management Chain" - group_item_label: "List" - } -} - -view: udm_events_gcs__target__asset__mac__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__network__email__cc__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__observer__asset__ip__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__target__file__names__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__network__email__bcc__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__principal__asset__ip__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__observer__asset__mac__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__about__list__item__ip__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__network__email__to__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__principal__asset__mac__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__observer__file__names__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: 
udm_events_gcs__src__user__department__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__about__list__item__mac__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__target__asset__nat_ip__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__principal__file__names__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__observer__asset__nat_ip__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__additional__fields__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value__bool_value { - type: yesno - sql: ${TABLE}.item.value.bool_value ;; - group_label: "Item Value" - group_item_label: "Bool Value" - } - - dimension: item__value__null_value { - type: number - sql: ${TABLE}.item.value.null_value ;; - group_label: "Item Value" - group_item_label: "Null Value" - } - - dimension: item__value__number_value { - type: number - sql: ${TABLE}.item.value.number_value ;; - group_label: "Item Value" - group_item_label: "Number Value" - } - - dimension: item__value__string_value { - type: string - sql: ${TABLE}.item.value.string_value ;; - group_label: "Item Value" - group_item_label: "String Value" - } -} - -view: udm_events_gcs__network__email__subject__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__principal__asset__nat_ip__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__src__process__file__names__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__src__asset__hardware__list { - dimension: item__cpu_clock_speed { - type: number - sql: ${TABLE}.item.cpu_clock_speed ;; - group_label: "Item" - group_item_label: "CPU 
Clock Speed" - } - - dimension: item__cpu_max_clock_speed { - type: number - sql: ${TABLE}.item.cpu_max_clock_speed ;; - group_label: "Item" - group_item_label: "CPU Max Clock Speed" - } - - dimension: item__cpu_model { - type: string - sql: ${TABLE}.item.cpu_model ;; - group_label: "Item" - group_item_label: "CPU Model" - } - - dimension: item__cpu_number_cores { - type: number - sql: ${TABLE}.item.cpu_number_cores ;; - group_label: "Item" - group_item_label: "CPU Number Cores" - } - - dimension: item__cpu_platform { - type: string - sql: ${TABLE}.item.cpu_platform ;; - group_label: "Item" - group_item_label: "CPU Platform" - } - - dimension: item__manufacturer { - type: string - sql: ${TABLE}.item.manufacturer ;; - group_label: "Item" - group_item_label: "Manufacturer" - } - - dimension: item__model { - type: string - sql: ${TABLE}.item.model ;; - group_label: "Item" - group_item_label: "Model" - } - - dimension: item__ram { - type: number - sql: ${TABLE}.item.ram ;; - group_label: "Item" - group_item_label: "Ram" - } - - dimension: item__serial_number { - type: string - sql: ${TABLE}.item.serial_number ;; - group_label: "Item" - group_item_label: "Serial Number" - } -} - -view: udm_events_gcs__src__user__phone_numbers__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__about__list__item__nat_ip__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__target__user__department__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__metadata__tags__tenant_id__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__src__asset__software__list { - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__permissions__list { - hidden: yes - sql: ${TABLE}.item.permissions.list ;; - group_label: "Item Permissions" - 
group_item_label: "List" - } - - dimension: item__version { - type: string - sql: ${TABLE}.item.version ;; - group_label: "Item" - group_item_label: "Version" - } -} - -view: udm_events_gcs__security_result__list { - dimension: item__about__administrative_domain { - type: string - sql: ${TABLE}.item.about.administrative_domain ;; - group_label: "Item About" - group_item_label: "Administrative Domain" - } - - dimension: item__about__application { - type: string - sql: ${TABLE}.item.about.application ;; - group_label: "Item About" - group_item_label: "Application" - } - - dimension: item__about__asset__asset_id { - type: string - sql: ${TABLE}.item.about.asset.asset_id ;; - group_label: "Item About Asset" - group_item_label: "Asset ID" - } - - dimension: item__about__asset__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.item.about.asset.attribute.cloud.availability_zone ;; - group_label: "Item About Asset Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: item__about__asset__attribute__cloud__environment { - type: number - sql: ${TABLE}.item.about.asset.attribute.cloud.environment ;; - group_label: "Item About Asset Attribute Cloud" - group_item_label: "Environment" - } - - dimension: item__about__asset__attribute__creation_time { - type: string - sql: ${TABLE}.item.about.asset.attribute.creation_time ;; - group_label: "Item About Asset Attribute" - group_item_label: "Creation Time" - } - - dimension: item__about__asset__attribute__labels__list { - hidden: yes - sql: ${TABLE}.item.about.asset.attribute.labels.list ;; - group_label: "Item About Asset Attribute Labels" - group_item_label: "List" - } - - dimension: item__about__asset__attribute__last_update_time { - type: string - sql: ${TABLE}.item.about.asset.attribute.last_update_time ;; - group_label: "Item About Asset Attribute" - group_item_label: "Last Update Time" - } - - dimension: item__about__asset__attribute__permissions__list { - hidden: yes - sql: 
${TABLE}.item.about.asset.attribute.permissions.list ;; - group_label: "Item About Asset Attribute Permissions" - group_item_label: "List" - } - - dimension: item__about__asset__attribute__roles__list { - hidden: yes - sql: ${TABLE}.item.about.asset.attribute.roles.list ;; - group_label: "Item About Asset Attribute Roles" - group_item_label: "List" - } - - dimension: item__about__asset__category { - type: string - sql: ${TABLE}.item.about.asset.category ;; - group_label: "Item About Asset" - group_item_label: "Category" - } - - dimension: item__about__asset__deployment_status { - type: number - sql: ${TABLE}.item.about.asset.deployment_status ;; - group_label: "Item About Asset" - group_item_label: "Deployment Status" - } - - dimension: item__about__asset__first_discover_time { - type: string - sql: ${TABLE}.item.about.asset.first_discover_time ;; - group_label: "Item About Asset" - group_item_label: "First Discover Time" - } - - dimension: item__about__asset__hardware__list { - hidden: yes - sql: ${TABLE}.item.about.asset.hardware.list ;; - group_label: "Item About Asset Hardware" - group_item_label: "List" - } - - dimension: item__about__asset__hostname { - type: string - sql: ${TABLE}.item.about.asset.hostname ;; - group_label: "Item About Asset" - group_item_label: "Hostname" - } - - dimension: item__about__asset__ip__list { - hidden: yes - sql: ${TABLE}.item.about.asset.ip.list ;; - group_label: "Item About Asset IP" - group_item_label: "List" - } - - dimension: item__about__asset__last_boot_time { - type: string - sql: ${TABLE}.item.about.asset.last_boot_time ;; - group_label: "Item About Asset" - group_item_label: "Last Boot Time" - } - - dimension: item__about__asset__last_discover_time { - type: string - sql: ${TABLE}.item.about.asset.last_discover_time ;; - group_label: "Item About Asset" - group_item_label: "Last Discover Time" - } - - dimension: item__about__asset__location__city { - type: string - sql: ${TABLE}.item.about.asset.location.city ;; - 
group_label: "Item About Asset Location" - group_item_label: "City" - } - - dimension: item__about__asset__location__country_or_region { - type: string - sql: ${TABLE}.item.about.asset.location.country_or_region ;; - group_label: "Item About Asset Location" - group_item_label: "Country or Region" - } - - dimension: item__about__asset__location__desk_name { - type: string - sql: ${TABLE}.item.about.asset.location.desk_name ;; - group_label: "Item About Asset Location" - group_item_label: "Desk Name" - } - - dimension: item__about__asset__location__floor_name { - type: string - sql: ${TABLE}.item.about.asset.location.floor_name ;; - group_label: "Item About Asset Location" - group_item_label: "Floor Name" - } - - dimension: item__about__asset__location__name { - type: string - sql: ${TABLE}.item.about.asset.location.name ;; - group_label: "Item About Asset Location" - group_item_label: "Name" - } - - dimension: item__about__asset__location__region_latitude { - type: number - sql: ${TABLE}.item.about.asset.location.region_latitude ;; - group_label: "Item About Asset Location" - group_item_label: "Region Latitude" - } - - dimension: item__about__asset__location__region_longitude { - type: number - sql: ${TABLE}.item.about.asset.location.region_longitude ;; - group_label: "Item About Asset Location" - group_item_label: "Region Longitude" - } - - dimension: item__about__asset__location__state { - type: string - sql: ${TABLE}.item.about.asset.location.state ;; - group_label: "Item About Asset Location" - group_item_label: "State" - } - - dimension: item__about__asset__mac__list { - hidden: yes - sql: ${TABLE}.item.about.asset.mac.list ;; - group_label: "Item About Asset Mac" - group_item_label: "List" - } - - dimension: item__about__asset__nat_ip__list { - hidden: yes - sql: ${TABLE}.item.about.asset.nat_ip.list ;; - group_label: "Item About Asset Nat IP" - group_item_label: "List" - } - - dimension: item__about__asset__network_domain { - type: string - sql: 
${TABLE}.item.about.asset.network_domain ;; - group_label: "Item About Asset" - group_item_label: "Network Domain" - } - - dimension: item__about__asset__platform_software__platform { - type: number - sql: ${TABLE}.item.about.asset.platform_software.platform ;; - group_label: "Item About Asset Platform Software" - group_item_label: "Platform" - } - - dimension: item__about__asset__platform_software__platform_patch_level { - type: string - sql: ${TABLE}.item.about.asset.platform_software.platform_patch_level ;; - group_label: "Item About Asset Platform Software" - group_item_label: "Platform Patch Level" - } - - dimension: item__about__asset__platform_software__platform_version { - type: string - sql: ${TABLE}.item.about.asset.platform_software.platform_version ;; - group_label: "Item About Asset Platform Software" - group_item_label: "Platform Version" - } - - dimension: item__about__asset__product_object_id { - type: string - sql: ${TABLE}.item.about.asset.product_object_id ;; - group_label: "Item About Asset" - group_item_label: "Product Object ID" - } - - dimension: item__about__asset__software__list { - hidden: yes - sql: ${TABLE}.item.about.asset.software.list ;; - group_label: "Item About Asset Software" - group_item_label: "List" - } - - dimension: item__about__asset__system_last_update_time { - type: string - sql: ${TABLE}.item.about.asset.system_last_update_time ;; - group_label: "Item About Asset" - group_item_label: "System Last Update Time" - } - - dimension: item__about__asset__type { - type: number - sql: ${TABLE}.item.about.asset.type ;; - group_label: "Item About Asset" - group_item_label: "Type" - } - - dimension: item__about__asset__vulnerabilities__list { - hidden: yes - sql: ${TABLE}.item.about.asset.vulnerabilities.list ;; - group_label: "Item About Asset Vulnerabilities" - group_item_label: "List" - } - - dimension: item__about__asset_id { - type: string - sql: ${TABLE}.item.about.asset_id ;; - group_label: "Item About" - group_item_label: 
"Asset ID" - } - - dimension: item__about__domain__name { - type: string - sql: ${TABLE}.item.about.domain.name ;; - group_label: "Item About Domain" - group_item_label: "Name" - } - - dimension: item__about__domain__prevalence__day_count { - type: number - sql: ${TABLE}.item.about.domain.prevalence.day_count ;; - group_label: "Item About Domain Prevalence" - group_item_label: "Day Count" - } - - dimension: item__about__domain__prevalence__rolling_max { - type: number - sql: ${TABLE}.item.about.domain.prevalence.rolling_max ;; - group_label: "Item About Domain Prevalence" - group_item_label: "Rolling Max" - } - - dimension: item__about__email { - type: string - sql: ${TABLE}.item.about.email ;; - group_label: "Item About" - group_item_label: "Email" - } - - dimension: item__about__file__ahash { - type: string - sql: ${TABLE}.item.about.file.ahash ;; - group_label: "Item About File" - group_item_label: "Ahash" - } - - dimension: item__about__file__capabilities_tags__list { - hidden: yes - sql: ${TABLE}.item.about.file.capabilities_tags.list ;; - group_label: "Item About File Capabilities Tags" - group_item_label: "List" - } - - dimension: item__about__file__file_type { - type: number - sql: ${TABLE}.item.about.file.file_type ;; - group_label: "Item About File" - group_item_label: "File Type" - } - - dimension: item__about__file__full_path { - type: string - sql: ${TABLE}.item.about.file.full_path ;; - group_label: "Item About File" - group_item_label: "Full Path" - } - - dimension: item__about__file__md5 { - type: string - sql: ${TABLE}.item.about.file.md5 ;; - group_label: "Item About File" - group_item_label: "Md5" - } - - dimension: item__about__file__mime_type { - type: string - sql: ${TABLE}.item.about.file.mime_type ;; - group_label: "Item About File" - group_item_label: "Mime Type" - } - - dimension: item__about__file__names__list { - hidden: yes - sql: ${TABLE}.item.about.file.names.list ;; - group_label: "Item About File Names" - group_item_label: "List" - 
} - - dimension: item__about__file__pe_file__compilation_exiftool_time { - type: string - sql: ${TABLE}.item.about.file.pe_file.compilation_exiftool_time ;; - group_label: "Item About File Pe File" - group_item_label: "Compilation Exiftool Time" - } - - dimension: item__about__file__pe_file__compilation_time { - type: string - sql: ${TABLE}.item.about.file.pe_file.compilation_time ;; - group_label: "Item About File Pe File" - group_item_label: "Compilation Time" - } - - dimension: item__about__file__pe_file__entry_point { - type: number - sql: ${TABLE}.item.about.file.pe_file.entry_point ;; - group_label: "Item About File Pe File" - group_item_label: "Entry Point" - } - - dimension: item__about__file__pe_file__entry_point_exiftool { - type: number - sql: ${TABLE}.item.about.file.pe_file.entry_point_exiftool ;; - group_label: "Item About File Pe File" - group_item_label: "Entry Point Exiftool" - } - - dimension: item__about__file__pe_file__imphash { - type: string - sql: ${TABLE}.item.about.file.pe_file.imphash ;; - group_label: "Item About File Pe File" - group_item_label: "Imphash" - } - - dimension: item__about__file__pe_file__imports__list { - hidden: yes - sql: ${TABLE}.item.about.file.pe_file.imports.list ;; - group_label: "Item About File Pe File Imports" - group_item_label: "List" - } - - dimension: item__about__file__pe_file__resource__list { - hidden: yes - sql: ${TABLE}.item.about.file.pe_file.resource.list ;; - group_label: "Item About File Pe File Resource" - group_item_label: "List" - } - - dimension: item__about__file__pe_file__resources_language_count__list { - hidden: yes - sql: ${TABLE}.item.about.file.pe_file.resources_language_count.list ;; - group_label: "Item About File Pe File Resources Language Count" - group_item_label: "List" - } - - dimension: item__about__file__pe_file__resources_type_count__list { - hidden: yes - sql: ${TABLE}.item.about.file.pe_file.resources_type_count.list ;; - group_label: "Item About File Pe File Resources Type 
Count" - group_item_label: "List" - } - - dimension: item__about__file__pe_file__section__list { - hidden: yes - sql: ${TABLE}.item.about.file.pe_file.section.list ;; - group_label: "Item About File Pe File Section" - group_item_label: "List" - } - - dimension: item__about__file__pe_file__signature_info__signer__list { - hidden: yes - sql: ${TABLE}.item.about.file.pe_file.signature_info.signer.list ;; - group_label: "Item About File Pe File Signature Info Signer" - group_item_label: "List" - } - - dimension: item__about__file__pe_file__signature_info__verification_message { - type: string - sql: ${TABLE}.item.about.file.pe_file.signature_info.verification_message ;; - group_label: "Item About File Pe File Signature Info" - group_item_label: "Verification Message" - } - - dimension: item__about__file__pe_file__signature_info__verified { - type: yesno - sql: ${TABLE}.item.about.file.pe_file.signature_info.verified ;; - group_label: "Item About File Pe File Signature Info" - group_item_label: "Verified" - } - - dimension: item__about__file__sha1 { - type: string - sql: ${TABLE}.item.about.file.sha1 ;; - group_label: "Item About File" - group_item_label: "Sha1" - } - - dimension: item__about__file__sha256 { - type: string - sql: ${TABLE}.item.about.file.sha256 ;; - group_label: "Item About File" - group_item_label: "Sha256" - } - - dimension: item__about__file__size { - type: number - sql: ${TABLE}.item.about.file.size ;; - group_label: "Item About File" - group_item_label: "Size" - } - - dimension: item__about__file__ssdeep { - type: string - sql: ${TABLE}.item.about.file.ssdeep ;; - group_label: "Item About File" - group_item_label: "Ssdeep" - } - - dimension: item__about__file__vhash { - type: string - sql: ${TABLE}.item.about.file.vhash ;; - group_label: "Item About File" - group_item_label: "Vhash" - } - - dimension: item__about__group__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.item.about.`group`.attribute.cloud.availability_zone ;; - 
group_label: "Item About Group Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: item__about__group__attribute__cloud__environment { - type: number - sql: ${TABLE}.item.about.`group`.attribute.cloud.environment ;; - group_label: "Item About Group Attribute Cloud" - group_item_label: "Environment" - } - - dimension: item__about__group__attribute__creation_time { - type: string - sql: ${TABLE}.item.about.`group`.attribute.creation_time ;; - group_label: "Item About Group Attribute" - group_item_label: "Creation Time" - } - - dimension: item__about__group__attribute__labels__list { - hidden: yes - sql: ${TABLE}.item.about.group.attribute.labels.list ;; - group_label: "Item About Group Attribute Labels" - group_item_label: "List" - } - - dimension: item__about__group__attribute__last_update_time { - type: string - sql: ${TABLE}.item.about.`group`.attribute.last_update_time ;; - group_label: "Item About Group Attribute" - group_item_label: "Last Update Time" - } - - dimension: item__about__group__attribute__permissions__list { - hidden: yes - sql: ${TABLE}.item.about.group.attribute.permissions.list ;; - group_label: "Item About Group Attribute Permissions" - group_item_label: "List" - } - - dimension: item__about__group__attribute__roles__list { - hidden: yes - sql: ${TABLE}.item.about.group.attribute.roles.list ;; - group_label: "Item About Group Attribute Roles" - group_item_label: "List" - } - - dimension: item__about__group__email_addresses__list { - hidden: yes - sql: ${TABLE}.item.about.group.email_addresses.list ;; - group_label: "Item About Group Email Addresses" - group_item_label: "List" - } - - dimension: item__about__group__group_display_name { - type: string - sql: ${TABLE}.item.about.`group`.group_display_name ;; - group_label: "Item About Group" - group_item_label: "Group Display Name" - } - - dimension: item__about__group__product_object_id { - type: string - sql: ${TABLE}.item.about.`group`.product_object_id ;; - group_label: 
"Item About Group" - group_item_label: "Product Object ID" - } - - dimension: item__about__group__windows_sid { - type: string - sql: ${TABLE}.item.about.`group`.windows_sid ;; - group_label: "Item About Group" - group_item_label: "Windows Sid" - } - - dimension: item__about__hostname { - type: string - sql: ${TABLE}.item.about.hostname ;; - group_label: "Item About" - group_item_label: "Hostname" - } - - dimension: item__about__investigation__comments__list { - hidden: yes - sql: ${TABLE}.item.about.investigation.comments.list ;; - group_label: "Item About Investigation Comments" - group_item_label: "List" - } - - dimension: item__about__investigation__reputation { - type: number - sql: ${TABLE}.item.about.investigation.reputation ;; - group_label: "Item About Investigation" - group_item_label: "Reputation" - } - - dimension: item__about__investigation__severity_score { - type: number - sql: ${TABLE}.item.about.investigation.severity_score ;; - group_label: "Item About Investigation" - group_item_label: "Severity Score" - } - - dimension: item__about__investigation__status { - type: number - sql: ${TABLE}.item.about.investigation.status ;; - group_label: "Item About Investigation" - group_item_label: "Status" - } - - dimension: item__about__investigation__verdict { - type: number - sql: ${TABLE}.item.about.investigation.verdict ;; - group_label: "Item About Investigation" - group_item_label: "Verdict" - } - - dimension: item__about__ip__list { - hidden: yes - sql: ${TABLE}.item.about.ip.list ;; - group_label: "Item About IP" - group_item_label: "List" - } - - dimension: item__about__location__city { - type: string - sql: ${TABLE}.item.about.location.city ;; - group_label: "Item About Location" - group_item_label: "City" - } - - dimension: item__about__location__country_or_region { - type: string - sql: ${TABLE}.item.about.location.country_or_region ;; - group_label: "Item About Location" - group_item_label: "Country or Region" - } - - dimension: 
item__about__location__desk_name { - type: string - sql: ${TABLE}.item.about.location.desk_name ;; - group_label: "Item About Location" - group_item_label: "Desk Name" - } - - dimension: item__about__location__floor_name { - type: string - sql: ${TABLE}.item.about.location.floor_name ;; - group_label: "Item About Location" - group_item_label: "Floor Name" - } - - dimension: item__about__location__name { - type: string - sql: ${TABLE}.item.about.location.name ;; - group_label: "Item About Location" - group_item_label: "Name" - } - - dimension: item__about__location__region_latitude { - type: number - sql: ${TABLE}.item.about.location.region_latitude ;; - group_label: "Item About Location" - group_item_label: "Region Latitude" - } - - dimension: item__about__location__region_longitude { - type: number - sql: ${TABLE}.item.about.location.region_longitude ;; - group_label: "Item About Location" - group_item_label: "Region Longitude" - } - - dimension: item__about__location__state { - type: string - sql: ${TABLE}.item.about.location.state ;; - group_label: "Item About Location" - group_item_label: "State" - } - - dimension: item__about__mac__list { - hidden: yes - sql: ${TABLE}.item.about.mac.list ;; - group_label: "Item About Mac" - group_item_label: "List" - } - - dimension: item__about__namespace { - type: string - sql: ${TABLE}.item.about.namespace ;; - group_label: "Item About" - group_item_label: "Namespace" - } - - dimension: item__about__nat_ip__list { - hidden: yes - sql: ${TABLE}.item.about.nat_ip.list ;; - group_label: "Item About Nat IP" - group_item_label: "List" - } - - dimension: item__about__nat_port { - type: number - sql: ${TABLE}.item.about.nat_port ;; - group_label: "Item About" - group_item_label: "Nat Port" - } - - dimension: item__about__object_reference__id { - type: string - sql: ${TABLE}.item.about.object_reference.id ;; - group_label: "Item About Object Reference" - group_item_label: "ID" - } - - dimension: 
item__about__object_reference__namespace { - type: number - sql: ${TABLE}.item.about.object_reference.namespace ;; - group_label: "Item About Object Reference" - group_item_label: "Namespace" - } - - dimension: item__about__platform { - type: number - sql: ${TABLE}.item.about.platform ;; - group_label: "Item About" - group_item_label: "Platform" - } - - dimension: item__about__platform_patch_level { - type: string - sql: ${TABLE}.item.about.platform_patch_level ;; - group_label: "Item About" - group_item_label: "Platform Patch Level" - } - - dimension: item__about__platform_version { - type: string - sql: ${TABLE}.item.about.platform_version ;; - group_label: "Item About" - group_item_label: "Platform Version" - } - - dimension: item__about__port { - type: number - sql: ${TABLE}.item.about.port ;; - group_label: "Item About" - group_item_label: "Port" - } - - dimension: item__about__process__access_mask { - type: number - sql: ${TABLE}.item.about.process.access_mask ;; - group_label: "Item About Process" - group_item_label: "Access Mask" - } - - dimension: item__about__process__command_line { - type: string - sql: ${TABLE}.item.about.process.command_line ;; - group_label: "Item About Process" - group_item_label: "Command Line" - } - - dimension: item__about__process__command_line_history__list { - hidden: yes - sql: ${TABLE}.item.about.process.command_line_history.list ;; - group_label: "Item About Process Command Line History" - group_item_label: "List" - } - - dimension: item__about__process__file__ahash { - type: string - sql: ${TABLE}.item.about.process.file.ahash ;; - group_label: "Item About Process File" - group_item_label: "Ahash" - } - - dimension: item__about__process__file__capabilities_tags__list { - hidden: yes - sql: ${TABLE}.item.about.process.file.capabilities_tags.list ;; - group_label: "Item About Process File Capabilities Tags" - group_item_label: "List" - } - - dimension: item__about__process__file__file_type { - type: number - sql: 
${TABLE}.item.about.process.file.file_type ;; - group_label: "Item About Process File" - group_item_label: "File Type" - } - - dimension: item__about__process__file__full_path { - type: string - sql: ${TABLE}.item.about.process.file.full_path ;; - group_label: "Item About Process File" - group_item_label: "Full Path" - } - - dimension: item__about__process__file__md5 { - type: string - sql: ${TABLE}.item.about.process.file.md5 ;; - group_label: "Item About Process File" - group_item_label: "Md5" - } - - dimension: item__about__process__file__mime_type { - type: string - sql: ${TABLE}.item.about.process.file.mime_type ;; - group_label: "Item About Process File" - group_item_label: "Mime Type" - } - - dimension: item__about__process__file__names__list { - hidden: yes - sql: ${TABLE}.item.about.process.file.names.list ;; - group_label: "Item About Process File Names" - group_item_label: "List" - } - - dimension: item__about__process__file__pe_file__compilation_exiftool_time { - type: string - sql: ${TABLE}.item.about.process.file.pe_file.compilation_exiftool_time ;; - group_label: "Item About Process File Pe File" - group_item_label: "Compilation Exiftool Time" - } - - dimension: item__about__process__file__pe_file__compilation_time { - type: string - sql: ${TABLE}.item.about.process.file.pe_file.compilation_time ;; - group_label: "Item About Process File Pe File" - group_item_label: "Compilation Time" - } - - dimension: item__about__process__file__pe_file__entry_point { - type: number - sql: ${TABLE}.item.about.process.file.pe_file.entry_point ;; - group_label: "Item About Process File Pe File" - group_item_label: "Entry Point" - } - - dimension: item__about__process__file__pe_file__entry_point_exiftool { - type: number - sql: ${TABLE}.item.about.process.file.pe_file.entry_point_exiftool ;; - group_label: "Item About Process File Pe File" - group_item_label: "Entry Point Exiftool" - } - - dimension: item__about__process__file__pe_file__imphash { - type: string - sql: 
${TABLE}.item.about.process.file.pe_file.imphash ;; - group_label: "Item About Process File Pe File" - group_item_label: "Imphash" - } - - dimension: item__about__process__file__pe_file__imports__list { - hidden: yes - sql: ${TABLE}.item.about.process.file.pe_file.imports.list ;; - group_label: "Item About Process File Pe File Imports" - group_item_label: "List" - } - - dimension: item__about__process__file__pe_file__resource__list { - hidden: yes - sql: ${TABLE}.item.about.process.file.pe_file.resource.list ;; - group_label: "Item About Process File Pe File Resource" - group_item_label: "List" - } - - dimension: item__about__process__file__pe_file__resources_language_count__list { - hidden: yes - sql: ${TABLE}.item.about.process.file.pe_file.resources_language_count.list ;; - group_label: "Item About Process File Pe File Resources Language Count" - group_item_label: "List" - } - - dimension: item__about__process__file__pe_file__resources_type_count__list { - hidden: yes - sql: ${TABLE}.item.about.process.file.pe_file.resources_type_count.list ;; - group_label: "Item About Process File Pe File Resources Type Count" - group_item_label: "List" - } - - dimension: item__about__process__file__pe_file__section__list { - hidden: yes - sql: ${TABLE}.item.about.process.file.pe_file.section.list ;; - group_label: "Item About Process File Pe File Section" - group_item_label: "List" - } - - dimension: item__about__process__file__pe_file__signature_info__signer__list { - hidden: yes - sql: ${TABLE}.item.about.process.file.pe_file.signature_info.signer.list ;; - group_label: "Item About Process File Pe File Signature Info Signer" - group_item_label: "List" - } - - dimension: item__about__process__file__pe_file__signature_info__verification_message { - type: string - sql: ${TABLE}.item.about.process.file.pe_file.signature_info.verification_message ;; - group_label: "Item About Process File Pe File Signature Info" - group_item_label: "Verification Message" - } - - dimension: 
item__about__process__file__pe_file__signature_info__verified { - type: yesno - sql: ${TABLE}.item.about.process.file.pe_file.signature_info.verified ;; - group_label: "Item About Process File Pe File Signature Info" - group_item_label: "Verified" - } - - dimension: item__about__process__file__sha1 { - type: string - sql: ${TABLE}.item.about.process.file.sha1 ;; - group_label: "Item About Process File" - group_item_label: "Sha1" - } - - dimension: item__about__process__file__sha256 { - type: string - sql: ${TABLE}.item.about.process.file.sha256 ;; - group_label: "Item About Process File" - group_item_label: "Sha256" - } - - dimension: item__about__process__file__size { - type: number - sql: ${TABLE}.item.about.process.file.size ;; - group_label: "Item About Process File" - group_item_label: "Size" - } - - dimension: item__about__process__file__ssdeep { - type: string - sql: ${TABLE}.item.about.process.file.ssdeep ;; - group_label: "Item About Process File" - group_item_label: "Ssdeep" - } - - dimension: item__about__process__file__vhash { - type: string - sql: ${TABLE}.item.about.process.file.vhash ;; - group_label: "Item About Process File" - group_item_label: "Vhash" - } - - dimension: item__about__process__pid { - type: string - sql: ${TABLE}.item.about.process.pid ;; - group_label: "Item About Process" - group_item_label: "Pid" - } - - dimension: item__about__process__product_specific_process_id { - type: string - sql: ${TABLE}.item.about.process.product_specific_process_id ;; - group_label: "Item About Process" - group_item_label: "Product Specific Process ID" - } - - dimension: item__about__process_ancestors__list { - hidden: yes - sql: ${TABLE}.item.about.process_ancestors.list ;; - group_label: "Item About Process Ancestors" - group_item_label: "List" - } - - dimension: item__about__registry__registry_key { - type: string - sql: ${TABLE}.item.about.registry.registry_key ;; - group_label: "Item About Registry" - group_item_label: "Registry Key" - } - - 
dimension: item__about__registry__registry_value_data { - type: string - sql: ${TABLE}.item.about.registry.registry_value_data ;; - group_label: "Item About Registry" - group_item_label: "Registry Value Data" - } - - dimension: item__about__registry__registry_value_name { - type: string - sql: ${TABLE}.item.about.registry.registry_value_name ;; - group_label: "Item About Registry" - group_item_label: "Registry Value Name" - } - - dimension: item__about__resource__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.item.about.resource.attribute.cloud.availability_zone ;; - group_label: "Item About Resource Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: item__about__resource__attribute__cloud__environment { - type: number - sql: ${TABLE}.item.about.resource.attribute.cloud.environment ;; - group_label: "Item About Resource Attribute Cloud" - group_item_label: "Environment" - } - - dimension: item__about__resource__attribute__creation_time { - type: string - sql: ${TABLE}.item.about.resource.attribute.creation_time ;; - group_label: "Item About Resource Attribute" - group_item_label: "Creation Time" - } - - dimension: item__about__resource__attribute__labels__list { - hidden: yes - sql: ${TABLE}.item.about.resource.attribute.labels.list ;; - group_label: "Item About Resource Attribute Labels" - group_item_label: "List" - } - - dimension: item__about__resource__attribute__last_update_time { - type: string - sql: ${TABLE}.item.about.resource.attribute.last_update_time ;; - group_label: "Item About Resource Attribute" - group_item_label: "Last Update Time" - } - - dimension: item__about__resource__attribute__permissions__list { - hidden: yes - sql: ${TABLE}.item.about.resource.attribute.permissions.list ;; - group_label: "Item About Resource Attribute Permissions" - group_item_label: "List" - } - - dimension: item__about__resource__attribute__roles__list { - hidden: yes - sql: ${TABLE}.item.about.resource.attribute.roles.list 
;; - group_label: "Item About Resource Attribute Roles" - group_item_label: "List" - } - - dimension: item__about__resource__name { - type: string - sql: ${TABLE}.item.about.resource.name ;; - group_label: "Item About Resource" - group_item_label: "Name" - } - - dimension: item__about__resource__product_object_id { - type: string - sql: ${TABLE}.item.about.resource.product_object_id ;; - group_label: "Item About Resource" - group_item_label: "Product Object ID" - } - - dimension: item__about__resource__resource_subtype { - type: string - sql: ${TABLE}.item.about.resource.resource_subtype ;; - group_label: "Item About Resource" - group_item_label: "Resource Subtype" - } - - dimension: item__about__resource__resource_type { - type: number - sql: ${TABLE}.item.about.resource.resource_type ;; - group_label: "Item About Resource" - group_item_label: "Resource Type" - } - - dimension: item__about__resource_ancestors__list { - hidden: yes - sql: ${TABLE}.item.about.resource_ancestors.list ;; - group_label: "Item About Resource Ancestors" - group_item_label: "List" - } - - dimension: item__about__url { - type: string - sql: ${TABLE}.item.about.url ;; - group_label: "Item About" - group_item_label: "URL" - } - - dimension: item__about__user__account_type { - type: number - sql: ${TABLE}.item.about.user.account_type ;; - group_label: "Item About User" - group_item_label: "Account Type" - } - - dimension: item__about__user__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.item.about.user.attribute.cloud.availability_zone ;; - group_label: "Item About User Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: item__about__user__attribute__cloud__environment { - type: number - sql: ${TABLE}.item.about.user.attribute.cloud.environment ;; - group_label: "Item About User Attribute Cloud" - group_item_label: "Environment" - } - - dimension: item__about__user__attribute__creation_time { - type: string - sql: 
${TABLE}.item.about.user.attribute.creation_time ;; - group_label: "Item About User Attribute" - group_item_label: "Creation Time" - } - - dimension: item__about__user__attribute__labels__list { - hidden: yes - sql: ${TABLE}.item.about.user.attribute.labels.list ;; - group_label: "Item About User Attribute Labels" - group_item_label: "List" - } - - dimension: item__about__user__attribute__last_update_time { - type: string - sql: ${TABLE}.item.about.user.attribute.last_update_time ;; - group_label: "Item About User Attribute" - group_item_label: "Last Update Time" - } - - dimension: item__about__user__attribute__permissions__list { - hidden: yes - sql: ${TABLE}.item.about.user.attribute.permissions.list ;; - group_label: "Item About User Attribute Permissions" - group_item_label: "List" - } - - dimension: item__about__user__attribute__roles__list { - hidden: yes - sql: ${TABLE}.item.about.user.attribute.roles.list ;; - group_label: "Item About User Attribute Roles" - group_item_label: "List" - } - - dimension: item__about__user__company_name { - type: string - sql: ${TABLE}.item.about.user.company_name ;; - group_label: "Item About User" - group_item_label: "Company Name" - } - - dimension: item__about__user__department__list { - hidden: yes - sql: ${TABLE}.item.about.user.department.list ;; - group_label: "Item About User Department" - group_item_label: "List" - } - - dimension: item__about__user__email_addresses__list { - hidden: yes - sql: ${TABLE}.item.about.user.email_addresses.list ;; - group_label: "Item About User Email Addresses" - group_item_label: "List" - } - - dimension: item__about__user__employee_id { - type: string - sql: ${TABLE}.item.about.user.employee_id ;; - group_label: "Item About User" - group_item_label: "Employee ID" - } - - dimension: item__about__user__first_name { - type: string - sql: ${TABLE}.item.about.user.first_name ;; - group_label: "Item About User" - group_item_label: "First Name" - } - - dimension: 
item__about__user__group_identifiers__list { - hidden: yes - sql: ${TABLE}.item.about.user.group_identifiers.list ;; - group_label: "Item About User Group Identifiers" - group_item_label: "List" - } - - dimension: item__about__user__hire_date { - type: string - sql: ${TABLE}.item.about.user.hire_date ;; - group_label: "Item About User" - group_item_label: "Hire Date" - } - - dimension: item__about__user__last_name { - type: string - sql: ${TABLE}.item.about.user.last_name ;; - group_label: "Item About User" - group_item_label: "Last Name" - } - - dimension: item__about__user__middle_name { - type: string - sql: ${TABLE}.item.about.user.middle_name ;; - group_label: "Item About User" - group_item_label: "Middle Name" - } - - dimension: item__about__user__office_address__city { - type: string - sql: ${TABLE}.item.about.user.office_address.city ;; - group_label: "Item About User Office Address" - group_item_label: "City" - } - - dimension: item__about__user__office_address__country_or_region { - type: string - sql: ${TABLE}.item.about.user.office_address.country_or_region ;; - group_label: "Item About User Office Address" - group_item_label: "Country or Region" - } - - dimension: item__about__user__office_address__desk_name { - type: string - sql: ${TABLE}.item.about.user.office_address.desk_name ;; - group_label: "Item About User Office Address" - group_item_label: "Desk Name" - } - - dimension: item__about__user__office_address__floor_name { - type: string - sql: ${TABLE}.item.about.user.office_address.floor_name ;; - group_label: "Item About User Office Address" - group_item_label: "Floor Name" - } - - dimension: item__about__user__office_address__name { - type: string - sql: ${TABLE}.item.about.user.office_address.name ;; - group_label: "Item About User Office Address" - group_item_label: "Name" - } - - dimension: item__about__user__office_address__region_latitude { - type: number - sql: ${TABLE}.item.about.user.office_address.region_latitude ;; - group_label: 
"Item About User Office Address" - group_item_label: "Region Latitude" - } - - dimension: item__about__user__office_address__region_longitude { - type: number - sql: ${TABLE}.item.about.user.office_address.region_longitude ;; - group_label: "Item About User Office Address" - group_item_label: "Region Longitude" - } - - dimension: item__about__user__office_address__state { - type: string - sql: ${TABLE}.item.about.user.office_address.state ;; - group_label: "Item About User Office Address" - group_item_label: "State" - } - - dimension: item__about__user__personal_address__city { - type: string - sql: ${TABLE}.item.about.user.personal_address.city ;; - group_label: "Item About User Personal Address" - group_item_label: "City" - } - - dimension: item__about__user__personal_address__country_or_region { - type: string - sql: ${TABLE}.item.about.user.personal_address.country_or_region ;; - group_label: "Item About User Personal Address" - group_item_label: "Country or Region" - } - - dimension: item__about__user__personal_address__desk_name { - type: string - sql: ${TABLE}.item.about.user.personal_address.desk_name ;; - group_label: "Item About User Personal Address" - group_item_label: "Desk Name" - } - - dimension: item__about__user__personal_address__floor_name { - type: string - sql: ${TABLE}.item.about.user.personal_address.floor_name ;; - group_label: "Item About User Personal Address" - group_item_label: "Floor Name" - } - - dimension: item__about__user__personal_address__name { - type: string - sql: ${TABLE}.item.about.user.personal_address.name ;; - group_label: "Item About User Personal Address" - group_item_label: "Name" - } - - dimension: item__about__user__personal_address__region_latitude { - type: number - sql: ${TABLE}.item.about.user.personal_address.region_latitude ;; - group_label: "Item About User Personal Address" - group_item_label: "Region Latitude" - } - - dimension: item__about__user__personal_address__region_longitude { - type: number - sql: 
${TABLE}.item.about.user.personal_address.region_longitude ;; - group_label: "Item About User Personal Address" - group_item_label: "Region Longitude" - } - - dimension: item__about__user__personal_address__state { - type: string - sql: ${TABLE}.item.about.user.personal_address.state ;; - group_label: "Item About User Personal Address" - group_item_label: "State" - } - - dimension: item__about__user__phone_numbers__list { - hidden: yes - sql: ${TABLE}.item.about.user.phone_numbers.list ;; - group_label: "Item About User Phone Numbers" - group_item_label: "List" - } - - dimension: item__about__user__product_object_id { - type: string - sql: ${TABLE}.item.about.user.product_object_id ;; - group_label: "Item About User" - group_item_label: "Product Object ID" - } - - dimension: item__about__user__termination_date { - type: string - sql: ${TABLE}.item.about.user.termination_date ;; - group_label: "Item About User" - group_item_label: "Termination Date" - } - - dimension: item__about__user__time_off__list { - hidden: yes - sql: ${TABLE}.item.about.user.time_off.list ;; - group_label: "Item About User Time Off" - group_item_label: "List" - } - - dimension: item__about__user__title { - type: string - sql: ${TABLE}.item.about.user.title ;; - group_label: "Item About User" - group_item_label: "Title" - } - - dimension: item__about__user__user_authentication_status { - type: number - sql: ${TABLE}.item.about.user.user_authentication_status ;; - group_label: "Item About User" - group_item_label: "User Authentication Status" - } - - dimension: item__about__user__user_display_name { - type: string - sql: ${TABLE}.item.about.user.user_display_name ;; - group_label: "Item About User" - group_item_label: "User Display Name" - } - - dimension: item__about__user__userid { - type: string - sql: ${TABLE}.item.about.user.userid ;; - group_label: "Item About User" - group_item_label: "Userid" - } - - dimension: item__about__user__windows_sid { - type: string - sql: 
${TABLE}.item.about.user.windows_sid ;; - group_label: "Item About User" - group_item_label: "Windows Sid" - } - - dimension: item__about__user_management_chain__list { - hidden: yes - sql: ${TABLE}.item.about.user_management_chain.list ;; - group_label: "Item About User Management Chain" - group_item_label: "List" - } - - dimension: item__action__list { - hidden: yes - sql: ${TABLE}.item.action.list ;; - group_label: "Item Action" - group_item_label: "List" - } - - dimension: item__action_details { - type: string - sql: ${TABLE}.item.action_details ;; - group_label: "Item" - group_item_label: "Action Details" - } - - dimension: item__alert_state { - type: number - sql: ${TABLE}.item.alert_state ;; - group_label: "Item" - group_item_label: "Alert State" - } - - dimension: item__category__list { - hidden: yes - sql: ${TABLE}.item.category.list ;; - group_label: "Item Category" - group_item_label: "List" - } - - dimension: item__category_details__list { - hidden: yes - sql: ${TABLE}.item.category_details.list ;; - group_label: "Item Category Details" - group_item_label: "List" - } - - dimension: item__confidence { - type: number - sql: ${TABLE}.item.confidence ;; - group_label: "Item" - group_item_label: "Confidence" - } - - dimension: item__confidence_details { - type: string - sql: ${TABLE}.item.confidence_details ;; - group_label: "Item" - group_item_label: "Confidence Details" - } - - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__detection_fields__list { - hidden: yes - sql: ${TABLE}.item.detection_fields.list ;; - group_label: "Item Detection Fields" - group_item_label: "List" - } - - dimension: item__outcomes__list { - hidden: yes - sql: ${TABLE}.item.outcomes.list ;; - group_label: "Item Outcomes" - group_item_label: "List" - } - - dimension: item__priority { - type: number - sql: ${TABLE}.item.priority ;; - group_label: "Item" - 
group_item_label: "Priority" - } - - dimension: item__priority_details { - type: string - sql: ${TABLE}.item.priority_details ;; - group_label: "Item" - group_item_label: "Priority Details" - } - - dimension: item__rule_author { - type: string - sql: ${TABLE}.item.rule_author ;; - group_label: "Item" - group_item_label: "Rule Author" - } - - dimension: item__rule_id { - type: string - sql: ${TABLE}.item.rule_id ;; - group_label: "Item" - group_item_label: "Rule ID" - } - - dimension: item__rule_labels__list { - hidden: yes - sql: ${TABLE}.item.rule_labels.list ;; - group_label: "Item Rule Labels" - group_item_label: "List" - } - - dimension: item__rule_name { - type: string - sql: ${TABLE}.item.rule_name ;; - group_label: "Item" - group_item_label: "Rule Name" - } - - dimension: item__rule_type { - type: string - sql: ${TABLE}.item.rule_type ;; - group_label: "Item" - group_item_label: "Rule Type" - } - - dimension: item__rule_version { - type: string - sql: ${TABLE}.item.rule_version ;; - group_label: "Item" - group_item_label: "Rule Version" - } - - dimension: item__severity { - type: number - sql: ${TABLE}.item.severity ;; - group_label: "Item" - group_item_label: "Severity" - } - - dimension: item__severity_details { - type: string - sql: ${TABLE}.item.severity_details ;; - group_label: "Item" - group_item_label: "Severity Details" - } - - dimension: item__summary { - type: string - sql: ${TABLE}.item.summary ;; - group_label: "Item" - group_item_label: "Summary" - } - - dimension: item__threat_feed_name { - type: string - sql: ${TABLE}.item.threat_feed_name ;; - group_label: "Item" - group_item_label: "Threat Feed Name" - } - - dimension: item__threat_id { - type: string - sql: ${TABLE}.item.threat_id ;; - group_label: "Item" - group_item_label: "Threat ID" - } - - dimension: item__threat_id_namespace { - type: number - value_format_name: id - sql: ${TABLE}.item.threat_id_namespace ;; - group_label: "Item" - group_item_label: "Threat ID Namespace" - } - - 
dimension: item__threat_name { - type: string - sql: ${TABLE}.item.threat_name ;; - group_label: "Item" - group_item_label: "Threat Name" - } - - dimension: item__threat_status { - type: number - sql: ${TABLE}.item.threat_status ;; - group_label: "Item" - group_item_label: "Threat Status" - } - - dimension: item__url_back_to_product { - type: string - sql: ${TABLE}.item.url_back_to_product ;; - group_label: "Item" - group_item_label: "URL Back to Product" - } -} - -view: udm_events_gcs__network__dns__answers__list { - dimension: item__binary_data { - type: string - sql: ${TABLE}.item.binary_data ;; - group_label: "Item" - group_item_label: "Binary Data" - } - - dimension: item__class { - type: number - sql: ${TABLE}.item.class ;; - group_label: "Item" - group_item_label: "Class" - } - - dimension: item__data { - type: string - sql: ${TABLE}.item.data ;; - group_label: "Item" - group_item_label: "Data" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__ttl { - type: number - sql: ${TABLE}.item.ttl ;; - group_label: "Item" - group_item_label: "Ttl" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__observer__user__department__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__src__user__email_addresses__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__about__list__item__asset__ip__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__principal__user__department__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__extensions__auth__mechanism__list { - dimension: item { - type: number - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__src__process_ancestors__list { - dimension: 
item__access_mask { - type: number - sql: ${TABLE}.item.access_mask ;; - group_label: "Item" - group_item_label: "Access Mask" - } - - dimension: item__command_line { - type: string - sql: ${TABLE}.item.command_line ;; - group_label: "Item" - group_item_label: "Command Line" - } - - dimension: item__command_line_history__list { - hidden: yes - sql: ${TABLE}.item.command_line_history.list ;; - group_label: "Item Command Line History" - group_item_label: "List" - } - - dimension: item__file__ahash { - type: string - sql: ${TABLE}.item.file.ahash ;; - group_label: "Item File" - group_item_label: "Ahash" - } - - dimension: item__file__capabilities_tags__list { - hidden: yes - sql: ${TABLE}.item.file.capabilities_tags.list ;; - group_label: "Item File Capabilities Tags" - group_item_label: "List" - } - - dimension: item__file__file_type { - type: number - sql: ${TABLE}.item.file.file_type ;; - group_label: "Item File" - group_item_label: "File Type" - } - - dimension: item__file__full_path { - type: string - sql: ${TABLE}.item.file.full_path ;; - group_label: "Item File" - group_item_label: "Full Path" - } - - dimension: item__file__md5 { - type: string - sql: ${TABLE}.item.file.md5 ;; - group_label: "Item File" - group_item_label: "Md5" - } - - dimension: item__file__mime_type { - type: string - sql: ${TABLE}.item.file.mime_type ;; - group_label: "Item File" - group_item_label: "Mime Type" - } - - dimension: item__file__names__list { - hidden: yes - sql: ${TABLE}.item.file.names.list ;; - group_label: "Item File Names" - group_item_label: "List" - } - - dimension: item__file__pe_file__compilation_exiftool_time { - type: string - sql: ${TABLE}.item.file.pe_file.compilation_exiftool_time ;; - group_label: "Item File Pe File" - group_item_label: "Compilation Exiftool Time" - } - - dimension: item__file__pe_file__compilation_time { - type: string - sql: ${TABLE}.item.file.pe_file.compilation_time ;; - group_label: "Item File Pe File" - group_item_label: "Compilation Time" 
- } - - dimension: item__file__pe_file__entry_point { - type: number - sql: ${TABLE}.item.file.pe_file.entry_point ;; - group_label: "Item File Pe File" - group_item_label: "Entry Point" - } - - dimension: item__file__pe_file__entry_point_exiftool { - type: number - sql: ${TABLE}.item.file.pe_file.entry_point_exiftool ;; - group_label: "Item File Pe File" - group_item_label: "Entry Point Exiftool" - } - - dimension: item__file__pe_file__imphash { - type: string - sql: ${TABLE}.item.file.pe_file.imphash ;; - group_label: "Item File Pe File" - group_item_label: "Imphash" - } - - dimension: item__file__pe_file__imports__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.imports.list ;; - group_label: "Item File Pe File Imports" - group_item_label: "List" - } - - dimension: item__file__pe_file__resource__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.resource.list ;; - group_label: "Item File Pe File Resource" - group_item_label: "List" - } - - dimension: item__file__pe_file__resources_language_count__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.resources_language_count.list ;; - group_label: "Item File Pe File Resources Language Count" - group_item_label: "List" - } - - dimension: item__file__pe_file__resources_type_count__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.resources_type_count.list ;; - group_label: "Item File Pe File Resources Type Count" - group_item_label: "List" - } - - dimension: item__file__pe_file__section__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.section.list ;; - group_label: "Item File Pe File Section" - group_item_label: "List" - } - - dimension: item__file__pe_file__signature_info__signer__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.signature_info.signer.list ;; - group_label: "Item File Pe File Signature Info Signer" - group_item_label: "List" - } - - dimension: item__file__pe_file__signature_info__verification_message { - type: string - sql: 
${TABLE}.item.file.pe_file.signature_info.verification_message ;; - group_label: "Item File Pe File Signature Info" - group_item_label: "Verification Message" - } - - dimension: item__file__pe_file__signature_info__verified { - type: yesno - sql: ${TABLE}.item.file.pe_file.signature_info.verified ;; - group_label: "Item File Pe File Signature Info" - group_item_label: "Verified" - } - - dimension: item__file__sha1 { - type: string - sql: ${TABLE}.item.file.sha1 ;; - group_label: "Item File" - group_item_label: "Sha1" - } - - dimension: item__file__sha256 { - type: string - sql: ${TABLE}.item.file.sha256 ;; - group_label: "Item File" - group_item_label: "Sha256" - } - - dimension: item__file__size { - type: number - sql: ${TABLE}.item.file.size ;; - group_label: "Item File" - group_item_label: "Size" - } - - dimension: item__file__ssdeep { - type: string - sql: ${TABLE}.item.file.ssdeep ;; - group_label: "Item File" - group_item_label: "Ssdeep" - } - - dimension: item__file__vhash { - type: string - sql: ${TABLE}.item.file.vhash ;; - group_label: "Item File" - group_item_label: "Vhash" - } - - dimension: item__pid { - type: string - sql: ${TABLE}.item.pid ;; - group_label: "Item" - group_item_label: "Pid" - } - - dimension: item__product_specific_process_id { - type: string - sql: ${TABLE}.item.product_specific_process_id ;; - group_label: "Item" - group_item_label: "Product Specific Process ID" - } -} - -view: udm_events_gcs__about__list__item__asset__mac__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__intermediary__list__item__ip__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__target__process__file__names__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__target__asset__hardware__list { - dimension: item__cpu_clock_speed { - type: number - sql: ${TABLE}.item.cpu_clock_speed ;; - group_label: "Item" - 
group_item_label: "CPU Clock Speed" - } - - dimension: item__cpu_max_clock_speed { - type: number - sql: ${TABLE}.item.cpu_max_clock_speed ;; - group_label: "Item" - group_item_label: "CPU Max Clock Speed" - } - - dimension: item__cpu_model { - type: string - sql: ${TABLE}.item.cpu_model ;; - group_label: "Item" - group_item_label: "CPU Model" - } - - dimension: item__cpu_number_cores { - type: number - sql: ${TABLE}.item.cpu_number_cores ;; - group_label: "Item" - group_item_label: "CPU Number Cores" - } - - dimension: item__cpu_platform { - type: string - sql: ${TABLE}.item.cpu_platform ;; - group_label: "Item" - group_item_label: "CPU Platform" - } - - dimension: item__manufacturer { - type: string - sql: ${TABLE}.item.manufacturer ;; - group_label: "Item" - group_item_label: "Manufacturer" - } - - dimension: item__model { - type: string - sql: ${TABLE}.item.model ;; - group_label: "Item" - group_item_label: "Model" - } - - dimension: item__ram { - type: number - sql: ${TABLE}.item.ram ;; - group_label: "Item" - group_item_label: "Ram" - } - - dimension: item__serial_number { - type: string - sql: ${TABLE}.item.serial_number ;; - group_label: "Item" - group_item_label: "Serial Number" - } -} - -view: udm_events_gcs__target__user__phone_numbers__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__network__dns__authority__list { - dimension: item__binary_data { - type: string - sql: ${TABLE}.item.binary_data ;; - group_label: "Item" - group_item_label: "Binary Data" - } - - dimension: item__class { - type: number - sql: ${TABLE}.item.class ;; - group_label: "Item" - group_item_label: "Class" - } - - dimension: item__data { - type: string - sql: ${TABLE}.item.data ;; - group_label: "Item" - group_item_label: "Data" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__ttl { - type: number - sql: ${TABLE}.item.ttl ;; - 
group_label: "Item" - group_item_label: "Ttl" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__network__dhcp__options__list { - dimension: item__code { - type: number - sql: ${TABLE}.item.code ;; - group_label: "Item" - group_item_label: "Code" - } - - dimension: item__data { - type: string - sql: ${TABLE}.item.data ;; - group_label: "Item" - group_item_label: "Data" - } -} - -view: udm_events_gcs__src__file__capabilities_tags__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__src__investigation__comments__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__src__user__group_identifiers__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__about__list__item__file__names__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__intermediary__list__item__mac__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__target__asset__software__list { - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__permissions__list { - hidden: yes - sql: ${TABLE}.item.permissions.list ;; - group_label: "Item Permissions" - group_item_label: "List" - } - - dimension: item__version { - type: string - sql: ${TABLE}.item.version ;; - group_label: "Item" - group_item_label: "Version" - } -} - -view: udm_events_gcs__network__dns__additional__list { - dimension: item__binary_data { - type: string - sql: ${TABLE}.item.binary_data ;; - group_label: "Item" - group_item_label: "Binary Data" - } - - dimension: item__class { - type: number - sql: ${TABLE}.item.class ;; - group_label: "Item" - group_item_label: "Class" - } - - dimension: item__data { - type: string - sql: 
${TABLE}.item.data ;; - group_label: "Item" - group_item_label: "Data" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__ttl { - type: number - sql: ${TABLE}.item.ttl ;; - group_label: "Item" - group_item_label: "Ttl" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__network__dns__questions__list { - dimension: item__class { - type: number - sql: ${TABLE}.item.class ;; - group_label: "Item" - group_item_label: "Class" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__prevalence__day_count { - type: number - sql: ${TABLE}.item.prevalence.day_count ;; - group_label: "Item Prevalence" - group_item_label: "Day Count" - } - - dimension: item__prevalence__rolling_max { - type: number - sql: ${TABLE}.item.prevalence.rolling_max ;; - group_label: "Item Prevalence" - group_item_label: "Rolling Max" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__observer__process__file__names__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__observer__asset__hardware__list { - dimension: item__cpu_clock_speed { - type: number - sql: ${TABLE}.item.cpu_clock_speed ;; - group_label: "Item" - group_item_label: "CPU Clock Speed" - } - - dimension: item__cpu_max_clock_speed { - type: number - sql: ${TABLE}.item.cpu_max_clock_speed ;; - group_label: "Item" - group_item_label: "CPU Max Clock Speed" - } - - dimension: item__cpu_model { - type: string - sql: ${TABLE}.item.cpu_model ;; - group_label: "Item" - group_item_label: "CPU Model" - } - - dimension: item__cpu_number_cores { - type: number - sql: ${TABLE}.item.cpu_number_cores ;; - 
group_label: "Item" - group_item_label: "CPU Number Cores" - } - - dimension: item__cpu_platform { - type: string - sql: ${TABLE}.item.cpu_platform ;; - group_label: "Item" - group_item_label: "CPU Platform" - } - - dimension: item__manufacturer { - type: string - sql: ${TABLE}.item.manufacturer ;; - group_label: "Item" - group_item_label: "Manufacturer" - } - - dimension: item__model { - type: string - sql: ${TABLE}.item.model ;; - group_label: "Item" - group_item_label: "Model" - } - - dimension: item__ram { - type: number - sql: ${TABLE}.item.ram ;; - group_label: "Item" - group_item_label: "Ram" - } - - dimension: item__serial_number { - type: string - sql: ${TABLE}.item.serial_number ;; - group_label: "Item" - group_item_label: "Serial Number" - } -} - -view: udm_events_gcs__observer__user__phone_numbers__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__src__group__email_addresses__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__src__resource_ancestors__list { - dimension: item__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.item.attribute.cloud.availability_zone ;; - group_label: "Item Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: item__attribute__cloud__environment { - type: number - sql: ${TABLE}.item.attribute.cloud.environment ;; - group_label: "Item Attribute Cloud" - group_item_label: "Environment" - } - - dimension: item__attribute__creation_time { - type: string - sql: ${TABLE}.item.attribute.creation_time ;; - group_label: "Item Attribute" - group_item_label: "Creation Time" - } - - dimension: item__attribute__labels__list { - hidden: yes - sql: ${TABLE}.item.attribute.labels.list ;; - group_label: "Item Attribute Labels" - group_item_label: "List" - } - - dimension: item__attribute__last_update_time { - type: string - sql: ${TABLE}.item.attribute.last_update_time ;; - group_label: "Item Attribute" - 
group_item_label: "Last Update Time" - } - - dimension: item__attribute__permissions__list { - hidden: yes - sql: ${TABLE}.item.attribute.permissions.list ;; - group_label: "Item Attribute Permissions" - group_item_label: "List" - } - - dimension: item__attribute__roles__list { - hidden: yes - sql: ${TABLE}.item.attribute.roles.list ;; - group_label: "Item Attribute Roles" - group_item_label: "List" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__product_object_id { - type: string - sql: ${TABLE}.item.product_object_id ;; - group_label: "Item" - group_item_label: "Product Object ID" - } - - dimension: item__resource_subtype { - type: string - sql: ${TABLE}.item.resource_subtype ;; - group_label: "Item" - group_item_label: "Resource Subtype" - } - - dimension: item__resource_type { - type: number - sql: ${TABLE}.item.resource_type ;; - group_label: "Item" - group_item_label: "Resource Type" - } -} - -view: udm_events_gcs__target__user__email_addresses__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__principal__process__file__names__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__principal__asset__hardware__list { - dimension: item__cpu_clock_speed { - type: number - sql: ${TABLE}.item.cpu_clock_speed ;; - group_label: "Item" - group_item_label: "CPU Clock Speed" - } - - dimension: item__cpu_max_clock_speed { - type: number - sql: ${TABLE}.item.cpu_max_clock_speed ;; - group_label: "Item" - group_item_label: "CPU Max Clock Speed" - } - - dimension: item__cpu_model { - type: string - sql: ${TABLE}.item.cpu_model ;; - group_label: "Item" - group_item_label: "CPU Model" - } - - dimension: item__cpu_number_cores { - type: number - sql: ${TABLE}.item.cpu_number_cores ;; - group_label: "Item" - group_item_label: "CPU Number Cores" - } - - dimension: item__cpu_platform { - 
type: string - sql: ${TABLE}.item.cpu_platform ;; - group_label: "Item" - group_item_label: "CPU Platform" - } - - dimension: item__manufacturer { - type: string - sql: ${TABLE}.item.manufacturer ;; - group_label: "Item" - group_item_label: "Manufacturer" - } - - dimension: item__model { - type: string - sql: ${TABLE}.item.model ;; - group_label: "Item" - group_item_label: "Model" - } - - dimension: item__ram { - type: number - sql: ${TABLE}.item.ram ;; - group_label: "Item" - group_item_label: "Ram" - } - - dimension: item__serial_number { - type: string - sql: ${TABLE}.item.serial_number ;; - group_label: "Item" - group_item_label: "Serial Number" - } -} - -view: udm_events_gcs__principal__user__phone_numbers__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__observer__asset__software__list { - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__permissions__list { - hidden: yes - sql: ${TABLE}.item.permissions.list ;; - group_label: "Item Permissions" - group_item_label: "List" - } - - dimension: item__version { - type: string - sql: ${TABLE}.item.version ;; - group_label: "Item" - group_item_label: "Version" - } -} - -view: udm_events_gcs__about__list__item__asset__nat_ip__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__target__process_ancestors__list { - dimension: item__access_mask { - type: number - sql: ${TABLE}.item.access_mask ;; - group_label: "Item" - group_item_label: "Access Mask" - } - - dimension: item__command_line { - type: string - sql: ${TABLE}.item.command_line ;; - group_label: "Item" - group_item_label: "Command Line" - } - - dimension: item__command_line_history__list { - hidden: yes - sql: ${TABLE}.item.command_line_history.list ;; - group_label: "Item Command Line History" - group_item_label: "List" - } - - dimension: item__file__ahash { - type: string - 
sql: ${TABLE}.item.file.ahash ;; - group_label: "Item File" - group_item_label: "Ahash" - } - - dimension: item__file__capabilities_tags__list { - hidden: yes - sql: ${TABLE}.item.file.capabilities_tags.list ;; - group_label: "Item File Capabilities Tags" - group_item_label: "List" - } - - dimension: item__file__file_type { - type: number - sql: ${TABLE}.item.file.file_type ;; - group_label: "Item File" - group_item_label: "File Type" - } - - dimension: item__file__full_path { - type: string - sql: ${TABLE}.item.file.full_path ;; - group_label: "Item File" - group_item_label: "Full Path" - } - - dimension: item__file__md5 { - type: string - sql: ${TABLE}.item.file.md5 ;; - group_label: "Item File" - group_item_label: "Md5" - } - - dimension: item__file__mime_type { - type: string - sql: ${TABLE}.item.file.mime_type ;; - group_label: "Item File" - group_item_label: "Mime Type" - } - - dimension: item__file__names__list { - hidden: yes - sql: ${TABLE}.item.file.names.list ;; - group_label: "Item File Names" - group_item_label: "List" - } - - dimension: item__file__pe_file__compilation_exiftool_time { - type: string - sql: ${TABLE}.item.file.pe_file.compilation_exiftool_time ;; - group_label: "Item File Pe File" - group_item_label: "Compilation Exiftool Time" - } - - dimension: item__file__pe_file__compilation_time { - type: string - sql: ${TABLE}.item.file.pe_file.compilation_time ;; - group_label: "Item File Pe File" - group_item_label: "Compilation Time" - } - - dimension: item__file__pe_file__entry_point { - type: number - sql: ${TABLE}.item.file.pe_file.entry_point ;; - group_label: "Item File Pe File" - group_item_label: "Entry Point" - } - - dimension: item__file__pe_file__entry_point_exiftool { - type: number - sql: ${TABLE}.item.file.pe_file.entry_point_exiftool ;; - group_label: "Item File Pe File" - group_item_label: "Entry Point Exiftool" - } - - dimension: item__file__pe_file__imphash { - type: string - sql: ${TABLE}.item.file.pe_file.imphash ;; - 
group_label: "Item File Pe File" - group_item_label: "Imphash" - } - - dimension: item__file__pe_file__imports__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.imports.list ;; - group_label: "Item File Pe File Imports" - group_item_label: "List" - } - - dimension: item__file__pe_file__resource__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.resource.list ;; - group_label: "Item File Pe File Resource" - group_item_label: "List" - } - - dimension: item__file__pe_file__resources_language_count__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.resources_language_count.list ;; - group_label: "Item File Pe File Resources Language Count" - group_item_label: "List" - } - - dimension: item__file__pe_file__resources_type_count__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.resources_type_count.list ;; - group_label: "Item File Pe File Resources Type Count" - group_item_label: "List" - } - - dimension: item__file__pe_file__section__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.section.list ;; - group_label: "Item File Pe File Section" - group_item_label: "List" - } - - dimension: item__file__pe_file__signature_info__signer__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.signature_info.signer.list ;; - group_label: "Item File Pe File Signature Info Signer" - group_item_label: "List" - } - - dimension: item__file__pe_file__signature_info__verification_message { - type: string - sql: ${TABLE}.item.file.pe_file.signature_info.verification_message ;; - group_label: "Item File Pe File Signature Info" - group_item_label: "Verification Message" - } - - dimension: item__file__pe_file__signature_info__verified { - type: yesno - sql: ${TABLE}.item.file.pe_file.signature_info.verified ;; - group_label: "Item File Pe File Signature Info" - group_item_label: "Verified" - } - - dimension: item__file__sha1 { - type: string - sql: ${TABLE}.item.file.sha1 ;; - group_label: "Item File" - group_item_label: "Sha1" - } - - dimension: 
item__file__sha256 { - type: string - sql: ${TABLE}.item.file.sha256 ;; - group_label: "Item File" - group_item_label: "Sha256" - } - - dimension: item__file__size { - type: number - sql: ${TABLE}.item.file.size ;; - group_label: "Item File" - group_item_label: "Size" - } - - dimension: item__file__ssdeep { - type: string - sql: ${TABLE}.item.file.ssdeep ;; - group_label: "Item File" - group_item_label: "Ssdeep" - } - - dimension: item__file__vhash { - type: string - sql: ${TABLE}.item.file.vhash ;; - group_label: "Item File" - group_item_label: "Vhash" - } - - dimension: item__pid { - type: string - sql: ${TABLE}.item.pid ;; - group_label: "Item" - group_item_label: "Pid" - } - - dimension: item__product_specific_process_id { - type: string - sql: ${TABLE}.item.product_specific_process_id ;; - group_label: "Item" - group_item_label: "Product Specific Process ID" - } -} - -view: udm_events_gcs__principal__asset__software__list { - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__permissions__list { - hidden: yes - sql: ${TABLE}.item.permissions.list ;; - group_label: "Item Permissions" - group_item_label: "List" - } - - dimension: item__version { - type: string - sql: ${TABLE}.item.version ;; - group_label: "Item" - group_item_label: "Version" - } -} - -view: udm_events_gcs__observer__user__email_addresses__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__metadata__ingestion_labels__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: string - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__src__file__pe_file__section__list { - dimension: item__entropy { - type: number - sql: ${TABLE}.item.entropy ;; - group_label: "Item" - group_item_label: "Entropy" - } 
- - dimension: item__md5_hex { - type: string - sql: ${TABLE}.item.md5_hex ;; - group_label: "Item" - group_item_label: "Md5 Hex" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__raw_size_bytes { - type: number - sql: ${TABLE}.item.raw_size_bytes ;; - group_label: "Item" - group_item_label: "Raw Size Bytes" - } - - dimension: item__virtual_size_bytes { - type: number - sql: ${TABLE}.item.virtual_size_bytes ;; - group_label: "Item" - group_item_label: "Virtual Size Bytes" - } -} - -view: udm_events_gcs__src__user__time_off__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__interval__end_time { - type: string - sql: ${TABLE}.item.`interval`.end_time ;; - group_label: "Item Interval" - group_item_label: "End Time" - } - - dimension: item__interval__start_time { - type: string - sql: ${TABLE}.item.`interval`.start_time ;; - group_label: "Item Interval" - group_item_label: "Start Time" - } -} - -view: udm_events_gcs__src__user__attribute__roles__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__src__user__attribute__labels__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: string - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__intermediary__list__item__nat_ip__list { - dimension: item { - type: string - 
sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__target__file__capabilities_tags__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__target__investigation__comments__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__target__user__group_identifiers__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__principal__user__email_addresses__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__observer__process_ancestors__list { - dimension: item__access_mask { - type: number - sql: ${TABLE}.item.access_mask ;; - group_label: "Item" - group_item_label: "Access Mask" - } - - dimension: item__command_line { - type: string - sql: ${TABLE}.item.command_line ;; - group_label: "Item" - group_item_label: "Command Line" - } - - dimension: item__command_line_history__list { - hidden: yes - sql: ${TABLE}.item.command_line_history.list ;; - group_label: "Item Command Line History" - group_item_label: "List" - } - - dimension: item__file__ahash { - type: string - sql: ${TABLE}.item.file.ahash ;; - group_label: "Item File" - group_item_label: "Ahash" - } - - dimension: item__file__capabilities_tags__list { - hidden: yes - sql: ${TABLE}.item.file.capabilities_tags.list ;; - group_label: "Item File Capabilities Tags" - group_item_label: "List" - } - - dimension: item__file__file_type { - type: number - sql: ${TABLE}.item.file.file_type ;; - group_label: "Item File" - group_item_label: "File Type" - } - - dimension: item__file__full_path { - type: string - sql: ${TABLE}.item.file.full_path ;; - group_label: "Item File" - group_item_label: "Full Path" - } - - dimension: item__file__md5 { - type: string - sql: ${TABLE}.item.file.md5 ;; - group_label: "Item File" - group_item_label: "Md5" - } - - dimension: item__file__mime_type { - type: string - sql: ${TABLE}.item.file.mime_type ;; - group_label: "Item 
File" - group_item_label: "Mime Type" - } - - dimension: item__file__names__list { - hidden: yes - sql: ${TABLE}.item.file.names.list ;; - group_label: "Item File Names" - group_item_label: "List" - } - - dimension: item__file__pe_file__compilation_exiftool_time { - type: string - sql: ${TABLE}.item.file.pe_file.compilation_exiftool_time ;; - group_label: "Item File Pe File" - group_item_label: "Compilation Exiftool Time" - } - - dimension: item__file__pe_file__compilation_time { - type: string - sql: ${TABLE}.item.file.pe_file.compilation_time ;; - group_label: "Item File Pe File" - group_item_label: "Compilation Time" - } - - dimension: item__file__pe_file__entry_point { - type: number - sql: ${TABLE}.item.file.pe_file.entry_point ;; - group_label: "Item File Pe File" - group_item_label: "Entry Point" - } - - dimension: item__file__pe_file__entry_point_exiftool { - type: number - sql: ${TABLE}.item.file.pe_file.entry_point_exiftool ;; - group_label: "Item File Pe File" - group_item_label: "Entry Point Exiftool" - } - - dimension: item__file__pe_file__imphash { - type: string - sql: ${TABLE}.item.file.pe_file.imphash ;; - group_label: "Item File Pe File" - group_item_label: "Imphash" - } - - dimension: item__file__pe_file__imports__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.imports.list ;; - group_label: "Item File Pe File Imports" - group_item_label: "List" - } - - dimension: item__file__pe_file__resource__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.resource.list ;; - group_label: "Item File Pe File Resource" - group_item_label: "List" - } - - dimension: item__file__pe_file__resources_language_count__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.resources_language_count.list ;; - group_label: "Item File Pe File Resources Language Count" - group_item_label: "List" - } - - dimension: item__file__pe_file__resources_type_count__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.resources_type_count.list ;; - group_label: "Item File 
Pe File Resources Type Count" - group_item_label: "List" - } - - dimension: item__file__pe_file__section__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.section.list ;; - group_label: "Item File Pe File Section" - group_item_label: "List" - } - - dimension: item__file__pe_file__signature_info__signer__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.signature_info.signer.list ;; - group_label: "Item File Pe File Signature Info Signer" - group_item_label: "List" - } - - dimension: item__file__pe_file__signature_info__verification_message { - type: string - sql: ${TABLE}.item.file.pe_file.signature_info.verification_message ;; - group_label: "Item File Pe File Signature Info" - group_item_label: "Verification Message" - } - - dimension: item__file__pe_file__signature_info__verified { - type: yesno - sql: ${TABLE}.item.file.pe_file.signature_info.verified ;; - group_label: "Item File Pe File Signature Info" - group_item_label: "Verified" - } - - dimension: item__file__sha1 { - type: string - sql: ${TABLE}.item.file.sha1 ;; - group_label: "Item File" - group_item_label: "Sha1" - } - - dimension: item__file__sha256 { - type: string - sql: ${TABLE}.item.file.sha256 ;; - group_label: "Item File" - group_item_label: "Sha256" - } - - dimension: item__file__size { - type: number - sql: ${TABLE}.item.file.size ;; - group_label: "Item File" - group_item_label: "Size" - } - - dimension: item__file__ssdeep { - type: string - sql: ${TABLE}.item.file.ssdeep ;; - group_label: "Item File" - group_item_label: "Ssdeep" - } - - dimension: item__file__vhash { - type: string - sql: ${TABLE}.item.file.vhash ;; - group_label: "Item File" - group_item_label: "Vhash" - } - - dimension: item__pid { - type: string - sql: ${TABLE}.item.pid ;; - group_label: "Item" - group_item_label: "Pid" - } - - dimension: item__product_specific_process_id { - type: string - sql: ${TABLE}.item.product_specific_process_id ;; - group_label: "Item" - group_item_label: "Product Specific Process ID" 
- } -} - -view: udm_events_gcs__src__asset__vulnerabilities__list { - dimension: item__cve_description { - type: string - sql: ${TABLE}.item.cve_description ;; - group_label: "Item" - group_item_label: "Cve Description" - } - - dimension: item__cve_id { - type: string - sql: ${TABLE}.item.cve_id ;; - group_label: "Item" - group_item_label: "Cve ID" - } - - dimension: item__cvss_base_score { - type: number - sql: ${TABLE}.item.cvss_base_score ;; - group_label: "Item" - group_item_label: "Cvss Base Score" - } - - dimension: item__cvss_vector { - type: string - sql: ${TABLE}.item.cvss_vector ;; - group_label: "Item" - group_item_label: "Cvss Vector" - } - - dimension: item__cvss_version { - type: string - sql: ${TABLE}.item.cvss_version ;; - group_label: "Item" - group_item_label: "Cvss Version" - } - - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__first_found { - type: string - sql: ${TABLE}.item.first_found ;; - group_label: "Item" - group_item_label: "First Found" - } - - dimension: item__last_found { - type: string - sql: ${TABLE}.item.last_found ;; - group_label: "Item" - group_item_label: "Last Found" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__scan_end_time { - type: string - sql: ${TABLE}.item.scan_end_time ;; - group_label: "Item" - group_item_label: "Scan End Time" - } - - dimension: item__scan_start_time { - type: string - sql: ${TABLE}.item.scan_start_time ;; - group_label: "Item" - group_item_label: "Scan Start Time" - } - - dimension: item__severity { - type: number - sql: ${TABLE}.item.severity ;; - group_label: "Item" - group_item_label: "Severity" - } - - dimension: item__severity_details { - type: string - sql: ${TABLE}.item.severity_details ;; - group_label: "Item" - group_item_label: "Severity Details" - } - - dimension: 
item__vendor { - type: string - sql: ${TABLE}.item.vendor ;; - group_label: "Item" - group_item_label: "Vendor" - } - - dimension: item__vendor_knowledge_base_article_id { - type: string - sql: ${TABLE}.item.vendor_knowledge_base_article_id ;; - group_label: "Item" - group_item_label: "Vendor Knowledge Base Article ID" - } - - dimension: item__vendor_vulnerability_id { - type: string - sql: ${TABLE}.item.vendor_vulnerability_id ;; - group_label: "Item" - group_item_label: "Vendor Vulnerability ID" - } -} - -view: udm_events_gcs__src__asset__attribute__roles__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__src__asset__attribute__labels__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: string - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__target__group__email_addresses__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__target__resource_ancestors__list { - dimension: item__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.item.attribute.cloud.availability_zone ;; - group_label: "Item Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: item__attribute__cloud__environment { - type: number - sql: ${TABLE}.item.attribute.cloud.environment ;; - group_label: "Item Attribute Cloud" - group_item_label: "Environment" - } - - dimension: item__attribute__creation_time { - type: string - sql: ${TABLE}.item.attribute.creation_time ;; - 
group_label: "Item Attribute" - group_item_label: "Creation Time" - } - - dimension: item__attribute__labels__list { - hidden: yes - sql: ${TABLE}.item.attribute.labels.list ;; - group_label: "Item Attribute Labels" - group_item_label: "List" - } - - dimension: item__attribute__last_update_time { - type: string - sql: ${TABLE}.item.attribute.last_update_time ;; - group_label: "Item Attribute" - group_item_label: "Last Update Time" - } - - dimension: item__attribute__permissions__list { - hidden: yes - sql: ${TABLE}.item.attribute.permissions.list ;; - group_label: "Item Attribute Permissions" - group_item_label: "List" - } - - dimension: item__attribute__roles__list { - hidden: yes - sql: ${TABLE}.item.attribute.roles.list ;; - group_label: "Item Attribute Roles" - group_item_label: "List" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__product_object_id { - type: string - sql: ${TABLE}.item.product_object_id ;; - group_label: "Item" - group_item_label: "Product Object ID" - } - - dimension: item__resource_subtype { - type: string - sql: ${TABLE}.item.resource_subtype ;; - group_label: "Item" - group_item_label: "Resource Subtype" - } - - dimension: item__resource_type { - type: number - sql: ${TABLE}.item.resource_type ;; - group_label: "Item" - group_item_label: "Resource Type" - } -} - -view: udm_events_gcs__principal__process_ancestors__list { - dimension: item__access_mask { - type: number - sql: ${TABLE}.item.access_mask ;; - group_label: "Item" - group_item_label: "Access Mask" - } - - dimension: item__command_line { - type: string - sql: ${TABLE}.item.command_line ;; - group_label: "Item" - group_item_label: "Command Line" - } - - dimension: item__command_line_history__list { - hidden: yes - sql: ${TABLE}.item.command_line_history.list ;; - group_label: "Item Command Line History" - group_item_label: "List" - } - - dimension: item__file__ahash { - type: 
string - sql: ${TABLE}.item.file.ahash ;; - group_label: "Item File" - group_item_label: "Ahash" - } - - dimension: item__file__capabilities_tags__list { - hidden: yes - sql: ${TABLE}.item.file.capabilities_tags.list ;; - group_label: "Item File Capabilities Tags" - group_item_label: "List" - } - - dimension: item__file__file_type { - type: number - sql: ${TABLE}.item.file.file_type ;; - group_label: "Item File" - group_item_label: "File Type" - } - - dimension: item__file__full_path { - type: string - sql: ${TABLE}.item.file.full_path ;; - group_label: "Item File" - group_item_label: "Full Path" - } - - dimension: item__file__md5 { - type: string - sql: ${TABLE}.item.file.md5 ;; - group_label: "Item File" - group_item_label: "Md5" - } - - dimension: item__file__mime_type { - type: string - sql: ${TABLE}.item.file.mime_type ;; - group_label: "Item File" - group_item_label: "Mime Type" - } - - dimension: item__file__names__list { - hidden: yes - sql: ${TABLE}.item.file.names.list ;; - group_label: "Item File Names" - group_item_label: "List" - } - - dimension: item__file__pe_file__compilation_exiftool_time { - type: string - sql: ${TABLE}.item.file.pe_file.compilation_exiftool_time ;; - group_label: "Item File Pe File" - group_item_label: "Compilation Exiftool Time" - } - - dimension: item__file__pe_file__compilation_time { - type: string - sql: ${TABLE}.item.file.pe_file.compilation_time ;; - group_label: "Item File Pe File" - group_item_label: "Compilation Time" - } - - dimension: item__file__pe_file__entry_point { - type: number - sql: ${TABLE}.item.file.pe_file.entry_point ;; - group_label: "Item File Pe File" - group_item_label: "Entry Point" - } - - dimension: item__file__pe_file__entry_point_exiftool { - type: number - sql: ${TABLE}.item.file.pe_file.entry_point_exiftool ;; - group_label: "Item File Pe File" - group_item_label: "Entry Point Exiftool" - } - - dimension: item__file__pe_file__imphash { - type: string - sql: ${TABLE}.item.file.pe_file.imphash ;; 
- group_label: "Item File Pe File" - group_item_label: "Imphash" - } - - dimension: item__file__pe_file__imports__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.imports.list ;; - group_label: "Item File Pe File Imports" - group_item_label: "List" - } - - dimension: item__file__pe_file__resource__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.resource.list ;; - group_label: "Item File Pe File Resource" - group_item_label: "List" - } - - dimension: item__file__pe_file__resources_language_count__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.resources_language_count.list ;; - group_label: "Item File Pe File Resources Language Count" - group_item_label: "List" - } - - dimension: item__file__pe_file__resources_type_count__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.resources_type_count.list ;; - group_label: "Item File Pe File Resources Type Count" - group_item_label: "List" - } - - dimension: item__file__pe_file__section__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.section.list ;; - group_label: "Item File Pe File Section" - group_item_label: "List" - } - - dimension: item__file__pe_file__signature_info__signer__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.signature_info.signer.list ;; - group_label: "Item File Pe File Signature Info Signer" - group_item_label: "List" - } - - dimension: item__file__pe_file__signature_info__verification_message { - type: string - sql: ${TABLE}.item.file.pe_file.signature_info.verification_message ;; - group_label: "Item File Pe File Signature Info" - group_item_label: "Verification Message" - } - - dimension: item__file__pe_file__signature_info__verified { - type: yesno - sql: ${TABLE}.item.file.pe_file.signature_info.verified ;; - group_label: "Item File Pe File Signature Info" - group_item_label: "Verified" - } - - dimension: item__file__sha1 { - type: string - sql: ${TABLE}.item.file.sha1 ;; - group_label: "Item File" - group_item_label: "Sha1" - } - - dimension: 
item__file__sha256 { - type: string - sql: ${TABLE}.item.file.sha256 ;; - group_label: "Item File" - group_item_label: "Sha256" - } - - dimension: item__file__size { - type: number - sql: ${TABLE}.item.file.size ;; - group_label: "Item File" - group_item_label: "Size" - } - - dimension: item__file__ssdeep { - type: string - sql: ${TABLE}.item.file.ssdeep ;; - group_label: "Item File" - group_item_label: "Ssdeep" - } - - dimension: item__file__vhash { - type: string - sql: ${TABLE}.item.file.vhash ;; - group_label: "Item File" - group_item_label: "Vhash" - } - - dimension: item__pid { - type: string - sql: ${TABLE}.item.pid ;; - group_label: "Item" - group_item_label: "Pid" - } - - dimension: item__product_specific_process_id { - type: string - sql: ${TABLE}.item.product_specific_process_id ;; - group_label: "Item" - group_item_label: "Product Specific Process ID" - } -} - -view: udm_events_gcs__observer__file__capabilities_tags__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__observer__investigation__comments__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__observer__user__group_identifiers__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__src__user_management_chain__list { - dimension: item__account_type { - type: number - sql: ${TABLE}.item.account_type ;; - group_label: "Item" - group_item_label: "Account Type" - } - - dimension: item__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.item.attribute.cloud.availability_zone ;; - group_label: "Item Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: item__attribute__cloud__environment { - type: number - sql: ${TABLE}.item.attribute.cloud.environment ;; - group_label: "Item Attribute Cloud" - group_item_label: "Environment" - } - - dimension: item__attribute__creation_time { - type: string - sql: 
${TABLE}.item.attribute.creation_time ;; - group_label: "Item Attribute" - group_item_label: "Creation Time" - } - - dimension: item__attribute__labels__list { - hidden: yes - sql: ${TABLE}.item.attribute.labels.list ;; - group_label: "Item Attribute Labels" - group_item_label: "List" - } - - dimension: item__attribute__last_update_time { - type: string - sql: ${TABLE}.item.attribute.last_update_time ;; - group_label: "Item Attribute" - group_item_label: "Last Update Time" - } - - dimension: item__attribute__permissions__list { - hidden: yes - sql: ${TABLE}.item.attribute.permissions.list ;; - group_label: "Item Attribute Permissions" - group_item_label: "List" - } - - dimension: item__attribute__roles__list { - hidden: yes - sql: ${TABLE}.item.attribute.roles.list ;; - group_label: "Item Attribute Roles" - group_item_label: "List" - } - - dimension: item__company_name { - type: string - sql: ${TABLE}.item.company_name ;; - group_label: "Item" - group_item_label: "Company Name" - } - - dimension: item__department__list { - hidden: yes - sql: ${TABLE}.item.department.list ;; - group_label: "Item Department" - group_item_label: "List" - } - - dimension: item__email_addresses__list { - hidden: yes - sql: ${TABLE}.item.email_addresses.list ;; - group_label: "Item Email Addresses" - group_item_label: "List" - } - - dimension: item__employee_id { - type: string - sql: ${TABLE}.item.employee_id ;; - group_label: "Item" - group_item_label: "Employee ID" - } - - dimension: item__first_name { - type: string - sql: ${TABLE}.item.first_name ;; - group_label: "Item" - group_item_label: "First Name" - } - - dimension: item__group_identifiers__list { - hidden: yes - sql: ${TABLE}.item.group_identifiers.list ;; - group_label: "Item Group Identifiers" - group_item_label: "List" - } - - dimension: item__hire_date { - type: string - sql: ${TABLE}.item.hire_date ;; - group_label: "Item" - group_item_label: "Hire Date" - } - - dimension: item__last_name { - type: string - sql: 
${TABLE}.item.last_name ;; - group_label: "Item" - group_item_label: "Last Name" - } - - dimension: item__middle_name { - type: string - sql: ${TABLE}.item.middle_name ;; - group_label: "Item" - group_item_label: "Middle Name" - } - - dimension: item__office_address__city { - type: string - sql: ${TABLE}.item.office_address.city ;; - group_label: "Item Office Address" - group_item_label: "City" - } - - dimension: item__office_address__country_or_region { - type: string - sql: ${TABLE}.item.office_address.country_or_region ;; - group_label: "Item Office Address" - group_item_label: "Country or Region" - } - - dimension: item__office_address__desk_name { - type: string - sql: ${TABLE}.item.office_address.desk_name ;; - group_label: "Item Office Address" - group_item_label: "Desk Name" - } - - dimension: item__office_address__floor_name { - type: string - sql: ${TABLE}.item.office_address.floor_name ;; - group_label: "Item Office Address" - group_item_label: "Floor Name" - } - - dimension: item__office_address__name { - type: string - sql: ${TABLE}.item.office_address.name ;; - group_label: "Item Office Address" - group_item_label: "Name" - } - - dimension: item__office_address__region_latitude { - type: number - sql: ${TABLE}.item.office_address.region_latitude ;; - group_label: "Item Office Address" - group_item_label: "Region Latitude" - } - - dimension: item__office_address__region_longitude { - type: number - sql: ${TABLE}.item.office_address.region_longitude ;; - group_label: "Item Office Address" - group_item_label: "Region Longitude" - } - - dimension: item__office_address__state { - type: string - sql: ${TABLE}.item.office_address.state ;; - group_label: "Item Office Address" - group_item_label: "State" - } - - dimension: item__personal_address__city { - type: string - sql: ${TABLE}.item.personal_address.city ;; - group_label: "Item Personal Address" - group_item_label: "City" - } - - dimension: item__personal_address__country_or_region { - type: string - 
sql: ${TABLE}.item.personal_address.country_or_region ;; - group_label: "Item Personal Address" - group_item_label: "Country or Region" - } - - dimension: item__personal_address__desk_name { - type: string - sql: ${TABLE}.item.personal_address.desk_name ;; - group_label: "Item Personal Address" - group_item_label: "Desk Name" - } - - dimension: item__personal_address__floor_name { - type: string - sql: ${TABLE}.item.personal_address.floor_name ;; - group_label: "Item Personal Address" - group_item_label: "Floor Name" - } - - dimension: item__personal_address__name { - type: string - sql: ${TABLE}.item.personal_address.name ;; - group_label: "Item Personal Address" - group_item_label: "Name" - } - - dimension: item__personal_address__region_latitude { - type: number - sql: ${TABLE}.item.personal_address.region_latitude ;; - group_label: "Item Personal Address" - group_item_label: "Region Latitude" - } - - dimension: item__personal_address__region_longitude { - type: number - sql: ${TABLE}.item.personal_address.region_longitude ;; - group_label: "Item Personal Address" - group_item_label: "Region Longitude" - } - - dimension: item__personal_address__state { - type: string - sql: ${TABLE}.item.personal_address.state ;; - group_label: "Item Personal Address" - group_item_label: "State" - } - - dimension: item__phone_numbers__list { - hidden: yes - sql: ${TABLE}.item.phone_numbers.list ;; - group_label: "Item Phone Numbers" - group_item_label: "List" - } - - dimension: item__product_object_id { - type: string - sql: ${TABLE}.item.product_object_id ;; - group_label: "Item" - group_item_label: "Product Object ID" - } - - dimension: item__termination_date { - type: string - sql: ${TABLE}.item.termination_date ;; - group_label: "Item" - group_item_label: "Termination Date" - } - - dimension: item__time_off__list { - hidden: yes - sql: ${TABLE}.item.time_off.list ;; - group_label: "Item Time Off" - group_item_label: "List" - } - - dimension: item__title { - type: string - 
sql: ${TABLE}.item.title ;; - group_label: "Item" - group_item_label: "Title" - } - - dimension: item__user_authentication_status { - type: number - sql: ${TABLE}.item.user_authentication_status ;; - group_label: "Item" - group_item_label: "User Authentication Status" - } - - dimension: item__user_display_name { - type: string - sql: ${TABLE}.item.user_display_name ;; - group_label: "Item" - group_item_label: "User Display Name" - } - - dimension: item__userid { - type: string - sql: ${TABLE}.item.userid ;; - group_label: "Item" - group_item_label: "Userid" - } - - dimension: item__windows_sid { - type: string - sql: ${TABLE}.item.windows_sid ;; - group_label: "Item" - group_item_label: "Windows Sid" - } -} - -view: udm_events_gcs__about__list__item__user__department__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__intermediary__list__item__asset__ip__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__principal__file__capabilities_tags__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__principal__investigation__comments__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__principal__user__group_identifiers__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__observer__group__email_addresses__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__observer__resource_ancestors__list { - dimension: item__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.item.attribute.cloud.availability_zone ;; - group_label: "Item Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: item__attribute__cloud__environment { - type: number - sql: ${TABLE}.item.attribute.cloud.environment ;; - group_label: "Item Attribute Cloud" - group_item_label: "Environment" - } - - 
dimension: item__attribute__creation_time { - type: string - sql: ${TABLE}.item.attribute.creation_time ;; - group_label: "Item Attribute" - group_item_label: "Creation Time" - } - - dimension: item__attribute__labels__list { - hidden: yes - sql: ${TABLE}.item.attribute.labels.list ;; - group_label: "Item Attribute Labels" - group_item_label: "List" - } - - dimension: item__attribute__last_update_time { - type: string - sql: ${TABLE}.item.attribute.last_update_time ;; - group_label: "Item Attribute" - group_item_label: "Last Update Time" - } - - dimension: item__attribute__permissions__list { - hidden: yes - sql: ${TABLE}.item.attribute.permissions.list ;; - group_label: "Item Attribute Permissions" - group_item_label: "List" - } - - dimension: item__attribute__roles__list { - hidden: yes - sql: ${TABLE}.item.attribute.roles.list ;; - group_label: "Item Attribute Roles" - group_item_label: "List" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__product_object_id { - type: string - sql: ${TABLE}.item.product_object_id ;; - group_label: "Item" - group_item_label: "Product Object ID" - } - - dimension: item__resource_subtype { - type: string - sql: ${TABLE}.item.resource_subtype ;; - group_label: "Item" - group_item_label: "Resource Subtype" - } - - dimension: item__resource_type { - type: number - sql: ${TABLE}.item.resource_type ;; - group_label: "Item" - group_item_label: "Resource Type" - } -} - -view: udm_events_gcs__src__file__pe_file__imports__list { - dimension: item__functions__list { - hidden: yes - sql: ${TABLE}.item.functions.list ;; - group_label: "Item Functions" - group_item_label: "List" - } - - dimension: item__library { - type: string - sql: ${TABLE}.item.library ;; - group_label: "Item" - group_item_label: "Library" - } -} - -view: udm_events_gcs__src__group__attribute__roles__list { - dimension: item__description { - type: string - sql: 
${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__src__group__attribute__labels__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: string - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__src__process__command_line_history__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__intermediary__list__item__asset__mac__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__security_result__list__item__action__list { - dimension: item { - type: number - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__target__file__pe_file__section__list { - dimension: item__entropy { - type: number - sql: ${TABLE}.item.entropy ;; - group_label: "Item" - group_item_label: "Entropy" - } - - dimension: item__md5_hex { - type: string - sql: ${TABLE}.item.md5_hex ;; - group_label: "Item" - group_item_label: "Md5 Hex" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__raw_size_bytes { - type: number - sql: ${TABLE}.item.raw_size_bytes ;; - group_label: "Item" - group_item_label: "Raw Size Bytes" - } - - dimension: item__virtual_size_bytes { - type: number - sql: ${TABLE}.item.virtual_size_bytes ;; - group_label: "Item" - group_item_label: "Virtual Size Bytes" - } -} - -view: udm_events_gcs__target__user__time_off__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: 
"Item" - group_item_label: "Description" - } - - dimension: item__interval__end_time { - type: string - sql: ${TABLE}.item.`interval`.end_time ;; - group_label: "Item Interval" - group_item_label: "End Time" - } - - dimension: item__interval__start_time { - type: string - sql: ${TABLE}.item.`interval`.start_time ;; - group_label: "Item Interval" - group_item_label: "Start Time" - } -} - -view: udm_events_gcs__target__user__attribute__roles__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__target__user__attribute__labels__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: string - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__principal__group__email_addresses__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__principal__resource_ancestors__list { - dimension: item__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.item.attribute.cloud.availability_zone ;; - group_label: "Item Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: item__attribute__cloud__environment { - type: number - sql: ${TABLE}.item.attribute.cloud.environment ;; - group_label: "Item Attribute Cloud" - group_item_label: "Environment" - } - - dimension: item__attribute__creation_time { - type: string - sql: ${TABLE}.item.attribute.creation_time ;; - group_label: "Item Attribute" - group_item_label: "Creation Time" - } - - dimension: item__attribute__labels__list { 
- hidden: yes - sql: ${TABLE}.item.attribute.labels.list ;; - group_label: "Item Attribute Labels" - group_item_label: "List" - } - - dimension: item__attribute__last_update_time { - type: string - sql: ${TABLE}.item.attribute.last_update_time ;; - group_label: "Item Attribute" - group_item_label: "Last Update Time" - } - - dimension: item__attribute__permissions__list { - hidden: yes - sql: ${TABLE}.item.attribute.permissions.list ;; - group_label: "Item Attribute Permissions" - group_item_label: "List" - } - - dimension: item__attribute__roles__list { - hidden: yes - sql: ${TABLE}.item.attribute.roles.list ;; - group_label: "Item Attribute Roles" - group_item_label: "List" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__product_object_id { - type: string - sql: ${TABLE}.item.product_object_id ;; - group_label: "Item" - group_item_label: "Product Object ID" - } - - dimension: item__resource_subtype { - type: string - sql: ${TABLE}.item.resource_subtype ;; - group_label: "Item" - group_item_label: "Resource Subtype" - } - - dimension: item__resource_type { - type: number - sql: ${TABLE}.item.resource_type ;; - group_label: "Item" - group_item_label: "Resource Type" - } -} - -view: udm_events_gcs__src__file__pe_file__resource__list { - dimension: item__entropy { - type: number - sql: ${TABLE}.item.entropy ;; - group_label: "Item" - group_item_label: "Entropy" - } - - dimension: item__filetype_magic { - type: string - sql: ${TABLE}.item.filetype_magic ;; - group_label: "Item" - group_item_label: "Filetype Magic" - } - - dimension: item__language_code { - type: string - sql: ${TABLE}.item.language_code ;; - group_label: "Item" - group_item_label: "Language Code" - } - - dimension: item__resource_type { - type: string - sql: ${TABLE}.item.resource_type ;; - group_label: "Item" - group_item_label: "Resource Type" - } - - dimension: item__sha256_hex { - type: string - 
sql: ${TABLE}.item.sha256_hex ;; - group_label: "Item" - group_item_label: "Sha256 Hex" - } -} - -view: udm_events_gcs__src__resource__attribute__roles__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__src__resource__attribute__labels__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: string - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__intermediary__list__item__file__names__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__target__asset__vulnerabilities__list { - dimension: item__cve_description { - type: string - sql: ${TABLE}.item.cve_description ;; - group_label: "Item" - group_item_label: "Cve Description" - } - - dimension: item__cve_id { - type: string - sql: ${TABLE}.item.cve_id ;; - group_label: "Item" - group_item_label: "Cve ID" - } - - dimension: item__cvss_base_score { - type: number - sql: ${TABLE}.item.cvss_base_score ;; - group_label: "Item" - group_item_label: "Cvss Base Score" - } - - dimension: item__cvss_vector { - type: string - sql: ${TABLE}.item.cvss_vector ;; - group_label: "Item" - group_item_label: "Cvss Vector" - } - - dimension: item__cvss_version { - type: string - sql: ${TABLE}.item.cvss_version ;; - group_label: "Item" - group_item_label: "Cvss Version" - } - - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__first_found { - 
type: string - sql: ${TABLE}.item.first_found ;; - group_label: "Item" - group_item_label: "First Found" - } - - dimension: item__last_found { - type: string - sql: ${TABLE}.item.last_found ;; - group_label: "Item" - group_item_label: "Last Found" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__scan_end_time { - type: string - sql: ${TABLE}.item.scan_end_time ;; - group_label: "Item" - group_item_label: "Scan End Time" - } - - dimension: item__scan_start_time { - type: string - sql: ${TABLE}.item.scan_start_time ;; - group_label: "Item" - group_item_label: "Scan Start Time" - } - - dimension: item__severity { - type: number - sql: ${TABLE}.item.severity ;; - group_label: "Item" - group_item_label: "Severity" - } - - dimension: item__severity_details { - type: string - sql: ${TABLE}.item.severity_details ;; - group_label: "Item" - group_item_label: "Severity Details" - } - - dimension: item__vendor { - type: string - sql: ${TABLE}.item.vendor ;; - group_label: "Item" - group_item_label: "Vendor" - } - - dimension: item__vendor_knowledge_base_article_id { - type: string - sql: ${TABLE}.item.vendor_knowledge_base_article_id ;; - group_label: "Item" - group_item_label: "Vendor Knowledge Base Article ID" - } - - dimension: item__vendor_vulnerability_id { - type: string - sql: ${TABLE}.item.vendor_vulnerability_id ;; - group_label: "Item" - group_item_label: "Vendor Vulnerability ID" - } -} - -view: udm_events_gcs__target__asset__attribute__roles__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: 
udm_events_gcs__target__asset__attribute__labels__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: string - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__observer__file__pe_file__section__list { - dimension: item__entropy { - type: number - sql: ${TABLE}.item.entropy ;; - group_label: "Item" - group_item_label: "Entropy" - } - - dimension: item__md5_hex { - type: string - sql: ${TABLE}.item.md5_hex ;; - group_label: "Item" - group_item_label: "Md5 Hex" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__raw_size_bytes { - type: number - sql: ${TABLE}.item.raw_size_bytes ;; - group_label: "Item" - group_item_label: "Raw Size Bytes" - } - - dimension: item__virtual_size_bytes { - type: number - sql: ${TABLE}.item.virtual_size_bytes ;; - group_label: "Item" - group_item_label: "Virtual Size Bytes" - } -} - -view: udm_events_gcs__observer__user__time_off__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__interval__end_time { - type: string - sql: ${TABLE}.item.`interval`.end_time ;; - group_label: "Item Interval" - group_item_label: "End Time" - } - - dimension: item__interval__start_time { - type: string - sql: ${TABLE}.item.`interval`.start_time ;; - group_label: "Item Interval" - group_item_label: "Start Time" - } -} - -view: udm_events_gcs__observer__user__attribute__roles__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - 
type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__observer__user__attribute__labels__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: string - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__src__process__file__capabilities_tags__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__about__list__item__process__file__names__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__about__list__item__asset__hardware__list { - dimension: item__cpu_clock_speed { - type: number - sql: ${TABLE}.item.cpu_clock_speed ;; - group_label: "Item" - group_item_label: "CPU Clock Speed" - } - - dimension: item__cpu_max_clock_speed { - type: number - sql: ${TABLE}.item.cpu_max_clock_speed ;; - group_label: "Item" - group_item_label: "CPU Max Clock Speed" - } - - dimension: item__cpu_model { - type: string - sql: ${TABLE}.item.cpu_model ;; - group_label: "Item" - group_item_label: "CPU Model" - } - - dimension: item__cpu_number_cores { - type: number - sql: ${TABLE}.item.cpu_number_cores ;; - group_label: "Item" - group_item_label: "CPU Number Cores" - } - - dimension: item__cpu_platform { - type: string - sql: ${TABLE}.item.cpu_platform ;; - group_label: "Item" - group_item_label: "CPU Platform" - } - - dimension: item__manufacturer { - type: string - sql: ${TABLE}.item.manufacturer ;; - group_label: "Item" - group_item_label: "Manufacturer" - } - - dimension: item__model { - type: string - sql: ${TABLE}.item.model ;; - group_label: "Item" - group_item_label: "Model" - } - - dimension: item__ram { - type: number - sql: ${TABLE}.item.ram ;; - group_label: "Item" - group_item_label: "Ram" - } - - dimension: item__serial_number { - type: string - sql: 
${TABLE}.item.serial_number ;; - group_label: "Item" - group_item_label: "Serial Number" - } -} - -view: udm_events_gcs__about__list__item__user__phone_numbers__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__security_result__list__item__about__ip__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__security_result__list__item__category__list { - dimension: item { - type: number - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__target__user_management_chain__list { - dimension: item__account_type { - type: number - sql: ${TABLE}.item.account_type ;; - group_label: "Item" - group_item_label: "Account Type" - } - - dimension: item__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.item.attribute.cloud.availability_zone ;; - group_label: "Item Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: item__attribute__cloud__environment { - type: number - sql: ${TABLE}.item.attribute.cloud.environment ;; - group_label: "Item Attribute Cloud" - group_item_label: "Environment" - } - - dimension: item__attribute__creation_time { - type: string - sql: ${TABLE}.item.attribute.creation_time ;; - group_label: "Item Attribute" - group_item_label: "Creation Time" - } - - dimension: item__attribute__labels__list { - hidden: yes - sql: ${TABLE}.item.attribute.labels.list ;; - group_label: "Item Attribute Labels" - group_item_label: "List" - } - - dimension: item__attribute__last_update_time { - type: string - sql: ${TABLE}.item.attribute.last_update_time ;; - group_label: "Item Attribute" - group_item_label: "Last Update Time" - } - - dimension: item__attribute__permissions__list { - hidden: yes - sql: ${TABLE}.item.attribute.permissions.list ;; - group_label: "Item Attribute Permissions" - group_item_label: "List" - } - - dimension: item__attribute__roles__list { - hidden: yes - sql: ${TABLE}.item.attribute.roles.list ;; - group_label: "Item 
Attribute Roles" - group_item_label: "List" - } - - dimension: item__company_name { - type: string - sql: ${TABLE}.item.company_name ;; - group_label: "Item" - group_item_label: "Company Name" - } - - dimension: item__department__list { - hidden: yes - sql: ${TABLE}.item.department.list ;; - group_label: "Item Department" - group_item_label: "List" - } - - dimension: item__email_addresses__list { - hidden: yes - sql: ${TABLE}.item.email_addresses.list ;; - group_label: "Item Email Addresses" - group_item_label: "List" - } - - dimension: item__employee_id { - type: string - sql: ${TABLE}.item.employee_id ;; - group_label: "Item" - group_item_label: "Employee ID" - } - - dimension: item__first_name { - type: string - sql: ${TABLE}.item.first_name ;; - group_label: "Item" - group_item_label: "First Name" - } - - dimension: item__group_identifiers__list { - hidden: yes - sql: ${TABLE}.item.group_identifiers.list ;; - group_label: "Item Group Identifiers" - group_item_label: "List" - } - - dimension: item__hire_date { - type: string - sql: ${TABLE}.item.hire_date ;; - group_label: "Item" - group_item_label: "Hire Date" - } - - dimension: item__last_name { - type: string - sql: ${TABLE}.item.last_name ;; - group_label: "Item" - group_item_label: "Last Name" - } - - dimension: item__middle_name { - type: string - sql: ${TABLE}.item.middle_name ;; - group_label: "Item" - group_item_label: "Middle Name" - } - - dimension: item__office_address__city { - type: string - sql: ${TABLE}.item.office_address.city ;; - group_label: "Item Office Address" - group_item_label: "City" - } - - dimension: item__office_address__country_or_region { - type: string - sql: ${TABLE}.item.office_address.country_or_region ;; - group_label: "Item Office Address" - group_item_label: "Country or Region" - } - - dimension: item__office_address__desk_name { - type: string - sql: ${TABLE}.item.office_address.desk_name ;; - group_label: "Item Office Address" - group_item_label: "Desk Name" - } - - 
dimension: item__office_address__floor_name { - type: string - sql: ${TABLE}.item.office_address.floor_name ;; - group_label: "Item Office Address" - group_item_label: "Floor Name" - } - - dimension: item__office_address__name { - type: string - sql: ${TABLE}.item.office_address.name ;; - group_label: "Item Office Address" - group_item_label: "Name" - } - - dimension: item__office_address__region_latitude { - type: number - sql: ${TABLE}.item.office_address.region_latitude ;; - group_label: "Item Office Address" - group_item_label: "Region Latitude" - } - - dimension: item__office_address__region_longitude { - type: number - sql: ${TABLE}.item.office_address.region_longitude ;; - group_label: "Item Office Address" - group_item_label: "Region Longitude" - } - - dimension: item__office_address__state { - type: string - sql: ${TABLE}.item.office_address.state ;; - group_label: "Item Office Address" - group_item_label: "State" - } - - dimension: item__personal_address__city { - type: string - sql: ${TABLE}.item.personal_address.city ;; - group_label: "Item Personal Address" - group_item_label: "City" - } - - dimension: item__personal_address__country_or_region { - type: string - sql: ${TABLE}.item.personal_address.country_or_region ;; - group_label: "Item Personal Address" - group_item_label: "Country or Region" - } - - dimension: item__personal_address__desk_name { - type: string - sql: ${TABLE}.item.personal_address.desk_name ;; - group_label: "Item Personal Address" - group_item_label: "Desk Name" - } - - dimension: item__personal_address__floor_name { - type: string - sql: ${TABLE}.item.personal_address.floor_name ;; - group_label: "Item Personal Address" - group_item_label: "Floor Name" - } - - dimension: item__personal_address__name { - type: string - sql: ${TABLE}.item.personal_address.name ;; - group_label: "Item Personal Address" - group_item_label: "Name" - } - - dimension: item__personal_address__region_latitude { - type: number - sql: 
${TABLE}.item.personal_address.region_latitude ;; - group_label: "Item Personal Address" - group_item_label: "Region Latitude" - } - - dimension: item__personal_address__region_longitude { - type: number - sql: ${TABLE}.item.personal_address.region_longitude ;; - group_label: "Item Personal Address" - group_item_label: "Region Longitude" - } - - dimension: item__personal_address__state { - type: string - sql: ${TABLE}.item.personal_address.state ;; - group_label: "Item Personal Address" - group_item_label: "State" - } - - dimension: item__phone_numbers__list { - hidden: yes - sql: ${TABLE}.item.phone_numbers.list ;; - group_label: "Item Phone Numbers" - group_item_label: "List" - } - - dimension: item__product_object_id { - type: string - sql: ${TABLE}.item.product_object_id ;; - group_label: "Item" - group_item_label: "Product Object ID" - } - - dimension: item__termination_date { - type: string - sql: ${TABLE}.item.termination_date ;; - group_label: "Item" - group_item_label: "Termination Date" - } - - dimension: item__time_off__list { - hidden: yes - sql: ${TABLE}.item.time_off.list ;; - group_label: "Item Time Off" - group_item_label: "List" - } - - dimension: item__title { - type: string - sql: ${TABLE}.item.title ;; - group_label: "Item" - group_item_label: "Title" - } - - dimension: item__user_authentication_status { - type: number - sql: ${TABLE}.item.user_authentication_status ;; - group_label: "Item" - group_item_label: "User Authentication Status" - } - - dimension: item__user_display_name { - type: string - sql: ${TABLE}.item.user_display_name ;; - group_label: "Item" - group_item_label: "User Display Name" - } - - dimension: item__userid { - type: string - sql: ${TABLE}.item.userid ;; - group_label: "Item" - group_item_label: "Userid" - } - - dimension: item__windows_sid { - type: string - sql: ${TABLE}.item.windows_sid ;; - group_label: "Item" - group_item_label: "Windows Sid" - } -} - -view: udm_events_gcs__principal__file__pe_file__section__list { - 
dimension: item__entropy { - type: number - sql: ${TABLE}.item.entropy ;; - group_label: "Item" - group_item_label: "Entropy" - } - - dimension: item__md5_hex { - type: string - sql: ${TABLE}.item.md5_hex ;; - group_label: "Item" - group_item_label: "Md5 Hex" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__raw_size_bytes { - type: number - sql: ${TABLE}.item.raw_size_bytes ;; - group_label: "Item" - group_item_label: "Raw Size Bytes" - } - - dimension: item__virtual_size_bytes { - type: number - sql: ${TABLE}.item.virtual_size_bytes ;; - group_label: "Item" - group_item_label: "Virtual Size Bytes" - } -} - -view: udm_events_gcs__principal__user__time_off__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__interval__end_time { - type: string - sql: ${TABLE}.item.`interval`.end_time ;; - group_label: "Item Interval" - group_item_label: "End Time" - } - - dimension: item__interval__start_time { - type: string - sql: ${TABLE}.item.`interval`.start_time ;; - group_label: "Item Interval" - group_item_label: "Start Time" - } -} - -view: udm_events_gcs__principal__user__attribute__roles__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__principal__user__attribute__labels__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: string - sql: ${TABLE}.item.value ;; - 
group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__observer__asset__vulnerabilities__list { - dimension: item__cve_description { - type: string - sql: ${TABLE}.item.cve_description ;; - group_label: "Item" - group_item_label: "Cve Description" - } - - dimension: item__cve_id { - type: string - sql: ${TABLE}.item.cve_id ;; - group_label: "Item" - group_item_label: "Cve ID" - } - - dimension: item__cvss_base_score { - type: number - sql: ${TABLE}.item.cvss_base_score ;; - group_label: "Item" - group_item_label: "Cvss Base Score" - } - - dimension: item__cvss_vector { - type: string - sql: ${TABLE}.item.cvss_vector ;; - group_label: "Item" - group_item_label: "Cvss Vector" - } - - dimension: item__cvss_version { - type: string - sql: ${TABLE}.item.cvss_version ;; - group_label: "Item" - group_item_label: "Cvss Version" - } - - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__first_found { - type: string - sql: ${TABLE}.item.first_found ;; - group_label: "Item" - group_item_label: "First Found" - } - - dimension: item__last_found { - type: string - sql: ${TABLE}.item.last_found ;; - group_label: "Item" - group_item_label: "Last Found" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__scan_end_time { - type: string - sql: ${TABLE}.item.scan_end_time ;; - group_label: "Item" - group_item_label: "Scan End Time" - } - - dimension: item__scan_start_time { - type: string - sql: ${TABLE}.item.scan_start_time ;; - group_label: "Item" - group_item_label: "Scan Start Time" - } - - dimension: item__severity { - type: number - sql: ${TABLE}.item.severity ;; - group_label: "Item" - group_item_label: "Severity" - } - - dimension: item__severity_details { - type: string - sql: ${TABLE}.item.severity_details ;; - group_label: "Item" - 
group_item_label: "Severity Details" - } - - dimension: item__vendor { - type: string - sql: ${TABLE}.item.vendor ;; - group_label: "Item" - group_item_label: "Vendor" - } - - dimension: item__vendor_knowledge_base_article_id { - type: string - sql: ${TABLE}.item.vendor_knowledge_base_article_id ;; - group_label: "Item" - group_item_label: "Vendor Knowledge Base Article ID" - } - - dimension: item__vendor_vulnerability_id { - type: string - sql: ${TABLE}.item.vendor_vulnerability_id ;; - group_label: "Item" - group_item_label: "Vendor Vulnerability ID" - } -} - -view: udm_events_gcs__observer__asset__attribute__roles__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__observer__asset__attribute__labels__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: string - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__src__user__attribute__permissions__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__about__list__item__asset__software__list { - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" 
- } - - dimension: item__permissions__list { - hidden: yes - sql: ${TABLE}.item.permissions.list ;; - group_label: "Item Permissions" - group_item_label: "List" - } - - dimension: item__version { - type: string - sql: ${TABLE}.item.version ;; - group_label: "Item" - group_item_label: "Version" - } -} - -view: udm_events_gcs__intermediary__list__item__asset__nat_ip__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__security_result__list__item__about__mac__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__target__file__pe_file__imports__list { - dimension: item__functions__list { - hidden: yes - sql: ${TABLE}.item.functions.list ;; - group_label: "Item Functions" - group_item_label: "List" - } - - dimension: item__library { - type: string - sql: ${TABLE}.item.library ;; - group_label: "Item" - group_item_label: "Library" - } -} - -view: udm_events_gcs__target__group__attribute__roles__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__target__group__attribute__labels__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: string - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__target__process__command_line_history__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__principal__asset__vulnerabilities__list { - dimension: item__cve_description { - type: string - sql: 
${TABLE}.item.cve_description ;; - group_label: "Item" - group_item_label: "Cve Description" - } - - dimension: item__cve_id { - type: string - sql: ${TABLE}.item.cve_id ;; - group_label: "Item" - group_item_label: "Cve ID" - } - - dimension: item__cvss_base_score { - type: number - sql: ${TABLE}.item.cvss_base_score ;; - group_label: "Item" - group_item_label: "Cvss Base Score" - } - - dimension: item__cvss_vector { - type: string - sql: ${TABLE}.item.cvss_vector ;; - group_label: "Item" - group_item_label: "Cvss Vector" - } - - dimension: item__cvss_version { - type: string - sql: ${TABLE}.item.cvss_version ;; - group_label: "Item" - group_item_label: "Cvss Version" - } - - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__first_found { - type: string - sql: ${TABLE}.item.first_found ;; - group_label: "Item" - group_item_label: "First Found" - } - - dimension: item__last_found { - type: string - sql: ${TABLE}.item.last_found ;; - group_label: "Item" - group_item_label: "Last Found" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__scan_end_time { - type: string - sql: ${TABLE}.item.scan_end_time ;; - group_label: "Item" - group_item_label: "Scan End Time" - } - - dimension: item__scan_start_time { - type: string - sql: ${TABLE}.item.scan_start_time ;; - group_label: "Item" - group_item_label: "Scan Start Time" - } - - dimension: item__severity { - type: number - sql: ${TABLE}.item.severity ;; - group_label: "Item" - group_item_label: "Severity" - } - - dimension: item__severity_details { - type: string - sql: ${TABLE}.item.severity_details ;; - group_label: "Item" - group_item_label: "Severity Details" - } - - dimension: item__vendor { - type: string - sql: ${TABLE}.item.vendor ;; - group_label: "Item" - group_item_label: "Vendor" - } - - dimension: 
item__vendor_knowledge_base_article_id { - type: string - sql: ${TABLE}.item.vendor_knowledge_base_article_id ;; - group_label: "Item" - group_item_label: "Vendor Knowledge Base Article ID" - } - - dimension: item__vendor_vulnerability_id { - type: string - sql: ${TABLE}.item.vendor_vulnerability_id ;; - group_label: "Item" - group_item_label: "Vendor Vulnerability ID" - } -} - -view: udm_events_gcs__principal__asset__attribute__roles__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__principal__asset__attribute__labels__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: string - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__observer__user_management_chain__list { - dimension: item__account_type { - type: number - sql: ${TABLE}.item.account_type ;; - group_label: "Item" - group_item_label: "Account Type" - } - - dimension: item__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.item.attribute.cloud.availability_zone ;; - group_label: "Item Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: item__attribute__cloud__environment { - type: number - sql: ${TABLE}.item.attribute.cloud.environment ;; - group_label: "Item Attribute Cloud" - group_item_label: "Environment" - } - - dimension: item__attribute__creation_time { - type: string - sql: ${TABLE}.item.attribute.creation_time ;; - group_label: "Item Attribute" - group_item_label: "Creation Time" - } - - dimension: 
item__attribute__labels__list { - hidden: yes - sql: ${TABLE}.item.attribute.labels.list ;; - group_label: "Item Attribute Labels" - group_item_label: "List" - } - - dimension: item__attribute__last_update_time { - type: string - sql: ${TABLE}.item.attribute.last_update_time ;; - group_label: "Item Attribute" - group_item_label: "Last Update Time" - } - - dimension: item__attribute__permissions__list { - hidden: yes - sql: ${TABLE}.item.attribute.permissions.list ;; - group_label: "Item Attribute Permissions" - group_item_label: "List" - } - - dimension: item__attribute__roles__list { - hidden: yes - sql: ${TABLE}.item.attribute.roles.list ;; - group_label: "Item Attribute Roles" - group_item_label: "List" - } - - dimension: item__company_name { - type: string - sql: ${TABLE}.item.company_name ;; - group_label: "Item" - group_item_label: "Company Name" - } - - dimension: item__department__list { - hidden: yes - sql: ${TABLE}.item.department.list ;; - group_label: "Item Department" - group_item_label: "List" - } - - dimension: item__email_addresses__list { - hidden: yes - sql: ${TABLE}.item.email_addresses.list ;; - group_label: "Item Email Addresses" - group_item_label: "List" - } - - dimension: item__employee_id { - type: string - sql: ${TABLE}.item.employee_id ;; - group_label: "Item" - group_item_label: "Employee ID" - } - - dimension: item__first_name { - type: string - sql: ${TABLE}.item.first_name ;; - group_label: "Item" - group_item_label: "First Name" - } - - dimension: item__group_identifiers__list { - hidden: yes - sql: ${TABLE}.item.group_identifiers.list ;; - group_label: "Item Group Identifiers" - group_item_label: "List" - } - - dimension: item__hire_date { - type: string - sql: ${TABLE}.item.hire_date ;; - group_label: "Item" - group_item_label: "Hire Date" - } - - dimension: item__last_name { - type: string - sql: ${TABLE}.item.last_name ;; - group_label: "Item" - group_item_label: "Last Name" - } - - dimension: item__middle_name { - type: string - 
sql: ${TABLE}.item.middle_name ;; - group_label: "Item" - group_item_label: "Middle Name" - } - - dimension: item__office_address__city { - type: string - sql: ${TABLE}.item.office_address.city ;; - group_label: "Item Office Address" - group_item_label: "City" - } - - dimension: item__office_address__country_or_region { - type: string - sql: ${TABLE}.item.office_address.country_or_region ;; - group_label: "Item Office Address" - group_item_label: "Country or Region" - } - - dimension: item__office_address__desk_name { - type: string - sql: ${TABLE}.item.office_address.desk_name ;; - group_label: "Item Office Address" - group_item_label: "Desk Name" - } - - dimension: item__office_address__floor_name { - type: string - sql: ${TABLE}.item.office_address.floor_name ;; - group_label: "Item Office Address" - group_item_label: "Floor Name" - } - - dimension: item__office_address__name { - type: string - sql: ${TABLE}.item.office_address.name ;; - group_label: "Item Office Address" - group_item_label: "Name" - } - - dimension: item__office_address__region_latitude { - type: number - sql: ${TABLE}.item.office_address.region_latitude ;; - group_label: "Item Office Address" - group_item_label: "Region Latitude" - } - - dimension: item__office_address__region_longitude { - type: number - sql: ${TABLE}.item.office_address.region_longitude ;; - group_label: "Item Office Address" - group_item_label: "Region Longitude" - } - - dimension: item__office_address__state { - type: string - sql: ${TABLE}.item.office_address.state ;; - group_label: "Item Office Address" - group_item_label: "State" - } - - dimension: item__personal_address__city { - type: string - sql: ${TABLE}.item.personal_address.city ;; - group_label: "Item Personal Address" - group_item_label: "City" - } - - dimension: item__personal_address__country_or_region { - type: string - sql: ${TABLE}.item.personal_address.country_or_region ;; - group_label: "Item Personal Address" - group_item_label: "Country or Region" - } 
- - dimension: item__personal_address__desk_name { - type: string - sql: ${TABLE}.item.personal_address.desk_name ;; - group_label: "Item Personal Address" - group_item_label: "Desk Name" - } - - dimension: item__personal_address__floor_name { - type: string - sql: ${TABLE}.item.personal_address.floor_name ;; - group_label: "Item Personal Address" - group_item_label: "Floor Name" - } - - dimension: item__personal_address__name { - type: string - sql: ${TABLE}.item.personal_address.name ;; - group_label: "Item Personal Address" - group_item_label: "Name" - } - - dimension: item__personal_address__region_latitude { - type: number - sql: ${TABLE}.item.personal_address.region_latitude ;; - group_label: "Item Personal Address" - group_item_label: "Region Latitude" - } - - dimension: item__personal_address__region_longitude { - type: number - sql: ${TABLE}.item.personal_address.region_longitude ;; - group_label: "Item Personal Address" - group_item_label: "Region Longitude" - } - - dimension: item__personal_address__state { - type: string - sql: ${TABLE}.item.personal_address.state ;; - group_label: "Item Personal Address" - group_item_label: "State" - } - - dimension: item__phone_numbers__list { - hidden: yes - sql: ${TABLE}.item.phone_numbers.list ;; - group_label: "Item Phone Numbers" - group_item_label: "List" - } - - dimension: item__product_object_id { - type: string - sql: ${TABLE}.item.product_object_id ;; - group_label: "Item" - group_item_label: "Product Object ID" - } - - dimension: item__termination_date { - type: string - sql: ${TABLE}.item.termination_date ;; - group_label: "Item" - group_item_label: "Termination Date" - } - - dimension: item__time_off__list { - hidden: yes - sql: ${TABLE}.item.time_off.list ;; - group_label: "Item Time Off" - group_item_label: "List" - } - - dimension: item__title { - type: string - sql: ${TABLE}.item.title ;; - group_label: "Item" - group_item_label: "Title" - } - - dimension: item__user_authentication_status { - type: 
number - sql: ${TABLE}.item.user_authentication_status ;; - group_label: "Item" - group_item_label: "User Authentication Status" - } - - dimension: item__user_display_name { - type: string - sql: ${TABLE}.item.user_display_name ;; - group_label: "Item" - group_item_label: "User Display Name" - } - - dimension: item__userid { - type: string - sql: ${TABLE}.item.userid ;; - group_label: "Item" - group_item_label: "Userid" - } - - dimension: item__windows_sid { - type: string - sql: ${TABLE}.item.windows_sid ;; - group_label: "Item" - group_item_label: "Windows Sid" - } -} - -view: udm_events_gcs__src__asset__attribute__permissions__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__about__list__item__user__email_addresses__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__target__file__pe_file__resource__list { - dimension: item__entropy { - type: number - sql: ${TABLE}.item.entropy ;; - group_label: "Item" - group_item_label: "Entropy" - } - - dimension: item__filetype_magic { - type: string - sql: ${TABLE}.item.filetype_magic ;; - group_label: "Item" - group_item_label: "Filetype Magic" - } - - dimension: item__language_code { - type: string - sql: ${TABLE}.item.language_code ;; - group_label: "Item" - group_item_label: "Language Code" - } - - dimension: item__resource_type { - type: string - sql: ${TABLE}.item.resource_type ;; - group_label: "Item" - group_item_label: "Resource Type" - } - - dimension: item__sha256_hex { - type: string - sql: ${TABLE}.item.sha256_hex ;; - group_label: "Item" - group_item_label: "Sha256 Hex" - } -} - -view: 
udm_events_gcs__target__resource__attribute__roles__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__target__resource__attribute__labels__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: string - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__network__tls__client__supported_ciphers__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__principal__user_management_chain__list { - dimension: item__account_type { - type: number - sql: ${TABLE}.item.account_type ;; - group_label: "Item" - group_item_label: "Account Type" - } - - dimension: item__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.item.attribute.cloud.availability_zone ;; - group_label: "Item Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: item__attribute__cloud__environment { - type: number - sql: ${TABLE}.item.attribute.cloud.environment ;; - group_label: "Item Attribute Cloud" - group_item_label: "Environment" - } - - dimension: item__attribute__creation_time { - type: string - sql: ${TABLE}.item.attribute.creation_time ;; - group_label: "Item Attribute" - group_item_label: "Creation Time" - } - - dimension: item__attribute__labels__list { - hidden: yes - sql: ${TABLE}.item.attribute.labels.list ;; - group_label: "Item Attribute Labels" - group_item_label: "List" - } - - dimension: item__attribute__last_update_time { - type: string - sql: 
${TABLE}.item.attribute.last_update_time ;; - group_label: "Item Attribute" - group_item_label: "Last Update Time" - } - - dimension: item__attribute__permissions__list { - hidden: yes - sql: ${TABLE}.item.attribute.permissions.list ;; - group_label: "Item Attribute Permissions" - group_item_label: "List" - } - - dimension: item__attribute__roles__list { - hidden: yes - sql: ${TABLE}.item.attribute.roles.list ;; - group_label: "Item Attribute Roles" - group_item_label: "List" - } - - dimension: item__company_name { - type: string - sql: ${TABLE}.item.company_name ;; - group_label: "Item" - group_item_label: "Company Name" - } - - dimension: item__department__list { - hidden: yes - sql: ${TABLE}.item.department.list ;; - group_label: "Item Department" - group_item_label: "List" - } - - dimension: item__email_addresses__list { - hidden: yes - sql: ${TABLE}.item.email_addresses.list ;; - group_label: "Item Email Addresses" - group_item_label: "List" - } - - dimension: item__employee_id { - type: string - sql: ${TABLE}.item.employee_id ;; - group_label: "Item" - group_item_label: "Employee ID" - } - - dimension: item__first_name { - type: string - sql: ${TABLE}.item.first_name ;; - group_label: "Item" - group_item_label: "First Name" - } - - dimension: item__group_identifiers__list { - hidden: yes - sql: ${TABLE}.item.group_identifiers.list ;; - group_label: "Item Group Identifiers" - group_item_label: "List" - } - - dimension: item__hire_date { - type: string - sql: ${TABLE}.item.hire_date ;; - group_label: "Item" - group_item_label: "Hire Date" - } - - dimension: item__last_name { - type: string - sql: ${TABLE}.item.last_name ;; - group_label: "Item" - group_item_label: "Last Name" - } - - dimension: item__middle_name { - type: string - sql: ${TABLE}.item.middle_name ;; - group_label: "Item" - group_item_label: "Middle Name" - } - - dimension: item__office_address__city { - type: string - sql: ${TABLE}.item.office_address.city ;; - group_label: "Item Office Address" 
- group_item_label: "City" - } - - dimension: item__office_address__country_or_region { - type: string - sql: ${TABLE}.item.office_address.country_or_region ;; - group_label: "Item Office Address" - group_item_label: "Country or Region" - } - - dimension: item__office_address__desk_name { - type: string - sql: ${TABLE}.item.office_address.desk_name ;; - group_label: "Item Office Address" - group_item_label: "Desk Name" - } - - dimension: item__office_address__floor_name { - type: string - sql: ${TABLE}.item.office_address.floor_name ;; - group_label: "Item Office Address" - group_item_label: "Floor Name" - } - - dimension: item__office_address__name { - type: string - sql: ${TABLE}.item.office_address.name ;; - group_label: "Item Office Address" - group_item_label: "Name" - } - - dimension: item__office_address__region_latitude { - type: number - sql: ${TABLE}.item.office_address.region_latitude ;; - group_label: "Item Office Address" - group_item_label: "Region Latitude" - } - - dimension: item__office_address__region_longitude { - type: number - sql: ${TABLE}.item.office_address.region_longitude ;; - group_label: "Item Office Address" - group_item_label: "Region Longitude" - } - - dimension: item__office_address__state { - type: string - sql: ${TABLE}.item.office_address.state ;; - group_label: "Item Office Address" - group_item_label: "State" - } - - dimension: item__personal_address__city { - type: string - sql: ${TABLE}.item.personal_address.city ;; - group_label: "Item Personal Address" - group_item_label: "City" - } - - dimension: item__personal_address__country_or_region { - type: string - sql: ${TABLE}.item.personal_address.country_or_region ;; - group_label: "Item Personal Address" - group_item_label: "Country or Region" - } - - dimension: item__personal_address__desk_name { - type: string - sql: ${TABLE}.item.personal_address.desk_name ;; - group_label: "Item Personal Address" - group_item_label: "Desk Name" - } - - dimension: 
item__personal_address__floor_name { - type: string - sql: ${TABLE}.item.personal_address.floor_name ;; - group_label: "Item Personal Address" - group_item_label: "Floor Name" - } - - dimension: item__personal_address__name { - type: string - sql: ${TABLE}.item.personal_address.name ;; - group_label: "Item Personal Address" - group_item_label: "Name" - } - - dimension: item__personal_address__region_latitude { - type: number - sql: ${TABLE}.item.personal_address.region_latitude ;; - group_label: "Item Personal Address" - group_item_label: "Region Latitude" - } - - dimension: item__personal_address__region_longitude { - type: number - sql: ${TABLE}.item.personal_address.region_longitude ;; - group_label: "Item Personal Address" - group_item_label: "Region Longitude" - } - - dimension: item__personal_address__state { - type: string - sql: ${TABLE}.item.personal_address.state ;; - group_label: "Item Personal Address" - group_item_label: "State" - } - - dimension: item__phone_numbers__list { - hidden: yes - sql: ${TABLE}.item.phone_numbers.list ;; - group_label: "Item Phone Numbers" - group_item_label: "List" - } - - dimension: item__product_object_id { - type: string - sql: ${TABLE}.item.product_object_id ;; - group_label: "Item" - group_item_label: "Product Object ID" - } - - dimension: item__termination_date { - type: string - sql: ${TABLE}.item.termination_date ;; - group_label: "Item" - group_item_label: "Termination Date" - } - - dimension: item__time_off__list { - hidden: yes - sql: ${TABLE}.item.time_off.list ;; - group_label: "Item Time Off" - group_item_label: "List" - } - - dimension: item__title { - type: string - sql: ${TABLE}.item.title ;; - group_label: "Item" - group_item_label: "Title" - } - - dimension: item__user_authentication_status { - type: number - sql: ${TABLE}.item.user_authentication_status ;; - group_label: "Item" - group_item_label: "User Authentication Status" - } - - dimension: item__user_display_name { - type: string - sql: 
${TABLE}.item.user_display_name ;; - group_label: "Item" - group_item_label: "User Display Name" - } - - dimension: item__userid { - type: string - sql: ${TABLE}.item.userid ;; - group_label: "Item" - group_item_label: "Userid" - } - - dimension: item__windows_sid { - type: string - sql: ${TABLE}.item.windows_sid ;; - group_label: "Item" - group_item_label: "Windows Sid" - } -} - -view: udm_events_gcs__observer__file__pe_file__imports__list { - dimension: item__functions__list { - hidden: yes - sql: ${TABLE}.item.functions.list ;; - group_label: "Item Functions" - group_item_label: "List" - } - - dimension: item__library { - type: string - sql: ${TABLE}.item.library ;; - group_label: "Item" - group_item_label: "Library" - } -} - -view: udm_events_gcs__observer__group__attribute__roles__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__observer__group__attribute__labels__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: string - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__observer__process__command_line_history__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__extensions__vulns__vulnerabilities__list { - dimension: item__cve_description { - type: string - sql: ${TABLE}.item.cve_description ;; - group_label: "Item" - group_item_label: "Cve Description" - } - - dimension: item__cve_id { - type: string - sql: ${TABLE}.item.cve_id ;; - group_label: "Item" - 
group_item_label: "Cve ID" - } - - dimension: item__cvss_base_score { - type: number - sql: ${TABLE}.item.cvss_base_score ;; - group_label: "Item" - group_item_label: "Cvss Base Score" - } - - dimension: item__cvss_vector { - type: string - sql: ${TABLE}.item.cvss_vector ;; - group_label: "Item" - group_item_label: "Cvss Vector" - } - - dimension: item__cvss_version { - type: string - sql: ${TABLE}.item.cvss_version ;; - group_label: "Item" - group_item_label: "Cvss Version" - } - - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__first_found { - type: string - sql: ${TABLE}.item.first_found ;; - group_label: "Item" - group_item_label: "First Found" - } - - dimension: item__last_found { - type: string - sql: ${TABLE}.item.last_found ;; - group_label: "Item" - group_item_label: "Last Found" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__scan_end_time { - type: string - sql: ${TABLE}.item.scan_end_time ;; - group_label: "Item" - group_item_label: "Scan End Time" - } - - dimension: item__scan_start_time { - type: string - sql: ${TABLE}.item.scan_start_time ;; - group_label: "Item" - group_item_label: "Scan Start Time" - } - - dimension: item__severity { - type: number - sql: ${TABLE}.item.severity ;; - group_label: "Item" - group_item_label: "Severity" - } - - dimension: item__severity_details { - type: string - sql: ${TABLE}.item.severity_details ;; - group_label: "Item" - group_item_label: "Severity Details" - } - - dimension: item__vendor { - type: string - sql: ${TABLE}.item.vendor ;; - group_label: "Item" - group_item_label: "Vendor" - } - - dimension: item__vendor_knowledge_base_article_id { - type: string - sql: ${TABLE}.item.vendor_knowledge_base_article_id ;; - group_label: "Item" - group_item_label: "Vendor Knowledge Base Article ID" - } - - 
dimension: item__vendor_vulnerability_id { - type: string - sql: ${TABLE}.item.vendor_vulnerability_id ;; - group_label: "Item" - group_item_label: "Vendor Vulnerability ID" - } -} - -view: udm_events_gcs__src__process__file__pe_file__section__list { - dimension: item__entropy { - type: number - sql: ${TABLE}.item.entropy ;; - group_label: "Item" - group_item_label: "Entropy" - } - - dimension: item__md5_hex { - type: string - sql: ${TABLE}.item.md5_hex ;; - group_label: "Item" - group_item_label: "Md5 Hex" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__raw_size_bytes { - type: number - sql: ${TABLE}.item.raw_size_bytes ;; - group_label: "Item" - group_item_label: "Raw Size Bytes" - } - - dimension: item__virtual_size_bytes { - type: number - sql: ${TABLE}.item.virtual_size_bytes ;; - group_label: "Item" - group_item_label: "Virtual Size Bytes" - } -} - -view: udm_events_gcs__about__list__item__process_ancestors__list { - dimension: item__access_mask { - type: number - sql: ${TABLE}.item.access_mask ;; - group_label: "Item" - group_item_label: "Access Mask" - } - - dimension: item__command_line { - type: string - sql: ${TABLE}.item.command_line ;; - group_label: "Item" - group_item_label: "Command Line" - } - - dimension: item__command_line_history__list { - hidden: yes - sql: ${TABLE}.item.command_line_history.list ;; - group_label: "Item Command Line History" - group_item_label: "List" - } - - dimension: item__file__ahash { - type: string - sql: ${TABLE}.item.file.ahash ;; - group_label: "Item File" - group_item_label: "Ahash" - } - - dimension: item__file__capabilities_tags__list { - hidden: yes - sql: ${TABLE}.item.file.capabilities_tags.list ;; - group_label: "Item File Capabilities Tags" - group_item_label: "List" - } - - dimension: item__file__file_type { - type: number - sql: ${TABLE}.item.file.file_type ;; - group_label: "Item File" - group_item_label: 
"File Type" - } - - dimension: item__file__full_path { - type: string - sql: ${TABLE}.item.file.full_path ;; - group_label: "Item File" - group_item_label: "Full Path" - } - - dimension: item__file__md5 { - type: string - sql: ${TABLE}.item.file.md5 ;; - group_label: "Item File" - group_item_label: "Md5" - } - - dimension: item__file__mime_type { - type: string - sql: ${TABLE}.item.file.mime_type ;; - group_label: "Item File" - group_item_label: "Mime Type" - } - - dimension: item__file__names__list { - hidden: yes - sql: ${TABLE}.item.file.names.list ;; - group_label: "Item File Names" - group_item_label: "List" - } - - dimension: item__file__pe_file__compilation_exiftool_time { - type: string - sql: ${TABLE}.item.file.pe_file.compilation_exiftool_time ;; - group_label: "Item File Pe File" - group_item_label: "Compilation Exiftool Time" - } - - dimension: item__file__pe_file__compilation_time { - type: string - sql: ${TABLE}.item.file.pe_file.compilation_time ;; - group_label: "Item File Pe File" - group_item_label: "Compilation Time" - } - - dimension: item__file__pe_file__entry_point { - type: number - sql: ${TABLE}.item.file.pe_file.entry_point ;; - group_label: "Item File Pe File" - group_item_label: "Entry Point" - } - - dimension: item__file__pe_file__entry_point_exiftool { - type: number - sql: ${TABLE}.item.file.pe_file.entry_point_exiftool ;; - group_label: "Item File Pe File" - group_item_label: "Entry Point Exiftool" - } - - dimension: item__file__pe_file__imphash { - type: string - sql: ${TABLE}.item.file.pe_file.imphash ;; - group_label: "Item File Pe File" - group_item_label: "Imphash" - } - - dimension: item__file__pe_file__imports__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.imports.list ;; - group_label: "Item File Pe File Imports" - group_item_label: "List" - } - - dimension: item__file__pe_file__resource__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.resource.list ;; - group_label: "Item File Pe File Resource" - 
group_item_label: "List" - } - - dimension: item__file__pe_file__resources_language_count__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.resources_language_count.list ;; - group_label: "Item File Pe File Resources Language Count" - group_item_label: "List" - } - - dimension: item__file__pe_file__resources_type_count__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.resources_type_count.list ;; - group_label: "Item File Pe File Resources Type Count" - group_item_label: "List" - } - - dimension: item__file__pe_file__section__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.section.list ;; - group_label: "Item File Pe File Section" - group_item_label: "List" - } - - dimension: item__file__pe_file__signature_info__signer__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.signature_info.signer.list ;; - group_label: "Item File Pe File Signature Info Signer" - group_item_label: "List" - } - - dimension: item__file__pe_file__signature_info__verification_message { - type: string - sql: ${TABLE}.item.file.pe_file.signature_info.verification_message ;; - group_label: "Item File Pe File Signature Info" - group_item_label: "Verification Message" - } - - dimension: item__file__pe_file__signature_info__verified { - type: yesno - sql: ${TABLE}.item.file.pe_file.signature_info.verified ;; - group_label: "Item File Pe File Signature Info" - group_item_label: "Verified" - } - - dimension: item__file__sha1 { - type: string - sql: ${TABLE}.item.file.sha1 ;; - group_label: "Item File" - group_item_label: "Sha1" - } - - dimension: item__file__sha256 { - type: string - sql: ${TABLE}.item.file.sha256 ;; - group_label: "Item File" - group_item_label: "Sha256" - } - - dimension: item__file__size { - type: number - sql: ${TABLE}.item.file.size ;; - group_label: "Item File" - group_item_label: "Size" - } - - dimension: item__file__ssdeep { - type: string - sql: ${TABLE}.item.file.ssdeep ;; - group_label: "Item File" - group_item_label: "Ssdeep" - } - - dimension: 
item__file__vhash { - type: string - sql: ${TABLE}.item.file.vhash ;; - group_label: "Item File" - group_item_label: "Vhash" - } - - dimension: item__pid { - type: string - sql: ${TABLE}.item.pid ;; - group_label: "Item" - group_item_label: "Pid" - } - - dimension: item__product_specific_process_id { - type: string - sql: ${TABLE}.item.product_specific_process_id ;; - group_label: "Item" - group_item_label: "Product Specific Process ID" - } -} - -view: udm_events_gcs__target__process__file__capabilities_tags__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__principal__file__pe_file__imports__list { - dimension: item__functions__list { - hidden: yes - sql: ${TABLE}.item.functions.list ;; - group_label: "Item Functions" - group_item_label: "List" - } - - dimension: item__library { - type: string - sql: ${TABLE}.item.library ;; - group_label: "Item" - group_item_label: "Library" - } -} - -view: udm_events_gcs__principal__group__attribute__roles__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__principal__group__attribute__labels__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: string - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__principal__process__command_line_history__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__observer__file__pe_file__resource__list { - dimension: item__entropy { - type: number - sql: 
${TABLE}.item.entropy ;; - group_label: "Item" - group_item_label: "Entropy" - } - - dimension: item__filetype_magic { - type: string - sql: ${TABLE}.item.filetype_magic ;; - group_label: "Item" - group_item_label: "Filetype Magic" - } - - dimension: item__language_code { - type: string - sql: ${TABLE}.item.language_code ;; - group_label: "Item" - group_item_label: "Language Code" - } - - dimension: item__resource_type { - type: string - sql: ${TABLE}.item.resource_type ;; - group_label: "Item" - group_item_label: "Resource Type" - } - - dimension: item__sha256_hex { - type: string - sql: ${TABLE}.item.sha256_hex ;; - group_label: "Item" - group_item_label: "Sha256 Hex" - } -} - -view: udm_events_gcs__observer__resource__attribute__roles__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__observer__resource__attribute__labels__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: string - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__src__file__pe_file__signature_info__signer__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__src__group__attribute__permissions__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - 
sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__about__list__item__file__capabilities_tags__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__about__list__item__investigation__comments__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__about__list__item__user__group_identifiers__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__intermediary__list__item__user__department__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__security_result__list__item__about__nat_ip__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__security_result__list__item__outcomes__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: string - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__target__user__attribute__permissions__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__principal__file__pe_file__resource__list { - dimension: item__entropy { - type: number - sql: ${TABLE}.item.entropy ;; - group_label: "Item" - group_item_label: "Entropy" - } - - dimension: item__filetype_magic { - type: string - sql: ${TABLE}.item.filetype_magic ;; - group_label: "Item" - group_item_label: "Filetype Magic" - } - - dimension: item__language_code { - type: string - sql: 
${TABLE}.item.language_code ;; - group_label: "Item" - group_item_label: "Language Code" - } - - dimension: item__resource_type { - type: string - sql: ${TABLE}.item.resource_type ;; - group_label: "Item" - group_item_label: "Resource Type" - } - - dimension: item__sha256_hex { - type: string - sql: ${TABLE}.item.sha256_hex ;; - group_label: "Item" - group_item_label: "Sha256 Hex" - } -} - -view: udm_events_gcs__principal__resource__attribute__roles__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__principal__resource__attribute__labels__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: string - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__observer__process__file__capabilities_tags__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__src__resource__attribute__permissions__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__about__list__item__group__email_addresses__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: 
udm_events_gcs__about__list__item__resource_ancestors__list { - dimension: item__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.item.attribute.cloud.availability_zone ;; - group_label: "Item Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: item__attribute__cloud__environment { - type: number - sql: ${TABLE}.item.attribute.cloud.environment ;; - group_label: "Item Attribute Cloud" - group_item_label: "Environment" - } - - dimension: item__attribute__creation_time { - type: string - sql: ${TABLE}.item.attribute.creation_time ;; - group_label: "Item Attribute" - group_item_label: "Creation Time" - } - - dimension: item__attribute__labels__list { - hidden: yes - sql: ${TABLE}.item.attribute.labels.list ;; - group_label: "Item Attribute Labels" - group_item_label: "List" - } - - dimension: item__attribute__last_update_time { - type: string - sql: ${TABLE}.item.attribute.last_update_time ;; - group_label: "Item Attribute" - group_item_label: "Last Update Time" - } - - dimension: item__attribute__permissions__list { - hidden: yes - sql: ${TABLE}.item.attribute.permissions.list ;; - group_label: "Item Attribute Permissions" - group_item_label: "List" - } - - dimension: item__attribute__roles__list { - hidden: yes - sql: ${TABLE}.item.attribute.roles.list ;; - group_label: "Item Attribute Roles" - group_item_label: "List" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__product_object_id { - type: string - sql: ${TABLE}.item.product_object_id ;; - group_label: "Item" - group_item_label: "Product Object ID" - } - - dimension: item__resource_subtype { - type: string - sql: ${TABLE}.item.resource_subtype ;; - group_label: "Item" - group_item_label: "Resource Subtype" - } - - dimension: item__resource_type { - type: number - sql: ${TABLE}.item.resource_type ;; - group_label: "Item" - group_item_label: "Resource Type" - } -} - 
-view: udm_events_gcs__target__asset__attribute__permissions__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__principal__process__file__capabilities_tags__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__observer__user__attribute__permissions__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__src__process__file__pe_file__imports__list { - dimension: item__functions__list { - hidden: yes - sql: ${TABLE}.item.functions.list ;; - group_label: "Item Functions" - group_item_label: "List" - } - - dimension: item__library { - type: string - sql: ${TABLE}.item.library ;; - group_label: "Item" - group_item_label: "Library" - } -} - -view: udm_events_gcs__security_result__list__item__about__asset__ip__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__target__process__file__pe_file__section__list { - dimension: item__entropy { - type: number - sql: ${TABLE}.item.entropy ;; - group_label: "Item" - group_item_label: "Entropy" - } - - dimension: item__md5_hex { - type: string - sql: ${TABLE}.item.md5_hex ;; - group_label: "Item" - group_item_label: "Md5 Hex" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - 
group_label: "Item" - group_item_label: "Name" - } - - dimension: item__raw_size_bytes { - type: number - sql: ${TABLE}.item.raw_size_bytes ;; - group_label: "Item" - group_item_label: "Raw Size Bytes" - } - - dimension: item__virtual_size_bytes { - type: number - sql: ${TABLE}.item.virtual_size_bytes ;; - group_label: "Item" - group_item_label: "Virtual Size Bytes" - } -} - -view: udm_events_gcs__principal__user__attribute__permissions__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__observer__asset__attribute__permissions__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__src__file__pe_file__resources_type_count__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: number - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__src__process__file__pe_file__resource__list { - dimension: item__entropy { - type: number - sql: ${TABLE}.item.entropy ;; - group_label: "Item" - group_item_label: "Entropy" - } - - dimension: item__filetype_magic { - type: string - sql: ${TABLE}.item.filetype_magic ;; - group_label: "Item" - group_item_label: "Filetype Magic" - } 
- - dimension: item__language_code { - type: string - sql: ${TABLE}.item.language_code ;; - group_label: "Item" - group_item_label: "Language Code" - } - - dimension: item__resource_type { - type: string - sql: ${TABLE}.item.resource_type ;; - group_label: "Item" - group_item_label: "Resource Type" - } - - dimension: item__sha256_hex { - type: string - sql: ${TABLE}.item.sha256_hex ;; - group_label: "Item" - group_item_label: "Sha256 Hex" - } -} - -view: udm_events_gcs__about__list__item__file__pe_file__section__list { - dimension: item__entropy { - type: number - sql: ${TABLE}.item.entropy ;; - group_label: "Item" - group_item_label: "Entropy" - } - - dimension: item__md5_hex { - type: string - sql: ${TABLE}.item.md5_hex ;; - group_label: "Item" - group_item_label: "Md5 Hex" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__raw_size_bytes { - type: number - sql: ${TABLE}.item.raw_size_bytes ;; - group_label: "Item" - group_item_label: "Raw Size Bytes" - } - - dimension: item__virtual_size_bytes { - type: number - sql: ${TABLE}.item.virtual_size_bytes ;; - group_label: "Item" - group_item_label: "Virtual Size Bytes" - } -} - -view: udm_events_gcs__about__list__item__user__time_off__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__interval__end_time { - type: string - sql: ${TABLE}.item.`interval`.end_time ;; - group_label: "Item Interval" - group_item_label: "End Time" - } - - dimension: item__interval__start_time { - type: string - sql: ${TABLE}.item.`interval`.start_time ;; - group_label: "Item Interval" - group_item_label: "Start Time" - } -} - -view: udm_events_gcs__about__list__item__user__attribute__roles__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: 
"Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__about__list__item__user__attribute__labels__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: string - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__intermediary__list__item__process__file__names__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__intermediary__list__item__asset__hardware__list { - dimension: item__cpu_clock_speed { - type: number - sql: ${TABLE}.item.cpu_clock_speed ;; - group_label: "Item" - group_item_label: "CPU Clock Speed" - } - - dimension: item__cpu_max_clock_speed { - type: number - sql: ${TABLE}.item.cpu_max_clock_speed ;; - group_label: "Item" - group_item_label: "CPU Max Clock Speed" - } - - dimension: item__cpu_model { - type: string - sql: ${TABLE}.item.cpu_model ;; - group_label: "Item" - group_item_label: "CPU Model" - } - - dimension: item__cpu_number_cores { - type: number - sql: ${TABLE}.item.cpu_number_cores ;; - group_label: "Item" - group_item_label: "CPU Number Cores" - } - - dimension: item__cpu_platform { - type: string - sql: ${TABLE}.item.cpu_platform ;; - group_label: "Item" - group_item_label: "CPU Platform" - } - - dimension: item__manufacturer { - type: string - sql: ${TABLE}.item.manufacturer ;; - group_label: "Item" - group_item_label: "Manufacturer" - } - - dimension: item__model { - type: string - sql: ${TABLE}.item.model ;; - group_label: "Item" - group_item_label: "Model" - } - - dimension: item__ram { - type: number - sql: ${TABLE}.item.ram ;; - group_label: "Item" - group_item_label: "Ram" - } - - 
dimension: item__serial_number { - type: string - sql: ${TABLE}.item.serial_number ;; - group_label: "Item" - group_item_label: "Serial Number" - } -} - -view: udm_events_gcs__intermediary__list__item__user__phone_numbers__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__security_result__list__item__about__asset__mac__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__security_result__list__item__rule_labels__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: string - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__target__file__pe_file__signature_info__signer__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__target__group__attribute__permissions__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__principal__asset__attribute__permissions__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__observer__process__file__pe_file__section__list { - dimension: item__entropy { - type: number - sql: ${TABLE}.item.entropy 
;; - group_label: "Item" - group_item_label: "Entropy" - } - - dimension: item__md5_hex { - type: string - sql: ${TABLE}.item.md5_hex ;; - group_label: "Item" - group_item_label: "Md5 Hex" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__raw_size_bytes { - type: number - sql: ${TABLE}.item.raw_size_bytes ;; - group_label: "Item" - group_item_label: "Raw Size Bytes" - } - - dimension: item__virtual_size_bytes { - type: number - sql: ${TABLE}.item.virtual_size_bytes ;; - group_label: "Item" - group_item_label: "Virtual Size Bytes" - } -} - -view: udm_events_gcs__src__process_ancestors__list__item__file__names__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__about__list__item__asset__vulnerabilities__list { - dimension: item__cve_description { - type: string - sql: ${TABLE}.item.cve_description ;; - group_label: "Item" - group_item_label: "Cve Description" - } - - dimension: item__cve_id { - type: string - sql: ${TABLE}.item.cve_id ;; - group_label: "Item" - group_item_label: "Cve ID" - } - - dimension: item__cvss_base_score { - type: number - sql: ${TABLE}.item.cvss_base_score ;; - group_label: "Item" - group_item_label: "Cvss Base Score" - } - - dimension: item__cvss_vector { - type: string - sql: ${TABLE}.item.cvss_vector ;; - group_label: "Item" - group_item_label: "Cvss Vector" - } - - dimension: item__cvss_version { - type: string - sql: ${TABLE}.item.cvss_version ;; - group_label: "Item" - group_item_label: "Cvss Version" - } - - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__first_found { - type: string - sql: ${TABLE}.item.first_found ;; - group_label: "Item" - group_item_label: "First Found" - } - - dimension: item__last_found { - type: string - sql: ${TABLE}.item.last_found ;; - group_label: 
"Item" - group_item_label: "Last Found" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__scan_end_time { - type: string - sql: ${TABLE}.item.scan_end_time ;; - group_label: "Item" - group_item_label: "Scan End Time" - } - - dimension: item__scan_start_time { - type: string - sql: ${TABLE}.item.scan_start_time ;; - group_label: "Item" - group_item_label: "Scan Start Time" - } - - dimension: item__severity { - type: number - sql: ${TABLE}.item.severity ;; - group_label: "Item" - group_item_label: "Severity" - } - - dimension: item__severity_details { - type: string - sql: ${TABLE}.item.severity_details ;; - group_label: "Item" - group_item_label: "Severity Details" - } - - dimension: item__vendor { - type: string - sql: ${TABLE}.item.vendor ;; - group_label: "Item" - group_item_label: "Vendor" - } - - dimension: item__vendor_knowledge_base_article_id { - type: string - sql: ${TABLE}.item.vendor_knowledge_base_article_id ;; - group_label: "Item" - group_item_label: "Vendor Knowledge Base Article ID" - } - - dimension: item__vendor_vulnerability_id { - type: string - sql: ${TABLE}.item.vendor_vulnerability_id ;; - group_label: "Item" - group_item_label: "Vendor Vulnerability ID" - } -} - -view: udm_events_gcs__about__list__item__asset__attribute__roles__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__about__list__item__asset__attribute__labels__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value 
{ - type: string - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__intermediary__list__item__asset__software__list { - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__permissions__list { - hidden: yes - sql: ${TABLE}.item.permissions.list ;; - group_label: "Item Permissions" - group_item_label: "List" - } - - dimension: item__version { - type: string - sql: ${TABLE}.item.version ;; - group_label: "Item" - group_item_label: "Version" - } -} - -view: udm_events_gcs__security_result__list__item__about__file__names__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__security_result__list__item__category_details__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__target__resource__attribute__permissions__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__principal__process__file__pe_file__section__list { - dimension: item__entropy { - type: number - sql: ${TABLE}.item.entropy ;; - group_label: "Item" - group_item_label: "Entropy" - } - - dimension: item__md5_hex { - type: string - sql: ${TABLE}.item.md5_hex ;; - group_label: "Item" - group_item_label: "Md5 Hex" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__raw_size_bytes { - type: number - sql: ${TABLE}.item.raw_size_bytes ;; - group_label: "Item" - group_item_label: "Raw Size Bytes" - } - - dimension: 
item__virtual_size_bytes { - type: number - sql: ${TABLE}.item.virtual_size_bytes ;; - group_label: "Item" - group_item_label: "Virtual Size Bytes" - } -} - -view: udm_events_gcs__observer__file__pe_file__signature_info__signer__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__observer__group__attribute__permissions__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__about__list__item__user_management_chain__list { - dimension: item__account_type { - type: number - sql: ${TABLE}.item.account_type ;; - group_label: "Item" - group_item_label: "Account Type" - } - - dimension: item__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.item.attribute.cloud.availability_zone ;; - group_label: "Item Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: item__attribute__cloud__environment { - type: number - sql: ${TABLE}.item.attribute.cloud.environment ;; - group_label: "Item Attribute Cloud" - group_item_label: "Environment" - } - - dimension: item__attribute__creation_time { - type: string - sql: ${TABLE}.item.attribute.creation_time ;; - group_label: "Item Attribute" - group_item_label: "Creation Time" - } - - dimension: item__attribute__labels__list { - hidden: yes - sql: ${TABLE}.item.attribute.labels.list ;; - group_label: "Item Attribute Labels" - group_item_label: "List" - } - - dimension: item__attribute__last_update_time { - type: string - sql: ${TABLE}.item.attribute.last_update_time ;; - group_label: "Item Attribute" - group_item_label: "Last Update Time" - } - - dimension: 
item__attribute__permissions__list { - hidden: yes - sql: ${TABLE}.item.attribute.permissions.list ;; - group_label: "Item Attribute Permissions" - group_item_label: "List" - } - - dimension: item__attribute__roles__list { - hidden: yes - sql: ${TABLE}.item.attribute.roles.list ;; - group_label: "Item Attribute Roles" - group_item_label: "List" - } - - dimension: item__company_name { - type: string - sql: ${TABLE}.item.company_name ;; - group_label: "Item" - group_item_label: "Company Name" - } - - dimension: item__department__list { - hidden: yes - sql: ${TABLE}.item.department.list ;; - group_label: "Item Department" - group_item_label: "List" - } - - dimension: item__email_addresses__list { - hidden: yes - sql: ${TABLE}.item.email_addresses.list ;; - group_label: "Item Email Addresses" - group_item_label: "List" - } - - dimension: item__employee_id { - type: string - sql: ${TABLE}.item.employee_id ;; - group_label: "Item" - group_item_label: "Employee ID" - } - - dimension: item__first_name { - type: string - sql: ${TABLE}.item.first_name ;; - group_label: "Item" - group_item_label: "First Name" - } - - dimension: item__group_identifiers__list { - hidden: yes - sql: ${TABLE}.item.group_identifiers.list ;; - group_label: "Item Group Identifiers" - group_item_label: "List" - } - - dimension: item__hire_date { - type: string - sql: ${TABLE}.item.hire_date ;; - group_label: "Item" - group_item_label: "Hire Date" - } - - dimension: item__last_name { - type: string - sql: ${TABLE}.item.last_name ;; - group_label: "Item" - group_item_label: "Last Name" - } - - dimension: item__middle_name { - type: string - sql: ${TABLE}.item.middle_name ;; - group_label: "Item" - group_item_label: "Middle Name" - } - - dimension: item__office_address__city { - type: string - sql: ${TABLE}.item.office_address.city ;; - group_label: "Item Office Address" - group_item_label: "City" - } - - dimension: item__office_address__country_or_region { - type: string - sql: 
${TABLE}.item.office_address.country_or_region ;; - group_label: "Item Office Address" - group_item_label: "Country or Region" - } - - dimension: item__office_address__desk_name { - type: string - sql: ${TABLE}.item.office_address.desk_name ;; - group_label: "Item Office Address" - group_item_label: "Desk Name" - } - - dimension: item__office_address__floor_name { - type: string - sql: ${TABLE}.item.office_address.floor_name ;; - group_label: "Item Office Address" - group_item_label: "Floor Name" - } - - dimension: item__office_address__name { - type: string - sql: ${TABLE}.item.office_address.name ;; - group_label: "Item Office Address" - group_item_label: "Name" - } - - dimension: item__office_address__region_latitude { - type: number - sql: ${TABLE}.item.office_address.region_latitude ;; - group_label: "Item Office Address" - group_item_label: "Region Latitude" - } - - dimension: item__office_address__region_longitude { - type: number - sql: ${TABLE}.item.office_address.region_longitude ;; - group_label: "Item Office Address" - group_item_label: "Region Longitude" - } - - dimension: item__office_address__state { - type: string - sql: ${TABLE}.item.office_address.state ;; - group_label: "Item Office Address" - group_item_label: "State" - } - - dimension: item__personal_address__city { - type: string - sql: ${TABLE}.item.personal_address.city ;; - group_label: "Item Personal Address" - group_item_label: "City" - } - - dimension: item__personal_address__country_or_region { - type: string - sql: ${TABLE}.item.personal_address.country_or_region ;; - group_label: "Item Personal Address" - group_item_label: "Country or Region" - } - - dimension: item__personal_address__desk_name { - type: string - sql: ${TABLE}.item.personal_address.desk_name ;; - group_label: "Item Personal Address" - group_item_label: "Desk Name" - } - - dimension: item__personal_address__floor_name { - type: string - sql: ${TABLE}.item.personal_address.floor_name ;; - group_label: "Item Personal 
Address" - group_item_label: "Floor Name" - } - - dimension: item__personal_address__name { - type: string - sql: ${TABLE}.item.personal_address.name ;; - group_label: "Item Personal Address" - group_item_label: "Name" - } - - dimension: item__personal_address__region_latitude { - type: number - sql: ${TABLE}.item.personal_address.region_latitude ;; - group_label: "Item Personal Address" - group_item_label: "Region Latitude" - } - - dimension: item__personal_address__region_longitude { - type: number - sql: ${TABLE}.item.personal_address.region_longitude ;; - group_label: "Item Personal Address" - group_item_label: "Region Longitude" - } - - dimension: item__personal_address__state { - type: string - sql: ${TABLE}.item.personal_address.state ;; - group_label: "Item Personal Address" - group_item_label: "State" - } - - dimension: item__phone_numbers__list { - hidden: yes - sql: ${TABLE}.item.phone_numbers.list ;; - group_label: "Item Phone Numbers" - group_item_label: "List" - } - - dimension: item__product_object_id { - type: string - sql: ${TABLE}.item.product_object_id ;; - group_label: "Item" - group_item_label: "Product Object ID" - } - - dimension: item__termination_date { - type: string - sql: ${TABLE}.item.termination_date ;; - group_label: "Item" - group_item_label: "Termination Date" - } - - dimension: item__time_off__list { - hidden: yes - sql: ${TABLE}.item.time_off.list ;; - group_label: "Item Time Off" - group_item_label: "List" - } - - dimension: item__title { - type: string - sql: ${TABLE}.item.title ;; - group_label: "Item" - group_item_label: "Title" - } - - dimension: item__user_authentication_status { - type: number - sql: ${TABLE}.item.user_authentication_status ;; - group_label: "Item" - group_item_label: "User Authentication Status" - } - - dimension: item__user_display_name { - type: string - sql: ${TABLE}.item.user_display_name ;; - group_label: "Item" - group_item_label: "User Display Name" - } - - dimension: item__userid { - type: string - 
sql: ${TABLE}.item.userid ;; - group_label: "Item" - group_item_label: "Userid" - } - - dimension: item__windows_sid { - type: string - sql: ${TABLE}.item.windows_sid ;; - group_label: "Item" - group_item_label: "Windows Sid" - } -} - -view: udm_events_gcs__intermediary__list__item__user__email_addresses__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__target__process__file__pe_file__imports__list { - dimension: item__functions__list { - hidden: yes - sql: ${TABLE}.item.functions.list ;; - group_label: "Item Functions" - group_item_label: "List" - } - - dimension: item__library { - type: string - sql: ${TABLE}.item.library ;; - group_label: "Item" - group_item_label: "Library" - } -} - -view: udm_events_gcs__principal__file__pe_file__signature_info__signer__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__principal__group__attribute__permissions__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__observer__resource__attribute__permissions__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__src__file__pe_file__imports__list__item__functions__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: 
udm_events_gcs__about__list__item__file__pe_file__imports__list { - dimension: item__functions__list { - hidden: yes - sql: ${TABLE}.item.functions.list ;; - group_label: "Item Functions" - group_item_label: "List" - } - - dimension: item__library { - type: string - sql: ${TABLE}.item.library ;; - group_label: "Item" - group_item_label: "Library" - } -} - -view: udm_events_gcs__about__list__item__group__attribute__roles__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__about__list__item__group__attribute__labels__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: string - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__about__list__item__process__command_line_history__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__intermediary__list__item__process_ancestors__list { - dimension: item__access_mask { - type: number - sql: ${TABLE}.item.access_mask ;; - group_label: "Item" - group_item_label: "Access Mask" - } - - dimension: item__command_line { - type: string - sql: ${TABLE}.item.command_line ;; - group_label: "Item" - group_item_label: "Command Line" - } - - dimension: item__command_line_history__list { - hidden: yes - sql: ${TABLE}.item.command_line_history.list ;; - group_label: "Item Command Line History" - group_item_label: "List" - } - - dimension: item__file__ahash { - type: string - sql: ${TABLE}.item.file.ahash ;; - group_label: "Item File" - group_item_label: 
"Ahash" - } - - dimension: item__file__capabilities_tags__list { - hidden: yes - sql: ${TABLE}.item.file.capabilities_tags.list ;; - group_label: "Item File Capabilities Tags" - group_item_label: "List" - } - - dimension: item__file__file_type { - type: number - sql: ${TABLE}.item.file.file_type ;; - group_label: "Item File" - group_item_label: "File Type" - } - - dimension: item__file__full_path { - type: string - sql: ${TABLE}.item.file.full_path ;; - group_label: "Item File" - group_item_label: "Full Path" - } - - dimension: item__file__md5 { - type: string - sql: ${TABLE}.item.file.md5 ;; - group_label: "Item File" - group_item_label: "Md5" - } - - dimension: item__file__mime_type { - type: string - sql: ${TABLE}.item.file.mime_type ;; - group_label: "Item File" - group_item_label: "Mime Type" - } - - dimension: item__file__names__list { - hidden: yes - sql: ${TABLE}.item.file.names.list ;; - group_label: "Item File Names" - group_item_label: "List" - } - - dimension: item__file__pe_file__compilation_exiftool_time { - type: string - sql: ${TABLE}.item.file.pe_file.compilation_exiftool_time ;; - group_label: "Item File Pe File" - group_item_label: "Compilation Exiftool Time" - } - - dimension: item__file__pe_file__compilation_time { - type: string - sql: ${TABLE}.item.file.pe_file.compilation_time ;; - group_label: "Item File Pe File" - group_item_label: "Compilation Time" - } - - dimension: item__file__pe_file__entry_point { - type: number - sql: ${TABLE}.item.file.pe_file.entry_point ;; - group_label: "Item File Pe File" - group_item_label: "Entry Point" - } - - dimension: item__file__pe_file__entry_point_exiftool { - type: number - sql: ${TABLE}.item.file.pe_file.entry_point_exiftool ;; - group_label: "Item File Pe File" - group_item_label: "Entry Point Exiftool" - } - - dimension: item__file__pe_file__imphash { - type: string - sql: ${TABLE}.item.file.pe_file.imphash ;; - group_label: "Item File Pe File" - group_item_label: "Imphash" - } - - dimension: 
item__file__pe_file__imports__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.imports.list ;; - group_label: "Item File Pe File Imports" - group_item_label: "List" - } - - dimension: item__file__pe_file__resource__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.resource.list ;; - group_label: "Item File Pe File Resource" - group_item_label: "List" - } - - dimension: item__file__pe_file__resources_language_count__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.resources_language_count.list ;; - group_label: "Item File Pe File Resources Language Count" - group_item_label: "List" - } - - dimension: item__file__pe_file__resources_type_count__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.resources_type_count.list ;; - group_label: "Item File Pe File Resources Type Count" - group_item_label: "List" - } - - dimension: item__file__pe_file__section__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.section.list ;; - group_label: "Item File Pe File Section" - group_item_label: "List" - } - - dimension: item__file__pe_file__signature_info__signer__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.signature_info.signer.list ;; - group_label: "Item File Pe File Signature Info Signer" - group_item_label: "List" - } - - dimension: item__file__pe_file__signature_info__verification_message { - type: string - sql: ${TABLE}.item.file.pe_file.signature_info.verification_message ;; - group_label: "Item File Pe File Signature Info" - group_item_label: "Verification Message" - } - - dimension: item__file__pe_file__signature_info__verified { - type: yesno - sql: ${TABLE}.item.file.pe_file.signature_info.verified ;; - group_label: "Item File Pe File Signature Info" - group_item_label: "Verified" - } - - dimension: item__file__sha1 { - type: string - sql: ${TABLE}.item.file.sha1 ;; - group_label: "Item File" - group_item_label: "Sha1" - } - - dimension: item__file__sha256 { - type: string - sql: ${TABLE}.item.file.sha256 ;; - group_label: "Item File" 
- group_item_label: "Sha256" - } - - dimension: item__file__size { - type: number - sql: ${TABLE}.item.file.size ;; - group_label: "Item File" - group_item_label: "Size" - } - - dimension: item__file__ssdeep { - type: string - sql: ${TABLE}.item.file.ssdeep ;; - group_label: "Item File" - group_item_label: "Ssdeep" - } - - dimension: item__file__vhash { - type: string - sql: ${TABLE}.item.file.vhash ;; - group_label: "Item File" - group_item_label: "Vhash" - } - - dimension: item__pid { - type: string - sql: ${TABLE}.item.pid ;; - group_label: "Item" - group_item_label: "Pid" - } - - dimension: item__product_specific_process_id { - type: string - sql: ${TABLE}.item.product_specific_process_id ;; - group_label: "Item" - group_item_label: "Product Specific Process ID" - } -} - -view: udm_events_gcs__security_result__list__item__about__asset__nat_ip__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__target__file__pe_file__resources_type_count__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: number - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__target__process__file__pe_file__resource__list { - dimension: item__entropy { - type: number - sql: ${TABLE}.item.entropy ;; - group_label: "Item" - group_item_label: "Entropy" - } - - dimension: item__filetype_magic { - type: string - sql: ${TABLE}.item.filetype_magic ;; - group_label: "Item" - group_item_label: "Filetype Magic" - } - - dimension: item__language_code { - type: string - sql: ${TABLE}.item.language_code ;; - group_label: "Item" - group_item_label: "Language Code" - } - - dimension: item__resource_type { - type: string - sql: ${TABLE}.item.resource_type ;; - group_label: "Item" - group_item_label: "Resource Type" - } - - dimension: item__sha256_hex { - type: string - sql: 
${TABLE}.item.sha256_hex ;; - group_label: "Item" - group_item_label: "Sha256 Hex" - } -} - -view: udm_events_gcs__principal__resource__attribute__permissions__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__observer__process__file__pe_file__imports__list { - dimension: item__functions__list { - hidden: yes - sql: ${TABLE}.item.functions.list ;; - group_label: "Item Functions" - group_item_label: "List" - } - - dimension: item__library { - type: string - sql: ${TABLE}.item.library ;; - group_label: "Item" - group_item_label: "Library" - } -} - -view: udm_events_gcs__src__file__pe_file__resources_language_count__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: number - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__src__asset__software__list__item__permissions__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__about__list__item__file__pe_file__resource__list { - dimension: item__entropy { - type: number - sql: ${TABLE}.item.entropy ;; - group_label: "Item" - group_item_label: "Entropy" - } - - dimension: item__filetype_magic { - type: string - 
sql: ${TABLE}.item.filetype_magic ;; - group_label: "Item" - group_item_label: "Filetype Magic" - } - - dimension: item__language_code { - type: string - sql: ${TABLE}.item.language_code ;; - group_label: "Item" - group_item_label: "Language Code" - } - - dimension: item__resource_type { - type: string - sql: ${TABLE}.item.resource_type ;; - group_label: "Item" - group_item_label: "Resource Type" - } - - dimension: item__sha256_hex { - type: string - sql: ${TABLE}.item.sha256_hex ;; - group_label: "Item" - group_item_label: "Sha256 Hex" - } -} - -view: udm_events_gcs__about__list__item__resource__attribute__roles__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__about__list__item__resource__attribute__labels__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: string - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__intermediary__list__item__file__capabilities_tags__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__intermediary__list__item__investigation__comments__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__intermediary__list__item__user__group_identifiers__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__target__process_ancestors__list__item__file__names__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: 
udm_events_gcs__principal__process__file__pe_file__imports__list { - dimension: item__functions__list { - hidden: yes - sql: ${TABLE}.item.functions.list ;; - group_label: "Item Functions" - group_item_label: "List" - } - - dimension: item__library { - type: string - sql: ${TABLE}.item.library ;; - group_label: "Item" - group_item_label: "Library" - } -} - -view: udm_events_gcs__observer__file__pe_file__resources_type_count__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: number - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__observer__process__file__pe_file__resource__list { - dimension: item__entropy { - type: number - sql: ${TABLE}.item.entropy ;; - group_label: "Item" - group_item_label: "Entropy" - } - - dimension: item__filetype_magic { - type: string - sql: ${TABLE}.item.filetype_magic ;; - group_label: "Item" - group_item_label: "Filetype Magic" - } - - dimension: item__language_code { - type: string - sql: ${TABLE}.item.language_code ;; - group_label: "Item" - group_item_label: "Language Code" - } - - dimension: item__resource_type { - type: string - sql: ${TABLE}.item.resource_type ;; - group_label: "Item" - group_item_label: "Resource Type" - } - - dimension: item__sha256_hex { - type: string - sql: ${TABLE}.item.sha256_hex ;; - group_label: "Item" - group_item_label: "Sha256 Hex" - } -} - -view: udm_events_gcs__src__process__file__pe_file__signature_info__signer__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__src__user_management_chain__list__item__department__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__about__list__item__process__file__capabilities_tags__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: 
udm_events_gcs__intermediary__list__item__group__email_addresses__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__intermediary__list__item__resource_ancestors__list { - dimension: item__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.item.attribute.cloud.availability_zone ;; - group_label: "Item Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: item__attribute__cloud__environment { - type: number - sql: ${TABLE}.item.attribute.cloud.environment ;; - group_label: "Item Attribute Cloud" - group_item_label: "Environment" - } - - dimension: item__attribute__creation_time { - type: string - sql: ${TABLE}.item.attribute.creation_time ;; - group_label: "Item Attribute" - group_item_label: "Creation Time" - } - - dimension: item__attribute__labels__list { - hidden: yes - sql: ${TABLE}.item.attribute.labels.list ;; - group_label: "Item Attribute Labels" - group_item_label: "List" - } - - dimension: item__attribute__last_update_time { - type: string - sql: ${TABLE}.item.attribute.last_update_time ;; - group_label: "Item Attribute" - group_item_label: "Last Update Time" - } - - dimension: item__attribute__permissions__list { - hidden: yes - sql: ${TABLE}.item.attribute.permissions.list ;; - group_label: "Item Attribute Permissions" - group_item_label: "List" - } - - dimension: item__attribute__roles__list { - hidden: yes - sql: ${TABLE}.item.attribute.roles.list ;; - group_label: "Item Attribute Roles" - group_item_label: "List" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__product_object_id { - type: string - sql: ${TABLE}.item.product_object_id ;; - group_label: "Item" - group_item_label: "Product Object ID" - } - - dimension: item__resource_subtype { - type: string - sql: ${TABLE}.item.resource_subtype ;; - group_label: "Item" - group_item_label: "Resource Subtype" - } - - 
dimension: item__resource_type { - type: number - sql: ${TABLE}.item.resource_type ;; - group_label: "Item" - group_item_label: "Resource Type" - } -} - -view: udm_events_gcs__security_result__list__item__detection_fields__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: string - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__principal__file__pe_file__resources_type_count__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: number - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__principal__process__file__pe_file__resource__list { - dimension: item__entropy { - type: number - sql: ${TABLE}.item.entropy ;; - group_label: "Item" - group_item_label: "Entropy" - } - - dimension: item__filetype_magic { - type: string - sql: ${TABLE}.item.filetype_magic ;; - group_label: "Item" - group_item_label: "Filetype Magic" - } - - dimension: item__language_code { - type: string - sql: ${TABLE}.item.language_code ;; - group_label: "Item" - group_item_label: "Language Code" - } - - dimension: item__resource_type { - type: string - sql: ${TABLE}.item.resource_type ;; - group_label: "Item" - group_item_label: "Resource Type" - } - - dimension: item__sha256_hex { - type: string - sql: ${TABLE}.item.sha256_hex ;; - group_label: "Item" - group_item_label: "Sha256 Hex" - } -} - -view: udm_events_gcs__observer__process_ancestors__list__item__file__names__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__about__list__item__user__attribute__permissions__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" 
- } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__security_result__list__item__about__user__department__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__target__file__pe_file__imports__list__item__functions__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__principal__process_ancestors__list__item__file__names__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__about__list__item__asset__attribute__permissions__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__intermediary__list__item__file__pe_file__section__list { - dimension: item__entropy { - type: number - sql: ${TABLE}.item.entropy ;; - group_label: "Item" - group_item_label: "Entropy" - } - - dimension: item__md5_hex { - type: string - sql: ${TABLE}.item.md5_hex ;; - group_label: "Item" - group_item_label: "Md5 Hex" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__raw_size_bytes { - type: number - sql: ${TABLE}.item.raw_size_bytes ;; - group_label: "Item" - group_item_label: "Raw Size Bytes" - } - - dimension: item__virtual_size_bytes { - type: number - sql: ${TABLE}.item.virtual_size_bytes ;; - group_label: "Item" - group_item_label: "Virtual Size Bytes" - } -} - 
-view: udm_events_gcs__intermediary__list__item__user__time_off__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__interval__end_time { - type: string - sql: ${TABLE}.item.`interval`.end_time ;; - group_label: "Item Interval" - group_item_label: "End Time" - } - - dimension: item__interval__start_time { - type: string - sql: ${TABLE}.item.`interval`.start_time ;; - group_label: "Item Interval" - group_item_label: "Start Time" - } -} - -view: udm_events_gcs__intermediary__list__item__user__attribute__roles__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__intermediary__list__item__user__attribute__labels__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: string - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__target__file__pe_file__resources_language_count__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: number - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__target__asset__software__list__item__permissions__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name 
;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__observer__file__pe_file__imports__list__item__functions__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__src__process__file__pe_file__resources_type_count__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: number - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__src__user_management_chain__list__item__phone_numbers__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__about__list__item__process__file__pe_file__section__list { - dimension: item__entropy { - type: number - sql: ${TABLE}.item.entropy ;; - group_label: "Item" - group_item_label: "Entropy" - } - - dimension: item__md5_hex { - type: string - sql: ${TABLE}.item.md5_hex ;; - group_label: "Item" - group_item_label: "Md5 Hex" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__raw_size_bytes { - type: number - sql: ${TABLE}.item.raw_size_bytes ;; - group_label: "Item" - group_item_label: "Raw Size Bytes" - } - - dimension: item__virtual_size_bytes { - type: number - sql: ${TABLE}.item.virtual_size_bytes ;; - group_label: "Item" - group_item_label: "Virtual Size Bytes" - } -} - -view: udm_events_gcs__intermediary__list__item__asset__vulnerabilities__list { - dimension: item__cve_description { - type: string - sql: ${TABLE}.item.cve_description ;; - group_label: "Item" - group_item_label: "Cve Description" - } - - dimension: item__cve_id { - type: string - sql: ${TABLE}.item.cve_id ;; - group_label: "Item" - group_item_label: "Cve ID" - } - - 
dimension: item__cvss_base_score { - type: number - sql: ${TABLE}.item.cvss_base_score ;; - group_label: "Item" - group_item_label: "Cvss Base Score" - } - - dimension: item__cvss_vector { - type: string - sql: ${TABLE}.item.cvss_vector ;; - group_label: "Item" - group_item_label: "Cvss Vector" - } - - dimension: item__cvss_version { - type: string - sql: ${TABLE}.item.cvss_version ;; - group_label: "Item" - group_item_label: "Cvss Version" - } - - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__first_found { - type: string - sql: ${TABLE}.item.first_found ;; - group_label: "Item" - group_item_label: "First Found" - } - - dimension: item__last_found { - type: string - sql: ${TABLE}.item.last_found ;; - group_label: "Item" - group_item_label: "Last Found" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__scan_end_time { - type: string - sql: ${TABLE}.item.scan_end_time ;; - group_label: "Item" - group_item_label: "Scan End Time" - } - - dimension: item__scan_start_time { - type: string - sql: ${TABLE}.item.scan_start_time ;; - group_label: "Item" - group_item_label: "Scan Start Time" - } - - dimension: item__severity { - type: number - sql: ${TABLE}.item.severity ;; - group_label: "Item" - group_item_label: "Severity" - } - - dimension: item__severity_details { - type: string - sql: ${TABLE}.item.severity_details ;; - group_label: "Item" - group_item_label: "Severity Details" - } - - dimension: item__vendor { - type: string - sql: ${TABLE}.item.vendor ;; - group_label: "Item" - group_item_label: "Vendor" - } - - dimension: item__vendor_knowledge_base_article_id { - type: string - sql: ${TABLE}.item.vendor_knowledge_base_article_id ;; - group_label: "Item" - group_item_label: "Vendor Knowledge Base Article ID" - } - - dimension: 
item__vendor_vulnerability_id { - type: string - sql: ${TABLE}.item.vendor_vulnerability_id ;; - group_label: "Item" - group_item_label: "Vendor Vulnerability ID" - } -} - -view: udm_events_gcs__intermediary__list__item__asset__attribute__roles__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__intermediary__list__item__asset__attribute__labels__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: string - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__target__process__file__pe_file__signature_info__signer__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__target__user_management_chain__list__item__department__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__principal__file__pe_file__imports__list__item__functions__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__observer__file__pe_file__resources_language_count__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: number - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__observer__asset__software__list__item__permissions__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: 
"Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__about__list__item__file__pe_file__signature_info__signer__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__about__list__item__group__attribute__permissions__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__intermediary__list__item__user_management_chain__list { - dimension: item__account_type { - type: number - sql: ${TABLE}.item.account_type ;; - group_label: "Item" - group_item_label: "Account Type" - } - - dimension: item__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.item.attribute.cloud.availability_zone ;; - group_label: "Item Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: item__attribute__cloud__environment { - type: number - sql: ${TABLE}.item.attribute.cloud.environment ;; - group_label: "Item Attribute Cloud" - group_item_label: "Environment" - } - - dimension: item__attribute__creation_time { - type: string - sql: ${TABLE}.item.attribute.creation_time ;; - group_label: "Item Attribute" - group_item_label: "Creation Time" - } - - dimension: item__attribute__labels__list { - hidden: yes - sql: ${TABLE}.item.attribute.labels.list ;; - group_label: "Item Attribute Labels" - group_item_label: "List" - } - - dimension: item__attribute__last_update_time { - type: string - sql: 
${TABLE}.item.attribute.last_update_time ;; - group_label: "Item Attribute" - group_item_label: "Last Update Time" - } - - dimension: item__attribute__permissions__list { - hidden: yes - sql: ${TABLE}.item.attribute.permissions.list ;; - group_label: "Item Attribute Permissions" - group_item_label: "List" - } - - dimension: item__attribute__roles__list { - hidden: yes - sql: ${TABLE}.item.attribute.roles.list ;; - group_label: "Item Attribute Roles" - group_item_label: "List" - } - - dimension: item__company_name { - type: string - sql: ${TABLE}.item.company_name ;; - group_label: "Item" - group_item_label: "Company Name" - } - - dimension: item__department__list { - hidden: yes - sql: ${TABLE}.item.department.list ;; - group_label: "Item Department" - group_item_label: "List" - } - - dimension: item__email_addresses__list { - hidden: yes - sql: ${TABLE}.item.email_addresses.list ;; - group_label: "Item Email Addresses" - group_item_label: "List" - } - - dimension: item__employee_id { - type: string - sql: ${TABLE}.item.employee_id ;; - group_label: "Item" - group_item_label: "Employee ID" - } - - dimension: item__first_name { - type: string - sql: ${TABLE}.item.first_name ;; - group_label: "Item" - group_item_label: "First Name" - } - - dimension: item__group_identifiers__list { - hidden: yes - sql: ${TABLE}.item.group_identifiers.list ;; - group_label: "Item Group Identifiers" - group_item_label: "List" - } - - dimension: item__hire_date { - type: string - sql: ${TABLE}.item.hire_date ;; - group_label: "Item" - group_item_label: "Hire Date" - } - - dimension: item__last_name { - type: string - sql: ${TABLE}.item.last_name ;; - group_label: "Item" - group_item_label: "Last Name" - } - - dimension: item__middle_name { - type: string - sql: ${TABLE}.item.middle_name ;; - group_label: "Item" - group_item_label: "Middle Name" - } - - dimension: item__office_address__city { - type: string - sql: ${TABLE}.item.office_address.city ;; - group_label: "Item Office Address" 
- group_item_label: "City" - } - - dimension: item__office_address__country_or_region { - type: string - sql: ${TABLE}.item.office_address.country_or_region ;; - group_label: "Item Office Address" - group_item_label: "Country or Region" - } - - dimension: item__office_address__desk_name { - type: string - sql: ${TABLE}.item.office_address.desk_name ;; - group_label: "Item Office Address" - group_item_label: "Desk Name" - } - - dimension: item__office_address__floor_name { - type: string - sql: ${TABLE}.item.office_address.floor_name ;; - group_label: "Item Office Address" - group_item_label: "Floor Name" - } - - dimension: item__office_address__name { - type: string - sql: ${TABLE}.item.office_address.name ;; - group_label: "Item Office Address" - group_item_label: "Name" - } - - dimension: item__office_address__region_latitude { - type: number - sql: ${TABLE}.item.office_address.region_latitude ;; - group_label: "Item Office Address" - group_item_label: "Region Latitude" - } - - dimension: item__office_address__region_longitude { - type: number - sql: ${TABLE}.item.office_address.region_longitude ;; - group_label: "Item Office Address" - group_item_label: "Region Longitude" - } - - dimension: item__office_address__state { - type: string - sql: ${TABLE}.item.office_address.state ;; - group_label: "Item Office Address" - group_item_label: "State" - } - - dimension: item__personal_address__city { - type: string - sql: ${TABLE}.item.personal_address.city ;; - group_label: "Item Personal Address" - group_item_label: "City" - } - - dimension: item__personal_address__country_or_region { - type: string - sql: ${TABLE}.item.personal_address.country_or_region ;; - group_label: "Item Personal Address" - group_item_label: "Country or Region" - } - - dimension: item__personal_address__desk_name { - type: string - sql: ${TABLE}.item.personal_address.desk_name ;; - group_label: "Item Personal Address" - group_item_label: "Desk Name" - } - - dimension: 
item__personal_address__floor_name { - type: string - sql: ${TABLE}.item.personal_address.floor_name ;; - group_label: "Item Personal Address" - group_item_label: "Floor Name" - } - - dimension: item__personal_address__name { - type: string - sql: ${TABLE}.item.personal_address.name ;; - group_label: "Item Personal Address" - group_item_label: "Name" - } - - dimension: item__personal_address__region_latitude { - type: number - sql: ${TABLE}.item.personal_address.region_latitude ;; - group_label: "Item Personal Address" - group_item_label: "Region Latitude" - } - - dimension: item__personal_address__region_longitude { - type: number - sql: ${TABLE}.item.personal_address.region_longitude ;; - group_label: "Item Personal Address" - group_item_label: "Region Longitude" - } - - dimension: item__personal_address__state { - type: string - sql: ${TABLE}.item.personal_address.state ;; - group_label: "Item Personal Address" - group_item_label: "State" - } - - dimension: item__phone_numbers__list { - hidden: yes - sql: ${TABLE}.item.phone_numbers.list ;; - group_label: "Item Phone Numbers" - group_item_label: "List" - } - - dimension: item__product_object_id { - type: string - sql: ${TABLE}.item.product_object_id ;; - group_label: "Item" - group_item_label: "Product Object ID" - } - - dimension: item__termination_date { - type: string - sql: ${TABLE}.item.termination_date ;; - group_label: "Item" - group_item_label: "Termination Date" - } - - dimension: item__time_off__list { - hidden: yes - sql: ${TABLE}.item.time_off.list ;; - group_label: "Item Time Off" - group_item_label: "List" - } - - dimension: item__title { - type: string - sql: ${TABLE}.item.title ;; - group_label: "Item" - group_item_label: "Title" - } - - dimension: item__user_authentication_status { - type: number - sql: ${TABLE}.item.user_authentication_status ;; - group_label: "Item" - group_item_label: "User Authentication Status" - } - - dimension: item__user_display_name { - type: string - sql: 
${TABLE}.item.user_display_name ;; - group_label: "Item" - group_item_label: "User Display Name" - } - - dimension: item__userid { - type: string - sql: ${TABLE}.item.userid ;; - group_label: "Item" - group_item_label: "Userid" - } - - dimension: item__windows_sid { - type: string - sql: ${TABLE}.item.windows_sid ;; - group_label: "Item" - group_item_label: "Windows Sid" - } -} - -view: udm_events_gcs__security_result__list__item__about__process__file__names__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__security_result__list__item__about__asset__hardware__list { - dimension: item__cpu_clock_speed { - type: number - sql: ${TABLE}.item.cpu_clock_speed ;; - group_label: "Item" - group_item_label: "CPU Clock Speed" - } - - dimension: item__cpu_max_clock_speed { - type: number - sql: ${TABLE}.item.cpu_max_clock_speed ;; - group_label: "Item" - group_item_label: "CPU Max Clock Speed" - } - - dimension: item__cpu_model { - type: string - sql: ${TABLE}.item.cpu_model ;; - group_label: "Item" - group_item_label: "CPU Model" - } - - dimension: item__cpu_number_cores { - type: number - sql: ${TABLE}.item.cpu_number_cores ;; - group_label: "Item" - group_item_label: "CPU Number Cores" - } - - dimension: item__cpu_platform { - type: string - sql: ${TABLE}.item.cpu_platform ;; - group_label: "Item" - group_item_label: "CPU Platform" - } - - dimension: item__manufacturer { - type: string - sql: ${TABLE}.item.manufacturer ;; - group_label: "Item" - group_item_label: "Manufacturer" - } - - dimension: item__model { - type: string - sql: ${TABLE}.item.model ;; - group_label: "Item" - group_item_label: "Model" - } - - dimension: item__ram { - type: number - sql: ${TABLE}.item.ram ;; - group_label: "Item" - group_item_label: "Ram" - } - - dimension: item__serial_number { - type: string - sql: ${TABLE}.item.serial_number ;; - group_label: "Item" - group_item_label: "Serial Number" - } -} - -view: 
udm_events_gcs__security_result__list__item__about__user__phone_numbers__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__principal__file__pe_file__resources_language_count__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: number - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__principal__asset__software__list__item__permissions__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__observer__process__file__pe_file__signature_info__signer__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__observer__user_management_chain__list__item__department__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__src__user_management_chain__list__item__email_addresses__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__about__list__item__resource__attribute__permissions__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__intermediary__list__item__file__pe_file__imports__list { - 
dimension: item__functions__list { - hidden: yes - sql: ${TABLE}.item.functions.list ;; - group_label: "Item Functions" - group_item_label: "List" - } - - dimension: item__library { - type: string - sql: ${TABLE}.item.library ;; - group_label: "Item" - group_item_label: "Library" - } -} - -view: udm_events_gcs__intermediary__list__item__group__attribute__roles__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__intermediary__list__item__group__attribute__labels__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: string - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__intermediary__list__item__process__command_line_history__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__security_result__list__item__about__asset__software__list { - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__permissions__list { - hidden: yes - sql: ${TABLE}.item.permissions.list ;; - group_label: "Item Permissions" - group_item_label: "List" - } - - dimension: item__version { - type: string - sql: ${TABLE}.item.version ;; - group_label: "Item" - group_item_label: "Version" - } -} - -view: udm_events_gcs__principal__process__file__pe_file__signature_info__signer__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: 
udm_events_gcs__principal__user_management_chain__list__item__department__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__src__process__file__pe_file__imports__list__item__functions__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__src__process_ancestors__list__item__command_line_history__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__about__list__item__process__file__pe_file__imports__list { - dimension: item__functions__list { - hidden: yes - sql: ${TABLE}.item.functions.list ;; - group_label: "Item Functions" - group_item_label: "List" - } - - dimension: item__library { - type: string - sql: ${TABLE}.item.library ;; - group_label: "Item" - group_item_label: "Library" - } -} - -view: udm_events_gcs__intermediary__list__item__file__pe_file__resource__list { - dimension: item__entropy { - type: number - sql: ${TABLE}.item.entropy ;; - group_label: "Item" - group_item_label: "Entropy" - } - - dimension: item__filetype_magic { - type: string - sql: ${TABLE}.item.filetype_magic ;; - group_label: "Item" - group_item_label: "Filetype Magic" - } - - dimension: item__language_code { - type: string - sql: ${TABLE}.item.language_code ;; - group_label: "Item" - group_item_label: "Language Code" - } - - dimension: item__resource_type { - type: string - sql: ${TABLE}.item.resource_type ;; - group_label: "Item" - group_item_label: "Resource Type" - } - - dimension: item__sha256_hex { - type: string - sql: ${TABLE}.item.sha256_hex ;; - group_label: "Item" - group_item_label: "Sha256 Hex" - } -} - -view: udm_events_gcs__intermediary__list__item__resource__attribute__roles__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: 
"Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__intermediary__list__item__resource__attribute__labels__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: string - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__security_result__list__item__about__user__email_addresses__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__target__process__file__pe_file__resources_type_count__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: number - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__target__user_management_chain__list__item__phone_numbers__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__src__process__file__pe_file__resources_language_count__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: number - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__src__resource_ancestors__list__item__attribute__roles__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: 
udm_events_gcs__src__resource_ancestors__list__item__attribute__labels__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: string - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__src__user_management_chain__list__item__group_identifiers__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__about__list__item__file__pe_file__resources_type_count__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: number - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__about__list__item__process__file__pe_file__resource__list { - dimension: item__entropy { - type: number - sql: ${TABLE}.item.entropy ;; - group_label: "Item" - group_item_label: "Entropy" - } - - dimension: item__filetype_magic { - type: string - sql: ${TABLE}.item.filetype_magic ;; - group_label: "Item" - group_item_label: "Filetype Magic" - } - - dimension: item__language_code { - type: string - sql: ${TABLE}.item.language_code ;; - group_label: "Item" - group_item_label: "Language Code" - } - - dimension: item__resource_type { - type: string - sql: ${TABLE}.item.resource_type ;; - group_label: "Item" - group_item_label: "Resource Type" - } - - dimension: item__sha256_hex { - type: string - sql: ${TABLE}.item.sha256_hex ;; - group_label: "Item" - group_item_label: "Sha256 Hex" - } -} - -view: udm_events_gcs__intermediary__list__item__process__file__capabilities_tags__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__security_result__list__item__about__process_ancestors__list { - dimension: item__access_mask { - type: number - sql: ${TABLE}.item.access_mask ;; - group_label: "Item" 
- group_item_label: "Access Mask" - } - - dimension: item__command_line { - type: string - sql: ${TABLE}.item.command_line ;; - group_label: "Item" - group_item_label: "Command Line" - } - - dimension: item__command_line_history__list { - hidden: yes - sql: ${TABLE}.item.command_line_history.list ;; - group_label: "Item Command Line History" - group_item_label: "List" - } - - dimension: item__file__ahash { - type: string - sql: ${TABLE}.item.file.ahash ;; - group_label: "Item File" - group_item_label: "Ahash" - } - - dimension: item__file__capabilities_tags__list { - hidden: yes - sql: ${TABLE}.item.file.capabilities_tags.list ;; - group_label: "Item File Capabilities Tags" - group_item_label: "List" - } - - dimension: item__file__file_type { - type: number - sql: ${TABLE}.item.file.file_type ;; - group_label: "Item File" - group_item_label: "File Type" - } - - dimension: item__file__full_path { - type: string - sql: ${TABLE}.item.file.full_path ;; - group_label: "Item File" - group_item_label: "Full Path" - } - - dimension: item__file__md5 { - type: string - sql: ${TABLE}.item.file.md5 ;; - group_label: "Item File" - group_item_label: "Md5" - } - - dimension: item__file__mime_type { - type: string - sql: ${TABLE}.item.file.mime_type ;; - group_label: "Item File" - group_item_label: "Mime Type" - } - - dimension: item__file__names__list { - hidden: yes - sql: ${TABLE}.item.file.names.list ;; - group_label: "Item File Names" - group_item_label: "List" - } - - dimension: item__file__pe_file__compilation_exiftool_time { - type: string - sql: ${TABLE}.item.file.pe_file.compilation_exiftool_time ;; - group_label: "Item File Pe File" - group_item_label: "Compilation Exiftool Time" - } - - dimension: item__file__pe_file__compilation_time { - type: string - sql: ${TABLE}.item.file.pe_file.compilation_time ;; - group_label: "Item File Pe File" - group_item_label: "Compilation Time" - } - - dimension: item__file__pe_file__entry_point { - type: number - sql: 
${TABLE}.item.file.pe_file.entry_point ;; - group_label: "Item File Pe File" - group_item_label: "Entry Point" - } - - dimension: item__file__pe_file__entry_point_exiftool { - type: number - sql: ${TABLE}.item.file.pe_file.entry_point_exiftool ;; - group_label: "Item File Pe File" - group_item_label: "Entry Point Exiftool" - } - - dimension: item__file__pe_file__imphash { - type: string - sql: ${TABLE}.item.file.pe_file.imphash ;; - group_label: "Item File Pe File" - group_item_label: "Imphash" - } - - dimension: item__file__pe_file__imports__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.imports.list ;; - group_label: "Item File Pe File Imports" - group_item_label: "List" - } - - dimension: item__file__pe_file__resource__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.resource.list ;; - group_label: "Item File Pe File Resource" - group_item_label: "List" - } - - dimension: item__file__pe_file__resources_language_count__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.resources_language_count.list ;; - group_label: "Item File Pe File Resources Language Count" - group_item_label: "List" - } - - dimension: item__file__pe_file__resources_type_count__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.resources_type_count.list ;; - group_label: "Item File Pe File Resources Type Count" - group_item_label: "List" - } - - dimension: item__file__pe_file__section__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.section.list ;; - group_label: "Item File Pe File Section" - group_item_label: "List" - } - - dimension: item__file__pe_file__signature_info__signer__list { - hidden: yes - sql: ${TABLE}.item.file.pe_file.signature_info.signer.list ;; - group_label: "Item File Pe File Signature Info Signer" - group_item_label: "List" - } - - dimension: item__file__pe_file__signature_info__verification_message { - type: string - sql: ${TABLE}.item.file.pe_file.signature_info.verification_message ;; - group_label: "Item File Pe File Signature Info" - 
group_item_label: "Verification Message" - } - - dimension: item__file__pe_file__signature_info__verified { - type: yesno - sql: ${TABLE}.item.file.pe_file.signature_info.verified ;; - group_label: "Item File Pe File Signature Info" - group_item_label: "Verified" - } - - dimension: item__file__sha1 { - type: string - sql: ${TABLE}.item.file.sha1 ;; - group_label: "Item File" - group_item_label: "Sha1" - } - - dimension: item__file__sha256 { - type: string - sql: ${TABLE}.item.file.sha256 ;; - group_label: "Item File" - group_item_label: "Sha256" - } - - dimension: item__file__size { - type: number - sql: ${TABLE}.item.file.size ;; - group_label: "Item File" - group_item_label: "Size" - } - - dimension: item__file__ssdeep { - type: string - sql: ${TABLE}.item.file.ssdeep ;; - group_label: "Item File" - group_item_label: "Ssdeep" - } - - dimension: item__file__vhash { - type: string - sql: ${TABLE}.item.file.vhash ;; - group_label: "Item File" - group_item_label: "Vhash" - } - - dimension: item__pid { - type: string - sql: ${TABLE}.item.pid ;; - group_label: "Item" - group_item_label: "Pid" - } - - dimension: item__product_specific_process_id { - type: string - sql: ${TABLE}.item.product_specific_process_id ;; - group_label: "Item" - group_item_label: "Product Specific Process ID" - } -} - -view: udm_events_gcs__observer__process__file__pe_file__resources_type_count__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: number - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__observer__user_management_chain__list__item__phone_numbers__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__src__process_ancestors__list__item__file__capabilities_tags__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: 
udm_events_gcs__about__list__item__process_ancestors__list__item__file__names__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__intermediary__list__item__user__attribute__permissions__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__security_result__list__item__about__file__capabilities_tags__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__security_result__list__item__about__investigation__comments__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__security_result__list__item__about__user__group_identifiers__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__target__user_management_chain__list__item__email_addresses__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__principal__process__file__pe_file__resources_type_count__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: number - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__principal__user_management_chain__list__item__phone_numbers__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__intermediary__list__item__asset__attribute__permissions__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" 
- } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__security_result__list__item__about__group__email_addresses__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__security_result__list__item__about__resource_ancestors__list { - dimension: item__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.item.attribute.cloud.availability_zone ;; - group_label: "Item Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: item__attribute__cloud__environment { - type: number - sql: ${TABLE}.item.attribute.cloud.environment ;; - group_label: "Item Attribute Cloud" - group_item_label: "Environment" - } - - dimension: item__attribute__creation_time { - type: string - sql: ${TABLE}.item.attribute.creation_time ;; - group_label: "Item Attribute" - group_item_label: "Creation Time" - } - - dimension: item__attribute__labels__list { - hidden: yes - sql: ${TABLE}.item.attribute.labels.list ;; - group_label: "Item Attribute Labels" - group_item_label: "List" - } - - dimension: item__attribute__last_update_time { - type: string - sql: ${TABLE}.item.attribute.last_update_time ;; - group_label: "Item Attribute" - group_item_label: "Last Update Time" - } - - dimension: item__attribute__permissions__list { - hidden: yes - sql: ${TABLE}.item.attribute.permissions.list ;; - group_label: "Item Attribute Permissions" - group_item_label: "List" - } - - dimension: item__attribute__roles__list { - hidden: yes - sql: ${TABLE}.item.attribute.roles.list ;; - group_label: "Item Attribute Roles" - group_item_label: "List" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__product_object_id { - 
type: string - sql: ${TABLE}.item.product_object_id ;; - group_label: "Item" - group_item_label: "Product Object ID" - } - - dimension: item__resource_subtype { - type: string - sql: ${TABLE}.item.resource_subtype ;; - group_label: "Item" - group_item_label: "Resource Subtype" - } - - dimension: item__resource_type { - type: number - sql: ${TABLE}.item.resource_type ;; - group_label: "Item" - group_item_label: "Resource Type" - } -} - -view: udm_events_gcs__target__process__file__pe_file__imports__list__item__functions__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__target__process_ancestors__list__item__command_line_history__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__observer__user_management_chain__list__item__email_addresses__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__src__user_management_chain__list__item__time_off__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__interval__end_time { - type: string - sql: ${TABLE}.item.`interval`.end_time ;; - group_label: "Item Interval" - group_item_label: "End Time" - } - - dimension: item__interval__start_time { - type: string - sql: ${TABLE}.item.`interval`.start_time ;; - group_label: "Item Interval" - group_item_label: "Start Time" - } -} - -view: udm_events_gcs__src__user_management_chain__list__item__attribute__roles__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: 
udm_events_gcs__src__user_management_chain__list__item__attribute__labels__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: string - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__about__list__item__file__pe_file__imports__list__item__functions__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__intermediary__list__item__process__file__pe_file__section__list { - dimension: item__entropy { - type: number - sql: ${TABLE}.item.entropy ;; - group_label: "Item" - group_item_label: "Entropy" - } - - dimension: item__md5_hex { - type: string - sql: ${TABLE}.item.md5_hex ;; - group_label: "Item" - group_item_label: "Md5 Hex" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__raw_size_bytes { - type: number - sql: ${TABLE}.item.raw_size_bytes ;; - group_label: "Item" - group_item_label: "Raw Size Bytes" - } - - dimension: item__virtual_size_bytes { - type: number - sql: ${TABLE}.item.virtual_size_bytes ;; - group_label: "Item" - group_item_label: "Virtual Size Bytes" - } -} - -view: udm_events_gcs__target__process__file__pe_file__resources_language_count__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: number - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__target__resource_ancestors__list__item__attribute__roles__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" 
- } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__target__resource_ancestors__list__item__attribute__labels__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: string - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__target__user_management_chain__list__item__group_identifiers__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__principal__user_management_chain__list__item__email_addresses__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__observer__process__file__pe_file__imports__list__item__functions__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__observer__process_ancestors__list__item__command_line_history__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__src__process_ancestors__list__item__file__pe_file__section__list { - dimension: item__entropy { - type: number - sql: ${TABLE}.item.entropy ;; - group_label: "Item" - group_item_label: "Entropy" - } - - dimension: item__md5_hex { - type: string - sql: ${TABLE}.item.md5_hex ;; - group_label: "Item" - group_item_label: "Md5 Hex" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__raw_size_bytes { - type: number - sql: ${TABLE}.item.raw_size_bytes ;; - group_label: "Item" - group_item_label: "Raw Size Bytes" - } - - dimension: item__virtual_size_bytes { - type: number - sql: ${TABLE}.item.virtual_size_bytes ;; - group_label: "Item" - group_item_label: "Virtual Size Bytes" - } -} - -view: 
udm_events_gcs__about__list__item__file__pe_file__resources_language_count__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: number - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__about__list__item__asset__software__list__item__permissions__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__intermediary__list__item__file__pe_file__signature_info__signer__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__intermediary__list__item__group__attribute__permissions__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__security_result__list__item__about__file__pe_file__section__list { - dimension: item__entropy { - type: number - sql: ${TABLE}.item.entropy ;; - group_label: "Item" - group_item_label: "Entropy" - } - - dimension: item__md5_hex { - type: string - sql: ${TABLE}.item.md5_hex ;; - group_label: "Item" - group_item_label: "Md5 Hex" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__raw_size_bytes { - 
type: number - sql: ${TABLE}.item.raw_size_bytes ;; - group_label: "Item" - group_item_label: "Raw Size Bytes" - } - - dimension: item__virtual_size_bytes { - type: number - sql: ${TABLE}.item.virtual_size_bytes ;; - group_label: "Item" - group_item_label: "Virtual Size Bytes" - } -} - -view: udm_events_gcs__security_result__list__item__about__user__time_off__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__interval__end_time { - type: string - sql: ${TABLE}.item.`interval`.end_time ;; - group_label: "Item Interval" - group_item_label: "End Time" - } - - dimension: item__interval__start_time { - type: string - sql: ${TABLE}.item.`interval`.start_time ;; - group_label: "Item Interval" - group_item_label: "Start Time" - } -} - -view: udm_events_gcs__security_result__list__item__about__user__attribute__roles__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__security_result__list__item__about__user__attribute__labels__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: string - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__target__process_ancestors__list__item__file__capabilities_tags__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__principal__process__file__pe_file__imports__list__item__functions__list { - dimension: item { - type: string - sql: 
${TABLE}.item ;; - } -} - -view: udm_events_gcs__principal__process_ancestors__list__item__command_line_history__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__observer__process__file__pe_file__resources_language_count__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: number - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__observer__resource_ancestors__list__item__attribute__roles__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__observer__resource_ancestors__list__item__attribute__labels__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: string - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__observer__user_management_chain__list__item__group_identifiers__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__about__list__item__process__file__pe_file__signature_info__signer__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__about__list__item__user_management_chain__list__item__department__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__intermediary__list__item__resource__attribute__permissions__list { - dimension: item__description { - type: string - sql: 
${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__security_result__list__item__about__asset__vulnerabilities__list { - dimension: item__cve_description { - type: string - sql: ${TABLE}.item.cve_description ;; - group_label: "Item" - group_item_label: "Cve Description" - } - - dimension: item__cve_id { - type: string - sql: ${TABLE}.item.cve_id ;; - group_label: "Item" - group_item_label: "Cve ID" - } - - dimension: item__cvss_base_score { - type: number - sql: ${TABLE}.item.cvss_base_score ;; - group_label: "Item" - group_item_label: "Cvss Base Score" - } - - dimension: item__cvss_vector { - type: string - sql: ${TABLE}.item.cvss_vector ;; - group_label: "Item" - group_item_label: "Cvss Vector" - } - - dimension: item__cvss_version { - type: string - sql: ${TABLE}.item.cvss_version ;; - group_label: "Item" - group_item_label: "Cvss Version" - } - - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__first_found { - type: string - sql: ${TABLE}.item.first_found ;; - group_label: "Item" - group_item_label: "First Found" - } - - dimension: item__last_found { - type: string - sql: ${TABLE}.item.last_found ;; - group_label: "Item" - group_item_label: "Last Found" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__scan_end_time { - type: string - sql: ${TABLE}.item.scan_end_time ;; - group_label: "Item" - group_item_label: "Scan End Time" - } - - dimension: item__scan_start_time { - type: string - sql: ${TABLE}.item.scan_start_time ;; - group_label: 
"Item" - group_item_label: "Scan Start Time" - } - - dimension: item__severity { - type: number - sql: ${TABLE}.item.severity ;; - group_label: "Item" - group_item_label: "Severity" - } - - dimension: item__severity_details { - type: string - sql: ${TABLE}.item.severity_details ;; - group_label: "Item" - group_item_label: "Severity Details" - } - - dimension: item__vendor { - type: string - sql: ${TABLE}.item.vendor ;; - group_label: "Item" - group_item_label: "Vendor" - } - - dimension: item__vendor_knowledge_base_article_id { - type: string - sql: ${TABLE}.item.vendor_knowledge_base_article_id ;; - group_label: "Item" - group_item_label: "Vendor Knowledge Base Article ID" - } - - dimension: item__vendor_vulnerability_id { - type: string - sql: ${TABLE}.item.vendor_vulnerability_id ;; - group_label: "Item" - group_item_label: "Vendor Vulnerability ID" - } -} - -view: udm_events_gcs__security_result__list__item__about__asset__attribute__roles__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__security_result__list__item__about__asset__attribute__labels__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: string - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__principal__process__file__pe_file__resources_language_count__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: number - sql: ${TABLE}.item.value ;; - 
group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__principal__resource_ancestors__list__item__attribute__roles__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__principal__resource_ancestors__list__item__attribute__labels__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: string - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__principal__user_management_chain__list__item__group_identifiers__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__observer__process_ancestors__list__item__file__capabilities_tags__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__src__resource_ancestors__list__item__attribute__permissions__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__intermediary__list__item__process__file__pe_file__imports__list { - dimension: item__functions__list { - hidden: yes - sql: ${TABLE}.item.functions.list ;; - group_label: "Item Functions" - group_item_label: "List" - } - - dimension: item__library { - type: string - 
sql: ${TABLE}.item.library ;; - group_label: "Item" - group_item_label: "Library" - } -} - -view: udm_events_gcs__security_result__list__item__about__user_management_chain__list { - dimension: item__account_type { - type: number - sql: ${TABLE}.item.account_type ;; - group_label: "Item" - group_item_label: "Account Type" - } - - dimension: item__attribute__cloud__availability_zone { - type: string - sql: ${TABLE}.item.attribute.cloud.availability_zone ;; - group_label: "Item Attribute Cloud" - group_item_label: "Availability Zone" - } - - dimension: item__attribute__cloud__environment { - type: number - sql: ${TABLE}.item.attribute.cloud.environment ;; - group_label: "Item Attribute Cloud" - group_item_label: "Environment" - } - - dimension: item__attribute__creation_time { - type: string - sql: ${TABLE}.item.attribute.creation_time ;; - group_label: "Item Attribute" - group_item_label: "Creation Time" - } - - dimension: item__attribute__labels__list { - hidden: yes - sql: ${TABLE}.item.attribute.labels.list ;; - group_label: "Item Attribute Labels" - group_item_label: "List" - } - - dimension: item__attribute__last_update_time { - type: string - sql: ${TABLE}.item.attribute.last_update_time ;; - group_label: "Item Attribute" - group_item_label: "Last Update Time" - } - - dimension: item__attribute__permissions__list { - hidden: yes - sql: ${TABLE}.item.attribute.permissions.list ;; - group_label: "Item Attribute Permissions" - group_item_label: "List" - } - - dimension: item__attribute__roles__list { - hidden: yes - sql: ${TABLE}.item.attribute.roles.list ;; - group_label: "Item Attribute Roles" - group_item_label: "List" - } - - dimension: item__company_name { - type: string - sql: ${TABLE}.item.company_name ;; - group_label: "Item" - group_item_label: "Company Name" - } - - dimension: item__department__list { - hidden: yes - sql: ${TABLE}.item.department.list ;; - group_label: "Item Department" - group_item_label: "List" - } - - dimension: 
item__email_addresses__list { - hidden: yes - sql: ${TABLE}.item.email_addresses.list ;; - group_label: "Item Email Addresses" - group_item_label: "List" - } - - dimension: item__employee_id { - type: string - sql: ${TABLE}.item.employee_id ;; - group_label: "Item" - group_item_label: "Employee ID" - } - - dimension: item__first_name { - type: string - sql: ${TABLE}.item.first_name ;; - group_label: "Item" - group_item_label: "First Name" - } - - dimension: item__group_identifiers__list { - hidden: yes - sql: ${TABLE}.item.group_identifiers.list ;; - group_label: "Item Group Identifiers" - group_item_label: "List" - } - - dimension: item__hire_date { - type: string - sql: ${TABLE}.item.hire_date ;; - group_label: "Item" - group_item_label: "Hire Date" - } - - dimension: item__last_name { - type: string - sql: ${TABLE}.item.last_name ;; - group_label: "Item" - group_item_label: "Last Name" - } - - dimension: item__middle_name { - type: string - sql: ${TABLE}.item.middle_name ;; - group_label: "Item" - group_item_label: "Middle Name" - } - - dimension: item__office_address__city { - type: string - sql: ${TABLE}.item.office_address.city ;; - group_label: "Item Office Address" - group_item_label: "City" - } - - dimension: item__office_address__country_or_region { - type: string - sql: ${TABLE}.item.office_address.country_or_region ;; - group_label: "Item Office Address" - group_item_label: "Country or Region" - } - - dimension: item__office_address__desk_name { - type: string - sql: ${TABLE}.item.office_address.desk_name ;; - group_label: "Item Office Address" - group_item_label: "Desk Name" - } - - dimension: item__office_address__floor_name { - type: string - sql: ${TABLE}.item.office_address.floor_name ;; - group_label: "Item Office Address" - group_item_label: "Floor Name" - } - - dimension: item__office_address__name { - type: string - sql: ${TABLE}.item.office_address.name ;; - group_label: "Item Office Address" - group_item_label: "Name" - } - - dimension: 
item__office_address__region_latitude { - type: number - sql: ${TABLE}.item.office_address.region_latitude ;; - group_label: "Item Office Address" - group_item_label: "Region Latitude" - } - - dimension: item__office_address__region_longitude { - type: number - sql: ${TABLE}.item.office_address.region_longitude ;; - group_label: "Item Office Address" - group_item_label: "Region Longitude" - } - - dimension: item__office_address__state { - type: string - sql: ${TABLE}.item.office_address.state ;; - group_label: "Item Office Address" - group_item_label: "State" - } - - dimension: item__personal_address__city { - type: string - sql: ${TABLE}.item.personal_address.city ;; - group_label: "Item Personal Address" - group_item_label: "City" - } - - dimension: item__personal_address__country_or_region { - type: string - sql: ${TABLE}.item.personal_address.country_or_region ;; - group_label: "Item Personal Address" - group_item_label: "Country or Region" - } - - dimension: item__personal_address__desk_name { - type: string - sql: ${TABLE}.item.personal_address.desk_name ;; - group_label: "Item Personal Address" - group_item_label: "Desk Name" - } - - dimension: item__personal_address__floor_name { - type: string - sql: ${TABLE}.item.personal_address.floor_name ;; - group_label: "Item Personal Address" - group_item_label: "Floor Name" - } - - dimension: item__personal_address__name { - type: string - sql: ${TABLE}.item.personal_address.name ;; - group_label: "Item Personal Address" - group_item_label: "Name" - } - - dimension: item__personal_address__region_latitude { - type: number - sql: ${TABLE}.item.personal_address.region_latitude ;; - group_label: "Item Personal Address" - group_item_label: "Region Latitude" - } - - dimension: item__personal_address__region_longitude { - type: number - sql: ${TABLE}.item.personal_address.region_longitude ;; - group_label: "Item Personal Address" - group_item_label: "Region Longitude" - } - - dimension: item__personal_address__state { - 
type: string - sql: ${TABLE}.item.personal_address.state ;; - group_label: "Item Personal Address" - group_item_label: "State" - } - - dimension: item__phone_numbers__list { - hidden: yes - sql: ${TABLE}.item.phone_numbers.list ;; - group_label: "Item Phone Numbers" - group_item_label: "List" - } - - dimension: item__product_object_id { - type: string - sql: ${TABLE}.item.product_object_id ;; - group_label: "Item" - group_item_label: "Product Object ID" - } - - dimension: item__termination_date { - type: string - sql: ${TABLE}.item.termination_date ;; - group_label: "Item" - group_item_label: "Termination Date" - } - - dimension: item__time_off__list { - hidden: yes - sql: ${TABLE}.item.time_off.list ;; - group_label: "Item Time Off" - group_item_label: "List" - } - - dimension: item__title { - type: string - sql: ${TABLE}.item.title ;; - group_label: "Item" - group_item_label: "Title" - } - - dimension: item__user_authentication_status { - type: number - sql: ${TABLE}.item.user_authentication_status ;; - group_label: "Item" - group_item_label: "User Authentication Status" - } - - dimension: item__user_display_name { - type: string - sql: ${TABLE}.item.user_display_name ;; - group_label: "Item" - group_item_label: "User Display Name" - } - - dimension: item__userid { - type: string - sql: ${TABLE}.item.userid ;; - group_label: "Item" - group_item_label: "Userid" - } - - dimension: item__windows_sid { - type: string - sql: ${TABLE}.item.windows_sid ;; - group_label: "Item" - group_item_label: "Windows Sid" - } -} - -view: udm_events_gcs__target__user_management_chain__list__item__time_off__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__interval__end_time { - type: string - sql: ${TABLE}.item.`interval`.end_time ;; - group_label: "Item Interval" - group_item_label: "End Time" - } - - dimension: item__interval__start_time { - type: string - sql: 
${TABLE}.item.`interval`.start_time ;; - group_label: "Item Interval" - group_item_label: "Start Time" - } -} - -view: udm_events_gcs__target__user_management_chain__list__item__attribute__roles__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__target__user_management_chain__list__item__attribute__labels__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: string - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__principal__process_ancestors__list__item__file__capabilities_tags__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__src__process_ancestors__list__item__file__pe_file__imports__list { - dimension: item__functions__list { - hidden: yes - sql: ${TABLE}.item.functions.list ;; - group_label: "Item Functions" - group_item_label: "List" - } - - dimension: item__library { - type: string - sql: ${TABLE}.item.library ;; - group_label: "Item" - group_item_label: "Library" - } -} - -view: udm_events_gcs__intermediary__list__item__file__pe_file__resources_type_count__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: number - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__intermediary__list__item__process__file__pe_file__resource__list { - dimension: item__entropy { - type: number - sql: 
${TABLE}.item.entropy ;; - group_label: "Item" - group_item_label: "Entropy" - } - - dimension: item__filetype_magic { - type: string - sql: ${TABLE}.item.filetype_magic ;; - group_label: "Item" - group_item_label: "Filetype Magic" - } - - dimension: item__language_code { - type: string - sql: ${TABLE}.item.language_code ;; - group_label: "Item" - group_item_label: "Language Code" - } - - dimension: item__resource_type { - type: string - sql: ${TABLE}.item.resource_type ;; - group_label: "Item" - group_item_label: "Resource Type" - } - - dimension: item__sha256_hex { - type: string - sql: ${TABLE}.item.sha256_hex ;; - group_label: "Item" - group_item_label: "Sha256 Hex" - } -} - -view: udm_events_gcs__security_result__list__item__about__file__pe_file__imports__list { - dimension: item__functions__list { - hidden: yes - sql: ${TABLE}.item.functions.list ;; - group_label: "Item Functions" - group_item_label: "List" - } - - dimension: item__library { - type: string - sql: ${TABLE}.item.library ;; - group_label: "Item" - group_item_label: "Library" - } -} - -view: udm_events_gcs__security_result__list__item__about__group__attribute__roles__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__security_result__list__item__about__group__attribute__labels__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: string - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__security_result__list__item__about__process__command_line_history__list 
{ - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__target__process_ancestors__list__item__file__pe_file__section__list { - dimension: item__entropy { - type: number - sql: ${TABLE}.item.entropy ;; - group_label: "Item" - group_item_label: "Entropy" - } - - dimension: item__md5_hex { - type: string - sql: ${TABLE}.item.md5_hex ;; - group_label: "Item" - group_item_label: "Md5 Hex" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__raw_size_bytes { - type: number - sql: ${TABLE}.item.raw_size_bytes ;; - group_label: "Item" - group_item_label: "Raw Size Bytes" - } - - dimension: item__virtual_size_bytes { - type: number - sql: ${TABLE}.item.virtual_size_bytes ;; - group_label: "Item" - group_item_label: "Virtual Size Bytes" - } -} - -view: udm_events_gcs__observer__user_management_chain__list__item__time_off__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__interval__end_time { - type: string - sql: ${TABLE}.item.`interval`.end_time ;; - group_label: "Item Interval" - group_item_label: "End Time" - } - - dimension: item__interval__start_time { - type: string - sql: ${TABLE}.item.`interval`.start_time ;; - group_label: "Item Interval" - group_item_label: "Start Time" - } -} - -view: udm_events_gcs__observer__user_management_chain__list__item__attribute__roles__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: 
udm_events_gcs__observer__user_management_chain__list__item__attribute__labels__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: string - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__src__process_ancestors__list__item__file__pe_file__resource__list { - dimension: item__entropy { - type: number - sql: ${TABLE}.item.entropy ;; - group_label: "Item" - group_item_label: "Entropy" - } - - dimension: item__filetype_magic { - type: string - sql: ${TABLE}.item.filetype_magic ;; - group_label: "Item" - group_item_label: "Filetype Magic" - } - - dimension: item__language_code { - type: string - sql: ${TABLE}.item.language_code ;; - group_label: "Item" - group_item_label: "Language Code" - } - - dimension: item__resource_type { - type: string - sql: ${TABLE}.item.resource_type ;; - group_label: "Item" - group_item_label: "Resource Type" - } - - dimension: item__sha256_hex { - type: string - sql: ${TABLE}.item.sha256_hex ;; - group_label: "Item" - group_item_label: "Sha256 Hex" - } -} - -view: udm_events_gcs__about__list__item__process__file__pe_file__resources_type_count__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: number - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__about__list__item__user_management_chain__list__item__phone_numbers__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__intermediary__list__item__process_ancestors__list__item__file__names__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__security_result__list__item__about__file__pe_file__resource__list { - dimension: item__entropy { - type: number - sql: 
${TABLE}.item.entropy ;; - group_label: "Item" - group_item_label: "Entropy" - } - - dimension: item__filetype_magic { - type: string - sql: ${TABLE}.item.filetype_magic ;; - group_label: "Item" - group_item_label: "Filetype Magic" - } - - dimension: item__language_code { - type: string - sql: ${TABLE}.item.language_code ;; - group_label: "Item" - group_item_label: "Language Code" - } - - dimension: item__resource_type { - type: string - sql: ${TABLE}.item.resource_type ;; - group_label: "Item" - group_item_label: "Resource Type" - } - - dimension: item__sha256_hex { - type: string - sql: ${TABLE}.item.sha256_hex ;; - group_label: "Item" - group_item_label: "Sha256 Hex" - } -} - -view: udm_events_gcs__security_result__list__item__about__resource__attribute__roles__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__security_result__list__item__about__resource__attribute__labels__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: string - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__principal__user_management_chain__list__item__time_off__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__interval__end_time { - type: string - sql: ${TABLE}.item.`interval`.end_time ;; - group_label: "Item Interval" - group_item_label: "End Time" - } - - dimension: item__interval__start_time { - type: string - sql: 
${TABLE}.item.`interval`.start_time ;; - group_label: "Item Interval" - group_item_label: "Start Time" - } -} - -view: udm_events_gcs__principal__user_management_chain__list__item__attribute__roles__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__principal__user_management_chain__list__item__attribute__labels__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: string - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__observer__process_ancestors__list__item__file__pe_file__section__list { - dimension: item__entropy { - type: number - sql: ${TABLE}.item.entropy ;; - group_label: "Item" - group_item_label: "Entropy" - } - - dimension: item__md5_hex { - type: string - sql: ${TABLE}.item.md5_hex ;; - group_label: "Item" - group_item_label: "Md5 Hex" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__raw_size_bytes { - type: number - sql: ${TABLE}.item.raw_size_bytes ;; - group_label: "Item" - group_item_label: "Raw Size Bytes" - } - - dimension: item__virtual_size_bytes { - type: number - sql: ${TABLE}.item.virtual_size_bytes ;; - group_label: "Item" - group_item_label: "Virtual Size Bytes" - } -} - -view: udm_events_gcs__src__user_management_chain__list__item__attribute__permissions__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" 
- } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__security_result__list__item__about__process__file__capabilities_tags__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__target__resource_ancestors__list__item__attribute__permissions__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__principal__process_ancestors__list__item__file__pe_file__section__list { - dimension: item__entropy { - type: number - sql: ${TABLE}.item.entropy ;; - group_label: "Item" - group_item_label: "Entropy" - } - - dimension: item__md5_hex { - type: string - sql: ${TABLE}.item.md5_hex ;; - group_label: "Item" - group_item_label: "Md5 Hex" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__raw_size_bytes { - type: number - sql: ${TABLE}.item.raw_size_bytes ;; - group_label: "Item" - group_item_label: "Raw Size Bytes" - } - - dimension: item__virtual_size_bytes { - type: number - sql: ${TABLE}.item.virtual_size_bytes ;; - group_label: "Item" - group_item_label: "Virtual Size Bytes" - } -} - -view: udm_events_gcs__about__list__item__user_management_chain__list__item__email_addresses__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: 
udm_events_gcs__intermediary__list__item__file__pe_file__imports__list__item__functions__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__security_result__list__item__about__user__attribute__permissions__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__target__process_ancestors__list__item__file__pe_file__imports__list { - dimension: item__functions__list { - hidden: yes - sql: ${TABLE}.item.functions.list ;; - group_label: "Item Functions" - group_item_label: "List" - } - - dimension: item__library { - type: string - sql: ${TABLE}.item.library ;; - group_label: "Item" - group_item_label: "Library" - } -} - -view: udm_events_gcs__observer__resource_ancestors__list__item__attribute__permissions__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__about__list__item__process__file__pe_file__imports__list__item__functions__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__about__list__item__process_ancestors__list__item__command_line_history__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__intermediary__list__item__file__pe_file__resources_language_count__list { - dimension: 
item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: number - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__intermediary__list__item__asset__software__list__item__permissions__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__security_result__list__item__about__asset__attribute__permissions__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__target__process_ancestors__list__item__file__pe_file__resource__list { - dimension: item__entropy { - type: number - sql: ${TABLE}.item.entropy ;; - group_label: "Item" - group_item_label: "Entropy" - } - - dimension: item__filetype_magic { - type: string - sql: ${TABLE}.item.filetype_magic ;; - group_label: "Item" - group_item_label: "Filetype Magic" - } - - dimension: item__language_code { - type: string - sql: ${TABLE}.item.language_code ;; - group_label: "Item" - group_item_label: "Language Code" - } - - dimension: item__resource_type { - type: string - sql: ${TABLE}.item.resource_type ;; - group_label: "Item" - group_item_label: "Resource Type" - } - - dimension: item__sha256_hex { - type: string - sql: ${TABLE}.item.sha256_hex 
;; - group_label: "Item" - group_item_label: "Sha256 Hex" - } -} - -view: udm_events_gcs__principal__resource_ancestors__list__item__attribute__permissions__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__observer__process_ancestors__list__item__file__pe_file__imports__list { - dimension: item__functions__list { - hidden: yes - sql: ${TABLE}.item.functions.list ;; - group_label: "Item Functions" - group_item_label: "List" - } - - dimension: item__library { - type: string - sql: ${TABLE}.item.library ;; - group_label: "Item" - group_item_label: "Library" - } -} - -view: udm_events_gcs__about__list__item__process__file__pe_file__resources_language_count__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: number - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__about__list__item__resource_ancestors__list__item__attribute__roles__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__about__list__item__resource_ancestors__list__item__attribute__labels__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - 
group_item_label: "Key" - } - - dimension: item__value { - type: string - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__about__list__item__user_management_chain__list__item__group_identifiers__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__intermediary__list__item__process__file__pe_file__signature_info__signer__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__intermediary__list__item__user_management_chain__list__item__department__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__security_result__list__item__about__process__file__pe_file__section__list { - dimension: item__entropy { - type: number - sql: ${TABLE}.item.entropy ;; - group_label: "Item" - group_item_label: "Entropy" - } - - dimension: item__md5_hex { - type: string - sql: ${TABLE}.item.md5_hex ;; - group_label: "Item" - group_item_label: "Md5 Hex" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__raw_size_bytes { - type: number - sql: ${TABLE}.item.raw_size_bytes ;; - group_label: "Item" - group_item_label: "Raw Size Bytes" - } - - dimension: item__virtual_size_bytes { - type: number - sql: ${TABLE}.item.virtual_size_bytes ;; - group_label: "Item" - group_item_label: "Virtual Size Bytes" - } -} - -view: udm_events_gcs__target__user_management_chain__list__item__attribute__permissions__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: 
udm_events_gcs__principal__process_ancestors__list__item__file__pe_file__imports__list { - dimension: item__functions__list { - hidden: yes - sql: ${TABLE}.item.functions.list ;; - group_label: "Item Functions" - group_item_label: "List" - } - - dimension: item__library { - type: string - sql: ${TABLE}.item.library ;; - group_label: "Item" - group_item_label: "Library" - } -} - -view: udm_events_gcs__observer__process_ancestors__list__item__file__pe_file__resource__list { - dimension: item__entropy { - type: number - sql: ${TABLE}.item.entropy ;; - group_label: "Item" - group_item_label: "Entropy" - } - - dimension: item__filetype_magic { - type: string - sql: ${TABLE}.item.filetype_magic ;; - group_label: "Item" - group_item_label: "Filetype Magic" - } - - dimension: item__language_code { - type: string - sql: ${TABLE}.item.language_code ;; - group_label: "Item" - group_item_label: "Language Code" - } - - dimension: item__resource_type { - type: string - sql: ${TABLE}.item.resource_type ;; - group_label: "Item" - group_item_label: "Resource Type" - } - - dimension: item__sha256_hex { - type: string - sql: ${TABLE}.item.sha256_hex ;; - group_label: "Item" - group_item_label: "Sha256 Hex" - } -} - -view: udm_events_gcs__src__process_ancestors__list__item__file__pe_file__signature_info__signer__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__about__list__item__process_ancestors__list__item__file__capabilities_tags__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__security_result__list__item__about__file__pe_file__signature_info__signer__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__security_result__list__item__about__group__attribute__permissions__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: 
item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__principal__process_ancestors__list__item__file__pe_file__resource__list { - dimension: item__entropy { - type: number - sql: ${TABLE}.item.entropy ;; - group_label: "Item" - group_item_label: "Entropy" - } - - dimension: item__filetype_magic { - type: string - sql: ${TABLE}.item.filetype_magic ;; - group_label: "Item" - group_item_label: "Filetype Magic" - } - - dimension: item__language_code { - type: string - sql: ${TABLE}.item.language_code ;; - group_label: "Item" - group_item_label: "Language Code" - } - - dimension: item__resource_type { - type: string - sql: ${TABLE}.item.resource_type ;; - group_label: "Item" - group_item_label: "Resource Type" - } - - dimension: item__sha256_hex { - type: string - sql: ${TABLE}.item.sha256_hex ;; - group_label: "Item" - group_item_label: "Sha256 Hex" - } -} - -view: udm_events_gcs__observer__user_management_chain__list__item__attribute__permissions__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__security_result__list__item__about__resource__attribute__permissions__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: 
${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__principal__user_management_chain__list__item__attribute__permissions__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__about__list__item__user_management_chain__list__item__time_off__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__interval__end_time { - type: string - sql: ${TABLE}.item.`interval`.end_time ;; - group_label: "Item Interval" - group_item_label: "End Time" - } - - dimension: item__interval__start_time { - type: string - sql: ${TABLE}.item.`interval`.start_time ;; - group_label: "Item Interval" - group_item_label: "Start Time" - } -} - -view: udm_events_gcs__about__list__item__user_management_chain__list__item__attribute__roles__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__about__list__item__user_management_chain__list__item__attribute__labels__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: string - sql: ${TABLE}.item.value ;; - group_label: "Item" - 
group_item_label: "Value" - } -} - -view: udm_events_gcs__intermediary__list__item__process__file__pe_file__resources_type_count__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: number - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__intermediary__list__item__user_management_chain__list__item__phone_numbers__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__security_result__list__item__about__process__file__pe_file__imports__list { - dimension: item__functions__list { - hidden: yes - sql: ${TABLE}.item.functions.list ;; - group_label: "Item Functions" - group_item_label: "List" - } - - dimension: item__library { - type: string - sql: ${TABLE}.item.library ;; - group_label: "Item" - group_item_label: "Library" - } -} - -view: udm_events_gcs__src__process_ancestors__list__item__file__pe_file__resources_type_count__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: number - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__about__list__item__process_ancestors__list__item__file__pe_file__section__list { - dimension: item__entropy { - type: number - sql: ${TABLE}.item.entropy ;; - group_label: "Item" - group_item_label: "Entropy" - } - - dimension: item__md5_hex { - type: string - sql: ${TABLE}.item.md5_hex ;; - group_label: "Item" - group_item_label: "Md5 Hex" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__raw_size_bytes { - type: number - sql: ${TABLE}.item.raw_size_bytes ;; - group_label: "Item" - group_item_label: "Raw Size Bytes" - } - - dimension: 
item__virtual_size_bytes { - type: number - sql: ${TABLE}.item.virtual_size_bytes ;; - group_label: "Item" - group_item_label: "Virtual Size Bytes" - } -} - -view: udm_events_gcs__security_result__list__item__about__file__pe_file__resources_type_count__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: number - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__security_result__list__item__about__process__file__pe_file__resource__list { - dimension: item__entropy { - type: number - sql: ${TABLE}.item.entropy ;; - group_label: "Item" - group_item_label: "Entropy" - } - - dimension: item__filetype_magic { - type: string - sql: ${TABLE}.item.filetype_magic ;; - group_label: "Item" - group_item_label: "Filetype Magic" - } - - dimension: item__language_code { - type: string - sql: ${TABLE}.item.language_code ;; - group_label: "Item" - group_item_label: "Language Code" - } - - dimension: item__resource_type { - type: string - sql: ${TABLE}.item.resource_type ;; - group_label: "Item" - group_item_label: "Resource Type" - } - - dimension: item__sha256_hex { - type: string - sql: ${TABLE}.item.sha256_hex ;; - group_label: "Item" - group_item_label: "Sha256 Hex" - } -} - -view: udm_events_gcs__target__process_ancestors__list__item__file__pe_file__signature_info__signer__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__intermediary__list__item__user_management_chain__list__item__email_addresses__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__security_result__list__item__about__process_ancestors__list__item__file__names__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__observer__process_ancestors__list__item__file__pe_file__signature_info__signer__list { - 
dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__about__list__item__resource_ancestors__list__item__attribute__permissions__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__intermediary__list__item__process__file__pe_file__imports__list__item__functions__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__intermediary__list__item__process_ancestors__list__item__command_line_history__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__principal__process_ancestors__list__item__file__pe_file__signature_info__signer__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__src__process_ancestors__list__item__file__pe_file__imports__list__item__functions__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__about__list__item__process_ancestors__list__item__file__pe_file__imports__list { - dimension: item__functions__list { - hidden: yes - sql: ${TABLE}.item.functions.list ;; - group_label: "Item Functions" - group_item_label: "List" - } - - dimension: item__library { - type: string - sql: ${TABLE}.item.library ;; - group_label: "Item" - group_item_label: "Library" - } -} - -view: udm_events_gcs__intermediary__list__item__process__file__pe_file__resources_language_count__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: number - sql: ${TABLE}.item.value ;; - group_label: 
"Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__intermediary__list__item__resource_ancestors__list__item__attribute__roles__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__intermediary__list__item__resource_ancestors__list__item__attribute__labels__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: string - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__intermediary__list__item__user_management_chain__list__item__group_identifiers__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__security_result__list__item__about__file__pe_file__imports__list__item__functions__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__target__process_ancestors__list__item__file__pe_file__resources_type_count__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: number - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__src__process_ancestors__list__item__file__pe_file__resources_language_count__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: number - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: 
udm_events_gcs__about__list__item__process_ancestors__list__item__file__pe_file__resource__list { - dimension: item__entropy { - type: number - sql: ${TABLE}.item.entropy ;; - group_label: "Item" - group_item_label: "Entropy" - } - - dimension: item__filetype_magic { - type: string - sql: ${TABLE}.item.filetype_magic ;; - group_label: "Item" - group_item_label: "Filetype Magic" - } - - dimension: item__language_code { - type: string - sql: ${TABLE}.item.language_code ;; - group_label: "Item" - group_item_label: "Language Code" - } - - dimension: item__resource_type { - type: string - sql: ${TABLE}.item.resource_type ;; - group_label: "Item" - group_item_label: "Resource Type" - } - - dimension: item__sha256_hex { - type: string - sql: ${TABLE}.item.sha256_hex ;; - group_label: "Item" - group_item_label: "Sha256 Hex" - } -} - -view: udm_events_gcs__intermediary__list__item__process_ancestors__list__item__file__capabilities_tags__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__security_result__list__item__about__file__pe_file__resources_language_count__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: number - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__security_result__list__item__about__asset__software__list__item__permissions__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__observer__process_ancestors__list__item__file__pe_file__resources_type_count__list { - 
dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: number - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__about__list__item__user_management_chain__list__item__attribute__permissions__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__security_result__list__item__about__process__file__pe_file__signature_info__signer__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__security_result__list__item__about__user_management_chain__list__item__department__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__principal__process_ancestors__list__item__file__pe_file__resources_type_count__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: number - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__intermediary__list__item__user_management_chain__list__item__time_off__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__interval__end_time { - type: string - sql: ${TABLE}.item.`interval`.end_time ;; - group_label: "Item Interval" - group_item_label: "End Time" - } - - dimension: item__interval__start_time { - type: string - sql: ${TABLE}.item.`interval`.start_time ;; 
- group_label: "Item Interval" - group_item_label: "Start Time" - } -} - -view: udm_events_gcs__intermediary__list__item__user_management_chain__list__item__attribute__roles__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__intermediary__list__item__user_management_chain__list__item__attribute__labels__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: string - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__target__process_ancestors__list__item__file__pe_file__imports__list__item__functions__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__intermediary__list__item__process_ancestors__list__item__file__pe_file__section__list { - dimension: item__entropy { - type: number - sql: ${TABLE}.item.entropy ;; - group_label: "Item" - group_item_label: "Entropy" - } - - dimension: item__md5_hex { - type: string - sql: ${TABLE}.item.md5_hex ;; - group_label: "Item" - group_item_label: "Md5 Hex" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__raw_size_bytes { - type: number - sql: ${TABLE}.item.raw_size_bytes ;; - group_label: "Item" - group_item_label: "Raw Size Bytes" - } - - dimension: item__virtual_size_bytes { - type: number - sql: ${TABLE}.item.virtual_size_bytes ;; - group_label: "Item" - group_item_label: "Virtual Size Bytes" - } -} - -view: 
udm_events_gcs__target__process_ancestors__list__item__file__pe_file__resources_language_count__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: number - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__observer__process_ancestors__list__item__file__pe_file__imports__list__item__functions__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__security_result__list__item__about__process__file__pe_file__resources_type_count__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: number - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__security_result__list__item__about__user_management_chain__list__item__phone_numbers__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__principal__process_ancestors__list__item__file__pe_file__imports__list__item__functions__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__observer__process_ancestors__list__item__file__pe_file__resources_language_count__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: number - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__about__list__item__process_ancestors__list__item__file__pe_file__signature_info__signer__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__intermediary__list__item__resource_ancestors__list__item__attribute__permissions__list { - dimension: item__description { - type: string - sql: 
${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__principal__process_ancestors__list__item__file__pe_file__resources_language_count__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: number - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__intermediary__list__item__process_ancestors__list__item__file__pe_file__imports__list { - dimension: item__functions__list { - hidden: yes - sql: ${TABLE}.item.functions.list ;; - group_label: "Item Functions" - group_item_label: "List" - } - - dimension: item__library { - type: string - sql: ${TABLE}.item.library ;; - group_label: "Item" - group_item_label: "Library" - } -} - -view: udm_events_gcs__security_result__list__item__about__user_management_chain__list__item__email_addresses__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__intermediary__list__item__process_ancestors__list__item__file__pe_file__resource__list { - dimension: item__entropy { - type: number - sql: ${TABLE}.item.entropy ;; - group_label: "Item" - group_item_label: "Entropy" - } - - dimension: item__filetype_magic { - type: string - sql: ${TABLE}.item.filetype_magic ;; - group_label: "Item" - group_item_label: "Filetype Magic" - } - - dimension: item__language_code { - type: string - sql: ${TABLE}.item.language_code ;; - group_label: "Item" - group_item_label: "Language Code" - } - - dimension: item__resource_type { - type: string - sql: ${TABLE}.item.resource_type ;; - group_label: "Item" - group_item_label: "Resource Type" - 
} - - dimension: item__sha256_hex { - type: string - sql: ${TABLE}.item.sha256_hex ;; - group_label: "Item" - group_item_label: "Sha256 Hex" - } -} - -view: udm_events_gcs__security_result__list__item__about__process__file__pe_file__imports__list__item__functions__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__security_result__list__item__about__process_ancestors__list__item__command_line_history__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__about__list__item__process_ancestors__list__item__file__pe_file__resources_type_count__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: number - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__intermediary__list__item__user_management_chain__list__item__attribute__permissions__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__security_result__list__item__about__process__file__pe_file__resources_language_count__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: number - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__security_result__list__item__about__resource_ancestors__list__item__attribute__roles__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: 
"Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__security_result__list__item__about__resource_ancestors__list__item__attribute__labels__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: string - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__security_result__list__item__about__user_management_chain__list__item__group_identifiers__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__security_result__list__item__about__process_ancestors__list__item__file__capabilities_tags__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__about__list__item__process_ancestors__list__item__file__pe_file__imports__list__item__functions__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__security_result__list__item__about__user_management_chain__list__item__time_off__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__interval__end_time { - type: string - sql: ${TABLE}.item.`interval`.end_time ;; - group_label: "Item Interval" - group_item_label: "End Time" - } - - dimension: item__interval__start_time { - type: string - sql: ${TABLE}.item.`interval`.start_time ;; - group_label: "Item Interval" - group_item_label: "Start Time" - } -} - -view: udm_events_gcs__security_result__list__item__about__user_management_chain__list__item__attribute__roles__list { - dimension: item__description { - 
type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__security_result__list__item__about__user_management_chain__list__item__attribute__labels__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: string - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__about__list__item__process_ancestors__list__item__file__pe_file__resources_language_count__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: number - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__intermediary__list__item__process_ancestors__list__item__file__pe_file__signature_info__signer__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__security_result__list__item__about__process_ancestors__list__item__file__pe_file__section__list { - dimension: item__entropy { - type: number - sql: ${TABLE}.item.entropy ;; - group_label: "Item" - group_item_label: "Entropy" - } - - dimension: item__md5_hex { - type: string - sql: ${TABLE}.item.md5_hex ;; - group_label: "Item" - group_item_label: "Md5 Hex" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__raw_size_bytes { - type: number - sql: ${TABLE}.item.raw_size_bytes ;; - group_label: "Item" - group_item_label: "Raw Size Bytes" - } - - dimension: 
item__virtual_size_bytes { - type: number - sql: ${TABLE}.item.virtual_size_bytes ;; - group_label: "Item" - group_item_label: "Virtual Size Bytes" - } -} - -view: udm_events_gcs__security_result__list__item__about__resource_ancestors__list__item__attribute__permissions__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__intermediary__list__item__process_ancestors__list__item__file__pe_file__resources_type_count__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: number - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__security_result__list__item__about__process_ancestors__list__item__file__pe_file__imports__list { - dimension: item__functions__list { - hidden: yes - sql: ${TABLE}.item.functions.list ;; - group_label: "Item Functions" - group_item_label: "List" - } - - dimension: item__library { - type: string - sql: ${TABLE}.item.library ;; - group_label: "Item" - group_item_label: "Library" - } -} - -view: udm_events_gcs__security_result__list__item__about__process_ancestors__list__item__file__pe_file__resource__list { - dimension: item__entropy { - type: number - sql: ${TABLE}.item.entropy ;; - group_label: "Item" - group_item_label: "Entropy" - } - - dimension: item__filetype_magic { - type: string - sql: ${TABLE}.item.filetype_magic ;; - group_label: "Item" - group_item_label: "Filetype Magic" - } - - dimension: item__language_code { - type: string - sql: ${TABLE}.item.language_code ;; - group_label: "Item" - 
group_item_label: "Language Code" - } - - dimension: item__resource_type { - type: string - sql: ${TABLE}.item.resource_type ;; - group_label: "Item" - group_item_label: "Resource Type" - } - - dimension: item__sha256_hex { - type: string - sql: ${TABLE}.item.sha256_hex ;; - group_label: "Item" - group_item_label: "Sha256 Hex" - } -} - -view: udm_events_gcs__security_result__list__item__about__user_management_chain__list__item__attribute__permissions__list { - dimension: item__description { - type: string - sql: ${TABLE}.item.description ;; - group_label: "Item" - group_item_label: "Description" - } - - dimension: item__name { - type: string - sql: ${TABLE}.item.name ;; - group_label: "Item" - group_item_label: "Name" - } - - dimension: item__type { - type: number - sql: ${TABLE}.item.type ;; - group_label: "Item" - group_item_label: "Type" - } -} - -view: udm_events_gcs__intermediary__list__item__process_ancestors__list__item__file__pe_file__imports__list__item__functions__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__intermediary__list__item__process_ancestors__list__item__file__pe_file__resources_language_count__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: number - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -} - -view: udm_events_gcs__security_result__list__item__about__process_ancestors__list__item__file__pe_file__signature_info__signer__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__security_result__list__item__about__process_ancestors__list__item__file__pe_file__resources_type_count__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: number - sql: ${TABLE}.item.value ;; - group_label: "Item" 
- group_item_label: "Value" - } -} - -view: udm_events_gcs__security_result__list__item__about__process_ancestors__list__item__file__pe_file__imports__list__item__functions__list { - dimension: item { - type: string - sql: ${TABLE}.item ;; - } -} - -view: udm_events_gcs__security_result__list__item__about__process_ancestors__list__item__file__pe_file__resources_language_count__list { - dimension: item__key { - type: string - sql: ${TABLE}.item.key ;; - group_label: "Item" - group_item_label: "Key" - } - - dimension: item__value { - type: number - sql: ${TABLE}.item.value ;; - group_label: "Item" - group_item_label: "Value" - } -}