- JSON representation
- Element
- Reference
- DataTableRowInfo
- EntityGraphEnrichment
- EnrichmentType
- SoarAlertMetadata
Collection represents a container of objects (such as events, entity context metadata, detection finding metadata) and state (such as investigation details).
An example use case for Collection is to model a detection and investigation from detection finding metadata to investigative state collected in the course of the investigation. For more complex investigation and response workflows a Collection could represent an incident consisting of multiple child findings or incidents. This can be expanded on to model remediation elements of a full detection and response workflow.
NEXT TAG: 20
JSON representation |
---|
{ "id": string, "type": enum ( |
Fields | |
---|---|
id |
Unique ID for the collection. The ID is specific to the type of collection. For example, with rule detections this is the detection ID. |
type |
What the collection represents. |
idNamespace |
The ID namespace used for the Collection. |
createdTime |
Time the collection was created. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
lastUpdatedTime |
Time the collection was last updated. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
timeWindow |
Time interval that the collection represents. |
collectionElements[] |
Constituent elements of the collection. Each element shares an association that groups it together and is a component of the overall collection. For example, a detection collection may have several constituent elements that each share a correlation association that together represent a particular pattern or behavior. |
detection[] |
Detection metadata for findings that represent detections, can include rule details, machine learning model metadata, and indicators implicated in the detection (using the .about field). |
detectionTime |
Timestamp within the timeWindow related to the time of the collectionElements. For Rule Detections, this timestamp is the end of the the timeWindow for multi-event rules or the time of the event for single event rules. For late-arriving events that trigger new alerts, the detectionTime will be the event time of the event. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
investigation |
Consolidated investigation details (categorization, status, etc) typically for collections that begin as detection findings and then evolve with analyst action and feedback into investigations around the detection output. |
tags[] |
Tags set by UC/DSML/RE for the Finding during creation. |
responsePlatformInfo |
Alert related info of this same alert in customer's SOAR platform. |
caseName |
The resource name of the Case that this collection belongs to. Example: projects/{project id}/locations/{region}/chronicle/cases/{internal_case_id} |
feedbackSummary |
The current primary analyst feedback. This does not include the history of feedback given, which may be supplied in |
feedbackHistory[] |
The history of feedback submitted by analysts for this finding, in descending order by timestamp. This field is limited to the most recent 1000 feedback events. The primary feedback will also be included in this list. |
soarAlert |
A boolean field indicating that the alert is present in SOAR. |
soarAlertMetadata |
Metadata fields of alerts coming from other SIEM systems via SOAR. |
dataAccessScope |
The resource name of the DataAccessScope of this collection. |
Element
NEXT TAG: 5
JSON representation |
---|
{ "association": { object ( |
Fields | |
---|---|
association |
Metadata that provides the relevant association for the references in the element. For a detection, this can be the correlated aspect of the references that contributed to the overall detection. For example, may include sub-rule condition, machine learning model metadata, and/or indicators implicated in this component of the detection (using the .about field). |
references[] |
References to model primatives including events and entities that share a common association. Even though a reference can have both UDM and entity, a collection of references (of a single element) will only have one type of message in it (either UDM / Entity). |
label |
A name that labels the entire references group. |
referencesSampled |
Copied from the detection eventSample.too_many_event_samples field. If true, the number of references will be capped at the sample limit (set at rule service). This is applicable to both UDM references and Entity references. |
Reference
Reference to model primatives including event and entity. As support is added for fast retrieval of objects by identifiers, this will be expanded to include ID references rather than full object copies.
JSON representation |
---|
{ "event": { object ( |
Fields | |
---|---|
event |
Only one of event or entity will be populated for a single reference. Start one-of Event being referenced. |
entity |
Entity being referenced. In cases where the entity graph is overridden by data table, this will represent the original entity. End one-of |
joinedDataTableRows[] |
The data table rows joined with the event. |
graphEnrichment |
The entity graph enrichment details. Only set when the reference is an Entity which has been overridden by a data table or appended from a data table. |
id |
Id being referenced. This field will also be populated for both event and entity with the event id. For detections, only this field will be populated. |
DataTableRowInfo
DataTableRowInfo captures information about a data table row including the name of the data table.
JSON representation |
---|
{ "dataTable": string, "row": { object }, "rowId": string } |
Fields | |
---|---|
dataTable |
The name of data table. |
row |
Stores the key value pair for a data table row where the key is the name of the column for the given value. |
rowId |
The row id of the data table row. |
EntityGraphEnrichment
EntityGraphEnrichment contains the data table name and the enrichment applied to the entity.
JSON representation |
---|
{ "dataTable": string, "enrichmentType": enum ( |
Fields | |
---|---|
dataTable |
The name of the data table. |
enrichmentType |
The type of enrichment. |
overriddenEntity |
The entity which has only the overridden fields populated. Only populated if the enrichment type is OVERRIDE. |
EnrichmentType
Type of enrichment.
Enums | |
---|---|
ENRICHMENT_TYPE_UNSPECIFIED |
Enrichment type is unspecified. |
APPEND |
The data table was appended to the entity graph. |
OVERRIDE |
The entity graph was overridden by the data table. |
SoarAlertMetadata
Metadata fields of alerts coming from other SIEM systems.
JSON representation |
---|
{ "alertId": string, "sourceRule": string, "vendor": string, "sourceSystem": string, "product": string, "sourceSystemTicketId": string, "sourceSystemUri": string } |
Fields | |
---|---|
alertId |
Alert ID in the source SIEM system. |
sourceRule |
Name of the rule triggering the alert in the source SIEM. |
vendor |
Name of the vendor. |
sourceSystem |
Name of the Source SIEM system. |
product |
Name of the product the alert is coming from. |
sourceSystemTicketId |
Ticket id for the alert in the source system. |
sourceSystemUri |
Url to the source SIEM system. |