LegacyFederatedCase

This service is available for customers who migrated SOAR to a customer managed project and have the Chronicle API enabled. LegacyFederatedCase is a representation of a case in the Federated Case store.

JSON representation 
{
  "name": string,
  "createTimeMs": string,
  "updateTimeMs": string,
  "displayName": string,
  "alertCount": integer,
  "stage": string,
  "priority": enum (Priority),
  "important": boolean,
  "description": string,
  "type": enum (CaseType),
  "assigneeFullName": string,
  "environmentData": {
    object (EnvironmentData)
  },
  "status": enum (CaseDataState),
  "score": number,
  "caseSla": {
    object (LegacyCaseSla)
  },
  "alertsSla": {
    object (LegacyCaseSla)
  },
  "incident": boolean,
  "hasSuspiciousEntity": boolean,
  "workflowStatus": enum (WorkflowState),
  "tags": [
    string
  ],
  "products": [
    string
  ],
  "displayId": string,
  "touched": boolean,
  "merged": boolean,
  "hasIncident": boolean,
  "alertNames": [
    string
  ],
  "workflow": boolean,
  "overflowCase": boolean,
  "externalReference": {
    object (LegacyPlatformReference)
  },
  "additionalProperties": {
    string: string,
    ...
  }
}
Fields
name

string

Identifier. The name of the case. Format: projects/{project}/locations/{location}/instances/{instance}/legacyFederatedCases/{legacyFederatedCase}
createTimeMs

string (int64 format)

Output only. The creation time of the record in ms.
updateTimeMs

string (int64 format)

Output only. The modification time of the record in ms.
displayName

string

Output only. Case title, limited to 200 characters. Replaces old property: Title
alertCount

integer

Output only. Alerts in case.
stage

string

Output only. The stage of the Case. For example, "Triage", "Incident", "Investigation". The default stage option is "Triage", and users can define custom stages
priority

enum (Priority)

Output only. Default value is HIGH.
important

boolean

Output only. Additional way to specify case importance. The default is false.
description

string

Output only. Case description. limit chars to 1000
type

enum (CaseType)

Output only. Case description (e.g. External, test)
assigneeFullName

string

Output only. This can be the full name of a user or a @SocRole.
environmentData

object (EnvironmentData)

Output only. Case logical environment.
status

enum (CaseDataState)

Output only. Case status.
score

number

Output only. Attack exposure\Risk score for the case
caseSla

object (LegacyCaseSla)

Output only. Case SLA
alertsSla

object (LegacyCaseSla)

Output only. Aggregated alerts SLA. (alert has SLA as well).
incident

boolean

Output only. is Case an incident
hasSuspiciousEntity

boolean

Output only. Does the case have a suspicious entity
workflowStatus

enum (WorkflowState)

Output only. status of the most recent playbook that executed on the case
tags[]

string

Output only. list of tags assigned to the case
products[]

string

Output only. List of Products that exists within the case (e.g. WinEventLog:Security/DLP_Product)
displayId

string

Output only. synthetic unique identifier of the case, for display
touched

boolean

Output only. was the case manually edited since creation
merged

boolean

Output only. was the case merged with another case
hasIncident

boolean

Output only. does the case represent an incident
alertNames[]

string

Output only. names of the alerts in this case
workflow

boolean

Output only. has workflow been run on the case
overflowCase

boolean

Output only. is the case an overflow case
externalReference

object (LegacyPlatformReference)

Output only. external reference
additionalProperties

map (key: string, value: string)

Output only. Additional properties of the case, represented as key-value pairs.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

Priority

Case priority.

Enums
PRIORITY_UNSPECIFIED The priority is unspecified.
INFORMATIONAL The priority is informative.
LOW The priority is low.
MEDIUM The priority is medium.
HIGH The priority is high.
CRITICAL The priority is critical.

CaseType

The type of the case.

Enums
CASE_TYPE_UNSPECIFIED The type is unspecified.
EXTERNAL The type is external.
TEST The type is test.
REQUEST The type is request.

EnvironmentData

EnvironmentData is a representation of an environment in the Federated Case store.

JSON representation 
{
  "environment": string,
  "platform": string,
  "dynamicParameters": [
    {
      object (EnvironmentDynamicParameterDto)
    }
  ],
  "base64Image": string
}
Fields
environment

string

Output only. The name of the environment
platform

string (int64 format)

Output only. The platform of the environment
dynamicParameters[]

object (EnvironmentDynamicParameterDto)

Output only. The dynamic parameters for the environment
base64Image

string (bytes format)

Output only. Base64 encoded image of the environment

A base64-encoded string.

EnvironmentDynamicParameterDto

EnvironmentDynamicParameterDto is a representation of a dynamic parameter key-value pair in the Federated Case store.

JSON representation 
{
  "key": string,
  "value": string
}
Fields
key

string

Output only. The key of the dynamic parameter key-value
value

string

Output only. The Value of the dynamic parameter key-value

CaseDataState

Case data state.

Enums
CASE_DATA_STATE_UNSPECIFIED The status is unspecified.
OPENED The status is open.
CLOSED The status is closed.
ALL The status is all.
MERGED The status is merged.
CREATION_PENDING The status is creation pending.

LegacyCaseSla

SLA is a representation of an SLA in the Federated Case store.

JSON representation 
{
  "expirationTimeMs": string,
  "criticalExpirationTimeMs": string,
  "expirationStatus": enum (SlaExpirationEnum),
  "lastPauseRemainingTimeMs": string
}
Fields
expirationTimeMs

string (int64 format)

Output only. The expiration time of the SLA in ms.
criticalExpirationTimeMs

string (int64 format)

Output only. The critical expiration time of the SLA in ms.
expirationStatus

enum (SlaExpirationEnum)

Optional. The expiration status of the SLA.
lastPauseRemainingTimeMs

string (int64 format)

Optional. The critical expiration time of the SLA in ms.

SlaExpirationEnum

The status of the SLA.

Enums
NO_SLA No SLA
PAUSED Paused
OPEN_SLA Open SLA
CRITICAL_EXPIRED Critical expired
PASSED_DUE Passed due

WorkflowState

The status of the workflow.

Enums
NONE The status is none.
IN_PROGRESS The status is in progress.
COMPLETED The status is completed.
FAILED The status is failed.
TERMINATED The status is terminated.
PENDING_IN_QUEUE The status is pending in queue.
PENDING_FOR_USER The status is pending for user.

LegacyPlatformReference

LegacyPlatformReference is a representation of a platform reference in the Federated Case store.

JSON representation 
{
  "platform": string,
  "uri": string
}
Fields
platform

string

Output only. The platform name.
uri

string

Output only. The url of the platform.