SecurityResult

Security related metadata for the event. A security result might be something like "virus detected and quarantined," "malicious connection blocked," or "sensitive data included in document foo.doc." Each security result, of which there may be more than one, may either pertain to the whole event, or to a specific object or device referenced in the event (e.g. a malicious file that was detected, or a sensitive document sent as an email attachment). For security results that apply to a particular object referenced in the event, the security_results message MUST contain details about the implicated object (such as process, user, IP, domain, URL, IP, or email address) in the about field. For security results that apply to the entire event (e.g. SPAM found in this email), the about field must remain empty.

JSON representation 
{
  "about": {
    object (Noun)
  },
  "category": [
    enum (SecurityCategory)
  ],
  "category_details": [
    string
  ],
  "threat_name": string,
  "rule_set": string,
  "rule_set_display_name": string,
  "ruleset_category_display_name": string,
  "rule_id": string,
  "rule_name": string,
  "rule_version": string,
  "rule_type": string,
  "rule_author": string,
  "rule_labels": [
    {
      object (Label)
    }
  ],
  "alert_state": enum (AlertState),
  "detection_fields": [
    {
      object (Label)
    }
  ],
  "outcomes": [
    {
      object (Label)
    }
  ],
  "variables": {
    string: {
      object (FindingVariable)
    },
    ...
  },
  "summary": string,
  "description": string,
  "action": [
    enum (Action)
  ],
  "action_details": string,
  "severity": enum (ProductSeverity),
  "confidence": enum (ProductConfidence),
  "priority": enum (ProductPriority),
  "risk_score": number,
  "confidence_score": number,
  "analytics_metadata": [
    {
      object (AnalyticsMetadata)
    }
  ],
  "severity_details": string,
  "confidence_details": string,
  "priority_details": string,
  "url_back_to_product": string,
  "threat_id": string,
  "threat_feed_name": string,
  "threat_id_namespace": enum (Namespace),
  "threat_status": enum (ThreatStatus),
  "attack_details": {
    object (AttackDetails)
  },
  "first_discovered_time": string,
  "associations": [
    {
      object (Association)
    }
  ],
  "campaigns": [
    string
  ],
  "reports": [
    string
  ],
  "verdict": {
    object (Verdict)
  },
  "last_updated_time": string,
  "verdict_info": [
    {
      object (VerdictInfo)
    }
  ],
  "threat_verdict": enum (ThreatVerdict),
  "last_discovered_time": string
}
Fields
about

object (Noun)

If the security result is about a specific entity (Noun), add it here. This field is not populated when the SecurityResult appears in a finding (a detection or alert).
category[]

enum (SecurityCategory)

The security category. This field is not populated when the SecurityResult appears in a finding (a detection or alert).
category_details[]

string

For vendor-specific categories. For web categorization, put type in here such as "gambling" or "porn". This field is not populated when the SecurityResult appears in a finding (a detection or alert).
threat_name

string

A vendor-assigned classification common across multiple customers (for example, "W32/File-A", "Slammer"). This field is not populated when the SecurityResult appears in a finding (a detection or alert).
rule_set

string

The curated detection's rule set identifier. (for example, "windows-threats") This is primarily set in rule-generated detections and alerts.
rule_set_display_name

string

The curated detections rule set display name. This is primarily set in rule-generated detections and alerts.
ruleset_category_display_name

string

The curated detection rule set category display name. (for example, if rule_set_display_name is "CDIR SCC Enhanced Exfiltration", the rule_set_category is "Cloud Threats"). This is primarily set in rule-generated detections and alerts.
rule_id

string

A vendor-specific ID for a rule, varying by observer type (e.g. "08123", "5d2b44d0-5ef6-40f5-a704-47d61d3babbe").
rule_name

string

Name of the security rule (e.g. "BlockInboundToOracle").
rule_version

string

Version of the security rule. (e.g. "v1.1", "00001", "1604709794", "2020-11-16T23:04:19+00:00"). Note that rule versions are source-dependant and lexical ordering should not be assumed.
rule_type

string

The type of security rule.
rule_author

string

Author of the security rule. This field is not populated when the SecurityResult appears in a finding (a detection or alert).
rule_labels[]

object (Label)

A list of rule labels that can't be captured by the other fields in security result (e.g. "reference : AnotherRule", "contributor : John"). This is primarily set in rule-generated detections and alerts.
alert_state

enum (AlertState)

The alerting types of this security result. This is primarily set for rule-generated detections and alerts.
detection_fields[]

object (Label)

An ordered list of values, that represent fields in detections for a security finding. This list represents mapping of names of requested entities to their values (the security result matched variables).

This is only populated when the SecurityResult appears in a finding (a detection or alert).
outcomes[]

object (Label)

A list of outcomes that represent the results of this security finding. This list represents a mapping of names of the requested outcomes, to a stringified version of their values.

This is only populated when the SecurityResult appears in a finding (a detection or alert).
variables

map (key: string, value: object (FindingVariable))

A list of outcomes and match variables that represent the results of this security finding. This list represents a mapping of names of the requested outcomes or match variables, to their values.

This is only populated when the SecurityResult appears in a finding (a detection or alert).

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
summary

string

A short human-readable summary (e.g. "failed login occurred")
description

string

A human-readable description (e.g. "user password was wrong"). This can be more detailed than the summary.
action[]

enum (Action)

Actions taken for this event. This field is not populated when the SecurityResult appears in a finding (a detection or alert).
action_details

string

The detail of the action taken as provided by the vendor. This field is not populated when the SecurityResult appears in a finding (a detection or alert).
severity

enum (ProductSeverity)

The severity of the result.
confidence

enum (ProductConfidence)

The confidence level of the result as estimated by the product. This field is not populated when the SecurityResult appears in a finding (a detection or alert).
priority

enum (ProductPriority)

The priority of the result. This field is not populated when the SecurityResult appears in a finding (a detection or alert).
risk_score

number

The risk score of the security result.
confidence_score

number

The confidence score of the security result. This field is not populated when the SecurityResult appears in a finding (a detection or alert).
analytics_metadata[]

object (AnalyticsMetadata)

Stores metadata about each risk analytic metric the rule uses. This field is not populated when the SecurityResult appears in a finding (a detection or alert).
severity_details

string

Vendor-specific severity. This field is not populated when the SecurityResult appears in a finding (a detection or alert).
confidence_details

string

Additional detail with regards to the confidence of a security event as estimated by the product vendor. This field is not populated when the SecurityResult appears in a finding (a detection or alert).
priority_details

string

Vendor-specific information about the security result priority. This field is not populated when the SecurityResult appears in a finding (a detection or alert).
url_back_to_product

string

URL that takes the user to the source product console for this event. This field is not populated when the SecurityResult appears in a finding (a detection or alert).
threat_id

string

Vendor-specific ID for a threat. This field is not populated when the SecurityResult appears in a finding (a detection or alert).
threat_feed_name

string

Vendor feed name for a threat indicator feed. This field is not populated when the SecurityResult appears in a finding (a detection or alert).
threat_id_namespace

enum (Namespace)

The attribute threat_id_namespace qualifies threat_id with an id namespace to get an unique id. The attribute threat_id by itself is not unique across Chronicle as it is a vendor specific id. This field is not populated when the SecurityResult appears in a finding (a detection or alert).
threat_status

enum (ThreatStatus)

Current status of the threat This field is not populated when the SecurityResult appears in a finding (a detection or alert).
attack_details

object (AttackDetails)

MITRE ATT&CK details. This field is not populated when the SecurityResult appears in a finding (a detection or alert).
first_discovered_time

string (Timestamp format)

First time the IoC threat was discovered in the provider. This field is not populated when the SecurityResult appears in a finding (a detection or alert).

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".
associations[]

object (Association)

Associations related to the threat. This field is not populated when the SecurityResult appears in a finding (a detection or alert).
campaigns[]

string

Campaigns using this IOC threat. This field is not populated when the SecurityResult appears in a finding (a detection or alert).
reports[]

string

Reports that reference this IOC threat. These are the report IDs. This field is not populated when the SecurityResult appears in a finding (a detection or alert).
verdict
(deprecated)

object (Verdict)

Verdict about the IoC from the provider. This field is now deprecated. Use VerdictInfo instead.
last_updated_time

string (Timestamp format)

Last time the IoC threat was updated in the provider. This field is not populated when the SecurityResult appears in a finding (a detection or alert).

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".
verdict_info[]

object (VerdictInfo)

Verdict information about the IoC from the provider. This field is not populated when the SecurityResult appears in a finding (a detection or alert).
threat_verdict

enum (ThreatVerdict)

GCTI threat verdict on the security result entity. This field is not populated when the SecurityResult appears in a finding (a detection or alert).
last_discovered_time

string (Timestamp format)

Last time the IoC was seen in the provider data. This field is not populated when the SecurityResult appears in a finding (a detection or alert).

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

SecurityCategory

SecurityCategory is used to standardize security categories across products so one event is not categorized as "malware" and another as a "virus".

Enums
UNKNOWN_CATEGORY The default category.
SOFTWARE_MALICIOUS Malware, spyware, rootkit.
SOFTWARE_SUSPICIOUS Below the conviction threshold; probably bad.
SOFTWARE_PUA Potentially Unwanted App (such as adware).
NETWORK_MALICIOUS Includes C&C or network exploit.
NETWORK_SUSPICIOUS Suspicious activity, such as potential reverse tunnel.
NETWORK_CATEGORIZED_CONTENT Non-security related: URL has category like gambling or porn.
NETWORK_DENIAL_OF_SERVICE DoS, DDoS.
NETWORK_RECON Port scan detected by an IDS, probing of web app.
NETWORK_COMMAND_AND_CONTROL If we know this is a C&C channel.
ACL_VIOLATION Unauthorized access attempted, including attempted access to files, web services, processes, web objects, etc.
AUTH_VIOLATION Authentication failed (e.g. bad password or bad 2-factor authentication).
EXPLOIT Exploit: For all manner of exploits including attempted overflows, bad protocol encodings, ROP, SQL injection, etc. For both network and host- based exploits.
DATA_EXFILTRATION DLP: Sensitive data transmission, copy to thumb drive.
DATA_AT_REST DLP: Sensitive data found at rest in a scan.
DATA_DESTRUCTION Attempt to destroy/delete data.
TOR_EXIT_NODE TOR Exit Nodes.
MAIL_SPAM @exclude Spam email, message, etc.
MAIL_PHISHING Phishing email, chat messages, etc.
MAIL_SPOOFING Spoofed source email address, etc.
POLICY_VIOLATION Security-related policy violation (e.g. firewall/proxy/HIPS rule violated, NAC block action).
SOCIAL_ENGINEERING Threats which manipulate to break normal security procedures.
PHISHING Phishing pages, pops, https phishing etc.

AlertState

The type of alerting set up for a security result.

Enums
UNSPECIFIED The security result type is not known.
NOT_ALERTING The security result is not an alert.
ALERTING The security result is an alert.

FindingVariable

A structure that holds the value and associated metadata for values extracted while producing a Finding.

JSON representation 
{
  "type": enum (Type),
  "value": string,
  "source_path": string,

  // Union field typed_value can be only one of the following:
  "bool_val": boolean,
  "bytes_val": string,
  "double_val": number,
  "int64_val": string,
  "uint64_val": string,
  "string_val": string,
  "null_val": boolean,
  "bool_seq": {
    object (BoolSequence)
  },
  "bytes_seq": {
    object (BytesSequence)
  },
  "double_seq": {
    object (DoubleSequence)
  },
  "int64_seq": {
    object (Int64Sequence)
  },
  "uint64_seq": {
    object (Uint64Sequence)
  },
  "string_seq": {
    object (StringSequence)
  }
  // End of list of possible types for union field typed_value.
}
Fields
type

enum (Type)

The type of the variable.
value

string

The value in string form.
source_path

string

The UDM field path for the field which this value was derived from. Example: principal.user.username
Union field typed_value. The typed value of the variable. typed_value can be only one of the following:
bool_val

boolean

The value in boolean format.
bytes_val

string (bytes format)

The value in bytes format.

A base64-encoded string.
double_val

number

The value in double format.
int64_val

string (int64 format)

The value in int64 format.
uint64_val

string

The value in uint64 format.
string_val

string

The value in string format. Enum values are returned as strings.
null_val

boolean

Whether the value is null.
bool_seq

object (BoolSequence)

The value in boolsequence format.
bytes_seq

object (BytesSequence)

The value in bytessequence format.
double_seq

object (DoubleSequence)

The value in doublesequence format.
int64_seq

object (Int64Sequence)

The value in int64sequence format.
uint64_seq

object (Uint64Sequence)

The value in uint64sequence format.
string_seq

object (StringSequence)

The value in stringsequence format.

Type

Type options for Finding variables.

Enums
TYPE_UNSPECIFIED An unspecified variable type.
MATCH A variable coming from the match conditions.
OUTCOME A variable representing significant data that was found in the detection logic.

BoolSequence

BoolSequence represents a sequence of bools.

JSON representation 
{
  "bool_vals": [
    boolean
  ]
}
Fields
bool_vals[]

boolean

bool sequence.

BytesSequence

BytesSequence represents a sequence of bytes.

JSON representation 
{
  "bytes_vals": [
    string
  ]
}
Fields
bytes_vals[]

string (bytes format)

bytes sequence.

A base64-encoded string.

DoubleSequence

DoubleSequence represents a sequence of doubles.

JSON representation 
{
  "double_vals": [
    number
  ]
}
Fields
double_vals[]

number

double sequence.

Int64Sequence

Int64Sequence represents a sequence of int64s.

JSON representation 
{
  "int64_vals": [
    string
  ]
}
Fields
int64_vals[]

string (int64 format)

int64 sequence.

Uint64Sequence

Uint64Sequence represents a sequence of uint64s.

JSON representation 
{
  "uint64_vals": [
    string
  ]
}
Fields
uint64_vals[]

string

uint64 sequence.

StringSequence

StringSequence represents a sequence of string.

JSON representation 
{
  "string_vals": [
    string
  ]
}
Fields
string_vals[]

string

string sequence.

Action

Enum representing different possible actions taken by the product that created the event.

Enums
UNKNOWN_ACTION The default action.
ALLOW Allowed.
BLOCK Blocked.
ALLOW_WITH_MODIFICATION Strip, modify something (e.g. File or email was disinfected or rewritten and still forwarded).
QUARANTINE Put somewhere for later analysis (does NOT imply block).
FAIL Failed (e.g. the event was allowed but failed).
CHALLENGE Challenged (e.g. the user was challenged by a Captcha, 2FA).

ProductSeverity

Defined by the product

Enums
UNKNOWN_SEVERITY The default severity level.
INFORMATIONAL Info severity.
ERROR An error.
NONE No malicious result.
LOW Low-severity malicious result.
MEDIUM Medium-severity malicious result.
HIGH High-severity malicious result.
CRITICAL Critical-severity malicious result.

ProductConfidence

A level of confidence in the result.

Enums
UNKNOWN_CONFIDENCE The default confidence level.
LOW_CONFIDENCE Low confidence.
MEDIUM_CONFIDENCE Medium confidence.
HIGH_CONFIDENCE High confidence.

ProductPriority

A product priority level.

Enums
UNKNOWN_PRIORITY Default priority level.
LOW_PRIORITY Low priority.
MEDIUM_PRIORITY Medium priority.
HIGH_PRIORITY High priority.

AnalyticsMetadata

Stores information about an analytics metric used in a rule.

JSON representation 
{
  "analytic": string
}
Fields
analytic

string

Name of the analytic.

ThreatStatus

Vendor-specific information about the status of a threat (ITW).

Enums
THREAT_STATUS_UNSPECIFIED Default threat status
ACTIVE Active threat.
CLEARED Cleared threat.
FALSE_POSITIVE False positive.

AttackDetails

MITRE ATT&CK details.

JSON representation 
{
  "version": string,
  "tactics": [
    {
      object (Tactic)
    }
  ],
  "techniques": [
    {
      object (Technique)
    }
  ]
}
Fields
version

string

ATT&CK version (e.g. 12.1).
tactics[]

object (Tactic)

Tactics employed.
techniques[]

object (Technique)

Techniques employed.

Tactic

Tactic information related to an attack or threat.

JSON representation 
{
  "id": string,
  "name": string
}
Fields
id

string

Tactic ID (e.g. "TA0043").
name

string

Tactic Name (e.g. "Reconnaissance")

Technique

Technique information related to an attack or threat.

JSON representation 
{
  "id": string,
  "name": string,
  "subtechnique_id": string,
  "subtechnique_name": string
}
Fields
id

string

Technique ID (e.g. "T1595").
name

string

Technique Name (e.g. "Active Scanning").
subtechnique_id

string

Subtechnique ID (e.g. "T1595.001").
subtechnique_name

string

Subtechnique Name (e.g. "Scanning IP Blocks").

Association

Associations represents different metadata about malware and threat actors involved with an IoC.

JSON representation 
{
  "id": string,
  "country_code": [
    string
  ],
  "type": enum (AssociationType),
  "name": string,
  "description": string,
  "role": string,
  "source_country": string,
  "alias": [
    {
      object (AssociationAlias)
    }
  ],
  "first_reference_time": string,
  "last_reference_time": string,
  "industries_affected": [
    string
  ],
  "associated_actors": [
    {
      object (Association)
    }
  ],
  "region_code": {
    object (Location)
  },
  "sponsor_region": {
    object (Location)
  },
  "targeted_regions": [
    {
      object (Location)
    }
  ],
  "tags": [
    string
  ]
}
Fields
id

string

Unique association id generated by mandiant.
country_code[]

string

Country from which the threat actor/ malware is originated.
type

enum (AssociationType)

Signifies the type of association.
name

string

Name of the threat actor/malware.
description

string

Human readable description about the association.
role

string

Role of the malware. Not applicable for threat actor.
source_country
(deprecated)

string

Name of the country the threat originated from.
alias[]

object (AssociationAlias)

Different aliases of the threat actor given by different sources.
first_reference_time

string (Timestamp format)

First time the threat actor was referenced or seen.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".
last_reference_time

string (Timestamp format)

Last time the threat actor was referenced or seen.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".
industries_affected[]

string

List of industries the threat actor affects.
associated_actors[]

object (Association)

List of associated threat actors for a malware. Not applicable for threat actors.
region_code

object (Location)

Name of the country, the threat is originating from.
sponsor_region

object (Location)

Sponsor region of the threat actor.
targeted_regions[]

object (Location)

Targeted regions.
tags[]

string

Tags.

AssociationType

Represents different possible Association types. Can be threat or malware. Used to represent Mandiant threat intelligence.

Enums
ASSOCIATION_TYPE_UNSPECIFIED The default Association Type.
THREAT_ACTOR Association type Threat actor.
MALWARE Association type Malware.

AssociationAlias

Association Alias used to represent Mandiant Threat Intelligence.

JSON representation 
{
  "name": string,
  "company": string
}
Fields
name

string

Name of the alias.
company

string

Name of the provider who gave the association's name.

Verdict

Deprecated. Encapsulates the threat verdict provided by human analysts and ML models. These fields are used to model Mandiant sources.

JSON representation 
{
  "source_count": integer,
  "response_count": integer,
  "neighbour_influence": string,
  "verdict": {
    object (ProviderMLVerdict)
  },
  "analyst_verdict": {
    object (AnalystVerdict)
  }
}
Fields
source_count

integer

Number of sources from which intelligence was extracted.
response_count

integer

Total response count across all sources.
neighbour_influence

string

Describes the neighbour influence of the verdict.
verdict

object (ProviderMLVerdict)

ML Verdict provided by sources like Mandiant.
analyst_verdict

object (AnalystVerdict)

Human analyst verdict provided by sources like Mandiant.

ProviderMLVerdict

Deprecated. MLVerdict result provided from threat providers, like Mandiant. These fields are used to model Mandiant sources.

JSON representation 
{
  "source_provider": string,
  "benign_count": integer,
  "malicious_count": integer,
  "confidence_score": integer,
  "mandiant_sources": [
    {
      object (Source)
    }
  ],
  "third_party_sources": [
    {
      object (Source)
    }
  ]
}
Fields
source_provider

string

Source provider giving the ML verdict.
benign_count

integer

Count of responses where this IoC was marked benign.
malicious_count

integer

Count of responses where this IoC was marked malicious.
confidence_score

integer

Confidence score of the verdict.
mandiant_sources[]

object (Source)

List of mandiant sources from which the verdict was generated.
third_party_sources[]

object (Source)

List of third-party sources from which the verdict was generated.

Source

Deprecated. Information about the threat intelligence source. These fields are used to model Mandiant sources.

JSON representation 
{
  "name": string,
  "benign_count": integer,
  "malicious_count": integer,
  "quality": enum (ProductConfidence),
  "response_count": integer,
  "source_count": integer,
  "threat_intelligence_sources": [
    {
      object (Source)
    }
  ]
}
Fields
name

string

Name of the IoC source.
benign_count

integer

Count of responses where this IoC was marked benign.
malicious_count

integer

Count of responses where this IoC was marked malicious.
quality

enum (ProductConfidence)

Quality of the IoC mapping extracted from the source.
response_count

integer

Total response count from this source.
source_count

integer

Number of sources from which intelligence was extracted.
threat_intelligence_sources[]

object (Source)

Different threat intelligence sources from which IoC info was extracted.

AnalystVerdict

Verdict provided by the human analyst. These fields are used to model Mandiant sources.

JSON representation 
{
  "confidence_score": integer,
  "verdict_time": string,
  "verdict_response": enum (VerdictResponse)
}
Fields
confidence_score

integer

Confidence score of the verdict.
verdict_time

string (Timestamp format)

Timestamp at which the verdict was generated.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".
verdict_response

enum (VerdictResponse)

Details of the verdict.

VerdictResponse

Represents different verdict types. Used to represent Mandiant threat intelligence.

Enums
VERDICT_RESPONSE_UNSPECIFIED The default verdict response type.
MALICIOUS VerdictResponse resulted a threat as malicious.
BENIGN VerdictResponse resulted a threat as benign.

VerdictInfo

Describes the threat verdict provided by human analysts and machine learning models. These fields are used to model Mandiant sources.

JSON representation 
{
  "source_count": integer,
  "response_count": integer,
  "neighbour_influence": string,
  "verdict_type": enum (VerdictType),
  "source_provider": string,
  "benign_count": integer,
  "malicious_count": integer,
  "confidence_score": integer,
  "ioc_stats": [
    {
      object (IoCStats)
    }
  ],
  "verdict_time": string,
  "verdict_response": enum (VerdictResponse),
  "global_customer_count": integer,
  "global_hits_count": integer,
  "pwn": boolean,
  "category_details": string,
  "pwn_first_tagged_time": string
}
Fields
source_count

integer

Number of sources from which intelligence was extracted.
response_count

integer

Total response count across all sources.
neighbour_influence

string

Describes the near neighbor influence of the verdict.
verdict_type

enum (VerdictType)

Type of verdict.
source_provider

string

Source provider giving the machine learning verdict.
benign_count

integer

Count of responses where this IoC was marked as benign.
malicious_count

integer

Count of responses where this IoC was marked as malicious.
confidence_score

integer

Confidence score of the verdict.
ioc_stats[]

object (IoCStats)

List of IoCStats from which the verdict was generated.
verdict_time

string (Timestamp format)

Timestamp when the verdict was generated.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".
verdict_response

enum (VerdictResponse)

Details about the verdict.
global_customer_count

integer

Global customer count over the last 30 days
global_hits_count

integer

Global hit count over the last 30 days.
pwn

boolean

Whether one or more Mandiant incident response customers had this indicator in their environment.
category_details

string

Tags related to the verdict.
pwn_first_tagged_time

string (Timestamp format)

The timestamp of the first time a pwn was associated to this entity.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

VerdictType

Category of the verdict.

Enums
VERDICT_TYPE_UNSPECIFIED Verdict category not specified.
PROVIDER_ML_VERDICT MLVerdict result provided from threat providers, like Mandiant. These fields are used to model Mandiant sources.
ANALYST_VERDICT Verdict provided by the human analyst. These fields are used to model Mandiant sources.

IoCStats

Information about the threat intelligence source. These fields are used to model Mandiant sources.

JSON representation 
{
  "ioc_stats_type": enum (IoCStatsType),
  "first_level_source": string,
  "second_level_source": string,
  "benign_count": integer,
  "quality": enum (ProductConfidence),
  "malicious_count": integer,
  "response_count": integer,
  "source_count": integer
}
Fields
ioc_stats_type

enum (IoCStatsType)

Describes the source of the IoCStat.
first_level_source

string

Name of first level IoC source, for example Mandiant or a third-party.
second_level_source

string

Name of the second-level IoC source, for example Crowdsourced Threat Analysis or Knowledge Graph.
benign_count

integer

Count of responses where the IoC was identified as benign.
quality

enum (ProductConfidence)

Level of confidence in the IoC mapping extracted from the source.
malicious_count

integer

Count of responses where the IoC was identified as malicious.
response_count

integer

Total number of response from the source.
source_count

integer

Number of sources from which information was extracted.

IoCStatsType

Type of IoCStat based on source.

Enums
UNSPECIFIED_IOC_STATS_TYPE IoCStat source is unidentified.
MANDIANT_SOURCES IoCStat is from a Mandiant Source.
THIRD_PARTY_SOURCES IoCStat is from a third-party source.
THREAT_INTELLIGENCE_IOC_STATS IoCStat is from a threat intelligence feed.

ThreatVerdict

GCTI threat verdict levels.

Enums
THREAT_VERDICT_UNSPECIFIED Unspecified threat verdict level.
UNDETECTED Undetected threat verdict level.
SUSPICIOUS Suspicious threat verdict level.
MALICIOUS Malicious threat verdict level.