- Resource: CaseAlert
- AlertClosureDetails
- CloseReason
- LegacyCasePriority
- AlertStatus
- InvolvedRelation
- EntityKey
- WorkflowStatus
- Methods
Resource: CaseAlert
This service is available for customers who migrated SOAR to a customer-managed project and have the Chronicle API enabled. Alerts are tied to data that your security systems identified as a threat. Investigating an alert gives you context about the alert and the entities involved in it.
JSON representation:

```
{ "name": string, "identifier": string, "caseId": integer, "createTime": string, "updateTime": string, "ruleGenerator": string, "sourceGroupingIdentifier": string, "product": string, "displayName": string, "vendor": string, "environment": string, "ticketId": string, "sourceSystemName": string, "closureDetails": { object (
```
| Field | Description |
|---|---|
| `name` | Identifier. The unique name (ID) of the CaseAlert. Format: `projects/{project}/locations/{location}/instances/{instance}/cases/{case}/caseAlerts/{caseAlert}` |
| `identifier` | Output only. Title + GUID, e.g. `ACCESS DISABLED ACCOUNTS_3A0C90F9-A87E-4E94-8727-7884F686ECDA`. Legacy identifier of the alert, used across the legacy modules in the system. Character limit: 2100. |
| `caseId` | Output only. The case associated with the alert. Added for convenience, for use by the UI. |
| `createTime` | Output only. The creation time of the record in milliseconds. |
| `updateTime` | Output only. The modification time of the record in milliseconds. |
| `ruleGenerator` | Output only. Which rule triggered the alert on the third-party system. This can be any rule defined in the third party, such as a SIEM, Splunk or CrowdStrike. Character limit: 250. |
| `sourceGroupingIdentifier` | Output only. A key on the alert that can be used to group alerts into the same case. Character limit: 2100. |
| `product` | Output only. The product associated with the alert, e.g. `DLP`, `WinEventLog:Security`. |
| `displayName` | Output only. The display name of the alert, e.g. "DATA EXFILTRATION". |
| `vendor` | Output only. The vendor of the alert, e.g. "Microsoft". Character limit: 2100. |
| `environment` | Output only. The environment of the alert. |
| `ticketId` | Output only. Third-party ticket ID; can originate from a SIEM or other tool, e.g. "3a0c90f9-a87e-4e94-8727-7884f686ecda". |
| `sourceSystemName` | Output only. Which alerting system raised the alert, e.g. "QRadar", "ArcSight", "Microsoft CASB". This is the integration name in SOAR. |
| `closureDetails` | Optional. Defines the close reason of the alert, if any. |
| `sla` | Optional. SLA (Service Level Agreement) for the specific alert; also used to calculate the aggregate case SLA. |
| `manual` | Output only. Whether the alert was created manually. |
| `priority` | Output only. Default value is `HIGH`. |
| `sourceIdentifier` | Output only. Stores the identifier of the source of the alert; could be a connector identifier, etc. |
| `additionalProperties` | Output only. Stores additional data on specific alerts, in JSON format; currently used by connectors. |
| `status` | Output only. Alert status. Default value is `OPEN`. |
| `startTime` | Output only. When the alert was created on the third-party product (SIEM, IPS, etc.). |
| `endTime` | Output only. When the alert was closed on the third-party product (SIEM, IPS, etc.). |
| `involvedRelations[]` | Output only. All involved relations for the alert: directional connections between entities in a given alert. |
| `siemAlertId` | Output only. The identifier of the alert in the SIEM. |
| `sourceUrl` | Output only. The source URL of the alert. |
| `sourceRuleUrl` | Output only. The source rule URL of the alert. |
| `sourceSystemUrl` | Output only. The source system URL. |
| `sourceRuleIdentifier` | Output only. The source rule identifier. |
| `playbookStatus` | Output only. Alert playbook status. |
| `attachedPlaybookName` | Output only. The attached playbook name. |
| `nestingDepth` | Output only. The nesting depth of the alert. |
| `alertGroupIdentifier` | Output only. The alert group identifier. |
| `eventCount` | Output only. The number of events that triggered the alert. |
AlertClosureDetails
Alert closure details.
JSON representation:

```
{ "reason": enum (
```

| Field | Description |
|---|---|
| `reason` | Output only. Alert closure reason. |
| `comment` | Output only. Alert closure comment. |
| `rootCause` | Output only. Alert closure root cause. |
| `closingTimeMs` | Output only. Alert closure time as Unix time in milliseconds. |
CloseReason
Alert closure reason.
| Enum | Description |
|---|---|
| `CLOSE_REASON_UNSPECIFIED` | Unspecified close reason. |
| `MALICIOUS` | Case is malicious. |
| `NOT_MALICIOUS` | Case is not malicious. |
| `MAINTENANCE` | Case is in maintenance. |
| `INCONCLUSIVE` | Case is inconclusive. |
| `UNKNOWN` | Case closure reason is unknown. |
LegacyCasePriority
Legacy Case priority.
| Enum | Description |
|---|---|
| `LEGACY_CASE_PRIORITY_UNSPECIFIED` | Case priority is unspecified. |
| `UNCHANGED` | Unchanged case priority. |
| `INFORMATIVE` | Informative case priority. |
| `LOW` | Low case priority. |
| `MEDIUM` | Medium case priority. |
| `HIGH` | High case priority. |
| `CRITICAL` | Critical case priority. |
AlertStatus
Alert status.
| Enum | Description |
|---|---|
| `ALERT_STATUS_UNSPECIFIED` | The alert status is unspecified. |
| `OPEN` | The alert is open. |
| `CLOSE` | The alert is closed. |
InvolvedRelation
Displays a connection between entities for a given alert.
JSON representation:

```
{ "identifier": string, "alertIdentifier": string, "caseId": integer, "relationType": string, "from": { object (
```

| Field | Description |
|---|---|
| `identifier` | Required. The identifier of the relation. |
| `alertIdentifier` | Output only. The identifier of the alert the relation belongs to. |
| `caseId` | Output only. The ID of the case the relation belongs to. |
| `relationType` | Output only. The type of the relation. |
| `from` | Output only. The source of the relation. |
| `to` | Output only. The destination of the relation. |
| `deviceProduct` | Output only. The product. |
| `deviceVendor` | Output only. The vendor. |
| `categoryOutcome` | Output only. The category outcome: `Blocked`, `Allowed` or `null`. |
| `destinationPort` | Output only. The destination port, if relevant. |
| `eventClassId` | Output only. Event display name, for example: Email Check, Data Exfiltration, IRC, etc. |
| `startTime` | Output only. Start time of the involved relation. |
| `endTime` | Output only. End time of the involved relation. |
| `additionalProperties` | Output only. Additional data, stored in JSON format. |
EntityKey
Identifies an entity, used to display connections between entities for a given alert.
JSON representation:

```
{ "identifier": string, "type": string }
```

| Field | Description |
|---|---|
| `identifier` | Output only. The identifier of the entity. |
| `type` | Output only. The type of the entity. |
WorkflowStatus
Workflow status.
| Enum | Description |
|---|---|
| `WORKFLOW_STATUS_UNSPECIFIED` | Unspecified workflow status. |
| `NONE` | Workflow status is none. |
| `IN_PROGRESS` | Workflow is running. |
| `COMPLETED` | Workflow is completed. |
| `FAILED` | Workflow is failed. |
| `TERMINATED` | Workflow is terminated. |
| `PENDING_IN_QUEUE` | Workflow is pending in queue. |
| `PENDING_FOR_USER` | Workflow is pending for user. |
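Putting the schema above to use: an added example (not part of this reference and not the Chronicle API's own client code) that checks a CaseAlert JSON object returned by the API, or hand-built for a playbook, against the documented resource name format and the enum values for `status`, `priority`, `playbookStatus` and `closureDetails.reason`, and groups alerts by `sourceGroupingIdentifier`, the key the text says is used to group alerts into one case. The sample records, project, instance and case IDs are constructed.

```python
import re

# Enum values as documented on this page for the CaseAlert resource.
CLOSE_REASON = {"CLOSE_REASON_UNSPECIFIED", "MALICIOUS", "NOT_MALICIOUS",
                "MAINTENANCE", "INCONCLUSIVE", "UNKNOWN"}
PRIORITY = {"LEGACY_CASE_PRIORITY_UNSPECIFIED", "UNCHANGED", "INFORMATIVE",
            "LOW", "MEDIUM", "HIGH", "CRITICAL"}
ALERT_STATUS = {"ALERT_STATUS_UNSPECIFIED", "OPEN", "CLOSE"}
WORKFLOW_STATUS = {"WORKFLOW_STATUS_UNSPECIFIED", "NONE", "IN_PROGRESS", "COMPLETED",
                   "FAILED", "TERMINATED", "PENDING_IN_QUEUE", "PENDING_FOR_USER"}
# Documented resource name format of a CaseAlert.
NAME_RE = re.compile(r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
                     r"/instances/(?P<instance>[^/]+)/cases/(?P<case>[^/]+)"
                     r"/caseAlerts/(?P<caseAlert>[^/]+)$")

def parse_name(name):
    """Split a CaseAlert resource name into its path components."""
    m = NAME_RE.match(name)
    if m is None:
        raise ValueError(f"not a CaseAlert resource name: {name!r}")
    return m.groupdict()

def validate_alert(alert):
    """Return the schema problems found in one CaseAlert JSON object."""
    problems = []
    if NAME_RE.match(alert.get("name", "")) is None:
        problems.append("name: does not match the documented resource format")
    for field, allowed in (("status", ALERT_STATUS), ("priority", PRIORITY),
                           ("playbookStatus", WORKFLOW_STATUS)):
        if field in alert and alert[field] not in allowed:
            problems.append(f"{field}: {alert[field]!r} is not a documented value")
    closure = alert.get("closureDetails")
    if closure is not None and closure.get("reason") not in CLOSE_REASON:
        problems.append(f"closureDetails.reason: {closure.get('reason')!r} is invalid")
    return problems

def group_by_source(alerts):
    """Group alert names by sourceGroupingIdentifier, the key used to group alerts into a case."""
    groups = {}
    for alert in alerts:
        groups.setdefault(alert.get("sourceGroupingIdentifier"), []).append(alert["name"])
    return groups

# Constructed sample records (not real data); the second uses "CLOSED" where the documented value is "CLOSE".
BASE = "projects/my-proj/locations/us/instances/inst-1/cases/42/caseAlerts/"
SAMPLE_ALERTS = [
    {"name": BASE + "a1", "status": "OPEN", "priority": "HIGH", "playbookStatus": "COMPLETED",
     "sourceGroupingIdentifier": "user:alice"},
    {"name": BASE + "a2", "status": "CLOSED", "priority": "HIGH", "sourceGroupingIdentifier": "user:alice",
     "closureDetails": {"reason": "NOT_MALICIOUS", "comment": "benign"}},
]
```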
Methods
- Get a CaseAlert.
- Get alert overview.
- List CaseAlerts.
- Move CaseAlert to a different case.
- Update a CaseAlert.
- Pause a CaseAlert SLA.
- Resolve alert overview widget.
- Resume a CaseAlert SLA.
- Set CaseAlert SLA.