REST Resource: projects.locations.instances.findingsRefinements

Resource: FindingsRefinement

Represents a set of logic conditions used to refine various types of findings such as curated rule detections.

JSON representation
{
  "name": string,
  "displayName": string,
  "type": enum (FindingsRefinementType),
  "createTime": string,
  "updateTime": string,
  "query": string,
  "outcomeFilters": [
    {
      object (OutcomeFilter)
    }
  ]
}
Fields
name

string

Full resource name for the findings refinement. Format: projects/{project}/locations/{region}/instances/{instance}/findingsRefinements/{findingsRefinement}

displayName

string

Display name of the findings refinement.

type

enum (FindingsRefinementType)

The type of findings refinement.

createTime

string (Timestamp format)

Output only. The timestamp of when the findings refinement was created.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

updateTime

string (Timestamp format)

Output only. The timestamp of when the findings refinement was last updated.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

query

string

The query for the findings refinement. Works in conjunction with the type field to determine the findings refinement behavior. The syntax of this query is the same as a UDM search string. See the following for more information: https://cloud.google.com/chronicle/docs/investigation/udm-search

outcomeFilters[]

object (OutcomeFilter)

Optional. The outcome filters for the findings refinement. These allow you to specify filters that are applied to the outcome variables in the detection. All filters must be true for a detection to match the findings refinement.

FindingsRefinementType

The type of findings refinement, which determines what the findings refinement runs over and the mechanism by which it runs.

Enums
FINDINGS_REFINEMENT_TYPE_UNSPECIFIED: The findings refinement type is unspecified.
DETECTION_EXCLUSION: Indicates that the findings refinement is a detection exclusion and should exclude matching detections.

OutcomeFilter

Outcome filter for the findings refinement. It is used to decide whether a detection matches the findings refinement, based on the values of the detection's outcome variables.

JSON representation
{
  "outcomeVariable": string,
  "outcomeValue": string,
  "outcomeFilterOperator": enum (Operator)
}
Fields
outcomeVariable

string

Required. The outcome variable name.

outcomeValue

string

Required. The value of the outcome variable to match.

outcomeFilterOperator

enum (Operator)

Required. The operator to be applied to the outcome variable.

Operator

The operator to compare the outcome variable value with the outcome value in the outcome filter.

Enums
OPERATOR_UNSPECIFIED: The operator is unspecified.
EQUAL: The outcome variable value must be equal to the outcome value in the outcome filter.
CONTAINS: The outcome variable value must contain the outcome value in the outcome filter.
MATCHES_REGEX: The outcome variable value must match the regular expression given as the outcome value in the outcome filter.
MATCHES_CIDR: The outcome variable value must be a valid IP address that falls within the CIDR range given as the outcome value in the outcome filter.
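The following is an added example, not code from the API reference or from Google SecOps, showing how a detection engineer can reason about the OutcomeFilter and Operator semantics above: every filter of a DETECTION_EXCLUSION refinement must hold (AND) for a detection to be excluded. The refinement, the detection's outcome variables (assumed to be a name-to-string mapping), the regex semantics (re.search) and the placeholder resource name are assumptions of this example; the UDM query field is not evaluated.

```python
import ipaddress
import re

# Constructed sample: a DETECTION_EXCLUSION refinement with one filter per
# non-trivial Operator. The resource name uses placeholder segments.
SAMPLE_REFINEMENT = {
    "name": "projects/EXAMPLE/locations/us/instances/EXAMPLE/findingsRefinements/EXAMPLE",
    "displayName": "Exclude authorised vulnerability scanner",
    "type": "DETECTION_EXCLUSION",
    "query": "",  # the UDM query part is not evaluated by this example
    "outcomeFilters": [
        {"outcomeVariable": "source_ip", "outcomeValue": "10.20.0.0/16",
         "outcomeFilterOperator": "MATCHES_CIDR"},
        {"outcomeVariable": "user_agent", "outcomeValue": "scanner",
         "outcomeFilterOperator": "CONTAINS"},
        {"outcomeVariable": "hostname", "outcomeValue": r"^vulnscan-\d+$",
         "outcomeFilterOperator": "MATCHES_REGEX"},
    ],
}
# Constructed outcome variables of one detection (assumed: name -> string).
SAMPLE_OUTCOMES = {"source_ip": "10.20.5.17", "user_agent": "corp-vulnscanner/2.1",
                   "hostname": "vulnscan-03"}


def filter_matches(flt: dict, outcomes: dict) -> bool:
    """Evaluate one OutcomeFilter against a detection's outcome variables."""
    actual = outcomes.get(flt["outcomeVariable"])
    if actual is None:
        return False  # variable not present on this detection: no match
    expected, op = flt["outcomeValue"], flt["outcomeFilterOperator"]
    if op == "EQUAL":
        return actual == expected
    if op == "CONTAINS":
        return expected in actual
    if op == "MATCHES_REGEX":
        return re.search(expected, actual) is not None  # assumed: match anywhere
    if op == "MATCHES_CIDR":
        try:  # an invalid IP or CIDR is a non-match, not an error
            return ipaddress.ip_address(actual) in ipaddress.ip_network(expected, strict=False)
        except ValueError:
            return False
    return False  # OPERATOR_UNSPECIFIED or unknown operator never matches


def should_exclude(refinement: dict, outcomes: dict) -> bool:
    """True when a DETECTION_EXCLUSION refinement's filters all hold (AND)."""
    if refinement.get("type") != "DETECTION_EXCLUSION":
        return False
    return all(filter_matches(f, outcomes) for f in refinement.get("outcomeFilters", []))
```

Note that a detection with a source IP outside the CIDR, or with any one filter failing, is not excluded; a filter against a missing variable or a malformed IP also fails closed rather than raising.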

Methods

computeFindingsRefinementActivity

Returns findings refinement activity for a specific findings refinement.

create

Creates a new findings refinement.

get

Gets a single findings refinement.

getDeployment

Gets a findings refinement deployment.

list

Lists a collection of findings refinements.

patch

Updates a findings refinement.

updateDeployment

Updates a findings refinement deployment.