Resource: FindingsRefinement
Represents a set of logic conditions used to refine various types of findings such as curated rule detections.
JSON representation

```
{
  "name": string,
  "displayName": string,
  "type": enum (FindingsRefinementType),
  "createTime": string,
  "updateTime": string,
  "query": string,
  "outcomeFilters": [
    {
      object (OutcomeFilter)
    }
  ]
}
```
Field | Description
---|---
name | Full resource name for the findings refinement. Format: `projects/{project}/locations/{region}/instances/{instance}/findingsRefinements/{findingsRefinement}`
displayName | Display name of the findings refinement.
type | The type of findings refinement (see FindingsRefinementType).
createTime | Output only. The timestamp of when the findings refinement was created. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples:
updateTime | Output only. The timestamp of when the findings refinement was last updated. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples:
query | The query for the findings refinement. Works in conjunction with the `type` field to determine the findings refinement behavior. The syntax of this query is the same as a UDM search string. See https://cloud.google.com/chronicle/docs/investigation/udm-search for more information.
outcomeFilters[] | Optional. The outcome filters for the findings refinement. These allow you to specify filters that are applied to the outcome variables in the detection. All filters must be true for a detection to match the findings refinement.
FindingsRefinementType
The type of findings refinement, which determines what the findings refinement runs over and the mechanism by which it runs.
Enum | Description
---|---
FINDINGS_REFINEMENT_TYPE_UNSPECIFIED | The findings refinement type is unspecified.
DETECTION_EXCLUSION | Indicates that the findings refinement is a detection exclusion and should exclude matching detections.
OutcomeFilter
Outcome filter for the findings refinement. This is used to filter the findings refinement based on the outcome variable values.
JSON representation

```
{
  "outcomeVariable": string,
  "outcomeValue": string,
  "outcomeFilterOperator": enum (Operator)
}
```
Field | Description
---|---
outcomeVariable | Required. The outcome variable name.
outcomeValue | Required. The value of the outcome variable to match.
outcomeFilterOperator | Required. The operator to be applied to the outcome variable (see Operator).
Operator
The operator to compare the outcome variable value with the outcome value in the outcome filter.
Enum | Description
---|---
OPERATOR_UNSPECIFIED | The operator is unspecified.
EQUAL | The outcome variable value must be equal to the outcome value in the outcome filter.
CONTAINS | The outcome variable value must contain the outcome value in the outcome filter.
MATCHES_REGEX | The outcome variable value must match the regex given as the outcome value in the outcome filter.
MATCHES_CIDR | The outcome variable value must be a valid IP address that falls within the CIDR range given as the outcome value in the outcome filter.
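To make the outcomeFilters semantics above concrete (every filter must hold for a DETECTION_EXCLUSION to suppress a detection, with one comparison per Operator value), here is an added, self-contained evaluator. It is not Chronicle's own code: the sample refinement and outcome variables are constructed, and the regex match being an unanchored search is an assumption, as is treating an invalid IP or an unspecified operator as a non-match.

```python
import ipaddress
import re

# Constructed sample: a detection exclusion whose outcome filters must ALL
# match before a detection is excluded ("all filters must be true").
EXCLUSION = {
    "displayName": "Suppress authorised scanner traffic from the VA subnet",
    "type": "DETECTION_EXCLUSION",
    "query": 'principal.hostname = "va-scanner"',  # UDM search string
    "outcomeFilters": [
        {"outcomeVariable": "risk_score", "outcomeValue": "10",
         "outcomeFilterOperator": "EQUAL"},
        {"outcomeVariable": "source_ip", "outcomeValue": "10.20.0.0/16",
         "outcomeFilterOperator": "MATCHES_CIDR"},
        {"outcomeVariable": "process", "outcomeValue": r"^nmap(\.exe)?$",
         "outcomeFilterOperator": "MATCHES_REGEX"},
    ],
}

def filter_matches(value, outcome_filter):
    """Apply one OutcomeFilter to a single outcome variable value (a string)."""
    op = outcome_filter["outcomeFilterOperator"]
    expected = outcome_filter["outcomeValue"]
    if op == "EQUAL":
        return value == expected
    if op == "CONTAINS":
        return expected in value
    if op == "MATCHES_REGEX":
        return re.search(expected, value) is not None  # assumption: unanchored search
    if op == "MATCHES_CIDR":
        try:  # value must be a valid IP address inside the filter's CIDR range
            return ipaddress.ip_address(value) in ipaddress.ip_network(expected, strict=False)
        except ValueError:
            return False
    # OPERATOR_UNSPECIFIED or unknown operator: never matches, so nothing is
    # silently excluded by a misconfigured filter (assumed conservative default).
    return False

def detection_excluded(outcome_variables, refinement):
    """True when the refinement is a DETECTION_EXCLUSION and every outcome filter holds."""
    if refinement["type"] != "DETECTION_EXCLUSION":
        return False
    for f in refinement.get("outcomeFilters", []):
        value = outcome_variables.get(f["outcomeVariable"])
        if value is None or not filter_matches(str(value), f):
            return False  # a missing variable or one failed filter keeps the detection
    return True
```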
Methods

- Returns findings refinement activity for a specific findings refinement.
- Creates a new findings refinement.
- Gets a single findings refinement.
- Gets a findings refinement deployment.
- Lists a collection of findings refinements.
- Updates a findings refinement.
- Updates a findings refinement deployment.