- Resource: Investigation
- AssociatedSubjects
- Verdict
- InvestigationStatus
- InvestigationNextStep
- Type
- InvestigationTriggerType
- Finding
- Methods
Resource: Investigation
An Investigation is a resource that captures analysis details of a particular threat or incident. It includes a final disposition (e.g., true positive, false positive), confidence score, recommended next steps, and a list of InvestigationStep items (timeline events). Investigation is optionally linked to an Alert via alerts.ids.
| JSON representation |
|---|
| `{ "name": string, "displayName": string, "verdict": enum (` |
| Fields | |
|---|---|
| name | Output only. Identifier. The full resource name of the investigation. Format: `projects/{project}/locations/{location}/instances/{instance}/investigations/{investigation}` |
| displayName | Required. The user-facing label for the investigation. |
| verdict | Optional. The final disposition of the investigation. |
| confidenceScore | Optional. The confidence score of the investigation, in the range [1..100]. |
| recommendedNextSteps[] | Optional. Recommended next steps, if any. This is a list of strings that can be displayed to the user. Use |
| summary | Optional. A short summary or analysis result for this investigation. |
| status | Optional. The current status of the investigation. |
| timeRange | Output only. The time range of the investigation. |
| notebook | Output only. The resource name of the notebook associated with the investigation. Format: `projects/{project}/locations/{location}/instances/{instance}/notebooks/{notebook}` |
| severity | The severity of the investigation. |
| confidence | The level of confidence in the investigation. |
| nextSteps[] | Output only. Recommended next steps, if any. This is a list of strings that can be displayed to the user. |
| triggerType | Output only. The trigger type of the investigation. Not required for manual investigations. |
| experimental | Output only. Whether the investigation is experimental. |
| publishTime | Output only. Time when the investigation was published. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| updateTime | Output only. Time when the investigation was last updated. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| findings[] | Output only. Detailed findings from the investigation. An investigation can have multiple findings. |
| associations[] | Output only. Associations represent metadata about malware and threat actors associated with an Investigation. |
| investigationSteps[] | Output only. Investigation steps taken by Gemini during the investigation. |
| entities[] | Output only. A list of network entities associated with the investigation. |
| Union field `subjects`. The subjects of the investigation, starting with alerts and cases. `subjects` can be only one of the following: | |
| alerts | The list of alerts associated with the investigation. |
| cases | The list of cases associated with the investigation. |
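As an added example (not code from the Google SecOps API reference or its client libraries), the following Python parses a GetInvestigation response into a typed record and enforces the field rules listed above: the `name` format, the required `displayName`, the `[1..100]` range of `confidenceScore`, the one-member rule of the `subjects` union, and RFC 3339 timestamps that may arrive with a non-"Z" offset and up to 9 fractional digits. It also flags the two terminal statuses so a caller knows when to stop polling. The sample response, the `inv-001` identifier, the helper names and the choice of treating an absent `verdict` as `VERDICT_UNSPECIFIED` are assumptions of this example; the instance ID is the one used in the `events[]` example on this page.

```python
"""Parse and validate an Investigation resource as returned by GetInvestigation.

Added example, not code from the Google SecOps API or its client libraries.
Assumption: field names are the camelCase JSON names listed in the reference
above; the SAMPLE response below is constructed by hand.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Format of `name`: projects/{project}/locations/{location}/instances/{instance}/investigations/{investigation}
NAME_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/instances/(?P<instance>[^/]+)/investigations/(?P<investigation>[^/]+)$"
)
TS_RE = re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(\.\d{1,9})?(Z|[+-]\d{2}:\d{2})")
VERDICTS = {"VERDICT_UNSPECIFIED", "TRUE_POSITIVE", "FALSE_POSITIVE"}
# Statuses after which the agent makes no further changes to the investigation.
TERMINAL_STATUSES = {"STATUS_COMPLETED_SUCCESS", "STATUS_COMPLETED_ERROR"}


def parse_rfc3339(value: str) -> datetime:
    """Parse RFC 3339 as documented: output is Z-normalized with 0/3/6/9 fractional
    digits, but other offsets are accepted, so normalize everything to UTC.
    Nanoseconds are truncated to microseconds (datetime's resolution)."""
    m = TS_RE.fullmatch(value)
    if not m:
        raise ValueError(f"not an RFC 3339 timestamp: {value!r}")
    base, frac, offset = m.groups()
    micros = (frac or ".")[1:].ljust(6, "0")[:6]
    tz = "+00:00" if offset == "Z" else offset
    return datetime.fromisoformat(f"{base}.{micros}{tz}").astimezone(timezone.utc)


@dataclass
class Investigation:
    project: str
    location: str
    instance: str
    investigation_id: str
    display_name: str
    verdict: str
    confidence_score: Optional[int]
    status: str
    subject_kind: Optional[str]            # "alerts" or "cases" (union field subjects)
    subject_ids: List[str] = field(default_factory=list)
    publish_time: Optional[datetime] = None
    update_time: Optional[datetime] = None
    findings: List[dict] = field(default_factory=list)

    @property
    def is_terminal(self) -> bool:
        return self.status in TERMINAL_STATUSES


def parse_investigation(doc: dict) -> Investigation:
    m = NAME_RE.match(doc.get("name", ""))
    if not m:
        raise ValueError(f"malformed investigation name: {doc.get('name')!r}")
    if not doc.get("displayName"):
        raise ValueError("displayName is required")
    verdict = doc.get("verdict", "VERDICT_UNSPECIFIED")  # assumption: absent == unspecified
    if verdict not in VERDICTS:
        raise ValueError(f"unknown verdict {verdict!r}")
    score = doc.get("confidenceScore")
    if score is not None and not 1 <= score <= 100:
        raise ValueError(f"confidenceScore {score} outside [1..100]")
    # `subjects` is a union: alerts and cases must not both be present.
    present = [k for k in ("alerts", "cases") if k in doc]
    if len(present) > 1:
        raise ValueError(f"subjects union has several members set: {present}")
    kind = present[0] if present else None
    return Investigation(
        project=m["project"], location=m["location"], instance=m["instance"],
        investigation_id=m["investigation"], display_name=doc["displayName"],
        verdict=verdict, confidence_score=score,
        status=doc.get("status", "STATUS_UNSPECIFIED"), subject_kind=kind,
        subject_ids=list(doc[kind].get("ids", [])) if kind else [],
        publish_time=parse_rfc3339(doc["publishTime"]) if "publishTime" in doc else None,
        update_time=parse_rfc3339(doc["updateTime"]) if "updateTime" in doc else None,
        findings=list(doc.get("findings", [])),
    )


# Constructed sample response; the instance ID is the one from the events[] example.
SAMPLE = {
    "name": "projects/123/locations/us/instances/c17c06a4-7a45-4b1d-aaa9-d8bd5c6cb331/investigations/inv-001",
    "displayName": "Encoded PowerShell download cradle on host-42",
    "verdict": "TRUE_POSITIVE",
    "confidenceScore": 87,
    "status": "STATUS_COMPLETED_SUCCESS",
    "publishTime": "2024-05-01T12:00:00.123456789Z",   # 9 fractional digits, Z-normalized
    "updateTime": "2024-05-01T14:30:00+02:00",         # non-Z offset, accepted on input
    "alerts": {"ids": ["alert-1", "alert-2"]},
}

if __name__ == "__main__":
    inv = parse_investigation(SAMPLE)
    print(f"{inv.display_name}: {inv.verdict} {inv.confidence_score}/100, status={inv.status}, "
          f"terminal={inv.is_terminal}, {inv.subject_kind}={inv.subject_ids}, "
          f"updated={inv.update_time.isoformat()}")
```

Rejecting a response that sets both `alerts` and `cases`, or a `confidenceScore` outside the documented range, is deliberate: a consumer that silently picks one member of the union or clamps the score will make triage decisions on data the server never produced.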
AssociatedSubjects
AssociatedSubjects is a wrapper for a list of ids.
| JSON representation |
|---|
| `{ "ids": [ string ] }` |

| Fields | |
|---|---|
| ids[] | Output only. IDs of associated subjects. |
Verdict
The final disposition assigned by the agent.
| Enums | |
|---|---|
| VERDICT_UNSPECIFIED | An unspecified verdict. |
| TRUE_POSITIVE | A categorization of the finding as a "true positive". |
| FALSE_POSITIVE | A categorization of the finding as a "false positive". |
InvestigationStatus
| Enums | |
|---|---|
| STATUS_UNSPECIFIED | The status of the investigation is unspecified. |
| STATUS_NOT_STARTED | The investigation has not started. |
| STATUS_IN_PROGRESS | The investigation is in progress. |
| STATUS_COMPLETED_SUCCESS | The investigation has been completed successfully. |
| STATUS_COMPLETED_ERROR | The investigation has been completed with an error. |
| STATUS_PENDING | The investigation is in a pending state. |
InvestigationNextStep
InvestigationNextStep contains the recommended next steps for an investigation.
| JSON representation |
|---|
| `{ "title": string, "type": enum (` |

| Fields | |
|---|---|
| title | Output only. The recommended next step for the investigation. |
| type | Output only. The type of the recommended next step. |
Type
The type of the recommended next steps.
| Enums | |
|---|---|
| TYPE_UNSPECIFIED | The next step type is unknown. |
| SEARCHABLE | The next step is searchable. |
| MANUAL | The next step is manual. |
InvestigationTriggerType
The trigger type of the investigation.
| Enums | |
|---|---|
| INVESTIGATION_TRIGGER_TYPE_UNSPECIFIED | The trigger type is unknown. |
| AGENT_MANUAL | The investigation was triggered manually through the agent. |
| AGENT_AUTO | The investigation was triggered automatically by the agent. |
| MTD_ALERT | The investigation was triggered by an MTD alert. |
| MTD_HUNT | The investigation was triggered by an MTD hunt. |
Finding
Findings from the investigation.
| JSON representation |
|---|
| `{ "narrative": string, "secopsQueryUri": string, "events": [ string ], "eventTime": string }` |

| Fields | |
|---|---|
| narrative | Output only. A detailed analysis summary provided by the Mandiant Analyst. |
| secopsQueryUri | Output only. The URI path to the SecOps search page for the events. For example: |
| events[] | Output only. The UDM events associated with the finding. Example: `events: ["projects/123/locations/us/instances/c17c06a4-7a45-4b1d-aaa9-d8bd5c6cb331/events/event1", "projects/123/locations/us/instances/c17c06a4-7a45-4b1d-aaa9-d8bd5c6cb331/events/event2"]` |
| eventTime | The timestamp of the first event found in the finding. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
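Because a Finding carries references (event resource names and a search URI path) that a consumer will typically turn into pivots or links for an analyst, it is worth cross-checking them against the investigation that owns the finding before doing so. The following Python is an added example, not code from the Google SecOps API or its client libraries. It assumes event names follow the format shown in the `events[]` example above and that a finding should only reference events in the investigation's own project, location and instance; treating `secopsQueryUri` as a same-origin path before rendering it as a link is a defensive choice of this example, not a rule stated on the page. The sample finding, its query path and the `event3` instance ID are constructed.

```python
"""Cross-check a Finding's references against the investigation that owns it.

Added example, not code from the Google SecOps API or its client libraries.
Assumptions: event resource names follow the format shown in the events[]
example above; an investigation should reference events only within its own
project/location/instance; the sample finding below is constructed.
"""
import re
from typing import Dict, List

# Shared prefix of investigation and event resource names, up to the instance.
INSTANCE_PREFIX_RE = re.compile(
    r"^(projects/[^/]+/locations/[^/]+/instances/[^/]+)/(investigations|events)/[^/]+$"
)


def instance_prefix(resource_name: str) -> str:
    """Return 'projects/.../locations/.../instances/...' or raise if malformed."""
    m = INSTANCE_PREFIX_RE.match(resource_name)
    if not m:
        raise ValueError(f"malformed resource name: {resource_name!r}")
    return m.group(1)


def query_uri_is_local_path(uri: str) -> bool:
    """secopsQueryUri is documented as a URI path. Defensive assumption of this
    example: only link to it if it is a same-origin path (leading '/', no scheme,
    no '//' authority), so a malformed or tampered value cannot send the analyst
    to another host."""
    return uri.startswith("/") and not uri.startswith("//") and "://" not in uri


def check_finding(investigation_name: str, finding: dict) -> Dict[str, object]:
    """Report events outside the investigation's instance (malformed names count
    as foreign, since they cannot be proven in scope) and whether the query URI
    is safe to render as a link."""
    scope = instance_prefix(investigation_name)
    foreign: List[str] = []
    for event in finding.get("events", []):
        try:
            if instance_prefix(event) != scope:
                foreign.append(event)
        except ValueError:
            foreign.append(event)
    return {
        "foreign_events": foreign,
        "query_uri_ok": query_uri_is_local_path(finding.get("secopsQueryUri", "")),
    }


INVESTIGATION = (
    "projects/123/locations/us/instances/c17c06a4-7a45-4b1d-aaa9-d8bd5c6cb331/investigations/inv-001"
)

# Constructed sample finding: two in-scope events and one from another instance.
SAMPLE_FINDING = {
    "narrative": "Encoded PowerShell fetched a second-stage payload from a newly registered domain.",
    "secopsQueryUri": "/search?query=metadata.event_type%3D%22NETWORK_HTTP%22",  # constructed path
    "events": [
        "projects/123/locations/us/instances/c17c06a4-7a45-4b1d-aaa9-d8bd5c6cb331/events/event1",
        "projects/123/locations/us/instances/c17c06a4-7a45-4b1d-aaa9-d8bd5c6cb331/events/event2",
        "projects/123/locations/us/instances/0f6f1ab2-0000-4000-8000-000000000000/events/event3",
    ],
    "eventTime": "2024-05-01T11:58:03.250Z",
}

if __name__ == "__main__":
    report = check_finding(INVESTIGATION, SAMPLE_FINDING)
    print(f"foreign events: {report['foreign_events']}")
    print(f"query URI safe to link: {report['query_uri_ok']}")
```

A foreign event is not necessarily an error in the API response, but it is something a pipeline should surface rather than silently pivot on, since it means the finding points at data outside the tenant scope the analyst is working in.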
Methods
- GetInvestigation is used to retrieve an investigation.
- ListInvestigations is used to retrieve existing investigations for a given instance.
- Custom method to manually trigger an investigation for a given alert.