Method: iocs.searchCuratedDetectionsForIoc

Full name: projects.locations.instances.iocs.searchCuratedDetectionsForIoc

Search curated detections for an Ioc.

HTTP request

GET https://chronicle.googleapis.com/v1alpha/{name}:searchCuratedDetectionsForIoc

Path parameters

Parameters
name

string

Required. projects/{project}/locations/{location}/instances/{instance}/iocs/{ioc}

Query parameters

Parameters
timestampRange

object (Interval)

Optional. Time range in which we want to find detections.
pageSize

integer

Optional. The maximum number of detections to return. Max is 10000, anything over max will be coerced to max.
pageToken

string

Optional. A page token, received from a previous SearchDetectionEventsForIoC call. Provide this to retrieve the subsequent page. When paginating, all other parameters provided to SearchDetectionEventsForIoC must match the call that provided the page token.

Request body

The request body must be empty.

Response body

Response message to search for curated detection of an Ioc

If successful, the response body contains data with the following structure:

JSON representation 
{
  "detections": [
    {
      object (LegacyIocCuratedDetection)
    }
  ],
  "artifact_indicator": {
    object (IocArtifactIndicator)
  },
  "next_page_token": string
}
Fields
detections[]

object (LegacyIocCuratedDetection)

List of all detection to be displayed.
artifact_indicator

object (IocArtifactIndicator)

Metadata about the artifact of interest.
next_page_token

string

A token that can be sent as page_token to retrieve the next page. If this field is omitted, there are no subsequent pages.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

IAM Permissions

Requires the following IAM permission on the name resource:

  • chronicle.iocs.searchCuratedDetectionsForIoc

For more information, see the IAM documentation.

LegacyIocCuratedDetection

Described the detections generated by curated rules.

JSON representation 
{
  "priority": enum (Priority),
  "ic_score": integer,
  "device_action": enum (Action),
  "asset_hostname": string,
  "asset_ip": string,
  "log_source": string,
  "user_id": string,
  "detection_id": string,
  "detection_time": string
}
Fields
priority

enum (Priority)

The priority of a detection.
ic_score

integer (uint32 format)

Optional. Mandiant Scoring on severity of maliciousness.
device_action

enum (Action)

Device action tells whether the detection id blocked or not.
asset_hostname

string

Hostname of the asset of the detection.
asset_ip

string

IP address of the asset of the detection.
log_source

string

Source of the detection log.
user_id

string

User ID.
detection_id

string (bytes format)

Detection ID.

A base64-encoded string.
detection_time

string (Timestamp format)

Detection time of a detection.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".