Full name: projects.locations.instances.legacy.legacyCreateSoarAlert
RPC for creating a SOAR alert. This is used by Chronicle SOAR to ingest alerts it pulls from other SIEMs.
HTTP request
Path parameters
Parameters | Description
---|---
instance | Required. Chronicle instance this request is sent to. Format: `projects/{project}/locations/{location}/instances/{instance}`
Request body
The request body contains data with the following structure:
JSON representation
```json
{
  "soarAlert": {
    object (LegacySoarAlert)
  }
}
```
Fields | Description
---|---
soarAlert | Required. The alert to be created.
Response body
If successful, the response body contains data with the following structure. LegacySoarAlert is a representation of alerts coming from other SIEMs via Chronicle SOAR.
JSON representation
```json
{
  "soarAlertId": string,
  "startTime": string,
  "endTime": string,
  "detectionTime": string,
  "sourceRule": string,
  "sourceSystemUri": string,
  "vendor": string,
  "sourceSystem": string,
  "product": string,
  "originalTicketId": string,
  "priority": string,
  "severity": string,
  "events": [
    {
      object (SoarEvent)
    }
  ],
  "description": string,
  "summary": string,
  "name": string,
  "alertGroupId": string,
  "soarCreateTime": string
}
```
Fields | Description
---|---
soarAlertId | Optional. ID of the alert in the Chronicle SOAR product.
startTime | Optional. Start time of the window for which the alert was generated. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples:
endTime | Optional. End time of the window for which the alert was generated. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples:
detectionTime | Optional. Time when the alert was detected. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples:
sourceRule | Optional. Name of the rule that triggered the alert in the source SIEM.
sourceSystemUri | Optional. URI of the source SIEM system.
vendor | Optional. Name of the vendor.
sourceSystem | Optional. Name of the source SIEM system.
product | Optional. Name of the product the alert is coming from.
originalTicketId | Optional. Ticket ID for the alert in the source SIEM system.
priority | Optional. Priority of the alert.
severity | Optional. Severity of the alert.
events[] | Optional. List of events (SoarEvent) related to the alert.
description | Optional. Description of the event.
summary | Optional. Summary of the event.
name | Optional. Name of the alert in the SecOps platform.
alertGroupId | Optional. The alert identifier in SOAR, which is unique per customer. This field is used to enforce idempotency of the CreateSoarAlert API.
soarCreateTime | Optional. Time when the alert was created in SOAR. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples:
Authorization scopes
Requires the following OAuth scope:
https://www.googleapis.com/auth/cloud-platform
For more information, see the Authentication Overview.
SoarEvent
SoarEvent is a representation of events coming from other SIEMs via Chronicle SOAR. These fields map to the fields in the Chronicle SOAR event model.
JSON representation
```json
{
  "eventId": string,
  "startTime": string,
  "endTime": string,
  "eventTime": string,
  "receiptTime": string,
  "managerReceiptTime": string,
  "eventMessage": string,
  "eventDescription": string,
  "sourceUser": string,
  "sourceHost": string,
  "sourceDomain": string,
  "sourceIpAddress": string,
  "sourceMacAddress": string,
  "sourceUserId": string,
  "sourceProcessPid": string,
  "sourceDnsDomain": string,
  "sourceNtDomain": string,
  "destinationUser": string,
  "destinationDomain": string,
  "destinationHost": string,
  "destinationDnsDomain": string,
  "destinationNtDomain": string,
  "destinationPort": string,
  "destinationIpAddress": string,
  "destinationProcessPid": string,
  "destinationUri": string,
  "destinationMacAddress": string,
  "genericEntity": string,
  "phoneNumber": string,
  "emailSubject": string,
  "cve": string,
  "threatActor": string,
  "threatCampaign": string,
  "threatSignature": string,
  "threat": string,
  "categoryOutcome": string,
  "deployment": string,
  "transportProtocol": string,
  "applicationProtocol": string,
  "processPid": string,
  "parentProcessPid": string,
  "ruleGenerator": string,
  "file": string,
  "fileHash": string,
  "fileType": string,
  "vendor": string,
  "product": string,
  "usb": string
}
```
Fields | Description
---|---
eventId | Optional. ID of the event in Chronicle SOAR.
startTime | Optional. Start time of the window containing the event. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples:
endTime | Optional. End time of the window containing the event. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples:
eventTime | Optional. The timestamp when the event occurred. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples:
receiptTime | Optional. The timestamp when the event was received. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples:
managerReceiptTime | Optional. The timestamp when the event was received by the manager. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples:
eventMessage | Optional. Message describing or related to the event.
eventDescription | Optional. Description of the event.
sourceUser | Optional. Username of the source user.
sourceHost | Optional. Hostname of the source.
sourceDomain | Optional. Domain of the source.
sourceIpAddress | Optional. IP address of the source system.
sourceMacAddress | Optional. MAC address of the source system.
sourceUserId | Optional. User ID of the source system.
sourceProcessPid | Optional. Process ID (PID) of the source process.
sourceDnsDomain | Optional. DNS domain of the source.
sourceNtDomain | Optional. Administrative domain of the source.
destinationUser | Optional. Destination attributes. Username of the destination user.
destinationDomain | Optional. Domain of the destination.
destinationHost | Optional. Hostname of the destination user.
destinationDnsDomain | Optional. DNS domain of the destination.
destinationNtDomain | Optional. Administrative domain of the destination.
destinationPort | Optional. Port of the target destination.
destinationIpAddress | Optional. IP address of the destination user.
destinationProcessPid | Optional. Process ID (PID) of the destination process.
destinationUri | Optional. URI of the target.
destinationMacAddress | Optional. MAC address of the destination system.
genericEntity | Optional. Generic entity; maps to target details.
phoneNumber | Optional. Phone number of the user.
emailSubject | Optional. Subject of the related email.
cve | Optional. Threat attributes. CVE ID.
threatActor | Optional. Threat actor.
threatCampaign | Optional. Threat campaign.
threatSignature | Optional. Threat signature.
threat | Optional. Threat summary or threat name.
categoryOutcome | Optional. Outcome or action taken on the threat.
deployment | Optional. Cloud project name.
transportProtocol | Optional. Transport protocol.
applicationProtocol | Optional. Application protocol.
processPid | Optional. Process ID (PID).
parentProcessPid | Optional. Parent process ID.
ruleGenerator | Optional. Rule generator.
file | Optional. Full path of the associated file.
fileHash | Optional. SHA-256, SHA-1 or MD5 hash of the associated file.
fileType | Optional. File type.
vendor | Optional. Name of the vendor.
product | Optional. Name of the product the alert is coming from.
usb | Optional. Name of the USB device.
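As an added example (not Google's client code), the following Python builds a legacyCreateSoarAlert request body from the LegacySoarAlert and SoarEvent fields above, checks the instance path format, requires alertGroupId because that is the field the API uses for idempotency, and rejects timestamps that are not in the Z-normalized RFC 3339 form the field descriptions document. The endpoint URL is not given on this page, so the example stops at the validated body; the instance ID, ticket numbers and hostnames are constructed sample values.

```python
import re
from datetime import datetime, timedelta, timezone

# Canonical form the field docs give for timestamps: Z-normalized RFC 3339, 0/3/6/9 fractional digits.
_RFC3339_Z = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.(\d{3}|\d{6}|\d{9}))?Z$")
_INSTANCE = re.compile(r"^projects/[^/]+/locations/[^/]+/instances/[^/]+$")
ALERT_TIME_FIELDS = ("startTime", "endTime", "detectionTime", "soarCreateTime")
EVENT_TIME_FIELDS = ("startTime", "endTime", "eventTime", "receiptTime", "managerReceiptTime")


def rfc3339_z(ts: datetime) -> str:
    """Render an aware datetime as Z-normalized RFC 3339 (6 fractional digits only when non-zero)."""
    if ts.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    ts = ts.astimezone(timezone.utc)
    out = ts.strftime("%Y-%m-%dT%H:%M:%S")
    if ts.microsecond:
        out += ".%06d" % ts.microsecond
    return out + "Z"


def build_request(instance: str, alert: dict) -> dict:
    """Check the documented field rules, then wrap the alert as the request body."""
    if not _INSTANCE.match(instance):
        raise ValueError("instance must be projects/{project}/locations/{location}/instances/{instance}")
    # alertGroupId enforces idempotency: a retried request without it can create a duplicate alert.
    if not alert.get("alertGroupId"):
        raise ValueError("alertGroupId is required so retries are idempotent")
    checks = [(f"soarAlert.{k}", alert[k]) for k in ALERT_TIME_FIELDS if k in alert]
    for i, ev in enumerate(alert.get("events", [])):
        checks += [(f"events[{i}].{k}", ev[k]) for k in EVENT_TIME_FIELDS if k in ev]
    for path, value in checks:
        if not _RFC3339_Z.match(value):
            raise ValueError(f"{path} is not Z-normalized RFC 3339: {value!r}")
    return {"instance": instance, "body": {"soarAlert": alert}}


def sample_request() -> dict:
    """Constructed sample: one alert with one event, detected in a UTC+2 zone."""
    detected = datetime(2024, 5, 1, 10, 30, 15, 250000, tzinfo=timezone(timedelta(hours=2)))
    alert = {
        "alertGroupId": "examplesiem-48213",  # constructed idempotency key
        "originalTicketId": "48213", "sourceSystem": "ExampleSIEM", "vendor": "Example Corp",
        "product": "Example SIEM", "sourceRule": "Removable media mounted on workstation",
        "severity": "HIGH", "priority": "P2",
        "detectionTime": rfc3339_z(detected),  # "2024-05-01T08:30:15.250000Z"
        "events": [{"eventId": "evt-1", "eventTime": rfc3339_z(detected), "sourceHost": "ws-0042",
                    "sourceUser": "jdoe", "usb": "Generic Flash Disk"}],
    }
    # INSTANCE_ID is a placeholder; use your own project, location and instance.
    return build_request("projects/example-proj/locations/us/instances/INSTANCE_ID", alert)
```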