Method: legacy.legacyCreateSoarAlert

Full name: projects.locations.instances.legacy.legacyCreateSoarAlert

RPC for creating a SOAR alert. This is used by Chronicle SOAR to ingest alerts it pulls from other SIEMs.

HTTP request


Path parameters

Parameters
instance

string

Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}

Request body

The request body contains data with the following structure:

JSON representation
{
  "soarAlert": {
    object (LegacySoarAlert)
  }
}
Fields
soarAlert

object (LegacySoarAlert)

Required. The alert to be created.

Response body

LegacySoarAlert is a representation of alerts coming from other SIEMs via Chronicle SOAR.

If successful, the response body contains data with the following structure:

JSON representation
{
  "soarAlertId": string,
  "startTime": string,
  "endTime": string,
  "detectionTime": string,
  "sourceRule": string,
  "sourceSystemUri": string,
  "vendor": string,
  "sourceSystem": string,
  "product": string,
  "originalTicketId": string,
  "priority": string,
  "severity": string,
  "events": [
    {
      object (SoarEvent)
    }
  ],
  "description": string,
  "summary": string,
  "name": string,
  "alertGroupId": string,
  "soarCreateTime": string
}
Fields
soarAlertId

string

Optional. ID of the alert in the Chronicle SOAR product.

startTime

string (Timestamp format)

Optional. Represents the startTime of the window for which an alert was generated.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

endTime

string (Timestamp format)

Optional. Represents the endTime of the window for which an alert was generated.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

detectionTime

string (Timestamp format)

Optional. Represents the time when the alert was detected.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

sourceRule

string

Optional. Name of the rule triggering the alert in the Source SIEM.

sourceSystemUri

string

Optional. URI of the source SIEM system.

vendor

string

Optional. Name of the vendor.

sourceSystem

string

Optional. Name of the Source SIEM system.

product

string

Optional. Name of the product the alert is coming from.

originalTicketId

string

Optional. Ticket ID for the alert in the source SIEM system.

priority

string

Optional. Priority of the alert.

severity

string

Optional. Severity of the alert.

events[]

object (SoarEvent)

Optional. List of Events related to the alert.

description

string

Optional. Description of the event.

summary

string

Optional. Summary of the event.

name

string

Optional. Name of the alert in the SecOps platform.

alertGroupId

string

Optional. The alert identifier in SOAR, unique per customer. This field is used to enforce idempotency of the CreateSoarAlert API.

soarCreateTime

string (Timestamp format)

Optional. Represents the time when the alert was created in SOAR.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

SoarEvent

SoarEvent is a representation of events coming from other SIEMs via Chronicle SOAR. These fields map to the fields in the Chronicle SOAR event model.

JSON representation
{
  "eventId": string,
  "startTime": string,
  "endTime": string,
  "eventTime": string,
  "receiptTime": string,
  "managerReceiptTime": string,
  "eventMessage": string,
  "eventDescription": string,
  "sourceUser": string,
  "sourceHost": string,
  "sourceDomain": string,
  "sourceIpAddress": string,
  "sourceMacAddress": string,
  "sourceUserId": string,
  "sourceProcessPid": string,
  "sourceDnsDomain": string,
  "sourceNtDomain": string,
  "destinationUser": string,
  "destinationDomain": string,
  "destinationHost": string,
  "destinationDnsDomain": string,
  "destinationNtDomain": string,
  "destinationPort": string,
  "destinationIpAddress": string,
  "destinationProcessPid": string,
  "destinationUri": string,
  "destinationMacAddress": string,
  "genericEntity": string,
  "phoneNumber": string,
  "emailSubject": string,
  "cve": string,
  "threatActor": string,
  "threatCampaign": string,
  "threatSignature": string,
  "threat": string,
  "categoryOutcome": string,
  "deployment": string,
  "transportProtocol": string,
  "applicationProtocol": string,
  "processPid": string,
  "parentProcessPid": string,
  "ruleGenerator": string,
  "file": string,
  "fileHash": string,
  "fileType": string,
  "vendor": string,
  "product": string,
  "usb": string
}
Fields
eventId

string

Optional. ID of the event in Chronicle SOAR.

startTime

string (Timestamp format)

Optional. Start time of the window containing the event.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

endTime

string (Timestamp format)

Optional. End time of the window containing the event.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

eventTime

string (Timestamp format)

Optional. The timestamp when the event occurred.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

receiptTime

string (Timestamp format)

Optional. The timestamp when the event was received.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

managerReceiptTime

string (Timestamp format)

Optional. The timestamp when the event was received by the manager.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

eventMessage

string

Optional. Message describing/related to the event.

eventDescription

string

Optional. Description of the event.

sourceUser

string

Optional. Username of the source user.

sourceHost

string

Optional. Hostname of the source.

sourceDomain

string

Optional. Domain of the source.

sourceIpAddress

string

Optional. IP address of the source system.

sourceMacAddress

string

Optional. MAC address of the source system.

sourceUserId

string

Optional. User ID of the source system.

sourceProcessPid

string

Optional. Process ID (PID) of the source process.

sourceDnsDomain

string

Optional. DNS domain of the source.

sourceNtDomain

string

Optional. Administrative domain of the source.

destinationUser

string

Optional. Username of the destination user.

destinationDomain

string

Optional. Domain of the destination.

destinationHost

string

Optional. Hostname of the destination.

destinationDnsDomain

string

Optional. DNS domain of the destination.

destinationNtDomain

string

Optional. Administrative domain of the destination.

destinationPort

string

Optional. Port of the target destination.

destinationIpAddress

string

Optional. IP address of the destination.

destinationProcessPid

string

Optional. Process ID (PID) of the destination process.

destinationUri

string

Optional. URI of the target.

destinationMacAddress

string

Optional. MAC address of the destination system.

genericEntity

string

Optional. Generic Entity maps to target details.

phoneNumber

string

Optional. Phone number of the user.

emailSubject

string

Optional. Subject of the related email.

cve

string

Optional. CVE ID of the threat.

threatActor

string

Optional. Threat actor.

threatCampaign

string

Optional. Threat campaign.

threatSignature

string

Optional. Threat signature.

threat

string

Optional. Threat summary or threat name of the threat.

categoryOutcome

string

Optional. Outcome/Action on the threat.

deployment

string

Optional. Cloud project name.

transportProtocol

string

Optional. Transport protocol.

applicationProtocol

string

Optional. Application protocol.

processPid

string

Optional. Process ID (PID).

parentProcessPid

string

Optional. Parent process ID (PID).

ruleGenerator

string

Optional. Rule Generator.

file

string

Optional. Full path of the associated file.

fileHash

string

Optional. SHA-256, SHA-1 or MD5 hash of the associated file.

fileType

string

Optional. File type.

vendor

string

Optional. Name of the vendor.

product

string

Optional. Name of the product the alert is coming from.

usb

string

Optional. Name of the USB device.
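As an added example (not Chronicle's own code), the following Python helper builds the request body described under Request body, Z-normalizes every Timestamp-format field of the LegacySoarAlert and its SoarEvents to the 0, 3, 6 or 9 fractional-digit form the field descriptions specify, and refuses to submit an alert that lacks the alertGroupId idempotency key. Field names come from this page; SAMPLE_ALERT and every identifier in it are constructed.

```python
import re
from datetime import datetime, timedelta

# Added example, not Chronicle's code. RFC 3339 as the page describes it:
# optional fraction of 1-9 digits, then "Z" or a numeric offset.
RFC3339 = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.(\d{1,9}))?(Z|[+-]\d{2}:\d{2})$"
)
ALERT_TIME_FIELDS = ("startTime", "endTime", "detectionTime", "soarCreateTime")
EVENT_TIME_FIELDS = ("startTime", "endTime", "eventTime", "receiptTime", "managerReceiptTime")

def normalize_rfc3339(value: str) -> str:
    """Shift any accepted offset to UTC and emit 0, 3, 6 or 9 fractional digits,
    the Z-normalized form the page says generated output uses."""
    m = RFC3339.match(value)
    if not m:
        raise ValueError(f"not an RFC 3339 timestamp: {value!r}")
    y, mo, d, h, mi, s, frac, off = m.groups()
    dt = datetime(int(y), int(mo), int(d), int(h), int(mi), int(s))
    if off != "Z":  # "+05:30" means local = UTC + 5:30, so subtract it
        sign = 1 if off[0] == "+" else -1
        dt -= sign * timedelta(hours=int(off[1:3]), minutes=int(off[4:6]))
    nanos = int((frac or "").ljust(9, "0"))
    base = dt.strftime("%Y-%m-%dT%H:%M:%S")
    for digits in (0, 3, 6, 9):  # shortest width that drops no precision
        if nanos % 10 ** (9 - digits) == 0:
            frac_out = f".{nanos // 10 ** (9 - digits):0{digits}d}" if digits else ""
            return f"{base}{frac_out}Z"

def build_request_body(alert: dict) -> dict:
    """Wrap a LegacySoarAlert as {"soarAlert": ...} with normalized timestamps.
    Rejecting an alert without alertGroupId is this example's policy: the page says
    the API dedupes on that field, so a retry without it would create a duplicate."""
    if not alert.get("alertGroupId"):
        raise ValueError("alertGroupId missing: retries would create duplicate alerts")
    body = {k: normalize_rfc3339(v) if k in ALERT_TIME_FIELDS else v for k, v in alert.items()}
    body["events"] = [
        {k: normalize_rfc3339(v) if k in EVENT_TIME_FIELDS else v for k, v in ev.items()}
        for ev in alert.get("events", [])
    ]
    return {"soarAlert": body}

# Constructed sample alert reusing the page's own timestamp examples.
SAMPLE_ALERT = {
    "alertGroupId": "example-siem:ticket-42",  # constructed identifier
    "severity": "HIGH",
    "detectionTime": "2014-10-02T15:01:23+05:30",
    "events": [{"eventId": "ev-1", "eventTime": "2014-10-02T15:01:23.045123456Z",
                "sourceIpAddress": "192.0.2.10", "destinationPort": "443"}],
}
```

The returned dict is the JSON body to POST for this method; a timestamp the regex rejects raises before anything is sent, which is cheaper than a server-side INVALID_ARGUMENT.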