Method: legacy.legacyCreateSoarAlert

Full name: projects.locations.instances.legacy.legacyCreateSoarAlert

RPC for creating a SOAR alert. This is used by Chronicle SOAR to ingest alerts it pulls from other SIEMs.

HTTP request

POST https://chronicle.googleapis.com/v1alpha/{instance}/legacy:legacyCreateSoarAlert

Path parameters

Parameters
instance

string

Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}

Request body

The request body contains data with the following structure:

JSON representation
{
  "soar_alert": {
    object (LegacySoarAlert)
  }
}
Fields
soar_alert

object (LegacySoarAlert)

Required. The alert to be created.

Response body

If successful, the response body contains an instance of LegacySoarAlert, which has the following structure.

LegacySoarAlert

LegacySoarAlert is a representation of an alert coming from another SIEM via Chronicle SOAR. The same message is the type of the soar_alert request field and the response body of this method.

JSON representation
{
  "soar_alert_id": string,
  "start_time": string,
  "end_time": string,
  "detection_time": string,
  "source_rule": string,
  "source_system_uri": string,
  "vendor": string,
  "source_system": string,
  "product": string,
  "original_ticket_id": string,
  "priority": string,
  "severity": string,
  "events": [
    {
      object (SoarEvent)
    }
  ],
  "description": string,
  "summary": string,
  "name": string,
  "alert_group_id": string,
  "soar_create_time": string
}
Fields
soar_alert_id

string

Optional. ID of the alert in the Chronicle SOAR product.

start_time

string (Timestamp format)

Optional. Represents the start_time of the window for which an alert was generated.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

end_time

string (Timestamp format)

Optional. Represents the end_time of the window for which an alert was generated.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

detection_time

string (Timestamp format)

Optional. Represents the time when the alert was detected.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

source_rule

string

Optional. Name of the rule that triggered the alert in the source SIEM.

source_system_uri

string

Optional. URI of the source SIEM system.

vendor

string

Optional. Name of the vendor.

source_system

string

Optional. Name of the source SIEM system.

product

string

Optional. Name of the product the alert is coming from.

original_ticket_id

string

Optional. Ticket id for the alert in the source SIEM system.

priority

string

Optional. Priority of the alert.

severity

string

Optional. Severity of the alert.

events[]

object (SoarEvent)

Optional. List of Events related to the alert.

description

string

Optional. Description of the alert.

summary

string

Optional. Summary of the alert.

name

string

Optional. Name of the alert in the SecOps platform.

alert_group_id

string

Optional. The alert identifier in SOAR, which is unique per customer. This field is used to enforce idempotency of the CreateSoarAlert API: resubmitting an alert with an alert_group_id that has already been ingested does not create a duplicate, so a client that retries after a timeout must reuse the same value.

soar_create_time

string (Timestamp format)

Optional. Represents the time when the alert was created in SOAR.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.
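A client-side worked example covering the request above end to end: validating the instance path parameter, normalising the Timestamp fields to the Z form the API emits, deriving alert_group_id so that retries stay idempotent, and sending the request with the cloud-platform scope. This is an added example, not code from the Chronicle API reference or from Google Cloud. The google-auth calls (google.auth.default, AuthorizedSession) are real library APIs; everything else, in particular the alert_group_id derivation scheme, the sample alert and the placeholder instance name, is assumed for illustration.

```python
"""Build, validate and send a legacy.legacyCreateSoarAlert request (added example).

Assumed rather than taken from the reference page: authentication through google-auth
Application Default Credentials, and the scheme used here to derive alert_group_id from
the source SIEM ticket so that a retried POST is deduplicated instead of duplicated.
"""
import hashlib
import re
from datetime import datetime, timezone

API_ROOT = "https://chronicle.googleapis.com/v1alpha"
SCOPE = "https://www.googleapis.com/auth/cloud-platform"

# Field names exactly as the LegacySoarAlert JSON representation lists them (18 fields).
ALERT_FIELDS = frozenset("""soar_alert_id start_time end_time detection_time source_rule
source_system_uri vendor source_system product original_ticket_id priority severity events
description summary name alert_group_id soar_create_time""".split())
TIME_FIELDS = frozenset({"start_time", "end_time", "detection_time", "soar_create_time"})

# Path-parameter grammar: projects/{project}/locations/{location}/instances/{instance}
_INSTANCE_RE = re.compile(r"^projects/[^/]+/locations/[^/]+/instances/[^/]+$")


def is_instance_name(name: str) -> bool:
    """True if name is a well-formed Chronicle instance resource name."""
    return bool(_INSTANCE_RE.match(name))


def request_url(instance: str) -> str:
    """URL for POST {instance}/legacy:legacyCreateSoarAlert. Malformed names are rejected
    here rather than being sent on to turn into a 404 (or an unintended resource)."""
    if not is_instance_name(instance):
        raise ValueError(f"bad instance resource name: {instance!r}")
    return f"{API_ROOT}/{instance}/legacy:legacyCreateSoarAlert"


def rfc3339(value) -> str:
    """Normalise a tz-aware datetime, or an RFC 3339 string with any offset, to the
    Z-normalised form the API emits (0 or 6 fractional digits)."""
    if isinstance(value, str):
        value = datetime.fromisoformat(value[:-1] + "+00:00" if value.endswith("Z") else value)
    if value.tzinfo is None:
        raise ValueError("timestamp must carry a UTC offset")
    utc = value.astimezone(timezone.utc)
    base = utc.strftime("%Y-%m-%dT%H:%M:%S")
    return f"{base}.{utc.microsecond:06d}Z" if utc.microsecond else base + "Z"


def alert_group_id(source_system: str, original_ticket_id: str) -> str:
    """Deterministic idempotency key (assumed scheme): the same upstream ticket always maps
    to the same key, so the API can deduplicate a retry after a timeout."""
    # NUL separator keeps ("ab", "c") and ("a", "bc") from colliding.
    return hashlib.sha256(f"{source_system}\x00{original_ticket_id}".encode()).hexdigest()


def build_request(alert: dict) -> dict:
    """Validate a LegacySoarAlert dict and wrap it as the request body."""
    unknown = set(alert) - ALERT_FIELDS
    if unknown:
        raise ValueError(f"not LegacySoarAlert fields: {sorted(unknown)}")
    body = dict(alert)
    for field in TIME_FIELDS & set(body):
        body[field] = rfc3339(body[field])
    if "alert_group_id" not in body:
        try:
            body["alert_group_id"] = alert_group_id(body["source_system"], body["original_ticket_id"])
        except KeyError as missing:
            raise ValueError(f"need {missing} to derive alert_group_id") from None
    for event in body.get("events", []):
        # Every SoarEvent field is a string on the wire; an int or None comes back as a 400.
        if not all(isinstance(v, str) for v in event.values()):
            raise TypeError("SoarEvent values must all be strings")
    return {"soar_alert": body}


def send(session, instance: str, body: dict) -> dict:
    """POST through a requests-compatible authorised session (e.g. google-auth AuthorizedSession)."""
    resp = session.post(request_url(instance), json=body, timeout=30)
    if resp.status_code != 200:
        raise RuntimeError(f"legacyCreateSoarAlert: HTTP {resp.status_code}: {resp.text[:300]}")
    return resp.json()


if __name__ == "__main__":
    import google.auth  # imported lazily so the pure functions above run without it
    from google.auth.transport.requests import AuthorizedSession

    credentials, _ = google.auth.default(scopes=[SCOPE])
    created = send(
        AuthorizedSession(credentials),
        "projects/my-project/locations/us/instances/my-instance",  # placeholder name
        build_request({  # constructed sample alert
            "name": "Brute-force login from a single source",
            "source_system": "splunk-prod",
            "source_rule": "auth_bruteforce_v2",
            "original_ticket_id": "INC-4711",
            "severity": "HIGH",
            "detection_time": "2014-10-02T15:01:23+05:30",
            "events": [{"event_message": "15 failed logins in 60s", "source_ip_address": "203.0.113.7"}],
        }),
    )
    print(created.get("soar_alert_id"), created.get("alert_group_id"))
```

Two points worth keeping in mind when adapting this. alert_group_id is what the service deduplicates on, so it must be stable across retries of the same upstream ticket and must never be derived from anything that changes between attempts, such as the current time or a fresh UUID. The cloud-platform scope is coarse: it only bounds what the token may be used for, so limit what the calling service account can actually do through IAM on the Chronicle instance rather than relying on the scope.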

SoarEvent

SoarEvent is a representation of events coming from other SIEMs via Chronicle SOAR. These fields map to the fields in the Chronicle SOAR event model. Every field, including timestamps, ports and process IDs, is carried as a string.

JSON representation
{
  "event_id": string,
  "start_time": string,
  "end_time": string,
  "event_time": string,
  "receipt_time": string,
  "manager_receipt_time": string,
  "event_message": string,
  "event_description": string,
  "source_user": string,
  "source_host": string,
  "source_domain": string,
  "source_ip_address": string,
  "source_mac_address": string,
  "source_user_id": string,
  "source_process_pid": string,
  "source_dns_domain": string,
  "source_nt_domain": string,
  "destination_user": string,
  "destination_domain": string,
  "destination_host": string,
  "destination_dns_domain": string,
  "destination_nt_domain": string,
  "destination_port": string,
  "destination_ip_address": string,
  "destination_process_pid": string,
  "destination_uri": string,
  "destination_mac_address": string,
  "generic_entity": string,
  "phone_number": string,
  "email_subject": string,
  "cve": string,
  "threat_actor": string,
  "threat_campaign": string,
  "threat_signature": string,
  "threat": string,
  "category_outcome": string,
  "deployment": string,
  "transport_protocol": string,
  "application_protocol": string,
  "process_pid": string,
  "parent_process_pid": string,
  "rule_generator": string,
  "file": string,
  "file_hash": string,
  "file_type": string,
  "vendor": string,
  "product": string,
  "usb": string
}
Fields
event_id

string

Optional. ID of the event in Chronicle SOAR.

start_time

string (Timestamp format)

Optional. Start time of the window containing the event.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

end_time

string (Timestamp format)

Optional. End time of the window containing the event.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

event_time

string (Timestamp format)

Optional. The timestamp when the event occurred.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

receipt_time

string (Timestamp format)

Optional. The timestamp when the event was received.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

manager_receipt_time

string (Timestamp format)

Optional. The timestamp when the event was received by the manager.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

event_message

string

Optional. Message describing/related to the event.

event_description

string

Optional. Description of the event.

source_user

string

Optional. Username of the source user.

source_host

string

Optional. Hostname of the source.

source_domain

string

Optional. Domain of the source.

source_ip_address

string

Optional. IP address of the source system.

source_mac_address

string

Optional. MAC address of the source system.

source_user_id

string

Optional. User ID on the source system.

source_process_pid

string

Optional. PID of the source process.

source_dns_domain

string

Optional. DNS domain of the source.

source_nt_domain

string

Optional. Administrative domain of the source.

destination_user

string

Optional. Username of the destination user.

destination_domain

string

Optional. Domain of the destination.

destination_host

string

Optional. Hostname of the destination.

destination_dns_domain

string

Optional. DNS domain of the destination.

destination_nt_domain

string

Optional. Administrative domain of the destination.

destination_port

string

Optional. Port of the target destination.

destination_ip_address

string

Optional. IP address of the destination system.

destination_process_pid

string

Optional. PID of the destination process.

destination_uri

string

Optional. URI of the target.

destination_mac_address

string

Optional. MAC address of the destination system.

generic_entity

string

Optional. Generic entity that maps to the target details.

phone_number

string

Optional. Phone number of the user.

email_subject

string

Optional. Subject of the related email.

cve

string

Optional. CVE ID of the associated vulnerability.

threat_actor

string

Optional. Threat actor.

threat_campaign

string

Optional. Threat campaign.

threat_signature

string

Optional. Threat signature.

threat

string

Optional. Name or summary of the threat.

category_outcome

string

Optional. Outcome/Action on the threat.

deployment

string

Optional. Cloud project name.

transport_protocol

string

Optional. Transport protocol.

application_protocol

string

Optional. Application protocol.

process_pid

string

Optional. PID of the process.

parent_process_pid

string

Optional. PID of the parent process.

rule_generator

string

Optional. Rule generator.

file

string

Optional. Full path of the associated file.

file_hash

string

Optional. SHA-256, SHA-1 or MD5 hash of the associated file.

file_type

string

Optional. File type.

vendor

string

Optional. Name of the vendor.

product

string

Optional. Name of the product the alert is coming from.

usb

string

Optional. Name of the USB device.
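A worked example of producing the SoarEvent objects that go into LegacySoarAlert.events from a record pulled out of another SIEM. The point it demonstrates is the part the field list above leaves implicit: every SoarEvent field is a string, so ports, PIDs and epoch timestamps must be converted and validated before they are sent, the file_hash must actually be an MD5, SHA-1 or SHA-256 digest, IP addresses should be canonicalised, and upstream fields without a mapping should be dropped rather than passed through. This is an added example, not code from Chronicle SOAR or from the API reference. The SoarEvent field names come from the page; the upstream record layout, the FIELD_MAP, and the SAMPLE_UPSTREAM record are all constructed for illustration.

```python
"""Normalise a third-party SIEM event into a SoarEvent (added example).

The upstream record layout and FIELD_MAP are assumptions made for illustration; the
SoarEvent field names, and the fact that every field is a string, come from the page.
"""
import ipaddress
import re
from datetime import datetime, timezone

# All 48 SoarEvent fields, as listed in the JSON representation. Used to refuse typos.
SOAR_EVENT_FIELDS = frozenset("""event_id start_time end_time event_time receipt_time
manager_receipt_time event_message event_description source_user source_host source_domain
source_ip_address source_mac_address source_user_id source_process_pid source_dns_domain
source_nt_domain destination_user destination_domain destination_host destination_dns_domain
destination_nt_domain destination_port destination_ip_address destination_process_pid
destination_uri destination_mac_address generic_entity phone_number email_subject cve
threat_actor threat_campaign threat_signature threat category_outcome deployment
transport_protocol application_protocol process_pid parent_process_pid rule_generator
file file_hash file_type vendor product usb""".split())

# Assumed upstream key -> SoarEvent field. Anything not listed is dropped on purpose, so
# stray upstream fields (raw payloads, internal tags) never leak into the SOAR case.
FIELD_MAP = {
    "_time": "event_time", "index_time": "receipt_time", "msg": "event_message",
    "user": "source_user", "src_host": "source_host", "src_ip": "source_ip_address",
    "dest_ip": "destination_ip_address", "dest_port": "destination_port",
    "process_id": "process_pid", "parent_process_id": "parent_process_pid",
    "file_path": "file", "file_hash": "file_hash", "signature": "threat_signature",
    "action": "category_outcome", "vendor": "vendor", "product": "product",
}

_HASH_KIND_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def hash_kind(h):
    """'md5', 'sha1' or 'sha256' judged by hex length, or None if not a plausible digest."""
    h = str(h or "")
    return _HASH_KIND_BY_LEN.get(len(h)) if re.fullmatch(r"[0-9a-fA-F]+", h) else None


def _epoch_to_rfc3339(v) -> str:
    # Upstream gives epoch seconds (assumed); the API wants Z-normalised RFC 3339.
    return datetime.fromtimestamp(float(v), tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _port(v) -> str:
    p = int(v)
    if not 0 <= p <= 65535:
        raise ValueError(f"port out of range: {v!r}")
    return str(p)


def _pid(v) -> str:
    p = int(v)
    if p < 0:
        raise ValueError(f"negative pid: {v!r}")
    return str(p)


def _ip(v) -> str:
    # Rejects garbage and canonicalises (upper-case hex, zero groups) so dedup keys match.
    return str(ipaddress.ip_address(str(v).strip()))


def _hash(v) -> str:
    if hash_kind(v) is None:
        raise ValueError(f"not an md5/sha1/sha256 hex digest: {v!r}")
    return str(v).lower()


# Fields that need more than str(); everything else is stringified as-is.
CONVERTERS = {
    "event_time": _epoch_to_rfc3339, "receipt_time": _epoch_to_rfc3339,
    "destination_port": _port, "process_pid": _pid, "parent_process_pid": _pid,
    "source_ip_address": _ip, "destination_ip_address": _ip, "file_hash": _hash,
}


def to_soar_event(upstream: dict) -> dict:
    """Map one upstream record to a SoarEvent dict ready to go in LegacySoarAlert.events."""
    event = {}
    for key, value in upstream.items():
        field = FIELD_MAP.get(key)
        if field is None or value is None or value == "":
            continue
        event[field] = CONVERTERS.get(field, str)(value)
    # Invariants (not input validation): the API would reject either breach with a 400.
    assert set(event) <= SOAR_EVENT_FIELDS
    assert all(isinstance(v, str) for v in event.values())
    return event


SAMPLE_UPSTREAM = {  # constructed sample record, not real telemetry
    "_time": 1412262083,
    "index_time": "1412262090",
    "msg": "SMB session to file server from workstation",
    "user": "jdoe",
    "src_host": "ws-042",
    "src_ip": "10.0.0.5",
    "dest_ip": "2001:DB8:0:0::20",
    "dest_port": 445,
    "process_id": 4132,
    "file_path": "C:\\Windows\\Temp\\svc.exe",
    "file_hash": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
    "signature": "lateral-movement-smb",
    "action": "blocked",
    "raw": {"nested": "not forwarded"},
}

if __name__ == "__main__":
    for k, v in to_soar_event(SAMPLE_UPSTREAM).items():
        print(f"{k:24} {v}")
```

The allow-list mapping is deliberate: an integration that forwards whatever the upstream SIEM emits will eventually ship raw payloads, credentials embedded in command lines, or internal tags into the SOAR case, where a much wider audience reads them. Converting rather than merely stringifying the typed fields also means a malformed port or IP address fails in the connector, where it can be logged against the upstream ticket, instead of surfacing as an opaque 400 from the API.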