Full name: projects.locations.instances.legacy.legacyCreateSoarAlert
RPC for creating a SOAR alert. This is used by Chronicle SOAR to ingest alerts it pulls from other SIEMs.
HTTP request
POST https://chronicle.googleapis.com/v1alpha/{instance}/legacy:legacyCreateSoarAlert
Path parameters

| Parameter | Description |
|---|---|
| instance | Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance} |
Request body
The request body contains data with the following structure:

JSON representation:

```
{
  "soar_alert": {
    object (
```

| Field | Description |
|---|---|
| soar_alert | Required. The alert to be created. |
Response body
LegacySoarAlert is a representation of alerts coming from other SIEMs via Chronicle SOAR.
If successful, the response body contains data with the following structure:

JSON representation:

```
{
  "soar_alert_id": string,
  "start_time": string,
  "end_time": string,
  "detection_time": string,
  "source_rule": string,
  "source_system_uri": string,
  "vendor": string,
  "source_system": string,
  "product": string,
  "original_ticket_id": string,
  "priority": string,
  "severity": string,
  "events": [
    {
      object (
```

| Field | Description |
|---|---|
| soar_alert_id | Optional. ID of the alert in the Chronicle SOAR product. |
| start_time | Optional. Start of the window for which the alert was generated. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| end_time | Optional. End of the window for which the alert was generated. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| detection_time | Optional. Time when the alert was detected. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| source_rule | Optional. Name of the rule that triggered the alert in the source SIEM. |
| source_system_uri | Optional. URI of the source SIEM system. |
| vendor | Optional. Name of the vendor. |
| source_system | Optional. Name of the source SIEM system. |
| product | Optional. Name of the product the alert is coming from. |
| original_ticket_id | Optional. Ticket ID for the alert in the source SIEM system. |
| priority | Optional. Priority of the alert. |
| severity | Optional. Severity of the alert. |
| events[] | Optional. List of events related to the alert. |
| description | Optional. Description of the event. |
| summary | Optional. Summary of the event. |
| name | Optional. Name of the alert in the SecOps platform. |
| alert_group_id | Optional. The alert identifier in SOAR, which is unique per customer. This field is used to enforce idempotency of the CreateSoarAlert API. |
| soar_create_time | Optional. Time when the alert was created in SOAR. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
Authorization scopes
Requires the following OAuth scope:
https://www.googleapis.com/auth/cloud-platform
For more information, see the Authentication Overview.
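As an added example (not Google's client code, and not part of this reference), the following Python builds the POST described above from an alert pulled out of another SIEM: it normalizes every timestamp field to the Z-normalized, 0/3/6/9-digit form the API emits, checks the instance path format, and refuses to send without an alert_group_id because that is the field the API uses to make retries idempotent. The function names, the SAMPLE_ALERT values and the policy of requiring alert_group_id are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Added example, not Google client code; sample values below are constructed.
API_ROOT = "https://chronicle.googleapis.com/v1alpha"
TIME_FIELDS = ("start_time", "end_time", "detection_time", "soar_create_time")
_RFC3339 = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d{1,9}))?(Z|[+-]\d{2}:\d{2})$")
_INSTANCE = re.compile(r"projects/[^/]+/locations/[^/]+/instances/[^/]+")

def normalize_time(value: str) -> str:
    """Accept any RFC 3339 offset; emit Z-normalized output with 0, 3, 6 or 9 digits."""
    m = _RFC3339.match(value)
    if not m:
        raise ValueError(f"not an RFC 3339 timestamp: {value!r}")
    base, frac, offset = m.groups()
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    if offset != "Z":  # shift local wall-clock time back to UTC
        sign = 1 if offset[0] == "+" else -1
        dt -= sign * timedelta(hours=int(offset[1:3]), minutes=int(offset[4:6]))
    # Keep the fraction as text so nanoseconds survive; trim zeros in groups of 3.
    frac = (frac or "").ljust(9, "0")
    while frac.endswith("000"):
        frac = frac[:-3]
    return dt.strftime("%Y-%m-%dT%H:%M:%S") + (f".{frac}" if frac else "") + "Z"

def build_request(instance: str, alert: dict) -> dict:
    """Return the POST for legacyCreateSoarAlert with timestamps normalized.
    alert_group_id is optional server-side; this client requires it (assumption)."""
    if not _INSTANCE.fullmatch(instance):
        raise ValueError("instance must match projects/{p}/locations/{l}/instances/{i}")
    if not alert.get("alert_group_id"):
        raise ValueError("alert_group_id missing; a retried POST could duplicate the alert")
    body = {k: normalize_time(v) if k in TIME_FIELDS else v for k, v in alert.items()}
    return {
        "method": "POST",
        "url": f"{API_ROOT}/{instance}/legacy:legacyCreateSoarAlert",
        "body": {"soar_alert": body},
    }

# Constructed sample alert, as a SOAR connector might pull it from another SIEM.
SAMPLE_ALERT = {
    "alert_group_id": "example-siem-ticket-4711",
    "source_system": "ExampleSIEM",
    "severity": "HIGH",
    "start_time": "2024-05-01T10:00:00+02:00",
    "end_time": "2024-05-01T10:05:00.5+02:00",
    "detection_time": "2024-05-01T10:05:30.123456789+02:00",
}
```

The returned dict is what an HTTP client would send with a bearer token carrying the cloud-platform scope listed above; the example stops short of the network call so it runs offline.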
SoarEvent
SoarEvent is a representation of events coming from other SIEMs via Chronicle SOAR. These fields map to the fields in the Chronicle SOAR event model.

JSON representation:

```
{
  "event_id": string,
  "start_time": string,
  "end_time": string,
  "event_time": string,
  "receipt_time": string,
  "manager_receipt_time": string,
  "event_message": string,
  "event_description": string,
  "source_user": string,
  "source_host": string,
  "source_domain": string,
  "source_ip_address": string,
  "source_mac_address": string,
  "source_user_id": string,
  "source_process_pid": string,
  "source_dns_domain": string,
  "source_nt_domain": string,
  "destination_user": string,
  "destination_domain": string,
  "destination_host": string,
  "destination_dns_domain": string,
  "destination_nt_domain": string,
  "destination_port": string,
  "destination_ip_address": string,
  "destination_process_pid": string,
  "destination_uri": string,
  "destination_mac_address": string,
  "generic_entity": string,
  "phone_number": string,
  "email_subject": string,
  "cve": string,
  "threat_actor": string,
  "threat_campaign": string,
  "threat_signature": string,
  "threat": string,
  "category_outcome": string,
  "deployment": string,
  "transport_protocol": string,
  "application_protocol": string,
  "process_pid": string,
  "parent_process_pid": string,
  "rule_generator": string,
  "file": string,
  "file_hash": string,
  "file_type": string,
  "vendor": string,
  "product": string,
  "usb": string
}
```
| Field | Description |
|---|---|
| event_id | Optional. ID of the event in Chronicle SOAR. |
| start_time | Optional. Start time of the window containing the event. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| end_time | Optional. End time of the window containing the event. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| event_time | Optional. Timestamp when the event occurred. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| receipt_time | Optional. Timestamp when the event was received. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| manager_receipt_time | Optional. Timestamp when the event was received by the manager. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| event_message | Optional. Message describing or related to the event. |
| event_description | Optional. Description of the event. |
| source_user | Optional. Username of the source user. |
| source_host | Optional. Hostname of the source. |
| source_domain | Optional. Domain of the source. |
| source_ip_address | Optional. IP address of the source system. |
| source_mac_address | Optional. MAC address of the source system. |
| source_user_id | Optional. User ID on the source system. |
| source_process_pid | Optional. PID of the source process. |
| source_dns_domain | Optional. DNS domain of the source. |
| source_nt_domain | Optional. Administrative (NT) domain of the source. |
| destination_user | Optional. Username of the destination user. |
| destination_domain | Optional. Domain of the destination. |
| destination_host | Optional. Hostname of the destination. |
| destination_dns_domain | Optional. DNS domain of the destination. |
| destination_nt_domain | Optional. Administrative (NT) domain of the destination. |
| destination_port | Optional. Port on the target destination. |
| destination_ip_address | Optional. IP address of the destination. |
| destination_process_pid | Optional. PID of the destination process. |
| destination_uri | Optional. URI of the target. |
| destination_mac_address | Optional. MAC address of the destination system. |
| generic_entity | Optional. Generic entity; maps to target details. |
| phone_number | Optional. Phone number of the user. |
| email_subject | Optional. Subject of the related email. |
| cve | Optional. CVE ID of the threat. |
| threat_actor | Optional. Threat actor. |
| threat_campaign | Optional. Threat campaign. |
| threat_signature | Optional. Threat signature. |
| threat | Optional. Threat summary or threat name. |
| category_outcome | Optional. Outcome of, or action taken on, the threat. |
| deployment | Optional. Cloud project name. |
| transport_protocol | Optional. Transport protocol. |
| application_protocol | Optional. Application protocol. |
| process_pid | Optional. Process ID (PID). |
| parent_process_pid | Optional. Parent process ID. |
| rule_generator | Optional. Rule generator. |
| file | Optional. Full path of the associated file. |
| file_hash | Optional. SHA-256, SHA-1 or MD5 hash of the associated file. |
| file_type | Optional. File type. |
| vendor | Optional. Name of the vendor. |
| product | Optional. Name of the product the alert is coming from. |
| usb | Optional. Name of the USB device. |