Method: legacy.legacyUpdateAlert

Full name: projects.locations.instances.legacy.legacyUpdateAlert

Legacy endpoint for updating an alert.

HTTP request


Path parameters

Parameters
instance

string

Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}

Request body

The request body contains data with the following structure:

JSON representation
{
  "alertId": string,
  "feedback": {
    object (LegacyFeedback)
  },
  "caseName": string,
  "responsePlatformInfo": {
    object (ResponsePlatformInfo)
  }
}
Fields
alertId

string

Required. The id of the alert.

feedback

object (LegacyFeedback)

Required. The analyst-supplied feedback on the alert.

caseName

string

Optional. The case name that the alert is associated with.

responsePlatformInfo

object (ResponsePlatformInfo)

Optional. The response platform info of the alert.

Response body

If successful, the response body contains an instance of Collection.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

IAM Permissions

Requires the following IAM permission on the instance resource:

  • chronicle.legacies.legacyUpdateAlert

For more information, see the IAM documentation.

LegacyFeedback

A piece of user feedback on an alert.

JSON representation
{
  "idpUserId": string,
  "createTime": string,
  "verdict": enum (Verdict),
  "reputation": enum (Reputation),
  "confidenceScore": integer,
  "riskScore": integer,
  "disregarded": boolean,
  "severity": integer,
  "comment": string,
  "status": enum (Status),
  "priority": enum (Priority),
  "rootCause": string,
  "reason": enum (Reason),
  "severityDisplay": string,
  "triageAgentInvestigationId": string,
  "userType": enum (UserType)
}
Fields
idpUserId

string

Readonly. The unique identifier supplied by the customer's identity provider (IDP) for the user that provided the feedback.

createTime

string (Timestamp format)

Readonly. The time when the user submitted the feedback.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

verdict

enum (Verdict)

A verdict on whether the finding reflects a security inc

reputation

enum (Reputation)

A categorization of the finding as useful or not useful.

confidenceScore

integer

Confidence score (0-100) of the finding.

riskScore

integer

Risk score (0-100) of the finding.

disregarded

boolean

Whether the analyst disregarded (or un-disregarded) the event.

severity

integer

Severity score (1-100) of the finding.

comment

string

Analyst comment.

status

enum (Status)

Alert status.

priority

enum (Priority)

Alert priority.

rootCause

string

Alert root cause.

reason

enum (Reason)

Reason for closing an Alert.

severityDisplay

string

Severity display name for UI and filtering.

triageAgentInvestigationId

string

Output only. Investigation Id of the latest investigation performed by the Triage Agent on the alert. The Triage Agent is designed to autonomously investigate alerts and determine whether an alert needs to be escalated to a human while providing transparency about the actions it took as part of its investigation.

userType

enum (UserType)

Output only. Type of user that submitted or updated the feedback. This field is used to distinguish between the feedback submitted by a human analyst and an AI agent. By default, the user is assumed to be a human analyst.
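The following Python is an added example, not Chronicle's own client code, that ties the request body above to the LegacyFeedback fields: it builds a feedback object, refuses the fields this page marks Readonly or Output only (idpUserId, createTime, triageAgentInvestigationId, userType), range-checks confidenceScore, riskScore and severity against the limits stated for them, and assembles the legacyUpdateAlert body with its required alertId and feedback. Two things it assumes, because the page does not state them: that the method is a POST to `{base_url}/v1alpha/{instance}/legacy:legacyUpdateAlert`, and that a bearer token with the cloud-platform scope is accepted in the Authorization header. The verdict, reputation, status, priority and reason enums are defined on other pages and are passed through unchecked here; the sample values are constructed.

```python
"""Build, validate and send a legacy.legacyUpdateAlert request (added example).

Assumptions not on the reference page: POST {base_url}/v1alpha/{instance}/legacy:legacyUpdateAlert,
bearer-token auth with the cloud-platform scope.  Enum-typed fields are passed through as given.
"""
import json
import re

INSTANCE_RE = re.compile(r"^projects/[^/]+/locations/[^/]+/instances/[^/]+$")

# Fields the page marks Readonly / Output only: the server sets them, a client must not.
OUTPUT_ONLY_FEEDBACK_FIELDS = frozenset(
    {"idpUserId", "createTime", "triageAgentInvestigationId", "userType"}
)

# Integer ranges from the LegacyFeedback field descriptions.
FEEDBACK_RANGES = {
    "confidenceScore": (0, 100),
    "riskScore": (0, 100),
    "severity": (1, 100),
}


def build_feedback(**fields):
    """Return a LegacyFeedback dict; None values are omitted, bad values raise ValueError."""
    feedback = {}
    for name, value in fields.items():
        if value is None:
            continue
        if name in OUTPUT_ONLY_FEEDBACK_FIELDS:
            # Silently dropping a server-owned field would hide a client bug; fail loudly.
            raise ValueError(f"{name} is set by the server and must not be sent")
        if name in FEEDBACK_RANGES:
            lo, hi = FEEDBACK_RANGES[name]
            # bool is a subclass of int in Python, so exclude it explicitly.
            if isinstance(value, bool) or not isinstance(value, int) or not lo <= value <= hi:
                raise ValueError(f"{name} must be an integer in [{lo}, {hi}], got {value!r}")
        if name == "disregarded" and not isinstance(value, bool):
            raise ValueError("disregarded must be a boolean")
        feedback[name] = value
    return feedback


def build_update_alert_request(instance, alert_id, feedback,
                               case_name=None, response_platform_info=None):
    """Return (url_path, body) for legacyUpdateAlert, enforcing the required fields."""
    if not INSTANCE_RE.match(instance):
        raise ValueError("instance must be projects/{project}/locations/{location}/instances/{instance}")
    if not alert_id:
        raise ValueError("alertId is required")
    if not feedback:
        raise ValueError("feedback is required")
    body = {"alertId": alert_id, "feedback": feedback}
    if case_name is not None:
        body["caseName"] = case_name
    if response_platform_info is not None:
        body["responsePlatformInfo"] = response_platform_info
    # Path shape is an assumption; the reference page omits the HTTP request line.
    return f"/v1alpha/{instance}/legacy:legacyUpdateAlert", body


def send_update_alert(session, base_url, instance, alert_id, feedback, **opts):
    """POST the request through an authorized session (anything with requests-style .post)."""
    path, body = build_update_alert_request(instance, alert_id, feedback, **opts)
    resp = session.post(base_url + path, data=json.dumps(body),
                        headers={"Content-Type": "application/json"})
    resp.raise_for_status()
    return resp.json()  # the page says the response is an instance of Collection


if __name__ == "__main__":
    # Live use: credentials carrying https://www.googleapis.com/auth/cloud-platform.
    import google.auth
    from google.auth.transport.requests import AuthorizedSession

    creds, _ = google.auth.default(scopes=["https://www.googleapis.com/auth/cloud-platform"])
    fb = build_feedback(comment="benign admin activity (constructed sample)",
                        confidenceScore=90, riskScore=10, severity=20, disregarded=False)
    print(send_update_alert(AuthorizedSession(creds),
                            "https://chronicle.googleapis.com",  # assumed base URL
                            "projects/my-project/locations/us/instances/my-instance",
                            "alert-123", fb, case_name="case-7"))
```

The request helper only needs an object with a requests-style `post`; `google.auth.transport.requests.AuthorizedSession` fits, and the IAM permission `chronicle.legacies.legacyUpdateAlert` must still be granted on the instance resource for the call to succeed.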