SecurityResult

Security-related metadata for the event. A security result might be something like "virus detected and quarantined," "malicious connection blocked," or "sensitive data included in document foo.doc." Each security result, of which there may be more than one, may either pertain to the whole event, or to a specific object or device referenced in the event (e.g. a malicious file that was detected, or a sensitive document sent as an email attachment). For security results that apply to a particular object referenced in the event, the security_results message MUST contain details about the implicated object (such as process, user, IP, domain, URL, or email address) in the about field. For security results that apply to the entire event (e.g. SPAM found in this email), the about field must remain empty.

JSON representation
{
  "about": {
    object (Noun)
  },
  "category": [
    enum (SecurityCategory)
  ],
  "categoryDetails": [
    string
  ],
  "threatName": string,
  "ruleSet": string,
  "ruleSetDisplayName": string,
  "rulesetCategoryDisplayName": string,
  "ruleId": string,
  "ruleName": string,
  "displayName": string,
  "ruleVersion": string,
  "ruleType": string,
  "ruleAuthor": string,
  "ruleLabels": [
    {
      object (Label)
    }
  ],
  "alertState": enum (AlertState),
  "detectionFields": [
    {
      object (Label)
    }
  ],
  "outcomes": [
    {
      object (Label)
    }
  ],
  "variables": {
    string: {
      object (FindingVariable)
    },
    ...
  },
  "summary": string,
  "description": string,
  "action": [
    enum (Action)
  ],
  "actionDetails": string,
  "severity": enum (ProductSeverity),
  "confidence": enum (ProductConfidence),
  "priority": enum (ProductPriority),
  "riskScore": number,
  "confidenceScore": number,
  "analyticsMetadata": [
    {
      object (AnalyticsMetadata)
    }
  ],
  "severityDetails": string,
  "confidenceDetails": string,
  "priorityDetails": string,
  "urlBackToProduct": string,
  "threatId": string,
  "threatFeedName": string,
  "threatIdNamespace": enum (Namespace),
  "threatStatus": enum (ThreatStatus),
  "attackDetails": {
    object (AttackDetails)
  },
  "firstDiscoveredTime": string,
  "associations": [
    {
      object (Association)
    }
  ],
  "campaigns": [
    string
  ],
  "reports": [
    string
  ],
  "verdict": {
    object (Verdict)
  },
  "lastUpdatedTime": string,
  "verdictInfo": [
    {
      object (VerdictInfo)
    }
  ],
  "threatVerdict": enum (ThreatVerdict),
  "lastDiscoveredTime": string,
  "detectionDepth": string,
  "threatCollections": [
    {
      object (ThreatCollectionItem)
    }
  ]
}
Fields
about

object (Noun)

If the security result is about a specific entity (Noun), add it here. This field is not populated when the SecurityResult appears in a detection.

category[]

enum (SecurityCategory)

The security category. This field is not populated when the SecurityResult appears in a detection.

categoryDetails[]

string

For vendor-specific categories. For web categorization, put the type here, such as "gambling" or "porn". This field is not populated when the SecurityResult appears in a detection.

threatName

string

A vendor-assigned classification common across multiple customers (for example, "W32/File-A", "Slammer"). This field is not populated when the SecurityResult appears in a detection.

ruleSet

string

The curated detection's rule set identifier (for example, "windows-threats"). This is primarily set in rule-generated detections and alerts.

ruleSetDisplayName

string

The curated detection's rule set display name. This is primarily set in rule-generated detections and alerts.

rulesetCategoryDisplayName

string

The curated detection's rule set category display name (for example, if ruleSetDisplayName is "CDIR SCC Enhanced Exfiltration", the rule_set_category is "Cloud Threats"). This is primarily set in rule-generated detections and alerts.

ruleId

string

A vendor-specific ID for a rule, varying by observer type (e.g. "08123", "5d2b44d0-5ef6-40f5-a704-47d61d3babbe").

ruleName

string

Name of the security rule (e.g. "BlockInboundToOracle").

displayName

string

The display name of the security result. This is populated from the 'name_override' outcome variable, if present. Otherwise, this field is not set.

ruleVersion

string

Version of the security rule (e.g. "v1.1", "00001", "1604709794", "2020-11-16T23:04:19+00:00"). Rule versions are source-dependent, so lexical ordering should not be assumed.

ruleType

string

The type of security rule.

ruleAuthor

string

Author of the security rule. This field is not populated when the SecurityResult appears in a detection.

ruleLabels[]

object (Label)

A list of rule labels that can't be captured by the other fields in security result (e.g. "reference : AnotherRule", "contributor : John"). This is primarily set in rule-generated detections and alerts.

alertState

enum (AlertState)

The alerting types of this security result. This is primarily set for rule-generated detections and alerts.

detectionFields[]

object (Label)

An ordered list of values that represent fields in detections for a security finding. This list maps the names of the requested entities to their values (the security result's matched variables).

For Collection SecurityResults, prefer variables instead.

outcomes[]
(deprecated)

object (Label)

A list of outcomes that represent the results of this security finding. This list maps the names of the requested outcomes to a stringified version of their values.

This is only populated when the SecurityResult appears in a detection. This is deprecated. Use variables instead.

variables

map (key: string, value: object (FindingVariable))

A list of outcomes and match variables that represent the results of this security finding. This list maps the names of the requested outcomes or match variables to their values.

This is only populated when the SecurityResult appears in a detection.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

summary

string

A short human-readable summary (e.g. "failed login occurred").

description

string

A human-readable description (e.g. "user password was wrong"). This can be more detailed than the summary.

action[]

enum (Action)

Actions taken for this event. This field is not populated when the SecurityResult appears in a detection.

actionDetails

string

The detail of the action taken as provided by the vendor. This field is not populated when the SecurityResult appears in a detection.

severity

enum (ProductSeverity)

The severity of the result.

confidence

enum (ProductConfidence)

The confidence level of the result as estimated by the product. This field is not populated when the SecurityResult appears in a detection.

priority

enum (ProductPriority)

The priority of the result. This field is not populated when the SecurityResult appears in a detection.

riskScore

number

The risk score of the security result.

confidenceScore

number

The confidence score of the security result. This field is not populated when the SecurityResult appears in a detection.

analyticsMetadata[]

object (AnalyticsMetadata)

Stores metadata about each risk analytic metric the rule uses. This field is not populated when the SecurityResult appears in a detection.

severityDetails

string

Vendor-specific severity. This field is not populated when the SecurityResult appears in a detection.

confidenceDetails

string

Additional detail with regards to the confidence of a security event as estimated by the product vendor. This field is not populated when the SecurityResult appears in a detection.

priorityDetails

string

Vendor-specific information about the security result priority. This field is not populated when the SecurityResult appears in a detection.

urlBackToProduct

string

URL that takes the user to the source product console for this event. This field is not populated when the SecurityResult appears in a detection.

threatId

string

Vendor-specific ID for a threat. This field is not populated when the SecurityResult appears in a detection.

threatFeedName

string

Vendor feed name for a threat indicator feed. This field is not populated when the SecurityResult appears in a detection.

threatIdNamespace

enum (Namespace)

The attribute threatIdNamespace qualifies threatId with an ID namespace to form a unique ID. The attribute threatId by itself is not unique across Chronicle, as it is a vendor-specific ID. This field is not populated when the SecurityResult appears in a detection.

threatStatus

enum (ThreatStatus)

Current status of the threat. This field is not populated when the SecurityResult appears in a detection.

attackDetails

object (AttackDetails)

MITRE ATT&CK details. This field is not populated when the SecurityResult appears in a detection.

firstDiscoveredTime

string (Timestamp format)

First time the IoC threat was discovered in the provider. This field is not populated when the SecurityResult appears in a detection.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

associations[]

object (Association)

Associations related to the threat.

campaigns[]
(deprecated)

string

Campaigns using this IoC threat. This is deprecated. Use threatCollections instead.

reports[]
(deprecated)

string

Reports that reference this IoC threat. These are the report IDs. This is deprecated. Use threatCollections instead.

verdict
(deprecated)

object (Verdict)

Verdict about the IoC from the provider. This field is deprecated. Use verdictInfo instead.

lastUpdatedTime

string (Timestamp format)

Last time the IoC threat was updated in the provider. This field is not populated when the SecurityResult appears in a detection.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

verdictInfo[]

object (VerdictInfo)

Verdict information about the IoC from the provider. This field is not populated when the SecurityResult appears in a detection.

threatVerdict

enum (ThreatVerdict)

GCTI threat verdict on the security result entity. This field is not populated when the SecurityResult appears in a detection.

lastDiscoveredTime

string (Timestamp format)

Last time the IoC was seen in the provider data. This field is not populated when the SecurityResult appears in a detection.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

detectionDepth

string (int64 format)

The depth of the detection chain. Applies only to composite detections.

threatCollections[]

object (ThreatCollectionItem)

GTI collections associated with the security result.

AttackDetails

MITRE ATT&CK details.

JSON representation
{
  "version": string,
  "tactics": [
    {
      object (Tactic)
    }
  ],
  "techniques": [
    {
      object (Technique)
    }
  ]
}
Fields
version

string

ATT&CK version (e.g. 12.1).

tactics[]

object (Tactic)

Tactics employed.

techniques[]

object (Technique)

Techniques employed.

Tactic

Tactic information related to an attack or threat.

JSON representation
{
  "id": string,
  "name": string
}
Fields
id

string

Tactic ID (e.g. "TA0043").

name

string

Tactic Name (e.g. "Reconnaissance").

Technique

Technique information related to an attack or threat.

JSON representation
{
  "id": string,
  "name": string,
  "subtechniqueId": string,
  "subtechniqueName": string
}
Fields
id

string

Technique ID (e.g. "T1595").

name

string

Technique Name (e.g. "Active Scanning").

subtechniqueId

string

Subtechnique ID (e.g. "T1595.001").

subtechniqueName

string

Subtechnique Name (e.g. "Scanning IP Blocks").
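Added example, written for this page rather than taken from the UDM reference or any Google client library: a checker for AttackDetails objects that verifies the tactic, technique and sub-technique IDs have the shapes shown in the field descriptions above (TA0043, T1595, T1595.001) and that a subtechniqueId belongs to the technique it is attached to, plus a helper that reduces each technique entry to its most specific ATT&CK reference for grouping results. The sample object is constructed from the example values on this page.

```python
"""Added example (not UDM reference code): validate AttackDetails / Tactic /
Technique objects and extract compact ATT&CK references from them."""
import re

TACTIC_ID = re.compile(r"^TA\d{4}$")          # e.g. TA0043
TECHNIQUE_ID = re.compile(r"^T\d{4}$")        # e.g. T1595
SUBTECHNIQUE_ID = re.compile(r"^T\d{4}\.\d{3}$")  # e.g. T1595.001


def validate_attack_details(attack: dict) -> list[str]:
    """Return a list of problems; empty means every ID is well-formed and each
    subtechniqueId is a sub-technique of the technique it sits under."""
    problems = []
    if not attack.get("version"):
        problems.append("version is empty")
    for i, tactic in enumerate(attack.get("tactics", [])):
        tid = tactic.get("id", "")
        if not TACTIC_ID.match(tid):
            problems.append(f"tactics[{i}].id {tid!r} is not of the form TA0043")
    for i, tech in enumerate(attack.get("techniques", [])):
        tid = tech.get("id", "")
        sub = tech.get("subtechniqueId")
        if not TECHNIQUE_ID.match(tid):
            problems.append(f"techniques[{i}].id {tid!r} is not of the form T1595")
        if sub is not None:
            if not SUBTECHNIQUE_ID.match(sub):
                problems.append(
                    f"techniques[{i}].subtechniqueId {sub!r} is not of the form T1595.001")
            elif not sub.startswith(tid + "."):
                # T1595.001 is a sub-technique of T1595; anything else is a
                # mismatched pair, a common mapping error in parsers.
                problems.append(
                    f"techniques[{i}].subtechniqueId {sub!r} does not belong to {tid!r}")
        elif tech.get("subtechniqueName"):
            problems.append(f"techniques[{i}] has subtechniqueName but no subtechniqueId")
    return problems


def technique_refs(attack: dict) -> list[str]:
    """Most specific ATT&CK reference per technique entry: the sub-technique
    ID when present, otherwise the technique ID. Handy as a key when grouping
    or counting security results by technique."""
    return [t.get("subtechniqueId") or t.get("id", "") for t in attack.get("techniques", [])]


# Constructed from the example values in the field descriptions above.
SAMPLE_ATTACK = {
    "version": "12.1",
    "tactics": [{"id": "TA0043", "name": "Reconnaissance"}],
    "techniques": [{
        "id": "T1595", "name": "Active Scanning",
        "subtechniqueId": "T1595.001", "subtechniqueName": "Scanning IP Blocks",
    }],
}

if __name__ == "__main__":
    print(validate_attack_details(SAMPLE_ATTACK) or "ok", technique_refs(SAMPLE_ATTACK))
```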

Verdict

Deprecated. Encapsulates the threat verdict provided by human analysts and ML models. These fields are used to model Mandiant sources.

JSON representation
{
  "sourceCount": integer,
  "responseCount": integer,
  "neighbourInfluence": string,
  "verdict": {
    object (ProviderMLVerdict)
  },
  "analystVerdict": {
    object (AnalystVerdict)
  }
}
Fields
sourceCount

integer

Number of sources from which intelligence was extracted.

responseCount

integer

Total response count across all sources.

neighbourInfluence

string

Describes the neighbour influence of the verdict.

verdict

object (ProviderMLVerdict)

ML Verdict provided by sources like Mandiant.

analystVerdict

object (AnalystVerdict)

Human analyst verdict provided by sources like Mandiant.

ProviderMLVerdict

Deprecated. MLVerdict result provided from threat providers, like Mandiant. These fields are used to model Mandiant sources.

JSON representation
{
  "sourceProvider": string,
  "benignCount": integer,
  "maliciousCount": integer,
  "confidenceScore": integer,
  "mandiantSources": [
    {
      object (Source)
    }
  ],
  "thirdPartySources": [
    {
      object (Source)
    }
  ]
}
Fields
sourceProvider

string

Source provider giving the ML verdict.

benignCount

integer

Count of responses where this IoC was marked benign.

maliciousCount

integer

Count of responses where this IoC was marked malicious.

confidenceScore

integer

Confidence score of the verdict.

mandiantSources[]

object (Source)

List of Mandiant sources from which the verdict was generated.

thirdPartySources[]

object (Source)

List of third-party sources from which the verdict was generated.

Source

Deprecated. Information about the threat intelligence source. These fields are used to model Mandiant sources.

JSON representation
{
  "name": string,
  "benignCount": integer,
  "maliciousCount": integer,
  "quality": enum (ProductConfidence),
  "responseCount": integer,
  "sourceCount": integer,
  "threatIntelligenceSources": [
    {
      object (Source)
    }
  ]
}
Fields
name

string

Name of the IoC source.

benignCount

integer

Count of responses where this IoC was marked benign.

maliciousCount

integer

Count of responses where this IoC was marked malicious.

quality

enum (ProductConfidence)

Quality of the IoC mapping extracted from the source.

responseCount

integer

Total response count from this source.

sourceCount

integer

Number of sources from which intelligence was extracted.

threatIntelligenceSources[]

object (Source)

Different threat intelligence sources from which IoC info was extracted.

AnalystVerdict

Verdict provided by the human analyst. These fields are used to model Mandiant sources.

JSON representation
{
  "confidenceScore": integer,
  "verdictTime": string,
  "verdictResponse": enum (VerdictResponse)
}
Fields
confidenceScore

integer

Confidence score of the verdict.

verdictTime

string (Timestamp format)

Timestamp at which the verdict was generated.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

verdictResponse

enum (VerdictResponse)

Details of the verdict.

VerdictInfo

Describes the threat verdict provided by human analysts and machine learning models. These fields are used to model Mandiant sources.

JSON representation
{
  "sourceCount": integer,
  "responseCount": integer,
  "neighbourInfluence": string,
  "verdictType": enum (VerdictType),
  "sourceProvider": string,
  "benignCount": integer,
  "maliciousCount": integer,
  "confidenceScore": integer,
  "iocStats": [
    {
      object (IoCStats)
    }
  ],
  "verdictTime": string,
  "verdictResponse": enum (VerdictResponse),
  "globalCustomerCount": integer,
  "globalHitsCount": integer,
  "pwn": boolean,
  "categoryDetails": string,
  "pwnFirstTaggedTime": string
}
Fields
sourceCount

integer

Number of sources from which intelligence was extracted.

responseCount

integer

Total response count across all sources.

neighbourInfluence

string

Describes the near neighbor influence of the verdict.

verdictType

enum (VerdictType)

Type of verdict.

sourceProvider

string

Source provider giving the machine learning verdict.

benignCount

integer

Count of responses where this IoC was marked as benign.

maliciousCount

integer

Count of responses where this IoC was marked as malicious.

confidenceScore

integer

Confidence score of the verdict.

iocStats[]

object (IoCStats)

List of IoCStats from which the verdict was generated.

verdictTime

string (Timestamp format)

Timestamp when the verdict was generated.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

verdictResponse

enum (VerdictResponse)

Details about the verdict.

globalCustomerCount

integer

Global customer count over the last 30 days.

globalHitsCount

integer

Global hit count over the last 30 days.

pwn

boolean

Whether one or more Mandiant incident response customers had this indicator in their environment.

categoryDetails

string

Tags related to the verdict.

pwnFirstTaggedTime

string (Timestamp format)

The timestamp of the first time a pwn was associated with this entity.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

IoCStats

Information about the threat intelligence source. These fields are used to model Mandiant sources.

JSON representation
{
  "iocStatsType": enum (IoCStatsType),
  "firstLevelSource": string,
  "secondLevelSource": string,
  "benignCount": integer,
  "quality": enum (ProductConfidence),
  "maliciousCount": integer,
  "responseCount": integer,
  "sourceCount": integer
}
Fields
iocStatsType

enum (IoCStatsType)

Describes the source of the IoCStat.

firstLevelSource

string

Name of the first-level IoC source, for example Mandiant or a third party.

secondLevelSource

string

Name of the second-level IoC source, for example Crowdsourced Threat Analysis or Knowledge Graph.

benignCount

integer

Count of responses where the IoC was identified as benign.

quality

enum (ProductConfidence)

Level of confidence in the IoC mapping extracted from the source.

maliciousCount

integer

Count of responses where the IoC was identified as malicious.

responseCount

integer

Total number of responses from the source.

sourceCount

integer

Number of sources from which information was extracted.

ThreatCollectionItem

Threat Collection that is either a threat campaign or a threat report.

JSON representation
{
  "id": string,
  "type": enum (ThreatCollectionType),
  "altNames": [
    string
  ]
}
Fields
id

string

The ID of the threat collection.

type

enum (ThreatCollectionType)

The type of threat collection (e.g., "campaign").

altNames[]

string

The alternative names of the threat collection.