LegacyCaseInfo

JSON representation
LegacyCaseSecurityEvent
- JSON representation
LegacyCasePropertyValue
- JSON representation
CaseType
CasePriority
LegacyCaseInfoAttachment
- JSON representation
LoadDataTypeEnumQueue
IngestionSourceType

CaseInfo represents the case information model.

JSON representation

JSON representation
{ "creatorUserId": string, "events": [ { object (`LegacyCaseSecurityEvent`) } ], "environment": string, "sourceSystemName": string, "ticketId": string, "description": string, "displayId": string, "reason": string, "name": string, "deviceVendor": string, "deviceProduct": string, "startTime": string, "endTime": string, "ruleGenerator": string, "sourceGroupingIdentifier": string, "playbookTriggerKeywords": [ string ], "extensions": [ { object (`LegacyCasePropertyValue`) } ], "attachments": [ { object (`LegacyCaseInfoAttachment`) } ], "sourceSystemUrl": string, "sourceRuleIdentifier": string, "siemAlertId": string, "updatedFields": [ { object (`LegacyCasePropertyValue`) } ], "alertMetadata": { string: value, ... }, "dataAccessScope": string, "type": enum (`CaseType`), "priority": enum (`CasePriority`), "isTrimmed": boolean, "dataType": enum (`LoadDataTypeEnumQueue`), "sourceType": enum (`IngestionSourceType`), "alertUpdateSupported": boolean }

{
  "creatorUserId": string,
  "events": [
    {
      object (LegacyCaseSecurityEvent)
    }
  ],
  "environment": string,
  "sourceSystemName": string,
  "ticketId": string,
  "description": string,
  "displayId": string,
  "reason": string,
  "name": string,
  "deviceVendor": string,
  "deviceProduct": string,
  "startTime": string,
  "endTime": string,
  "ruleGenerator": string,
  "sourceGroupingIdentifier": string,
  "playbookTriggerKeywords": [
    string
  ],
  "extensions": [
    {
      object (LegacyCasePropertyValue)
    }
  ],
  "attachments": [
    {
      object (LegacyCaseInfoAttachment)
    }
  ],
  "sourceSystemUrl": string,
  "sourceRuleIdentifier": string,
  "siemAlertId": string,
  "updatedFields": [
    {
      object (LegacyCasePropertyValue)
    }
  ],
  "alertMetadata": {
    string: value,
    ...
  },
  "dataAccessScope": string,
  "type": enum (CaseType),
  "priority": enum (CasePriority),
  "isTrimmed": boolean,
  "dataType": enum (LoadDataTypeEnumQueue),
  "sourceType": enum (IngestionSourceType),
  "alertUpdateSupported": boolean
}

Fields
`creatorUserId`	`string` Optional. CreatorUserId identifies the user who creates this case - only relevant for cases of type Request.
`events[]`	`object (LegacyCaseSecurityEvent)` Required. Events is a list of the events that make up this case.
`environment`	`string` Optional. Environment is the case environment.
`sourceSystemName`	`string` Optional. SourceSystemName is the name of the source system - based on the connector.
`ticketId`	`string` Optional. TicketId is the external case id received from the external product - based on the connector.
`description`	`string` Optional. Description is the case description.
`displayId`	`string` Optional. DisplayId is the external case display id received from the external product - based on the connector.
`reason`	`string` Optional. Reason is the case reason.
`name`	`string` Optional. Name is the case name.
`deviceVendor`	`string` Optional. DeviceVendor is the case product vendor - based on the connector.
`deviceProduct`	`string` Optional. DeviceProduct is the case product vendor - based on the connector.
`startTime`	`string (int64 format)` Optional. StartTime is the case starting time in unix format as milliseconds - based on the connector. Represents DateTime StartTime as unix time
`endTime`	`string (int64 format)` Optional. EndTime is the case ending time in unix format as milliseconds - based on the connector. Represents DateTime EndTime as unix time
`ruleGenerator`	`string` Optional. RuleGenerator is the rule that generates this case - based on the connector.
`sourceGroupingIdentifier`	`string` Optional. SourceGroupingIdentifier is the source grouping identifier will be used to group alert into one case - depends on alert grouping configuration - based on the connector.
`playbookTriggerKeywords[]`	`string` Optional. PlaybookTriggerKeywords is the playbook trigger keywords - used for 'Alert Trigger Value' playbook trigger type.
`extensions[]`	`object (LegacyCasePropertyValue)` Optional. Extensions is an obsolete field.
`attachments[]`	`object (LegacyCaseInfoAttachment)` Optional. Attachments is the case attachments - based on the connector.
`sourceSystemUrl`	`string` Optional. SourceSystemUrl is the configured source url - defined in the connector that ingested this alert.
`sourceRuleIdentifier`	`string` Optional. SourceRuleIdentifier is the configured source rule url - defined in the connector that ingested this alert.
`siemAlertId`	`string` Optional. SiemAlertId is the Chronicle SIEM alert identifier.
`updatedFields[]`	`object (LegacyCasePropertyValue)` Optional. UpdatedFields is the alert Updated Fields.
`alertMetadata`	`map (key: string, value: value (Value format))` Optional. AlertMetadata is the additional alert metadata as key-value pairs. An object containing a list of `"key": value` pairs. Example: `{ "name": "wrench", "mass": "1.3kg", "count": "3" }`.
`dataAccessScope`	`string` Optional. DataAccessScope is the Chronicle SIEM resource name of the DataAccessScope of this alert.
`type`	`enum (CaseType)` Optional. Type is the case type.
`priority`	`enum (CasePriority)` Optional. Priority is the case priority.
`isTrimmed`	`boolean` Optional. IsTrimmed is a flag that indicates whether the case got trimmed or not.
`dataType`	`enum (LoadDataTypeEnumQueue)` Optional. DataType is the case data type.
`sourceType`	`enum (IngestionSourceType)` Optional. SourceType is the case source type.
`alertUpdateSupported`	`boolean` Optional. AlertUpdateSupported indicates if the alert source system support alert updates.

LegacyCaseSecurityEvent

SecurityEvent represents a security event.

JSON representation

JSON representation
{ "environment": string, "sourceSystemName": string, "extensions": [ { object (`LegacyCasePropertyValue`) } ], "parentEventId": string, "sourceMacAddress": string, "destinationMacAddress": string, "name": string, "message": string, "type": string, "severity": string, "eventId": string, "managerReceiptTime": string, "startTime": string, "ruleGenerator": string, "endTime": string, "deviceHostName": string, "deviceAddress": string, "destinationDnsDomain": string, "destinationNtDomain": string, "sourceDnsDomain": string, "sourceNtDomain": string, "deviceEventClassId": string, "transportProtocol": string, "applicationProtocol": string, "destinationPort": string, "categoryOutcome": string, "deviceEventCategory": string, "deviceVendor": string, "deviceProduct": string, "deviceSeverity": string, "fileType": string, "baseEventIds": [ string ], "cefVersion": string, "deviceVersion": string, "signatureId": string, "description": string, "receiptTime": string, "rawDataFields": { string: string, ... }, "destinationUrl": string, "creditCard": string, "phoneNumber": string, "cve": string, "threatActor": string, "threatCampaign": string, "process": string, "parentProcess": string, "parentHash": string, "childProcess": string, "ipset": string, "cluster": string, "application": string, "database": string, "pod": string, "container": string, "service": string, "genericEntity": string, "sourceProcessName": string, "fileName": string, "fileHash": string, "deployment": string, "emailSubject": string, "threatSignature": string, "usb": string, "childHash": string, "sourceHostName": string, "sourceAddress": string, "destinationHostName": string, "destinationAddress": string, "destinationUserName": string, "sourceUserName": string, "sourceUserId": string, "destinationProcessName": string, "sourceDomain": string, "destinationDomain": string, "fields": { string: value, ... }, "isCorrelation": boolean }

{
  "environment": string,
  "sourceSystemName": string,
  "extensions": [
    {
      object (LegacyCasePropertyValue)
    }
  ],
  "parentEventId": string,
  "sourceMacAddress": string,
  "destinationMacAddress": string,
  "name": string,
  "message": string,
  "type": string,
  "severity": string,
  "eventId": string,
  "managerReceiptTime": string,
  "startTime": string,
  "ruleGenerator": string,
  "endTime": string,
  "deviceHostName": string,
  "deviceAddress": string,
  "destinationDnsDomain": string,
  "destinationNtDomain": string,
  "sourceDnsDomain": string,
  "sourceNtDomain": string,
  "deviceEventClassId": string,
  "transportProtocol": string,
  "applicationProtocol": string,
  "destinationPort": string,
  "categoryOutcome": string,
  "deviceEventCategory": string,
  "deviceVendor": string,
  "deviceProduct": string,
  "deviceSeverity": string,
  "fileType": string,
  "baseEventIds": [
    string
  ],
  "cefVersion": string,
  "deviceVersion": string,
  "signatureId": string,
  "description": string,
  "receiptTime": string,
  "rawDataFields": {
    string: string,
    ...
  },
  "destinationUrl": string,
  "creditCard": string,
  "phoneNumber": string,
  "cve": string,
  "threatActor": string,
  "threatCampaign": string,
  "process": string,
  "parentProcess": string,
  "parentHash": string,
  "childProcess": string,
  "ipset": string,
  "cluster": string,
  "application": string,
  "database": string,
  "pod": string,
  "container": string,
  "service": string,
  "genericEntity": string,
  "sourceProcessName": string,
  "fileName": string,
  "fileHash": string,
  "deployment": string,
  "emailSubject": string,
  "threatSignature": string,
  "usb": string,
  "childHash": string,
  "sourceHostName": string,
  "sourceAddress": string,
  "destinationHostName": string,
  "destinationAddress": string,
  "destinationUserName": string,
  "sourceUserName": string,
  "sourceUserId": string,
  "destinationProcessName": string,
  "sourceDomain": string,
  "destinationDomain": string,
  "fields": {
    string: value,
    ...
  },
  "isCorrelation": boolean
}

Fields
`environment`	`string` Required. Environment is the event environment.
`sourceSystemName`	`string` Optional. SourceSystemName is the name of the source system.
`extensions[]`	`object (LegacyCasePropertyValue)` Optional. Extensions is a list of key-value pairs for event extensions.
`parentEventId`	`string (int64 format)` Optional. ParentEventId is the ID of the parent event.
`sourceMacAddress`	`string` Optional. SourceMacAddress is the source MAC address.
`destinationMacAddress`	`string` Optional. DestinationMacAddress is the destination MAC address.
`name`	`string` Optional. Name is the name of the event.
`message`	`string` Optional. Message is the event message.
`type`	`string` Optional. Type is the event type.
`severity`	`string` Optional. Severity is the event severity.
`eventId`	`string` Optional. EventId is the event identifier.
`managerReceiptTime`	`string` Optional. ManagerReceiptTime is the manager receipt time.
`startTime`	`string` Optional. StartTime is the event start time.
`ruleGenerator`	`string` Optional. RuleGenerator is the rule that generated the event.
`endTime`	`string` Optional. EndTime is the event end time.
`deviceHostName`	`string` Optional. DeviceHostName is the device host name.
`deviceAddress`	`string` Optional. DeviceAddress is the device address.
`destinationDnsDomain`	`string` Optional. DestinationDnsDomain is the destination DNS domain.
`destinationNtDomain`	`string` Optional. DestinationNtDomain is the destination NT domain.
`sourceDnsDomain`	`string` Optional. SourceDnsDomain is the source DNS domain.
`sourceNtDomain`	`string` Optional. SourceNtDomain is the source NT domain.
`deviceEventClassId`	`string` Optional. DeviceEventClassId is the device event class ID.
`transportProtocol`	`string` Optional. TransportProtocol is the transport protocol.
`applicationProtocol`	`string` Optional. ApplicationProtocol is the application protocol.
`destinationPort`	`string` Optional. DestinationPort is the destination port.
`categoryOutcome`	`string` Optional. CategoryOutcome is the category outcome.
`deviceEventCategory`	`string` Optional. DeviceEventCategory is the device event category.
`deviceVendor`	`string` Optional. DeviceVendor is the device vendor.
`deviceProduct`	`string` Optional. DeviceProduct is the device product.
`deviceSeverity`	`string` Optional. DeviceSeverity is the device severity.
`fileType`	`string` Optional. FileType is the file type.
`baseEventIds[]`	`string (int64 format)` Optional. BaseEventIds is a list of base event IDs.
`cefVersion`	`string` Optional. CefVersion is the CEF version.
`deviceVersion`	`string` Optional. DeviceVersion is the device version.
`signatureId`	`string` Optional. SignatureId is the signature ID.
`description`	`string` Optional. Description is the event description.
`receiptTime`	`string` Optional. ReceiptTime is the receipt time.
`rawDataFields`	`map (key: string, value: string)` Optional. RawDataFields is a map of raw data fields. An object containing a list of `"key": value` pairs. Example: `{ "name": "wrench", "mass": "1.3kg", "count": "3" }`.
`destinationUrl`	`string` Optional. DestinationURL is the destination URL.
`creditCard`	`string` Optional. CreditCard is the credit card information.
`phoneNumber`	`string` Optional. PhoneNumber is the phone number.
`cve`	`string` Optional. CVE is the CVE identifier.
`threatActor`	`string` Optional. ThreatActor is the threat actor.
`threatCampaign`	`string` Optional. ThreatCampaign is the threat campaign.
`process`	`string` Optional. Process is the process name.
`parentProcess`	`string` Optional. ParentProcess is the parent process name.
`parentHash`	`string` Optional. ParentHash is the parent hash.
`childProcess`	`string` Optional. ChildProcess is the child process name.
`ipset`	`string` Optional. IPSET is the IP set.
`cluster`	`string` Optional. Cluster is the cluster name.
`application`	`string` Optional. Application is the application name.
`database`	`string` Optional. Database is the database name.
`pod`	`string` Optional. Pod is the pod name.
`container`	`string` Optional. Container is the container name.
`service`	`string` Optional. Service is the service name.
`genericEntity`	`string` Optional. GenericEntity is a generic entity.
`sourceProcessName`	`string` Optional. SourceProcessName is the source process name.
`fileName`	`string` Optional. FileName is the file name.
`fileHash`	`string` Optional. FileHash is the file hash.
`deployment`	`string` Optional. Deployment is the deployment name.
`emailSubject`	`string` Optional. EmailSubject is the email subject.
`threatSignature`	`string` Optional. ThreatSignature is the threat signature.
`usb`	`string` Optional. USB is the USB information.
`childHash`	`string` Optional. ChildHash is the child hash.
`sourceHostName`	`string` Optional. SourceHostName is the source host name.
`sourceAddress`	`string` Optional. SourceAddress is the source address.
`destinationHostName`	`string` Optional. DestinationHostName is the destination host name.
`destinationAddress`	`string` Optional. DestinationAddress is the destination address.
`destinationUserName`	`string` Optional. DestinationUserName is the destination user name.
`sourceUserName`	`string` Optional. SourceUserName is the source user name.
`sourceUserId`	`string` Optional. SourceUserID is the source user ID.
`destinationProcessName`	`string` Optional. DestinationProcessName is the destination process name.
`sourceDomain`	`string` Optional. SourceDomain is the source domain.
`destinationDomain`	`string` Optional. DestinationDomain is the destination domain.
`fields`	`map (key: string, value: value (Value format))` Optional. Fields is a map of fields. An object containing a list of `"key": value` pairs. Example: `{ "name": "wrench", "mass": "1.3kg", "count": "3" }`.
`isCorrelation`	`boolean` Optional. IsCorrelation indicates if the event is a correlation.

LegacyCasePropertyValue

PropertyValue represents a key-value pair.

JSON representation
{ "key": string, "value": string }

Fields

Fields
`key`	`string` Required. Key is the property key.
`value`	`string` Required. Value is the property value.

key

string

Required. Key is the property key.

value

string

Required. Value is the property value.

CaseType

LINT.IfChange(CaseType) CaseType represents the type of a case.

Enums
`EXTERNAL`	External case type.
`TEST`	Test case type.
`REQUEST`	Request case type.

CasePriority

CasePriority represents the priority of a case. LINT.IfChange(CasePriority)

Enums
`UNCHANGED`	Unchanged case priority.
`LOW`	Low case priority.
`MEDIUM`	Medium case priority.
`HIGH`	High case priority.
`CRITICAL`	Critical case priority.
`INFORMATIVE`	Informative case priority.

LegacyCaseInfoAttachment

CaseInfoAttachment represents the case attachment model.

JSON representation
{ "base64Blob": string, "type": string, "name": string, "description": string, "isImportant": boolean }

Fields
`base64Blob`	`string` Required. Base64Blob is the base64 representation of the attachment.
`type`	`string` Optional. Type is the type of the attachment.
`name`	`string` Optional. Name is the name of the attachment.
`description`	`string` Optional. Description is the description of the attachment.
`isImportant`	`boolean` Optional. IsImportant indicates if the attachment is important.

LoadDataTypeEnumQueue

LoadDataTypeEnumQueue represents the type of data to load.

Enums
`EVENTS`	Events data type.
`CASES`	Cases data type.
`CONNECTOR_LOG`	Connector log data type.
`CONNECTOR_OVERFLOW`	Connector overflow data type.

IngestionSourceType

IngestionSourceType represents the source type of an ingestion.

Enums
`CONNECTOR`	Connector ingestion source type.
`WEBHOOK`	Webhook ingestion source type.

LegacyCaseInfo Stay organized with collections Save and categorize content based on your preferences.