LegacyFederatedCase

This service is available for customers who migrated SOAR to a customer managed project and have the Chronicle API enabled. LegacyFederatedCase is a representation of a case in the Federated Case store.

JSON representation
{
  "name": string,
  "id": string,
  "createTimeMs": string,
  "updateTimeMs": string,
  "displayName": string,
  "alertCount": integer,
  "stage": string,
  "priority": enum (Priority),
  "important": boolean,
  "description": string,
  "type": enum (CaseType),
  "assigneeFullName": string,
  "environmentData": {
    object (EnvironmentData)
  },
  "status": enum (CaseDataState),
  "score": number,
  "caseSla": {
    object (LegacyCaseSla)
  },
  "alertsSla": {
    object (LegacyCaseSla)
  },
  "incident": boolean,
  "hasSuspiciousEntity": boolean,
  "workflowStatus": enum (WorkflowState),
  "tags": [
    string
  ],
  "products": [
    string
  ],
  "displayId": string,
  "touched": boolean,
  "merged": boolean,
  "hasIncident": boolean,
  "alertNames": [
    string
  ],
  "workflow": boolean,
  "overflowCase": boolean,
  "externalReference": {
    object (LegacyPlatformReference)
  },
  "additionalProperties": {
    string: string,
    ...
  }
}
Fields
name

string

Identifier. The name of the case. Format: projects/{project}/locations/{location}/instances/{instance}/legacyFederatedCases/{legacyFederatedCase}

id

string (int64 format)

Required. The id of the case.

createTimeMs

string (int64 format)

Optional. The creation time of the record in ms.

updateTimeMs

string (int64 format)

Optional. The modification time of the record in ms.

displayName

string

Optional. Case title, limited to 200 characters. Replaces the old property: Title.

alertCount

integer

Optional. Number of alerts in the case.

stage

string

Optional. The stage of the case. For example, "Triage", "Incident", "Investigation". The default stage is "Triage", and users can define custom stages.

priority

enum (Priority)

Required. Case priority.

important

boolean

Optional. Additional way to specify case importance. The default is false.

description

string

Optional. Case description, limited to 1000 characters.

type

enum (CaseType)

Required. The case type (e.g. External, Test).

assigneeFullName

string

Optional. This can be the full name of a user or a @SocRole.

environmentData

object (EnvironmentData)

Optional. Case logical environment.

status

enum (CaseDataState)

Optional. Case status.

score

number

Optional. Attack exposure/risk score for the case.

caseSla

object (LegacyCaseSla)

Optional. Case SLA

alertsSla

object (LegacyCaseSla)

Optional. Aggregated SLA of the alerts in the case (each alert has an SLA of its own).

incident

boolean

Optional. Whether the case is an incident.

hasSuspiciousEntity

boolean

Optional. Whether the case has a suspicious entity.

workflowStatus

enum (WorkflowState)

Optional. Status of the most recent playbook that executed on the case.

tags[]

string

Optional. List of tags assigned to the case.

products[]

string

Optional. List of products that exist within the case (e.g. WinEventLog:Security/DLP_Product).

displayId

string

Optional. Synthetic unique identifier of the case, for display.

touched

boolean

Optional. Whether the case was manually edited since creation.

merged

boolean

Optional. Whether the case was merged with another case.

hasIncident

boolean

Optional. Whether the case represents an incident.

alertNames[]

string

Optional. Names of the alerts in this case.

workflow

boolean

Optional. Whether a workflow has been run on the case.

overflowCase

boolean

Optional. Whether the case is an overflow case.

externalReference

object (LegacyPlatformReference)

Optional. External reference.

additionalProperties

map (key: string, value: string)

Optional. Additional properties of the case, represented as key-value pairs.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

Priority

Case priority.

Enums
UNCHANGED The priority is unchanged (unspecified).
INFORMATIVE The priority is informative.
LOW The priority is low.
MEDIUM The priority is medium.
HIGH The priority is high.
CRITICAL The priority is critical.

CaseType

The type of the case.

Enums
CASE_TYPE_UNSPECIFIED The type is unspecified.
EXTERNAL The type is external.
TEST The type is test.
REQUEST The type is request.

EnvironmentData

EnvironmentData is a representation of an environment in the Federated Case store.

JSON representation
{
  "environment": string,
  "platform": string,
  "dynamicParameters": [
    {
      object (EnvironmentDynamicParameterDto)
    }
  ],
  "base64Image": string
}
Fields
environment

string

Optional. The name of the environment.

platform

string (int64 format)

Optional. The platform of the environment.

dynamicParameters[]

object (EnvironmentDynamicParameterDto)

Optional. The dynamic parameters for the environment.

base64Image

string (bytes format)

Optional. Base64-encoded image of the environment.

A base64-encoded string.

EnvironmentDynamicParameterDto

EnvironmentDynamicParameterDto is a representation of a dynamic parameter key-value pair in the Federated Case store.

JSON representation
{
  "key": string,
  "value": string
}
Fields
key

string

Optional. The key of the dynamic parameter key-value pair.

value

string

Optional. The value of the dynamic parameter key-value pair.

CaseDataState

Case data state.

Enums
CASE_DATA_STATE_UNSPECIFIED The status is unspecified.
OPENED The status is open.
CLOSED The status is closed.
ALL The status is all.
MERGED The status is merged.
CREATION_PENDING The status is creation pending.

LegacyCaseSla

SLA is a representation of an SLA in the Federated Case store.

JSON representation
{
  "expirationTimeMs": string,
  "criticalExpirationTimeMs": string,
  "expirationStatus": enum (SlaExpirationEnum),
  "lastPauseRemainingTimeMs": string
}
Fields
expirationTimeMs

string (int64 format)

Optional. The expiration time of the SLA in ms.

criticalExpirationTimeMs

string (int64 format)

Optional. The critical expiration time of the SLA in ms.

expirationStatus

enum (SlaExpirationEnum)

Optional. The expiration status of the SLA.

lastPauseRemainingTimeMs

string (int64 format)

Optional. The critical expiration time of the SLA in ms.

SlaExpirationEnum

The status of the SLA.

Enums
NO_SLA No SLA
PAUSED Paused
OPEN_SLA Open SLA
CRITICAL_EXPIRED Critical expired
PASSED_DUE Passed due
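The following Python is an added example, not code from the Chronicle API or its client libraries. It validates a LegacyFederatedCase record against the constraints listed on this page (required fields, enum values, 200/1000 character limits, int64 values carried as digit strings) and derives an SlaExpirationEnum value from the LegacyCaseSla timestamps. The sample record is constructed, and the SLA derivation order (PAUSED and NO_SLA taken from the server, then PASSED_DUE before CRITICAL_EXPIRED) is an assumption, since the page does not state how the server computes expirationStatus.

```python
import json

# Enum values as listed on this page.
PRIORITY = ["UNCHANGED", "INFORMATIVE", "LOW", "MEDIUM", "HIGH", "CRITICAL"]
CASE_TYPE = {"CASE_TYPE_UNSPECIFIED", "EXTERNAL", "TEST", "REQUEST"}
CASE_DATA_STATE = {"CASE_DATA_STATE_UNSPECIFIED", "OPENED", "CLOSED", "ALL", "MERGED", "CREATION_PENDING"}

# Constructed sample record shaped like the JSON representation above (not real data).
SAMPLE_CASE = json.loads("""{
  "name": "projects/p/locations/us/instances/i/legacyFederatedCases/12345",
  "id": "12345", "createTimeMs": "1700000000000", "updateTimeMs": "1700003600000",
  "displayName": "Suspicious logon burst", "alertCount": 3, "stage": "Triage",
  "priority": "HIGH", "important": false, "type": "EXTERNAL", "status": "OPENED",
  "caseSla": {"expirationTimeMs": "1700007200000",
              "criticalExpirationTimeMs": "1700005400000",
              "expirationStatus": "OPEN_SLA", "lastPauseRemainingTimeMs": "0"}
}""")

def validate_case(case):
    """Return schema problems found in a LegacyFederatedCase dict (empty list = OK)."""
    problems = [f"missing required field {f}" for f in ("id", "priority", "type") if f not in case]
    for field, allowed in (("priority", PRIORITY), ("type", CASE_TYPE), ("status", CASE_DATA_STATE)):
        if field in case and case[field] not in allowed:
            problems.append(f"bad {field} {case[field]!r}")
    for field, limit in (("displayName", 200), ("description", 1000)):
        if len(case.get(field, "")) > limit:
            problems.append(f"{field} exceeds {limit} characters")
    # int64 values arrive as JSON strings; anything else is a malformed record
    for field in ("id", "createTimeMs", "updateTimeMs"):
        if field in case and not (isinstance(case[field], str) and case[field].isdigit()):
            problems.append(f"{field} is not an int64 digit string")
    return problems

def sla_state(sla, now_ms):
    """Derive an SlaExpirationEnum value from a LegacyCaseSla dict at time now_ms.
    Assumed ordering (not stated on the page): server status wins for NO_SLA/PAUSED."""
    if not sla or not sla.get("expirationTimeMs"):
        return "NO_SLA"
    if sla.get("expirationStatus") == "PAUSED":
        return "PAUSED"
    if now_ms >= int(sla["expirationTimeMs"]):
        return "PASSED_DUE"
    if sla.get("criticalExpirationTimeMs") and now_ms >= int(sla["criticalExpirationTimeMs"]):
        return "CRITICAL_EXPIRED"
    return "OPEN_SLA"

def needs_attention(case, now_ms):
    """Triage helper: escalate on HIGH/CRITICAL priority, the important flag, or a breached SLA."""
    breached = sla_state(case.get("caseSla"), now_ms) in ("CRITICAL_EXPIRED", "PASSED_DUE")
    return PRIORITY.index(case["priority"]) >= PRIORITY.index("HIGH") or bool(case.get("important")) or breached
```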

WorkflowState

The status of the workflow.

Enums
NONE The status is none.
IN_PROGRESS The status is in progress.
COMPLETED The status is completed.
FAILED The status is failed.
TERMINATED The status is terminated.
PENDING_IN_QUEUE The status is pending in queue.
PENDING_FOR_USER The status is pending for user.

LegacyPlatformReference

LegacyPlatformReference is a representation of a platform reference in the Federated Case store.

JSON representation
{
  "platform": string,
  "uri": string
}
Fields
platform

string

Optional. The platform name.

uri

string

Optional. The URL of the platform.