ThreatDetectionOpportunity

Threat Detection Opportunity.

JSON representation
{
  "summary": string,
  "mitreInfo": {
    object (MitreInfo)
  },
  "supportingEvidence": [
    string
  ],
  "observables": {
    object (ObservableCollection)
  },
  "logTypes": [
    string
  ]
}
Fields
summary

string

Concise, one-sentence summary.

mitreInfo

object (MitreInfo)

MITRE ATT&CK details for the Threat Detection Opportunity.

supportingEvidence[]

string

Free-form text of supporting evidence for the Threat Detection Opportunity, extracted from the threat.

observables

object (ObservableCollection)

Detection opportunity observables, such as hostnames and IP addresses.

logTypes[]

string

Output only. Resource names of log types associated with the Threat Detection Opportunity.

MitreInfo

MITRE ATT&CK details for the Threat Detection Opportunity.

JSON representation
{
  "tactics": [
    string
  ],
  "techniques": [
    string
  ],
  "platform": string,
  "procedure": string,
  "detectionStrategy": string
}
Fields
tactics[]

string

Optional. MITRE ATT&CK tactics.

techniques[]

string

Optional. MITRE ATT&CK techniques.

platform

string

Platform the technique is associated with.

procedure

string

MITRE ATT&CK procedure.

detectionStrategy

string

Detection strategy for the Threat Detection Opportunity.

ObservableCollection

Detection opportunity observables.

JSON representation
{
  "atomics": {
    object (AtomicIndicatorCollection)
  },
  "procedures": {
    object (ProcedureCollection)
  }
}
Fields
atomics

object (AtomicIndicatorCollection)

Context-free IOCs.

procedures

object (ProcedureCollection)

Context-dependent tactics, techniques, and procedures.

AtomicIndicatorCollection

Context-free IOCs.

JSON representation
{
  "hashes": [
    string
  ],
  "domains": [
    string
  ],
  "urls": [
    string
  ],
  "ipAddresses": [
    string
  ],
  "emails": [
    string
  ],
  "ports": [
    integer
  ]
}
Fields
hashes[]

string

File hashes associated with the threat.

domains[]

string

Domains associated with the threat.

urls[]

string

URLs associated with the threat.

ipAddresses[]

string

IP addresses associated with the threat.

emails[]

string

Email addresses associated with the threat.

ports[]

integer

Ports associated with the threat.

ProcedureCollection

Context-dependent tactics, techniques, and procedures.

JSON representation
{
  "files": [
    string
  ],
  "registryKeys": [
    string
  ],
  "processes": [
    string
  ],
  "parentProcesses": [
    string
  ],
  "userAccounts": [
    string
  ]
}
Fields
files[]

string

Files associated with the threat.

registryKeys[]

string

Registry keys associated with the threat.

processes[]

string

Processes associated with the threat.

parentProcesses[]

string

Parent process names associated with the threat.

userAccounts[]

string

User accounts associated with the threat.
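A validator and flattener for the document described above, added here as an example and not taken from the API reference. It assumes the JSON has already been loaded into a Python dict, checks each field against the types listed on this page, and turns the observables into watchlist-ready triples; the sample document is constructed.

```python
"""Validate a ThreatDetectionOpportunity document and flatten its observables.
Added example, not code from the API reference: checks a parsed JSON document against the
field types listed on this page and flattens observables into (collection, kind, value) triples."""

# Element type of each repeated field, as described in the schema above.
ATOMIC_FIELDS = {"hashes": str, "domains": str, "urls": str,
                 "ipAddresses": str, "emails": str, "ports": int}
PROCEDURE_FIELDS = {"files": str, "registryKeys": str, "processes": str,
                    "parentProcesses": str, "userAccounts": str}

def _bad_list(values, elem_type):  # bool is rejected where an integer is expected
    return not isinstance(values, list) or any(
        isinstance(v, bool) or not isinstance(v, elem_type) for v in values)

def validate_opportunity(doc):
    """Return schema violations as strings; an empty list means the document is valid."""
    errors = []
    if not isinstance(doc.get("summary"), str):
        errors.append("summary: must be a string")
    mitre = doc.get("mitreInfo", {})
    for key in ("tactics", "techniques"):
        if _bad_list(mitre.get(key, []), str):
            errors.append(f"mitreInfo.{key}: must be a list of strings")
    for key in ("platform", "procedure", "detectionStrategy"):
        if key in mitre and not isinstance(mitre[key], str):
            errors.append(f"mitreInfo.{key}: must be a string")
    # logTypes is output only: type-checked when present, never required.
    for key in ("supportingEvidence", "logTypes"):
        if _bad_list(doc.get(key, []), str):
            errors.append(f"{key}: must be a list of strings")
    obs = doc.get("observables", {})
    for coll, fields in (("atomics", ATOMIC_FIELDS), ("procedures", PROCEDURE_FIELDS)):
        for key, elem_type in fields.items():
            if _bad_list(obs.get(coll, {}).get(key, []), elem_type):
                errors.append(f"observables.{coll}.{key}: must be a list of {elem_type.__name__}")
    return errors

def flatten_observables(doc):
    """Sorted, deduplicated (collection, kind, value) triples from the observables."""
    obs = doc.get("observables", {})
    triples = {(coll, kind, v) for coll in ("atomics", "procedures")
               for kind, values in obs.get(coll, {}).items() for v in values}
    return sorted(triples, key=lambda t: (t[0], t[1], str(t[2])))

SAMPLE = {  # constructed sample document; every value is illustrative only
    "summary": "Constructed sample: scheduled-task persistence",
    "mitreInfo": {"tactics": ["TA0003"], "techniques": ["T1053.005"], "platform": "Windows"},
    "observables": {"atomics": {"domains": ["example.invalid"], "ports": [4444]},
                    "procedures": {"processes": ["schtasks.exe"], "userAccounts": ["svc-example"]}},
}
```

Run validate_opportunity first and only flatten documents that return no errors, since flatten_observables assumes every repeated field is a list.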