Resource: CaseEvent
A CaseEvent represents a snapshot of a UDM event attached to a case.
| JSON representation |
|---|
{ "name": string, "event": { object ( |
| Fields | |
|---|---|
| `name` | Identifier. The unique name of the Case Event. Format: `projects/{project}/locations/{location}/instances/{instance}/cases/{case}/events/{event}` |
| `event` | Output only. The immutable snapshot of the UDM event data. This contains the data as it existed when attached to the case. |
| `sources[]` | Output only. Information about how this event is related to the case. |
CaseEvidence
Represents a piece of evidence associated with a Chronicle case. Evidence can be of various types, such as alerts, detections, or events.
| JSON representation |
|---|
{ "evidenceType": enum ( |
| Fields | |
|---|---|
| `evidenceType` | Output only. The type of evidence. |
| `evidenceId` | Output only. The unique identifier of the evidence. |
| `attachTime` | Output only. The timestamp when the evidence was attached to the Case. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| `attacher` | Output only. The user who attached the evidence to the Case. |
| `sourceEvidenceId` | Output only. The ID of the evidence that this evidence was extracted from. |
| `sourceEvidenceType` | Output only. The type of evidence that this evidence was extracted from. |
| `sourceEvidenceKey` | Output only. The key of the evidence that this evidence was extracted from. |
| `soarEvidenceId` | Output only. The ID of the evidence in SOAR. |
EvidenceType
Describes the type of a piece of case evidence.
| Enums | |
|---|---|
| `EVIDENCE_TYPE_UNSPECIFIED` | The evidence type is unspecified. |
| `EVIDENCE_TYPE_ALERT` | The evidence type is alert. |
| `EVIDENCE_TYPE_EVENT` | The evidence type is event. |
| `EVIDENCE_TYPE_DETECTION` | The evidence type is detection. |
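The following is an added example, not part of the API reference or any Google client library. It validates a CaseEvent `name` against the documented format and orders CaseEvidence records by `attachTime`, handling 9-digit fractions and non-"Z" offsets that plain string sorting or `datetime.fromisoformat` can mishandle. The function names and the sample records are hypothetical and constructed, and the fields are assumed to arrive as JSON strings.

```python
import re
from datetime import datetime, timedelta, timezone

# Resource-name pattern from the "name" field description.
NAME_RE = re.compile(
    r"projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/instances/(?P<instance>[^/]+)/cases/(?P<case>[^/]+)/events/(?P<event>[^/]+)")
# RFC 3339 timestamp: up to 9 fractional digits, then "Z" or a numeric offset.
TS_RE = re.compile(
    r"(\d{4})-(\d\d)-(\d\d)[Tt](\d\d):(\d\d):(\d\d)(?:\.(\d{1,9}))?([Zz]|[+-]\d\d:\d\d)")
EVIDENCE_TYPES = {"EVIDENCE_TYPE_UNSPECIFIED", "EVIDENCE_TYPE_ALERT",
                  "EVIDENCE_TYPE_EVENT", "EVIDENCE_TYPE_DETECTION"}

def parse_case_event_name(name):
    """Split a CaseEvent name into its components; reject anything else."""
    m = NAME_RE.fullmatch(name)
    if m is None:
        raise ValueError(f"not a CaseEvent resource name: {name!r}")
    return m.groupdict()

def parse_attach_time(value):
    """Return (UTC datetime at microsecond precision, nanoseconds in the second)."""
    m = TS_RE.fullmatch(value)
    if m is None:
        raise ValueError(f"not an RFC 3339 timestamp: {value!r}")
    y, mo, d, h, mi, s = (int(g) for g in m.groups()[:6])
    nanos = int((m.group(7) or "").ljust(9, "0"))
    off = m.group(8)
    delta = timedelta(0)
    if off.upper() != "Z":
        delta = timedelta(hours=int(off[1:3]), minutes=int(off[4:6]))
        delta = -delta if off[0] == "-" else delta
    local = datetime(y, mo, d, h, mi, s, nanos // 1000, tzinfo=timezone(delta))
    return local.astimezone(timezone.utc), nanos

def timeline(evidence):
    """Order CaseEvidence dicts by true attach instant, not by string value."""
    for e in evidence:
        if e["evidenceType"] not in EVIDENCE_TYPES:
            raise ValueError(f"unknown evidenceType: {e['evidenceType']!r}")
    return sorted(evidence, key=lambda e: parse_attach_time(e["attachTime"]))

# Constructed sample records (not real API output).
SAMPLE = [
    {"evidenceType": "EVIDENCE_TYPE_ALERT", "evidenceId": "ev-a",
     "attachTime": "2024-05-01T10:00:00.000000002Z"},
    {"evidenceType": "EVIDENCE_TYPE_EVENT", "evidenceId": "ev-b",
     "attachTime": "2024-05-01T12:00:00.000000001+02:00"},
    {"evidenceType": "EVIDENCE_TYPE_DETECTION", "evidenceId": "ev-c",
     "attachTime": "2024-05-01T09:59:59Z"},
]
```

Sorting `SAMPLE` by the raw `attachTime` string would place `ev-b` last, while `timeline(SAMPLE)` places it one nanosecond before `ev-a`.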
| Methods | |
|---|---|
| | Gets a case event. |
| | Lists events for a case. |