Method: enrichmentAgent.executeActions

Full name: projects.locations.instances.enrichmentAgent.executeActions

Executes a list of manual actions on a given SIEM alert.

HTTP request

POST https://{endpoint}/v1alpha/{parent}/enrichmentAgent:executeActions

Where {endpoint} is one of the supported service endpoints.

Path parameters

Parameters
parent

string

Required. The parent, which owns the collection of actions.

Request body

The request body contains data with the following structure:

JSON representation
{
  "siemAlertId": string,
  "actions": [
    {
      object (ExecuteActionRequest)
    }
  ]
}
Fields
siemAlertId

string

Required. The identifier of the SIEM alert.

actions[]

object (ExecuteActionRequest)

Required. The actions to execute.

Response body

Response for enrichmentAgent.executeActions. Details of a list of actions that will be executed.

If successful, the response body contains data with the following structure:

JSON representation
{
  "parent": string,
  "results": [
    {
      object (ExecuteActionResult)
    }
  ],
  "executionTimeSeconds": number
}
Fields
parent

string

Output only. The parent, which owns the collection of actions.

results[]

object (ExecuteActionResult)

The results of the actions.

executionTimeSeconds

number

Output only. The execution time of the actions in seconds.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/cloud-platform
  • https://www.googleapis.com/auth/chronicle
  • https://www.googleapis.com/auth/chronicle.readonly

For more information, see the Authentication Overview.

IAM Permissions

Requires the following IAM permission on the parent resource:

  • chronicle.enrichmentAgent.execute

For more information, see the IAM documentation.

ExecuteActionRequest

Request for executing a manual action.

JSON representation
{
  "targetEntities": [
    string
  ],
  "parameters": {
    string: string,
    ...
  },
  "displayName": string,
  "integration": string,
  "integrationInstance": string
}
Fields
targetEntities[]

string

Required. The target entities.

parameters

map (key: string, value: string)

Optional. The parameters.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

displayName

string

Required. The action name.

integration

string

Required. The integration.

integrationInstance

string

Required. The integration instance.

ExecuteActionResult

Minimal information about an action result.

JSON representation
{
  "integration": string,
  "displayName": string,
  "message": string,
  "executionTimeSeconds": number,
  "entityId": string,
  "resultJson": string,
  "resultEntitiesDelta": string,
  "resultValue": string,
  "status": enum (ActionStatus)
}
Fields
integration

string

Output only. The integration.

displayName

string

Output only. The action display name.

message

string

Output only. The message.

executionTimeSeconds

number

Output only. The execution time of the action in seconds.

entityId

string

Output only. The entity identifier.

resultJson

string

Output only. The result JSON object.

resultEntitiesDelta

string

Output only. The result entities JSON object.

resultValue

string

Output only. The result value.

status

enum (ActionStatus)

Output only. The status of the action.

ActionStatus

Status of an action execution.

Enums
ACTION_STATUS_UNSPECIFIED Unspecified action status.
FAULTED Faulted.
ASYNC_PENDING In progress.
COMPLETED Completed.
PENDING_USER_INPUT Pending user input.
PENDING_PREVIOUS_STEPS Pending previous steps.
STARTED Started.
FAULTED_AND_SKIPPED Faulted and skipped.
HANDLED_TIMEDOUT Handled timed out.
UNHANDLED_TIMEDOUT Unhandled timed out.
TERMINATED Terminated.
NOT_RUN_AND_SKIPPED Not run and skipped.
PENDING_ACTION_TIMEOUT Pending action got timeout, the playbook stopped.
PENDING_ACTION_TIMEOUT_AND_SKIPPED Pending action timeout and skipped.
PENDING_RETRY Pending action retry.
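As an added example that is not part of this reference, the following Python builds a request body in the shape documented above, checks the required ExecuteActionRequest fields before anything is sent, decodes the string-typed resultJson field, and buckets each ExecuteActionResult by its ActionStatus so a caller can poll unfinished actions and escalate failed ones. The integration name, entity values and sample response are constructed, and which statuses count as failures is an assumption stated in the code.

```python
import json
# ActionStatus values (from the enum on this page) that mean an action has finished.
TERMINAL = {"COMPLETED", "FAULTED", "FAULTED_AND_SKIPPED", "HANDLED_TIMEDOUT", "UNHANDLED_TIMEDOUT",
            "TERMINATED", "NOT_RUN_AND_SKIPPED", "PENDING_ACTION_TIMEOUT", "PENDING_ACTION_TIMEOUT_AND_SKIPPED"}
# Finished statuses a triage script treats as failures (assumption: handled timeouts and skips are not).
FAILED = TERMINAL - {"COMPLETED", "HANDLED_TIMEDOUT", "NOT_RUN_AND_SKIPPED"}
REQUIRED_ACTION_FIELDS = ("displayName", "integration", "integrationInstance", "targetEntities")

def missing_fields(action):
    """Names of required ExecuteActionRequest fields that are absent or empty."""
    return [f for f in REQUIRED_ACTION_FIELDS if not action.get(f)]

def build_request(siem_alert_id, actions):
    """Assemble the executeActions request body, rejecting malformed input before it is sent."""
    if not siem_alert_id or not actions:
        raise ValueError("siemAlertId and at least one action are required")
    for action in actions:
        if missing_fields(action):
            raise ValueError(f"{action.get('displayName')!r} is missing {missing_fields(action)}")
        # parameters is a string-to-string map, so numeric values travel as strings (e.g. "3").
        if not all(isinstance(k, str) and isinstance(v, str) for k, v in action.get("parameters", {}).items()):
            raise ValueError("parameters must map strings to strings")
    return {"siemAlertId": siem_alert_id, "actions": list(actions)}

def parse_result_json(result):
    """resultJson is a string holding JSON; decode it, or return None when empty or malformed."""
    try:
        return json.loads(result.get("resultJson") or "null")
    except json.JSONDecodeError:
        return None

def summarize_results(response):
    """Bucket results by status so pending actions can be polled and failures escalated."""
    buckets = {"completed": [], "failed": [], "pending": []}
    for r in response.get("results", []):
        status = r.get("status", "ACTION_STATUS_UNSPECIFIED")
        if status == "COMPLETED":
            buckets["completed"].append(r["displayName"])
        elif status in FAILED:
            buckets["failed"].append(r["displayName"])
        elif status not in TERMINAL:  # ASYNC_PENDING, STARTED, PENDING_USER_INPUT, ...
            buckets["pending"].append(r["displayName"])
    return buckets

SAMPLE_RESPONSE = {"parent": "projects/example-project/locations/us/instances/example-instance",  # constructed sample
                   "executionTimeSeconds": 1.7, "results": [
    {"integration": "ExampleIntegration", "displayName": "Enrich IP", "entityId": "203.0.113.5",
     "executionTimeSeconds": 1.5, "resultJson": "{\"reputation\": \"unknown\"}", "status": "COMPLETED"},
    {"integration": "ExampleIntegration", "displayName": "Lookup domain", "entityId": "example.invalid",
     "executionTimeSeconds": 0.2, "resultJson": "", "status": "ASYNC_PENDING"}]}
```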