REST Resource: projects.locations.instances.ontologyRecords

Resource: OntologyRecord

This service is available for customers who migrated SOAR to a customer-managed project and have the Chronicle API enabled. OntologyRecord represents a record in the ontology.

JSON representation
{
  "name": string,
  "source": string,
  "product": string,
  "eventName": string,
  "visualFamily": string,
  "changeSource": enum (ChangeSource),
  "exampleEventFields": [
    {
      object (ExampleEventFieldGroup)
    }
  ],
  "id": string,
  "mappingRules": [
    string
  ]
}
Fields
name

string

Identifier. The resource name of the OntologyRecord. Format: projects/{project}/locations/{location}/instances/{instance}/ontologyRecords/{ontologyRecord}

source

string

Required. The data source (e.g., "GoogleChronicle").

product

string

Required. The product name (e.g., "RandomProductExample0").

eventName

string

Required. The event name (e.g., "IRC Connections").

visualFamily

string

Output only. Resource reference to the VisualFamily.

changeSource

enum (ChangeSource)

Output only. The source of the change.

exampleEventFields[]

object (ExampleEventFieldGroup)

Output only. Example event fields (if any).

id

string (int64 format)

Output only. Unique numeric ID for the OntologyRecord.

mappingRules[]

string

Output only. Resource references to the MappingRules associated with this OntologyRecord.

ChangeSource

The source of the change.

Enums
CHANGE_SOURCE_UNSPECIFIED The ontology record was not created by ingesting an alert with the relevant identifiers (i.e., Source, Product and Event Name); currently only import is supported as the alternative.
INGESTED_ALERT An alert that was ingested via the ETL triggered the creation of this ontology record.

ExampleEventFieldGroup

Example event field group.

JSON representation
{
  "highlighted": boolean,
  "groupName": string,
  "hideOptions": boolean,
  "items": [
    {
      object (ExampleEventFieldItem)
    }
  ]
}
Fields
highlighted

boolean

Output only. Whether the group should be highlighted.

groupName

string

Output only. The group name.

hideOptions

boolean

Output only. Whether the group should be hidden.

items[]

object (ExampleEventFieldItem)

Output only. The list of example event field items.

ExampleEventFieldItem

Example event field item.

JSON representation
{
  "originalName": string,
  "displayName": string,
  "value": string
}
Fields
originalName

string

Output only. The original name of the event field.

displayName

string

Output only. The display name of the event field.

value

string

Output only. The value of the event field.

Methods

delete

Deletes an ontology record.

export

Exports selected ontology records as a ZIP file.

family

Returns the visual family currently associated with a specific data source, product, and event_name.

get

Gets a single specific ontology record by its name.

import

Imports multiple ontology records from a ZIP file.

list

Lists all ontology records defined in the instance.

patch

Updates an existing ontology record.

statistics

Returns high-level statistics about ontology records in the instance.
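The following is an added example, not code from the Chronicle API documentation or client libraries. It checks a record returned by get against the documented OntologyRecord schema (resource-name format, required fields, ChangeSource values, int64-format id) and builds a patch body carrying only the writable fields; the sample record and the assumption that output-only fields should be left out of a patch body are constructed here.

```python
import re

# Constructed sample (not real API output): an OntologyRecord as ontologyRecords.get
# would return it; id is a JSON string because the field is "string (int64 format)".
PARENT = "projects/example-project/locations/us/instances/example-instance"
SAMPLE_RECORD = {
    "name": PARENT + "/ontologyRecords/12345",
    "source": "GoogleChronicle",
    "product": "RandomProductExample0",
    "eventName": "IRC Connections",
    "visualFamily": PARENT + "/visualFamilies/7",
    "changeSource": "INGESTED_ALERT",
    "exampleEventFields": [{"highlighted": True, "groupName": "Network", "hideOptions": False,
                            "items": [{"originalName": "dst_port",
                                       "displayName": "Destination Port", "value": "6667"}]}],
    "id": "12345",
    "mappingRules": [],
}

# Resource-name format documented for the name field.
NAME_RE = re.compile(
    r"^projects/[^/]+/locations/[^/]+/instances/[^/]+/ontologyRecords/[^/]+$")
REQUIRED = ("source", "product", "eventName")          # the only non-output-only fields
CHANGE_SOURCES = {"CHANGE_SOURCE_UNSPECIFIED", "INGESTED_ALERT"}


def validate_record(rec):
    """Return a list of schema problems; an empty list means the record is well-formed."""
    problems = []
    if not NAME_RE.match(rec.get("name", "")):
        problems.append("name does not match the documented resource-name format")
    for field in REQUIRED:
        if not rec.get(field):
            problems.append(f"required field {field!r} is missing or empty")
    if rec.get("changeSource") not in CHANGE_SOURCES:
        problems.append("changeSource is not a documented ChangeSource value")
    if not str(rec.get("id", "")).isdigit():
        problems.append("id is not an int64-format numeric string")
    return problems


def update_body(rec, **changes):
    """Body for ontologyRecords.patch holding only the writable fields (assumption:
    output-only fields are dropped rather than echoed back to the server)."""
    unknown = set(changes) - set(REQUIRED)
    if unknown:
        raise ValueError(f"not writable: {sorted(unknown)}")
    body = {"name": rec["name"]}
    body.update({f: changes.get(f, rec[f]) for f in REQUIRED})
    return body
```

The changeSource value is also the field to group on when auditing which records entered the ontology through ETL ingestion versus import.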