Method: instances.runThreatHunt

HTTP request
Path parameters
Request body
- JSON representation
Response body
Authorization scopes
IAM Permissions

Full name: projects.locations.instances.runThreatHunt

Runs a Threat Hunt.

HTTP request

POST https://{endpoint}/v1alpha/{parent}:runThreatHunt

Where {endpoint} is one of the supported service endpoints.

Path parameters

Parameters

Parameters
`parent`	`string` Required. The instance to run the ThreatHunt in. Format: projects/{project}/locations/{location}/instances/{instance}

parent

string

Required. The instance to run the ThreatHunt in. Format: projects/{project}/locations/{location}/instances/{instance}

Request body

The request body contains data with the following structure:

JSON representation

JSON representation
{ "interval": { object (`Interval`) }, "environment": string, "legacySoarUser": string, // Union field `subject` can be only one of the following: "campaign": string, "actor": string, "malware": string, "technique": string, "tool": string // End of list of possible types for union field `subject`. }

{
  "interval": {
    object (Interval)
  },
  "environment": string,
  "legacySoarUser": string,

  // Union field subject can be only one of the following:
  "campaign": string,
  "actor": string,
  "malware": string,
  "technique": string,
  "tool": string
  // End of list of possible types for union field subject.
}

Fields
`interval`	`object (Interval)` Required. The time range over which to run the hunt.
`environment`	`string` Optional. The environment to run the threat hunt in. Format: projects/{project}/locations/{location}/instances/{instance}/environments/{environment}
`legacySoarUser`	`string` Optional. The SOAR user to attribute the threat hunt to. When a threat hunt is initiated from SOAR, this field should be populated with the resource name of the SOAR user who initiated the hunt. Format: projects/{project}/locations/{location}/instances/{instance}/legacySoarUsers/{legacySoarUser}
Union field `subject`. The subject of the hunt. One of these fields must be populated. `subject` can be only one of the following:
`campaign`	`string` Optional. Identifier for a GTI campaign. For example, "CAMP.26.012"
`actor`	`string` Optional. Identifier for a GTI threat actor. For example, "UNC5792"
`malware`	`string` Optional. Identifier for a GTI malware family. For example, "WHATLINK".
`technique`	`string` Optional. ID for MITRE Technique or subtechnique. Ex: TT1651
`tool`	`string` Optional. ID for a software tool

Response body

If successful, the response body contains an instance of Operation.

Authorization scopes

Requires one of the following OAuth scopes:

https://www.googleapis.com/auth/cloud-platform
https://www.googleapis.com/auth/chronicle
https://www.googleapis.com/auth/chronicle.readonly

For more information, see the Authentication Overview.

IAM Permissions

Requires the following IAM permission on the parent resource:

chronicle.instances.runThreatHunt

For more information, see the IAM documentation.

Method: instances.runThreatHunt Stay organized with collections Save and categorize content based on your preferences.