REST Resource: projects.alerts

Resource: Alert

Stateful object representing a group of Findings. The key feature of an Alert is that it expresses the user's intent towards the findings of that group, including those that haven't occurred yet.

JSON representation
{
  "name": string,
  "findings": [
    string
  ],
  "state": enum (State),
  "audit": {
    object (Audit)
  },
  "displayName": string,
  "assets": [
    string
  ],
  "detail": {
    object (AlertDetail)
  },
  "duplicateOf": string,
  "duplicatedBy": [
    string
  ],
  "etag": string,
  "externalId": string,
  "aiSummary": string,
  "relevanceAnalysis": {
    object (RelevanceAnalysis)
  },
  "severityAnalysis": {
    object (SeverityAnalysis)
  },
  "priorityAnalysis": {
    object (PriorityAnalysis)
  },
  "configurations": [
    string
  ]
}
Fields
name

string

Identifier. Server-generated name for the alert. Format: projects/{project}/alerts/{alert}

findings[]

string

Output only. Findings that are covered by this alert.

state

enum (State)

Output only. State of the alert.

audit

object (Audit)

Output only. Audit information for the alert.

displayName

string

Output only. A short title for the alert.

assets[]

string

Output only. Assets that are impacted by this alert.

detail

object (AlertDetail)

Output only. Details object for the alert; not all alerts will have a details object.

duplicateOf

string

Output only. Alert name of the alert this alert is a duplicate of. Format: projects/{project}/alerts/{alert}

duplicatedBy[]

string

Output only. Alert names of the alerts that are duplicates of this alert. Format: projects/{project}/alerts/{alert}

etag

string

Optional. If included when updating an alert, this should be set to the current etag of the alert. If the etags do not match, the update will be rejected and an ABORTED error will be returned.

externalId

string

Output only. External ID for the alert. This is used internally to provide protection against out-of-order updates.

aiSummary

string

Optional. AI summary of the finding.

relevanceAnalysis

object (RelevanceAnalysis)

Output only. High-Precision Relevance Analysis verdict for the alert.

severityAnalysis

object (SeverityAnalysis)

Output only. High-Precision Severity Analysis for the alert.

priorityAnalysis

object (PriorityAnalysis)

Output only. High-Precision Priority Analysis for the alert.

configurations[]

string

Output only. The resource names of the Configurations bound to this alert. Format: projects/{project}/configurations/{configuration}

State

Alert state is used to track the lifecycle of an alert. More state values may be added in the future.

Enums
STATE_UNSPECIFIED Default value, should never be set.
NEW Alert is new.
READ Alert was read by a human.
TRIAGED Alert has been triaged.
ESCALATED Alert has been escalated.
RESOLVED Alert has been resolved.
DUPLICATE Alert is a duplicate of another alert.
FALSE_POSITIVE Alert is a false positive and should be ignored.
NOT_ACTIONABLE Alert is not actionable.
BENIGN Alert is benign.
TRACKED_EXTERNALLY Alert is tracked externally.

AlertDetail

Container for different types of alert details.

JSON representation
{
  "detailType": string,

  // Union field detail can be only one of the following:
  "initialAccessBroker": {
    object (InitialAccessBrokerAlertDetail)
  },
  "dataLeak": {
    object (DataLeakAlertDetail)
  },
  "insiderThreat": {
    object (InsiderThreatAlertDetail)
  },
  "targetTechnology": {
    object (TargetTechnologyAlertDetail)
  }
  // End of list of possible types for union field detail.
}
Fields
detailType

string

Output only. Name of the detail type. Will be set by the server during creation to the name of the field that is set in the detail union.

Union field detail. Domain-specific details object which includes a high-level summary of the finding for use in GTI Alerts contexts. detail can be only one of the following:
initialAccessBroker

object (InitialAccessBrokerAlertDetail)

Initial Access Broker alert detail type.

dataLeak

object (DataLeakAlertDetail)

Data Leak alert detail type.

insiderThreat

object (InsiderThreatAlertDetail)

Insider Threat alert detail type.

targetTechnology

object (TargetTechnologyAlertDetail)

Technology Watchlist alert detail type.

InitialAccessBrokerAlertDetail

Captures the specific details of an Initial Access Broker (IAB) alert.

JSON representation
{
  "severity": string,
  "discoveryDocumentIds": [
    string
  ]
}
Fields
severity

string

Required. IAB-specific severity.

discoveryDocumentIds[]

string

Required. Array of IDs to accommodate multiple discovery documents.

DataLeakAlertDetail

Captures the specific details of a Data Leak alert.

JSON representation
{
  "severity": string,
  "discoveryDocumentIds": [
    string
  ]
}
Fields
severity

string

Required. Data Leak-specific severity. This will be the string representation of the DataLeakFindingDetail.Severity enum (e.g., "LOW", "MEDIUM", "HIGH", "CRITICAL").

discoveryDocumentIds[]

string

Required. Array of IDs to accommodate multiple discovery documents.

InsiderThreatAlertDetail

Captures the specific details of an Insider Threat alert.

JSON representation
{
  "severity": string,
  "discoveryDocumentIds": [
    string
  ]
}
Fields
severity

string

Required. Insider Threat-specific severity. This will be the string representation of the InsiderThreatFindingDetail.Severity enum (e.g., "LOW", "MEDIUM", "HIGH", "CRITICAL").

discoveryDocumentIds[]

string

Required. Array of IDs to accommodate multiple discovery documents.

TargetTechnologyAlertDetail

Contains details for a technology watchlist alert.

JSON representation
{
  "vulnerabilityMatch": {
    object (VulnerabilityMatch)
  }
}
Fields
vulnerabilityMatch

object (VulnerabilityMatch)

Output only. The vulnerability match details.
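As an added illustration (not code from the service or its client libraries), the following Python validates an AlertDetail object against the union and per-type rules given above: exactly one of the four union fields may be populated, detailType follows from that field, the three discovery-based types require a severity and a non-empty discoveryDocumentIds list, and the DataLeak and InsiderThreat severity strings are checked against the levels the reference lists as examples. Every function and constant name here is an assumption of the example, as is treating the four listed severity levels as the complete set; IAB severity is only described as "IAB-specific", so its value is not checked.

```python
from typing import Optional

# Hypothetical names: UNION_FIELDS, SEVERITY_LEVELS, DetailError,
# resolve_detail_type, validate_alert_detail and severity_rank are ours,
# not part of the service or any client library.
UNION_FIELDS = ("initialAccessBroker", "dataLeak", "insiderThreat", "targetTechnology")

# The reference gives these as examples of the DataLeak and InsiderThreat
# severity strings; treating the list as complete is an assumption of this example.
SEVERITY_LEVELS = ("LOW", "MEDIUM", "HIGH", "CRITICAL")

# Types whose detail carries severity plus discoveryDocumentIds, per the reference.
DISCOVERY_TYPES = ("initialAccessBroker", "dataLeak", "insiderThreat")


class DetailError(ValueError):
    """Raised when an AlertDetail object does not match the documented shape."""


def resolve_detail_type(detail: dict) -> str:
    """Name of the single populated union field, i.e. what the server writes
    into detailType. Zero or several populated fields are both errors."""
    populated = [f for f in UNION_FIELDS if detail.get(f) is not None]
    if len(populated) != 1:
        raise DetailError(f"exactly one of {UNION_FIELDS} must be set, found {populated}")
    return populated[0]


def validate_alert_detail(detail: dict) -> dict:
    """Check the union and each type's required fields; return a copy with detailType filled in."""
    detail_type = resolve_detail_type(detail)
    body = detail[detail_type]
    if not isinstance(body, dict):
        raise DetailError(f"{detail_type} must be an object")
    if detail_type in DISCOVERY_TYPES:
        ids = body.get("discoveryDocumentIds")
        if not isinstance(ids, list) or not ids or not all(isinstance(i, str) and i for i in ids):
            raise DetailError(f"{detail_type}.discoveryDocumentIds must be a non-empty list of ids")
        severity = body.get("severity")
        if not isinstance(severity, str) or not severity:
            raise DetailError(f"{detail_type}.severity is required")
        # IAB severity is described only as IAB-specific, so only the two
        # enum-backed types are checked against the known level names.
        if detail_type != "initialAccessBroker" and severity not in SEVERITY_LEVELS:
            raise DetailError(f"{detail_type}.severity {severity!r} not in {SEVERITY_LEVELS}")
    else:  # targetTechnology
        if not isinstance(body.get("vulnerabilityMatch"), dict):
            raise DetailError("targetTechnology.vulnerabilityMatch must be an object")
    # detailType is output-only, but a stored copy that disagrees with the
    # populated field points at corrupted or hand-edited data.
    declared = detail.get("detailType")
    if declared not in (None, "", detail_type):
        raise DetailError(f"detailType {declared!r} does not match populated field {detail_type!r}")
    return {**detail, "detailType": detail_type}


def severity_rank(validated: dict) -> Optional[int]:
    """Order for queue sorting: 0 (LOW) .. 3 (CRITICAL); None where the detail
    type carries no enum-backed severity on this page."""
    detail_type = validated["detailType"]
    if detail_type in ("dataLeak", "insiderThreat"):
        return SEVERITY_LEVELS.index(validated[detail_type]["severity"])
    return None


# Constructed sample: what an alert's detail field might carry for a data leak.
SAMPLE_DETAIL = {"dataLeak": {"severity": "HIGH", "discoveryDocumentIds": ["doc-0001", "doc-0002"]}}

if __name__ == "__main__":
    checked = validate_alert_detail(SAMPLE_DETAIL)
    print(checked["detailType"], severity_rank(checked))
```

Running a stored or received detail through validate_alert_detail before acting on it catches the two failure modes the union description implies: more than one populated field, and a detailType that no longer matches the populated field.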

PriorityAnalysis

Structured priority analysis for a threat.

JSON representation
{
  "priorityLevel": enum (PriorityLevel),
  "confidence": enum (ConfidenceLevel),
  "reasoning": string
}
Fields
priorityLevel

enum (PriorityLevel)

The level of Priority.

confidence

enum (ConfidenceLevel)

The level of confidence in the given verdict.

reasoning

string

Human-readable explanation from the model, detailing why a particular result is considered to have a certain priority.

PriorityLevel

Priority Level of an issue.

Enums
PRIORITY_LEVEL_UNSPECIFIED Default value, should never be set.
PRIORITY_LEVEL_LOW Low Priority.
PRIORITY_LEVEL_MEDIUM Medium Priority.
PRIORITY_LEVEL_HIGH High Priority.
PRIORITY_LEVEL_CRITICAL Critical Priority.

Methods

benign

Marks an alert as benign - BENIGN.

duplicate

Marks an alert as a duplicate of another alert.

enumerateFacets

EnumerateAlertFacets returns the facets and, for each facet value, the number of alerts that meet the filter criteria and have that value.

escalate

Marks an alert as escalated - ESCALATED.

falsePositive

Marks an alert as a false positive - FALSE_POSITIVE.

get

Get an alert by name.

list

Get a list of alerts that meet the filter criteria.

notActionable

Marks an alert as not actionable - NOT_ACTIONABLE.

read

Marks an alert as read - READ.

resolve

Marks an alert as resolved (closed) - RESOLVED.

trackExternally

Marks an alert as tracked externally - TRACKED_EXTERNALLY.

triage

Marks an alert as triaged - TRIAGED.
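The etag field described above is an optimistic-concurrency check: a client sends the etag it last read, and the server rejects the update with ABORTED if the alert has changed since, so two analysts working the same alert cannot silently overwrite each other. The following Python is an added example, not the service's own code or a client library: it models that check together with the state transitions the methods listed here perform, using an in-memory store in place of the real API. The write-counter etag scheme and all names (AlertStore, Aborted, METHOD_TO_STATE, transition_with_retry, lost_update_demo) are assumptions of the illustration.

```python
import re
from typing import Dict, Optional

# Hypothetical names: ALERT_NAME_RE, METHOD_TO_STATE, AlertStore, Aborted and
# transition_with_retry are ours, not part of the service or its client libraries.
ALERT_NAME_RE = re.compile(r"^projects/[^/]+/alerts/[^/]+$")  # name format from the reference

# Each state-changing method on this page names the State it sets; this table
# collects those pairings.
METHOD_TO_STATE = {
    "read": "READ",
    "triage": "TRIAGED",
    "escalate": "ESCALATED",
    "resolve": "RESOLVED",
    "duplicate": "DUPLICATE",
    "falsePositive": "FALSE_POSITIVE",
    "notActionable": "NOT_ACTIONABLE",
    "benign": "BENIGN",
    "trackExternally": "TRACKED_EXTERNALLY",
}


class Aborted(Exception):
    """Stand-in for the ABORTED error returned when the supplied etag is stale."""


class AlertStore:
    """In-memory stand-in for the server: one record per alert, re-tagged on each write."""

    def __init__(self) -> None:
        self._alerts: Dict[str, dict] = {}
        self._writes: Dict[str, int] = {}

    def _retag(self, name: str) -> None:
        # Assumed etag scheme: a per-alert write counter. Real etags are opaque;
        # a client should only ever compare them, never parse them.
        self._writes[name] = self._writes.get(name, 0) + 1
        self._alerts[name]["etag"] = f'"w{self._writes[name]}"'

    def create(self, project: str, alert_id: str) -> dict:
        name = f"projects/{project}/alerts/{alert_id}"
        self._alerts[name] = {"name": name, "state": "NEW", "duplicateOf": "", "etag": ""}
        self._retag(name)
        return dict(self._alerts[name])

    def get(self, name: str) -> dict:
        return dict(self._alerts[name])  # a copy: the caller holds a snapshot

    def apply(self, name: str, method: str, etag: Optional[str] = None,
              duplicate_of: str = "") -> dict:
        current = self._alerts[name]
        # Documented rule: an etag sent with an update must equal the current one,
        # otherwise the update is rejected with ABORTED. No etag means unconditional.
        if etag is not None and etag != current["etag"]:
            raise Aborted(f"stale etag for {name}: sent {etag}, current {current['etag']}")
        if method == "duplicate":
            if not ALERT_NAME_RE.match(duplicate_of):
                raise ValueError("duplicateOf must look like projects/{project}/alerts/{alert}")
            current["duplicateOf"] = duplicate_of
        current["state"] = METHOD_TO_STATE[method]
        self._retag(name)
        return dict(current)


def transition_with_retry(store: AlertStore, name: str, method: str,
                          max_attempts: int = 3, **kwargs) -> dict:
    """Client pattern: send the etag from the last read; on ABORTED, re-read
    and decide again against the fresh state instead of blindly retrying."""
    snapshot = store.get(name)
    for _ in range(max_attempts):
        try:
            return store.apply(name, method, etag=snapshot["etag"], **kwargs)
        except Aborted:
            snapshot = store.get(name)
            if snapshot["state"] == METHOD_TO_STATE[method]:
                return snapshot  # another writer already made the same change
    raise Aborted(f"gave up on {name} after {max_attempts} attempts")


def lost_update_demo() -> dict:
    """Two analysts fetch the same NEW alert; the second write carries a stale etag."""
    store = AlertStore()
    alert = store.create("demo-project", "alert-1")  # constructed sample alert
    analyst_b_copy = store.get(alert["name"])
    store.apply(alert["name"], "triage", etag=alert["etag"])  # analyst A wins
    try:
        store.apply(alert["name"], "resolve", etag=analyst_b_copy["etag"])  # analyst B, stale
        rejected = False
    except Aborted:
        rejected = True
    return {"rejected": rejected, "state": store.get(alert["name"])["state"],
            "store": store, "name": alert["name"]}


if __name__ == "__main__":
    outcome = lost_update_demo()
    print("stale write rejected:", outcome["rejected"], "| state now:", outcome["state"])
```

The client-side pattern in transition_with_retry is the point to take away: on ABORTED, re-read the alert and re-evaluate whether the intended transition still makes sense, rather than stripping the etag to force the write through, which would reintroduce exactly the lost update the field exists to prevent.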