Collection

JSON representation
Element
- JSON representation
Reference
- JSON representation
ResponsePlatformInfo
- JSON representation
ResponsePlatformType
SoarAlertMetadata
- JSON representation

Collection represents a container of objects (such as events, entity context metadata, detection finding metadata) and state (such as investigation details).

An example use case for Collection is to model a detection and investigation from detection finding metadata to investigative state collected in the course of the investigation. For more complex investigation and response workflows a Collection could represent an incident consisting of multiple child findings or incidents. This can be expanded on to model remediation elements of a full detection and response workflow.

NEXT TAG: 20

JSON representation

JSON representation
{ "id": string, "type": enum (`CollectionType`), "id_namespace": enum (`Namespace`), "created_time": string, "last_updated_time": string, "time_window": { object (`Interval`) }, "collection_elements": [ { object (`Element`) } ], "detection": [ { object (`SecurityResult`) } ], "detection_time": string, "investigation": { object (`Investigation`) }, "tags": [ string ], "response_platform_info": { object (`ResponsePlatformInfo`) }, "case_name": string, "feedback_summary": { object (`Feedback`) }, "feedback_history": [ { object (`Feedback`) } ], "soar_alert": boolean, "soar_alert_metadata": { object (`SoarAlertMetadata`) }, "data_access_scope": string }

{
  "id": string,
  "type": enum (CollectionType),
  "id_namespace": enum (Namespace),
  "created_time": string,
  "last_updated_time": string,
  "time_window": {
    object (Interval)
  },
  "collection_elements": [
    {
      object (Element)
    }
  ],
  "detection": [
    {
      object (SecurityResult)
    }
  ],
  "detection_time": string,
  "investigation": {
    object (Investigation)
  },
  "tags": [
    string
  ],
  "response_platform_info": {
    object (ResponsePlatformInfo)
  },
  "case_name": string,
  "feedback_summary": {
    object (Feedback)
  },
  "feedback_history": [
    {
      object (Feedback)
    }
  ],
  "soar_alert": boolean,
  "soar_alert_metadata": {
    object (SoarAlertMetadata)
  },
  "data_access_scope": string
}

Fields
`id`	`string` Unique ID for the collection. The ID is specific to the type of collection. For example, with rule detections this is the detection ID.
`type`	`enum (CollectionType)` What the collection represents.
`id_namespace`	`enum (Namespace)` The ID namespace used for the Collection.
`created_time`	`string (Timestamp format)` Time the collection was created. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`last_updated_time`	`string (Timestamp format)` Time the collection was last updated. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`time_window`	`object (Interval)` Time interval that the collection represents.
`collection_elements[]`	`object (Element)` Constituent elements of the collection. Each element shares an association that groups it together and is a component of the overall collection. For example, a detection collection may have several constituent elements that each share a correlation association that together represent a particular pattern or behavior.
`detection[]`	`object (SecurityResult)` Detection metadata for findings that represent detections, can include rule details, machine learning model metadata, and indicators implicated in the detection (using the .about field).
`detection_time`	`string (Timestamp format)` Timestamp within the time_window related to the time of the collection_elements. For Rule Detections, this timestamp is the end of the the time_window for multi-event rules or the time of the event for single event rules. For late-arriving events that trigger new alerts, the detection_time will be the event time of the event. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`investigation`	`object (Investigation)` Consolidated investigation details (categorization, status, etc) typically for collections that begin as detection findings and then evolve with analyst action and feedback into investigations around the detection output.
`tags[]`	`string` Tags set by UC/DSML/RE for the Finding during creation.
`response_platform_info`	`object (ResponsePlatformInfo)` Alert related info of this same alert in customer's SOAR platform.
`case_name`	`string` The resource name of the Case that this collection belongs to. Example: projects/{project id}/locations/{region}/chronicle/cases/{internal_case_id}
`feedback_summary`	`object (Feedback)` The current primary analyst feedback. This does not include the history of feedback given, which may be supplied in `feedback`.
`feedback_history[]`	`object (Feedback)` The history of feedback submitted by analysts for this finding, in descending order by timestamp. This field is limited to the most recent 1000 feedback events. The primary feedback will also be included in this list.
`soar_alert`	`boolean` A boolean field indicating that the alert is present in SOAR.
`soar_alert_metadata`	`object (SoarAlertMetadata)` Metadata fields of alerts coming from other SIEM systems via SOAR.
`data_access_scope`	`string` The resource name of the DataAccessScope of this collection.

Element

NEXT TAG: 5

JSON representation
{ "association": { object (`SecurityResult`) }, "references": [ { object (`Reference`) } ], "label": string, "references_sampled": boolean }

Fields
`association`	`object (SecurityResult)` Metadata that provides the relevant association for the references in the element. For a detection, this can be the correlated aspect of the references that contributed to the overall detection. For example, may include sub-rule condition, machine learning model metadata, and/or indicators implicated in this component of the detection (using the .about field).
`references[]`	`object (Reference)` References to model primatives including events and entities that share a common association. Even though a reference can have both UDM and entity, a collection of references (of a single element) will only have one type of message in it (either UDM / Entity).
`label`	`string` A name that labels the entire references group.
`references_sampled`	`boolean` Copied from the detection event_sample.too_many_event_samples field. If true, the number of references will be capped at the sample limit (set at rule service). This is applicable to both UDM references and Entity references.

Reference

Reference to model primatives including event and entity. As support is added for fast retrieval of objects by identifiers, this will be expanded to include ID references rather than full object copies.

JSON representation
{ "event": { object (`UDM`) }, "entity": { object (`Entity`) }, "id": { object (`Id`) } }

Fields

Fields
`event`	`object (UDM)` Only one of event or entity will be populated for a single reference. Start one-of Event being referenced.
`entity`	`object (Entity)` Entity being referenced. End one-of
`id`	`object (Id)` Id being referenced. This field will also be populated for both event and entity with the event id. For detections, only this field will be populated.

event

object (UDM)

Only one of event or entity will be populated for a single reference. Start one-of Event being referenced.

entity

object (Entity)

Entity being referenced. End one-of

id

object (Id)

Id being referenced. This field will also be populated for both event and entity with the event id. For detections, only this field will be populated.

ResponsePlatformInfo

Related info of an Alert in customer's SOAR platform.

JSON representation
{ "alert_id": string, "response_platform_type": enum (`ResponsePlatformType`) }

Fields

Fields
`alert_id`	`string` Id of the alert in SOAR product.
`response_platform_type`	`enum (ResponsePlatformType)` Type of SOAR product.

alert_id

string

Id of the alert in SOAR product.

response_platform_type

enum (ResponsePlatformType)

Type of SOAR product.

ResponsePlatformType

Available response platforms.

Enums
`RESPONSE_PLATFORM_TYPE_UNSPECIFIED`	Response platform not specified.
`RESPONSE_PLATFORM_TYPE_SIEMPLIFY`	Siemplify

SoarAlertMetadata

Metadata fields of alerts coming from other SIEM systems.

JSON representation
{ "alert_id": string, "source_rule": string, "vendor": string, "source_system": string, "product": string, "source_system_ticket_id": string, "source_system_uri": string }

Fields
`alert_id`	`string` Alert ID in the source SIEM system.
`source_rule`	`string` Name of the rule triggering the alert in the source SIEM.
`vendor`	`string` Name of the vendor.
`source_system`	`string` Name of the Source SIEM system.
`product`	`string` Name of the product the alert is coming from.
`source_system_ticket_id`	`string` Ticket id for the alert in the source system.
`source_system_uri`	`string` Url to the source SIEM system.