REST Resource: projects.locations.instances.iocs.iocMatches

Resource: IocMatch
- JSON representation
AssetIndicators
- JSON representation
EntityIndicator
- JSON representation
EmptyAssetListReasonCode
FilterProperties
- JSON representation
StringValues
- JSON representation
StringValue
- JSON representation
State
Methods

Resource: IocMatch

An Ioc match contains all those IOCs (indicator of compromise) that have matched with the ingested log data and flagged as suspicious.

JSON representation

JSON representation
{ "name": string, "filter_properties": { object (`FilterProperties`) }, "ioc_state": enum (`State`), // Union field `indicators` can be only one of the following: "asset_indicators": { object (`AssetIndicators`) }, "empty_asset_list_reason_code": enum (`EmptyAssetListReasonCode`) // End of list of possible types for union field `indicators`. }

{
  "name": string,
  "filter_properties": {
    object (FilterProperties)
  },
  "ioc_state": enum (State),

  // Union field indicators can be only one of the following:
  "asset_indicators": {
    object (AssetIndicators)
  },
  "empty_asset_list_reason_code": enum (EmptyAssetListReasonCode)
  // End of list of possible types for union field indicators.
}

Fields
`name`	`string` Output only. The resource id
`filter_properties (deprecated)`	`object (FilterProperties)` This item is deprecated! Properties of this match, used for filtering in the client. This field is now deprecated.
`ioc_state`	`enum (State)` Optional. The current state of IoC. default state is MATCHED.
Union field `indicators`. One or multiple assets with matching property. `indicators` can be only one of the following:
`asset_indicators`	`object (AssetIndicators)` An indicator for locating one or multiple assets with matching property.
`empty_asset_list_reason_code`	`enum (EmptyAssetListReasonCode)` When asset_indicators is empty, this field should be set.

AssetIndicators

An indicator for locating one or multiple assets with matching property.

JSON representation
{ "entity_indicators": [ { object (`EntityIndicator`) } ] }

Fields

Fields
`entity_indicators[]`	`object (EntityIndicator)` Output only. The indicator can be hostname, ip address or mac address. We will limit the number of assets to the first N (e.g., N=20) found.

entity_indicators[]

object (EntityIndicator)

Output only. The indicator can be hostname, ip address or mac address. We will limit the number of assets to the first N (e.g., N=20) found.

EntityIndicator

Enacpsulates the Entity Indicator Value and Type

JSON representation

JSON representation
{ "indicator_namespace": string, // Union field `indicator` can be only one of the following: "hostname": string, "asset_ip_address": string, "mac": string, "product_id": string, "username": string, "email": string, "employee_id": string, "windows_sid": string, "project_object_id": string, "raw_pid": string, "process_id": string, "full_command_line": string, "parent_process_id": string, "hash_md5": string, "hash_sha1": string, "hash_sha256": string, "file_path": string, "destination_ip_address": string, "domainname": string, "resource_project_object_id": string, "resource": string, "product_object_id": string // End of list of possible types for union field `indicator`. }

{
  "indicator_namespace": string,

  // Union field indicator can be only one of the following:
  "hostname": string,
  "asset_ip_address": string,
  "mac": string,
  "product_id": string,
  "username": string,
  "email": string,
  "employee_id": string,
  "windows_sid": string,
  "project_object_id": string,
  "raw_pid": string,
  "process_id": string,
  "full_command_line": string,
  "parent_process_id": string,
  "hash_md5": string,
  "hash_sha1": string,
  "hash_sha256": string,
  "file_path": string,
  "destination_ip_address": string,
  "domainname": string,
  "resource_project_object_id": string,
  "resource": string,
  "product_object_id": string
  // End of list of possible types for union field indicator.
}

Fields
`indicator_namespace`	`string` Namespace value of the indicator. An unknown namespace will be stored as 'malachite_null_namespace' specifically. Searching globally across all namespaces for an unknown namespace.
Union field `indicator`. Indicator type and value, consistent with malachite.dao.KValueType. `indicator` can be only one of the following:
`hostname`	`string` Asset types. The hostname.
`asset_ip_address`	`string` The IP address.
`mac`	`string` The MAC address.
`product_id`	`string` The product specific id.
`username`	`string` User types. The username.
`email`	`string` The email.
`employee_id`	`string` The employee id.
`windows_sid`	`string` The windows sid.
`project_object_id`	`string` The project object id.
`raw_pid`	`string` Process types. The raw pid.
`process_id`	`string` The process id.
`full_command_line`	`string` The full command line.
`parent_process_id`	`string` The parent process id.
`hash_md5`	`string` File types. The hash md5.
`hash_sha1`	`string` The hash sha1.
`hash_sha256`	`string` The hash sha256.
`file_path`	`string` The file path,
`destination_ip_address`	`string` Artifact types. The resolved ip address in internal KValueType from udm artifact.ip.
`domainname`	`string` The domain name.
`resource_project_object_id`	`string` Resource types. LDAP Object Id or generic product object identifier that creates a unique user entity identifier.
`resource`	`string` System unique resource name.
`product_object_id`	`string` The product object id.

EmptyAssetListReasonCode

Indicate the reason that the asset_indicators field in ListIocMatches is empty.

Enums
`EMPTY_ASSET_LIST_REASON_CODE_UNSPECIFIED`	If asset_indicators isn't empty, it will be set as UNSPECIFIED_CODE.
`CONTAIN_HIGH_VOLUME_ASSETS_ONLY`	In current approach, we don't return DNS Servers (high volume assests) to customers.
`CALCULATION_TIME_OUT`	Since AssetIndicators calacution has a long tail latency, we don't calaculate AssetIndicator for all IOCs, when the RPC returns too many IOCs.

FilterProperties

JSON representation
{ "string_properties": { string: { object (`StringValues`) }, ... }, "hidden": boolean }

Fields

Fields
`string_properties`	`map (key: string, value: object (StringValues))` An object containing a list of `"key": value` pairs. Example: `{ "name": "wrench", "mass": "1.3kg", "count": "3" }`.
`hidden`	`boolean`

string_properties

map (key: string, value: object (StringValues))

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

hidden

boolean

StringValues

JSON representation
{ "values": [ { object (`StringValue`) } ] }

Fields
`values[]`	`object (StringValue)`

StringValue

JSON representation
{ "raw_value": string, "display_value": string }

Fields
`raw_value`	`string`
`display_value`	`string`

State

Status of an IOC. Default status is matched

Enums
`STATE_UNSPECIFIED`	The Ioc Status is unknown.
`MATCHED`	The Ioc has matched with some event.
`REVIEWED`	The Ioc has been reviewed.
`MUTED`	The Ioc has been muted.

Methods
`get`	Get an Ioc match.
`list`	Lists Ioc matches across all iocs.