- Resource: IocMatch
- AssetIndicators
- EntityIndicator
- EmptyAssetListReasonCode
- FilterProperties
- StringValues
- StringValue
- State
- Methods
Resource: IocMatch
An IoC match contains all the IoCs (indicators of compromise) that have matched the ingested log data and been flagged as suspicious.
JSON representation

{ "name": string, "filter_properties": { object (

Fields

| Field | Description |
|---|---|
| name | Output only. The resource id. |
| filter_properties | Properties of this match, used for filtering in the client. This field is now deprecated. |
| ioc_state | Optional. The current state of the IoC. The default state is MATCHED. |
| Union field indicators | One or multiple assets with a matching property. indicators can be only one of the following: |
| asset_indicators | An indicator for locating one or multiple assets with a matching property. |
| empty_asset_list_reason_code | When asset_indicators is empty, this field should be set. |
AssetIndicators
An indicator for locating one or multiple assets with a matching property.

JSON representation

{
"entity_indicators": [
{
object (

Fields

| Field | Description |
|---|---|
| entity_indicators[] | Output only. The indicator can be a hostname, IP address or MAC address. The number of assets is limited to the first N (e.g., N=20) found. |
EntityIndicator
Encapsulates the entity indicator value and type.

JSON representation

{ "indicator_namespace": string, // Union field

Fields

| Field | Description |
|---|---|
| indicator_namespace | Namespace value of the indicator. An unknown namespace is stored specifically as 'malachite_null_namespace'; an unknown namespace is searched globally across all namespaces. |
| Union field indicator | Indicator type and value, consistent with malachite.dao.KValueType. indicator can be only one of the following: |
| hostname | Asset types. The hostname. |
| asset_ip_address | The IP address. |
| mac | The MAC address. |
| product_id | The product-specific id. |
| username | User types. The username. |
| email | The email. |
| employee_id | The employee id. |
| windows_sid | The Windows SID. |
| project_object_id | The project object id. |
| raw_pid | Process types. The raw PID. |
| process_id | The process id. |
| full_command_line | The full command line. |
| parent_process_id | The parent process id. |
| hash_md5 | File types. The MD5 hash. |
| hash_sha1 | The SHA-1 hash. |
| hash_sha256 | The SHA-256 hash. |
| file_path | The file path. |
| destination_ip_address | Artifact types. The resolved IP address in the internal KValueType, taken from the UDM artifact.ip field. |
| domainname | The domain name. |
| resource_project_object_id | Resource types. LDAP object id or generic product object identifier that creates a unique user entity identifier. |
| resource | System unique resource name. |
| product_object_id | The product object id. |
EmptyAssetListReasonCode
Indicates the reason that the asset_indicators field in ListIocMatches is empty.

Enums

| Enum | Description |
|---|---|
| EMPTY_ASSET_LIST_REASON_CODE_UNSPECIFIED | If asset_indicators isn't empty, it will be set as UNSPECIFIED_CODE. |
| CONTAIN_HIGH_VOLUME_ASSETS_ONLY | In the current approach, DNS servers (high-volume assets) are not returned to customers. |
| CALCULATION_TIME_OUT | Because the AssetIndicators calculation has a long-tail latency, AssetIndicators are not calculated for all IoCs when the RPC returns too many IoCs. |
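A consumer of ListIocMatches has to handle two union fields before it can act on a match: the IocMatch `indicators` union (either asset_indicators or empty_asset_list_reason_code is set) and the EntityIndicator `indicator` union (exactly one typed member). The following normalizer is an added example, not code from the API's own client libraries; the field names come from the tables above, the sample response is constructed, and treating a missing indicator_namespace as the unknown-namespace value is an assumption.

```python
import json

# Union members of EntityIndicator, grouped by the entity class given in the field table above.
INDICATOR_CLASSES = {
    "asset": ("hostname", "asset_ip_address", "mac", "product_id"),
    "user": ("username", "email", "employee_id", "windows_sid", "project_object_id"),
    "process": ("raw_pid", "process_id", "full_command_line", "parent_process_id"),
    "file": ("hash_md5", "hash_sha1", "hash_sha256", "file_path"),
    "artifact": ("destination_ip_address", "domainname"),
    "resource": ("resource_project_object_id", "resource", "product_object_id"),
}
CLASS_OF = {f: c for c, fields in INDICATOR_CLASSES.items() for f in fields}

def parse_entity_indicator(ind):
    """Return (class, field, value, namespace); the `indicator` union must hold exactly one member."""
    members = [k for k in ind if k in CLASS_OF]
    if len(members) != 1:
        raise ValueError(f"expected one indicator member, got {members}")
    field = members[0]
    # Assumption: a missing namespace is treated like the page's unknown-namespace value.
    ns = ind.get("indicator_namespace", "malachite_null_namespace")
    return CLASS_OF[field], field, ind[field], ns

def normalize_ioc_match(match):
    """Flatten one IocMatch; `indicators` is asset_indicators or empty_asset_list_reason_code, not both."""
    has_assets = "asset_indicators" in match
    has_reason = "empty_asset_list_reason_code" in match
    if has_assets == has_reason:
        raise ValueError(f"{match.get('name')}: indicators union must have exactly one member")
    assets = []
    if has_assets:
        for ind in match["asset_indicators"].get("entity_indicators", []):
            assets.append(parse_entity_indicator(ind))
    return {
        "name": match["name"],
        "ioc_state": match.get("ioc_state", "MATCHED"),  # default state stated on the page
        "assets": assets,
        "empty_reason": match.get("empty_asset_list_reason_code"),
    }

# Constructed sample in the shape of a ListIocMatches result (not real API output).
SAMPLE = json.loads("""[
 {"name": "iocMatches/example-1", "ioc_state": "MATCHED",
  "asset_indicators": {"entity_indicators": [
    {"indicator_namespace": "corp", "hostname": "ws-0042"}, {"asset_ip_address": "10.0.0.7"}]}},
 {"name": "iocMatches/example-2", "empty_asset_list_reason_code": "CONTAIN_HIGH_VOLUME_ASSETS_ONLY"}
]""")

def normalize_all(matches=SAMPLE):
    """Normalize every match; returns the list a triage pipeline would consume."""
    return [normalize_ioc_match(m) for m in matches]
```

A match carrying CONTAIN_HIGH_VOLUME_ASSETS_ONLY or CALCULATION_TIME_OUT comes back with an empty asset list and the reason preserved, so a pipeline can re-query or escalate instead of silently treating it as "no affected assets".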
FilterProperties
JSON representation

{
"string_properties": {
string: {
object (

Fields

| Field | Description |
|---|---|
| string_properties | An object containing a list of |
StringValues
JSON representation

{
"values": [
{
object (

Fields

| Field | Description |
|---|---|
| values[] | |
StringValue
JSON representation

{ "raw_value": string, "display_value": string }

Fields

| Field | Description |
|---|---|
| raw_value | |
| display_value | |
State
Status of an IoC. The default status is MATCHED.

Enums

| Enum | Description |
|---|---|
| STATE_UNSPECIFIED | The IoC status is unknown. |
| MATCHED | The IoC has matched with some event. |
| REVIEWED | The IoC has been reviewed. |
| MUTED | The IoC has been muted. |
Methods

- Get an IoC match.
- Lists IoC matches across all IoCs.