Method: legacy.legacyCreateSoarAlert

HTTP request
Path parameters
Request body
- JSON representation
Response body
- JSON representation
Authorization scopes
SoarEvent
- JSON representation
Try it!

Full name: projects.locations.instances.legacy.legacyCreateSoarAlert

RPC for creating a SOAR alert. This is used by Chronicle SOAR to ingest alerts it pulls from other SIEMs.

HTTP request

Choose a location:

Path parameters

Parameters

Parameters
`instance`	`string` Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}

instance

string

Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}

Request body

The request body contains data with the following structure:

JSON representation
{ "soarAlert": { object (`LegacySoarAlert`) } }

Fields

Fields
`soarAlert`	`object (LegacySoarAlert)` Required. The alert to be created.

soarAlert

object (LegacySoarAlert)

Required. The alert to be created.

Response body

LegacySoarAlert is a representation of alerts coming from other SIEMs via Chronicle SOAR. NEXT TAG: 19

If successful, the response body contains data with the following structure:

JSON representation

JSON representation
{ "soarAlertId": string, "startTime": string, "endTime": string, "detectionTime": string, "sourceRule": string, "sourceSystemUri": string, "vendor": string, "sourceSystem": string, "product": string, "originalTicketId": string, "priority": string, "severity": string, "events": [ { object (`SoarEvent`) } ], "description": string, "summary": string, "name": string, "alertGroupId": string, "soarCreateTime": string }

{
  "soarAlertId": string,
  "startTime": string,
  "endTime": string,
  "detectionTime": string,
  "sourceRule": string,
  "sourceSystemUri": string,
  "vendor": string,
  "sourceSystem": string,
  "product": string,
  "originalTicketId": string,
  "priority": string,
  "severity": string,
  "events": [
    {
      object (SoarEvent)
    }
  ],
  "description": string,
  "summary": string,
  "name": string,
  "alertGroupId": string,
  "soarCreateTime": string
}

Fields
`soarAlertId`	`string` Optional. Id of the alert in Chronicle SOAR product.
`startTime`	`string (Timestamp format)` Optional. Represents the startTime of the window for which an alert was generated. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`endTime`	`string (Timestamp format)` Optional. Represents the endTime of the window for which an alert was generated. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`detectionTime`	`string (Timestamp format)` Optional. Represents the time when the alert was detected. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`sourceRule`	`string` Optional. Name of the rule triggering the alert in the Source SIEM.
`sourceSystemUri`	`string` Optional. Uri to the source SIEM system.
`vendor`	`string` Optional. Name of the vendor.
`sourceSystem`	`string` Optional. Name of the Source SIEM system.
`product`	`string` Optional. Name of the product the alert is coming from.
`originalTicketId`	`string` Optional. Ticket id for the alert in the source SIEM system.
`priority`	`string` Optional. Priority of the alert.
`severity`	`string` Optional. Severity of the alert.
`events[]`	`object (SoarEvent)` Optional. List of Events related to the alert.
`description`	`string` Optional. Description of the event.
`summary`	`string` Optional. Summary of the event.
`name`	`string` Optional. Name of the alert in the Secops platform.
`alertGroupId`	`string` Optional. The alert identifier in SOAR which will be unique per customer. This field will be used to enforce idempotency of the CreateSoarAlert API.
`soarCreateTime`	`string (Timestamp format)` Optional. Represents the time when the alert was created in SOAR. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.

Authorization scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

SoarEvent

SoarEvent is a representation of events coming from other SIEMs via Chronicle SOAR. These fields map to the fields in the Chronicle SOAR event model. NEXT TAG: 49

JSON representation
{ "eventId": string, "startTime": string, "endTime": string, "eventTime": string, "receiptTime": string, "managerReceiptTime": string, "eventMessage": string, "eventDescription": string, "sourceUser": string, "sourceHost": string, "sourceDomain": string, "sourceIpAddress": string, "sourceMacAddress": string, "sourceUserId": string, "sourceProcessPid": string, "sourceDnsDomain": string, "sourceNtDomain": string, "destinationUser": string, "destinationDomain": string, "destinationHost": string, "destinationDnsDomain": string, "destinationNtDomain": string, "destinationPort": string, "destinationIpAddress": string, "destinationProcessPid": string, "destinationUri": string, "destinationMacAddress": string, "genericEntity": string, "phoneNumber": string, "emailSubject": string, "cve": string, "threatActor": string, "threatCampaign": string, "threatSignature": string, "threat": string, "categoryOutcome": string, "deployment": string, "transportProtocol": string, "applicationProtocol": string, "processPid": string, "parentProcessPid": string, "ruleGenerator": string, "file": string, "fileHash": string, "fileType": string, "vendor": string, "product": string, "usb": string }

JSON representation

{
  "eventId": string,
  "startTime": string,
  "endTime": string,
  "eventTime": string,
  "receiptTime": string,
  "managerReceiptTime": string,
  "eventMessage": string,
  "eventDescription": string,
  "sourceUser": string,
  "sourceHost": string,
  "sourceDomain": string,
  "sourceIpAddress": string,
  "sourceMacAddress": string,
  "sourceUserId": string,
  "sourceProcessPid": string,
  "sourceDnsDomain": string,
  "sourceNtDomain": string,
  "destinationUser": string,
  "destinationDomain": string,
  "destinationHost": string,
  "destinationDnsDomain": string,
  "destinationNtDomain": string,
  "destinationPort": string,
  "destinationIpAddress": string,
  "destinationProcessPid": string,
  "destinationUri": string,
  "destinationMacAddress": string,
  "genericEntity": string,
  "phoneNumber": string,
  "emailSubject": string,
  "cve": string,
  "threatActor": string,
  "threatCampaign": string,
  "threatSignature": string,
  "threat": string,
  "categoryOutcome": string,
  "deployment": string,
  "transportProtocol": string,
  "applicationProtocol": string,
  "processPid": string,
  "parentProcessPid": string,
  "ruleGenerator": string,
  "file": string,
  "fileHash": string,
  "fileType": string,
  "vendor": string,
  "product": string,
  "usb": string
}

Fields
`eventId`	`string` Optional. Id of the event in Chronicle SOAR.
`startTime`	`string (Timestamp format)` Optional. Start time of the window containing the event. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`endTime`	`string (Timestamp format)` Optional. End time of the window containing the event. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`eventTime`	`string (Timestamp format)` Optional. The timestamp when the event occurred. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`receiptTime`	`string (Timestamp format)` Optional. The timestamp when the event was received. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`managerReceiptTime`	`string (Timestamp format)` Optional. The timestamp when the event was received by the manager. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`eventMessage`	`string` Optional. Message describing/related to the event.
`eventDescription`	`string` Optional. Description of the event.
`sourceUser`	`string` Optional. Username of the source user.
`sourceHost`	`string` Optional. Hostname of the source.
`sourceDomain`	`string` Optional. Domain of the source.
`sourceIpAddress`	`string` Optional. IP address of the source system.
`sourceMacAddress`	`string` Optional. Mac address of the source system.
`sourceUserId`	`string` Optional. User id of the source system.
`sourceProcessPid`	`string` Optional. Process pid of the source process.
`sourceDnsDomain`	`string` Optional. DNS domain of the source.
`sourceNtDomain`	`string` Optional. Administrative domain of the source.
`destinationUser`	`string` Optional. Destination attributes. Username of the destination user.
`destinationDomain`	`string` Optional. Domain of the destination.
`destinationHost`	`string` Optional. Hostname of the destination user.
`destinationDnsDomain`	`string` Optional. DNS domain of the destination.
`destinationNtDomain`	`string` Optional. Administrative domain of the destination.
`destinationPort`	`string` Optional. Port of the target destination.
`destinationIpAddress`	`string` Optional. IP address of the destination user.
`destinationProcessPid`	`string` Optional. Process pid of the destination process.
`destinationUri`	`string` Optional. URI of the target.
`destinationMacAddress`	`string` Optional. Mac address of the destination system.
`genericEntity`	`string` Optional. Generic Entity maps to target details.
`phoneNumber`	`string` Optional. Phone number of the user.
`emailSubject`	`string` Optional. Subject of the related email.
`cve`	`string` Optional. Threat attributes. CVEID.
`threatActor`	`string` Optional. Threat actor.
`threatCampaign`	`string` Optional. Threat campaign
`threatSignature`	`string` Optional. Threat signature.
`threat`	`string` Optional. Threat summary or threat name of the threat.
`categoryOutcome`	`string` Optional. Outcome/Action on the threat.
`deployment`	`string` Optional. Cloud project name,
`transportProtocol`	`string` Optional. Transport protocol.
`applicationProtocol`	`string` Optional. Application protocol.
`processPid`	`string` Optional. Process Pid
`parentProcessPid`	`string` Optional. Parent processid.
`ruleGenerator`	`string` Optional. Rule Generator.
`file`	`string` Optional. Full path of the associated file.
`fileHash`	`string` Optional. sha256, sha1 or md5 hash of the associated file.
`fileType`	`string` Optional. File type.
`vendor`	`string` Optional. Name of the vendor.
`product`	`string` Optional. Name of the product the alert is coming from.
`usb`	`string` Optional. Name of the USB device