Method: legacy.legacySearchEnterpriseWideIoCs

HTTP request
Path parameters
Query parameters
Request body
Response body
- JSON representation
Authorization scopes
IAM Permissions
IoCDiscoveryInfo
- JSON representation
EmptyAssetListReasonCode
IocState
Priority
AssociationIdentity
- JSON representation
Try it!

Full name: projects.locations.instances.legacy.legacySearchEnterpriseWideIoCs

RPC for listing IoC matches against ingested events.

HTTP request

GET https://chronicle.googleapis.com/v1alpha/{instance}/legacy:legacySearchEnterpriseWideIoCs

Path parameters

Parameters

Parameters
`instance`	`string` Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}

instance

string

Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}

Query parameters

Parameters
`timestampRange`	`object (Interval)` Required. Time range [start, end) in which matched to be queried. UI/FE is expected to pass in NOW as end.
`maxMatchesToReturn`	`integer` Required. How many matches to return, maximum. All matches will be sorted by default by most recently seen IoC ingestion time OR first seen in enterprise time and the most recent items returned as shown in the mocks. If we need to support other sorting schemes, we can add another field later.
`addMandiantAttributes`	`boolean` Required. Indicates if mandiant attributes should be added to the ioc response.
Union parameter `id`. `id` can be only one of the following:
`entityId`	`string` ID of the entity.
`fieldAndValue`	`object (FieldAndValue)` Field path or type with value to identify entity.

Request body

The request body must be empty.

Response body

Response containing matched IoCs NEXT TAG: 3

If successful, the response body contains data with the following structure:

JSON representation
{ "matches": [ { object (`IoCDiscoveryInfo`) } ], "more_data_available": boolean }

Fields

Fields
`matches[]`	`object (IoCDiscoveryInfo)` IoC Matches returned for the query.
`more_data_available`	`boolean` Indicates that more data was available but not sent due to more hits than max_matches_to_return.

matches[]

object (IoCDiscoveryInfo)

IoC Matches returned for the query.

more_data_available

boolean

Indicates that more data was available but not sent due to more hits than max_matches_to_return.

Authorization scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

IAM Permissions

Requires the following IAM permission on the instance resource:

chronicle.legacies.legacySearchEnterpriseWideIoCs

For more information, see the IAM documentation.

IoCDiscoveryInfo

Information about an IoC match. NEXT TAG: 31

JSON representation

JSON representation
{ "artifact_indicator": { object (`ArtifactIndicator`) }, "id": string, "sources": [ string ], "categories": [ string ], "confidence_score": integer, "confidence_bucket": string, "asset_indicators": [ { object (`AssetIndicator`) } ], "empty_asset_list_reason_code": enum (`EmptyAssetListReasonCode`), "ioc_ingest_timestamp": string, "first_seen_timestamp": string, "last_seen_timestamp": string, "filter_properties": { object (`FilterProperties`) }, "raw_severity": string, "ioc_state": enum (`IocState`), "priority": enum (`Priority`), "association_identifier": [ { object (`AssociationIdentity`) } ], "campaigns": [ string ], "global_source_id": string, "log_type": enum (`LogType`), "global_customer_id": string, "confidence_score_bucket": { object (`IntRange`) }, "ip_and_ports": { object (`IpAndPorts`) }, "categorization": string, "domain_and_ports": { object (`DomainAndPorts`) }, "active_timerange": { object (`Interval`) }, "link": { object (`Link`) }, "feed_name": string, "description": string }

{
  "artifact_indicator": {
    object (ArtifactIndicator)
  },
  "id": string,
  "sources": [
    string
  ],
  "categories": [
    string
  ],
  "confidence_score": integer,
  "confidence_bucket": string,
  "asset_indicators": [
    {
      object (AssetIndicator)
    }
  ],
  "empty_asset_list_reason_code": enum (EmptyAssetListReasonCode),
  "ioc_ingest_timestamp": string,
  "first_seen_timestamp": string,
  "last_seen_timestamp": string,
  "filter_properties": {
    object (FilterProperties)
  },
  "raw_severity": string,
  "ioc_state": enum (IocState),
  "priority": enum (Priority),
  "association_identifier": [
    {
      object (AssociationIdentity)
    }
  ],
  "campaigns": [
    string
  ],
  "global_source_id": string,
  "log_type": enum (LogType),
  "global_customer_id": string,
  "confidence_score_bucket": {
    object (IntRange)
  },
  "ip_and_ports": {
    object (IpAndPorts)
  },
  "categorization": string,
  "domain_and_ports": {
    object (DomainAndPorts)
  },
  "active_timerange": {
    object (Interval)
  },
  "link": {
    object (Link)
  },
  "feed_name": string,
  "description": string
}

Fields
`artifact_indicator`	`object (ArtifactIndicator)` Artifact that was found in the customer environment.
`id`	`string` Entity ID as a string for pivoting
`sources[]`	`string` IoC feed sources.
`categories[]`	`string` IoC threat categories.
`confidence_score`	`integer` IoC confidence score. It is not a repeated field because it is used for V2 feeds, where sources and categories are restricted to a cardnality of 1 as well.
`confidence_bucket`	`string` IoC confidence score, bucketed into e.g. low/medium/high.
`asset_indicators[]`	`object (AssetIndicator)` We will limit the number of assets to the first N (e.g., N=20) found.
`empty_asset_list_reason_code`	`enum (EmptyAssetListReasonCode)` When asset_indicators is empty, this field should be set.
`ioc_ingest_timestamp`	`string (Timestamp format)` Timestamp when the IoC was first received from ANY feed. This is the earliest timestamp of receipt by Malachite, given that the artifact might have been sent in multiple feeds at different times. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: `"2014-10-02T15:01:23Z"` and `"2014-10-02T15:01:23.045123456Z"`.
`first_seen_timestamp`	`string (Timestamp format)` Timestamp when the IoC was first seen in the enterprise. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: `"2014-10-02T15:01:23Z"` and `"2014-10-02T15:01:23.045123456Z"`.
`last_seen_timestamp`	`string (Timestamp format)` Timestamp when the IoC was last seen in the enterprise. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: `"2014-10-02T15:01:23Z"` and `"2014-10-02T15:01:23.045123456Z"`.
`filter_properties`	`object (FilterProperties)` Properties of this match, used for filtering in the client.
`raw_severity`	`string` The indicator's raw severity.
`ioc_state`	`enum (IocState)` The current state of IoC. default state is MATCHED.
`priority`	`enum (Priority)` The priority of the ioc match.
`association_identifier[]`	`object (AssociationIdentity)` Associated actors and malware.
`campaigns[]`	`string` List of campaigns this IoC was observed.
`global_source_id`	`string` Global source ID this IoC is part of. This would only be populated if the indicator is coming from a global source.
`log_type`	`enum (LogType)` The log type of the IoC source.
`global_customer_id`	`string (bytes format)` Global source ID this IoC is part of. This would only be populated if the indicator is coming from a global source. A base64-encoded string.
`confidence_score_bucket`	`object (IntRange)` Confidence score bucket
`ip_and_ports`	`object (IpAndPorts)` IP address indicator.
`categorization`	`string` The category/type of this indicator. Ex: "Spyware", "Bitcoin_Related", etc.
`domain_and_ports`	`object (DomainAndPorts)` Domain indicator.
`active_timerange`	`object (Interval)` The time range in which this indicator has been "active". The start or end time (or both) may be empty, indicating an open-ended time interval.
`link`	`object (Link)` optional. This will usually be a link to the Feed's definition.
`feed_name`	`string` Original feed this indicator originated from.
`description`	`string` Raw description of the IoC.

EmptyAssetListReasonCode

Enums
`UNSPECIFIED_CODE`
`CONTAIN_HIGH_VOLUME_ASSETS_ONLY`
`CALCULATION_TIME_OUT`

IocState

Enums
`IOC_STATE_UNSPECIFIED`
`STATUS_MATCHED`
`STATUS_REVIEWED`
`STATUS_MUTED`

Priority

Enums
`PRIORITY_UNSPECIFIED`
`LOW`
`MEDIUM`
`HIGH`
`ACTIVE_BREACH`

AssociationIdentity

JSON representation
{ "name": string, "region_code": { object (`Location`) }, "association_type": enum (`AssociationType`), "association_id": string }

Fields
`name`	`string`
`region_code`	`object (Location)`
`association_type`	`enum (AssociationType)`
`association_id`	`string`