Method: legacy.legacySearchIoCInsights

Full name: projects.locations.instances.legacy.legacySearchIoCInsights

RPC that lists IoC insights for the given artifacts.

HTTP request

GET https://chronicle.googleapis.com/v1alpha/{instance}/legacy:legacySearchIoCInsights

Path parameters

Parameters

instance (string)

Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}

Query parameters

Parameters

domainNames[] (string, repeated)

Optional. The domain names to look up.

destinationIpAddresses[] (string, repeated)

Optional. The IP addresses to look up.

Request body

The request body must be empty.

Response body

Any insights about the requested artifacts. Each insight is independent of the others, so the same artifact can appear in more than one insight.

If successful, the response body contains data with the following structure:

JSON representation
{
  "insight_groups": [
    {
      object (InsightGroup)
    }
  ]
}
Fields

insight_groups[] (object (InsightGroup))

Can be empty if there is nothing interesting about the given artifacts.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

IAM Permissions

Requires the following IAM permission on the instance resource:

  • chronicle.legacies.legacySearchIoCInsights

For more information, see the IAM documentation.

InsightGroup

Used for populating IoC insights in asset view. Represents a feed with its metadata and all of its artifact matches.

JSON representation
{
  "title": string,
  "description": string,
  "insights": [
    {
      object (Insight)
    }
  ]
}
Fields

title (string)

Title of the feed (e.g. Emerging Threats IoC).

description (string)

Description of the feed.

insights[] (object (Insight))

Represents all artifacts that matched under this feed. This will have a minimum of 1 entry.

Insight

An IoC artifact and how it is categorized.

JSON representation
{
  "subtitle": string,
  "artifact": {
    object (ArtifactIndicator)
  },
  "confidence_score": string,
  "raw_severity": string,
  "feed": string
}
Fields

subtitle (string)

A comma-separated string of categories (e.g. bitcoin related).

artifact (object (ArtifactIndicator))

The matched artifact (e.g., example.com or 198.51.100.23).

confidence_score (string)

Raw confidence level from the IoC source; a higher score means higher confidence. If there is no confidence score in the raw data, this field is not set.

raw_severity (string)

The indicator's raw severity.

feed (string)

Only relevant to feed aggregators. The underlying feed from the feed aggregator that provided the IoC. This field is empty for feeds that are not aggregators.
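The following is an added example, not code from the Chronicle API documentation or from Google: it builds the GET URL for legacy:legacySearchIoCInsights with the repeated domainNames[] and destinationIpAddresses[] query parameters described above, then flattens a response (InsightGroup / Insight, as documented on this page) into one row per insight and regroups the rows by artifact, since the page notes that the same artifact can appear in several insights. The HTTP call itself (with an OAuth token for the cloud-platform scope) is left out so the code runs offline; the response is a constructed sample, and the inner keys of ArtifactIndicator ("domain", "ip") are assumptions, because the page does not define that object.

```python
"""Added example (not part of the Chronicle API docs): build a
legacySearchIoCInsights request URL and post-process its response.

Assumptions not taken from the page: the response has already been
decoded from JSON, and ArtifactIndicator is treated as an opaque dict
(its real field names are not defined here).
"""
import json
from urllib.parse import urlencode

API_BASE = "https://chronicle.googleapis.com/v1alpha"


def build_ioc_insights_url(instance, domain_names=(), destination_ips=()):
    """Return the GET URL for {instance}/legacy:legacySearchIoCInsights.

    `instance` must have the documented form
    projects/{project}/locations/{location}/instances/{instance}.
    The request body must be empty, so every artifact goes in the query
    string using the documented repeated parameter names.
    """
    parts = instance.split("/")
    if (len(parts) != 6 or parts[0] != "projects"
            or parts[2] != "locations" or parts[4] != "instances"):
        raise ValueError("instance must be projects/{p}/locations/{l}/instances/{i}")
    # Local guard (not an API rule): both parameters are optional, but a
    # request naming no artifact cannot return anything useful.
    if not domain_names and not destination_ips:
        raise ValueError("supply at least one domain name or IP address")
    params = [("domainNames[]", d) for d in domain_names]
    params += [("destinationIpAddresses[]", ip) for ip in destination_ips]
    # safe="[]" keeps the bracket suffix readable instead of %5B%5D.
    query = urlencode(params, safe="[]")
    return f"{API_BASE}/{instance}/legacy:legacySearchIoCInsights?{query}"


def flatten_insights(response):
    """One row per Insight, carrying its InsightGroup (feed) metadata.

    An empty or missing insight_groups list yields an empty result, which
    the page documents as "nothing interesting about the given artifacts".
    """
    rows = []
    for group in response.get("insight_groups", []):
        for insight in group.get("insights", []):
            subtitle = insight.get("subtitle", "")
            rows.append({
                "feed_title": group.get("title", ""),
                "feed_description": group.get("description", ""),
                # subtitle is documented as a comma-separated category list.
                "categories": [c.strip() for c in subtitle.split(",") if c.strip()],
                "artifact": insight.get("artifact", {}),
                # Absent when the IoC source provides no confidence score.
                "confidence_score": insight.get("confidence_score"),
                "raw_severity": insight.get("raw_severity", ""),
                # Non-empty only for feed aggregators.
                "source_feed": insight.get("feed", ""),
            })
    return rows


def insights_by_artifact(rows):
    """Group flattened rows by artifact so repeats across feeds are visible.

    The artifact dict is serialised with sorted keys to get a stable key.
    """
    grouped = {}
    for row in rows:
        key = json.dumps(row["artifact"], sort_keys=True)
        grouped.setdefault(key, []).append(row)
    return grouped


# Constructed sample response in the documented shape (not real feed data).
SAMPLE_RESPONSE = {
    "insight_groups": [
        {
            "title": "Example Feed A",
            "description": "Constructed sample feed",
            "insights": [
                {"subtitle": "bitcoin related, malware",
                 "artifact": {"domain": "example.com"},
                 "confidence_score": "75", "raw_severity": "high", "feed": ""},
                {"subtitle": "scanner",
                 "artifact": {"ip": "198.51.100.23"},
                 "raw_severity": "medium", "feed": ""},
            ],
        },
        {
            "title": "Example Aggregator",
            "description": "Constructed sample aggregator feed",
            "insights": [
                {"subtitle": "malware",
                 "artifact": {"domain": "example.com"},
                 "confidence_score": "90", "raw_severity": "critical",
                 "feed": "upstream-feed-x"},
            ],
        },
    ]
}

if __name__ == "__main__":
    print(build_ioc_insights_url("projects/p/locations/us/instances/i",
                                 ["example.com"], ["198.51.100.23"]))
    for key, hits in insights_by_artifact(flatten_insights(SAMPLE_RESPONSE)).items():
        print(key, "matched by", [h["feed_title"] for h in hits])
```

Grouping by artifact is the step worth keeping in a triage workflow: an artifact reported by two independent feeds (here example.com, once directly and once via an aggregator's upstream feed) is a stronger signal than a single match, and a missing confidence_score stays None rather than being silently treated as zero.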