Method: legacy.legacySearchIoCInsights

HTTP request
Path parameters
Query parameters
Request body
Response body
- JSON representation
Authorization scopes
IAM Permissions
InsightGroup
- JSON representation
Insight
- JSON representation
Try it!

Full name: projects.locations.instances.legacy.legacySearchIoCInsights

Rpc to list IoC insights on given artifacts.

HTTP request

GET https://chronicle.googleapis.com/v1alpha/{instance}/legacy:legacySearchIoCInsights

Path parameters

Parameters

Parameters
`instance`	`string` Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}

instance

string

Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}

Query parameters

Parameters

Parameters
`domainNames[]`	`string` Optional. The domains we are interested in.
`destinationIpAddresses[]`	`string` Optional. The ip addresses we are interested in.

domainNames[]

string

Optional. The domains we are interested in.

destinationIpAddresses[]

string

Optional. The ip addresses we are interested in.

Request body

The request body must be empty.

Response body

Any insights about the requested artifacts. Each insight is independent of the other, meaning an artifact can be repeated. NEXT TAG: 2

If successful, the response body contains data with the following structure:

JSON representation
{ "insight_groups": [ { object (`InsightGroup`) } ] }

Fields

Fields
`insight_groups[]`	`object (InsightGroup)` Can be empty if there is nothing interesting about the given artifacts.

insight_groups[]

object (InsightGroup)

Can be empty if there is nothing interesting about the given artifacts.

Authorization scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

IAM Permissions

Requires the following IAM permission on the instance resource:

chronicle.legacies.legacySearchIoCInsights

For more information, see the IAM documentation.

InsightGroup

Used for populating IoC insights in asset view. Represents a feed with its metadata and all of its artifact matches.

JSON representation
{ "title": string, "description": string, "insights": [ { object (`Insight`) } ] }

Fields

Fields
`title`	`string` (e.g. Emerging Threats IoC)
`description`	`string` Description of the feed.
`insights[]`	`object (Insight)` Represents all artifacts that matched under this feed. This will have a minimum of 1 entry.

title

string

(e.g. Emerging Threats IoC)

description

string

Description of the feed.

insights[]

object (Insight)

Represents all artifacts that matched under this feed. This will have a minimum of 1 entry.

Insight

An ioc artifact and how it is categorized.

JSON representation
{ "subtitle": string, "artifact": { object (`ArtifactIndicator`) }, "confidence_score": string, "raw_severity": string, "feed": string }

Fields
`subtitle`	`string` A comma-separated string of categories (e.g. bitcoin related)
`artifact`	`object (ArtifactIndicator)` (e.g., example.com or 198.51.100.23).
`confidence_score`	`string` Raw confidence level from the IoC source, higher score means more confidence. If there is no confidence score in the raw data, this will not be set.
`raw_severity`	`string` The indicator's raw severity.
`feed`	`string` ONLY RELEVANT TO FEED AGGREGATORS. The underlying feed from the feed aggregator that provided the IoC. This field will be empty for feeds that are not aggregators.