Full name: projects.locations.instances.summarizeEntity
Returns all entity data over specified time.
HTTP request
Path parameters
Parameter | Description
---|---
instance | Required. The name of the parent resource, which is the SecOps instance to summarize an entity for. Format:
Query parameters
Parameter | Description
---|---
timeRange | Required. Time range to retrieve the summary for [inclusive start time, exclusive end time).
pageSize | The maximum number of entities to return. The service may return fewer than this value. If unspecified, at most 1000 entities will be returned. The maximum value is 1000; values above 1000 will be coerced to 1000.
pageToken | A page token received from a previous
returnPrevalence | Optional. Whether to return prevalence data for the entity.
prevalenceInput | Optional. Entity to use in order to compute combined prevalences.
returnAlerts | Optional. Whether to return alertCounts for the entity.
includeAllUdmEventTypesForFirstLastSeen | Optional. If true, all event types shown in UDM Search are included when calculating the first and last seen time of an entity.
Union parameter id | Identifier options to find the entity snapshots. id can be only one of the following:
entityId | ID of the entity indicator to list entity summary snapshots for.
fieldAndValue | A set of fields which characterize the entity indicator to return entity summary snapshots for. This can use either an enumerated type or infer the type from a UDM path.
Request body
The request body must be empty.
Response body
Response message to retrieve summarized data for an entity.
If successful, the response body contains data with the following structure:
JSON representation

```json
{ "entities": [ { object (
```
Field | Description
---|---
entities[] | A list of entities. Each "entity" is a snapshot of data about the requested entity indicator for a particular time range.
alertCounts[] | Rule display names with an alert count for each rule that has alerts matching the requested entity indicator. Only populated if returnAlerts is true in the request.
hasMoreAlerts | Indicates whether there are more alerts than the limit (currently 1000).
timeline | Data representing the number of alerts associated with the entity indicator within the requested time range, bucketed by time range. Only populated if returnAlerts is true in the request.
prevalenceResult[] | Prevalence statistics for the requested indicator.
tpdPrevalenceResult[] | If the entity was a domain with a different top private domain, this contains statistics for the top private domain.
assetPrevalenceTimes[] | Timestamps at which the asset was queried for the entity being summarized. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples:
assetRiskMetadata[] | Vendor-defined risk metadata for an asset entity. Only populated if the requested entity indicator is for an asset entity (internal IP, hostname, MAC, etc.).
fileMetadataAndProperties | File hash metadata and properties. Only populated if the requested entity indicator is for a file entity (MD5, SHA1 or SHA256 file hash).
widgetMetadata | Widget metadata for the VirusTotal VT Augment widget. Included for entity indicators supported by VirusTotal, including file hash (MD5, SHA1, SHA256), IP and domain.
topLevelDomain | Data describing the top-level domain entity for the requested indicator.
nextPageToken | A token, which can be sent as
Authorization scopes
Requires the following OAuth scope:
https://www.googleapis.com/auth/cloud-platform
For more information, see the Authentication Overview.
IAM Permissions
Requires the following IAM permission on the instance resource:
chronicle.entities.summarize
For more information, see the IAM documentation.
PrevalenceSnapshot
Prevalence statistics for an artifact at a particular point of time.
JSON representation

```json
{ "prevalenceTime": string, "count": integer }
```

Field | Description
---|---
prevalenceTime | The timestamp that the prevalence statistic represents. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples:
count | The prevalence count for the indicator at the prevalenceTime.
AssetRiskMetadata
Arbitrary vendor-defined risk metadata about an asset entity.
JSON representation

```json
{ "sourceProduct": string, "uploadTime": string, "risks": { string: string, ... } }
```

Field | Description
---|---
sourceProduct | Source product that produces the risk metadata for the asset.
uploadTime | The timestamp of the event that uploaded this metadata version. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples:
risks | Map from a risk's name to its description. An object containing a list of
MetadataAndProperties
Data about a file hash entity.
JSON representation

```json
{ "metadata": [ { object (
```

Field | Description
---|---
metadata[] | File hash metadata, including file type and file size information.
properties[] | Properties include PE properties (for Windows files only) and signer details.
specialDescriptions[] | Special descriptions for risks of some well-known file types, e.g. Microsoft Office documents.
queryState | Output only. File hash query state.
FileHashProperties
File hash properties.
JSON representation

```json
{
  "title": string,
  "properties": [
    {
      object (
```

Field | Description
---|---
title | Title of the properties: for example, "PE Properties".
properties[] | Repeated field of properties.
QueryState
File hash query state.
Enum | Description
---|---
QUERY_STATE_UNSPECIFIED | Unspecified state for file hash query.
QUERY_STATE_OK_HAS_RESULT | Query is successful and has a result.
QUERY_STATE_OK_HAS_NO_RESULT | Query is successful but has no result.
QUERY_STATE_ERROR | Query is unsuccessful.
WidgetMetadata
VirusTotal widget metadata.
JSON representation

```json
{ "uri": string, "detections": integer, "total": integer }
```

Field | Description
---|---
uri | Widget rendering URL for the VirusTotal VT Augment widget. See https://docs.virustotal.com/reference/widgeturl
detections | Number of scanners which flagged this content.
total | Total number of scanners.
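Added example (not part of this reference page or of any Google client library): a Python helper that assembles the summarizeEntity query parameters under the rules above (exactly one of entityId/fieldAndValue, pageSize coerced to 1000) and triages a constructed response using the PrevalenceSnapshot, QueryState and WidgetMetadata shapes defined on this page. It assumes timeRange is sent as dotted startTime/endTime query keys, which this page does not show, and leaves alertCounts entries as empty placeholders because their fields are not documented here.

```python
from datetime import datetime, timezone
MAX_PAGE_SIZE = 1000  # the service coerces larger pageSize values down to 1000
QUERY_STATES = {"QUERY_STATE_UNSPECIFIED", "QUERY_STATE_OK_HAS_RESULT",
                "QUERY_STATE_OK_HAS_NO_RESULT", "QUERY_STATE_ERROR"}

def build_params(start_time, end_time, *, entity_id=None, field_and_value=None,
                 page_size=None, return_prevalence=False, return_alerts=False):
    """summarizeEntity query parameters: exactly one id-union member, pageSize clamped."""
    if (entity_id is None) == (field_and_value is None):
        raise ValueError("exactly one of entityId or fieldAndValue is required")
    # Assumption: timeRange is a start/end interval sent as dotted query keys.
    params = {"timeRange.startTime": start_time, "timeRange.endTime": end_time,
              "returnPrevalence": return_prevalence, "returnAlerts": return_alerts}
    if page_size is not None:
        params["pageSize"] = min(int(page_size), MAX_PAGE_SIZE)
    params.update({"entityId": entity_id} if entity_id is not None
                  else {"fieldAndValue": field_and_value})
    return params

def parse_rfc3339(ts):
    """Parse Z-normalized stamps (0/3/6/9 fraction digits); as strings '...00Z' sorts after '...00.500Z'."""
    body, _, frac = ts.rstrip("Z").partition(".")
    dt = datetime.strptime(body, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return dt.replace(microsecond=int((frac + "000000")[:6])) if frac else dt

def triage(resp):
    """Reduce a summarizeEntity response to the signals an analyst checks first."""
    prev = resp.get("prevalenceResult", [])
    state = (resp.get("fileMetadataAndProperties") or {}).get("queryState", "QUERY_STATE_UNSPECIFIED")
    if state not in QUERY_STATES:
        raise ValueError(f"unknown queryState {state!r}")
    latest = max(prev, key=lambda p: parse_rfc3339(p["prevalenceTime"]), default=None)
    widget = resp.get("widgetMetadata") or {}
    return {
        "snapshots": len(resp.get("entities", [])),
        "rules_with_alerts": len(resp.get("alertCounts", [])),
        "alerts_truncated": bool(resp.get("hasMoreAlerts")),  # hit the 1000-alert limit
        "latest_prevalence": latest["count"] if latest else None,
        "file_query_state": state,
        "vt_detection_ratio": widget["detections"] / widget["total"] if widget.get("total") else None,
    }

SAMPLE_RESPONSE = {  # constructed for this example (a file-hash entity); not real data
    "entities": [{}, {}], "alertCounts": [{}, {}, {}], "hasMoreAlerts": False,
    "prevalenceResult": [{"prevalenceTime": "2024-05-01T00:00:00Z", "count": 3},
                         {"prevalenceTime": "2024-05-02T00:00:00Z", "count": 7},
                         {"prevalenceTime": "2024-05-02T00:00:00.500Z", "count": 12}],
    "fileMetadataAndProperties": {"queryState": "QUERY_STATE_OK_HAS_RESULT"},
    "widgetMetadata": {"uri": "https://example.invalid/widget", "detections": 6, "total": 60},
}
```

The sample deliberately mixes 0- and 3-digit fractional timestamps: comparing them as raw strings would pick the count 7 snapshot as latest, while parsing them picks 12.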