Full name: projects.locations.instances.summarizeEntity
Returns all entity data over the specified time range.
HTTP request
GET https://chronicle.googleapis.com/v1alpha/{instance}:summarizeEntity
Path parameters
Parameters | |
---|---|
`instance` | Required. The ID of the Instance to summarize the entity for. Format: `projects/{project}/locations/{location}/instances/{instance}` |
Query parameters
Parameters | |
---|---|
`timeRange` | Required. Time range to retrieve the summary for [inclusive start time, exclusive end time). |
`pageSize` | The maximum number of entities to return. The service may return fewer than this value. If unspecified, at most 1000 entities will be returned. The maximum value is 1000; values above 1000 will be coerced to 1000. |
`pageToken` | A page token received from a previous |
`returnPrevalence` | Optional. Request prevalences for the entity. |
`prevalenceInput` | Optional. Entity to use in order to compute combined prevalences. |
`returnAlerts` | Optional. Request alerts for the entity. |
Union parameter | |
`entityId` | ID of the entity. |
`fieldAndValue` | Field path or type with value to identify the entity. |
Request body
The request body must be empty.
Response body
Response message to retrieve summarized data for an entity.
If successful, the response body contains data with the following structure:
JSON representation |
---|
{ "entities": [ { object ( |
Fields | |
---|---|
`entities[]` | A list of entities. |
`alert_counts[]` | Rule names with the alert count for each. |
`has_more_alerts` | Indicates whether there are more alerts than the limit (currently 1000). |
`timeline` | Bucketed timeline with alert counts. |
`prevalence_result[]` | Timestamp and prevalences for the given entity. If there is no result, there are no references to the entity in the customer instance. |
`tpd_prevalence_result[]` | If the entity was a domain with a different top private domain, this contains statistics for the top private domain. |
`asset_prevalence_times[]` | Timestamps at which the asset was queried for the entity being summarized. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
`asset_risk_metadata[]` | Vendor-defined risk metadata. |
`file_metadata_and_properties` | File hash metadata and properties. |
`widget_metadata` | Widget metadata for the VT widget. |
`top_level_domain` | Top level domain entity. |
`next_page_token` | A token, which can be sent as |
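As an added example (not code from the Chronicle documentation or product), the following builds the GET request described above and reduces a decoded response to the signals an analyst checks first, using the field names and the PrevalenceSnapshot, QueryState and WidgetMetadata types documented on this page. It assumes the `timeRange` interval is sent as `timeRange.startTime`/`timeRange.endTime` query fields (the page does not state the encoding), and the sample response is constructed, not captured.

```python
from urllib.parse import urlencode

BASE_URL = "https://chronicle.googleapis.com/v1alpha"

def build_summarize_url(instance, start, end, entity_id, page_token=None):
    """Compose GET {instance}:summarizeEntity with the documented query params.
    Assumption (not stated on the page): the timeRange interval is flattened
    into timeRange.startTime / timeRange.endTime as in other Google REST APIs."""
    params = {
        "timeRange.startTime": start,  # inclusive
        "timeRange.endTime": end,      # exclusive
        "entityId": entity_id,         # one member of the union parameter
        "returnPrevalence": "true",
        "returnAlerts": "true",
        "pageSize": 1000,              # larger values are coerced to 1000 anyway
    }
    if page_token:
        params["pageToken"] = page_token
    return f"{BASE_URL}/{instance}:summarizeEntity?{urlencode(params)}"

def triage(resp):
    """Pull the analyst-relevant signals out of a decoded summarizeEntity response."""
    snaps = resp.get("prevalence_result", [])
    rarest = min(snaps, key=lambda s: s["count"], default=None)
    widget = resp.get("widget_metadata", {})
    total = widget.get("total", 0)
    state = resp.get("file_metadata_and_properties", {}).get("query_state")
    return {
        # an empty prevalence_result means the instance never referenced the entity
        "seen_in_instance": bool(snaps),
        "rarest_count": rarest["count"] if rarest else None,
        "rarest_at": rarest["prevalence_time"] if rarest else None,
        # alerts are capped at 1000, so when this is set any count is only a floor
        "alert_count_is_floor": bool(resp.get("has_more_alerts")),
        # QUERY_STATE_ERROR means the hash lookup failed, not that the file is clean
        "hash_lookup_ok": state == "QUERY_STATE_OK_HAS_RESULT",
        "detection_ratio": widget.get("detections", 0) / total if total else None,
        "more_pages": bool(resp.get("next_page_token")),
    }

# Constructed sample response (not real data), using the documented field names.
SAMPLE = {
    "entities": [], "has_more_alerts": True, "next_page_token": "TOKEN-PLACEHOLDER",
    "prevalence_result": [{"prevalence_time": "2024-05-01T00:00:00Z", "count": 40},
                          {"prevalence_time": "2024-05-02T00:00:00Z", "count": 3}],
    "file_metadata_and_properties": {"query_state": "QUERY_STATE_ERROR"},
    "widget_metadata": {"uri": "https://example.invalid/w", "detections": 12, "total": 60},
}
```

A low `rarest_count` marks an artifact that is uncommon in this instance, and `more_pages` tells the caller to repeat the request with `pageToken` set to `next_page_token`.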
Authorization scopes
Requires the following OAuth scope:
https://www.googleapis.com/auth/cloud-platform
For more information, see the Authentication Overview.
IAM Permissions
Requires the following IAM permission on the instance resource:
chronicle.entities.summarize
For more information, see the IAM documentation.
PrevalenceSnapshot
Prevalence for an artifact at a particular point of time.
JSON representation |
---|
{ "prevalence_time": string, "count": integer } |
Fields | |
---|---|
`prevalence_time` | The timestamp that the prevalence statistic represents. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
`count` | The prevalence count for the given entity. |
AssetRiskMetadata
Arbitrary vendor-defined risk metadata.
JSON representation |
---|
{ "source_product": string, "upload_time": string, "risks": { string: string, ... } } |
Fields | |
---|---|
`source_product` | Source product. |
`upload_time` | The timestamp of the event that uploaded this metadata version. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
`risks` | Map from a risk's name to its description. An object containing a list of |
MetadataAndProperties
Metadata and properties subpanel.
JSON representation |
---|
{ "metadata": [ { object ( |
Fields | |
---|---|
`metadata[]` | The file hash's metadata, including file type and file size information. |
`properties[]` | Properties include PE properties (for Windows files only) and signer details. |
`special_descriptions[]` | Special descriptions for risks of some well-known file types, e.g., Microsoft Office documents. |
`query_state` | Output only. File hash query state. |
FileHashProperties
File hash properties
JSON representation |
---|
{ "title": string, "properties": [ { object ( |
Fields | |
---|---|
`title` | Title of the properties: for example, "PE Properties". |
`properties[]` | Repeated field of properties. |
QueryState
File hash query state.
Enums | |
---|---|
`QUERY_STATE_UNSPECIFIED` | Unspecified state for the file hash query. |
`QUERY_STATE_OK_HAS_RESULT` | Query was successful and has a result. |
`QUERY_STATE_OK_HAS_NO_RESULT` | Query was successful but has no result. |
`QUERY_STATE_ERROR` | Query was unsuccessful. |
WidgetMetadata
Widget metadata.
JSON representation |
---|
{ "uri": string, "detections": integer, "total": integer } |
Fields | |
---|---|
`uri` | Widget link for the input query. |
`detections` | Number of scanners that flagged this content. |
`total` | Total number of scanners. |