- Resource: Case
- CaseType
- MoveEnvironment
- CaseStatus
- WorkflowStatus
- CaseTag
- CaseProduct
- CaseClosureDetails
- CloseReason
- CaseClosedAction
- Methods
Resource: Case
This service is available for customers who migrated SOAR to a customer-managed project and have the Chronicle API enabled. Cases provide analysts a way to investigate incoming security alerts and safeguard workstations. Cases are generated by alerts from the SIEM platform. Further alerts linked to the same entities may be grouped into an existing case based on a flexible configuration. In addition, analysts can create manual cases and simulated cases and ingest specific data.
JSON representation |
---|
{ "name" : string , "creatorUserId" : string , "creatorUser" : string , "lastModifyingUserId" : string , "lastModifyingUser" : string , "createTime" : string , "updateTime" : string , "displayName" : string , "alertCount" : integer , "stage" : string , "priority" : enum ( |
Fields | Description
---|---
name | Identifier. The unique name (ID) of the Case. Format: projects/{project}/locations/{location}/instances/{instance}/cases/{case}
creatorUserId | Output only. Case creator ID. Used for the homepage/requests feature.
creatorUser | Output only. Resource association for the creator.
lastModifyingUserId | Output only. Last user who modified the case. Replaces old property name: LastModifyingUser.
lastModifyingUser | Output only. Resource association for the modifying user.
createTime | Output only. The creation time of the record in milliseconds.
updateTime | Output only. The modification time of the record in milliseconds.
displayName | Required. Case title, limited to 200 characters. Replaces old property: Title.
alertCount | Output only. Number of alerts in the case.
stage | Required. The stage of the Case. For example, "Triage", "Incident", "Investigation". Stages are defined in "chronicle.googleapis.com/CaseStageDefinition". The default stage option is "Triage".
priority | Required. Case priority. For example, "Informative", "Low", "Medium", "High", "Critical". Default value is HIGH.
assignee | Optional. This can be a user or a @SocRole; the default value is the default SOC role defined in Settings.
assignedUser | Output only. Resource association for the assignee.
description | Optional. Case description, limited to 1000 characters.
type | Required. Case type.
environment | Required. Case logical environments.
moveEnvironment | Optional. Case environment move details.
status | Output only. Case data status.
score | Optional. Attack exposure score: how risky the case is.
workflowStatus | Output only. Case playbook status.
sla | Optional. SLA for the case.
alertsSla | Optional. Aggregated alerts SLA (each alert has an SLA as well).
source | Output only. The source that created the case. Possible values: "Server", "User", "Simulated", "Merge", "AlertMove".
tags[] | Optional. CaseTags associated with the case.
products[] | Optional. Products associated with the case. Contains the name of the product (e.g. WinEventLog:Security/DLP_Product). Replaces old property: "Product".
closureDetails | Optional. Case closure details.
tasks[] | Output only. Tasks associated with the case.
important | Optional. Additional way to specify case importance. The default is false.
incident | Optional. Additional way to specify whether the case is marked as an incident. The default is false.
overflowCase | Output only. A case without events that was reduced by the connector service due to a large amount of data. During ingestion, if the "alert package" crosses a specific threshold, the alert is trimmed for security reasons (DDoS attacks, etc.).
involvedSuspiciousEntity | Optional. Whether the case has an involved suspicious entity.
CaseType
Case type.
Enums | Description
---|---
CASE_TYPE_UNSPECIFIED | Unspecified case type.
EXTERNAL | Case created based on alerts from an external SIEM.
TEST | Case created based on simulated alerts for testing.
REQUEST | Case created internally through the Homepage feature.
MoveEnvironment
Case environment move details.
JSON representation |
---|
{ "shouldDeleteOldCase" : boolean } |
Fields | Description
---|---
shouldDeleteOldCase | Optional. Whether the case should be deleted on move to the new environment.
CaseStatus
Case status.
Enums | Description
---|---
CASE_DATA_STATE_UNSPECIFIED | Unspecified case data status.
OPENED | Case data is opened.
CLOSED | Case data is closed.
ALL | Case data is all.
MERGED | Case data is merged.
CREATION_PENDING | Case data is creation pending.
WorkflowStatus
Workflow status.
Enums | Description
---|---
WORKFLOW_STATUS_UNSPECIFIED | Unspecified workflow status.
NONE | Workflow status is none.
IN_PROGRESS | Workflow is running.
COMPLETED | Workflow is completed.
FAILED | Workflow has failed.
TERMINATED | Workflow is terminated.
PENDING_IN_QUEUE | Workflow is pending in queue.
PENDING_FOR_USER | Workflow is pending for user.
CaseTag
CaseTag associated with the case.
JSON representation |
---|
{ "displayName" : string , "alert" : string , "priority" : integer } |
Fields | Description
---|---
displayName | Output only. The name of the tag.
alert | Output only. For tags set by a playbook action, this is relevant during MoveAlert. Replaces old property: "Indicator".
priority | Output only. During ingestion, if more than one tag matches the criteria, the one with the priority will be chosen. Available options: 1-5.
CaseProduct
Product associated with the case.
JSON representation |
---|
{ "displayName" : string , "alert" : string } |
Fields | Description
---|---
displayName | Output only. Display name of the product.
alert | Output only. Replaces old property: "AlertIdentifier".
CaseClosureDetails
Case closure details.
JSON representation |
---|
{ "reason" : enum ( |
Fields | Description
---|---
reason | Output only. Case closure reason.
rootCause | Output only. Case closure root cause.
caseClosedAction | Output only. Case closed action.
comment | Output only. Case closure comment.
CloseReason
Case closure reason.
Enums | Description
---|---
CLOSE_REASON_UNSPECIFIED | Unspecified close reason.
MALICIOUS | Case is malicious.
NOT_MALICIOUS | Case is not malicious.
MAINTENANCE | Case is in maintenance.
INCONCLUSIVE | Case is inconclusive.
UNKNOWN | Case closure reason is unknown.
CaseClosedAction
Case closed action.
Enums | Description
---|---
CASE_CLOSED_ACTION_UNSPECIFIED | Unspecified case closed action.
AUTOMATIC | Case was closed automatically.
MANUALLY | Case was closed manually.
Methods
- Add a case tag.
- Count a selection of cases by priority.
- Add a case insight.
- Add case tags in bulk.
- Assign cases in bulk.
- Change case priority in bulk.
- Set case stage in bulk.
- Close cases in bulk.
- Reopen cases in bulk.
- Generate a case report.
- Get a case.
- Get case overview.
- List cases.
- Merge cases.
- Update a case.
- Pause case SLA.
- Remove a case tag.
- Resolve case overview widget.
- Resume case SLA.