- JSON representation
- Priority
- CaseType
- EnvironmentData
- EnvironmentDynamicParameterDto
- CaseDataState
- LegacyCaseSla
- SlaExpirationEnum
- WorkflowState
- LegacyPlatformReference
This service is available for customers who migrated SOAR to a customer managed project and have the Chronicle API enabled. LegacyFederatedCase is a representation of a case in the Federated Case store.
JSON representation |
---|
{ "name" : string , "createTimeMs" : string , "updateTimeMs" : string , "displayName" : string , "alertCount" : integer , "stage" : string , "priority" : enum ( |
Fields | |
---|---|
name | Identifier. The name of the case. Format: projects/{project}/locations/{location}/instances/{instance}/legacyFederatedCases/{legacyFederatedCase} |
createTimeMs | Output only. The creation time of the record in ms. |
updateTimeMs | Output only. The modification time of the record in ms. |
displayName | Output only. Case title, limited to 200 characters. Replaces old property: Title |
alertCount | Output only. Alerts in case. |
stage | Output only. The stage of the case. For example, "Triage", "Incident", "Investigation". The default stage option is "Triage", and users can define custom stages. |
priority | Output only. Default value is HIGH. |
important | Output only. Additional way to specify case importance. The default is false. |
description | Output only. Case description, limited to 1000 characters. |
type | Output only. Case description (e.g. External, test) |
assigneeFullName | Output only. This can be the full name of a user or a @SocRole. |
environmentData | Output only. Case logical environment. |
status | Output only. Case status. |
score | Output only. Attack exposure/Risk score for the case. |
caseSla | Output only. Case SLA. |
alertsSla | Output only. Aggregated alerts SLA (each alert has an SLA as well). |
incident | Output only. Whether the case is an incident. |
hasSuspiciousEntity | Output only. Whether the case has a suspicious entity. |
workflowStatus | Output only. Status of the most recent playbook that executed on the case. |
tags[] | Output only. List of tags assigned to the case. |
products[] | Output only. List of products that exist within the case (e.g. WinEventLog:Security/DLP_Product). |
displayId | Output only. Synthetic unique identifier of the case, for display. |
touched | Output only. Whether the case was manually edited since creation. |
merged | Output only. Whether the case was merged with another case. |
hasIncident | Output only. Whether the case represents an incident. |
alertNames[] | Output only. Names of the alerts in this case. |
workflow | Output only. Whether a workflow has been run on the case. |
overflowCase | Output only. Whether the case is an overflow case. |
externalReference | Output only. External reference. |
additionalProperties | Output only. Additional properties of the case, represented as key-value pairs. An object containing a list of |
Priority
Case priority.
Enums | |
---|---|
PRIORITY_UNSPECIFIED | The priority is unspecified. |
INFORMATIONAL | The priority is informative. |
LOW | The priority is low. |
MEDIUM | The priority is medium. |
HIGH | The priority is high. |
CRITICAL | The priority is critical. |
CaseType
The type of the case.
Enums | |
---|---|
CASE_TYPE_UNSPECIFIED | The type is unspecified. |
EXTERNAL | The type is external. |
TEST | The type is test. |
REQUEST | The type is request. |
EnvironmentData
EnvironmentData is a representation of an environment in the Federated Case store.
JSON representation |
---|
{ "environment" : string , "platform" : string , "dynamicParameters" : [ { object ( |
Fields | |
---|---|
environment | Output only. The name of the environment. |
platform | Output only. The platform of the environment. |
dynamicParameters[] | Output only. The dynamic parameters for the environment. |
base64Image | Output only. Base64 encoded image of the environment. A base64-encoded string. |
EnvironmentDynamicParameterDto
EnvironmentDynamicParameterDto is a representation of a dynamic parameter key-value pair in the Federated Case store.
JSON representation |
---|
{ "key" : string , "value" : string } |
Fields | |
---|---|
key | Output only. The key of the dynamic parameter key-value pair. |
value | Output only. The value of the dynamic parameter key-value pair. |
CaseDataState
Case data state.
Enums | |
---|---|
CASE_DATA_STATE_UNSPECIFIED | The status is unspecified. |
OPENED | The status is open. |
CLOSED | The status is closed. |
ALL | The status is all. |
MERGED | The status is merged. |
CREATION_PENDING | The status is creation pending. |
LegacyCaseSla
SLA is a representation of an SLA in the Federated Case store.
JSON representation |
---|
{ "expirationTimeMs" : string , "criticalExpirationTimeMs" : string , "expirationStatus" : enum ( |
Fields | |
---|---|
expirationTimeMs | Output only. The expiration time of the SLA in ms. |
criticalExpirationTimeMs | Output only. The critical expiration time of the SLA in ms. |
expirationStatus | Optional. The expiration status of the SLA. |
lastPauseRemainingTimeMs | Optional. The critical expiration time of the SLA in ms. |
SlaExpirationEnum
The status of the SLA.
Enums | |
---|---|
NO_SLA | No SLA |
PAUSED | Paused |
OPEN_SLA | Open SLA |
CRITICAL_EXPIRED | Critical expired |
PASSED_DUE | Passed due |
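An added example (not part of the original reference and not Google's code): a triage helper that builds an SLA work queue from LegacyFederatedCase records, converting the string-typed millisecond timestamps to integers before doing arithmetic and rejecting enum values not listed on this page. It assumes `caseSla` holds a LegacyCaseSla object, `status` holds a CaseDataState value and `priority` holds a Priority value; `to_ms`, `sla_queue` and the sample records are hypothetical and constructed.

```python
import json

# Enum names copied from the Priority and SlaExpirationEnum tables on this page.
PRIORITY_RANK = {"PRIORITY_UNSPECIFIED": 0, "INFORMATIONAL": 1, "LOW": 2,
                 "MEDIUM": 3, "HIGH": 4, "CRITICAL": 5}
SLA_BREACHED = {"CRITICAL_EXPIRED", "PASSED_DUE"}
SLA_STATES = SLA_BREACHED | {"NO_SLA", "PAUSED", "OPEN_SLA"}


def to_ms(value):
    """Timestamps arrive as JSON strings; convert to int, None when absent."""
    return None if value in (None, "") else int(value)


def sla_queue(cases, now_ms):
    """Open cases with an SLA: breached first, then by priority, then by deadline."""
    rows = []
    for case in cases:
        sla = case.get("caseSla") or {}  # assumption: a LegacyCaseSla object
        state = sla.get("expirationStatus", "NO_SLA")
        if state not in SLA_STATES or case.get("priority") not in PRIORITY_RANK:
            raise ValueError(f"unexpected enum value in {case.get('name')}")
        deadline = to_ms(sla.get("expirationTimeMs"))
        # Assumption: the status field carries a CaseDataState value.
        if case.get("status") != "OPENED" or state == "NO_SLA" or deadline is None:
            continue
        rows.append({"name": case["name"], "priority": case["priority"],
                     "slaState": state, "remainingMs": deadline - now_ms})
    rows.sort(key=lambda r: (r["slaState"] not in SLA_BREACHED,
                             -PRIORITY_RANK[r["priority"]], r["remainingMs"]))
    return rows


# Constructed sample records with shortened names, not real API output.
SAMPLE = json.loads("""[
 {"name": "legacyFederatedCases/1", "priority": "HIGH", "status": "OPENED",
  "caseSla": {"expirationTimeMs": "1700000600000", "expirationStatus": "OPEN_SLA"}},
 {"name": "legacyFederatedCases/2", "priority": "MEDIUM", "status": "OPENED",
  "caseSla": {"expirationTimeMs": "1699999000000", "expirationStatus": "PASSED_DUE"}},
 {"name": "legacyFederatedCases/3", "priority": "CRITICAL", "status": "CLOSED",
  "caseSla": {"expirationTimeMs": "1699990000000", "expirationStatus": "PASSED_DUE"}},
 {"name": "legacyFederatedCases/4", "priority": "CRITICAL", "status": "OPENED",
  "caseSla": {"expirationTimeMs": "1700003600000", "expirationStatus": "OPEN_SLA"}},
 {"name": "legacyFederatedCases/5", "priority": "LOW", "status": "OPENED",
  "caseSla": {"expirationStatus": "NO_SLA"}}
]""")

if __name__ == "__main__":
    for row in sla_queue(SAMPLE, now_ms=1700000000000):
        print(row)
```
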
WorkflowState
The status of the workflow.
Enums | |
---|---|
NONE | The status is none. |
IN_PROGRESS | The status is in progress. |
COMPLETED | The status is completed. |
FAILED | The status is failed. |
TERMINATED | The status is terminated. |
PENDING_IN_QUEUE | The status is pending in queue. |
PENDING_FOR_USER | The status is pending for user. |
LegacyPlatformReference
LegacyPlatformReference is a representation of a platform reference in the Federated Case store.
JSON representation |
---|
{ "platform" : string , "uri" : string } |
Fields | |
---|---|
platform | Output only. The platform name. |
uri | Output only. The URL of the platform. |