LegacyFederatedCase

JSON representation
Priority
CaseType
EnvironmentData
- JSON representation
EnvironmentDynamicParameterDto
- JSON representation
CaseDataState
LegacyCaseSla
- JSON representation
SlaExpirationEnum
WorkflowState
LegacyPlatformReference
- JSON representation

This service is available for customers who migrated SOAR to a customer managed project and have the Chronicle API enabled. LegacyFederatedCase is a representation of a case in the Federated Case store.

JSON representation

JSON representation
{ "name" : string , "createTimeMs" : string , "updateTimeMs" : string , "displayName" : string , "alertCount" : integer , "stage" : string , "priority" : enum ( `Priority` ) , "important" : boolean , "description" : string , "type" : enum ( `CaseType` ) , "assigneeFullName" : string , "environmentData" : { object ( `EnvironmentData` ) } , "status" : enum ( `CaseDataState` ) , "score" : number , "caseSla" : { object ( `LegacyCaseSla` ) } , "alertsSla" : { object ( `LegacyCaseSla` ) } , "incident" : boolean , "hasSuspiciousEntity" : boolean , "workflowStatus" : enum ( `WorkflowState` ) , "tags" : [ string ] , "products" : [ string ] , "displayId" : string , "touched" : boolean , "merged" : boolean , "hasIncident" : boolean , "alertNames" : [ string ] , "workflow" : boolean , "overflowCase" : boolean , "externalReference" : { object ( `LegacyPlatformReference` ) } , "additionalProperties" : { string : string , ... } }

 { 
 "name" 
 : 
 string 
 , 
 "createTimeMs" 
 : 
 string 
 , 
 "updateTimeMs" 
 : 
 string 
 , 
 "displayName" 
 : 
 string 
 , 
 "alertCount" 
 : 
 integer 
 , 
 "stage" 
 : 
 string 
 , 
 "priority" 
 : 
 enum (  Priority 
 
) 
 , 
 "important" 
 : 
 boolean 
 , 
 "description" 
 : 
 string 
 , 
 "type" 
 : 
 enum (  CaseType 
 
) 
 , 
 "assigneeFullName" 
 : 
 string 
 , 
 "environmentData" 
 : 
 { 
 object (  EnvironmentData 
 
) 
 } 
 , 
 "status" 
 : 
 enum (  CaseDataState 
 
) 
 , 
 "score" 
 : 
 number 
 , 
 "caseSla" 
 : 
 { 
 object (  LegacyCaseSla 
 
) 
 } 
 , 
 "alertsSla" 
 : 
 { 
 object (  LegacyCaseSla 
 
) 
 } 
 , 
 "incident" 
 : 
 boolean 
 , 
 "hasSuspiciousEntity" 
 : 
 boolean 
 , 
 "workflowStatus" 
 : 
 enum (  WorkflowState 
 
) 
 , 
 "tags" 
 : 
 [ 
 string 
 ] 
 , 
 "products" 
 : 
 [ 
 string 
 ] 
 , 
 "displayId" 
 : 
 string 
 , 
 "touched" 
 : 
 boolean 
 , 
 "merged" 
 : 
 boolean 
 , 
 "hasIncident" 
 : 
 boolean 
 , 
 "alertNames" 
 : 
 [ 
 string 
 ] 
 , 
 "workflow" 
 : 
 boolean 
 , 
 "overflowCase" 
 : 
 boolean 
 , 
 "externalReference" 
 : 
 { 
 object (  LegacyPlatformReference 
 
) 
 } 
 , 
 "additionalProperties" 
 : 
 { 
 string 
 : 
 string 
 , 
 ... 
 } 
 }

Fields
`name`	`string` Identifier. The name of the case. Format: projects/{project}/locations/{location}/instances/{instance}/legacyFederatedCases/{legacyFederatedCase}
`createTimeMs`	`string ( int64 format)` Output only. The creation time of the record in ms.
`updateTimeMs`	`string ( int64 format)` Output only. The modification time of the record in ms.
`displayName`	`string` Output only. Case title, limited to 200 characters. Replaces old property: Title
`alertCount`	`integer` Output only. Alerts in case.
`stage`	`string` Output only. The stage of the Case. For example, "Triage", "Incident", "Investigation". The default stage option is "Triage", and users can define custom stages
`priority`	`enum ( Priority )` Output only. Default value is HIGH.
`important`	`boolean` Output only. Additional way to specify case importance. The default is false.
`description`	`string` Output only. Case description. limit chars to 1000
`type`	`enum ( CaseType )` Output only. Case description (e.g. External, test)
`assigneeFullName`	`string` Output only. This can be the full name of a user or a @SocRole.
`environmentData`	`object ( EnvironmentData )` Output only. Case logical environment.
`status`	`enum ( CaseDataState )` Output only. Case status.
`score`	`number` Output only. Attack exposure\Risk score for the case
`caseSla`	`object ( LegacyCaseSla )` Output only. Case SLA
`alertsSla`	`object ( LegacyCaseSla )` Output only. Aggregated alerts SLA. (alert has SLA as well).
`incident`	`boolean` Output only. is Case an incident
`hasSuspiciousEntity`	`boolean` Output only. Does the case have a suspicious entity
`workflowStatus`	`enum ( WorkflowState )` Output only. status of the most recent playbook that executed on the case
`tags[]`	`string` Output only. list of tags assigned to the case
`products[]`	`string` Output only. List of Products that exists within the case (e.g. WinEventLog:Security/DLP_Product)
`displayId`	`string` Output only. synthetic unique identifier of the case, for display
`touched`	`boolean` Output only. was the case manually edited since creation
`merged`	`boolean` Output only. was the case merged with another case
`hasIncident`	`boolean` Output only. does the case represent an incident
`alertNames[]`	`string` Output only. names of the alerts in this case
`workflow`	`boolean` Output only. has workflow been run on the case
`overflowCase`	`boolean` Output only. is the case an overflow case
`externalReference`	`object ( LegacyPlatformReference )` Output only. external reference
`additionalProperties`	`map (key: string, value: string)` Output only. Additional properties of the case, represented as key-value pairs. An object containing a list of `"key": value` pairs. Example: `{ "name": "wrench", "mass": "1.3kg", "count": "3" }` .

Priority

Case priority.

Enums
`PRIORITY_UNSPECIFIED`	The priority is unspecified.
`INFORMATIONAL`	The priority is informative.
`LOW`	The priority is low.
`MEDIUM`	The priority is medium.
`HIGH`	The priority is high.
`CRITICAL`	The priority is critical.

CaseType

The type of the case.

Enums
`CASE_TYPE_UNSPECIFIED`	The type is unspecified.
`EXTERNAL`	The type is external.
`TEST`	The type is test.
`REQUEST`	The type is request.

EnvironmentData

EnvironmentData is a representation of an environment in the Federated Case store.

JSON representation
{ "environment" : string , "platform" : string , "dynamicParameters" : [ { object ( `EnvironmentDynamicParameterDto` ) } ] , "base64Image" : string }

Fields
`environment`	`string` Output only. The name of the environment
`platform`	`string ( int64 format)` Output only. The platform of the environment
`dynamicParameters[]`	`object ( EnvironmentDynamicParameterDto )` Output only. The dynamic parameters for the environment
`base64Image`	`string ( bytes format)` Output only. Base64 encoded image of the environment A base64-encoded string.

EnvironmentDynamicParameterDto

EnvironmentDynamicParameterDto is a representation of a dynamic parameter key-value pair in the Federated Case store.

JSON representation
{ "key" : string , "value" : string }

Fields

Fields
`key`	`string` Output only. The key of the dynamic parameter key-value
`value`	`string` Output only. The Value of the dynamic parameter key-value

key

string

Output only. The key of the dynamic parameter key-value

value

string

Output only. The Value of the dynamic parameter key-value

CaseDataState

Case data state.

Enums
`CASE_DATA_STATE_UNSPECIFIED`	The status is unspecified.
`OPENED`	The status is open.
`CLOSED`	The status is closed.
`ALL`	The status is all.
`MERGED`	The status is merged.
`CREATION_PENDING`	The status is creation pending.

LegacyCaseSla

SLA is a representation of an SLA in the Federated Case store.

JSON representation
{ "expirationTimeMs" : string , "criticalExpirationTimeMs" : string , "expirationStatus" : enum ( `SlaExpirationEnum` ) , "lastPauseRemainingTimeMs" : string }

Fields
`expirationTimeMs`	`string ( int64 format)` Output only. The expiration time of the SLA in ms.
`criticalExpirationTimeMs`	`string ( int64 format)` Output only. The critical expiration time of the SLA in ms.
`expirationStatus`	`enum ( SlaExpirationEnum )` Optional. The expiration status of the SLA.
`lastPauseRemainingTimeMs`	`string ( int64 format)` Optional. The critical expiration time of the SLA in ms.

SlaExpirationEnum

The status of the SLA.

Enums
`NO_SLA`	No SLA
`PAUSED`	Paused
`OPEN_SLA`	Open SLA
`CRITICAL_EXPIRED`	Critical expired
`PASSED_DUE`	Passed due

WorkflowState

The status of the workflow.

Enums
`NONE`	The status is none.
`IN_PROGRESS`	The status is in progress.
`COMPLETED`	The status is completed.
`FAILED`	The status is failed.
`TERMINATED`	The status is terminated.
`PENDING_IN_QUEUE`	The status is pending in queue.
`PENDING_FOR_USER`	The status is pending for user.

LegacyPlatformReference

LegacyPlatformReference is a representation of a platform reference in the Federated Case store.

JSON representation
{ "platform" : string , "uri" : string }

Fields

Fields
`platform`	`string` Output only. The platform name.
`uri`	`string` Output only. The url of the platform.

platform

string

Output only. The platform name.

uri

string

Output only. The url of the platform.