Method: legacy.legacySearchEnterpriseWideIoCs

HTTP request
Path parameters
Query parameters
Request body
Response body
- JSON representation
Authorization scopes
IAM Permissions
IoCDiscoveryInfo
- JSON representation
EmptyAssetListReasonCode
IocState
Priority
AssociationIdentity
- JSON representation
Try it!

Full name: projects.locations.instances.legacy.legacySearchEnterpriseWideIoCs

RPC for listing IoC matches against ingested events.

HTTP request

Choose a location:

Path parameters

Parameters

Parameters
`instance`	`string` Required. The name of the parent resource, which is the SecOps instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}

instance

string

Required. The name of the parent resource, which is the SecOps instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}

Query parameters

Parameters
`timestampRange`	`object (Interval)` Required. Time range [start, end) in which matched to be queried. UI/FE is expected to pass in NOW as end.
`maxMatchesToReturn`	`integer` Required. How many matches to return, maximum. All matches will be sorted by default by most recently seen IoC ingestion time OR first seen in enterprise time and the most recent items returned as shown in the mocks. If we need to support other sorting schemes, we can add another field later.
`addMandiantAttributes`	`boolean` Required. Indicates if mandiant attributes should be added to the ioc response.
`fetchPrioritizedIocsOnly`	`boolean` Optional. Indicates if only prioritized iocs should be fetched. If threat artifact id is set, this must be not be set.
`threatArtifactId`	`string` Optional. Indicates to fetch ioc matches that are associated with the threat artifact id. Should be set only if fetchPrioritizedIocsOnly is not set.
Union parameter `id`. `id` can be only one of the following:
`entityId`	`string` ID of the entity.
`fieldAndValue`	`object (FieldAndValue)` Field path or type with value to identify entity.

Request body

The request body must be empty.

Response body

Response containing matched IoCs NEXT TAG: 3

If successful, the response body contains data with the following structure:

JSON representation
{ "matches": [ { object (`IoCDiscoveryInfo`) } ], "moreDataAvailable": boolean }

Fields

Fields
`matches[]`	`object (IoCDiscoveryInfo)` IoC Matches returned for the query.
`moreDataAvailable`	`boolean` Indicates that more data was available but not sent due to more hits than maxMatchesToReturn.

matches[]

object (IoCDiscoveryInfo)

IoC Matches returned for the query.

moreDataAvailable

boolean

Indicates that more data was available but not sent due to more hits than maxMatchesToReturn.

Authorization scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

IAM Permissions

Requires the following IAM permission on the instance resource:

chronicle.legacies.legacySearchEnterpriseWideIoCs

For more information, see the IAM documentation.

IoCDiscoveryInfo

Information about an IoC match. NEXT TAG: 31

JSON representation

JSON representation
{ "artifactIndicator": { object (`ArtifactIndicator`) }, "id": string, "fieldAndValue": { object (`FieldAndValue`) }, "sources": [ string ], "categories": [ string ], "confidenceScore": integer, "confidenceBucket": string, "assetIndicators": [ { object (`AssetIndicator`) } ], "emptyAssetListReasonCode": enum (`EmptyAssetListReasonCode`), "iocIngestTimestamp": string, "firstSeenTimestamp": string, "lastSeenTimestamp": string, "filterProperties": { object (`FilterProperties`) }, "rawSeverity": string, "iocState": enum (`IocState`), "priority": enum (`Priority`), "associationIdentifier": [ { object (`AssociationIdentity`) } ], "campaigns": [ string ], "globalSourceId": string, "logType": enum (`LogType`), "globalCustomerId": string, "confidenceScoreBucket": { object (`IntRange`) }, "ipAndPorts": { object (`IpAndPorts`) }, "categorization": string, "domainAndPorts": { object (`DomainAndPorts`) }, "activeTimerange": { object (`Interval`) }, "link": { object (`Link`) }, "feedName": string, "description": string }

{
  "artifactIndicator": {
    object (ArtifactIndicator)
  },
  "id": string,
  "fieldAndValue": {
    object (FieldAndValue)
  },
  "sources": [
    string
  ],
  "categories": [
    string
  ],
  "confidenceScore": integer,
  "confidenceBucket": string,
  "assetIndicators": [
    {
      object (AssetIndicator)
    }
  ],
  "emptyAssetListReasonCode": enum (EmptyAssetListReasonCode),
  "iocIngestTimestamp": string,
  "firstSeenTimestamp": string,
  "lastSeenTimestamp": string,
  "filterProperties": {
    object (FilterProperties)
  },
  "rawSeverity": string,
  "iocState": enum (IocState),
  "priority": enum (Priority),
  "associationIdentifier": [
    {
      object (AssociationIdentity)
    }
  ],
  "campaigns": [
    string
  ],
  "globalSourceId": string,
  "logType": enum (LogType),
  "globalCustomerId": string,
  "confidenceScoreBucket": {
    object (IntRange)
  },
  "ipAndPorts": {
    object (IpAndPorts)
  },
  "categorization": string,
  "domainAndPorts": {
    object (DomainAndPorts)
  },
  "activeTimerange": {
    object (Interval)
  },
  "link": {
    object (Link)
  },
  "feedName": string,
  "description": string
}

Fields
`artifactIndicator`	`object (ArtifactIndicator)` Artifact that was found in the customer environment.
`id`	`string` Entity ID as a string for pivoting
`fieldAndValue`	`object (FieldAndValue)` Field path or type with value to identify entity.
`sources[]`	`string` IoC feed sources.
`categories[]`	`string` IoC threat categories.
`confidenceScore`	`integer` IoC confidence score. It is not a repeated field because it is used for V2 feeds, where sources and categories are restricted to a cardnality of 1 as well.
`confidenceBucket`	`string` IoC confidence score, bucketed into e.g. low/medium/high.
`assetIndicators[]`	`object (AssetIndicator)` We will limit the number of assets to the first N (e.g., N=20) found.
`emptyAssetListReasonCode`	`enum (EmptyAssetListReasonCode)` When assetIndicators is empty, this field should be set.
`iocIngestTimestamp`	`string (Timestamp format)` Timestamp when the IoC was first received from ANY feed. This is the earliest timestamp of receipt by Malachite, given that the artifact might have been sent in multiple feeds at different times. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`firstSeenTimestamp`	`string (Timestamp format)` Timestamp when the IoC was first seen in the enterprise. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`lastSeenTimestamp`	`string (Timestamp format)` Timestamp when the IoC was last seen in the enterprise. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`filterProperties`	`object (FilterProperties)` Properties of this match, used for filtering in the client.
`rawSeverity`	`string` The indicator's raw severity.
`iocState`	`enum (IocState)` The current state of IoC. default state is MATCHED.
`priority`	`enum (Priority)` The priority of the ioc match.
`associationIdentifier[]`	`object (AssociationIdentity)` Associated actors and malware.
`campaigns[]`	`string` List of campaigns this IoC was observed.
`globalSourceId`	`string` Global source ID this IoC is part of. This would only be populated if the indicator is coming from a global source.
`logType`	`enum (LogType)` The log type of the IoC source.
`globalCustomerId`	`string (bytes format)` Global source ID this IoC is part of. This would only be populated if the indicator is coming from a global source. A base64-encoded string.
`confidenceScoreBucket`	`object (IntRange)` Confidence score bucket
`ipAndPorts`	`object (IpAndPorts)` IP address indicator.
`categorization`	`string` The category/type of this indicator. Ex: "Spyware", "Bitcoin_Related", etc.
`domainAndPorts`	`object (DomainAndPorts)` Domain indicator.
`activeTimerange`	`object (Interval)` The time range in which this indicator has been "active". The start or end time (or both) may be empty, indicating an open-ended time interval.
`link`	`object (Link)` optional. This will usually be a link to the Feed's definition.
`feedName`	`string` Original feed this indicator originated from.
`description`	`string` Raw description of the IoC.

EmptyAssetListReasonCode

Enums
`UNSPECIFIED_CODE`
`CONTAIN_HIGH_VOLUME_ASSETS_ONLY`
`CALCULATION_TIME_OUT`

IocState

Enums
`IOC_STATE_UNSPECIFIED`
`STATUS_MATCHED`
`STATUS_REVIEWED`
`STATUS_MUTED`

Priority

Enums
`PRIORITY_UNSPECIFIED`
`LOW`
`MEDIUM`
`HIGH`
`ACTIVE_BREACH`

AssociationIdentity

JSON representation
{ "name": string, "regionCode": { object (`Location`) }, "associationType": enum (`AssociationType`), "associationId": string }

Fields
`name`	`string`
`regionCode`	`object (Location)`
`associationType`	`enum (AssociationType)`
`associationId`	`string`

Method: legacy.legacySearchEnterpriseWideIoCs Stay organized with collections Save and categorize content based on your preferences.