Resource: Alert
Stateful object representing a group of Findings. Key feature to an Alert is that it expresses the user's intent towards the findings of that group, even those that haven't occurred yet.
{
"name": string,
"findings": [
string
],
"state": enum (State),
"audit": {
object (Audit)
},
"displayName": string,
"detail": {
object (AlertDetail)
},
"duplicateOf": string,
"duplicatedBy": [
string
],
"etag": string,
"externalId": string,
"aiSummary": string,
"relevanceAnalysis": {
object (RelevanceAnalysis)
},
"severityAnalysis": {
object (SeverityAnalysis)
},
"priorityAnalysis": {
object (PriorityAnalysis)
},
"findingCount": string,
"configurations": [
string
]
}| Fields | |
|---|---|
name | stringIdentifier. Server generated name for the alert. format is projects/{project}/alerts/{alert} |
findings[] | stringOutput only. Findings that are covered by this alert. |
state | enum (State )Output only. State of the alert. |
audit | object (Audit )Output only. Audit information for the alert. |
displayName | stringOutput only. A short title for the alert. |
detail | object (AlertDetail )Output only. Details object for the alert, not all alerts will have a details object. |
duplicateOf | stringOutput only. alert name of the alert this alert is a duplicate of. Format: projects/{project}/alerts/{alert} |
duplicatedBy[] | stringOutput only. alert names of the alerts that are duplicates of this alert. Format: projects/{project}/alerts/{alert} |
etag | stringOptional. If included when updating an alert, this should be set to the current etag of the alert. If the etags do not match, the update will be rejected and an ABORTED error will be returned. |
externalId | stringOutput only. External ID for the alert. This is used internally to provide protection against out of order updates. |
aiSummary | stringOptional. AI summary of the finding. |
relevanceAnalysis | object (RelevanceAnalysis )Output only. High-Precision Relevance Analysis verdict for the alert. |
severityAnalysis | object (SeverityAnalysis )Output only. High-Precision Severity Analysis for the alert. |
priorityAnalysis | object (PriorityAnalysis )Output only. High-Precision Priority Analysis for the alert. |
findingCount | string (int64 format)Output only. The number of findings associated with this alert. |
configurations[] | stringOutput only. The resource names of the Configurations bound to this alert. Format: projects/{project}/configurations/{configuration} |
State
alert state is used to track the lifecycle of an alert. More state values may be added in the future.
| Enums | |
|---|---|
STATE_UNSPECIFIED | Default value, should never be set. |
NEW | alert is new. |
READ | alert was read by a human. |
TRIAGED | alert has been triaged. |
ESCALATED | alert has been escalated. |
RESOLVED | alert has been resolved. |
DUPLICATE | alert is a duplicate of another alert. |
FALSE_POSITIVE | alert is a false positive and should be ignored. |
NOT_ACTIONABLE | alert is not actionable. |
BENIGN | alert is benign. |
TRACKED_EXTERNALLY | alert is tracked externally. |
AlertDetail
Container for different types of alert details.
{
"detailType": string,
// Union field detail can be only one of the following:
"initialAccessBroker": {
object (InitialAccessBrokerAlertDetail)
},
"dataLeak": {
object (DataLeakAlertDetail)
},
"insiderThreat": {
object (InsiderThreatAlertDetail)
}
// End of list of possible types for union field detail.
}| Fields | |
|---|---|
detailType | stringOutput only. Name of the detail type. Will be set by the server during creation to the name of the field that is set in the detail union. |
Union field detail. Domain specific details object which includes a high level summary of the finding for use in CTEM contexts. detail can be only one of the following: | |
initialAccessBroker | object (InitialAccessBrokerAlertDetail )Initial Access Broker alert detail type. |
dataLeak | object (DataLeakAlertDetail )Data Leak alert detail type. |
insiderThreat | object (InsiderThreatAlertDetail )Insider Threat alert detail type. |
InitialAccessBrokerAlertDetail
Captures the specific details of InitialAccessBroker (IAB) alert.
{
"severity": string,
"discoveryDocumentIds": [
string
]
}| Fields | |
|---|---|
severity | stringRequired. The severity of the Initial Access Broker (IAB) alert. Allowed values are: LOW MEDIUM HIGH CRITICAL |
discoveryDocumentIds[] | stringRequired. Array of ids to accommodate multiple discovery documents |
DataLeakAlertDetail
Captures the specific details of Data Leak alert.
{
"severity": string,
"discoveryDocumentIds": [
string
]
}| Fields | |
|---|---|
severity | stringRequired. The severity of the Data Leak alert. Allowed values are: LOW MEDIUM HIGH CRITICAL |
discoveryDocumentIds[] | stringRequired. Array of ids to accommodate multiple discovery documents |
InsiderThreatAlertDetail
Captures the specific details of InsiderThreat alert.
{
"severity": string,
"discoveryDocumentIds": [
string
]
}| Fields | |
|---|---|
severity | stringRequired. The severity of the Insider Threat alert. Allowed values are: LOW MEDIUM HIGH CRITICAL |
discoveryDocumentIds[] | stringRequired. Array of ids to accommodate multiple discovery documents |
PriorityAnalysis
Structured priority analysis for a threat.
{
"priorityLevel": enum (PriorityLevel),
"confidence": enum (ConfidenceLevel),
"reasoning": string
}| Fields | |
|---|---|
priorityLevel | enum (PriorityLevel )The level of Priority. |
confidence | enum (ConfidenceLevel )The level of confidence in the given verdict. |
reasoning | stringHuman-readable explanation from the model, detailing why a particular result is considered to have a certain priority. |
PriorityLevel
Priority Level of an issue.
| Enums | |
|---|---|
PRIORITY_LEVEL_UNSPECIFIED | Default value, should never be set. |
PRIORITY_LEVEL_LOW | Low Priority. |
PRIORITY_LEVEL_MEDIUM | Medium Priority. |
PRIORITY_LEVEL_HIGH | High Priority. |
PRIORITY_LEVEL_CRITICAL | Critical Priority. |
Methods
| benign | Marks an alert as benign - BENIGN. |
| duplicate | Marks an alert as a duplicate of another alert. |
| enumerateFacets | EnumerateAlertFacets returns the facets and the number of alerts that meet the filter criteria and have that value for each facet. |
| escalate | Marks an alert as escalated - ESCALATED. |
| falsePositive | Marks an alert as a false positive - FALSE_POSITIVE. |
| get | Get an alert by name. |
| list | Get a list of alerts that meet the filter criteria. |
| notActionable | Marks an alert as not actionable - NOT_ACTIONABLE. |
| read | Marks an alert as read - READ. |
| resolve | Marks an alert to closed state - RESOLVED. |
| trackExternally | Marks an alert as tracked externally - TRACKED_EXTERNALLY. |
| triage | Marks an alert as triaged - TRIAGED. |