SecurityResult

JSON representation
SecurityCategory
AlertState
FindingVariable
- JSON representation
Type
BoolSequence
- JSON representation
BytesSequence
- JSON representation
DoubleSequence
- JSON representation
Int64Sequence
- JSON representation
Uint64Sequence
- JSON representation
StringSequence
- JSON representation
Action
ProductSeverity
ProductConfidence
ProductPriority
AnalyticsMetadata
- JSON representation
ThreatStatus
AttackDetails
- JSON representation
Tactic
- JSON representation
Technique
- JSON representation
Association
- JSON representation
AssociationType
AssociationAlias
- JSON representation
Verdict
- JSON representation
ProviderMLVerdict
- JSON representation
Source
- JSON representation
AnalystVerdict
- JSON representation
VerdictResponse
VerdictInfo
- JSON representation
VerdictType
IoCStats
- JSON representation
IoCStatsType
ThreatVerdict

Security related metadata for the event. A security result might be something like "virus detected and quarantined," "malicious connection blocked," or "sensitive data included in document foo.doc." Each security result, of which there may be more than one, may either pertain to the whole event, or to a specific object or device referenced in the event (e.g. a malicious file that was detected, or a sensitive document sent as an email attachment). For security results that apply to a particular object referenced in the event, the security_results message MUST contain details about the implicated object (such as process, user, IP, domain, URL, IP, or email address) in the about field. For security results that apply to the entire event (e.g. SPAM found in this email), the about field must remain empty.

JSON representation

JSON representation
{ "about": { object (`Noun`) }, "category": [ enum (`SecurityCategory`) ], "category_details": [ string ], "threat_name": string, "rule_set": string, "rule_set_display_name": string, "ruleset_category_display_name": string, "rule_id": string, "rule_name": string, "rule_version": string, "rule_type": string, "rule_author": string, "rule_labels": [ { object (`Label`) } ], "alert_state": enum (`AlertState`), "detection_fields": [ { object (`Label`) } ], "outcomes": [ { object (`Label`) } ], "variables": { string: { object (`FindingVariable`) }, ... }, "summary": string, "description": string, "action": [ enum (`Action`) ], "action_details": string, "severity": enum (`ProductSeverity`), "confidence": enum (`ProductConfidence`), "priority": enum (`ProductPriority`), "risk_score": number, "confidence_score": number, "analytics_metadata": [ { object (`AnalyticsMetadata`) } ], "severity_details": string, "confidence_details": string, "priority_details": string, "url_back_to_product": string, "threat_id": string, "threat_feed_name": string, "threat_id_namespace": enum (`Namespace`), "threat_status": enum (`ThreatStatus`), "attack_details": { object (`AttackDetails`) }, "first_discovered_time": string, "associations": [ { object (`Association`) } ], "campaigns": [ string ], "reports": [ string ], "verdict": { object (`Verdict`) }, "last_updated_time": string, "verdict_info": [ { object (`VerdictInfo`) } ], "threat_verdict": enum (`ThreatVerdict`), "last_discovered_time": string }

{
  "about": {
    object (Noun)
  },
  "category": [
    enum (SecurityCategory)
  ],
  "category_details": [
    string
  ],
  "threat_name": string,
  "rule_set": string,
  "rule_set_display_name": string,
  "ruleset_category_display_name": string,
  "rule_id": string,
  "rule_name": string,
  "rule_version": string,
  "rule_type": string,
  "rule_author": string,
  "rule_labels": [
    {
      object (Label)
    }
  ],
  "alert_state": enum (AlertState),
  "detection_fields": [
    {
      object (Label)
    }
  ],
  "outcomes": [
    {
      object (Label)
    }
  ],
  "variables": {
    string: {
      object (FindingVariable)
    },
    ...
  },
  "summary": string,
  "description": string,
  "action": [
    enum (Action)
  ],
  "action_details": string,
  "severity": enum (ProductSeverity),
  "confidence": enum (ProductConfidence),
  "priority": enum (ProductPriority),
  "risk_score": number,
  "confidence_score": number,
  "analytics_metadata": [
    {
      object (AnalyticsMetadata)
    }
  ],
  "severity_details": string,
  "confidence_details": string,
  "priority_details": string,
  "url_back_to_product": string,
  "threat_id": string,
  "threat_feed_name": string,
  "threat_id_namespace": enum (Namespace),
  "threat_status": enum (ThreatStatus),
  "attack_details": {
    object (AttackDetails)
  },
  "first_discovered_time": string,
  "associations": [
    {
      object (Association)
    }
  ],
  "campaigns": [
    string
  ],
  "reports": [
    string
  ],
  "verdict": {
    object (Verdict)
  },
  "last_updated_time": string,
  "verdict_info": [
    {
      object (VerdictInfo)
    }
  ],
  "threat_verdict": enum (ThreatVerdict),
  "last_discovered_time": string
}

Fields
`about`	`object (Noun)` If the security result is about a specific entity (Noun), add it here. This field is not populated when the SecurityResult appears in a finding (a detection or alert).
`category[]`	`enum (SecurityCategory)` The security category. This field is not populated when the SecurityResult appears in a finding (a detection or alert).
`category_details[]`	`string` For vendor-specific categories. For web categorization, put type in here such as "gambling" or "porn". This field is not populated when the SecurityResult appears in a finding (a detection or alert).
`threat_name`	`string` A vendor-assigned classification common across multiple customers (for example, "W32/File-A", "Slammer"). This field is not populated when the SecurityResult appears in a finding (a detection or alert).
`rule_set`	`string` The curated detection's rule set identifier. (for example, "windows-threats") This is primarily set in rule-generated detections and alerts.
`rule_set_display_name`	`string` The curated detections rule set display name. This is primarily set in rule-generated detections and alerts.
`ruleset_category_display_name`	`string` The curated detection rule set category display name. (for example, if rule_set_display_name is "CDIR SCC Enhanced Exfiltration", the rule_set_category is "Cloud Threats"). This is primarily set in rule-generated detections and alerts.
`rule_id`	`string` A vendor-specific ID for a rule, varying by observer type (e.g. "08123", "5d2b44d0-5ef6-40f5-a704-47d61d3babbe").
`rule_name`	`string` Name of the security rule (e.g. "BlockInboundToOracle").
`rule_version`	`string` Version of the security rule. (e.g. "v1.1", "00001", "1604709794", "2020-11-16T23:04:19+00:00"). Note that rule versions are source-dependant and lexical ordering should not be assumed.
`rule_type`	`string` The type of security rule.
`rule_author`	`string` Author of the security rule. This field is not populated when the SecurityResult appears in a finding (a detection or alert).
`rule_labels[]`	`object (Label)` A list of rule labels that can't be captured by the other fields in security result (e.g. "reference : AnotherRule", "contributor : John"). This is primarily set in rule-generated detections and alerts.
`alert_state`	`enum (AlertState)` The alerting types of this security result. This is primarily set for rule-generated detections and alerts.
`detection_fields[]`	`object (Label)` An ordered list of values, that represent fields in detections for a security finding. This list represents mapping of names of requested entities to their values (the security result matched variables). This is only populated when the SecurityResult appears in a finding (a detection or alert).
`outcomes[]`	`object (Label)` A list of outcomes that represent the results of this security finding. This list represents a mapping of names of the requested outcomes, to a stringified version of their values. This is only populated when the SecurityResult appears in a finding (a detection or alert).
`variables`	`map (key: string, value: object (FindingVariable))` A list of outcomes and match variables that represent the results of this security finding. This list represents a mapping of names of the requested outcomes or match variables, to their values. This is only populated when the SecurityResult appears in a finding (a detection or alert). An object containing a list of `"key": value` pairs. Example: `{ "name": "wrench", "mass": "1.3kg", "count": "3" }`.
`summary`	`string` A short human-readable summary (e.g. "failed login occurred")
`description`	`string` A human-readable description (e.g. "user password was wrong"). This can be more detailed than the summary.
`action[]`	`enum (Action)` Actions taken for this event. This field is not populated when the SecurityResult appears in a finding (a detection or alert).
`action_details`	`string` The detail of the action taken as provided by the vendor. This field is not populated when the SecurityResult appears in a finding (a detection or alert).
`severity`	`enum (ProductSeverity)` The severity of the result.
`confidence`	`enum (ProductConfidence)` The confidence level of the result as estimated by the product. This field is not populated when the SecurityResult appears in a finding (a detection or alert).
`priority`	`enum (ProductPriority)` The priority of the result. This field is not populated when the SecurityResult appears in a finding (a detection or alert).
`risk_score`	`number` The risk score of the security result.
`confidence_score`	`number` The confidence score of the security result. This field is not populated when the SecurityResult appears in a finding (a detection or alert).
`analytics_metadata[]`	`object (AnalyticsMetadata)` Stores metadata about each risk analytic metric the rule uses. This field is not populated when the SecurityResult appears in a finding (a detection or alert).
`severity_details`	`string` Vendor-specific severity. This field is not populated when the SecurityResult appears in a finding (a detection or alert).
`confidence_details`	`string` Additional detail with regards to the confidence of a security event as estimated by the product vendor. This field is not populated when the SecurityResult appears in a finding (a detection or alert).
`priority_details`	`string` Vendor-specific information about the security result priority. This field is not populated when the SecurityResult appears in a finding (a detection or alert).
`url_back_to_product`	`string` URL that takes the user to the source product console for this event. This field is not populated when the SecurityResult appears in a finding (a detection or alert).
`threat_id`	`string` Vendor-specific ID for a threat. This field is not populated when the SecurityResult appears in a finding (a detection or alert).
`threat_feed_name`	`string` Vendor feed name for a threat indicator feed. This field is not populated when the SecurityResult appears in a finding (a detection or alert).
`threat_id_namespace`	`enum (Namespace)` The attribute threat_id_namespace qualifies threat_id with an id namespace to get an unique id. The attribute threat_id by itself is not unique across Chronicle as it is a vendor specific id. This field is not populated when the SecurityResult appears in a finding (a detection or alert).
`threat_status`	`enum (ThreatStatus)` Current status of the threat This field is not populated when the SecurityResult appears in a finding (a detection or alert).
`attack_details`	`object (AttackDetails)` MITRE ATT&CK details. This field is not populated when the SecurityResult appears in a finding (a detection or alert).
`first_discovered_time`	`string (Timestamp format)` First time the IoC threat was discovered in the provider. This field is not populated when the SecurityResult appears in a finding (a detection or alert). Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`associations[]`	`object (Association)` Associations related to the threat. This field is not populated when the SecurityResult appears in a finding (a detection or alert).
`campaigns[]`	`string` Campaigns using this IOC threat. This field is not populated when the SecurityResult appears in a finding (a detection or alert).
`reports[]`	`string` Reports that reference this IOC threat. These are the report IDs. This field is not populated when the SecurityResult appears in a finding (a detection or alert).
`verdict (deprecated)`	`object (Verdict)` This item is deprecated! Verdict about the IoC from the provider. This field is now deprecated. Use VerdictInfo instead.
`last_updated_time`	`string (Timestamp format)` Last time the IoC threat was updated in the provider. This field is not populated when the SecurityResult appears in a finding (a detection or alert). Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`verdict_info[]`	`object (VerdictInfo)` Verdict information about the IoC from the provider. This field is not populated when the SecurityResult appears in a finding (a detection or alert).
`threat_verdict`	`enum (ThreatVerdict)` GCTI threat verdict on the security result entity. This field is not populated when the SecurityResult appears in a finding (a detection or alert).
`last_discovered_time`	`string (Timestamp format)` Last time the IoC was seen in the provider data. This field is not populated when the SecurityResult appears in a finding (a detection or alert). Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.

SecurityCategory

SecurityCategory is used to standardize security categories across products so one event is not categorized as "malware" and another as a "virus".

Enums
`UNKNOWN_CATEGORY`	The default category.
`SOFTWARE_MALICIOUS`	Malware, spyware, rootkit.
`SOFTWARE_SUSPICIOUS`	Below the conviction threshold; probably bad.
`SOFTWARE_PUA`	Potentially Unwanted App (such as adware).
`NETWORK_MALICIOUS`	Includes C&C or network exploit.
`NETWORK_SUSPICIOUS`	Suspicious activity, such as potential reverse tunnel.
`NETWORK_CATEGORIZED_CONTENT`	Non-security related: URL has category like gambling or porn.
`NETWORK_DENIAL_OF_SERVICE`	DoS, DDoS.
`NETWORK_RECON`	Port scan detected by an IDS, probing of web app.
`NETWORK_COMMAND_AND_CONTROL`	If we know this is a C&C channel.
`ACL_VIOLATION`	Unauthorized access attempted, including attempted access to files, web services, processes, web objects, etc.
`AUTH_VIOLATION`	Authentication failed (e.g. bad password or bad 2-factor authentication).
`EXPLOIT`	Exploit: For all manner of exploits including attempted overflows, bad protocol encodings, ROP, SQL injection, etc. For both network and host- based exploits.
`DATA_EXFILTRATION`	DLP: Sensitive data transmission, copy to thumb drive.
`DATA_AT_REST`	DLP: Sensitive data found at rest in a scan.
`DATA_DESTRUCTION`	Attempt to destroy/delete data.
`TOR_EXIT_NODE`	TOR Exit Nodes.
`MAIL_SPAM`	@exclude Spam email, message, etc.
`MAIL_PHISHING`	Phishing email, chat messages, etc.
`MAIL_SPOOFING`	Spoofed source email address, etc.
`POLICY_VIOLATION`	Security-related policy violation (e.g. firewall/proxy/HIPS rule violated, NAC block action).
`SOCIAL_ENGINEERING`	Threats which manipulate to break normal security procedures.
`PHISHING`	Phishing pages, pops, https phishing etc.

AlertState

The type of alerting set up for a security result.

Enums
`UNSPECIFIED`	The security result type is not known.
`NOT_ALERTING`	The security result is not an alert.
`ALERTING`	The security result is an alert.

FindingVariable

A structure that holds the value and associated metadata for values extracted while producing a Finding.

JSON representation

JSON representation
{ "type": enum (`Type`), "value": string, "source_path": string, // Union field `typed_value` can be only one of the following: "bool_val": boolean, "bytes_val": string, "double_val": number, "int64_val": string, "uint64_val": string, "string_val": string, "null_val": boolean, "bool_seq": { object (`BoolSequence`) }, "bytes_seq": { object (`BytesSequence`) }, "double_seq": { object (`DoubleSequence`) }, "int64_seq": { object (`Int64Sequence`) }, "uint64_seq": { object (`Uint64Sequence`) }, "string_seq": { object (`StringSequence`) } // End of list of possible types for union field `typed_value`. }

{
  "type": enum (Type),
  "value": string,
  "source_path": string,

  // Union field typed_value can be only one of the following:
  "bool_val": boolean,
  "bytes_val": string,
  "double_val": number,
  "int64_val": string,
  "uint64_val": string,
  "string_val": string,
  "null_val": boolean,
  "bool_seq": {
    object (BoolSequence)
  },
  "bytes_seq": {
    object (BytesSequence)
  },
  "double_seq": {
    object (DoubleSequence)
  },
  "int64_seq": {
    object (Int64Sequence)
  },
  "uint64_seq": {
    object (Uint64Sequence)
  },
  "string_seq": {
    object (StringSequence)
  }
  // End of list of possible types for union field typed_value.
}

Fields
`type`	`enum (Type)` The type of the variable.
`value`	`string` The value in string form.
`source_path`	`string` The UDM field path for the field which this value was derived from. Example: `principal.user.username`
Union field `typed_value`. The typed value of the variable. `typed_value` can be only one of the following:
`bool_val`	`boolean` The value in boolean format.
`bytes_val`	`string (bytes format)` The value in bytes format. A base64-encoded string.
`double_val`	`number` The value in double format.
`int64_val`	`string (int64 format)` The value in int64 format.
`uint64_val`	`string` The value in uint64 format.
`string_val`	`string` The value in string format. Enum values are returned as strings.
`null_val`	`boolean` Whether the value is null.
`bool_seq`	`object (BoolSequence)` The value in boolsequence format.
`bytes_seq`	`object (BytesSequence)` The value in bytessequence format.
`double_seq`	`object (DoubleSequence)` The value in doublesequence format.
`int64_seq`	`object (Int64Sequence)` The value in int64sequence format.
`uint64_seq`	`object (Uint64Sequence)` The value in uint64sequence format.
`string_seq`	`object (StringSequence)` The value in stringsequence format.

Type

Type options for Finding variables.

Enums
`TYPE_UNSPECIFIED`	An unspecified variable type.
`MATCH`	A variable coming from the match conditions.
`OUTCOME`	A variable representing significant data that was found in the detection logic.

BoolSequence

BoolSequence represents a sequence of bools.

JSON representation
{ "bool_vals": [ boolean ] }

Fields

Fields
`bool_vals[]`	`boolean` bool sequence.

bool_vals[]

boolean

bool sequence.

BytesSequence

BytesSequence represents a sequence of bytes.

JSON representation
{ "bytes_vals": [ string ] }

Fields

Fields
`bytes_vals[]`	`string (bytes format)` bytes sequence. A base64-encoded string.

bytes_vals[]

string (bytes format)

bytes sequence.

A base64-encoded string.

DoubleSequence

DoubleSequence represents a sequence of doubles.

JSON representation
{ "double_vals": [ number ] }

Fields

Fields
`double_vals[]`	`number` double sequence.

double_vals[]

number

double sequence.

Int64Sequence

Int64Sequence represents a sequence of int64s.

JSON representation
{ "int64_vals": [ string ] }

Fields

Fields
`int64_vals[]`	`string (int64 format)` int64 sequence.

int64_vals[]

string (int64 format)

int64 sequence.

Uint64Sequence

Uint64Sequence represents a sequence of uint64s.

JSON representation
{ "uint64_vals": [ string ] }

Fields

Fields
`uint64_vals[]`	`string` uint64 sequence.

uint64_vals[]

string

uint64 sequence.

StringSequence

StringSequence represents a sequence of string.

JSON representation
{ "string_vals": [ string ] }

Fields

Fields
`string_vals[]`	`string` string sequence.

string_vals[]

string

string sequence.

Action

Enum representing different possible actions taken by the product that created the event.

Enums
`UNKNOWN_ACTION`	The default action.
`ALLOW`	Allowed.
`BLOCK`	Blocked.
`ALLOW_WITH_MODIFICATION`	Strip, modify something (e.g. File or email was disinfected or rewritten and still forwarded).
`QUARANTINE`	Put somewhere for later analysis (does NOT imply block).
`FAIL`	Failed (e.g. the event was allowed but failed).
`CHALLENGE`	Challenged (e.g. the user was challenged by a Captcha, 2FA).

ProductSeverity

Defined by the product

Enums
`UNKNOWN_SEVERITY`	The default severity level.
`INFORMATIONAL`	Info severity.
`ERROR`	An error.
`NONE`	No malicious result.
`LOW`	Low-severity malicious result.
`MEDIUM`	Medium-severity malicious result.
`HIGH`	High-severity malicious result.
`CRITICAL`	Critical-severity malicious result.

ProductConfidence

A level of confidence in the result.

Enums
`UNKNOWN_CONFIDENCE`	The default confidence level.
`LOW_CONFIDENCE`	Low confidence.
`MEDIUM_CONFIDENCE`	Medium confidence.
`HIGH_CONFIDENCE`	High confidence.

ProductPriority

A product priority level.

Enums
`UNKNOWN_PRIORITY`	Default priority level.
`LOW_PRIORITY`	Low priority.
`MEDIUM_PRIORITY`	Medium priority.
`HIGH_PRIORITY`	High priority.

AnalyticsMetadata

Stores information about an analytics metric used in a rule.

JSON representation
{ "analytic": string }

Fields

analytic

string

Name of the analytic.

ThreatStatus

Vendor-specific information about the status of a threat (ITW).

Enums
`THREAT_STATUS_UNSPECIFIED`	Default threat status
`ACTIVE`	Active threat.
`CLEARED`	Cleared threat.
`FALSE_POSITIVE`	False positive.

AttackDetails

MITRE ATT&CK details.

JSON representation
{ "version": string, "tactics": [ { object (`Tactic`) } ], "techniques": [ { object (`Technique`) } ] }

Fields

Fields
`version`	`string` ATT&CK version (e.g. 12.1).
`tactics[]`	`object (Tactic)` Tactics employed.
`techniques[]`	`object (Technique)` Techniques employed.

version

string

ATT&CK version (e.g. 12.1).

tactics[]

object (Tactic)

Tactics employed.

techniques[]

object (Technique)

Techniques employed.

Tactic

Tactic information related to an attack or threat.

JSON representation
{ "id": string, "name": string }

Fields

Fields
`id`	`string` Tactic ID (e.g. "TA0043").
`name`	`string` Tactic Name (e.g. "Reconnaissance")

id

string

Tactic ID (e.g. "TA0043").

name

string

Tactic Name (e.g. "Reconnaissance")

Technique

Technique information related to an attack or threat.

JSON representation
{ "id": string, "name": string, "subtechnique_id": string, "subtechnique_name": string }

Fields
`id`	`string` Technique ID (e.g. "T1595").
`name`	`string` Technique Name (e.g. "Active Scanning").
`subtechnique_id`	`string` Subtechnique ID (e.g. "T1595.001").
`subtechnique_name`	`string` Subtechnique Name (e.g. "Scanning IP Blocks").

Association

Associations represents different metadata about malware and threat actors involved with an IoC.

JSON representation

JSON representation
{ "id": string, "country_code": [ string ], "type": enum (`AssociationType`), "name": string, "description": string, "role": string, "source_country": string, "alias": [ { object (`AssociationAlias`) } ], "first_reference_time": string, "last_reference_time": string, "industries_affected": [ string ], "associated_actors": [ { object (`Association`) } ], "region_code": { object (`Location`) }, "sponsor_region": { object (`Location`) }, "targeted_regions": [ { object (`Location`) } ], "tags": [ string ] }

{
  "id": string,
  "country_code": [
    string
  ],
  "type": enum (AssociationType),
  "name": string,
  "description": string,
  "role": string,
  "source_country": string,
  "alias": [
    {
      object (AssociationAlias)
    }
  ],
  "first_reference_time": string,
  "last_reference_time": string,
  "industries_affected": [
    string
  ],
  "associated_actors": [
    {
      object (Association)
    }
  ],
  "region_code": {
    object (Location)
  },
  "sponsor_region": {
    object (Location)
  },
  "targeted_regions": [
    {
      object (Location)
    }
  ],
  "tags": [
    string
  ]
}

Fields
`id`	`string` Unique association id generated by mandiant.
`country_code[]`	`string` Country from which the threat actor/ malware is originated.
`type`	`enum (AssociationType)` Signifies the type of association.
`name`	`string` Name of the threat actor/malware.
`description`	`string` Human readable description about the association.
`role`	`string` Role of the malware. Not applicable for threat actor.
`source_country (deprecated)`	`string` This item is deprecated! Name of the country the threat originated from.
`alias[]`	`object (AssociationAlias)` Different aliases of the threat actor given by different sources.
`first_reference_time`	`string (Timestamp format)` First time the threat actor was referenced or seen. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`last_reference_time`	`string (Timestamp format)` Last time the threat actor was referenced or seen. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`industries_affected[]`	`string` List of industries the threat actor affects.
`associated_actors[]`	`object (Association)` List of associated threat actors for a malware. Not applicable for threat actors.
`region_code`	`object (Location)` Name of the country, the threat is originating from.
`sponsor_region`	`object (Location)` Sponsor region of the threat actor.
`targeted_regions[]`	`object (Location)` Targeted regions.
`tags[]`	`string` Tags.

AssociationType

Represents different possible Association types. Can be threat or malware. Used to represent Mandiant threat intelligence.

Enums
`ASSOCIATION_TYPE_UNSPECIFIED`	The default Association Type.
`THREAT_ACTOR`	Association type Threat actor.
`MALWARE`	Association type Malware.

AssociationAlias

Association Alias used to represent Mandiant Threat Intelligence.

JSON representation
{ "name": string, "company": string }

Fields

Fields
`name`	`string` Name of the alias.
`company`	`string` Name of the provider who gave the association's name.

name

string

Name of the alias.

company

string

Name of the provider who gave the association's name.

Verdict

Deprecated. Encapsulates the threat verdict provided by human analysts and ML models. These fields are used to model Mandiant sources.

JSON representation
{ "source_count": integer, "response_count": integer, "neighbour_influence": string, "verdict": { object (`ProviderMLVerdict`) }, "analyst_verdict": { object (`AnalystVerdict`) } }

Fields
`source_count`	`integer` Number of sources from which intelligence was extracted.
`response_count`	`integer` Total response count across all sources.
`neighbour_influence`	`string` Describes the neighbour influence of the verdict.
`verdict`	`object (ProviderMLVerdict)` ML Verdict provided by sources like Mandiant.
`analyst_verdict`	`object (AnalystVerdict)` Human analyst verdict provided by sources like Mandiant.

ProviderMLVerdict

Deprecated. MLVerdict result provided from threat providers, like Mandiant. These fields are used to model Mandiant sources.

JSON representation

JSON representation
{ "source_provider": string, "benign_count": integer, "malicious_count": integer, "confidence_score": integer, "mandiant_sources": [ { object (`Source`) } ], "third_party_sources": [ { object (`Source`) } ] }

{
  "source_provider": string,
  "benign_count": integer,
  "malicious_count": integer,
  "confidence_score": integer,
  "mandiant_sources": [
    {
      object (Source)
    }
  ],
  "third_party_sources": [
    {
      object (Source)
    }
  ]
}

Fields
`source_provider`	`string` Source provider giving the ML verdict.
`benign_count`	`integer` Count of responses where this IoC was marked benign.
`malicious_count`	`integer` Count of responses where this IoC was marked malicious.
`confidence_score`	`integer` Confidence score of the verdict.
`mandiant_sources[]`	`object (Source)` List of mandiant sources from which the verdict was generated.
`third_party_sources[]`	`object (Source)` List of third-party sources from which the verdict was generated.

Source

Deprecated. Information about the threat intelligence source. These fields are used to model Mandiant sources.

JSON representation

JSON representation
{ "name": string, "benign_count": integer, "malicious_count": integer, "quality": enum (`ProductConfidence`), "response_count": integer, "source_count": integer, "threat_intelligence_sources": [ { object (`Source`) } ] }

{
  "name": string,
  "benign_count": integer,
  "malicious_count": integer,
  "quality": enum (ProductConfidence),
  "response_count": integer,
  "source_count": integer,
  "threat_intelligence_sources": [
    {
      object (Source)
    }
  ]
}

Fields
`name`	`string` Name of the IoC source.
`benign_count`	`integer` Count of responses where this IoC was marked benign.
`malicious_count`	`integer` Count of responses where this IoC was marked malicious.
`quality`	`enum (ProductConfidence)` Quality of the IoC mapping extracted from the source.
`response_count`	`integer` Total response count from this source.
`source_count`	`integer` Number of sources from which intelligence was extracted.
`threat_intelligence_sources[]`	`object (Source)` Different threat intelligence sources from which IoC info was extracted.

AnalystVerdict

Verdict provided by the human analyst. These fields are used to model Mandiant sources.

JSON representation
{ "confidence_score": integer, "verdict_time": string, "verdict_response": enum (`VerdictResponse`) }

Fields

Fields
`confidence_score`	`integer` Confidence score of the verdict.
`verdict_time`	`string (Timestamp format)` Timestamp at which the verdict was generated. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`verdict_response`	`enum (VerdictResponse)` Details of the verdict.

confidence_score

integer

Confidence score of the verdict.

verdict_time

string (Timestamp format)

Timestamp at which the verdict was generated.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

verdict_response

enum (VerdictResponse)

Details of the verdict.

VerdictResponse

Represents different verdict types. Used to represent Mandiant threat intelligence.

Enums
`VERDICT_RESPONSE_UNSPECIFIED`	The default verdict response type.
`MALICIOUS`	VerdictResponse resulted a threat as malicious.
`BENIGN`	VerdictResponse resulted a threat as benign.

VerdictInfo

Describes the threat verdict provided by human analysts and machine learning models. These fields are used to model Mandiant sources.

JSON representation

JSON representation
{ "source_count": integer, "response_count": integer, "neighbour_influence": string, "verdict_type": enum (`VerdictType`), "source_provider": string, "benign_count": integer, "malicious_count": integer, "confidence_score": integer, "ioc_stats": [ { object (`IoCStats`) } ], "verdict_time": string, "verdict_response": enum (`VerdictResponse`), "global_customer_count": integer, "global_hits_count": integer, "pwn": boolean, "category_details": string, "pwn_first_tagged_time": string }

{
  "source_count": integer,
  "response_count": integer,
  "neighbour_influence": string,
  "verdict_type": enum (VerdictType),
  "source_provider": string,
  "benign_count": integer,
  "malicious_count": integer,
  "confidence_score": integer,
  "ioc_stats": [
    {
      object (IoCStats)
    }
  ],
  "verdict_time": string,
  "verdict_response": enum (VerdictResponse),
  "global_customer_count": integer,
  "global_hits_count": integer,
  "pwn": boolean,
  "category_details": string,
  "pwn_first_tagged_time": string
}

Fields
`source_count`	`integer` Number of sources from which intelligence was extracted.
`response_count`	`integer` Total response count across all sources.
`neighbour_influence`	`string` Describes the near neighbor influence of the verdict.
`verdict_type`	`enum (VerdictType)` Type of verdict.
`source_provider`	`string` Source provider giving the machine learning verdict.
`benign_count`	`integer` Count of responses where this IoC was marked as benign.
`malicious_count`	`integer` Count of responses where this IoC was marked as malicious.
`confidence_score`	`integer` Confidence score of the verdict.
`ioc_stats[]`	`object (IoCStats)` List of IoCStats from which the verdict was generated.
`verdict_time`	`string (Timestamp format)` Timestamp when the verdict was generated. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`verdict_response`	`enum (VerdictResponse)` Details about the verdict.
`global_customer_count`	`integer` Global customer count over the last 30 days
`global_hits_count`	`integer` Global hit count over the last 30 days.
`pwn`	`boolean` Whether one or more Mandiant incident response customers had this indicator in their environment.
`category_details`	`string` Tags related to the verdict.
`pwn_first_tagged_time`	`string (Timestamp format)` The timestamp of the first time a pwn was associated to this entity. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.

VerdictType

Category of the verdict.

Enums
`VERDICT_TYPE_UNSPECIFIED`	Verdict category not specified.
`PROVIDER_ML_VERDICT`	MLVerdict result provided from threat providers, like Mandiant. These fields are used to model Mandiant sources.
`ANALYST_VERDICT`	Verdict provided by the human analyst. These fields are used to model Mandiant sources.

IoCStats

Information about the threat intelligence source. These fields are used to model Mandiant sources.

JSON representation

JSON representation
{ "ioc_stats_type": enum (`IoCStatsType`), "first_level_source": string, "second_level_source": string, "benign_count": integer, "quality": enum (`ProductConfidence`), "malicious_count": integer, "response_count": integer, "source_count": integer }

{
  "ioc_stats_type": enum (IoCStatsType),
  "first_level_source": string,
  "second_level_source": string,
  "benign_count": integer,
  "quality": enum (ProductConfidence),
  "malicious_count": integer,
  "response_count": integer,
  "source_count": integer
}

Fields
`ioc_stats_type`	`enum (IoCStatsType)` Describes the source of the IoCStat.
`first_level_source`	`string` Name of first level IoC source, for example Mandiant or a third-party.
`second_level_source`	`string` Name of the second-level IoC source, for example Crowdsourced Threat Analysis or Knowledge Graph.
`benign_count`	`integer` Count of responses where the IoC was identified as benign.
`quality`	`enum (ProductConfidence)` Level of confidence in the IoC mapping extracted from the source.
`malicious_count`	`integer` Count of responses where the IoC was identified as malicious.
`response_count`	`integer` Total number of response from the source.
`source_count`	`integer` Number of sources from which information was extracted.

IoCStatsType

Type of IoCStat based on source.

Enums
`UNSPECIFIED_IOC_STATS_TYPE`	IoCStat source is unidentified.
`MANDIANT_SOURCES`	IoCStat is from a Mandiant Source.
`THIRD_PARTY_SOURCES`	IoCStat is from a third-party source.
`THREAT_INTELLIGENCE_IOC_STATS`	IoCStat is from a threat intelligence feed.

ThreatVerdict

GCTI threat verdict levels.

Enums
`THREAT_VERDICT_UNSPECIFIED`	Unspecified threat verdict level.
`UNDETECTED`	Undetected threat verdict level.
`SUSPICIOUS`	Suspicious threat verdict level.
`MALICIOUS`	Malicious threat verdict level.