Threat Intelligence API . projects . alerts

Instance Methods

documents()

Returns the documents Resource.

benign(name, body=None, x__xgafv=None)

Marks an alert as benign - BENIGN.

close()

Close httplib2 connections.

duplicate(name, body=None, x__xgafv=None)

Marks an alert as a duplicate of another alert. - DUPLICATE.

enumerateFacets(parent, filter=None, x__xgafv=None)

EnumerateAlertFacets returns the facets and the number of alerts that meet the filter criteria and have that value for each facet.

escalate(name, body=None, x__xgafv=None)

Marks an alert as escalated - ESCALATED.

falsePositive(name, body=None, x__xgafv=None)

Marks an alert as a false positive - FALSE_POSITIVE.

get(name, x__xgafv=None)

Get an alert by name.

list(parent, filter=None, orderBy=None, pageSize=None, pageToken=None, x__xgafv=None)

Get a list of alerts that meet the filter criteria.

list_next()

Retrieves the next page of results.

notActionable(name, body=None, x__xgafv=None)

Marks an alert as not actionable - NOT_ACTIONABLE.

read(name, body=None, x__xgafv=None)

Marks an alert as read - READ.

refreshUriStatus(name, body=None, x__xgafv=None)

Return the status of a URI submitted to Google WebRisk.

reportAlertUri(name, body=None, x__xgafv=None)

Report the URI associated with an alert to Google WebRisk.

resolve(name, body=None, x__xgafv=None)

Moves an alert to the closed state - RESOLVED.

trackExternally(name, body=None, x__xgafv=None)

Marks an alert as tracked externally - TRACKED_EXTERNALLY.

triage(name, body=None, x__xgafv=None)

Marks an alert as triaged - TRIAGED.

Method Details

benign(name, body=None, x__xgafv=None)
Marks an alert as benign - BENIGN.

Args:
  name: string, Required. Name of the alert to mark as benign. Format: projects/{project}/alerts/{alert} (required)
  body: object, The request body.
    The object takes the form of:

{ # Request message for MarkAlertAsBenign.
}

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Stateful object representing a group of Findings. Key feature to an Alert is that it expresses the user's intent towards the findings of that group, even those that haven't occurred yet.
  "aiSummary": "A String", # Optional. AI summary of the finding.
  "assets": [ # Output only. Assets that are impacted by this alert.
    "A String",
  ],
  "audit": { # Tracks basic CRUD facts. # Output only. Audit information for the alert.
    "createTime": "A String", # Output only. Time of creation.
    "creator": "A String", # Output only. Agent that created or updated the record, could be a UserId or a JobId.
    "updateTime": "A String", # Output only. Time of creation or last update.
    "updater": "A String", # Output only. Agent that last updated the record, could be a UserId or a JobId.
  },
  "configurations": [ # Output only. The resource names of the Configurations bound to this alert. Format: projects/{project}/configurations/{configuration}
    "A String",
  ],
  "detail": { # Container for different types of alert details. # Output only. Details object for the alert, not all alerts will have a details object.
    "dataLeak": { # Captures the specific details of Data Leak alert. # Data Leak alert detail type.
      "discoveryDocumentIds": [ # Required. Array of ids to accommodate multiple discovery documents
        "A String",
      ],
      "severity": "A String", # Required. Data Leak specific severity. This will be the string representation of the DataLeakFindingDetail.Severity enum (e.g., "LOW", "MEDIUM", "HIGH", "CRITICAL").
    },
    "detailType": "A String", # Output only. Name of the detail type. Will be set by the server during creation to the name of the field that is set in the detail union.
    "initialAccessBroker": { # Captures the specific details of InitialAccessBroker (IAB) alert. # Initial Access Broker alert detail type.
      "discoveryDocumentIds": [ # Required. Array of ids to accommodate multiple discovery documents
        "A String",
      ],
      "severity": "A String", # Required. IAB specific severity
    },
    "insiderThreat": { # Captures the specific details of InsiderThreat alert. # Insider Threat alert detail type.
      "discoveryDocumentIds": [ # Required. Array of ids to accommodate multiple discovery documents
        "A String",
      ],
      "severity": "A String", # Required. InsiderThreat specific severity. This will be the string representation of the InsiderThreatFindingDetail.Severity enum (e.g., "LOW", "MEDIUM", "HIGH", "CRITICAL").
    },
    "suspiciousDomain": { # The alert detail for a suspicious domain finding. # Domain Monitoring alert detail type.
      "dns": { # The DNS details of the suspicious domain. # The DNS details of the suspicious domain.
        "dnsRecords": [ # The DNS records of the suspicious domain.
          { # The DNS record of the suspicious domain.
            "record": "A String", # The name of the DNS record.
            "ttl": 42, # The TTL of the DNS record.
            "type": "A String", # The type of the DNS record.
            "value": "A String", # The value of the DNS record.
          },
        ],
        "retrievalTime": "A String", # The time the DNS details were retrieved.
      },
      "domain": "A String", # Required. The suspicious domain name.
      "gtiDetails": { # The GTI details of the suspicious domain. # The GTI details of the suspicious domain.
        "threatScore": 42, # The threat score of the suspicious domain. The threat score is a number between 0 and 100.
        "verdict": "A String", # Output only. The verdict of the suspicious domain.
        "virustotalUri": "A String", # VirusTotal link for the domain
      },
      "webRiskOperation": "A String", # Output only. Name of Web Risk submission operation.
      "webRiskState": "A String", # Output only. Status of the Web Risk submission.
      "whois": { # The whois details of the suspicious domain. # The whois details of the suspicious domain.
        "retrievalTime": "A String", # The time the whois details were retrieved.
        "whois": "A String", # The whois details of the suspicious domain.
      },
    },
    "targetTechnology": { # Contains details for a technology watchlist alert. # Technology Watchlist alert detail type.
      "vulnerabilityMatch": { # Contains details about a vulnerability match. # Output only. The vulnerability match details.
        "associations": [ # Optional. Associated threat actors, malware, etc. This is embedded as a snapshot because the details of the association at the time of the vulnerability match are important for context and reporting.
          { # Represents an association with a vulnerability.
            "id": "A String", # Required. The ID of the association.
            "type": "A String", # Required. The type of the association.
          },
        ],
        "collectionId": "A String", # Output only. The collection ID of the vulnerability. Ex: "vulnerability--cve-2025-9876".
        "cveId": "A String", # Output only. The CVE ID of the vulnerability. Ex: "CVE-2025-9876". See https://www.cve.org/ for more information.
        "cvss3Score": 3.14, # Output only. The CVSS v3 score of the vulnerability. Example: 6.4.
        "description": "A String", # Output only. A description of the vulnerability.
        "exploitationState": "A String", # Output only. The exploitation state of the vulnerability.
        "riskRating": "A String", # Output only. The risk rating of the vulnerability.
        "technologies": [ # Output only. The affected technologies. Ex: "Apache Struts".
          "A String",
        ],
      },
    },
  },
  "displayName": "A String", # Output only. A short title for the alert.
  "duplicateOf": "A String", # Output only. alert name of the alert this alert is a duplicate of. Format: projects/{project}/alerts/{alert}
  "duplicatedBy": [ # Output only. alert names of the alerts that are duplicates of this alert. Format: projects/{project}/alerts/{alert}
    "A String",
  ],
  "etag": "A String", # Optional. If included when updating an alert, this should be set to the current etag of the alert. If the etags do not match, the update will be rejected and an ABORTED error will be returned.
  "externalId": "A String", # Output only. External ID for the alert. This is used internally to provide protection against out of order updates.
  "findings": [ # Output only. Findings that are covered by this alert.
    "A String",
  ],
  "name": "A String", # Identifier. Server generated name for the alert. format is projects/{project}/alerts/{alert}
  "priorityAnalysis": { # Structured priority analysis for a threat. # Output only. High-Precision Priority Analysis for the alert.
    "confidence": "A String", # The level of confidence in the given verdict.
    "priorityLevel": "A String", # The level of Priority.
    "reasoning": "A String", # Human-readable explanation from the model, detailing why a particular result is considered to have a certain priority.
  },
  "relevanceAnalysis": { # Structured relevance analysis for a threat. # Output only. High-Precision Relevance Analysis verdict for the alert.
    "confidence": "A String", # The level of confidence in the given verdict.
    "evidence": { # Details the evidence used to determine the relevance verdict. # Evidence supporting the verdict, including matched and unmatched items.
      "commonThemes": [ # A list of semantic themes or concepts found to be common, related, or aligned between the sources, supporting the verdict.
        "A String",
      ],
      "distinctThemes": [ # A list of semantic themes or descriptions unique to one source or semantically distant.
        "A String",
      ],
    },
    "reasoning": "A String", # Human-readable explanation from the matcher, detailing why a particular result is considered relevant or not relevant.
    "relevanceLevel": "A String", # The level of relevance.
    "relevant": True or False, # Indicates whether the threat is considered relevant.
  },
  "severityAnalysis": { # Structured severity analysis for a threat. # Output only. High-Precision Severity Analysis for the alert.
    "confidence": "A String", # The level of confidence in the given verdict.
    "reasoning": "A String", # Human-readable explanation from the model, detailing why a particular result is considered to have a certain severity.
    "severityLevel": "A String", # The level of severity.
  },
  "state": "A String", # Output only. State of the alert.
}

close()
Close httplib2 connections.

duplicate(name, body=None, x__xgafv=None)
Marks an alert as a duplicate of another alert. - DUPLICATE.

Args:
  name: string, Required. Name of the alert to mark as a duplicate. Format: projects/{project}/alerts/{alert} (required)
  body: object, The request body.
    The object takes the form of:

{ # Request message for MarkAlertAsDuplicate.
  "duplicateOf": "A String", # Optional. Name of the alert to mark as a duplicate of. Format: projects/{project}/alerts/{alert}
}

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Stateful object representing a group of Findings. Key feature to an Alert is that it expresses the user's intent towards the findings of that group, even those that haven't occurred yet.
  "aiSummary": "A String", # Optional. AI summary of the finding.
  "assets": [ # Output only. Assets that are impacted by this alert.
    "A String",
  ],
  "audit": { # Tracks basic CRUD facts. # Output only. Audit information for the alert.
    "createTime": "A String", # Output only. Time of creation.
    "creator": "A String", # Output only. Agent that created or updated the record, could be a UserId or a JobId.
    "updateTime": "A String", # Output only. Time of creation or last update.
    "updater": "A String", # Output only. Agent that last updated the record, could be a UserId or a JobId.
  },
  "configurations": [ # Output only. The resource names of the Configurations bound to this alert. Format: projects/{project}/configurations/{configuration}
    "A String",
  ],
  "detail": { # Container for different types of alert details. # Output only. Details object for the alert, not all alerts will have a details object.
    "dataLeak": { # Captures the specific details of Data Leak alert. # Data Leak alert detail type.
      "discoveryDocumentIds": [ # Required. Array of ids to accommodate multiple discovery documents
        "A String",
      ],
      "severity": "A String", # Required. Data Leak specific severity. This will be the string representation of the DataLeakFindingDetail.Severity enum (e.g., "LOW", "MEDIUM", "HIGH", "CRITICAL").
    },
    "detailType": "A String", # Output only. Name of the detail type. Will be set by the server during creation to the name of the field that is set in the detail union.
    "initialAccessBroker": { # Captures the specific details of InitialAccessBroker (IAB) alert. # Initial Access Broker alert detail type.
      "discoveryDocumentIds": [ # Required. Array of ids to accommodate multiple discovery documents
        "A String",
      ],
      "severity": "A String", # Required. IAB specific severity
    },
    "insiderThreat": { # Captures the specific details of InsiderThreat alert. # Insider Threat alert detail type.
      "discoveryDocumentIds": [ # Required. Array of ids to accommodate multiple discovery documents
        "A String",
      ],
      "severity": "A String", # Required. InsiderThreat specific severity. This will be the string representation of the InsiderThreatFindingDetail.Severity enum (e.g., "LOW", "MEDIUM", "HIGH", "CRITICAL").
    },
    "suspiciousDomain": { # The alert detail for a suspicious domain finding. # Domain Monitoring alert detail type.
      "dns": { # The DNS details of the suspicious domain. # The DNS details of the suspicious domain.
        "dnsRecords": [ # The DNS records of the suspicious domain.
          { # The DNS record of the suspicious domain.
            "record": "A String", # The name of the DNS record.
            "ttl": 42, # The TTL of the DNS record.
            "type": "A String", # The type of the DNS record.
            "value": "A String", # The value of the DNS record.
          },
        ],
        "retrievalTime": "A String", # The time the DNS details were retrieved.
      },
      "domain": "A String", # Required. The suspicious domain name.
      "gtiDetails": { # The GTI details of the suspicious domain. # The GTI details of the suspicious domain.
        "threatScore": 42, # The threat score of the suspicious domain. The threat score is a number between 0 and 100.
        "verdict": "A String", # Output only. The verdict of the suspicious domain.
        "virustotalUri": "A String", # VirusTotal link for the domain
      },
      "webRiskOperation": "A String", # Output only. Name of Web Risk submission operation.
      "webRiskState": "A String", # Output only. Status of the Web Risk submission.
      "whois": { # The whois details of the suspicious domain. # The whois details of the suspicious domain.
        "retrievalTime": "A String", # The time the whois details were retrieved.
        "whois": "A String", # The whois details of the suspicious domain.
      },
    },
    "targetTechnology": { # Contains details for a technology watchlist alert. # Technology Watchlist alert detail type.
      "vulnerabilityMatch": { # Contains details about a vulnerability match. # Output only. The vulnerability match details.
        "associations": [ # Optional. Associated threat actors, malware, etc. This is embedded as a snapshot because the details of the association at the time of the vulnerability match are important for context and reporting.
          { # Represents an association with a vulnerability.
            "id": "A String", # Required. The ID of the association.
            "type": "A String", # Required. The type of the association.
          },
        ],
        "collectionId": "A String", # Output only. The collection ID of the vulnerability. Ex: "vulnerability--cve-2025-9876".
        "cveId": "A String", # Output only. The CVE ID of the vulnerability. Ex: "CVE-2025-9876". See https://www.cve.org/ for more information.
        "cvss3Score": 3.14, # Output only. The CVSS v3 score of the vulnerability. Example: 6.4.
        "description": "A String", # Output only. A description of the vulnerability.
        "exploitationState": "A String", # Output only. The exploitation state of the vulnerability.
        "riskRating": "A String", # Output only. The risk rating of the vulnerability.
        "technologies": [ # Output only. The affected technologies. Ex: "Apache Struts".
          "A String",
        ],
      },
    },
  },
  "displayName": "A String", # Output only. A short title for the alert.
  "duplicateOf": "A String", # Output only. alert name of the alert this alert is a duplicate of. Format: projects/{project}/alerts/{alert}
  "duplicatedBy": [ # Output only. alert names of the alerts that are duplicates of this alert. Format: projects/{project}/alerts/{alert}
    "A String",
  ],
  "etag": "A String", # Optional. If included when updating an alert, this should be set to the current etag of the alert. If the etags do not match, the update will be rejected and an ABORTED error will be returned.
  "externalId": "A String", # Output only. External ID for the alert. This is used internally to provide protection against out of order updates.
  "findings": [ # Output only. Findings that are covered by this alert.
    "A String",
  ],
  "name": "A String", # Identifier. Server generated name for the alert. format is projects/{project}/alerts/{alert}
  "priorityAnalysis": { # Structured priority analysis for a threat. # Output only. High-Precision Priority Analysis for the alert.
    "confidence": "A String", # The level of confidence in the given verdict.
    "priorityLevel": "A String", # The level of Priority.
    "reasoning": "A String", # Human-readable explanation from the model, detailing why a particular result is considered to have a certain priority.
  },
  "relevanceAnalysis": { # Structured relevance analysis for a threat. # Output only. High-Precision Relevance Analysis verdict for the alert.
    "confidence": "A String", # The level of confidence in the given verdict.
    "evidence": { # Details the evidence used to determine the relevance verdict. # Evidence supporting the verdict, including matched and unmatched items.
      "commonThemes": [ # A list of semantic themes or concepts found to be common, related, or aligned between the sources, supporting the verdict.
        "A String",
      ],
      "distinctThemes": [ # A list of semantic themes or descriptions unique to one source or semantically distant.
        "A String",
      ],
    },
    "reasoning": "A String", # Human-readable explanation from the matcher, detailing why a particular result is considered relevant or not relevant.
    "relevanceLevel": "A String", # The level of relevance.
    "relevant": True or False, # Indicates whether the threat is considered relevant.
  },
  "severityAnalysis": { # Structured severity analysis for a threat. # Output only. High-Precision Severity Analysis for the alert.
    "confidence": "A String", # The level of confidence in the given verdict.
    "reasoning": "A String", # Human-readable explanation from the model, detailing why a particular result is considered to have a certain severity.
    "severityLevel": "A String", # The level of severity.
  },
  "state": "A String", # Output only. State of the alert.
}

enumerateFacets(parent, filter=None, x__xgafv=None)
EnumerateAlertFacets returns the facets and the number of alerts that meet the filter criteria and have that value for each facet.

Args:
  parent: string, Required. Parent of the alerts. (required)
  filter: string, Optional. Filter on what alerts will be enumerated.
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Response message for EnumerateAlertFacets.
  "facets": [ # List of facets and the counts.
    { # Facet represents a sub element of a resource for filtering. The results from this method are used to populate the filterable facets in the UI.
      "facet": "A String", # Name of the facet. This is also the string that needs to be used in the filtering expression.
      "facetCounts": [ # List of counts for the facet (if categorical).
        { # FacetCount represents a count of records with each facet value.
          "count": 42, # Count of records with the value.
          "value": "A String", # Value of the facet stringified. Timestamps will be formatted using RFC3339.
        },
      ],
      "facetType": "A String", # The type of the facet. Options include "string", "int", "float", "bool", "enum", "timestamp", "user" and are useful to show the right sort of UI controls when building an AIP-160 style filtering string.
      "maxValue": "A String", # Max value of the facet stringified based on type. Will be populated and formatted the same as min_value.
      "minValue": "A String", # Min value of the facet stringified based on type. This is only populated for facets that have a clear ordering, for types like enum it will be left empty. Timestamps will be formatted using RFC3339.
      "totalCount": "A String", # Total number of records that contain this facet with ANY value.
    },
  ],
}

escalate(name, body=None, x__xgafv=None)
Marks an alert as escalated - ESCALATED.

Args:
  name: string, Required. Name of the alert to mark as escalated. Format: projects/{project}/alerts/{alert} (required)
  body: object, The request body.
    The object takes the form of:

{ # Request message for MarkAlertAsEscalated.
}

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Stateful object representing a group of Findings. Key feature to an Alert is that it expresses the user's intent towards the findings of that group, even those that haven't occurred yet.
  "aiSummary": "A String", # Optional. AI summary of the finding.
  "assets": [ # Output only. Assets that are impacted by this alert.
    "A String",
  ],
  "audit": { # Tracks basic CRUD facts. # Output only. Audit information for the alert.
    "createTime": "A String", # Output only. Time of creation.
    "creator": "A String", # Output only. Agent that created or updated the record, could be a UserId or a JobId.
    "updateTime": "A String", # Output only. Time of creation or last update.
    "updater": "A String", # Output only. Agent that last updated the record, could be a UserId or a JobId.
  },
  "configurations": [ # Output only. The resource names of the Configurations bound to this alert. Format: projects/{project}/configurations/{configuration}
    "A String",
  ],
  "detail": { # Container for different types of alert details. # Output only. Details object for the alert, not all alerts will have a details object.
    "dataLeak": { # Captures the specific details of Data Leak alert. # Data Leak alert detail type.
      "discoveryDocumentIds": [ # Required. Array of ids to accommodate multiple discovery documents
        "A String",
      ],
      "severity": "A String", # Required. Data Leak specific severity. This will be the string representation of the DataLeakFindingDetail.Severity enum (e.g., "LOW", "MEDIUM", "HIGH", "CRITICAL").
    },
    "detailType": "A String", # Output only. Name of the detail type. Will be set by the server during creation to the name of the field that is set in the detail union.
    "initialAccessBroker": { # Captures the specific details of InitialAccessBroker (IAB) alert. # Initial Access Broker alert detail type.
      "discoveryDocumentIds": [ # Required. Array of ids to accommodate multiple discovery documents
        "A String",
      ],
      "severity": "A String", # Required. IAB specific severity
    },
    "insiderThreat": { # Captures the specific details of InsiderThreat alert. # Insider Threat alert detail type.
      "discoveryDocumentIds": [ # Required. Array of ids to accommodate multiple discovery documents
        "A String",
      ],
      "severity": "A String", # Required. InsiderThreat specific severity. This will be the string representation of the InsiderThreatFindingDetail.Severity enum (e.g., "LOW", "MEDIUM", "HIGH", "CRITICAL").
    },
    "suspiciousDomain": { # The alert detail for a suspicious domain finding. # Domain Monitoring alert detail type.
      "dns": { # The DNS details of the suspicious domain. # The DNS details of the suspicious domain.
        "dnsRecords": [ # The DNS records of the suspicious domain.
          { # The DNS record of the suspicious domain.
            "record": "A String", # The name of the DNS record.
            "ttl": 42, # The TTL of the DNS record.
            "type": "A String", # The type of the DNS record.
            "value": "A String", # The value of the DNS record.
          },
        ],
        "retrievalTime": "A String", # The time the DNS details were retrieved.
      },
      "domain": "A String", # Required. The suspicious domain name.
      "gtiDetails": { # The GTI details of the suspicious domain. # The GTI details of the suspicious domain.
        "threatScore": 42, # The threat score of the suspicious domain. The threat score is a number between 0 and 100.
        "verdict": "A String", # Output only. The verdict of the suspicious domain.
        "virustotalUri": "A String", # VirusTotal link for the domain
      },
      "webRiskOperation": "A String", # Output only. Name of Web Risk submission operation.
      "webRiskState": "A String", # Output only. Status of the Web Risk submission.
      "whois": { # The whois details of the suspicious domain. # The whois details of the suspicious domain.
        "retrievalTime": "A String", # The time the whois details were retrieved.
        "whois": "A String", # The whois details of the suspicious domain.
      },
    },
    "targetTechnology": { # Contains details for a technology watchlist alert. # Technology Watchlist alert detail type.
      "vulnerabilityMatch": { # Contains details about a vulnerability match. # Output only. The vulnerability match details.
        "associations": [ # Optional. Associated threat actors, malware, etc. This is embedded as a snapshot because the details of the association at the time of the vulnerability match are important for context and reporting.
          { # Represents an association with a vulnerability.
            "id": "A String", # Required. The ID of the association.
            "type": "A String", # Required. The type of the association.
          },
        ],
        "collectionId": "A String", # Output only. The collection ID of the vulnerability. Ex: "vulnerability--cve-2025-9876".
        "cveId": "A String", # Output only. The CVE ID of the vulnerability. Ex: "CVE-2025-9876". See https://www.cve.org/ for more information.
        "cvss3Score": 3.14, # Output only. The CVSS v3 score of the vulnerability. Example: 6.4.
        "description": "A String", # Output only. A description of the vulnerability.
        "exploitationState": "A String", # Output only. The exploitation state of the vulnerability.
        "riskRating": "A String", # Output only. The risk rating of the vulnerability.
        "technologies": [ # Output only. The affected technologies. Ex: "Apache Struts".
          "A String",
        ],
      },
    },
  },
  "displayName": "A String", # Output only. A short title for the alert.
  "duplicateOf": "A String", # Output only. alert name of the alert this alert is a duplicate of. Format: projects/{project}/alerts/{alert}
  "duplicatedBy": [ # Output only. alert names of the alerts that are duplicates of this alert. Format: projects/{project}/alerts/{alert}
    "A String",
  ],
  "etag": "A String", # Optional. If included when updating an alert, this should be set to the current etag of the alert. If the etags do not match, the update will be rejected and an ABORTED error will be returned.
  "externalId": "A String", # Output only. External ID for the alert. This is used internally to provide protection against out of order updates.
  "findings": [ # Output only. Findings that are covered by this alert.
    "A String",
  ],
  "name": "A String", # Identifier. Server generated name for the alert. format is projects/{project}/alerts/{alert}
  "priorityAnalysis": { # Structured priority analysis for a threat. # Output only. High-Precision Priority Analysis for the alert.
    "confidence": "A String", # The level of confidence in the given verdict.
    "priorityLevel": "A String", # The level of Priority.
    "reasoning": "A String", # Human-readable explanation from the model, detailing why a particular result is considered to have a certain priority.
  },
  "relevanceAnalysis": { # Structured relevance analysis for a threat. # Output only. High-Precision Relevance Analysis verdict for the alert.
    "confidence": "A String", # The level of confidence in the given verdict.
    "evidence": { # Details the evidence used to determine the relevance verdict. # Evidence supporting the verdict, including matched and unmatched items.
      "commonThemes": [ # A list of semantic themes or concepts found to be common, related, or aligned between the sources, supporting the verdict.
        "A String",
      ],
      "distinctThemes": [ # A list of semantic themes or descriptions unique to one source or semantically distant.
        "A String",
      ],
    },
    "reasoning": "A String", # Human-readable explanation from the matcher, detailing why a particular result is considered relevant or not relevant.
    "relevanceLevel": "A String", # The level of relevance.
    "relevant": True or False, # Indicates whether the threat is considered relevant.
  },
  "severityAnalysis": { # Structured severity analysis for a threat. # Output only. High-Precision Severity Analysis for the alert.
    "confidence": "A String", # The level of confidence in the given verdict.
    "reasoning": "A String", # Human-readable explanation from the model, detailing why a particular result is considered to have a certain severity.
    "severityLevel": "A String", # The level of severity.
  },
  "state": "A String", # Output only. State of the alert.
}
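
An added example, not part of the generated reference or of Google's code: planning duplicate() and escalate() calls from the Alert fields documented above, then sending them. Assumptions: `alerts_resource` is the object this page documents and its requests are run with `.execute()`; `state` carries the names shown in the method descriptions; `createTime` is an RFC 3339 UTC string; the HIGH/CRITICAL threshold, the `RecordingAlerts` stand-in and the sample alerts are constructed here.

```python
import re
from datetime import datetime

ALERT_NAME = re.compile(r"^projects/[^/]+/alerts/[^/]+$")  # name format given on this page
SEVERITY_DETAILS = ("dataLeak", "initialAccessBroker", "insiderThreat")
ESCALATE_AT = {"HIGH", "CRITICAL"}  # assumed local policy, not an API default
# Assumption: `state` uses the names shown in the method descriptions above.
HANDLED = {"BENIGN", "DUPLICATE", "ESCALATED", "FALSE_POSITIVE",
           "NOT_ACTIONABLE", "RESOLVED", "TRACKED_EXTERNALLY"}


def created(alert):
    """Sort key from audit.createTime; assumes RFC 3339 UTC ("...Z") strings."""
    raw = (alert.get("audit") or {}).get("createTime") or ""
    head, _, frac = raw.rstrip("Z").partition(".")
    try:
        return (datetime.fromisoformat(head), frac.ljust(9, "0"))
    except ValueError:
        return (datetime.max, "")  # missing or unparsable: sorts last


def severity(alert):
    """Type-specific severity string from the detail union, or None."""
    detail = alert.get("detail") or {}
    for key in SEVERITY_DETAILS:
        if key in detail:
            return (detail[key] or {}).get("severity")
    return None


def plan_actions(alerts):
    """Return [(method, name, body)] using only methods documented on this page."""
    valid = [a for a in alerts if ALERT_NAME.match(a.get("name", ""))]
    by_domain, actions, dupes = {}, [], set()
    for a in sorted(valid, key=created):  # oldest alert per domain is canonical
        sd = (a.get("detail") or {}).get("suspiciousDomain") or {}
        domain = sd.get("domain", "").rstrip(".").lower()
        if not domain:
            continue
        if a.get("duplicateOf"):  # already linked server-side: reuse its target
            by_domain.setdefault(domain, a["duplicateOf"])
            continue
        canonical = by_domain.setdefault(domain, a["name"])
        if canonical != a["name"] and a.get("state") not in HANDLED:
            actions.append(("duplicate", a["name"], {"duplicateOf": canonical}))
            dupes.add(a["name"])
    for a in valid:
        if (a["name"] not in dupes and not a.get("duplicateOf")
                and a.get("state") not in HANDLED and severity(a) in ESCALATE_AT):
            actions.append(("escalate", a["name"], {}))  # empty request body
    return actions


def apply_actions(alerts_resource, actions):
    """Send each planned action through the alerts resource."""
    results = []
    for method, name, body in actions:
        if method not in ("duplicate", "escalate"):
            raise ValueError(f"unexpected method {method!r}")
        results.append(getattr(alerts_resource, method)(name=name, body=body).execute())
    return results


class RecordingAlerts:
    """Offline stand-in for the alerts resource (constructed for this example)."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, method):
        def build(name, body=None):
            self.calls.append((method, name, body))
            return self  # stands in for the request object that has execute()
        return build

    def execute(self):
        return {"name": self.calls[-1][1]}


# Constructed sample alerts in the documented Alert shape (not real data).
SAMPLE_ALERTS = [
    {"name": "projects/demo/alerts/a2", "state": "READ",
     "audit": {"createTime": "2025-03-02T08:30:00.250Z"},
     "detail": {"suspiciousDomain": {"domain": "Example-Login.test."}}},
    {"name": "projects/demo/alerts/a1", "state": "READ",
     "audit": {"createTime": "2025-03-01T10:00:00Z"},
     "detail": {"suspiciousDomain": {"domain": "example-login.test"}}},
    {"name": "projects/demo/alerts/a3", "state": "TRIAGED",
     "detail": {"dataLeak": {"discoveryDocumentIds": ["d1"], "severity": "CRITICAL"}}},
    {"name": "projects/demo/alerts/a4", "state": "READ",
     "detail": {"insiderThreat": {"discoveryDocumentIds": ["d2"], "severity": "LOW"}}},
    {"name": "projects/demo/alerts/a5", "state": "ESCALATED",
     "detail": {"dataLeak": {"discoveryDocumentIds": ["d3"], "severity": "HIGH"}}},
    {"name": "alerts/a6",  # malformed name: never sent to the API
     "detail": {"dataLeak": {"discoveryDocumentIds": ["d4"], "severity": "CRITICAL"}}},
]

if __name__ == "__main__":
    for action in plan_actions(SAMPLE_ALERTS):
        print(action)
```
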

falsePositive(name, body=None, x__xgafv=None)
Marks an alert as a false positive - FALSE_POSITIVE.

Args:
  name: string, Required. Name of the alert to mark as a false positive. Format: projects/{project}/alerts/{alert} (required)
  body: object, The request body.
    The object takes the form of:

{ # Request message for MarkAlertAsFalsePositive.
}

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Stateful object representing a group of Findings. Key feature to an Alert is that it expresses the user's intent towards the findings of that group, even those that haven't occurred yet.
  "aiSummary": "A String", # Optional. AI summary of the finding.
  "assets": [ # Output only. Assets that are impacted by this alert.
    "A String",
  ],
  "audit": { # Tracks basic CRUD facts. # Output only. Audit information for the alert.
    "createTime": "A String", # Output only. Time of creation.
    "creator": "A String", # Output only. Agent that created or updated the record, could be a UserId or a JobId.
    "updateTime": "A String", # Output only. Time of creation or last update.
    "updater": "A String", # Output only. Agent that last updated the record, could be a UserId or a JobId.
  },
  "configurations": [ # Output only. The resource names of the Configurations bound to this alert. Format: projects/{project}/configurations/{configuration}
    "A String",
  ],
  "detail": { # Container for different types of alert details. # Output only. Details object for the alert, not all alerts will have a details object.
    "dataLeak": { # Captures the specific details of Data Leak alert. # Data Leak alert detail type.
      "discoveryDocumentIds": [ # Required. Array of ids to accommodate multiple discovery documents
        "A String",
      ],
      "severity": "A String", # Required. Data Leak specific severity. This will be the string representation of the DataLeakFindingDetail.Severity enum (e.g., "LOW", "MEDIUM", "HIGH", "CRITICAL").
    },
    "detailType": "A String", # Output only. Name of the detail type. Will be set by the server during creation to the name of the field that is set in the detail union.
    "initialAccessBroker": { # Captures the specific details of InitialAccessBroker (IAB) alert. # Initial Access Broker alert detail type.
      "discoveryDocumentIds": [ # Required. Array of ids to accommodate multiple discovery documents
        "A String",
      ],
      "severity": "A String", # Required. IAB specific severity
    },
    "insiderThreat": { # Captures the specific details of InsiderThreat alert. # Insider Threat alert detail type.
      "discoveryDocumentIds": [ # Required. Array of ids to accommodate multiple discovery documents
        "A String",
      ],
      "severity": "A String", # Required. InsiderThreat specific severity. This will be the string representation of the InsiderThreatFindingDetail.Severity enum (e.g., "LOW", "MEDIUM", "HIGH", "CRITICAL").
    },
    "suspiciousDomain": { # The alert detail for a suspicious domain finding. # Domain Monitoring alert detail type.
      "dns": { # The DNS details of the suspicious domain. # The DNS details of the suspicious domain.
        "dnsRecords": [ # The DNS records of the suspicious domain.
          { # The DNS record of the suspicious domain.
            "record": "A String", # The name of the DNS record.
            "ttl": 42, # The TTL of the DNS record.
            "type": "A String", # The type of the DNS record.
            "value": "A String", # The value of the DNS record.
          },
        ],
        "retrievalTime": "A String", # The time the DNS details were retrieved.
      },
      "domain": "A String", # Required. The suspicious domain name.
      "gtiDetails": { # The GTI details of the suspicious domain. # The GTI details of the suspicious domain.
        "threatScore": 42, # The threat score of the suspicious domain. The threat score is a number between 0 and 100.
        "verdict": "A String", # Output only. The verdict of the suspicious domain.
        "virustotalUri": "A String", # VirusTotal link for the domain
      },
      "webRiskOperation": "A String", # Output only. Name of Web Risk submission operation.
      "webRiskState": "A String", # Output only. Status of the Web Risk submission.
      "whois": { # The whois details of the suspicious domain. # The whois details of the suspicious domain.
        "retrievalTime": "A String", # The time the whois details were retrieved.
        "whois": "A String", # The whois details of the suspicious domain.
      },
    },
    "targetTechnology": { # Contains details for a technology watchlist alert. # Technology Watchlist alert detail type.
      "vulnerabilityMatch": { # Contains details about a vulnerability match. # Output only. The vulnerability match details.
        "associations": [ # Optional. Associated threat actors, malware, etc. This is embedded as a snapshot because the details of the association at the time of the vulnerability match are important for context and reporting.
          { # Represents an association with a vulnerability.
            "id": "A String", # Required. The ID of the association.
            "type": "A String", # Required. The type of the association.
          },
        ],
        "collectionId": "A String", # Output only. The collection ID of the vulnerability. Ex: "vulnerability--cve-2025-9876".
        "cveId": "A String", # Output only. The CVE ID of the vulnerability. Ex: "CVE-2025-9876". See https://www.cve.org/ for more information.
        "cvss3Score": 3.14, # Output only. The CVSS v3 score of the vulnerability. Example: 6.4.
        "description": "A String", # Output only. A description of the vulnerability.
        "exploitationState": "A String", # Output only. The exploitation state of the vulnerability.
        "riskRating": "A String", # Output only. The risk rating of the vulnerability.
        "technologies": [ # Output only. The affected technologies. Ex: "Apache Struts".
          "A String",
        ],
      },
    },
  },
  "displayName": "A String", # Output only. A short title for the alert.
  "duplicateOf": "A String", # Output only. alert name of the alert this alert is a duplicate of. Format: projects/{project}/alerts/{alert}
  "duplicatedBy": [ # Output only. alert names of the alerts that are duplicates of this alert. Format: projects/{project}/alerts/{alert}
    "A String",
  ],
  "etag": "A String", # Optional. If included when updating an alert, this should be set to the current etag of the alert. If the etags do not match, the update will be rejected and an ABORTED error will be returned.
  "externalId": "A String", # Output only. External ID for the alert. This is used internally to provide protection against out of order updates.
  "findings": [ # Output only. Findings that are covered by this alert.
    "A String",
  ],
  "name": "A String", # Identifier. Server generated name for the alert. format is projects/{project}/alerts/{alert}
  "priorityAnalysis": { # Structured priority analysis for a threat. # Output only. High-Precision Priority Analysis for the alert.
    "confidence": "A String", # The level of confidence in the given verdict.
    "priorityLevel": "A String", # The level of Priority.
    "reasoning": "A String", # Human-readable explanation from the model, detailing why a particular result is considered to have a certain priority.
  },
  "relevanceAnalysis": { # Structured relevance analysis for a threat. # Output only. High-Precision Relevance Analysis verdict for the alert.
    "confidence": "A String", # The level of confidence in the given verdict.
    "evidence": { # Details the evidence used to determine the relevance verdict. # Evidence supporting the verdict, including matched and unmatched items.
      "commonThemes": [ # A list of semantic themes or concepts found to be common, related, or aligned between the sources, supporting the verdict.
        "A String",
      ],
      "distinctThemes": [ # A list of semantic themes or descriptions unique to one source or semantically distant.
        "A String",
      ],
    },
    "reasoning": "A String", # Human-readable explanation from the matcher, detailing why a particular result is considered relevant or not relevant.
    "relevanceLevel": "A String", # The level of relevance.
    "relevant": True or False, # Indicates whether the threat is considered relevant.
  },
  "severityAnalysis": { # Structured severity analysis for a threat. # Output only. High-Precision Severity Analysis for the alert.
    "confidence": "A String", # The level of confidence in the given verdict.
    "reasoning": "A String", # Human-readable explanation from the model, detailing why a particular result is considered to have a certain severity.
    "severityLevel": "A String", # The level of severity.
  },
  "state": "A String", # Output only. State of the alert.
}
get(name, x__xgafv=None)
Get an alert by name.

Args:
  name: string, Required. Name of the alert to get. Format: projects/{project}/alerts/{alert} (required)
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Stateful object representing a group of Findings. Key feature to an Alert is that it expresses the user's intent towards the findings of that group, even those that haven't occurred yet.
  "aiSummary": "A String", # Optional. AI summary of the finding.
  "assets": [ # Output only. Assets that are impacted by this alert.
    "A String",
  ],
  "audit": { # Tracks basic CRUD facts. # Output only. Audit information for the alert.
    "createTime": "A String", # Output only. Time of creation.
    "creator": "A String", # Output only. Agent that created or updated the record, could be a UserId or a JobId.
    "updateTime": "A String", # Output only. Time of creation or last update.
    "updater": "A String", # Output only. Agent that last updated the record, could be a UserId or a JobId.
  },
  "configurations": [ # Output only. The resource names of the Configurations bound to this alert. Format: projects/{project}/configurations/{configuration}
    "A String",
  ],
  "detail": { # Container for different types of alert details. # Output only. Details object for the alert, not all alerts will have a details object.
    "dataLeak": { # Captures the specific details of Data Leak alert. # Data Leak alert detail type.
      "discoveryDocumentIds": [ # Required. Array of ids to accommodate multiple discovery documents
        "A String",
      ],
      "severity": "A String", # Required. Data Leak specific severity. This will be the string representation of the DataLeakFindingDetail.Severity enum (e.g., "LOW", "MEDIUM", "HIGH", "CRITICAL").
    },
    "detailType": "A String", # Output only. Name of the detail type. Will be set by the server during creation to the name of the field that is set in the detail union.
    "initialAccessBroker": { # Captures the specific details of InitialAccessBroker (IAB) alert. # Initial Access Broker alert detail type.
      "discoveryDocumentIds": [ # Required. Array of ids to accommodate multiple discovery documents
        "A String",
      ],
      "severity": "A String", # Required. IAB specific severity
    },
    "insiderThreat": { # Captures the specific details of InsiderThreat alert. # Insider Threat alert detail type.
      "discoveryDocumentIds": [ # Required. Array of ids to accommodate multiple discovery documents
        "A String",
      ],
      "severity": "A String", # Required. InsiderThreat specific severity. This will be the string representation of the InsiderThreatFindingDetail.Severity enum (e.g., "LOW", "MEDIUM", "HIGH", "CRITICAL").
    },
    "suspiciousDomain": { # The alert detail for a suspicious domain finding. # Domain Monitoring alert detail type.
      "dns": { # The DNS details of the suspicious domain. # The DNS details of the suspicious domain.
        "dnsRecords": [ # The DNS records of the suspicious domain.
          { # The DNS record of the suspicious domain.
            "record": "A String", # The name of the DNS record.
            "ttl": 42, # The TTL of the DNS record.
            "type": "A String", # The type of the DNS record.
            "value": "A String", # The value of the DNS record.
          },
        ],
        "retrievalTime": "A String", # The time the DNS details were retrieved.
      },
      "domain": "A String", # Required. The suspicious domain name.
      "gtiDetails": { # The GTI details of the suspicious domain. # The GTI details of the suspicious domain.
        "threatScore": 42, # The threat score of the suspicious domain. The threat score is a number between 0 and 100.
        "verdict": "A String", # Output only. The verdict of the suspicious domain.
        "virustotalUri": "A String", # VirusTotal link for the domain
      },
      "webRiskOperation": "A String", # Output only. Name of Web Risk submission operation.
      "webRiskState": "A String", # Output only. Status of the Web Risk submission.
      "whois": { # The whois details of the suspicious domain. # The whois details of the suspicious domain.
        "retrievalTime": "A String", # The time the whois details were retrieved.
        "whois": "A String", # The whois details of the suspicious domain.
      },
    },
    "targetTechnology": { # Contains details for a technology watchlist alert. # Technology Watchlist alert detail type.
      "vulnerabilityMatch": { # Contains details about a vulnerability match. # Output only. The vulnerability match details.
        "associations": [ # Optional. Associated threat actors, malware, etc. This is embedded as a snapshot because the details of the association at the time of the vulnerability match are important for context and reporting.
          { # Represents an association with a vulnerability.
            "id": "A String", # Required. The ID of the association.
            "type": "A String", # Required. The type of the association.
          },
        ],
        "collectionId": "A String", # Output only. The collection ID of the vulnerability. Ex: "vulnerability--cve-2025-9876".
        "cveId": "A String", # Output only. The CVE ID of the vulnerability. Ex: "CVE-2025-9876". See https://www.cve.org/ for more information.
        "cvss3Score": 3.14, # Output only. The CVSS v3 score of the vulnerability. Example: 6.4.
        "description": "A String", # Output only. A description of the vulnerability.
        "exploitationState": "A String", # Output only. The exploitation state of the vulnerability.
        "riskRating": "A String", # Output only. The risk rating of the vulnerability.
        "technologies": [ # Output only. The affected technologies. Ex: "Apache Struts".
          "A String",
        ],
      },
    },
  },
  "displayName": "A String", # Output only. A short title for the alert.
  "duplicateOf": "A String", # Output only. alert name of the alert this alert is a duplicate of. Format: projects/{project}/alerts/{alert}
  "duplicatedBy": [ # Output only. alert names of the alerts that are duplicates of this alert. Format: projects/{project}/alerts/{alert}
    "A String",
  ],
  "etag": "A String", # Optional. If included when updating an alert, this should be set to the current etag of the alert. If the etags do not match, the update will be rejected and an ABORTED error will be returned.
  "externalId": "A String", # Output only. External ID for the alert. This is used internally to provide protection against out of order updates.
  "findings": [ # Output only. Findings that are covered by this alert.
    "A String",
  ],
  "name": "A String", # Identifier. Server generated name for the alert. format is projects/{project}/alerts/{alert}
  "priorityAnalysis": { # Structured priority analysis for a threat. # Output only. High-Precision Priority Analysis for the alert.
    "confidence": "A String", # The level of confidence in the given verdict.
    "priorityLevel": "A String", # The level of Priority.
    "reasoning": "A String", # Human-readable explanation from the model, detailing why a particular result is considered to have a certain priority.
  },
  "relevanceAnalysis": { # Structured relevance analysis for a threat. # Output only. High-Precision Relevance Analysis verdict for the alert.
    "confidence": "A String", # The level of confidence in the given verdict.
    "evidence": { # Details the evidence used to determine the relevance verdict. # Evidence supporting the verdict, including matched and unmatched items.
      "commonThemes": [ # A list of semantic themes or concepts found to be common, related, or aligned between the sources, supporting the verdict.
        "A String",
      ],
      "distinctThemes": [ # A list of semantic themes or descriptions unique to one source or semantically distant.
        "A String",
      ],
    },
    "reasoning": "A String", # Human-readable explanation from the matcher, detailing why a particular result is considered relevant or not relevant.
    "relevanceLevel": "A String", # The level of relevance.
    "relevant": True or False, # Indicates whether the threat is considered relevant.
  },
  "severityAnalysis": { # Structured severity analysis for a threat. # Output only. High-Precision Severity Analysis for the alert.
    "confidence": "A String", # The level of confidence in the given verdict.
    "reasoning": "A String", # Human-readable explanation from the model, detailing why a particular result is considered to have a certain severity.
    "severityLevel": "A String", # The level of severity.
  },
  "state": "A String", # Output only. State of the alert.
}
list(parent, filter=None, orderBy=None, pageSize=None, pageToken=None, x__xgafv=None)
Get a list of alerts that meet the filter criteria.

Args:
  parent: string, Required. Parent of the alerts. Format: projects/{project} (required)
  filter: string, Optional. Filter criteria.
  orderBy: string, Optional. Order by criteria in the csv format: "field1,field2 desc" or "field1,field2" or "field1 asc, field2".
  pageSize: integer, Optional. Page size.
  pageToken: string, Optional. Page token.
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Response message for ListAlerts.
  "alerts": [ # List of alerts.
    { # Stateful object representing a group of Findings. Key feature to an Alert is that it expresses the user's intent towards the findings of that group, even those that haven't occurred yet.
      "aiSummary": "A String", # Optional. AI summary of the finding.
      "assets": [ # Output only. Assets that are impacted by this alert.
        "A String",
      ],
      "audit": { # Tracks basic CRUD facts. # Output only. Audit information for the alert.
        "createTime": "A String", # Output only. Time of creation.
        "creator": "A String", # Output only. Agent that created or updated the record, could be a UserId or a JobId.
        "updateTime": "A String", # Output only. Time of creation or last update.
        "updater": "A String", # Output only. Agent that last updated the record, could be a UserId or a JobId.
      },
      "configurations": [ # Output only. The resource names of the Configurations bound to this alert. Format: projects/{project}/configurations/{configuration}
        "A String",
      ],
      "detail": { # Container for different types of alert details. # Output only. Details object for the alert, not all alerts will have a details object.
        "dataLeak": { # Captures the specific details of Data Leak alert. # Data Leak alert detail type.
          "discoveryDocumentIds": [ # Required. Array of ids to accommodate multiple discovery documents
            "A String",
          ],
          "severity": "A String", # Required. Data Leak specific severity. This will be the string representation of the DataLeakFindingDetail.Severity enum (e.g., "LOW", "MEDIUM", "HIGH", "CRITICAL").
        },
        "detailType": "A String", # Output only. Name of the detail type. Will be set by the server during creation to the name of the field that is set in the detail union.
        "initialAccessBroker": { # Captures the specific details of InitialAccessBroker (IAB) alert. # Initial Access Broker alert detail type.
          "discoveryDocumentIds": [ # Required. Array of ids to accommodate multiple discovery documents
            "A String",
          ],
          "severity": "A String", # Required. IAB specific severity
        },
        "insiderThreat": { # Captures the specific details of InsiderThreat alert. # Insider Threat alert detail type.
          "discoveryDocumentIds": [ # Required. Array of ids to accommodate multiple discovery documents
            "A String",
          ],
          "severity": "A String", # Required. InsiderThreat specific severity. This will be the string representation of the InsiderThreatFindingDetail.Severity enum (e.g., "LOW", "MEDIUM", "HIGH", "CRITICAL").
        },
        "suspiciousDomain": { # The alert detail for a suspicious domain finding. # Domain Monitoring alert detail type.
          "dns": { # The DNS details of the suspicious domain. # The DNS details of the suspicious domain.
            "dnsRecords": [ # The DNS records of the suspicious domain.
              { # The DNS record of the suspicious domain.
                "record": "A String", # The name of the DNS record.
                "ttl": 42, # The TTL of the DNS record.
                "type": "A String", # The type of the DNS record.
                "value": "A String", # The value of the DNS record.
              },
            ],
            "retrievalTime": "A String", # The time the DNS details were retrieved.
          },
          "domain": "A String", # Required. The suspicious domain name.
          "gtiDetails": { # The GTI details of the suspicious domain. # The GTI details of the suspicious domain.
            "threatScore": 42, # The threat score of the suspicious domain. The threat score is a number between 0 and 100.
            "verdict": "A String", # Output only. The verdict of the suspicious domain.
            "virustotalUri": "A String", # VirusTotal link for the domain
          },
          "webRiskOperation": "A String", # Output only. Name of Web Risk submission operation.
          "webRiskState": "A String", # Output only. Status of the Web Risk submission.
          "whois": { # The whois details of the suspicious domain. # The whois details of the suspicious domain.
            "retrievalTime": "A String", # The time the whois details were retrieved.
            "whois": "A String", # The whois details of the suspicious domain.
          },
        },
        "targetTechnology": { # Contains details for a technology watchlist alert. # Technology Watchlist alert detail type.
          "vulnerabilityMatch": { # Contains details about a vulnerability match. # Output only. The vulnerability match details.
            "associations": [ # Optional. Associated threat actors, malware, etc. This is embedded as a snapshot because the details of the association at the time of the vulnerability match are important for context and reporting.
              { # Represents an association with a vulnerability.
                "id": "A String", # Required. The ID of the association.
                "type": "A String", # Required. The type of the association.
              },
            ],
            "collectionId": "A String", # Output only. The collection ID of the vulnerability. Ex: "vulnerability--cve-2025-9876".
            "cveId": "A String", # Output only. The CVE ID of the vulnerability. Ex: "CVE-2025-9876". See https://www.cve.org/ for more information.
            "cvss3Score": 3.14, # Output only. The CVSS v3 score of the vulnerability. Example: 6.4.
            "description": "A String", # Output only. A description of the vulnerability.
            "exploitationState": "A String", # Output only. The exploitation state of the vulnerability.
            "riskRating": "A String", # Output only. The risk rating of the vulnerability.
            "technologies": [ # Output only. The affected technologies. Ex: "Apache Struts".
              "A String",
            ],
          },
        },
      },
      "displayName": "A String", # Output only. A short title for the alert.
      "duplicateOf": "A String", # Output only. alert name of the alert this alert is a duplicate of. Format: projects/{project}/alerts/{alert}
      "duplicatedBy": [ # Output only. alert names of the alerts that are duplicates of this alert. Format: projects/{project}/alerts/{alert}
        "A String",
      ],
      "etag": "A String", # Optional. If included when updating an alert, this should be set to the current etag of the alert. If the etags do not match, the update will be rejected and an ABORTED error will be returned.
      "externalId": "A String", # Output only. External ID for the alert. This is used internally to provide protection against out of order updates.
      "findings": [ # Output only. Findings that are covered by this alert.
        "A String",
      ],
      "name": "A String", # Identifier. Server generated name for the alert. format is projects/{project}/alerts/{alert}
      "priorityAnalysis": { # Structured priority analysis for a threat. # Output only. High-Precision Priority Analysis for the alert.
        "confidence": "A String", # The level of confidence in the given verdict.
        "priorityLevel": "A String", # The level of Priority.
        "reasoning": "A String", # Human-readable explanation from the model, detailing why a particular result is considered to have a certain priority.
      },
      "relevanceAnalysis": { # Structured relevance analysis for a threat. # Output only. High-Precision Relevance Analysis verdict for the alert.
        "confidence": "A String", # The level of confidence in the given verdict.
        "evidence": { # Details the evidence used to determine the relevance verdict. # Evidence supporting the verdict, including matched and unmatched items.
          "commonThemes": [ # A list of semantic themes or concepts found to be common, related, or aligned between the sources, supporting the verdict.
            "A String",
          ],
          "distinctThemes": [ # A list of semantic themes or descriptions unique to one source or semantically distant.
            "A String",
          ],
        },
        "reasoning": "A String", # Human-readable explanation from the matcher, detailing why a particular result is considered relevant or not relevant.
        "relevanceLevel": "A String", # The level of relevance.
        "relevant": True or False, # Indicates whether the threat is considered relevant.
      },
      "severityAnalysis": { # Structured severity analysis for a threat. # Output only. High-Precision Severity Analysis for the alert.
        "confidence": "A String", # The level of confidence in the given verdict.
        "reasoning": "A String", # Human-readable explanation from the model, detailing why a particular result is considered to have a certain severity.
        "severityLevel": "A String", # The level of severity.
      },
      "state": "A String", # Output only. State of the alert.
    },
  ],
  "nextPageToken": "A String", # Page token.
}
list_next()
Retrieves the next page of results.

        Args:
          previous_request: The request for the previous page. (required)
          previous_response: The response from the request for the previous page. (required)

        Returns:
          A request object that you can call 'execute()' on to request the next
          page. Returns None if there are no more items in the collection.
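
Added example (not part of the generated reference or the client library): one way to drain `list()` with `list_next()` and flatten each alert's `detail` union for a triage queue, including alerts that carry no `detail` object. `FakeAlerts`, `FakeRequest`, `SAMPLE_PAGES`, the project name `demo` and the helper names are constructed for an offline run; with the real client, pass the alerts resource object to `iter_alerts` instead.

```python
from collections import Counter

# Detail types whose only triage-relevant field on this page is "severity".
SEVERITY_ONLY = ("dataLeak", "initialAccessBroker", "insiderThreat")


def iter_alerts(alerts, parent, **params):
    """Yield every alert under `parent`, following list_next() until it returns None."""
    params = {k: v for k, v in params.items() if v is not None}
    request = alerts.list(parent=parent, **params)
    while request is not None:
        response = request.execute()
        yield from response.get("alerts", [])  # key may be missing on an empty page
        request = alerts.list_next(previous_request=request,
                                   previous_response=response)


def summarize(alert):
    """Flatten one Alert into the few fields a triage queue needs."""
    detail = alert.get("detail") or {}  # not all alerts have a details object
    row = {"name": alert.get("name"), "state": alert.get("state"),
           "kind": None, "subject": None, "rating": None}
    # Check the union fields directly rather than trusting detailType's spelling.
    if "suspiciousDomain" in detail:
        sd = detail["suspiciousDomain"]
        gti = sd.get("gtiDetails") or {}
        row.update(kind="suspiciousDomain", subject=sd.get("domain"),
                   rating=gti.get("threatScore"))  # number between 0 and 100
    elif "targetTechnology" in detail:
        vm = detail["targetTechnology"].get("vulnerabilityMatch") or {}
        row.update(kind="targetTechnology", subject=vm.get("cveId"),
                   rating=vm.get("cvss3Score"))
    else:
        for kind in SEVERITY_ONLY:
            if kind in detail:
                row.update(kind=kind, rating=detail[kind].get("severity"))
                break
    return row


def count_by_kind(rows):
    """Count summarized alerts per detail kind (None = no detail object)."""
    return Counter(row["kind"] for row in rows)


# --- Constructed offline stand-in for the alerts resource -------------------
class FakeRequest:
    def __init__(self, page):
        self._page = page

    def execute(self):
        return self._page


class FakeAlerts:
    """Implements only list() and list_next(); the page token is a list index."""

    def __init__(self, pages):
        self._pages = pages

    def list(self, parent, **kwargs):
        return FakeRequest(self._pages[0])

    def list_next(self, previous_request, previous_response):
        token = previous_response.get("nextPageToken")
        return FakeRequest(self._pages[int(token)]) if token else None


# Constructed sample responses shaped like the ListAlerts response above.
SAMPLE_PAGES = [
    {"alerts": [
        {"name": "projects/demo/alerts/a1", "state": "READ",
         "detail": {"suspiciousDomain": {"domain": "login-example.test",
                                         "gtiDetails": {"threatScore": 87}}}},
        {"name": "projects/demo/alerts/a2", "state": "TRIAGED"},  # no detail
    ], "nextPageToken": "1"},
    {"alerts": [
        {"name": "projects/demo/alerts/a3", "state": "ESCALATED",
         "detail": {"targetTechnology": {"vulnerabilityMatch": {
             "cveId": "CVE-2025-9876", "cvss3Score": 6.4,
             "technologies": ["Apache Struts"]}}}},
        {"name": "projects/demo/alerts/a4", "state": "FALSE_POSITIVE",
         "detail": {"dataLeak": {"severity": "HIGH",
                                 "discoveryDocumentIds": ["d1"]}}},
    ]},
]


def run_demo():
    alerts = FakeAlerts(SAMPLE_PAGES)
    return [summarize(a) for a in iter_alerts(alerts, "projects/demo", pageSize=2)]


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```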
        
notActionable(name, body=None, x__xgafv=None)
Marks an alert as not actionable - NOT_ACTIONABLE.

Args:
  name: string, Required. Name of the alert to mark as not actionable. Format: projects/{project}/alerts/{alert} (required)
  body: object, The request body.
    The object takes the form of:

{ # Request message for MarkAlertAsNotActionable.
}

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Stateful object representing a group of Findings. Key feature to an Alert is that it expresses the user's intent towards the findings of that group, even those that haven't occurred yet.
  "aiSummary": "A String", # Optional. AI summary of the finding.
  "assets": [ # Output only. Assets that are impacted by this alert.
    "A String",
  ],
  "audit": { # Tracks basic CRUD facts. # Output only. Audit information for the alert.
    "createTime": "A String", # Output only. Time of creation.
    "creator": "A String", # Output only. Agent that created or updated the record, could be a UserId or a JobId.
    "updateTime": "A String", # Output only. Time of creation or last update.
    "updater": "A String", # Output only. Agent that last updated the record, could be a UserId or a JobId.
  },
  "configurations": [ # Output only. The resource names of the Configurations bound to this alert. Format: projects/{project}/configurations/{configuration}
    "A String",
  ],
  "detail": { # Container for different types of alert details. # Output only. Details object for the alert, not all alerts will have a details object.
    "dataLeak": { # Captures the specific details of Data Leak alert. # Data Leak alert detail type.
      "discoveryDocumentIds": [ # Required. Array of ids to accommodate multiple discovery documents
        "A String",
      ],
      "severity": "A String", # Required. Data Leak specific severity. This will be the string representation of the DataLeakFindingDetail.Severity enum (e.g., "LOW", "MEDIUM", "HIGH", "CRITICAL").
    },
    "detailType": "A String", # Output only. Name of the detail type. Will be set by the server during creation to the name of the field that is set in the detail union.
    "initialAccessBroker": { # Captures the specific details of InitialAccessBroker (IAB) alert. # Initial Access Broker alert detail type.
      "discoveryDocumentIds": [ # Required. Array of ids to accommodate multiple discovery documents
        "A String",
      ],
      "severity": "A String", # Required. IAB specific severity
    },
    "insiderThreat": { # Captures the specific details of InsiderThreat alert. # Insider Threat alert detail type.
      "discoveryDocumentIds": [ # Required. Array of ids to accommodate multiple discovery documents
        "A String",
      ],
      "severity": "A String", # Required. InsiderThreat specific severity. This will be the string representation of the InsiderThreatFindingDetail.Severity enum (e.g., "LOW", "MEDIUM", "HIGH", "CRITICAL").
    },
    "suspiciousDomain": { # The alert detail for a suspicious domain finding. # Domain Monitoring alert detail type.
      "dns": { # The DNS details of the suspicious domain. # The DNS details of the suspicious domain.
        "dnsRecords": [ # The DNS records of the suspicious domain.
          { # The DNS record of the suspicious domain.
            "record": "A String", # The name of the DNS record.
            "ttl": 42, # The TTL of the DNS record.
            "type": "A String", # The type of the DNS record.
            "value": "A String", # The value of the DNS record.
          },
        ],
        "retrievalTime": "A String", # The time the DNS details were retrieved.
      },
      "domain": "A String", # Required. The suspicious domain name.
      "gtiDetails": { # The GTI details of the suspicious domain. # The GTI details of the suspicious domain.
        "threatScore": 42, # The threat score of the suspicious domain. The threat score is a number between 0 and 100.
        "verdict": "A String", # Output only. The verdict of the suspicious domain.
        "virustotalUri": "A String", # VirusTotal link for the domain
      },
      "webRiskOperation": "A String", # Output only. Name of Web Risk submission operation.
      "webRiskState": "A String", # Output only. Status of the Web Risk submission.
      "whois": { # The whois details of the suspicious domain. # The whois details of the suspicious domain.
        "retrievalTime": "A String", # The time the whois details were retrieved.
        "whois": "A String", # The whois details of the suspicious domain.
      },
    },
    "targetTechnology": { # Contains details for a technology watchlist alert. # Technology Watchlist alert detail type.
      "vulnerabilityMatch": { # Contains details about a vulnerability match. # Output only. The vulnerability match details.
        "associations": [ # Optional. Associated threat actors, malware, etc. This is embedded as a snapshot because the details of the association at the time of the vulnerability match are important for context and reporting.
          { # Represents an association with a vulnerability.
            "id": "A String", # Required. The ID of the association.
            "type": "A String", # Required. The type of the association.
          },
        ],
        "collectionId": "A String", # Output only. The collection ID of the vulnerability. Ex: "vulnerability--cve-2025-9876".
        "cveId": "A String", # Output only. The CVE ID of the vulnerability. Ex: "CVE-2025-9876". See https://www.cve.org/ for more information.
        "cvss3Score": 3.14, # Output only. The CVSS v3 score of the vulnerability. Example: 6.4.
        "description": "A String", # Output only. A description of the vulnerability.
        "exploitationState": "A String", # Output only. The exploitation state of the vulnerability.
        "riskRating": "A String", # Output only. The risk rating of the vulnerability.
        "technologies": [ # Output only. The affected technologies. Ex: "Apache Struts".
          "A String",
        ],
      },
    },
  },
  "displayName": "A String", # Output only. A short title for the alert.
  "duplicateOf": "A String", # Output only. Name of the alert that this alert is a duplicate of. Format: projects/{project}/alerts/{alert}
  "duplicatedBy": [ # Output only. Names of the alerts that are duplicates of this alert. Format: projects/{project}/alerts/{alert}
    "A String",
  ],
  "etag": "A String", # Optional. If included when updating an alert, this should be set to the current etag of the alert. If the etags do not match, the update will be rejected and an ABORTED error will be returned.
  "externalId": "A String", # Output only. External ID for the alert. This is used internally to provide protection against out of order updates.
  "findings": [ # Output only. Findings that are covered by this alert.
    "A String",
  ],
  "name": "A String", # Identifier. Server generated name for the alert. format is projects/{project}/alerts/{alert}
  "priorityAnalysis": { # Structured priority analysis for a threat. # Output only. High-Precision Priority Analysis for the alert.
    "confidence": "A String", # The level of confidence in the given verdict.
    "priorityLevel": "A String", # The level of Priority.
    "reasoning": "A String", # Human-readable explanation from the model, detailing why a particular result is considered to have a certain priority.
  },
  "relevanceAnalysis": { # Structured relevance analysis for a threat. # Output only. High-Precision Relevance Analysis verdict for the alert.
    "confidence": "A String", # The level of confidence in the given verdict.
    "evidence": { # Details the evidence used to determine the relevance verdict. # Evidence supporting the verdict, including matched and unmatched items.
      "commonThemes": [ # A list of semantic themes or concepts found to be common, related, or aligned between the sources, supporting the verdict.
        "A String",
      ],
      "distinctThemes": [ # A list of semantic themes or descriptions unique to one source or semantically distant.
        "A String",
      ],
    },
    "reasoning": "A String", # Human-readable explanation from the matcher, detailing why a particular result is considered relevant or not relevant.
    "relevanceLevel": "A String", # The level of relevance.
    "relevant": True or False, # Indicates whether the threat is considered relevant.
  },
  "severityAnalysis": { # Structured severity analysis for a threat. # Output only. High-Precision Severity Analysis for the alert.
    "confidence": "A String", # The level of confidence in the given verdict.
    "reasoning": "A String", # Human-readable explanation from the model, detailing why a particular result is considered to have a certain severity.
    "severityLevel": "A String", # The level of severity.
  },
  "state": "A String", # Output only. State of the alert.
}
read(name, body=None, x__xgafv=None)
Marks an alert as read - READ.

Args:
  name: string, Required. Name of the alert to mark as read. Format: projects/{project}/alerts/{alert} (required)
  body: object, The request body.
    The object takes the form of:

{ # Request message for MarkAlertAsRead.
}

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Stateful object representing a group of Findings. Key feature to an Alert is that it expresses the user's intent towards the findings of that group, even those that haven't occurred yet.
  "aiSummary": "A String", # Optional. AI summary of the finding.
  "assets": [ # Output only. Assets that are impacted by this alert.
    "A String",
  ],
  "audit": { # Tracks basic CRUD facts. # Output only. Audit information for the alert.
    "createTime": "A String", # Output only. Time of creation.
    "creator": "A String", # Output only. Agent that created or updated the record, could be a UserId or a JobId.
    "updateTime": "A String", # Output only. Time of creation or last update.
    "updater": "A String", # Output only. Agent that last updated the record, could be a UserId or a JobId.
  },
  "configurations": [ # Output only. The resource names of the Configurations bound to this alert. Format: projects/{project}/configurations/{configuration}
    "A String",
  ],
  "detail": { # Container for different types of alert details. # Output only. Details object for the alert, not all alerts will have a details object.
    "dataLeak": { # Captures the specific details of Data Leak alert. # Data Leak alert detail type.
      "discoveryDocumentIds": [ # Required. Array of ids to accommodate multiple discovery documents
        "A String",
      ],
      "severity": "A String", # Required. Data Leak specific severity. This will be the string representation of the DataLeakFindingDetail.Severity enum (e.g., "LOW", "MEDIUM", "HIGH", "CRITICAL").
    },
    "detailType": "A String", # Output only. Name of the detail type. Will be set by the server during creation to the name of the field that is set in the detail union.
    "initialAccessBroker": { # Captures the specific details of InitialAccessBroker (IAB) alert. # Initial Access Broker alert detail type.
      "discoveryDocumentIds": [ # Required. Array of ids to accommodate multiple discovery documents
        "A String",
      ],
      "severity": "A String", # Required. IAB specific severity
    },
    "insiderThreat": { # Captures the specific details of InsiderThreat alert. # Insider Threat alert detail type.
      "discoveryDocumentIds": [ # Required. Array of ids to accommodate multiple discovery documents
        "A String",
      ],
      "severity": "A String", # Required. InsiderThreat specific severity. This will be the string representation of the InsiderThreatFindingDetail.Severity enum (e.g., "LOW", "MEDIUM", "HIGH", "CRITICAL").
    },
    "suspiciousDomain": { # The alert detail for a suspicious domain finding. # Domain Monitoring alert detail type.
      "dns": { # The DNS details of the suspicious domain.
        "dnsRecords": [ # The DNS records of the suspicious domain.
          { # The DNS record of the suspicious domain.
            "record": "A String", # The name of the DNS record.
            "ttl": 42, # The TTL of the DNS record.
            "type": "A String", # The type of the DNS record.
            "value": "A String", # The value of the DNS record.
          },
        ],
        "retrievalTime": "A String", # The time the DNS details were retrieved.
      },
      "domain": "A String", # Required. The suspicious domain name.
      "gtiDetails": { # The GTI details of the suspicious domain.
        "threatScore": 42, # The threat score of the suspicious domain. The threat score is a number between 0 and 100.
        "verdict": "A String", # Output only. The verdict of the suspicious domain.
        "virustotalUri": "A String", # VirusTotal link for the domain
      },
      "webRiskOperation": "A String", # Output only. Name of Web Risk submission operation.
      "webRiskState": "A String", # Output only. Status of the Web Risk submission.
      "whois": { # The whois details of the suspicious domain.
        "retrievalTime": "A String", # The time the whois details were retrieved.
        "whois": "A String", # The whois details of the suspicious domain.
      },
    },
    "targetTechnology": { # Contains details for a technology watchlist alert. # Technology Watchlist alert detail type.
      "vulnerabilityMatch": { # Contains details about a vulnerability match. # Output only. The vulnerability match details.
        "associations": [ # Optional. Associated threat actors, malware, etc. This is embedded as a snapshot because the details of the association at the time of the vulnerability match are important for context and reporting.
          { # Represents an association with a vulnerability.
            "id": "A String", # Required. The ID of the association.
            "type": "A String", # Required. The type of the association.
          },
        ],
        "collectionId": "A String", # Output only. The collection ID of the vulnerability. Ex: "vulnerability--cve-2025-9876".
        "cveId": "A String", # Output only. The CVE ID of the vulnerability. Ex: "CVE-2025-9876". See https://www.cve.org/ for more information.
        "cvss3Score": 3.14, # Output only. The CVSS v3 score of the vulnerability. Example: 6.4.
        "description": "A String", # Output only. A description of the vulnerability.
        "exploitationState": "A String", # Output only. The exploitation state of the vulnerability.
        "riskRating": "A String", # Output only. The risk rating of the vulnerability.
        "technologies": [ # Output only. The affected technologies. Ex: "Apache Struts".
          "A String",
        ],
      },
    },
  },
  "displayName": "A String", # Output only. A short title for the alert.
  "duplicateOf": "A String", # Output only. Name of the alert that this alert is a duplicate of. Format: projects/{project}/alerts/{alert}
  "duplicatedBy": [ # Output only. Names of the alerts that are duplicates of this alert. Format: projects/{project}/alerts/{alert}
    "A String",
  ],
  "etag": "A String", # Optional. If included when updating an alert, this should be set to the current etag of the alert. If the etags do not match, the update will be rejected and an ABORTED error will be returned.
  "externalId": "A String", # Output only. External ID for the alert. This is used internally to provide protection against out of order updates.
  "findings": [ # Output only. Findings that are covered by this alert.
    "A String",
  ],
  "name": "A String", # Identifier. Server generated name for the alert. format is projects/{project}/alerts/{alert}
  "priorityAnalysis": { # Structured priority analysis for a threat. # Output only. High-Precision Priority Analysis for the alert.
    "confidence": "A String", # The level of confidence in the given verdict.
    "priorityLevel": "A String", # The level of Priority.
    "reasoning": "A String", # Human-readable explanation from the model, detailing why a particular result is considered to have a certain priority.
  },
  "relevanceAnalysis": { # Structured relevance analysis for a threat. # Output only. High-Precision Relevance Analysis verdict for the alert.
    "confidence": "A String", # The level of confidence in the given verdict.
    "evidence": { # Details the evidence used to determine the relevance verdict. # Evidence supporting the verdict, including matched and unmatched items.
      "commonThemes": [ # A list of semantic themes or concepts found to be common, related, or aligned between the sources, supporting the verdict.
        "A String",
      ],
      "distinctThemes": [ # A list of semantic themes or descriptions unique to one source or semantically distant.
        "A String",
      ],
    },
    "reasoning": "A String", # Human-readable explanation from the matcher, detailing why a particular result is considered relevant or not relevant.
    "relevanceLevel": "A String", # The level of relevance.
    "relevant": True or False, # Indicates whether the threat is considered relevant.
  },
  "severityAnalysis": { # Structured severity analysis for a threat. # Output only. High-Precision Severity Analysis for the alert.
    "confidence": "A String", # The level of confidence in the given verdict.
    "reasoning": "A String", # Human-readable explanation from the model, detailing why a particular result is considered to have a certain severity.
    "severityLevel": "A String", # The level of severity.
  },
  "state": "A String", # Output only. State of the alert.
}
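Added example, not part of the generated client reference: a consumer for the Alert object returned above that resolves the `detail` union and flattens the fields a triage queue needs. It assumes `detailType` carries the populated member's name in some casing; the sample values are constructed, except the CVE ID, score and technology, which reuse the placeholder examples from the schema comments.

```python
# Field names follow the Alert schema on this page. Helper names and the
# sample alerts below are constructed for illustration.

DETAIL_MEMBERS = (
    "dataLeak", "initialAccessBroker", "insiderThreat",
    "suspiciousDomain", "targetTechnology",
)


def _norm(key):
    """Compare union names without regard to case or underscores."""
    return key.replace("_", "").lower()


def active_detail(alert):
    """Return (member_name, payload) for the populated detail member.

    Assumption: detailType names the member in some casing. If it is
    missing or unrecognised, fall back to the only member present.
    """
    detail = alert.get("detail") or {}
    present = [m for m in DETAIL_MEMBERS if isinstance(detail.get(m), dict)]
    declared = _norm(detail.get("detailType") or "")
    for member in present:
        if _norm(member) == declared:
            return member, detail[member]
    if len(present) == 1:
        return present[0], detail[present[0]]
    return None, {}


def defang(domain):
    """Make a suspicious domain non-clickable before it lands in a ticket."""
    return domain.replace(".", "[.]")


def summarize_alert(alert):
    """Flatten an Alert into the fields a triage queue usually needs."""
    member, payload = active_detail(alert)
    summary = {
        "name": alert.get("name"),
        "state": alert.get("state"),
        "detail_type": member,
        "severity_level": (alert.get("severityAnalysis") or {}).get("severityLevel"),
        "priority_level": (alert.get("priorityAnalysis") or {}).get("priorityLevel"),
        "relevant": (alert.get("relevanceAnalysis") or {}).get("relevant"),
    }
    if member == "suspiciousDomain":
        gti = payload.get("gtiDetails") or {}
        dns = {}
        for rec in (payload.get("dns") or {}).get("dnsRecords") or []:
            dns.setdefault(rec.get("type"), []).append(rec.get("value"))
        summary.update(
            domain=defang(payload.get("domain", "")),
            threat_score=gti.get("threatScore"),  # 0 to 100 per the schema
            verdict=gti.get("verdict"),
            web_risk_state=payload.get("webRiskState"),
            dns=dns,
        )
    elif member == "targetTechnology":
        match = payload.get("vulnerabilityMatch") or {}
        summary.update(
            cve_id=match.get("cveId"),
            cvss3_score=match.get("cvss3Score"),
            exploitation_state=match.get("exploitationState"),
            technologies=list(match.get("technologies") or []),
            associations=[(a.get("type"), a.get("id"))
                          for a in match.get("associations") or []],
        )
    elif member is not None:  # dataLeak, initialAccessBroker, insiderThreat
        summary.update(
            detail_severity=payload.get("severity"),
            discovery_documents=len(payload.get("discoveryDocumentIds") or []),
        )
    return summary


# Constructed sample alerts.
SAMPLE_DOMAIN_ALERT = {
    "name": "projects/demo/alerts/alert-1",
    "state": "READ",
    "severityAnalysis": {"severityLevel": "HIGH"},
    "relevanceAnalysis": {"relevant": True},
    "detail": {
        "detailType": "suspicious_domain",
        "suspiciousDomain": {
            "domain": "login-example.test",
            "gtiDetails": {"threatScore": 87},
            "dns": {"dnsRecords": [
                {"record": "login-example.test", "ttl": 300, "type": "A", "value": "192.0.2.10"},
                {"record": "login-example.test", "ttl": 300, "type": "MX", "value": "mail.login-example.test"},
            ]},
        },
    },
}
SAMPLE_VULN_ALERT = {
    "name": "projects/demo/alerts/alert-2",
    "detail": {"targetTechnology": {"vulnerabilityMatch": {
        "cveId": "CVE-2025-9876", "cvss3Score": 6.4,
        "technologies": ["Apache Struts"],
        "associations": [{"id": "constructed-id-1", "type": "constructed-type"}],
    }}},
}
```
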
refreshUriStatus(name, body=None, x__xgafv=None)
Return the status of a URI submitted to Google WebRisk.

Args:
  name: string, Required. Name of alert to refresh status from WebRisk (required)
  body: object, The request body.
    The object takes the form of:

{ # Request message for FetchAlertUriStatus.
}

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Response message for FetchAlertUriStatus.
  "state": "A String", # Output only. Status of the alert in WebRisk.
}
reportAlertUri(name, body=None, x__xgafv=None)
Report the URI associated with an alert to Google WebRisk.

Args:
  name: string, Required. Name of alert to submit to WebRisk. (required)
  body: object, The request body.
    The object takes the form of:

{ # Request message for ReportAlertUri.
}

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Response message for ReportAlertUri.
  "state": "A String", # Output only. Status of the alert in WebRisk.
}
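Added example, not the client library's own code: a guarded wrapper around the empty-body methods documented on this page that checks the alert name format and the requested method before calling. `StubAlerts` is a constructed offline stand-in for the alerts resource, `STATE_PLACEHOLDER` is a placeholder, and treating the returned `state` as equal to the state named in each method description is an assumption.

```python
import re

# Resource name format given in the Args sections on this page.
ALERT_NAME_RE = re.compile(r"projects/[^/\s]+/alerts/[^/\s]+")

# Method -> state named in its description on this page. "duplicate" is
# left out: its request body is not shown in this section.
STATE_METHODS = {
    "benign": "BENIGN",
    "escalate": "ESCALATED",
    "falsePositive": "FALSE_POSITIVE",
    "notActionable": "NOT_ACTIONABLE",
    "read": "READ",
    "resolve": "RESOLVED",
    "trackExternally": "TRACKED_EXTERNALLY",
    "triage": "TRIAGED",
}


def _check_name(name):
    """Reject anything that is not exactly projects/{project}/alerts/{alert}."""
    if not isinstance(name, str) or not ALERT_NAME_RE.fullmatch(name):
        raise ValueError(f"not an alert resource name: {name!r}")
    return name


def mark_alert(alerts, name, method):
    """Call one state-marking method and confirm the state the server reports."""
    if method not in STATE_METHODS:
        raise ValueError(f"unsupported method: {method!r}")
    updated = getattr(alerts, method)(name=_check_name(name), body={}).execute()
    # Assumption: the Alert's "state" equals the name in the method description.
    if updated.get("state") != STATE_METHODS[method]:
        raise RuntimeError(f"{name} is in state {updated.get('state')!r}")
    return updated


def submit_to_web_risk(alerts, name):
    """Report the alert's URI to WebRisk, then read back its status.

    Assumption: both methods take the same projects/{project}/alerts/{alert}
    name; the page only says "name of alert" for them.
    """
    _check_name(name)
    reported = alerts.reportAlertUri(name=name, body={}).execute()
    refreshed = alerts.refreshUriStatus(name=name, body={}).execute()
    return reported.get("state"), refreshed.get("state")


class _StubRequest:
    """Mimics the request object whose execute() returns the response."""

    def __init__(self, response):
        self._response = response

    def execute(self):
        return self._response


class StubAlerts:
    """Offline stand-in for the alerts resource; constructed for this example."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, method):
        def call(name, body=None):
            self.calls.append((method, name, body))
            if method in ("reportAlertUri", "refreshUriStatus"):
                return _StubRequest({"state": "STATE_PLACEHOLDER"})
            return _StubRequest({"name": name, "state": STATE_METHODS[method]})
        return call
```

With the real client, pass the alerts resource in place of `StubAlerts()`; names that arrive from tickets or chat messages are then validated before any request is built.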
resolve(name, body=None, x__xgafv=None)
Marks an alert to closed state - RESOLVED.

Args:
  name: string, Required. Name of the alert to mark as resolved. Format: projects/{project}/alerts/{alert} (required)
  body: object, The request body.
    The object takes the form of:

{ # Request message for MarkAlertAsResolved.
}

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Stateful object representing a group of Findings. Key feature to an Alert is that it expresses the user's intent towards the findings of that group, even those that haven't occurred yet.
  "aiSummary": "A String", # Optional. AI summary of the finding.
  "assets": [ # Output only. Assets that are impacted by this alert.
    "A String",
  ],
  "audit": { # Tracks basic CRUD facts. # Output only. Audit information for the alert.
    "createTime": "A String", # Output only. Time of creation.
    "creator": "A String", # Output only. Agent that created or updated the record, could be a UserId or a JobId.
    "updateTime": "A String", # Output only. Time of creation or last update.
    "updater": "A String", # Output only. Agent that last updated the record, could be a UserId or a JobId.
  },
  "configurations": [ # Output only. The resource names of the Configurations bound to this alert. Format: projects/{project}/configurations/{configuration}
    "A String",
  ],
  "detail": { # Container for different types of alert details. # Output only. Details object for the alert, not all alerts will have a details object.
    "dataLeak": { # Captures the specific details of Data Leak alert. # Data Leak alert detail type.
      "discoveryDocumentIds": [ # Required. Array of ids to accommodate multiple discovery documents
        "A String",
      ],
      "severity": "A String", # Required. Data Leak specific severity. This will be the string representation of the DataLeakFindingDetail.Severity enum (e.g., "LOW", "MEDIUM", "HIGH", "CRITICAL").
    },
    "detailType": "A String", # Output only. Name of the detail type. Will be set by the server during creation to the name of the field that is set in the detail union.
    "initialAccessBroker": { # Captures the specific details of InitialAccessBroker (IAB) alert. # Initial Access Broker alert detail type.
      "discoveryDocumentIds": [ # Required. Array of ids to accommodate multiple discovery documents
        "A String",
      ],
      "severity": "A String", # Required. IAB specific severity
    },
    "insiderThreat": { # Captures the specific details of InsiderThreat alert. # Insider Threat alert detail type.
      "discoveryDocumentIds": [ # Required. Array of ids to accommodate multiple discovery documents
        "A String",
      ],
      "severity": "A String", # Required. InsiderThreat specific severity. This will be the string representation of the InsiderThreatFindingDetail.Severity enum (e.g., "LOW", "MEDIUM", "HIGH", "CRITICAL").
    },
    "suspiciousDomain": { # The alert detail for a suspicious domain finding. # Domain Monitoring alert detail type.
      "dns": { # The DNS details of the suspicious domain.
        "dnsRecords": [ # The DNS records of the suspicious domain.
          { # The DNS record of the suspicious domain.
            "record": "A String", # The name of the DNS record.
            "ttl": 42, # The TTL of the DNS record.
            "type": "A String", # The type of the DNS record.
            "value": "A String", # The value of the DNS record.
          },
        ],
        "retrievalTime": "A String", # The time the DNS details were retrieved.
      },
      "domain": "A String", # Required. The suspicious domain name.
      "gtiDetails": { # The GTI details of the suspicious domain.
        "threatScore": 42, # The threat score of the suspicious domain. The threat score is a number between 0 and 100.
        "verdict": "A String", # Output only. The verdict of the suspicious domain.
        "virustotalUri": "A String", # VirusTotal link for the domain
      },
      "webRiskOperation": "A String", # Output only. Name of Web Risk submission operation.
      "webRiskState": "A String", # Output only. Status of the Web Risk submission.
      "whois": { # The whois details of the suspicious domain.
        "retrievalTime": "A String", # The time the whois details were retrieved.
        "whois": "A String", # The whois details of the suspicious domain.
      },
    },
    "targetTechnology": { # Contains details for a technology watchlist alert. # Technology Watchlist alert detail type.
      "vulnerabilityMatch": { # Contains details about a vulnerability match. # Output only. The vulnerability match details.
        "associations": [ # Optional. Associated threat actors, malware, etc. This is embedded as a snapshot because the details of the association at the time of the vulnerability match are important for context and reporting.
          { # Represents an association with a vulnerability.
            "id": "A String", # Required. The ID of the association.
            "type": "A String", # Required. The type of the association.
          },
        ],
        "collectionId": "A String", # Output only. The collection ID of the vulnerability. Ex: "vulnerability--cve-2025-9876".
        "cveId": "A String", # Output only. The CVE ID of the vulnerability. Ex: "CVE-2025-9876". See https://www.cve.org/ for more information.
        "cvss3Score": 3.14, # Output only. The CVSS v3 score of the vulnerability. Example: 6.4.
        "description": "A String", # Output only. A description of the vulnerability.
        "exploitationState": "A String", # Output only. The exploitation state of the vulnerability.
        "riskRating": "A String", # Output only. The risk rating of the vulnerability.
        "technologies": [ # Output only. The affected technologies. Ex: "Apache Struts".
          "A String",
        ],
      },
    },
  },
  "displayName": "A String", # Output only. A short title for the alert.
  "duplicateOf": "A String", # Output only. Name of the alert that this alert is a duplicate of. Format: projects/{project}/alerts/{alert}
  "duplicatedBy": [ # Output only. Names of the alerts that are duplicates of this alert. Format: projects/{project}/alerts/{alert}
    "A String",
  ],
  "etag": "A String", # Optional. If included when updating an alert, this should be set to the current etag of the alert. If the etags do not match, the update will be rejected and an ABORTED error will be returned.
  "externalId": "A String", # Output only. External ID for the alert. This is used internally to provide protection against out of order updates.
  "findings": [ # Output only. Findings that are covered by this alert.
    "A String",
  ],
  "name": "A String", # Identifier. Server generated name for the alert. format is projects/{project}/alerts/{alert}
  "priorityAnalysis": { # Structured priority analysis for a threat. # Output only. High-Precision Priority Analysis for the alert.
    "confidence": "A String", # The level of confidence in the given verdict.
    "priorityLevel": "A String", # The level of Priority.
    "reasoning": "A String", # Human-readable explanation from the model, detailing why a particular result is considered to have a certain priority.
  },
  "relevanceAnalysis": { # Structured relevance analysis for a threat. # Output only. High-Precision Relevance Analysis verdict for the alert.
    "confidence": "A String", # The level of confidence in the given verdict.
    "evidence": { # Details the evidence used to determine the relevance verdict. # Evidence supporting the verdict, including matched and unmatched items.
      "commonThemes": [ # A list of semantic themes or concepts found to be common, related, or aligned between the sources, supporting the verdict.
        "A String",
      ],
      "distinctThemes": [ # A list of semantic themes or descriptions unique to one source or semantically distant.
        "A String",
      ],
    },
    "reasoning": "A String", # Human-readable explanation from the matcher, detailing why a particular result is considered relevant or not relevant.
    "relevanceLevel": "A String", # The level of relevance.
    "relevant": True or False, # Indicates whether the threat is considered relevant.
  },
  "severityAnalysis": { # Structured severity analysis for a threat. # Output only. High-Precision Severity Analysis for the alert.
    "confidence": "A String", # The level of confidence in the given verdict.
    "reasoning": "A String", # Human-readable explanation from the model, detailing why a particular result is considered to have a certain severity.
    "severityLevel": "A String", # The level of severity.
  },
  "state": "A String", # Output only. State of the alert.
}
trackExternally(name, body=None, x__xgafv=None)
Marks an alert as tracked externally - TRACKED_EXTERNALLY.

Args:
  name: string, Required. Name of the alert to mark as tracked externally. Format: projects/{project}/alerts/{alert} (required)
  body: object, The request body.
    The object takes the form of:

{ # Request message for MarkAlertAsTrackedExternally.
}

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Stateful object representing a group of Findings. Key feature to an Alert is that it expresses the user's intent towards the findings of that group, even those that haven't occurred yet.
  "aiSummary": "A String", # Optional. AI summary of the finding.
  "assets": [ # Output only. Assets that are impacted by this alert.
    "A String",
  ],
  "audit": { # Tracks basic CRUD facts. # Output only. Audit information for the alert.
    "createTime": "A String", # Output only. Time of creation.
    "creator": "A String", # Output only. Agent that created or updated the record, could be a UserId or a JobId.
    "updateTime": "A String", # Output only. Time of creation or last update.
    "updater": "A String", # Output only. Agent that last updated the record, could be a UserId or a JobId.
  },
  "configurations": [ # Output only. The resource names of the Configurations bound to this alert. Format: projects/{project}/configurations/{configuration}
    "A String",
  ],
  "detail": { # Container for different types of alert details. # Output only. Details object for the alert, not all alerts will have a details object.
    "dataLeak": { # Captures the specific details of Data Leak alert. # Data Leak alert detail type.
      "discoveryDocumentIds": [ # Required. Array of ids to accommodate multiple discovery documents
        "A String",
      ],
      "severity": "A String", # Required. Data Leak specific severity. This will be the string representation of the DataLeakFindingDetail.Severity enum (e.g., "LOW", "MEDIUM", "HIGH", "CRITICAL").
    },
    "detailType": "A String", # Output only. Name of the detail type. Will be set by the server during creation to the name of the field that is set in the detail union.
    "initialAccessBroker": { # Captures the specific details of InitialAccessBroker (IAB) alert. # Initial Access Broker alert detail type.
      "discoveryDocumentIds": [ # Required. Array of ids to accommodate multiple discovery documents
        "A String",
      ],
      "severity": "A String", # Required. IAB specific severity
    },
    "insiderThreat": { # Captures the specific details of InsiderThreat alert. # Insider Threat alert detail type.
      "discoveryDocumentIds": [ # Required. Array of ids to accommodate multiple discovery documents
        "A String",
      ],
      "severity": "A String", # Required. InsiderThreat specific severity. This will be the string representation of the InsiderThreatFindingDetail.Severity enum (e.g., "LOW", "MEDIUM", "HIGH", "CRITICAL").
    },
    "suspiciousDomain": { # The alert detail for a suspicious domain finding. # Domain Monitoring alert detail type.
      "dns": { # The DNS details of the suspicious domain.
        "dnsRecords": [ # The DNS records of the suspicious domain.
          { # The DNS record of the suspicious domain.
            "record": "A String", # The name of the DNS record.
            "ttl": 42, # The TTL of the DNS record.
            "type": "A String", # The type of the DNS record.
            "value": "A String", # The value of the DNS record.
          },
        ],
        "retrievalTime": "A String", # The time the DNS details were retrieved.
      },
      "domain": "A String", # Required. The suspicious domain name.
      "gtiDetails": { # The GTI details of the suspicious domain.
        "threatScore": 42, # The threat score of the suspicious domain. The threat score is a number between 0 and 100.
        "verdict": "A String", # Output only. The verdict of the suspicious domain.
        "virustotalUri": "A String", # VirusTotal link for the domain
      },
      "webRiskOperation": "A String", # Output only. Name of Web Risk submission operation.
      "webRiskState": "A String", # Output only. Status of the Web Risk submission.
      "whois": { # The whois details of the suspicious domain.
        "retrievalTime": "A String", # The time the whois details were retrieved.
        "whois": "A String", # The whois details of the suspicious domain.
      },
    },
    "targetTechnology": { # Contains details for a technology watchlist alert. # Technology Watchlist alert detail type.
      "vulnerabilityMatch": { # Contains details about a vulnerability match. # Output only. The vulnerability match details.
        "associations": [ # Optional. Associated threat actors, malware, etc. This is embedded as a snapshot because the details of the association at the time of the vulnerability match are important for context and reporting.
          { # Represents an association with a vulnerability.
            "id": "A String", # Required. The ID of the association.
            "type": "A String", # Required. The type of the association.
          },
        ],
        "collectionId": "A String", # Output only. The collection ID of the vulnerability. Ex: "vulnerability--cve-2025-9876".
        "cveId": "A String", # Output only. The CVE ID of the vulnerability. Ex: "CVE-2025-9876". See https://www.cve.org/ for more information.
        "cvss3Score": 3.14, # Output only. The CVSS v3 score of the vulnerability. Example: 6.4.
        "description": "A String", # Output only. A description of the vulnerability.
        "exploitationState": "A String", # Output only. The exploitation state of the vulnerability.
        "riskRating": "A String", # Output only. The risk rating of the vulnerability.
        "technologies": [ # Output only. The affected technologies. Ex: "Apache Struts".
          "A String",
        ],
      },
    },
  },
  "displayName": "A String", # Output only. A short title for the alert.
  "duplicateOf": "A String", # Output only. Name of the alert that this alert is a duplicate of. Format: projects/{project}/alerts/{alert}
  "duplicatedBy": [ # Output only. Names of the alerts that are duplicates of this alert. Format: projects/{project}/alerts/{alert}
    "A String",
  ],
  "etag": "A String", # Optional. If included when updating an alert, this should be set to the current etag of the alert. If the etags do not match, the update will be rejected and an ABORTED error will be returned.
  "externalId": "A String", # Output only. External ID for the alert. This is used internally to provide protection against out of order updates.
  "findings": [ # Output only. Findings that are covered by this alert.
    "A String",
  ],
  "name": "A String", # Identifier. Server generated name for the alert. format is projects/{project}/alerts/{alert}
  "priorityAnalysis": { # Structured priority analysis for a threat. # Output only. High-Precision Priority Analysis for the alert.
    "confidence": "A String", # The level of confidence in the given verdict.
    "priorityLevel": "A String", # The level of Priority.
    "reasoning": "A String", # Human-readable explanation from the model, detailing why a particular result is considered to have a certain priority.
  },
  "relevanceAnalysis": { # Structured relevance analysis for a threat. # Output only. High-Precision Relevance Analysis verdict for the alert.
    "confidence": "A String", # The level of confidence in the given verdict.
    "evidence": { # Details the evidence used to determine the relevance verdict. # Evidence supporting the verdict, including matched and unmatched items.
      "commonThemes": [ # A list of semantic themes or concepts found to be common, related, or aligned between the sources, supporting the verdict.
        "A String",
      ],
      "distinctThemes": [ # A list of semantic themes or descriptions unique to one source or semantically distant.
        "A String",
      ],
    },
    "reasoning": "A String", # Human-readable explanation from the matcher, detailing why a particular result is considered relevant or not relevant.
    "relevanceLevel": "A String", # The level of relevance.
    "relevant": True or False, # Indicates whether the threat is considered relevant.
  },
  "severityAnalysis": { # Structured severity analysis for a threat. # Output only. High-Precision Severity Analysis for the alert.
    "confidence": "A String", # The level of confidence in the given verdict.
    "reasoning": "A String", # Human-readable explanation from the model, detailing why a particular result is considered to have a certain severity.
    "severityLevel": "A String", # The level of severity.
  },
  "state": "A String", # Output only. State of the alert.
}
triage(name, body=None, x__xgafv=None)
Marks an alert as triaged - TRIAGED.

Args:
  name: string, Required. Name of the alert to mark as triaged. Format: projects/{project}/alerts/{alert} (required)
  body: object, The request body.
    The object takes the form of:

{ # Request message for MarkAlertAsTriaged.
}

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Stateful object representing a group of Findings. Key feature to an Alert is that it expresses the user's intent towards the findings of that group, even those that haven't occurred yet.
  "aiSummary": "A String", # Optional. AI summary of the finding.
  "assets": [ # Output only. Assets that are impacted by this alert.
    "A String",
  ],
  "audit": { # Tracks basic CRUD facts. # Output only. Audit information for the alert.
    "createTime": "A String", # Output only. Time of creation.
    "creator": "A String", # Output only. Agent that created or updated the record, could be a UserId or a JobId.
    "updateTime": "A String", # Output only. Time of creation or last update.
    "updater": "A String", # Output only. Agent that last updated the record, could be a UserId or a JobId.
  },
  "configurations": [ # Output only. The resource names of the Configurations bound to this alert. Format: projects/{project}/configurations/{configuration}
    "A String",
  ],
  "detail": { # Container for different types of alert details. # Output only. Details object for the alert, not all alerts will have a details object.
    "dataLeak": { # Captures the specific details of Data Leak alert. # Data Leak alert detail type.
      "discoveryDocumentIds": [ # Required. Array of ids to accommodate multiple discovery documents
        "A String",
      ],
      "severity": "A String", # Required. Data Leak specific severity. This will be the string representation of the DataLeakFindingDetail.Severity enum (e.g., "LOW", "MEDIUM", "HIGH", "CRITICAL").
    },
    "detailType": "A String", # Output only. Name of the detail type. Will be set by the server during creation to the name of the field that is set in the detail union.
    "initialAccessBroker": { # Captures the specific details of InitialAccessBroker (IAB) alert. # Initial Access Broker alert detail type.
      "discoveryDocumentIds": [ # Required. Array of ids to accommodate multiple discovery documents
        "A String",
      ],
      "severity": "A String", # Required. IAB specific severity
    },
    "insiderThreat": { # Captures the specific details of InsiderThreat alert. # Insider Threat alert detail type.
      "discoveryDocumentIds": [ # Required. Array of ids to accommodate multiple discovery documents
        "A String",
      ],
      "severity": "A String", # Required. InsiderThreat specific severity. This will be the string representation of the InsiderThreatFindingDetail.Severity enum (e.g., "LOW", "MEDIUM", "HIGH", "CRITICAL").
    },
    "suspiciousDomain": { # The alert detail for a suspicious domain finding. # Domain Monitoring alert detail type.
      "dns": { # The DNS details of the suspicious domain. # The DNS details of the suspicious domain.
        "dnsRecords": [ # The DNS records of the suspicious domain.
          { # The DNS record of the suspicious domain.
            "record": "A String", # The name of the DNS record.
            "ttl": 42, # The TTL of the DNS record.
            "type": "A String", # The type of the DNS record.
            "value": "A String", # The value of the DNS record.
          },
        ],
        "retrievalTime": "A String", # The time the DNS details were retrieved.
      },
      "domain": "A String", # Required. The suspicious domain name.
      "gtiDetails": { # The GTI details of the suspicious domain. # The GTI details of the suspicious domain.
        "threatScore": 42, # The threat score of the suspicious domain. The threat score is a number between 0 and 100.
        "verdict": "A String", # Output only. The verdict of the suspicious domain.
        "virustotalUri": "A String", # VirusTotal link for the domain
      },
      "webRiskOperation": "A String", # Output only. Name of Web Risk submission operation.
      "webRiskState": "A String", # Output only. Status of the Web Risk submission.
      "whois": { # The whois details of the suspicious domain. # The whois details of the suspicious domain.
        "retrievalTime": "A String", # The time the whois details were retrieved.
        "whois": "A String", # The whois details of the suspicious domain.
      },
    },
    "targetTechnology": { # Contains details for a technology watchlist alert. # Technology Watchlist alert detail type.
      "vulnerabilityMatch": { # Contains details about a vulnerability match. # Output only. The vulnerability match details.
        "associations": [ # Optional. Associated threat actors, malware, etc. This is embedded as a snapshot because the details of the association at the time of the vulnerability match are important for context and reporting.
          { # Represents an association with a vulnerability.
            "id": "A String", # Required. The ID of the association.
            "type": "A String", # Required. The type of the association.
          },
        ],
        "collectionId": "A String", # Output only. The collection ID of the vulnerability. Ex: "vulnerability--cve-2025-9876".
        "cveId": "A String", # Output only. The CVE ID of the vulnerability. Ex: "CVE-2025-9876". See https://www.cve.org/ for more information.
        "cvss3Score": 3.14, # Output only. The CVSS v3 score of the vulnerability. Example: 6.4.
        "description": "A String", # Output only. A description of the vulnerability.
        "exploitationState": "A String", # Output only. The exploitation state of the vulnerability.
        "riskRating": "A String", # Output only. The risk rating of the vulnerability.
        "technologies": [ # Output only. The affected technologies. Ex: "Apache Struts".
          "A String",
        ],
      },
    },
  },
  "displayName": "A String", # Output only. A short title for the alert.
  "duplicateOf": "A String", # Output only. alert name of the alert this alert is a duplicate of. Format: projects/{project}/alerts/{alert}
  "duplicatedBy": [ # Output only. alert names of the alerts that are duplicates of this alert. Format: projects/{project}/alerts/{alert}
    "A String",
  ],
  "etag": "A String", # Optional. If included when updating an alert, this should be set to the current etag of the alert. If the etags do not match, the update will be rejected and an ABORTED error will be returned.
  "externalId": "A String", # Output only. External ID for the alert. This is used internally to provide protection against out of order updates.
  "findings": [ # Output only. Findings that are covered by this alert.
    "A String",
  ],
  "name": "A String", # Identifier. Server-generated name for the alert. Format: projects/{project}/alerts/{alert}
  "priorityAnalysis": { # Structured priority analysis for a threat. # Output only. High-Precision Priority Analysis for the alert.
    "confidence": "A String", # The level of confidence in the given verdict.
    "priorityLevel": "A String", # The level of Priority.
    "reasoning": "A String", # Human-readable explanation from the model, detailing why a particular result is considered to have a certain priority.
  },
  "relevanceAnalysis": { # Structured relevance analysis for a threat. # Output only. High-Precision Relevance Analysis verdict for the alert.
    "confidence": "A String", # The level of confidence in the given verdict.
    "evidence": { # Details the evidence used to determine the relevance verdict. # Evidence supporting the verdict, including matched and unmatched items.
      "commonThemes": [ # A list of semantic themes or concepts found to be common, related, or aligned between the sources, supporting the verdict.
        "A String",
      ],
      "distinctThemes": [ # A list of semantic themes or descriptions unique to one source or semantically distant.
        "A String",
      ],
    },
    "reasoning": "A String", # Human-readable explanation from the matcher, detailing why a particular result is considered relevant or not relevant.
    "relevanceLevel": "A String", # The level of relevance.
    "relevant": True or False, # Indicates whether the threat is considered relevant.
  },
  "severityAnalysis": { # Structured severity analysis for a threat. # Output only. High-Precision Severity Analysis for the alert.
    "confidence": "A String", # The level of confidence in the given verdict.
    "reasoning": "A String", # Human-readable explanation from the model, detailing why a particular result is considered to have a certain severity.
    "severityLevel": "A String", # The level of severity.
  },
  "state": "A String", # Output only. State of the alert.
}
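
The Alert object above carries its type-specific data in the `detail` union, and `detailType` names the field that is set. The following is an added example, not part of the generated reference or the client library: it flattens alerts into a review queue and validates the resource name before calling `triage()`. The 1-4 rank scale, the `threatScore` bucketing, the helper names and the `alerts_resource` parameter (assumed to be the `projects().alerts()` resource) are assumptions.

```python
import re

# Documented resource name format: projects/{project}/alerts/{alert}
ALERT_NAME = re.compile(r"projects/[^/]+/alerts/[^/]+")
# Ordering assumed from the documented examples "LOW", "MEDIUM", "HIGH", "CRITICAL".
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def cvss3_rank(score):
    """Map a CVSS v3 base score to its qualitative band (1=low .. 4=critical)."""
    return sum(score >= t for t in (0.1, 4.0, 7.0, 9.0)) if score else 0

def summarize_alert(alert):
    """Flatten one Alert dict into the fields an analyst sorts a queue by."""
    name = alert.get("name", "")
    if not ALERT_NAME.fullmatch(name):
        raise ValueError(f"unexpected alert name: {name!r}")
    detail = alert.get("detail") or {}        # not every alert has a detail object
    kind = detail.get("detailType")           # names the field set in the detail union
    body = (detail.get(kind) or {}) if kind else {}
    out = {"name": name, "type": kind, "indicator": None, "rank": 0}
    if kind == "suspiciousDomain":
        score = (body.get("gtiDetails") or {}).get("threatScore")
        out["indicator"] = body.get("domain")
        # Assumption: fold the 0-100 threatScore into quarters of the 1-4 scale.
        out["rank"] = 0 if score is None else min(4, 1 + score // 25)
    elif kind == "targetTechnology":
        match = body.get("vulnerabilityMatch") or {}
        out["indicator"] = match.get("cveId")
        out["rank"] = cvss3_rank(match.get("cvss3Score"))
    elif kind in ("dataLeak", "initialAccessBroker", "insiderThreat"):
        out["rank"] = SEVERITY_RANK.get(str(body.get("severity", "")).upper(), 0)
    return out

def triage_queue(alerts):
    """Order alerts for review, highest rank first; ties keep input order."""
    return sorted((summarize_alert(a) for a in alerts), key=lambda s: -s["rank"])

def mark_triaged(alerts_resource, name):
    """Call triage() on an assumed projects().alerts() resource; return the new state."""
    if not ALERT_NAME.fullmatch(name):
        raise ValueError(f"unexpected alert name: {name!r}")
    return alerts_resource.triage(name=name, body={}).execute().get("state")

# Constructed sample alerts in the documented shape (not real data).
SAMPLE = [
    {"name": "projects/p1/alerts/a1", "detail": {"detailType": "dataLeak", "dataLeak": {"severity": "MEDIUM"}}},
    {"name": "projects/p1/alerts/a2", "detail": {"detailType": "suspiciousDomain", "suspiciousDomain": {"domain": "login-example.test", "gtiDetails": {"threatScore": 80}}}},
    {"name": "projects/p1/alerts/a3"},
]
```

Alerts without a `detail` object, or with a severity string outside the four documented examples, fall to rank 0 instead of raising, so they still appear at the end of the queue.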