Threat Intelligence API . projects . findings

Instance Methods

close()

Close httplib2 connections.

get(name, x__xgafv=None)

Get a finding by name. The `name` field should have the format: `projects/{project}/findings/{finding}`

list(parent, filter=None, orderBy=None, pageSize=None, pageToken=None, x__xgafv=None)

Get a list of findings that meet the filter criteria. The `parent` field in ListFindingsRequest should have the format: projects/{project}

list_next()

Retrieves the next page of results.

search(parent, orderBy=None, pageSize=None, pageToken=None, query=None, x__xgafv=None)

SearchFindings is a more powerful version of ListFindings that supports complex queries like "findings for alerts" using functions such as `has_alert` in the query string. The `parent` field in SearchFindingsRequest should have the format: projects/{project}. Example to search for findings for a specific issue: `has_alert("name=\"projects/gti-12345/alerts/alert-12345\"")`

search_next()

Retrieves the next page of results.

Method Details

close()
Close httplib2 connections.

get(name, x__xgafv=None)
Get a finding by name. The `name` field should have the format: `projects/{project}/findings/{finding}`

Args:
  name: string, Required. Name of the finding to get. (required)
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # A stateless, point-in-time event recording that a check produced a result of interest.
  "aiSummary": "A String", # Optional. AI summary of the finding.
  "alert": "A String", # Optional. Name of the alert that this finding is bound to.
  "audit": { # Tracks basic CRUD facts. # Output only. Audit data about the finding.
    "createTime": "A String", # Output only. Time of creation.
    "creator": "A String", # Output only. Agent that created or updated the record, could be a UserId or a JobId.
    "updateTime": "A String", # Output only. Time of creation or last update.
    "updater": "A String", # Output only. Agent that last updated the record, could be a UserId or a JobId.
  },
  "configurations": [ # Optional. Configuration names that are bound to this finding.
    "A String",
  ],
  "detail": { # Wrapper class that contains the union struct for all the various findings detail specific classes. # Required. Holder of the domain specific details of the finding.
    "dataLeak": { # A detail object for a Data Leak finding. # Data Leak finding detail type.
      "documentId": "A String", # Required. The unique identifier of the document that triggered the Data Leak finding. This ID can be used to retrieve the content of the document for further analysis.
      "matchScore": 3.14, # Required. Reference to the match score of the Data Leak finding. This is a float value greater than 0 and less than or equal to 1 calculated by the matching engine based on the similarity of the document and the user provided configurations.
      "severity": "A String", # Required. The severity of the Data Leak finding. This indicates the potential impact of the threat.
    },
    "detailType": "A String", # Output only. Name of the detail type. Will be set by the server during creation to the name of the field that is set in the detail union.
    "initialAccessBroker": { # A detail object for an Initial Access Broker (IAB) finding. # Initial Access Broker finding detail type.
      "documentId": "A String", # Required. The unique identifier of the document that triggered the IAB finding. This ID can be used to retrieve the content of the document for further analysis.
      "matchScore": 3.14, # Required. Reference to the match score of the IAB finding. This is a float value between 0 and 1 calculated by the matching engine based on the similarity of the document and the user provided configurations.
      "severity": "A String", # Required. The severity of the IAB finding. This indicates the potential impact of the threat.
    },
    "insiderThreat": { # A detail object for an InsiderThreat finding. # Insider Threat finding detail type.
      "documentId": "A String", # Required. The unique identifier of the document that triggered the InsiderThreat finding. This ID can be used to retrieve the content of the document for further analysis.
      "matchScore": 3.14, # Required. Reference to the match score of the InsiderThreat finding. This is a float value greater than 0 and less than or equal to 1 calculated by the matching engine based on the similarity of the document and the user provided configurations.
      "severity": "A String", # Required. The severity of the InsiderThreat finding. This indicates the potential impact of the threat.
    },
  },
  "displayName": "A String", # Required. A short descriptive title for the finding <= 250 chars. EX: "Actor 'baddy' offering $1000 for credentials of 'goodguy'".
  "name": "A String", # Identifier. Server generated name for the finding (leave clear during creation). Format: projects/{project}/findings/{finding}
  "provider": "A String", # Required. Logical source of this finding (name of the sub-engine).
  "relevanceAnalysis": { # Structured relevance analysis for a threat. # Output only. High-Precision Relevance Analysis verdict for the finding.
    "confidence": "A String", # The level of confidence in the given verdict.
    "evidence": { # Details the evidence used to determine the relevance verdict. # Evidence supporting the verdict, including matched and unmatched items.
      "commonThemes": [ # A list of semantic themes or concepts found to be common, related, or aligned between the sources, supporting the verdict.
        "A String",
      ],
      "distinctThemes": [ # A list of semantic themes or descriptions unique to one source or semantically distant.
        "A String",
      ],
    },
    "reasoning": "A String", # Human-readable explanation from the matcher, detailing why a particular result is considered relevant or not relevant.
    "relevanceLevel": "A String", # The level of relevance.
    "relevant": True or False, # Indicates whether the threat is considered relevant.
  },
  "reoccurrenceTimes": [ # Output only. Times when an identical finding (same labels and same details) has re-occurred.
    "A String",
  ],
  "severity": 3.14, # Optional. Deprecated: Use the `severity_analysis` field instead. Base severity score from the finding source.
  "severityAnalysis": { # Structured severity analysis for a threat. # Output only. High-Precision Severity Analysis verdict for the finding.
    "confidence": "A String", # The level of confidence in the given verdict.
    "reasoning": "A String", # Human-readable explanation from the model, detailing why a particular result is considered to have a certain severity.
    "severityLevel": "A String", # The level of severity.
  },
}

list(parent, filter=None, orderBy=None, pageSize=None, pageToken=None, x__xgafv=None)
Get a list of findings that meet the filter criteria. The `parent` field in ListFindingsRequest should have the format: projects/{project}

Args:
  parent: string, Required. Parent of the findings. (required)
  filter: string, Optional. Filter criteria.
  orderBy: string, Optional. Order by criteria in the csv format: "field1,field2 desc" or "field1,field2" or "field1 asc, field2".
  pageSize: integer, Optional. Page size.
  pageToken: string, Optional. Page token.
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Response message for ListFindings.
  "findings": [ # List of findings.
    { # A stateless, point-in-time event recording that a check produced a result of interest.
      "aiSummary": "A String", # Optional. AI summary of the finding.
      "alert": "A String", # Optional. Name of the alert that this finding is bound to.
      "audit": { # Tracks basic CRUD facts. # Output only. Audit data about the finding.
        "createTime": "A String", # Output only. Time of creation.
        "creator": "A String", # Output only. Agent that created or updated the record, could be a UserId or a JobId.
        "updateTime": "A String", # Output only. Time of creation or last update.
        "updater": "A String", # Output only. Agent that last updated the record, could be a UserId or a JobId.
      },
      "configurations": [ # Optional. Configuration names that are bound to this finding.
        "A String",
      ],
      "detail": { # Wrapper class that contains the union struct for all the various findings detail specific classes. # Required. Holder of the domain specific details of the finding.
        "dataLeak": { # A detail object for a Data Leak finding. # Data Leak finding detail type.
          "documentId": "A String", # Required. The unique identifier of the document that triggered the Data Leak finding. This ID can be used to retrieve the content of the document for further analysis.
          "matchScore": 3.14, # Required. Reference to the match score of the Data Leak finding. This is a float value greater than 0 and less than or equal to 1 calculated by the matching engine based on the similarity of the document and the user provided configurations.
          "severity": "A String", # Required. The severity of the Data Leak finding. This indicates the potential impact of the threat.
        },
        "detailType": "A String", # Output only. Name of the detail type. Will be set by the server during creation to the name of the field that is set in the detail union.
        "initialAccessBroker": { # A detail object for an Initial Access Broker (IAB) finding. # Initial Access Broker finding detail type.
          "documentId": "A String", # Required. The unique identifier of the document that triggered the IAB finding. This ID can be used to retrieve the content of the document for further analysis.
          "matchScore": 3.14, # Required. Reference to the match score of the IAB finding. This is a float value between 0 and 1 calculated by the matching engine based on the similarity of the document and the user provided configurations.
          "severity": "A String", # Required. The severity of the IAB finding. This indicates the potential impact of the threat.
        },
        "insiderThreat": { # A detail object for an InsiderThreat finding. # Insider Threat finding detail type.
          "documentId": "A String", # Required. The unique identifier of the document that triggered the InsiderThreat finding. This ID can be used to retrieve the content of the document for further analysis.
          "matchScore": 3.14, # Required. Reference to the match score of the InsiderThreat finding. This is a float value greater than 0 and less than or equal to 1 calculated by the matching engine based on the similarity of the document and the user provided configurations.
          "severity": "A String", # Required. The severity of the InsiderThreat finding. This indicates the potential impact of the threat.
        },
      },
      "displayName": "A String", # Required. A short descriptive title for the finding <= 250 chars. EX: "Actor 'baddy' offering $1000 for credentials of 'goodguy'".
      "name": "A String", # Identifier. Server generated name for the finding (leave clear during creation). Format: projects/{project}/findings/{finding}
      "provider": "A String", # Required. Logical source of this finding (name of the sub-engine).
      "relevanceAnalysis": { # Structured relevance analysis for a threat. # Output only. High-Precision Relevance Analysis verdict for the finding.
        "confidence": "A String", # The level of confidence in the given verdict.
        "evidence": { # Details the evidence used to determine the relevance verdict. # Evidence supporting the verdict, including matched and unmatched items.
          "commonThemes": [ # A list of semantic themes or concepts found to be common, related, or aligned between the sources, supporting the verdict.
            "A String",
          ],
          "distinctThemes": [ # A list of semantic themes or descriptions unique to one source or semantically distant.
            "A String",
          ],
        },
        "reasoning": "A String", # Human-readable explanation from the matcher, detailing why a particular result is considered relevant or not relevant.
        "relevanceLevel": "A String", # The level of relevance.
        "relevant": True or False, # Indicates whether the threat is considered relevant.
      },
      "reoccurrenceTimes": [ # Output only. Times when an identical finding (same labels and same details) has re-occurred.
        "A String",
      ],
      "severity": 3.14, # Optional. Deprecated: Use the `severity_analysis` field instead. Base severity score from the finding source.
      "severityAnalysis": { # Structured severity analysis for a threat. # Output only. High-Precision Severity Analysis verdict for the finding.
        "confidence": "A String", # The level of confidence in the given verdict.
        "reasoning": "A String", # Human-readable explanation from the model, detailing why a particular result is considered to have a certain severity.
        "severityLevel": "A String", # The level of severity.
      },
    },
  ],
  "nextPageToken": "A String", # Page token.
}

list_next()
Retrieves the next page of results.

Args:
  previous_request: The request for the previous page. (required)
  previous_response: The response from the request for the previous page. (required)

Returns:
  A request object that you can call 'execute()' on to request the next
  page. Returns None if there are no more items in the collection.
        
search(parent, orderBy=None, pageSize=None, pageToken=None, query=None, x__xgafv=None)
SearchFindings is a more powerful version of ListFindings that supports complex queries like "findings for alerts" using functions such as `has_alert` in the query string. The `parent` field in SearchFindingsRequest should have the format: projects/{project}. Example to search for findings for a specific issue: `has_alert("name=\"projects/gti-12345/alerts/alert-12345\"")`

Args:
  parent: string, Required. Parent of the findings. Format: vaults/{vault} (required)
  orderBy: string, Optional. Order by criteria in the csv format: "field1,field2 desc" or "field1,field2" or "field1 asc, field2".
  pageSize: integer, Optional. Page size.
  pageToken: string, Optional. Page token.
  query: string, Optional. Query on what findings will be returned. This supports the same filter criteria as FindingService.ListFindings as well as the following relationship query `has_alert`. Example: `has_alert("name=\"projects/gti-12345/alerts/alert-12345\"")`
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Response message for SearchFindings.
  "findings": [ # List of findings.
    { # A stateless, point-in-time event recording that a check produced a result of interest.
      "aiSummary": "A String", # Optional. AI summary of the finding.
      "alert": "A String", # Optional. Name of the alert that this finding is bound to.
      "audit": { # Tracks basic CRUD facts. # Output only. Audit data about the finding.
        "createTime": "A String", # Output only. Time of creation.
        "creator": "A String", # Output only. Agent that created or updated the record, could be a UserId or a JobId.
        "updateTime": "A String", # Output only. Time of creation or last update.
        "updater": "A String", # Output only. Agent that last updated the record, could be a UserId or a JobId.
      },
      "configurations": [ # Optional. Configuration names that are bound to this finding.
        "A String",
      ],
      "detail": { # Wrapper class that contains the union struct for all the various findings detail specific classes. # Required. Holder of the domain specific details of the finding.
        "dataLeak": { # A detail object for a Data Leak finding. # Data Leak finding detail type.
          "documentId": "A String", # Required. The unique identifier of the document that triggered the Data Leak finding. This ID can be used to retrieve the content of the document for further analysis.
          "matchScore": 3.14, # Required. Reference to the match score of the Data Leak finding. This is a float value greater than 0 and less than or equal to 1 calculated by the matching engine based on the similarity of the document and the user provided configurations.
          "severity": "A String", # Required. The severity of the Data Leak finding. This indicates the potential impact of the threat.
        },
        "detailType": "A String", # Output only. Name of the detail type. Will be set by the server during creation to the name of the field that is set in the detail union.
        "initialAccessBroker": { # A detail object for an Initial Access Broker (IAB) finding. # Initial Access Broker finding detail type.
          "documentId": "A String", # Required. The unique identifier of the document that triggered the IAB finding. This ID can be used to retrieve the content of the document for further analysis.
          "matchScore": 3.14, # Required. Reference to the match score of the IAB finding. This is a float value between 0 and 1 calculated by the matching engine based on the similarity of the document and the user provided configurations.
          "severity": "A String", # Required. The severity of the IAB finding. This indicates the potential impact of the threat.
        },
        "insiderThreat": { # A detail object for an InsiderThreat finding. # Insider Threat finding detail type.
          "documentId": "A String", # Required. The unique identifier of the document that triggered the InsiderThreat finding. This ID can be used to retrieve the content of the document for further analysis.
          "matchScore": 3.14, # Required. Reference to the match score of the InsiderThreat finding. This is a float value greater than 0 and less than or equal to 1 calculated by the matching engine based on the similarity of the document and the user provided configurations.
          "severity": "A String", # Required. The severity of the InsiderThreat finding. This indicates the potential impact of the threat.
        },
      },
      "displayName": "A String", # Required. A short descriptive title for the finding <= 250 chars. EX: "Actor 'baddy' offering $1000 for credentials of 'goodguy'".
      "name": "A String", # Identifier. Server generated name for the finding (leave clear during creation). Format: projects/{project}/findings/{finding}
      "provider": "A String", # Required. Logical source of this finding (name of the sub-engine).
      "relevanceAnalysis": { # Structured relevance analysis for a threat. # Output only. High-Precision Relevance Analysis verdict for the finding.
        "confidence": "A String", # The level of confidence in the given verdict.
        "evidence": { # Details the evidence used to determine the relevance verdict. # Evidence supporting the verdict, including matched and unmatched items.
          "commonThemes": [ # A list of semantic themes or concepts found to be common, related, or aligned between the sources, supporting the verdict.
            "A String",
          ],
          "distinctThemes": [ # A list of semantic themes or descriptions unique to one source or semantically distant.
            "A String",
          ],
        },
        "reasoning": "A String", # Human-readable explanation from the matcher, detailing why a particular result is considered relevant or not relevant.
        "relevanceLevel": "A String", # The level of relevance.
        "relevant": True or False, # Indicates whether the threat is considered relevant.
      },
      "reoccurrenceTimes": [ # Output only. Times when an identical finding (same labels and same details) has re-occurred.
        "A String",
      ],
      "severity": 3.14, # Optional. Deprecated: Use the `severity_analysis` field instead. Base severity score from the finding source.
      "severityAnalysis": { # Structured severity analysis for a threat. # Output only. High-Precision Severity Analysis verdict for the finding.
        "confidence": "A String", # The level of confidence in the given verdict.
        "reasoning": "A String", # Human-readable explanation from the model, detailing why a particular result is considered to have a certain severity.
        "severityLevel": "A String", # The level of severity.
      },
    },
  ],
  "nextPageToken": "A String", # Page token.
}

search_next()
Retrieves the next page of results.

Args:
  previous_request: The request for the previous page. (required)
  previous_response: The response from the request for the previous page. (required)

Returns:
  A request object that you can call 'execute()' on to request the next
  page. Returns None if there are no more items in the collection.
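
Added example, not part of the generated reference or of the client library: paging through `search()` with `search_next()` for the findings bound to one alert, then reducing each finding to triage fields. `FakeFindings`, the helper names, the `SAMPLE_*` severity strings and the character set allowed in alert names are assumptions made for an offline run; pass the real findings resource object in place of the fake.

```python
import re
from types import SimpleNamespace

# Name shape is from this page; the allowed character set is an assumption.
ALERT_NAME = re.compile(r"projects/[\w-]+/alerts/[\w-]+")
DETAIL_KEYS = ("dataLeak", "initialAccessBroker", "insiderThreat")


def has_alert_query(alert_name):
    """Build the has_alert(...) query, refusing names that could break its quoting."""
    if not ALERT_NAME.fullmatch(alert_name):
        raise ValueError(f"unexpected alert name: {alert_name!r}")
    return 'has_alert("name=\\"%s\\"")' % alert_name


def iter_findings(findings_api, parent, query, page_size=100):
    """Yield findings from every page via search() and search_next()."""
    request = findings_api.search(parent=parent, query=query, pageSize=page_size)
    while request is not None:
        response = request.execute()
        yield from response.get("findings", [])
        request = findings_api.search_next(request, response)


def triage(finding):
    """Reduce a finding to queue fields; the deprecated top-level severity is ignored."""
    detail = finding.get("detail", {})
    kind = next((k for k in DETAIL_KEYS if k in detail), None)  # union member that is set
    body = detail.get(kind, {})
    analysed = finding.get("severityAnalysis", {}).get("severityLevel")
    return {
        "name": finding.get("name"),
        "kind": kind,
        "matchScore": body.get("matchScore"),
        "severity": analysed or body.get("severity"),
        "relevant": finding.get("relevanceAnalysis", {}).get("relevant"),
    }


class FakeFindings:
    """Constructed offline stand-in for the findings resource (search/search_next only)."""
    def __init__(self, pages):
        self.pages = pages

    def _request(self, index):
        return SimpleNamespace(index=index, execute=lambda: self.pages[index])

    def search(self, parent, query=None, pageSize=None):
        return self._request(0)

    def search_next(self, previous_request, previous_response):
        more = previous_response.get("nextPageToken")
        return self._request(previous_request.index + 1) if more else None


def demo():
    f1 = {"name": "projects/gti-12345/findings/f1", "severity": 9.0,
          "detail": {"dataLeak": {"matchScore": 0.92, "severity": "SAMPLE_HIGH"}}}
    f2 = {"name": "projects/gti-12345/findings/f2",
          "detail": {"insiderThreat": {"matchScore": 0.4, "severity": "SAMPLE_LOW"}},
          "severityAnalysis": {"severityLevel": "SAMPLE_MEDIUM"}}
    pages = [{"findings": [f1], "nextPageToken": "t1"}, {"findings": [f2]}]  # constructed
    query = has_alert_query("projects/gti-12345/alerts/alert-12345")
    return [triage(f) for f in iter_findings(FakeFindings(pages), "projects/gti-12345", query)]
```

Validating the alert name before it is embedded keeps caller-supplied text from closing the nested quotes and altering the query.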