
Cyware Orchestrate

Google Chronicle

App Vendor: Google Cloud

App Category: Analytics & SIEM

Connector Version: 1.1.0

API Version: 1.0.0

Notice

This is a beta-app and the documentation is in progress.

About App

Chronicle, powered by Google infrastructure, enables cost-effective use of security telemetry to improve SOC productivity and combat modern threats.

The Google Chronicle app is configured with the Orchestrate application to perform the following actions:

Get Alert Details

This action retrieves the alert with the provided ID.

List Alerts (Deprecated)

This action provides a list of asset-based and user-based alerts.

List Asset Events

This action provides a list of parsed events for the asset matching the provided identifier. One of hostname, ip_address, mac_address, or product_id must be provided.

List Detections

This action lists detections for either a specified rule version, the latest version, all versions of a rule, or all versions of all rules.

List IOCs

This action provides a list of indicators of compromise within the provided time range.

Query Events

This action executes the specified query to search for events in the Chronicle environment.

Generic Action

This is a generic action used to make requests to any Google Chronicle endpoint.


Configuration Parameters

The following configuration parameters are required for the Google Chronicle app to communicate with the Google Chronicle enterprise application. You configure them by creating an instance of the app.

Parameter: Credential File
Description: Enter the Google-provided JSON credential file.
Field Type: File
Required/Optional: Required

Parameter: SSL Verification
Description: Choose whether to perform certificate verification on SSL connections.
Field Type: Boolean
Required/Optional: Optional
Comments: Default value: true

Action: Get Alert

This action retrieves the alert with the specified ID.

Action Input Parameters

Parameter: Alert ID
Description: Enter the ID of the alert whose details you want to retrieve.
Field Type: Text
Required/Optional: Required
Comments: You can retrieve the Alert ID using the List Alerts action.

Action: List Alerts (Deprecated)

This action provides a list of asset-based and user-based alerts.

Action Input Parameters

Parameter: Start time
Description: Enter the beginning of the time range for the search, as an ISO 8601 string (YYYY-MM-DDThh:mm:ss).
Example: 1970-01-01T12:00:00
Field Type: Text
Required/Optional: Required

Parameter: End time
Description: Enter the end of the time range for the search, as an ISO 8601 string (YYYY-MM-DDThh:mm:ss).
Example: 1970-01-01T12:00:00
Field Type: Text
Required/Optional: Required

Parameter: Local time
Description: Choose whether the specified times are in the system's local timezone rather than UTC.
Example: false
Field Type: Boolean
Required/Optional: Optional
Comments: Default value: false

Parameter: Page size
Description: Enter the maximum number of alerts to return, up to 100,000.
Example: 1000
Field Type: Integer
Required/Optional: Optional
Comments: Default value: 1000

Action: List Asset Events

This action provides a list of parsed events for the asset matching the provided identifier. One of hostname, ip_address, mac_address, or product_id must be provided.

Action Input Parameters

Parameter: Hostname
Description: Enter the hostname of the asset whose events you want to list.
Example: "enterprise.service.example.com"
Field Type: Text
Required/Optional: Optional

Parameter: IP address
Description: Enter the IP address of the asset.
Example: 10.0.2.10
Field Type: Text
Required/Optional: Optional

Parameter: MAC address
Description: Enter the MAC address of the asset.
Field Type: Text
Required/Optional: Optional

Parameter: Product ID
Description: Enter the product ID of the asset.
Example: "CS:3456-7891"
Field Type: Text
Required/Optional: Optional

Parameter: Start time
Description: Enter the beginning of the event time range, as an ISO 8601 string (YYYY-MM-DDThh:mm:ss).
Example: 1970-01-01T12:00:00
Field Type: Text
Required/Optional: Optional

Parameter: End time
Description: Enter the end of the event time range, as an ISO 8601 string (YYYY-MM-DDThh:mm:ss).
Example: 1970-01-01T12:00:00
Field Type: Text
Required/Optional: Optional

Parameter: Local time
Description: Choose whether the specified times are in the system's local timezone rather than UTC.
Example: false
Field Type: Boolean
Required/Optional: Optional
Comments: Default value: false

Parameter: Page size
Description: Enter the maximum number of events to return, up to 100,000.
Example: 1000
Field Type: Integer
Required/Optional: Optional
Comments: Default value: 1000

Action: List Detections

This action lists detections for either a specified rule version, the latest version, all versions of a rule, or all versions of all rules.

Action Input Parameters

Parameter: Rule ID
Description: Enter the unique identifier of a specific rule.
Example: ru_1f54ab4b-e523-48f7-ae25-271b5ea8337d
Field Type: Text
Required/Optional: Optional
Comments: Allowed format: ru_{UUID}

Parameter: Version ID
Description: Enter the unique identifier of a specific version of a rule.
Example: ru_1f54ab4b-e523-48f7-ae25-271b5ea8337d@v_1605892822_687503000
Field Type: Text
Required/Optional: Optional
Comments: Allowed format: {ruleId}@v_{int64}_{int64}

Parameter: Start Time
Description: Specify the start time from which to retrieve detections, filtered by the detection field selected in the List Basis (listBasis) parameter.
Example: 2020-12-03T16:59:55.124243Z
Field Type: Text
Required/Optional: Optional
Comments: Allowed format: ISO 8601

Parameter: End Time
Description: Specify the end time up to which to retrieve detections, filtered by the detection field selected in the List Basis (listBasis) parameter.
Example: 2020-12-04T16:59:55.124243Z
Field Type: Text
Required/Optional: Optional
Comments: Allowed format: ISO 8601

Parameter: Page Size
Description: Enter the number of detections to retrieve per page.
Field Type: Integer
Required/Optional: Optional
Comments: Allowed range: 1 to 1000. Default value: 100

Parameter: List Basis
Description: Enter the detection field by which to sort the detections.
Field Type: Text
Required/Optional: Optional
Comments: Allowed values: DETECTION_TIME and CREATED_TIME. By default, detections are sorted by DETECTION_TIME in descending order.

Parameter: Alert State
Description: Enter the alert state by which to filter the detections.
Field Type: Text
Required/Optional: Optional
Comments: Allowed values: ALERTING and NOT_ALERTING
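Client-side validation of the List Detections inputs above, written as an added example for this page (not code from Cyware or Google): it enforces the documented rule ID and version ID formats, the 1 to 1000 page size range and the allowed List Basis and Alert State values, normalises the ISO 8601 timestamps to UTC, and adds one assumed consistency check between rule_id and version_id.

```python
import re
from datetime import datetime, timezone
UUID = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
RULE_ID_RE = re.compile(rf"^ru_{UUID}$")                     # allowed format ru_{UUID}
VERSION_ID_RE = re.compile(rf"^(ru_{UUID})@v_(\d+)_(\d+)$")  # {ruleId}@v_{int64}_{int64}
LIST_BASIS = {"DETECTION_TIME", "CREATED_TIME"}
ALERT_STATE = {"ALERTING", "NOT_ALERTING"}
PAGE_MIN, PAGE_MAX, PAGE_DEFAULT = 1, 1000, 100              # allowed range and default

def _parse_utc(value, name):  # ISO 8601 with an offset or 'Z' -> aware UTC datetime
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"{name} must include a timezone offset or 'Z'")
    return dt.astimezone(timezone.utc)

def build_list_detections_params(rule_id=None, version_id=None, start_time=None,
                                 end_time=None, page_size=None, list_basis=None,
                                 alert_state=None):
    """Validate List Detections inputs; return the parameters to send or raise ValueError."""
    params = {}
    if rule_id is not None:
        if not RULE_ID_RE.match(rule_id):
            raise ValueError("rule_id must have the form ru_{UUID}")
        params["rule_id"] = rule_id
    if version_id is not None:
        match = VERSION_ID_RE.match(version_id)
        if not match:
            raise ValueError("version_id must have the form {ruleId}@v_{int64}_{int64}")
        # Assumed consistency check (not stated on the page): both IDs must name one rule.
        if rule_id is not None and match.group(1) != rule_id:
            raise ValueError("version_id belongs to a different rule than rule_id")
        params["version_id"] = version_id
    start = _parse_utc(start_time, "start_time") if start_time else None
    end = _parse_utc(end_time, "end_time") if end_time else None
    if start and end and start > end:
        raise ValueError("start_time must not be later than end_time")
    for key, dt in (("start_time", start), ("end_time", end)):
        if dt is not None:  # emit 'Z'-suffixed UTC timestamps, as in the page's examples
            params[key] = dt.isoformat().replace("+00:00", "Z")
    size = PAGE_DEFAULT if page_size is None else int(page_size)
    if not PAGE_MIN <= size <= PAGE_MAX:
        raise ValueError(f"page_size must be between {PAGE_MIN} and {PAGE_MAX}")
    params["page_size"] = size
    if list_basis is not None and list_basis not in LIST_BASIS:
        raise ValueError(f"list_basis must be one of {sorted(LIST_BASIS)}")
    if alert_state is not None and alert_state not in ALERT_STATE:
        raise ValueError(f"alert_state must be one of {sorted(ALERT_STATE)}")
    params.update({k: v for k, v in (("list_basis", list_basis),
                                     ("alert_state", alert_state)) if v is not None})
    return params
```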

Action: List IOCs

This action provides a list of indicators of compromise within the provided time range.

Action Input Parameters

Parameter: Start time
Description: Enter the beginning of the IOC time range, as an ISO 8601 string (YYYY-MM-DDThh:mm:ss).
Example: 1970-01-01T12:00:00
Field Type: Text
Required/Optional: Optional

Parameter: End time
Description: Enter the end of the IOC time range, as an ISO 8601 string (YYYY-MM-DDThh:mm:ss).
Example: 1970-01-01T12:00:00
Field Type: Text
Required/Optional: Optional

Parameter: Local time
Description: Choose whether the specified times are in the system's local timezone rather than UTC.
Example: false
Field Type: Boolean
Required/Optional: Optional
Comments: Default value: false

Parameter: Page size
Description: Enter the maximum number of IOCs to return, up to 100,000.
Example: 1000
Field Type: Integer
Required/Optional: Optional
Comments: Default value: 1000

Action: Query Events

This action executes the specified query to search for events in the Chronicle environment.

Action Input Parameters

Parameter: Raw query
Description: Enter the search query string used to search for events.
Field Type: Text
Required/Optional: Required

Parameter: Start time
Description: Enter the beginning of the event time range, as an ISO 8601 string (YYYY-MM-DDThh:mm:ss).
Example: 1970-01-01T12:00:00
Field Type: Text
Required/Optional: Required

Parameter: End time
Description: Enter the end of the event time range, as an ISO 8601 string (YYYY-MM-DDThh:mm:ss).
Example: 1970-01-01T12:00:00
Field Type: Text
Required/Optional: Required

Parameter: Local time
Description: Choose whether the specified times are in the system's local timezone rather than UTC.
Example: false
Field Type: Boolean
Required/Optional: Optional
Comments: Default value: false

Parameter: Page size
Description: Enter the maximum number of events to return, up to 100,000.
Example: 1000
Field Type: Integer
Required/Optional: Optional
Comments: Default value: 1000
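The Local time flag shared by List Alerts, List Asset Events, List IOCs and Query Events decides whether the offset-less timestamps are read in the system zone or in UTC, and getting it wrong silently shifts the search window by the zone offset. The helper below is an added example, not part of the connector; normalize_time_range and local_tz are assumed names, and it also applies the 100,000 page size ceiling these actions document.

```python
from datetime import datetime, timezone

MAX_PAGE_SIZE = 100_000   # ceiling documented for these actions
DEFAULT_PAGE_SIZE = 1000

def normalize_time_range(start_time, end_time, local_time=False, page_size=None,
                         local_tz=None):
    """Resolve the time-range inputs of these actions into unambiguous UTC timestamps.

    start_time / end_time: "YYYY-MM-DDThh:mm:ss" strings without an offset, as the
    actions expect. local_time: the Local time flag; when True the strings are read
    in local_tz (the system zone if None), otherwise as UTC. Returns the UTC strings,
    the validated page_size and the length of the window in seconds.
    """
    if local_tz is None:
        # Fixed offset of the current moment; pass a zoneinfo zone for DST-correct results.
        local_tz = datetime.now().astimezone().tzinfo
    zone = local_tz if local_time else timezone.utc

    def to_utc(value, name):
        try:  # the page writes the date/time separator as 't'; accept either case
            naive = datetime.strptime(str(value).upper(), "%Y-%m-%dT%H:%M:%S")
        except ValueError as exc:
            raise ValueError(f"{name}: expected YYYY-MM-DDThh:mm:ss, got {value!r}") from exc
        return naive.replace(tzinfo=zone).astimezone(timezone.utc)

    start, end = to_utc(start_time, "start_time"), to_utc(end_time, "end_time")
    if start >= end:
        raise ValueError("start_time must be earlier than end_time")
    size = DEFAULT_PAGE_SIZE if page_size is None else int(page_size)
    if not 1 <= size <= MAX_PAGE_SIZE:
        raise ValueError(f"page_size must be between 1 and {MAX_PAGE_SIZE}")
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return {"start_time": start.strftime(fmt), "end_time": end.strftime(fmt),
            "page_size": size, "window_seconds": int((end - start).total_seconds())}
```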

Action: Generic Action

This is a generic action used to make requests to any Google Chronicle endpoint.

Action Input Parameters

Parameter: Method
Description: Enter the HTTP method for the request.
Field Type: Text
Required/Optional: Required
Comments: Allowed values: GET, PUT, POST, DELETE

Parameter: Endpoint
Description: Enter the endpoint to send the request to.
Example: ioc/listiocs
Field Type: Text
Required/Optional: Required

Parameter: Query Params
Description: Enter the query parameters to pass to the API.
Field Type: Key Value
Required/Optional: Optional

Parameter: Payload
Description: Enter the payload data to pass to the API.
Field Type: Any
Required/Optional: Optional

Parameter: Additional Fields
Description: Enter the additional parameters to pass to the API.
Example: {'download': True, 'custom_output': 'This is a custom output'}
Field Type: Key Value
Required/Optional: Optional
Comments: Allowed keys: payload_json, custom_output, download, filename, files, retry_wait, retry_count, response_type
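A playbook-side guard for the Generic Action inputs above, added here as an example rather than connector code: it checks the method against the allowed values, rejects endpoints that are not a plain relative path, restricts additional fields to the allowed keys, and adds an assumed allow_mutating policy switch so that only GET is sent unless a playbook opts in. The value types in EXTRA_TYPES and the function name are assumptions, not documented by the page.

```python
from urllib.parse import urlsplit

ALLOWED_METHODS = {"GET", "PUT", "POST", "DELETE"}
ALLOWED_EXTRA_KEYS = {"payload_json", "custom_output", "download", "filename",
                      "files", "retry_wait", "retry_count", "response_type"}
# Expected value types for some additional fields: an assumption, not stated on the page.
EXTRA_TYPES = {"download": bool, "custom_output": str, "filename": str,
               "retry_wait": int, "retry_count": int, "response_type": str}

def plan_generic_request(method, endpoint, query_params=None, payload=None,
                         additional_fields=None, allow_mutating=False):
    """Check Generic Action inputs before a playbook sends them.

    allow_mutating is an assumed playbook-side policy switch (not a page option):
    unless it is True only GET is accepted, so a playbook cannot PUT, POST or
    DELETE against an arbitrary endpoint by accident.
    """
    method = str(method).strip().upper()
    if method not in ALLOWED_METHODS:
        raise ValueError(f"method must be one of {sorted(ALLOWED_METHODS)}")
    if method != "GET" and not allow_mutating:
        raise PermissionError(f"{method} is blocked unless allow_mutating=True")
    ep = str(endpoint).strip()
    parts = urlsplit(ep)
    if parts.scheme or parts.netloc or ep.startswith("/"):
        raise ValueError("endpoint must be a relative path such as 'ioc/listiocs'")
    if parts.query or parts.fragment:
        raise ValueError("pass query parameters in query_params, not in the endpoint")
    segments = ep.rstrip("/").split("/")
    if any(s in ("", ".", "..") for s in segments) or any(ord(c) <= 32 for c in ep):
        raise ValueError("endpoint has an empty, '.' or '..' segment or control characters")
    extra = dict(additional_fields or {})
    unknown = set(extra) - ALLOWED_EXTRA_KEYS
    if unknown:
        raise ValueError(f"unsupported additional fields: {sorted(unknown)}")
    for key, value in extra.items():
        expected = EXTRA_TYPES.get(key)
        # bool is a subclass of int, so a True/False retry count must be caught explicitly
        if expected and (not isinstance(value, expected) or
                         (expected is int and isinstance(value, bool))):
            raise TypeError(f"{key} must be of type {expected.__name__}")
    if any(extra.get(k, 0) < 0 for k in ("retry_wait", "retry_count")):
        raise ValueError("retry_wait and retry_count must be non-negative")
    return {"method": method, "endpoint": ep, "query_params": dict(query_params or {}),
            "payload": payload, "additional_fields": extra}
```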