Update incident basic attributes
Relative path: /v2/incidents/{incidentUuid}/basic-attributes:update
Updates the chosen basic attributes (assignee, description, display name, severity) of a particular incident. Only the fields named in the request's updateMask are changed; everything else on the incident is left as it is.
Request body

Type | Required
---|---
application/json | No

Example:

```json
{
  "assigneeUuid": "string",
  "description": "string",
  "displayName": "string",
  "severity": "INCIDENT_SEVERITY_LEVEL_UNSPECIFIED",
  "updateMask": "string"
}
```

Schema (IncidentsUpdateIncidentBasicAttributesBody):

Field | Type | Description
---|---|---
assigneeUuid | string | Reference to the User to be assigned as assignee (type: user_management.v1.User). May only be empty when the incident status is 'Open'.
description | string | New description.
displayName | string | New human readable name.
severity | v2IncidentSeverityLevel (string enum; default INCIDENT_SEVERITY_LEVEL_UNSPECIFIED) | New severity level; values are listed below.
updateMask | string | The list of fields to update, modeled after https://google.aip.dev/134. Only fields named in the mask are changed; a field that is named but sent empty is cleared.

v2IncidentSeverityLevel: the severity levels are abstracted so that one vocabulary covers every GUI, and their interpretation is left entirely to the API client. This is unavoidable at SIEM level, where many sources contribute and no single set of local severity names fits all GUIs.

Value | Meaning
---|---
INCIDENT_SEVERITY_LEVEL_UNSPECIFIED | Fallback.
INCIDENT_SEVERITY_LEVEL_LOW | Known as Warning in some GUIs.
INCIDENT_SEVERITY_LEVEL_MEDIUM | Known as Error or Threat in some GUIs.
INCIDENT_SEVERITY_LEVEL_HIGH | Known as Critical in some GUIs.
Parameters in path

Name | Type | Required | Description
---|---|---|---
incidentUuid | string | Yes | Reference to the Incident to update (type: Incident).
Responses

Code | Description
---|---
200 | Successful response. Body: v2UpdateIncidentBasicAttributesResponse (see below).
202 | Response took too long; the request was cached. The response can be retrieved later using the response-id header.
400 | One of the errors: 1. Bad or missing authorization. 2. Validation error; invalid argument provided.
401 | Token has expired or is invalid.
403 | Access denied. Check permissions.
404 | Requested resource not found.
429 | Rate limit reached. Try again later.
500 | Internal server failure. Try again later.
502 | Internal server failure. Try again later.
503 | Environment under maintenance. Try again later.
504 | Action took too long; timeout reached.

Only the 200 response documents a body; the other codes have no example or schema.

200 example:

```json
{
  "incident": {
    "assigneeUuid": "string",
    "createTime": "string",
    "description": "string",
    "detectionUuids": ["string"],
    "deviceUuids": ["string"],
    "displayName": "string",
    "metrics": {
      "deviceCount": 0,
      "executableCount": 0,
      "processCount": 0
    },
    "resolveReason": "INCIDENT_RESOLVE_REASON_UNSPECIFIED",
    "responseDuration": "string",
    "severity": "INCIDENT_SEVERITY_LEVEL_UNSPECIFIED",
    "status": "INCIDENT_STATUS_UNSPECIFIED",
    "tags": ["string"],
    "triageDuration": "string",
    "updateTime": "string",
    "uuid": "string"
  }
}
```

200 schema (v2UpdateIncidentBasicAttributesResponse): an object with a single field, `incident`, of type v2Incident:

Field | Type | Description
---|---|---
assigneeUuid | string | User responsible for investigation and remediation (type: user_management.v1.User).
createTime | string (date-time), read-only | Timestamp for when the incident was created.
description | string | Arbitrary text describing the incident.
detectionUuids | array of string | Not described in the schema.
deviceUuids | array of string | Not described in the schema.
displayName | string | Human readable name of the incident.
metrics | v2IncidentMetrics | Metrics related to the incident: deviceCount, executableCount and processCount (each integer, int64) are the counts of devices, executables and processes related to the incident.
resolveReason | v2IncidentResolveReason (string enum; default INCIDENT_RESOLVE_REASON_UNSPECIFIED) | Reason the incident was resolved; values are listed below.
responseDuration | string, read-only | How long it took to respond to the incident.
severity | v2IncidentSeverityLevel (string enum; default INCIDENT_SEVERITY_LEVEL_UNSPECIFIED) | Same vocabulary as the request body's severity field: INCIDENT_SEVERITY_LEVEL_UNSPECIFIED (fallback), INCIDENT_SEVERITY_LEVEL_LOW (Warning in some GUIs), INCIDENT_SEVERITY_LEVEL_MEDIUM (Error or Threat in some GUIs), INCIDENT_SEVERITY_LEVEL_HIGH (Critical in some GUIs). Interpretation is left to the API client.
status | v2IncidentStatus (string enum; default INCIDENT_STATUS_UNSPECIFIED) | Incident status; values are listed below.
tags | array of string | Not described in the schema.
triageDuration | string, read-only | How long the incident remained in triage status.
updateTime | string (date-time), read-only | Timestamp of the most recent update to the resource. Any change made by users (create/update/delete) must update this value; changes made internally by the service should refresh it unless specified otherwise at entity level. Modeled after https://google.aip.dev/148#timestamps.
uuid | string | Unique identifier of the entity. Must be collision free: two identifiers created anywhere in the world must not collide within the entity's parent scope, and unless the entity is a member of an aggregate its scope is global. Although usually compliant with RFC 4122 (UUID URN namespace), do not rely on it being an RFC UUID; treat it as an opaque identifier. An RFC UUID is recognizable by the template xxxxxxxx-xxxx-Mxxx-Nxxx-xxxxxxxxxxxx. Used for referencing the entity, even across domains. Example: '123e4567-e89b-12d3-a456-426614174000'.

v2IncidentResolveReason values:

Value | Meaning
---|---
INCIDENT_RESOLVE_REASON_UNSPECIFIED | Fallback.
INCIDENT_RESOLVE_REASON_TRUE_POSITIVE | The incident was a true positive, indicating a genuine security threat.
INCIDENT_RESOLVE_REASON_FALSE_POSITIVE | The incident was initially thought to be a security threat but was later determined to be a false alarm.
INCIDENT_RESOLVE_REASON_SUSPICIOUS | The incident is not a confirmed threat (true positive), but investigating it can provide valuable insight into user behavior patterns and help mitigate potential attacks.

v2IncidentStatus values:

Value | Meaning
---|---
INCIDENT_STATUS_UNSPECIFIED | Fallback.
INCIDENT_STATUS_OPEN | The incident is OPEN (aka NEW) and has been reported or detected.
INCIDENT_STATUS_IN_PROGRESS | The incident is currently in progress and being actively addressed.
INCIDENT_STATUS_CLOSED | The incident has been closed, and the necessary actions have been taken.
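A worked client-side example of the request and response handling described above. This is an added example, not code from the API's own SDK or documentation. It assumes things the page does not state: that the `:update` custom method is called with POST (the AIP-136 convention), that the token travels in an `Authorization: Bearer` header, and that `updateMask` uses the protobuf JSON form of a FieldMask (comma-separated lowerCamelCase paths). `fake_transport` is a constructed stand-in for the server so the flow runs offline.

```python
"""Build and send an incident basic-attributes update (added example).

Assumptions not confirmed by the page: POST for the :update custom method,
bearer token in the Authorization header, and updateMask as comma-separated
lowerCamelCase paths (protobuf's JSON mapping of FieldMask).
"""
import json
from urllib.parse import quote

# The only fields the request body documents as updatable. Anything else
# (uuid, createTime, status, ...) is refused here, before a request is built.
MUTABLE_FIELDS = ("assigneeUuid", "description", "displayName", "severity")

SEVERITY_LEVELS = frozenset({
    "INCIDENT_SEVERITY_LEVEL_UNSPECIFIED",
    "INCIDENT_SEVERITY_LEVEL_LOW",
    "INCIDENT_SEVERITY_LEVEL_MEDIUM",
    "INCIDENT_SEVERITY_LEVEL_HIGH",
})


def build_update_body(**changes):
    """Return the JSON body with updateMask derived from the fields supplied.

    Under AIP-134 the server touches only fields named in the mask, so the
    mask is computed from the arguments rather than typed by hand: a field
    left out of the mask is silently ignored, and a field named in the mask
    but sent empty is cleared (e.g. assigneeUuid="" unassigns the incident).
    """
    if not changes:
        raise ValueError("nothing to update")
    unknown = sorted(set(changes) - set(MUTABLE_FIELDS))
    if unknown:
        raise ValueError(f"not updatable via basic-attributes: {unknown}")
    if "severity" in changes and changes["severity"] not in SEVERITY_LEVELS:
        raise ValueError(f"unknown severity {changes['severity']!r}")
    for name, value in changes.items():
        if not isinstance(value, str):
            raise ValueError(f"{name} must be a string")
    body = {name: changes[name] for name in MUTABLE_FIELDS if name in changes}
    body["updateMask"] = ",".join(body)  # documented field order, body keys only
    return body


def update_path(incident_uuid):
    """Path for the call. The uuid is documented as opaque, so it is
    percent-encoded instead of being trusted to be a well-formed RFC 4122 UUID."""
    if not incident_uuid:
        raise ValueError("incidentUuid is required")
    return f"/v2/incidents/{quote(incident_uuid, safe='')}/basic-attributes:update"


def classify_response(status, headers):
    """Map a documented status code to the caller's next step.

    Returns (outcome, reference): 'ok'; 'poll' with the response-id header
    value (202: fetch the cached response later); 'retry' (429/500/502/503/504,
    safe because the same mask and values are idempotent); or 'fail'
    (400/401/403/404: fix the request or credentials, do not resend as-is).
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    if status == 200:
        return "ok", None
    if status == 202:
        return "poll", lowered.get("response-id")
    if status in (429, 500, 502, 503, 504):
        return "retry", None
    return "fail", None


def send_update(incident_uuid, token, transport, **changes):
    """Issue the update through ``transport``, a callable that takes a request
    dict and returns (status, headers, body_text). Returns
    (outcome, reference, incident) where incident is the v2Incident on 200."""
    request = {
        "method": "POST",
        "path": update_path(incident_uuid),
        "headers": {"Authorization": f"Bearer {token}",
                    "Content-Type": "application/json"},
        "body": json.dumps(build_update_body(**changes)),
    }
    status, headers, text = transport(request)
    outcome, ref = classify_response(status, headers)
    incident = json.loads(text)["incident"] if outcome == "ok" else None
    return outcome, ref, incident


def fake_transport(request):
    """Constructed stand-in for the server: applies the masked fields to a
    minimal incident and echoes it back with 200, or answers 202 plus a
    response-id for uuids starting with 'slow-'."""
    sent = json.loads(request["body"])
    if request["path"].startswith("/v2/incidents/slow-"):
        return 202, {"Response-Id": "resp-42"}, ""
    incident = {"uuid": request["path"].split("/")[3],
                "status": "INCIDENT_STATUS_OPEN"}
    for field in sent["updateMask"].split(","):
        incident[field] = sent[field]
    return 200, {"Content-Type": "application/json"}, json.dumps({"incident": incident})


if __name__ == "__main__":
    print(send_update("123e4567-e89b-12d3-a456-426614174000", "TOKEN",
                      fake_transport, displayName="Ransomware on WS-12",
                      severity="INCIDENT_SEVERITY_LEVEL_HIGH"))
```

One rule the page states cannot be enforced client-side with this body alone: assigneeUuid may only be empty while the incident is 'Open', and the request carries no status, so clearing the assignee on an in-progress incident comes back as a 400 validation error rather than being rejected locally. Swap `fake_transport` for a function that performs the real HTTPS call to use the same flow against the API.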