/*
 * CrowdStrike API Specification
 *
 * Use this API specification as a reference for the API endpoints you can use to interact with your Falcon environment. These endpoints support authentication via OAuth2 and interact with detections and network containment. For detailed usage guides and examples, see our [documentation inside the Falcon console](https://falcon.crowdstrike.com/support/documentation). To use the APIs described below, combine the base URL with the path shown for each API endpoint. For commercial cloud customers, your base URL is `https://api.crowdstrike.com`. Each API endpoint requires authorization via an OAuth2 token. Your first API request should retrieve an OAuth2 token using the `oauth2/token` endpoint, such as `https://api.crowdstrike.com/oauth2/token`. For subsequent requests, include the OAuth2 token in an HTTP authorization header. Tokens expire after 30 minutes, after which you should make a new token request to continue making API requests.
 *
 * The version of the OpenAPI document: rolling
 *
 * Generated by: https://openapi-generator.tech
 */

use crate::models;

/// Alert record matching the Falcon API's `DetectsExternalAlert` schema.
///
/// Serde mapping: fields whose attribute carries
/// `skip_serializing_if = "Option::is_none"` are optional on the wire and are
/// omitted from output when `None`; every other field is required, so a
/// response missing one of them fails to deserialize instead of defaulting.
/// Unknown keys in a response are ignored (no `deny_unknown_fields`).
///
/// Validation: none is performed. Fields documented as enumerations
/// (`status`, `resolution`) are plain `String`s, and score fields documented
/// as 1-100 (`confidence`, `severity`) are plain integers, so consumers should
/// treat the values as data from a remote service and check them before
/// branching on them. The derived `Default` yields empty strings and zeros,
/// which are not meaningful identifiers or timestamps.
#[derive(Clone, Default, Debug, PartialEq, Serialize, Deserialize)]
pub struct DetectsExternalAlert {
    /// Device or sensor ID for which the Alert was generated
    #[serde(rename = "agent_id", skip_serializing_if = "Option::is_none")]
    pub agent_id: Option<String>,
    /// Common linkage between multiple Alerts that belong to the same detection bouquet
    #[serde(rename = "aggregate_id")]
    pub aggregate_id: String,
    /// Name of the person this Alert is assigned to
    #[serde(rename = "assigned_to_name", skip_serializing_if = "Option::is_none")]
    pub assigned_to_name: Option<String>,
    /// User ID of the person this Alert is assigned to
    #[serde(rename = "assigned_to_uid", skip_serializing_if = "Option::is_none")]
    pub assigned_to_uid: Option<String>,
    /// UUID of the person this Alert is assigned to
    #[serde(rename = "assigned_to_uuid", skip_serializing_if = "Option::is_none")]
    pub assigned_to_uuid: Option<String>,
    /// Unique ID of the CrowdStrike customer (tenant) that owns this Alert
    #[serde(rename = "cid")]
    pub cid: String,
    /// An opaque internal identifier that can uniquely identify an Alert
    #[serde(rename = "composite_id")]
    pub composite_id: String,
    /// Confidence is documented as a 1-100 integer denoting the confidence that, when this Alert fires,
    /// it is indicative of malicious activity. The type is a plain `i32`; the range is not enforced here.
    #[serde(rename = "confidence", skip_serializing_if = "Option::is_none")]
    pub confidence: Option<i32>,
    /// Indicates when ThreatGraph was crawled to gather info for this Alert creation/update
    #[serde(rename = "crawled_timestamp")]
    pub crawled_timestamp: String,
    /// Indicates when the Alert was first written to the backend store
    #[serde(rename = "created_timestamp")]
    pub created_timestamp: String,
    /// Data Domains represents the domains to which this Alert belongs
    #[serde(rename = "data_domains")]
    pub data_domains: Vec<String>,
    /// Short, customer-visible summary of the detected activity
    #[serde(rename = "description")]
    pub description: String,
    /// Customer-visible name for the Alert's pattern
    #[serde(rename = "display_name")]
    pub display_name: String,
    /// Boolean indicating whether an email was sent regarding this Alert
    #[serde(rename = "email_sent", skip_serializing_if = "Option::is_none")]
    pub email_sent: Option<bool>,
    /// Boolean indicating whether this Alert is internal or external
    #[serde(rename = "external", skip_serializing_if = "Option::is_none")]
    pub external: Option<bool>,
    /// Vertex key which triggers the formation of the Alert
    #[serde(rename = "id")]
    pub id: String,
    /// Linked Case IDs are cases that are associated with this Alert
    #[serde(rename = "linked_case_ids")]
    pub linked_case_ids: Vec<String>,
    /// References to MITRE ATT&CK, a public framework for tracking and modeling adversary tools, techniques and procedures
    #[serde(rename = "mitre_attack")]
    pub mitre_attack: Vec<models::DetectsMitreAttackMapping>,
    /// Pattern name coming either from Taxonomy or directly from the ingested Alert
    #[serde(rename = "name")]
    pub name: String,
    /// End goal that an adversary intends to achieve, according to MITRE
    #[serde(rename = "objective", skip_serializing_if = "Option::is_none")]
    pub objective: Option<String>,
    /// Taxonomy pattern ID for this Alert
    #[serde(rename = "pattern_id")]
    pub pattern_id: i32,
    /// Platform that this Alert was triggered on, e.g. Android, Windows, etc.
    #[serde(rename = "platform", skip_serializing_if = "Option::is_none")]
    pub platform: Option<String>,
    /// Product specifies the SKU that this Alert belongs to, e.g. mobile, idp, epp
    #[serde(rename = "product")]
    pub product: String,
    /// Alert resolution. Documented values: true_positive, false_positive, ignored.
    /// Stored as a free-form string; not validated against that list.
    #[serde(rename = "resolution", skip_serializing_if = "Option::is_none")]
    pub resolution: Option<String>,
    /// Scenario was used pre-Handrails to display additional killchain context for UI alerts. With Handrails, this field is mostly
    /// obsolete in favor of tactic/technique. Still, it can be useful for determining specific pattern types that are not
    /// straightforward to distinguish from other fields alone
    #[serde(rename = "scenario", skip_serializing_if = "Option::is_none")]
    pub scenario: Option<String>,
    /// Seconds To Resolved represents the seconds elapsed until this Alert was resolved
    #[serde(rename = "seconds_to_resolved")]
    pub seconds_to_resolved: i64,
    /// Seconds To Triaged represents the seconds elapsed until this Alert was triaged
    #[serde(rename = "seconds_to_triaged")]
    pub seconds_to_triaged: i64,
    /// Severity is also documented as a 1-100 integer, but unlike confidence, severity impacts how an Alert is displayed
    /// in the UI. The type is a plain `i32`; the range is not enforced here.
    #[serde(rename = "severity")]
    pub severity: i32,
    /// Severity name is a UI-friendly bucketing of the severity integer
    #[serde(rename = "severity_name")]
    pub severity_name: String,
    /// Boolean indicating whether this Alert will be shown in the UI or is hidden
    #[serde(rename = "show_in_ui")]
    pub show_in_ui: bool,
    /// Source Products are products that produced events which contributed to this Alert
    #[serde(rename = "source_products")]
    pub source_products: Vec<String>,
    /// Source Vendors are vendors that produced events which contributed to this Alert
    #[serde(rename = "source_vendors")]
    pub source_vendors: Vec<String>,
    /// Documented values (in the casing the API documents them): New, closed, in_progress, reopened.
    /// Stored as a free-form string; not validated against that list.
    #[serde(rename = "status")]
    pub status: String,
    /// Tactic and Technique are references to MITRE ATT&CK, a public framework for tracking and modeling adversary tools, techniques and procedures
    #[serde(rename = "tactic", skip_serializing_if = "Option::is_none")]
    pub tactic: Option<String>,
    /// Unique ID for the tactic seen in the Alert
    #[serde(rename = "tactic_id", skip_serializing_if = "Option::is_none")]
    pub tactic_id: Option<String>,
    /// Tags are string values associated with the Alert that can be added or removed through the API.
    /// Because they are writable by API callers, treat them as caller-supplied text rather than trusted metadata.
    #[serde(rename = "tags", skip_serializing_if = "Option::is_none")]
    pub tags: Option<Vec<String>>,
    /// Tactic and Technique are references to MITRE ATT&CK, a public framework for tracking and modeling adversary tools, techniques and procedures
    #[serde(rename = "technique", skip_serializing_if = "Option::is_none")]
    pub technique: Option<String>,
    /// Unique ID for the technique seen in the Alert
    #[serde(rename = "technique_id", skip_serializing_if = "Option::is_none")]
    pub technique_id: Option<String>,
    /// Stored value coming in directly from the ingested event, or set by the cloud in its absence
    #[serde(rename = "timestamp")]
    pub timestamp: String,
    /// Type of definition used by Detections Extensibility. Keyed off the Pattern of the incoming events/Alerts.
    /// Named with the raw identifier `r#type` because `type` is a Rust keyword; the wire name is `type`.
    #[serde(rename = "type")]
    pub r#type: String,
    /// Indicates when the Alert was last modified
    #[serde(rename = "updated_timestamp")]
    pub updated_timestamp: String,
}

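impl DetectsExternalAlert {
    /// Builds an alert from every field the schema defines.
    ///
    /// Arguments map one-to-one onto the struct fields, in declaration order,
    /// and are stored exactly as given: `Option` and `Vec` values are not
    /// normalised, and no range or enumeration check is applied to
    /// `confidence`, `severity`, `status` or `resolution`.
    // The argument list mirrors the API schema field for field, so clippy's
    // `too_many_arguments` threshold does not apply in a useful way here.
    #[allow(clippy::too_many_arguments)]
    #[must_use]
    pub fn new(
        agent_id: Option<String>,
        aggregate_id: String,
        assigned_to_name: Option<String>,
        assigned_to_uid: Option<String>,
        assigned_to_uuid: Option<String>,
        cid: String,
        composite_id: String,
        confidence: Option<i32>,
        crawled_timestamp: String,
        created_timestamp: String,
        data_domains: Vec<String>,
        description: String,
        display_name: String,
        email_sent: Option<bool>,
        external: Option<bool>,
        id: String,
        linked_case_ids: Vec<String>,
        mitre_attack: Vec<models::DetectsMitreAttackMapping>,
        name: String,
        objective: Option<String>,
        pattern_id: i32,
        platform: Option<String>,
        product: String,
        resolution: Option<String>,
        scenario: Option<String>,
        seconds_to_resolved: i64,
        seconds_to_triaged: i64,
        severity: i32,
        severity_name: String,
        show_in_ui: bool,
        source_products: Vec<String>,
        source_vendors: Vec<String>,
        status: String,
        tactic: Option<String>,
        tactic_id: Option<String>,
        tags: Option<Vec<String>>,
        technique: Option<String>,
        technique_id: Option<String>,
        timestamp: String,
        r#type: String,
        updated_timestamp: String,
    ) -> Self {
        Self {
            agent_id,
            aggregate_id,
            assigned_to_name,
            assigned_to_uid,
            assigned_to_uuid,
            cid,
            composite_id,
            confidence,
            crawled_timestamp,
            created_timestamp,
            data_domains,
            description,
            display_name,
            email_sent,
            external,
            id,
            linked_case_ids,
            mitre_attack,
            name,
            objective,
            pattern_id,
            platform,
            product,
            resolution,
            scenario,
            seconds_to_resolved,
            seconds_to_triaged,
            severity,
            severity_name,
            show_in_ui,
            source_products,
            source_vendors,
            status,
            tactic,
            tactic_id,
            tags,
            technique,
            technique_id,
            timestamp,
            r#type,
            updated_timestamp,
        }
    }
}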