Method: legacy.legacyFetchAlertsView

Full name: projects.locations.instances.legacy.legacyFetchAlertsView

Legacy streaming endpoint for getting alerts (and in some cases, non-alerting detections) along with aggregated fields that match the query.

HTTP request

GET https://chronicle.googleapis.com/v1alpha/{instance}/legacy:legacyFetchAlertsView

Path parameters

Parameters
instance

string

Required. The Google Security Operations instance. Format: projects/{project}/locations/{location}/instances/{instance}

Query parameters

Parameters
baselineQuery

string

The baseline query to search for. The baseline query is used for this request and its results are cached for subsequent requests, so that supplying additional filters in the snapshot_query will not require re-running the baseline query. This uses a syntax similar to UDM search, with the following supported fields:

  • detection.rule_set
  • detection.rule_set_display_name
  • detection.rule_id
  • detection.rule_name
  • detection.rule_author
  • detection.alert_state
  • case_name
  • feedback_summary.verdict
  • feedback_summary.reputation
  • feedback_summary.status
  • feedback_summary.priority
  • feedback_summary.severity_display
  • feedback_summary.risk_score

snapshotQuery

string

Required. The snapshot query to search for. This uses a syntax similar to UDM search, with the following supported fields:

  • detection.rule_set
  • detection.rule_set_display_name
  • detection.rule_id
  • detection.rule_name
  • detection.rule_author
  • detection.alert_state
  • case_name
  • feedback_summary.verdict
  • feedback_summary.reputation
  • feedback_summary.status
  • feedback_summary.priority
  • feedback_summary.severity_display
  • feedback_summary.risk_score

timeRange

object (Interval)

Required. The time range to search for [Inclusive, Exclusive).

alertListOptions

object (AlertListOptions)

Parameters for the Alerts that will be streamed back.

fieldAggregationOptions

object (AlertFieldAggregationOptions)

Parameters for the Aggregated Alert fields that will be streamed back.

enableCache

enum (AlertsFeaturePreference)

If enabled, subsequent requests for the same time range and baseline query will try to leverage our cache to serve the response with filters applied in the snapshot query.

plaqueTraceLevel
(deprecated)

integer

Optional. Deprecated. An internal trace level.

maxShardCount
(deprecated)

integer

Optional. Deprecated. An internal optimization value.

maxBaselineResults
(deprecated)

integer

Optional. Deprecated. Maximum number of alerts that will be processed for a single request.

Request body

The request body must be empty.

Response body

Depending on the parameters in FetchAlertsViewRequest, stream back some combination of alerts and field_aggregations.

If successful, the response body contains data with the following structure:

JSON representation
{
  "progress": number,
  "too_many_alerts": boolean,
  "complete": boolean,
  "valid_baseline_query": boolean,
  "baseline_alerts_count": integer,
  "valid_snapshot_query": boolean,
  "query_validation_errors": [
    {
      object (ErrorMessage)
    }
  ],
  "runtime_errors": [
    {
      object (RuntimeError)
    }
  ],
  "filtered_alerts_count": integer,
  "alerts": {
    object (AlertList)
  },
  "field_aggregations": {
    object (AlertFieldAggregations)
  }
}
Fields
progress

number

Progress of the query represented as a double between 0 and 1.

too_many_alerts

boolean

If true, there are too many alerts matched and some have been omitted from both the alerts and from the field_aggregations.

"Too many alerts" depends on the server-side limit of 1,000,000 matched alerts to serve as a base for the field aggregations, rather than on the max_returned_alerts option.

complete

boolean

Streaming for this response is done. There will be no additional updates.

valid_baseline_query

boolean

Whether the request baseline_query is a valid structured query. If not, query_validation_errors will include the parse error.

baseline_alerts_count

integer

The number of alerts matched by the baseline query.

valid_snapshot_query

boolean

Whether the request baseline and snapshot queries are valid. If not, query_validation_errors will include the parse error.

query_validation_errors[]

object (ErrorMessage)

Parse error for the baseline_query and/or the snapshot_query.

runtime_errors[]

object (RuntimeError)

Runtime errors.

filtered_alerts_count

integer

The number of alerts in the snapshot that match the snapshot_query. This is <= baseline_alerts_count. If the snapshot query is empty this will be equivalent to baseline_alerts_count.

alerts

object (AlertList)

The list of the first N matched alerts. The value of N is determined by the AlertListOptions.max_returned_alerts field in the request.

field_aggregations

object (AlertFieldAggregations)

List of fields with aggregated values.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

IAM Permissions

Requires the following IAM permission on the instance resource:

  • chronicle.legacies.legacyFetchAlertsView

For more information, see the IAM documentation.

AlertListOptions

JSON representation
{
  "max_returned_alerts": integer,
  "entity_indicator": {
    object (EntityIndicator)
  }
}
Fields
max_returned_alerts

integer

entity_indicator

object (EntityIndicator)

EntityIndicator

JSON representation
{
  "indicator_namespace": string,

  // Union field indicator can be only one of the following:
  "hostname": string,
  "asset_ip_address": string,
  "mac": string,
  "product_id": string,
  "user_name": string,
  "email": string,
  "employee_id": string,
  "windows_sid": string,
  "project_object_id": string,
  "product_object_id": string,
  "raw_pid": string,
  "process_id": string,
  "full_command_line": string,
  "parent_process_id": string,
  "hash_md5": string,
  "hash_sha1": string,
  "hash_sha256": string,
  "file_path": string,
  "destination_ip_address": string,
  "domain_name": string,
  "resource_project_object_id": string,
  "resource_name": string
  // End of list of possible types for union field indicator.
}
Fields
indicator_namespace

string

Union field indicator.

indicator can be only one of the following:

hostname

string

asset_ip_address

string

mac

string

product_id

string

user_name

string

email

string

employee_id

string

windows_sid

string

project_object_id
(deprecated)

string

product_object_id

string

raw_pid

string

process_id

string

full_command_line

string

parent_process_id

string

hash_md5

string

hash_sha1

string

hash_sha256

string

file_path

string

destination_ip_address

string

domain_name

string

resource_project_object_id
(deprecated)

string

resource_name

string

AlertFieldAggregationOptions

JSON representation
{
  "max_values_per_field": integer
}
Fields
max_values_per_field

integer

AlertsFeaturePreference

A generic option to enable or disable a feature.

Enums
  • ALERTS_FEATURE_PREFERENCE_UNSPECIFIED: An unspecified preference. Behavior will depend on the server defaults.
  • ALERTS_FEATURE_PREFERENCE_ENABLED: Enable the feature.
  • ALERTS_FEATURE_PREFERENCE_DISABLED: Disable the feature.

AlertList

JSON representation
{
  "alerts": [
    {
      object (Collection)
    }
  ]
}
Fields
alerts[]

object (Collection)
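As an added example (not Google's client library and not code from this reference), the following Python assembles a legacyFetchAlertsView request from the parameters documented above, rejects an EntityIndicator that sets more or fewer than one union member, and folds the streamed response messages into one result using valid_baseline_query, valid_snapshot_query, complete and too_many_alerts as the reference defines them. The dotted camelCase encoding of nested query parameters (timeRange.startTime, alertListOptions.maxReturnedAlerts, ...), the startTime/endTime names of Interval, and the shapes of the sample alert and aggregation payloads are assumptions; the sample stream is constructed, not captured output.

```python
# Added example (not Google's client code): assemble a legacyFetchAlertsView request and
# fold its streamed responses into one result. Lines marked ASSUMPTION are not from the reference.
import json
from dataclasses import dataclass, field
from typing import Any, Dict, Iterable, List, Optional

BASE_URL = "https://chronicle.googleapis.com/v1alpha"

# EntityIndicator union members, copied from the reference; two of them are deprecated.
INDICATOR_FIELDS = {
    "hostname", "asset_ip_address", "mac", "product_id", "user_name", "email", "employee_id",
    "windows_sid", "project_object_id", "product_object_id", "raw_pid", "process_id",
    "full_command_line", "parent_process_id", "hash_md5", "hash_sha1", "hash_sha256", "file_path",
    "destination_ip_address", "domain_name", "resource_project_object_id", "resource_name"}
DEPRECATED_INDICATOR_FIELDS = {"project_object_id", "resource_project_object_id"}

def check_entity_indicator(indicator: Dict[str, str]) -> Optional[str]:
    """Error message, or None when exactly one non-deprecated union member is set."""
    members = [k for k in indicator if k in INDICATOR_FIELDS]
    if len(members) != 1:
        return f"EntityIndicator must set exactly one union field, got {members}"
    if members[0] in DEPRECATED_INDICATOR_FIELDS:
        return f"{members[0]} is deprecated; use a supported indicator field"
    return None

def _camel(name: str) -> str:  # proto snake_case field name -> camelCase JSON name
    return "".join(p if i == 0 else p.capitalize() for i, p in enumerate(name.split("_")))

def build_request(instance: str, snapshot_query: str, start_time: str, end_time: str,
                  baseline_query: Optional[str] = None, max_returned_alerts: int = 100,
                  max_values_per_field: int = 10, enable_cache: bool = True,
                  entity_indicator: Optional[Dict[str, str]] = None) -> Dict[str, Any]:
    """GET URL and query parameters. ASSUMPTION: nested objects travel as dotted camelCase
    query keys and Interval carries RFC 3339 startTime/endTime."""
    params: Dict[str, Any] = {
        "snapshotQuery": snapshot_query,
        "timeRange.startTime": start_time,  # inclusive
        "timeRange.endTime": end_time,      # exclusive
        "alertListOptions.maxReturnedAlerts": max_returned_alerts,
        "fieldAggregationOptions.maxValuesPerField": max_values_per_field,
        "enableCache": f"ALERTS_FEATURE_PREFERENCE_{'ENABLED' if enable_cache else 'DISABLED'}"}
    if baseline_query:  # optional; the server caches its results for later snapshot filters
        params["baselineQuery"] = baseline_query
    if entity_indicator:
        problem = check_entity_indicator(entity_indicator)
        if problem:
            raise ValueError(problem)
        for key, value in entity_indicator.items():
            if key == "indicator_namespace" or key in INDICATOR_FIELDS:
                params[f"alertListOptions.entityIndicator.{_camel(key)}"] = value
    return {"url": f"{BASE_URL}/{instance}/legacy:legacyFetchAlertsView", "params": params}

@dataclass
class AlertsView:
    complete: bool = False
    too_many_alerts: bool = False
    baseline_alerts_count: int = 0
    filtered_alerts_count: int = 0
    alerts: List[Dict[str, Any]] = field(default_factory=list)
    field_aggregations: Optional[Dict[str, Any]] = None

def query_rejected(msg: Dict[str, Any]) -> List[str]:
    """Parse errors when either query failed validation; empty list otherwise."""
    if msg.get("valid_baseline_query") is False or msg.get("valid_snapshot_query") is False:
        errors = [json.dumps(e) for e in msg.get("query_validation_errors", [])]
        return errors or ["unspecified parse error"]
    return []

def consume_stream(messages: Iterable[Dict[str, Any]]) -> AlertsView:
    """Fold streamed messages into one view (later values win) until complete=true."""
    view = AlertsView()
    for msg in messages:
        errors = query_rejected(msg)
        if errors:
            raise ValueError("query rejected: " + "; ".join(errors))
        view.too_many_alerts = view.too_many_alerts or bool(msg.get("too_many_alerts"))
        view.baseline_alerts_count = msg.get("baseline_alerts_count", view.baseline_alerts_count)
        view.filtered_alerts_count = msg.get("filtered_alerts_count", view.filtered_alerts_count)
        view.alerts = msg.get("alerts", {}).get("alerts", view.alerts)
        view.field_aggregations = msg.get("field_aggregations", view.field_aggregations)
        if msg.get("complete"):
            view.complete = True
            break
    if not view.complete:  # a stream that ends early must not be reported as a full result
        raise RuntimeError("stream ended without complete=true; results are partial")
    return view

def aggregations_are_exhaustive(view: AlertsView) -> bool:
    """False once the server's 1,000,000-matched-alert cap was hit: counts and
    field_aggregations then rest on a truncated base, whatever max_returned_alerts was."""
    return view.complete and not view.too_many_alerts

# Constructed sample stream (not real API output); payload shapes are placeholders.
SAMPLE_STREAM = [
    {"progress": 0.2, "valid_baseline_query": True, "valid_snapshot_query": True,
     "baseline_alerts_count": 420},
    {"progress": 0.7, "filtered_alerts_count": 35,
     "alerts": {"alerts": [{"id": "alert-1"}, {"id": "alert-2"}]}},
    {"progress": 1.0, "complete": True, "too_many_alerts": False,
     "field_aggregations": {"detection.rule_name": ["Example rule"]}},
]
```

To run this against a real instance, send req["url"] with req["params"] under a bearer token carrying the cloud-platform scope listed above, decode each streamed message into a dict and pass the sequence to consume_stream. Treat aggregations_are_exhaustive returning False as a signal to narrow the time range or baseline query before relying on the counts, not as a number to report.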