Method: legacy.legacyFetchAlertsView

Full name: projects.locations.instances.legacy.legacyFetchAlertsView

Legacy endpoint for getting the histogramming of alerts.

HTTP request

GET https://chronicle.googleapis.com/v1alpha/{instance}/legacy:legacyFetchAlertsView

Path parameters

instance (string): Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}

Query parameters

baselineQuery (string): The baseline query to search for.

snapshotQuery (string): Required. The snapshot query to search for.

timeRange (object (Interval)): Required. The time range to search for [Inclusive, Exclusive).

alertListOptions (object (AlertListOptions)): Parameters for the Alerts that will be streamed back.

fieldAggregationOptions (object (AlertFieldAggregationOptions)): Parameters for the Aggregated Alert fields that will be streamed back.

maxBaselineResults (integer): For performance testing: Maximum number of alerts that will be processed for a single request.

plaqueTraceLevel (integer): Controls the trace detail level set on the Plaque binding.

enableCache (enum (AlertsFeaturePreference)): If true, try to leverage our cache, potentially bypassing our persistence layer.

maxShardCount (integer): The maximum number of Plaque shards to instantiate.

Request body

The request body must be empty.

Response body

Depending on the parameters in FetchAlertsViewRequest, the response streams back some combination of alerts and field_aggregations.

If successful, the response body contains data with the following structure:

JSON representation
{
  "progress": number,
  "too_many_alerts": boolean,
  "complete": boolean,
  "valid_baseline_query": boolean,
  "baseline_alerts_count": integer,
  "valid_snapshot_query": boolean,
  "query_validation_errors": [
    {
      object (ErrorMessage)
    }
  ],
  "runtime_errors": [
    {
      object (RuntimeError)
    }
  ],
  "filtered_alerts_count": integer,
  "alerts": {
    object (AlertList)
  },
  "field_aggregations": {
    object (AlertFieldAggregations)
  }
}

Fields

progress (number): Progress of the query represented as a double between 0 and 1.

too_many_alerts (boolean): If true, there are too many alerts to return and some have been omitted.

complete (boolean): Streaming for this response is done. There will be no additional updates.

valid_baseline_query (boolean): Indicates whether the request baseline_query is a valid structured query or not. If not, query_validation_errors will include the parse error.

baseline_alerts_count (integer): The number of alerts in the baseline query.

valid_snapshot_query (boolean): Indicates whether the request baseline and snapshot queries are valid. If not, query_validation_errors will include the parse error.

query_validation_errors[] (object (ErrorMessage)): Parse error for the baseline_query and/or the snapshot_query.

runtime_errors[] (object (RuntimeError)): Runtime errors.

filtered_alerts_count (integer): The number of alerts in the snapshot that match the snapshot_query. This is <= baseline_alerts_count. If the snapshot query is empty this will be equivalent to baseline_alerts_count.

alerts (object (AlertList)): List of Alerts.

field_aggregations (object (AlertFieldAggregations)): List of fields with aggregated values.
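The following Python sketch is an added example, not code from the Chronicle API reference or from Google's client libraries. It builds the GET URL from the query parameters documented above and folds the streamed response messages into one summary: it stops at the first message with complete set (the reference says no further updates follow), surfaces query_validation_errors instead of treating an invalid query as zero alerts, records too_many_alerts as truncation, and checks the documented invariant filtered_alerts_count <= baseline_alerts_count. Two things are assumptions not stated on this page: the timeRange Interval is passed with the usual Google API dot notation (timeRange.startTime, timeRange.endTime) and the nested option as alertListOptions.max_returned_alerts. The sample stream is constructed by hand, and the example makes no network call and does no OAuth handling.

```python
"""Added example (not part of the Chronicle API reference): build a
legacy:legacyFetchAlertsView request URL from the documented query
parameters and consume the streamed response messages.

Assumptions, labelled as such: the Interval object is flattened with
dot notation (timeRange.startTime / timeRange.endTime) and the nested
AlertListOptions field as alertListOptions.max_returned_alerts. The
sample messages below are constructed, not captured from the service.
"""
from urllib.parse import urlencode

BASE_URL = "https://chronicle.googleapis.com/v1alpha"


def build_request_url(instance, snapshot_query, start_time, end_time,
                      baseline_query=None, max_returned_alerts=None):
    """Return the GET URL for legacy:legacyFetchAlertsView.

    instance has the form projects/{project}/locations/{location}/instances/{instance}.
    snapshotQuery and timeRange are required by the reference; baselineQuery
    and alertListOptions are optional.
    """
    if not snapshot_query:
        raise ValueError("snapshotQuery is required")
    params = [
        ("snapshotQuery", snapshot_query),
        # Assumption: google.type.Interval flattened with dot notation.
        ("timeRange.startTime", start_time),
        ("timeRange.endTime", end_time),
    ]
    if baseline_query:
        params.append(("baselineQuery", baseline_query))
    if max_returned_alerts is not None:
        # Assumption: nested AlertListOptions field passed in dot notation.
        params.append(("alertListOptions.max_returned_alerts", str(max_returned_alerts)))
    return f"{BASE_URL}/{instance}/legacy:legacyFetchAlertsView?{urlencode(params)}"


# Constructed sample stream: two partial updates followed by the final one.
SAMPLE_STREAM = [
    {"progress": 0.25, "too_many_alerts": False, "complete": False,
     "valid_baseline_query": True, "valid_snapshot_query": True,
     "baseline_alerts_count": 40, "filtered_alerts_count": 10},
    {"progress": 0.75, "too_many_alerts": False, "complete": False,
     "valid_baseline_query": True, "valid_snapshot_query": True,
     "baseline_alerts_count": 120, "filtered_alerts_count": 31},
    {"progress": 1.0, "too_many_alerts": True, "complete": True,
     "valid_baseline_query": True, "valid_snapshot_query": True,
     "baseline_alerts_count": 150, "filtered_alerts_count": 37,
     "alerts": {"alerts": [{"id": "constructed-1"}, {"id": "constructed-2"}]},
     "field_aggregations": {}},
]


def consume_stream(messages):
    """Fold streamed FetchAlertsView messages into one summary dict.

    Stops at the first message with complete == true, surfaces query
    validation errors instead of silently returning zero alerts, and checks
    the documented invariant filtered_alerts_count <= baseline_alerts_count.
    """
    summary = {"updates": 0, "progress": 0.0, "complete": False,
               "truncated": False, "alerts": [], "errors": []}
    for msg in messages:
        summary["updates"] += 1
        summary["progress"] = msg.get("progress", summary["progress"])
        if not msg.get("valid_snapshot_query", True) or not msg.get("valid_baseline_query", True):
            # A parse error will not be fixed by further updates: stop here.
            summary["errors"].extend(msg.get("query_validation_errors", []))
            summary["complete"] = True
            break
        summary["errors"].extend(msg.get("runtime_errors", []))
        baseline = msg.get("baseline_alerts_count", 0)
        filtered = msg.get("filtered_alerts_count", 0)
        if filtered > baseline:
            raise ValueError(f"filtered_alerts_count {filtered} > baseline_alerts_count {baseline}")
        summary["baseline_alerts_count"] = baseline
        summary["filtered_alerts_count"] = filtered
        summary["truncated"] = summary["truncated"] or msg.get("too_many_alerts", False)
        # Later messages carry the current alert list; keep the last one seen.
        summary["alerts"] = msg.get("alerts", {}).get("alerts", summary["alerts"])
        if msg.get("complete"):
            summary["complete"] = True
            break
    return summary


if __name__ == "__main__":
    print(build_request_url("projects/p/locations/us/instances/i",
                            'rule_name = "x"', "2024-01-01T00:00:00Z",
                            "2024-01-02T00:00:00Z", max_returned_alerts=100))
    print(consume_stream(SAMPLE_STREAM))
```

The cloud-platform scope and the chronicle.legacies.legacyFetchAlertsView permission listed below still have to accompany a real request; the example stops at URL construction and response handling so that it runs offline. The truncated flag is worth acting on in detection tooling: a stream that ends with too_many_alerts set has omitted alerts, and the counts rather than the returned list are the figure to trust.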

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

IAM Permissions

Requires the following IAM permission on the instance resource:

  • chronicle.legacies.legacyFetchAlertsView

For more information, see the IAM documentation.

AlertListOptions

JSON representation
{
  "max_returned_alerts": integer,
  "entity_indicator": {
    object (EntityIndicator)
  }
}

Fields

max_returned_alerts (integer)

entity_indicator (object (EntityIndicator))

EntityIndicator

JSON representation
{
  "indicator_namespace": string,

  // Union field indicator can be only one of the following:
  "hostname": string,
  "asset_ip_address": string,
  "mac": string,
  "product_id": string,
  "user_name": string,
  "email": string,
  "employee_id": string,
  "windows_sid": string,
  "project_object_id": string,
  "product_object_id": string,
  "raw_pid": string,
  "process_id": string,
  "full_command_line": string,
  "parent_process_id": string,
  "hash_md5": string,
  "hash_sha1": string,
  "hash_sha256": string,
  "file_path": string,
  "destination_ip_address": string,
  "domain_name": string,
  "resource_project_object_id": string,
  "resource_name": string
  // End of list of possible types for union field indicator.
}

Fields

indicator_namespace (string)

Union field indicator. indicator can be only one of the following:

hostname (string)
asset_ip_address (string)
mac (string)
product_id (string)
user_name (string)
email (string)
employee_id (string)
windows_sid (string)
project_object_id (string, deprecated)
product_object_id (string)
raw_pid (string)
process_id (string)
full_command_line (string)
parent_process_id (string)
hash_md5 (string)
hash_sha1 (string)
hash_sha256 (string)
file_path (string)
destination_ip_address (string)
domain_name (string)
resource_project_object_id (string, deprecated)
resource_name (string)

AlertFieldAggregationOptions

JSON representation
{
  "max_values_per_field": integer
}

Fields

max_values_per_field (integer)

AlertsFeaturePreference

Simple enum that lets clients express a tri-state: force on, force off, or use the default.

Enums
ALERTS_FEATURE_PREFERENCE_UNSPECIFIED Use the default value controlled by flag.
ALERTS_FEATURE_PREFERENCE_ENABLED Force on the feature regardless of the flag value.
ALERTS_FEATURE_PREFERENCE_DISABLED Force off the feature regardless of the flag value.

AlertList

JSON representation
{
  "alerts": [
    {
      object (Collection)
    }
  ]
}

Fields

alerts[] (object (Collection))