Full name: projects.locations.instances.legacy.legacyFetchAlertsView
Legacy streaming endpoint for getting alerts (and in some cases, non-alerting detections) along with aggregated fields that match the query.
HTTP request
GET https://chronicle.africa-south1.rep.googleapis.com/v1alpha/{instance}/legacy:legacyFetchAlertsView
Path parameters
| Parameters | Description |
|---|---|
| instance | Required. The name of the parent resource, which is the SecOps instance. Format: `projects/{project}/locations/{location}/instances/{instance}` |
Query parameters
| Parameters | Description |
|---|---|
| baselineQuery | The baseline query is used for this request and its results are cached for subsequent requests, so that supplying additional filters in the snapshotQuery will not require re-running the baseline query. This uses a syntax similar to UDM search, with all fields supported other than the following path prefixes: `collectionElements.references.event`, `collectionElements.references.entity`, `feedbackSummary.*` |
| snapshotQuery | Required. This uses a syntax similar to UDM search, with support for all fields within 7 levels of nesting within the collection proto. For composite detections, the filters prefixed with `collectionElements.references.event` or `collectionElements.references.entity` are also checked against one level of producer detections. |
| timeRange | Required. The time range to search, [inclusive, exclusive). |
| alertListOptions | Parameters for the alerts that will be streamed back. |
| fieldAggregationOptions | Parameters for the aggregated alert fields that will be streamed back. |
| enableCache | If enabled, subsequent requests for the same time range and baseline query will try to leverage the server-side cache to serve the response with the filters from the snapshot query applied. |
| includeNonAlertingDetections | Whether to include non-alerting detections in the response. |
| plaqueTraceLevel | Optional. Deprecated. An internal trace level. |
| maxShardCount | Optional. Deprecated. An internal optimization value. |
| maxBaselineResults | Optional. Deprecated. Maximum number of alerts that will be processed for a single request. |
Request body
The request body must be empty.
Response body
Depending on the parameters in FetchAlertsViewRequest, the server streams back some combination of `alerts` and `fieldAggregations`.
If successful, the response body contains data with the following structure:
JSON representation
```
{
  "progress": number,
  "tooManyAlerts": boolean,
  "complete": boolean,
  "validBaselineQuery": boolean,
  "baselineAlertsCount": integer,
  "validSnapshotQuery": boolean,
  "queryValidationErrors": [
    {
      object (
```
| Fields | Description |
|---|---|
| progress | Progress of the query represented as a double between 0 and 1. |
| tooManyAlerts | If true, there are too many alerts matched and some have been omitted from both the "Too many alerts" depends on the server-side limit of 1,000,000 matched alerts to serve as a base for the field aggregations, rather than on the |
| complete | Streaming for this response is done. There will be no additional updates. |
| validBaselineQuery | Whether the request baselineQuery is a valid structured query. If not, |
| baselineAlertsCount | The number of alerts matched by the baseline query. |
| validSnapshotQuery | Whether the request baseline and snapshot queries are valid. If not, |
| queryValidationErrors[] | Parse errors for the baselineQuery and/or the snapshotQuery. |
| runtimeErrors[] | Runtime errors. |
| filteredAlertsCount | The number of alerts in the snapshot that match the snapshotQuery. This is <= |
| alerts | The list of the first N matched alerts. The value of N is determined by the AlertListOptions.max_returned_alerts field in the request. |
| fieldAggregations | List of fields with aggregated values. |
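Because this endpoint streams partial responses, a client has to fold the messages together, treat `queryValidationErrors` as the authoritative invalid-query signal (proto3 JSON omits false booleans, so a missing `validBaselineQuery` proves nothing), and remember that aggregations behind `tooManyAlerts` were computed on at most 1,000,000 alerts. The consumer below is an added example, not Google's client code; it assumes the stream is delivered as a sequence of JSON objects, and the alert and aggregation objects in the sample are constructed placeholders because this page does not document their shape.

```python
import json


class InvalidQuery(ValueError):
    """The server rejected the baseline or snapshot query."""


def consume_stream(messages):
    """Fold streamed response messages into one dict; stop at complete=true."""
    summary = {"progress": 0.0, "alerts": [], "field_aggregations": [],
               "filtered_alerts_count": None, "baseline_alerts_count": None,
               "aggregations_capped": False, "runtime_errors": []}
    for msg in messages:
        # proto3 JSON omits false booleans, so an absent valid* flag proves
        # nothing; a non-empty queryValidationErrors is the reliable signal.
        if (msg.get("queryValidationErrors") or msg.get("validBaselineQuery") is False
                or msg.get("validSnapshotQuery") is False):
            raise InvalidQuery(msg.get("queryValidationErrors", []))
        summary["progress"] = max(summary["progress"], msg.get("progress", 0.0))
        summary["runtime_errors"].extend(msg.get("runtimeErrors", []))
        if msg.get("tooManyAlerts"):
            # Field aggregations were based on at most 1,000,000 matched alerts.
            summary["aggregations_capped"] = True
        if "baselineAlertsCount" in msg:
            summary["baseline_alerts_count"] = msg["baselineAlertsCount"]
        if "filteredAlertsCount" in msg:
            summary["filtered_alerts_count"] = msg["filteredAlertsCount"]
        if "alerts" in msg:  # AlertList; latest message supersedes (assumption)
            summary["alerts"] = list(msg["alerts"].get("alerts", []))
        if "fieldAggregations" in msg:
            summary["field_aggregations"] = list(msg["fieldAggregations"])
        if msg.get("complete"):
            return summary
    raise RuntimeError("stream ended without complete=true")


# Constructed sample stream, one JSON object per line (an assumption about
# framing); alert and aggregation objects are placeholders.
SAMPLE_STREAM = """\
{"progress": 0.2, "validBaselineQuery": true, "validSnapshotQuery": true, "baselineAlertsCount": 1500000, "tooManyAlerts": true}
{"progress": 0.6, "filteredAlertsCount": 42, "alerts": {"alerts": [{"id": "a-1"}, {"id": "a-2"}]}}
{"progress": 1.0, "complete": true, "fieldAggregations": [{"field": "principal.hostname"}]}
"""
SAMPLE_INVALID = '{"validSnapshotQuery": false, "queryValidationErrors": [{"message": "bad query"}], "complete": true}\n'


def parse_lines(text):
    """Parse the constructed newline-delimited sample into message dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]
```

A stream that ends without `complete: true` is treated as an error rather than a short result, so a dropped connection is never mistaken for an empty alert set.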
Authorization scopes
Requires the following OAuth scope:
https://www.googleapis.com/auth/cloud-platform
For more information, see the Authentication Overview.
IAM Permissions
Requires the following IAM permission on the instance resource:
chronicle.legacies.legacyFetchAlertsView
For more information, see the IAM documentation.
AlertListOptions
JSON representation
```
{
  "maxReturnedAlerts": integer,
  "entityIndicator": {
    object (
```
| Fields | Description |
|---|---|
| maxReturnedAlerts | |
| entityIndicator | |
EntityIndicator
JSON representation
```
{
  "indicatorNamespace": string,
  // Union field
```
| Fields | Description |
|---|---|
| indicatorNamespace | |
| Union field | |
| hostname | |
| assetIpAddress | |
| mac | |
| productId | |
| userName | |
| email | |
| employeeId | |
| windowsSid | |
| projectObjectId | |
| productObjectId | |
| rawPid | |
| processId | |
| fullCommandLine | |
| parentProcessId | |
| hashMd5 | |
| hashSha1 | |
| hashSha256 | |
| filePath | |
| destinationIpAddress | |
| domainName | |
| resourceProjectObjectId | |
| resourceName | |
AlertFieldAggregationOptions
JSON representation
```
{
  "maxValuesPerField": integer
}
```
| Fields | Description |
|---|---|
| maxValuesPerField | |
AlertsFeaturePreference
A generic option to enable or disable a feature.
| Enums | Description |
|---|---|
| ALERTS_FEATURE_PREFERENCE_UNSPECIFIED | An unspecified preference. Behavior will depend on the server defaults. |
| ALERTS_FEATURE_PREFERENCE_ENABLED | Enable the feature. |
| ALERTS_FEATURE_PREFERENCE_DISABLED | Disable the feature. |
AlertList
JSON representation
```
{
  "alerts": [
    {
      object (
```
| Fields | Description |
|---|---|
| alerts[] | |