Method: legacy.legacyRunTestRule

HTTP request
Path parameters
Request body
- JSON representation
Response body
- JSON representation
Authorization scopes
IAM Permissions
RuleError
- JSON representation
UserFacingError
- JSON representation
Try it!

Full name: projects.locations.instances.legacy.legacyRunTestRule

Legacy RPC to test a rule and stream back the responses. Runs the rule over the given time range and streams back detections and errors without persisting them.

HTTP request

POST https://chronicle.googleapis.com/v1alpha/{instance}/legacy:legacyRunTestRule

Path parameters

Parameters

Parameters
`instance`	`string` Required. The Chronicle instance associated with the request. Format: projects/{project}/locations/{location}/instances/{instance}

instance

string

Required. The Chronicle instance associated with the request. Format: projects/{project}/locations/{location}/instances/{instance}

Request body

The request body contains data with the following structure:

JSON representation
{ "rule_text": string, "time_range": { object (`Interval`) }, "max_results": integer, "scope": string }

Fields
`rule_text`	`string` Required. The rule text to be tested.
`time_range`	`object (Interval)` Required. The time range the rule should be tested on. Limited to 14 days.
`max_results`	`integer` Optional. The maximum number of results to return. The service may return fewer than this value. If unspecified, at most 1000 detections will be returned. The maximum value is 10000; values above 10000 will be coerced to 10000.
`scope`	`string` Optional. The data access scope to use to run the rule. This field is only required if data access control is enabled. If reference lists are used in the rule, validations are performed against this scope to ensure that the reference lists are compatible with both the user's and the rule's scopes. The scope should be in the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}".

Response body

Response message for LegacyRunTestRule.

If successful, the response body contains data with the following structure:

JSON representation

JSON representation
{ "detection": { object (`YaraL2Detection`) }, "rule_compilation_failed": boolean, "rule_compilation_error": { object (`RuleCompilationError`) }, "rule_error": { object (`RuleError`) }, "too_many_detections": boolean, "progress_percent": number }

{
  "detection": {
    object (YaraL2Detection)
  },
  "rule_compilation_failed": boolean,
  "rule_compilation_error": {
    object (RuleCompilationError)
  },
  "rule_error": {
    object (RuleError)
  },
  "too_many_detections": boolean,
  "progress_percent": number
}

Fields
`detection`	`object (YaraL2Detection)` Detection found for the given rule text.
`rule_compilation_failed`	`boolean` Indicates if the rule failed to compile.
`rule_compilation_error`	`object (RuleCompilationError)` The compilation error generated from the rule text.
`rule_error`	`object (RuleError)` The rule's runtime error.
`too_many_detections`	`boolean` Indicates if the request would have streamed more detections than max_results allows.
`progress_percent`	`number` The progress percent of the run, from 0.0-100.0.

Authorization scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

IAM Permissions

Requires the following IAM permission on the instance resource:

chronicle.legacies.legacyRunTestRule

For more information, see the IAM documentation.

RuleError

JSON representation
{ "user_facing_error": { object (`UserFacingError`) }, "time_range": { object (`Interval`) }, "id": string }

Fields
`user_facing_error`	`object (UserFacingError)`
`time_range`	`object (Interval)`
`id`	`string`

UserFacingError

JSON representation
{ "status": { object (`StatusProto`) } }

Fields
`status`	`object (StatusProto)`