Full name: projects.locations.instances.legacy.legacySearchAlerts
Legacy endpoint for retrieving a list of all alerts (with Events and Raw Logs, as clients require in requests) within the customer's environment.
HTTP request
GET https://chronicle.googleapis.com/v1alpha/{instance}/legacy:legacySearchAlerts
Path parameters
Parameter | Description
---|---
instance | Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}
Query parameters
Parameter | Description
---|---
startTime | Required. Beginning of time range, inclusive, to search for alerts. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits.
endTime | Required. End of time range, exclusive, to search for alerts. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits.
pageSize | The maximum number of alerts to return. The service may return fewer than this value. If unspecified, at most 100,000 alerts will be returned. The maximum value is 100,000; values above 100,000 will be coerced to 100,000.
pageToken | A page token, received from a previous ListAlerts call. Provide this to retrieve the subsequent page. When paginating, all other parameters provided to ListAlerts must match the call that provided the page token.
alertResponseMode | Whether to retrieve the full raw log associated with each event; see AlertResponseMode below.
Request body
The request body must be empty.
Response body
Response message for LegacySearchAlerts.
If successful, the response body contains data with the following structure:
JSON representation:
{
  "alerts": [
    { object (AssetAlert) }
  ],
  "next_page_token": string,
  "user_alerts": [
    { object (UserAlert) }
  ]
}
Field | Description
---|---
alerts[] | A list of alerts associated with certain assets.
next_page_token | A page token, to be used in a future ListAlerts call. Provide this token in the next ListAlerts call in the page_token field to get the next page of results.
user_alerts[] | A list of alerts associated with certain users.
Authorization scopes
Requires the following OAuth scope:
https://www.googleapis.com/auth/cloud-platform
For more information, see the Authentication Overview.
IAM Permissions
Requires the following IAM permission on the instance resource:
chronicle.legacies.legacySearchAlerts
For more information, see the IAM documentation.
AlertResponseMode
Alert response mode.
Enum | Description
---|---
ALERT_RESPONSE_MODE_UNSPECIFIED | Default value; has the same effect as INCLUDE_RAW_LOG.
INCLUDE_RAW_LOG | Full Event including Raw Log.
EVENT_ONLY | Retrieve event only.
AssetAlert
Several alerts related to a single asset.
JSON representation:
{
  "asset": {
    object (…)
  },
  "alert_infos": [
    { object (AlertInfo) }
  ]
}
Field | Description
---|---
asset | The asset triggering the alert.
alert_infos[] | Detailed information about the alerts.
AlertInfo
Information pertaining to a specific alert.
JSON representation:
{
  "name": string,
  "source_product": string,
  "severity": string,
  "timestamp": string,
  "raw_log": string,
  "uri": [
    string
  ],
  "udm_event": {
    object (…)
  }
}
Field | Description
---|---
name | The name of the alert.
source_product | The source of the alert.
severity | Normalized severity level of the alert.
timestamp | Timestamp of the alert. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits.
raw_log | The raw event log of the corresponding alert event. A base64-encoded string.
uri[] | URLs that direct into the Backstory UI.
udm_event | UDM event corresponding to the alert.
UserAlert
Several alerts related to a single user.
JSON representation:
{
  "user": {
    object (…)
  },
  "alert_infos": [
    { object (AlertInfo) }
  ]
}
Field | Description
---|---
user | The user triggering the alert.
alert_infos[] | Detailed information about the alerts.
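As an added example, not part of this reference page or of any Google client library, the following Python client pages through legacySearchAlerts using the query parameters, response fields and AlertResponseMode values documented above: it keeps every parameter except pageToken fixed across pages, clamps pageSize to the documented 100,000 maximum, follows next_page_token until it is absent, flattens alerts[] (AssetAlert) and user_alerts[] (UserAlert) into one record per AlertInfo, and base64-decodes raw_log while tolerating an entry that is absent (as with EVENT_ONLY) or malformed. The injected fetcher, the Alert record, build_query, SAMPLE_PAGES and demo() are assumptions introduced here; the instance path and the sample responses are constructed placeholders, and real authentication (an OAuth token with the cloud-platform scope) is left to the fetcher.

```python
import base64
from dataclasses import dataclass
from typing import Callable, Dict, Iterator, Optional

ENDPOINT = "https://chronicle.googleapis.com/v1alpha/{instance}/legacy:legacySearchAlerts"
MAX_PAGE_SIZE = 100_000  # the service coerces larger pageSize values down to this

# Assumption: a fetcher performs one authenticated GET (OAuth token with the
# cloud-platform scope) and returns the decoded JSON body, so it is injected.
Fetcher = Callable[[str, Dict[str, object]], dict]


@dataclass
class Alert:
    """One AlertInfo flattened with the asset or user it was reported against (assumed shape)."""
    entity_kind: str      # "asset" (from alerts[]) or "user" (from user_alerts[])
    entity: dict
    name: str
    severity: str
    timestamp: str
    udm_event: dict
    raw_log: bytes        # decoded raw_log; empty when the field is absent (EVENT_ONLY)
    raw_log_error: Optional[str] = None  # set when raw_log was present but not valid base64


def build_query(start_time: str, end_time: str, page_size: int,
                response_mode: str, page_token: Optional[str]) -> Dict[str, object]:
    """Query string for one call; every parameter but pageToken must stay fixed across pages."""
    query: Dict[str, object] = {
        "startTime": start_time,                  # inclusive, RFC3339 UTC
        "endTime": end_time,                      # exclusive, RFC3339 UTC
        "pageSize": min(page_size, MAX_PAGE_SIZE),
        "alertResponseMode": response_mode,       # INCLUDE_RAW_LOG or EVENT_ONLY
    }
    if page_token:
        query["pageToken"] = page_token
    return query


def _parse_alert_info(kind: str, entity: dict, info: dict) -> Alert:
    raw, error = b"", None
    if info.get("raw_log"):
        try:
            raw = base64.b64decode(info["raw_log"], validate=True)
        except ValueError as exc:  # binascii.Error is a subclass of ValueError
            error = f"raw_log is not valid base64: {exc}"
    return Alert(kind, entity, info.get("name", ""), info.get("severity", ""),
                 info.get("timestamp", ""), info.get("udm_event", {}), raw, error)


def search_alerts(fetch: Fetcher, instance: str, start_time: str, end_time: str,
                  page_size: int = 1000, response_mode: str = "INCLUDE_RAW_LOG") -> Iterator[Alert]:
    """Yield every alert in the time range, following next_page_token until it is absent."""
    url = ENDPOINT.format(instance=instance)
    page_token, seen_tokens = None, set()
    while True:
        body = fetch(url, build_query(start_time, end_time, page_size, response_mode, page_token))
        for group in body.get("alerts", []):          # AssetAlert entries
            for info in group.get("alert_infos", []):
                yield _parse_alert_info("asset", group.get("asset", {}), info)
        for group in body.get("user_alerts", []):     # UserAlert entries
            for info in group.get("alert_infos", []):
                yield _parse_alert_info("user", group.get("user", {}), info)
        page_token = body.get("next_page_token")
        if not page_token:
            return
        if page_token in seen_tokens:  # never loop forever on a repeated token
            raise RuntimeError("next_page_token repeated; aborting pagination")
        seen_tokens.add(page_token)


# Constructed sample pages (not real Chronicle output), keyed by the pageToken that fetches them.
_LOG = b"<14>Jan  1 00:00:01 web-01 sshd[4242]: Failed password for invalid user admin from 203.0.113.5"
SAMPLE_PAGES = {
    None: {
        "alerts": [{"asset": {"hostname": "web-01"}, "alert_infos": [{
            "name": "Repeated SSH failures", "severity": "MEDIUM",
            "timestamp": "2024-01-01T00:00:01Z",
            "raw_log": base64.b64encode(_LOG).decode(),
            "udm_event": {"metadata": {"event_type": "USER_LOGIN"}}}]}],
        "user_alerts": [{"user": {"userid": "jdoe"}, "alert_infos": [{
            "name": "Impossible travel", "severity": "HIGH",  # no raw_log, as with EVENT_ONLY
            "timestamp": "2024-01-01T01:00:00Z", "udm_event": {}}]}],
        "next_page_token": "tok-2",
    },
    "tok-2": {  # last page: no next_page_token
        "alerts": [{"asset": {"hostname": "db-01"}, "alert_infos": [{
            "name": "Malformed raw log", "severity": "LOW",
            "timestamp": "2024-01-01T02:00:00Z", "raw_log": "not base64!"}]}],
    },
}


def demo():
    """Page through SAMPLE_PAGES; returns (alerts, list of (url, query) requests made)."""
    requests_made = []

    def fake_fetch(url, query):
        requests_made.append((url, dict(query)))
        return SAMPLE_PAGES[query.get("pageToken")]

    instance = "projects/example-project/locations/us/instances/example-instance"  # placeholder
    alerts = list(search_alerts(fake_fetch, instance, "2024-01-01T00:00:00Z",
                                "2024-01-02T00:00:00Z", page_size=2))
    return alerts, requests_made
```

Because raw_log is opaque base64, a malformed value is recorded on the Alert rather than raised, so one bad record cannot stop ingestion of the rest of the page; the repeated-token guard matters because the page token is the only thing that advances the loop.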