Method: legacy.legacySearchArtifactEvents

Full name: projects.locations.instances.legacy.legacySearchArtifactEvents

Legacy endpoint for getting events for a given artifact.

HTTP request

GET https://chronicle.googleapis.com/v1alpha/{instance}/legacy:legacySearchArtifactEvents

Path parameters

Parameters
instance

string

Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}

Query parameters

Parameters
artifact

object (ArtifactIndicator)

Required. The artifact for which we want to find events.

timeRange

object (Interval)

The time range to search, as [inclusive start time, exclusive end time). If left empty, all time is searched.

limit

integer

The maximum number of events to return. The service may return fewer than this value. If unspecified, at most 10,000 events will be returned. The maximum value is 100,000; values above 100,000 will be coerced to 100,000.

Request body

The request body must be empty.

Response body

The response to a request to find all asset events for the queried artifact.

If successful, the response body contains data with the following structure:

JSON representation

{
  "assets": [
    {
      object (AssetIndicatorTimestamp)
    }
  ]
}

Fields
assets[]

object (AssetIndicatorTimestamp)

A list of assets along with the time at which each queried the artifact. This list is built after de-duplicating the raw events. The de-duplication is done on the queried artifact (i.e., multiple lookups by one asset of the queried domain or any of its subdomains within a short period of time are represented as a single event). Sorted in ascending order of AssetIndicatorTimestamp.time.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

IAM Permissions

Requires the following IAM permission on the instance resource:

  • chronicle.legacies.legacySearchArtifactEvents

For more information, see the IAM documentation.

AssetIndicatorTimestamp

Event information returned for the timeline of either a domain or an IP. Contains the asset that resolved the domain/IP at a given timestamp and any web proxy data, if available.

JSON representation

{
  "asset_indicator": {
    object (AssetIndicator)
  },
  "event_time": string,
  "artifact_indicator": {
    object (ArtifactIndicator)
  },
  "http_details": [
    {
      object (HttpDetails)
    }
  ],
  "raw_logs_token": string,
  "filter_properties": {
    object (FilterProperties)
  },
  "sidebar_entries": [
    {
      object (SidebarEntry)
    }
  ],
  "file_names": [
    string
  ]
}

Fields
asset_indicator

object (AssetIndicator)

The asset.

event_time

string (Timestamp format)

A time associated with this asset.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

artifact_indicator

object (ArtifactIndicator)

The artifact.

http_details[]

object (HttpDetails)

Additional details about HTTP requests associated with the lookup.

raw_logs_token

string

A token used to request raw logs; it is opaque to the client. If empty, no raw logs can be requested.

filter_properties

object (FilterProperties)

Filter properties for each timeline event.

sidebar_entries[]

object (SidebarEntry)

All the sidebar entries.

file_names[]

string

File names associated with the queried file hash in the hash view timeline. This field is only valid when the ArtifactIndicator is a file hash.
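As an added example (not Chronicle's own client code), the following Python builds the GET request described above and parses a response in the documented shape, clamping `limit` the way the service does and checking the documented ascending ordering and nanosecond-resolution `event_time`. It assumes the nested Interval is flattened to `timeRange.startTime` / `timeRange.endTime` query keys, and leaves the ArtifactIndicator query keys to the caller because that object's fields are not listed on this page.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlencode
BASE_URL = "https://chronicle.googleapis.com/v1alpha"
MAX_LIMIT = 100_000  # the service coerces larger values to this; default is 10,000
_RFC3339_ZULU = re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d{1,9}))?Z")

def build_request_url(instance, artifact_params, start=None, end=None, limit=None):
    """GET URL for legacy:legacySearchArtifactEvents. `artifact_params` is the
    ArtifactIndicator already flattened to query keys (fields not listed here)."""
    query = dict(artifact_params)
    # Assumption: the nested Interval is flattened as timeRange.startTime/.endTime
    if start is not None:
        query["timeRange.startTime"] = start  # inclusive
    if end is not None:
        query["timeRange.endTime"] = end  # exclusive
    if limit is not None:
        query["limit"] = min(int(limit), MAX_LIMIT)  # mirror server-side coercion
    return f"{BASE_URL}/{instance}/legacy:legacySearchArtifactEvents?{urlencode(query)}"

def parse_event_time(ts):
    """Zulu timestamp with up to nine fractional digits; datetime keeps
    microseconds, so digits past the sixth are truncated (order preserved)."""
    m = _RFC3339_ZULU.fullmatch(ts)
    if m is None:
        raise ValueError(f"not an RFC3339 Zulu timestamp: {ts!r}")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    micros = int((m.group(2) or "").ljust(6, "0")[:6])
    return base.replace(tzinfo=timezone.utc, microsecond=micros)

def parse_response(body):
    """One record per asset entry; enforces the documented ASC ordering."""
    records, prev = [], None
    for entry in body.get("assets", []):
        t = parse_event_time(entry["event_time"])
        if prev is not None and t < prev:
            raise ValueError("assets are not sorted ASC by event_time")
        prev = t
        records.append({
            "asset": entry.get("asset_indicator", {}),
            "time": t,
            "raw_logs_available": bool(entry.get("raw_logs_token")),  # empty = none
            "file_names": entry.get("file_names", []),  # file-hash artifacts only
        })
    return records

SAMPLE_RESPONSE = {"assets": [  # constructed sample in the documented shape, not real data
    {"asset_indicator": {}, "event_time": "2014-10-02T15:01:23Z", "raw_logs_token": ""},
    {"asset_indicator": {}, "event_time": "2014-10-02T15:01:23.045123456Z", "raw_logs_token": "t"},
]}
```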