Method: legacy.legacySearchAssetEvents

Full name: projects.locations.instances.legacy.legacySearchAssetEvents

Legacy endpoint for getting events for a given asset.

HTTP request


Path parameters

Parameters
instance

string

Required. The name of the parent resource, which is the SecOps instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}

Query parameters

Parameters
assetIndicator

object (AssetIndicator)

Required. The asset to return events for.
timeRange

object (Interval)

Required. The time range of the events to return [inclusive start time, exclusive end time).
maxResults

integer

The maximum number of events to return. The service may return fewer than this value. If unspecified, at most 10,000 events will be returned. The maximum value is 100,000; values above 100,000 will be coerced to 100,000.
referenceTime

string (Timestamp format)

The time used to alias indicator and fetch results of the asset.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

Request body

The request body must be empty.

Response body

Returns searched for events grouped into different categories.

If successful, the response body contains data with the following structure:

JSON representation 
{
  "results": [
    {
      object (SearchResult)
    }
  ],
  "alerts": [
    {
      object (AssetAlertEvent)
    }
  ],
  "ipNetworkEvents": [
    {
      object (IpNetworkEvent)
    }
  ],
  "edrEvents": [
    {
      object (AssetEdrEvent)
    }
  ],
  "typedUserEvents": [
    {
      object (UserEvent)
    }
  ],
  "md5FileHashes": [
    string
  ],
  "sha1FileHashes": [
    string
  ],
  "sha256FileHashes": [
    string
  ],
  "totalRecords": string,
  "tooManyResults": boolean
}
Fields
results[]

object (SearchResult)

A list of network events along with associated domains. Sorted in ASC order of SearchResult.timestamp
alerts[]

object (AssetAlertEvent)

A list of alerts events for the given indicator and time range. Sorted in ASC order of AssetAlertEvent.timestamp.
ipNetworkEvents[]

object (IpNetworkEvent)

A list of network events with associated destination ip that do not have domain. Sorted ASC order of IpNetworkEvent.timestamp
edrEvents[]

object (AssetEdrEvent)

A list of EDR events. Sorted ASC order of AssetEdrEvent.timestamp.
typedUserEvents[]

object (UserEvent)

A list of User Events. Sorted ASC order of UserEvent.timestamp.
md5FileHashes[]

string

All unique md5 file hashes within all events being returned.
sha1FileHashes[]

string

All unique sha1 file hashes within all events being returned.
sha256FileHashes[]

string

All unique sha256 file hashes within all events being returned.
totalRecords

string (int64 format)

The total number of records matching the request.
tooManyResults

boolean

Whether the request results in more records than those specified in the maxResults field.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

IAM Permissions

Requires the following IAM permission on the instance resource:

  • chronicle.legacies.legacySearchAssetEvents

For more information, see the IAM documentation.