Full name: projects.locations.instances.legacy.legacySearchDetections
Legacy endpoint for searching detections for a rule version.
HTTP request
GET request; the request body must be empty.
Path parameters
Parameters
instance
string
Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}
Query parameters
Parameters
ruleId
string
Required. The specific rule revision to search detections for. There are four acceptable formats:
- {ruleId} retrieves detections for the latest revision of the rule with rule ID {ruleId}.
- {ruleId}@{revisionId} retrieves detections for the revision of the rule with rule ID {ruleId} and revision ID {revisionId}.
- {ruleId}@{wildcard} retrieves detections for all revisions of the rule with rule ID {ruleId}.
- {wildcard} retrieves detections for all revisions of all rules.
startTime
string (Timestamp format)
Optional. The time to start searching detections from, inclusive.
Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".
endTime
string (Timestamp format)
Optional. The time to end searching detections at, exclusive.
Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".
Together the two parameters bound a half-open window [startTime, endTime), so consecutive windows that share a boundary timestamp neither overlap nor leave a gap.
Either detections or nestedDetections will be populated, but not both.
detections[]
object
List of detections in Collection protos corresponding to the ruleId. Only returned if includeNestedDetections is false or missing in the request.
nestedDetections[]
object
Detections generated by the rule named by ruleId in the request, along with one level of nested detections. Only returned if includeNestedDetections is true in the request.
nextPageToken
string
A token that can be sent as pageToken to retrieve the next page. If this field is omitted, there are no subsequent pages.
respTooLargeDetectionsTruncated
boolean
Relates to the maxRespSizeBytes query parameter. If the full response would be larger than maxRespSizeBytes, the detections list is truncated so that the response fits within maxRespSizeBytes, and this field is set to true. A true value means the page is incomplete; a client must not treat it as the full result set for the requested window.
Additional query parameters
The page summary also lists the query parameters alertState, pageSize, pageToken and maxRespSizeBytes: pageSize and pageToken control pagination, and maxRespSizeBytes caps the response size (see respTooLargeDetectionsTruncated).
Request body
The request body must be empty.
Response body
legacy.legacySearchDetections response message. If successful, the response body contains data with the structure described in the response fields above.
Authorization scopes
Requires the following OAuth scope:
- https://www.googleapis.com/auth/cloud-platform
For more information, see the Authentication Overview (/docs/authentication#authorization-gcp).
IAM Permissions
Requires the following IAM permission on the instance resource:
- chronicle.legacies.legacySearchDetections
For more information, see the IAM documentation (https://cloud.google.com/iam/docs).
ListBasis
Type of Timestamp to use for listing detections.
Supported locations
The endpoint is regional. Locations offered by the page's location selector: africa-south1, asia-northeast1, asia-south1, asia-southeast1, asia-southeast2, australia-southeast1, europe-west12, europe-west2, europe-west3, europe-west6, europe-west9, me-central1, me-central2, me-west1, northamerica-northeast2, southamerica-east1, us, eu.
Last updated 2025-08-25 UTC.
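Worked example (added here; not code from the Chronicle API reference or Google's client libraries). It puts the reference above to use end to end: validating the four ruleId selector forms before they reach the API, Z-normalising the startTime/endTime window, building the regional request, walking nextPageToken, and reacting to respTooLargeDetectionsTruncated. Three things are assumptions rather than facts from the page: the regional host chronicle.{location}.rep.googleapis.com with API version v1alpha, the literal "-" as the revision wildcard, and the client policy of retrying a truncated page with half the pageSize. The fetch callable, make_fake_fetch and demo are constructed stand-ins so the logic runs offline; a real caller would supply a fetch that performs the GET with a cloud-platform-scoped OAuth token.

```python
"""Build and page a Chronicle legacySearchDetections request.

Added example, not code from the Chronicle API or its client libraries. Assumed, since
the reference page does not state them: the host chronicle.{location}.rep.googleapis.com
and API version v1alpha; that the revision wildcard is the literal "-"; and a client policy
for respTooLargeDetectionsTruncated=true (retry the same page with half the pageSize)."""
import re
from datetime import datetime, timezone
from typing import Callable, Dict, Iterator, List, Optional

WILDCARD = "-"  # assumption, see module docstring
_INSTANCE = re.compile(r"^projects/[^/]+/locations/(?P<location>[^/]+)/instances/[^/]+$")
Fetch = Callable[[str, Dict[str, object]], Dict[str, object]]

def parse_rule_selector(selector: str) -> Dict[str, Optional[str]]:
    """Classify a ruleId value into one of the four documented forms; reject the rest."""
    if selector == WILDCARD:
        return {"rule": None, "revision": "all"}
    rule, sep, revision = selector.partition("@")
    # "", "@v1", "ru_1@", "a@b@c" and "-@v1" are errors, not a silent search of everything
    if not rule or rule == WILDCARD or "@" in revision or (sep and not revision):
        raise ValueError(f"malformed ruleId selector: {selector!r}")
    if not sep:
        return {"rule": rule, "revision": "latest"}
    return {"rule": rule, "revision": "all" if revision == WILDCARD else revision}

def is_valid_selector(selector: str) -> bool:
    try:
        return bool(parse_rule_selector(selector))
    except ValueError:
        return False

def rfc3339(ts: datetime) -> str:
    """Z-normalised RFC 3339 with 6 fractional digits; naive datetimes are rejected."""
    if ts.tzinfo is None:  # read as local time they would silently shift the window
        raise ValueError("timestamps must be timezone-aware")
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")

def build_request(instance: str, selector: str, start: datetime, end: datetime,
                  page_size: int, page_token: Optional[str] = None,
                  max_resp_size_bytes: Optional[int] = None) -> Dict[str, object]:
    """Return {"url": ..., "params": ...} for one page, validating inputs first."""
    m = _INSTANCE.match(instance)
    if not m:
        raise ValueError("instance must be projects/{project}/locations/{location}/instances/{instance}")
    parse_rule_selector(selector)
    if end <= start:
        raise ValueError("endTime (exclusive) must be after startTime (inclusive)")
    params: Dict[str, object] = {"ruleId": selector, "startTime": rfc3339(start),
                                 "endTime": rfc3339(end), "pageSize": page_size}
    if page_token:
        params["pageToken"] = page_token
    if max_resp_size_bytes is not None:
        params["maxRespSizeBytes"] = max_resp_size_bytes
    url = (f"https://chronicle.{m['location']}.rep.googleapis.com/v1alpha/"  # assumed host
           f"{instance}/legacy:legacySearchDetections")
    return {"url": url, "params": params}

def iter_detections(fetch: Fetch, instance: str, selector: str, start: datetime,
                    end: datetime, page_size: int = 1000,
                    max_resp_size_bytes: Optional[int] = None) -> Iterator[Dict[str, object]]:
    """Yield every detection across all pages. `fetch(url, params)` performs the GET
    with a cloud-platform-scoped token and returns the parsed JSON body."""
    token: Optional[str] = None
    while True:
        req = build_request(instance, selector, start, end, page_size, token, max_resp_size_bytes)
        body = fetch(req["url"], req["params"])
        if body.get("respTooLargeDetectionsTruncated"):
            if page_size <= 1:  # incomplete page that cannot be shrunk any further
                raise RuntimeError("page still truncated at pageSize=1")
            page_size //= 2  # assumption: re-request the same token with a smaller page
            continue
        # Only one of the two lists is populated, depending on includeNestedDetections.
        yield from body.get("detections") or body.get("nestedDetections") or []
        token = body.get("nextPageToken")
        if not token:
            return

def make_fake_fetch(detections: List[Dict[str, object]], truncate_above: int) -> Fetch:
    """Constructed stand-in for the API (not its real behaviour): pages `detections`
    and reports truncation whenever pageSize exceeds `truncate_above`."""
    def fetch(url: str, params: Dict[str, object]) -> Dict[str, object]:
        size = int(params["pageSize"])
        if size > truncate_above:
            return {"detections": detections[:1], "respTooLargeDetectionsTruncated": True}
        offset = int(params.get("pageToken") or 0)
        body: Dict[str, object] = {"detections": detections[offset:offset + size]}
        if offset + size < len(detections):
            body["nextPageToken"] = str(offset + size)
        return body
    return fetch

def demo() -> List[str]:
    """Page seven constructed sample detections through the fake; returns their ids."""
    sample = [{"id": f"de_{i:03d}"} for i in range(7)]  # constructed sample data
    start = datetime(2024, 10, 2, 15, 1, 23, tzinfo=timezone.utc)
    end = datetime(2024, 10, 3, tzinfo=timezone.utc)
    instance = "projects/example-project/locations/us/instances/example-instance"
    pager = iter_detections(make_fake_fetch(sample, truncate_above=4), instance,
                            "ru_example@-", start, end, page_size=32)
    return [str(d["id"]) for d in pager]  # pageSize shrinks 32 -> 16 -> 8 -> 4, then two pages
```

The page does not say whether detections dropped from a truncated page are delivered on a later page, so the pager never consumes a truncated page as if it were complete; shrinking pageSize and re-requesting the same token is a client-side choice, and a caller that prefers to raise on the first truncated page can do so instead. Validating the selector locally matters because a malformed value that the service happens to accept as the wildcard form would quietly return detections for every revision of every rule.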