Method: legacy.legacySearchEnterpriseWideAlerts

Full name: projects.locations.instances.legacy.legacySearchEnterpriseWideAlerts

RPC for getting all alerts in a time range, as used by the legacy page site.

HTTP request

GET https://chronicle.googleapis.com/v1alpha/{instance}/legacy:legacySearchEnterpriseWideAlerts

Path parameters

Parameters
instance

string

Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}

Query parameters

Parameters
timestampRange

object (Interval)

Required. Time range [start, end) for alerts to retrieve.

maxNumAlertsReturn

integer

Required. Maximum number of alert events to return across all assets and users. Note that this is not a limit on the cumulative number of alert_summaries and user_summaries returned, nor a limit on the total number of alert_infos returned, since each alert might be associated with more than one asset and/or user.

Request body

The request body must be empty.

Response body

Returns alerts for the customer in the requested time range.

If successful, the response body contains data with the following structure:

JSON representation
{
  "alert_summaries": [
    {
      object (AssetAlertSummary)
    }
  ],
  "more_data_available": boolean,
  "user_alert_summaries": [
    {
      object (UserAlertSummary)
    }
  ]
}
Fields
alert_summaries[]

object (AssetAlertSummary)

Alerts that occurred in the requested time range, grouped by asset.

more_data_available

boolean

Indicates that more data was available but was not sent because the number of hits exceeded max_num_alerts_to_return.

user_alert_summaries[]

object (UserAlertSummary)

Alerts that occurred in the requested time range, grouped by user.
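As an added example (not code from the reference), a Python client sketch that builds the GET request, flattens both groupings of the response into one row list, and handles more_data_available, for which the response carries no page token, by halving the time window and re-querying. It assumes the Interval object is passed as timestampRange.startTime/timestampRange.endTime query parameters; the HTTP call is replaced by an offline stand-in over constructed sample alerts.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse
BASE = "https://chronicle.googleapis.com/v1alpha"

def build_url(instance, start, end, max_alerts):
    # Assumption: the Interval query object is transcoded to dotted parameters.
    q = {"timestampRange.startTime": start.strftime("%Y-%m-%dT%H:%M:%SZ"),
         "timestampRange.endTime": end.strftime("%Y-%m-%dT%H:%M:%SZ"),
         "maxNumAlertsReturn": max_alerts}
    return f"{BASE}/{instance}/legacy:legacySearchEnterpriseWideAlerts?{urlencode(q)}"

def flatten(body):
    # An alert may sit under several assets/users, so rows can exceed maxNumAlertsReturn.
    rows = []
    for s in body.get("alert_summaries", []):
        rows += [{"kind": "asset", "subject": s.get("asset"), **a} for a in s.get("alert_info", [])]
    for s in body.get("user_alert_summaries", []):
        rows += [{"kind": "user", "subject": s.get("user"), **a} for a in s.get("alert_infos", [])]
    return rows

def fetch_all(fetch, instance, start, end, max_alerts):
    # There is no page token: when more_data_available is set, halve [start, end)
    # and re-query each half until every window fits under the limit.
    body = fetch(build_url(instance, start, end, max_alerts))
    if not body.get("more_data_available") or end - start <= timedelta(seconds=1):
        return flatten(body)
    mid = start + (end - start) / 2
    return (fetch_all(fetch, instance, start, mid, max_alerts)
            + fetch_all(fetch, instance, mid, end, max_alerts))

# Constructed sample alerts standing in for the Chronicle backend (not real data).
SAMPLE = [
    {"asset": {"hostname": "ws-01"}, "alert": "Malware", "severity": "HIGH", "alert_time": "2024-05-01T00:10:00Z", "alert_number": 1},
    {"asset": {"hostname": "ws-02"}, "alert": "Phishing", "severity": "MEDIUM", "alert_time": "2024-05-01T00:20:00Z", "alert_number": 2},
    {"asset": {"hostname": "srv-01"}, "alert": "Brute force", "severity": "LOW", "alert_time": "2024-05-01T00:50:00Z", "alert_number": 3},
]

def fake_fetch(url):
    # Offline stand-in for the HTTP GET: filters SAMPLE by the request window,
    # truncates to maxNumAlertsReturn and sets more_data_available like the API.
    q = parse_qs(urlparse(url).query)
    lo, hi, limit = q["timestampRange.startTime"][0], q["timestampRange.endTime"][0], int(q["maxNumAlertsReturn"][0])
    hits = [a for a in SAMPLE if lo <= a["alert_time"] < hi]  # same-format RFC3339 compares lexically
    summaries = [{"asset": a["asset"], "alert_info": [{k: v for k, v in a.items() if k != "asset"}]} for a in hits[:limit]]
    return {"alert_summaries": summaries, "more_data_available": len(hits) > limit}

def demo():
    inst = "projects/PROJECT_ID/locations/us/instances/INSTANCE_ID"  # placeholder instance name
    start = datetime(2024, 5, 1, tzinfo=timezone.utc)
    return fetch_all(fake_fetch, inst, start, start + timedelta(hours=1), max_alerts=2)
```

With a limit of 2 and three sample alerts in the hour, the first call reports more_data_available, the window is split at the half hour, and all three alerts are recovered across the two sub-queries.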

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

IAM Permissions

Requires the following IAM permission on the instance resource:

  • chronicle.legacies.legacySearchEnterpriseWideAlerts

For more information, see the IAM documentation.

AssetAlertSummary

An Asset and its associated alerts.

JSON representation
{
  "asset": {
    object (AssetIndicator)
  },
  "alert_info": [
    {
      object (AssetAlertInfo)
    }
  ]
}
Fields
asset

object (AssetIndicator)

The best indicator we have for this asset.

alert_info[]

object (AssetAlertInfo)

Relevant information of alerts associated with the asset.

AssetAlertInfo

Alert information for an asset-based alert.

JSON representation
{
  "alert": string,
  "source_product": string,
  "severity": string,
  "alert_time": string,
  "filter_properties": {
    object (FilterProperties)
  },
  "alert_number": integer,
  "uid": string
}
Fields
alert

string

Alert category.

source_product

string

Alert log source product name.

severity

string

Normalized severity level of the alert.

alert_time

string (Timestamp format)

Timestamp of the alert.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

filter_properties

object (FilterProperties)

Filter properties associated with the alert.

alert_number

integer

Alert number used to identify an alert event.

uid

string (bytes format)

Used to link to the alert. Only populated for Security Command Center alerts.

A base64-encoded string.

UserAlertSummary

A user and its associated alerts.

JSON representation
{
  "user": {
    object (UserIndicator)
  },
  "alert_infos": [
    {
      object (UdmEventInfo)
    }
  ]
}
Fields
user

object (UserIndicator)

Best user indicator from the available user indicators.

alert_infos[]

object (UdmEventInfo)

Relevant information of alerts associated with the user.