Method: legacy.legacySearchRuleDetectionEvents

Full name: projects.locations.instances.legacy.legacySearchRuleDetectionEvents

Legacy RPC for listing events associated with a particular Detection generated by a Rules Engine rule.

HTTP request

GET https://chronicle.googleapis.com/v1alpha/{instance}/legacy:legacySearchRuleDetectionEvents

Path parameters

Parameters
instance

string

Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}

Query parameters

Parameters
ruleId

string

Required. The rule ID that generated the detection.

versionTimestamp

string (Timestamp format)

Optional. The version timestamp of the rule that generated the detection. If omitted, the latest version of the rule will be used.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

detectionId

string

Required. The ID of the detection.

maxEvents

integer

Optional. Maximum number of events returned across all event variables. The default and the upper limit are both 100,000 events across all event variables. The events of this detection are sorted by event timestamp, truncated to maxEvents events, and grouped by event variable in the response.

Request body

The request body must be empty.

Response body

Events associated with a Rule-generated Detection.

If successful, the response body contains data with the following structure:

JSON representation
{
  "result_events": {
    string: {
      object (OnDemandEventSampleList)
    },
    ...
  },
  "too_many_events": boolean
}
Fields
result_events

map (key: string, value: object (OnDemandEventSampleList))

Map from event variable to the event samples. The events for each event variable are sorted by the event timestamp.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

too_many_events

boolean

True if the detection has more event samples than maxEvents allows; in that case result_events is a truncated view of the detection, cut at the maxEvents limit.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

IAM Permissions

Requires the following IAM permission on the instance resource:

  • chronicle.legacies.legacySearchRuleDetectionEvents

For more information, see the IAM documentation.
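As an added, self-contained example (not part of this reference and not Google's client code), the following Python builds the GET URL from the path and query parameters above, validates the instance path format and the RFC3339 "Zulu" form the page requires for versionTimestamp, bounds maxEvents at the documented 100,000 limit, attaches a Bearer token for the cloud-platform scope, and flattens a response into one row per EventSample while flagging truncation through too_many_events. The project, instance, rule and detection IDs and the response payload are constructed placeholders, and the UDM and Entity bodies inside it are illustrative only (their schemas are not defined on this page); the single live call, fetch_detection_events, is not executed here.

```python
import json
import re
import urllib.parse
import urllib.request

API_BASE = "https://chronicle.googleapis.com/v1alpha"
MAX_EVENTS_LIMIT = 100_000  # default and upper limit for maxEvents, per the reference

# Instance path format required by the reference.
_INSTANCE_RE = re.compile(r"projects/[^/]+/locations/[^/]+/instances/[^/]+")
# RFC3339 UTC "Zulu" timestamp with an optional fraction of up to nine digits.
_RFC3339_ZULU_RE = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{1,9})?Z")


def is_rfc3339_zulu(timestamp):
    """True if timestamp is in the form the versionTimestamp parameter accepts."""
    return _RFC3339_ZULU_RE.fullmatch(timestamp) is not None


def build_request_url(instance, rule_id, detection_id,
                      version_timestamp=None, max_events=None):
    """Build the GET URL for legacy:legacySearchRuleDetectionEvents.

    Inputs are validated client-side so a malformed request is rejected
    before it spends an authenticated round trip.
    """
    if not _INSTANCE_RE.fullmatch(instance):
        raise ValueError("instance must be projects/{project}/locations/{location}/instances/{instance}")
    if not rule_id or not detection_id:
        raise ValueError("ruleId and detectionId are required")
    params = {"ruleId": rule_id, "detectionId": detection_id}
    if version_timestamp is not None:
        if not is_rfc3339_zulu(version_timestamp):
            raise ValueError("versionTimestamp must be RFC3339 UTC Zulu, e.g. 2014-10-02T15:01:23Z")
        params["versionTimestamp"] = version_timestamp
    if max_events is not None:
        if not 1 <= max_events <= MAX_EVENTS_LIMIT:
            raise ValueError(f"maxEvents must be between 1 and {MAX_EVENTS_LIMIT}")
        params["maxEvents"] = str(max_events)
    # The instance path is part of the URL path; only the query values are percent-encoded.
    return f"{API_BASE}/{instance}/legacy:legacySearchRuleDetectionEvents?{urllib.parse.urlencode(params)}"


def fetch_detection_events(url, access_token, timeout=30):
    """GET the URL with a Bearer token obtained for the cloud-platform scope.

    Live network call; not executed in the offline demonstration below.
    """
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def flatten_samples(response):
    """One row per EventSample: the event variable it matched, its event_id,
    and whether the event_sample union carried a UDM event or an entity."""
    rows = []
    for variable, sample_list in response.get("result_events", {}).items():
        for sample in sample_list.get("event_samples", []):
            if "event" in sample:
                kind = "event"
            elif "entity" in sample:
                kind = "entity"
            else:
                kind = "unknown"
            rows.append({"variable": variable, "event_id": sample.get("event_id"), "kind": kind})
    return rows


def is_truncated(response):
    """True when the detection had more samples than maxEvents allowed, so
    result_events is an incomplete view of the detection."""
    return bool(response.get("too_many_events", False))


# Constructed sample response shaped like the reference's JSON representation.
# The UDM and Entity bodies are placeholders, not a documented schema.
SAMPLE_RESPONSE = {
    "result_events": {
        "e": {"event_samples": [
            {"event_id": "evt-0001", "raw_log_token": "tok-1", "event": {"metadata": {"event_type": "NETWORK_CONNECTION"}}},
            {"event_id": "evt-0002", "raw_log_token": "tok-2", "event": {"metadata": {"event_type": "NETWORK_CONNECTION"}}},
        ]},
        "u": {"event_samples": [
            {"event_id": "ent-0001", "entity": {"metadata": {"entity_type": "USER"}}},
        ]},
    },
    "too_many_events": True,
}


if __name__ == "__main__":
    # Constructed placeholder IDs; the real ones come from the detection you are investigating.
    url = build_request_url("projects/my-project/locations/us/instances/0123",
                            "ru_0000", "de_0000",
                            version_timestamp="2014-10-02T15:01:23Z", max_events=500)
    print(url)
    for row in flatten_samples(SAMPLE_RESPONSE):
        print(row)
    if is_truncated(SAMPLE_RESPONSE):
        print("warning: too_many_events=true; raise maxEvents (up to 100000) to see the rest")
```

When too_many_events is true the events you did receive are still the earliest by event timestamp, so a triage script that only looks at the last sample in each variable can miss the newest activity; check the flag before drawing conclusions from the sample list.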

OnDemandEventSampleList

JSON representation
{
  "event_samples": [
    {
      object (EventSample)
    }
  ]
}
Fields
event_samples[]

object (EventSample)

EventSample

JSON representation
{
  "raw_log_event_information": {
    object (RawLogEventInformation)
  },
  "raw_log_token": string,
  "event_id": string,

  // Union field event_sample can be only one of the following:
  "event": {
    object (UDM)
  },
  "entity": {
    object (Entity)
  }
  // End of list of possible types for union field event_sample.
}
Fields
raw_log_event_information
(deprecated)

object (RawLogEventInformation)

raw_log_token

string

event_id

string

Union field event_sample.

event_sample can be only one of the following:

event

object (UDM)

entity

object (Entity)

RawLogEventInformation

JSON representation
{
  "batch_id": string,
  "offset": integer,
  "timestamp": string,
  "event_type": enum (EventType),
  "disambiguation_key": string,
  "normalized_event_type": enum (EventType)
}
Fields
batch_id

string (bytes format)

A base64-encoded string.

offset

integer

timestamp

string (Timestamp format)

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

event_type

enum (EventType)

disambiguation_key

string (bytes format)

A base64-encoded string.

normalized_event_type

enum (EventType)