Method: legacy.legacySearchRuleResults

Full name: projects.locations.instances.legacy.legacySearchRuleResults

Legacy endpoint for listing aggregated results for a Rules Engine rule.

HTTP request

GET https://chronicle.googleapis.com/v1alpha/{instance}/legacy:legacySearchRuleResults

Path parameters

Parameters
instance

string

Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}

Query parameters

Parameters
ruleId

string

Required. The rule ID to return results for.

versionTimestamp

string (Timestamp format)

Optional. The version timestamp of the rule.
  - If not specified for customer rules, the latest version of the rule is used.
  - If not specified for Uppercase rules, results are aggregated across all versions of the rule.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

timeRange

object (Interval)

Optional. If empty, the latest max_matches matches are returned.

maxMatches

integer

Optional. The maximum number of matches to return. If max_matches is 0 or omitted, the server uses the default limit (10K).

ruleSource

enum (RuleSource)

Optional. The rule source to return results for. If omitted, results for customer rules are returned. If it does not match the rule_id field, an error is returned.

Request body

The request body must be empty.

Response body

Response with the list of matches found by a Rules Engine rule.

If successful, the response body contains data with the following structure:

JSON representation
{
  "yara_l_2_too_many_detections": boolean,
  "yara_l_2_detections": [
    {
      object (YaraL2Detection)
    }
  ]
}
Fields
yara_l_2_too_many_detections

boolean

For YARA 2.0. Whether the request would have produced more detections than the default limit allows. If true, the detections field contains only the allowed number of matches.

yara_l_2_detections[]

object (YaraL2Detection)

For YARA 2.0. A list of detections found by applying the rule.
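An added client example (not from the Chronicle documentation or SDK) that builds the request above and treats yara_l_2_too_many_detections as a signal to halve the timeRange and re-query, so a capped response is never silently taken as the complete set of detections. It assumes the Interval object is sent as dotted query keys (timeRange.startTime / timeRange.endTime); the instance path, rule ID, fake_fetch stand-in and its "time" key are constructed placeholders, not the real YaraL2Detection schema.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

BASE = "https://chronicle.googleapis.com/v1alpha"
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"  # RFC3339 UTC "Zulu" form the API accepts

def rfc3339(t: datetime) -> str:
    return t.astimezone(timezone.utc).strftime(TS_FMT)

def build_url(instance, rule_id, start, end, max_matches=0):
    # Assumption: the Interval object is flattened into dotted query keys
    # (timeRange.startTime / timeRange.endTime), the usual Google REST convention.
    params = {"ruleId": rule_id,
              "timeRange.startTime": rfc3339(start),
              "timeRange.endTime": rfc3339(end)}
    if max_matches:  # 0 or omitted -> server default limit (10K)
        params["maxMatches"] = str(max_matches)
    return f"{BASE}/{instance}/legacy:legacySearchRuleResults?{urlencode(params)}"

def collect_detections(fetch, instance, rule_id, start, end,
                       min_window=timedelta(minutes=1)):
    """fetch(url) -> decoded JSON body (authentication is the caller's concern).
    Halves the window whenever the server reports the result was capped."""
    body = fetch(build_url(instance, rule_id, start, end))
    hits = body.get("yara_l_2_detections", [])
    if not body.get("yara_l_2_too_many_detections"):
        return hits
    if end - start <= min_window:
        raise RuntimeError(f"still capped at {rfc3339(start)}..{rfc3339(end)}")
    mid = start + (end - start) / 2
    return (collect_detections(fetch, instance, rule_id, start, mid, min_window)
            + collect_detections(fetch, instance, rule_id, mid, end, min_window))

# Constructed offline stand-in for the endpoint: four detections, cap of 2 per call.
# Its detection objects use a made-up "time" key, not the real YaraL2Detection schema.
_FAKE_TIMES = [datetime(2024, 5, 1, h, tzinfo=timezone.utc) for h in (1, 5, 9, 13)]

def fake_fetch(url):
    qs = parse_qs(urlsplit(url).query)
    lo = datetime.strptime(qs["timeRange.startTime"][0], TS_FMT).replace(tzinfo=timezone.utc)
    hi = datetime.strptime(qs["timeRange.endTime"][0], TS_FMT).replace(tzinfo=timezone.utc)
    inside = [t for t in _FAKE_TIMES if lo <= t < hi]
    return {"yara_l_2_too_many_detections": len(inside) > 2,
            "yara_l_2_detections": [{"time": rfc3339(t)} for t in inside[:2]]}

def demo():
    # Placeholder instance path and rule ID; one full day against the fake endpoint.
    day = datetime(2024, 5, 1, tzinfo=timezone.utc)
    return collect_detections(fake_fetch, "projects/PROJECT/locations/LOCATION/instances/INSTANCE",
                              "RULE_ID_PLACEHOLDER", day, day + timedelta(days=1))
```

With the fake endpoint, demo() needs four requests (the day, then each half, then the first quarter) and returns all four detections in time order; a single request would have returned two and a true flag.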

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

IAM Permissions

Requires the following IAM permission on the instance resource:

  • chronicle.legacies.legacySearchRuleResults

For more information, see the IAM documentation.