Method: legacy.legacySearchRuleResults

HTTP request
Path parameters
Query parameters
Request body
Response body
- JSON representation
Authorization scopes
IAM Permissions
Try it!

Full name: projects.locations.instances.legacy.legacySearchRuleResults

Legacy endpoint for listing aggregated results for a Rules Engine rule.

HTTP request

GET https://chronicle.googleapis.com/v1alpha/{instance}/legacy:legacySearchRuleResults

Path parameters

Parameters

Parameters
`instance`	`string` Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}

instance

string

Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}

Query parameters

Parameters
`ruleId`	`string` Required. The rule ID to return results for.
`versionTimestamp`	`string (Timestamp format)` Optional. The version timestamp of the rule. - If not specified for customer rules, use the latest version of the rule. - If not specified for Uppercase rules, aggregate across all versions of the rule. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`timeRange`	`object (Interval)` Optional. If it is empty, return latest max_matches number of matches.
`maxMatches`	`integer` Optional. The maximum number of matches to return. If max_matches is set to 0 (or is omitted), the server will use the default limit (10K).
`ruleSource`	`enum (RuleSource)` Optional. The rule source to return results for. If omitted, default to returning results for customer rules. If it does not match the rule_id field, an error will be returned.
`maxRespSizeBytes`	`integer` Optional. The maximum size of response in bytes. If it is set to 0 (or is omitted), the server will not enforce any max response size limit.

Request body

The request body must be empty.

Response body

Response with list of matches that have been found from a Rules Engine rule. NEXT TAG: 4

If successful, the response body contains data with the following structure:

JSON representation
{ "yara_l_2_too_many_detections": boolean, "yara_l_2_detections": [ { object (`YaraL2Detection`) } ], "resp_too_large_detections_truncated": boolean }

Fields

Fields
`yara_l_2_too_many_detections`	`boolean` For YARA 2.0 Whether the request would have resulted in more detections than the default limit allows. If true, the `detections` field will contain only the number of allowed matches.
`yara_l_2_detections[]`	`object (YaraL2Detection)` For YARA 2.0 A list of detections found by applying the rule.
`resp_too_large_detections_truncated`	`boolean` This is related to the max_resp_size_bytes field in the request. If the original response size is larger than the max_resp_size_bytes, we will truncate detections so that the response size is smaller than max_resp_size_bytes, and this field will be set to true.

yara_l_2_too_many_detections

boolean

For YARA 2.0 Whether the request would have resulted in more detections than the default limit allows. If true, the detections field will contain only the number of allowed matches.

yara_l_2_detections[]

object (YaraL2Detection)

For YARA 2.0 A list of detections found by applying the rule.

resp_too_large_detections_truncated

boolean

This is related to the max_resp_size_bytes field in the request. If the original response size is larger than the max_resp_size_bytes, we will truncate detections so that the response size is smaller than max_resp_size_bytes, and this field will be set to true.

Authorization scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

IAM Permissions

Requires the following IAM permission on the instance resource:

chronicle.legacies.legacySearchRuleResults

For more information, see the IAM documentation.