Method: legacy.legacySearchRulesAlerts

Full name: projects.locations.instances.legacy.legacySearchRulesAlerts

RPC that returns the list of Rules Engine-generated alerts for a customer.

HTTP request


Path parameters

Parameters
instance

string

Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}

Query parameters

Parameters
timeRange

object (Interval)

Required. Time range [start, end) for alerts to retrieve. All Rules Engine alerts whose detection time falls within this time range are returned.

maxNumAlertsToReturn

integer

Optional. The maximum number of alerts to return. The default and maximum value is 10,000; values above that are coerced to 10,000. When more alerts are available than this value, the response sets the tooManyAlerts field to true.

status

enum (RuleStatus)

Optional. Rule status to include (see RuleStatus). When this field is not set, ACTIVE is used by default.

Request body

The request body must be empty.

Response body

List of Rules Engine alerts, aggregated by rule.

If successful, the response body contains data with the following structure:

JSON representation
{
  "ruleAlerts": [
    {
      object (RuleAlertsList)
    }
  ],
  "tooManyAlerts": boolean
}
Fields
ruleAlerts[]

object (RuleAlertsList)

Alerts generated by the Rules Engine, one entry for each rule created by the customer.

tooManyAlerts

boolean

Set to true when more alerts matched than maxNumAlertsToReturn allowed; the excess alerts were not returned.
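The method has no page token: the only signal that hits were dropped is tooManyAlerts, so a caller that needs every alert must narrow the time range and re-query. The following is an added example, not code from the Chronicle API reference or from Google's client libraries, that builds the query parameters described above, bisects the window on tooManyAlerts, and flattens the per-rule ruleAlerts[] groups into one record per alert. It assumes, since the page does not say, that timeRange is a google.type.Interval with startTime/endTime fields flattened into query parameters as timeRange.startTime and timeRange.endTime, and that the (undocumented here) YaraL2Detection objects carry an "id" and "detectionTime". The HTTP call is injected as a callable, and the backend and sample alerts are constructed so the example runs offline.

```python
# Added example (not from the Chronicle API reference). Assumptions: Interval
# flattens to timeRange.startTime / timeRange.endTime query parameters; alert
# objects have "id" and "detectionTime"; the HTTP call is an injected callable.
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List

SERVER_CAP = 10_000  # default and maximum for maxNumAlertsToReturn
RFC3339 = "%Y-%m-%dT%H:%M:%SZ"  # Z-normalized, whole seconds


def build_query(start: datetime, end: datetime, status: str = "ACTIVE",
                max_alerts: int = SERVER_CAP) -> Dict[str, str]:
    """Query parameters for one request over [start, end)."""
    def to_utc(t: datetime) -> str:
        return t.astimezone(timezone.utc).strftime(RFC3339)
    return {
        "timeRange.startTime": to_utc(start),
        "timeRange.endTime": to_utc(end),
        "maxNumAlertsToReturn": str(min(max_alerts, SERVER_CAP)),  # server coerces anyway
        "status": status,  # ACTIVE | ARCHIVED | ALL
    }


def flatten(response: dict) -> List[dict]:
    """One record per alert, carrying its parent rule's metadata
    (the response groups alerts per rule under ruleAlerts[].alerts[])."""
    records = []
    for group in response.get("ruleAlerts", []):
        rule = group.get("ruleMetadata", {})
        props = rule.get("properties", {})
        for alert in group.get("alerts", []):
            records.append({
                "ruleId": rule.get("ruleId"),
                "ruleName": props.get("name"),
                "liveRuleStatus": props.get("liveRuleStatus"),
                "policyRuleType": props.get("policyRuleType"),
                "alert": alert,
            })
    return records


def search_all(fetch: Callable[[Dict[str, str]], dict], start: datetime,
               end: datetime, status: str = "ACTIVE",
               max_alerts: int = SERVER_CAP) -> List[dict]:
    """Collect every alert with detection time in [start, end).
    When tooManyAlerts is true the server dropped hits, so bisect the window
    (on whole seconds) and query each half. A window that can no longer be
    split and still overflows is returned truncated rather than looping."""
    resp = fetch(build_query(start, end, status, max_alerts))
    half = timedelta(seconds=int((end - start).total_seconds() // 2))
    if not resp.get("tooManyAlerts") or half < timedelta(seconds=1):
        return flatten(resp)
    mid = start + half
    return (search_all(fetch, start, mid, status, max_alerts)
            + search_all(fetch, mid, end, status, max_alerts))


# --- constructed offline backend standing in for the Chronicle endpoint ---
T0 = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
# ten constructed alerts, one per minute, alternating between two rules
SAMPLE_ALERTS = [(f"ru_{'a' if i % 2 else 'b'}", T0 + timedelta(minutes=i), f"det-{i}")
                 for i in range(10)]


def make_fake_fetch(alerts, calls: list) -> Callable[[Dict[str, str]], dict]:
    """Mimics the documented response shape: groups hits by rule, caps them at
    maxNumAlertsToReturn and sets tooManyAlerts when hits exceed the cap."""
    def parse(s: str) -> datetime:
        return datetime.strptime(s, RFC3339).replace(tzinfo=timezone.utc)

    def fetch(params: Dict[str, str]) -> dict:
        calls.append(params)
        s, e = parse(params["timeRange.startTime"]), parse(params["timeRange.endTime"])
        cap = min(int(params["maxNumAlertsToReturn"]), SERVER_CAP)
        hits = [a for a in alerts if s <= a[1] < e]  # [start, end)
        groups: Dict[str, list] = {}
        for rule_id, when, det_id in hits[:cap]:
            groups.setdefault(rule_id, []).append(
                {"id": det_id, "detectionTime": when.strftime(RFC3339)})
        return {
            "ruleAlerts": [
                {"ruleMetadata": {"ruleId": rid, "properties": {
                    "name": f"rule {rid}", "liveRuleStatus": "ENABLED",
                    "policyRuleType": "PRODUCTION"}},
                 "alerts": dets} for rid, dets in groups.items()],
            "tooManyAlerts": len(hits) > cap,
        }
    return fetch


def demo(max_alerts: int = 4):
    """Run the collector against the fake backend with a small cap so the
    bisection is exercised; returns (records, number_of_requests)."""
    calls: list = []
    fetch = make_fake_fetch(SAMPLE_ALERTS, calls)
    records = search_all(fetch, T0, T0 + timedelta(minutes=10), max_alerts=max_alerts)
    return records, len(calls)


if __name__ == "__main__":
    recs, n = demo()
    print(f"{len(recs)} alerts collected in {n} requests")
```

With the constructed cap of 4, the ten-minute window is split into five sub-windows and takes seven requests; with the real 10,000 cap a window this small would return in one. Against the live service the injected callable would add the OAuth bearer token and the instance path, and the bisection stops at one-second windows because a single second that still overflows the cap cannot be narrowed further with this API.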

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

IAM Permissions

Requires the following IAM permission on the instance resource:

  • chronicle.legacies.legacySearchRulesAlerts

For more information, see the IAM documentation.

RuleStatus

Enums
ACTIVE
ARCHIVED
ALL

RuleAlertsList

JSON representation
{
  "ruleMetadata": {
    object (Rule)
  },
  "alerts": [
    {
      object (YaraL2Detection)
    }
  ]
}
Fields
ruleMetadata

object (Rule)

alerts[]

object (YaraL2Detection)

Rule

JSON representation
{
  "ruleId": string,
  "properties": {
    object (RuleProperties)
  },
  "ruleCompilationError": {
    object (RuleCompilationError)
  }
}
Fields
ruleId

string

properties

object (RuleProperties)

ruleCompilationError

object (RuleCompilationError)

RuleProperties

JSON representation
{
  "name": string,
  "metadata": {
    string: string,
    ...
  },
  "lastUpdateTime": string,
  "liveRuleStatus": enum (LiveRuleStatus),
  "executionState": enum (ExecutionState),
  "ruleNotificationEnabled": boolean,
  "lastAlertStatusChangeTime": string,
  "userFacingRuleType": enum (UserFacingRuleType),
  "text": string,
  "creationTime": string,
  "archivedTimestamp": string,
  "runFrequency": enum (RunFrequency),
  "allowedRunFrequencies": [
    enum (RunFrequency)
  ],
  "nearRealTimeLiveRuleEligible": boolean,
  "rlNameVersions": {
    object (RLNameVersions)
  },
  "policy": string,
  "policyRuleType": enum (PolicyRuleType),
  "dtNameVersions": {
    object (DTNameVersions)
  }
}
Fields
name

string

metadata

map (key: string, value: string)

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

lastUpdateTime

string (Timestamp format)

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

liveRuleStatus

enum (LiveRuleStatus)

executionState

enum (ExecutionState)

Output only.

ruleNotificationEnabled

boolean

lastAlertStatusChangeTime

string (Timestamp format)

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

userFacingRuleType

enum (UserFacingRuleType)

text

string

creationTime

string (Timestamp format)

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

archivedTimestamp

string (Timestamp format)

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

runFrequency

enum (RunFrequency)

allowedRunFrequencies[]

enum (RunFrequency)

nearRealTimeLiveRuleEligible

boolean

rlNameVersions

object (RLNameVersions)

policy

string

policyRuleType

enum (PolicyRuleType)

dtNameVersions

object (DTNameVersions)

LiveRuleStatus

Enums
LIVE_RULE_STATUS_UNSPECIFIED
ENABLED
DISABLED

ExecutionState

Enums
EXECUTION_STATE_UNSPECIFIED
DEFAULT
LIMITED
PAUSED

RunFrequency

Enums
RUN_FREQUENCY_UNSPECIFIED
RUN_FREQUENCY_REALTIME
RUN_FREQUENCY_HOURLY
RUN_FREQUENCY_DAILY

RLNameVersions

JSON representation
{
  "nameVersions": {
    string: string,
    ...
  }
}
Fields
nameVersions

map (key: string, value: string (Timestamp format))

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

PolicyRuleType

Enums
POLICY_RULE_TYPE_UNSPECIFIED
HUNTING
PRODUCTION
FOUNDATIONAL

DTNameVersions

JSON representation
{
  "nameVersions": {
    string: string,
    ...
  }
}
Fields
nameVersions

map (key: string, value: string (int64 format))

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.