Full name: projects.locations.instances.legacy.legacySearchRulesAlerts
RPC to get the list of Rules Engine generated alerts for a customer.
HTTP request
Path parameters
Parameter | Description
---|---
instance | Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}
Query parameters
Parameter | Description
---|---
timeRange | Required. Time range [start, end) for alerts to retrieve. All RE alerts whose detection time falls in this time range are returned.
maxNumAlertsToReturn | Optional. The maximum number of alerts to return. The default and maximum value is 10,000; values above that will be coerced to 10,000. When the number of available alerts is greater than this value, the response will contain a tooManyAlerts field set to true.
status | Optional. When this field is not set, uses ACTIVE by default.
Request body
The request body must be empty.
Response body
List of Rules alerts aggregated by Rule.
If successful, the response body contains data with the following structure:
JSON representation |
---|
{ "ruleAlerts": [ { object ( |
Field | Description
---|---
ruleAlerts[] | Alerts generated by the Rules engine. One entry for each Rule created by the customer.
tooManyAlerts | Indicates that more data was available but not sent because there were more hits than maxNumAlertsToReturn.
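Added example, not code from the Chronicle documentation or its client libraries: it builds the query parameters above, enforces the 10,000 cap and the RuleStatus values, and handles a tooManyAlerts response by halving the time range and re-querying, since the method returns no pagination token. It assumes the Interval subfields timeRange.startTime and timeRange.endTime as query-string names and takes an authenticated fetch(params) callable; the fetch used here is a constructed offline stand-in.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List

MAX_ALERTS = 10_000  # documented default and hard maximum of maxNumAlertsToReturn
FMT = "%Y-%m-%dT%H:%M:%SZ"  # Z-normalized RFC 3339, the form the API documents

def build_params(start, end, max_alerts=MAX_ALERTS, status="ACTIVE") -> Dict[str, str]:
    """Query parameters for legacySearchRulesAlerts; the range is [start, end)."""
    if end <= start:
        raise ValueError("timeRange must satisfy start < end")
    if status not in ("ACTIVE", "ARCHIVED", "ALL"):  # RuleStatus enum values
        raise ValueError(f"unknown RuleStatus {status!r}")
    return {"timeRange.startTime": start.astimezone(timezone.utc).strftime(FMT),  # assumed names
            "timeRange.endTime": end.astimezone(timezone.utc).strftime(FMT),
            "maxNumAlertsToReturn": str(min(max_alerts, MAX_ALERTS)),  # server coerces anyway
            "status": status}

def search_all(fetch, start, end, status="ACTIVE", depth=0) -> List[dict]:
    """Collect every RuleAlertsList entry in [start, end). The method has no
    pagination: tooManyAlerts means hits were dropped, so halve the window and re-query."""
    body = fetch(build_params(start, end, status=status))
    if body.get("tooManyAlerts") and depth < 16 and end - start > timedelta(seconds=1):
        mid = start + (end - start) / 2
        return (search_all(fetch, start, mid, status, depth + 1)
                + search_all(fetch, mid, end, status, depth + 1))
    return body.get("ruleAlerts", [])

def alerts_per_rule(rule_alerts: List[dict]) -> Dict[str, int]:
    """Sum alerts by ruleId; the same rule can appear once per split window."""
    counts: Dict[str, int] = {}
    for entry in rule_alerts:
        rule_id = entry.get("ruleMetadata", {}).get("ruleId", "<unknown>")
        counts[rule_id] = counts.get(rule_id, 0) + len(entry.get("alerts", []))
    return counts

# Constructed stand-in for the API (offline): 6 alerts, 2 rules, 1 hour, 4 hits per response.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
FAKE_ALERTS = [(f"ru_{i % 2}", T0 + timedelta(minutes=10 * i)) for i in range(6)]
def fake_fetch(params: Dict[str, str], cap: int = 4) -> dict:
    s, e = (datetime.strptime(params[k], FMT).replace(tzinfo=timezone.utc)
            for k in ("timeRange.startTime", "timeRange.endTime"))
    hits = [(r, t) for r, t in FAKE_ALERTS if s <= t < e]
    grouped: Dict[str, list] = {}
    for r, t in hits[:cap]:  # everything past the cap is dropped, as the real API does
        grouped.setdefault(r, []).append({"detectionTime": t.strftime(FMT)})
    return {"ruleAlerts": [{"ruleMetadata": {"ruleId": r}, "alerts": a} for r, a in grouped.items()],
            "tooManyAlerts": len(hits) > cap}

def demo() -> Dict[str, int]:
    return alerts_per_rule(search_all(fake_fetch, T0, T0 + timedelta(hours=1)))
```

Against the constructed data the first query is truncated, the two half-hour windows are not, and demo() returns three alerts for each of the two rules.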
Authorization scopes
Requires the following OAuth scope:
https://www.googleapis.com/auth/cloud-platform
For more information, see the Authentication Overview.
IAM Permissions
Requires the following IAM permission on the instance resource:
chronicle.legacies.legacySearchRulesAlerts
For more information, see the IAM documentation.
RuleStatus
Enum | Description
---|---
ACTIVE |
ARCHIVED |
ALL |
RuleAlertsList
JSON representation |
---|
{ "ruleMetadata": { object ( |
Field | Description
---|---
ruleMetadata |
alerts[] |
Rule
JSON representation |
---|
{ "ruleId": string, "properties": { object ( |
Field | Description
---|---
ruleId |
properties |
ruleCompilationError |
RuleProperties
JSON representation |
---|
{ "name": string, "metadata": { string: string, ... }, "lastUpdateTime": string, "liveRuleStatus": enum ( |
Field | Description
---|---
name |
metadata | An object containing a list of
lastUpdateTime | Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples:
liveRuleStatus |
executionState | Output only.
ruleNotificationEnabled |
lastAlertStatusChangeTime | Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples:
userFacingRuleType |
text |
creationTime | Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples:
archivedTimestamp | Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples:
runFrequency |
allowedRunFrequencies[] |
nearRealTimeLiveRuleEligible |
rlNameVersions |
policy |
policyRuleType |
dtNameVersions |
LiveRuleStatus
Enum | Description
---|---
LIVE_RULE_STATUS_UNSPECIFIED |
ENABLED |
DISABLED |
ExecutionState
Enum | Description
---|---
EXECUTION_STATE_UNSPECIFIED |
DEFAULT |
LIMITED |
PAUSED |
RunFrequency
Enum | Description
---|---
RUN_FREQUENCY_UNSPECIFIED |
RUN_FREQUENCY_REALTIME |
RUN_FREQUENCY_HOURLY |
RUN_FREQUENCY_DAILY |
RLNameVersions
JSON representation |
---|
{ "nameVersions": { string: string, ... } } |
Field | Description
---|---
nameVersions | An object containing a list of
PolicyRuleType
Enum | Description
---|---
POLICY_RULE_TYPE_UNSPECIFIED |
HUNTING |
PRODUCTION |
FOUNDATIONAL |
DTNameVersions
JSON representation |
---|
{ "nameVersions": { string: string, ... } } |
Field | Description
---|---
nameVersions | An object containing a list of