Full name: projects.locations.instances.legacy.legacySearchRulesAlerts
RPC to get the list of Rules Engine generated alerts for a customer.
HTTP request
GET https://chronicle.googleapis.com/v1alpha/{instance}/legacy:legacySearchRulesAlerts
Path parameters

| Parameter | Description |
|---|---|
| instance | Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance} |
Query parameters

| Parameter | Description |
|---|---|
| timeRange | Required. Time range [start, end) for alerts to retrieve. All Rules Engine (RE) alerts whose detection_time falls in this time range are returned. |
| maxNumAlertsToReturn | Optional. Maximum number of alerts to return. |
| status | Optional. When this field is not set, ACTIVE is used by default. |
Request body
The request body must be empty.
Response body
List of Rules alerts aggregated by Rule.
If successful, the response body contains data with the following structure:

| JSON representation |
|---|
| { "rule_alerts": [ { object ( |

| Field | Description |
|---|---|
| rule_alerts[] | Alerts generated by the Rules engine. One entry for each Rule created by the customer. |
| too_many_alerts | Indicates that more data was available but not sent due to more hits than max_matches_to_return. |
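The following is an added example, not code from Google or from the Chronicle documentation. It builds the GET request described above (the request body must be empty, so every input travels in the query string) and summarizes a constructed response, treating too_many_alerts as a signal that the time window must be narrowed and re-queried rather than as informational, and surfacing rules that carry a rule_compilation_error since such rules produce no alerts. The encoding of timeRange as timeRange.startTime and timeRange.endTime is an assumption the page does not state, the instance path is a placeholder, and the helper names build_request, summarize_response and split_window are the example's own.

```python
"""Added example (not Google's code): build a legacySearchRulesAlerts GET request
and summarize its response so truncation and non-compiling rules are not ignored.

Assumptions not stated on the reference page:
  * timeRange is sent as two RFC 3339 query fields, timeRange.startTime and
    timeRange.endTime (the usual REST encoding of a message-typed query parameter);
  * a bearer token with the cloud-platform scope is obtained elsewhere;
  * SAMPLE_RESPONSE is constructed here, using only field names from the page.
"""
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import urlencode

API_ROOT = "https://chronicle.googleapis.com/v1alpha"
VALID_STATUS = {"ACTIVE", "ARCHIVED", "ALL"}  # RuleStatus values from the page
EXAMPLE_INSTANCE = "projects/my-project/locations/us/instances/example-instance"  # placeholder
WINDOW_START = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed window
WINDOW_END = datetime(2024, 1, 2, tzinfo=timezone.utc)


def rfc3339(ts: datetime) -> str:
    """RFC 3339 UTC 'Zulu' form used by the API; naive datetimes are taken as UTC."""
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_request(instance: str, start: datetime, end: datetime,
                  max_alerts: Optional[int] = None, status: Optional[str] = None) -> str:
    """Return the full request URL; validation happens before anything is sent."""
    p = instance.split("/")
    if len(p) != 6 or p[0] != "projects" or p[2] != "locations" or p[4] != "instances":
        raise ValueError("instance must be projects/{project}/locations/{location}/instances/{instance}")
    if end <= start:
        raise ValueError("timeRange is half-open [start, end); end must be after start")
    if status is not None and status not in VALID_STATUS:
        raise ValueError(f"status must be one of {sorted(VALID_STATUS)}")
    params = {"timeRange.startTime": rfc3339(start), "timeRange.endTime": rfc3339(end)}
    if max_alerts is not None:
        if max_alerts <= 0:
            raise ValueError("maxNumAlertsToReturn must be positive")
        params["maxNumAlertsToReturn"] = max_alerts
    if status is not None:
        params["status"] = status  # omitted -> server default ACTIVE, archived alerts excluded
    return f"{API_ROOT}/{instance}/legacy:legacySearchRulesAlerts?{urlencode(params)}"


def summarize_response(body: dict) -> dict:
    """Flatten a response into per-rule counts plus two defender-relevant flags."""
    rules, total = [], 0
    for entry in body.get("rule_alerts", []):
        meta = entry.get("rule_metadata", {})
        props = meta.get("properties", {})
        count = len(entry.get("alerts", []))
        total += count
        rules.append({
            "rule_id": meta.get("rule_id"),
            "name": props.get("name"),
            "live_rule_status": props.get("live_rule_status", "LIVE_RULE_STATUS_UNSPECIFIED"),
            "alert_count": count,
            "compilation_error": meta.get("rule_compilation_error"),
        })
    return {
        "total_alerts": total,
        # True means the server hit its cap: alerts inside the window were NOT returned.
        "truncated": bool(body.get("too_many_alerts", False)),
        # A rule that does not compile produces no alerts: a silent detection gap.
        "rules_with_errors": [r["rule_id"] for r in rules if r["compilation_error"]],
        "rules": rules,
    }


def split_window(start: datetime, end: datetime):
    """Halve a window whose response was truncated so both halves can be re-queried."""
    mid = start + (end - start) / 2
    return [(start, mid), (mid, end)]


# Constructed sample response; alert entries are opaque placeholders.
SAMPLE_RESPONSE = {
    "rule_alerts": [
        {"rule_metadata": {"rule_id": "ru_example_1",
                           "properties": {"name": "suspicious_login", "live_rule_status": "ENABLED"}},
         "alerts": [{"detection_time": "2024-01-01T03:00:00Z"}, {"detection_time": "2024-01-01T09:30:00Z"}]},
        {"rule_metadata": {"rule_id": "ru_example_2",
                           "properties": {"name": "broken_rule", "live_rule_status": "ENABLED"},
                           "rule_compilation_error": "placeholder compile error"},
         "alerts": []},
    ],
    "too_many_alerts": True,
}

if __name__ == "__main__":
    print(build_request(EXAMPLE_INSTANCE, WINDOW_START, WINDOW_END, max_alerts=100, status="ALL"))
    summary = summarize_response(SAMPLE_RESPONSE)
    print(summary)
    if summary["truncated"]:
        for s, e in split_window(WINDOW_START, WINDOW_END):
            print("re-query:", rfc3339(s), "->", rfc3339(e))
```

Leaving status unset returns only ACTIVE alerts, so a review of archived detections needs status=ALL or ARCHIVED explicitly; and because too_many_alerts gives no indication of which alerts were dropped, the only safe reaction is to re-query narrower windows until it comes back false.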
Authorization scopes
Requires the following OAuth scope:
https://www.googleapis.com/auth/cloud-platform
For more information, see the Authentication Overview.
IAM Permissions
Requires the following IAM permission on the instance resource:
chronicle.legacies.legacySearchRulesAlerts
For more information, see the IAM documentation.
RuleStatus

| Enum | Description |
|---|---|
| ACTIVE | |
| ARCHIVED | |
| ALL | |
RuleAlertsList

| JSON representation |
|---|
| { "rule_metadata": { object ( |

| Field | Description |
|---|---|
| rule_metadata | |
| alerts[] | |
Rule

| JSON representation |
|---|
| { "rule_id": string, "properties": { object ( |

| Field | Description |
|---|---|
| rule_id | |
| properties | |
| rule_compilation_error | |
RuleProperties

| JSON representation |
|---|
| { "name": string, "metadata": { string: string, ... }, "last_update_time": string, "live_rule_status": enum ( |

| Field | Description |
|---|---|
| name | |
| metadata | An object containing a list of |
| last_update_time | A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
| live_rule_status | |
| execution_state | Output only. |
| rule_notification_enabled | |
| user_facing_rule_type | |
| text | |
| creation_time | A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
| archived_timestamp | A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
| run_frequency | |
| allowed_run_frequencies[] | |
| near_real_time_live_rule_eligible | |
| rl_name_versions | |
| policy | |
| policy_rule_type | |
LiveRuleStatus

| Enum | Description |
|---|---|
| LIVE_RULE_STATUS_UNSPECIFIED | |
| ENABLED | |
| DISABLED | |
ExecutionState

| Enum | Description |
|---|---|
| EXECUTION_STATE_UNSPECIFIED | |
| DEFAULT | |
| LIMITED | |
| PAUSED | |
RunFrequency

| Enum | Description |
|---|---|
| RUN_FREQUENCY_UNSPECIFIED | |
| RUN_FREQUENCY_REALTIME | |
| RUN_FREQUENCY_HOURLY | |
| RUN_FREQUENCY_DAILY | |
RLNameVersions

| JSON representation |
|---|
| { "name_versions": { string: string, ... } } |

| Field | Description |
|---|---|
| name_versions | An object containing a list of |
PolicyRuleType

| Enum | Description |
|---|---|
| POLICY_RULE_TYPE_UNSPECIFIED | |
| HUNTING | |
| PRODUCTION | |