Chronicle API

The Chronicle API serves all customer endpoints.

Service: chronicle.googleapis.com

Service endpoint

A service endpoint is the base URL that specifies the network address of an API service. A single service might have multiple service endpoints. Prepend your region code to the service endpoint, for example, https://us-chronicle.googleapis.com. Requests without a region code aren't automatically redirected and might return a 404 error. To learn more about the regional endpoints supported by Google Security Operations, see Google Security Operations regional endpoints.

This service has the following service endpoint:

  • https://{region}-chronicle.googleapis.com
    For example: https://us-chronicle.googleapis.com

All URLs listed in this document are relative to this service endpoint.

REST Resource: v1beta.projects.locations.instances

Methods
get GET /v1beta/{name}
Gets an instance.

REST Resource: v1beta.projects.locations.instances.dataAccessLabels

Methods
create POST /v1beta/{parent}/dataAccessLabels
Creates a data access label.
delete DELETE /v1beta/{name}
Deletes a data access label.
get GET /v1beta/{name}
Gets a data access label.
list GET /v1beta/{parent}/dataAccessLabels
Lists all data access labels for the customer.
patch PATCH /v1beta/{dataAccessLabel.name}
Updates a data access label.

REST Resource: v1beta.projects.locations.instances.dataAccessScopes

Methods
create POST /v1beta/{parent}/dataAccessScopes
Creates a data access scope.
delete DELETE /v1beta/{name}
Deletes a data access scope.
get GET /v1beta/{name}
Retrieves an existing data access scope.
list GET /v1beta/{parent}/dataAccessScopes
Lists all existing data access scopes for the customer.
patch PATCH /v1beta/{dataAccessScope.name}
Updates a data access scope.

REST Resource: v1beta.projects.locations.instances.operations

Methods
cancel POST /v1beta/{name}:cancel
Starts asynchronous cancellation on a long-running operation.
delete DELETE /v1beta/{name}
Deletes a long-running operation.
get GET /v1beta/{name}
Gets the latest state of a long-running operation.
list GET /v1beta/{name}/operations
Lists operations that match the specified filter in the request.

REST Resource: v1beta.projects.locations.instances.referenceLists

Methods
create POST /v1beta/{parent}/referenceLists
Creates a new reference list.
get GET /v1beta/{name}
Gets a single reference list.
list GET /v1beta/{parent}/referenceLists
Lists a collection of reference lists.
patch PATCH /v1beta/{referenceList.name}
Updates an existing reference list.

REST Resource: v1beta.projects.locations.instances.rules

Methods
create POST /v1beta/{parent}/rules
Creates a new Rule.
delete DELETE /v1beta/{name}
Deletes a Rule.
get GET /v1beta/{name}
Gets a Rule.
getDeployment GET /v1beta/{name}
Gets a RuleDeployment.
list GET /v1beta/{parent}/rules
Lists Rules.
listRevisions GET /v1beta/{name}:listRevisions
Lists all revisions of the rule.
patch PATCH /v1beta/{rule.name}
Updates a Rule.
updateDeployment PATCH /v1beta/{ruleDeployment.name}
Updates a RuleDeployment.

REST Resource: v1beta.projects.locations.instances.rules.deployments

Methods
list GET /v1beta/{parent}/deployments
Lists RuleDeployments across all Rules.

REST Resource: v1beta.projects.locations.instances.rules.retrohunts

Methods
create POST /v1beta/{parent}/retrohunts
Create a Retrohunt.
get GET /v1beta/{name}
Get a Retrohunt.
list GET /v1beta/{parent}/retrohunts
List Retrohunts.

REST Resource: v1beta.projects.locations.instances.watchlists

Methods
create POST /v1beta/{parent}/watchlists
Creates a watchlist for the given instance.
delete DELETE /v1beta/{name}
Deletes the watchlist for the given instance.
get GET /v1beta/{name}
Gets watchlist details for the given watchlist ID.
list GET /v1beta/{parent}/watchlists
Lists all watchlists for the given instance.
patch PATCH /v1beta/{watchlist.name}
Updates the watchlist for the given instance.

REST Resource: v1alpha.projects.locations.instances

Methods
batchValidateWatchlistEntities POST /v1alpha/{parent}:batchValidateWatchlistEntities
Validates a batch of entities that could be added into watchlist under an instance.
computeAllFindingsRefinementActivities POST /v1alpha/{instance}:computeAllFindingsRefinementActivities
Returns findings refinement activity for all findings refinements.
countAllCuratedRuleSetDetections POST /v1alpha/{instance}:countAllCuratedRuleSetDetections
Count detections across all curated rule sets.
createFeedback POST /v1alpha/{instance}:createFeedback
RPC to submit user feedback on content generated by AI services.
delete DELETE /v1alpha/{name}
DeleteInstance deletes an Instance.
extractSyslog POST /v1alpha/{instance}:extractSyslog
ExtractSyslog extracts the structured part of a log from an unstructured log by running a grok regex over it.
fetchFederationAccess GET /v1alpha/{name}:fetchFederationAccess
FetchFederationAccess method lists all the instances the authenticated user has access to and the operations they can perform over these instances.
findEntity GET /v1alpha/{instance}:findEntity
Identifies the entity type and retrieves relevant data associated with a specified indicator.
findEntityAlerts GET /v1alpha/{instance}:findEntityAlerts
Gets alerts for an entity.
findRelatedEntities GET /v1alpha/{instance}:findRelatedEntities
Finds all the entities associated with provided entity.
findUdmFieldValues GET /v1alpha/{instance}:findUdmFieldValues
Finds ingested UDM field values that match a query.
generateCollectionAgentAuth POST /v1alpha/{name}:generateCollectionAgentAuth
GenerateCollectionAgentAuth generates an auth json file for the collection agent.
generateSoarAuthJwt POST /v1alpha/{name}:generateSoarAuthJwt
GenerateSoarAuthJwt signs a JWT in order to proceed with JWT-exchange-based authentication with SOAR.
generateUdmKeyValueMappings POST /v1alpha/{instance}:generateUdmKeyValueMappings
GenerateUDMKeyValueMappings generates key value mapping of a raw log.
generateWorkspaceConnectionToken POST /v1alpha/{name}:generateWorkspaceConnectionToken
Generates a token that can be used to connect a workspace customer to a Chronicle instance.
get GET /v1alpha/{name}
Gets an Instance.
getBigQueryExport GET /v1alpha/{name}
Get the BigQuery export configuration for a Chronicle instance.
getMultitenantDirectory GET /v1alpha/{name}
Gets the super and subtenants and gets the current tenant name.
getRiskConfig GET /v1alpha/{name}
Queries the instance to get the Risk Configurations used for the computation of Entity Risk Score.
listAllFindingsRefinementDeployments GET /v1alpha/{instance}:listAllFindingsRefinementDeployments
Lists all findings refinement deployments.
queryProductSourceStats GET /v1alpha/{instance}:queryProductSourceStats
Gets available product sources along with their stats.
report GET /v1alpha/{name}:report
Generate a report summarizing this Chronicle instance.
searchEntities GET /v1alpha/{instance}:searchEntities
Identifies the entity type and retrieves relevant data associated with a specified indicator.
searchRawLogs POST /v1alpha/{instance}:searchRawLogs
API to get events, entities, or unparsed raw logs matching the given raw log query.
summarizeEntitiesFromQuery GET /v1alpha/{instance}:summarizeEntitiesFromQuery
Parses the query and identifies the entities contained within the search query.
summarizeEntity GET /v1alpha/{instance}:summarizeEntity
Returns all entity data over specified time.
testFindingsRefinement POST /v1alpha/{instance}:testFindingsRefinement
Tests for and returns past activity for a findings refinement, including, potentially, times when the findings refinement was not yet created.
translateUdmQuery POST /v1alpha/{instance}:translateUdmQuery
Translate natural language to a UDM Search query.
translateYlRule POST /v1alpha/{instance}:translateYlRule
Translate natural language to a Yara-L rule.
udmSearch GET /v1alpha/{instance}:udmSearch
Performs a UDM search that returns matching events for the query.
undelete POST /v1alpha/{name}:undelete
UndeleteInstance undeletes a soft-deleted Instance.
updateBigQueryExport PATCH /v1alpha/{bigQueryExport.name}
Update the BigQuery export configuration for a Chronicle instance.
updateRiskConfig PATCH /v1alpha/{riskConfig.name}
Updates RiskConfig used for the computation of Entity Risk Score.
validateQuery GET /v1alpha/{instance}:validateQuery
Validates UDM search query by compiling the query.
verifyReferenceList POST /v1alpha/{instance}:verifyReferenceList
VerifyReferenceList validates list content and returns line errors, if any.
verifyRuleText POST /v1alpha/{instance}:verifyRuleText
Verifies the given rule text.

REST Resource: v1alpha.projects.locations.instances.analytics

Methods
list GET /v1alpha/{parent}/analytics
Lists all supported analytics for APIs which can filter by analytic type, such as ListAnalyticValues.

REST Resource: v1alpha.projects.locations.instances.analytics.entities.analyticValues

Methods
list GET /v1alpha/{parent}/analyticValues
Lists analytic values.

REST Resource: v1alpha.projects.locations.instances.bigQueryAccess

Methods
provide POST /v1alpha/{parent}/bigQueryAccess:provide
Provide BigQuery access for the given email.

REST Resource: v1alpha.projects.locations.instances.bigQueryExport

Methods
provision POST /v1alpha/{parent}/bigQueryExport:provision
Provision the BigQuery export for a Chronicle instance.

REST Resource: v1alpha.projects.locations.instances.cases

Methods
countPriorities GET /v1alpha/{parent}/cases:countPriorities
Count a selection of cases by priority.

REST Resource: v1alpha.projects.locations.instances.curatedRuleSetCategories

Methods
get GET /v1alpha/{name}
Gets a CuratedRuleSetCategory.
list GET /v1alpha/{parent}/curatedRuleSetCategories
Lists CuratedRuleSetCategories.

REST Resource: v1alpha.projects.locations.instances.curatedRuleSetCategories.curatedRuleSets

Methods
countCuratedRuleSetDetections POST /v1alpha/{name}:countCuratedRuleSetDetections
Counts the detections generated by a CuratedRuleSet.
get GET /v1alpha/{name}
Gets a CuratedRuleSet.
list GET /v1alpha/{parent}/curatedRuleSets
Lists CuratedRuleSets.

REST Resource: v1alpha.projects.locations.instances.curatedRuleSetCategories.curatedRuleSets.curatedRuleSetDeployments

Methods
batchUpdate POST /v1alpha/{parent}/curatedRuleSetDeployments:batchUpdate
Update multiple deployments of curated rule sets.
get GET /v1alpha/{name}
Get a deployment of a curated rule set.
list GET /v1alpha/{parent}/curatedRuleSetDeployments
Lists deployments for a curated rule set.
patch PATCH /v1alpha/{curatedRuleSetDeployment.name}
Update a deployment of a curated rule set.

REST Resource: v1alpha.projects.locations.instances.curatedRules

Methods
get GET /v1alpha/{name}
Gets a CuratedRule.
list GET /v1alpha/{parent}/curatedRules
Lists CuratedRules.

REST Resource: v1alpha.projects.locations.instances.dashboardCharts

Methods
batchGet GET /v1alpha/{parent}/dashboardCharts:batchGet
Get dashboard charts in batches.
get GET /v1alpha/{name}
Get a dashboard chart.

REST Resource: v1alpha.projects.locations.instances.dashboardQueries

Methods
execute POST /v1alpha/{parent}/dashboardQueries:execute
Execute a query and return the data.
get GET /v1alpha/{name}
Get a dashboard query.

REST Resource: v1alpha.projects.locations.instances.dashboards

Methods
copy POST /v1alpha/{name}:copy
Copy a dashboard of one type to a dashboard of another type.
create POST /v1alpha/{parent}/dashboards
Create a dashboard.
delete DELETE /v1alpha/{name}
Delete a dashboard.
get GET /v1alpha/{name}
Get a dashboard.
list GET /v1alpha/{parent}/dashboards
List all dashboards.

REST Resource: v1alpha.projects.locations.instances.dataAccessLabels

Methods
create POST /v1alpha/{parent}/dataAccessLabels
Creates a data access label.
delete DELETE /v1alpha/{name}
Deletes a data access label.
get GET /v1alpha/{name}
Gets a data access label.
list GET /v1alpha/{parent}/dataAccessLabels
Lists all data access labels for the customer.
patch PATCH /v1alpha/{dataAccessLabel.name}
Updates a data access label.

REST Resource: v1alpha.projects.locations.instances.dataAccessScopes

Methods
create POST /v1alpha/{parent}/dataAccessScopes
Creates a data access scope.
delete DELETE /v1alpha/{name}
Deletes a data access scope.
get GET /v1alpha/{name}
Retrieves an existing data access scope.
list GET /v1alpha/{parent}/dataAccessScopes
Lists all existing data access scopes for the customer.
patch PATCH /v1alpha/{dataAccessScope.name}
Updates a data access scope.

REST Resource: v1alpha.projects.locations.instances.dataExports

Methods
cancel POST /v1alpha/{name}:cancel
Cancels a DataExport.
create POST /v1alpha/{parent}/dataExports
Creates a new DataExport.
fetchavailablelogtypes POST /v1alpha/{parent}/dataExports:fetchavailablelogtypes
Fetches available log types for export.
get GET /v1alpha/{name}
Gets a DataExport.

REST Resource: v1alpha.projects.locations.instances.dataTableOperationErrors

Methods
get GET /v1alpha/{name}
Get the error for a data table operation.

REST Resource: v1alpha.projects.locations.instances.dataTables

Methods
create POST /v1alpha/{parent}/dataTables
Create a new data table.
delete DELETE /v1alpha/{name}
Delete data table.
get GET /v1alpha/{name}
Get data table info.
list GET /v1alpha/{parent}/dataTables
List data tables.
patch PATCH /v1alpha/{dataTable.name}
Update data table.
upload POST /v1alpha/{parent}/dataTables:bulkCreateDataTableAsync
POST /upload/v1alpha/{parent}/dataTables:bulkCreateDataTableAsync
Create data table from a bulk file.

REST Resource: v1alpha.projects.locations.instances.dataTables.dataTableRows

Methods
bulkCreate POST /v1alpha/{parent}/dataTableRows:bulkCreate
Create data table rows in bulk.
bulkCreateAsync POST /v1alpha/{parent}/dataTableRows:bulkCreateAsync
Create data table rows in bulk asynchronously.
bulkGet POST /v1alpha/{parent}/dataTableRows:bulkGet
Get data table rows in bulk.
bulkReplace POST /v1alpha/{parent}/dataTableRows:bulkReplace
Replace all existing data table rows with new data table rows.
bulkReplaceAsync POST /v1alpha/{parent}/dataTableRows:bulkReplaceAsync
Replace all existing data table rows with new data table rows asynchronously.
bulkUpdate POST /v1alpha/{parent}/dataTableRows:bulkUpdate
Update data table rows in bulk.
bulkUpdateAsync POST /v1alpha/{parent}/dataTableRows:bulkUpdateAsync
Update data table rows in bulk asynchronously.
create POST /v1alpha/{parent}/dataTableRows
Create a new data table row.
delete DELETE /v1alpha/{name}
Delete data table row.
get GET /v1alpha/{name}
Get data table row.
list GET /v1alpha/{parent}/dataTableRows
List data table rows.
patch PATCH /v1alpha/{dataTableRow.name}
Update data table row.

REST Resource: v1alpha.projects.locations.instances.dataTaps

Methods
create POST /v1alpha/{parent}/dataTaps
Creates a DataTap.
delete DELETE /v1alpha/{name}
Deletes a DataTap.
get GET /v1alpha/{name}
Gets a DataTap.
list GET /v1alpha/{parent}/dataTaps
Lists DataTaps.
patch PATCH /v1alpha/{dataTap.name}
Updates a DataTap.

REST Resource: v1alpha.projects.locations.instances.enrichmentControls

Methods
create POST /v1alpha/{parent}/enrichmentControls
Create an EnrichmentControl resource.
delete DELETE /v1alpha/{name}
Delete an EnrichmentControl.
get GET /v1alpha/{name}
Get an EnrichmentControl.
list GET /v1alpha/{parent}/enrichmentControls
List all EnrichmentControls.

REST Resource: v1alpha.projects.locations.instances.entities

Methods
get GET /v1alpha/{name}
Gets an entity by name.
import POST /v1alpha/{parent}/entities:import
ImportEntities imports the entities.
modifyEntityRiskScore POST /v1alpha/{name}:modifyEntityRiskScore
Modify base entity risk score for an entity.
queryEntityRiskScoreModifications GET /v1alpha/{name}:queryEntityRiskScoreModifications
Query modifications to base entity risk score for an entity.

REST Resource: v1alpha.projects.locations.instances.entityRiskScores

Methods
query GET /v1alpha/{instance}/entityRiskScores:query
Queries the instance for EntityRiskScores.

REST Resource: v1alpha.projects.locations.instances.errorNotificationConfigs

Methods
create POST /v1alpha/{parent}/errorNotificationConfigs
Creates a new error notification config for the customer.
delete DELETE /v1alpha/{name}
Deletes an error notification config.
get GET /v1alpha/{name}
Gets a single error notification config.
list GET /v1alpha/{parent}/errorNotificationConfigs
Lists error notification configurations for the customer.
patch PATCH /v1alpha/{errorNotificationConfig.name}
Updates an error notification config.

REST Resource: v1alpha.projects.locations.instances.events

Methods
batchGet GET /v1alpha/{parent}/events:batchGet
Gets a batch (list) of events given a list of names and a parent.
get GET /v1alpha/{name}
Gets an event given a name.
import POST /v1alpha/{parent}/events:import
ImportEvents imports the events.

REST Resource: v1alpha.projects.locations.instances.federationGroups

Methods
create POST /v1alpha/{parent}/federationGroups
CreateFederationGroup method creates a new Federation group.
delete DELETE /v1alpha/{name}
DeleteFederationGroup method deletes a Federation group.
get GET /v1alpha/{name}
GetFederationGroup method gets a Federation group.
list GET /v1alpha/{parent}/federationGroups
ListFederationGroups method lists all Federation groups.
patch PATCH /v1alpha/{federationGroup.name}
UpdateFederationGroup method updates a Federation group.

REST Resource: v1alpha.projects.locations.instances.feedPacks

Methods
get GET /v1alpha/{name}
Gets a feed pack.
list GET /v1alpha/{parent}/feedPacks
Lists Packs for which feeds can be configured.

REST Resource: v1alpha.projects.locations.instances.feedServiceAccounts

Methods
fetchServiceAccountForCustomer GET /v1alpha/{parent}/feedServiceAccounts:fetchServiceAccountForCustomer
Fetch Chronicle's service account used for ingesting data from Cloud Storage buckets.

REST Resource: v1alpha.projects.locations.instances.feedSourceTypeSchemas

Methods
list GET /v1alpha/{parent}/feedSourceTypeSchemas
List all FeedSourceTypeSchemas.

REST Resource: v1alpha.projects.locations.instances.feedSourceTypeSchemas.logTypeSchemas

Methods
list GET /v1alpha/{parent}/logTypeSchemas
List all LogTypeSchemas compatible with a given FeedSourceType.

REST Resource: v1alpha.projects.locations.instances.feeds

Methods
create POST /v1alpha/{parent}/feeds
Creates a feed.
delete DELETE /v1alpha/{name}
Deletes a feed.
disable POST /v1alpha/{name}:disable
Disable feed for ingestion.
enable POST /v1alpha/{name}:enable
Enable feed for ingestion.
generateSecret POST /v1alpha/{name}:generateSecret
Generates a new secret for HTTPS push feeds that do not support JWT tokens.
get GET /v1alpha/{name}
Gets a feed.
importPushLogs POST /v1alpha/{parent}:importPushLogs
Import logs coming from HTTPS push feeds.
list GET /v1alpha/{parent}/feeds
Lists all feeds for the customer.
patch PATCH /v1alpha/{feed.name}
Updates the full feed.
scheduleTransfer POST /v1alpha/{name}:scheduleTransfer
Schedules a feed transfer for the feed.

REST Resource: v1alpha.projects.locations.instances.findingsGraph

Methods
exploreNode GET /v1alpha/{name}:exploreNode
Explores a node to find related nodes if it is an IndividualNode or retrieve the individual nodes within the group if it is a GroupNode and return a graph composed by the nodes and their edges over a time range.
initializeGraph GET /v1alpha/{name}:initializeGraph
Initialize a graph from a resource such as a detection or an entity.

REST Resource: v1alpha.projects.locations.instances.findingsRefinements

Methods
computeFindingsRefinementActivity POST /v1alpha/{name}:computeFindingsRefinementActivity
Returns findings refinement activity for a specific findings refinement.
create POST /v1alpha/{parent}/findingsRefinements
Creates a new findings refinement.
get GET /v1alpha/{name}
Gets a single findings refinement.
getDeployment GET /v1alpha/{name}
Gets a findings refinement deployment.
list GET /v1alpha/{parent}/findingsRefinements
Lists a collection of findings refinements.
patch PATCH /v1alpha/{findingsRefinement.name}
Updates a findings refinement.
updateDeployment PATCH /v1alpha/{findingsRefinementDeployment.name}
Updates a findings refinement deployment.

REST Resource: v1alpha.projects.locations.instances.forwarders

Methods
create POST /v1alpha/{parent}/forwarders
Create a forwarder.
delete DELETE /v1alpha/{name}
Delete a forwarder by forwarder ID.
generateForwarderFiles GET /v1alpha/{name}:generateForwarderFiles
Generates a forwarder's configuration files.
get GET /v1alpha/{name}
Get a forwarder by forwarder ID.
importStatsEvents POST /v1alpha/{name}:importStatsEvents
ImportStatsEvents imports stats events from a forwarder.
list GET /v1alpha/{parent}/forwarders
List all forwarders for the instance.
patch PATCH /v1alpha/{forwarder.name}
Update a forwarder.

REST Resource: v1alpha.projects.locations.instances.forwarders.collectors

Methods
create POST /v1alpha/{parent}/collectors
Create a collector.
delete DELETE /v1alpha/{name}
Delete a collector by collector ID.
get GET /v1alpha/{name}
Get a collector by collector ID.
list GET /v1alpha/{parent}/collectors
List all collectors for the forwarder.
patch PATCH /v1alpha/{collector.name}
Update a collector.

REST Resource: v1alpha.projects.locations.instances.ingestionLogLabels

Methods
get GET /v1alpha/{name}
Gets an ingestion log label.
list GET /v1alpha/{parent}/ingestionLogLabels
Returns the ingestion log labels for the customer.

REST Resource: v1alpha.projects.locations.instances.ingestionLogNamespaces

Methods
get GET /v1alpha/{name}
Gets an ingestion log namespace.
list GET /v1alpha/{parent}/ingestionLogNamespaces
Lists ingestion log namespaces for the customer.

REST Resource: v1alpha.projects.locations.instances.iocs

Methods
batchGet GET /v1alpha/{parent}/iocs:batchGet
Gets a batch (list) of iocs given a list of names and a parent.
findFirstAndLastSeen GET /v1alpha/{name}:findFirstAndLastSeen
FindFirstAndLastSeen for an Ioc.
get GET /v1alpha/{name}
Get an Ioc.
getIocState GET /v1alpha/{name}
Gets the status of an Ioc.
searchCuratedDetectionsForIoc GET /v1alpha/{name}:searchCuratedDetectionsForIoc
Search curated detections for an Ioc.
updateIocState PATCH /v1alpha/{iocState.name}
Update an Ioc state.

REST Resource: v1alpha.projects.locations.instances.legacy

Methods
legacyBatchGetCases GET /v1alpha/{instance}/legacy:legacyBatchGetCases
RPC for fetching cases for the given caseNames.
legacyBatchGetCollections GET /v1alpha/{instance}/legacy:legacyBatchGetCollections
RPC for getting a batch of collections based on their Collection Ids.
legacyCreateOrUpdateCase POST /v1alpha/{instance}/legacy:legacyCreateOrUpdateCase
Legacy RPC for creating or updating an existing case.
legacyCreateSoarAlert POST /v1alpha/{instance}/legacy:legacyCreateSoarAlert
RPC for creating a SOAR alert.
legacyFetchAlertsView GET /v1alpha/{instance}/legacy:legacyFetchAlertsView
Legacy streaming endpoint for getting alerts (and in some cases, non-alerting detections) along with aggregated fields that match the query.
legacyFetchUdmSearchCsv POST /v1alpha/{instance}/legacy:legacyFetchUdmSearchCsv
Legacy endpoint for fetching csv rows for matching UDM search.
legacyFetchUdmSearchView POST /v1alpha/{instance}/legacy:legacyFetchUdmSearchView
Legacy endpoint for fetching events, filters, and histograms matching UDM search.
legacyFindAssetEvents GET /v1alpha/{instance}/legacy:legacyFindAssetEvents
Legacy endpoint for getting events for an asset indicator.
legacyFindRawLogs GET /v1alpha/{instance}/legacy:legacyFindRawLogs
Legacy endpoint for getting events for a raw log search query.
legacyFindUdmEvents GET /v1alpha/{instance}/legacy:legacyFindUdmEvents
Legacy endpoint for finding UDM/entity events using tokens or ids.
legacyGetAlert GET /v1alpha/{instance}/legacy:legacyGetAlert
RPC for fetching an alert based on its Alert Id.
legacyGetCuratedRulesTrends GET /v1alpha/{instance}/legacy:legacyGetCuratedRulesTrends
Legacy RPC for listing detection counts and last detection timestamp for a list of Curated Rule ids.
legacyGetDetection GET /v1alpha/{instance}/legacy:legacyGetDetection
Legacy endpoint for fetching a Detection.
legacyGetEventForDetection GET /v1alpha/{instance}/legacy:legacyGetEventForDetection
Legacy endpoint for getting event for curated detection.
legacyGetRuleCounts GET /v1alpha/{instance}/legacy:legacyGetRuleCounts
RPC to get rule counts.
legacyGetRulesTrends GET /v1alpha/{instance}/legacy:legacyGetRulesTrends
Legacy RPC for listing detection counts and last detection timestamp for a list of user-defined rule ids.
legacyRunTestRule POST /v1alpha/{instance}/legacy:legacyRunTestRule
Legacy RPC to test a rule and stream back the responses.
legacySearchArtifactEvents GET /v1alpha/{instance}/legacy:legacySearchArtifactEvents
Legacy endpoint for getting events for a given artifact.
legacySearchArtifactIoCDetails GET /v1alpha/{instance}/legacy:legacySearchArtifactIoCDetails
RPC to search for IoC details for a particular artifact.
legacySearchAssetEvents GET /v1alpha/{instance}/legacy:legacySearchAssetEvents
Legacy endpoint for getting events for a given asset.
legacySearchCuratedDetections GET /v1alpha/{instance}/legacy:legacySearchCuratedDetections
Legacy endpoint for searching detections for a Curated Rule.
legacySearchCustomerStats POST /v1alpha/{instance}/legacy:legacySearchCustomerStats
LegacySearchCustomerStats gets data collection stats about a customer, e.g., the first time data was seen from a customer, the last time, etc.
legacySearchDetections GET /v1alpha/{instance}/legacy:legacySearchDetections
Legacy endpoint for searching detections for a rule version.
legacySearchDomainsRecentlyRegistered GET /v1alpha/{instance}/legacy:legacySearchDomainsRecentlyRegistered
Given a list of domain names and a time, returns only the domains that were recently registered relative to that time.
legacySearchDomainsTimingStats GET /v1alpha/{instance}/legacy:legacySearchDomainsTimingStats
Given a list of domain names, returns time-related statistics for those domains (ex: the first seen in the enterprise time).
legacySearchEnterpriseWideAlerts GET /v1alpha/{instance}/legacy:legacySearchEnterpriseWideAlerts
RPC for getting all alerts in a time range in legacy page site.
legacySearchEnterpriseWideIoCs GET /v1alpha/{instance}/legacy:legacySearchEnterpriseWideIoCs
RPC for listing IoC matches against ingested events.
legacySearchFindings GET /v1alpha/{instance}/legacy:legacySearchFindings
Legacy endpoint for listing Findings.
legacySearchIngestionStats POST /v1alpha/{instance}/legacy:legacySearchIngestionStats
LegacySearchIngestionStats gets data ingestion stats about a given customer, e.g.
legacySearchIoCInsights GET /v1alpha/{instance}/legacy:legacySearchIoCInsights
RPC to list IoC insights on given artifacts.
legacySearchRawLogs GET /v1alpha/{instance}/legacy:legacySearchRawLogs
Legacy endpoint for getting events for a raw log search.
legacySearchRuleDetectionCountBuckets GET /v1alpha/{instance}/legacy:legacySearchRuleDetectionCountBuckets
Legacy endpoint for listing detection count buckets for a Rules Engine rule.
legacySearchRuleDetectionEvents GET /v1alpha/{instance}/legacy:legacySearchRuleDetectionEvents
Legacy RPC for listing events associated with a particular Detection generated by a Rules Engine rule.
legacySearchRuleResults GET /v1alpha/{instance}/legacy:legacySearchRuleResults
Legacy endpoint for listing aggregated results for a Rules Engine rule.
legacySearchRulesAlerts GET /v1alpha/{instance}/legacy:legacySearchRulesAlerts
RPC to get the list of Rules Engine generated alerts for a customer.
legacySearchUserEvents GET /v1alpha/{instance}/legacy:legacySearchUserEvents
Legacy endpoint for getting events for a given user.
legacyStreamDetectionAlerts POST /v1alpha/{instance}/legacy:legacyStreamDetectionAlerts
Legacy StreamDetectionAlerts continuously streams new detection alerts as they are discovered.
legacyTestRuleStreaming POST /v1alpha/{instance}/legacy:legacyTestRuleStreaming
LegacyTestRuleStreaming tests the given rule text over a specified time range and streams detections/errors back without persisting them.
legacyUpdateAlert POST /v1alpha/{instance}/legacy:legacyUpdateAlert
Legacy endpoint for updating an alert.

REST Resource: v1alpha.projects.locations.instances.logTypes

Methods
create POST /v1alpha/{parent}/logTypes
Create LogType.
generateEventTypesSuggestions POST /v1alpha/{logtype}:generateEventTypesSuggestions
GenerateEventTypesSuggestions generates event types suggestions that can be mapped by a lowcode parser.
get GET /v1alpha/{name}
Gets a LogType.
getLogTypeSetting GET /v1alpha/{name}
Gets a LogTypeSetting.
legacySubmitParserExtension POST /v1alpha/{parent}:legacySubmitParserExtension
LegacySubmitParserExtension creates, validates, and then makes the extension live.
list GET /v1alpha/{parent}/logTypes
Lists all LogTypes.
patch PATCH /v1alpha/{logType.name}
Update LogType.
runParser POST /v1alpha/{logtype}:runParser
RunParser runs the parser against a log and returns normalized events or any error that occurred during the normalization.
updateLogTypeSetting PATCH /v1alpha/{logTypeSetting.name}
UpdateLogTypeSetting updates the log type setting for a log type.

REST Resource: v1alpha.projects.locations.instances.logTypes.logs

Methods
export POST /v1alpha/{parent}/logs:export
Export log telemetry.
get GET /v1alpha/{name}
Gets a Log.
import POST /v1alpha/{parent}/logs:import
Import log telemetry.
list GET /v1alpha/{parent}/logs
Lists all Logs.

REST Resource: v1alpha.projects.locations.instances.logTypes.parserExtensions

Methods
activate POST /v1alpha/{name}:activate
ActivateParserExtension switches the customer to use the requested parser extension. This will set the extension state to ACTIVE.
create POST /v1alpha/{parent}/parserExtensions
Create a parser extension.
delete DELETE /v1alpha/{name}
Delete a parser extension.
get GET /v1alpha/{name}
Get a parser extension.
list GET /v1alpha/{parent}/parserExtensions
List all parser extensions.

REST Resource: v1alpha.projects.locations.instances.logTypes.parserExtensions.extensionValidationReports

Methods
get GET /v1alpha/{name}
Get a parser validation report.
list GET /v1alpha/{parent}/extensionValidationReports
List all parser validation reports for a parser extension.

REST Resource: v1alpha.projects.locations.instances.logTypes.parserExtensions.extensionValidationReports.validationErrors

Methods
list GET /v1alpha/{parent}/validationErrors
List validation errors of a parser extension validation report.

REST Resource: v1alpha.projects.locations.instances.logTypes.parserExtensions.validationReports

Methods
get GET /v1alpha/{name}
Get a validation report.

REST Resource: v1alpha.projects.locations.instances.logTypes.parserExtensions.validationReports.parsingErrors

Methods
list GET /v1alpha/{parent}/parsingErrors
List parsing errors of a validation report.

REST Resource: v1alpha.projects.locations.instances.logTypes.parsers

Methods
activate POST /v1alpha/{name}:activate
ActivateParser switches the customer to use the requested parser. This will set the Parser state to ACTIVE.
activateReleaseCandidateParser POST /v1alpha/{name}:activateReleaseCandidateParser
ActivateReleaseCandidateParser makes the release candidate parser live for that customer.
copy POST /v1alpha/{name}:copy
CopyPrebuiltParser makes a copy of a prebuilt parser.
create POST /v1alpha/{parent}/parsers
Create a parser.
deactivate POST /v1alpha/{name}:deactivate
DeactivateParser deactivates the requested parser, and activates the prebuilt release parser.
delete DELETE /v1alpha/{name}
Delete a parser.
get GET /v1alpha/{name}
Get a parser.
list GET /v1alpha/{parent}/parsers
List all parsers.

REST Resource: v1alpha.projects.locations.instances.logTypes.parsers.validationReports

Methods
get GET /v1alpha/{name}
Get a validation report.

REST Resource: v1alpha.projects.locations.instances.logTypes.parsers.validationReports.parsingErrors

Methods
list GET /v1alpha/{parent}/parsingErrors
List parsing errors of a validation report.

REST Resource: v1alpha.projects.locations.instances.logs

Methods
classify POST /v1alpha/{parent}/logs:classify
Classify the logs to the corresponding logType.

REST Resource: v1alpha.projects.locations.instances.nativeDashboards

Methods
addChart POST /v1alpha/{name}:addChart
Add a chart to a dashboard.
create POST /v1alpha/{parent}/nativeDashboards
Create a dashboard.
delete DELETE /v1alpha/{name}
Delete a dashboard.
duplicate POST /v1alpha/{name}:duplicate
Duplicate a dashboard.
duplicateChart POST /v1alpha/{name}:duplicateChart
Duplicate a chart in a dashboard.
editChart POST /v1alpha/{name}:editChart
Edit a chart in a dashboard.
export POST /v1alpha/{parent}/nativeDashboards:export
Exports the dashboards.
get GET /v1alpha/{name}
Get a dashboard.
import POST /v1alpha/{parent}/nativeDashboards:import
Imports the dashboards.
list GET /v1alpha/{parent}/nativeDashboards
List all dashboards.
patch PATCH /v1alpha/{nativeDashboard.name}
Update a dashboard.
removeChart POST /v1alpha/{name}:removeChart
Remove a chart from a dashboard.

REST Resource: v1alpha.projects.locations.instances.operations

Methods
cancel POST /v1alpha/{name}:cancel
Starts asynchronous cancellation on a long-running operation.
delete DELETE /v1alpha/{name}
Deletes a long-running operation.
get GET /v1alpha/{name}
Gets the latest state of a long-running operation.
list GET /v1alpha/{name}/operations
Lists operations that match the specified filter in the request.
streamSearch GET /v1alpha/{name}:streamSearch
Streams the results of an in-progress search operation, or returns the final results of a completed operation.

REST Resource: v1alpha.projects.locations.instances.referenceLists

Methods
create POST /v1alpha/{parent}/referenceLists
Creates a new reference list.
get GET /v1alpha/{name}
Gets a single reference list.
list GET /v1alpha/{parent}/referenceLists
Lists a collection of reference lists.
patch PATCH /v1alpha/{referenceList.name}
Updates an existing reference list.

REST Resource: v1alpha.projects.locations.instances.ruleExecutionErrors

Methods
list GET /v1alpha/{parent}/ruleExecutionErrors
Lists rule execution errors.

REST Resource: v1alpha.projects.locations.instances.rules

Methods
create POST /v1alpha/{parent}/rules
Creates a new Rule.
delete DELETE /v1alpha/{name}
Deletes a Rule.
get GET /v1alpha/{name}
Gets a Rule.
getDeployment GET /v1alpha/{name}
Gets a RuleDeployment.
list GET /v1alpha/{parent}/rules
Lists Rules.
listRevisions GET /v1alpha/{name}:listRevisions
Lists all revisions of the rule.
patch PATCH /v1alpha/{rule.name}
Updates a Rule.
updateDeployment PATCH /v1alpha/{ruleDeployment.name}
Updates a RuleDeployment.

REST Resource: v1alpha.projects.locations.instances.rules.deployments

Methods
list GET /v1alpha/{parent}/deployments
Lists RuleDeployments across all Rules.

REST Resource: v1alpha.projects.locations.instances.rules.retrohunts

Methods
create POST /v1alpha/{parent}/retrohunts
Create a Retrohunt.
get GET /v1alpha/{name}
Get a Retrohunt.
list GET /v1alpha/{parent}/retrohunts
List Retrohunts.

REST Resource: v1alpha.projects.locations.instances.users

Methods
clearConversationHistory POST /v1alpha/{name}:clearConversationHistory
ClearConversationHistory deletes all of the user's data (messages and conversations) except for feedback.
getPreferenceSet GET /v1alpha/{name}
Endpoint for getting a user's PreferenceSet
updatePreferenceSet PATCH /v1alpha/{preferenceSet.name}
Endpoint for updating user data saved query

REST Resource: v1alpha.projects.locations.instances.users.conversations

Methods
create POST /v1alpha/{parent}/conversations
CreateConversation is used to create a new conversation.
delete DELETE /v1alpha/{name}
DeleteConversation is used to delete a conversation.
get GET /v1alpha/{name}
GetConversation is used to retrieve an existing conversation.
list GET /v1alpha/{parent}/conversations
ListConversations is used to retrieve existing conversations.
patch PATCH /v1alpha/{conversation.name}
UpdateConversation is used to update an existing conversation.

REST Resource: v1alpha.projects.locations.instances.users.conversations.messages

Methods
create POST /v1alpha/{parent}/messages
CreateMessage is used to create a new message in a conversation.
delete DELETE /v1alpha/{name}
DeleteMessage is used to delete a message.
get GET /v1alpha/{name}
GetMessage is used to retrieve a message.
list GET /v1alpha/{parent}/messages
ListMessages is used to retrieve existing messages for a conversation.
patch PATCH /v1alpha/{message.name}
UpdateMessage is used to update an existing message.

REST Resource: v1alpha.projects.locations.instances.users.searchQueries

Methods
create POST /v1alpha/{parent}/searchQueries
Endpoint for adding a new entry to the specified collection of user data
delete DELETE /v1alpha/{name}
Endpoint for deleting a user data saved query entry
get GET /v1alpha/{name}
Endpoint for getting a user's Saved query entry
list GET /v1alpha/{parent}/searchQueries
Endpoint for listing the user data saved queries owned by the specified user
patch PATCH /v1alpha/{searchQuery.name}
Endpoint for updating user data saved query

REST Resource: v1alpha.projects.locations.instances.watchlists

Methods
create POST /v1alpha/{parent}/watchlists
Creates a watchlist for the given instance.
delete DELETE /v1alpha/{name}
Deletes the watchlist for the given instance.
get GET /v1alpha/{name}
Gets watchlist details for the given watchlist ID.
list GET /v1alpha/{parent}/watchlists
Lists all watchlists for the given instance.
listEntities GET /v1alpha/{parent}:listEntities
Lists all entities for the given watchlist.
patch PATCH /v1alpha/{watchlist.name}
Updates the watchlist for the given instance.

REST Resource: v1alpha.projects.locations.instances.watchlists.entities

Methods
add POST /v1alpha/{parent}/entities:add
Adds an entity to a watchlist.
batchAdd POST /v1alpha/{parent}/entities:batchAdd
Adds a batch of entities to a watchlist.
batchRemove POST /v1alpha/{parent}/entities:batchRemove
Removes a batch of entities from the given watchlist.
remove POST /v1alpha/{name}:remove
Removes the entity from the given watchlist.

REST Resource: v1.projects.locations.instances

Methods
get GET /v1/{name}
Gets an Instance.

REST Resource: v1.projects.locations.instances.dataAccessLabels

Methods
create POST /v1/{parent}/dataAccessLabels
Creates a data access label.
delete DELETE /v1/{name}
Deletes a data access label.
get GET /v1/{name}
Gets a data access label.
list GET /v1/{parent}/dataAccessLabels
Lists all data access labels for the customer.
patch PATCH /v1/{dataAccessLabel.name}
Updates a data access label.

REST Resource: v1.projects.locations.instances.dataAccessScopes

Methods
create POST /v1/{parent}/dataAccessScopes
Creates a data access scope.
delete DELETE /v1/{name}
Deletes a data access scope.
get GET /v1/{name}
Retrieves an existing data access scope.
list GET /v1/{parent}/dataAccessScopes
Lists all existing data access scopes for the customer.
patch PATCH /v1/{dataAccessScope.name}
Updates a data access scope.

REST Resource: v1.projects.locations.instances.operations

Methods
cancel POST /v1/{name}:cancel
Starts asynchronous cancellation on a long-running operation.
delete DELETE /v1/{name}
Deletes a long-running operation.
get GET /v1/{name}
Gets the latest state of a long-running operation.
list GET /v1/{name}/operations
Lists operations that match the specified filter in the request.

REST Resource: v1.projects.locations.instances.referenceLists

Methods
create POST /v1/{parent}/referenceLists
Creates a new reference list.
get GET /v1/{name}
Gets a single reference list.
list GET /v1/{parent}/referenceLists
Lists a collection of reference lists.
patch PATCH /v1/{referenceList.name}
Updates an existing reference list.

REST Resource: v1.projects.locations.instances.rules

Methods
create POST /v1/{parent}/rules
Creates a new Rule.
delete DELETE /v1/{name}
Deletes a Rule.
get GET /v1/{name}
Gets a Rule.
getDeployment GET /v1/{name}
Gets a RuleDeployment.
list GET /v1/{parent}/rules
Lists Rules.
listRevisions GET /v1/{name}:listRevisions
Lists all revisions of the rule.
patch PATCH /v1/{rule.name}
Updates a Rule.
updateDeployment PATCH /v1/{ruleDeployment.name}
Updates a RuleDeployment.

REST Resource: v1.projects.locations.instances.rules.deployments

Methods
list GET /v1/{parent}/deployments
Lists RuleDeployments across all Rules.

REST Resource: v1.projects.locations.instances.rules.retrohunts

Methods
create POST /v1/{parent}/retrohunts
Create a Retrohunt.
get GET /v1/{name}
Get a Retrohunt.
list GET /v1/{parent}/retrohunts
List Retrohunts.

REST Resource: v1.projects.locations.instances.watchlists

Methods
create POST /v1/{parent}/watchlists
Creates a watchlist for the given instance.
delete DELETE /v1/{name}
Deletes the watchlist for the given instance.
get GET /v1/{name}
Gets watchlist details for the given watchlist ID.
list GET /v1/{parent}/watchlists
Lists all watchlists for the given instance.
patch PATCH /v1/{watchlist.name}
Updates the watchlist for the given instance.