Method: legacy.legacyFetchAlertsView

Full name: projects.locations.instances.legacy.legacyFetchAlertsView

Legacy streaming endpoint for getting alerts (and in some cases, non-alerting detections) along with aggregated fields that match the query.

HTTP request


Path parameters

Parameters
instance

string

Required. The name of the parent resource, which is the SecOps instance. Format: projects/{project}/locations/{location}/instances/{instance}

Query parameters

Parameters
baselineQuery

string

The baseline query to search for. The baseline query is used for this request and its results are cached for subsequent requests, so that supplying additional filters in the snapshotQuery will not require re-running the baseline query. This uses a syntax similar to UDM search, with all fields supported other than those under the following path prefixes:
  • collectionElements.references.event
  • collectionElements.references.entity

snapshotQuery

string

Required. The snapshot query to search for. This uses a syntax similar to UDM search, with support for all fields within 7 levels of nesting within the collection proto. For composite detections, the filters prefixed with "collectionElements.references.event" or "collectionElements.references.entity" are also checked against one level of producer detections.

timeRange

object (Interval)

Required. The time range to search for [Inclusive, Exclusive).

alertListOptions

object (AlertListOptions)

Parameters for the Alerts that will be streamed back.

fieldAggregationOptions

object (AlertFieldAggregationOptions)

Parameters for the Aggregated Alert fields that will be streamed back.

enableCache

enum (AlertsFeaturePreference)

If enabled, subsequent requests for the same time range and baseline query will try to leverage our cache to serve the response with filters applied in the snapshot query.

includeNonAlertingDetections

enum (AlertsFeaturePreference)

Whether to include non-alerting detections in the response.

plaqueTraceLevel
(deprecated)

integer

Optional. Deprecated. An internal trace level.

maxShardCount
(deprecated)

integer

Optional. Deprecated. An internal optimization value.

maxBaselineResults
(deprecated)

integer

Optional. Deprecated. Maximum number of alerts that will be processed for a single request.

Request body

The request body must be empty.

Response body

Depending on the parameters in FetchAlertsViewRequest, stream back some combination of alerts and fieldAggregations.


If successful, the response body contains data with the following structure:

JSON representation
{
  "progress": number,
  "tooManyAlerts": boolean,
  "complete": boolean,
  "validBaselineQuery": boolean,
  "baselineAlertsCount": integer,
  "validSnapshotQuery": boolean,
  "queryValidationErrors": [
    {
      object (ErrorMessage)
    }
  ],
  "runtimeErrors": [
    {
      object (RuntimeError)
    }
  ],
  "filteredAlertsCount": integer,
  "alerts": {
    object (AlertList)
  },
  "fieldAggregations": {
    object (AlertFieldAggregations)
  }
}
Fields
progress

number

Progress of the query represented as a double between 0 and 1.

tooManyAlerts

boolean

If true, too many alerts matched and some have been omitted from both the alerts and the fieldAggregations.

"Too many alerts" depends on the server-side limit of 1,000,000 matched alerts to serve as a base for the field aggregations, rather than on the maxReturnedAlerts option.

complete

boolean

Streaming for this response is done. There will be no additional updates.

validBaselineQuery

boolean

Whether the request baselineQuery is a valid structured query. If not, queryValidationErrors will include the parse error.

baselineAlertsCount

integer

The number of alerts matched by the baseline query.

validSnapshotQuery

boolean

Whether the request baseline and snapshot queries are valid. If not, queryValidationErrors will include the parse error.

queryValidationErrors[]

object (ErrorMessage)

Parse error for the baselineQuery and/or the snapshotQuery.

runtimeErrors[]

object (RuntimeError)

Runtime errors.

filteredAlertsCount

integer

The number of alerts in the snapshot that match the snapshotQuery. This is <= baselineAlertsCount. If the snapshot query is empty this will be equal to baselineAlertsCount.

alerts

object (AlertList)

The list of the first N matched alerts. The value of N is determined by the AlertListOptions.max_returned_alerts field in the request.

fieldAggregations

object (AlertFieldAggregations)

List of fields with aggregated values.
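The following is an added example, not code from this reference or from Google: it builds the query parameters for a legacyFetchAlertsView call from the fields documented above and folds the streamed response messages into a verdict a detection engineer can act on (query invalid, runtime errors, tooManyAlerts truncation of the aggregation base, list capped by maxReturnedAlerts). The base URL, the `{instance}/legacy:legacyFetchAlertsView` path, the dotted flattening of nested query parameters (`timeRange.startTime`, `alertListOptions.maxReturnedAlerts`) and the Interval fields `startTime`/`endTime` are assumptions not stated on this page; `SAMPLE_STREAM` is constructed, and the `placeholder` keys stand in for Collection and aggregation objects whose structure this page does not show.

```python
# Added example (not from the SecOps reference or Google). Assumptions are
# marked inline; SAMPLE_STREAM is constructed, not a captured response.
from datetime import datetime, timezone

BASE_URL = "https://chronicle.googleapis.com/v1alpha"  # assumption: placeholder prefix
ENABLED = "ALERTS_FEATURE_PREFERENCE_ENABLED"
DISABLED = "ALERTS_FEATURE_PREFERENCE_DISABLED"


def _rfc3339(ts: datetime) -> str:
    """Render an aware datetime as an RFC 3339 UTC timestamp."""
    if ts.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_request(instance, snapshot_query, start, end, baseline_query=None,
                  max_returned_alerts=100, max_values_per_field=10,
                  enable_cache=True, include_non_alerting=False):
    """Return (url, query_params) for one legacyFetchAlertsView call."""
    if not instance.startswith("projects/") or "/instances/" not in instance:
        raise ValueError("instance must be projects/{p}/locations/{l}/instances/{i}")
    if start >= end:
        raise ValueError("timeRange is [start, end): start must precede end")
    params = {  # assumption: nested objects flattened with dotted keys
        "snapshotQuery": snapshot_query,
        "timeRange.startTime": _rfc3339(start),
        "timeRange.endTime": _rfc3339(end),
        "alertListOptions.maxReturnedAlerts": max_returned_alerts,
        "fieldAggregationOptions.maxValuesPerField": max_values_per_field,
        "enableCache": ENABLED if enable_cache else DISABLED,
        "includeNonAlertingDetections": ENABLED if include_non_alerting else DISABLED,
    }
    if baseline_query:  # optional; results are cached for later snapshot filters
        params["baselineQuery"] = baseline_query
    url = f"{BASE_URL}/{instance}/legacy:legacyFetchAlertsView"  # assumption: method path
    return url, params


def summarize_stream(messages):
    """Fold streamed response messages (dicts in the documented JSON shape)
    into one summary. Later messages supersede earlier counts; errors and
    the tooManyAlerts flag are sticky because an omission in any message
    means the aggregation base is incomplete."""
    s = {"complete": False, "progress": 0.0, "validation_errors": [],
         "runtime_errors": [], "truncated": False, "baseline_alerts": 0,
         "filtered_alerts": 0, "alerts": [], "field_aggregations": None}
    for msg in messages:
        p = float(msg.get("progress", s["progress"]))
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"progress out of range: {p}")
        s["progress"] = max(s["progress"], p)
        s["validation_errors"].extend(msg.get("queryValidationErrors", []))
        s["runtime_errors"].extend(msg.get("runtimeErrors", []))
        s["truncated"] = s["truncated"] or bool(msg.get("tooManyAlerts"))
        if "baselineAlertsCount" in msg:
            s["baseline_alerts"] = int(msg["baselineAlertsCount"])
        if "filteredAlertsCount" in msg:
            s["filtered_alerts"] = int(msg["filteredAlertsCount"])
        if "alerts" in msg:
            s["alerts"] = list(msg["alerts"].get("alerts", []))
        if "fieldAggregations" in msg:
            s["field_aggregations"] = msg["fieldAggregations"]
        if msg.get("complete"):
            s["complete"] = True
            break
    if s["filtered_alerts"] > s["baseline_alerts"]:
        raise ValueError("filteredAlertsCount exceeds baselineAlertsCount")
    s["valid"] = not s["validation_errors"]
    # The list holds only the first N matches; aggregations cover the rest
    # unless tooManyAlerts says matches were dropped from both.
    s["list_capped"] = s["filtered_alerts"] > len(s["alerts"])
    s["aggregations_trustworthy"] = (s["complete"] and s["valid"]
                                     and not s["truncated"]
                                     and not s["runtime_errors"])
    return s


SAMPLE_STREAM = [  # constructed messages in the documented shape
    {"progress": 0.4, "complete": False, "validBaselineQuery": True,
     "validSnapshotQuery": True, "baselineAlertsCount": 1500},
    {"progress": 1.0, "complete": True, "tooManyAlerts": True,
     "validBaselineQuery": True, "validSnapshotQuery": True,
     "baselineAlertsCount": 1500, "filteredAlertsCount": 420,
     "alerts": {"alerts": [{"placeholder": "collection-1"},
                           {"placeholder": "collection-2"}]},
     "fieldAggregations": {"placeholder": "aggregations"}},
]

if __name__ == "__main__":
    url, params = build_request(
        "projects/my-project/locations/us/instances/my-instance",  # placeholder
        'detection.rule_name = "suspicious_login"',  # constructed snapshot filter
        datetime(2024, 1, 1, tzinfo=timezone.utc),
        datetime(2024, 1, 2, tzinfo=timezone.utc))
    print(url, params)
    print(summarize_stream(SAMPLE_STREAM))
```

When `aggregations_trustworthy` is false the field aggregations should not be used as a complete picture of the time range: either the query was rejected (`validation_errors`), the run hit a runtime error, the stream ended before `complete`, or `tooManyAlerts` signalled that matches were dropped at the server-side limit; narrowing the time range or the baseline query is the way to get below that limit, since `maxReturnedAlerts` only caps the returned list.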

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

IAM Permissions

Requires the following IAM permission on the instance resource:

  • chronicle.legacies.legacyFetchAlertsView

For more information, see the IAM documentation.

AlertListOptions

JSON representation
{
  "maxReturnedAlerts": integer,
  "entityIndicator": {
    object (EntityIndicator)
  }
}
Fields
maxReturnedAlerts

integer

entityIndicator

object (EntityIndicator)

EntityIndicator

JSON representation
{
  "indicatorNamespace": string,

  // Union field indicator can be only one of the following:
  "hostname": string,
  "assetIpAddress": string,
  "mac": string,
  "productId": string,
  "userName": string,
  "email": string,
  "employeeId": string,
  "windowsSid": string,
  "projectObjectId": string,
  "productObjectId": string,
  "rawPid": string,
  "processId": string,
  "fullCommandLine": string,
  "parentProcessId": string,
  "hashMd5": string,
  "hashSha1": string,
  "hashSha256": string,
  "filePath": string,
  "destinationIpAddress": string,
  "domainName": string,
  "resourceProjectObjectId": string,
  "resourceName": string
  // End of list of possible types for union field indicator.
}
Fields
indicatorNamespace

string

Union field indicator.

indicator can be only one of the following:

hostname

string

assetIpAddress

string

mac

string

productId

string

userName

string

email

string

employeeId

string

windowsSid

string

projectObjectId
(deprecated)

string

productObjectId

string

rawPid

string

processId

string

fullCommandLine

string

parentProcessId

string

hashMd5

string

hashSha1

string

hashSha256

string

filePath

string

destinationIpAddress

string

domainName

string

resourceProjectObjectId
(deprecated)

string

resourceName

string

AlertFieldAggregationOptions

JSON representation
{
  "maxValuesPerField": integer
}
Fields
maxValuesPerField

integer

AlertsFeaturePreference

A generic option to enable or disable a feature.

Enums
ALERTS_FEATURE_PREFERENCE_UNSPECIFIED An unspecified preference. Behavior will depend on the server defaults.
ALERTS_FEATURE_PREFERENCE_ENABLED Enable the feature.
ALERTS_FEATURE_PREFERENCE_DISABLED Disable the feature.

AlertList

JSON representation
{
  "alerts": [
    {
      object (Collection)
    }
  ]
}
Fields
alerts[]

object (Collection)