Full name: projects.locations.instances.legacy.legacyFetchAlertsView
Legacy streaming endpoint for getting alerts (and in some cases, non-alerting detections) along with aggregated fields that match the query.
HTTP request
Path parameters
Parameters | |
---|---|
instance | Required. The name of the parent resource, which is the SecOps instance. Format: projects/{project}/locations/{location}/instances/{instance} |
Query parameters
Parameters | |
---|---|
baselineQuery | The baseline query to search for. The baseline query is used for this request and its results are cached for subsequent requests, so that supplying additional filters in the snapshotQuery does not require re-running the baseline query. This uses a syntax similar to UDM search, with all fields supported other than those under the path prefixes collectionElements.references.event and collectionElements.references.entity. |
snapshotQuery | Required. The snapshot query to search for. This uses a syntax similar to UDM search, with support for all fields within 7 levels of nesting within the collection proto. For composite detections, filters prefixed with "collectionElements.references.event" or "collectionElements.references.entity" are also checked against one level of producer detections. |
timeRange | Required. The time range to search, [inclusive start, exclusive end). |
alertListOptions | Parameters for the alerts that will be streamed back. |
fieldAggregationOptions | Parameters for the aggregated alert fields that will be streamed back. |
enableCache | If enabled, subsequent requests for the same time range and baseline query will try to serve the response from the server-side cache, with the snapshot query filters applied. |
includeNonAlertingDetections | Whether to include non-alerting detections in the response. |
plaqueTraceLevel | Optional. Deprecated. An internal trace level. |
maxShardCount | Optional. Deprecated. An internal optimization value. |
maxBaselineResults | Optional. Deprecated. Maximum number of alerts that will be processed for a single request. |
Request body
The request body must be empty.
Response body
Depending on the parameters in FetchAlertsViewRequest, the server streams back some combination of alerts and fieldAggregations.
If successful, the response body contains data with the following structure:
JSON representation |
---|
{ "progress": number, "tooManyAlerts": boolean, "complete": boolean, "validBaselineQuery": boolean, "baselineAlertsCount": integer, "validSnapshotQuery": boolean, "queryValidationErrors": [ { object ( |
Fields | |
---|---|
progress | Progress of the query represented as a double between 0 and 1. |
tooManyAlerts | If true, there are too many alerts matched and some have been omitted from both the "Too many alerts" depends on the server-side limit of 1,000,000 matched alerts to serve as a base for the field aggregations, rather than on the |
complete | Streaming for this response is done. There will be no additional updates. |
validBaselineQuery | Whether the request baselineQuery is a valid structured query. If not, |
baselineAlertsCount | The number of alerts matched by the baseline query. |
validSnapshotQuery | Whether the request baseline and snapshot queries are valid. If not, |
queryValidationErrors[] | Parse errors for the baselineQuery and/or the snapshotQuery. |
runtimeErrors[] | Runtime errors. |
filteredAlertsCount | The number of alerts in the snapshot that match the snapshotQuery. This is <= |
alerts | The list of the first N matched alerts. The value of N is determined by the AlertListOptions.maxReturnedAlerts field in the request. |
fieldAggregations | List of fields with aggregated values. |
Authorization scopes
Requires the following OAuth scope:
https://www.googleapis.com/auth/cloud-platform
For more information, see the Authentication Overview.
IAM Permissions
Requires the following IAM permission on the instance resource:
chronicle.legacies.legacyFetchAlertsView
For more information, see the IAM documentation.
AlertListOptions
JSON representation |
---|
{
"maxReturnedAlerts": integer,
"entityIndicator": {
object ( |
Fields | |
---|---|
maxReturnedAlerts | |
entityIndicator | |
EntityIndicator
JSON representation |
---|
{ "indicatorNamespace": string, // Union field |
Fields | |
---|---|
indicatorNamespace | |
Union field. Only one of the following may be set: | |
hostname | |
assetIpAddress | |
mac | |
productId | |
userName | |
email | |
employeeId | |
windowsSid | |
projectObjectId | |
productObjectId | |
rawPid | |
processId | |
fullCommandLine | |
parentProcessId | |
hashMd5 | |
hashSha1 | |
hashSha256 | |
filePath | |
destinationIpAddress | |
domainName | |
resourceProjectObjectId | |
resourceName | |
AlertFieldAggregationOptions
JSON representation |
---|
{ "maxValuesPerField": integer } |
Fields | |
---|---|
maxValuesPerField | |
AlertsFeaturePreference
A generic option to enable or disable a feature.
Enums | |
---|---|
ALERTS_FEATURE_PREFERENCE_UNSPECIFIED | An unspecified preference. Behavior will depend on the server defaults. |
ALERTS_FEATURE_PREFERENCE_ENABLED | Enable the feature. |
ALERTS_FEATURE_PREFERENCE_DISABLED | Disable the feature. |
AlertList
JSON representation |
---|
{
"alerts": [
{
object ( |
Fields | |
---|---|
alerts[] | |