Method: legacy.legacySearchDetections

Full name: projects.locations.instances.legacy.legacySearchDetections

Legacy endpoint for searching detections for a rule version.

HTTP request


Path parameters

Parameters
instance

string

Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}

Query parameters

Parameters
ruleId

string

Required. The specific rule revision to search detections for. There are four acceptable formats: - {ruleId} retrieves detections for the latest revision of the Rule with rule ID |ruleId| - {ruleId}@{revisionId} retrieves detections for the Rule revision with rule ID |ruleId| and revision ID |revisionId|. - {ruleId}@{wildcard} retrieves detections for all revisions of the Rule with rule ID |ruleId|. - {wildcard} retrieves detections for all revisions of all Rules.
alertState

enum (AlertState)

Optional. An enum that filters which detections are returned by their AlertState.
startTime

string (Timestamp format)

Optional. The time to start search detections from, inclusive.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".
endTime

string (Timestamp format)

Optional. The time to end searching detections to, exclusive.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".
listBasis

enum (ListBasis)

Optional. Basis for determining whether to apply startTime and endTime filters for detection time or creation time of the detection.
pageSize

integer

Optional. Maximum number of detections to return.
pageToken

string

Optional. A page token, received from a previous legacy.legacySearchDetections call. Provide this to retrieve the subsequent page.

When paginating, all other parameters provided to legacy.legacySearchDetections must match the call that provided the page token.
maxRespSizeBytes

integer

Optional. The maximum size of response in bytes. If it is set to 0 (or is omitted), the server will not enforce any max response size limit.
includeNestedDetections

boolean

Optional. If true, include one level of nested detections in the response.

Request body

The request body must be empty.

Response body

legacy.legacySearchDetections response message.

If successful, the response body contains data with the following structure:

JSON representation 
{
  "detections": [
    {
      object (Collection)
    }
  ],
  "nestedDetectionSamples": [
    {
      object (DetectionWithSamples)
    }
  ],
  "nextPageToken": string,
  "respTooLargeDetectionsTruncated": boolean
}
Fields
detections[]

object (Collection)

Either detections or nestedDetections will be populated, but not both. List of detections in Collection protos corresponding to the ruleId. Only returned if includeNestedDetections is false or missing in the request.
nestedDetectionSamples[]

object (DetectionWithSamples)

Detections generated by the rule named by ruleId in the request, along with one level of nested detections. Only returned if includeNestedDetections is true in the request.
nextPageToken

string

A token that can be sent as pageToken to retrieve the next page. If this field is omitted, there are no subsequent pages.
respTooLargeDetectionsTruncated

boolean

This is related to the maxRespSizeBytes field in the request. If the original response size is larger than the maxRespSizeBytes, we will truncate detections so that the response size is smaller than maxRespSizeBytes, and this field will be set to true.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

IAM Permissions

Requires the following IAM permission on the instance resource:

  • chronicle.legacies.legacySearchDetections

For more information, see the IAM documentation.

ListBasis

Type of Timestamp to use for listing detections.

Enums
LIST_BASIS_UNSPECIFIED Unspecified list basis.
DETECTION_TIME List detections by detection time.
CREATED_TIME List detections by created time.