Method: legacy.legacySearchRuleDetectionEvents
Stay organized with collections Save and categorize content based on your preferences.

Full name: projects.locations.instances.legacy.legacySearchRuleDetectionEvents

Legacy RPC for listing events associated with a particular Detection generated by a Rules Engine rule.

GET https://chronicle.googleapis.com/v1alpha/{instance}/legacy:legacySearchRuleDetectionEvents

Parameters

Parameters
`instance`	`string` Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}

instance

string

Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}

Parameters
`ruleId`	`string` Required. The rule ID that generated the detection.
`versionTimestamp`	`string (Timestamp format)` Optional. The version timestamp of the rule that generated the detection. If omitted, the latest version of the rule will be used. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`detectionId`	`string` Required. The ID of the detection.
`maxEvents`	`integer` Optional. Max events returned over all event variables. The default and limit is 100k events over all event variables. The events of this detection are sorted by event timestamp, truncated to max_events events, and grouped by event variable in the response.

The request body must be empty.

Events associated with a Rule-generated Detection. NEXT TAG: 3

If successful, the response body contains data with the following structure:

JSON representation
{ "result_events": { string: { object (`OnDemandEventSampleList`) }, ... }, "too_many_events": boolean }

Fields

Fields
`result_events`	`map (key: string, value: object (OnDemandEventSampleList))` Map from event variable to the event samples. The events for each event variable are sorted by the event timestamp. An object containing a list of `"key": value` pairs. Example: `{ "name": "wrench", "mass": "1.3kg", "count": "3" }`.
`too_many_events`	`boolean` True if the request would have returned more event samples than max_events allows.

result_events

map (key: string, value: object (OnDemandEventSampleList))

Map from event variable to the event samples. The events for each event variable are sorted by the event timestamp.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

too_many_events

boolean

True if the request would have returned more event samples than max_events allows.

Requires the following OAuth scope:

For more information, see the Authentication Overview.

Requires the following IAM permission on the instance resource:

For more information, see the IAM documentation.