Method: legacy.legacySearchRuleDetectionEvents

Full name: projects.locations.instances.legacy.legacySearchRuleDetectionEvents

Legacy RPC for listing events associated with a particular Detection generated by a Rules Engine rule.

HTTP request


Path parameters

Parameters
instance

string

Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}

Query parameters

Parameters
ruleId

string

Required. The rule ID that generated the detection.

versionTimestamp

string (Timestamp format)

Optional. The version timestamp of the rule that generated the detection. If omitted, the latest version of the rule will be used.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

detectionId

string

Required. The ID of the detection.

maxEvents

integer

Optional. Maximum number of events returned over all event variables. Both the default and the upper limit are 100k events over all event variables. The events of this detection are sorted by event timestamp, truncated to maxEvents events, and grouped by event variable in the response.

Request body

The request body must be empty.

Response body

Events associated with a Rule-generated Detection.

If successful, the response body contains data with the following structure:

JSON representation
{
  "resultEvents": {
    string: {
      object (OnDemandEventSampleList)
    },
    ...
  },
  "resultEntities": {
    string: {
      object (OnDemandEventSampleList)
    },
    ...
  },
  "resultDetections": {
    string: {
      object (OnDemandDetectionSampleList)
    },
    ...
  },
  "tooManyEvents": boolean
}
Fields
resultEvents

map (key: string, value: object (OnDemandEventSampleList))

Map from event variable to the event samples. The events for each event variable are sorted by the event timestamp. Note: This field contains both event and entity samples.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

resultEntities

map (key: string, value: object (OnDemandEventSampleList))

Map from entity event variable to the entity samples. The entities for each event variable are sorted by the entity time range.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

resultDetections

map (key: string, value: object (OnDemandDetectionSampleList))

Map from detection event variable to the detection samples. The detection IDs for each event variable are sorted by the detection timestamp.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

tooManyEvents

boolean

True if the request would have returned more event samples than maxEvents allows.
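As an added example (not part of the Chronicle documentation or client libraries), the following Python validates the query parameters this method documents before any request is made and flattens a response of the documented shape, surfacing the tooManyEvents truncation flag. The HTTP call itself is left out; the response below is constructed to match the JSON representation above, not real Chronicle output.

```python
import re

# Documented default and upper limit for maxEvents (100k events over all event variables).
MAX_EVENTS_LIMIT = 100_000
# RFC 3339 as described on this page: "Z" or an explicit offset, optional fractional seconds.
RFC3339_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$")


def build_query_params(rule_id, detection_id, version_timestamp=None, max_events=None):
    """Assemble the documented query parameters, rejecting bad values before any call."""
    if not rule_id or not detection_id:
        raise ValueError("ruleId and detectionId are required")
    params = {"ruleId": rule_id, "detectionId": detection_id}
    if version_timestamp is not None:
        if not RFC3339_RE.match(version_timestamp):
            raise ValueError("versionTimestamp must be an RFC 3339 timestamp")
        params["versionTimestamp"] = version_timestamp
    if max_events is not None:
        if not 0 < max_events <= MAX_EVENTS_LIMIT:
            raise ValueError(f"maxEvents must be between 1 and {MAX_EVENTS_LIMIT}")
        params["maxEvents"] = max_events
    return params


def summarize_response(resp):
    """Flatten resultEvents (documented to hold both event and entity samples) and
    resultDetections by event variable; 'truncated' mirrors tooManyEvents."""
    samples = {}
    for var, lst in resp.get("resultEvents", {}).items():
        for s in lst.get("eventSamples", []):
            # Union field event_sample: exactly one of "event" or "entity" is present.
            kind = "event" if "event" in s else "entity"
            samples.setdefault(var, []).append((kind, s.get("eventId")))
    detections = {var: [d["detectionId"] for d in lst.get("detectionSamples", [])]
                  for var, lst in resp.get("resultDetections", {}).items()}
    return {"samples": samples, "detections": detections,
            "truncated": bool(resp.get("tooManyEvents", False))}


# Constructed response in the documented shape (sample values, not real Chronicle output).
SAMPLE_RESPONSE = {
    "resultEvents": {"$e": {"eventSamples": [
        {"eventId": "ev-1", "event": {"metadata": {"event_type": "NETWORK_CONNECTION"}}},
        {"eventId": "ev-2", "entity": {"metadata": {"entity_type": "ASSET"}}}]}},
    "resultEntities": {},
    "resultDetections": {"$d": {"detectionSamples": [
        {"detectionId": "det-9", "ruleId": "ru_example", "ruleVersion": "v1"}]}},
    "tooManyEvents": True,
}
```

When `truncated` is set, the caller knows the event list was cut at maxEvents and should raise maxEvents (up to the 100k limit) or narrow the query rather than treat the sample as complete.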

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

IAM Permissions

Requires the following IAM permission on the instance resource:

  • chronicle.legacies.legacySearchRuleDetectionEvents

For more information, see the IAM documentation.

OnDemandEventSampleList

JSON representation
{
  "eventSamples": [
    {
      object (EventSample)
    }
  ]
}
Fields
eventSamples[]

object (EventSample)

EventSample

JSON representation
{
  "rawLogEventInformation": {
    object (RawLogEventInformation)
  },
  "rawLogToken": string,
  "eventId": string,
  "joinedDataTableRows": [
    {
      object (DataTableRowDetails)
    }
  ],
  "graphEnrichment": {
    object (DataTableEntityGraphEnrichment)
  },
  "udmNounProvenances": [
    {
      object (EnrichmentProvenance)
    }
  ],
  "udmProvenance": {
    object (UdmProvenance)
  },

  // Union field event_sample can be only one of the following:
  "event": {
    object (UDM)
  },
  "entity": {
    object (Entity)
  }
  // End of list of possible types for union field event_sample.
}
Fields
rawLogEventInformation
(deprecated)

object (RawLogEventInformation)

rawLogToken

string

eventId

string

joinedDataTableRows[]

object (DataTableRowDetails)

graphEnrichment

object (DataTableEntityGraphEnrichment)

udmNounProvenances[]

object (EnrichmentProvenance)

udmProvenance

object (UdmProvenance)

Union field event_sample.

event_sample can be only one of the following:

event

object (UDM)

entity

object (Entity)

RawLogEventInformation

JSON representation
{
  "batchId": string,
  "offset": integer,
  "timestamp": string,
  "eventType": enum (EventType),
  "disambiguationKey": string,
  "normalizedEventType": enum (EventType),
  "customerId": string
}
Fields
batchId

string (bytes format)

A base64-encoded string.

offset

integer

timestamp

string (Timestamp format)

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

eventType

enum (EventType)

disambiguationKey

string (bytes format)

A base64-encoded string.

normalizedEventType

enum (EventType)

customerId

string (bytes format)

A base64-encoded string.

DataTableEntityGraphEnrichment

JSON representation
{
  "dataTable": string,
  "enrichmentType": enum (EnrichmentType),
  "overriddenEntity": {
    object (Entity)
  }
}
Fields
dataTable

string

enrichmentType

enum (EnrichmentType)

overriddenEntity

object (Entity)

EnrichmentType

Enums
ENRICHMENT_TYPE_UNSPECIFIED
APPEND
OVERRIDE

OnDemandDetectionSampleList

JSON representation
{
  "detectionSamples": [
    {
      object (DetectionSample)
    }
  ]
}
Fields
detectionSamples[]

object (DetectionSample)

DetectionSample

JSON representation
{
  "detectionId": string,
  "ruleId": string,
  "ruleVersion": string
}
Fields
detectionId

string

ruleId

string

ruleVersion

string