Full name: projects.locations.instances.legacy.legacySearchRuleDetectionEvents
Legacy RPC for listing events associated with a particular Detection generated by a Rules Engine rule.
HTTP request
Path parameters

| Parameters | |
|---|---|
| instance | Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance} |
Query parameters

| Parameters | |
|---|---|
| ruleId | Required. The rule ID that generated the detection. |
| versionTimestamp | Optional. The version timestamp of the rule that generated the detection. If omitted, the latest version of the rule will be used. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| detectionId | Required. The ID of the detection. |
| maxEvents | Optional. Maximum number of events returned over all event variables. The default and limit is 100k events over all event variables. The events of this detection are sorted by event timestamp, truncated to maxEvents events, and grouped by event variable in the response. |
Request body
The request body must be empty.
Response body
Events associated with a Rule-generated Detection.
If successful, the response body contains data with the following structure:
| JSON representation |
|---|
| { "resultEvents": { string: { object ( |

| Fields | |
|---|---|
| resultEvents | Map from event variable to the event samples. The events for each event variable are sorted by the event timestamp. Note: This field contains both event and entity samples. An object containing a list of |
| resultEntities | Map from entity event variable to the entity samples. The entities for each event variable are sorted by the entity timerange. An object containing a list of |
| resultDetections | Map from detection event variable to the detection samples. The detection ids for each event variable are sorted by the detection timestamp. An object containing a list of |
| tooManyEvents | True if the request would have returned more event samples than maxEvents allows. |
Authorization scopes
Requires the following OAuth scope:
https://www.googleapis.com/auth/cloud-platform
For more information, see the Authentication Overview.
IAM Permissions
Requires the following IAM permission on the instance resource:
chronicle.legacies.legacySearchRuleDetectionEvents
For more information, see the IAM documentation.
OnDemandEventSampleList

| JSON representation |
|---|
| { "eventSamples": [ { object ( |

| Fields | |
|---|---|
| eventSamples[] | |
EventSample

| JSON representation |
|---|
| { "rawLogEventInformation": { object ( |

| Fields | |
|---|---|
| rawLogEventInformation | |
| rawLogToken | |
| eventId | |
| joinedDataTableRows[] | |
| graphEnrichment | |
| udmNounProvenances[] | |
| udmProvenance | |
| Union field | |
| event | |
| entity | |
RawLogEventInformation

| JSON representation |
|---|
| { "batchId": string, "offset": integer, "timestamp": string, "eventType": enum ( |

| Fields | |
|---|---|
| batchId | A base64-encoded string. |
| offset | |
| timestamp | Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| eventType | |
| disambiguationKey | A base64-encoded string. |
| normalizedEventType | |
| customerId | A base64-encoded string. |
DataTableEntityGraphEnrichment

| JSON representation |
|---|
| { "dataTable": string, "enrichmentType": enum ( |

| Fields | |
|---|---|
| dataTable | |
| enrichmentType | |
| overriddenEntity | |
EnrichmentType

| Enums | |
|---|---|
| ENRICHMENT_TYPE_UNSPECIFIED | |
| APPEND | |
| OVERRIDE | |
OnDemandDetectionSampleList

| JSON representation |
|---|
| { "detectionSamples": [ { object ( |

| Fields | |
|---|---|
| detectionSamples[] | |
DetectionSample

| JSON representation |
|---|
| { "detectionId": string, "ruleId": string, "ruleVersion": string } |

| Fields | |
|---|---|
| detectionId | |
| ruleId | |
| ruleVersion | |