Optional. The version timestamp of the rule.
- If not specified for customer rules, use the latest version of the rule.
- If not specified for Uppercase rules, aggregate across all versions of the rule.
Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".
Optional. The rule source to return results for. If omitted, default to returning results for customer rules. If it does not match the ruleId field, an error will be returned.
maxRespSizeBytes
integer
Optional. The maximum size of response in bytes. If it is set to 0 (or is omitted), the server will not enforce any max response size limit.
Request body
The request body must be empty.
Response body
Response with the list of matches that have been found from a Rules Engine rule.
If successful, the response body contains data with the following structure:
For YARA 2.0: whether the request would have resulted in more detections than the default limit allows. If true, the detections field will contain only the number of allowed matches.
For YARA 2.0: a list of detections found by applying the rule.
respTooLargeDetectionsTruncated
boolean
This is related to the maxRespSizeBytes field in the request. If the original response size is larger than the maxRespSizeBytes, we will truncate detections so that the response size is smaller than maxRespSizeBytes, and this field will be set to true.
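Both truncation flags above mean the returned detections are an incomplete view of what the rule matched, so a client should surface them rather than treat the list as final. The following is an added example, not Chronicle's own client code: it builds the query string with a Z-normalized `versionTimestamp` and reports why a parsed response was truncated. The function names, the sample rule ID and the camelCase spelling `yaraL2TooManyDetections` are assumptions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

# Flags that mean the detections list is incomplete. The page spells
# respTooLargeDetectionsTruncated in camelCase and the YARA 2.0 flag in
# snake_case; the camelCase form of the latter is an assumption.
TRUNCATION_FLAGS = {
    "respTooLargeDetectionsTruncated": "response exceeded maxRespSizeBytes",
    "resp_too_large_detections_truncated": "response exceeded maxRespSizeBytes",
    "yaraL2TooManyDetections": "more detections than the default limit",
    "yara_l_2_too_many_detections": "more detections than the default limit",
}


def rfc3339_z(ts: datetime) -> str:
    """Z-normalize an aware datetime to RFC 3339 (0 or 6 fractional digits)."""
    if ts.tzinfo is None:
        raise ValueError("naive datetime: an explicit UTC offset is required")
    ts = ts.astimezone(timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if ts.microsecond else "%Y-%m-%dT%H:%M:%SZ"
    return ts.strftime(fmt)


def build_query(rule_id, version_timestamp=None, max_resp_size_bytes=0):
    """Return the URL-encoded query string for the request."""
    if max_resp_size_bytes < 0:
        raise ValueError("maxRespSizeBytes must not be negative")
    params = {"ruleId": rule_id}
    if version_timestamp is not None:
        params["versionTimestamp"] = rfc3339_z(version_timestamp)
    if max_resp_size_bytes:  # 0 or omitted: server enforces no size limit
        params["maxRespSizeBytes"] = max_resp_size_bytes
    return urlencode(params)


def truncation_reasons(response: dict) -> list:
    """List the reasons (if any) the detections in a response are incomplete."""
    return sorted({why for key, why in TRUNCATION_FLAGS.items()
                   if response.get(key) is True})


if __name__ == "__main__":
    # Constructed sample input: the rule ID and response are not real data.
    ist = timezone(timedelta(hours=5, minutes=30))
    print(build_query("ru_constructed-id", datetime(2014, 10, 2, 15, 1, 23, tzinfo=ist), 65536))
    print(truncation_reasons({"respTooLargeDetectionsTruncated": True}))
```

An empty list from `truncation_reasons` is the only case in which the detections can be read as the complete result for the requested range.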
Authorization scopes
Requires the following OAuth scope:
- https://www.googleapis.com/auth/cloud-platform
For more information, see the Authentication Overview (/docs/authentication#authorization-gcp).
IAM Permissions
Requires the following IAM (https://cloud.google.com/iam/docs) permission on the instance resource:
- chronicle.legacies.legacySearchRuleResults
For more information, see the IAM documentation (https://cloud.google.com/iam/docs).
Last updated 2025-08-25 UTC.