Full name: projects.locations.instances.legacy.legacySearchRuleResults
Legacy endpoint for listing aggregated results for a Rules Engine rule.
HTTP request
Path parameters

Parameter | Description
---|---
instance | Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}
Query parameters

Parameter | Description
---|---
ruleId | Required. The rule ID to return results for.
versionTimestamp | Optional. The version timestamp of the rule. If not specified for customer rules, the latest version of the rule is used; if not specified for Uppercase rules, results are aggregated across all versions of the rule. Uses RFC 3339; generated output is always Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples:
timeRange | Optional. If it is empty, the latest maxMatches matches are returned.
maxMatches | Optional. The maximum number of matches to return. If maxMatches is set to 0 (or is omitted), the server uses the default limit (10K).
ruleSource | Optional. The rule source to return results for. If omitted, results for customer rules are returned. If it does not match the ruleId field, an error is returned.
maxRespSizeBytes | Optional. The maximum size of the response in bytes. If it is set to 0 (or is omitted), the server does not enforce any maximum response size.
Request body
The request body must be empty.
Response body

Response with the list of matches that have been found for a Rules Engine rule.

If successful, the response body contains data with the following structure:

JSON representation

    {
      "yaraL2TooManyDetections": boolean,
      "yaraL2Detections": [
        {
          object (
        }
      ],
      "respTooLargeDetectionsTruncated": boolean
    }

Field | Description
---|---
yaraL2TooManyDetections | For YARA 2.0: whether the request would have resulted in more detections than the default limit allows. If true, the
yaraL2Detections[] | For YARA 2.0: a list of detections found by applying the rule.
respTooLargeDetectionsTruncated | Related to the maxRespSizeBytes field in the request. If the original response is larger than maxRespSizeBytes, detections are truncated so that the response fits within maxRespSizeBytes, and this field is set to true.
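The following is an added example, not code from the page or from Google's client libraries. It shows how a caller would assemble the query parameters documented above (including the "0 means server default / no limit" semantics of maxMatches and maxRespSizeBytes, and the Z-normalized RFC 3339 form required for versionTimestamp) and how it should read the two completeness flags in the response so that a truncated detection list is never mistaken for a complete one. The base URL, the `:legacySearchRuleResults` custom-method suffix, and the sample response contents are assumptions; the page does not show the HTTP request line or the detection object type. The timeRange parameter is left out because its structure is not given on the page.

```python
"""Added example (not Google's code): build a legacySearchRuleResults
request URL and interpret the response flags documented on this page."""
from datetime import datetime, timezone
from urllib.parse import urlencode

# ASSUMPTION: the API base URL is not stated on the page.
BASE_URL = "https://chronicle.googleapis.com/v1alpha"
# ASSUMPTION: custom-method suffix derived from the full method name
# projects.locations.instances.legacy.legacySearchRuleResults.
METHOD_SUFFIX = "legacy:legacySearchRuleResults"


def rfc3339_z(ts: datetime) -> str:
    """Render a timestamp as the page describes generated output:
    UTC with a 'Z' suffix and 0, 3 or 6 fractional digits (Python's
    datetime resolution is microseconds, so 9 digits never arise here)."""
    if ts.tzinfo is None:
        raise ValueError("naive datetime; attach a timezone first")
    ts = ts.astimezone(timezone.utc)
    base = ts.strftime("%Y-%m-%dT%H:%M:%S")
    micro = ts.microsecond
    if micro == 0:
        frac = ""
    elif micro % 1000 == 0:
        frac = f".{micro // 1000:03d}"
    else:
        frac = f".{micro:06d}"
    return f"{base}{frac}Z"


def rfc3339_z_from_iso(iso: str) -> str:
    """Convenience wrapper: accept an ISO 8601 string with an offset
    (e.g. '2024-01-02T05:04:05+02:00') and normalize it to the Z form."""
    return rfc3339_z(datetime.fromisoformat(iso))


def build_request_url(instance: str, rule_id: str, *, version_timestamp=None,
                      max_matches: int = 0, rule_source=None,
                      max_resp_size_bytes: int = 0) -> str:
    """Build the GET URL. `instance` must be the full resource name in the
    format projects/{project}/locations/{location}/instances/{instance}."""
    parts = instance.split("/")
    if not (len(parts) == 6 and parts[0] == "projects"
            and parts[2] == "locations" and parts[4] == "instances"):
        raise ValueError("instance must match projects/{p}/locations/{l}/instances/{i}")
    params = {"ruleId": rule_id}
    if version_timestamp is not None:
        params["versionTimestamp"] = rfc3339_z(version_timestamp)
    if max_matches:  # 0 or omitted: server applies its default limit (10K)
        params["maxMatches"] = max_matches
    if rule_source is not None:
        params["ruleSource"] = rule_source
    if max_resp_size_bytes:  # 0 or omitted: server enforces no size limit
        params["maxRespSizeBytes"] = max_resp_size_bytes
    return f"{BASE_URL}/{instance}/{METHOD_SUFFIX}?{urlencode(params)}"


def interpret_response(body: dict) -> dict:
    """Summarize the three response fields from the page. A caller that
    ignores the two flags will silently treat a partial list as complete,
    which matters when the results feed a detection or audit workflow."""
    detections = body.get("yaraL2Detections") or []
    too_many = bool(body.get("yaraL2TooManyDetections", False))
    truncated = bool(body.get("respTooLargeDetectionsTruncated", False))
    advice = []
    if too_many:
        advice.append("more detections than the default limit; narrow the "
                      "query window or set maxMatches explicitly")
    if truncated:
        advice.append("detections dropped to fit maxRespSizeBytes; raise "
                      "the limit or narrow the query")
    return {"count": len(detections),
            "complete": not (too_many or truncated),
            "advice": advice}


# Constructed sample response; the detection objects are placeholders
# because the page does not show the detection type.
SAMPLE_RESPONSE = {
    "yaraL2TooManyDetections": True,
    "yaraL2Detections": [{"placeholder": 1}, {"placeholder": 2}],
    "respTooLargeDetectionsTruncated": False,
}

if __name__ == "__main__":
    print(build_request_url("projects/p/locations/us/instances/i",
                            "ru_example", max_matches=50))
    print(interpret_response(SAMPLE_RESPONSE))
```

The request builder deliberately omits maxMatches and maxRespSizeBytes when they are 0, mirroring the page's statement that 0 and "omitted" are equivalent; the response helper returns a structured verdict rather than printing, so the completeness check can be asserted in automation.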
Authorization scopes
Requires the following OAuth scope:
https://www.googleapis.com/auth/cloud-platform
For more information, see the Authentication Overview.
IAM Permissions
Requires the following IAM permission on the instance resource:
chronicle.legacies.legacySearchRuleResults
For more information, see the IAM documentation.