Method: legacy.legacySearchRuleResults

HTTP request
Path parameters
Query parameters
Request body
Response body
- JSON representation
Authorization scopes
IAM Permissions
Try it!

Full name: projects.locations.instances.legacy.legacySearchRuleResults

Legacy endpoint for listing aggregated results for a Rules Engine rule.

HTTP request

Choose a location:

Path parameters

Parameters

Parameters
`instance`	`string` Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}

instance

string

Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}

Query parameters

Parameters
`ruleId`	`string` Required. The rule ID to return results for.
`versionTimestamp`	`string (Timestamp format)` Optional. The version timestamp of the rule. - If not specified for customer rules, use the latest version of the rule. - If not specified for Uppercase rules, aggregate across all versions of the rule. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`timeRange`	`object (Interval)` Optional. If it is empty, return latest maxMatches number of matches.
`maxMatches`	`integer` Optional. The maximum number of matches to return. If maxMatches is set to 0 (or is omitted), the server will use the default limit (10K).
`ruleSource`	`enum (RuleSource)` Optional. The rule source to return results for. If omitted, default to returning results for customer rules. If it does not match the ruleId field, an error will be returned.
`maxRespSizeBytes`	`integer` Optional. The maximum size of response in bytes. If it is set to 0 (or is omitted), the server will not enforce any max response size limit.

Request body

The request body must be empty.

Response body

Response with list of matches that have been found from a Rules Engine rule. NEXT TAG: 4

If successful, the response body contains data with the following structure:

JSON representation
{ "yaraL2TooManyDetections": boolean, "yaraL2Detections": [ { object (`YaraL2Detection`) } ], "respTooLargeDetectionsTruncated": boolean }

Fields

Fields
`yaraL2TooManyDetections`	`boolean` For YARA 2.0 Whether the request would have resulted in more detections than the default limit allows. If true, the `detections` field will contain only the number of allowed matches.
`yaraL2Detections[]`	`object (YaraL2Detection)` For YARA 2.0 A list of detections found by applying the rule.
`respTooLargeDetectionsTruncated`	`boolean` This is related to the maxRespSizeBytes field in the request. If the original response size is larger than the maxRespSizeBytes, we will truncate detections so that the response size is smaller than maxRespSizeBytes, and this field will be set to true.

yaraL2TooManyDetections

boolean

For YARA 2.0 Whether the request would have resulted in more detections than the default limit allows. If true, the detections field will contain only the number of allowed matches.

yaraL2Detections[]

object (YaraL2Detection)

For YARA 2.0 A list of detections found by applying the rule.

respTooLargeDetectionsTruncated

boolean

This is related to the maxRespSizeBytes field in the request. If the original response size is larger than the maxRespSizeBytes, we will truncate detections so that the response size is smaller than maxRespSizeBytes, and this field will be set to true.

Authorization scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

IAM Permissions

Requires the following IAM permission on the instance resource:

chronicle.legacies.legacySearchRuleResults

For more information, see the IAM documentation.

Method: legacy.legacySearchRuleResults Stay organized with collections Save and categorize content based on your preferences.