Method: legacy.legacySearchRulesAlerts

Full name: projects.locations.instances.legacy.legacySearchRulesAlerts

RPC to get the list of Rules Engine generated alerts for a customer.

HTTP request

Choose a location:

Path parameters

Parameters

Parameters
`instance`	`string` Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}

instance

string

Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}

Query parameters

Parameters

Parameters
`timeRange`	`object (Interval)` Required. Time range [start, end) for alerts to retrieve. All RE alerts with the detection _time that fall in this time range are returned.
`maxNumAlertsToReturn`	`integer` Optional. The maximum number of alerts to return. The default and maximum value is 10,000; values above that will be coerced to 10,000. When the number of available alerts is greater than this value, the response will contain a tooManyAlerts field set to true.
`status`	`enum (RuleStatus)` Optional. When this field is not set, uses ACTIVE by default.

timeRange

object (Interval)

Required. Time range [start, end) for alerts to retrieve. All RE alerts with the detection _time that fall in this time range are returned.

maxNumAlertsToReturn

integer

Optional. The maximum number of alerts to return. The default and maximum value is 10,000; values above that will be coerced to 10,000. When the number of available alerts is greater than this value, the response will contain a tooManyAlerts field set to true.

status

enum (RuleStatus)

Optional. When this field is not set, uses ACTIVE by default.

Request body

The request body must be empty.

Response body

List of Rules alerts aggregated by Rule NEXT TAG: 3

If successful, the response body contains data with the following structure:

JSON representation
{ "ruleAlerts": [ { object (`RuleAlertsList`) } ], "tooManyAlerts": boolean }

Fields

Fields
`ruleAlerts[]`	`object (RuleAlertsList)` Alerts generated by the Rules engine. One entry for each Rule created by the customer
`tooManyAlerts`	`boolean` Indicates that more data was available but not sent due to more hits than maxNumAlertsToReturn.

ruleAlerts[]

object (RuleAlertsList)

Alerts generated by the Rules engine. One entry for each Rule created by the customer

tooManyAlerts

boolean

Indicates that more data was available but not sent due to more hits than maxNumAlertsToReturn.

Authorization scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

IAM Permissions

Requires the following IAM permission on the instance resource:

chronicle.legacies.legacySearchRulesAlerts

For more information, see the IAM documentation.

RuleStatus

Enums
`ACTIVE`
`ARCHIVED`
`ALL`

RuleAlertsList

JSON representation
{ "ruleMetadata": { object (`Rule`) }, "alerts": [ { object (`YaraL2Detection`) } ] }

Fields
`ruleMetadata`	`object (Rule)`
`alerts[]`	`object (YaraL2Detection)`

Rule

JSON representation
{ "ruleId": string, "properties": { object (`RuleProperties`) }, "ruleCompilationError": { object (`RuleCompilationError`) } }

Fields
`ruleId`	`string`
`properties`	`object (RuleProperties)`
`ruleCompilationError`	`object (RuleCompilationError)`

RuleProperties

JSON representation

JSON representation
{ "name": string, "metadata": { string: string, ... }, "lastUpdateTime": string, "liveRuleStatus": enum (`LiveRuleStatus`), "executionState": enum (`ExecutionState`), "ruleNotificationEnabled": boolean, "lastAlertStatusChangeTime": string, "userFacingRuleType": enum (`UserFacingRuleType`), "text": string, "creationTime": string, "archivedTimestamp": string, "runFrequency": enum (`RunFrequency`), "allowedRunFrequencies": [ enum (`RunFrequency`) ], "nearRealTimeLiveRuleEligible": boolean, "rlNameVersions": { object (`RLNameVersions`) }, "policy": string, "policyRuleType": enum (`PolicyRuleType`), "dtNameVersions": { object (`DTNameVersions`) } }

{
  "name": string,
  "metadata": {
    string: string,
    ...
  },
  "lastUpdateTime": string,
  "liveRuleStatus": enum (LiveRuleStatus),
  "executionState": enum (ExecutionState),
  "ruleNotificationEnabled": boolean,
  "lastAlertStatusChangeTime": string,
  "userFacingRuleType": enum (UserFacingRuleType),
  "text": string,
  "creationTime": string,
  "archivedTimestamp": string,
  "runFrequency": enum (RunFrequency),
  "allowedRunFrequencies": [
    enum (RunFrequency)
  ],
  "nearRealTimeLiveRuleEligible": boolean,
  "rlNameVersions": {
    object (RLNameVersions)
  },
  "policy": string,
  "policyRuleType": enum (PolicyRuleType),
  "dtNameVersions": {
    object (DTNameVersions)
  }
}

Fields
`name`	`string`
`metadata`	`map (key: string, value: string)` An object containing a list of `"key": value` pairs. Example: `{ "name": "wrench", "mass": "1.3kg", "count": "3" }`.
`lastUpdateTime`	`string (Timestamp format)` Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`liveRuleStatus`	`enum (LiveRuleStatus)`
`executionState`	`enum (ExecutionState)` Output only.
`ruleNotificationEnabled`	`boolean`
`lastAlertStatusChangeTime`	`string (Timestamp format)` Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`userFacingRuleType`	`enum (UserFacingRuleType)`
`text`	`string`
`creationTime`	`string (Timestamp format)` Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`archivedTimestamp`	`string (Timestamp format)` Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`runFrequency`	`enum (RunFrequency)`
`allowedRunFrequencies[]`	`enum (RunFrequency)`
`nearRealTimeLiveRuleEligible`	`boolean`
`rlNameVersions`	`object (RLNameVersions)`
`policy`	`string`
`policyRuleType`	`enum (PolicyRuleType)`
`dtNameVersions`	`object (DTNameVersions)`

LiveRuleStatus

Enums
`LIVE_RULE_STATUS_UNSPECIFIED`
`ENABLED`
`DISABLED`

ExecutionState

Enums
`EXECUTION_STATE_UNSPECIFIED`
`DEFAULT`
`LIMITED`
`PAUSED`

RunFrequency

Enums
`RUN_FREQUENCY_UNSPECIFIED`
`RUN_FREQUENCY_REALTIME`
`RUN_FREQUENCY_HOURLY`
`RUN_FREQUENCY_DAILY`

RLNameVersions

JSON representation
{ "nameVersions": { string: string, ... } }

Fields

Fields
`nameVersions`	`map (key: string, value: string (Timestamp format))` An object containing a list of `"key": value` pairs. Example: `{ "name": "wrench", "mass": "1.3kg", "count": "3" }`.

nameVersions

map (key: string, value: string (Timestamp format))

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

PolicyRuleType

Enums
`POLICY_RULE_TYPE_UNSPECIFIED`
`HUNTING`
`PRODUCTION`
`FOUNDATIONAL`

DTNameVersions

JSON representation
{ "nameVersions": { string: string, ... } }

Fields

Fields
`nameVersions`	`map (key: string, value: string (int64 format))` An object containing a list of `"key": value` pairs. Example: `{ "name": "wrench", "mass": "1.3kg", "count": "3" }`.

nameVersions

map (key: string, value: string (int64 format))

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.