Method: legacy.legacySearchRulesAlerts

Full name: projects.locations.instances.legacy.legacySearchRulesAlerts

RPC to get the list of Rules Enginer generated alerts for a customer.

HTTP request

GET https://chronicle.googleapis.com/v1alpha/{instance}/legacy:legacySearchRulesAlerts

Path parameters

Parameters

Parameters
`instance`	`string` Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}

instance

string

Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}

Query parameters

Parameters

Parameters
`timeRange`	`object (Interval)` Required. Time range [start, end) for alerts to retrieve. All RE alerts with the detection _time that fall in this time range are returned.
`maxNumAlertsToReturn`	`integer` Optional. Maximum number of alerts to return.
`status`	`enum (RuleStatus)` Optional. When this field is not set, uses ACTIVE by default.

timeRange

object (Interval)

Required. Time range [start, end) for alerts to retrieve. All RE alerts with the detection _time that fall in this time range are returned.

maxNumAlertsToReturn

integer

Optional. Maximum number of alerts to return.

status

enum (RuleStatus)

Optional. When this field is not set, uses ACTIVE by default.

Request body

The request body must be empty.

Response body

List of Rules alerts aggregated by Rule NEXT TAG: 3

If successful, the response body contains data with the following structure:

JSON representation
{ "rule_alerts": [ { object (`RuleAlertsList`) } ], "too_many_alerts": boolean }

Fields

Fields
`rule_alerts[]`	`object (RuleAlertsList)` Alerts generated by the Rules engine. One entry for each Rule created by the customer
`too_many_alerts`	`boolean` Indicates that more data was available but not sent due to more hits than max_matches_to_return.

rule_alerts[]

object (RuleAlertsList)

Alerts generated by the Rules engine. One entry for each Rule created by the customer

too_many_alerts

boolean

Indicates that more data was available but not sent due to more hits than max_matches_to_return.

Authorization scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

IAM Permissions

Requires the following IAM permission on the instance resource:

chronicle.legacies.legacySearchRulesAlerts

For more information, see the IAM documentation.

RuleStatus

Enums
`ACTIVE`
`ARCHIVED`
`ALL`

RuleAlertsList

JSON representation
{ "rule_metadata": { object (`Rule`) }, "alerts": [ { object (`YaraL2Detection`) } ] }

Fields
`rule_metadata`	`object (Rule)`
`alerts[]`	`object (YaraL2Detection)`

Rule

JSON representation
{ "rule_id": string, "properties": { object (`RuleProperties`) }, "rule_compilation_error": { object (`RuleCompilationError`) } }

Fields
`rule_id`	`string`
`properties`	`object (RuleProperties)`
`rule_compilation_error`	`object (RuleCompilationError)`

RuleProperties

JSON representation

JSON representation
{ "name": string, "metadata": { string: string, ... }, "last_update_time": string, "live_rule_status": enum (`LiveRuleStatus`), "execution_state": enum (`ExecutionState`), "rule_notification_enabled": boolean, "last_alert_status_change_time": string, "user_facing_rule_type": enum (`UserFacingRuleType`), "text": string, "creation_time": string, "archived_timestamp": string, "run_frequency": enum (`RunFrequency`), "allowed_run_frequencies": [ enum (`RunFrequency`) ], "near_real_time_live_rule_eligible": boolean, "rl_name_versions": { object (`RLNameVersions`) }, "policy": string, "policy_rule_type": enum (`PolicyRuleType`), "dt_name_versions": { object (`DTNameVersions`) } }

{
  "name": string,
  "metadata": {
    string: string,
    ...
  },
  "last_update_time": string,
  "live_rule_status": enum (LiveRuleStatus),
  "execution_state": enum (ExecutionState),
  "rule_notification_enabled": boolean,
  "last_alert_status_change_time": string,
  "user_facing_rule_type": enum (UserFacingRuleType),
  "text": string,
  "creation_time": string,
  "archived_timestamp": string,
  "run_frequency": enum (RunFrequency),
  "allowed_run_frequencies": [
    enum (RunFrequency)
  ],
  "near_real_time_live_rule_eligible": boolean,
  "rl_name_versions": {
    object (RLNameVersions)
  },
  "policy": string,
  "policy_rule_type": enum (PolicyRuleType),
  "dt_name_versions": {
    object (DTNameVersions)
  }
}

Fields
`name`	`string`
`metadata`	`map (key: string, value: string)` An object containing a list of `"key": value` pairs. Example: `{ "name": "wrench", "mass": "1.3kg", "count": "3" }`.
`last_update_time`	`string (Timestamp format)` Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`live_rule_status`	`enum (LiveRuleStatus)`
`execution_state`	`enum (ExecutionState)` Output only.
`rule_notification_enabled`	`boolean`
`last_alert_status_change_time`	`string (Timestamp format)` Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`user_facing_rule_type`	`enum (UserFacingRuleType)`
`text`	`string`
`creation_time`	`string (Timestamp format)` Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`archived_timestamp`	`string (Timestamp format)` Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`run_frequency`	`enum (RunFrequency)`
`allowed_run_frequencies[]`	`enum (RunFrequency)`
`near_real_time_live_rule_eligible`	`boolean`
`rl_name_versions`	`object (RLNameVersions)`
`policy`	`string`
`policy_rule_type`	`enum (PolicyRuleType)`
`dt_name_versions`	`object (DTNameVersions)`

LiveRuleStatus

Enums
`LIVE_RULE_STATUS_UNSPECIFIED`
`ENABLED`
`DISABLED`

ExecutionState

Enums
`EXECUTION_STATE_UNSPECIFIED`
`DEFAULT`
`LIMITED`
`PAUSED`

RunFrequency

Enums
`RUN_FREQUENCY_UNSPECIFIED`
`RUN_FREQUENCY_REALTIME`
`RUN_FREQUENCY_HOURLY`
`RUN_FREQUENCY_DAILY`

RLNameVersions

JSON representation
{ "name_versions": { string: string, ... } }

Fields

Fields
`name_versions`	`map (key: string, value: string (Timestamp format))` An object containing a list of `"key": value` pairs. Example: `{ "name": "wrench", "mass": "1.3kg", "count": "3" }`.

name_versions

map (key: string, value: string (Timestamp format))

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

PolicyRuleType

Enums
`POLICY_RULE_TYPE_UNSPECIFIED`
`HUNTING`
`PRODUCTION`
`FOUNDATIONAL`

DTNameVersions

JSON representation
{ "name_versions": { string: string, ... } }

Fields

Fields
`name_versions`	`map (key: string, value: string (int64 format))` An object containing a list of `"key": value` pairs. Example: `{ "name": "wrench", "mass": "1.3kg", "count": "3" }`.

name_versions

map (key: string, value: string (int64 format))

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.