Method: legacy.legacyTestRuleStreaming

HTTP request
Path parameters
Request body
- JSON representation
Response body
- JSON representation
Authorization scopes
IAM Permissions
ExecutionError
- JSON representation
Try it!

Full name: projects.locations.instances.legacy.legacyTestRuleStreaming

legacy.legacyTestRuleStreaming tests the given rule text over a specified time range and streams detections/errors back without persisting them.

HTTP request

Choose a location:

Path parameters

Parameters

Parameters
`instance`	`string` Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}

instance

string

Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}

Request body

The request body contains data with the following structure:

JSON representation
{ "ruleText": string, "startTime": string, "endTime": string, "maxDetections": integer, "scope": string }

Fields
`ruleText`	`string` Required. The rule text to test as a UTF-8 string.
`startTime`	`string (Timestamp format)` Optional. The start time of the time range of events to test the rule text over. If unspecified, will default to 12 hours before endTime. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`endTime`	`string (Timestamp format)` Optional. The end time of the time range of events to test the rule text over. If unspecified, will either default to 12 hours after startTime, or the current day bucket if startTime is also unspecified. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`maxDetections`	`integer` Optional. The maximum number of detections to return. The service may return fewer than this value. If unspecified, at most 1,000 detections will be returned. The maximum value is 10,000; values above 10,000 will be coerced to 10,000.
`scope`	`string` Optional. The data access scope to use to run the rule. This field is only required if data access control is enabled. If reference lists are used in the rule, validations will be performed against this scope to ensure that the reference lists are compatible with both the user's and the rule's scopes. The scope should be in the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}".

Response body

legacy.legacyTestRuleStreaming response message.

If successful, the response body contains data with the following structure:

JSON representation

JSON representation
{ "ruleCompilationError": { object (`RuleCompilationError`) }, "tooManyDetections": boolean, "progressPercent": number, // Union field `result` can be only one of the following: "detection": { object (`Collection`) }, "executionError": { object (`ExecutionError`) } // End of list of possible types for union field `result`. }

{
  "ruleCompilationError": {
    object (RuleCompilationError)
  },
  "tooManyDetections": boolean,
  "progressPercent": number,

  // Union field result can be only one of the following:
  "detection": {
    object (Collection)
  },
  "executionError": {
    object (ExecutionError)
  }
  // End of list of possible types for union field result.
}

Fields
`ruleCompilationError`	`object (RuleCompilationError)` The compilation error generated from the rule text.
`tooManyDetections`	`boolean` Indicates if the request would have streamed more detections than maxResults allows.
`progressPercent`	`number` The progress percent of the run, from 0.0-100.0.
Union field `result`. `result` can be only one of the following:
`detection`	`object (Collection)` A detection generated from the test. The following fields will not be set because the detection is not persisted: - createdTime - detection[].rule_id - detection[].rule_version id will be set, but cannot be passed to other methods to retrieve the detection since it is not persisted.
`executionError`	`object (ExecutionError)` An execution error generated from the test.

Authorization scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

IAM Permissions

Requires the following IAM permission on the instance resource:

chronicle.legacies.legacyTestRuleStreaming

For more information, see the IAM documentation.

ExecutionError

An execution error generated from the test.

JSON representation
{ "error": { object (`Status`) }, "timeRange": { object (`Interval`) } }

Fields

Fields
`error`	`object (Status)` The error status corresponding with the execution error.
`timeRange`	`object (Interval)` The event time range that the execution error corresponds with.

error

object (Status)

The error status corresponding with the execution error.

timeRange

object (Interval)

The event time range that the execution error corresponds with.

Method: legacy.legacyTestRuleStreaming Stay organized with collections Save and categorize content based on your preferences.