To learn more, visit the Chronicle documentation.

Basic Parameters

| Parameter | Description |
| --- | --- |
| Alert State | Filter detections by their state. |
| Rule ID | The ID of the rule whose detections are returned. This can also be a rule version ID. For all versions of a specific rule, use `<ruleID>@-`. For all rules, use `-`. |

Advanced Parameters

| Parameter | Description |
| --- | --- |
| Page Size | The number of alerts returned on each page. |
| Page Token | Use to retrieve another page of detections (for example, the `nextPageToken` value returned by a previous call). |
| Sort By | - |
| Sort End Time | The end time of the chosen Sort By parameter. |
| Sort Start Time | The start time of the chosen Sort By parameter. |

Example Output

{  "detections": [    {      "type": "RULE_DETECTION",      "detection": [        {          "ruleName": "singleEventRule2",          "description": "description of this rule",          "urlBackToProduct": "https://customername.backstory.chronicle.security/ruleDetections?          ruleId=ru_1f54ab4b-e523-48f7-ae25-271b5ea8337d&selectedList=RuleDetectionsViewTimeline&          selectedParentDetectionId=de_69d1ff3c-3528-6171-fb48-28ee813ec3ec&          selectedTimestamp=2020-12-03T16:59:55.124243Z",          "ruleId": "ru_1f54ab4b-e523-48f7-ae25-271b5ea8337d",          "ruleVersion": "ru_1f54ab4b-e523-48f7-ae25-271b5ea8337d@v_1605892822_687503000",          "alertState": "NOT_ALERTING",          "ruleType": "SINGLE_EVENT"          "ruleLabels": [            {              "key": "description",              "value": "description of this rule"            }          ],        }      ],      "createdTime": "2020-12-03T19:19:19.720174Z",      "id": "de_69d1ff3c-3528-6171-fb48-28ee813ec3ec",      "timeWindow": {        "startTime": "2020-12-03T16:59:55.124243Z",        "endTime": "2020-12-03T16:59:55.124243Z"      },      "collectionElements": [        {          "references": [            {              "event": {                "metadata": {                  "eventTimestamp": "2020-12-03T16:59:55.124243Z",                  "collectedTimestamp": "2020-12-03T16:59:55.126201345Z",                  "eventType": "NETWORK_DNS",                  "productName": "ProductName",                  "ingestedTimestamp": "2020-12-03T16:59:59.011915Z"                },                "principal": {                  "ip": [                    "10.0.123.15"                  ]                },                "target": {                  "ip": [                    "10.0.10.10"                  ]                },                "securityResult": [                  {                    "action": [                      "UNKNOWN_ACTION"                    ]                  }                ], 
               "network": {                  "applicationProtocol": "DNS",                  "dns": {                    "questions": [                      {                        "name": "altostrat.com",                        "type": 1,                        "class": 1                      }                    ],                    "id": 12345,                    "recursionDesired": true                  }                }              }            }          ],          "label": "e"        }      ],      "detectionTime": "2020-12-03T16:59:55.124243Z"    },    {      "type": "RULE_DETECTION",      "detection": [        {          "ruleName": "singleEventRule2",          "description": "description of this rule",          "urlBackToProduct": "https://customername.backstory.chronicle.security/ruleDetections?          ruleId=ru_1f54ab4b-e523-48f7-ae25-271b5ea8337d&selectedList=RuleDetectionsViewTimeline&          selectedParentDetectionId=de_ec2bc52b-a522-aeaf-6a94-f7c7ce0eff15&          selectedTimestamp=2020-12-03T16:59:48.916995Z",          "ruleId": "ru_1f54ab4b-e523-48f7-ae25-271b5ea8337d",          "ruleVersion": "ru_1f54ab4b-e523-48f7-ae25-271b5ea8337d@v_1605892822_687503000",          "alertState": "NOT_ALERTING",          "ruleType": "SINGLE_EVENT"          "ruleLabels": [            {              "key": "description",              "value": "description of this rule"            }          ],        }      ],      "createdTime": "2020-12-03T19:19:19.720174Z",      "id": "de_ec2bc52b-a522-aeaf-6a94-f7c7ce0eff15",      "timeWindow": {        "startTime": "2020-12-03T16:59:48.916995Z",        "endTime": "2020-12-03T16:59:48.916995Z"      },      "collectionElements": [        {          "references": [            {              "event": {                "metadata": {                  "eventTimestamp": "2020-12-03T16:59:48.916995Z",                  "collectedTimestamp": "2020-12-03T16:59:48.918238257Z",                  "eventType": "NETWORK_DNS",            
      "productName": "ProductName",                  "ingestedTimestamp": "2020-12-03T16:59:59.011915Z"                },                "principal": {                  "ip": [                    "127.0.0.1"                  ]                },                "target": {                  "ip": [                    "127.0.0.1"                  ]                },                "securityResult": [                  {                    "action": [                      "UNKNOWN_ACTION"                    ]                  }                ],                "network": {                  "applicationProtocol": "DNS",                  "dns": {                    "questions": [                      {                        "name": "altostrat.com",                        "type": 1,                        "class": 1                      }                    ],                    "id": 12346,                    "recursionDesired": true                  }                }              }            }          ],          "label": "e"        }      ],      "detectionTime": "2020-12-03T16:59:48.916995Z"    }  ],  "nextPageToken": "CgsIkdvj_gUQ2M2IXBIMCISzpP4FELj3oLUDGidkZV9lYzJiYzUyYi1hNTIyLWFlYWYtNmE5NC1mN2M3Y2UwZWZmMTU="}

Workflow Library Example

List Detections with Chronicle and Send Results Via Email
