List Detections
List and query all detections.
External Documentation
To learn more, visit the Chronicle documentation.
Basic Parameters
Parameter | Description |
---|---|
Alert State | Filter detections by their alert state. |
Rule ID | The ID of the rule whose detections are listed. A rule version can also be given. To include all versions of a specific rule, use <ruleID>@- ; to include all rules, use - . |
Advanced Parameters
Parameter | Description |
---|---|
Page Size | The number of results returned per page. |
Page Token | Token used to retrieve the next page of detections, taken from the nextPageToken field of a previous response. |
Sort By | - |
Sort End Time | The end of the time range applied to the field chosen in Sort By. |
Sort Start Time | The start of the time range applied to the field chosen in Sort By. |
Example Output
{
"detections": [
{
"type": "RULE_DETECTION",
"detection": [
{
"ruleName": "singleEventRule2",
"description": "description of this rule",
"urlBackToProduct": "https://customername.backstory.chronicle.security/ruleDetections?
ruleId=ru_1f54ab4b-e523-48f7-ae25-271b5ea8337d&selectedList=RuleDetectionsViewTimeline&
selectedParentDetectionId=de_69d1ff3c-3528-6171-fb48-28ee813ec3ec&
selectedTimestamp=2020-12-03T16:59:55.124243Z",
"ruleId": "ru_1f54ab4b-e523-48f7-ae25-271b5ea8337d",
"ruleVersion": "ru_1f54ab4b-e523-48f7-ae25-271b5ea8337d@v_1605892822_687503000",
"alertState": "NOT_ALERTING",
"ruleType": "SINGLE_EVENT",
"ruleLabels": [
{
"key": "description",
"value": "description of this rule"
}
]
}
],
"createdTime": "2020-12-03T19:19:19.720174Z",
"id": "de_69d1ff3c-3528-6171-fb48-28ee813ec3ec",
"timeWindow": {
"startTime": "2020-12-03T16:59:55.124243Z",
"endTime": "2020-12-03T16:59:55.124243Z"
},
"collectionElements": [
{
"references": [
{
"event": {
"metadata": {
"eventTimestamp": "2020-12-03T16:59:55.124243Z",
"collectedTimestamp": "2020-12-03T16:59:55.126201345Z",
"eventType": "NETWORK_DNS",
"productName": "ProductName",
"ingestedTimestamp": "2020-12-03T16:59:59.011915Z"
},
"principal": {
"ip": [
"10.0.123.15"
]
},
"target": {
"ip": [
"10.0.10.10"
]
},
"securityResult": [
{
"action": [
"UNKNOWN_ACTION"
]
}
],
"network": {
"applicationProtocol": "DNS",
"dns": {
"questions": [
{
"name": "altostrat.com",
"type": 1,
"class": 1
}
],
"id": 12345,
"recursionDesired": true
}
}
}
}
],
"label": "e"
}
],
"detectionTime": "2020-12-03T16:59:55.124243Z"
},
{
"type": "RULE_DETECTION",
"detection": [
{
"ruleName": "singleEventRule2",
"description": "description of this rule",
"urlBackToProduct": "https://customername.backstory.chronicle.security/ruleDetections?
ruleId=ru_1f54ab4b-e523-48f7-ae25-271b5ea8337d&selectedList=RuleDetectionsViewTimeline&
selectedParentDetectionId=de_ec2bc52b-a522-aeaf-6a94-f7c7ce0eff15&
selectedTimestamp=2020-12-03T16:59:48.916995Z",
"ruleId": "ru_1f54ab4b-e523-48f7-ae25-271b5ea8337d",
"ruleVersion": "ru_1f54ab4b-e523-48f7-ae25-271b5ea8337d@v_1605892822_687503000",
"alertState": "NOT_ALERTING",
"ruleType": "SINGLE_EVENT",
"ruleLabels": [
{
"key": "description",
"value": "description of this rule"
}
]
}
],
"createdTime": "2020-12-03T19:19:19.720174Z",
"id": "de_ec2bc52b-a522-aeaf-6a94-f7c7ce0eff15",
"timeWindow": {
"startTime": "2020-12-03T16:59:48.916995Z",
"endTime": "2020-12-03T16:59:48.916995Z"
},
"collectionElements": [
{
"references": [
{
"event": {
"metadata": {
"eventTimestamp": "2020-12-03T16:59:48.916995Z",
"collectedTimestamp": "2020-12-03T16:59:48.918238257Z",
"eventType": "NETWORK_DNS",
"productName": "ProductName",
"ingestedTimestamp": "2020-12-03T16:59:59.011915Z"
},
"principal": {
"ip": [
"127.0.0.1"
]
},
"target": {
"ip": [
"127.0.0.1"
]
},
"securityResult": [
{
"action": [
"UNKNOWN_ACTION"
]
}
],
"network": {
"applicationProtocol": "DNS",
"dns": {
"questions": [
{
"name": "altostrat.com",
"type": 1,
"class": 1
}
],
"id": 12346,
"recursionDesired": true
}
}
}
}
],
"label": "e"
}
],
"detectionTime": "2020-12-03T16:59:48.916995Z"
}
],
"nextPageToken": "CgsIkdvj_gUQ2M2IXBIMCISzpP4FELj3oLUDGidkZV9lYzJiYzUyYi1hNTIyLWFlYWYtNmE5NC1mN2M3Y2UwZWZmMTU="
}
Workflow Library Example
List Detections with Chronicle and Send Results Via Email