pagination issue with chronicle API legacySearchAlerts

Hi, I attempted to use the Chronicle API (legacySearchAlerts) to retrieve alert information, but I'm unsure how to apply pagination. I set the startTime, endTime, and pageSize query parameters, but I don't know how to set the pageToken for the first call. Additionally, the response body only contains alerts and user_alerts without a next_page_token, which does not match the API documentation, so I can't retrieve the next page.


Did you try to start your first call with pageToken="" or without pageToken?
Did you compare the results manually against the web UI?

Yes, I have tried both pageToken="" and without pageToken. I haven't compared the result with the web UI yet, because I only got the service account credentials from my colleague to test the API; I don't have an account to directly access the web UI. I can confirm that the response of a call with pageSize is different from a call without pageSize, so I think pagination works, it is just missing the next_page_token.

Maybe try this workaround: use an empty next_page_token="" for your subsequent call when you've reached the last page of results. Ideally, the API should return an empty result set in this scenario, when it has reached the end of pagination.

Let me know if it works for you.

It doesn't work; the API does not accept next_page_token as a query parameter.
I think maybe I can only get the last page without pageToken in the query parameter, because when I set pageSize to 10, the result only contains 9 elements (3 in alerts and 6 in userAlerts).

And I found another weird thing: if I change the pageSize to 20 and use the same time range, the result contains 14 elements (5 in alerts and 9 in userAlerts). I don't know how to explain the results produced by these two pageSize values in a way that makes them reasonable.

@JerryHsu - I think this is a bug, which I'll follow up on internally here.

I made an API call to the legacySearchAlerts method and don't see a next page token value either.

While we investigate that, have you looked at the legacySearchRulesAlerts API method, which lets you search for alerts generated by your rules in Google SecOps? Please let me know if you think that is a good fit for your use case and I'll be happy to share some example code with you for using it with pagination.

Hi, I tried the legacySearchRulesAlerts API and I think it is also very useful for our use case, please give me the instruction on how to use it with pagination, thank you.

Apologies, it looks like the legacySearchRulesAlerts method doesn't support pagination. Let me try and find out what the maximum number of alerts is that this method can return and get back to you. Thanks

Any update on pagination or alert volume? I'm trying to retrieve alerts for stats/summaries. 

Hi @jeff_bryner. I'm following up on this internally and will hopefully be able to report back soon. Thanks

@jeff_bryner @JerryHsu,

The legacySearchRulesAlerts API method will return a maximum of 10,000 alerts. This is the default value if no value is provided for the max_num_alerts_to_return parameter.

When the number of available alerts is greater than 10,000, the response will contain a too_many_alerts field that's set to True.

We're working on updating the documentation to include this information.

This API method doesn't support pagination at the moment.

Ah, thanks for the clarification. I think that will suffice!
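Since legacySearchRulesAlerts has no pagination but does flag too_many_alerts when a window exceeds the 10,000-alert cap, one practical way to pull a full history for stats is to treat the time window as the paging unit and bisect it whenever the flag comes back set. The following is an added example, not code from the thread or from Google; it assumes a response shaped as a dict with a "ruleAlerts" list and a boolean "too_many_alerts" (only the flag name comes from the thread), and it uses a constructed offline stand-in for the API so it runs without credentials.

```python
"""Added example: bisect the time range until every legacySearchRulesAlerts
call stays under the 10,000-alert cap, since the method offers no pagination."""
from datetime import datetime, timedelta, timezone

MAX_ALERTS = 10_000  # cap reported in the thread (default max_num_alerts_to_return)


def collect_rule_alerts(search, start, end, cap=MAX_ALERTS,
                        min_window=timedelta(minutes=1)):
    """Fetch all alerts in [start, end) through a search(start, end, cap) callable.

    Assumed response shape (not confirmed by the thread): dict with a
    "ruleAlerts" list and a boolean "too_many_alerts". When the flag is set,
    the partial list is discarded and each half of the window is retried;
    min_window stops the recursion if a single slice still exceeds the cap.
    """
    resp = search(start, end, cap)
    if not resp.get("too_many_alerts", False):
        return list(resp.get("ruleAlerts", []))
    if end - start <= min_window:
        raise RuntimeError(f"window {start.isoformat()}..{end.isoformat()} "
                           f"still exceeds {cap} alerts; cannot split further")
    mid = start + (end - start) / 2
    return (collect_rule_alerts(search, start, mid, cap, min_window)
            + collect_rule_alerts(search, mid, end, cap, min_window))


def make_fake_search(calls):
    """Constructed offline stand-in for the API: one synthetic alert per second,
    so any window longer than max_num_alerts_to_return seconds trips the flag."""
    def search(start, end, max_num_alerts_to_return):
        calls.append((start, end))  # record each call so we can count round trips
        seconds = int((end - start).total_seconds())
        if seconds > max_num_alerts_to_return:
            return {"ruleAlerts": [], "too_many_alerts": True}
        alerts = [{"ts": (start + timedelta(seconds=i)).isoformat()}
                  for i in range(seconds)]
        return {"ruleAlerts": alerts, "too_many_alerts": False}
    return search


def demo():
    """Five hours at one alert/second (18,000 alerts) needs one split into two calls."""
    calls = []
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    alerts = collect_rule_alerts(make_fake_search(calls), start,
                                 start + timedelta(hours=5))
    return len(alerts), len(calls)


if __name__ == "__main__":
    print(demo())  # (18000, 3): one over-cap probe plus two successful half-windows
```

Against the real endpoint, `search` would be a thin wrapper that issues the authenticated request with the window's start and end times and max_num_alerts_to_return, and the bisection keeps the summary counts honest instead of silently truncating at 10,000.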