I'm using this endpoint https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances/summariz...
but the issue is that I'm not able to figure out the URL params values.
I tried like this {"timeRange": { "start_time": "2025-07-10T00:00:00Z", "end_time": "2025-07-12T00:00:00Z" }, "pageSize": 10, "returnPrevalence" : true, "entityId" : "xxxxxxxxxxxxxxxxxx" }
Also, how do I pass the entity and entity type, and how do I get the entityid?
Here's a working example using Python I have used before:
    url = f"https://us-chronicle.googleapis.com/v1alpha/{instance_id}:summarizeEntity"
    headers = {
        "Authorization": f"Bearer {access_token}",
        "Content-Type": "application/json"
    }
    params = {
        "entityId": entity_id,
        "timeRange.startTime": start_time,
        "timeRange.endTime": end_time,
        "returnAlerts": "True"
    }
I think the issue may be that timeRange isn't a nested Dictionary, rather you call it using the above syntax.
Best Regards,
Chris
For the summarize entity, try the params as follows:
    {
        "timeRange.end_time": "2025-07-12T00:00:00Z",
        "timeRange.start_time": "2025-07-10T00:00:00Z",
        "pageSize": 10,
        "entityId": "xxxxxxxxxxxxxxxxxx"
    }
If setting return prevalence to true, you also need to provide a specific UDM field to use for calculating prevalence; otherwise you will get a 400 error.
To get the Entity ID, use the SearchEntities endpoint: for example, to get the details of entity jondoe:
    params = {"indicator": "jondoe"}
Response will look like this:
    {
        "entities": [
            {
                "name": "projects/*******/locations/**/instances/******/entities/xxxxxxxx",
                "metadata": { "entityType": "USER" },
                "entity": { "user": { "userid": "jondoe" } }
            }
        ]
    }
The entity ID will be the xxxxxxxxx string after entities in the entity name. That is what you would use in the summarize entity endpoint.
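An added example (not from either reply, and not Google's code): it flattens the nested timeRange object from the question into the dotted query keys the replies describe, and pulls the entity ID out of a SearchEntities-style response. The sample response, project and instance names are constructed; the host is the one in Chris's URL, the camelCase key spelling follows his reply, and nothing is sent over the network.

```python
import re
from urllib.parse import urlencode

# Constructed SearchEntities response, shaped like the one quoted in the thread.
SAMPLE_SEARCH_RESPONSE = {"entities": [{
    "name": "projects/example-project/locations/us/instances/example-instance/entities/EXAMPLE_ENTITY_ID",
    "metadata": {"entityType": "USER"},
    "entity": {"user": {"userid": "jondoe"}},
}]}

_NAME_RE = re.compile(r"^(projects/[^/]+/locations/[^/]+/instances/[^/]+)/entities/([^/]+)$")


def split_entity_name(name):
    """Return (instance path, entity ID) from an entity resource name."""
    match = _NAME_RE.match(name)
    if not match:
        raise ValueError(f"unexpected entity name: {name!r}")
    return match.group(1), match.group(2)


def flatten_params(value, prefix=""):
    """Flatten nested dicts into dotted query keys, e.g. timeRange.startTime."""
    flat = {}
    for key, item in value.items():
        dotted = f"{prefix}.{key}" if prefix else key
        if isinstance(item, dict):
            flat.update(flatten_params(item, dotted))
        elif isinstance(item, bool):
            flat[dotted] = "true" if item else "false"  # assumption: lowercase JSON-style booleans
        else:
            flat[dotted] = str(item)
    return flat


def build_summarize_url(search_response, start_time, end_time, entity_type="USER"):
    """Pick the first entity of the wanted type and build the GET URL."""
    for entity in search_response.get("entities", []):
        if entity.get("metadata", {}).get("entityType") == entity_type:
            instance, entity_id = split_entity_name(entity["name"])
            break
    else:
        raise LookupError(f"no {entity_type} entity in response")
    nested = {"entityId": entity_id, "returnAlerts": True,
              "timeRange": {"startTime": start_time, "endTime": end_time}}
    query = urlencode(flatten_params(nested))  # percent-encodes the ':' in timestamps
    return f"https://us-chronicle.googleapis.com/v1alpha/{instance}:summarizeEntity?{query}"
```

The returned URL is what a GET with the Authorization header from Chris's reply would request; keep the bearer token out of any logging of that request.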