Aggregates AnalyzedSessions across MonitoredAgents. To aggregate across all MonitoredAgents in a location, use the following format for the parent field: `projects/{project}/locations/{location}/monitoredAgents/-`

Method Details

aggregate(parent, filter=None, pageSize=None, pageToken=None, x__xgafv=None)

Args:
parent: string, Required. The parent MonitoredAgent resource. Use the `-` wildcard for the monitored_agent segment to aggregate across multiple agents in the location. Format: `projects/{project}/locations/{location}/monitoredAgents/{monitored_agent}` (required)
filter: string, Optional. Filter expression restricting which AnalyzedSessions are included in the aggregation. Uses a subset of the `ListAnalyzedSessionsRequest.filter` grammar: a closed `detection_time` window with both bounds required, e.g. detection_time >= "2024-01-01T00:00:00Z" AND detection_time <= "2024-01-08T00:00:00Z" The `severity` clause supported on ListAnalyzedSessions is intentionally rejected here: this response groups by severity (one entry per bucket per agent), so a severity filter would collapse the rollup to a single bucket and produce a misleading per-agent view. If empty, the aggregation covers the last 3 days.
pageSize: integer, Optional. The standard list page size. The maximum value is 100; values above 100 will be coerced to 100. If unspecified, at most 10 MonitoredAgents will be returned.
pageToken: string, Optional. The standard list page token.
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format

Returns:
An object of the form:

{ # Response containing aggregated AnalyzedSession statistics, grouped by MonitoredAgent.
"agentAggregates": [ # Aggregated statistics — exactly one entry per unique MonitoredAgent matched by the request.
{ # Aggregated statistics for one MonitoredAgent.
"agentDisplayName": "A String", # Output only. The human-readable display name of the MonitoredAgent, denormalized from `monitored_agents.display_name`.
"agentResourceName": "A String", # The agent resource name. Format: `projects/{project}/locations/{location}/reasoningEngines/{agent}`
"agentStatus": "A String", # Output only. The enablement state of the MonitoredAgent (e.g. ACTIVE, DISABLED, ENABLING, INELIGIBLE, NEEDS_ACTION), denormalized from `monitored_agents.state`.
"anomalousSessionsCount": 42, # The number of anomalous (SESSION_STATE_FLAGGED) sessions for this agent.
"latestSessionTime": "A String", # The latest session update_time observed for this agent.
"location": "A String", # Output only. The GCP location (region) of the agent (e.g. `us-central1`). Denormalized from `monitored_agents.location`; empty when the agent is not enrolled or its location column is empty.
"monitoredAgent": "A String", # The MonitoredAgent resource name. Format: `projects/{project}/locations/{location}/monitoredAgents/{monitored_agent}`
"severities": { # Map of severity level (string representation of Severity) to detector summaries aggregated across all sessions for this agent. The key is the string representation of Severity enum: "SEVERITY_UNSPECIFIED", "SEVERITY_CRITICAL", "SEVERITY_HIGH", "SEVERITY_MEDIUM", "SEVERITY_LOW".
"a_key": { # Breakdown of anomalies by severity.
"detectorIds": [ # The list of detectors summaries for this severity level.
"A String",
],
"sessionsCount": 42, # Output only. The number of distinct sessions whose MAX severity equals `severity_level`. Each session is counted in exactly one bucket -- the highest severity that any of its detectors reached -- so summing `sessions_count` across all populated entries in a `severities` map equals the total anomalous session count for that scope (per-agent or view summary). Distinct from `detector_ids.size`: a session whose detectors fire at LOW and CRITICAL contributes one entry to `sessions_count` (in CRITICAL only) but contributes detector IDs to BOTH the LOW and CRITICAL buckets' `detector_ids` lists. For AAD audit landing-page scorecards, prefer `sessions_count` -- "Critical anomalies" means sessions ranked critical, not distinct critical-firing detectors. On AggregateAnalyzedSessionsResponse.summary, this is a TRUE GLOBAL count across all anomalous active agents in scope (not page-scoped). On per-agent entries within `agent_aggregates`, it's per-agent. On ListAnalyzedSessionsResponse, it is currently page-scoped to match the existing summary semantics on that API.
"severityLevel": "A String", # The severity level of the detector.
},
},
"totalSessionsCount": 42, # The number of analyzed sessions for this agent matched by the request.
},
],
"nextPageToken": "A String", # A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages.
"summary": { # The view summary. # Overall summary across every MonitoredAgent included in the response.
"anomalousAgentsCount": 42, # Output only. The number of distinct agents matching the request scope that have at least one anomalous session in the time window. On `AggregateAnalyzedSessionsResponse.summary` (wildcard parent), this is a true GLOBAL count across all anomalous active agents, NOT the page-row count. The denominator for an "anomalous active agents" scorecard pairs this with `ListMonitoredAgentsResponse.total_size` (filtered to `state = ACTIVE`). On `ListAnalyzedSessionsResponse.summary`, this field is not populated (the API is per-session, not per-agent).
"anomalousSessionsCount": 42, # Number of anomalous sessions.
"llmScannedSessionsCount": 42, # Output only. The number of distinct sessions in the time window that were scanned by Stage 2 LLM judges.
"severities": { # The list of severity summaries for the analyzed sessions. The key is the string representation of Severity enum: "SEVERITY_UNSPECIFIED", "SEVERITY_CRITICAL", "SEVERITY_HIGH", "SEVERITY_MEDIUM", "SEVERITY_LOW".
"a_key": { # Breakdown of anomalies by severity.
"detectorIds": [ # The list of detectors summaries for this severity level.
"A String",
],
"sessionsCount": 42, # Output only. The number of distinct sessions whose MAX severity equals `severity_level`. Each session is counted in exactly one bucket -- the highest severity that any of its detectors reached -- so summing `sessions_count` across all populated entries in a `severities` map equals the total anomalous session count for that scope (per-agent or view summary). Distinct from `detector_ids.size`: a session whose detectors fire at LOW and CRITICAL contributes one entry to `sessions_count` (in CRITICAL only) but contributes detector IDs to BOTH the LOW and CRITICAL buckets' `detector_ids` lists. For AAD audit landing-page scorecards, prefer `sessions_count` -- "Critical anomalies" means sessions ranked critical, not distinct critical-firing detectors. On AggregateAnalyzedSessionsResponse.summary, this is a TRUE GLOBAL count across all anomalous active agents in scope (not page-scoped). On per-agent entries within `agent_aggregates`, it's per-agent. On ListAnalyzedSessionsResponse, it is currently page-scoped to match the existing summary semantics on that API.
"severityLevel": "A String", # The severity level of the detector.
},
},
"totalSessionsCount": 42, # Total number of sessions.
},
}

aggregate_next()

Retrieves the next page of results.

        Args:
          previous_request: The request for the previous page. (required)
          previous_response: The response from the request for the previous page. (required)

        Returns:
          A request object that you can call 'execute()' on to request the next
          page. Returns None if there are no more items in the collection.

close()

Close httplib2 connections.

get(name, view=None, x__xgafv=None)

Gets the details of a specific AnalyzedSession.

Args:
  name: string, Required. The name of the AnalyzedSession resource. Format: `projects/{project}/locations/{location}/monitoredAgents/{monitored_agent}/analyzedSessions/{analyzed_session}` (required)
  view: string, Optional. Resource view to control which fields are returned.
    Allowed values
      ANALYZED_SESSION_VIEW_UNSPECIFIED - The default view: BASIC.
      ANALYZED_SESSION_VIEW_BASIC - Basic view includes only the fields needed for the list table (name, session_id, created_time, severity counts).
      ANALYZED_SESSION_VIEW_FULL - Full view includes all fields, including the detailed assessment.
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # An analyzed session for a monitored agent.
  "agentDisplayName": "A String", # Output only. The human-readable display name of the MonitoredAgent that owns this session, denormalized from `monitored_agents.display_name` so the UI can render an agent name in the per-session feed without an extra `getMonitoredAgent` round-trip. May be empty when the session's agent_id is not enrolled as a MonitoredAgent (i.e. the JOIN missed); the `agent_resource_name` URN is always present and can be used as a fallback identifier.
  "agentResourceName": "A String", # Output only. The agent resource name. Format: `projects/{project}/locations/{location}/reasoningEngines/{agent}`
  "agentState": "A String", # Output only. The current enablement state of the MonitoredAgent that owns this session (e.g. ACTIVE, DISABLED, ENABLING, INELIGIBLE, NEEDS_ACTION), denormalized from `monitored_agents.state`. Defaults to ENABLEMENT_STATE_UNSPECIFIED when the agent is not enrolled (the JOIN missed) or its state column is empty / unknown.
  "assessment": { # Detailed assessment for an analyzed session. # Output only. Overall security assessment. Populated only in FULL view.
    "detectorFindings": [ # The list of detector findings.
      { # The details of a detector's assessment within an analyzed session.
        "detectorId": "A String", # The detector ID.
        "displayName": "A String", # The detector display name.
        "explanation": "A String", # The explanation of the finding.
        "probability": 3.14, # The probability that this finding is an anomaly, in the range [0.0, 1.0].
        "recommendations": [ # The list of recommendations for this detector finding.
          "A String",
        ],
        "severity": "A String", # The severity of the finding.
      },
    ],
  },
  "createTime": "A String", # Output only. The creation time of the session.
  "latestAnalyzedTime": "A String", # Output only. The latest analyzed time of the session.
  "location": "A String", # Output only. The GCP location (region) of the agent that ran this session (e.g. `us-central1`). Denormalized from `monitored_agents.location`; empty when the agent is not enrolled or its location column is empty.
  "name": "A String", # Identifier. The resource name of the AnalyzedSession.
  "sessionId": "A String", # Output only. The session ID.
  "sessionState": "A String", # Output only. The state of the session.
  "severities": { # Output only. Map of severity counts for listing analyzed sessions. The key is the string representation of Severity. Populated in BASIC view only.
    "a_key": { # Breakdown of anomalies by severity.
      "detectorIds": [ # The list of detectors summaries for this severity level.
        "A String",
      ],
      "sessionsCount": 42, # Output only. The number of distinct sessions whose MAX severity equals `severity_level`. Each session is counted in exactly one bucket -- the highest severity that any of its detectors reached -- so summing `sessions_count` across all populated entries in a `severities` map equals the total anomalous session count for that scope (per-agent or view summary). Distinct from `detector_ids.size`: a session whose detectors fire at LOW and CRITICAL contributes one entry to `sessions_count` (in CRITICAL only) but contributes detector IDs to BOTH the LOW and CRITICAL buckets' `detector_ids` lists. For AAD audit landing-page scorecards, prefer `sessions_count` -- "Critical anomalies" means sessions ranked critical, not distinct critical-firing detectors. On AggregateAnalyzedSessionsResponse.summary, this is a TRUE GLOBAL count across all anomalous active agents in scope (not page-scoped). On per-agent entries within `agent_aggregates`, it's per-agent. On ListAnalyzedSessionsResponse, it is currently page-scoped to match the existing summary semantics on that API.
      "severityLevel": "A String", # The severity level of the detector.
    },
  },
  "userId": "A String", # Output only. The user ID.
}

list(parent, filter=None, orderBy=None, pageSize=None, pageToken=None, view=None, x__xgafv=None)

Lists AnalyzedSessions in a MonitoredAgent.

Args:
parent: string, Required. The parent MonitoredAgent resource. Format: `projects/{project}/locations/{location}/monitoredAgents/{monitored_agent}` (required)
filter: string, Optional. Filter expression restricting which AnalyzedSessions are returned. A subset of AIP-160 supporting two clauses joined by AND: 1. A closed time window on `detection_time`. If included, both bounds are required: detection_time >= "" AND detection_time <= "" 2. An equality on `severity`, where the value is the string representation of a Severity enum value (e.g., "CRITICAL", "HIGH", "MEDIUM", "LOW"). "SEVERITY_UNSPECIFIED" is not supported. The filter matches sessions whose maximum severity equals the requested bucket (a session whose detectors fire at LOW and CRITICAL is matched by `severity = "CRITICAL"`, not `severity = "LOW"`): severity = "CRITICAL" Both clauses are independently optional and may appear in either order. Each clause may appear at most once. Example (time window + severity): detection_time >= "2024-01-01T00:00:00Z" AND detection_time <= "2024-01-08T00:00:00Z" AND severity = "CRITICAL" If empty, results are restricted to the last 3 days with no severity restriction. Other fields, additional operators, set membership (IN), and boolean combinations (OR, NOT, parentheses) are not yet supported.
orderBy: string, Optional. Comma-separated list of fields to sort by, following AIP-132 syntax. The default sort direction is ascending; append " desc" to a field to sort descending. Subfields are not supported (no field listed below has any). Supported fields (any other field yields INVALID_ARGUMENT): * `latest_detection_time` - the session's most-recent flagged detection time. This is the column the landing page's "Detection time" header sorts on. Sorted by the underlying TIMESTAMP value (newer is "greater" so `latest_detection_time desc` puts the newest sessions first). * `max_severity_rank` - the session's bucketed maximum severity, ranked LOW=1 < MEDIUM=2 < HIGH=3 < CRITICAL=4 (matches `Severity` enum ordering). `max_severity_rank desc` puts the most-severe sessions first. The ranking is documented here per AIP-132 because the field is not a natural-comparator type. The server always appends `session_id ASC` as a stable tiebreak so pagination remains consistent across pages when the primary sort field has duplicates (e.g. multiple sessions with the same latest_detection_time within a second). If empty, defaults to `latest_detection_time desc` (the prior implicit behavior). Multi-field sort (e.g. `max_severity_rank desc, latest_detection_time desc`) is supported. The `order_by` value MUST match the value used on the call that minted any supplied `page_token` (AIP-158). Mismatches yield INVALID_ARGUMENT.
pageSize: integer, Optional. The maximum number of analyzed sessions to return.
pageToken: string, Optional. A page token, received from a previous `ListAnalyzedSessions` call.
view: string, Optional. Resource view to control which fields are returned.
Allowed values
ANALYZED_SESSION_VIEW_UNSPECIFIED - The default view: BASIC.
ANALYZED_SESSION_VIEW_BASIC - Basic view includes only the fields needed for the list table (name, session_id, created_time, severity counts).
ANALYZED_SESSION_VIEW_FULL - Full view includes all fields, including the detailed assessment.
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format

Returns:
An object of the form:

{ # Response to list analyzed sessions.
"analyzedSessions": [ # The list of analyzed sessions.
{ # An analyzed session for a monitored agent.
"agentDisplayName": "A String", # Output only. The human-readable display name of the MonitoredAgent that owns this session, denormalized from `monitored_agents.display_name` so the UI can render an agent name in the per-session feed without an extra `getMonitoredAgent` round-trip. May be empty when the session's agent_id is not enrolled as a MonitoredAgent (i.e. the JOIN missed); the `agent_resource_name` URN is always present and can be used as a fallback identifier.
"agentResourceName": "A String", # Output only. The agent resource name. Format: `projects/{project}/locations/{location}/reasoningEngines/{agent}`
"agentState": "A String", # Output only. The current enablement state of the MonitoredAgent that owns this session (e.g. ACTIVE, DISABLED, ENABLING, INELIGIBLE, NEEDS_ACTION), denormalized from `monitored_agents.state`. Defaults to ENABLEMENT_STATE_UNSPECIFIED when the agent is not enrolled (the JOIN missed) or its state column is empty / unknown.
"assessment": { # Detailed assessment for an analyzed session. # Output only. Overall security assessment. Populated only in FULL view.
"detectorFindings": [ # The list of detector findings.
{ # The details of a detector's assessment within an analyzed session.
"detectorId": "A String", # The detector ID.
"displayName": "A String", # The detector display name.
"explanation": "A String", # The explanation of the finding.
"probability": 3.14, # The probability that this finding is an anomaly, in the range [0.0, 1.0].
"recommendations": [ # The list of recommendations for this detector finding.
"A String",
],
"severity": "A String", # The severity of the finding.
},
],
},
"createTime": "A String", # Output only. The creation time of the session.
"latestAnalyzedTime": "A String", # Output only. The latest analyzed time of the session.
"location": "A String", # Output only. The GCP location (region) of the agent that ran this session (e.g. `us-central1`). Denormalized from `monitored_agents.location`; empty when the agent is not enrolled or its location column is empty.
"name": "A String", # Identifier. The resource name of the AnalyzedSession.
"sessionId": "A String", # Output only. The session ID.
"sessionState": "A String", # Output only. The state of the session.
"severities": { # Output only. Map of severity counts for listing analyzed sessions. The key is the string representation of Severity. Populated in BASIC view only.
"a_key": { # Breakdown of anomalies by severity.
"detectorIds": [ # The list of detectors summaries for this severity level.
"A String",
],
"sessionsCount": 42, # Output only. The number of distinct sessions whose MAX severity equals `severity_level`. Each session is counted in exactly one bucket -- the highest severity that any of its detectors reached -- so summing `sessions_count` across all populated entries in a `severities` map equals the total anomalous session count for that scope (per-agent or view summary). Distinct from `detector_ids.size`: a session whose detectors fire at LOW and CRITICAL contributes one entry to `sessions_count` (in CRITICAL only) but contributes detector IDs to BOTH the LOW and CRITICAL buckets' `detector_ids` lists. For AAD audit landing-page scorecards, prefer `sessions_count` -- "Critical anomalies" means sessions ranked critical, not distinct critical-firing detectors. On AggregateAnalyzedSessionsResponse.summary, this is a TRUE GLOBAL count across all anomalous active agents in scope (not page-scoped). On per-agent entries within `agent_aggregates`, it's per-agent. On ListAnalyzedSessionsResponse, it is currently page-scoped to match the existing summary semantics on that API.
"severityLevel": "A String", # The severity level of the detector.
},
},
"userId": "A String", # Output only. The user ID.
},
],
"nextPageToken": "A String", # A token to retrieve the next page of results.
"summary": { # The view summary. # Summary statistics for the sessions returned on the current page. This is computed across the current page only (not the full result set) and is populated on every page. Callers that need aggregate statistics across the entire result set should use AggregateAnalyzedSessions.
"anomalousAgentsCount": 42, # Output only. The number of distinct agents matching the request scope that have at least one anomalous session in the time window. On `AggregateAnalyzedSessionsResponse.summary` (wildcard parent), this is a true GLOBAL count across all anomalous active agents, NOT the page-row count. The denominator for an "anomalous active agents" scorecard pairs this with `ListMonitoredAgentsResponse.total_size` (filtered to `state = ACTIVE`). On `ListAnalyzedSessionsResponse.summary`, this field is not populated (the API is per-session, not per-agent).
"anomalousSessionsCount": 42, # Number of anomalous sessions.
"llmScannedSessionsCount": 42, # Output only. The number of distinct sessions in the time window that were scanned by Stage 2 LLM judges.
"severities": { # The list of severity summaries for the analyzed sessions. The key is the string representation of Severity enum: "SEVERITY_UNSPECIFIED", "SEVERITY_CRITICAL", "SEVERITY_HIGH", "SEVERITY_MEDIUM", "SEVERITY_LOW".
"a_key": { # Breakdown of anomalies by severity.
"detectorIds": [ # The list of detectors summaries for this severity level.
"A String",
],
"sessionsCount": 42, # Output only. The number of distinct sessions whose MAX severity equals `severity_level`. Each session is counted in exactly one bucket -- the highest severity that any of its detectors reached -- so summing `sessions_count` across all populated entries in a `severities` map equals the total anomalous session count for that scope (per-agent or view summary). Distinct from `detector_ids.size`: a session whose detectors fire at LOW and CRITICAL contributes one entry to `sessions_count` (in CRITICAL only) but contributes detector IDs to BOTH the LOW and CRITICAL buckets' `detector_ids` lists. For AAD audit landing-page scorecards, prefer `sessions_count` -- "Critical anomalies" means sessions ranked critical, not distinct critical-firing detectors. On AggregateAnalyzedSessionsResponse.summary, this is a TRUE GLOBAL count across all anomalous active agents in scope (not page-scoped). On per-agent entries within `agent_aggregates`, it's per-agent. On ListAnalyzedSessionsResponse, it is currently page-scoped to match the existing summary semantics on that API.
"severityLevel": "A String", # The severity level of the detector.
},
},
"totalSessionsCount": 42, # Total number of sessions.
},
}

Agent Platform API . projects . locations . monitoredAgents . analyzedSessions

Instance Methods

Method Details