Access UDM search for the first time
To access Chronicle UDM Search from the Chronicle landing page for the first time, enter any full or partial UDM field in the search bar (for example, type principal.ip="10.1.2.3"). Click the search icon. On the top right of the user interface, click TRY NEW SEARCH. The UDM Search window is displayed. You can switch back to the previous version of search by clicking BACK TO LEGACY SEARCH.
Figure 1. UDM Search
Enter a UDM query
Complete the following steps to enter a UDM query in the UDM Search field. When you finish entering a UDM search, click RUN QUERY to proceed. The Chronicle user interface only allows you to enter valid UDM and syntax. You can also adjust the range of data to search by opening the date range window.
UDM queries are based on UDM fields. All the UDM fields are listed in the Unified Data Model field list. You can also view UDM fields within the context of searches by using the Procedural Filtering menu or Raw Log Scan.
To search for events, enter a UDM query in the search field. The user interface includes automatic completion and surfaces valid UDM based on what you have entered. Once you have entered a valid UDM field, you need to select a valid operator. The user interface displays the available valid operators based on the UDM field you entered. The following operators are supported:
nocase (supported for strings)
Once you have entered a valid UDM field and operator, you need to enter the corresponding log data you are searching for. The following data types are supported:
- Enumerated values—the user interface displays a list of valid enumerated values for a given UDM field. For example (must use double quotes and be all capitalized):
  metadata.event_type = "NETWORK_CONNECTION"
- Integers—for example:
  target.port = 443
- Regular expressions (the regular expression must be enclosed in slash (/) characters)—for example:
  principal.ip = /10.*/
  For more information on regular expressions, see https://github.com/google/re2/wiki/Syntax
- String—for example (must use double quotes):
  metadata.product_name = "GCP VPC Flow Logs"
You can use the nocase operator to search for any combination of upper and lower case versions of a given string:
$e.principal.hostname != "http-server" nocase
$e1.principal.hostname = $e2.target.hostname nocase
$e.principal.hostname = /dns-server-[0-9]+/ nocase
You can use boolean expressions to further narrow the range of data displayed. The following examples illustrate some types of supported boolean expressions (the NOT boolean operator can also be used):
A AND B
A OR B
(A OR B) AND (B OR C) AND (C OR NOT D)
The following examples illustrate how the actual syntax might appear:
# Login events to the finance server.
metadata.event_type = "USER_LOGIN" and target.hostname = "finance-svr"

# Example of using a regular expression.
# Execution of the psexec.exe tool on Windows.
target.process.command_line = /\bpsexec(\.exe)?\b/ nocase

# Example of using the greater than operator.
# Look for connections where more than 10MB of data was sent.
metadata.event_type = "NETWORK_CONNECTION" and network.sent_bytes > 10000000

# Example using multiple conditions.
# Winword launching cmd.exe or powershell.exe.
metadata.event_type = "PROCESS_LAUNCH" and principal.process.file.full_path = /winword/ and (target.process.file.full_path = /cmd.exe/ or target.process.file.full_path = /powershell.exe/)
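The syntax rules above (quoted strings, all-caps quoted enumerated values, bare integers with comparison operators, slash-delimited regular expressions, nocase on strings, and/or grouping) are easy to get wrong when queries are assembled programmatically, for example from a detection playbook. The following added example is not Chronicle code; it is a small Python builder that enforces those rules before a query string reaches the search UI. The field-path check and the use of Python's re module as a stand-in for RE2 validation are assumptions made for this example.

```python
import re

# Assumptions (not from the Chronicle docs): UDM field paths are dotted lower-case
# names, optionally prefixed by an event variable such as $e or $e1 as in the nocase examples.
_FIELD_RE = re.compile(r"^(\$e\d*\.)?[a-z_]+(\.[a-z_]+)*$")
_INT_OPS = {"=", "!=", "<", ">", "<=", ">="}

def _field(name: str) -> str:
    if not _FIELD_RE.match(name):
        raise ValueError(f"not a UDM field path: {name!r}")
    return name

def udm_string(field: str, value: str, op: str = "=", nocase: bool = False) -> str:
    """String condition: value must be double-quoted; nocase makes the match case-insensitive."""
    if op not in ("=", "!="):
        raise ValueError("string conditions use = or !=")
    if '"' in value:  # conservative: string escaping rules are not described on the page
        raise ValueError("double quotes inside string values are not supported here")
    return f'{_field(field)} {op} "{value}"' + (" nocase" if nocase else "")

def udm_enum(field: str, value: str) -> str:
    """Enumerated value: all capitals and double-quoted, e.g. "NETWORK_CONNECTION"."""
    if not re.fullmatch(r"[A-Z][A-Z0-9_]*", value):
        raise ValueError(f"enumerated values are all caps: {value!r}")
    return f'{_field(field)} = "{value}"'

def udm_int(field: str, op: str, value: int) -> str:
    """Integer condition: bare number (no quotes) with a comparison operator."""
    if op not in _INT_OPS:
        raise ValueError(f"unsupported operator: {op!r}")
    if isinstance(value, bool) or not isinstance(value, int):
        raise ValueError("integer conditions take an int, not a quoted string")
    return f"{_field(field)} {op} {value}"

def udm_regex(field: str, pattern: str, nocase: bool = False) -> str:
    """Regular expression: enclosed in slashes; compiled with Python's re as a syntax sanity check."""
    if "/" in pattern:
        raise ValueError("a '/' inside the pattern would terminate the regex literal")
    re.compile(pattern)  # raises re.error on a malformed pattern
    return f"{_field(field)} = /{pattern}/" + (" nocase" if nocase else "")

def udm_and(*conds: str) -> str:
    return " and ".join(conds)

def udm_or(*conds: str) -> str:
    return "(" + " or ".join(conds) + ")"  # parenthesised so it nests safely inside an and
```

Composing the page's "Winword launching cmd.exe or powershell.exe" query with udm_and, udm_enum, udm_regex and udm_or reproduces the string shown above exactly, while a lower-case enum value or a quoted integer is rejected before it is ever submitted.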
Events are displayed on the UDM Search page in the Events timeline table. You can narrow the results further by adding additional UDM fields manually or by using the interface.
Use the Interface to Search UDM Fields
You can use the UDM search user interface to search through UDM fields as an alternative to entering a UDM search manually.
Events timelines chart
The events timelines chart provides a graphical representation of the number of events occurring each day that are being surfaced by the current UDM query. The width of each bar depends on the time interval searched. For example, each bar will represent 10 minutes when the query spans 24 hours of data. This chart is updated dynamically as you modify the existing UDM query.
Figure 2. Events timelines chart
You can click on the Filtered Events and Query Events checkboxes to show or hide bars.
Figure 3. Events timelines chart with Filtered Events and Query Events
Modify the UDM Query with the UDM Fields and Values list
Using the UDM Fields and Values list, you can further narrow your UDM query. You can either scroll through the list of UDM fields or conduct a search. The UDM fields listed here are associated with the existing list of events generated by your UDM query. Each UDM field includes the number of events within your current UDM search that also include this piece of data. The UDM Fields and Values list displays the total number of unique Values within a field (first number) and the total number of Events within the field (second number). This feature enables you to hunt for particular types of log data that might be of further interest.
Figure 4. UDM Fields and Values list
Modify the UDM Query with UDM Filters and the Filter events field
If you select another UDM field, you are given the option to either Show only events which also include that UDM field or to Filter out that UDM field. If you select an integer value (for example, target.port), you will also see options to filter by <, >, <=, >=. Filter options will shorten the list of displayed events.
Figure 5. UDM Filters
These additional UDM fields are also added to the Filter events field above. The Filter events field helps you to keep track of the additional UDM fields you have added to the UDM search. You can also quickly remove these additional UDM fields as needed.
Figure 6. Filter events
If you click in the Filter events field, a list similar to the UDM Fields and Values list is displayed, enabling you to select additional UDM fields.
Figure 7. Filter events dialogue
If you click APPLY TO QUERY AND RUN, the UDM fields you have added to the Filter events field are added to the main UDM Search field at the top of the page and the query is automatically run using the same date and time parameters.
View events in the Event timelines table
All of these filters and controls will update the list of events displayed in the Event timelines table. Click on any of the listed events to open the Log Viewer where you can examine the raw log and the UDM for that event. If you click on the timestamp for an event, you can also navigate to the associated Asset or Domain view.
Figure 8. Event timelines table