Method: legacy.legacyFetchUdmSearchCsv

Full name: projects.locations.instances.legacy.legacyFetchUdmSearchCsv

Legacy endpoint for fetching csv rows for matching UDM search.

HTTP request

POST https://chronicle.googleapis.com/v1alpha/{instance}/legacy:legacyFetchUdmSearchCsv

Path parameters

Parameters
instance

string

Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}

Request body

The request body contains data with the following structure:

JSON representation 
{
  "baseline_query": string,
  "snapshot_query": string,
  "baseline_time_range": {
    object (Interval)
  },
  "snapshot_time_range": {
    object (Interval)
  },
  "fields": {
    object (FetchUdmSearchCsvFields)
  },
  "case_insensitive": boolean
}
Fields
baseline_query

string

Required. The baseline query to search for.
snapshot_query

string

The snapshot query to search for.
baseline_time_range

object (Interval)

Required. The time range to search for [inclusive start time, exclusive end time).
snapshot_time_range

object (Interval)

The time range to filter for [inclusive start time, exclusive end time). This time range must be completely within baseline_time_range. If not set, it is assumed to match baseline_time_range.
fields

object (FetchUdmSearchCsvFields)

Required. The fields in UDM Event whose values need to be used to create the CSV File.
case_insensitive

boolean

If true, the search should be performed in a case-insensitive manner. This applies to both baseline and snapshot queries.

Response body

Response with the CSV entries to append to file in UI along with progress.

If successful, the response body contains data with the following structure:

JSON representation 
{
  "progress": number,
  "too_many_events": boolean,
  "complete": boolean,
  "valid_baseline_query": boolean,
  "valid_snapshot_query": boolean,
  "query_validation_errors": [
    {
      object (ErrorMessage)
    }
  ],
  "runtime_errors": [
    {
      object (RuntimeError)
    }
  ],
  "csv": {
    object (CsvEntries)
  }
}
Fields
progress

number

Progress of the query represented as a double between 0 and 1.
too_many_events

boolean

If true, there are too many events to return and some have been omitted.
complete

boolean

Streaming for this response is done. There will be no additional updates.
valid_baseline_query

boolean

Indicates whether the request baseline_query is a valid structured query or not. If not, query_validation_errors will include the parse error.
valid_snapshot_query

boolean

Indicates whether the request baseline and snapshot queries are valid. If not, query_validation_errors will include the parse error.
query_validation_errors[]

object (ErrorMessage)

Parse error for the baseline_query and/or the snapshot_query.
runtime_errors[]

object (RuntimeError)

Runtime errors.
csv

object (CsvEntries)

List of CSV rows

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

IAM Permissions

Requires the following IAM permission on the instance resource:

  • chronicle.legacies.legacyFetchUdmSearchCsv

For more information, see the IAM documentation.

FetchUdmSearchCsvFields

JSON representation 
{
  "fields": [
    string
  ]
}
Fields
fields[]

string

CsvEntries

JSON representation 
{
  "row": [
    string
  ]
}
Fields
row[]

string