Method: legacy.legacyFetchUdmSearchView

Full name: projects.locations.instances.legacy.legacyFetchUdmSearchView

Legacy endpoint for fetching events, filters, and histograms matching UDM search.

HTTP request

POST https://chronicle.googleapis.com/v1alpha/{instance}/legacy:legacyFetchUdmSearchView

Path parameters

Parameters
instance

string

Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}

Request body

The request body contains data with the following structure:

JSON representation 
{
  "baseline_query": string,
  "snapshot_query": string,
  "baseline_time_range": {
    object (Interval)
  },
  "snapshot_time_range": {
    object (Interval)
  },
  "event_list": {
    object (UdmEventListOptions)
  },
  "timeline": {
    object (EventCountTimelineOptions)
  },
  "field_aggregations": {
    object (UdmFieldAggregationsOptions)
  },
  "case_insensitive": boolean,
  "detection_options": {
    object (DetectionOptions)
  },
  "stats_function_parameter": {
    object (FunctionParameter)
  },
  "draft_data_access_scope": {
    object (DataAccessScope)
  },
  "prevalence": {
    object (UdmPrevalenceOptions)
  }
}
Fields
baseline_query

string

Required. Boolean query to search for events. You can refer to https://cloud.google.com/chronicle/docs/investigation/udm-search for the query syntax. Example: 'ip=/172.*/ AND metadata.event_type!="NETWORK_CONNECTION" AND ( target.ip = "3.225.179.73" OR target.ip = "23.47.48.70")'
snapshot_query

string

Query applied to the baseline query's events. In other words, this query is applied to the Snapshot produced from the baseline query. The snapshot_query has the same syntax as baseline_query and is implicitly ANDed with baseline_query to produce events.
baseline_time_range

object (Interval)

Required. Required, the time range to search for [inclusive start time, exclusive end time).
snapshot_time_range

object (Interval)

The time range to filter for [inclusive start time, exclusive end time). This time range must be completely within baseline_time_range. If not set, it is assumed to match baseline_time_range.
event_list

object (UdmEventListOptions)

Parameters for the Events that will be streamed back.
timeline

object (EventCountTimelineOptions)

Parameters for the EventCountTimeline that will be streamed back.
field_aggregations

object (UdmFieldAggregationsOptions)

Parameters for the Aggregated UDM fields that will be streamed back.
case_insensitive

boolean

If true, the search should be performed in a case-insensitive manner. This applies to both baseline and snapshot queries.
detection_options

object (DetectionOptions)

Fetch alerts/detections relevant to the search result.
stats_function_parameter

object (FunctionParameter)

The request to apply statistical function on filtered data.
draft_data_access_scope

object (DataAccessScope)

Data access scope used to filter events. This is intended to be used by admins to preview in-development scopes. Should only be called by users with global access. If the caller does not have global access, the request will fail.
prevalence

object (UdmPrevalenceOptions)

Parameters to get prevalence counts on Events returned by UDM Search

Response body

Depending on the parameters in ListUdmEventsV3Request, stream back some combination of UDM Events, EventCountTimeline, and UdmFieldAggregations.

If successful, the response body contains data with the following structure:

JSON representation 
{
  "progress": number,
  "too_many_events": boolean,
  "complete": boolean,
  "valid_baseline_query": boolean,
  "baseline_events_count": integer,
  "valid_snapshot_query": boolean,
  "query_validation_errors": [
    {
      object (ErrorMessage)
    }
  ],
  "runtime_errors": [
    {
      object (RuntimeError)
    }
  ],
  "filtered_events_count": integer,
  "stats_function_parameter_validation_error_message": string,
  "prevalence": {
    object (UdmPrevalenceResponse)
  },
  "events": {
    object (UdmEventList)
  },
  "timeline": {
    object (EventCountTimeline)
  },
  "field_aggregations": {
    object (UdmFieldAggregations)
  },
  "grouped_field_aggregations": {
    object (UdmFieldAggregations)
  },
  "detections": {
    object (Detections)
  },
  "stats_function_response": {
    object (FunctionResponse)
  }
}
Fields
progress

number

Progress of the query represented as a double between 0 and 1.
too_many_events

boolean

If true, there are too many events to return and some have been omitted.
complete

boolean

Streaming for this response is done. There will be no additional updates.
valid_baseline_query

boolean

Indicates whether the request baseline_query is a valid structured query or not. If not, query_validation_errors will include the parse error.
baseline_events_count

integer

The number of events in the baseline query.
valid_snapshot_query

boolean

Indicates whether the request baseline and snapshot queries are valid. If not, query_validation_errors will include the parse error.
query_validation_errors[]

object (ErrorMessage)

Parse error for the baseline_query and/or the snapshot_query.
runtime_errors[]

object (RuntimeError)

Runtime errors.
filtered_events_count

integer

The number of events in the snapshot that match the snapshot_query. This is <= baseline_events_count. If the snapshot query is empty this will be equivalent to baseline_events_count.
stats_function_parameter_validation_error_message

string

If the request's stats_function_parameter` is invalid, this field will contain the detailed error message.
prevalence

object (UdmPrevalenceResponse)

Prevalence results on Events returned by UDM Search
events

object (UdmEventList)

List of UDM events.
timeline

object (EventCountTimeline)

Timeline of event counts broken into buckets.
field_aggregations

object (UdmFieldAggregations)

List of UDM fields with aggregated values.
grouped_field_aggregations

object (UdmFieldAggregations)

List of grouped fields with aggregated values.
detections

object (Detections)

List of relevant detections, if detection_list.max_returned_detections was set.
stats_function_response

object (FunctionResponse)

Result for statistical function.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

IAM Permissions

Requires the following IAM permission on the instance resource:

  • chronicle.legacies.legacyFetchUdmSearchView

For more information, see the IAM documentation.

UdmEventListOptions

JSON representation 
{
  "max_returned_events": integer
}
Fields
max_returned_events

integer

EventCountTimelineOptions

This type has no fields.

UdmFieldAggregationsOptions

JSON representation 
{
  "max_values_per_field": integer
}
Fields
max_values_per_field

integer

DetectionOptions

JSON representation 
{
  "snapshot_query": string,
  "detection_list": {
    object (DetectionListOptions)
  },
  "field_aggregations": {
    object (UdmFieldAggregationsOptions)
  }
}
Fields
snapshot_query

string
detection_list

object (DetectionListOptions)
field_aggregations

object (UdmFieldAggregationsOptions)

DetectionListOptions

JSON representation 
{
  "max_returned_detections": integer
}
Fields
max_returned_detections

integer

FunctionParameter

JSON representation 
{
  "grouped_fields": [
    {
      object (GroupByField)
    }
  ],
  "selected_fields": [
    {
      object (SelectedField)
    }
  ],
  "orders": [
    {
      object (OrderBy)
    }
  ],
  "max_returned_rows": integer
}
Fields
grouped_fields[]

object (GroupByField)
selected_fields[]

object (SelectedField)
orders[]

object (OrderBy)
max_returned_rows

integer (uint32 format)

GroupByField

JSON representation 
{
  "udm_field_path": string,
  "to_lower_case": boolean,

  // Union field transformation can be only one of the following:
  "resolution_in_nano_seconds": string,
  "cidr_prefix_length_in_bits": integer,
  "top_n_level_domain": integer,
  "get_registered_domain": boolean
  // End of list of possible types for union field transformation.
}
Fields
udm_field_path

string
to_lower_case

boolean

Union field transformation.

transformation can be only one of the following:
resolution_in_nano_seconds

string
cidr_prefix_length_in_bits

integer (uint32 format)
top_n_level_domain

integer (uint32 format)
get_registered_domain

boolean

SelectedField

JSON representation 
{
  "udm_field_path": string,
  "function_type": enum (FunctionType),
  "percentile": number
}
Fields
udm_field_path

string
function_type

enum (FunctionType)
percentile

number

FunctionType

Enums
FUNCTION_TYPE_UNSPECIFIED
FUNCTION_TYPE_SUM
FUNCTION_TYPE_COUNT
FUNCTION_TYPE_COUNT_DISTINCT
FUNCTION_TYPE_AVERAGE
FUNCTION_TYPE_STDDEV
FUNCTION_TYPE_MIN
FUNCTION_TYPE_MAX

OrderBy

JSON representation 
{
  "field_index": integer,
  "is_descending_order": boolean
}
Fields
field_index

integer (uint32 format)
is_descending_order

boolean

UdmPrevalenceOptions

JSON representation 
{
  "get_prevalence": boolean,
  "bucket_size": {
    object (UdmSearchAggregationBucketFunction)
  }
}
Fields
get_prevalence

boolean
bucket_size

object (UdmSearchAggregationBucketFunction)

UdmSearchAggregationBucketFunction

JSON representation 
{
  "resolution_in_seconds": integer
}
Fields
resolution_in_seconds

integer

UdmEventList

JSON representation 
{
  "events": [
    {
      object (UdmEventInfo)
    }
  ]
}
Fields
events[]

object (UdmEventInfo)

EventCountTimeline

JSON representation 
{
  "buckets": [
    {
      object (EventCountTimelineBucket)
    }
  ],
  "size_of_bucket_ms": string
}
Fields
buckets[]

object (EventCountTimelineBucket)
size_of_bucket_ms

string (int64 format)

EventCountTimelineBucket

JSON representation 
{
  "baseline_event_count": integer,
  "event_count": integer,
  "baseline_alert_count": integer,
  "alert_count": integer
}
Fields
baseline_event_count

integer
event_count

integer
baseline_alert_count

integer
alert_count

integer

UdmFieldAggregations

JSON representation 
{
  "fields": [
    {
      object (UdmFieldAggregation)
    }
  ]
}
Fields
fields[]

object (UdmFieldAggregation)

UdmFieldAggregation

JSON representation 
{
  "field_name": string,
  "baseline_event_count": integer,
  "event_count": integer,
  "too_many_values": boolean,
  "value_count": integer,
  "all_values": [
    {
      object (UdmValueCount)
    }
  ],
  "top_values": [
    {
      object (UdmValueCount)
    }
  ],
  "bottom_values": [
    {
      object (UdmValueCount)
    }
  ]
}
Fields
field_name

string
baseline_event_count

integer
event_count

integer
too_many_values

boolean
value_count

integer
all_values[]

object (UdmValueCount)
top_values[]

object (UdmValueCount)
bottom_values[]

object (UdmValueCount)

UdmValueCount

JSON representation 
{
  "value": {
    object (UdmFieldValue)
  },
  "baseline_event_count": integer,
  "event_count": integer
}
Fields
value

object (UdmFieldValue)
baseline_event_count

integer
event_count

integer

UdmFieldValue

JSON representation 
{

  // Union field value can be only one of the following:
  "string_value": string,
  "int32_value": integer,
  "uint32_value": integer,
  "int64_value": string,
  "uint64_value": string,
  "float_value": number,
  "double_value": number,
  "enum_value": string,
  "bool_value": boolean,
  "bytes_value": string,
  "is_null": boolean,
  "timestamp_value": string
  // End of list of possible types for union field value.
}
Fields

Union field value.

value can be only one of the following:
string_value

string
int32_value

integer
uint32_value

integer (uint32 format)
int64_value

string (int64 format)
uint64_value

string
float_value

number
double_value

number
enum_value

string
bool_value

boolean
bytes_value

string (bytes format)

A base64-encoded string.
is_null

boolean
timestamp_value

string (Timestamp format)

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

Detections

JSON representation 
{
  "detections": [
    {
      object (Collection)
    }
  ],
  "complete": boolean,
  "too_many_detections": boolean,
  "valid_snapshot_query": boolean,
  "baseline_alerts_count": integer,
  "filtered_alerts_count": integer,
  "detection_field_aggregations": {
    object (AlertFieldAggregations)
  }
}
Fields
detections[]

object (Collection)
complete

boolean
too_many_detections

boolean
valid_snapshot_query

boolean
baseline_alerts_count

integer
filtered_alerts_count

integer
detection_field_aggregations

object (AlertFieldAggregations)

FunctionResponse

JSON representation 
{
  "rows": [
    {
      object (FunctionResponseRow)
    }
  ],
  "too_many_rows": boolean
}
Fields
rows[]

object (FunctionResponseRow)
too_many_rows

boolean

FunctionResponseRow

JSON representation 
{
  "values": [
    {
      object (UdmFieldValue)
    }
  ]
}
Fields
values[]

object (UdmFieldValue)

UdmPrevalenceResponse

JSON representation 
{
  "buckets": [
    {
      object (UdmPrevalenceBucket)
    }
  ]
}
Fields
buckets[]

object (UdmPrevalenceBucket)

UdmPrevalenceBucket

JSON representation 
{
  "prevalence": [
    {
      object (UdmPrevalence)
    }
  ]
}
Fields
prevalence[]

object (UdmPrevalence)

UdmPrevalence

JSON representation 
{
  "artifacts": [
    {
      object (FieldAndValue)
    }
  ],
  "prevalence": integer
}
Fields
artifacts[]

object (FieldAndValue)
prevalence

integer

FieldAndValue

JSON representation 
{
  "value": string,
  "entity_namespace": string,

  // Union field type can be only one of the following:
  "field_path": string,
  "kvalue_type": enum (KValueType)
  // End of list of possible types for union field type.
}
Fields
value

string
entity_namespace

string

Union field type.

type can be only one of the following:
field_path

string
kvalue_type

enum (KValueType)

KValueType

Enums
UNKNOWN
COLLECTOR_ID
EVENT_SHARD
ASSET_IP_ADDRESS
MAC
HOSTNAME
PRODUCT_SPECIFIC_ID
NAMESPACE
DOMAIN_NAME
RESOLVED_IP_ADDRESS
STEMMED_DOMAIN_NAME
PROCESS_ID
FULL_COMMAND_LINE
FILE_NAME
FILE_PATH
HASH_MD5
HASH_SHA256
HASH_SHA1
RAW_PID
PARENT_PROCESS_ID
EMAIL
USERNAME
WINDOWS_SID
EMPLOYEE_ID
PRODUCT_OBJECT_ID
CLOUD_RESOURCE_NAME
REGISTRY_KEY
REGISTRY_VALUE_DATA
REGISTRY_VALUE_NAME