Full name: projects.locations.instances.legacy.legacyFetchUdmSearchView
Legacy endpoint for fetching events, filters, and histograms matching UDM search.
HTTP request
POST https://chronicle.googleapis.com/v1alpha/{instance}/legacy:legacyFetchUdmSearchView
Path parameters
Parameters | |
---|---|
instance | Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance} |
Request body
The request body contains data with the following structure:
JSON representation |
---|
{ "baseline_query": string, "snapshot_query": string, "baseline_time_range": { object ( |
Fields | |
---|---|
baseline_ | Required. Boolean query to search for events. You can refer to https://cloud.google.com/chronicle/docs/investigation/udm-search for the query syntax. Example: 'ip=/172.*/ AND metadata.event_type!="NETWORK_CONNECTION" AND ( target.ip = "3.225.179.73" OR target.ip = "23.47.48.70")' |
snapshot_ | Query applied to the baseline query's events. In other words, this query is applied to the Snapshot produced from the baseline query. The |
baseline_ | Required. The time range to search for [inclusive start time, exclusive end time). |
snapshot_ | The time range to filter for [inclusive start time, exclusive end time). This time range must be completely within |
event_ | Parameters for the Events that will be streamed back. |
timeline | Parameters for the EventCountTimeline that will be streamed back. |
field_ | Parameters for the Aggregated UDM fields that will be streamed back. |
case_ | If true, the search should be performed in a case-insensitive manner. |
generate_ | Optional. If true, generate an AI overview for the search results. |
return_ | Optional. If this field is set to true, the response will only contain the operation resource name. The actual search results (events) will be streamed back when the client invokes the |
detection_ | Fetch alerts/detections relevant to the search result. |
stats_ | The request to apply a statistical function on the filtered data. |
draft_ | Data access scope used to filter events. This is intended to be used by admins to preview in-development scopes. Should only be called by users with global access. If the caller does not have global access, the request will fail. |
prevalence | Parameters to get prevalence counts on Events returned by UDM Search. |
enable_ | If true, the search will limit max_baseline_results to 30K events and remove the time-order guarantee (i.e., results may not be the most recent events in the baseline query time range). In this mode, replayed search queries are not guaranteed to yield the same results each time. This option is for proof-of-concept use cases only. |
Response body
Depending on the parameters in ListUdmEventsV3Request, stream back some combination of UDM Events, EventCountTimeline, and UdmFieldAggregations.
If successful, the response body contains data with the following structure:
JSON representation |
---|
{ "operation": string, "progress": number, "too_many_events": boolean, "too_large_response": boolean, "complete": boolean, "valid_baseline_query": boolean, "baseline_events_count": integer, "valid_snapshot_query": boolean, "query_validation_errors": [ { object ( |
Fields | |
---|---|
operation | The name of the operation resource representing the UDM Search operation. This can be passed to The metadata type of the operation is Format: projects/{project}/locations/{location}/instances/{instance}/operations/{operation} |
progress | Progress of the query represented as a double between 0 and 1. |
too_ | If true, there are too many events to return and some have been omitted. |
too_ | If true, the response to be returned to the UI is too large and some events have been omitted. |
complete | Streaming for this response is done. There will be no additional updates. |
valid_ | Indicates whether the request baseline_query is a valid structured query or not. If not, |
baseline_ | The number of events in the baseline query. |
valid_ | Indicates whether the request baseline and snapshot queries are valid. If not, |
query_ | Parse errors for the baseline_query and/or the snapshot_query. |
runtime_ | Runtime errors. |
filtered_ | The number of events in the snapshot that match the snapshot_query. This is <= |
stats_ | If the request's stats_function_parameter is invalid, this field will contain the detailed error message. |
prevalence | Prevalence results on Events returned by UDM Search. |
stats | Stats results when the query is for statistics. |
data_ | Data source of the query and results in the case of a statistics query. |
ai_ | AI generated overview for the search results. Only populated if the AI features are enabled for the customer and generate_ai_overview is set to true in the request. |
events | List of UDM events. NOTE: After complete is set to true, the |
timeline | Timeline of event counts broken into buckets. |
field_ | List of UDM fields with aggregated values. |
grouped_ | List of grouped fields with aggregated values. |
detections | List of relevant detections, if detection_list.max_returned_detections was set. |
stats_ | Result for the statistical function. |
activity_ | Timeline of event counts broken into hourly/daily buckets to identify activity. |
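The request and streamed-response shapes above are easy to get wrong on the client side: the response arrives as a sequence of messages whose `progress`, `complete`, `too_many_events` and `too_large_response` fields decide whether the collected event list can be trusted as complete. The following Python helper is an added example and is not Chronicle's own client library. It uses only field names that appear on this page; the `start_time`/`end_time` keys inside `baseline_time_range`, and the treatment of the response `events` field as a `UdmEventList` wrapper, are assumptions where the page truncates the type. No HTTP call is made; the sample stream is constructed inline.

```python
"""Helpers for the legacyFetchUdmSearchView request and streamed response.

Added example, not Chronicle's own client library. Field names are the ones
shown on this page; the start_time/end_time keys inside baseline_time_range
and the UdmEventList wrapper around the response "events" field are
ASSUMPTIONS where the page truncates the type.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, Iterable, List

ENDPOINT = ("https://chronicle.googleapis.com/v1alpha/{instance}"
            "/legacy:legacyFetchUdmSearchView")


def request_url(project: str, location: str, instance_id: str) -> str:
    """POST URL built from the instance resource name format on the page."""
    instance = f"projects/{project}/locations/{location}/instances/{instance_id}"
    return ENDPOINT.format(instance=instance)


def build_request(baseline_query: str, start_rfc3339: str, end_rfc3339: str,
                  snapshot_query: str = "") -> Dict[str, Any]:
    """Request body: baseline_query and baseline_time_range are required;
    snapshot_query narrows the baseline snapshot and is optional."""
    if not baseline_query.strip():
        raise ValueError("baseline_query is required")
    body: Dict[str, Any] = {
        "baseline_query": baseline_query,
        # ASSUMPTION: Interval-style keys; the page truncates this object.
        "baseline_time_range": {"start_time": start_rfc3339,
                                "end_time": end_rfc3339},
    }
    if snapshot_query:
        body["snapshot_query"] = snapshot_query
    return body


@dataclass
class SearchResult:
    operation: str = ""
    progress: float = 0.0
    complete: bool = False
    too_many_events: bool = False
    too_large_response: bool = False
    valid_baseline_query: bool = True
    valid_snapshot_query: bool = True
    baseline_events_count: int = 0
    query_validation_errors: List[Any] = field(default_factory=list)
    events: List[Dict[str, Any]] = field(default_factory=list)


def consume_stream(chunks: Iterable[Dict[str, Any]]) -> SearchResult:
    """Fold the streamed response messages into one SearchResult.

    progress is a double in [0, 1]; complete=true means no further updates;
    too_many_events / too_large_response mean events were omitted, so the
    collected list must not be treated as exhaustive when either is set.
    """
    r = SearchResult()
    for msg in chunks:
        if r.complete:
            raise ValueError("message received after complete=true")
        r.operation = msg.get("operation", r.operation)
        r.progress = float(msg.get("progress", r.progress))
        if not 0.0 <= r.progress <= 1.0:
            raise ValueError(f"progress out of range: {r.progress}")
        for flag in ("too_many_events", "too_large_response"):
            if msg.get(flag):
                setattr(r, flag, True)  # sticky: once omitted, stays omitted
        r.valid_baseline_query = msg.get("valid_baseline_query", r.valid_baseline_query)
        r.valid_snapshot_query = msg.get("valid_snapshot_query", r.valid_snapshot_query)
        r.baseline_events_count = msg.get("baseline_events_count", r.baseline_events_count)
        r.query_validation_errors.extend(msg.get("query_validation_errors", []))
        # ASSUMPTION: "events" is a UdmEventList ({"events": [...]}) as on
        # this page; a bare list is accepted as well.
        ev = msg.get("events", [])
        r.events.extend(ev.get("events", []) if isinstance(ev, dict) else ev)
        r.complete = bool(msg.get("complete", False))
    return r


def is_exhaustive(r: SearchResult) -> bool:
    """True only when the stream finished and nothing was omitted."""
    return r.complete and not (r.too_many_events or r.too_large_response)


# Constructed sample stream (not captured from a live instance).
SAMPLE_CHUNKS = [
    {"operation": "projects/p/locations/us/instances/i/operations/op-constructed",
     "progress": 0.25, "valid_baseline_query": True, "baseline_events_count": 3,
     "events": {"events": [{"metadata": {"event_type": "NETWORK_CONNECTION"}}]}},
    {"progress": 0.8,
     "events": {"events": [{"target": {"ip": ["172.16.0.5"]}},
                           {"target": {"ip": ["3.225.179.73"]}}]}},
    {"progress": 1.0, "complete": True, "too_many_events": True},
]

if __name__ == "__main__":
    result = consume_stream(SAMPLE_CHUNKS)
    print(len(result.events), "events; exhaustive:", is_exhaustive(result))
```

The sticky handling of `too_many_events` and `too_large_response` is deliberate: a single message flagging omission means the final event list is a sample, not the full baseline, so any "no match found" conclusion drawn from it should be re-run with a narrower `snapshot_query` or time range rather than recorded as a negative result.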
Authorization scopes
Requires the following OAuth scope:
https://www.googleapis.com/auth/cloud-platform
For more information, see the Authentication Overview.
IAM Permissions
Requires the following IAM permission on the instance resource:
chronicle.legacies.legacyFetchUdmSearchView
For more information, see the IAM documentation.
UdmEventListOptions
JSON representation |
---|
{ "max_returned_events": integer } |
Fields | |
---|---|
max_ | |
EventCountTimelineOptions
This type has no fields.
UdmFieldAggregationsOptions
JSON representation |
---|
{ "max_values_per_field": integer } |
Fields | |
---|---|
max_ | |
DetectionOptions
JSON representation |
---|
{ "snapshot_query": string, "detection_list": { object ( |
Fields | |
---|---|
snapshot_ | |
detection_ | |
field_ | |
DetectionListOptions
JSON representation |
---|
{ "max_returned_detections": integer } |
Fields | |
---|---|
max_ | |
FunctionParameter
JSON representation |
---|
{ "grouped_fields": [ { object ( |
Fields | |
---|---|
grouped_ | |
selected_ | |
orders[] | |
max_ | |
GroupByField
JSON representation |
---|
{ "udm_field_path": string, "to_lower_case": boolean, // Union field |
Fields | |
---|---|
udm_ | |
to_ | |
Union field | |
resolution_ | |
cidr_ | |
top_ | |
get_ | |
SelectedField
JSON representation |
---|
{ "udm_field_path": string, "function_type": enum ( |
Fields | |
---|---|
udm_ | |
function_ | |
percentile | |
FunctionType
Enums | |
---|---|
FUNCTION_TYPE_UNSPECIFIED | |
FUNCTION_TYPE_SUM | |
FUNCTION_TYPE_COUNT | |
FUNCTION_TYPE_COUNT_DISTINCT | |
FUNCTION_TYPE_AVERAGE | |
FUNCTION_TYPE_STDDEV | |
FUNCTION_TYPE_MIN | |
FUNCTION_TYPE_MAX | |
OrderBy
JSON representation |
---|
{ "field_index": integer, "is_descending_order": boolean } |
Fields | |
---|---|
field_ | |
is_ | |
UdmPrevalenceOptions
JSON representation |
---|
{ "get_prevalence": boolean, "bucket_size": { object ( |
Fields | |
---|---|
get_ | |
bucket_ | |
UdmSearchAggregationBucketFunction
JSON representation |
---|
{ "resolution_in_seconds": integer } |
Fields | |
---|---|
resolution_ | |
UdmEventList
JSON representation |
---|
{ "events": [ { object ( |
Fields | |
---|---|
events[] | |
column_ | |
progress | |
too_ | |
complete | |
ColumnNames
JSON representation |
---|
{ "names": [ string ] } |
Fields | |
---|---|
names[] | |
EventCountTimeline
JSON representation |
---|
{ "buckets": [ { object ( |
Fields | |
---|---|
buckets[] | |
size_ | |
EventCountTimelineBucket
JSON representation |
---|
{ "baseline_event_count": integer, "event_count": integer, "baseline_alert_count": integer, "alert_count": integer, "baseline_timed_entity_count": integer, "filtered_timed_entity_count": integer, "entity_changed_count": { object ( |
Fields | |
---|---|
baseline_ | |
event_ | |
baseline_ | |
alert_ | |
baseline_ | |
filtered_ | |
entity_ | |
EntityChangedCountTimelineBucket
JSON representation |
---|
{ "total_changed_entities_count": integer, "entity_changed_info": [ { object ( |
Fields | |
---|---|
total_ | |
entity_ | |
EntityChangedInfo
JSON representation |
---|
{ "artifacts": { object ( |
Fields | |
---|---|
artifacts | |
entity_ | |
FieldAndValue
JSON representation |
---|
{ "value": string, "entity_namespace": string, // Union field |
Fields | |
---|---|
value | |
entity_ | |
Union field | |
field_ | |
kvalue_ | |
KValueType
Enums | |
---|---|
UNKNOWN | |
COLLECTOR_ID | |
EVENT_SHARD | |
ASSET_IP_ADDRESS | |
MAC | |
HOSTNAME | |
PRODUCT_SPECIFIC_ID | |
NAMESPACE | |
DOMAIN_NAME | |
RESOLVED_IP_ADDRESS | |
STEMMED_DOMAIN_NAME | |
PROCESS_ID | |
FULL_COMMAND_LINE | |
FILE_NAME | |
FILE_PATH | |
HASH_MD5 | |
HASH_SHA256 | |
HASH_SHA1 | |
RAW_PID | |
PARENT_PROCESS_ID | |
EMAIL | |
USERNAME | |
WINDOWS_SID | |
EMPLOYEE_ID | |
PRODUCT_OBJECT_ID | |
USER_DISPLAY_NAME | |
CLOUD_RESOURCE_NAME | |
REGISTRY_KEY | |
REGISTRY_VALUE_DATA | |
REGISTRY_VALUE_NAME | |
UdmFieldAggregations
JSON representation |
---|
{ "fields": [ { object ( |
Fields | |
---|---|
fields[] | |
group_ | |
complete | |
UdmFieldAggregation
JSON representation |
---|
{ "field_name": string, "baseline_event_count": integer, "event_count": integer, "too_many_values": boolean, "value_count": integer, "all_values": [ { object ( |
Fields | |
---|---|
field_ | |
baseline_ | |
event_ | |
too_ | |
value_ | |
all_ | |
top_ | |
bottom_ | |
aggregation_ | |
UdmValueCount
JSON representation |
---|
{ "value": { object ( |
Fields | |
---|---|
value | |
baseline_ | |
event_ | |
UdmFieldValue
JSON representation |
---|
{ // Union field |
Fields | |
---|---|
Union field | |
string_ | |
int32_ | |
uint32_ | |
int64_ | |
uint64_ | |
float_ | |
double_ | |
enum_ | |
bool_ | |
bytes_ | A base64-encoded string. |
is_ | |
timestamp_ | Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
UdmFieldAggregationType
Enums | |
---|---|
UNSPECIFIED_FIELD_AGGREGATION_TYPE | |
UDM_FIELD_AGGREGATION_TYPE | |
ENTITY_FIELD_AGGREGATION_TYPE | |
GroupAggregationByField
JSON representation |
---|
{ "field_name": string, "field_value": { object ( |
Fields | |
---|---|
field_ | |
field_ | |
fields[] | |
baseline_ | |
event_ | |
value_ | |
Detections
JSON representation |
---|
{ "detections": [ { object ( |
Fields | |
---|---|
detections[] | |
complete | |
too_ | |
valid_ | |
baseline_ | |
filtered_ | |
detection_ | |
FunctionResponse
JSON representation |
---|
{ "rows": [ { object ( |
Fields | |
---|---|
rows[] | |
too_ | |
FunctionResponseRow
JSON representation |
---|
{ "values": [ { object ( |
Fields | |
---|---|
values[] | |
UdmPrevalenceResponse
JSON representation |
---|
{ "buckets": [ { object ( |
Fields | |
---|---|
buckets[] | |
partial_ | |
UdmPrevalenceBucket
JSON representation |
---|
{ "prevalence": [ { object ( |
Fields | |
---|---|
prevalence[] | |
UdmPrevalence
JSON representation |
---|
{ "artifacts": [ { object ( |
Fields | |
---|---|
artifacts[] | |
prevalence | |
Stats
Stats results when the query is for statistics.
JSON representation |
---|
{ "results": [ { object ( |
Fields | |
---|---|
results[] | Result rows that are queried. |
data_ | Expression that represents the subset of the requested query used to filter data. The expression will be used to enable features such as drill-down from stats results to UDM events. In that case, the new query will be composed from this expression and the expression related to a stats result. |
too_ | If true, there are too many results to return and some have been omitted. |
total_ | The total number of results returned. |
sort_ | Indicates the columns used for sorting and the order in which they are sorted. If no ORDER section is specified in the query, this will be empty. |
ColumnData
Represents a single column in the set of columns returned as the stats query result.
JSON representation |
---|
{ "column": string, "values": [ { object ( |
Fields | |
---|---|
column | Used to store column names. |
values[] | Used to store column data. |
filterable | Identifies whether the column can be used for filtering/drill-downs. |
filter_ | Expression used to compose a query for filtering/drill-downs related to the data in this column. |
ColumnType
Singular vs list of values in a column.
JSON representation |
---|
{ // Union field |
Fields | |
---|---|
Union field | |
value | Single value in a column. |
list | List of values in a column, e.g. IPs. |
ColumnValue
Value of the column based on data type
JSON representation |
---|
{ // Union field |
Fields | |
---|---|
Union field | |
null_ | True if the value is NULL. |
bool_ | Boolean value. |
bytes_ | Bytes value. A base64-encoded string. |
double_ | Double value. |
int64_ | Integer value (signed). |
uint64_ | Unsigned integer value. |
string_ | String value. Enum values are returned as strings. |
timestamp_ | Timestamp values. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
date_ | Date values. |
proto_ | For any proto values that are not any of the above. An object containing fields of an arbitrary type. An additional field |
List
Store list of values in a column.
JSON representation |
---|
{ "values": [ { object ( |
Fields | |
---|---|
values[] | List of values in one cell of the column. |
ColumnSort
Contains the column name and the direction in which the column is sorted (ascending or descending).
JSON representation |
---|
{ "name": string, "descending": boolean } |
Fields | |
---|---|
name | Name of the column. |
descending | Whether the column is sorted in descending order (ascending by default). |
SearchDataSource
Data source for stats results in LegacyFetchUdmSearchViewResponse. Equivalent to the dashboard API data sources.
Enums | |
---|---|
SEARCH_DATA_SOURCE_UNSPECIFIED | Unspecified data source. |
SEARCH_UDM | Events |
SEARCH_ENTITY | Entities |
SEARCH_RULE_DETECTIONS | To be used for the detections data source. |
SEARCH_RULESETS | To be used for the ruleset-with-detections data source. |
AIOverview
AI generated overview for the search results.
JSON representation |
---|
{ "ai_summary": string, "suggestions": [ { object ( |
Fields | |
---|---|
ai_ | AI summary for the search results. Markdown formatted. |
suggestions[] | Suggested actions to continue the investigation in chat. |
complete | Whether AI overview generation is complete. |