Full name: projects.locations.instances.legacy.legacySearchRawLogs
Legacy endpoint for getting events for a raw log search.
HTTP request
GET https://chronicle.googleapis.com/v1alpha/{instance}/legacy:legacySearchRawLogs
Path parameters

| Parameter | Description |
|---|---|
| instance | Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance} |
Query parameters

| Parameter | Description |
|---|---|
| query | Required. Search query to match raw logs. |
| timestampRange | Required. Timestamp range to query within: [inclusive start time, exclusive end time). |
| maxResults | The maximum number of results to return. |
| regexSearch | Whether to evaluate the query as a regular expression. Defaults to false. |
| caseSensitive | Whether the search is case sensitive. Defaults to false. |
| productSources[] | Specific product sources to search; if unspecified, all product sources are included in the search. |
Request body
The request body must be empty.
Response body
Message passed back to the client containing the search results.
If successful, the response body contains data with the following structure:
| JSON representation |
|---|
| { "domain_network_events": [ { object ( |

| Field | Description |
|---|---|
| domain_network_events[] | A list of normalized network events that have domains associated with them (DomainNetworkEvent would be a more accurate name for this message type). Network events with no domains are returned in ip_network_events. Sorting order is not guaranteed. |
| alerts[] | A list of alerts returned for the above query. Populated only when an asset is being queried. Sorting order is not guaranteed. |
| ip_network_events[] | A list of domain-less network events. Sorting order is not guaranteed. |
| edr_events[] | A list of EDR events. Sorting order is not guaranteed. |
| typed_user_events[] | A list of User events. Sorting order is not guaranteed. |
| raw_log_events[] | A list of raw log entries from which no normalized event was produced. By default the chip is populated as "Unparsed Raw Log". Sorting order is not guaranteed. |
| generic_events[] | A list of Generic events. Sorting order is not guaranteed. |
| events[] | List of normalized events for the given query and time range. Sorting order is not guaranteed. |
| total_records | The total number of raw log lines scanned. |
| too_many_results | True if there were too many results to return and some have been omitted. |
| md5_file_hashes[] | All unique MD5 file hashes within all events being returned. |
| sha1_file_hashes[] | All unique SHA-1 file hashes within all events being returned. |
| sha256_file_hashes[] | All unique SHA-256 file hashes within all events being returned. |
| raw_log_bucket_stats[] | The raw log scan status of every bucket. |
| validation_error | The validation error returned by the search. |
| max_returned_raw_log_lines | The maximum number of raw log lines that will be returned. |
| raw_log_bucket_stat_frequency | The bucket size at which raw_log_bucket_stats captures raw log counts. Currently only day and hour are supported. |
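The query parameters above and the completeness signals in the response body (validation_error, too_many_results, raw_log_bucket_stats[].scan_succeeded) are what a client has to get right before trusting a raw log search as evidence. The following is an added example, not Google's or the Chronicle SDK's own code: it builds the GET URL from the documented parameters and triages a response for the reasons a result set may be incomplete. It assumes two things the page does not state: that timestampRange is sent as the dotted sub-fields timestampRange.startTime / timestampRange.endTime (the usual Google REST encoding of a nested message), and that the caller already holds an OAuth bearer token for the cloud-platform scope. The sample responses are constructed, not captured from a real instance.

```python
"""Build a legacy:legacySearchRawLogs request and triage its response.

Added example, not the project's own code. ASSUMED (not on the reference page):
timestampRange is encoded as timestampRange.startTime / timestampRange.endTime,
and a bearer token for https://www.googleapis.com/auth/cloud-platform is supplied.
"""
import json
import urllib.parse
import urllib.request
from dataclasses import dataclass, field

BASE_URL = "https://chronicle.googleapis.com/v1alpha"

# Every list-valued event field in the response body, per the reference table.
EVENT_LISTS = ("domain_network_events", "alerts", "ip_network_events", "edr_events",
               "typed_user_events", "raw_log_events", "generic_events", "events")


def build_search_url(instance, query, start_time, end_time, max_results=None,
                     regex_search=False, case_sensitive=False, product_sources=()):
    """Return the fully encoded GET URL; the body must be empty, so all input is query string."""
    if not instance.startswith("projects/") or "/instances/" not in instance:
        raise ValueError("instance must be projects/{project}/locations/{location}/instances/{instance}")
    params = [
        ("query", query),
        ("timestampRange.startTime", start_time),  # ASSUMED sub-field name
        ("timestampRange.endTime", end_time),      # ASSUMED sub-field name
    ]
    if max_results is not None:
        params.append(("maxResults", str(max_results)))
    if regex_search:  # defaults to false, so only send when true
        params.append(("regexSearch", "true"))
    if case_sensitive:
        params.append(("caseSensitive", "true"))
    for source in product_sources:  # productSources[] is repeated: repeat the key
        params.append(("productSources", source))
    return f"{BASE_URL}/{instance}/legacy:legacySearchRawLogs?{urllib.parse.urlencode(params)}"


def fetch(url, bearer_token):
    """Perform the GET with a bearer token (network call; not exercised offline)."""
    request = urllib.request.Request(url, headers={"Authorization": f"Bearer {bearer_token}"})
    with urllib.request.urlopen(request) as response:
        return json.load(response)


@dataclass
class SearchSummary:
    complete: bool                                   # no completeness signal fired
    reasons: list = field(default_factory=list)      # why the result set is partial
    scanned_lines: int = 0                           # total_records
    event_count: int = 0                             # events across all event lists
    failed_buckets: list = field(default_factory=list)   # event_time of unscanned buckets
    sha256_hashes: list = field(default_factory=list)    # unique sha256_file_hashes


def triage_response(resp):
    """Decide whether a result set can be treated as complete, and record why not."""
    reasons = []
    error = resp.get("validation_error")
    if error:
        reasons.append(f"validation_error {error.get('error_code')}: {error.get('error_message', '')}")
    if resp.get("too_many_results"):
        reasons.append("too_many_results: the service omitted some results")
    buckets = resp.get("raw_log_bucket_stats", [])
    # scan_succeeded defaults to false, so a missing flag is treated as a failed scan
    failed = [b["event_time"] for b in buckets if not b.get("scan_succeeded", False)]
    if failed:
        reasons.append(f"{len(failed)} bucket(s) not scanned: {', '.join(failed)}")
    truncated = [b["event_time"] for b in buckets if b.get("too_many_results")]
    if truncated:
        reasons.append(f"{len(truncated)} bucket(s) truncated: {', '.join(truncated)}")
    return SearchSummary(
        complete=not reasons,
        reasons=reasons,
        scanned_lines=int(resp.get("total_records", 0)),  # tolerate int or string encoding
        event_count=sum(len(resp.get(name, [])) for name in EVENT_LISTS),
        failed_buckets=failed,
        sha256_hashes=sorted(set(resp.get("sha256_file_hashes", []))),
    )


# Constructed sample responses (not captured from a real instance).
SAMPLE_INCOMPLETE = {
    "raw_log_events": [{"event_time": "2024-05-02T03:04:05Z", "snippet": "Failed password for"}],
    "events": [{"token": "tok-1"}, {"token": "tok-2"}],
    "total_records": "1200000",
    "too_many_results": True,
    "sha256_file_hashes": ["e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"],
    "raw_log_bucket_stats": [
        {"event_time": "2024-05-01T00:00:00Z", "total_raw_log_lines": 0, "returned_raw_log_lines": 0,
         "scan_succeeded": False, "too_many_results": False},
        {"event_time": "2024-05-02T00:00:00Z", "total_raw_log_lines": 900, "returned_raw_log_lines": 1,
         "scan_succeeded": True, "too_many_results": False},
    ],
}
SAMPLE_COMPLETE = {
    "events": [{"token": "tok-3"}],
    "total_records": 4200,
    "raw_log_bucket_stats": [{"event_time": "2024-05-01T00:00:00Z", "total_raw_log_lines": 1,
                              "returned_raw_log_lines": 1, "scan_succeeded": True, "too_many_results": False}],
}

if __name__ == "__main__":
    print(build_search_url("projects/p/locations/us/instances/i", "Failed password",
                           "2024-05-01T00:00:00Z", "2024-05-03T00:00:00Z",
                           regex_search=True, product_sources=["LINUX_SYSLOG"]))
    for sample in (SAMPLE_INCOMPLETE, SAMPLE_COMPLETE):
        print(triage_response(sample))
```

The triage treats a missing scan_succeeded as a failure because the reference says the flag defaults to false; a bucket the backend never reported on is just as much a gap in coverage as one it reported as failed. An investigation that relies on a "no hits" answer should only accept it when triage_response returns complete=True.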
Authorization scopes
Requires the following OAuth scope:
https://www.googleapis.com/auth/cloud-platform
For more information, see the Authentication Overview.
IAM Permissions
Requires the following IAM permission on the instance resource:
chronicle.legacies.legacySearchRawLogs
For more information, see the IAM documentation.
RawLogEvent
Raw log event passed back to the client. This is an event that was not normalized as any other event type.
| JSON representation |
|---|
| { "event_time": string, "chip": { object ( |

| Field | Description |
|---|---|
| event_time | Date/time of the event (i.e. not the time at which the event was ingested). A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
| chip | The chip to display. |
| snippet | Snippet of the log event. This contains the queried term and the preceding 10 characters (if available). |
| raw_logs_token | A token to request raw logs; this is opaque to the client. |
| filter_properties | A list of filter properties associated with the event. |
GenericEvent
Represents all telemetry data associated with a generic event for returning to the client. It is the search code's responsibility to convert UDM into this format.
| JSON representation |
|---|
| { "event_time": string, "chip": { object ( |

| Field | Description |
|---|---|
| event_time | Date/time of the event. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
| chip | The chip to display. |
| filter_properties | A list of filter properties associated with the event. |
| raw_logs_token | A token to request raw logs; this is opaque to the client. If empty, no raw logs can be requested. |
| source_udm_event_info | The source UDM event info. |
EventInfo
EventInfo is a wrapper containing a UDM or Entity event and its token.
| JSON representation |
|---|
| { "token": string, // Union field |

| Field | Description |
|---|---|
| token | The token for the UDM or Entity event. |
| Union field event_info | event_info contains either a UDM event or an Entity event. Even though entities contain context information, they are ingested and processed in indexing/search as events. event_info can be only one of the following: |
| event | A UDM event. |
| entity | An Entity event. |
RawLogBucketStat
Number of raw log lines for one bucket (interval of time).
| JSON representation |
|---|
| { "event_time": string, "total_raw_log_lines": integer, "returned_raw_log_lines": integer, "scan_succeeded": boolean, "too_many_results": boolean } |

| Field | Description |
|---|---|
| event_time | The start time of the bucket. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
| total_raw_log_lines | The number of raw log lines that matched the search query in this bucket. If |
| returned_raw_log_lines | The number of raw log lines in this bucket that were converted to events in the response. |
| scan_succeeded | The scan status of the bucket. If the flag is false, the backend failed to scan this bucket. Defaults to false. |
| too_many_results | True if there were too many results to return and some have been omitted. |
SearchRawLogsValidationError
SearchRawLogsValidationError contains ValidationErrorCode and a string to specify error details.
| JSON representation |
|---|
| { "error_code": enum ( |

| Field | Description |
|---|---|
| error_code | An enum indicating the error code. |
| error_message | A string giving the error details. |
ValidationErrorCode
Specific Raw Log Scan validation errors.
| Enum | Description |
|---|---|
| VALIDATION_ERROR_CODE_UNSPECIFIED | Unspecified validation error. |
| VALIDATION_ERROR_CODE_INVALID_REGEX | The request query isn't a valid regex. |
| VALIDATION_ERROR_CODE_QUERY_TOO_LONG | The request query is too long. |
| VALIDATION_ERROR_CODE_QUERY_TOO_SHORT | The request query is too short. |
| VALIDATION_ERROR_CODE_QUERY_OVER_LONG_TIME_RANGE | The query searches over too long a time range. |
RawLogBucketSize
The bucket size at which RawLogBucketStat captures raw log counts.

| Enum | Description |
|---|---|
| RAW_LOG_BUCKET_SIZE_UNSPECIFIED | Unspecified; this should not happen. |
| RAW_LOG_BUCKET_SIZE_DAY | RawLogBucketStat bucketed by day. |
| RAW_LOG_BUCKET_SIZE_HOUR | RawLogBucketStat bucketed by hour. |