- JSON representation
- ErrorMessage
- RuntimeError
- UdmEventList
- UdmEventInfo
- SearchDataTableRowInfo
- SearchDataTableRow
- FilterProperties
- StringValues
- StringValue
- Chip
- UdmColumnType
- UdmColumnValue
- Date
- UdmColumnList
- ColumnNames
- SearchDataTableInfo
- SearchDataTableColumnInfo
- UdmFieldAggregations
- UdmFieldAggregation
- UdmValueCount
- UdmFieldValue
- GroupAggregationByField
- FunctionResponse
- FunctionResponseRow
- Stats
- ColumnData
- ColumnType
- ColumnValue
- List
- ColumnSort
- EventCountTimeline
- EventCountTimelineBucket
- EntityChangedCountTimelineBucket
- EntityChangedInfo
- FieldAndValue
- InstanceUdmSearchResponse
- Detections
- AlertFieldAggregations
- AlertFieldAggregation
- AlertFieldValueCount
- AlertFieldValue
- UdmPrevalenceResponse
- UdmPrevalenceBucket
- UdmPrevalence
Response to a Federated UDM Search query. It is returned by the StreamSearchOperation RPC to deliver the results of a federated search operation as they become available.
| JSON representation | 
|---|
| { "operation": string, "progress": number, "too_many_events": boolean, "too_large_response": boolean, "complete": boolean, "valid_baseline_query": boolean, "baseline_events_count": integer, "valid_snapshot_query": boolean, "query_validation_errors": [ { object ( | 
| Fields | |
|---|---|
| operation | 
 The name of the operation resource representing the UDM Search operation. This can be passed to  The metadata type of the operation is  Format: projects/{project}/locations/{location}/instances/{instance}/operations/{operation} | 
| progress | 
 Progress of the query represented as a double between 0 and 1. | 
| too_many_events | 
 If true, there are too many events to return and some have been omitted. | 
| too_large_response | 
 If true, the response to be returned to the UI is too large and some events have been omitted. | 
| complete | 
 Streaming for this response is done. There will be no additional updates. | 
| valid_baseline_query | 
 Indicates whether the request baseline_query is a valid structured query or not. If not,  | 
| baseline_events_count | 
 The number of events in the baseline query. | 
| valid_snapshot_query | 
 Indicates whether the request baseline and snapshot queries are valid. If not,  | 
| query_validation_errors[] | 
 Parse error for the baseline_query and/or the snapshot_query. | 
| runtime_errors[] | 
 Runtime errors. | 
| filtered_events_count | 
 The number of events in the snapshot that match the snapshot_query. This is <=  | 
| data_sources[] | 
 Data sources of the query and its results, in the case of a statistics query. | 
| instance_udm_search_responses[] | 
 All the instance specific UDM search responses. | 
| events | 
 List of UDM events. NOTE: After complete is set to true, the  | 
| field_aggregations | 
 List of UDM fields with aggregated values. | 
| grouped_field_aggregations | 
 List of grouped fields with aggregated values. | 
| stats_function_response | 
 Result for statistical function. | 
| stats_function_parameter_validation_error_message | 
 If the request's stats_function_parameter is invalid, this field contains the detailed error message. | 
| stats | 
 Stats results when the query is for statistics | 
| ai_overview | 
 AI-generated overview for the search results. Only populated if the AI features are enabled for the customer and generate_ai_overview is set to true in the request. | 
| activity_timeline | 
 Timeline of event counts broken into hourly/daily buckets to identify activity. | 
| timeline | 
 Timeline of event counts broken into buckets. This populates the trend-over-time chart in the UI. | 
| instance_aggregations | 
 Instance aggregations for the search results. Provides information on the number of events per instance for the aggregations panel in the UI. This allows users to easily drill-down into the individual instances. | 
| detection_field_aggregations | 
 List of detection fields with aggregated values. This enables filtering in the Alerts panel for federated search. | 
| detection_instance_aggregations | 
 Instance aggregations for the detection search results. Provides information on the number of detections per instance for the detections aggregations panel in the UI. This allows users to easily drill-down into the individual instances. | 
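The flags in the table above (complete, valid_baseline_query, valid_snapshot_query, query_validation_errors, runtime_errors, too_many_events, too_large_response) decide whether a thin or empty result set can be read as "nothing matched". The following Python is an added example, not code from this reference or from Google: it folds the messages of one StreamSearchOperation stream into a summary and refuses to treat the result as conclusive while any of those fields says otherwise. The sample messages are constructed; the field names inside time_range, and de-duplicating events by their base64 uid across messages, are assumptions of this example rather than documented behaviour.

```python
import base64
from typing import Iterable, List, Tuple

# Added example, not code from the API reference or from Google. Field names
# come from the federated UDM search response tables. The sample messages are
# constructed; the inner fields of time_range and de-duplicating events by
# their base64 uid across streamed messages are assumptions of this example.


def fold_search_stream(messages: Iterable[dict]) -> dict:
    """Merge the messages of one StreamSearchOperation stream into a summary."""
    summary = {
        "events_by_uid": {},        # decoded uid bytes -> UdmEventInfo dict
        "progress": 0.0,
        "complete": False,
        "query_valid": True,
        "omitted_events": False,    # too_many_events or too_large_response seen
        "validation_errors": [],    # ErrorMessage.error_text values
        "runtime_errors": [],       # (time_range, error_text) pairs
        "baseline_events_count": 0,
        "filtered_events_count": 0,
    }
    for msg in messages:
        summary["progress"] = max(summary["progress"], float(msg.get("progress", 0.0)))
        summary["complete"] = summary["complete"] or bool(msg.get("complete"))
        # An explicit false on either validity flag poisons the whole result.
        if msg.get("valid_baseline_query") is False or msg.get("valid_snapshot_query") is False:
            summary["query_valid"] = False
        event_list = msg.get("events", {})
        if (msg.get("too_many_events") or msg.get("too_large_response")
                or event_list.get("too_many_events")):
            summary["omitted_events"] = True
        summary["validation_errors"].extend(
            e["error_text"] for e in msg.get("query_validation_errors", []))
        summary["runtime_errors"].extend(
            (e.get("time_range"), e["error_text"]) for e in msg.get("runtime_errors", []))
        for key in ("baseline_events_count", "filtered_events_count"):
            summary[key] = max(summary[key], int(msg.get(key, 0)))
        for info in event_list.get("events", []):
            uid = base64.b64decode(info["uid"])      # uid is documented as base64
            summary["events_by_uid"][uid] = info     # later messages win
    return summary


def absence_is_evidence(summary: dict) -> Tuple[bool, List[str]]:
    """Decide whether 'no (or few) matches' may be read as 'nothing happened'.

    Any listed reason means the result is a lower bound, not a negative.
    """
    reasons = []
    if not summary["complete"]:
        reasons.append("stream ended before complete=true")
    if not summary["query_valid"]:
        reasons.append("baseline or snapshot query failed validation")
    if summary["validation_errors"]:
        reasons.append("query_validation_errors reported")
    if summary["runtime_errors"]:
        reasons.append("runtime_errors reported for part of the time range")
    if summary["omitted_events"]:
        reasons.append("events omitted (too_many_events / too_large_response)")
    return (not reasons, reasons)


def _uid(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


OPERATION = "projects/demo/locations/us/instances/inst-1/operations/op-1"  # format from the reference

# Constructed stream: two partial messages, the second completing the search.
SAMPLE_STREAM_OK = [
    {"operation": OPERATION, "progress": 0.4, "complete": False,
     "valid_baseline_query": True, "valid_snapshot_query": True,
     "events": {"events": [
         {"uid": _uid("ev-1"), "event": {"metadata": {"event_type": "USER_LOGIN"}}}]}},
    {"operation": OPERATION, "progress": 1.0, "complete": True,
     "valid_baseline_query": True, "valid_snapshot_query": True,
     "baseline_events_count": 2, "filtered_events_count": 2,
     "events": {"events": [
         {"uid": _uid("ev-1"), "event": {"metadata": {"event_type": "USER_LOGIN"}}},
         {"uid": _uid("ev-2"), "event": {"metadata": {"event_type": "USER_LOGOUT"}}}]}},
]

# Constructed stream that completes but cannot be trusted as a negative:
# one part of the time range failed at runtime and the server dropped events.
SAMPLE_STREAM_GAPPY = [
    {"operation": OPERATION, "progress": 1.0, "complete": True,
     "valid_baseline_query": True, "valid_snapshot_query": True,
     "too_many_events": True,
     "runtime_errors": [{"time_range": {"start_time": "2024-03-01T00:00:00Z",  # assumed names
                                        "end_time": "2024-03-01T06:00:00Z"},
                         "error_text": "shard query timed out"}],
     "events": {"events": []}},
]
```

Call fold_search_stream on the messages as they arrive and check absence_is_evidence before closing a hunt as clean: a stream that completes with too_many_events set or with a runtime error for part of the window is a partial answer, not a negative one.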
ErrorMessage
| JSON representation | 
|---|
| {
  "type": enum ( | 
| Fields | |
|---|---|
| type | 
 | 
| error_text | 
 | 
RuntimeError
| JSON representation | 
|---|
| {
  "time_range": {
    object ( | 
| Fields | |
|---|---|
| time_range | 
 | 
| error_text | 
 | 
UdmEventList
| JSON representation | 
|---|
| { "events": [ { object ( | 
| Fields | |
|---|---|
| events[] | 
 | 
| column_names | 
 | 
| progress | 
 | 
| too_many_events | 
 | 
| complete | 
 | 
| datatable_info[] | 
 | 
UdmEventInfo
| JSON representation | 
|---|
| { "event": { object ( | 
| Fields | |
|---|---|
| event | 
 | 
| entity | 
 | 
| datatable_row_info[] | 
 | 
| filter_properties | 
 | 
| event_log_token | 
 | 
| alert_number | 
 | 
| display_name | 
 | 
| chip | 
 | 
| uid | 
 A base64-encoded string. | 
| annotations[] | 
 | 
| detections[] | 
 | 
| outcomes[] | 
 | 
| connected_component_label | 
 Optional. A base64-encoded string. | 
| tenant_id | 
 Optional. | 
SearchDataTableRowInfo
| JSON representation | 
|---|
| {
  "data_table": string,
  "rows": [
    {
      object ( | 
| Fields | |
|---|---|
| data_table | 
 | 
| rows[] | 
 | 
SearchDataTableRow
| JSON representation | 
|---|
| { "column": string, "value": string } | 
| Fields | |
|---|---|
| column | 
 | 
| value | 
 | 
FilterProperties
| JSON representation | 
|---|
| {
  "string_properties": {
    string: {
      object ( | 
| Fields | |
|---|---|
| string_properties | 
 An object containing a list of  | 
| hidden | 
 | 
StringValues
| JSON representation | 
|---|
| {
  "values": [
    {
      object ( | 
| Fields | |
|---|---|
| values[] | 
 | 
StringValue
| JSON representation | 
|---|
| { "raw_value": string, "display_value": string } | 
| Fields | |
|---|---|
| raw_value | 
 | 
| display_value | 
 | 
Chip
| JSON representation | 
|---|
| {
  "type": enum ( | 
| Fields | |
|---|---|
| type | 
 | 
| text | 
 | 
UdmColumnType
| JSON representation | 
|---|
| { // Union field | 
| Fields | |
|---|---|
| Union field  
 | |
| value | 
 | 
| list | 
 | 
UdmColumnValue
| JSON representation | 
|---|
| { // Union field | 
| Fields | |
|---|---|
| Union field  
 | |
| null_val | 
 | 
| bool_val | 
 | 
| bytes_val | 
 A base64-encoded string. | 
| double_val | 
 | 
| int64_val | 
 | 
| uint64_val | 
 | 
| string_val | 
 | 
| timestamp_val | 
 Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples:  | 
| date_val | 
 | 
| proto_val | 
 An object containing fields of an arbitrary type. An additional field  | 
Date
Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following:
- A full date, with non-zero year, month, and day values.
- A month and day, with a zero year (for example, an anniversary).
- A year on its own, with a zero month and a zero day.
- A year and month, with a zero day (for example, a credit card expiration date).
Related types:
- google.type.TimeOfDay
- google.type.DateTime
- google.protobuf.Timestamp
| JSON representation | 
|---|
| { "year": integer, "month": integer, "day": integer } | 
| Fields | |
|---|---|
| year | 
 Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. | 
| month | 
 Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. | 
| day | 
 Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. | 
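The zero-means-absent rules above allow exactly four shapes of Date, and the day still has to be valid for the month even when the year is absent. The following Python is an added example, not code from this reference or from Google: it checks a Date object against those rules and names which documented form it is. Treating a date with year 0 as if it fell in a leap year, so that February 29 is accepted for a yearless date, is this example's choice.

```python
import calendar
from typing import Optional, Tuple

# Added example, not from the reference: validate a google.type.Date object
# against the documented rules and classify it as one of the four forms.
# Using a leap year for the February check when year is 0 is our assumption.


def classify_date(d: dict) -> Tuple[Optional[str], str]:
    """Return (form, reason).

    form is 'full', 'month_day', 'year' or 'year_month'; None means the value
    violates the documented rules, and reason says why.
    """
    year, month, day = (int(d.get(k, 0)) for k in ("year", "month", "day"))
    if not 0 <= year <= 9999:
        return None, "year must be 0 or 1..9999"
    if not 0 <= month <= 12:
        return None, "month must be 0 or 1..12"
    if not 0 <= day <= 31:
        return None, "day must be 0 or 1..31"
    if month == 0 and day != 0:
        return None, "a day requires a month"
    if day:
        # Year 0 carries no year, so check February against a leap year.
        days_in_month = calendar.monthrange(year or 2000, month)[1]
        if day > days_in_month:
            return None, f"day {day} is not valid for month {month}"
    if year and month and day:
        return "full", "full date"
    if not year and month and day:
        return "month_day", "month and day without a year"
    if year and not month:
        return "year", "year only"
    if year and month and not day:
        return "year_month", "year and month without a day"
    return None, "not one of the documented forms (month only, or all zero)"
```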
UdmColumnList
| JSON representation | 
|---|
| {
  "values": [
    {
      object ( | 
| Fields | |
|---|---|
| values[] | 
 | 
ColumnNames
| JSON representation | 
|---|
| { "names": [ string ] } | 
| Fields | |
|---|---|
| names[] | 
 | 
SearchDataTableInfo
| JSON representation | 
|---|
| {
  "data_table": string,
  "column_info": [
    {
      object ( | 
| Fields | |
|---|---|
| data_table | 
 | 
| column_info[] | 
 | 
SearchDataTableColumnInfo
| JSON representation | 
|---|
| { "original_column": string, "is_default": boolean } | 
| Fields | |
|---|---|
| original_column | 
 | 
| is_default | 
 | 
UdmFieldAggregations
| JSON representation | 
|---|
| { "fields": [ { object ( | 
| Fields | |
|---|---|
| fields[] | 
 | 
| group_by_fields[] | 
 | 
| complete | 
 | 
UdmFieldAggregation
| JSON representation | 
|---|
| { "field_name": string, "baseline_event_count": integer, "event_count": integer, "too_many_values": boolean, "value_count": integer, "all_values": [ { object ( | 
| Fields | |
|---|---|
| field_name | 
 | 
| baseline_event_count | 
 | 
| event_count | 
 | 
| too_many_values | 
 | 
| value_count | 
 | 
| all_values[] | 
 | 
| top_values[] | 
 | 
| bottom_values[] | 
 | 
| aggregation_type | 
 | 
UdmValueCount
| JSON representation | 
|---|
| {
  "value": {
    object ( | 
| Fields | |
|---|---|
| value | 
 | 
| baseline_event_count | 
 | 
| event_count | 
 | 
UdmFieldValue
| JSON representation | 
|---|
| { // Union field | 
| Fields | |
|---|---|
| Union field  
 | |
| string_value | 
 | 
| int32_value | 
 | 
| uint32_value | 
 | 
| int64_value | 
 | 
| uint64_value | 
 | 
| float_value | 
 | 
| double_value | 
 | 
| enum_value | 
 | 
| bool_value | 
 | 
| bytes_value | 
 A base64-encoded string. | 
| is_null | 
 | 
| timestamp_value | 
 Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples:  | 
GroupAggregationByField
| JSON representation | 
|---|
| { "field_name": string, "field_value": { object ( | 
| Fields | |
|---|---|
| field_name | 
 | 
| field_value | 
 | 
| fields[] | 
 | 
| baseline_event_count | 
 | 
| event_count | 
 | 
| value_count | 
 | 
FunctionResponse
| JSON representation | 
|---|
| {
  "rows": [
    {
      object ( | 
| Fields | |
|---|---|
| rows[] | 
 | 
| too_many_rows | 
 | 
FunctionResponseRow
| JSON representation | 
|---|
| {
  "values": [
    {
      object ( | 
| Fields | |
|---|---|
| values[] | 
 | 
Stats
Stats results when the query is for statistics.
| JSON representation | 
|---|
| { "results": [ { object ( | 
| Fields | |
|---|---|
| results[] | 
 Result rows that are queried. | 
| data_query_expression | 
 Expression that represents the subset of the requested query used to filter data. It enables features such as drill-down from stats results to UDM events; in that case, the new query is composed from this expression and the expression related to a stats result. | 
| too_many_results | 
 If true, there are too many results to return and some have been omitted. | 
| total_results | 
 The total number of results returned. | 
| sort_order[] | 
 Indicates the columns used for sorting and the order in which they are sorted. If no ORDER section is specified in the query, this will be empty. | 
ColumnData
Represents a single column in the set of columns returned as the stats query result.
| JSON representation | 
|---|
| {
  "column": string,
  "values": [
    {
      object ( | 
| Fields | |
|---|---|
| column | 
 Name of the column. | 
| values[] | 
 Values stored in the column. | 
| filterable | 
 Whether the column can be used for filtering/drill-downs. | 
| filter_expression | 
 Expression used to compose a query for filtering/drill-downs related to the data in this column. | 
ColumnType
Singular vs list of values in a column.
| JSON representation | 
|---|
| { // Union field | 
| Fields | |
|---|---|
| Union field type. Store a single value or a list of values in a column. type can be only one of the following: | |
| value | 
 Single value in a column. | 
| list | 
 List of values in a column, e.g. IP addresses. | 
ColumnValue
Value of the column based on data type
| JSON representation | 
|---|
| { // Union field | 
| Fields | |
|---|---|
| Union field value. Value of the column based on data type. value can be only one of the following: | |
| null_val | 
 True if the value is NULL. | 
| bool_val | 
 Boolean value. | 
| bytes_val | 
 Bytes value. A base64-encoded string. | 
| double_val | 
 Double value. | 
| int64_val | 
 Integer value (signed). | 
| uint64_val | 
 Unsigned integer value. | 
| string_val | 
 String value. Enum values are returned as strings. | 
| timestamp_val | 
 Timestamp values. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples:  | 
| date_val | 
 Date values. | 
| proto_val | 
 For any proto values that are not any of the above. An object containing fields of an arbitrary type. An additional field  | 
List
Store list of values in a column.
| JSON representation | 
|---|
| {
  "values": [
    {
      object ( | 
| Fields | |
|---|---|
| values[] | 
 List of values in one cell of the column. | 
ColumnSort
Contains the column name and the direction in which the column is sorted (ascending or descending).
| JSON representation | 
|---|
| { "name": string, "descending": boolean } | 
| Fields | |
|---|---|
| name | 
 Name of the column. | 
| descending | 
 Whether the column is sorted in descending order (ascending by default). | 
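Stats results arrive column-oriented: one ColumnData per column, each holding a ColumnType per row, with the cell value in one of the ColumnValue union members described above. The following Python is an added example, not code from this reference or from Google: it decodes every union member (including the RFC 3339 timestamp form with up to nine fractional digits or a non-Z offset), pivots the columns into row dicts, re-applies the sort_order entries, and collects the filter_expression of each filterable column for drill-down. The SAMPLE_STATS message is constructed, and its filter_expression strings are placeholders that do not show the real drill-down expression syntax.

```python
import base64
import re
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List

# Added example, not from the reference: decode the column-oriented Stats
# message into rows. SAMPLE_STATS is constructed; its filter_expression
# strings are placeholders, not the real drill-down syntax.

_RFC3339 = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d{1,9}))?(Z|[+-]\d{2}:\d{2})$")


def parse_rfc3339(text: str) -> datetime:
    """Parse timestamp_val: 0-9 fractional digits, 'Z' or a numeric offset.

    Nanoseconds are truncated to microseconds (all datetime holds) and the
    result is normalised to UTC.
    """
    m = _RFC3339.match(text)
    if not m:
        raise ValueError(f"not an RFC 3339 timestamp: {text!r}")
    base, frac, tz = m.groups()
    micros = int((frac or "")[:6].ljust(6, "0"))
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(microsecond=micros)
    if tz == "Z":
        offset = timezone.utc
    else:
        sign = 1 if tz[0] == "+" else -1
        offset = timezone(sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[4:6])))
    return dt.replace(tzinfo=offset).astimezone(timezone.utc)


# ColumnValue union member -> decoder. int() accepts both a JSON number and
# the string form proto3 JSON uses for 64-bit integers; enums arrive as strings.
_SCALAR = {
    "bool_val": bool,
    "bytes_val": base64.b64decode,       # documented as base64
    "double_val": float,
    "int64_val": int,
    "uint64_val": int,
    "string_val": str,
    "timestamp_val": parse_rfc3339,
    "date_val": lambda d: tuple(int(d.get(k, 0)) for k in ("year", "month", "day")),
    "proto_val": dict,                   # kept as a raw dict
}


def decode_column_value(cv: dict) -> Any:
    """Decode one ColumnValue union member into a Python value."""
    if cv.get("null_val"):
        return None
    for key, conv in _SCALAR.items():
        if key in cv:
            return conv(cv[key])
    raise ValueError(f"unrecognised ColumnValue: {cv!r}")


def decode_column_type(ct: dict) -> Any:
    """ColumnType is a union: a single value or a List of values."""
    if "list" in ct:
        return [decode_column_value(v) for v in ct["list"].get("values", [])]
    return decode_column_value(ct["value"])


def apply_sort_order(rows: List[Dict[str, Any]], sort_order: List[dict]) -> List[Dict[str, Any]]:
    """Re-apply ColumnSort entries (primary key first) with a stable sort."""
    rows = list(rows)
    for spec in reversed(sort_order):        # least significant key first
        name = spec["name"]
        rows.sort(key=lambda r: (r[name] is None, r[name]), reverse=bool(spec.get("descending")))
    return rows


def stats_to_rows(stats: dict) -> dict:
    """Pivot Stats.results (one ColumnData per column) into row dicts."""
    columns = stats.get("results", [])
    names = [c["column"] for c in columns]
    lengths = [len(c.get("values", [])) for c in columns]
    if len(set(lengths)) > 1:
        raise ValueError(f"ragged columns: {dict(zip(names, lengths))}")
    n = lengths[0] if lengths else 0
    rows = [{c["column"]: decode_column_type(c["values"][i]) for c in columns} for i in range(n)]
    return {
        "columns": names,
        "rows": apply_sort_order(rows, stats.get("sort_order", [])),
        "truncated": bool(stats.get("too_many_results")),   # rows are a partial set
        "total_results": int(stats.get("total_results", n)),
        "drilldown": {c["column"]: c["filter_expression"] for c in columns if c.get("filterable")},
    }


SAMPLE_STATS = {   # constructed sample, already sorted by the server
    "results": [
        {"column": "hostname", "filterable": True, "filter_expression": "principal.hostname",
         "values": [{"value": {"string_val": "ws-01"}}, {"value": {"string_val": "ws-02"}},
                    {"value": {"null_val": True}}]},
        {"column": "event_count", "filterable": False,
         "values": [{"value": {"int64_val": "42"}}, {"value": {"int64_val": 17}},
                    {"value": {"int64_val": "5"}}]},
        {"column": "last_seen", "filterable": False,
         "values": [{"value": {"timestamp_val": "2024-03-01T12:00:00.123456789Z"}},
                    {"value": {"timestamp_val": "2024-03-01T11:00:00+05:30"}},
                    {"value": {"timestamp_val": "2024-02-29T00:00:00Z"}}]},
        {"column": "principal_ips", "filterable": True, "filter_expression": "principal.ip",
         "values": [{"list": {"values": [{"string_val": "10.0.0.5"}, {"string_val": "10.0.0.9"}]}},
                    {"list": {"values": [{"string_val": "10.0.0.7"}]}},
                    {"list": {"values": []}}]},
        {"column": "file_hash", "filterable": False,
         "values": [{"value": {"bytes_val": base64.b64encode(b"\x00\x01").decode()}},
                    {"value": {"null_val": True}}, {"value": {"null_val": True}}]},
    ],
    "too_many_results": False,
    "total_results": 3,
    "sort_order": [{"name": "event_count", "descending": True}],
}
```

The server already returns rows in sort_order; apply_sort_order exists so that the same order survives client-side merging or filtering. Treat truncated as a warning that the rows are a partial set, and build drill-down queries only from columns whose filterable flag is set.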
EventCountTimeline
| JSON representation | 
|---|
| {
  "buckets": [
    {
      object ( | 
| Fields | |
|---|---|
| buckets[] | 
 | 
| size_of_bucket_ms | 
 | 
EventCountTimelineBucket
| JSON representation | 
|---|
| {
  "baseline_event_count": integer,
  "event_count": integer,
  "baseline_alert_count": integer,
  "alert_count": integer,
  "baseline_timed_entity_count": integer,
  "filtered_timed_entity_count": integer,
  "entity_changed_count": {
    object ( | 
| Fields | |
|---|---|
| baseline_event_count | 
 | 
| event_count | 
 | 
| baseline_alert_count | 
 | 
| alert_count | 
 | 
| baseline_timed_entity_count | 
 | 
| filtered_timed_entity_count | 
 | 
| entity_changed_count | 
 | 
EntityChangedCountTimelineBucket
| JSON representation | 
|---|
| {
  "total_changed_entities_count": integer,
  "entity_changed_info": [
    {
      object ( | 
| Fields | |
|---|---|
| total_changed_entities_count | 
 | 
| entity_changed_info[] | 
 | 
EntityChangedInfo
| JSON representation | 
|---|
| {
  "artifacts": {
    object ( | 
| Fields | |
|---|---|
| artifacts | 
 | 
| entity_count | 
 | 
FieldAndValue
| JSON representation | 
|---|
| { "value": string, "entity_namespace": string, // Union field | 
| Fields | |
|---|---|
| value | 
 | 
| entity_namespace | 
 | 
| Union field  
 | |
| field_path | 
 | 
| kvalue_type | 
 | 
InstanceUdmSearchResponse
| JSON representation | 
|---|
| { "progress": number, "too_many_events": boolean, "complete": boolean, "baseline_events_count": integer, "filtered_events_count": integer, "instance_id": string, "timeline": { object ( | 
| Fields | |
|---|---|
| progress | 
 | 
| too_many_events | 
 | 
| complete | 
 | 
| baseline_events_count | 
 | 
| filtered_events_count | 
 | 
| instance_id | 
 | 
| timeline | 
 | 
| detections | 
 | 
| prevalence | 
 | 
| runtime_errors | 
 | 
Detections
| JSON representation | 
|---|
| { "detections": [ { object ( | 
| Fields | |
|---|---|
| detections[] | 
 | 
| complete | 
 | 
| too_many_detections | 
 | 
| valid_snapshot_query | 
 | 
| baseline_alerts_count | 
 | 
| filtered_alerts_count | 
 | 
| detection_field_aggregations | 
 | 
AlertFieldAggregations
| JSON representation | 
|---|
| {
  "fields": [
    {
      object ( | 
| Fields | |
|---|---|
| fields[] | 
 | 
AlertFieldAggregation
| JSON representation | 
|---|
| { "field_name": string, "baseline_alert_count": integer, "alert_count": integer, "too_many_values": boolean, "value_count": integer, "all_values": [ { object ( | 
| Fields | |
|---|---|
| field_name | 
 | 
| baseline_alert_count | 
 | 
| alert_count | 
 | 
| too_many_values | 
 | 
| value_count | 
 | 
| all_values[] | 
 | 
| top_values[] | 
 | 
| bottom_values[] | 
 | 
AlertFieldValueCount
| JSON representation | 
|---|
| {
  "value": {
    object ( | 
| Fields | |
|---|---|
| value | 
 | 
| baseline_alert_count | 
 | 
| alert_count | 
 | 
AlertFieldValue
| JSON representation | 
|---|
| { // Union field | 
| Fields | |
|---|---|
| Union field  
 | |
| string_value | 
 | 
| int32_value | 
 | 
| uint32_value | 
 | 
| int64_value | 
 | 
| uint64_value | 
 | 
| float_value | 
 | 
| double_value | 
 | 
| enum_value | 
 | 
| bool_value | 
 | 
| bytes_value | 
 A base64-encoded string. | 
UdmPrevalenceResponse
| JSON representation | 
|---|
| {
  "buckets": [
    {
      object ( | 
| Fields | |
|---|---|
| buckets[] | 
 | 
| partial_prevalence | 
 | 
UdmPrevalenceBucket
| JSON representation | 
|---|
| {
  "prevalence": [
    {
      object ( | 
| Fields | |
|---|---|
| prevalence[] | 
 | 
UdmPrevalence
| JSON representation | 
|---|
| {
  "artifacts": [
    {
      object ( | 
| Fields | |
|---|---|
| artifacts[] | 
 | 
| prevalence | 
 |