Method: legacy.legacyFindRawLogs

{
  "timestamp": string,
  "collection_time": string,
  "ingested_time": string,
  "source": {
    object (EventSource)
  },
  "raw_log_index": integer,
  "disambiguation_key": string,
  "si_event_data": {
    object (SIEventData)
  },
  "idm": {
    object (IDM)
  },
  "is_duplicate": boolean,

  // Union field payload can be only one of the following:
  "stats": {
    object (StatsEvent)
  },
  "dns": {
    object (DnsEvent)
  },
  "dhcp": {
    object (DhcpEvent)
  },
  "alert": {
    object (AlertEvent)
  },
  "webproxy": {
    object (WebProxyEvent)
  },
  "edr": {
    object (EdrEvent)
  },
  "ioc": {
    object (IocEvent)
  },
  "whois_record": {
    object (WhoisRecord)
  },
  "asset_info": {
    object (AssetInfo)
  },
  "binary": {
    object (BinaryInfo)
  },
  "agent_stats": {
    object (AgentStatsEvent)
  }
  // End of list of possible types for union field payload.
}

{
  "client": {
    object (Device)
  },
  "server": {
    object (Device)
  },
  "class": enum (DnsEventClass),
  "querying_ip_ttl": integer,
  "id": integer,
  "response": boolean,
  "opcode": integer,
  "authoritative": boolean,
  "truncated": boolean,
  "recursion_desired": boolean,
  "recursion_available": boolean,
  "response_code": integer,
  "questions": [
    {
      object (DnsQuestion)
    }
  ],
  "answers": [
    {
      object (DnsRR)
    }
  ],
  "authority": [
    {
      object (DnsRR)
    }
  ],
  "additional": [
    {
      object (DnsRR)
    }
  ],
  "action": enum (Action),
  "summary": {
    object (DnsSummary)
  }
}

{
  "hostname": string,
  "ip_addresses": [
    string
  ],
  "mac": [
    string
  ],
  "on_enterprise_network": boolean,
  "product_identifier_type": string,
  "product_identifier_value": string,
  "namespace": string
}

{
  "name": string,
  "type": integer,
  "class": integer
}

{
  "name": string,
  "type": integer,
  "class": integer,
  "ttl": integer,
  "data": string
}

{
  "queries": [
    {
      object (Query)
    }
  ],
  "edr": {
    object (EdrEvent)
  }
}

{
  "name": string,
  "ip_addresses": [
    string
  ],
  "url": string,
  "md5": string,
  "sha256": string,
  "filename": string,
  "http_details": {
    object (HttpDetails)
  },
  "network_connection_details": {
    object (NetworkConnectionDetails)
  }
}

{
  "status": enum (Action)
}

{
  "client": {
    object (Device)
  },
  "server": {
    object (Device)
  },
  "data_source": enum (Product),
  "raw_event_name": string,
  "category": enum (Category),
  "process_id_type": string,
  "process_id_value": string,
  "process_filename": string,
  "process_md5": string,
  "process_sha256": string,
  "current_process": {
    object (ProcessDetails)
  },
  "target_process": {
    object (ProcessDetails)
  },
  "child_process": {
    object (ProcessDetails)
  },
  "parent_process": {
    object (ProcessDetails)
  },
  "target_file": {
    object (FileDetails)
  },
  "source_file": {
    object (FileDetails)
  },
  "user": {
    object (UserDetails)
  },
  "firewall": {
    object (FirewallDetails)
  },
  "service": {
    object (ServiceDetails)
  },
  "share": {
    object (ShareDetails)
  },
  "registry": {
    object (RegistryDetails)
  },
  "device": {
    object (DeviceDetails)
  },
  "uac": {
    object (UACDetails)
  },
  "task": {
    object (TaskDetails)
  },
  "volume": {
    object (VolumeDetails)
  },

  // Union field event_details can be only one of the following:
  "network": {
    object (EdrNetworkEvent)
  },
  "alert": {
    object (AlertEvent)
  },
  "mapping": {
    object (EdrMappingEvent)
  }
  // End of list of possible types for union field event_details.
}

{
  "direction": enum (Direction),
  "target_ip": string,
  "target_domain": string,
  "client_port": integer,
  "target_port": integer,
  "process_filename": string,
  "process_md5": string,
  "process_sha256": string,
  "process_id_type": string,
  "process_id_value": string,
  "protocol": integer
}

{
  "devices": [
    {
      object (Device)
    }
  ],
  "raw_alert_message": string,
  "source_product": string,
  "alert_short_name": string,
  "severity": enum (AlertSeverity),
  "raw_severity": string,
  "is_significant": boolean,
  "hash_md5": string,
  "hash_sha1": string,
  "hash_sha256": string
}

{
  "type": enum (MappingType)
}

{
  "process_id": string,
  "raw_pid": string,
  "process_file": {
    object (FileDetails)
  },
  "full_command_line": string,
  "user_name": {
    object (UserDetails)
  },
  "access_mask": string
}

{
  "file_name": string,
  "full_path": string,
  "hash_md5": string,
  "hash_sha256": string,
  "hash_sha1": string
}

{
  "user_name": string,
  "authentication_id": string,
  "user_principal": string,
  "user_sid": string
}

{
  "firewall_rule": string,
  "firewall_rule_id": string,
  "firewall_option": string
}

{
  "service_name": string,
  "service_user": string
}

{
  "share_name": string
}

{
  "reg_object_name": string,
  "reg_value_name": string,
  "reg_string_value": string
}

{
  "product_name": string,
  "device_name": string
}

{
  "exe_to_validate": string,
  "dll_to_validate": string,
  "command_line_to_validate": string,
  "application_name_to_validate": string,
  "msi_product_name": string,
  "msi_package_path": string,
  "com_friendly_name": string,
  "com_server_binary": string,
  "com_requestor_path": string,
  "axis_install_point": string,
  "axis_url": string
}

{
  "task_name": string,
  "task_author": string,
  "task_command": {
    object (ProcessDetails)
  }
}

{
  "volume_name": string,
  "volume_device": {
    object (DeviceDetails)
  },
  "volume_mount_point": string
}

{
  "client": {
    object (Device)
  },
  "server": {
    object (Device)
  },
  "class": enum (DhcpEventClass),
  "op": enum (DhcpOp),
  "htype": enum (DhcpHType),
  "hlen": integer,
  "hops": integer,
  "xid": integer,
  "secs": integer,
  "flags": integer,
  "ciaddr": string,
  "yiaddr": string,
  "siaddr": string,
  "giaddr": string,
  "chaddr": string,
  "sname": string,
  "file": string,
  "options": [
    {
      object (DhcpOption)
    }
  ],
  "opt_type": enum (MessageType),
  "opt_hostname": string,
  "opt_lease_time": integer,
  "opt_requested_address": string,
  "opt_client_identifier": string
}

{
  "type": enum (DhcpOptionType),
  "data": string
}

{
  "client": {
    object (Device)
  },
  "client_port": integer,
  "server": {
    object (Device)
  },
  "target": {
    object (Device)
  },
  "target_port": integer,
  "protocol": enum (HttpProtocol),
  "request": {
    object (Request)
  },
  "response": {
    object (Response)
  },
  "action": enum (Action),
  "block_reason": string,
  "user_identifier": string
}

{
  "method": enum (HttpMethod),
  "resource": string,
  "user_agent": string,
  "referer": string
}

{
  "code": integer,
  "size": string,
  "hash_md5": string
}

{
  "domain_name": string,
  "registrar_name": string,
  "contact_email": string,
  "whois_server": string,
  "name_server": [
    string
  ],
  "creation_time": string,
  "update_time": string,
  "expiration_time": string,
  "audit_update_time": string,
  "status": string,
  "registrant": {
    object (Contact)
  },
  "admin_contact": {
    object (Contact)
  },
  "tech_contact": {
    object (Contact)
  },
  "billing_contact": {
    object (Contact)
  },
  "zone_contact": {
    object (Contact)
  },
  "whois_record_raw_text": string,
  "registry_data_raw_text": string,
  "iana_registrar_id": integer,
  "private_registration": boolean
}

{
  "email_address": string,
  "name": string,
  "organization": string,
  "phone_number": string,
  "phone_number_ext": string,
  "fax_number": string,
  "fax_number_ext": string,
  "address": {
    object (Address)
  },
  "raw_text": string
}

{
  "country": string,
  "street": [
    string
  ],
  "city": string,
  "state": string,
  "postal_code": string
}

{
  "client": {
    object (Device)
  },
  "operating_system": string,
  "vulnerabilities": [
    {
      object (AssetVulnerability)
    }
  ]
}

{
  "name": string,
  "description": string,
  "scan_start_time": string,
  "scan_end_time": string,
  "first_found": string,
  "last_found": string,
  "severity": string,
  "cvss_base_score": number,
  "cvss_vector": string,
  "cvss_version": string
}

{
  "hash_md5": string,
  "hash_sha256": string,
  "hash_sha1": string,
  "size_bytes": string,
  "mime_type": string,
  "type": enum (FileType),
  "version": {
    object (VersionInfo)
  },
  "sign": {
    object (SigningInfo)
  }
}

{
  "company_name": string,
  "file_description": string,
  "file_version": string,
  "internal_name": string,
  "original_name": string,
  "product_name": string,
  "product_version": string
}

{
  "status": enum (SignStatus),
  "subject": string,
  "issuer": string
}

{
  "customer_id": string,
  "collector_id": string,
  "filename": string,
  "namespace": string,
  "labels": [
    {
      object (Label)
    }
  ]
}

{
  "batch_id": string,
  "raw_log_type": enum (LogType),
  "snippet": string,
  "raw_log_index": integer,
  "disambiguation_key": string,
  "event_type": enum (EventType),
  "timestamp": string,
  "replay_time": string
}

{
  "read_only_udm": {
    object (UDM)
  },
  "filtered_udm": {
    object (UDM)
  },
  "context": {
    object (Noun)
  },
  "entity": {
    object (Entity)
  },
  "is_alert": boolean,
  "is_significant": boolean,
  "base_labels": {
    object (DataAccessLabels)
  },
  "enrichment_labels": {
    object (DataAccessLabels)
  },
  "enrichment_provenances": [
    {
      object (EnrichmentProvenance)
    }
  ]
}

{
  "noun_type": enum (NounType),
  "type_enrichment_provenances": [
    {
      object (TypeEnrichmentProvenance)
    }
  ]
}

{
  "enrichment_type": enum (EnrichmentType),
  "field_enrichment_provenances": [
    {
      object (FieldEnrichmentProvenance)
    }
  ]
}

{
  "enriching_events": [
    {
      object (EnrichingEvent)
    }
  ]
}

{
  "enriching_event_type": enum (EnrichingEventType),
  "event_id": string
}

{
  "raw_logs": [
    {
      object (RawLog)
    }
  ]
}

{
  "timestamp": string,
  "source_product": string,
  "log_bytes": string,
  "search_results": [
    {
      object (Range)
    }
  ],
  "type": enum (LogType)
}

{
  "start": string,
  "end": string
}