- HTTP request
- Path parameters
- Query parameters
- Request body
- Response body
- Authorization scopes
- IAM Permissions
- StatsData
- StatsColumnData
- StatsColumnType
- StatsColumnValue
- StatsList
Full name: projects.locations.instances.udmSearch
Performs a UDM search that returns matching events for the query.
HTTP request
GET https://chronicle.googleapis.com/v1alpha/{instance}:udmSearch
Path parameters
| Parameters | |
|---|---|
instance |
Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance} |
Query parameters
| Parameters | |
|---|---|
query |
Required. The boolean query to search for. Example: 'ip=/172.*/ AND metadata.event_type!="NETWORK_CONNECTION" AND ( target.ip = "3.225.179.73" OR target.ip = "23.47.48.70")' |
timeRange |
Required. Time range to search for [Inclusive start time, exclusive end time). |
limit |
Maximum number of results to be returned for the query. Anything over 10000 will be coerced to 10000. |
Request body
The request body must be empty.
Response body
Returns results matching the query and time range in UdmSearchRequest.
If successful, the response body contains data with the following structure:
| JSON representation |
|---|
{ "events": [ { object ( |
| Fields | |
|---|---|
events[] |
List of matched events. |
more_data_available |
Too many events matched the search criterion, some results have been omitted. |
stats |
LINT.ThenChange( //depot/google3/googlex/security/malachite/proto/udm_search.proto:stats_data ) Stats response for the query. |
Authorization scopes
Requires the following OAuth scope:
https://www.googleapis.com/auth/cloud-platform
For more information, see the Authentication Overview.
IAM Permissions
Requires the following IAM permission on the instance resource:
chronicle.events.udmSearch
For more information, see the IAM documentation.
StatsData
LINT.IfChange(stats_data) Stats results when the query is for statistics
| JSON representation |
|---|
{
"results": [
{
object ( |
| Fields | |
|---|---|
results[] |
Result rows that are queried. |
too_many_results |
If true, there are too many results to return and some have been omitted. |
StatsColumnData
Represents a single column in the set of columns returned as the stats query result.
| JSON representation |
|---|
{
"column": string,
"values": [
{
object ( |
| Fields | |
|---|---|
column |
Used to store column names. |
values[] |
Store list of values in a column. |
StatsColumnType
Singular vs list of values in a column.
| JSON representation |
|---|
{ // Union field |
| Fields | |
|---|---|
Union field type. Store single value or list of values in a column. type can be only one of the following: |
|
value |
Single value in a column. |
list |
List of values in a column e.g. IPs |
StatsColumnValue
Represents a single value in the set of values returned as the stats query result.
| JSON representation |
|---|
{ // Union field |
| Fields | |
|---|---|
Union field value. Value of the column based on data type value can be only one of the following: |
|
null_val |
True if the value is NULL. |
bool_val |
Boolean value. |
bytes_val |
Bytes value. A base64-encoded string. |
double_val |
Double value. |
int64_val |
Integer value (signed). |
uint64_val |
Un-signed integer value. |
string_val |
String value. Enum values are returned as strings. |
timestamp_val |
Timestamp values. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
date_val |
Date values. |
proto_val |
For any proto values that are not any of the above. An object containing fields of an arbitrary type. An additional field |
StatsList
Store list of values in a column.
| JSON representation |
|---|
{
"values": [
{
object ( |
| Fields | |
|---|---|
values[] |
List of values in one cell of the column. |