Method: searchedResults.list

Full name: projects.locations.instances.searchSessions.searchedResults.list

Retrieves results from a completed Search operation.

HTTP request

GET https://{endpoint}/v1alpha/{parent}/searchedResults

Where {endpoint} is one of the supported service endpoints.

Path parameters

Parameters
parent

string

Required. The parent SearchSession resource name. Format: projects/{project}/locations/{location}/instances/{instance}/searchSessions/{searchSession}

Query parameters

Parameters
pageSize

integer

Optional. The maximum number of results to return. The service may return fewer. If unspecified, at most 100 results will be returned. The maximum value is 1000.

pageToken

string

Optional. A page token, received from a previous searchedResults.list call. Provide this to retrieve the subsequent page.

orderBy

string

Optional. The column to sort the results on, followed by the sort direction. Examples: "eventTimestamp desc", "principal.hostname asc". Sorting on more than one column is not supported.

skip

integer

Optional. The number of results to skip before the first returned result. Do not combine this field with pageToken; use one or the other.

Request body

The request body must be empty.

Response body

Response message for the searchedResults.list method.

If successful, the response body contains data with the following structure:

JSON representation
{
  "searchedResults": [
    {
      object (SearchedResult)
    }
  ],
  "totalSize": integer,
  "columnNames": {
    object (ColumnNames)
  },
  "columnSchema": {
    object (ColumnSchema)
  },
  "nextPageToken": string
}
Fields
searchedResults[]

object (SearchedResult)

The results on this page, one SearchedResult per result row.

totalSize

integer

Total number of rows in the result set of the search query.

columnNames

object (ColumnNames)

List of column names for the outcome section of the query result.

columnSchema

object (ColumnSchema)

Column schema for the results, derived from the query columns. Carries per-table metadata such as the table alias and its data source (see TableMetadata).

nextPageToken

string

A token, which can be sent as pageToken to retrieve the next page. If this field is omitted, there are no subsequent pages.
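The paging rules above (pageToken and skip are mutually exclusive, pageSize is capped at 1000, an omitted nextPageToken ends the walk) are easy to get subtly wrong in a client. The following is an added example, not code from the page or from Google's client libraries: it builds the GET URL, validates the parent name against the documented format, and walks every page by nextPageToken with a guard against a repeated token. The endpoint host, the resource names and the response pages are constructed placeholders; the HTTP call is abstracted behind a `fetch` callable so the caller attaches the OAuth bearer token however it likes.

```python
import re
from typing import Callable, Dict, Iterator, List, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Shape of the parent SearchSession name documented for this method.
PARENT_RE = re.compile(
    r"^projects/[^/]+/locations/[^/]+/instances/[^/]+/searchSessions/[^/]+$"
)
MAX_PAGE_SIZE = 1000  # documented maximum for pageSize


def paging_args_error(page_token: Optional[str], skip: Optional[int]) -> Optional[str]:
    """Return a message if the paging arguments break the documented rules, else None."""
    if page_token is not None and skip is not None:
        return "skip must not be combined with pageToken"
    if skip is not None and skip < 0:
        return "skip must be non-negative"
    return None


def build_list_url(endpoint: str, parent: str, *, page_size: Optional[int] = None,
                   page_token: Optional[str] = None, skip: Optional[int] = None,
                   order_by: Optional[str] = None) -> str:
    """Build the GET URL for searchedResults.list, validating inputs up front."""
    if not PARENT_RE.match(parent):
        raise ValueError(f"parent is not a SearchSession resource name: {parent!r}")
    err = paging_args_error(page_token, skip)
    if err:
        raise ValueError(err)
    params: Dict[str, str] = {}
    if page_size is not None:
        if not 1 <= page_size <= MAX_PAGE_SIZE:
            raise ValueError(f"pageSize must be in 1..{MAX_PAGE_SIZE}")
        params["pageSize"] = str(page_size)
    if page_token is not None:
        params["pageToken"] = page_token
    if skip is not None:
        params["skip"] = str(skip)
    if order_by is not None:
        params["orderBy"] = order_by  # a single column, e.g. "eventTimestamp desc"
    url = f"https://{endpoint}/v1alpha/{parent}/searchedResults"
    return url + ("?" + urlencode(params) if params else "")


def iter_searched_results(fetch: Callable[[str], dict], endpoint: str, parent: str,
                          page_size: int = 100, max_pages: int = 1000) -> Iterator[dict]:
    """Yield every SearchedResult across pages.

    `fetch` performs the authenticated GET and returns the parsed JSON body.
    Pagination follows nextPageToken only and never mixes in skip. A repeated
    token or an excessive page count aborts the walk instead of looping forever.
    """
    token: Optional[str] = None
    seen = set()
    for _ in range(max_pages):
        body = fetch(build_list_url(endpoint, parent, page_size=page_size, page_token=token))
        for item in body.get("searchedResults", []):
            yield item
        token = body.get("nextPageToken")
        if not token:
            return  # an omitted or empty nextPageToken means no further pages
        if token in seen:
            raise RuntimeError("service returned a page token that was already used")
        seen.add(token)
    raise RuntimeError(f"gave up after {max_pages} pages")


# Constructed sample pages standing in for the live service (not real API output).
SAMPLE_PARENT = "projects/p/locations/us/instances/i/searchSessions/s"  # hypothetical names
SAMPLE_PAGES = {
    None: {
        "searchedResults": [{"name": f"{SAMPLE_PARENT}/searchedResults/0"},
                            {"name": f"{SAMPLE_PARENT}/searchedResults/1"}],
        "totalSize": 3,
        "nextPageToken": "page-2",
    },
    "page-2": {
        "searchedResults": [{"name": f"{SAMPLE_PARENT}/searchedResults/2"}],
        "totalSize": 3,
    },
}


def fake_fetch(url: str) -> dict:
    """Stand-in for an authenticated HTTP GET: serves SAMPLE_PAGES keyed by pageToken."""
    query = parse_qs(urlparse(url).query)
    return SAMPLE_PAGES[query.get("pageToken", [None])[0]]


def fetch_all_names(fetch: Callable[[str], dict], endpoint: str, parent: str) -> List[str]:
    """Collect the resource names of every result, walking all pages."""
    return [r["name"] for r in iter_searched_results(fetch, endpoint, parent, page_size=2)]


if __name__ == "__main__":
    print(fetch_all_names(fake_fetch, "example-endpoint.invalid", SAMPLE_PARENT))
```

To run it against a real instance, replace `fake_fetch` with a function that issues the GET with an `Authorization: Bearer` header carrying a token minted for one of the scopes listed under Authorization scopes, and pass your regional endpoint host and SearchSession name. The totalSize field tells you how many rows exist in all, so it is a cheap cross-check that the page walk did not stop early.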

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/cloud-platform
  • https://www.googleapis.com/auth/chronicle
  • https://www.googleapis.com/auth/chronicle.readonly

For more information, see the Authentication Overview.

IAM Permissions

Requires the following IAM permission on the parent resource:

  • chronicle.searchedResults.list

For more information, see the IAM documentation.

SearchedResult

SearchedResult holds one row of the results of a Search operation.

JSON representation
{
  "name": string,
  "resultRow": {
    object (ResultRow)
  }
}
Fields
name

string

Identifier. The resource name of the search results. Format: projects/{project}/locations/{location}/instances/{instance}/searchSessions/{searchSession}/searchedResults/{searchedResult}

resultRow

object (ResultRow)

A flexible row holding exactly one of: a UDM event, a stats row, an entity context, a join result, a detection, or a data table row (see the union field of ResultRow).

ResultRow

ResultRow is a flexible container for one search result row. It currently carries UDM events, stats rows, entity contexts, join results, detections and data table rows, and is intended to cover further data sources in the future.

JSON representation
{
  "outcomes": [
    {
      object (ColumnType)
    }
  ],

  // Union field result can be only one of the following:
  "eventRecord": {
    object (EventRecord)
  },
  "statsRecord": {
    object (StatsRecord)
  },
  "entityContextRecord": {
    object (EntityContextRecord)
  },
  "joinRecord": {
    object (JoinRecord)
  },
  "detectionRecord": {
    object (DetectionRecord)
  },
  "dataTableRecord": {
    object (DataTableRecord)
  }
  // End of list of possible types for union field result.
}
Fields
outcomes[]

object (ColumnType)

Outcome fields requested in the query for this row. Their names are listed in the response's columnNames.

Union field result. A result row of the search query. result can be only one of the following:
eventRecord

object (EventRecord)

UDM event.

statsRecord

object (StatsRecord)

Stats record.

entityContextRecord

object (EntityContextRecord)

Entity context graph.

joinRecord

object (JoinRecord)

Join results.

detectionRecord

object (DetectionRecord)

Detection.

dataTableRecord

object (DataTableRecord)

Data table.

EventRecord

EventRecord stores information about a UDM event.

JSON representation
{
  "event": {
    object (Event)
  },
  "eventLogToken": string,
  "alertNumber": integer,
  "alertViewId": string,
  "annotations": [
    enum (Annotation)
  ],
  "detections": [
    {
      object (Collection)
    }
  ],
  "table": string
}
Fields
event

object (Event)

The UDM Event.

eventLogToken

string (bytes format)

Raw log tokens mapped to the event. Can be used to locate the raw log entry that generated the event.

A base64-encoded string.

alertNumber

integer

If the event should be treated as an alert, the unique identifier for the alert.

alertViewId

string (bytes format)

Alert View-specific ID, used to build a link to the Alert View.

A base64-encoded string.

annotations[]

enum (Annotation)

Annotations added to an event.

detections[]

object (Collection)

Detections associated with an event.

table

string

User-defined table alias for the event in a join query.

Annotation

Annotation for an event.

Enums
ANNOTATION_UNSPECIFIED Unspecified - no annotation to display.
ANNOTATION_ALERT Event is associated with one or more alerts.

StatsRecord

StatsRecord contains a row in the response of a stats query.

JSON representation
{
  "results": [
    {
      object (StatsColumnData)
    }
  ]
}
Fields
results[]

object (StatsColumnData)

Contains all columns resulting from a stats query and one row of values.

StatsColumnData

Represents a single column with a single cell in the set of columns returned as the stats query result.

JSON representation
{
  "column": string,
  "values": {
    object (ColumnType)
  }
}
Fields
column

string

The column name.

values

object (ColumnType)

The value (or list of values) in this column for this row.

ColumnType

A single value or a list of values in one column.

JSON representation
{

  // Union field type can be only one of the following:
  "value": {
    object (ColumnValue)
  },
  "list": {
    object (ColumnValueList)
  }
  // End of list of possible types for union field type.
}
Fields
Union field type. Store single value or list of values in a column. type can be only one of the following:
value

object (ColumnValue)

Single value in a column.

list

object (ColumnValueList)

List of values in a column, e.g. a set of IP addresses.

ColumnValue

Represents a single value in the set of values returned as the query result.

JSON representation
{

  // Union field value can be only one of the following:
  "nullVal": boolean,
  "boolVal": boolean,
  "bytesVal": string,
  "doubleVal": number,
  "int64Val": string,
  "uint64Val": string,
  "stringVal": string,
  "timestampVal": string,
  "dateVal": {
    object (Date)
  },
  "protoVal": {
    "@type": string,
    field1: ...,
    ...
  }
  // End of list of possible types for union field value.
}
Fields
Union field value. Value of the column based on data type. value can be only one of the following:
nullVal

boolean

True if the value is NULL.

boolVal

boolean

Boolean value.

bytesVal

string (bytes format)

Bytes value.

A base64-encoded string.

doubleVal

number

Double value.

int64Val

string (int64 format)

Integer value (signed).

uint64Val

string

Unsigned 64-bit integer value, encoded as a decimal string in the same way as int64Val.

stringVal

string

String value. Enum values are returned as strings.

timestampVal

string (Timestamp format)

Timestamp value.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

dateVal

object (Date)

Date value.

protoVal

object

Any protobuf message value not covered by the cases above.

An object containing fields of an arbitrary type. An additional field "@type" contains a URI identifying the type. Example: { "id": 1234, "@type": "types.example.com/standard/id" }.

ColumnValueList

Stores a list of values for a single column.

JSON representation
{
  "values": [
    {
      object (ColumnValue)
    }
  ]
}
Fields
values[]

object (ColumnValue)

List of values in one cell of the column.
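Consumers of this API have to unwrap two unions (ColumnType: value or list; ColumnValue: one of ten typed members) and respect the JSON encodings called out above: 64-bit integers arrive as decimal strings, bytes as base64, timestamps as RFC 3339 with 'Z' or a numeric offset and 0 to 9 fractional digits, and a NULL as nullVal rather than an absent field. The block below is an added example, not Google's code: it maps a ColumnValue onto native Python types, pairs a row's outcomes[] with columnNames.names, and flags rows whose eventRecord carries ANNOTATION_ALERT. The sample response, the resource names and the hostnames/IPs in it are constructed; the {year, month, day} shape assumed for dateVal is an assumption, since this page only names the Date type.

```python
import base64
import re
from datetime import date, datetime, timedelta, timezone
from typing import Any, Dict, List

# RFC 3339 as documented for timestampVal: 'Z' or a numeric offset, 0-9 fractional digits.
RFC3339_RE = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.(\d{1,9}))?(Z|[+-]\d{2}:\d{2})$"
)


def parse_rfc3339(text: str) -> datetime:
    """Parse a timestampVal into a UTC datetime; nanoseconds are truncated to microseconds."""
    m = RFC3339_RE.match(text)
    if not m:
        raise ValueError(f"not an RFC 3339 timestamp: {text!r}")
    y, mo, d, h, mi, s, frac, off = m.groups()
    micros = int((frac or "").ljust(9, "0")[:6])
    if off == "Z":
        tz = timezone.utc
    else:
        sign = 1 if off[0] == "+" else -1
        tz = timezone(sign * timedelta(hours=int(off[1:3]), minutes=int(off[4:6])))
    local = datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), micros, tzinfo=tz)
    return local.astimezone(timezone.utc)


def decode_column_value(cv: Dict[str, Any]) -> Any:
    """Map the ColumnValue union onto a native Python value, honouring the JSON encodings."""
    if "nullVal" in cv:
        return None
    if "boolVal" in cv:
        return bool(cv["boolVal"])
    if "bytesVal" in cv:
        return base64.b64decode(cv["bytesVal"], validate=True)
    if "doubleVal" in cv:
        return float(cv["doubleVal"])
    if "int64Val" in cv:
        return int(cv["int64Val"])  # 64-bit integers arrive as decimal strings
    if "uint64Val" in cv:
        v = int(cv["uint64Val"])
        if v < 0:
            raise ValueError("uint64Val cannot be negative")
        return v
    if "stringVal" in cv:
        return cv["stringVal"]  # enums also come through here as their names
    if "timestampVal" in cv:
        return parse_rfc3339(cv["timestampVal"])
    if "dateVal" in cv:
        d = cv["dateVal"]  # assumed {year, month, day}; zero means unspecified
        if all(d.get(k) for k in ("year", "month", "day")):
            return date(d["year"], d["month"], d["day"])
        return d
    if "protoVal" in cv:
        return cv["protoVal"]  # opaque message; keep the dict including "@type"
    raise ValueError("ColumnValue carries none of the union members")


def decode_column_type(ct: Dict[str, Any]) -> Any:
    """ColumnType is either a single value or a ColumnValueList."""
    if "value" in ct:
        return decode_column_value(ct["value"])
    if "list" in ct:
        return [decode_column_value(v) for v in ct["list"].get("values", [])]
    raise ValueError("ColumnType carries neither value nor list")


def decode_outcomes(result_row: Dict[str, Any], column_names: List[str]) -> Dict[str, Any]:
    """Pair outcomes[] with columnNames.names; a length mismatch is an error, never silently truncated."""
    outcomes = result_row.get("outcomes", [])
    if len(outcomes) != len(column_names):
        raise ValueError(f"{len(outcomes)} outcomes for {len(column_names)} column names")
    return {name: decode_column_type(ct) for name, ct in zip(column_names, outcomes)}


def is_alert_event(result_row: Dict[str, Any]) -> bool:
    """True when the row is a UDM event annotated as associated with an alert."""
    ev = result_row.get("eventRecord")
    return bool(ev) and "ANNOTATION_ALERT" in ev.get("annotations", [])


def decode_response(resp: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Flatten a searchedResults.list response into one dict per row plus an _alert flag."""
    names = resp["columnNames"]["names"]
    rows = []
    for sr in resp["searchedResults"]:
        row = decode_outcomes(sr["resultRow"], names)
        row["_alert"] = is_alert_event(sr["resultRow"])
        rows.append(row)
    return rows


# Constructed sample response (not real API output); names and addresses are hypothetical.
SESSION = "projects/p/locations/us/instances/i/searchSessions/s"
SAMPLE_RESPONSE = {
    "columnNames": {"names": ["principal.hostname", "target.ip", "hit_count", "first_seen"]},
    "searchedResults": [
        {"name": f"{SESSION}/searchedResults/0", "resultRow": {
            "outcomes": [
                {"value": {"stringVal": "ws-0042"}},
                {"list": {"values": [{"stringVal": "10.0.0.5"}, {"stringVal": "10.0.0.9"}]}},
                {"value": {"int64Val": "42"}},
                {"value": {"timestampVal": "2014-10-02T15:01:23.045123456Z"}},
            ],
            "eventRecord": {"event": {}, "annotations": ["ANNOTATION_ALERT"]}}},
        {"name": f"{SESSION}/searchedResults/1", "resultRow": {
            "outcomes": [
                {"value": {"stringVal": "ws-0043"}},
                {"list": {"values": []}},
                {"value": {"nullVal": True}},
                {"value": {"timestampVal": "2014-10-02T15:01:23+05:30"}},
            ],
            "statsRecord": {"results": []}}},
    ],
}

if __name__ == "__main__":
    for row in decode_response(SAMPLE_RESPONSE):
        print(row)
```

Two choices worth noting: timestamps are normalised to UTC so that rows sorted or compared downstream do not depend on which offset the service chose to emit, and an outcomes/columnNames length mismatch raises instead of being zipped short, because silently dropping a column is exactly the kind of defect that hides data during an investigation.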

EntityContextRecord

EntityContextRecord stores information about an entity context graph entry.

JSON representation
{
  "entity": {
    object (Entity)
  },
  "eventLogToken": string,
  "timed": boolean,
  "table": string
}
Fields
entity

object (Entity)

The entity returned by a UDM entity context graph (ECG) search.

eventLogToken

string

Raw log tokens mapped to the event that created the entity. Only populated for entity context events.

timed

boolean

Whether the entity is timed.

table

string

User-defined table alias for the entity in a join query.

JoinRecord

JoinRecord stores information about a join result.

JSON representation
{
  "events": [
    {
      object (EventRecord)
    }
  ],
  "entities": [
    {
      object (EntityContextRecord)
    }
  ],
  "dataTables": [
    {
      object (DataTableRecord)
    }
  ]
}
Fields
events[]

object (EventRecord)

The events that are joined.

entities[]

object (EntityContextRecord)

The entities that are joined.

dataTables[]

object (DataTableRecord)

The data tables that are joined.

DataTableRecord

DataTableRecord contains information about a Data table.

JSON representation
{
  "dataTable": string,
  "cells": [
    {
      object (SearchDataTableRowCell)
    }
  ]
}
Fields
dataTable

string

The resource name of the Data table. Format: projects/{project}/locations/{location}/instances/{instance}/dataTables/{dataTable}

cells[]

object (SearchDataTableRowCell)

The cells of a single Data table row, one per column.

SearchDataTableRowCell

A key-value pair of column name and value, representing one cell in the Data table.

JSON representation
{
  "column": string,
  "value": string
}
Fields
column

string

The name of the column.

value

string

The value of the column.

DetectionRecord

DetectionRecord stores information about a detection.

JSON representation
{
  "id": string,
  "collection": {
    object (Collection)
  }
}
Fields
id

string (bytes format)

The ID of the detection.

A base64-encoded string.

collection

object (Collection)

The detection.

ColumnNames

List of column names for the outcome section of the query result.

JSON representation
{
  "names": [
    string
  ]
}
Fields
names[]

string

List of column names.

ColumnSchema

Schema of the tables used in a query.

JSON representation
{
  "metadata": [
    {
      object (TableMetadata)
    }
  ]
}
Fields
metadata[]

object (TableMetadata)

Metadata about the tables used in the query.

TableMetadata

Metadata about a table used in a query.

JSON representation
{
  "table": string,
  "dataSource": enum (DataSource),
  "index": integer
}
Fields
table

string

The alias of the table in the query.

dataSource

enum (DataSource)

The type of data source.

index

integer

The index of the table in the query.

DataSource

The type of data source.

Enums
DATA_SOURCE_UNSPECIFIED Unspecified data source.
EVENTS UDM events.
ENTITY_CONTEXT Entity context.
DATA_TABLES Data tables.
DETECTIONS Detections.