This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
New SecOps Webinar May 14th! Learn about Gemini's generative AI within Google SecOps
Log in to ask a question

Best way to export events from broad queries

Posted on 12-11-2024 04:41 PM
wonjulee
Bronze 3
Bronze 3
Reply posted on --/--/---- --:-- AM

Hi,

What is the best way to export large amounts of results from (very) broad queries? It seems that the SecOps UI only shows and allows the exporting of 1,000,000 events when very broad queries are executed. I want to export a large amount of parsed event data (more than 20 million individual events) and analyse the data through pandas on python. 

I understand that I can do this through the SecOps API or through BigQuery, but are there any costs incurred through these processes? Would there be any more efficient methods that I could try out?

Thank you very much.

Solved Solved
0 2 240
Topic Labels
Jump to Solution
0 Likes
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
gkush
Staff
Reply posted on --/--/---- --:-- AM

Hi Wonjulee,

As part of the shared resource of the SecOps SaaS, SecOps limits your queries, whether UI based or API-based, to 1M results in a UDM Search. This doesn't mean that aggregate information gets cut off at 1M records. Suppose you wanted a count of all DNS lookups done across all endpoints for a month?  In most places that would reach past 1M results, and with Stats Search you could get the aggregate count, but not the full set of data.

Since you said you wanted the records themselves for analysis, you could try to break your query up into chunks and align based on timestamps.  That would be something you could try in a script - get a set, figure out the timestamp, keep looking backwards from the last returned result.

Depending on your license tier, another option might be the BigQuery data lake?  You should be able to run your SQL-based query on the UDM fields you want and then pull the data out.  

View solution in original post

Jump to Solution
2 REPLIES 2

Posted on --/--/---- --:-- AM
gkush
Staff
Reply posted on --/--/---- --:-- AM

Hi Wonjulee,

As part of the shared resource of the SecOps SaaS, SecOps limits your queries, whether UI based or API-based, to 1M results in a UDM Search. This doesn't mean that aggregate information gets cut off at 1M records. Suppose you wanted a count of all DNS lookups done across all endpoints for a month?  In most places that would reach past 1M results, and with Stats Search you could get the aggregate count, but not the full set of data.

Since you said you wanted the records themselves for analysis, you could try to break your query up into chunks and align based on timestamps.  That would be something you could try in a script - get a set, figure out the timestamp, keep looking backwards from the last returned result.

Depending on your license tier, another option might be the BigQuery data lake?  You should be able to run your SQL-based query on the UDM fields you want and then pull the data out.  

Jump to Solution

Posted on --/--/---- --:-- AM
AymanC
Silver 3
Silver 3
Reply posted on --/--/---- --:-- AM

Hi @wonjulee,

It may be worth looking into the following API endpoint: https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances.legacy/l...

I've not personally tried this, but our Customer Success Team has previously suggested using it to export a large amount of data.

Kind Regards,

Ayman

Jump to Solution
Top Solution Authors
View all