Chronicle Search API to Pull UDM data

Good morning--

Looking for some feedback on the feasibility of pulling large UDM datasets out of Chronicle using a curl command. We previously did this successfully using Splunk, but I'd prefer to not waste my time going down any rabbit holes if it is simply not possible in Chronicle.

Basically I'd like to query our Tenable vulnerability data (currently parsed out into UDM fields in Chronicle) and export 15 or so of the fields to a CSV, which would then be uploaded to JIRA for remediation.

I see within the API documentation there is a way to search UDM but I don't see any documentation around pulling all events from a specific log type. 

I've been using the following documentation as a guide so far:

https://cloud.google.com/chronicle/docs/reference/search-api

Thanks in advance for any help you can provide

ACCEPTED SOLUTION

The UDM search endpoint is documented here: https://cloud.google.com/chronicle/docs/reference/search-api#udmsearch

You can see one of the parameters is a query, so for your example, if you want to pull your Tenable data, the query would look like:

metadata.log_type = "TENABLE_IO"

That should retrieve all the Tenable events from the time span you specify in the API request.

-mike

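As an added example (not code from the thread or from Google), the script below builds the udmSearch request parameters for the query in the accepted answer and flattens the response into the kind of CSV the original poster wants for JIRA. It assumes the endpoint URL, the `query`/`time_range.*`/`limit` parameter names and the `events`/`moreDataAvailable` response shape from the linked Search API reference, and the UDM field names for Tenable findings are illustrative; the sample response is constructed.

```python
import csv
import io

# Assumption: legacy Chronicle Search API endpoint and parameter names as in the linked reference.
UDM_SEARCH_URL = "https://backstory.googleapis.com/v1/events:udmSearch"
TENABLE_QUERY = 'metadata.log_type = "TENABLE_IO"'  # query from the accepted answer

def build_udm_search_params(query, start, end, limit=1000):
    """Query-string parameters for events:udmSearch; start/end are RFC 3339 UTC timestamps."""
    if not 1 <= limit <= 1000:
        raise ValueError("limit must be between 1 and 1000")
    return {"query": query, "time_range.start_time": start,
            "time_range.end_time": end, "limit": limit}

def get_path(node, path):
    """Resolve a dotted UDM path; repeated fields fan out and are joined with ';'."""
    parts = path.split(".")
    def walk(cur, i):
        if isinstance(cur, list):
            return [v for item in cur for v in walk(item, i)]
        if i == len(parts):
            return [cur]
        if isinstance(cur, dict) and parts[i] in cur:
            return walk(cur[parts[i]], i + 1)
        return []  # missing field -> empty cell rather than a KeyError
    return ";".join(str(v) for v in walk(node, 0))

def events_to_csv(events, fields):
    """Flatten the 'events' array of a udmSearch response into CSV text, one row per event."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(fields)
    for ev in events:
        writer.writerow([get_path(ev.get("udm", {}), f) for f in fields])
    return buf.getvalue()

# Constructed sample response in the documented shape (not real Tenable data).
SAMPLE_RESPONSE = {"moreDataAvailable": False, "events": [{"udm": {
    "metadata": {"log_type": "TENABLE_IO", "event_timestamp": "2024-01-02T03:04:05Z"},
    "principal": {"hostname": "web01", "ip": ["10.0.0.5"]},
    "extensions": {"vulns": {"vulnerabilities": [
        {"name": "Example finding", "cve_id": "CVE-0000-0000", "severity": "HIGH"}]}}}}]}
# Assumed UDM field names for the export; adjust to your parser's mapping.
EXPORT_FIELDS = ["metadata.event_timestamp", "principal.hostname", "principal.ip",
                 "extensions.vulns.vulnerabilities.name", "extensions.vulns.vulnerabilities.cve_id",
                 "extensions.vulns.vulnerabilities.severity"]

if __name__ == "__main__":
    print(events_to_csv(SAMPLE_RESPONSE["events"], EXPORT_FIELDS))
```

Send the parameters with a session authorized for the Chronicle API scope (for example google-auth's AuthorizedSession) and, if `moreDataAvailable` comes back true, narrow the time range and query again so no events are silently dropped by the per-request limit.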
