
Announcing the release of a simple SecOps API Wrapper SDK: https://pypi.org/project/secops/

now using the SecOps API is as easy as:

pip install secops


from secops import SecOpsClient

client = SecOpsClient()
chronicle = client.chronicle(
    customer_id="your-chronicle-instance-id",
    project_id="your-project-id",
    region="us"
)


Currently supported methods:

UDM Search

Stats Search

CSV Export

Entity Summaries

Entity Summary from UDM Search

List IOC Matches in Time Range

Get Cases

Get Alerts


Please let us know your feedback, and which other use cases you'd like to see supported.

@raybrian Do you know if you can specify a log_type using the ingest_udm? I am not finding any documentation. The events are just showing up with a UDM as the log_type.

In the example for ingest_log, a log_type is defined.

labeled_result = chronicle.ingest_log(
    log_type="OKTA",
    log_message=json.dumps(okta_log),
    labels={"environment": "production", "app": "web-portal", "team": "security"}
)

The example for ingest_udm does not have a log_type defined:

result = chronicle.ingest_udm(udm_events=[network_event, process_event])

Does the log_type need to be in the UDM payload?

{
  "log_type": "Custom",
  "events": []
}
You can specify log_type for each event using `metadata`.

The example for passing log_type in UDM:

events = [
    {
        "metadata": {
            "log_type": "Custom",
            "event_type": "NETWORK_CONNECTION",
            "product_name": "My Security Product"
        },
        "principal": {"ip": "192.168.1.100"},
        "target": {"ip": "10.0.0.1"}
    },
    {
        "metadata": {
            "log_type": "Custom",
            "event_type": "PROCESS_LAUNCH",
            "product_name": "My Security Product"
        },
        "principal": {
            "hostname": "workstation1",
            "process": {"command_line": "./malware.exe"}
        }
    }
]

result = chronicle.ingest_udm(events)

More detail on fields available for event can be found here.

I think since UDM events are processed as entities, there is no option to specify a log type to associate with all events (similar to log ingestion), as each event could be associated with different log types.


Just wanted to clarify on the metadata.log_type field. While importing a UDM event, even if you specify metadata.log_type, the UDM event will be ingested with metadata.log_type as UDM, since you are importing in UDM format and not in any log type format. metadata.log_type is populated by the SecOps backend based on the parser used for ingestion.

There is a way to preserve the log type when importing UDM content by using metadata.ingestion_label, where you can provide a key/value pair (Ref datamodel). This also supports rule or search filtering (if that's your ultimate use-case).

Reference to related discussion.

Example usage of metadata.ingestion_label:

events = [
    {
        "metadata": {
            "ingestion_labels": [{"key": "log_type", "value": "Custom"}],
            "event_type": "NETWORK_CONNECTION",
            "product_name": "My Security Product"
        },
        "principal": {"ip": "192.168.1.100"},
        "target": {"ip": "10.0.0.1"}
    },
    {
        "metadata": {
            "ingestion_labels": [{"key": "log_type", "value": "Custom"}],
            "event_type": "PROCESS_LAUNCH",
            "product_name": "My Security Product"
        },
        "principal": {
            "hostname": "workstation1",
            "process": {"command_line": "./malware.exe"}
        }
    }
]

result = chronicle.ingest_udm(events)
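As an added illustration (not code from the SDK or from any post in this thread), assuming UDM events shaped like the ones above: a small Python helper that attaches the log_type ingestion label to each event before ingestion, drops any metadata.log_type the backend would overwrite with UDM anyway, and reads the label back the way a search or rule filter on the label would. The helper names and the sample events are constructed here.

```python
import copy
import json

# Constructed sample events in the shape used in this thread (not real telemetry).
SAMPLE_EVENTS = [
    {"metadata": {"event_type": "NETWORK_CONNECTION", "product_name": "My Security Product"},
     "principal": {"ip": "192.168.1.100"}, "target": {"ip": "10.0.0.1"}},
    {"metadata": {"event_type": "PROCESS_LAUNCH", "product_name": "My Security Product",
                  "log_type": "Custom"},  # backend replaces this with "UDM" on ingest
     "principal": {"hostname": "workstation1"}},
]


def label_log_type(events, log_type, key="log_type"):
    """Return copies of `events` carrying metadata.ingestion_labels [{key, log_type}].

    metadata.log_type is removed because UDM ingestion sets it to "UDM";
    the ingestion label is what survives and can be filtered on later.
    """
    labelled = []
    for ev in events:
        ev = copy.deepcopy(ev)  # never mutate the caller's events
        meta = ev.setdefault("metadata", {})
        if "event_type" not in meta:
            raise ValueError("metadata.event_type is required for a UDM event")
        meta.pop("log_type", None)
        labels = meta.setdefault("ingestion_labels", [])
        # Idempotent: re-labelling with the same key/value adds no duplicate entry.
        if not any(l.get("key") == key and l.get("value") == log_type for l in labels):
            labels.append({"key": key, "value": log_type})
        labelled.append(ev)
    return labelled


def label_value(event, key="log_type"):
    """Read back the label value for `key`, or None if the event carries none."""
    for lbl in event.get("metadata", {}).get("ingestion_labels", []):
        if lbl.get("key") == key:
            return lbl.get("value")
    return None


if __name__ == "__main__":
    events = label_log_type(SAMPLE_EVENTS, "Custom")
    print(json.dumps(events, indent=2))
    # To send them with the SDK from the announcement (needs credentials; not run here):
    # from secops import SecOpsClient
    # chronicle = SecOpsClient().chronicle(customer_id=..., project_id=..., region="us")
    # chronicle.ingest_udm(events)
```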
