In a recent Community Post, @raybrian introduced the API Wrapper SDK for Google SecOps.
The API Wrapper SDK encapsulates common use cases of the Google SecOps API, like running entity lookups, performing UDM searches, and more. In this post, we'll use the SDK to create a script that queries Google SecOps for network logs related to large outbound data transfers.
The first step in our workflow is to make sure we install the corresponding Python module. In this example, I'll use pip.
Once the Python module is installed, we can proceed to create the rest of our script. From the associated documentation in GitHub, we can see that the SDK supports a method called search_udm, which we'll use to perform our query. Before we write more code, let's first use Cloud Shell to initialize our application-default credentials using gcloud:
gcloud auth application-default login
Using gcloud to initialize application-default credentials in this way is one of several supported ways to authenticate the API Wrapper SDK. After running the gcloud command in Cloud Shell, we can go back to working on the Python script.
To construct our UDM query, we can focus on logs whose metadata.event_type is "NETWORK_CONNECTION" and whose network.sent_bytes value is larger than 10000000 (10MB).
#!/usr/bin/env python3
# This script demonstrates running a UDM search using the Google SecOps SDK with Python.
# Prior to running this script, remember to establish authentication with
# "gcloud auth application-default login" or an alternate supported method.
# Google SecOps SDK and all associated documentation by raybrian@. This tutorial script by vaskenh@.
from datetime import datetime, timedelta, timezone

from secops import SecOpsClient

# Picks up the application-default credentials initialized with gcloud above.
client = SecOpsClient()
chronicle = client.chronicle(
    customer_id="you-can-find-this-value-on-the-secops-overview-page",
    project_id="vaskenh-chronicle",
    region="us"
)

# Search window: the last 72 hours, in UTC.
end_time = datetime.now(timezone.utc)
start_time = end_time - timedelta(hours=72)

# Perform a UDM search for the last 10 network connection events that sent more than 10MB (10000000 bytes).
results = chronicle.search_udm(
    query="""
    metadata.event_type = "NETWORK_CONNECTION" and network.sent_bytes > 10000000 and ip != ""
    """,
    start_time=start_time,
    end_time=end_time,
    max_events=10
)
print(results)
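Printing the raw result is fine for a first test, but a responder usually wants the transfers rolled up per source and destination host. The following is an added example, not code from the original post or from the SDK: it parameterizes the query's byte threshold and aggregates sent bytes per host pair. It assumes that search_udm() returns a dict whose "events" list holds each UDM record under a "udm" key, and that integer fields may arrive as strings; the sample response is constructed.

```python
#!/usr/bin/env python3
# Added example (not from the original post): turn a search_udm() result into
# a per-host summary of large outbound transfers.
from collections import defaultdict

THRESHOLD_BYTES = 10_000_000  # 10MB, the threshold used in the post's query

def build_query(threshold_bytes: int) -> str:
    """Build the post's UDM search string with the byte threshold as a parameter."""
    return (
        'metadata.event_type = "NETWORK_CONNECTION" '
        f'and network.sent_bytes > {int(threshold_bytes)} and ip != ""'
    )

def summarize_transfers(results: dict, threshold_bytes: int = THRESHOLD_BYTES) -> list:
    """Aggregate sent bytes per (source IP, destination IP), largest total first.

    Assumption: results has the shape of chronicle.search_udm() output, i.e. a
    dict whose "events" list holds entries with the UDM record under "udm".
    UDM ip fields are repeated (lists); int64 values may be JSON strings.
    """
    totals = defaultdict(int)
    for entry in results.get("events", []):
        udm = entry.get("udm", {})
        sent = int(udm.get("network", {}).get("sent_bytes", 0) or 0)
        if sent <= threshold_bytes:
            continue  # drop anything the query threshold should already exclude
        src = (udm.get("principal", {}).get("ip") or ["unknown"])[0]
        dst = (udm.get("target", {}).get("ip") or ["unknown"])[0]
        totals[(src, dst)] += sent
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

# Constructed sample response for offline use; a live run would instead pass
# the return value of chronicle.search_udm(query=build_query(THRESHOLD_BYTES), ...).
SAMPLE_RESULTS = {
    "events": [
        {"udm": {"principal": {"ip": ["10.0.0.5"]}, "target": {"ip": ["203.0.113.10"]},
                 "network": {"sent_bytes": "25000000"}}},
        {"udm": {"principal": {"ip": ["10.0.0.5"]}, "target": {"ip": ["203.0.113.10"]},
                 "network": {"sent_bytes": 15000000}}},
        {"udm": {"principal": {"ip": ["10.0.0.9"]}, "target": {"ip": ["198.51.100.7"]},
                 "network": {"sent_bytes": 12000000}}},
        {"udm": {"principal": {"ip": ["10.0.0.2"]}, "target": {"ip": ["198.51.100.7"]},
                 "network": {"sent_bytes": 4096}}},
    ],
    "total_events": 4,
}

if __name__ == "__main__":
    for (src, dst), total in summarize_transfers(SAMPLE_RESULTS):
        print(f"{src} -> {dst}: {total:,} bytes")
```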