Ingestion methods (new)
This document describes how the new Ingestion methods in the Chronicle API forward logs directly to your Google Security Operations instance. This process eliminates the need for additional hardware or software (for example, forwarders) in your environment.
The Chronicle API service for Google SecOps improves, expands, and adds to the functionality of existing ingestion management API methods and partner API services, for example, the Chronicle Ingestion API .
| Existing Ingestion method | Replaced by new Ingestion method in the Chronicle API | Description |
|---|---|---|
udmEvents
|
ImportEvents
|
Import UDM events. |
unstructuredLogEntries
|
ImportLogs
|
Import unstructured log entries. |
createEntities
|
ImportEntities
|
Import entity context. |
logTypes
|
ListLogTypes
|
List supported log types. |
Explore the Chronicle API
The Chronicle API is a RESTful API with a JSON payload. You can develop systems to call Chronicle API methods directly and forward logs to Google SecOps. Managed Security Service Providers (MSSPs) and your Technology Partners can use these API methods to send logs to Google SecOps.
Forward log data
If you've formatted your log data using Google SecOps Unified
Data Model (UDM), you can forward UDM events to your
Google SecOps account using the ImportEvents
endpoint.
Google SecOps can more effectively process this data and improve
threat detection because it standardizes UDM events. For information about
converting raw logs to UDM, see Format log data as
UDM
.
You can also forward your data to Google SecOps as unstructured
logs using the ImportLogs
endpoint. Your unstructured log data is normalized
within the Google SecOps infrastructure and made available to you
through the Google SecOps console. However, some information may be
difficult to extract from the unstructured log data and might only be searchable
using the Raw Log Scan.
When an Ingestion method processes a batch of logs, it assigns a batch ID for those logs. If the batch ID matches an existing batch ID, the new batch of logs is not forwarded to the Google SecOps instance. Deduplication is based on the batch ID, which is identical if the batches contain the same logs.
To use Ingestion methods in the Chronicle API, you must grant a user or service account the Chronicle API EditorIAM (Identity and Access Management) role. This role provides the necessary permissions to call the API.
Client libraries
Client libraries provide code samples for using Ingestion methods, offering a quick way to access these methods from a supported language. Although you can use the Ingestion methods by making raw requests to the server, client libraries offer simplifications that significantly reduce the amount of code you need to write. Client libraries for Ingestion methods are available on GitHub, in the public Google secops-wrapper examples folder.
Example: UDM event ingestion
The following client library Python script, ingest_udm_events.py
,
demonstrates how to ingest UDM events into Google SecOps, using
the secops
library to interact with the Chronicle API.
Script functions
The script uses a series of functions to demonstrate each scenario.
-
Event creation
The following functions create sample UDM events that include metadata, such as
id,event_timestamp,event_type,product_name, andvendor_name, along with specific details for each event type (for example,IP addresses,ports,command lines,MD5 hashes):-
create_sample_network_event()generates a network connection event. -
create_sample_process_event()generates a process launch event.
-
-
Ingestion
The following functions send (one or more) Chronicle client objects and UDM events to Google SecOps:
-
ingest_single_event()sends a single UDM event (a network event in this example) to the API. -
ingest_multiple_events()sends a list of UDM events (a network event and a process event) to Google SecOps in a single API call. -
ingest_event_without_id()shows that if you omit theidfield, Google SecOps automatically generates one during ingestion.
-
Run the script
The main()
function parses command-line arguments for customer-id
, project-id
, and region
to configure the Chronicleclient. It then calls
the ingestion example functions to demonstrate each scenario. The
script includes error handling to catch APIError
exceptions during ingestion.
Regional endpoints
Your API endpoint depends on the region where your customer account is provisioned. Google SecOps provides the following list of Regional service endpoints .
API behavior and limitations
-
Limitations:
- Maximum individual log size: 4 MB
- Maximum batch size (uncompressed): 4 MB
- Maximum request size: 6 MB
- Request timeout: 60 seconds
-
Best practices:
- Request timeout: Set to 60 seconds
- Number of log lines per batch should be less than 100.
- Batch size should be less than 1 MB.
API reference
Use the Ingestion methods in this section to ingest data into your Google SecOps instance.
ImportEvents
Use this method to import UDM events into Google SecOps.
Reference Documentation: Method: events.import
Full name: projects.locations.instances.events.import
Request
POST https://chronicle.{region}.rep.googleapis.com/v1alpha/{parent}/events:import
Path parameters
| Field | Value | Required | Description |
|---|---|---|---|
{region}
|
string | Yes | The location for the service endpoint. Choose from the Regional service endpoint list. |
{parent}
|
string | Yes | The parent that owns this collection of events. Format: projects/{project}/locations/{region}/instances/{instance}
|
Request body
The following example shows how to import log data in UDM format using the ImportEvents
API method.
{
"parent"
:
"projects/gcp_project_id/locations/us/instances/aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
,
"inlineSource"
:
{
"events"
:
[{
"udm"
:
{
"metadata"
:
{
"eventTimestamp"
:
"1970-01-01T03:25:45.000000123Z"
,
"eventType"
:
"USER_LOGIN"
,
"vendorName"
:
"Acme"
,
"productName"
:
"Acme SSO"
},
"principal"
:
{
"ip"
:
[
"10.1.2.3"
]
},
"target"
:
{
"user"
:
{
"userid"
:
"mary@altostrat.com"
,
"userDisplayName"
:
"Mary Jane"
},
"application"
:
"Acme Connect"
},
"extensions"
:
{
"auth"
:
{
"type"
:
"MACHINE"
,
"mechanism"
:
[
"NETWORK"
]
}
}
}
},
{
"udm"
:
{
"metadata"
:
{
"eventTimestamp"
:
"1970-01-01T03:25:45.000000123Z"
,
"eventType"
:
"NETWORK_HTTP"
,
"vendorName"
:
"Acme"
,
"productName"
:
"Acme Proxy"
},
"principal"
:
{
"hostname"
:
"host0"
,
"ip"
:
[
"10.1.2.3"
],
"port"
:
6000
},
"target"
:
{
"hostname"
:
"www.altostrat.com"
,
"ip"
:
[
"198.51.100.68"
],
"port"
:
443
,
"url"
:
"www.altostrat.com/images/logo.png"
},
"network"
:
{
"http"
:
{
"method"
:
"GET"
,
"responseCode"
:
200
}
}
}
}]
}
}
Body parameters
| Field | Value | Required | Description |
|---|---|---|---|
inlineSource
|
object | Yes | The import source with the events
to import, specified inline. |
events[]
|
array | Yes | The events to import. |
events.udm
|
object ( UDM ) | Yes | The event data in UDM format. The object can contain the events.udm object fields , shown in the following table. |
Events.udm object fields
| Field | Description |
|---|---|
metadata
|
Event metadata, such as |
additional
|
Any important vendor-specific event data that can't be adequately represented within the formal sections of the UDM. |
principal
|
Represents the acting entity that originates the activity described in the event. The |
src
|
Represents a source entity being acted upon by the participant, along with the device or process context for the source object (the machine where the source object resides). |
target
|
Represents a |
intermediary[]
|
Represents details on one or more intermediate entities processing activity described in the event. This includes device details about a |
observer
|
Represents an |
about[]
|
Represents entities referenced by the event, that are not otherwise described in |
security_result[]
|
A list of security results. |
network
|
All network details go here, including |
extensions
|
Place all core and event-specific metadata in this message, and use |
extracted
|
Flattened fields extracted from the log. |
Response
You shouldn't receive a response unless there is an error in the method syntax.
Response error codes
See HTTP response codes for common error codes.
ImportLogs
Import log telemetry. Use this method to send unstructured log entries to Google SecOps in batches. Each batch of log data has a maximum size limit of 4 MB (uncompressed).
Reference Documentation: Method: logs.import
Full name: projects.locations.instances.logTypes.logs.import
Request
POST https://chronicle.{region}.rep.googleapis.com/v1alpha/{parent}/logs:import
Path parameters
| Field | Value | Required | Description |
|---|---|---|---|
{region}
|
string | Yes | The location for the service endpoint. Choose from the Regional service endpoint list. |
{parent}
|
string | Yes | The parent that owns this collection of logs. Format: projects/{project}/locations/{region}/instances/{instance}/logTypes/{log_type}
|
Request body
The following example shows how to format AZURE_AD log data from a source file, using the ImportLogs
API method.
{
"parent"
:
"projects/gcp_project_id/locations/us/instances/aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa/logTypes/AZURE_AD"
,
"inlineSource"
:
{
"logs"
:
[{
"data"
:
"dGVzdC5sb2c="
,
"logEntryTime"
:
"2025-06-25T06:07:51.000001234Z"
,
"collectionTime"
:
"2025-06-25T06:07:51.000000123Z"
,
"labels"
:
{
"google"
:
{
"value"
:
"dev"
,
"rbacEnabled"
:
true
}
}
}],
"sourceFilename"
:
"source_filename.txt"
}
}
Body parameters
| Field | Value | Required | Description |
|---|---|---|---|
inlineSource
|
object | Yes | The log data import source, with the logs
specified inline. |
logs[]
|
object ( Log
) |
Yes | Log data to import. The object can contain the log object fields , shown in the following table. |
forwarder
|
string | No | The forwarder sending the import request. |
source_filename
|
string | No | Source filename. Populated for certain types of files processed by the outofband processor, which may have metadata encoded in it for use by the parser. |
Log object fields
| Field | Description |
|---|---|
name
|
Output only. The resource name of this log. |
data
|
Required. Raw data for the log entry. A base64-encoded string. |
log_entry_time
|
Required. Timestamp of the log entry. Uses RFC 3339, where generated output is always Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
collection_time
|
Required. The time at which the log entry was collected. Must be after the Uses RFC 3339, where generated output is always Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
environment_namespace
|
Optional. The user-configured environment namespace to identify the data domain the logs originated from. This namespace is used as a tag to identify the appropriate data domain for indexing and enrichment functionality. |
labels
|
Optional. The user-configured custom metadata labels. An object containing a list of |
additionals
|
Optional. Metadata in JSON format. |
Response
You shouldn't receive a response unless there is an error in the method syntax.
Response error codes
See HTTP response codes for common error codes.
ImportEntities
Use this method to import entities into Google SecOps.
An entity provides additional context about an entity in a UDM event, like asset
or user
details. For example, a PROCESS_LAUNCH
event describes that
user abc@example.corp
launched process shady.exe
. The event does not include
information that user abc@example.com
is a recently terminated employee who
administers a server storing finance data. Information stored in one or more
entities can add this additional context.
You are limited to 4MB of data per request.
Reference Documentation: Method: entities.import
Full name: projects.locations.instances.entities.import
Request
POST https://chronicle.{region}.rep.googleapis.com/v1alpha/{parent}/entities:import
Path parameters
| Field | Value | Required | Description |
|---|---|---|---|
{region}
|
string | Yes | The location for the service endpoint. Choose from the Regional service endpoint list. |
{parent}
|
string | Yes | The parent that owns this collection of entities. Format: projects/{project}/locations/{region}/instances/{instance}
|
Request body
The following example shows how to import entities data using
the ImportEntities
API method.
{
"parent": "projects/gcp_project_id/locations/us/instances/aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
"inlineSource": {
"entities": [{
"metadata": {
"collectedTimestamp": "1970-01-01T03:25:45.000000124Z",
"vendorName": "vendor",
"productName": "product",
"entityType": "USER"
},
"entity": {
"user": {
"userid": "google dev",
"productObjectId": "dev google"
}
}
}, {
"metadata": {
"collectedTimestamp": "1970-01-01T03:25:45.000000124Z",
"vendorName": "vendor",
"productName": "product",
"entityType": "USER"
},
"entity": {
"user": {
"userid": "google dev",
"productObjectId": "dev google"
}
}
}],
"logType": "AZURE_AD_CONTEXT"
}
}
Body parameters
| Field | Value | Required | Description |
|---|---|---|---|
inlineSource
|
object | Yes | The import source with the entities
to import, specified inline. |
entities[]
|
object ( Entity
) |
Yes | The entities to import. The object can contain the entity object fields , shown in the following table. |
log_type
|
string | Yes | The log type of the log that this entity is created from. |
Entity object fields
| Field | Description |
|---|---|
metadata
|
Entity metadata, such as |
entity
|
Noun in the UDM event that this entity represents. |
additional
|
Important entity data that cannot be adequately represented within the formal sections of the Entity. |
risk_score
|
Entity risk scores resource. |
metric
|
Metric details of the entity. Used if EntityType is METRIC. |
relations[]
|
One or more relationships between the entity (a) and other entities, including the relationship type and related entity. |
Response
If successful, the response body is empty.
Response error codes
See HTTP response codes for common error codes.
ListLogTypes
Use this method to retrieve a list of all the supported log types.
Reference Documentation: Method: logTypes.list
Full name: projects.locations.instances.logTypes.list
Request
GET https://chronicle.{region}.rep.googleapis.com/v1alpha/{parent}/logTypes
Path parameters
| Field | Value | Required | Description |
|---|---|---|---|
{region}
|
string | Yes | The location for the service endpoint. Choose from the Regional service endpoint list. |
{parent}
|
string | Yes | The parent that owns this collection of log types. Format: projects/{project}/locations/{region}/instances/{instance}
|
Query parameters
| Field | Description |
|---|---|
pageSize
|
The maximum number of log types to return. The service may return fewer than this value. |
pageToken
|
A page token, received from a previous When paginating, all other parameters provided to |
filter
|
Optional. A filter that follows AIP-160 guidelines. |
Request body
The request body must be empty.
Response
The following example shows the information returned from the ListLogTypes API method.
{
"logTypes": [{
"name": "projects/gcp_project_id/locations/us/instances/aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa/logTypes/A10_LOAD_BALANCER",
"displayName": "A10 Load Balancer"
}, {
"name": "projects/gcp_project_id/locations/us/instances/aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa/logTypes/ABNORMAL_SECURITY",
"displayName": "Abnormal Security"
}, {
"name": "projects/gcp_project_id/locations/us/instances/aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa/logTypes/ABSOLUTE",
"displayName": "Absolute Mobile Device Management"
}, {
"name": "projects/gcp_project_id/locations/us/instances/aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa/logTypes/ACALVIO",
"displayName": "Acalvio"
}, {
"name": "projects/gcp_project_id/locations/us/instances/aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa/logTypes/ACTIVE_IDENTITY_HID",
"displayName": "Active Identity HID"
}],
"nextPageToken": "Qp4b7jgMSY3Byb2plY3RzL21hbGFjaGl0ZS1jYXRmb29kLWJ5b3Atc3RhZ2"
}
Response fields
| Field | Description |
|---|---|
log_types[]
|
Log types from the specified Google SecOps instance. |
next_page_token
|
A token, which can be sent as |
LogType object fields
| Field | Description |
|---|---|
name
|
Output only. The resource name of this log type. |
custom_log_type_label
|
Output only. The custom log type label. |
display_name
|
Required. The display name of this log type. This is the tag used in YARA-l rules and search queries. |
golden
|
Output only. Whether a log type is a 'Golden' log type or not. Log types that support rapid customer onboarding are considered 'Golden' log types. |
product_source
|
Required. The display name of this log type when a user creates a feed. |
is_custom
|
Required. Whether the log type is custom or globally available. |
Response error codes
See HTTP response codes for common error codes.
Error handling
Here's what to do if an HTTP request fails, depending on the HTTP response code:
HTTP response codes
- 400 Bad Request: The request is invalid.
Check the error message for details. Don't retry without modification. - 401 Unauthorized: Authentication failed.
Check your credentials. - 403 Forbidden: Permission denied.
Make sure the caller has the correct IAM permissions. - 404 Not Found: The resource specified in the request doesn't exist.
Check the resource name. - 429 Resource Exhausted: Quota limit reached or rate limit exceeded.
Retry using exponential backoff , with a minimum delay of 30 seconds. If the request continues to fail, see What to do when reaching the burst limit . - 500 Internal Server Error: An error occurred on the server.
Retry using exponential backoff , with a minimum delay of 1 second. - 503 Service Unavailable: The service is temporarily unavailable.
Retry using exponential backoff , with a minimum delay of 1 second.
View Chronicle API HTTP errors
You can view Chronicle API HTTP errors for your Bring Your Own Project (BYOP) projects using the Metrics Explorer in Cloud Monitoring .
To see the HTTP errors for your BYOP project, follow these steps:
- Go to the Google Cloud consoleand select your project.
- Go to Monitoring> Metrics Explorer.
- Click Select a Metric.
- Choose Consumed APIas the resource type.
- Choose API request count(serviceruntime.googleapis.com/api/request_count) as the metric.
- Add filters to narrow down the results:
-
service: Specify the API service name (e.g., compute.googleapis.com). -
response_code_class: Filter for 4xx or 5xx. -
method: Specify the API method.
-
- You can group the results to analyze the errors, for example, by:
method,response_code, orservice.
Frequently asked questions
Can customers create an allowlist of specific public IP addresses permitted to connect to the collector API endpoint, or is another form of client authorization supported?
Google SecOps doesn't support allowlisting specific IP addresses. Any connection with a valid API key can connect to the collector API endpoint.
Do you support standard HTTP GZIP compression (for example, Accept-Encoding: gzip header)?
Yes. The collector API endpoint supports standard HTTP GZIP compression using the Accept-Encoding: gzip
header.
Need more help? Get answers from Community members and Google SecOps professionals.
