Data Export API (enhanced)

Supported in:

Google secops SIEM

The Data Export API facilitates the bulk export of your security data from Google Security Operations to a Google Cloud Storage bucket that you control. After you fulfill the prerequisites, you can begin using the APIs.

The following sections describe the Chronicle Data Export API endpoints. The API sample requests in these sections have the {region} set to US.

FetchServiceAccountForDataExports

Use this API endpoint to identify your Google SecOps instance's unique Service Account.

For details, see Method: dataExports.fetchServiceAccountForDataExport

Request

Endpoint:
GET https://chronicle.{region}.rep.googleapis.com/v1/{parent}/dataExports:fetchServiceAccountForDataExport

Path parameters

Field	Type	Required	Description
`parent`	string	required	The Google SecOps instance to export data from, specified in the following format: `projects/{project}/locations/{region}/instances/{instance}` where: `{project}`: Identifier of your project. `{region}`: Region where your destination bucket is located. See the list of regions. `{instance}`: Identifier of the source Google SecOps instance.

Request body

The request body must be empty.

Sample request

GET https://chronicle.us.rep.googleapis.com/v1/projects/myproject/locations/us/instances/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/dataExports:fetchServiceAccountForDataExport

Sample response

The API returns the Service Account email.

{
  "serviceAccountEmail": "service-1234@gcp-sa-chronicle.iam.gserviceaccount.com"
}

Response parameters

Parameter	Type	Description
`serviceAccountEmail`	`string`	The Service Account email linked to your Google SecOps tenant.

CreateDataExport

Use this endpoint to create a specification for a bulk data export job. The system stores the job specification on the parent resource—the Google SecOps instance containing the source log data.

The API exports data using the first-in, first-out (FIFO) principle, independent of data size.

For details, see Method: dataExports.create.

Minimum time range for export timestamps

For bulk data export job requests, the minimum time range for export timestamps is one hour. The startTime and endTime are floored to the hour, where startTime is the inclusive hour and endTime is exclusive.

The following startTime-endTime configuration for an export request is valid:

startTime: 2025-08-01T00:00:00Z
endTime: 2025-08-01T01:00:00Z

The following startTime-endTime configuration for an export request is invalid; it won't export anything:

startTime: 2025-08-01T00:00:00Z
endTime: 2025-08-01T00:20:00Z

Request

Endpoint: POST https://chronicle.{region}.rep.googleapis.com/v1/{parent}/dataExports

Path parameters

Field	Type	Required	Description
`parent`	string	required	The Google SecOps instance to export data from, specified in the following format: `projects/{project}/locations/{region}/instances/{instance}` where: `{project}`: Identifier of your project. `{region}`: Region where your destination bucket is located. See the list of regions. `{instance}`: Identifier of the source Google SecOps instance.

Request body

Post a request to the endpoint using the following parameters.

Sample request

POST https://chronicle.us.rep.googleapis.com/v1/
projects/myproject/locations/us/instances/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/dataExports
{
  "startTime": "2025-08-01T00:00:00Z",
  "endTime": "2025-08-02T00:00:00Z",
  "gcsBucket": "projects/chronicle-test/buckets/dataexport-test-bucket",
  "includeLogTypes": [
      "projects/myproject/locations/us/instances/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/logTypes/GCP_DNS",
      "projects/myproject/locations/us/instances/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/logTypes/GCP_FIREWALL"
    ],
  "namespaces": [
      "test_namespace_96",
      "test_namespace_97"
    ],
  "ingestionLabels": [
    {
    "key":"key_40",
    "value":"val_40"
    }
    {
    "key":"key_50",
    "value":"val_50"
    }
  ],
}

Body parameters

Field	Type	Required	Description
`startTime`	string	optional	The beginning of the event time range of the data to export, based on the event timestamp. Format: String in `google.protobuf.Timestamp` format. If you don't specify a time, it defaults to `01/01/1970 UTC`.
`endTime`	string	optional	The end of the event time range of the data to export. Format: String in `google.protobuf.Timestamp` format. If you don't specify a time, it defaults to the current time.
`gcsBucket`	string	required	The path to your Google Cloud Storage destination bucket, in the following format: `/projects/{project-id}/buckets/{bucket-name}`. Note: The destination bucket must be in the same region as the source Google SecOps tenant.
`includeLogTypes`	array	optional	A comma-separated array of one or more log types that you want to export. If not specified, the system exports all log types by default.
`namespaces`	array	optional	A comma-separated array of one or more feed namespaces that you want to limit your export to. If not specified, the system doesn't filter data using any namespace.
`ingestionLabels`	array	optional	A comma-separated array of one or more feed ingestion labels (key:value pairs) that you want to limit your export to. If not specified, the system doesn't filter data using any ingestion label.

Sample response

Upon successful creation of the data export job, the API returns a unique name for the data export job and the job's initial status, which is IN_QUEUE. The response also includes an estimatedVolume of the data that the system expects to export.

{
  "name": "projects/myproject/locations/us/instances/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/dataExports/b4a3c2d1-e8f7-6a5b-4c3d-2e1f0a9b8c7d",
  "startTime": "2025-08-01T00:00:00Z",
  "endTime": "2025-08-02T00:00:00Z",
  "gcsBucket": "projects/chronicle-test/buckets/dataexport-test-bucket",
  "includeLogTypes": [
    "projects/myproject/locations/us/instances/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/logTypes/GCP_DNS",
    "projects/myproject/locations/us/instances/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/logTypes/GCP_FIREWALL"
  ],
  "namespaces": [
    "test_namespace_96",
    "test_namespace_97"
    ]
  "ingestionLabels": [
    {
    "key":"key_40",
    "value":"val_40"
      }
    {
    "key":"key_50",
    "value":"val_50"
    }
  ],
  "dataExportStatus": {
    "stage": "IN_QUEUE"
  },
  "estimatedVolume": "10737418240",
  "createTime": "2025-08-13T11:00:00Z",
  "updateTime": "2025-08-13T11:00:00Z"
}

Response parameters

Parameter	Type	Description
`name`	`string`	Unique data export job ID. The system extracts the `dataExportId` from the last section of the `name` parameter. Use this UUID in other calls to represent the data export request.
`startTime`	`string`	Starting time range. Format: String in `google.protobuf.Timestamp` format.
`endTime`	`string`	Ending time range. Format: String in `google.protobuf.Timestamp` format.
`gcsBucket`	`string`	The path to your Google Cloud Storage destination bucket, in the following format: `projects/{project-id}/buckets/{bucket-name}`.
`includeLogTypes`	`list`	A comma-separated list of log types included.
`namespaces`	`array`	A comma-separated list of namespaces used to filter data for export.
`ingestionLabels`	`array`	A comma-separated list of ingestion labels (key:value pairs) used to filter data for export.
`dataExportStatus.stage`	`string`	The status of the export job at the time of creation (always `IN_QUEUE`).
`estimatedVolume`	`string`	The estimated export volume in bytes. This does not account for filters using namespaces and ingestion labels, and possible data exclusions caused by data RBAC scope restrictions.
`createTime`	`string`	Job creation time. Format: String in `google.protobuf.Timestamp` format.
`updateTime`	`string`	Job update time. Format: String in `google.protobuf.Timestamp` format.

GetDataExport

Retrieve a specific data export job's current status and details, using its dataExportId.

Request

Endpoint: GET https://chronicle.{region}.rep.googleapis.com/v1/{name}

Path parameters

Field	Type	Required	Description
`name`	`string`	required	The name of the data export job to retrieve, in the following format: `projects/{project}/locations/{region}/instances/{instance}/dataexports/{dataExportId}` where: `{project}`: Identifier of your project. `{region}`: Region where your destination bucket is located. See the list of regions. `{instance}`: Identifier of the source Google SecOps instance. `{dataExportId}`: UUID of the data export job.

Request body

The request body must be empty.

Sample request

GET https://chronicle.us.rep.googleapis.com/v1/
projects/myproject/locations/us/instances/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/dataExports/b4a3c2d1-e8f7-6a5b-4c3d-2e1f0a9b8c7d

Sample response

The response contains the full job details, including its current status. For completed jobs, the response also returns the actual volume of data successfully exported.

{
  "name": "projects/myproject/locations/us/instances/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/dataExports/b4a3c2d1-e8f7-6a5b-4c3d-2e1f0a9b8c7d",
  "startTime": "2025-08-01T00:00:00Z",
  "endTime": "2025-08-02T00:00:00Z",
  "gcsBucket": "projects/chronicle-test/buckets/dataexport-test-bucket",
  "includeLogTypes": [
    "projects/myproject/locations/us/instances/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/logTypes/GCP_DNS",
    "projects/myproject/locations/us/instances/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/logTypes/GCP_FIREWALL"
  ],
  "namespaces": [
      "test_namespace_96",
      "test_namespace_97"
    ],
  "ingestionLabels": [
      {
    "key":"key_40",
    "value":"val_40"
      }
    {
    "key":"key_50",
    "value":"val_50"
    }
  ],  
  "dataExportStatus": {
    "stage": "FINISHED_SUCCESS",
    "exportedGlobPatterns": [
      "/bigstore/<bucket>/<dataexportid>/exported_paths.txt"
    ],
    "dataRbacFiltered":"true"
  },
  "estimatedVolume": "10737418240",
  "exportedVolume": "10938428241",
  "createTime": "2025-08-13T11:00:00Z",
  "updateTime": "2025-08-13T11:05:00Z"
}

Response parameters

Parameter	Type	Description
`name`	`string`	Unique name for a data export job.
`startTime`	`string`	Starting time range.
`endTime`	`string`	Ending time range.
`gcsBucket`	`string`	The path to your Google Cloud Storage destination bucket, in the following format: `/projects/{project-id}/buckets/{bucket-name}`.
`includeLogTypes`	`list`	A comma-separated list of included log types.
`namespaces`	`array`	A comma-separated list of included log types.
`ingestionLabels`	`array`	A comma-separated list of ingestion labels (key:value pairs) used to filter data for export.
`dataExportStatus.stage`	`string`	Current status of the data export job, which can have one of the following values: `IN_QUEUE`: The system has accepted the job and it's waiting for resources to become available. `PROCESSING`: The job is actively executing. `FINISHED_SUCCESS`: The job completed successfully. The response will include the final exportedVolume. `FINISHED_FAILURE`: The job failed after all retry attempts. The response will include detailed error information. `CANCELLED`: A user cancelled the job before it started processing. (For more details, see the DataExportStatus reference.)
`dataExportStatus.exportedGlobPatterns`	`list`	File path of the exported text file, containing a list of all the exported file shards (exported glob patterns) created in the destination bucket.
`dataRbacFiltered`	`boolean`	Indicates whether the exported dataset was impacted by data RBAC scope restrictions. If TRUE, some or all data selected for the export job was excluded because they fell outside the data RBAC scopes assigned to the job creator. If FALSE, the export job wasn't impacted by data RBAC scope restrictions.
`estimatedVolume`	`string`	The estimated export volume in bytes. This does not account for filters using namespaces and ingestion labels.
`exportedVolume`	`string`	For completed jobs, the actual volume of data exported.
`createTime`	`string`	Job creation time.
`updateTime`	`string`	Job update time.

ListDataExport

List data export jobs associated with a Google SecOps instance. You can optionally filter the list to narrow results by the current job status (dataExportStatus.stage), the data export job's createTime, and the job name.

Request

Endpoint:
GET https://chronicle.{region}.rep.googleapis.com/v1/{parent}/dataExports{?queryParameters}

Path parameters

Field	Type	Required	Description
`parent`	string	required	The Google SecOps instance for which to list data export requests, specified in the following format: `projects/{project}/locations/{region}/instances/{instance}` where: `{project}`: Identifier of your project. `{region}`: Region where your destination bucket is located. See the list of regions. `{instance}`: Identifier of the source Google SecOps instance.

Query parameters

Append optional query parameters to the request to add filters to narrow the results.

You must encode query parameters in a UTF-8 format.

Field	Type	Required	Description
`pageSize`	`integer`	optional	The maximum number of export jobs to return. The response may return fewer results. If you don't specify it, the API returns a list of 10 jobs by default. The API can return a maximum of 100 jobs in a single request.
`pageToken`	`string`	optional	A string value that the API returns in a paginated response, which you can use to retrieve the subsequent page.
`filter`	`string`	optional	You can apply the following filters to the list of jobs: `dataExportStatus.stage:{list of job stages}`: A list of job status values, separated by the `OR` operator, to include in the request. `createTime >= {timestamp}`: The start of the time range to include, based on `creationTime`. `createTime <= {timestamp}`: The end of the time range to include, based on `creationTime`. `name = {list of names}`: A list of job names, separated by the `OR` operator, to include in the request.

Example of query parameters in a UTF-8 encoded format

filter=(dataExportStatus.stage%3D%22FINISHED_SUCCESS%22
  %20OR%20dataExportStatus.stage%3D%22CANCELLED%22)
  %20AND%20createTime%3E%3D%222025-08-29T00%3A00%3A00Z%22
  %20AND%20createTime%3C%3D%222025-09-09T00%3A00%3A00Z%22
  %20AND%20name%3D%22projects%2F140410331797
  %2Flocations%2Fus
  %2Finstances%2Febdc4bb9-878b-11e7-8455-10604b7cb5c1
  %2FdataExports%2Fed3f735d-3347-439a-9161-1d474407eae2
  %22&pageSize=2

The example uses the following parameters:

Parameters	Description
`filter=`	This introduces filters.
`(data_export_status.stage%3D%22FINISHED_SUCCESS%22%20OR%20data_export_status.stage%3D%22CANCELLED%22)`	This creates a filter to only include jobs with the "dataExportStatus.stage" values as "FINISHED_SUCCESS" OR "CANCELLED".
`%20AND%20`	This acts as a separator to introduce another filter using the `AND` operator.
`createTime%3E%3D%222025-08-29T00%3A00%3A00Z%22`	This creates a filter for `createTime` to be greater than or equal to "2025-08-29T00:00:00Z".
`createTime%3C%3D%222025-09-09T00%3A00%3A00Z%22`	This creates a filter for `createTime` to be less than or equal to "2025-08-29T00:00:00Z".
`name%3D%22projects%2F140410331797%2Flocations%2Fus%2Finstances%2Febdc4bb9-878b-11e7-8455-10604b7cb5c1%2FdataExports%2Fed3f735d-3347-439a-9161-1d474407eae2%22`	This creates a filter to restrict results to the job name: "projects/140410331797/locations/us/instances/ebdc4bb9-878b-11e7-8455-10604b7cb5c1/dataExports/ed3f735d-3347-439a-9161-1d474407eae2".
`&pageSize=2`	This specifies the required page size.

Request body

The request body must be empty.

Sample request

Send a request using optional query parameters to add filters to narrow the results, for example, the current job status dataExportStatus.stage, the createTime of the data export job, and the job name.

GET https://chronicle.googleapis.com/v1/
projects/myproject/locations/us/instances/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/dataExports?filter=(dataExportStatus.stage%3D%22FINISHED_SUCCESS%22%20OR%20dataExportStatus.stage%3D%22CANCELLED%22)%20AND%20createTime%3E%3D%222025-08-29T00%3A00%3A00Z%22%20AND%20createTime%3C%3D%222025-09-09T00%3A00%3A00Z%22%20AND%20name%3D%22projects%2F140410331797%2Flocations%2Fus%2Finstances%2Febdc4bb9-878b-11e7-8455-10604b7cb5c1%2FdataExports%2Fed3f735d-3347-439a-9161-1d474407eae2%22&pageSize=2

Sample response

The response returns a paginated array of data export job objects that match the filter criteria. Each object contains full job details and the current job status. Completed jobs include the actual volume of data successfully exported.

{
  "dataExports": [
    {
      "name": "projects/myproject/locations/us/instances/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/dataExports/b4a3c2d1-e8f7-6a5b-4c3d-2e1f0a9b8c7d",
      "startTime": "2025-08-01T00:00:00Z",
      "endTime": "2025-08-03T00:00:00Z",
      "gcsBucket": "projects/chronicle-test/buckets/dataexport-test-bucket",
      "includeLogTypes": [
        "projects/myproject/locations/us/instances/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/logTypes/GCP_DNS",
        "projects/myproject/locations/us/instances/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/logTypes/GCP_FIREWALL"
      ],
      "namespaces": [
        "test_namespace_96",
        "test_namespace_97"
        ],
      "ingestionLabels": [
        {
        "key":"key_40",
        "value":"val_40"
        }
        {
          "key":"key_50",
          "value":"val_50"
        }
      ],
      "dataExportStatus": {
        "stage": "CANCELLED"
      },
      "estimatedVolume": "10737418240",
      "createTime": "2025-08-01T11:00:00Z",
      "updateTime": "2025-08-13T11:10:00Z"
    },
    {
      "name": "projects/myproject/locations/us/instances/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/dataExports/f1e2d3c4-b5a6-7890-1234-567890abcdef",
      "startTime": "2025-08-03T00:00:00Z",
      "endTime": "2025-08-04T00:00:00Z",
      "gcsBucket": "projects/chronicle-test/buckets/dataexport-test-bucket",
      "dataExportStatus": {
        "stage": "FINISHED_SUCCESS",
        "exportedGlobPatterns": [
          "/bigstore/<bucket>/<dataexportid>/exported_paths.txt"
        ],
        "dataRbacFiltered":"false",
      },
      "estimatedVolume": "53687091200",
      "exportedVolume": "54687091205",
      "createTime": "2025-08-01T09:00:00Z",
      "updateTime": "2025-08-13T10:30:00Z"
    }
  ],
  "nextPageToken": "aecg2S1w"
}

Response parameters

Parameter	Type	Description
`dataExports`	`array`	Array of data export job objects that match the specified filters: `name`: Unique data export job ID. `startTime`: Starting time range. `endTime`: Ending time range. `gcsBucket`: The path to your Google Cloud Storage destination bucket, specified in the following format: `/projects/{project-id}/buckets/{bucket-name}`. `includeLogTypes`: A comma-separated list of included log types. `namespaces`: A comma-separated list of namespaces used to filter data for export. `ingestionLabels`: A comma-separated list of ingestion labels (key:value pairs) used to filter data for export. `dataExportStatus.stage`: Current status of the data export job. `dataExportStatus.exportedGlobPatterns`: File path of the exported text file, containing a list of all the exported file shards created in the destination bucket. `dataRbacFiltered`: Indicates whether any data was excluded from the export job caused by data RBAC scope restrictions applicable to the job creator. `estimatedVolume`: The estimated export volume in bytes, without applying filters using namespaces and ingestion labels. This does not account for filters using namespaces and ingestion labels, and possible data exclusions due to data RBAC scope restrictions. `exportedVolume`: For completed jobs, the actual volume of data exported. `createTime`: Job creation time. `updateTime`: Job update time.
`nextPageToken`	`string`	A token (string) used to retrieve the subsequent page in a different request.

CancelDataExport

You can only cancel an existing job when it is in the IN_QUEUE status.

Reference Documentation: Method: dataExports.cancel

Request

Endpoint: POST https://chronicle.{region}.rep.googleapis.com/v1/{name}:cancel

Path parameters

Field	Type	Required	Description
`name`	`string`	required	The name of the data export job to cancel, in the following format: `projects/{project}/locations/{region}/instances/{instance}/dataexports/{id}` where: `{project}`: Identifier of your project. `{region}`: Region where your destination bucket is located. See the list of regions. `{instance}`: Identifier of the source Google SecOps instance. `{id}`: UUID identifier of the data export request.

Request body

The request body must be empty.

Sample request

POST https://chronicle.us.rep.googleapis.com/v1/
projects/myproject/locations/us/instances/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/dataExports/b4a3c2d1-e8f7-6a5b-4c3d-2e1f0a9b8c7d:cancel

Sample response

A successful response shows the job's status as CANCELLED.

{
  "name": "projects/myproject/locations/us/instances/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/dataExports/b4a3c2d1-e8f7-6a5b-4c3d-2e1f0a9b8c7d",
  "startTime": "2025-08-01T00:00:00Z",
  "endTime": "2025-08-02T00:00:00Z",
  "gcsBucket": "projects/chronicle-test/buckets/dataexport-test-bucket",
  "includeLogTypes": [
    "projects/myproject/locations/us/instances/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/logTypes/GCP_DNS",
    "projects/myproject/locations/us/instances/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/logTypes/GCP_FIREWALL"
  ],
  "namespaces": [
    "test_namespace_96",
    "test_namespace_97"
    ],
  "ingestionLabels": [
      {
    "key":"key_40",
    "value":"val_40"
      }
    {
    "key":"key_50",
    "value":"val_50"
      }
  ],
  "dataExportStatus": {
    "stage": "CANCELLED"
  },
  "estimatedVolume": "10737418240",
  "createTime": "2025-08-13T11:00:00Z",
  "updateTime": "2025-08-13T11:10:00Z"
}

Need more help? Get answers from Community members and Google SecOps professionals.