
Hello,

I need help accessing the value from a specific key within the returned results of a UDM query via a playbook.

I am looking to use the value from the key “isManaged” within a condition.

For example:

  • if isManaged == “True” take branch 1
    • else, take branch 2

I am struggling to isolate the specific value from that key to use within a conditional action.

Here is an example JSON which is returned from the UDM Query within the playbook:

{
"events": [
{
"name": "[REDACTED_EVENT_NAME]",
"udm": {
"metadata": {
"productLogId": "[REDACTED_PRODUCT_LOG_ID]",
"eventTimestamp": "2025-08-21T14:43:04Z",
"eventType": "USER_LOGIN",
"vendorName": "Microsoft",
"productName": "Azure AD",
"ingestedTimestamp": "2025-08-21T14:49:01.321370Z",
"id": "[REDACTED_METADATA_ID]",
"enrichmentState": "ENRICHED",
"logType": "AZURE_AD",
"baseLabels": { "logTypes": ["AZURE_AD"], "allowScopedAccess": true },
"enrichmentLabels": {
"logTypes": ["AZURE_AD_CONTEXT", "CS_EDR"],
"allowScopedAccess": true
}
},
"additional": {
"riskState": "none",
"conditionalAccessStatus": "notApplied",
"failureReason": "Error validating credentials due to invalid username or password.",
"riskDetail": "none",
"riskLevelAggregated": "none",
"riskLevelDuringSignIn": "none"
},
"principal": {
"hostname": "[REDACTED_HOSTNAME]",
"assetId": "Device ID:[REDACTED_ASSET_ID]",
"platform": "WINDOWS",
"ip": ["[REDACTED_IP_ADDRESS]"],
"administrativeDomain": "example.com",
"application": "Mobile Apps and Desktop clients",
"platformVersion": "Windows",
"location": {
"city": "[REDACTED_CITY]",
"state": "Haryana",
"countryOrRegion": "IN",
"regionLatitude": 0.0,
"regionLongitude": 0.0,
"regionCoordinates": { "latitude": 0.0, "longitude": 0.0 }
},
"asset": {
"hostname": "[REDACTED_HOSTNAME]",
"assetId": "Device ID:[REDACTED_ASSET_ID]",
"ip": ["[REDACTED_IP_ADDRESS]"],
"hardware": [
{
"manufacturer": "HP",
"model": "HP ProBook 640 G8 Notebook PC"
},
{ "model": "[REDACTED_HOSTNAME]" }
],
"platformSoftware": {
"platform": "WINDOWS",
"platformPatchLevel": "Windows 11"
},
"location": { "city": "[REDACTED_CITY]", "countryOrRegion": "India" },
"networkDomain": "none",
"attribute": {
"labels": [
{ "key": "agent_version", "value": "7.28.20006.0" },
{ "key": "agent_load_flags", "value": "17" },
{ "key": "bios_manufacture", "value": "HP" },
{ "key": "config_build", "value": "1007.3.0020006.11" },
{ "key": "continent", "value": "Asia" },
{ "key": "host_hidden_status", "value": "Visible" },
{ "key": "pointer_size", "value": "8" },
{ "key": "service_pack_major", "value": "none" },
{ "key": "site_name", "value": "none" },
{ "key": "cid", "value": "[REDACTED_CID]" },
{ "key": "isCompliant", "value": "true" },
{ "key": "isManaged", "value": "true" },
{ "key": "trustType", "value": "Azure AD joined" }
]
},
"natIp": ["[REDACTED_IP_ADDRESS]"],
"firstSeenTime": "2025-08-21T12:32:44Z"
},
"ipGeoArtifact": [
{
"ip": "[REDACTED_IP_ADDRESS]",
"location": {
"state": "Haryana",
"countryOrRegion": "India",
"regionLatitude": 0.0,
"regionLongitude": 0.0,
"regionCoordinates": {
"latitude": 0.0,
"longitude": 0.0
}
},
"network": {
"asn": "[REDACTED_ASN]",
"dnsDomain": "redacted-isp.com",
"carrierName": "REDACTED ISP NAME",
"organizationName": "REDACTED ISP NAME"
}
}
]
},
"target": {
"user": {
"userid": "user.name@example.com",
"userDisplayName": "John Doe",
"emailAddresses": [
"user.name@example.com"
],
"employeeId": "[REDACTED_EMPLOYEE_ID]",
"productObjectId": "[REDACTED_USER_OBJECT_ID]",
"attribute": {
"labels": [
{ "key": "accountEnabled", "value": "true" },
{ "key": "IsOnCloudAccount", "value": "true" },
{ "key": "mailNickname", "value": "user.name" },
{
"key": "userPrincipalName",
"value": "user.name@example.com"
},
{
"key": "refreshTokensValidFromDateTime",
"value": "2025-05-12T11:11:43Z"
},
{ "key": "manager_src_usageLocation", "value": "GB" }
],
"roles": [{ "name": "Member" }],
"creationTime": "2022-08-24T08:34:28Z"
},
"firstName": "John",
"lastName": "Doe",
"title": "Technology Specialist",
"department": ["Technology & Product"],
"managers": [
{
"userDisplayName": "Jane Smith",
"emailAddresses": [
"manager.name@example.com"
],
"employeeId": "[REDACTED_MANAGER_ID]",
"productObjectId": "[REDACTED_MANAGER_OBJECT_ID]",
"attribute": {
"labels": [
{ "key": "manager accountEnabled", "value": "true" },
{
"key": "userPrincipalName",
"value": "manager.name@example.com"
},
{
"key": "refreshTokensValidFromDateTime",
"value": "2025-05-12T11:11:43Z"
}
],
"roles": [{ "name": "Member" }]
},
"firstName": "Jane",
"lastName": "Smith",
"title": "Technology Operations Manager",
"department": ["Technology & Product"]
}
],
"userAuthenticationStatus": "ACTIVE"
},
"application": "Windows Sign In",
"resource": {
"id": "[removed by moderator] -c [removed by moderator] 00",
"name": "Windows Azure Active Directory",
"attribute": {
"labels": [
{
"key": "App Id",
"value": "38aa3b87-a06d-4817-b275-7a316988d93b"
}
]
},
"productObjectId": "[removed by moderator] -c [removed by moderator] 00"
}
},
"securityResult": [
{
"category": ["AUTH_VIOLATION"],
"summary": "Failed login occurred",
"description": "The user didn't enter the right credentials. \u00a0It's expected to see some number of these errors in your logs due to users making mistakes.",
"action": ["BLOCK"],
"severity": "ERROR",
"ruleId": "50126",
"detectionFields": [
{ "key": "is_interactive", "value": "true" },
{
"key": "CorrelationId",
"value": "[REDACTED_CORRELATION_ID]"
}
]
}
],
"extensions": {
"auth": { "type": "SSO", "mechanism": ["INTERACTIVE"] }
}
}
}
]
}

Any help on this would be great!

Thanks

Any time I’m trying to wield large JSON data, our TemplateEngine integration/Jinja2 is perfect for this: https://cloud.google.com/chronicle/docs/soar/marketplace-and-integrations/power-ups/templateengine

 

Once that’s installed, it’s as easy as using this template, which returns the value stored under that key. Note that in your sample the value is the lowercase string "true", so compare against that rather than “True”, and decide up front which branch a missing label should take.

{{ (events[0].udm.principal.asset.attribute.labels | selectattr("key", "equalto", "isManaged") | first).value }}

 

Here’s how it looks on your data using an online testing tool.

 

-mike


Hi Mike, 

 

Thanks for your reply on this! 

 

So I am using the “Render Template” action with the JSON Object set to “[Get User Sign-In.JsonResult]” and the template you provided in the Editor, but I get an error — is it perhaps related to accessing “events[0]...”?

 

Execution Failed: Scripts - TemplateEngine_Render Template. Message: Error to Run Script TemplateEngine_Render Template - script output: Script did not return expected data. Did you call build_result/end_script?
Check DebugOutput for details:
[2025-08-27,12:48:53,000 INFO] ================= Main - Param Init =================
[2025-08-27,12:48:53,000 INFO] Parameter Template was not found or was empty, used default_value None instead
[2025-08-27,12:48:53,000 INFO] ----------------- Main - Started -----------------
[2025-08-27,12:48:53,000 INFO] Unable to load CustomFilters
[2025-08-27,12:48:53,000 INFO] No module named 'CustomFilters'
[2025-08-27,12:48:53,000 ERROR] General error performing action RenderTemplate
[2025-08-27,12:48:53,000 ERROR] 'events' is undefined
Traceback (most recent call last):

 

Thanks! 


Sounds like the template can’t see the data you’re trying to process. Here’s an example of a template I use: in the first line I create a variable, data_set, that points to the placeholder holding my data, and I then use that variable throughout the template.

 

{% set data_set = [Get CPU Metrics - Last 1 Hour.JsonResult| "response_data.timeSeries"] %}
{% set ns = namespace(total=0) %}
{% for point in data_set.points %}
{% set ns.total = ns.total + ( point.value.doubleValue * 100 ) %}
{% endfor %}
{{ (ns.total / data_set.points|length) | round(2) }}

 

-mike


That's done the trick!

Thanks for your help Mike :) 

