
Chronicle join tables

  • January 8, 2025
  • 3 replies
  • 116 views

Roni11

Hello,

I have two logs that share a common field: ID

I need to create a single table with the following columns:

  • The ID field
  • Field X from the first log
  • Field Y from the second log

Here's what I have so far:

  • From the first log, I ran a search that produced a table containing the ID and X fields.
  • From the second log, I ran a different search that produced a table containing the ID and Y fields.

Now, I want to combine these results into one table that includes all three fields (ID, X, and Y).

How can I achieve this in Chronicle?

Thank you!

3 replies

cmmartin_google
Staff

At present Joins are not supported in UDM Search, but this is on the roadmap for later on in the year.

A potential workaround, and depending on the number of results you need, is to use Detection Engine and write a multi-event detection (not a detection alert), and then you can use outcome variables to output a table of values that you need. You can then view the results in Detection View, or else create a Dashboard of the results.

Alternatively, if you have an export of your event data into BigQuery, you can use SQL with a JOIN statement.
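Added example (not from the original post or from Google): what the BigQuery route looks like for the question above. It assumes the export lands in the data lake dataset as `my-project.datalake.udm_events`, that `metadata.event_timestamp` is exported as a struct with a `seconds` field, that the shared ID is `principal.user.userid`, that the "first log" is `USER_LOGIN` events with X = `principal.hostname`, and that the "second log" is `NETWORK_CONNECTION` events with Y = `target.hostname`. All of those names are placeholders to swap for your own fields.

```sql
-- Added example: join two event sets on a shared ID in the Chronicle BigQuery export.
-- Assumed table, field names and event types; replace them with the ones from
-- the two UDM searches you already ran.
DECLARE window_start TIMESTAMP
  DEFAULT TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL 7 DAY);

WITH first_log AS (
  -- Equivalent of the first search: ID plus field X.
  SELECT
    principal.user.userid AS id,
    principal.hostname    AS x
  FROM `my-project.datalake.udm_events`
  WHERE metadata.event_type = 'USER_LOGIN'
    AND TIMESTAMP_SECONDS(metadata.event_timestamp.seconds) >= window_start
    AND principal.user.userid IS NOT NULL
    AND principal.user.userid != ''
),
second_log AS (
  -- Equivalent of the second search: ID plus field Y.
  SELECT
    principal.user.userid AS id,
    target.hostname       AS y
  FROM `my-project.datalake.udm_events`
  WHERE metadata.event_type = 'NETWORK_CONNECTION'
    AND TIMESTAMP_SECONDS(metadata.event_timestamp.seconds) >= window_start
    AND principal.user.userid IS NOT NULL
    AND principal.user.userid != ''
),
-- Collapse each side to one row per ID before joining. Joining the raw event
-- rows instead gives an N x M fan-out for any ID that appears many times on
-- both sides, which is the usual surprise with this kind of correlation.
first_by_id AS (
  SELECT id, ARRAY_AGG(DISTINCT x IGNORE NULLS) AS x_values
  FROM first_log
  GROUP BY id
),
second_by_id AS (
  SELECT id, ARRAY_AGG(DISTINCT y IGNORE NULLS) AS y_values
  FROM second_log
  GROUP BY id
)
SELECT
  f.id,
  f.x_values AS x,
  s.y_values AS y
FROM first_by_id AS f
JOIN second_by_id AS s
  ON f.id = s.id
ORDER BY f.id;
```

Two things to check before trusting the output: the inner JOIN drops any ID that only appears in one of the logs (switch to LEFT JOIN from `first_by_id` if you want every ID from the first search regardless), and the empty-string filter matters because UDM leaves unparsed fields empty rather than NULL, so without it every event with no user ID would join to every other such event.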


Roni11
  • Author
  • January 14, 2025

Hi,

Could you clarify what you meant by "use Detection Engine and write a multi-event detection (not a detection alert)"?

What actions should I undertake to achieve this?

Thanks


jstoner
Staff
  • January 14, 2025

If you use the rules editor and write a rule, you can build a detection. Below is a quick primer on how to write a multi-event rule. The detection vs. alert setting is a toggle in the rule editor that provides a method to not generate an alert in the queue that someone might triage, and just have a detection that can be viewed in the UI. I liken detection vs. alert to running a rule in an evaluation mode prior to deploying it to the team who is tasked with triage and responding to alerts.

https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-Multi-Event-Rules/ba-p/722663
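Added example (not from the original thread or the linked primer): a YARA-L 2.0 multi-event rule shaped for the question, so the "outcome variables as table columns" idea above is concrete. The event types and fields are assumptions standing in for the two logs, X and Y: the shared ID is `principal.user.userid`, the first log is `USER_LOGIN` with X = `principal.hostname`, the second is `NETWORK_CONNECTION` with Y = `target.hostname`.

```yaral
rule join_two_logs_on_id {
  meta:
    author = "added example"
    description = "Correlate two log sources on a shared ID and emit one field from each as outcome columns"
    severity = "INFORMATIONAL"

  events:
    // First log: assumed event type and field X.
    $first.metadata.event_type = "USER_LOGIN"
    $first.principal.user.userid = $id
    $first.principal.hostname != ""

    // Second log: assumed event type and field Y.
    // Binding both to the same $id placeholder is what performs the join.
    $second.metadata.event_type = "NETWORK_CONNECTION"
    $second.principal.user.userid = $id
    $second.target.hostname != ""

  match:
    // One detection per ID per window; events only correlate inside this window.
    $id over 1h

  outcome:
    // Each outcome variable becomes a column in the detection view.
    $x = array_distinct($first.principal.hostname)
    $y = array_distinct($second.target.hostname)
    $first_events = count($first.metadata.id)
    $second_events = count($second.metadata.id)

  condition:
    $first and $second
}
```

Test it with a retrohunt over the time range your two searches covered and leave alerting off, as jstoner describes. The caveat that bites people: the `match` window is the join scope, and its maximum is 48 hours, so two records that share an ID but sit days apart will never land in the same detection. If that is your data, the BigQuery export is the better route.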