Hi Community,
We are currently working on UDM-based SIEM saved searches in Google SecOps and are running into an inconsistency across different SecOps instances.
Issue Description
When we paste the same UDM saved search query (using the Graph data model) into a new Saved Search, we receive the error:
“Invalid data source provided”
However, the exact same query works successfully on a different Google SecOps instance.
What We’ve Verified
-
The query uses the Graph data model, which is documented as a supported data source for Saved Searches.
-
We are following the exact same steps in both instances.
-
The issue reproduces consistently on one instance and never on the other.
Observed Difference
The only noticeable difference between the two environments is the UDM Search UI:
-
One instance has a newer UI layout (with options shown at the top).
-
The other instance shows Search Manager and related options near the Run Search button.
This led us to suspect a possible SIEM search version / UI version mismatch between the two instances.
- Working on this SIEM Search Version
-
- Not Working on this SIEM Search Version
-
Questions
-
Are there known differences in Saved Search or Graph query support across different Google SecOps SIEM versions?
-
Can a SIEM or Search UI version mismatch cause a “Invalid data source provided” error for the same query?
-
Is there a way to identify the SIEM / Search version currently running on a Google SecOps instance, given that there is no visible version indicator in the UI?
-
Is it possible to upgrade or migrate an instance to the latest Google SecOps SIEM / Search version, or is this managed entirely by Google?
Any guidance or pointers would be greatly appreciated, especially if others have encountered similar behavior across different SecOps instances.
Thanks in advance!
