Hi,
Currently creating a playbook where its needed to do a UDM query to find a events that are created around the same time of the events of the case.
When the case starts runs the playbook and the GoogleChronicle - Execute UDM Query action, where it doesnt find the specfic event. i even made sure that the time range is correct and its not missing the event for a couple minutes by generating the start time and end time based on the timestamp of the events of the case using the action “Functions - Convert Time Format”, start time being 2 months before and the end time being 2 DAYS AFTER.
The action run but doesnt return any result, but if i do the EXACTLY same query directly on the SIEM, it is able to find that event.
I realize that after 30/40 minutos after the case being created, i can run(or rerun i guess) that action and its able to find the event.
I could fix the playbook just by adding a delay on the start of it of 1 hours or something and the action would run well and find the events but i want to run the playbook as fast as possible being the case be related to phishing with possible malware.
I have the version 61.0 right now and i know there a 62.0 version available.
Any idea?
