
Hi Security Community,

I’m currently working on a custom detection rule in my security operations environment, specifically focusing on tracking user file sharing activities and permission changes. The goal is to automatically notify users if they share files more broadly within the organization, prompting them to review the action. In addition, I want to monitor if any changes are made to file permissions by users over time. This involves integrating with the Google Chronicle platform and using SOAR playbooks to automate the entire workflow.

To build this, I’ve been trying to leverage the Google Chronicle UDM search functionality to identify and track these file permission changes by users. My workflow begins by detecting when a file is shared more widely than usual, which triggers an email notification to the user, alerting them about the action. The second phase of the workflow aims to verify whether any modifications are made to the file’s permissions after it’s shared. This information would then be used for further investigation, with appropriate tags being added to the security cases for visibility and reporting purposes.

However, while attempting to execute a UDM query in the SOAR workflow, I encountered the following error:
"Error executing action Google Chronicle - Execute UDM Query. Reason: SIEM tenant short-lived service account email not found in SOAR context."

At this point, I’m stuck, as the error seems to indicate an issue with the service account configuration. I’ve tried a few potential fixes, but I haven't been able to resolve the issue yet. Additionally, I’m looking for guidance on best practices for ensuring the playbook properly tracks file permission changes and flags cases for visibility.

Has anyone encountered a similar issue or implemented a similar workflow in Google Chronicle or SOAR? Any advice on how to resolve the service account error or on improving the playbook to monitor file permission changes effectively would be greatly appreciated.

Thanks,

Dnyaneshwar

Hi @DNYC,

This issue seems to be related to the integration you are using for your action (see below image):

Essentially, it is likely you have it set to the default integration, which may not be configured correctly. You'll need to ensure your integration is correctly configured (you can create an additional one) so it can call the integration you're trying to execute, in this case the Chronicle search API. The reference below will provide more information.

Reference: https://cloud.google.com/chronicle/docs/soar/respond/integrations-setup/supporting-multiple-instances

Kind Regards,

Ayman


Hello Ayman,

Thank you for your prompt response. I’ve set up the default environment and verified that we have only one global view, not multiple instances.

We’ve troubleshot the issue and discovered that we need to configure the service account in the marketplace to execute UDM queries, which has been successfully done. However, we’re now encountering a syntax error with an "invalid argument" message.

Can anyone help me understand how to search through the UDM Execute API? Should the query be structured similarly to how we search in SIEM, or is there a different approach, like SQL, where we need to define the source and conditions explicitly?

The error I am currently facing:

Error executing action Google Chronicle - Execute UDM Query. Reason: generic::invalid_argument: compilation error generating predicates: getting event field descriptors: accessing field "udm.SecOpstestforpermission": field "SecOpstestforpermission" does not exist, valid fields are: "metadata", "additional", "principal", "src", "target", "intermediary", "observer", "about", "security_result", "network", "extensions", "extracted"
line: 6

Thanks,

Dnyaneshwar


Looking at a SIEM log entry/UDM, how and where is SecOpstestforpermission presented?


Hello Andy,

Thanks for your reply.

Just to clarify, we're trying to use the UDM query to track any changes to file permissions after sending out a notification. Our goal is to see how many users make changes within a few hours, and we want to automate this check within our SOAR playbook.

The error we’re getting seems to be because the field "SecOpstestforpermission" doesn’t exist in the data. We were hoping to query for file permission changes, but it looks like this specific field isn’t available.

Do you have any suggestions on how we can query for these permission changes in SIEM log, or is there another way to track this using UDM?

Thanks again for your help!

Thanks,

Dnyaneshwar


Here is a description of the UDM model; I don't think 'udm.SecOpstestforpermission' exists:
https://cloud.google.com/chronicle/docs/reference/udm-field-list#udm_entity_data_model


I suggest you get the logs into SIEM, then use "Investigation SIEM" to find a hit you are interested in, then build your UDM query and copy/paste it into the SOAR action.


HTH
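Added example (not from any of the posts above, and not Google's code) to make the two points in this thread concrete: the `invalid_argument` error lists the only twelve top-level UDM event fields a search may start with, so a query can be checked against that list before the SOAR action runs, and the "second phase" of the playbook (who changed the file's permissions within a few hours of the email) is a filter over the search results. `USER_RESOURCE_UPDATE_PERMISSIONS` is a real UDM `metadata.event_type` value; the `product_event_type` names, the use of `target.resource.name` for the file, the four-hour window, the tag names and all sample events are assumptions made for the example and are marked as such in the code.

```python
"""Added example for this thread (not code from the posts or from Google).

1. Check a UDM search string against the top-level event fields enumerated in
   the invalid_argument error, so "udm.SecOpstestforpermission" is caught early.
2. Build a permission-change query for one shared file from UDM field names.
3. From constructed sample results, count distinct users who changed the file's
   permissions in the hours after the notification email, and derive case tags.
The product_event_type values and target.resource.name are assumptions about
how the Workspace parser maps Drive audit events.
"""
import re
from datetime import datetime, timedelta, timezone

# Top-level UDM event fields, exactly as enumerated in the error message.
VALID_TOP_LEVEL = {
    "metadata", "additional", "principal", "src", "target", "intermediary",
    "observer", "about", "security_result", "network", "extensions", "extracted",
}

_FIELD_PATH = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)+")


def invalid_field_paths(query: str) -> list[str]:
    """Return dotted field paths whose first component is not a valid top-level field."""
    # Blank out string literals first so dots inside values (emails, file names) are ignored.
    stripped = re.sub(r'"(?:\\.|[^"\\])*"', '""', query)
    bad = []
    for path in _FIELD_PATH.findall(stripped):
        if path.startswith("udm."):  # a "udm." prefix is not part of a search field path
            path = path[len("udm."):]
        if path.split(".")[0] not in VALID_TOP_LEVEL:
            bad.append(path)
    return bad


def _quote(value: str) -> str:
    """Quote a literal, escaping backslashes and quotes so a file name copied from a
    log cannot break out of the string and alter the query (assumes YARA-L style escapes)."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def permission_change_query(file_name: str) -> str:
    """UDM search for permission changes on one file. USER_RESOURCE_UPDATE_PERMISSIONS
    is a real UDM event_type; the product_event_type names are Workspace Drive audit
    event names and an assumption about parser mapping. Time range is set on the action."""
    return (
        'metadata.event_type = "USER_RESOURCE_UPDATE_PERMISSIONS" AND '
        f"target.resource.name = {_quote(file_name)} AND "
        '(metadata.product_event_type = "change_user_access" OR '
        'metadata.product_event_type = "change_document_visibility" OR '
        'metadata.product_event_type = "change_acl_editors")'
    )


def _ts(value: str) -> datetime:
    """Parse an RFC 3339 timestamp as UDM emits it (trailing Z)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def users_who_changed_permissions(events, file_name, notified_at, window_hours=4):
    """Distinct principal emails that changed file_name's permissions within
    window_hours after notified_at; other files and times outside the window are ignored."""
    deadline = notified_at + timedelta(hours=window_hours)
    changers = set()
    for ev in events:
        if ev.get("target", {}).get("resource", {}).get("name") != file_name:
            continue
        if ev["metadata"].get("event_type") != "USER_RESOURCE_UPDATE_PERMISSIONS":
            continue
        if notified_at <= _ts(ev["metadata"]["event_timestamp"]) <= deadline:
            changers.update(ev.get("principal", {}).get("user", {}).get("email_addresses", []))
    return sorted(changers)


def case_tags(changers, window_hours=4):
    """Tags to attach to the SOAR case (tag names are made up for the example)."""
    if not changers:
        return [f"no_permission_change_within_{window_hours}h"]
    return ["permission_changed_after_notification", f"permission_changers:{len(changers)}"]


def _event(ts, user, file_name):
    return {"metadata": {"event_timestamp": ts, "event_type": "USER_RESOURCE_UPDATE_PERMISSIONS",
                         "product_event_type": "change_user_access"},
            "principal": {"user": {"email_addresses": [user]}},
            "target": {"resource": {"name": file_name}}}


# Constructed sample results (not real data) for a notification sent at 09:00 UTC.
NOTIFIED_AT = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    _event("2024-05-01T08:30:00Z", "eve@example.com", "Q2 Budget.xlsx"),    # before the email
    _event("2024-05-01T09:40:00Z", "alice@example.com", "Q2 Budget.xlsx"),  # counted
    _event("2024-05-01T10:05:00Z", "alice@example.com", "Q2 Budget.xlsx"),  # same user, still one
    _event("2024-05-01T12:00:00Z", "bob@example.com", "Q2 Budget.xlsx"),    # counted
    _event("2024-05-01T16:00:00Z", "carol@example.com", "Q2 Budget.xlsx"),  # outside the window
    _event("2024-05-01T09:50:00Z", "dave@example.com", "Other.docx"),       # different file
]

if __name__ == "__main__":
    print(permission_change_query("Q2 Budget.xlsx"))
    print(invalid_field_paths('udm.SecOpstestforpermission = "x"'))
    who = users_who_changed_permissions(SAMPLE_EVENTS, "Q2 Budget.xlsx", NOTIFIED_AT)
    print(who, case_tags(who))
```

In the playbook the query string would be pasted into the Execute UDM Query action with the time range set on the action, and the returned events fed to `users_who_changed_permissions` in a subsequent step; running `invalid_field_paths` on the query first turns the "field does not exist" compile error into a local check. Note the quoting helper: the file name comes from a log line, so it is escaped rather than interpolated raw into the query.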
