Skip to main content
Solved

Help with Resolving UDM Query Error and Automating File Permission Change Detection in SOAR Playbook

  • December 5, 2024
  • 5 replies
  • 161 views
dnyaneshwar
Forum|alt.badge.img+3

Hi Security Community,

I’m currently working on a custom detection rule in my security operations environment, specifically focusing on tracking user file sharing activities and permission changes. The goal is to automatically notify users if they share files more broadly within the organization, prompting them to review the action. In addition, I want to monitor if any changes are made to file permissions by users over time. This involves integrating with the Google Chronicle platform and using SOAR playbooks to automate the entire workflow.

To build this, I’ve been trying to leverage the Google Chronicle UDM search functionality to identify and track these file permission changes by users. My workflow begins by detecting when a file is shared more widely than usual, which triggers an email notification to the user, alerting them about the action. The second phase of the workflow aims to verify whether any modifications are made to the file’s permissions after it’s shared. This information would then be used for further investigation, with appropriate tags being added to the security cases for visibility and reporting purposes.

However, while attempting to execute a UDM query in the SOAR workflow, I encountered the following error:
"Error executing action Google Chronicle - Execute UDM Query. Reason: SIEM tenant short-lived service account email not found in SOAR context."

At this point, I’m stuck, as the error seems to indicate an issue with the service account configuration. I’ve tried a few potential fixes, but I haven't been able to resolve the issue yet. Additionally, I’m looking for guidance on best practices for ensuring the playbook properly tracks file permission changes and flags cases for visibility.

Has anyone encountered a similar issue or implemented a similar workflow in Google Chronicle or SOAR? Any advice on how to resolve the service account error or on improving the playbook to monitor file permission changes effectively would be greatly appreciated.

Thanks,

Dnyaneshwar

Best answer by SoarAndy

Hello Andy,

Thanks for your reply.

Just to clarify, we're trying to use the UDM query to track any changes to file permissions after sending out a notification. Our goal is to see how many users make changes within a few hours, and we want to automate this check within our SOAR playbook.

The error we’re getting seems to be because the field "SecOpstestforpermission" doesn’t exist in the data. We were hoping to query for file permission changes, but it looks like this specific field isn’t available.

Do you have any suggestions on how we can query for these permission changes in SIEM log, or is there another way to track this using UDM?

Thanks again for your help!

Thanks,

Dnyaneshwar


Here is a description of the UDM model, I don't think 'udm.SecOpstestforpermission' exists?
https://cloud.google.com/chronicle/docs/reference/udm-field-list#udm_entity_data_model

I suggest you get the logs into SIEM, then use "Investigation SIEM" to find a hit you are interested in, then either build your UDM query and copy paste to SOAR Actions

HTH

 

5 replies

AymanC
Forum|alt.badge.img+13
  • AymanCBronze 5
  • Bronze 5
  • December 5, 2024

Hi @DNYC,

This issue seems to be related to the integration you are using for your action (see below image):

 

 

Essentially, it is likely you have it set to the default integration, which may not be configured correctly. You'll need to ensure your integration is correctly configured (you can create an additional one) so it can call the integration you're trying to execute - in this case the Chronicle search API. The below reference will provide more information.

Reference: https://cloud.google.com/chronicle/docs/soar/respond/integrations-setup/supporting-multiple-instances

Kind Regards,

Ayman

    dnyaneshwar
    Forum|alt.badge.img+3
    • dnyaneshwarBronze 5
    • Author
    • Bronze 5
    • January 3, 2025

    Hello Ayman,

    Thank you for your prompt response. I’ve set up the default environment and verified that we have only one global view, not multiple instances.

    We’ve troubleshot the issue and discovered that we need to configure the service account in the marketplace to execute UDM queries, which has been successfully done. However, we’re now encountering a syntax error with an "invalid argument" message.

    Can anyone help me understand how to search through the UDM Execute API? Should the query be structured similarly to how we search in SIEM, or is there a different approach, like SQL, where we need to define the source and conditions explicitly?

    Error which i am currently facing -

    Error executing action Google Chronicle - Execute UDM Query. Reason: generic::invalid_argument: compilation error generating predicates: getting event field descriptors: accessing field "udm.SecOpstestforpermission": field "SecOpstestforpermission" does not exist, valid fields are: "metadata", "additional", "principal", "src", "target", "intermediary", "observer", "about", "security_result", "network", "extensions", "extracted"
    line: 6

    Thanks,

    Dnyaneshwar

     

    SoarAndy
    Staff
    Forum|alt.badge.img+12
    • SoarAndy
    • Staff
    • January 3, 2025

    Hello Ayman,

    Thank you for your prompt response. I’ve set up the default environment and verified that we have only one global view, not multiple instances.

    We’ve troubleshot the issue and discovered that we need to configure the service account in the marketplace to execute UDM queries, which has been successfully done. However, we’re now encountering a syntax error with an "invalid argument" message.

    Can anyone help me understand how to search through the UDM Execute API? Should the query be structured similarly to how we search in SIEM, or is there a different approach, like SQL, where we need to define the source and conditions explicitly?

    Error which i am currently facing -

    Error executing action Google Chronicle - Execute UDM Query. Reason: generic::invalid_argument: compilation error generating predicates: getting event field descriptors: accessing field "udm.SecOpstestforpermission": field "SecOpstestforpermission" does not exist, valid fields are: "metadata", "additional", "principal", "src", "target", "intermediary", "observer", "about", "security_result", "network", "extensions", "extracted"
    line: 6

    Thanks,

    Dnyaneshwar

     


    Looking to a SIEM log entry/UDM, how-where is SecOpstestforpermission presented?

    dnyaneshwar
    Forum|alt.badge.img+3
    • dnyaneshwarBronze 5
    • Author
    • Bronze 5
    • January 3, 2025

    Hello Andy,

    Thanks for your reply.

    Just to clarify, we're trying to use the UDM query to track any changes to file permissions after sending out a notification. Our goal is to see how many users make changes within a few hours, and we want to automate this check within our SOAR playbook.

    The error we’re getting seems to be because the field "SecOpstestforpermission" doesn’t exist in the data. We were hoping to query for file permission changes, but it looks like this specific field isn’t available.

    Do you have any suggestions on how we can query for these permission changes in SIEM log, or is there another way to track this using UDM?

    Thanks again for your help!

    Thanks,

    Dnyaneshwar

    SoarAndy
    Staff
    Forum|alt.badge.img+12
    • SoarAndy
    • Staff
    • Answer
    • January 13, 2025

    Hello Andy,

    Thanks for your reply.

    Just to clarify, we're trying to use the UDM query to track any changes to file permissions after sending out a notification. Our goal is to see how many users make changes within a few hours, and we want to automate this check within our SOAR playbook.

    The error we’re getting seems to be because the field "SecOpstestforpermission" doesn’t exist in the data. We were hoping to query for file permission changes, but it looks like this specific field isn’t available.

    Do you have any suggestions on how we can query for these permission changes in SIEM log, or is there another way to track this using UDM?

    Thanks again for your help!

    Thanks,

    Dnyaneshwar


    Here is a description of the UDM model, I don't think 'udm.SecOpstestforpermission' exists?
    https://cloud.google.com/chronicle/docs/reference/udm-field-list#udm_entity_data_model

    I suggest you get the logs into SIEM, then use "Investigation SIEM" to find a hit you are interested in, then either build your UDM query and copy paste to SOAR Actions

    HTH

     

      Terms & ConditionsCookie settingsAccessibility statement
      Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

      © 2025 Google. All rights reserved.