
Hi, Greetings.

I am looking to perform an aggregated query as below.
I am looking for the total count of hits by endpoint.
I could execute this query in the SIEM query, but I am unable to execute it via the automation "Execute UDM Query".

Can you help me with how to best achieve the result via Automation (Action/Script)?

metadata.vendor_name = "Akamai"
$endpoint = additional.fields["RequestHeader x-operationname"]
match:
    $endpoint
outcome:
    $deny_count = count($endpoint)

Hey @UmaPadisetty,

IIRC aggregation and complex queries are not supported by the UDM query functionality within the SOAR actions. If you try to run it you'll most likely get an error along the lines of:

Error executing action Google Chronicle - Execute UDM Query. Reason: generic::invalid_argument: compilation error query uses a feature that is not yet allowed: invalid argument

Google's docs for UDM show examples of how UDM search currently works: https://cloud.google.com/chronicle/docs/event-processing/udm-overview#example_udm_searches. For the most part, you can use it as a retriever for logs / information, but your aggregation functionality will need to be performed via another action.
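As an added example (not from the thread or the Chronicle integration itself), this is the kind of follow-up action script that does the grouping once the non-aggregating query has returned the raw events: it counts hits per additional.fields["RequestHeader x-operationname"], the same result the match/outcome query above would have produced. The event list is constructed, and the nested dict layout is assumed to mirror the UDM field paths used in the query.

```python
"""Aggregate 'hits by endpoint' from raw UDM events returned by the
Execute UDM Query action. Added example with constructed data; the
nested dict layout is an assumption based on the UDM field paths."""
from collections import Counter
from typing import Dict, Iterable, Mapping, Optional

# Key used in the question's query: additional.fields["RequestHeader x-operationname"]
ENDPOINT_KEY = "RequestHeader x-operationname"

# Constructed sample of events, shaped like results of the plain filter
# 'metadata.vendor_name = "Akamai"' (no match/outcome clauses).
SAMPLE_EVENTS = [
    {"metadata": {"vendor_name": "Akamai"},
     "additional": {"fields": {ENDPOINT_KEY: "getOrder"}}},
    {"metadata": {"vendor_name": "Akamai"},
     "additional": {"fields": {ENDPOINT_KEY: "getOrder"}}},
    {"metadata": {"vendor_name": "Akamai"},
     "additional": {"fields": {ENDPOINT_KEY: "createOrder"}}},
    # Event without the header: must be counted, not crash the script.
    {"metadata": {"vendor_name": "Akamai"}, "additional": {"fields": {}}},
    # Event from another vendor: excluded, as the query's filter would.
    {"metadata": {"vendor_name": "Other"},
     "additional": {"fields": {ENDPOINT_KEY: "getOrder"}}},
]


def endpoint_of(event: Mapping) -> Optional[str]:
    """Return the endpoint label, or None when the header is absent."""
    return event.get("additional", {}).get("fields", {}).get(ENDPOINT_KEY)


def count_hits_by_endpoint(events: Iterable[Mapping], vendor: str = "Akamai",
                           missing_label: str = "<no x-operationname>") -> Dict[str, int]:
    """Script-side equivalent of 'match: $endpoint / outcome: count($endpoint)'.

    Events whose vendor does not match are skipped; events lacking the
    header are grouped under missing_label so the total still adds up.
    """
    counts: Counter = Counter()
    for ev in events:
        if ev.get("metadata", {}).get("vendor_name") != vendor:
            continue
        counts[endpoint_of(ev) or missing_label] += 1
    # most_common() orders by hit count, highest first
    return dict(counts.most_common())


if __name__ == "__main__":
    for endpoint, hits in count_hits_by_endpoint(SAMPLE_EVENTS).items():
        print(f"{endpoint}: {hits}")
```

In a playbook, the SAMPLE_EVENTS list would be replaced by the JSON result of the Execute UDM Query step, and the returned dict can be attached to the case or fed into a downstream condition.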



This is crazy. Couldn't do aggregated queries in UDM Search.
This sucks.


Hi @UmaPadisetty,

The following blog post may be of interest - Use Natural Language to Query Google SecOps - SecOps API Wrapper SDK | Community

Kind Regards,

Ayman


Hey @UmaPadisetty @AymanC @_K_O,

Support for aggregated queries was added in version 64 of the Google Chronicle integration. For more information, refer to this community post.