How to do aggregated query using "Execute UDM Query"

  • March 21, 2025
  • 4 replies
  • 111 views

UmaPadisetty

Hi, Greetings.

I am looking to perform an aggregated query as below.
I am looking for the total count of hits by endpoint.
I could execute this query in the SIEM query, but I am unable to execute it via the automation action "Execute UDM Query".

Can you help me with how to best achieve the result via Automation (Action/Script)?

metadata.vendor_name = "Akamai"
$endpoint = additional.fields["RequestHeader x-operationname"]
match:
    $endpoint
outcome:
    $deny_count = count($endpoint)

4 replies

_K_O
  • Bronze 5
  • March 21, 2025

Hey @UmaPadisetty , 

IIRC aggregation and complex queries are not supported by the UDM query functionality within the SOAR actions. If you try to run it you'll most likely get an error along the lines of:

Error executing action Google Chronicle - Execute UDM Query. Reason: generic::invalid_argument: compilation error query uses a feature that is not yet allowed: invalid argument

Google's docs for UDM show examples of how UDM search currently works: https://cloud.google.com/chronicle/docs/event-processing/udm-overview#example_udm_searches. For the most part, you can use it as a retriever for logs / information, but your aggregation functionality will need to be performed via another action.

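One way to do the aggregation in a follow-up script action once the UDM action has only retrieved the events, as an added Python example (not code from this thread, from Google, or from the Google Chronicle integration). It assumes the "Execute UDM Query" action returns a JSON document with an "events" list, that each event is either wrapped as {"udm": {...}} (as the Chronicle search API does) or flattened, and that the event-level `additional` map can appear either with the protobuf Struct `fields` wrapper (which is why the query syntax spells it `additional.fields[...]`) or flattened to a plain JSON object; the code accepts both shapes. The optional `action` filter on `security_result[].action` is an assumption prompted by the `$deny_count` name in the original query, not something the thread confirms. The retrieval query would then be just `metadata.vendor_name = "Akamai"` with no `match:` / `outcome:` block, and the counting happens here. The sample events are constructed, not real Akamai data.

```python
import json
from collections import Counter

# The key the original query reads as additional.fields["RequestHeader x-operationname"]
OPERATION_KEY = "RequestHeader x-operationname"

# Constructed sample of the assumed action output. Events 1, 2, 4 and 5 are wrapped
# in {"udm": ...}; event 3 is flat. Event 2 shows the Struct "fields"/"stringValue"
# serialisation, the others show the flattened map. Event 5 has no endpoint at all.
SAMPLE_RESULT = json.dumps({
    "events": [
        {"udm": {"metadata": {"vendor_name": "Akamai"},
                 "additional": {OPERATION_KEY: "GetUser"},
                 "security_result": [{"action": ["ALLOW"]}]}},
        {"udm": {"metadata": {"vendor_name": "Akamai"},
                 "additional": {"fields": {OPERATION_KEY: {"stringValue": "GetUser"}}},
                 "security_result": [{"action": ["BLOCK"]}]}},
        {"metadata": {"vendor_name": "Akamai"},
         "additional": {OPERATION_KEY: "GetUser"},
         "security_result": [{"action": "BLOCK"}]},
        {"udm": {"metadata": {"vendor_name": "Akamai"},
                 "additional": {OPERATION_KEY: "UpdateOrder"},
                 "security_result": [{"action": ["ALLOW"]}]}},
        {"udm": {"metadata": {"vendor_name": "Akamai"}}},
    ]
})


def _unwrap(event):
    """Return the UDM body whether or not the event is wrapped in {"udm": ...}."""
    return event.get("udm", event)


def _struct_value(value):
    """Unwrap a protobuf Struct scalar serialised as {"stringValue": ...};
    plain JSON scalars (the flattened form) pass through unchanged."""
    if isinstance(value, dict):
        return value.get("stringValue", value.get("string_value"))
    return value


def extract_endpoint(event, key=OPERATION_KEY):
    """Read the event-level additional[key], tolerating the Struct `fields` wrapper.
    Returns None when the event carries no such key."""
    additional = _unwrap(event).get("additional") or {}
    fields = additional.get("fields")
    if isinstance(fields, dict):
        additional = fields
    return _struct_value(additional.get(key))


def _actions(event):
    """Flatten security_result[].action into a set; action may be a list or a string."""
    acts = set()
    for sr in _unwrap(event).get("security_result") or []:
        a = sr.get("action")
        if isinstance(a, str):
            acts.add(a)
        elif isinstance(a, list):
            acts.update(a)
    return acts


def count_by_endpoint(result, action=None, key=OPERATION_KEY):
    """Equivalent of the match/outcome block done client-side.
    result: the action output as a JSON string or an already-parsed object.
    action: if set (e.g. "BLOCK"), only events whose security_result carries that
            action are counted (assumed mapping for a "deny count").
    Returns (Counter of endpoint -> hits, number of events lacking the key)."""
    data = json.loads(result) if isinstance(result, str) else result
    events = data.get("events", []) if isinstance(data, dict) else data
    counts = Counter()
    missing = 0
    for ev in events:
        if action is not None and action not in _actions(ev):
            continue
        endpoint = extract_endpoint(ev, key)
        if endpoint is None:
            missing += 1  # surface rather than silently drop events with no endpoint
            continue
        counts[endpoint] += 1
    return counts, missing


if __name__ == "__main__":
    hits, skipped = count_by_endpoint(SAMPLE_RESULT)
    for endpoint, n in hits.most_common():
        print(f"{endpoint}: {n}")
    print(f"events without {OPERATION_KEY!r}: {skipped}")
    denies, _ = count_by_endpoint(SAMPLE_RESULT, action="BLOCK")
    print("BLOCK only:", dict(denies))
```

In a SOAR script action the result JSON of the preceding "Execute UDM Query" step would be passed in as `result`; the `missing` count is worth surfacing in the action output, because an endpoint header that is absent from some events would otherwise be invisible in the totals.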

UmaPadisetty
  • Author
  • New Member
  • July 30, 2025

This is crazy. Couldn't do aggregated queries in UDM Search.
This sucks.


AymanC
  • Bronze 5
  • August 3, 2025

Hi ​@UmaPadisetty,

The following blog post may be of interest - Use Natural Language to Query Google SecOps - SecOps API Wrapper SDK | Community

Kind Regards,

Ayman


ylandovskyy
Staff
  • Staff
  • August 21, 2025

Hey ​@UmaPadisetty ​@AymanC ​@_K_O ,

Support for aggregated queries was added in version 64 of the Google Chronicle integration. For more information, refer to this community post.