Hey folks,
In version 64 of the Google Chronicle Response Integration, we updated the “Execute UDM Query” action to support Aggregated Queries and YL2 functions.
Important Note: Aggregated Queries are only supported by the Chronicle API; the Backstory API doesn’t support them. To make the integration use the Chronicle API, adjust the API Root in the integration configuration. Keep in mind that this affects the whole integration, and some action outputs are slightly different when executed against the Chronicle API.
Example 1. Basic Matching
principal.hostname = "siemplify"
match:
target.file.vhash
UI (screenshot)
JSON Result
{
  "events": [
    {
      "target.file.vhash": {
        "values": [
          {
            "stringVal": "d6e1387847bdaafd8a024f52a74ace7a"
          }
        ]
      }
    },
    {
      "target.file.vhash": {
        "values": [
          {
            "stringVal": "673961a71ba82e0556ef95cb2147e212"
          }
        ]
      }
    }
  ]
}
Widget (screenshot)
Example 2. Using Functions and Variables
principal.hostname = "siemplify"
match:
target.file.vhash
outcome:
$avg_seconds = avg(metadata.event_timestamp.seconds)
UI (screenshot)
JSON Result
{
  "events": [
    {
      "target.file.vhash": {
        "values": [
          {
            "stringVal": "d6e1387847bdaafd8a024f52a74ace7a"
          }
        ]
      },
      "avg_seconds": {
        "values": [
          {
            "doubleVal": 1 [removed by moderator] 705
          }
        ]
      }
    },
    {
      "target.file.vhash": {
        "values": [
          {
            "stringVal": "673961a71ba82e0556ef95cb2147e212"
          }
        ]
      },
      "avg_seconds": {
        "values": [
          {
            "doubleVal": 1 [removed by moderator] 692
          }
        ]
      }
    }
  ]
}
Widget (screenshot)
JSON Result Structure
As these examples show, the JSON Result is designed so that each object under the “events” key represents one row, and each key inside that object is a column holding a list of typed values. This output is very different from the raw response, but it should make it easier to work with in playbooks.
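As an added example (not part of the integration or of this post), here is a small Python helper that turns the row-oriented JSON Result above into plain dicts, one per row, so a playbook step can index columns directly. The sample input is constructed to mirror Example 2 (the avg_seconds numbers are made up), and the int64Val/boolVal keys are assumed, not taken from the examples.

```python
"""Flatten the "Execute UDM Query" JSON Result into one plain dict per row."""
import json

# Constructed sample mirroring Example 2; the doubleVal numbers are invented.
SAMPLE_RESULT = json.dumps({
    "events": [
        {
            "target.file.vhash": {"values": [{"stringVal": "d6e1387847bdaafd8a024f52a74ace7a"}]},
            "avg_seconds": {"values": [{"doubleVal": 1700000000.5}]},
        },
        {
            "target.file.vhash": {"values": [{"stringVal": "673961a71ba82e0556ef95cb2147e212"}]},
            "avg_seconds": {"values": [{"doubleVal": 1700000100.0}]},
        },
    ]
})

# stringVal and doubleVal appear in the examples; int64Val and boolVal are assumed.
VALUE_KEYS = ("stringVal", "doubleVal", "int64Val", "boolVal")


def _cell_values(cell):
    """Return the list of typed values stored in one column cell."""
    out = []
    for value_obj in cell.get("values", []):
        for key in VALUE_KEYS:
            if key in value_obj:
                out.append(value_obj[key])
                break
        else:
            raise ValueError(f"unrecognised value object: {value_obj!r}")
    return out


def flatten_events(result_json):
    """Parse the action's JSON Result and return a list of row dicts.

    A column with exactly one value is unwrapped to that value; a column with
    several values stays a list. Columns missing from a row are filled with
    None so every row exposes the same keys.
    """
    data = json.loads(result_json)
    events = data.get("events", [])
    columns = sorted({col for event in events for col in event})
    rows = []
    for event in events:
        row = {}
        for col in columns:
            vals = _cell_values(event[col]) if col in event else []
            row[col] = vals[0] if len(vals) == 1 else (vals or None)
        rows.append(row)
    return rows
```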