
I have a Python script that fetches IOCs (potentially thousands), runs a UDM search to find matching events, and then forwards the results to a 3rd-party tool.

Previously, I used Reference Lists to store the IOCs and it worked fine. Since Reference Lists are deprecated, I’m re-working the script to use Data Tables instead.

The issue I’m seeing:  
- When I create a Data Table, populate it with IOCs, and immediately run a UDM search, I get no results.  
- If I wait ~3 minutes and rerun the exact same UDM search, then I get the expected results.  

Example query:

metadata.event_type = "NETWORK_CONNECTION" AND target.ip IN %my_data_table.ioc

A similar lag happens if I modify an existing Data Table. For example:  
- If I insert some test data and immediately run a UDM search, it still shows results (even though it shouldn’t).  
- Only after ~3 minutes do I get the correct/expected results.

So my question is: how should I handle this delay?
Waiting a fixed 3 minutes in the script doesn’t seem like a reliable solution.

"The backend infra induces a delay of ~5 mins for data to be persisted and made available for reads primarily because it creates a snapshot so there is a replication delay."

A little different from ref lists due to the additional capabilities and complexity.


Thank you @dnehoda, so I guess my best option would be to wait 6 minutes before running the UDM search.
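An added example (my own code, not the thread's script or any Google SecOps SDK call) of replacing the fixed wait with a readiness poll: after the Data Table write, re-run the same `IN %table.column` query until a canary IOC that is known to match a recent event shows up (or stops showing up after a delete), and fail loudly on timeout rather than forwarding stale results. `udm_search` is an assumed wrapper around the script's own search call; the fake search is constructed to simulate the replication lag.

```python
import time
from typing import Callable

# Assumed shape of the script's search wrapper (hypothetical): query string in,
# list of UDM event dicts out, each with a "target" -> "ip" field.
UdmSearch = Callable[[str], list[dict]]


def canary_query(table: str, column: str) -> str:
    # Same query shape as the thread's example, parameterised on the table/column.
    return f'metadata.event_type = "NETWORK_CONNECTION" AND target.ip IN %{table}.{column}'


def canary_visible(udm_search: UdmSearch, table: str, column: str, canary_ip: str) -> bool:
    # The canary is an IOC the operator knows matches at least one recent event; once
    # the search returns it, the Data Table snapshot has been replicated to the readers.
    events = udm_search(canary_query(table, column))
    return any(e.get("target", {}).get("ip") == canary_ip for e in events)


def wait_for_table_sync(udm_search: UdmSearch, table: str, column: str, canary_ip: str,
                        expect_present: bool = True,
                        timeout_s: float = 600.0,   # ~2x the ~5 min delay quoted in the thread
                        interval_s: float = 20.0,
                        sleep: Callable[[float], None] = time.sleep,
                        clock: Callable[[], float] = time.monotonic) -> int:
    """Block until the canary's presence matches `expect_present` (True after an insert,
    False after a delete). Returns the number of search attempts; raises TimeoutError
    so the caller never forwards results computed against a stale table."""
    start = clock()
    attempts = 0
    while True:
        attempts += 1
        if canary_visible(udm_search, table, column, canary_ip) == expect_present:
            return attempts
        if clock() - start >= timeout_s:
            raise TimeoutError(f"{table}.{column} not consistent after {timeout_s:.0f}s")
        sleep(interval_s)


def make_fake_search(canary_ip: str, ready_after: int) -> UdmSearch:
    # Constructed stand-in for UDM search: returns no match for the first `ready_after`
    # calls, then the canary event, simulating the replication lag described above.
    calls = {"n": 0}

    def search(query: str) -> list[dict]:
        calls["n"] += 1
        if calls["n"] <= ready_after:
            return []
        return [{"metadata": {"event_type": "NETWORK_CONNECTION"}, "target": {"ip": canary_ip}}]
    return search
```

With a real wrapper, run the IOC search only after `wait_for_table_sync` returns; the same helper with `expect_present=False` covers the "deleted rows still match" case from the question.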

