I have an playbook that extracts IOCs from an email, and then adds them to reference lists. These lists are then referred in stats UDM queries that are executed using the marketplace “Execute UDM Query” action in the Google Chronicle.
Reference lists will no longer be usable after Sep 2026 so I’m trying to replace them with data tables. However when doing testing and encountering a 400 error, a limitation was flagged to me saying that data tables cant be used in searches via the Chronicle API:
https://docs.cloud.google.com/chronicle/docs/investigation/data-tables#search-data-tables
Is that correct? given the nearing EoL deadline for reference lists, do we have an ETA on getting the limitation removed?
