
When I run a UDM search directly in Google SecOps, it returns exactly the data I need, including aggregated statistics. However, when I use the 'Execute UDM Query' playbook action, it only returns raw UDM events without any aggregation or statistical summaries. Is there a way to configure the playbook action so that it returns the same aggregated results as a standard SIEM search?

Hi @teeeeeeeeeee, the Execute UDM Query action does not support aggregation or stats summaries; it only supports returning raw UDM events. I think it's worthwhile to highlight your feedback because there's always the possibility of this action getting updated in the future.


Separately, have you worked with the new SecOps Wrapper SDK? I have not explored your specific use case with it yet, but there might be a way to leverage the wrapper instead of this specific playbook action to programmatically return this type of data along with the raw UDM queries; I would have to experiment with this further on my side.


Another option would be to create a custom action using the v1alpha UDMSearch API. This API endpoint does support stat queries.
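Until the action itself returns aggregated results, one stop-gap is to aggregate the raw events the action already returns. The block below is an added Python example, not code from this thread, the SecOps SDK or Google; the event dicts are constructed samples in UDM shape, and the field paths used (principal.hostname, principal.ip, target.user.userid) are assumed for illustration.

```python
# Added example: emulate a stats-style "count / count distinct by group" over
# raw UDM events, since the Execute UDM Query playbook action returns only
# raw events. SAMPLE_EVENTS are constructed, not real tenant data.
from collections import defaultdict

SAMPLE_EVENTS = [
    {"metadata": {"event_type": "USER_LOGIN"}, "principal": {"hostname": "wks-01", "ip": ["10.0.0.5"]}, "target": {"user": {"userid": "alice"}}},
    {"metadata": {"event_type": "USER_LOGIN"}, "principal": {"hostname": "wks-01", "ip": ["10.0.0.5"]}, "target": {"user": {"userid": "bob"}}},
    {"metadata": {"event_type": "USER_LOGIN"}, "principal": {"hostname": "wks-02", "ip": ["10.0.0.9", "10.0.0.10"]}, "target": {"user": {"userid": "alice"}}},
    {"metadata": {"event_type": "NETWORK_CONNECTION"}, "principal": {"hostname": "wks-02"}, "target": {"ip": ["203.0.113.7"]}},
]


def get_field(event, path):
    """Resolve a dotted UDM path; repeated fields (lists) fan out into several values.
    Missing fields yield an empty list rather than raising."""
    values = [event]
    for part in path.split("."):
        nxt = []
        for v in values:
            if isinstance(v, dict) and part in v:
                child = v[part]
                nxt.extend(child if isinstance(child, list) else [child])
        values = nxt
    return [v for v in values if not isinstance(v, (dict, list))]


def udm_stats(events, group_by, distinct_field=None):
    """Group raw events by one UDM field and return rows with an event count and,
    optionally, a distinct count of a second field. A repeated group field counts
    the event once under each of its values; a missing field groups as '<missing>'."""
    counts = defaultdict(int)
    distinct = defaultdict(set)
    for ev in events:
        for key in get_field(ev, group_by) or ["<missing>"]:
            counts[key] += 1
            if distinct_field:
                distinct[key].update(get_field(ev, distinct_field))
    rows = []
    for key in sorted(counts, key=str):
        row = {group_by: key, "event_count": counts[key]}
        if distinct_field:
            row["distinct_" + distinct_field] = len(distinct[key])
        rows.append(row)
    return rows


if __name__ == "__main__":
    logins = [e for e in SAMPLE_EVENTS if get_field(e, "metadata.event_type") == ["USER_LOGIN"]]
    for row in udm_stats(logins, "principal.hostname", "target.user.userid"):
        print(row)
```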

