Skip to main content
Question

UDM SEARCH

  • August 11, 2025
  • 2 replies
  • 113 views
T

When I run a UDM search directly in Google SecOps, it returns exactly the data I need, including aggregated statistics. However, when I use the 'Execute UDM Query' playbook action, it only returns raw UDM events without any aggregation or statistical summaries. Is there a way to configure the playbook action so that it returns the same aggregated results as a standard SIEM search?

2 replies

vaskenh
Staff
Forum|alt.badge.img+13
  • vaskenh
  • Staff
  • August 11, 2025

Hi @teeeeeeeeeee The Execute UDM Query action does not support aggregation or stats summaries, it only supports returning raw UDM events.  I think it's worthwhile to highlight your feedback because there’s always the possibility of this action getting updated in the future.

 

Separately, have you worked with the new SecOps Wrapper SDK?   I have not explored your specific use case with it yet but there might be a way to leverage the wrapper instead of this specific playbook action to programmatically return this type of data along with the raw UDM queries, but I would have to experiment with this further on my side.

James_E
James_E
Staff
Forum|alt.badge.img+8
  • James_E
  • Staff
  • August 11, 2025

Another option would be to create a custom action using the v1alpha UDMSearch API. This API endpoint does support stat queries.

vaskenh
AbdElHafez
Terms & ConditionsCookie settingsAccessibility statement
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.