Skip to main content

Unflattened Raw Event Data

  • May 27, 2025
  • 3 replies
  • 34 views
K
Forum|alt.badge.img+1

For events that were ingested into SOAR via the Google Chronicle - Chronicle Alerts Connector, is there a way to access the UNflattened raw event JSON data containing the UDM fields for an alert?

It appears all events are being flattened using the dict_to_flat function which I may have found some bugs in that make unflattening very difficult if not impossible. So I'm wondering if there's another way to access the unflattened UDM data for an event either via an API or if it gets stored away somewhere else in a property of the alert or event

3 replies

ylandovskyy
Staff
Forum|alt.badge.img+16

Hey @Kmart95 ,

Use action "Get Detection Details" , it has a useful predefined widget associated with it + JSON result will contain the unflattened version of detection.

    K
    Forum|alt.badge.img+1
    • Kmart95
    • Author
    • New Member
    • May 28, 2025

    This is perfect thank you. 

    I could see some potential issues with needing to make API calls for every alert that comes in, so I think it would still be nice to have this data saved somewhere during the ingestion process - in case you want my feedback.

    But ultimately this does provide what i was looking for. Thanks

      mokatsu
      Forum|alt.badge.img+6
      • mokatsuBronze 5
      • Bronze 5
      • May 30, 2025

      This is perfect thank you. 

      I could see some potential issues with needing to make API calls for every alert that comes in, so I think it would still be nice to have this data saved somewhere during the ingestion process - in case you want my feedback.

      But ultimately this does provide what i was looking for. Thanks


      I agree, I seen this done with having the ability to just call the field name:
      principal_ip = to get the list of all the value and when you want a specific index from the array you just use principal_ip_x

      Some thing like this would be nice especially when using variables.

      Trying to pass all potential IPs into an action gets messy when you have to account for all possible indexes.

      Terms & ConditionsCookie settingsAccessibility statement
      Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

      © 2025 Google. All rights reserved.