Question

Validate Full Event List (15 Events) Against Chronicle SIEM Logs and Display Missing Events

  • May 22, 2026
  • 4 replies
  • 58 views

Rohith_RIO

Hi All

I am working on a query in Google Chronicle SIEM where I have a predefined list of 15 events. However, only 11 of those events are currently present in the SIEM logs.

My requirement is to use the full list of 15 events as a reference and build a query that validates whether each exists in the SIEM logs or not. The output should include all 15 events, not just the ones found in the logs.


Expected output format:

PRODUCT | EVENT (From predefined list) | status

----------------------------------------------------------------------------------

Product | Event1 | Logs are Available

Product | Event1 | Logs are not Available


Logs Available - event exists in both the SIEM and the predefined list

Logs not Available - event exists in the predefined list but not in the SIEM logs.


I attempted using Data Tables, but I'm facing issues correlating the table values with the metadata fields. I was also unable to correctly store and reference the values in variables.


Looking for the correct approach or query structure to achieve this requirement. 

Thank you.

4 replies

hliu
  • Bronze 2
  • May 22, 2026

It looks like you are looking for an outer join, with the data table holding those 15 values being the primary data set.

While SecOps now features outer joins, they are still quite limited at the moment. One of those limitations is:

The primary Unified Data Model (UDM) event must be the preserved side of the outer join.

That limitation prevents taking the table as the preserved side; in other words: no event = no result.

I don't know of any hack to work around that limitation. If there's no other suggestion from the community, you might have to switch to BigQuery.


Rene_Figueroa
Staff

The limitation @hliu shared above is the reason why the UDM Search query cannot be completed, since we currently require the UDM events. You can use BigQuery as suggested.
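A BigQuery form of the outer join that both replies above point to, added here as an example; it is not from this thread and not Google's own query. It assumes the Chronicle data lake export lives in a dataset named `datalake` with a `udm_events` table carrying the UDM `metadata` record (`metadata.product_name`, `metadata.product_event_type`, `metadata.event_timestamp`); the product name and the 15 event names are constructed placeholders to replace with the real predefined list.

```sql
-- Added example (not from the thread): keep the predefined list as the
-- preserved side of the join, which UDM Search currently cannot do.
-- Assumptions: dataset `datalake`, table `udm_events`, UDM `metadata` record.
WITH expected_events AS (
  -- Reference list: the 15 predefined events (constructed placeholder names)
  SELECT 'ExampleProduct' AS product, event
  FROM UNNEST([
    'Event1',  'Event2',  'Event3',  'Event4',  'Event5',
    'Event6',  'Event7',  'Event8',  'Event9',  'Event10',
    'Event11', 'Event12', 'Event13', 'Event14', 'Event15'
  ]) AS event
),
observed_events AS (
  -- Distinct product/event pairs actually present in the SIEM logs.
  -- Keep the window and product filter tight: BigQuery bills per scanned data.
  SELECT DISTINCT
    metadata.product_name       AS product,
    metadata.product_event_type AS event
  FROM `datalake.udm_events`
  WHERE metadata.event_timestamp >= TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL 7 DAY)
    AND metadata.product_name = 'ExampleProduct'
)
SELECT
  e.product AS PRODUCT,
  e.event   AS EVENT,
  -- NULL on the right side means the list entry never appeared in the logs
  CASE
    WHEN o.event IS NULL THEN 'Logs are not Available'
    ELSE 'Logs are Available'
  END AS STATUS
FROM expected_events AS e
LEFT JOIN observed_events AS o
  ON o.product = e.product
 AND o.event   = e.event
ORDER BY e.product, e.event;
```

The `LEFT JOIN` preserves every row of `expected_events`, so the result always has exactly 15 rows, one per list entry, with the status column telling the two cases apart. The `DISTINCT` in `observed_events` keeps the join at one row per list entry regardless of how many matching log events exist. If the predefined list names UDM event types rather than vendor event names, join on `metadata.event_type` instead of `metadata.product_event_type`.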


hliu
  • Bronze 2
  • May 22, 2026

I hope to see SecOps move from event-centric models toward a more flexible, data-driven approach. It’s frustrating for customers to have to look at external tools for this, particularly when some licenses still involve pay-per-query/per-scanned-data costs in BigQuery.


Rohith_RIO
  • Author
  • Bronze 1
  • May 23, 2026

Hi Mates,

Thanks for the update.

If possible, could we build a Google Chronicle SIEM query using these conditions instead of a data table? I need the exact same structure.

Also, I explored another approach but it’s not convincing. Below is the output I produced:


Product | Event1 | Event2 | Event3

-------------------------------------------------------------------------------------

productname | logs are available | logs are not available | logs are available


Thank you.