This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
New SecOps Webinar May 14th! Learn about Gemini's generative AI within Google SecOps
Log in to ask a question

How to do aggregated query using "Execute UDM Query"

Posted on 03-21-2025 07:03 AM
UmaPadisetty
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Hi, Greetings.

I am looking to perform an aggregated query as below
I am looking for total count of hits by endpoint
I could execute this query in the siem query, but unable to execute via automation "Execute UDM Query"

Can you help me how to best achieve the result via Automation (Action/Script)?

metadata.vendor_name = "Akamai"
$endpoint = additional.fields["RequestHeader x-operationname"]
match:
    $endpoint
outcome:
    $deny_count = count($endpoint)

 

 

0 1 94
Topic Labels
0 Likes
1 REPLY 1

Posted on --/--/---- --:-- AM
_K_O
Silver 1
Silver 1
Reply posted on --/--/---- --:-- AM

Hey @UmaPadisetty , 

IIRC aggregation and complex queries are not supported by the UDM query functionality within the SOAR actions. If you try run it you'll most likely get an error along the lines of:

 

Error executing action Google Chronicle - Execute UDM Query. Reason: generic::invalid_argument: compilation error query uses a feature that is not yet allowed: invalid argument

 

Google's docs for UDM shows examples of how UDM search currently works: https://cloud.google.com/chronicle/docs/event-processing/udm-overview#example_udm_searches. For the most part, you can use it as a retriever for logs / information but your aggregation functionality will need to be performed via another action. 

0 Likes
Top Solution Authors
View all