This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

Increase Timeout on UDM Query Action

Posted a month ago
jasonsigman
Bronze 3
Bronze 3
Reply posted on --/--/---- --:-- AM

Trying to perform a 30 day search for a list of IOC's found in a Reference list using this query. I can run this in the UI but trying to run it via SOAR gives me error below any tips?

 

(ip IN %TH_Requested_IOC_Hunts OR hash IN %TH_Requested_IOC_Hunts) AND metadata.vendor_name != "Palo Alto Networks"



Error executing action Google Chronicle - Execute UDM Query. Reason: HTTPSConnectionPool(host='backstory.googleapis.com', port=443): Read timed out. (read timeout=120)

0 2 194
Topic Labels
0 Likes
2 REPLIES 2

Posted on --/--/---- --:-- AM
ylandovskyy
Staff
Reply posted on --/--/---- --:-- AM

Hey @jasonsigman,

My suggestion would be to split the execution in 2 parts using the custom Time Frame option. So, you would split the search into 2 15 Day searches.

In the meantime, I will check internally with the team. This action is sync, so the timeout for it at max can reach 5 minutes. It looks like currently it stops execution after 2 minutes.

0 Likes

Posted on --/--/---- --:-- AM
jasonsigman
Bronze 3
Bronze 3
Reply posted on --/--/---- --:-- AM

Thanks I will split it up for now. I was wondering why it felt like it stopped a lot sooner then expected. I am just worried about hitting the limit of 120 queries once we have this running on cases/alerts coming into the platform.

0 Likes
Top Solution Authors
View all