Search Observables by Grouped UDM Fields in Chronicle - Workflow Template

Receives observables as a hash, IP address, domain, username or email and runs a query against Chronicle SIEM using grouped UDM fields.

Updated over a week ago

This Torq workflow template lets security teams investigate potential threats by supplying observables (hashes, IP addresses, domains, usernames, or emails) to Chronicle SIEM. It builds a UDM (Unified Data Model) query by combining all provided observables with an AND operator, so each observable type is optional and only the supplied ones constrain the search. Results are output as JSON and as a tabulated CSV, giving security operations clear, actionable data.

Optional Triggers

It can be used as a nested workflow, as it outputs all items found by Chronicle.

Use Cases

Workflow Breakdown

  1. Receives hash, IP, email, username and domain observables. All fields are optional.

  2. Builds a UDM query by appending all supplied items with an AND operator.

Vendors

Utils, Google Chronicle

Workflow Output

The output provides the time range searched, all items returned by Chronicle in JSON format, and a CSV extraction of the main values ready to be tabulated.
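The two steps above (building the AND-joined grouped-field query from optional observables, and flattening Chronicle's JSON results into the tabulated CSV) are illustrated by the following Python, which is an added example and not the template's own code. It assumes the grouped UDM field names `hash`, `ip`, `domain`, `user` and `email`; the mapping is an assumption and should be adjusted to your tenant's schema. The sample events are constructed to resemble Chronicle UDM records and are not real data. Observable values are quoted and escaped so that a value containing a quote cannot alter the query's structure.

```python
import csv
import io
from typing import Any, Dict, List, Optional

# Assumed grouped UDM field for each observable type the workflow accepts.
GROUPED_FIELDS = {
    "hash": "hash",
    "ip": "ip",
    "domain": "domain",
    "username": "user",
    "email": "email",
}


def _quote(value: str) -> str:
    """Quote a value for UDM search, escaping backslashes and double quotes."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def build_udm_query(
    hash_value: Optional[str] = None,
    ip: Optional[str] = None,
    domain: Optional[str] = None,
    username: Optional[str] = None,
    email: Optional[str] = None,
) -> Optional[str]:
    """Join every supplied observable into one AND-combined UDM query.

    Returns None when no observable was supplied, so the caller can skip the
    search instead of issuing an unconstrained query.
    """
    observables = {
        "hash": hash_value,
        "ip": ip,
        "domain": domain,
        "username": username,
        "email": email,
    }
    clauses = []
    for kind, value in observables.items():
        if value is None or not value.strip():
            continue  # optional field left empty
        clauses.append(f"{GROUPED_FIELDS[kind]} = {_quote(value.strip())}")
    return " AND ".join(clauses) if clauses else None


# Main values extracted into the CSV: column name -> dotted path in the event.
MAIN_FIELDS = {
    "timestamp": "metadata.eventTimestamp",
    "event_type": "metadata.eventType",
    "principal_ip": "principal.ip",
    "principal_user": "principal.user.userid",
    "target_ip": "target.ip",
    "target_domain": "target.domain.name",
}


def _get_path(obj: Any, path: str) -> Any:
    """Walk a dotted path through nested dicts; None if any step is missing."""
    for key in path.split("."):
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj


def events_to_csv(events: List[Dict[str, Any]]) -> str:
    """Flatten UDM-style events into CSV rows of the main values."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(MAIN_FIELDS), lineterminator="\n")
    writer.writeheader()
    for event in events:
        row = {}
        for column, path in MAIN_FIELDS.items():
            value = _get_path(event, path)
            if isinstance(value, list):  # UDM lists repeated fields such as ip
                value = ";".join(str(v) for v in value)
            row[column] = "" if value is None else value
        writer.writerow(row)
    return buf.getvalue()


# Constructed sample events shaped like Chronicle UDM records (not real data).
SAMPLE_EVENTS = [
    {
        "metadata": {"eventTimestamp": "2024-01-15T10:21:07Z", "eventType": "NETWORK_CONNECTION"},
        "principal": {"ip": ["10.0.0.5"], "user": {"userid": "jdoe"}},
        "target": {"ip": ["203.0.113.9"], "domain": {"name": "example.net"}},
    },
    {
        "metadata": {"eventTimestamp": "2024-01-15T10:22:41Z", "eventType": "USER_LOGIN"},
        "principal": {"ip": ["10.0.0.5"]},
        "target": {"user": {"userid": "jdoe"}},
    },
]

if __name__ == "__main__":
    print(build_udm_query(ip="203.0.113.9", domain="example.net"))
    print(events_to_csv(SAMPLE_EVENTS))
```

Because every supplied observable is ANDed, adding more observables narrows the result set; if an analyst wants events matching any of them, the join operator is the one thing to change.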

Tips

Show the CSV output in a Slack snippet using the filetype CSV.
