
Workflow Template: Search Observables by Grouped UDM Fields in Chronicle

Receives Observables as hash, IP address, domain, username or email and performs a query to Chronicle SIEM using Grouped UDM fields.

Updated this week

The "Search Observables by Grouped UDM Fields in Chronicle" workflow template is designed for threat hunting by efficiently querying Google Chronicle using various observables such as hash, IP address, email, username, and domain. This workflow builds a Unified Data Model (UDM) query by appending observables with an AND operator, allowing security teams to identify potential threats across multiple data points. It outputs comprehensive results, including CSV format, for streamlined analysis and reporting.

Optional Triggers

It can be used as a nested workflow, as it outputs all items found by Chronicle.

Use Cases

Threat Hunting

Workflow Breakdown

  1. Receives hash, IP address, email, username and domain observables. All fields are optional.

  2. Builds a UDM query by appending all supplied observables with an AND operator.
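As an added example (not the template's or Chronicle's own code), the query-building step above in Python: one clause per supplied observable, AND-joined, with empty inputs skipped. The grouped UDM field names `hash`, `ip`, `domain`, `user` and `email`, and the quoting rules for literals, are assumptions here, and the observable values are constructed samples.

```python
# Added example: build a Chronicle UDM search query from optional observables,
# AND-joining one clause per grouped UDM field. The grouped field names below
# are assumed (Chronicle UDM search grouped fields); sample values are constructed.
from typing import Optional

# Observable kind -> assumed grouped UDM field name
GROUPED_FIELDS = {
    "hash": "hash",
    "ip": "ip",
    "domain": "domain",
    "username": "user",
    "email": "email",
}


def _quote(value: str) -> str:
    """Quote a literal for the query, escaping backslashes and double quotes."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def build_grouped_udm_query(
    file_hash: Optional[str] = None,
    ip: Optional[str] = None,
    domain: Optional[str] = None,
    username: Optional[str] = None,
    email: Optional[str] = None,
) -> str:
    """Return e.g. 'ip = "..." AND domain = "..."' for every observable set.

    All inputs are optional; empty or whitespace-only values are ignored.
    Raises ValueError when no observable is supplied, so the workflow never
    runs an unbounded search over the whole time range.
    """
    supplied = {"hash": file_hash, "ip": ip, "domain": domain,
                "username": username, "email": email}
    clauses = []
    for kind, value in supplied.items():
        if value is None or not value.strip():
            continue
        clauses.append(f"{GROUPED_FIELDS[kind]} = {_quote(value.strip())}")
    if not clauses:
        raise ValueError("at least one observable is required")
    return " AND ".join(clauses)


if __name__ == "__main__":
    # Constructed sample observables, not real indicators
    print(build_grouped_udm_query(ip="198.51.100.7", domain="example.test"))
```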

Vendors

Utils, Google Chronicle

Workflow Output

The output provides the time range, all items returned by Chronicle in JSON format, and a CSV-formatted extraction of the main values for tabulation.

Tips

  • Show the CSV output in a Slack snippet using the filetype CSV.
