Skip to main content

Alerting on log ingestion anomalies using UDM Events

  • April 30, 2025
  • 6 replies
  • 71 views
NPC0101
Forum|alt.badge.img+2

Hello everyone,

I'm reaching out to see if anyone has encountered similar challenges or has insights to share regarding monitoring and alerting on the health of log ingestion in Google SecOps.

Here's a bit of context: We've set up a Cloud Function that queries our BigQuery table for information related to Google SecOps ingestion. We then import this data using the event import API : https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances.events/import

So far, everything works smoothly until we try to implement alerting rules on this data. The UDM events we are dealing with look like this :

 

The useful information is placed in the additional fields of the UDM. However, it seems that the SIEM struggles to process these fields as strings or floats. For instance, I can't compare these numeric values, even if I cast them as floats beforehand :

I suspect this issue might be due to the use of additional fields, which are the only ones without a specified type in the API documentation (type: object): https://cloud.google.com/chronicle/docs/reference/rest/Shared.Types/UDM

  • Has anyone else faced this problem?
  • How do you handle numeric comparisons from additional fields?
  • Or could the issue be stemming from something else

 

Any advice would be greatly appreciated! Thank you!

    6 replies

    NPC0101
    Forum|alt.badge.img+2
    • NPC0101Bronze 2
    • Author
    • Bronze 2
    • April 30, 2025

    Interestingly, in the BigQuery export, these data are correctly typed as floats:

     

    jstoner
    Staff
    Forum|alt.badge.img+22
    • jstoner
    • Staff
    • May 13, 2025

    Have you tried using the cast.as_float in the outcome section when you are applying the aggregation function?  I am pulling the task from additional fields but it is a text string that is storing a number.

    For my testing I found that I needed both of these lines in my events section to get my minimum value to be not 0, so try neither, one or both and see what you get.
     
    $event.additional.fields["Task"] != "0"
    $event.additional.fields["Task"] != ""
    outcome:
    $task_array = array_distinct($event.additional.fields["Task"])
    $task_max = max(cast.as_float($event.additional.fields["Task"]))
    $task_min = min(cast.as_float($event.additional.fields["Task"]))
    $task_count = count($event.additional.fields["Task"])

     


     

      NPC0101
      Forum|alt.badge.img+2
      • NPC0101Bronze 2
      • Author
      • Bronze 2
      • May 14, 2025

      Have you tried using the cast.as_float in the outcome section when you are applying the aggregation function?  I am pulling the task from additional fields but it is a text string that is storing a number.

      For my testing I found that I needed both of these lines in my events section to get my minimum value to be not 0, so try neither, one or both and see what you get.
       
      $event.additional.fields["Task"] != "0"
      $event.additional.fields["Task"] != ""
      outcome:
      $task_array = array_distinct($event.additional.fields["Task"])
      $task_max = max(cast.as_float($event.additional.fields["Task"]))
      $task_min = min(cast.as_float($event.additional.fields["Task"]))
      $task_count = count($event.additional.fields["Task"])

       


       


      Hi,

      Thank you very much for your detailed answer and for sharing your testing approach! I tried your suggestions, but unfortunately, the issue seems to be deeper.

      Based       on what you shared, I realized that all the strings in my case are actually equal to "", even though when I display these values, they appear different.

      So, it looks like the problem is not just with the aggregation or casting, but rather with how the solution is handling or reading these values.


      If you have any idea why this could happen, I would really appreciate your help. Thanks again for your time!

      Best regards,

      mwisener
      Forum|alt.badge.img+3
      • mwisenerBronze 1
      • Bronze 1
      • May 14, 2025

      I don't have a solution to your problem inside SecOps but I just wanted to make sure you were aware the ingestion metrics are also inside GCP in metrics viewer.

      You can write promql against the metrics data then use an alerting rule to send alerts (in GCP). I presume you are using cloud-functions run against the bigquery data because it's much easier to do stats calculations in general programming language but just wanted to make sure you (and future vieweres) were aware of the alternative approach. Good luck!

       

       

        jstoner
        Staff
        Forum|alt.badge.img+22
        • jstoner
        • Staff
        • May 15, 2025

        Hi,

        Thank you very much for your detailed answer and for sharing your testing approach! I tried your suggestions, but unfortunately, the issue seems to be deeper.

        Based         on what you shared, I realized that all the strings in my case are actually equal to "", even though when I display these values, they appear different.

        So, it looks like the problem is not just with the aggregation or casting, but rather with how the solution is handling or reading these values.


        If you have any idea why this could happen, I would really appreciate your help. Thanks again for your time!

        Best regards,


        I find it odd that these values are showing up but you are specifying value being null. Is it possible that you have more than one key of the same name? If there is anything more to your rule than the screenshot snippets you provided that might provide a clue but understand if you can't share it.

        NPC0101
        Forum|alt.badge.img+2
        • NPC0101Bronze 2
        • Author
        • Bronze 2
        • June 3, 2025

        Hi everyone,

        For those who might find this helpful, I managed to work around this issue: It seems the additionals fields don't handle float casting correctly.
        I was able to get my log type monitoring rule to work by using the         detection_fields instead, as they do handle the cast to float properly.

         

        Hope this helps someone!

          Terms & ConditionsCookie settingsAccessibility statement
          Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

          © 2025 Google. All rights reserved.