
When dealing with a log source that includes a tenant identifier, what would be the appropriate UDM field to map this to in order to distinguish between events originating from different tenants?

For example, this would be relevant in a scenario where there are both production and test tenants for the same product.


I do this with the ingestion labels:
https://cloud.google.com/chronicle/docs/install/forwarder-linux#configure_arbitrary_labels

You can also stack ingestion labels.
So let's say you have Azure Prod and Azure Dev, I would say do something like:

[Key] : [Value]

Ingestion Type : Feed UI
Tenant : Prod (for Prod)
Tenant : Dev (for Dev)

You should be able to do this from all the ways you can get data into Chronicle (Feeds UI/API, Ingestion APIs and the on-prem forwarders).


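The consumer side of the approach above, as an added example that is not part of the original thread: once events carry a "Tenant" ingestion label, a detection or reporting job can partition them by tenant and, just as importantly, flag any source that arrived without the label, so a new feed cannot silently mix test data into production analytics. It assumes the labels surface in UDM under metadata.ingestion_labels as a list of key/value pairs; the sample events are constructed for this illustration.

```python
"""Partition UDM events by the "Tenant" ingestion label and flag unlabelled feeds.

Added example, not from the original thread. Assumes ingestion labels are
surfaced in UDM as metadata.ingestion_labels = [{"key": ..., "value": ...}, ...].
All events below are constructed sample data.
"""
from collections import defaultdict

TENANT_LABEL = "Tenant"  # the label key proposed in the answer above


def ingestion_labels(event):
    """Return a UDM event's ingestion labels as a dict (a repeated key keeps its last value)."""
    labels = event.get("metadata", {}).get("ingestion_labels", [])
    return {lbl["key"]: lbl["value"] for lbl in labels if "key" in lbl}


def partition_by_tenant(events, label_key=TENANT_LABEL):
    """Group events by tenant label.

    Events without the label are grouped under the key None so that an
    unlabelled feed (for example a newly added connector) is visible
    instead of being silently merged with another tenant's data.
    """
    groups = defaultdict(list)
    for ev in events:
        groups[ingestion_labels(ev).get(label_key)].append(ev)
    return dict(groups)


def unlabelled_sources(events, label_key=TENANT_LABEL):
    """Return the sorted log types that delivered at least one event without a tenant label."""
    return sorted(
        {ev.get("metadata", {}).get("log_type", "UNKNOWN")
         for ev in events
         if label_key not in ingestion_labels(ev)}
    )


# Constructed sample events: two correctly labelled feeds (Prod and Dev,
# stacked with an "Ingestion Type" label) and one feed that forgot the label.
SAMPLE_EVENTS = [
    {"metadata": {"event_type": "USER_LOGIN", "log_type": "AZURE_AD",
                  "ingestion_labels": [{"key": "Ingestion Type", "value": "Feed UI"},
                                       {"key": "Tenant", "value": "Prod"}]}},
    {"metadata": {"event_type": "USER_LOGIN", "log_type": "AZURE_AD",
                  "ingestion_labels": [{"key": "Ingestion Type", "value": "Feed UI"},
                                       {"key": "Tenant", "value": "Dev"}]}},
    {"metadata": {"event_type": "USER_LOGIN", "log_type": "AZURE_AD",
                  "ingestion_labels": [{"key": "Ingestion Type", "value": "Forwarder"}]}},
]


if __name__ == "__main__":
    for tenant, evs in partition_by_tenant(SAMPLE_EVENTS).items():
        print(f"{tenant!r}: {len(evs)} event(s)")
    print("log types with unlabelled events:", unlabelled_sources(SAMPLE_EVENTS))
```

Running the unlabelled-source check on a schedule is a cheap control: because the same log type (AZURE_AD here) is legitimately present in both tenants, only the label tells them apart, so an empty result from the check is what confirms every ingestion path is tagged.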