Question

clarification on UDM enrichment

  • May 14, 2026
  • 1 reply
  • 10 views

Mahesh1313

I would like to clarify one point regarding context enrichment in Google SecOps.

Currently, our logs are already ingested and enriched with Azure AD context in UDM fields. As I understand, if we update Azure AD context, SecOps will ingest the updated data into the entity context, and future logs will use this updated information for enrichment.

However, I would like to confirm what happens to the previously ingested logs that were already enriched using the older context. Will those historical logs get updated automatically, or will they retain the original enrichment values?


Example 1:

A user’s location was initially enriched as:

  • City = Chennai
  • Country = US

Later, the information was corrected to:

  • Country = India

In this scenario, if historical correlation is used, earlier events may continue to reflect the previously enriched country value (US), even after the correction has been made.

1 reply

cmorris
Staff
  • May 14, 2026

Enrichment is point in time. If the context data is updated, future events will use the new data, but old events will not.

If new enrichment values updated historical records, we could have a scenario where a user transfers from the IT Operations department to the Marketing department.

March 1st: While in IT Operations, the user logs into a restricted database to perform routine maintenance within the scope of their role.

March 15th: User transfers to Marketing. Their Azure AD context is updated, and their access to the database is revoked.

April 1st: A security analyst is doing a routine historical audit of database access.

In this scenario, if the historical log was updated to the new context:
The analyst looks at the March 1st log, which now reads: User | Department: Marketing | Action: Accessed Critical Database, resulting in an incident for something that was previously in the scope of their former role.

Similar scenarios would be applicable for updating geolocation information related to an IP address, as another example.
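As an added illustration of the point-in-time behaviour cmorris describes (example code, not from the thread or from Google SecOps; the user, dates and field names are constructed), this Python simulation snapshots the department in effect at ingest time and contrasts it with a retroactive re-enrichment at the April 1st audit:

```python
# Constructed entity context modelled on the thread's scenario (not real SecOps data).
# Each user maps to (effective_from, context) versions, oldest first; dates are ISO
# strings so they compare chronologically as plain strings.
CONTEXT_VERSIONS = {
    "alice@example.com": [
        ("2026-01-01", {"department": "IT Operations"}),
        ("2026-03-15", {"department": "Marketing"}),   # transfer; DB access revoked
    ],
}

def context_as_of(user, when):
    """Return the context version in effect for `user` on the ISO date `when`."""
    current = {}
    for effective_from, ctx in CONTEXT_VERSIONS.get(user, []):
        if effective_from <= when:
            current = ctx
    return current

def ingest(event, ingest_date):
    """Point-in-time enrichment: the context in effect at ingest time is copied into
    the stored event and never touched again (the behaviour the answer describes)."""
    enriched = dict(event)
    enriched["user_department"] = context_as_of(event["user"], ingest_date).get("department")
    enriched["enriched_on"] = ingest_date
    return enriched

def enrich_retroactively(stored_events, as_of):
    """The alternative the answer warns against: re-apply today's context to old events."""
    return [ingest(e, as_of) for e in stored_events]

def audit_view(stored_events, audit_date, retroactive=False):
    """What an analyst auditing on `audit_date` sees under each model."""
    events = enrich_retroactively(stored_events, audit_date) if retroactive else stored_events
    return [(e["event_date"], e["user_department"], e["action"]) for e in events]

# March 1st: routine maintenance on the restricted database while still in IT Operations.
MARCH1 = {"user": "alice@example.com", "event_date": "2026-03-01", "action": "ACCESS_CRITICAL_DB"}
STORED = [ingest(MARCH1, "2026-03-01")]

if __name__ == "__main__":
    print("point-in-time:", audit_view(STORED, "2026-04-01"))
    print("retroactive  :", audit_view(STORED, "2026-04-01", retroactive=True))
```

The retroactive view is the one that would turn an in-scope March 1st access into a false incident; the point-in-time view keeps the department that was actually true when the event happened.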