
Hey everybody!

Is anyone successfully ingesting entities via the createentities endpoint of the ingestion API (https://cloud.google.com/chronicle/docs/reference/ingestion-api#createentities) and able to find those entities in their BigQuery data lake, or able to use those entities via the entity_graph in detection rules?

After ingesting the entities and receiving a 200 from the API, none of the entities can be found. Any experiences here, caveats I might not have thought of, or low-hanging fruit I can try to get the desired outcome?

Thank you in advance and best regards

Tim

Hi @dithmer

I've used the Entity API to successfully send data to SecOps. Entities can't be searched via /Search, but you can do a raw log search to find them.

Query for .* on the ingestion label you're using, and if the entities exist you can see the raw log and the normalized data. Entity data, I believe, only persists for 5 days before aging out.

You can also confirm their existence by reviewing the Ingestion Dashboard for the Entity data label.


First of all: Thank you for the answer.

Sadly, I have already tried the raw log search, the Looker dashboards and querying the BigQuery data lake directly.
No data to be found, but I am absolutely sure (checked it like a thousand times) that I was using the right service account file and the right customer ID in the request body. I also double-checked multiple times that, when we are querying, we are using the correct log type. Still no data to find.

But if you say you have already done it successfully, there is at least some hope. I hope there are people here who experienced the same issue in the past.


I've seen issues in the past with logs not being saved when the date wasn't current (I believe it's anything over 6 months).

I'm not sure what error the service would report if the Entity payload was malformed, but it might be worth reviewing your Entity data as well for any issues. The fact that you get a 200 response tells me you're likely doing everything right.


Thanks for your input.

Even though I was pretty sure I was doing everything right with dates/times, I went to look into it again. Without success. To me it looks absolutely correct. Nothing too far back, rather very current data.

I already had an issue before, which I was able to fix with an engineer from Google itself, that caused a "400 - Bad Request". So I already know the things that can go wrong with a malformed request.

I start to become absolutely clueless 🙂


Apologies you're still having trouble. Good to know the service reports a 400 for malformed Entity data.

I did check our most recent service call using that endpoint just in case. I was able to verify that the expected data was available within my tenants.

I could provide you with a sample payload from our service, but likely not very valuable since your service is reporting a 200 response.

Since the response is successful, and the data is unavailable, this might unfortunately require a support case with Google.


To close this one:

I found the mistake: a very slight error in the datetime format, which caused the entities to be so far in the past that they could not be found.


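The thread ends on a timestamp that was syntactically valid (the API answered 200) but semantically wrong (far enough in the past that nothing showed up in search). The following is an added example, not code from the thread or from Google: it builds a createentities request body and refuses to send it if a collected_timestamp is not RFC 3339 or is older than a configurable window, and it reproduces one classic way to get a "valid but decades old" timestamp, namely converting epoch seconds as if they were milliseconds. The body shape (customer_id / log_type / entities, metadata.collected_timestamp, metadata.interval, metadata.entity_type) is an assumption taken from the ingestion API documentation; the customer ID, log type, vendor/product names and the 180-day MAX_AGE window are constructed placeholders, not documented limits.

```python
"""Build a createentities request body and sanity-check every timestamp in it
before sending.  Added example for this thread, not code from the original
post.  Field names are assumed from the Chronicle ingestion API docs; customer
id, log type, vendor/product names and MAX_AGE are constructed placeholders.
"""
import json
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=180)      # assumption: arbitrary "too old to be useful" window
CLOCK_SKEW = timedelta(minutes=5)  # tolerate small producer/consumer clock drift
DEMO_NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # constructed "current" time


def to_rfc3339(dt: datetime) -> str:
    """Render a timezone-aware datetime as RFC 3339 UTC with a trailing 'Z'."""
    if dt.tzinfo is None:
        raise ValueError("naive datetime; attach a tzinfo before formatting")
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def from_epoch(value: float, unit: str) -> datetime:
    """Convert an epoch value to an aware UTC datetime; unit is 's' or 'ms'.
    Feeding seconds in as 'ms' silently yields a January 1970 date: a string
    the API will happily accept and that no search window will ever cover."""
    if unit == "s":
        return datetime.fromtimestamp(value, tz=timezone.utc)
    if unit == "ms":
        return datetime.fromtimestamp(value / 1000.0, tz=timezone.utc)
    raise ValueError(f"unknown epoch unit {unit!r}")


def parse_rfc3339(ts: str) -> datetime:
    """Parse an RFC 3339 string; reject values without a zone offset."""
    parsed = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        raise ValueError(f"no timezone offset: {ts!r}")
    return parsed


def check_timestamp(ts: str, now: datetime, max_age: timedelta = MAX_AGE):
    """Return None if ts parses and lies within [now - max_age, now + skew],
    otherwise a short description of what is wrong with it."""
    try:
        parsed = parse_rfc3339(ts)
    except ValueError as exc:
        return f"not RFC 3339: {exc}"
    age = now - parsed
    if age > max_age:
        return f"{ts} is {age.days} days old (limit {max_age.days})"
    if age < -CLOCK_SKEW:
        return f"{ts} is in the future"
    return None


def make_user_entity(email: str, collected: datetime, start: datetime, end: datetime) -> dict:
    """One UDM-style USER entity (field names assumed from the API docs)."""
    return {
        "metadata": {
            "collected_timestamp": to_rfc3339(collected),
            "vendor_name": "ExampleVendor",       # constructed
            "product_name": "ExampleDirectory",   # constructed
            "entity_type": "USER",
            "interval": {"start_time": to_rfc3339(start), "end_time": to_rfc3339(end)},
        },
        "entity": {"user": {"email_addresses": [email]}},
    }


def build_payload(customer_id: str, log_type: str, entities: list, now: datetime) -> dict:
    """Assemble the request body, or raise ValueError listing every stale or
    malformed timestamp instead of sending something that returns 200 and
    then never appears in raw log search."""
    problems = []
    for i, ent in enumerate(entities):
        md = ent["metadata"]
        for field, ts in (("collected_timestamp", md["collected_timestamp"]),
                          ("interval.start_time", md["interval"]["start_time"])):
            problem = check_timestamp(ts, now)
            if problem:
                problems.append(f"entities[{i}].metadata.{field}: {problem}")
        try:  # end_time may legitimately lie in the future; only require it to parse
            parse_rfc3339(md["interval"]["end_time"])
        except ValueError as exc:
            problems.append(f"entities[{i}].metadata.interval.end_time: {exc}")
    if problems:
        raise ValueError("refusing to build payload:\n  " + "\n  ".join(problems))
    return {"customer_id": customer_id, "log_type": log_type, "entities": entities}


def demo(now: datetime = DEMO_NOW):
    """Constructed scenario: a source emits epoch seconds; convert them once
    correctly and once with the unit mistaken for milliseconds."""
    epoch_s = int(now.timestamp())
    good = from_epoch(epoch_s, "s")
    bad = from_epoch(epoch_s, "ms")  # 1970-01-20T20:16:04Z for the constructed DEMO_NOW
    interval = (good - timedelta(hours=1), good + timedelta(days=1))
    ok_entity = make_user_entity("alice@example.com", good, *interval)
    stale_entity = make_user_entity("alice@example.com", bad, *interval)
    cid, log_type = "00000000-0000-0000-0000-000000000000", "MY_ENTITY_LOG_TYPE"  # constructed
    payload = build_payload(cid, log_type, [ok_entity], now)
    try:
        build_payload(cid, log_type, [stale_entity], now)
        error = None
    except ValueError as exc:
        error = str(exc)
    return payload, error


if __name__ == "__main__":
    payload, error = demo()
    print(json.dumps(payload, indent=2))
    print(error)
```

Run before posting to the endpoint: if `build_payload` raises, the 200 you would otherwise get is not evidence the data is usable. The freshness window is deliberately a parameter, because the thread only reports a belief about the cutoff, not a documented value.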