
Based on the available documentation I created a data table with data about my assets (hosts). I mapped columns to entity.asset.hostname, entity.asset.software.version etc. and I was expecting that this would be enough to see this data being used to enrich entities and events. Unfortunately, I'm not seeing any effect in either entities or events. I'm running the following search to confirm that there is a match between the events and the data table (principal.hostname = "my_hostname" and principal.hostname in %my_datatable.Hostname) and I'm getting results, but the enriched data is just not there. I do realize that stitching enrichment takes place once every 24h, but I checked after a few days.

The user I have is RBAC-based with the Chronicle API Admin rights level.

What troubleshooting can I do to fix this issue?

Go to Settings > SIEM Settings > Profile in your Google SecOps console and take a look at your assigned scopes. If you have any scopes listed, then you are a restricted user. To fix this, you would need to have your administrator add a scope that includes the relevant data, or grant you a global access role. You can take a look at "Access control with scopes and labels" for more detail.
