Question

Data Tables use for Event and Entity Enrichment

  • September 4, 2025
  • 2 replies
  • 137 views

Walker_81

Based on available documentation I created a data table with data about my assets (hosts). I mapped columns to entity.asset.hostname, entity.asset.software.version etc. and I was expecting that this would be enough to see this data used to enrich entities and events. Unfortunately, I'm not seeing any effect in either entities or events. I'm running the following search to confirm that there is a match between the events and the data table (principal.hostname = "my_hostname" and principal.hostname in %my_datatable.Hostname) and I'm getting results, but the enriched data is just not there. I do realize that stitching enrichment takes place once every 24h, but I checked after a few days.

The user that I have is RBAC based with Chronicle API Admin rights.

What troubleshooting can I do to fix this issue?

2 replies

kentphelps
Staff
  • September 9, 2025

Go to Settings > SIEM Settings > Profile in your Google SecOps console and take a look at your assigned scopes. If you have any scopes listed, then you are a restricted user. To fix this, you would need to have your administrator add a scope that includes the relevant data, or grant you a global access role. You can take a look at Access control with scopes and labels for more detail.


AbdElHafez
Staff
  • September 10, 2025

The entities ingested should be visible under the UDM graph search:

graph.metadata.entity_type = "ASSET"
graph.entity.asset.hostname = …..

If there are no ingested entities, this would indicate that the data was not ingested.

If you see some data, you need to make sure that interval.start_time and interval.end_time cover the event_time of your UDM events, as these two parameters define the validity window of the enrichment. You would also need to check that the hostnames in the ingested entities (graph.entity.asset.hostname) exactly match the noun.hostname (principal, source or target) of the events.

If not, could you share the parser/log type and a sample log or the parsed entity event?

Reference: https://cloud.google.com/chronicle/docs/investigation/entity-context-in-search
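As an added example (not from this thread and not Google SecOps code), a small Python check that applies the two conditions from the answer above to constructed records: the event's hostname must exactly match graph.entity.asset.hostname, and the event time must fall inside the entity's interval.start_time/interval.end_time window. The nested record layout, the `metadata.event_timestamp` placement and the exclusive end_time are assumptions.

```python
from datetime import datetime

# Constructed sample entity records (layout is an assumption; the page names
# only entity_type, interval.start_time/end_time and entity.asset.hostname).
ENTITIES = [
    {"metadata": {"entity_type": "ASSET",
                  "interval": {"start_time": "2025-09-01T00:00:00Z",
                               "end_time": "2025-09-30T00:00:00Z"}},
     "entity": {"asset": {"hostname": "web-01"}}},
    {"metadata": {"entity_type": "ASSET",
                  "interval": {"start_time": "2025-08-01T00:00:00Z",
                               "end_time": "2025-08-31T00:00:00Z"}},
     "entity": {"asset": {"hostname": "db-01"}}},
]

# Constructed UDM events with only the fields the check needs.
EVENTS = [
    {"metadata": {"event_timestamp": "2025-09-04T12:00:00Z"},
     "principal": {"hostname": "web-01"}},   # exact match, inside window
    {"metadata": {"event_timestamp": "2025-09-04T12:00:00Z"},
     "principal": {"hostname": "WEB-01"}},   # case differs: not an exact match
    {"metadata": {"event_timestamp": "2025-09-04T12:00:00Z"},
     "principal": {"hostname": "db-01"}},    # matches, but outside the window
]

def _ts(s):
    # Parse an RFC 3339 "Z" timestamp into an aware datetime.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def enrichment_status(event, entities, noun="principal"):
    """Return 'enriched' or the reason no entity context would attach."""
    hostname = event.get(noun, {}).get("hostname")
    if not hostname:
        return f"no {noun}.hostname on event"
    event_time = _ts(event["metadata"]["event_timestamp"])
    exact = [e for e in entities
             if e["metadata"].get("entity_type") == "ASSET"
             and e["entity"]["asset"]["hostname"] == hostname]
    if not exact:
        near = [e["entity"]["asset"]["hostname"] for e in entities
                if e["entity"]["asset"]["hostname"].lower() == hostname.lower()]
        if near:
            return f"no exact hostname match (case differs from {near[0]!r})"
        return "no entity with that hostname"
    for e in exact:
        iv = e["metadata"]["interval"]
        # end_time treated as exclusive (assumption).
        if _ts(iv["start_time"]) <= event_time < _ts(iv["end_time"]):
            return "enriched"
    return "event_time outside every entity interval"

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["principal"]["hostname"], "->", enrichment_status(ev, ENTITIES))
```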