- I created an entity parser and ingested entities.
- The ingested logs appear immediately in Raw Log Search, but the corresponding entities only become visible in UDM Search and Native Dashboards after almost a full day.
- I ensured that timestamp fields such as `graph.metadata.collected_timestamp`, `graph.metadata.interval.start_time` and `graph.metadata.collected_timestamp` are set to the current time.
- The parser maps the IOC model fields as well, as these are Indicators of Compromise data sources.
- We also validated that the entity data is visible in Raw Log Search as a parsed entity, so this is not a parser processing-time issue. It seems to be related to a SecOps UDM Search and Native Dashboard issue, where entity data is not populated immediately.
- This behaviour is not limited to a single data source; we observed this issue with multiple data sources.
- Can someone help me understand this issue? If this is a known issue, can someone raise the bug in SecOps, as it is important to resolve quickly; UDM Search and Dashboards are important features of the SIEM component.
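As an added example (not part of the post above and not Google SecOps code), the following Python script performs the kind of pre-ingestion sanity check the poster describes: it walks a parsed entity record, resolves the dotted timestamp fields named in the post, and reports any field that is missing, unparseable, in the future, or older than a chosen age. The JSON layout of `SAMPLE_ENTITY`, the `max_age`/`max_skew` thresholds, and the `entity_type` value are assumptions made for the example; the two dotted field names are the ones quoted in the post.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: one entity record as a parser might emit it. The nested
# dict layout is an assumption for this example; the dotted field names below
# are the ones quoted in the post.
SAMPLE_ENTITY = {
    "graph": {
        "metadata": {
            "collected_timestamp": "2024-05-01T10:00:00Z",
            "interval": {"start_time": "2024-05-01T09:59:30Z"},
            "entity_type": "FILE",  # assumed value, for illustration only
        }
    }
}

TIMESTAMP_FIELDS = (
    "graph.metadata.collected_timestamp",
    "graph.metadata.interval.start_time",
)


def get_path(record, dotted):
    """Resolve a dotted path such as 'graph.metadata.collected_timestamp'."""
    cur = record
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def parse_rfc3339(value):
    """Parse an RFC 3339 timestamp into an aware UTC datetime.

    datetime.fromisoformat() does not accept a trailing 'Z' on older
    Python versions, so the suffix is normalised to '+00:00' first.
    """
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts.astimezone(timezone.utc)


def check_timestamps(record, now_iso=None,
                     max_age=timedelta(hours=1),
                     max_skew=timedelta(minutes=5)):
    """Return {field: problem} for every timestamp field that is not current.

    An empty dict means every field is present, parseable, not more than
    max_skew in the future, and not more than max_age in the past.
    now_iso lets a caller pin the reference time (useful in tests);
    by default the wall clock is used.
    """
    now = parse_rfc3339(now_iso) if now_iso else datetime.now(timezone.utc)
    problems = {}
    for field in TIMESTAMP_FIELDS:
        raw = get_path(record, field)
        if raw is None:
            problems[field] = "missing"
            continue
        try:
            ts = parse_rfc3339(raw)
        except (TypeError, ValueError):
            problems[field] = f"unparseable: {raw!r}"
            continue
        if ts > now + max_skew:
            problems[field] = f"in the future by {ts - now}"
        elif now - ts > max_age:
            problems[field] = f"stale by {now - ts}"
    return problems


if __name__ == "__main__":
    # Evaluate the sample against a reference time a few seconds after it was
    # collected (so the sample passes) and against the next day (so it fails).
    print(check_timestamps(SAMPLE_ENTITY, "2024-05-01T10:00:05Z"))
    print(check_timestamps(SAMPLE_ENTITY, "2024-05-02T10:00:05Z"))
```

Running the check on each record before ingestion separates two cases the post's symptoms cannot distinguish on their own: a record whose timestamps are genuinely current (the check returns an empty dict) versus one that was rejected or delayed downstream for some other reason. Tighten `max_age` to match the freshness the dashboards are expected to show.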
