I created a entity parser and ingested entities. The Ingested logs appear immediately in Raw Log Search, but the corresponding entities only become visible in UDM Search and Native Dashboards after almost a full day. I ensured that timestamp fields such as graph.metadata.cllected_timestamp , graph.metadata.interval.start_time and graph.metadata.collected_timestamp are set to the current time. Parser map the IOC model fields as well, as they are Indicators of Compromise data data sources. We also vlaidted that, the entity data visible in raw_log search as a parsed entity, so this is not an parse processing time issue, It somehow related to SecOps UDM Search and Native Dashboard issue, where entity data not populated immediately. This behaviour is not with single data source, we observed this issue with mutiple data sources. Can someone help to understand this issue and if this is a know issue, can someone raise the bug in SecOps as it’s important to resolve quickly as UDM search and Dashbaord are important feature of the SIEM component.

Question

Delay in Entity Visibility

I created a entity parser and ingested entities.
The Ingested logs appear immediately in Raw Log Search, but the corresponding entities only become visible in UDM Search and Native Dashboards after almost a full day.
I ensured that timestamp fields such as graph.metadata.cllected_timestamp , graph.metadata.interval.start_time and graph.metadata.collected_timestamp are set to the current time.
Parser map the IOC model fields as well, as they are Indicators of Compromise data data sources.
We also vlaidted that, the entity data visible in raw_log search as a parsed entity, so this is not an parse processing time issue, It somehow related to SecOps UDM Search and Native Dashboard issue, where entity data not populated immediately.
This behaviour is not with single data source, we observed this issue with mutiple data sources.
Can someone help to understand this issue and if this is a know issue, can someone raise the bug in SecOps as it’s important to resolve quickly as UDM search and Dashbaord are important feature of the SIEM component.