Question

Enrichment process

  • March 31, 2026
  • 1 reply
  • 14 views

Alex3Lee5

Hello,

I have integrated the Azure Organizational Context and noticed that some log sources are now being enriched based on this data. For example, my Netskope logs are successfully using principal.user.userid for enrichment.

However, in other log sources that contain the same principal.user.userid value—such as my FortiGate logs—the enrichment does not occur.

Is there any additional configuration required to enable enrichment for these sources?

1 reply

hzmndt
Staff
  • March 31, 2026

I will suggest:

Contact Support: If you've verified the data seems to match and the parser should be populating the field, reach out to Google Cloud Support, providing examples of raw logs, the corresponding UDM, and the expected Azure AD Context match. There might be a need to adjust the parser or investigate the enrichment pipeline for this specific log type.