
I am building a custom parser in Chronicle. I am trying to add data to the Security Result field.

Documentation that I am using: https://cloud.google.com/chronicle/docs/unified-data-model/udm-usage#securityresultabout

I originally was trying to put data in event.idm.read_only_udm.securityresult (based on the documentation), but that produced the error:
 
recursive rawDataToProto failed: field \\"securityresult\\": no descriptor found"
 
That I understand to mean that the thing I was trying to assign it to isn't in the UDM. Digging around I found: https://medium.com/@thatsiemguy/parsing-101-best-practices-tips-c2e8b7ce9db8 and that used security_result instead.
 
Using that, I switched to:
 
mutate {
  replace => {
    "event.idm.read_only_udm.security_result.action" => "ALLOW"
    "event.idm.read_only_udm.security_result.severity" => "LOW"
  }
}
 
Now I get an error: 
\\"security_result\\": failed to make strategy: received non-slice or non-array raw output for repeated field

Any ideas what that means or how to address it? Any ideas on how to assign values to a security result?

Do you have just one event type or multiple? It looks like it is making a conflict with the repeated fields. Best way is to store all the values in a variable first and at the end change the variable name to a UDM field. 
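The pattern the reply describes, as an added example that is not from this thread or from Google's own parsers: security_result is a repeated UDM field, so the values are first built in a temporary variable (here called sr, a name I chose) and then merged into the event, rather than assigned to the field directly; the NETWORK_CONNECTION event type is also an assumption for the sake of a complete filter block.

```logstash
filter {
  # Build the security result in a temporary variable first.
  # The values below are constructed sample data; in a real parser
  # they would come from fields extracted from the raw log.
  mutate {
    replace => {
      "sr.action" => "ALLOW"
      "sr.severity" => "LOW"
      "sr.summary" => "connection permitted by policy"
    }
  }

  # security_result is repeated (a list), so a direct replace into
  # event.idm.read_only_udm.security_result.* fails with
  # "received non-slice or non-array raw output for repeated field".
  # merge appends the sr object as one element of that list instead.
  mutate {
    merge => {
      "event.idm.read_only_udm.security_result" => "sr"
    }
  }

  # Every UDM event needs an event type; NETWORK_CONNECTION is assumed here.
  mutate {
    replace => {
      "event.idm.read_only_udm.metadata.event_type" => "NETWORK_CONNECTION"
    }
  }

  # Emit the finished event to Chronicle.
  mutate {
    merge => {
      "@output" => "event"
    }
  }
}
```

If one raw log should produce several security results, repeat the replace-then-merge pair with a fresh temporary variable for each; each merge adds another element to the list.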
