I'm also researching this, except I'm interested in a parser setting metadata.base_labels.ingestion_kv_labels so that I can have a way to segregate data in the GCP monitoring/metrics. I don't think that's going to be possible, but anyway, I came across this that you might find useful:
It appears maybe base_labels are not accessible? I'm not sure, but I've read this blog about 1,000 times so far to try to tease out more details: https://medium.com/@thatsiemguy/data-rbac-in-chronicle-siem-6cb0ea32294e
For you, it looks like base_labels.namespaces are sourced from principal.namespace, src.namespace and target.namespace. I hope Google can chime in and clarify base_labels.
"A dynamic Parser based Namespace will override an Ingestion based Namespace, e.g., if a Parser sets principal.namespaces it will supersede the Namespace configured during Ingestion; however, both Namespace values will be stored in the metadata.base_labels.namespaces repeated UDM field."
And looking at his parser, he's updating the namespace in src.namespace, target.namespace and principal.namespace.
I have used the principal.namespace, and then metadata.base_labels.namespaces is populated with the value that is assigned to the principal.namespace. But the problem is that enrichment is not happening, i.e., the principal.hostname value is supposed to be enriched based on the principal.asset_id value for CrowdStrike EDR logs. Enrichment is working fine in other instances except for one instance. We are using the same CrowdStrike EDR parser in all instances.
@mwisener did you figure this out?
We have the exact same problem.
It seems that the "legacy" ingestion API (xxx-malachiteingestion-pa.googleapis.com) works fine, but using the v1Alpha Chronicle API (chronicle.googleapis.com) doesn't enrich with base_labels.