Question

Ingesting the same entity with different severity levels

  • September 17, 2025
  • 3 replies
  • 75 views

jaymin

Hi Community,

I have ingested two entities with the same IOC data at the same time but with different severity level fields. The raw log search shows both entries, but in UDM Search only the latest entry is visible.

Is this expected behavior?

What should happen when I ingest the same entity with different severity levels and different interval start times?

Will both entries be visible in the dashboard, or will only the latest entity be visible?

My concern is that when similar entities are ingested, only the latest entry should be visible in the dashboard. Do I need to use the window.last function if the latest entry is not being considered?
 

[Screenshot: Entity with LOW Severity]
[Screenshot: Entity with HIGH Severity]
[Screenshot: UDM Search shows latest entry]

 

3 replies

vaskenh
Staff
  • September 17, 2025

Hi @jaymin. The scenario you are describing is one in which you are ingesting an entity multiple times, and where you can see each of these multiple instances in raw log search, but outside of raw log search you only see a single entity. Is that correct?

This is by design; when an entity is ingested multiple times, each of those ingested entries will show up as its own raw log. Once the raw logs are processed and normalized into UDM, only a single instance of this entity will exist as part of the entity graph.

The following documentation has additional detail around this behavior.

https://cloud.google.com/chronicle/docs/event-processing/data-enrichment


jaymin
  • Author
  • September 18, 2025
Hi @vaskenh, thank you for your response. As you confirmed, an entity will have only a single instance in the entity graph, even when ingested multiple times.

Issue I'm Experiencing:
I'm building a dashboard for entities and noticed inconsistent behavior when querying the same entity (192.168.0.1) that was ingested multiple times with different severity, risk scores, and timestamps:

[Screenshot: Raw Log Search for the Entity]

- When searching within the entity's default time range: Only the latest entry appears (expected)
- When extending the search to include past dates (e.g., 3 days prior): Older entries of the same entity become visible

[Screenshot: Multiple entities visible in UDM Search]



Expected Behavior:
Based on our previous discussion and Chronicle's documentation, I expected that regardless of the time range selected, only the latest version of an entity would be displayed in the dashboard.

[Screenshot: Without window.last]

Current Workaround:
I've implemented `window.last()` to ensure only the latest entry appears, but this approach requires:
1. Applying it separately to each field (severity, risk score, ingestion time)
2. Working around the limitation that `window.last()` only accepts string parameters; I get this error when trying it with enum types:

    compilation error compiling query: validating query: expect type [int bytes bool], got type backstory.SecurityResult.ProductSeverity for "$severity"

[Screenshot: Issue with window.last]


Question:
Is there a more efficient approach to ensure dashboards always display only the latest entity data regardless of the selected time range? Or is using `window.last()` for each field the recommended solution?

Thank you.
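
The behaviour described in this thread, as an added illustration that is not part of the original post, nor Google SecOps code: constructed entity records for the IOC 192.168.0.1 (plus one unrelated entity) are queried once as a raw-log view, where widening the lookback brings the older copies back, and once collapsed to the latest copy per entity key, which is what the entity graph and a `window.last()`-style aggregation are expected to show. The record layout, the `ProductSeverity` stand-in enum, the `NOW` anchor and the function names are assumptions for the example, not the UDM schema; emitting the severity as its string name mirrors the idea of aggregating a string rather than the enum that triggered the error above, and is likewise an assumption rather than documented product behaviour.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class ProductSeverity(Enum):
    """Constructed stand-in for the UDM security_result.severity enum."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class EntityRecord:
    """One ingested copy of an entity (hypothetical field names, not the UDM schema)."""
    ip: str
    severity: ProductSeverity
    risk_score: int
    interval_start: datetime  # start of the entity's validity interval
    ingested_at: datetime     # when this raw log arrived


# Fixed "now" so the example is deterministic.
NOW = datetime(2025, 9, 17, 12, 0, tzinfo=timezone.utc)

# Constructed sample data: the same IOC (192.168.0.1, as in the thread) ingested three
# times with different severity, risk score and interval start, plus one unrelated entity.
RAW_LOGS = [
    EntityRecord("192.168.0.1", ProductSeverity.LOW, 20,
                 NOW - timedelta(days=3), NOW - timedelta(days=3)),
    EntityRecord("192.168.0.1", ProductSeverity.HIGH, 90,
                 NOW - timedelta(hours=2), NOW - timedelta(hours=2)),
    EntityRecord("192.168.0.1", ProductSeverity.MEDIUM, 50,
                 NOW - timedelta(hours=1), NOW - timedelta(hours=1)),
    EntityRecord("10.0.0.5", ProductSeverity.HIGH, 80,
                 NOW - timedelta(days=2), NOW - timedelta(days=2)),
]


def raw_log_view(records, lookback_hours, ip=None):
    """Raw log search: every ingestion inside the time window, one row per ingestion.

    Widening lookback_hours brings older copies of the same entity back into view,
    which is what the thread observed when extending the range by 3 days.
    """
    start = NOW - timedelta(hours=lookback_hours)
    return [r for r in records
            if start <= r.ingested_at <= NOW and (ip is None or r.ip == ip)]


def latest_per_entity(records):
    """Entity-graph view: one record per entity key, newest interval_start wins.

    The whole record is kept, so severity and risk_score always come from the same
    ingestion. Applying a per-field "last" to each column independently can only
    give the same result if every column is ordered by the same timestamp.
    """
    latest = {}
    for r in records:
        current = latest.get(r.ip)
        if current is None or r.interval_start > current.interval_start:
            latest[r.ip] = r
    return latest


def dashboard_rows(records, lookback_hours):
    """Rows a dashboard panel should show: the raw-log view collapsed to the latest copy.

    Severity is emitted as its string name (assumed workaround: aggregate a string
    instead of the enum-typed field that the thread's compiler error rejects).
    """
    latest = latest_per_entity(raw_log_view(records, lookback_hours))
    return [
        {
            "ip": r.ip,
            "severity": r.severity.name,
            "risk_score": r.risk_score,
            "interval_start": r.interval_start.isoformat(),
        }
        for r in sorted(latest.values(), key=lambda x: x.ip)
    ]


if __name__ == "__main__":
    for hours in (24, 24 * 7):
        raw = raw_log_view(RAW_LOGS, hours, ip="192.168.0.1")
        print(f"lookback {hours}h: raw log rows={len(raw)}, "
              f"dashboard rows={dashboard_rows(RAW_LOGS, hours)}")
```

With a 24-hour lookback the raw view holds two copies of 192.168.0.1 and the dashboard view one (MEDIUM, risk 50); with a 7-day lookback the raw view grows to three copies while the dashboard view still shows the single MEDIUM/50 row, which is the invariant a panel should preserve when the time range is extended.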


jaymin
  • Author
  • October 16, 2025

@vaskenh,
Based on our observations and Chronicle’s behavior:

  • When the same entity is ingested multiple times with different severity levels, risk scores, or timestamps:
    • Each ingestion appears as a separate raw log entry.
    • In UDM / dashboards, only the latest entry is displayed by default.
  • However, window.last() does not work with all field types, which makes it difficult to maintain dashboards consistently — some panels show the latest value while others may display both historical and latest values.

Therefore, we conclude that when the time range is extended, both entries of the ingested indicator may be displayed. This happens because the entries are not automatically merged by the Google SecOps platform in every case.