
Hello Community,

I want to know what the identifier of each log source in Chronicle is. For example, in other SIEMs each log source is identified by a property called "log source identifier".

What is the UDM field used for identifying log sources in Chronicle?
I want to use this UDM field in a table dashboard to monitor the status of each log source.

Thanks

metadata.log_type
ex.: [example not reproduced]
There is also a log_type field in the ingestion metrics schema - https://cloud.google.com/chronicle/docs/reference/ingestion-metrics-schema. If you have the preview dashboards, you may be able to do something like this to get started:


ingestion.log_type != ""
$date = timestamp.get_date(ingestion.end_time)
$log_type = ingestion.log_type
match:
  $date, $log_type
outcome:
  $log_volume_GiB = sum(ingestion.log_volume) / (1024 * 1024 * 1024)
order:
  $log_type asc
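The same roll-up the dashboard query above computes, done offline in Python so the shape of the result can be seen, plus the staleness check a "status of each log source" table needs (a log type that simply stops reporting produces no row at all, so the table has to be compared against an expected list). This is an added example, not code from the thread or from Google; the ingestion-metrics rows are constructed by hand and model only the three fields used here (log_type, end_time, log_volume in bytes), and the expected log types and the 6-hour silence threshold are assumptions.

```python
"""Offline equivalent of the YARA-L dashboard query above, plus a
"which expected log types have gone quiet" check.

Added example, not from the original thread or from Google.  The rows are
constructed to resemble Chronicle ingestion-metrics records; only the
fields used here are modelled.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

GIB = 1024 ** 3

# Constructed sample rows (assumed shape): log_volume is bytes, end_time RFC 3339.
SAMPLE_ROWS = [
    {"log_type": "WINEVTLOG", "end_time": "2024-05-01T03:00:00Z", "log_volume": 3 * GIB},
    {"log_type": "WINEVTLOG", "end_time": "2024-05-01T15:00:00Z", "log_volume": 1 * GIB},
    {"log_type": "PAN_FIREWALL", "end_time": "2024-05-01T10:00:00Z", "log_volume": 512 * 1024 ** 2},
    {"log_type": "WINEVTLOG", "end_time": "2024-05-02T01:00:00Z", "log_volume": 2 * GIB},
    # Empty log_type: the query's `ingestion.log_type != ""` filter drops this row.
    {"log_type": "", "end_time": "2024-05-02T01:00:00Z", "log_volume": 9 * GIB},
]

# Assumed "current time" and expected inventory for the staleness check.
NOW = datetime(2024, 5, 2, 4, 0, tzinfo=timezone.utc)
EXPECTED_LOG_TYPES = {"WINEVTLOG", "PAN_FIREWALL", "OKTA"}


def parse_ts(s):
    """RFC 3339 'Z' timestamp -> aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def volume_by_date_and_log_type(rows):
    """Mirror of the query: filter log_type != "", match on ($date, $log_type),
    outcome sum(log_volume) / GiB, order by $log_type asc.
    Returns a list of ((date, log_type), gib) sorted by log_type, then date."""
    totals = defaultdict(float)
    for r in rows:
        if not r["log_type"]:
            continue
        key = (parse_ts(r["end_time"]).date().isoformat(), r["log_type"])
        totals[key] += r["log_volume"] / GIB
    return sorted(totals.items(), key=lambda kv: (kv[0][1], kv[0][0]))


def stale_log_types(rows, expected, now, max_silence=timedelta(hours=6)):
    """Log types in `expected` whose newest end_time is older than `max_silence`
    before `now`, or that never appear in the metrics at all.
    Returns {log_type: last_seen_datetime_or_None}."""
    last_seen = {}
    for r in rows:
        if not r["log_type"]:
            continue
        ts = parse_ts(r["end_time"])
        if r["log_type"] not in last_seen or ts > last_seen[r["log_type"]]:
            last_seen[r["log_type"]] = ts
    stale = {}
    for log_type in expected:
        seen = last_seen.get(log_type)
        if seen is None or now - seen > max_silence:
            stale[log_type] = seen
    return stale


if __name__ == "__main__":
    for (date, log_type), gib in volume_by_date_and_log_type(SAMPLE_ROWS):
        print(f"{date}  {log_type:<14} {gib:6.2f} GiB")
    for log_type, seen in stale_log_types(SAMPLE_ROWS, EXPECTED_LOG_TYPES, NOW).items():
        print(f"STALE  {log_type:<14} last seen: {seen or 'never'}")
```

The volume table alone would never list OKTA, because a source that sends nothing contributes no ingestion-metrics row; the second function is the part a monitoring dashboard actually needs.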

Hello Rached,

Unfortunately, there is no global 'individual log source (i.e. "device") identifier' field. It will depend on the log_type you're studying. For some it's in `intermediary.hostname`, for others it's in `principal.hostname`, etc.

See you soon 😉
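Because the device-identifying field depends on the log type, a dashboard or script that wants a per-device inventory has to resolve the field per `metadata.log_type`. The following is an added example (not from the thread or from Google) showing one way to do that over UDM events: a lookup table of candidate UDM paths per log type, a path walker that copes with UDM's repeated fields (`intermediary` and `principal.ip` are lists), and an inventory of count and last-seen per (log_type, source). The `SOURCE_FIELD` mapping is an assumption chosen to illustrate the answer above, not a documented one; verify each parser's output before relying on a path. The events are constructed.

```python
"""Per-device "log source identifier" resolved per metadata.log_type.

Added example, not from the original thread or from Google.  SOURCE_FIELD
is an ASSUMED mapping for illustration; the events are constructed and
carry only the UDM fields this example reads.
"""

# Assumed: log_type -> ordered list of dotted UDM paths to try, first hit wins.
SOURCE_FIELD = {
    "PAN_FIREWALL": ["intermediary.hostname", "principal.hostname"],
    "WINEVTLOG": ["principal.hostname", "principal.ip"],
}
# Assumed fallback for any log_type not in the table.
DEFAULT_FIELDS = ["intermediary.hostname", "principal.hostname", "principal.ip"]

# Constructed UDM-shaped events (intermediary and principal.ip are repeated fields).
SAMPLE_EVENTS = [
    {"metadata": {"log_type": "PAN_FIREWALL", "event_timestamp": "2024-05-01T10:00:00Z"},
     "intermediary": [{"hostname": "fw-edge-01"}], "principal": {"hostname": "ws-1"}},
    {"metadata": {"log_type": "PAN_FIREWALL", "event_timestamp": "2024-05-01T11:00:00Z"},
     "intermediary": [{"hostname": "fw-edge-01"}], "principal": {"hostname": "ws-2"}},
    {"metadata": {"log_type": "WINEVTLOG", "event_timestamp": "2024-05-01T10:30:00Z"},
     "principal": {"hostname": "DC01"}},
    # Parser emitted only an IP for this host: second candidate path is used.
    {"metadata": {"log_type": "WINEVTLOG", "event_timestamp": "2024-05-01T12:00:00Z"},
     "principal": {"ip": ["10.0.0.5"]}},
    # Log type not in the table and no host fields at all: stays unresolved.
    {"metadata": {"log_type": "OKTA", "event_timestamp": "2024-05-01T09:00:00Z"},
     "principal": {"user": {"userid": "alice"}}},
]


def get_path(obj, dotted):
    """Walk a dotted UDM path through nested dicts.  Repeated fields (lists)
    are collapsed to their first element, a simplification for this example.
    Returns None when any segment is missing or empty."""
    cur = obj
    for part in dotted.split("."):
        if isinstance(cur, list):
            if not cur:
                return None
            cur = cur[0]
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    if isinstance(cur, list):
        cur = cur[0] if cur else None
    return cur or None


def source_identifier(event):
    """Return (log_type, udm_path_used, value); path and value are None if
    no candidate path for this log_type is populated."""
    log_type = event.get("metadata", {}).get("log_type", "")
    for path in SOURCE_FIELD.get(log_type, DEFAULT_FIELDS):
        value = get_path(event, path)
        if value:
            return log_type, path, value
    return log_type, None, None


def inventory(events):
    """(log_type, source) -> {"count", "last_seen", "field"}.  Timestamps are
    compared as strings, which is safe only because they share one RFC 3339
    format; parse them if your data mixes formats."""
    inv = {}
    for ev in events:
        log_type, path, source = source_identifier(ev)
        key = (log_type, source or "<unresolved>")
        ts = ev["metadata"]["event_timestamp"]
        entry = inv.setdefault(key, {"count": 0, "last_seen": ts, "field": path})
        entry["count"] += 1
        if ts > entry["last_seen"]:
            entry["last_seen"] = ts
    return inv


if __name__ == "__main__":
    for (log_type, source), e in sorted(inventory(SAMPLE_EVENTS).items()):
        print(f"{log_type:<14} {source:<14} via {e['field'] or '-':<22} "
              f"n={e['count']} last={e['last_seen']}")
```

Unresolved rows are kept rather than dropped on purpose: a log type whose events never populate any of its candidate paths is exactly the case where the mapping needs to be extended.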

