Skip to main content
Solved

Ordering events

  • January 5, 2024
  • 3 replies
  • 26 views
mountaincode2
Forum|alt.badge.img+8

I was checking out the following video on ordering events:

https://www.googlecloudcommunity.com/gc/Chronicle-Best-Practices/Getting-to-Know-Chronicle-Building-a-Multi-Event-Rule-Ordering/ta-p/677993/jump-to/first-unread-message

I am unable to understand what is the difference between `target.user.userid` and `principal.user.userid` fields?

 

Best answer by ion_

Similar to the message on your other thread, theres the idea in UDM of a Principal being the one acting and the Target being the one acted upon. In some instances this is clear and intuitive. However, I often find myself digging into the logs to understand how various fields have been filled in.

In this instance, the principal user for a USER_CREATION event is going to be the user creating another user, while the target will be the new user account. Going further with this example:
  • tim.smith (principal.user.userid) created a user account called alice.young (target.user.userid)
  • The account alice.young was logged into and performed some actions
  • tim.smith then deleted the account.

Does that help?

3 replies

I
Forum|alt.badge.img+6
  • ion_Bronze 2
  • Bronze 2
  • Answer
  • January 5, 2024

Similar to the message on your other thread, theres the idea in UDM of a Principal being the one acting and the Target being the one acted upon. In some instances this is clear and intuitive. However, I often find myself digging into the logs to understand how various fields have been filled in.

In this instance, the principal user for a USER_CREATION event is going to be the user creating another user, while the target will be the new user account. Going further with this example:
  • tim.smith (principal.user.userid) created a user account called alice.young (target.user.userid)
  • The account alice.young was logged into and performed some actions
  • tim.smith then deleted the account.

Does that help?

mountaincode2
jstoner
Staff
Forum|alt.badge.img+22
  • jstoner
  • Staff
  • January 5, 2024

In this example, the target_user is used as a placeholder variable and a common value that exists across all 3 types of events, a creation event, a login event and a deletion event.

The userid is defined in the events section as a placeholder variable but for our aggregation, we are also using it as a match variable so all of the events that occur in a 1 hour window with the same userid value are aggregated together.

The same field that is used to join events together does not need to be the same as the one that is being aggregated against. In fact when there are multiple joins across event variables, they don't need to always be on the same field either. So depending on the data sets, you could end up having a placeholder variable that bridged the principal.user.userid of one event and the target.user.userid of another event (for example).

L
mountaincode2
Forum|alt.badge.img+8
  • mountaincode2Silver 2
  • Author
  • Silver 2
  • February 7, 2024

Thank you!

Ray_a
Terms & ConditionsCookie settingsAccessibility statement
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.