Hi everyone,We are troubleshooting an issue related to Raw events in Google Chronicle SOAR.Raw Event properties- Because of this, we are unable to see or select any raw event fields during ontology mapping.Observations: This behavior is occurring across multiple sources/products. Some sources appear to use default views, while others have custom configurations. Normally we would expect raw event data to appear at least at the source level, but currently nothing is populating. Raw events appear to exist in Chronicle, so it’s unclear why they are not appearing in the ontology configuration page. Has anyone encountered a similar issue where raw event properties are not visible in the ontology configuration UI?Could this potentially be related to: a connector/data ingestion issue, or custom view/configuration changes affecting how raw event fields are exposed? Any guidance would be appreciated.Thanks!

Question

raw events data

+14

Hi everyone,

We are troubleshooting an issue related to Raw events in Google Chronicle SOAR.

Raw Event properties- Because of this, we are unable to see or select any raw event fields during ontology mapping.

Observations:

This behavior is occurring across multiple sources/products.
Some sources appear to use default views, while others have custom configurations.
Normally we would expect raw event data to appear at least at the source level, but currently nothing is populating.
Raw events appear to exist in Chronicle, so it’s unclear why they are not appearing in the ontology configuration page.

Has anyone encountered a similar issue where raw event properties are not visible in the ontology configuration UI?

Could this potentially be related to:

a connector/data ingestion issue, or
custom view/configuration changes affecting how raw event fields are exposed?

Any guidance would be appreciated.

Thanks!