Question

Unable to create UDM event

  • December 12, 2025
  • 1 reply
  • 40 views

ashwinve

New to Google secops.

I have an application that emits network connection/flow events, which I am trying to map to a UDM event.

Referred to:

  1. https://docs.cloud.google.com/chronicle/docs/reference/udm-field-list#Noun
  2. https://docs.cloud.google.com/chronicle/docs/reference/udm-field-list#metadataeventtype
  3. https://docs.cloud.google.com/chronicle/docs/unified-data-model/udm-usage#required_and_optional_entity_fields

And ended up with:

{
  "metadata": {
    "eventTimestamp": "current_time",
    "id": "event_id",
    "eventType": "NETWORK_CONNECTION",
    "vendorName": "company",
    "productEventType": "Risky Services Insight",
    "description": "1024 bytes max desc",
    "productLogId": "8b2373b6-afa5-55a7-93da-cced77fd5f7f",
    "urlBackToProduct": "some url"
  },
  "principal": {
    "port": 7000,
    "application": "virtual_machine",
    "assetId": "some asset",
    "hostname": "pinguino-01"
  },
  "target": {
    "hostname": "pinguino-01"
  },
  "network": {
    "applicationProtocol": "AFP",
    "ipProtocol": "TCP",
    "receivedBytes": 46602,
    "sentBytes": 85083
  }
}

I am calling the ingest_udm method in a Python script; this method belongs to the Google SDK for SecOps.

It fails with:

Error ingesting event: Failed to ingest UDM events: {
"error": {
"code": 400,
"message": "ImportEvents failed",
"status": "INVALID_ARGUMENT"
}
}


1 reply

JeremyLand
Staff
  • December 17, 2025

Your payload is using field types instead of field names in the path. Many of the API endpoints will pass and accept values as the fieldType, but you do need to use the field_names when creating events (the field names are also what you use in the UI and any of the search/query API).

This is mentioned briefly at the very top of the UDM field list, but is easy to miss. Basically switch all your fields from camelCase (first word lowercase, subsequent words capitalized) to snake_case (all lowercase, words separated by underscores) and you should be good.

The second thing I notice is you are passing values to metadata.event_timestamp and metadata.id; these two values are automatically filled by the ingest pipeline and should be left blank when creating events.
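A small helper, added here as an example and not part of the SDK or of either post, that applies both fixes from the reply: it renames every key in the payload from camelCase to snake_case and drops metadata.event_timestamp and metadata.id. The sample payload is the one from the question; the resulting dict is what you would hand to ingest_udm (the SDK call itself is not shown and its signature is not assumed).

```python
import re
from typing import Any

# Constructed sample: the camelCase payload from the question above.
CAMEL_EVENT = {
    "metadata": {
        "eventTimestamp": "current_time",
        "id": "event_id",
        "eventType": "NETWORK_CONNECTION",
        "vendorName": "company",
        "productEventType": "Risky Services Insight",
        "description": "1024 bytes max desc",
        "productLogId": "8b2373b6-afa5-55a7-93da-cced77fd5f7f",
        "urlBackToProduct": "some url",
    },
    "principal": {"port": 7000, "application": "virtual_machine",
                  "assetId": "some asset", "hostname": "pinguino-01"},
    "target": {"hostname": "pinguino-01"},
    "network": {"applicationProtocol": "AFP", "ipProtocol": "TCP",
                "receivedBytes": 46602, "sentBytes": 85083},
}

# Paths the ingest pipeline fills itself (per the reply); sending them
# yourself is a cause of INVALID_ARGUMENT, so they are stripped.
AUTO_FILLED = {("metadata", "event_timestamp"), ("metadata", "id")}

# Matches an uppercase letter preceded by a lowercase letter or digit,
# i.e. the start of each new word in a camelCase key.
_CAMEL = re.compile(r"(?<=[a-z0-9])([A-Z])")


def to_snake(name: str) -> str:
    """eventTimestamp -> event_timestamp; snake_case names pass through unchanged."""
    return _CAMEL.sub(r"_\1", name).lower()


def to_udm_field_names(obj: Any, path: tuple = ()) -> Any:
    """Recursively rename keys to UDM field names and drop pipeline-owned fields."""
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            snake = to_snake(key)
            if path + (snake,) in AUTO_FILLED:
                continue  # leave these blank; the pipeline sets them
            out[snake] = to_udm_field_names(value, path + (snake,))
        return out
    if isinstance(obj, list):
        return [to_udm_field_names(item, path) for item in obj]
    return obj  # scalar values (including enum strings) are untouched
```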