New to Google SecOps.
I have an application that emits network connection/flow events, which I am trying to map to a UDM event.
Referred to:
- https://docs.cloud.google.com/chronicle/docs/reference/udm-field-list#Noun
- https://docs.cloud.google.com/chronicle/docs/reference/udm-field-list#metadataeventtype
- https://docs.cloud.google.com/chronicle/docs/unified-data-model/udm-usage#required_and_optional_entity_fields
and ended up with:
{
    "metadata": {
        "eventTimestamp": "current_time",
        "id": "event_id",
        "eventType": "NETWORK_CONNECTION",
        "vendorName": "company",
        "productEventType": "Risky Services Insight",
        "description": "1024 bytes max desc",
        "productLogId": "8b2373b6-afa5-55a7-93da-cced77fd5f7f",
        "urlBackToProduct": "some url",
    },
    "principal": {
        "port": 7000,
        "application": "virtual_machine",
        "assetId": "some asset",
        "hostname": "pinguino-01",
    },
    "target": {
        "hostname": "pinguino-01",
    },
    "network": {
        "applicationProtocol": "AFP",
        "ipProtocol": "TCP",
        "receivedBytes": 46602,
        "sentBytes": 85083,
    }
}
I am calling the ingest_udm method in a Python script; this method belongs to the Google SDK for SecOps.
It fails with:
Error ingesting event: Failed to ingest UDM events: {
"error": {
"code": 400,
"message": "ImportEvents failed",
"status": "INVALID_ARGUMENT"
}
}