I want to add blank parser fields so that I can go through later using a script made with SecOps in the IDE to map custom identifiers to those blank fields. Is there any way to do this?
Hi @bvenn, thank you for your post. Can you share with us a little more about what you are trying to accomplish?
@bvenn The schema we have in UDM for events is very extensible, and we will consider adding additional fields upon request if they are unique. However, unlike other schemas (CEF comes to mind) that have ambiguous custom fields, UDM does not have them. That said, in addition to the UDM field list found here, https://cloud.google.com/chronicle/docs/reference/udm-field-list, if we needed a place to store data where it would not fit anywhere else, something like the "about" noun in the schema is worth looking into, using the concept of labels, which are essentially key-value pairs. That might be something to consider if you are looking to store data in the UDM SIEM schema and it doesn't go anywhere else.
Let us know if that helps. Thanks.
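As an added illustration of the approach in the reply above (this is example code written for this page, not code from the thread participants or from Google's parser tooling): it assumes a UDM event is represented as JSON in which "about" is a list of Noun objects, each carrying a "labels" list of {"key", "value"} pairs, as in the UDM field list. The raw log record, the "x_" prefix used to recognise custom identifiers, and the mapping table are all constructed for the example. Fields with a dedicated UDM home are mapped there; everything else with the custom prefix is parked as a label under "about", where a later script can read it back by key. Because UDM labels are plain key-value pairs, the example also rejects duplicate keys, which would make the parked data ambiguous in the same way the reply describes for CEF custom fields.

```python
# Example code added for this page; not the original poster's parser nor Google's.
# Assumed shape (from the UDM field list): event["about"] is a list of Noun
# objects, each with "labels": [{"key": ..., "value": ...}, ...].

# Constructed sample: a parsed raw log mixing fields that have a UDM home with
# vendor-specific identifiers (prefixed "x_" here by convention) that do not.
SAMPLE_LOG = {
    "timestamp": "2024-05-01T12:00:00Z",
    "src_ip": "10.0.0.5",
    "user": "jdoe",
    "x_case_id": "CASE-4412",
    "x_asset_tag": "LAPTOP-0091",
    "x_region_code": "EU-W1",
}

# Constructed, deliberately small mapping of raw fields to UDM paths.
# The boolean marks repeated UDM fields (e.g. principal.ip is a list).
KNOWN_MAPPING = {
    "timestamp": (("metadata", "event_timestamp"), False),
    "src_ip": (("principal", "ip"), True),
    "user": (("principal", "user", "userid"), False),
}


def set_path(event, path, value):
    """Set a nested key path on the event dict, creating intermediate dicts."""
    node = event
    for key in path[:-1]:
        node = node.setdefault(key, {})
    node[path[-1]] = value


def build_udm_event(raw, custom_prefix="x_"):
    """Map known fields to UDM; park custom identifiers as about[0].labels.

    Raises ValueError on a duplicate label key so the parked data stays
    unambiguous for the script that maps it later.
    """
    event = {"metadata": {"event_type": "GENERIC_EVENT"}}
    labels = []
    seen_keys = set()
    for field, value in raw.items():
        if field in KNOWN_MAPPING:
            path, repeated = KNOWN_MAPPING[field]
            set_path(event, path, [value] if repeated else value)
        elif field.startswith(custom_prefix):
            if field in seen_keys:
                raise ValueError(f"duplicate custom identifier: {field}")
            seen_keys.add(field)
            # UDM label values are strings, so normalise here.
            labels.append({"key": field, "value": str(value)})
        # Fields that are neither mapped nor custom are dropped on purpose.
    if labels:
        event["about"] = [{"labels": labels}]
    return event


def get_label(event, key):
    """Read a parked identifier back by key; None if absent."""
    for noun in event.get("about", []):
        for label in noun.get("labels", []):
            if label.get("key") == key:
                return label.get("value")
    return None


def custom_keys(event):
    """List every parked key, which is what a later mapping script iterates."""
    return [label["key"] for noun in event.get("about", [])
            for label in noun.get("labels", [])]


if __name__ == "__main__":
    import json
    ev = build_udm_event(SAMPLE_LOG)
    print(json.dumps(ev, indent=2))
    print("parked keys:", custom_keys(ev))
    print("x_case_id ->", get_label(ev, "x_case_id"))
```

The later "mapping" pass the original poster describes can then walk custom_keys(), decide which dedicated UDM field each identifier should move to, and rewrite the event; nothing in the parked labels is lost in the meantime.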