This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
Check out the new Professional Security Operations Engineer certification beta!
Log in to ask a question

Parsing Error Message

Posted on 03-13-2025 02:38 PM
AJMSecOps
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Has anyone encountered this error before when testing a parser: "udm validation failed: principal field is not set: invalid argument"?

0 3 199
Topic Labels
0 Likes
3 REPLIES 3

Posted on --/--/---- --:-- AM
mikewilusz
Staff
Reply posted on --/--/---- --:-- AM

My guess is you're using a metadata.event_type that requires the use of principal fields, which are currently not set. This is documented here. If you provide more details on the parser and data I can offer some ideas.

-mike

Posted on --/--/---- --:-- AM
AJMSecOps
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Here's the code snippet. I see the "SETTINGS_MODIFICATION" in statedump output, but UDM fails overall due to error from original post.

unnamed (1).png

 

 

0 Likes

Posted on --/--/---- --:-- AM
cmorris
Staff
In response to AJMSecOps
Reply posted on --/--/---- --:-- AM

Like Mike shared, metadata.event_types may have required fields. For the SETTING_MODIFICATION event type, those fields are here - https://cloud.google.com/chronicle/docs/unified-data-model/udm-usage#udm_example_setting_. It looks like the error you are getting is due to the requirement for "principal: Must be present, non-empty, and include a machine identifier." From that link, in addition to adding a principal, you are going to need to add a target as well.

Top Solution Authors
View all