Send events in uncompressed format using Ingestion API

Hi Team, 

I am trying to send data to SecOps in UDM format using the Ingestion API. After sending the data, the rawevent field shows some gibberish values instead of the actual rawevent (my JSON UDM payload). This might be due to compression? How can I ingest the data in UDM while keeping the rawevent field intact?


Thanks in advance


Hi yashdatabahn,

I was also surprised by that gibberish when I first saw it and learned the cause from Chris Martin's blog post "Creating UDM Objects in Python":

Q. Why does a UDM Event appear as gibberish?

A UDM event appears to be stored in Proto3 format (Google Protocol Buffer format). At the time of writing Chronicle SIEM doesn't support rendering Proto3 in the event viewer, hence they appear with some gibberish characters... The easiest option is to turn off the Raw Log tab and use the UDM Events tab only.
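To make the "send a JSON UDM payload over the Ingestion API" part of the question concrete, here is an added Python example (mine, not from the thread or from Chris Martin's blog). It assembles a UDM event as a plain dict, runs a local sanity check before sending, and serialises the batch body as uncompressed UTF-8 JSON, which is what the API accepts and what the gibberish in the Raw Log tab is not about. The endpoint URL, the `customer_id`/`events` body shape and the required-field list are assumptions taken from the public Ingestion API reference rather than from this page; the sample event is constructed.

```python
import json
import urllib.request
from datetime import datetime, timezone

# Assumption (public Ingestion API reference, not this thread): UDM events are
# POSTed as a JSON batch to the udmevents:batchCreate method.
UDM_BATCH_CREATE_URL = "https://malachiteingestion-pa.googleapis.com/v2/udmevents:batchCreate"

# Assumption: metadata fields without which the API rejects a UDM event.
REQUIRED_METADATA = ("event_timestamp", "event_type")


def build_udm_event(event_type, product_name, principal_hostname, timestamp=None, **sections):
    """Assemble one UDM event as a dict ready for JSON serialisation.

    Extra keyword arguments attach further UDM nouns (target, network, ...).
    """
    ts = timestamp or datetime.now(timezone.utc)
    event = {
        "metadata": {
            # RFC 3339 UTC timestamp, the form UDM uses for event_timestamp
            "event_timestamp": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "event_type": event_type,
            "product_name": product_name,
        },
        "principal": {"hostname": principal_hostname},
    }
    event.update(sections)
    return event


def validate_udm_event(event):
    """Return a list of problems found locally; an empty list means the event passes."""
    problems = []
    metadata = event.get("metadata", {})
    for field in REQUIRED_METADATA:
        if not metadata.get(field):
            problems.append(f"metadata.{field} is missing")
    if "principal" not in event and "target" not in event:
        problems.append("event has neither principal nor target")
    return problems


def build_batch_request(customer_id, events):
    """Serialise the batchCreate body as plain (uncompressed) UTF-8 JSON bytes.

    Raises ValueError before anything is sent if any event fails the local checks,
    so a malformed batch never reaches the API.
    """
    bad = [(i, validate_udm_event(e)) for i, e in enumerate(events)]
    bad = [(i, p) for i, p in bad if p]
    if bad:
        raise ValueError(f"invalid UDM events: {bad}")
    body = {"customer_id": customer_id, "events": events}
    return json.dumps(body, separators=(",", ":")).encode("utf-8")


def send_batch(body_bytes, bearer_token):
    """POST the batch; the caller supplies an OAuth2 access token for the API."""
    req = urllib.request.Request(
        UDM_BATCH_CREATE_URL,
        data=body_bytes,
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Authorization": f"Bearer {bearer_token}",
        },
    )
    with urllib.request.urlopen(req, timeout=30) as resp:  # network call, not run offline
        return resp.status


def example_batch():
    """Constructed sample batch, decoded back to a dict so the result can be inspected."""
    ev = build_udm_event(
        "NETWORK_CONNECTION",
        "ExampleProduct",  # constructed product name
        "host-1",
        timestamp=datetime(2024, 9, 27, 6, 0, 0, tzinfo=timezone.utc),
        target={"ip": "10.0.0.5"},  # constructed sample address
    )
    return json.loads(build_batch_request("example-customer-id", [ev]))


if __name__ == "__main__":
    print(json.dumps(example_batch(), indent=2))
```

Run it as-is to print the batch body that would be sent; `send_batch` is only called once you have a valid access token. The local validation is the useful part for the situation in the question: it separates "the API rejected my JSON" from "the Raw Log tab renders the stored event as Proto3", which the reply above explains is expected.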