what is "idm" in UDM fields in Chronicle?

In Chronicle, UDM stands for Unified Data Model.

But in some UDM fields, like the following, there is an "idm":

- event.idm.read_only_udm.additional

What does "idm" stand for and what is its significance?


"identity management", and it's likely used to categorize users or groups within a specific organization or to indicate it was categorized for SSO authentication, workforce identity, etc.

It stands for "internal data model". The reason initially was that there were fields that were not necessarily parsed from the log, but that may change the behavior (in fact the first use case was is_alert that added a little red triangle to the parser based alerts, is_significant that exposed them to the ListAlerts api etc. There were also disambiguation keys other internal uses). So initially it was just a couple of fields that changed how things behaved. Over time this evolved as the Chronicle internal data model started including the Entity Data model as parallel to UDM, so now idm is the wrapper around idm.entity and idm.read_only_udm, both of which you can access in rules in their own ways.