what is `event.idm.read_only_udm`

In the following doc:

https://cloud.google.com/chronicle/docs/reference/udm-field-list

it says:

> When writing configuration-based normalizer (CBN) parsers, use the <prefix> pattern event.idm.read_only_udm for UDM Event fields and event.idm.graph for UDM Entity fields. 

I am very confused. What does `idm`, `read_only_udm`, and `graph` mean here?


I'm not sure the words themselves have significance here. The document you're referring to is simply calling out the base of our datamodel for the two different UDM object types (events and entities). 

When you're writing a parser and wish to write a UDM event then all the fields that are mentioned in that document will need to be prefixed with event.idm.read_only_udm. Alternatively, when you're writing a parser and wish to include a UDM entity then all of the fields mentioned will be prefixed with entity.graph.

In reality the name doesn't even have to begin with event or entity, it can begin with any string, but for the sake of readability we stick to event/entity. You could use the prefix my_awesome_event_like_object.idm.read_only_udm or no_entity_to_be_seen_here.graph as long as the rest of the fields are kept correct. You just have to make sure that the final merge into @output is done correctly:

mutate {
  merge => { "@output" => "my_awesome_event_like_object" }
}

or

mutate {
  merge => { "@output" => "no_entity_to_be_seen_here" }
}

There are underlying reasons for the naming scheme that have to do with the protobuf definitions, but that doesn't really explain it any better nor does it have any impact on the way things are written. Just consider <something>.idm.read_only_udm and the corresponding <something>.graph to be a requirement. 

I suspect that someone could probably explain the historical reasons for the naming scheme, but that will be getting more into the equivalent of the etymology of a word versus the definition of it. 
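To make the two prefixes concrete, here is a small CBN-style parser fragment added as an illustration (it is not from the reply above or from Google's documentation). It assumes a constructed log line format, a made-up product name, and that the UDM fields used (metadata.event_type, principal.ip, target.ip, entity_type, entity.hostname) are those listed in the linked field reference; it builds one UDM Event under event.idm.read_only_udm and one UDM Entity under entity.graph, then merges both into @output.

```logstash
filter {
  # Constructed sample input this fragment expects in "message", e.g.:
  #   2024-01-01T12:00:00Z host01 10.0.0.5 -> 192.0.2.10 allowed
  grok {
    match => { "message" => "%{TIMESTAMP_ISO8601:ts} %{HOSTNAME:host} %{IP:src_ip} -> %{IP:dst_ip} %{WORD:action}" }
    on_error => "grok_failed"
  }

  if ![grok_failed] {
    # UDM Event fields: everything lives under <prefix>.idm.read_only_udm
    date {
      match => ["ts", "ISO8601"]
      target => "event.idm.read_only_udm.metadata.event_timestamp"
    }
    mutate {
      replace => {
        "event.idm.read_only_udm.metadata.event_type" => "NETWORK_CONNECTION"
        "event.idm.read_only_udm.metadata.product_name" => "EXAMPLE_FW"  # constructed value
      }
    }
    # principal.ip / target.ip are repeated fields, so merge a token
    # holding the value rather than replacing with a literal string.
    mutate {
      merge => {
        "event.idm.read_only_udm.principal.ip" => "src_ip"
        "event.idm.read_only_udm.target.ip" => "dst_ip"
      }
    }

    # UDM Entity fields: everything lives under <prefix>.graph
    mutate {
      replace => {
        "entity.graph.metadata.entity_type" => "ASSET"
        "entity.graph.entity.hostname" => "%{host}"
      }
    }

    # The final step that matters: both objects are merged into @output,
    # and only the ".idm.read_only_udm" / ".graph" part of the path is fixed.
    mutate { merge => { "@output" => "event" } }
    mutate { merge => { "@output" => "entity" } }
  }
}
```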

Thanks @Dimarsky 

So, per your explanation:

Fields for a UDM event need to be prefixed with `event.idm.read_only_udm`.

Fields for a UDM entity need to be prefixed with `entity.graph`.


But the documentation seems to be saying something different for UDM entity fields when writing CBN parsers:

It says to use the prefix pattern `event.idm.graph` for UDM entity fields as opposed to `entity.graph`.

This is what I am confused about - the documentation makes no reference to `entity.graph` in the context of a prefix pattern for CBN parsers.

Why are there different prefix patterns when writing rules for Detect Engine vs when writing CBN parsers?

Also a quick followup: what does `idm` mean here?


Also, I ran into the following in https://cloud.google.com/chronicle/docs/unified-data-model/udm-usage#event-metadata

> For rules engine evaluation, the prefix begins udm., while configuration-based normalizer (CBN) prefix begins event.idm.read_only_udm.