Key UDM fields for parsers

Some Google Security Operations features depend on data populated incertain UDM fields. If this data is missing or incorrect, the feature may notfunction as intended.

When creating a parser, make sure the data mapping instructions populate as manyimportant Unified Data Model(UDM) fields as possible.Parser data mapping instructions control how original raw log data is mapped tofields in the UDM data structure. For a list of all UDM fields, see theUnifiedData Model field list.

Feature areas

Key UDM fields fall into the following feature areas (and use cases). TheFeature area or use cases column in theKey UDM field list includes the following feature areas:

• Curated detections: Prebuilt rule sets, managed byGoogle SecOps, that analyze your data to detect potential threats.
• Indexing: Lets security analysts search forinformation about resources, such as assets, domains, IP addresses, users, andfiles. It also enriches UDM records with details about prevalence,first time seen, last time seen, and more.
• Artifact aliasing: Enriches UDM records with additional data,such as geolocation data using an external IP address.
• Asset aliasing: Identifies relationships across individualUDM records related to the same physical asset, such as a server, laptop, ormobile device.
• Process aliasing: Identifies relationships across individualUDM records that describe one or more related processes, files, and users whoexecuted the process.
• User aliasing: Identifies relationships across individual UDMrecords related to the same user.
• Entity graph: Identifies relationships between entities andresources in your environment.
• IoC: Matches your data against data ingested from IoC feeds.
• Threat hunting: This is a use case, not a feature. Fields with thisvalue are recommended to facilitate Threat hunting activities.

Key UDM fields

Use this keyword lookup to find important UDM fields.