
Use context-enriched data in UDM Search

To support security analysts during an investigation, Chronicle ingests contextual data from different sources, normalizes the ingested data, and provides additional context about artifacts in a customer environment. This document provides examples of how analysts can use contextually enriched data in UDM Search.

For more information about data enrichment, see How Chronicle enriches event and entity data.

Chronicle enriches events containing external IP addresses with geolocation data. This provides additional context during an investigation. This document explains how you can use geolocation-enriched fields when performing investigative searches.

Geolocation-enriched UDM fields can be accessed through UDM Search as shown in the following examples.

Search by country name (country_or_region)

src.ip_geo_artifact.location.country_or_region = "Netherlands" OR
principal.ip_geo_artifact.location.country_or_region = "Netherlands"

Search by state

src.ip_geo_artifact.location.state = "North Holland" OR
principal.ip_geo_artifact.location.state = "North Holland"

Search by longitude and latitude

UDM Search does not support searching by longitude or latitude.

Search by unauthorized target geographies

metadata.event_type = "NETWORK_CONNECTION" AND
(
    target.ip_geo_artifact.location.country_or_region = "Cuba" OR
    target.ip_geo_artifact.location.country_or_region = "Iran" OR
    target.ip_geo_artifact.location.country_or_region = "North Korea" OR
    target.ip_geo_artifact.location.country_or_region = "Russia" OR
    target.ip_geo_artifact.location.country_or_region = "Syria"
)

Search by Autonomous System Number (ASN)

metadata.event_type = "NETWORK_CONNECTION" AND
(
    target.ip_geo_artifact.network.asn = 33915
)

Search by organization name

metadata.event_type = "NETWORK_CONNECTION" AND
(
    target.ip_geo_artifact.network.organization_name = "google"
)

Search by carrier name

metadata.event_type = "NETWORK_CONNECTION" AND
(
    target.ip_geo_artifact.network.carrier_name = "google llc"
)

Search by DNS domain

metadata.event_type = "NETWORK_CONNECTION" AND
(
    target.ip_geo_artifact.network.dns_domain = "lightower.net"
)
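To make the nesting of the enriched fields concrete, the following Python is an added example, not Chronicle's own code, query engine or SDK. It models UDM events as nested dicts, resolves dotted field paths such as target.ip_geo_artifact.location.country_or_region, and re-implements the searches above (source country or state, unauthorized target geographies, ASN, organization, carrier and DNS domain) as predicates run over constructed sample events. The sample events, the evt-* ids, the exact case-sensitive comparison, and the any-element semantics used for repeated (list-valued) fields are assumptions of the example, not documented UDM Search behaviour.

```python
"""Offline evaluator for the geolocation-enriched UDM search examples.

Added example, not Chronicle's query engine. Events are nested dicts;
dotted paths are resolved with "any element matches" semantics for
repeated (list) fields, an assumption about fields like ip_geo_artifact.
"""
from typing import Any, Callable

# Constructed sample events (not real telemetry); only the fields the
# example searches reference are populated.
SAMPLE_EVENTS: list[dict[str, Any]] = [
    {   # Dutch source talking to a US target; carries every network attribute.
        "metadata": {"id": "evt-1", "event_type": "NETWORK_CONNECTION"},
        "principal": {"ip_geo_artifact": {"location": {
            "country_or_region": "Netherlands", "state": "North Holland"}}},
        "target": {"ip_geo_artifact": {
            "location": {"country_or_region": "United States"},
            "network": {"asn": 33915, "organization_name": "google",
                        "carrier_name": "google llc", "dns_domain": "lightower.net"}}},
    },
    {   # Connection to a target geolocated in a blocked region.
        "metadata": {"id": "evt-2", "event_type": "NETWORK_CONNECTION"},
        "target": {"ip_geo_artifact": {"location": {"country_or_region": "Russia"},
                                       "network": {"asn": 64512}}},
    },
    {   # Blocked-region target, but not a network connection: must not match.
        "metadata": {"id": "evt-3", "event_type": "USER_LOGIN"},
        "target": {"ip_geo_artifact": {"location": {"country_or_region": "Iran"}}},
    },
    {   # Repeated ip_geo_artifact (one artifact per target IP), modelled as a list.
        "metadata": {"id": "evt-4", "event_type": "NETWORK_CONNECTION"},
        "target": {"ip_geo_artifact": [{"location": {"country_or_region": "Germany"}},
                                       {"location": {"country_or_region": "Syria"}}]},
    },
]


def udm_values(event: Any, path: str) -> list[Any]:
    """Resolve a dotted UDM path, fanning out over list-valued fields."""
    nodes: list[Any] = [event]
    for part in path.split("."):
        next_nodes: list[Any] = []
        for node in nodes:
            items = node if isinstance(node, list) else [node]
            for item in items:
                if isinstance(item, dict) and part in item:
                    next_nodes.append(item[part])
        nodes = next_nodes
    leaves: list[Any] = []
    for node in nodes:
        leaves.extend(node if isinstance(node, list) else [node])
    return leaves


def field_equals(event: dict[str, Any], path: str, expected: Any) -> bool:
    """True if any value at `path` equals `expected` (exact, case-sensitive here)."""
    return any(value == expected for value in udm_values(event, path))


def is_network_connection(event: dict[str, Any]) -> bool:
    return field_equals(event, "metadata.event_type", "NETWORK_CONNECTION")


def from_location(event: dict[str, Any], attribute: str, value: str) -> bool:
    """Mirror of the 'src OR principal' country_or_region / state searches."""
    return any(
        field_equals(event, f"{noun}.ip_geo_artifact.location.{attribute}", value)
        for noun in ("src", "principal")
    )


UNAUTHORIZED_REGIONS = ("Cuba", "Iran", "North Korea", "Russia", "Syria")


def to_unauthorized_geography(event: dict[str, Any]) -> bool:
    """Mirror of the 'unauthorized target geographies' search."""
    return is_network_connection(event) and any(
        field_equals(event, "target.ip_geo_artifact.location.country_or_region", region)
        for region in UNAUTHORIZED_REGIONS
    )


def to_network_attribute(event: dict[str, Any], attribute: str, value: Any) -> bool:
    """Mirror of the ASN / organization / carrier / DNS-domain searches."""
    return is_network_connection(event) and field_equals(
        event, f"target.ip_geo_artifact.network.{attribute}", value)


def search(events: list[dict[str, Any]],
           predicate: Callable[[dict[str, Any]], bool]) -> list[str]:
    """Return metadata.id of every event the predicate accepts, in input order."""
    return [event["metadata"]["id"] for event in events if predicate(event)]


if __name__ == "__main__":
    print("unauthorized geographies:", search(SAMPLE_EVENTS, to_unauthorized_geography))
    print("ASN 33915:", search(SAMPLE_EVENTS, lambda e: to_network_attribute(e, "asn", 33915)))
```

Two details worth noticing when running it: evt-3 is geolocated in a listed region but is excluded because the metadata.event_type clause is ANDed with the geography clause, and evt-4 matches only because the second of its two ip_geo_artifact entries is in a listed region, which is why the resolver fans out over list-valued fields instead of stopping at the first element.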

View geolocation-enriched fields in investigative views

Geolocation-enriched fields are displayed in UDM grid views including those in UDM Search, Detection View, User View, and Event Viewer.

[Figure: geolocation-enriched data in the UDM event viewer]

What's next

For information about how to use enriched data with other Chronicle features, see the following: