Chronicle Events schema changes and how to view

Recent changes

The udm_events table in BigQuery has been replaced with the new Events table.

The Events table schema is largely the same as the previous version, except for the field that stores date partitions. A new field, called hour_time_bucket, identifies the partition as the hour of the day in the metadata.event_timestamp field. This new field replaces the _PARTITIONTIME pseudo column in the original udm_events table.

Values in the hour_time_bucket field are hourly timestamps that take the form <YYYY-MM-DD HH:MM:SS UTC>. Here are examples:

  • 2022-05-20 00:00:00 UTC
  • 2022-05-20 01:00:00 UTC
  • 2022-05-20 02:00:00 UTC
  • 2022-05-20 03:00:00 UTC

For example, the value 2022-05-20 00:00:00 UTC labels data with an event_timestamp between 2022-05-20 00:00:00 UTC and 2022-05-20 00:59:59 UTC.
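The following query is an added example, not part of the Chronicle documentation, showing how a filter that used to target the _PARTITIONTIME pseudo column on udm_events is written against the new Events table using hour_time_bucket. It assumes the table is reachable as `<project>.datalake.events`, that hour_time_bucket is a TIMESTAMP column, and that metadata.event_type is the standard UDM event type field; `my-project` is a placeholder for your project id. The second statement checks the bucket rule described above: every row's hour_time_bucket should equal its event_timestamp truncated to the hour.

```sql
-- Added example (not from the Chronicle documentation).
-- Assumptions: table is my-project.datalake.events (my-project is a placeholder),
-- hour_time_bucket is a TIMESTAMP column, metadata.event_type is a UDM field.

-- Old pattern on udm_events filtered the partition with _PARTITIONTIME;
-- on the Events table the partition filter goes on hour_time_bucket instead.
-- Restrict the partition scan first, then apply the precise time filter on
-- metadata.event_timestamp (the bucket covers the whole hour, so both are needed).
SELECT
  hour_time_bucket,
  metadata.event_type,
  COUNT(*) AS event_count
FROM `my-project.datalake.events`
WHERE hour_time_bucket >= TIMESTAMP("2022-05-20 00:00:00 UTC")
  AND hour_time_bucket <  TIMESTAMP("2022-05-21 00:00:00 UTC")
  AND metadata.event_timestamp >= TIMESTAMP("2022-05-20 00:00:00 UTC")
  AND metadata.event_timestamp <  TIMESTAMP("2022-05-21 00:00:00 UTC")
GROUP BY hour_time_bucket, metadata.event_type
ORDER BY hour_time_bucket, event_count DESC;

-- Consistency check: count rows whose bucket does not match the hour of
-- their event timestamp. Expected result for a healthy table is 0.
SELECT COUNT(*) AS mismatched_rows
FROM `my-project.datalake.events`
WHERE hour_time_bucket >= TIMESTAMP("2022-05-20 00:00:00 UTC")
  AND hour_time_bucket <  TIMESTAMP("2022-05-21 00:00:00 UTC")
  AND hour_time_bucket != TIMESTAMP_TRUNC(metadata.event_timestamp, HOUR);
```

Keeping the hour_time_bucket predicate on its own, rather than only filtering on metadata.event_timestamp, is what lets BigQuery prune partitions; the event_timestamp predicate then narrows the result inside the scanned hours.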

In BigQuery, you'll notice the table called Events.

Figure: Field list in BigQuery

In Chronicle dashboards, you'll notice a new data structure called Events (Preview).

Figure: Table list in Chronicle dashboards explorer

Viewing the Event schema

The Events schema in BigQuery is modeled after the Unified Data Model (UDM) schema. Choose one or more of the following options to learn more about Events schema fields and the structure:

  • View a description of each UDM field in the UDM field list.
  • View the Events schema document, Events schema in BigQuery.
  • In the Cloud console BigQuery Explorer, select <project name> > datalake > events to browse the schema.
  • In Chronicle Dashboards:

    1. Create a new dashboard or edit an existing dashboard.
    2. Add a Tile. Select Visualization as the type if prompted.
    3. In the list of tables, choose the Events (Preview) table.
    4. Browse the list of fields.

Figure: Field list in Chronicle Events (preview)