Chronicle Events schema changes and how to view

Recent changes

The udm_events table in BigQuery has been replaced with the new Events table. The Events table schema is largely the same as udm_events, except for the field that stores the partition label.

The Events table has a new field, called hour_time_bucket, that stores a partition label derived from the hour of the day in the metadata.event_timestamp field. This field replaces the _PARTITIONTIME pseudo column of the original udm_events table, so queries that filtered on _PARTITIONTIME must filter on hour_time_bucket instead.

The values stored in the hour_time_bucket field take the form <YYYY-MM-DD-HH>, where HH is the two-digit, zero-padded hour of the day (00 through 23). Here are examples:

  • 2022-04-18-00
  • 2022-04-18-01
  • 2022-04-18-02
  • 2022-04-18-03

In BigQuery, you'll notice the table called Events.
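The following query is an added example; it is not from the Chronicle documentation. It shows how a query that once filtered udm_events on _PARTITIONTIME filters the Events table on hour_time_bucket instead. It assumes the dataset and table names datalake.events (the path shown in the BigQuery Explorer) and that metadata.event_type is exposed as a nested column, as in the UDM schema; both are assumptions, so adjust them to your project.

```sql
-- Added example, not Chronicle's own code.
-- Assumptions: the table is `datalake.events` and metadata.event_type is a
-- nested UDM column. Replace with your project's names as needed.

-- Script variables must come first in a BigQuery script.
DECLARE window_start TIMESTAMP DEFAULT TIMESTAMP('2022-04-18 00:00:00');
DECLARE window_end   TIMESTAMP DEFAULT TIMESTAMP('2022-04-18 03:59:59');

-- The old udm_events predicate looked like this and no longer applies:
--   WHERE _PARTITIONTIME BETWEEN TIMESTAMP('2022-04-18 00:00:00')
--                            AND TIMESTAMP('2022-04-18 03:00:00')
--
-- Build the replacement labels with the same YYYY-MM-DD-HH shape the
-- table stores. Because every component is zero-padded, plain string
-- comparison orders the labels chronologically, so BETWEEN on the two
-- boundary labels covers the whole window. FORMAT_TIMESTAMP formats in
-- UTC unless a time zone argument is supplied.
SELECT
  hour_time_bucket,
  metadata.event_type,
  COUNT(*) AS event_count
FROM `datalake.events`
WHERE hour_time_bucket
        BETWEEN FORMAT_TIMESTAMP('%Y-%m-%d-%H', window_start)  -- '2022-04-18-00'
            AND FORMAT_TIMESTAMP('%Y-%m-%d-%H', window_end)    -- '2022-04-18-03'
GROUP BY hour_time_bucket, metadata.event_type
ORDER BY hour_time_bucket, metadata.event_type;
```

Two points to keep in mind when converting existing queries. First, _PARTITIONTIME on an ingestion-time partitioned table reflects when a row was loaded, whereas hour_time_bucket is derived from metadata.event_timestamp, so an event that arrives late lands in the bucket for the hour it occurred, not the hour it was ingested; detection queries that relied on load time to catch late arrivals need a wider window. Second, the page does not state the time zone used to compute the label, so before relying on a boundary filter, compare the stored hour_time_bucket against metadata.event_timestamp for a few rows and add a time zone argument to FORMAT_TIMESTAMP if they differ.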

Field list in BigQuery

In Chronicle dashboards, you'll notice a new data structure called Events (Preview).

Table list in Chronicle dashboards

Viewing the Event schema

The Events schema in BigQuery is modeled after the Unified Data Model (UDM) schema. Choose one or more of the following options to learn more about Events schema fields and the structure:

  • View a description of each UDM field in the UDM field list.
  • View the Events schema reference, Events schema in BigQuery.
  • In the Cloud console BigQuery Explorer, select <project name> > datalake > events to browse the schema.
  • In Chronicle Dashboards:

    1. Create a new dashboard or edit an existing dashboard.
    2. Add a Tile. Select Visualization as the type if prompted.
    3. In the list of tables, choose the Events (Preview) table.
    4. Browse the list of fields.

    Field list in Chronicle dashboards