drop google chronicle udm export · parse normalized security events · runs locally
udm schema · principal/target · security_result · local only
heuristic screener · vendor schema varies · not definitive proof