New Google Cloud Security Customer Success Services Available!
We are excited to announce the availability of Google Cloud Security Customer Success subscriptions. Optimize ...
Forum Posts
Kubernetes textPayload Split
HiWithin the Kubernetes Node parser, I am trying to split the textPayload into separate fields. The textPayloa...
CSV log Parsing
Hello Team,Can you please help me with parsing the CSV log? While there are no errors during parsing, I am onl...
Sharepoint parser or not?
Hello everybody!A client requested to inject "Sharepoint" into their SIEM instance so, as usual, the first thi...
Parser extension Multiple Raw field to same UDM Field
In a predefined parser, 2 different raw fields are parsed to same UDM field:"var_target.resource.resource_subt...
Has anyone got successful with 1password logs ingestion in Chronicle SIEM?
Hi,I have been struggling to find the right approach to ingest 1password audit events into Chronicle SIEM. Upo...
Json parsing inside Message
Hello Team, we are trying to parse fields from json log format, but there are nested fields Within the "Messag...
Got an error as - "udm and entity are both non-nil"
Hi Team, While parsing UDM Entity and UDM Event for under the same parser, I got following error. generic::inv...
Ingesting custom log data to Chronicle SIEM - Not existing Log Source and Log type
Hi Community,Did anyone try to ingest a completely custom log data to Chronicle SIEM?I mean log data which doe...
Snare Windows Event Logs with WINEVTLOG default parser
Dear Community,Did anyone manage to successfully transform or parse Windows Event Logs (System, Security) that...
ingestion labels for cloudflare & zscaler internet access logs
what is the correct log type OR ingestion label to use in the chronicle forwarder configuration for the follow...
Parse Nested Json
Hi,Would like to ask for your help on how can I parse this nested json in a udm{"type": "POTENTIAL_RISKY_ACTIV...
merge in parser extension overwrites the value instead of merging
I am writing parser extension and want to update security_result.description field.if [@computed][message] != ...
What events Does the `Unix system` parser actually parse?
I have a situation where I need to advise some clients and users that the default `Unix System` parser will pa...
how to develop the parser
Hi All,I am very much looking forward to learning more about parsers, but we do not understand how to develop ...
Metadata Time Start and End Time Interval is not being followed
Hello,I'm setting up asset enrichment through the ENTITY_CONTEXT. I have configured time interval as below:By ...
Parsing CEF format or other fields containing separator character within
Hello everyone,I am having a quite hard time trying to parse a MalwareByte logs in CEF + KV format, since the ...
Parser extension vs. modify parser ?
I have an existing parser that is working fine, but doesn't contain UDM mappings for a few RAW fields. This is...
what is `event.idm.read_only_udm`
In the following doc:https://cloud.google.com/chronicle/docs/reference/udm-field-listit says:> When writing co...
Proper JSON Format for an Entity such as a Server
Hello,I need to develop some code to that will export the characteristics of servers and various network eleme...
Statedump of a for loop
Hello!I am trying to understand the statedump of a for loop.Raw log in JSON: { "data":{ "businessPhones":[ "(1...
Merge function does not append, it's just overwriting for this event field - "event.idm.read_only_ud
Hi I'm trying to append a new label into the "event.idm.read_only_udm.target.resource.attribute.labels" field ...
Chronicle parser for Oracle DB audit logs
Hello Team,Not able to parser the required fields from the oracle database audit logs.Sample log - [".*DATABAS...
How to identify each device that sends logs to a single forwarder collector?
I have multiple firewalls (same log type) sending logs to a single collector and I need to identify them by th...
Maximum character in log message
Hi Team,We are using Wazuh agent in some of our endpoint and using Chronicle forwarder to ingest those logs in...
Can a parser extension overwrite the timestamp?
I have tested a date filter that imports the metadata.event_timestamp correctly when used in a custom parser. ...
CSV Custom IOC Parser
I am trying to pull data by using the CSV Custom IOC feed from a GCP storage bucket. Looking at the Parser I s...
Parser Extension Error
What is the issue with below extension code: filter { json { source => "message" array_function => "split_colu...
Parser validation random responses??
Hello everyone,I am in the process of finalizing a parser, trying to debug the validation errors I recive when...
JSON Parser
We are currently trying to get our feet wet in managing our own parsers in Chronicle. We have started with Vir...