Supported default parsers
Parsers normalize raw log data into the structured Unified Data Model format. This section lists the devices, with their ingestion labels, that have a default parser. A default parser is considered supported by Chronicle as long as the device's raw logs are received in the required format.
For a list of supported ingestion labels, see Supported data sets.
The Format column indicates the high-level structure of the raw log, using the following values:
- CSV: Comma Separated Values
- JSON: JavaScript Object Notation
- SYSLOG: syslog formatted message
- KV: key-value pair
- XML: Extensible Markup Language
- SYSLOG + KV: syslog header with key-value body
- SYSLOG + JSON: syslog header with JSON body
- SYSLOG + XML: syslog header with XML body
- LEEF: Log Event Extended Format
- CEF: Common Event Format
Vendor / Product | Category | Ingestion Label | Format | Latest Update |
---|---|---|---|---|
AWS VPC Flow | AWS Specific | AWS_VPC_FLOW | SYSLOG | 2022-05-05 |
Juniper IPS | IDS/IPS | JUNIPER_IPS | SYSLOG + KV | 2020-06-02 |
Dell EMC Data Domain | Storage system | DELL_EMC_DATA_DOMAIN | SYSLOG + KV | 2022-04-27 |
Proofpoint On Demand | Email Server | PROOFPOINT_ON_DEMAND | JSON | 2022-04-13 |
Cisco Switch | Switches, Routers | CISCO_SWITCH | SYSLOG | 2021-10-13 |
AWS Cloudtrail | Cloud Log Aggregator | AWS_CLOUDTRAIL | JSON | 2022-04-13 |
Semperis DSP | LDAP | SEMPERIS_DSP | SYSLOG | 2021-04-29 |
ForgeRock OpenAM | Identity and Access Management | OPENAM | CSV, SYSLOG + KV | 2022-04-29 |
Static IP | DHCP | ASSET_STATIC_IP | CSV | 2020-04-30 |
Linux Auditing System (AuditD) | OS | AUDITD | SYSLOG | 2022-04-26 |
Cloudian hyperstore | Storage Solutions | CLOUDIAN_HYPERSTORE | SYSLOG | 2021-05-05 |
F5 BIGIP LTM | Load Balancer, Traffic Shaper, ADC | F5_BIGIP_LTM | SYSLOG | 2022-05-02 |
Windows DHCP | DHCP | WINDOWS_DHCP | JSON, SYSLOG, CSV | 2022-04-13 |
IBM CICS | Service Bus | IBM_CICS | LEEF | 2021-10-27 |
Elastic Packet Beats | Log Aggregator | ELASTIC_PACKETBEATS | SYSLOG + JSON | 2022-05-09 |
Microsoft Exchange | Email Server | EXCHANGE_MAIL | SYSLOG | 2022-05-02 |
CrowdStrike Falcon Stream | Alerts | CS_STREAM | KV (LEEF) | 2021-09-23 |
Oracle | DATABASE | ORACLE_DB | SYSLOG + KV | 2022-01-11 |
Duo User Context | Identity and Access Management | DUO_USER_CONTEXT | JSON | 2021-04-12 |
McAfee Web Protection | SaaS Application | MCAFEE_WEB_PROTECTION | JSON | 2020-11-02 |
Fireeye ETP | Email Server | FIREEYE_ETP | JSON | 2021-06-11 |
SecureLink | Remote Access Tools | SECURELINK | SYSLOG | 2020-07-13 |
Symantec Event export | SEP | SYMANTEC_EVENT_EXPORT | JSON | 2021-09-28 |
ServiceNow Security | SaaS Application | SERVICENOW_SECURITY | JSON | 2021-05-24 |
Comodo | AV / Endpoint | COMODO_AV | SYSLOG + KV (CEF) | 2021-04-09 |
AWS CloudWatch | Cloud service monitoring | AWS_CLOUDWATCH | JSON, GROK | 2022-01-15 |
Cisco NX-OS | OS | CISCO_NX_OS | SYSLOG | 2022-02-21 |
Cisco Prime | Network Management and Optimization | CISCO_PRIME | SYSLOG | 2021-05-21 |
Cisco Stealthwatch | Log Aggregator | CISCO_STEALTHWATCH | JSON | 2021-09-16 |
Cloud Passage | SaaS Application | CLOUD_PASSAGE | JSON | 2021-08-02 |
Sophos DHCP | DHCP | SOPHOS_DHCP | SYSLOG + KV | 2022-02-10 |
Azure Cosmos DB | Database | AZURE_COSMOS_DB | JSON | 2022-04-13 |
Signal Sciences WAF | WAF | SIGNAL_SCIENCES_WAF | JSON | 2022-03-03 |
Symantec Endpoint Protection | AV / Endpoint | SEP | SYSLOG | 2022-01-28 |
AWS Key Management Service | AWS Specific | AWS_KMS | JSON | 2022-02-23 |
Check Point | Firewall | CHECKPOINT_FIREWALL | SYSLOG + KV, JSON | 2022-03-21 |
Suricata IDS | IDS/IPS | SURICATA_IDS | JSON | 2021-03-07 |
Workspace ChromeOS Devices | GCP Specific | WORKSPACE_CHROMEOS | JSON | 2021-11-30 |
CA ACF2 | Mainframe | CA_ACF2 | LEEF | 2020-06-11 |
IBM DataPower Gateway | API Gateway | IBM_DATAPOWER | Message | 2022-01-17 |
VMware vRealize Suite | Cloud | VMWARE_VREALIZE | SYSLOG | 2022-04-27 |
Kemp Load Balancer | Load Balancer, Traffic Shaper, ADC | KEMP_LOADBALANCER | SYSLOG | 2021-04-04 |
RH-ISAC | IOC | RH_ISAC_IOC | JSON | 2022-03-22 |
Sophos Capsule8 | Container Security | SOPHOS_CAPSULE8 | JSON | 2021-12-22 |
Nutanix Prism | Firewall | NUTANIX_PRISM | JSON | 2022-02-14 |
Avatier Password Management | SaaS Application | AVATIER | SYSLOG + KV | 2021-08-05 |
Symantec VIP Gateway | Email Server | SYMANTEC_VIP | SYSLOG | 2022-03-02 |
Netskope Web Proxy | Web Proxy | NETSKOPE_WEBPROXY | SYSLOG | 2022-04-06 |
Symantec Web Isolation | Secure Access Service Edge | SYMANTEC_WEB_ISOLATION | JSON | 2021-08-27 |
SailPoint IAM | Identity and Access Management | SAILPOINT_IAM | JSON | 2021-08-25 |
Bluecat DDI | DDI (DNS, DHCP, IPAM) | BLUECAT_DDI | SYSLOG | 2022-05-05 |
ESET Threat Intelligence | IOC | ESET_IOC | JSON | 2020-05-06 |
Archer Integrated Risk Management | Risk Management Solution | ARCHER_IRM | SYSLOG | 2022-05-04 |
FireEye HX | EDR | FIREEYE_HX | JSON | 2022-02-03 |
Sourcefire | IDS/IPS | SOURCEFIRE_IDS | JSON | 2020-10-05 |
GCP VPC Flow | GCP Specific | GCP_VPC_FLOW | JSON | 2022-03-09 |
GCP Cloud Identity Devices | GCP Specific | GCP_CLOUDIDENTITY_DEVICES | JSON | 2022-04-13 |
Apache Cassandra | Web server | CASSANDRA | JSON | 2022-04-13 |
Cisco VPN | VPN | CISCO_VPN | SYSLOG | 2020-12-07 |
Duo Auth | Authentication | DUO_AUTH | JSON | 2022-03-21 |
McAfee ePolicy Orchestrator | Policy Management | MCAFEE_EPO | SYSLOG + XML, CSV | 2022-05-05 |
IBM Guardium | Database DLP | GUARDIUM | CSV | 2022-03-24 |
Imperva | WAF | IMPERVA_WAF | SYSLOG + KV + JSON | 2022-05-10 |
Dell EMC Isilon NAS | Storage | DELL_EMC_NAS | SYSLOG | 2021-10-12 |
Quest Active Directory | Authentication log | QUEST_AD | CEF Syslog | 2022-01-31 |
Forcepoint Proxy | Web Proxy | FORCEPOINT_WEBPROXY | SYSLOG + KV (CEF), LEEF | 2022-05-05 |
Infoblox DNS | DNS | INFOBLOX_DNS | SYSLOG | 2021-12-12 |
ISC DHCP | DHCP | ISC_DHCP | JSON + SYSLOG + KV | 2022-02-08 |
Microsoft Azure Activity | Misc Windows Specific | AZURE_ACTIVITY | JSON | 2021-04-22 |
Imperva Database | Cloud Application and Edge Security | IMPERVA_DB | SYSLOG | 2021-12-13 |
Recorded Future | IOC | RECORDED_FUTURE_IOC | JSON | 2021-11-17 |
F5 Shape | Security log | F5_SHAPE | JSON | 2022-02-21 |
Symantec DLP | DLP | SYMANTEC_DLP | SYSLOG + KV (CEF), XML | 2022-01-13 |
Kubernetes Node logs | Cloud security | KUBERNETES_NODE | JSON | 2021-11-03 |
Thales Digital Identity and Security | Digital Identity & Security | THALES_DIS | SYSLOG | 2022-03-17 |
Juniper MX Router | Routers and Switches | JUNIPER_MX | SYSLOG + KV | 2022-01-24 |
Netfilter IPtables | Firewall | NETFILTER_IPTABLES | SYSLOG + KV | 2022-03-11 |
BIND | DNS | BIND_DNS | SYSLOG | 2022-04-22 |
OpenVPN | Network | OPEN_VPN | SYSLOG + KV | 2022-04-28 |
Check Point Sandblast | EDR | CHECKPOINT_EDR | SYSLOG + KV | 2020-11-23 |
Fortinet FortiEDR | EDR | FORTINET_FORTIEDR | SYSLOG + KV | 2022-01-24 |
Palo Alto Prisma Cloud | SECURITY PLATFORM | PAN_PRISMA_CLOUD | JSON | 2021-12-31 |
Cisco Umbrella DNS | DNS | UMBRELLA_DNS | CSV, JSON | 2022-04-13 |
Azure AD | LDAP | AZURE_AD | JSON | 2022-04-20 |
Google Chrome Browser Cloud Management (CBCM) | Alerts | N/A | JSON | 2021-10-06 |
Zscaler | Web Proxy | ZSCALER_WEBPROXY | SYSLOG + KV, CSV | 2022-03-08 |
Forcepoint NGFW | Network | FORCEPOINT_FIREWALL | JSON | 2021-08-27 |
Palo Alto Networks Firewall | Firewall | PAN_FIREWALL | SYSLOG + LEEF | 2022-03-28 |
McAfee Unified Cloud Edge | SaaS Application | MCAFEE_UCE | JSON | 2021-07-20 |
HP Aruba (Clearpass) | Identity and Access Management | CLEARPASS | SYSLOG + KV | 2022-01-03 |
F5 DNS | DNS | F5_DNS | SYSLOG | 2021-06-17 |
SentinelOne EDR | EDR | SENTINEL_EDR | SYSLOG + JSON | 2022-04-18 |
Cisco Email Security | Email Server | CISCO_EMAIL_SECURITY | SYSLOG + KV | 2022-04-20 |
ESET | EDR | ESET_EDR | SYSLOG + JSON | 2020-01-26 |
Workday | SaaS Application | WORKDAY | JSON | 2020-08-04 |
Suricata EVE | IPS IDS | SURICATA_EVE | JSON | 2021-09-14 |
ForgeRock OpenDJ | LDAP | OPENDJ | SYSLOG + KV | 2020-10-01 |
Tanium Insight | Tanium Specific | TANIUM_INSIGHT | SYSLOG + KV | 2021-03-10 |
Digital Guardian | EDR | DIGITALGUARDIAN_EDR | KV | 2020-11-12 |
Microsoft CASB | CASB | MICROSOFT_CASB | SYSLOG + KV (CEF) | 2021-10-20 |
Workspace Groups | GCP Specific | WORKSPACE_GROUPS | JSON | 2021-09-22 |
Workspace Users | GCP Specific | WORKSPACE_USERS | JSON | 2022-03-28 |
Thinkst Canary | Deception Software | THINKST_CANARY | JSON | 2021-06-14 |
ThreatConnect | IOC | THREATCONNECT_IOC | JSON | 2022-01-13 |
Crowdstrike IOC | IOC | CROWDSTRIKE_IOC | JSON | 2021-08-17 |
Cisco CTS | Telephone Software | CISCO_CTS | SYSLOG + KV | 2021-05-20 |
VMware ESXi | Hypervisor | VMWARE_ESX | SYSLOG | 2022-05-02 |
Salesforce | SaaS Application | SALESFORCE | KV (LEEF), CSV | 2022-04-18 |
Zeek TSV | Format Specific | BRO_TSV | SYSLOG + TSV | 2022-01-31 |
Red Hat Directory Server LDAP | Identity and Access Management | REDHAT_DIRECTORY_SERVER | JSON + SYSLOG + KV | 2022-04-11 |
Aruba Airwave | Wireless | ARUBA_AIRWAVE | XML | 2021-03-16 |
CIS Albert Alerts | Alerts | CIS_ALBERT_ALERT | SYSLOG | 2022-02-18 |
GMAIL Logs | GCP Specific | GMAIL_LOGS | JSON | 2022-01-06 |
Tripwire | DLP | TRIPWIRE_FIM | SYSLOG | 2021-09-01 |
Linux DHCP | DHCP | LINUX_DHCP | SYSLOG | 2022-02-07 |
Workspace Mobile Devices | GCP Specific | WORKSPACE_MOBILE | JSON | 2021-07-28 |
OSSEC | IDS/IPS | OSSEC | SYSLOG | 2022-03-02 |
Tanium Comply | Tanium Specific | TANIUM_COMPLY | JSON | 2021-08-04 |
ZScaler VPN | VPN | ZSCALER_VPN | SYSLOG + CSV | 2022-01-13 |
Azure AD Directory Audit | Audit | AZURE_AD_AUDIT | JSON | 2022-02-08 |
AWS CloudFront | CDN | AWS_CLOUDFRONT | SYSLOG | 2022-02-21 |
PAN Autofocus | IOC | PAN_IOC | JSON | 2021-08-09 |
NXLog Manager | Log Aggregator | NXLOG_MANAGER | SYSLOG | 2022-01-13 |
Rapid7 | Vulnerability Scanner | RAPID7_NEXPOSE | JSON | 2021-07-29 |
Mobileiron | ENDPOINT MANAGEMENT | MOBILEIRON | JSON | 2022-04-25 |
GCP Apigee | GCP Specific | GCP_APIGEE | JSON | 2021-11-02 |
Brocade ServerIron ADX | Load Balancer | BROCADE_SERVERIRON | SYSLOG | 2022-01-13 |
Thales MFA | Authentication | THALES_MFA | SYSLOG + KV (CEF) | 2020-07-13 |
Rubrik | Backup software | RUBRIK | SYSLOG | 2022-02-02 |
Windows Network Policy Server | Authentication | WINDOWS_NET_POLICY_SERVER | SYSLOG, JSON, SYSLOG + XML | 2022-02-18 |
GMV Checker ATM Security | ATM Audit | GMV_CHECKER | SYSLOG | 2022-04-20 |
Akamai Cloud Monitor | Load Balancer, Traffic Shaper, ADC | AKAMAI_CLOUD_MONITOR | JSON | 2021-07-20 |
IBM Informix | DATABASE | INFORMIX | JSON + SYSLOG | 2022-02-18 |
FireEye NX | NDR | FIREEYE_NX | JSON | 2022-01-17 |
CloudGenix SD-WAN | Switches, Routers | CLOUDGENIX_SDWAN | SYSLOG + KV | 2020-11-20 |
Anomali | IOC | ANOMALI_IOC | JSON, CEF | 2022-03-14 |
ServiceNow CMDB | Policy Management | SERVICENOW_CMDB | JSON | 2022-04-13 |
Elastic Windows Event Log Beats | Log Aggregator | ELASTIC_WINLOGBEAT | SYSLOG + JSON | 2022-05-04 |
Nucleus Asset Metadata | Nucleus Specific | NUCLEUS_ASSET | JSON | 2021-08-05 |
SentinelOne Deep Visibility | EDR | SENTINEL_DV | JSON | 2021-01-25 |
Digital Shadows SearchLight | Threat Intelligence | DIGITAL_SHADOWS_SEARCHLIGHT | JSON | 2022-05-02 |
Windows Event (XML) | AV / Endpoint | WINEVTLOG_XML | SYSLOG + XML | 2022-01-25 |
Cato Networks | NDR | CATO_NETWORKS | JSON | 2020-07-14 |
F5 ASM | WAF | F5_ASM | SYSLOG | 2022-04-27 |
LimaCharlie | EDR | LIMACHARLIE_EDR | JSON | 2021-10-18 |
Palo Alto Cortex XDR | NDR | CORTEX_XDR | JSON | 2022-01-23 |
Cisco Meraki | Wireless | CISCO_MERAKI | SYSLOG, JSON | 2022-05-04 |
McAfee Web Gateway | Web Proxy | MCAFEE_WEBPROXY | SYSLOG + KV (CEF), JSON | 2022-01-18 |
SonicWall | Firewall | SONIC_FIREWALL | SYSLOG + KV | 2020-04-09 |
Aqua Security | IaaS Applications | AQUA_SECURITY | JSON | 2022-02-03 |
Tanium Asset | Tanium Specific | TANIUM_ASSET | JSON | 2021-06-14 |
Corelight | NDR | CORELIGHT | JSON | 2022-04-23 |
Microsoft Defender for Identity | EDR | MICROSOFT_DEFENDER_IDENTITY | JSON | 2022-04-22 |
GCP Load Balancing | Load Balancer | GCP_LOADBALANCING | JSON | 2022-01-11 |
AWS Elastic Load Balancer | AWS Specific | AWS_ELB | SYSLOG | 2021-11-18 |
Azure AD Organizational Context | LDAP | AZURE_AD_CONTEXT | JSON | 2022-05-09 |
Citrix Storefront | Remote Access Tools | CITRIX_STOREFRONT | JSON | 2021-12-29 |
Silverfort Authentication Platform | Identity and Access Management | SILVERFORT | CEF Syslog | 2022-01-18 |
Proofpoint Email Filter | Email Server | PROOFPOINT_MAIL_FILTER | KV | 2021-11-15 |
Centrify | SSO | CENTRIFY_SSO | JSON | 2020-07-08 |
F5 VPN | VPN | F5_VPN | SYSLOG | 2020-10-08 |
COVID-19 Cyber Threat Coalition | IOC | COVID_CTC_IOC | Value Entry | 2020-06-02 |
Imperva SecureSphere Management | Data Security / Insider Threat | IMPERVA_SECURESPHERE | SYSLOG + KV (CEF) | 2021-09-06 |
JAMF CMDB | Computer Inventory | JAMF | JSON | 2021-12-03 |
pfSense | FIREWALL | PFSENSE | SYSLOG | 2022-04-11 |
Tanium Stream | Tanium Specific | TANIUM_TH | JSON | 2022-03-30 |
Red Canary | EDR | REDCANARY_EDR | JSON | 2021-01-12 |
FortiGate | Firewall | FORTINET_FIREWALL | JSON, SYSLOG + KV | 2022-04-29 |
VMware AirWatch | Wireless | AIRWATCH | SYSLOG + KV | 2021-12-06 |
Cisco TACACS+ | Authentication | CISCO_TACACS | SYSLOG + KV | 2022-03-22 |
Dell OpenManage | Systems Management Application | DELL_OPENMANAGE | SYSLOG | 2022-03-03 |
Microsoft Azure NSG Flow | Network Flow | AZURE_NSG_FLOW | JSON | 2022-04-18 |
CyberArk | Privilege Account Management | CYBERARK | KV (CEF) | 2021-12-31 |
tenable.io | Vulnerability Scanner | TENABLE_IO | JSON | 2022-03-07 |
Microsoft IIS | Web Server | IIS | SYSLOG + KV | 2022-03-30 |
Stealthbits Audit | File system monitoring | STEALTHBITS_AUDIT | JSON | 2021-11-09 |
Symantec EDR | EDR | SYMANTEC_EDR | JSON | 2022-03-31 |
VanDyke SFTP | Data Transfer | VANDYKE_SFTP | JSON, SYSLOG | 2022-03-25 |
Vectra Detect | NDR | VECTRA_DETECT | SYSLOG + JSON | 2021-01-14 |
AlgoSec Security Management | Policy Management | ALGOSEC | SYSLOG + KV (CEF) | 2021-05-13 |
Squid Web Proxy | Web Proxy | SQUID_WEBPROXY | SYSLOG | 2021-02-16 |
Workspace Activities | GCP Specific | WORKSPACE_ACTIVITY | JSON | 2022-04-27 |
Thycotic | Identity and Access Management | THYCOTIC | SYSLOG + KV (CEF) | 2020-08-22 |
VMware Tanzu Kubernetes Grid | IDS/IPS | VMWARE_TANZU | JSON | 2022-04-27 |
Kyriba Treasury Management | SaaS Application | KYRIBA | CSV | 2021-02-24 |
Okta Access Gateway | OKTA specific | OKTA_ACCESS_GATEWAY | JSON | 2022-01-24 |
HP Procurve Switch | Switches | HP_PROCURVE | SYSLOG | 2021-09-27 |
Cybereason EDR | EDR | CYBEREASON_EDR | JSON | 2021-06-29 |
Tanium Reveal | Tanium Specific | TANIUM_REVEAL | JSON | 2021-11-15 |
Microsoft Intune | Mobile Device Management | AZURE_MDM_INTUNE | JSON | 2021-04-15 |
Sophos Firewall (Next Gen) | Firewall | SOPHOS_FIREWALL | KV | 2022-01-11 |
Acalvio | Deception Software | ACALVIO | SYSLOG + KV | 2020-10-13 |
GCP Compute | GCP Specific | GCP_COMPUTE | JSON | 2022-03-08 |
Ordr IoT | IoT | ORDR_IOT | SYSLOG + JSON | 2022-04-13 |
Darktrace | NDR | DARKTRACE | SYSLOG + KV (CEF) | 2022-04-22 |
CA Access Control | Access Management | CA_ACCESS_CONTROL | JSON + SYSLOG, SYSLOG | 2022-04-13 |
Cloudflare | SaaS Application | CLOUDFLARE | JSON | 2021-10-21 |
Akamai DNS | DNS | AKAMAI_DNS | CSV | 2021-06-28 |
Forescout NAC | NAC | FORESCOUT_NAC | SYSLOG | 2022-02-06 |
ZScaler DNS | DNS | ZSCALER_DNS | SYSLOG + KV | 2020-12-03 |
Cisco DHCP | DHCP | CISCO_DHCP | CSV + SYSLOG | 2022-02-07 |
Absolute Mobile Device Management | Mobile Device Management | ABSOLUTE | SYSLOG + KV (CEF) | 2021-06-15 |
Mimecast | Email Server | MIMECAST_MAIL | KV | 2022-03-07 |
Honeyd | Deception Software | HONEYD | SYSLOG | 2021-04-05 |
SecureAuth | SSO | SECUREAUTH_SSO | SYSLOG, XML | 2022-04-25 |
IBM DB2 | Database | DB2_DB | LEEF | 2022-05-04 |
Apache | Web Server | APACHE | SYSLOG | 2021-10-07 |
Fidelis Network | NDR | FIDELIS_NETWORK | SYSLOG + KV | 2021-03-22 |
RSA | Identity and Access Management | RSA_AUTH_MANAGER | CSV | 2021-10-07 |
GitHub | SaaS Application | GITHUB | JSON | 2021-07-26 |
OpenSSH | Logging and Troubleshooting | OPENSSH | SYSLOG | 2021-12-08 |
AlphaSOC | Alert | ASOC_ALERT | JSON | 2021-06-21 |
Fortinet FortiNAC | NAC | FORTINET_FORTINAC | SYSLOG | 2021-12-16 |
Cisco Umbrella Cloud Firewall | Firewall | UMBRELLA_FIREWALL | CSV | 2021-03-15 |
Cisco ASA | Firewall | CISCO_ASA_FIREWALL | JSON, SYSLOG | 2022-02-27 |
Cisco ACS | Authentication | CISCO_ACS | SYSLOG + KV | 2022-05-05 |
CrowdStrike Falcon | EDR | CS_EDR | JSON | 2022-04-27 |
Netskope | Cloud Security | NETSKOPE_ALERT | JSON | 2021-09-15 |
Stealthbits Defend | Security System for Active Directory and File Systems | STEALTHBITS_DEFEND | SYSLOG + KV (LEEF) | 2022-01-17 |
Centripetal Networks IOC | IOC | CENTRIPETAL_IOC | SYSLOG + KV | 2022-01-06 |
D3 Banking | BANKING | D3_BANKING | JSON | 2022-03-23 |
Rapid7 Insight | Vulnerability Scanner | RAPID7_INSIGHT | JSON | 2021-12-20 |
Shibboleth IDP | Identity and Access Management | SHIBBOLETH_IDP | SYSLOG | 2021-04-19 |
Elastic Audit Beats | ALERTING | ELASTIC_AUDITBEAT | JSON | 2022-05-07 |
Cisco Application Control Engine | Load Balancer, Traffic Shaper, ADC | CISCO_ACE | SYSLOG | 2021-01-13 |
Carbon Black | EDR | CB_EDR | JSON | 2022-01-24 |
Windows Firewall | Firewall | WINDOWS_FIREWALL | Space Separated Value | 2021-08-26 |
Windows Applocker | Application Locker | WINDOWS_APPLOCKER | SYSLOG + KV | 2022-02-07 |
Juniper Junos | Network Device | JUNIPER_JUNOS | SYSLOG + KV | 2022-05-02 |
PostFix Mail | Email Server | POSTFIX_MAIL | SYSLOG | 2020-09-18 |
Cylance Protect | Alerts | CYLANCE_PROTECT | SYSLOG + KV | 2020-07-06 |
GCP IDS | IDS | GCP_IDS | JSON | 2021-09-14 |
Kaspersky AV | AV / Endpoint | KASPERSKY_AV | KV + CEF | 2022-03-29 |
Ping Identity | Authentication | PING | JSON, SYSLOG + KV | 2022-03-21 |
Tanium Threat Response | Tanium Specific | TANIUM_THREAT_RESPONSE | JSON | 2021-06-30 |
Apache Tomcat | Web server | TOMCAT | JSON | 2022-04-20 |
IBM AS/400 | Application System | IBM_AS400 | SYSLOG + KV | 2022-04-13 |
ExtraHop RevealX | Firewall IDS/IPS | EXTRAHOP | JSON, SYSLOG | 2022-05-10 |
Falco IDS | IDS/IPS | FALCO_IDS | JSON | 2021-07-29 |
Citrix Netscaler | Load Balancer, Traffic Shaper, ADC | CITRIX_NETSCALER | SYSLOG + KV | 2022-05-09 |
ClamAV | AV / Endpoint | CLAM_AV | JSON | 2022-02-07 |
Preempt Auth | Identity and Access Management | PREEMPT_AUTH | SYSLOG + JSON | 2021-06-16 |
Windows Defender ATP | AV / Endpoint | WINDOWS_DEFENDER_ATP | SYSLOG + JSON, XML | 2020-08-22 |
Qualys VM | Vulnerability Scanner | QUALYS_VM | KV | 2020-08-16 |
Microsoft Graph API Alerts | Gateway to data and intelligence | MICROSOFT_GRAPH_ALERT | JSON | 2022-01-21 |
Big Switch BigCloudFabric | Switches, Routers | BIGSWITCH_BCF | SYSLOG | 2021-04-20 |
BeyondTrust | Privilege Account Activity | BOMGAR | SYSLOG | 2022-02-18 |
McAfee DLP | DLP | MCAFEE_DLP | CSV | 2022-04-13 |
Microsoft Defender for Endpoint | EDR | MICROSOFT_DEFENDER_ENDPOINT | JSON | 2022-03-30 |
EPIC Systems | Discovery and Monitoring | EPIC | LEEF + KV | 2022-04-14 |
Proofpoint Tap Alerts | Email Server | PROOFPOINT_MAIL | JSON | 2022-01-06 |
FireEye | Alerts | FIREEYE_ALERT | SYSLOG + JSON | 2022-03-15 |
Microsoft SQL Server | Database | MICROSOFT_SQL | SYSLOG + KV | 2020-06-12 |
ManageEngine ADAudit Plus | Active Directory Audit | ADAUDIT_PLUS | SYSLOG + KV (CEF) | 2021-10-07 |
Tanium Patch | Tanium Specific | TANIUM_PATCH | JSON | 2022-02-08 |
VMware vCenter | Server | VMWARE_VCENTER | SYSLOG + JSON | 2022-05-06 |
Proofpoint Observeit | Email Server | OBSERVEIT | JSON, KV | 2022-01-17 |
Okta | Identity and Access Management | OKTA | JSON | 2022-03-22 |
ZScaler NGFW | Firewall | ZSCALER_FIREWALL | SYSLOG + KV (CEF), CSV | 2022-04-29 |
HCL BigFix | Network Management and Optimization | HCL_BIGFIX | JSON | 2022-04-27 |
Fortinet | DHCP | FORTINET_DHCP | KV | 2021-04-28 |
TeamViewer | Remote Support | TEAMVIEWER | JSON | 2021-11-24 |
EfficientIP DDI | Network | EFFICIENTIP_DDI | SYSLOG + KV | 2022-01-24 |
CSV Custom IOC | IOC | CSV_CUSTOM_IOC | CSV | 2021-11-10 |
Trend Micro AV | AV / Endpoint | TRENDMICRO_AV | SYSLOG + KV | 2020-08-22 |
Atlassian Confluence | Knowledge base | ATLASSIAN_CONFLUENCE | SYSLOG | 2022-02-01 |
Medigate IoT | IoT | MEDIGATE_IOT | SYSLOG + JSON | 2021-07-22 |
Cisco ISE | Identity and Access Management | CISCO_ISE | SYSLOG | 2022-05-02 |
Slack Audit | Productivity | SLACK_AUDIT | JSON | 2022-04-07 |
OneLogin | SSO | ONELOGIN_SSO | JSON | 2022-03-23 |
TrendMicro Web Proxy | Web Proxy | TRENDMICRO_WEBPROXY | SYSLOG + KV | 2021-03-05 |
Blue Coat Proxy | Web Proxy | BLUECOAT_WEBPROXY | SYSLOG + JSON, SYSLOG + KV | 2022-04-20 |
Men and Mice DNS | DNS | MENANDMICE_DNS | SYSLOG | 2021-11-12 |
Unix system | OS | NIX_SYSTEM | SYSLOG | 2022-03-03 |
Tanium Discover | Tanium Specific | TANIUM_DISCOVER | JSON | 2021-08-10 |
Windows Defender AV | AV / Endpoint | WINDOWS_DEFENDER_AV | JSON, XML | 2022-01-10 |
Varonis | Data Security / Insider Threat | VARONIS | SYSLOG + KV (CEF) | 2021-04-22 |
Nokia VitalQIP | DDI (DNS, DHCP, IPAM) | VITALQIP | SYSLOG | 2022-03-01 |
Unbound DNS | DNS | UNBOUND_DNS | SYSLOG | 2020-06-09 |
Workspace Privileges | GCP Specific | WORKSPACE_PRIVILEGES | JSON | 2021-08-22 |
Amazon Guardduty | IDS/IPS | GUARDDUTY | JSON | 2022-03-31 |
HPE ILO | Server Management | HPE_ILO | SYSLOG | 2022-03-14 |
Palo Alto Networks Traps | EDR | PAN_EDR | JSON | 2020-03-17 |
Sophos UTM | Unified Threat Management | SOPHOS_UTM | KV | 2022-04-13 |
FileZilla | File transfer | FILEZILLA_FTP | SYSLOG | 2022-03-23 |
Custom Security Data Analytics | Log Aggregation | CUSTOM_SECURITY_DATA_ANALYTICS | JSON | 2021-04-14 |
DMP | Physical Security | DMP_ENTRE | SYSLOG | 2020-09-23 |
Pulse Secure | VPN | PULSE_SECURE_VPN | SYSLOG | 2022-04-13 |
ExtraHop DNS | DNS | EXTRAHOP_DNS | JSON | 2021-12-13 |
Box | Collaboration | BOX | JSON | 2021-02-16 |
Apple MacOS | AV / Endpoint | MACOS | SYSLOG | 2022-05-04 |
Automation Anywhere | Automation Tools | AUTOMATION_ANYWHERE | SYSLOG + KV | 2021-04-28 |
Active Countermeasures | Alert | AI_HUNTER | SYSLOG | 2020-12-08 |
Infoblox | DHCP, DNS | INFOBLOX | SYSLOG | 2022-04-08 |
Preempt Alert | Identity and Access Management | PREEMPT | SYSLOG + KV (CEF) | 2020-06-08 |
Tenable Security Center | Vulnerability Scanner | TENABLE_SC | SYSLOG | 2021-05-18 |
Sendmail | Email Server | SENDMAIL | SYSLOG + KV | 2022-05-06 |
AWS Config | AWS Specific | AWS_CONFIG | JSON | 2022-03-30 |
Carbon Black App Control | Security log | CB_APP_CONTROL | CEF | 2021-12-02 |
Kea DHCP | DHCP | KEA_DHCP | SYSLOG | 2022-03-22 |
Cisco Firepower NGFW | Firewall | CISCO_FIREPOWER_FIREWALL | SYSLOG | 2022-05-05 |
Juniper | Firewall | JUNIPER_FIREWALL | SYSLOG + KV | 2021-12-21 |
Aruba | Wireless | ARUBA_WIRELESS | SYSLOG | 2022-03-30 |
MySQL | Database | MYSQL | SYSLOG | 2021-04-12 |
Microsoft Powershell | Misc. Windows-specific | POWERSHELL | SYSLOG + JSON | 2022-04-21 |
Nucleus Unified Vulnerability Management | Nucleus Specific | NUCLEUS_VULNERABILITY | JSON | 2021-06-30 |
Sophos AV | AV / Endpoint | SOPHOS_AV | CSV, JSON | 2022-01-26 |
Strong Swan VPN | VPN | STRONGSWAN_VPN | JSON | 2021-06-04 |
File Scanning Framework | File scanning | FILE_SCANNING_FRAMEWORK | JSON | 2021-09-27 |
Cisco AMP | AV / Endpoint | CISCO_AMP | JSON | 2021-12-12 |
Passive DNS | DNS | PASSIVE_DNS | JSON | 2021-05-19 |
Symantec CloudSOC CASB | CASB | SYMANTEC_CASB | SYSLOG + JSON | 2021-12-17 |
Microsoft ATA | IDS/IPS | MICROSOFT_ATA | SYSLOG + KV | 2021-07-13 |
Zeek JSON | Format Specific | BRO_JSON | SYSLOG + JSON | 2021-11-01 |
Mongo Database | DATABASE | MONGO_DB | JSON | 2022-03-07 |
Cisco Router | Switches, Routers | CISCO_ROUTER | SYSLOG | 2022-02-28 |
Office 365 | SaaS Application | OFFICE_365 | JSON | 2022-05-05 |
NIMBLE OS | OS | NIMBLE_OS | SYSLOG | 2020-10-05 |
McAfee IPS | IDS/IPS | MCAFEE_IPS | SYSLOG | 2021-04-15 |
Symantec Web Security Service | Web Proxy | SYMANTEC_WSS | JSON | 2021-07-01 |
Thales Luna Hardware Security Module | THALES_LUNA_HSM specific | THALES_LUNA_HSM | JSON, GROK | 2022-02-14 |
Cisco Umbrella IP | Web Proxy | UMBRELLA_IP | SYSLOG | 2021-04-26 |
Microsoft AD | LDAP | WINDOWS_AD | JSON | 2022-03-21 |
Cisco FireSIGHT Management Center | SaaS Application | CISCO_FIRESIGHT | KV | 2021-12-10 |
Ubiquiti UniFi Switch | Switch | UBIQUITI_SWITCH | SYSLOG | 2022-02-07 |
Windows Sysmon | DNS | WINDOWS_SYSMON | JSON, XML | 2022-04-09 |
Uptycs EDR | Endpoint detection and response | UPTYCS_EDR | JSON | 2021-11-23 |
Azure Firewall | Azure Firewall Application Rule | AZURE_FIREWALL | JSON | 2022-04-29 |
Wazuh | Log Aggregator | WAZUH | SYSLOG + JSON | 2022-01-21 |
Cisco Internetwork Operating System | Network Infrastructure | CISCO_IOS | SYSLOG | 2021-12-03 |
IBM Tivoli | Monitoring | IBM_TIVOLI | JSON, SYSLOG | 2022-01-10 |
Aruba IPS | IPS | ARUBA_IPS | JSON | 2022-03-16 |
Layer7 SiteMinder | SSO | SITEMINDER_SSO | KV + JSON | 2022-04-19 |
Windows Event | Endpoint | WINEVTLOG | JSON + KV | 2022-05-10 |
Azure SQL | Database | AZURE_SQL | JSON | 2022-02-08 |
IBM Websphere Application Server | Web server | IBM_WEBSPHERE_APP_SERVER | JSON, SYSLOG | 2022-01-20 |
Digital Shadows Indicators | IOC | DIGITAL_SHADOWS_IOC | JSON | 2022-04-23 |
WatchGuard | Syslog and KV | WATCHGUARD | JSON | 2021-12-08 |
Ipswitch SFTP | Data Transfer | IPSWITCH_SFTP | SYSLOG, JSON | 2022-03-15 |
Barracuda Email | Email Server | BARRACUDA_EMAIL | JSON | 2020-03-17 |
Cofense | Email Server | COFENSE_TRIAGE | SYSLOG + KV (CEF) | 2021-04-07 |
Akamai WAF | WAF | AKAMAI_WAF | SYSLOG | 2022-03-23 |
Forseti Open Source | GCP Specific | FORSETI | JSON | 2021-12-23 |
Infoblox DHCP | DHCP | INFOBLOX_DHCP | SYSLOG | 2022-04-13 |
Thales Vormetric | Encryption | VORMETRIC | SYSLOG | 2021-12-17 |
Bitdefender | AV / Endpoint | BITDEFENDER | CSV | 2022-04-14 |
GCP Cloud Identity Device Users | GCP Specific | GCP_CLOUDIDENTITY_DEVICEUSERS | JSON | 2022-04-21 |
Bluecat Edge DNS Resolver | DNS | BLUECAT_EDGE | JSON, KV, SYSLOG | 2022-01-18 |
Windows DNS | DNS | WINDOWS_DNS | JSON, XML, SYSLOG + KV | 2022-04-13 |
Cisco WLC/WCS | Wireless | CISCO_WIRELESS | SYSLOG | 2021-02-16 |
Emerging Threats Pro | IOC | ET_PRO_IOC | CSV | 2021-12-09 |
Okta User Context | Identity and Access Management | OKTA_USER_CONTEXT | JSON | 2022-03-29 |
Radware Web Application Firewall | Firewall | RADWARE_FIREWALL | SYSLOG | 2021-09-08 |
Snort | IDS/IPS | SNORT_IDS | SYSLOG + JSON | 2021-12-23 |
Duo Entity context data | Identity and Access Management | DUO_CONTEXT | JSON | 2022-03-14 |
Avanan Email Security | Email Server | AVANAN_EMAIL | JSON | 2020-09-15 |
McAfee Enterprise Security Manager | Log Aggregator | MCAFEE_ESM | SYSLOG + JSON | 2022-02-25 |
Cisco Umbrella Web Proxy | Web Proxy | UMBRELLA_WEBPROXY | CSV | 2022-03-29 |
Unifi AP | Switches and Routers | UNIFI_AP | SYSLOG + KV, SYSLOG + JSON | 2022-04-13 |
VMware Horizon | VDI | VMWARE_HORIZON | SYSLOG | 2022-02-15 |
Atlassian Jira | Ticketing Application | ATLASSIAN_JIRA | SYSLOG | 2022-01-18 |
Vectra Stream | NDR | VECTRA_STREAM | SYSLOG + KV | 2022-03-03 |
Cisco CloudLock | CASB | CISCO_CLOUDLOCK_CASB | JSON | 2021-10-04 |
Workspace Alerts | | WORKSPACE_ALERTS | JSON | 2022-04-13 |