Supported default parsers

Parsers normalize raw log data into the structured Unified Data Model (UDM) format. This section lists the devices and ingestion labels that have a default parser. Chronicle considers a default parser supported as long as the device's raw logs are received in the required format.

For a list of supported ingestion labels, see Supported data sets.

The Format column indicates the high-level structure of the raw log, as one of the following:

  • CSV: Comma Separated Values
  • JSON: JavaScript Object Notation
  • SYSLOG: syslog formatted message
  • KV: key-value pair
  • XML: Extensible Markup Language
  • SYSLOG + KV: syslog header with key-value body
  • SYSLOG + JSON: syslog header with JSON body
  • SYSLOG + XML: syslog header with XML body
  • LEEF: Log Event Extended Format
  • CEF: Common Event Format

| Vendor / Product | Category | Ingestion Label | Format | Last Update |
|---|---|---|---|---|
| Absolute Mobile Device Management | Mobile Device Management | ABSOLUTE | SYSLOG + KV (CEF) | 2021-05 |
| Acalvio | Deception Software | ACALVIO | SYSLOG + KV | 2020-10 |
| ManageEngine ADAudit Plus | Misc. Windows-specific | ADAUDIT_PLUS | SYSLOG + KV | 2020-09 |
| VMware AirWatch | Wireless | AIRWATCH | SYSLOG | 2020-08 |
| Active Countermeasures | Alert | AI_HUNTER | SYSLOG | 2020-12 |
| Akamai WAF | WAF | AKAMAI_WAF | SYSLOG, JSON | 2021-06 |
| Akamai Cloud Monitor | Load Balancer, Traffic Shaper, ADC | AKAMAI_CLOUD_MONITOR | JSON | 2021-06 |
| AlgoSec Security Management | Policy Management | ALGOSEC | SYSLOG + KV (CEF) | 2021-05 |
| Apache | Web Server | APACHE | SYSLOG | 2021-04 |
| Aqua Security | IaaS Applications | AQUA_SECURITY | JSON | 2021-06 |
| Aruba Airwave | Wireless | ARUBA_AIRWAVE | XML | 2021-03 |
| Aruba | Wireless | ARUBA_WIRELESS | SYSLOG | 2021-03 |
| Static IP | DHCP | ASSET_STATIC_IP | CSV | 2020-04 |
| Linux Auditing System | OS | AUDITD | SYSLOG | 2021-05 |
| Automation Anywhere | Automation Tools | AUTOMATION_ANYWHERE | SYSLOG + KV | 2021-04 |
| Avanan Email Security | Email Server | AVANAN_EMAIL | JSON | 2020-09 |
| Avatier Password Management | Identity and Access Management | AVATIER | SYSLOG + KV | 2020-12 |
| AWS VPC Flow | AWS-specific | AWS_VPC_FLOW | SYSLOG | 2021-01 |
| Azure Activity | Misc. Windows-specific | AZURE_ACTIVITY | JSON | 2021-04 |
| Azure AD | Misc. Windows-specific | AZURE_AD | JSON | 2021-02 |
| Azure AD Organizational Context | Misc. Windows-specific | AZURE_AD_CONTEXT | JSON | 2021-05 |
| Microsoft Graph API | Mobile Device Management | AZURE_MDM_INTUNE | JSON | 2021-03 |
| Barracuda Email | Email Server | BARRACUDA_EMAIL | JSON | 2020-03 |
| Big Switch Big Cloud Fabric | Switches, Routers | BIGSWITCH_BCF | SYSLOG | 2021-04 |
| BIND | DNS | BIND_DNS | SYSLOG | 2021-05 |
| Bitdefender | AV / Endpoint | BITDEFENDER | CSV | 2021-05 |
| Bitdefender Internal Analytics | AV / Endpoint | BITDEFENDER_ANALYTICS | CSV | 2021-05 |
| Bluecat DDI | DDI (DNS, DHCP, IPAM) | BLUECAT_DDI | SYSLOG | 2021-05 |
| Blue Coat Proxy | Web Proxy | BLUECOAT_WEBPROXY | SYSLOG + JSON, SYSLOG + KV | 2021-03 |
| BeyondTrust | Privilege Account Activity | BOMGAR | SYSLOG | 2020-06 |
| Box | Collaboration | BOX | JSON | 2021-02 |
| Brocade ServerIron ADX | Load Balancer, Traffic Shaper, ADC | BROCADE_SERVERIRON | SYSLOG | 2021-01 |
| Bro | Format Specific | BRO_JSON | SYSLOG + JSON | 2021-06 |
| Bro | Format Specific | BRO_TSV | SYSLOG + TSV | 2020-11 |
| Cato Networks | NDR | CATO_NETWORKS | JSON | 2020-08 |
| CA ACF2 | Mainframe | CA_ACF2 | LEEF | 2021-02 |
| Carbon Black | EDR | CB_EDR | JSON | 2020-09 |
| Centrify | SSO | CENTRIFY_SSO | JSON | 2020-07 |
| Check Point Sandblast | EDR | CHECKPOINT_EDR | SYSLOG + KV | 2020-11 |
| Check Point | Firewall | CHECKPOINT_FIREWALL | SYSLOG + KV | 2021-02 |
| CIS Albert Alerts | Alerts | CIS_ALBERT_ALERT | SYSLOG | 2021-04 |
| Cisco Application Control Engine | Load Balancer, Traffic Shaper, ADC | CISCO_ACE | SYSLOG | 2021-01 |
| Cisco ACS | Authentication | CISCO_ACS | SYSLOG + KV | 2020-11 |
| Cisco AMP | AV / Endpoint | CISCO_AMP | JSON | 2020-07 |
| Cisco ASA | Firewall | CISCO_ASA_FIREWALL | JSON, SYSLOG | 2021-06 |
| Cisco CTS | Telephone Software | CISCO_CTS | SYSLOG + KV | 2021-05 |
| Cisco Email Security | Email Server | CISCO_EMAIL_SECURITY | SYSLOG | 2021-04 |
| Cisco Firepower NGFW | Firewall | CISCO_FIREPOWER_FIREWALL | SYSLOG | 2021-05 |
| Cisco ISE | Identity and Access Management | CISCO_ISE | SYSLOG | 2021-03 |
| Cisco Meraki | Format Specific | CISCO_MERAKI | SYSLOG | 2021-05 |
| Cisco NX-OS | OS | CISCO_NX_OS | SYSLOG | 2021-02 |
| Cisco Prime | Network Management and Optimization | CISCO_PRIME | SYSLOG | 2021-05 |
| Cisco Router | Switches, Routers | CISCO_ROUTER | SYSLOG | 2021-05 |
| Cisco Switch | Switches, Routers | CISCO_SWITCH | SYSLOG | 2020-12 |
| Cisco Stealthwatch | Netflow | CISCO_STEALTHWATCH | JSON | 2019-07 |
| Cisco VPN | VPN | CISCO_VPN | SYSLOG | 2020-12 |
| Cisco WLC | Wireless | CISCO_WIRELESS | SYSLOG | 2021-02 |
| Citrix Netscaler | Load Balancer, Traffic Shaper, ADC | CITRIX_NETSCALER | SYSLOG + KV | 2021-03 |
| Citrix Storefront | Remote Access Tools | CITRIX_STOREFRONT | JSON | 2021-05 |
| ClamAV | AV / Endpoint | CLAM_AV | JSON | 2020-10 |
| HP Aruba(Clearpass) | Identity and Access Management | CLEARPASS | SYSLOG + KV | 2020-08 |
| Cloudflare | SaaS Application | CLOUDFLARE | JSON | 2020-06 |
| CloudGenix SD-WAN | Switches, Routers | CLOUDGENIX_SDWAN | SYSLOG + KV | 2020-11 |
| Cloudian hyperstore | Storage solutions | CLOUDIAN_HYPERSTORE | SYSLOG | 2021-05 |
| Cloud Passage | SaaS Application | CLOUD_PASSAGE | JSON | 2020-09 |
| Cofense Triage | Email Server | COFENSE_TRIAGE | SYSLOG + KV (CEF) | 2021-04 |
| Comodo | AV / Endpoint | COMODO_AV | SYSLOG + KV (CEF) | 2021-04 |
| Corelight | NDR | CORELIGHT | JSON | 2020-12 |
| Palo Alto Cortex XDR | NDR | CORTEX_XDR | JSON | 2021-02 |
| COVID-19 Cyber Threat Coalition | IOC | COVID_CTC_IOC | VALUE ENTRY | 2020-06 |
| Crowdstrike | IOC | CROWDSTRIKE_IOC | JSON | 2020-05 |
| CSV Custom IOC | IOC | CSV_CUSTOM_IOC | CSV | 2021-01 |
| CrowdStrike Falcon | EDR | CS_EDR | JSON | |
| CrowdStrike Falcon Stream | Alerts | CS_STREAM | KV (LEEF) | 2020-12 |
| Custom Security Data Analytics | Log Aggregation / SIEM | CUSTOM_SECURITY_DATA_ANALYTICS | JSON | 2021-04 |
| CyberArk | Privilege Account Activity | CYBERARK | KV (CEF) | 2021-02 |
| Cylance | Alerts | CYLANCE_PROTECT | SYSLOG + KV | 2020-07 |
| Darktrace | NDR | DARKTRACE | SYSLOG + KV (CEF) | 2020-09 |
| IBM DB2 | Database | DB2_DB | LEEF | 2020-11 |
| Digital Guardian | EDR | DIGITALGUARDIAN_EDR | KV | 2020-11 |
| DMP | Physical Security (Facilities) | DMP_ENTRE | SYSLOG | 2020-09 |
| Duo Auth | Authentication | DUO_AUTH | JSON | 2020-10 |
| Duo User Context | Identity and Access Management | DUO_USER_CONTEXT | JSON | 2021-04 |
| Elastic Packet Beats | Log Aggregator - DHCP, DNS | ELASTIC_PACKETBEATS | SYSLOG + JSON | 2021-02 |
| Elastic Windows Event Log Beats | Log Aggregator - Windows | ELASTIC_WINLOGBEAT | SYSLOG + JSON | 2021-05 |
| ESET | EDR | ESET_EDR | SYSLOG + JSON | 2020-01 |
| ESET Threat Intelligence | IOC | ESET_IOC | JSON | 2020-05 |
| Microsoft Exchange | Email Server | EXCHANGE_MAIL | SYSLOG | 2020-07 |
| F5 ASM | WAF | F5_ASM | SYSLOG | 2020-07 |
| F5 BIGIP LTM | Load Balancer, Traffic Shaper, ADC | F5_BIGIP_LTM | SYSLOG | 2020-10 |
| F5 VPN | VPN | F5_VPN | SYSLOG | 2020-10 |
| Fidelis Network | NDR | FIDELIS_NETWORK | SYSLOG + KV | 2021-03 |
| FireEye | Alerts | FIREEYE_ALERT | SYSLOG + JSON | 2019-08 |
| Fireeye ETP | Email Server | FIREEYE_ETP | JSON | 2021-05 |
| FireEye NX | NDR | FIREEYE_NX | JSON | 2021-03 |
| Forcepoint Proxy | Web Proxy | FORECEPOINT_WEBPROXY | SYSLOG + KV | 2020-08 |
| Forescout NAC | NAC | FORESCOUT_NAC | SYSLOG | 2020-09 |
| Forseti | GCP Specific | FORSETI | JSON | 2021-04 |
| Fortinet | DHCP | FORTINET_DHCP | KV | 2021-04 |
| Fortigate | Firewall | FORTINET_FIREWALL | JSON, SYSLOG + KV | 2021-05 |
| Fortinet FortiEDR | EDR | FORTINET_FORTIEDR | SYSLOG + KV | 2021-05 |
| Google Cloud Platform | GCP Specific | GCP | JSON | 2021-05 |
| GCP Cloud Audit | GCP Specific | GCP_CLOUDAUDIT | JSON | 2021-06 |
| GCP Cloud NAT | GCP Specific | GCP_CLOUD_NAT | JSON | 2020-04 |
| GCP Compute Context | GCP Specific | GCP_COMPUTE_CONTEXT | JSON | 2021-06 |
| GCP CSCC | GCP Specific | GCP_CSCC | JSON | 2021-03 |
| GCP DNS | GCP Specific | GCP_DNS | JSON | 2021-06 |
| GCP Firewall Rules | GCP Specific | GCP_FIREWALL | JSON | 2020-05 |
| GCP Identity and Access Management Context | GCP Specific | GCP_IAM_CONTEXT | JSON | 2021-06 |
| GCP VPC Flow | GCP Specific | GCP_VPC_FLOW | JSON | 2021-03 |
| GMAIL Logs | Email Server | GMAIL_LOGS | JSON | 2020-11 |
| Google Workspace Audit | SaaS Application | GSUITE_AUDIT | JSON | 2021-05 |
| Honeyd | Deception Software | HONEYD | SYSLOG | 2021-04 |
| IBM CICS | Service Bus | IBM_CICS | LEEF | 2020-11 |
| Microsoft IIS | Web Server | IIS | JSON, SYSLOG | 2020-11 |
| Imperva | WAF | IMPERVA_WAF | SYSLOG + KV | 2021-05 |
| Infoblox | DHCP, DNS | INFOBLOX | SYSLOG | 2021-05 |
| Infoblox DHCP | DHCP | INFOBLOX_DHCP | SYSLOG | 2020-10 |
| Infoblox DNS | DNS | INFOBLOX_DNS | SYSLOG | 2021-04 |
| Juniper | Firewall | JUNIPER_FIREWALL | SYSLOG + KV | 2020-12 |
| Juniper IPS | IDS/IPS | JUNIPER_IPS | SYSLOG + KV | 2020-06 |
| Kemp Load Balancer | Load Balancer, Traffic Shaper, ADC | KEMP_LOADBALANCER | SYSLOG | 2021-04 |
| Kea DHCP | DHCP | KEA_DHCP | SYSLOG | 2021-06 |
| Kyriba Treasury Management | SaaS Application | KYRIBA | CSV | 2021-02 |
| LimaCharlie | EDR | LIMACHARLIE_EDR | JSON | 2020-04 |
| Linux DHCP | DHCP | LINUX_DHCP | SYSLOG | 2020-06 |
| McAfee ePolicy Orchestrator | Format Specific | MCAFEE_EPO | SYSLOG + XML | 2021-03 |
| McAfee Enterprise Security Manager | Log Aggregator | MCAFEE_ESM | SYSLOG + JSON | 2019-10 |
| McAfee IPS | IDS/IPS | MCAFEE_IPS | SYSLOG | 2020-07 |
| McAfee Web Gateway | Web Proxy | MCAFEE_WEBPROXY | SYSLOG | 2019-12 |
| McAfee Web Protection | SaaS Application | MCAFEE_WEB_PROTECTION | JSON | 2020-11 |
| Medigate IoT | IoT | MEDIGATE_IOT | SYSLOG + JSON | 2021-06 |
| Microsoft ATA | IDS/IPS | MICROSOFT_ATA | SYSLOG + KV | 2020-07 |
| Microsoft CASB | CASB | MICROSOFT_CASB | SYSLOG + KV (CEF) | 2020-09 |
| Microsoft Graph API Alerts | Alerts | MICROSOFT_GRAPH_ALERT | JSON | 2021-03 |
| Microsoft Security Center | Alerts | MICROSOFT_SECURITY_CENTER_ALERT | JSON | 2020-09 |
| Microsoft SQL Server | Database | MICROSOFT_SQL | SYSLOG + KV | 2020-06 |
| Mimecast | Email Server | MIMECAST_MAIL | KV | 2020-11 |
| MySQL | Database | MYSQL | SYSLOG | 2021-04 |
| Nauthilus IDP | Identity and Access Management | NAUTHILUS | JSON | 2021-05 |
| Netskope Web Proxy | Web Proxy | NETSKOPE_WEBPROXY | SYSLOG | 2020-09 |
| NIMBLE OS | OS | NIMBLE_OS | SYSLOG | 2020-10 |
| Unix system | Unix | NIX_SYSTEM | SYSLOG | 2021-06 |
| Office 365 | SaaS Application | OFFICE_365 | JSON | 2021-06 |
| Okta | Identity and Access Management | OKTA | JSON | 2021-06 |
| Okta User Context | Identity and Access Management | OKTA_USER_CONTEXT | JSON | 2020-08 |
| OneLogin | SSO | ONELOGIN_SSO | JSON | 2020-08 |
| ForgeRock OpenAM | Identity and Access Management | OPENAM | CSV, SYSLOG + KV | 2020-09 |
| ForgeRock OpenDJ | LDAP Software | OPENDJ | SYSLOG + KV | 2020-10 |
| Ordr IoT | IoT | ORDR_IOT | SYSLOG + JSON | 2021-05 |
| OSSEC | IDS/IPS | OSSEC | SYSLOG | 2021-03 |
| Palo Alto Networks Traps | EDR | PAN_EDR | SYSLOG | 2020-03 |
| Palo Alto Networks | Firewall | PAN_FIREWALL | SYSLOG | 2020-11 |
| PAN Autofocus | IOC | PAN_IOC | JSON | 2020-11 |
| Passive DNS | DNS | PASSIVE_DNS | JSON | 2021-05 |
| PostFix Mail | Email Server | POSTFIX_MAIL | SYSLOG | 2020-09 |
| Microsoft Powershell | Misc. Windows-specific | POWERSHELL | SYSLOG + JSON | 2020-07 |
| Preempt Alert | Identity and Access Management | PREEMPT | SYSLOG + KV (CEF) | 2020-06 |
| Preempt Auth | Identity and Access Management | PREEMPT_AUTH | SYSLOG + JSON | 2020-08 |
| Proofpoint On Demand | Email Server | PROOFPOINT_ON_DEMAND | JSON | 2020-07 |
| Pulse Secure | VPN | PULSE_SECURE_VPN | SYSLOG | 2021-01 |
| Qualys VM | Vulnerability Scanner | QUALYS_VM | KV | 2020-08 |
| Red Canary | EDR | REDCANARY_EDR | JSON | 2021-01 |
| RH-ISAC | IOC | RH_ISAC_IOC | JSON | 2020-11 |
| RSA | Identity and Access Management | RSA_AUTH_MANAGER | CSV | 2020-05 |
| SailPoint IAM | Identity and Access Management | SAILPOINT_IAM | JSON | 2021-06 |
| Salesforce | SaaS Application | SALESFORCE | KV (LEEF) | 2021-03 |
| SecureLink | Remote Access Tools | SECURELINK | SYSLOG | 2020-07 |
| Semperis DSP | LDAP | SEMPERIS_DSP | SYSLOG | 2021-04 |
| Sendmail | Email Server | SENDMAIL | SYSLOG | 2020-08 |
| SentinelOne Deep Visibility | EDR | SENTINEL_DV | JSON | 2021-01 |
| SentinelOne EDR | EDR | SENTINEL_EDR | SYSLOG + JSON | 2021-02 |
| Symantec | AV / Endpoint | SEP | SYSLOG | 2021-05 |
| ServiceNow CMDB | Policy Management | SERVICENOW_CMDB | JSON | 2021-02 |
| ServiceNow Security | SaaS | SERVICENOW_SECURITY | JSON | 2021-05 |
| Shibboleth IdP | Identity and Access Management | SHIBBOLETH_IDP | SYSLOG | 2021-04 |
| Signal Sciences WAF | WAF | SIGNAL_SCIENCES_WAF | JSON | 2021-04 |
| Snort | IDS/IPS | SNORT_IDS | SYSLOG | 2020-01 |
| SonicWall | Firewall | SONIC_FIREWALL | SYSLOG + KV | 2020-04 |
| Sophos | AV / Endpoint | SOPHOS_AV | CSV, JSON | 2020-08 |
| Sourcefire | IDS/IPS | SOURCEFIRE_IDS | JSON | 2020-09 |
| Squid Web Proxy | Web Proxy | SQUID_WEBPROXY | SYSLOG | 2021-02 |
| Strong Swan VPN | VPN | STRONGSWAN_VPN | JSON | 2021-06 |
| Suricata | IDS/IPS | SURICATA_IDS | JSON | 2020-01 |
| Symantec DLP | DLP | SYMANTEC_DLP | SYSLOG + KV (CEF), XML | 2021-05 |
| Symantec EDR | EDR | SYMANTEC_EDR | JSON | 2021-05 |
| Symantec VIP Gateway | Email Server | SYMANTEC_VIP | SYSLOG | 2021-04 |
| Tanium Asset | Tanium Specific | TANIUM_ASSET | JSON | 2021-06 |
| Tanium Discover | Tanium Specific | TANIUM_DISCOVER | JSON | 2021-03 |
| Tanium Threat Response | Tanium Specific | TANIUM_EDR | JSON | 2019-10 |
| Tanium Insight | Tanium Specific | TANIUM_INSIGHT | SYSLOG + KV | 2021-03 |
| Tanium Reveal | Tanium Specific | TANIUM_REVEAL | SYSLOG + KV | 2021-06 |
| Tanium Stream | Tanium Specific | TANIUM_TH | JSON | 2021-02 |
| Tenable Security Center | Vulnerability Scanner | TENABLE_SC | SYSLOG | 2021-05 |
| Thales MFA | Authentication | THALES_MFA | SYSLOG + KV (CEF) | 2020-07 |
| Thinkst Canary | Honeypots | THINKST_CANARY | JSON | 2021-06 |
| Thycotic | Identity and Access Management | THYCOTIC | SYSLOG + KV (CEF) | 2020-08 |
| Trend Micro | AV / Endpoint | TRENDMICRO_AV | SYSLOG + KV | 2020-08 |
| TrendMicro Web Proxy | Web Proxy | TRENDMICRO_WEBPROXY | SYSLOG + KV | 2021-03 |
| Tripwire | DLP | TRIPWIRE_FIM | SYSLOG | 2021-03 |
| Cisco Umbrella DNS | DNS | UMBRELLA_DNS | CSV | 2021-05 |
| Cisco Umbrella Cloud Firewall | Firewall | UMBRELLA_FIREWALL | CSV | 2021-03 |
| Cisco Umbrella IP | Firewall | UMBRELLA_IP | SYSLOG | 2021-04 |
| Cisco Umbrella Web Proxy | Web Proxy | UMBRELLA_WEBPROXY | CSV | 2021-05 |
| Unbound DNS | DNS | UNBOOUND_DNS | SYSLOG | 2020-06 |
| Varonis | Data Security / Insider Threat | VARONIS | SYSLOG + KV (CEF) | 2021-04 |
| Vectra Detect | NDR | VECTRA_DETECT | SYSLOG + JSON | 2021-01 |
| Vectra Stream | NDR | VECTRA_STREAM | SYSLOG + KV | 2019-10 |
| Nokia VitalQIP | Format Specific | VITALQIP | SYSLOG | 2019-10 |
| VMWare | Hypervisor | VMWARE_ESX | SYSLOG | 2021-06 |
| Thales | Encryption | VORMETRIC | SYSLOG | 2020-09 |
| Wazuh | Log Aggregator | WAZUH | SYSLOG + JSON | 2020-09 |
| Microsoft AD | Misc. Windows-specific | WINDOWS_AD | JSON | 2020-07 |
| Windows Defender ATP | AV / Endpoint | WINDOWS_DEFENDER_ATP | SYSLOG + JSON, XML | 2020-08 |
| Windows Defender AV | AV / Endpoint | WINDOWS_DEFENDER_AV | JSON, XML | 2020-07 |
| Windows DNS XML | DNS | WINDOWS_DNS_XML | XML | 2021-06 |
| Windows Sysmon | EDR | WINDOWS_SYSMON | SYSLOG + JSON | 2021-03 |
| Windows Event | Misc. Windows-specific | WINEVTLOG | SYSLOG + JSON | 2021-06 |
| Windows Event | Format Specific | WINEVTLOG_XML | SYSLOG + XML | 2021-06 |
| Workday | SaaS Application | WORKDAY | JSON | 2020-08 |
| ZScaler DNS | DNS | ZSCALER_DNS | SYSLOG + KV | 2020-12 |
| ZScaler NGFW | Firewall | ZSCALER_FIREWALL | SYSLOG + KV (CEF), CSV | 2021-02 |
| ZScaler VPN | VPN | ZSCALER_VPN | SYSLOG + CSV | 2021-05 |
| ZScaler | Web Proxy | ZSCALER_WEBPROXY | SYSLOG + KV | 2020-09 |