Release Notes

This page documents production updates to Chronicle. You can periodically check this page for announcements about new or updated features, bug fixes, known issues, and deprecated functionality.

You can see the latest product updates for all of Google Cloud on the Google Cloud page, or browse and filter all release notes in the Google Cloud Console.

To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly: https://cloud.google.com/feeds/chronicle-release-notes.xml

June 01, 2021

Chronicle Automated GCP Log Ingestion

Google Cloud customers can now send logs directly to their Chronicle account. Customers can send both Cloud Audit and Cloud DNS logs. See Ingesting GCP Logs into Chronicle for more information.

May 15, 2021

Archive Rules

You can now archive rules specified for the Detection Engine. Archiving a rule hides the security data related to that rule (and all of its versions) without actually deleting the rule. See Archive rules for more information.

April 23, 2021

Supported Data Sets

Chronicle can now ingest and parse data from the following additional systems and services:

  • Aruba Airwave
  • Blue Coat Proxy
  • Brocade ServerIron ADX
  • CIS Albert Alerts
  • Cisco Application Control Engine
  • Cisco Email Security
  • Cisco NX-OS
  • Citrix StoreFront
  • Cofense Triage
  • Comodo
  • Fidelis Network
  • FireEye NX
  • Honeyd
  • Kemp Load Balancer
  • Kyriba Treasury Management
  • Microsoft Intune
  • MySQL
  • Palo Alto Networks Cortex XDR
  • Red Canary EDR
  • ServiceNow CMDB
  • Symantec VIP Enterprise Gateway
  • Tanium Discover
  • Tripwire File Integrity Monitoring

January 25, 2021

  • Chronicle Detection Engine

    Enables customers to automate searching across their data for security issues. You specify Rules that search all of your data and notify you when potential or known threats appear in your enterprise. For more information on the Chronicle Detection Engine, see the following:

    • Chronicle Detection Engine UI: The Chronicle Detection Engine is integrated within the Chronicle UI. It includes the Rules Dashboard for monitoring Rule activity and the Rules Editor, enabling you to create, test, and activate new Rules.

    • Chronicle Detection Engine API: The Chronicle Detection Engine API enables you to programmatically modify and operate all of the Detection Engine functionality that is also provided by the Detection Engine UI.

    • YARA-L 2.0: Use the YARA-L 2.0 language to specify Rules for the Detection Engine.

September 02, 2020

  • Chronicle User View

    Enables customers to better understand how users within an enterprise might be impacted by security events. By focusing on the behavior of individual users, security administrators can search for activity indicating an account compromise or other security concern.

June 12, 2020

  • Chronicle Rules Engine API

    The Chronicle Rules Engine API now includes the StreamRuleNotifications method. This method enables you to continuously receive rules engine results over an HTTP stream as the results are discovered. Contact your Chronicle representative for more information.

  • Chronicle API Query Limits

    The query limits for the Chronicle Search API calls are now documented.

  • Chronicle Tooling and Management APIs

    The query limits for the Chronicle Tooling and Management API calls are now documented. Contact your Chronicle representative for more information.

  • Supported Data Sets

    Chronicle can now ingest and parse data from the following additional systems and services:

    • Access Management—Added support for OpenAM.
    • Audit—Added support for ManageEngine ADAudit Plus.
    • Authentication—Added support for Preempt, Symantec SiteMinder, and Thycotic.
    • Badging—Added support for Honeywell Pro-Watch.
    • Cloud—Added support for Microsoft Cloud Access Security Broker (CASB) and Salesforce.
    • DHCP—Added support for Linux DHCP Server.
    • Hypervisor—Added support for VMware ESXi JSON.
    • Intrusion Detection and Prevention—Added support for Juniper Intrusion Prevention System (IPS).
    • Security Management—Added support for AlgoSec, BeyondTrust, and DMP Entré.
    • Server—Added support for Microsoft Internet Information Services (IIS) and Microsoft SQL Server.

May 15, 2020

  • Chronicle Rules Engine API

    The Chronicle Rules Engine API now includes the Live Rules API. The Live Rules API enables you to run and manage security rules in real time. Once activated, a Live Rule monitors your incoming logs for threats until it is deleted or disabled. Contact your Chronicle representative for more information.

  • UDM Reference

    Location Metadata—Added the location metadata fields.

  • Supported Data Sets

    Chronicle can now ingest and parse data from the following additional systems and services:

    • ATP—Added support for Microsoft Defender ATP.
    • Antivirus—Added support for Bitdefender and Trend Micro.
    • Authentication—Added support for Cisco ACS and RSA Authentication Manager version 8.1.
    • EDR—Added support for Digital Guardian.
    • IDM and PAM—Added support for Cyberark.
    • NAC—Added support for Forescout.
    • VPN—Added support for Zscaler.

May 08, 2020

  • Chronicle Tooling API

    Helps partners to develop new parsers to normalize new log data types. Contact your Chronicle representative for more information.

  • Supported Data Sets

    Chronicle can now ingest and parse data from the following additional systems and services:

    • Alerts—Added support for Suricata.
    • Antivirus—Added support for Cisco.
    • Application—Added support for Microsoft Office 365.
    • Authentication—Added support for Aruba ClearPass, Cisco ISE, and Duo.
    • Deception—Added support for Acalvio.
    • EDR—For Red Canary customers, Chronicle can ingest EDR logs from Endgame.
    • Endpoint—Added support for McAfee ePolicy Orchestrator.
    • Firewall—Added support for Zscaler.
    • IoC—Added support for Emerging Threats Pro.
    • Router—Added support for Cisco.
    • SaaS—Added support for Cloudflare and Google G Suite Audit.
    • Switch—Added support for Cisco.
    • VPN—Added support for Pulse Connect Secure.

March 30, 2020

  • Chronicle User Guide

    Column sort—You can now sort columns on the Enterprise Insights page and from the Timeline sidebar lists.

  • Supported Data Sets

    Chronicle can now ingest and parse data from the following additional systems and services:

    • DHCP—Added support for Elastic Packetbeat.
    • DNS—Added support for Elastic Packetbeat.
    • EDR—Added support for ESET.
    • Mail Gateway—Added support for Barracuda Email Security and Mimecast Email Security.
    • Web Application Firewall—Added support for Citrix Netscaler.

March 19, 2020

  • Supported Data Sets

    Chronicle can now ingest and parse data from the following additional systems and services:

    • Traffic Management—Added support for F5 Big-IP Local Traffic Manager (LTM).
    • Unified Threat Management—Added support for Cisco Meraki.

January 01, 2020

  • Chronicle Partner Ingestion API

    Added the udmevents endpoint to enable you to send UDM events in batches.

  • Chronicle Search API

    Enables you to programmatically access your security data directly through API calls to Chronicle.

December 01, 2019

  • Chronicle Unified Data Model

    Describes how to generate properly constructed UDM events for consumption by Chronicle's cyber-security analytics platform.

July 01, 2019

  • Raw Log Scan

    Enables you to examine your raw unparsed logs.

  • Regular Expressions

    Enables you to search your raw logs using regular expressions.

  • Hash View

    Enables you to search for and investigate files based on their hash value.

June 01, 2019

  • Chronicle Data Flow Overview

    Information on how customer security data flows from customers to Chronicle and how Chronicle handles that data.

May 01, 2019

  • Chronicle Partner Ingestion API

    Enables you to forward raw logs directly to Chronicle.

March 01, 2019

  • Enterprise Insights

    Now includes the Procedural Filtering menu and lists all of the Assets with Alerts within your enterprise.

  • Viewing EDR Data in the Timeline

    You can now view Endpoint Detection and Response (EDR) data in the timeline.

  • Domain Context

    Analytics and insights from VirusTotal, EmergingThreats, WHOIS, and Department of Homeland Security's (DHS) Automated Indicator Sharing (AIS) data sources.

  • Investigating Domains and IP Addresses

    Searching for external IP addresses and URLs.

  • Chronicle Chrome Extension

    Search for indicators using the Chrome extension.