Release Notes

This page documents production updates to Chronicle. You can periodically check this page for announcements about new or updated features, bug fixes, known issues, and deprecated functionality.

You can see the latest product updates for all of Google Cloud on the Google Cloud page, browse and filter all release notes in the Google Cloud console, or you can programmatically access release notes in BigQuery.

To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly:

May 11, 2022

The following supported default parsers have changed (listed by product name and ingestion label):

  • ExtraHop RevealX (EXTRAHOP)
  • Imperva (IMPERVA_WAF)
  • Windows Event (WINEVTLOG)
  • Azure AD Organizational Context (AZURE_AD_CONTEXT)
  • Citrix Netscaler (CITRIX_NETSCALER)
  • Elastic Packet Beats (ELASTIC_PACKETBEATS)
  • Elastic Audit Beats (ELASTIC_AUDITBEAT)
  • Sendmail (SENDMAIL)
  • VMware vCenter (VMWARE_VCENTER)
  • Bluecat DDI (BLUECAT_DDI)
  • Cisco ACS (CISCO_ACS)
  • Forcepoint Proxy (FORCEPOINT_WEBPROXY)
  • McAfee ePolicy Orchestrator (MCAFEE_EPO)
  • Office 365 (OFFICE_365)
  • Apple MacOS (MACOS)
  • Archer Integrated Risk Management (ARCHER_IRM)
  • Cisco Meraki (CISCO_MERAKI)
  • Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
  • IBM DB2 (DB2_DB)
  • Cisco ISE (CISCO_ISE)
  • Juniper Junos (JUNIPER_JUNOS)
  • Microsoft Exchange (EXCHANGE_MAIL)
  • VMware ESXi (VMWARE_ESX)
  • Digital Shadows SearchLight (DIGITAL_SHADOWS_SEARCHLIGHT)
  • Azure Firewall (AZURE_FIREWALL)
  • ForgeRock OpenAM (OPENAM)
  • OpenVPN (OPEN_VPN)

For details about the changes in each parser, see Supported default parsers.

May 10, 2022

The following new fields are available in the Unified Data Model:

For a list of fields in the Unified Data Model, and descriptions, see the Unified Data Model field list.

April 27, 2022

The following supported default parsers have changed (listed by product name and ingestion label):

  • Apache Tomcat (TOMCAT)
  • Azure AD (AZURE_AD)
  • Bitdefender (BITDEFENDER)
  • Blue Coat Proxy (BLUECOAT_WEBPROXY)
  • Cisco ACS (CISCO_ACS)
  • Cisco Email Security (CISCO_EMAIL_SECURITY)
  • Cisco ISE (CISCO_ISE)
  • Citrix Netscaler (CITRIX_NETSCALER)
  • CrowdStrike Falcon (CS_EDR)
  • Darktrace (DARKTRACE)
  • Dell EMC Data Domain (DELL_EMC_DATA_DOMAIN)
  • Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
  • EPIC Systems (EPIC)
  • F5 ASM (F5_ASM)
  • GMV Checker ATM Security (GMV_CHECKER)
  • Layer7 SiteMinder (SITEMINDER_SSO)
  • Microsoft Azure NSG Flow (AZURE_NSG_FLOW)
  • Microsoft Defender for Identity(MICROSOFT_DEFENDER_IDENTITY)
  • Microsoft Powershell (POWERSHELL)
  • Mobileiron (MOBILEIRON)
  • Office 365 (OFFICE_365)
  • Salesforce (SALESFORCE)
  • SecureAuth (SECUREAUTH_SSO)
  • SentinelOne EDR (SENTINEL_EDR)
  • Windows Event (WINEVTLOG)
  • Workspace Activities (WORKSPACE_ACTIVITY)

For details about the changes in each parser, see Supported default parsers.

Chronicle now supports the following functions in Detection Engine rules:

  • strings.concat(a, b)
  • strings.to_lower(stringText)
  • strings.to_upper(stringText)
  • strings.base64_decode(encodedString)
  • re.capture(stringText, regex)
  • re.replace(stringText, replaceRegex, replacementText)
  • timestamp.get_minute(unix_seconds [, time_zone])
  • timestamp.get_hour(unix_seconds [, time_zone])
  • timestamp.get_day_of_week(unix_seconds [, time_zone])
  • timestamp.get_week(unix_seconds [, time_zone])
  • timestamp.current_seconds()
  • math.abs(intExpression)

For more information about these functions, see YARA-L 2.0 language syntax.

April 26, 2022

The Chronicle Container Registry key is no longer needed and has been removed. The corresponding documentation on the Container Registry key for the Linux version of the Chronicle Forwarder has also been removed.

April 25, 2022

Rules run frequency

Rules can now be run at different frequencies. Rule run frequency impacts the latency with which detections are discovered for each rule. Longer run frequencies increase the amount of time between when an event occurs and when a detection is processed for that event. Rules with a window size of at least one hour are limited to either 1 hour or 24 hour run frequencies.

April 15, 2022

Chronicle Detection Engine now supports the min() function and subtraction operator in the outcome section of a rule.

April 13, 2022

The following supported default parsers have changed (listed by ingestion label)

  • CS_EDR
  • IIS
  • OFFICE_365
  • OKTA

For details about the changes in each parser, see Supported default parsers

April 07, 2022

Exporting Google Cloud Logs to Chronicle

There are now lists of the specific Google Cloud Logs and Google Cloud Asset Metadata that are exported to Chronicle when you enable GCP log ingestion.

February 15, 2022


The DeleteSubject method has been added to the Chronicle Role-Based Access Control (RBAC) API. DeleteSubject enables you to remove user and group role assignments.

February 08, 2022

Chronicle Forwarder

For the Chronicle Forwarder to function properly, an additional firewall rule is needed for host This information has been added to both the Windows and Linux versions of the Forwarder documentation.

December 14, 2021

Role-based access control (RBAC)

Role-based access control (RBAC) enables you to tailor access to Chronicle features based on an employee's role in the organization. Assigning a role to a user grants that user the permissions associated with the role, which enables the user to access role-appropriate Chronicle features.

December 08, 2021


Chronicle provides a set of default dashboards to monitor data ingestion status, health, rule detection context, IOC matches and alert prioritization, and user sign-ins. Reporting is available by converting a dashboard to a shareable file (PDF, Excel, CSV, etc.). You can also create custom personal and shared dashboards.

November 19, 2021

This document describes Chronicle's recommendations for writing rules in YARA-L.

October 15, 2021

Detection Engine API

The ListDetections method has been updated to allow customers to list detections efficiently across rule versions and rules by either detection timestamp or commit timestamp. Parameters originally used to list detections by detection timestamp will eventually be deprecated.

September 28, 2021

Uppercase has been rebranded as Google Cloud Threat Intelligence (GCTI).

September 22, 2021

The Linux Forwarder has been enhanced to support load balancing and high-availability. This enables you to deploy the forwarder in an environment where a Layer 4 load balancer is installed between syslog data sources and forwarder instances.

July 13, 2021

New documentation to support Chronicle data ingestion planning

You can now find information about Chronicle supported default parsers.

Supported default parsers provides information about which ingestion labels (LogTypes) also support a default parser. You can find the supported data format (KV, JSON, CEF, etc), the parser category, and when the default parser was last updated.

July 01, 2021

Asset Namespaces

The asset namespaces feature enables you to classify categories of assets sharing a common network environment, or namespace, and then perform searches for those assets within the Chronicle user interface based on that namespace. See also the Linux Forwarder documentation for information on how to configure the Forwarder to add namespaces to your security data before it is ingested into your Chronicle account.

Linux Forwarder Updates

The Linux Forwarder has been enhanced with the following additional capabilities:

Disk Buffering—Disk buffering enables you to buffer backlogged messages to disk as opposed to memory. The backlogged messages can be stored in case the forwarder crashes or the underlying host crashes.

Regular Expression Filters—Regular expression filters enable you to filter logs based on regular expression matches.

Arbitrary labels—Use labels to attach arbitrary metadata to logs using key and value pairs.

Namespaces—Use namespace labels to identify logs from distinct network segments and to deconflict overlapping IP addresses.

Kafka Input—You can ingest data from Kafka topics just as you can for syslog. Consumer groups are leveraged to enable you to deploy up to 3 Forwarders and pull data from the same Kafka topic.

June 30, 2021

Downloading Events

You can download large numbers of the events associated with each threat detection as a CSV file, enabling you to search across a broad set of the data stored in your Chronicle account to hunt for security issues.

June 28, 2021

Detection Engine API

The VerifyRule method has been added to the Detection Engine API. This method verifies that a rule is a valid YARA-L 2.0 rule without creating a new rule or evaluating it over data.

June 21, 2021

Uppercase Alerts

For Chronicle customers who are also Uppercase customers, Uppercase alerts are now displayed on the Enterprise Insights page. Uppercase alerts are derived from both Google's internal threat detection infrastructure and research provided by Uppercase security analysts.

You can view these alerts in Uppercase Alert view. This view also enables you to provide feedback that can be shared with your own security team and with Uppercase.

You can also use the Uppercase API to retrieve alerts from your Chronicle account.

June 01, 2021

Chronicle Automated GCP Log Ingestion

Google Cloud customers can now send logs directly to their Chronicle account. Customers can send both Cloud Audit and Cloud DNS logs. See Ingesting GCP Logs in to Chronicle for more information.

May 15, 2021

Archive Rules

You can now archive rules specified for the Detection Engine. Archiving a rule hides the security data related to that rule (and all of its versions) without actually deleting the rule. See Archive rules for more information.

April 23, 2021

Supported Data Sets

Chronicle can now ingest and parse data from the following additional systems and services:

  • Aruba Airwave
  • Blue Coat Proxy
  • Brocade ServerIron ADX
  • CIS Albert Alerts
  • Cisco Application Control Engine
  • Cisco Email Security
  • Cisco NX-OS
  • Citrix StoreFront
  • Cofense Triage
  • Comodo
  • Fidelis Network
  • FireEye NX
  • Honeyd
  • Kemp Load Balancer
  • Kyriba Treasury Management
  • Microsoft Intune
  • MySQL
  • Palo Alto Networks Cortex XDR
  • Red Canary EDR
  • ServiceNow CMDB
  • Symantec VIP Enterprise Gateway
  • Tanium Discover
  • Tripwire File Integrity Monitoring

January 25, 2021

  • Chronicle Detection Engine

    Enables customers to automate the process of searching across their data for security issues. You can specify Rules to search all of your data and notify you when potential and known threats appear in your enterprise. For more information on the Chronicle Detection Engine, please see the following:

    • Chronicle Detection Engine UI: The Chronicle Detection Engine is integrated within the Chronicle UI. It includes the Rules Dashboard for monitoring Rule activity and the Rules Editor, enabling you to create, test, and activate new Rules.

    • Chronicle Detection Engine API: The Chronicle Detection Engine API enables you to programmatically modify and operate all of the Detection Engine functionality that is also provided by the Detection Engine UI.

    • YARA-L 2.0: Use the YARA-L 2.0 language to specify Rules for the Detection Engine.

September 02, 2020

  • Chronicle User View

    Enables customers to better understand how users within an enterprise might be impacted by security events. By focusing on the behavior of individual users, security administrators can search for activity indicating an account compromise or other security concern.

June 12, 2020

  • Chronicle Rules Engine API

    The Chronicle Rules Engine API now includes the StreamRuleNotifications method. This method enables you to continuously receive rules engine results over an HTTP stream as the results are discovered. Contact your Chronicle representative for more information.

  • Chronicle API Query Limits

    The query limits for the Chronicle Search API calls are now documented.

  • Chronicle Tooling and Management APIs

    The query limits for the Chronicle Tooling and Management API calls are now documented. Contact your Chronicle representative for more information.

  • Supported Data Sets

    Chronicle can now ingest and parse data from the following additional systems and services:

    • Access Management—Added support for OpenAM.
    • Audit—Added support for ManageEngine ADAudit Plus.
    • Authentication—Added support for Preempt, Symantec SiteMinder, and Thycotic.
    • Badging—Added support for Honeywell Pro-Watch.
    • Cloud—Added support for Microsoft Cloud Access Security Broker (CASB) and Salesforce.
    • DHCP—Added support for Linux DHCP Server.
    • Hypervisor—Added support for VMware ESXi JSON.
    • Intrusion Detection and Prevention—Added support for Juniper Intrusion Prevention System (IPS).
    • Security Management—Added support for AlgoSec, BeyondTrust, and DMP Entré.
    • Server—Added support for Microsoft Internet Information Services (IIS) and Microsoft SQL Server.

May 15, 2020

  • Chronicle Rules Engine API

    The Chronicle Rules Engine API now includes the Live Rules API. The Live Rules API enables you to run and manage security rules in real time. Once activated, a Live Rule monitors your incoming logs for threats until it is deleted or disabled. Contact your Chronicle representative for more information.

  • UDM Reference

    Location Metadata—Added the location metadata fields.

  • Supported Data Sets

    Chronicle can now ingest and parse data from the following additional systems and services:

    • ATP—Added support for Microsoft Defender ATP.
    • Antivirus—Added support for Bitdefender and Trend Micro.
    • Authentication—Added support for Cisco ACS and RSA Authentication Manager version 8.1.
    • EDR—Added support for Digital Guardian.
    • IDM and PAM—Added support for Cyberark.
    • NAC—Added support for Forescout.
    • VPN—Added support for Zscaler.

May 08, 2020

  • Chronicle Tooling API

    Helps partners to develop new parsers to normalize new log data types. Contact your Chronicle representative for more information.

  • Supported Data Sets

    Chronicle can now ingest and parse data from the following additional systems and services:

    • Alerts—Added support for Suricata.
    • Antivirus—Added support for Cisco.
    • Application—Added support for Microsoft Office 365.
    • Authentications—Added support for Aruba ClearPass, Cisco ISE, and Duo.
    • Deception—Added support for Acalvio.
    • EDR—For Red Canary customers, Chronicle can ingest EDR logs from Endgame.
    • Endpoint—Added support for McAfee ePolicy Orchestrator.
    • Firewall—Added support for Zscaler.
    • IoC—Added support for Emerging Threats Pro.
    • Router—Added support for Cisco.
    • SAAS—Added support for Cloudflare and Google G Suite Audit.
    • Switch—Added support for Cisco.
    • VPN—Added support for Pulse Connect Secure.

March 30, 2020

  • Chronicle User Guide

    Column sort—You can now sort columns on the Enterprise Insights page and from the Timeline sidebar lists.

  • Supported Data Sets

    Chronicle can now ingest and parse data from the following additional systems and services:

    • DHCP—Added support for Elastic Packetbeat.
    • DNS—Added support for Elastic Packetbeat.
    • EDR—Added support for ESET.
    • Mail Gateway—Added support for Barracuda Email Security and Mimecast Email Security.
    • Web Application Firewall—Added support for Citrix Netscaler.

March 19, 2020

  • Supported Data Sets

    Chronicle can now ingest and parse data from the following additional systems and services:

    • Traffic Management—Added support for F5 Big-IP Local Traffic Manager (LTM).
    • Unified Threat Management—Added support for Cisco Meraki.

January 01, 2020

  • Chronicle Partner Ingestion API

    Added the udmevents endpoint to enable you to send UDM events in batches.

  • Chronicle Search API

    Enables you to programmatically access your security data directly through API calls to Chronicle.

December 01, 2019

  • Chronicle Unified Data Model

    Describes how to generate properly constructed UDM events for consumption by Chronicle's cyber-security analytics platform.

July 01, 2019

  • Raw Log Scan

    Enables you to examine your raw unparsed logs.

  • Regular Expressions

    Enables you to search your raw logs using regular expressions.

  • Hash View

    Enables you to search for and investigate files based on their hash value.

June 01, 2019

  • Chronicle Data Flow Overview

    Information on how customer security data flows from customers to Chronicle and how Chronicle handles that data.

May 01, 2019

  • Chronicle Partner Ingestion API

    Enables you to forward raw logs directly to Chronicle.

March 01, 2019

  • Enterprise Insights

    Now includes the Procedural Filtering menu and lists all of the Assets with Alerts within your enterprise.

  • Viewing EDR Data in the Timeline

    Viewing Endpoint Detection and Response (EDR) data in the timeline.

  • Domain Context

    Analytics and insights from VirusTotal, EmergingThreats, WHOIS, and Department of Homeland Security's (DHS) Automated Indicator Sharing (AIS) data sources.

  • Investigating Domains and IP Addresses

    Searching for external IP addresses and URLs.

  • Chronicle Chrome Extension

    Search for indicators using the Chrome extension.