Release Notes


This page documents production updates to Chronicle. You can periodically check this page for announcements about new or updated features, bug fixes, known issues, and deprecated functionality.

You can see the latest product updates for all of Google Cloud on the Google Cloud page, browse and filter all release notes in the Google Cloud console, or you can programmatically access release notes in BigQuery.

To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly: https://cloud.google.com/feeds/chronicle-release-notes.xml

November 30, 2022

The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.

  • Akamai WAF (AKAMAI_WAF)
  • AlgoSec Security Management (ALGOSEC)
  • Ansible AWX (ANSIBLE_AWX)
  • Arcsight CEF (ARCSIGHT_CEF)
  • AWS Cloudtrail (AWS_CLOUDTRAIL)
  • AWS Control Tower (AWS_CONTROL_TOWER)
  • AWS GuardDuty (GUARDDUTY)
  • Azure AD Directory Audit (AZURE_AD_AUDIT)
  • BIND (BIND_DNS)
  • Bluecat DDI (BLUECAT_DDI)
  • Carbon Black (CB_EDR)
  • Check Point (CHECKPOINT_FIREWALL)
  • Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
  • Cisco Meraki (CISCO_MERAKI)
  • Cisco Router (CISCO_ROUTER)
  • Deep Instinct EDR (DEEP_INSTINCT_EDR)
  • Department of Homeland Security (DHS_IOC)
  • Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
  • Emerging Threats Pro (ET_PRO_IOC)
  • ESET Threat Intelligence (ESET_IOC)
  • FortiGate (FORTINET_FIREWALL)
  • Fortinet (FORTINET_DHCP)
  • Cloud Audit (N/A)
  • Security Command Center (N/A)
  • GitHub (GITHUB)
  • Hitachi Cloud Platform (HITACHI_CLOUD_PLATFORM)
  • Juniper (JUNIPER_FIREWALL)
  • Linux Auditing System (AuditD) (AUDITD)
  • Mandiant Threat Intelligence (MANDIANT_IOC)
  • Microsoft Azure Resource (AZURE_RESOURCE_LOGS)
  • Microsoft Exchange (EXCHANGE_MAIL)
  • Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
  • Microsoft Powershell (POWERSHELL)
  • Netscout Arbor Sightline (ARBOR_SIGHTLINE)
  • Office 365 (OFFICE_365)
  • Okta (OKTA)
  • Palo Alto Networks Firewall (PAN_FIREWALL)
  • Palo Alto Prisma Access (PAN_CASB)
  • Sentinelone Alerts (SENTINELONE_ALERT)
  • Shrubbery TACACS+ (SHRUBBERY_TACACS)
  • Signal Sciences WAF (SIGNAL_SCIENCES_WAF)
  • Solarwinds Kiwi Syslog Server (SOLARWINDS_KSS)
  • Splunk Platform (SPLUNK)
  • Stealthbits Defend (STEALTHBITS_DEFEND)
  • STIX Threat Intelligence (STIX)
  • Symantec Endpoint Protection (SEP)
  • Tanium Discover (TANIUM_DISCOVER)
  • Tanium Threat Response (TANIUM_THREAT_RESPONSE)
  • WatchGuard (WATCHGUARD)
  • Windows Event (WINEVTLOG)
  • Windows Network Policy Server (WINDOWS_NET_POLICY_SERVER)

For details about changes in each parser, see Supported default parsers.

November 16, 2022

You can collect Splunk CIM logs by using the Chronicle forwarder and Splunk default parser. For more information, see Collect Splunk CIM logs.

November 15, 2022

UDM Search

UDM Search is a new Chronicle search feature which enables you to find UDM events within your Chronicle instance. You can search both for individual UDM events and groups of UDM events tied to shared search terms. UDM search includes a number of search features, enabling you to navigate through your UDM data:

  • Quick Filters—Fast access to saved searches and search history.
  • Event Viewer—View the raw log and UDM for the event.
  • Search Manager—Comprehensive view of your saved searches and search history.

There is also a new UDM search API method available for the Chronicle Search API.

Be sure to review Google's recommended best practices for conducting searches using UDM Search. UDM searches can require substantial computational resources to complete if they are not constructed carefully. Performance also varies depending on the size and complexity of the data in your Chronicle instance.

Reference Lists

Google has enhanced the Chronicle reference lists feature; it now enables you to perform more complex matching beyond exact string matches. These new types of reference lists can be used in Detection Engine rules.

For more detailed information about these special list types, see the reference lists documentation.

When creating a list, you must provide a "List Type" to indicate how you want Chronicle to interpret your list. List type cannot be changed after list creation, and can be STRING, REGEX, or CIDR. The list type for any existing lists has been set to STRING, since all reference lists made by preview customers perform exact string matching.

You can create Reference Lists using the Chronicle user interface or programmatically using the Reference List API. For information on how to embed a Reference List within a Rule, see the documentation.
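The three list types differ in how a candidate value is compared, and the type is fixed at creation. The following Python model is an added example (not Chronicle's implementation, which is exposed only through YARA-L): it illustrates the STRING, REGEX and CIDR semantics described above on constructed sample lists. The regex mode uses an unanchored search, which is an assumption; write your own anchors into the entries.

```python
import ipaddress
import re
from typing import Iterable, List


class ReferenceList:
    """Models a reference list whose type (STRING, REGEX, CIDR) is fixed at creation.

    Example code for illustration; not the Chronicle implementation.
    """

    TYPES = ("STRING", "REGEX", "CIDR")

    def __init__(self, name: str, list_type: str, entries: Iterable[str]):
        if list_type not in self.TYPES:
            raise ValueError(f"unsupported list type: {list_type!r}")
        self.name = name
        self._type = list_type  # read-only after creation, as in Chronicle
        cleaned = [e.strip() for e in entries if e.strip()]
        if list_type == "STRING":
            self._entries = set(cleaned)  # exact, case-sensitive match
        elif list_type == "REGEX":
            # Compile up front so a malformed pattern fails when the list is
            # created rather than the first time a rule evaluates it.
            self._entries = [re.compile(p) for p in cleaned]
        else:
            self._entries = [ipaddress.ip_network(c, strict=False) for c in cleaned]

    @property
    def list_type(self) -> str:
        return self._type

    def matches(self, value: str) -> bool:
        """True if `value` matches the list according to its type."""
        if self._type == "STRING":
            return value in self._entries
        if self._type == "REGEX":
            # Assumption: unanchored search, so entries must carry their own anchors.
            return any(p.search(value) for p in self._entries)
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return False  # hostnames or malformed strings never match a CIDR list
        return any(addr in net for net in self._entries)


def matching_lists(value: str, lists: Iterable[ReferenceList]) -> List[str]:
    """Names of every list that `value` matches; useful for enriching a detection."""
    return [rl.name for rl in lists if rl.matches(value)]


# Constructed sample lists for the demonstration.
SERVICE_ACCOUNTS = ReferenceList("service_accounts", "STRING", ["svc-backup", "svc-ci"])
ADMIN_PATTERNS = ReferenceList("admin_patterns", "REGEX", [r"^svc-.*$", r"(?i)^.*admin$"])
CORP_RANGES = ReferenceList("corp_ranges", "CIDR", ["10.0.0.0/8", "192.168.1.0/24"])
ALL_LISTS = (SERVICE_ACCOUNTS, ADMIN_PATTERNS, CORP_RANGES)

if __name__ == "__main__":
    for sample in ("svc-backup", "SVC-BACKUP", "localadmin", "10.20.30.40", "203.0.113.9"):
        print(f"{sample:>14} -> {matching_lists(sample, ALL_LISTS)}")
```

Note that "SVC-BACKUP" matches nothing: the STRING list is an exact comparison and the first regex entry is case-sensitive, which is exactly the kind of gap that matters when a list is meant to allowlist or denylist identities.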

November 10, 2022

Chronicle Curated Detections has been enhanced with the following additional detection content:

  • Windows-based threats:
    • Security Posture Downgrade: detects activity attempting to disable or decrease the effectiveness of security tools.
  • Cloud threats:
    • Suspicious Behavior: detects activity that is thought to be uncommon and suspicious in most environments.
    • Service Disruption: detects destructive or disruptive actions that, if performed in a functioning production environment, may cause a significant outage.
    • Suspicious Infrastructure Change: detects modifications to production infrastructure that align with known persistence tactics.

November 09, 2022

Alerts and IOC Matches

The Alerts and Indicators of Compromise (IOC) page displays all the alerts and IOCs currently impacting your enterprise. It provides tools that enable you to filter and view your alerts and IOCs.

  • Alerts can be designated by your security infrastructure, by your security personnel, or by Chronicle Uppercase.

  • IOCs are designated automatically by Chronicle. Chronicle is always absorbing data from both your own infrastructure and numerous other security data sources. It automatically correlates suspicious security indicators with your security data. If a match is found (for example, a suspicious domain is found within your enterprise), Chronicle labels the event as an IOC and displays it on the IOC matches tab.

You can also still navigate to the Enterprise Insights page using the link provided at the top of the Alerts and IOCs page. To view CBN alerts, you still need to use the Enterprise Insights page.

Alert view

Alert view shows a variety of information regarding a specific alert, including:

  • Alert Status

  • Alert Details—Displays an alert's creation time, recent updates, and its associated rule.

  • Decision States—Displays the verdict for the alert and if it is an indication of a security issue.

  • History—Displays the history of changes made to the alert by your security team.

For alerts originating from Chronicle SOAR, Alert view also includes the number and a link to the associated Chronicle SOAR case. You can pivot to your Chronicle SOAR account using this link.

Chronicle SOAR Authentication

You can authenticate with your Chronicle SOAR account from Chronicle. Once you have authenticated with your Chronicle SOAR account, you can pivot between your Chronicle account and your Chronicle SOAR account as needed.

Chronicle SOAR Cases

Chronicle SOAR ingests alerts from a variety of sources. You can conduct additional investigations of Chronicle SOAR cases from Chronicle or pivot to Chronicle SOAR. You can pivot to your Chronicle SOAR Cases from the Chronicle application menu. For more information on Chronicle SOAR cases, see the Chronicle SOAR documentation.

Chronicle SOAR Playbooks

Chronicle SOAR Playbooks define a series of automatic steps taken when triggered by an incoming alert and can be used to investigate and respond to security issues. You can pivot to your Chronicle SOAR Playbooks from the Chronicle application menu. For more information on Chronicle SOAR Playbooks, see the Chronicle SOAR documentation.

The following default parsers have changed. Each is listed by product name and ingestion label, if applicable.

  • Akeyless Vault Platform (AKEYLESS_VAULT)
  • AWS Control Tower (AWS_CONTROL_TOWER)
  • AWS VPC Flow (AWS_VPC_FLOW)
  • Azure AD (AZURE_AD)
  • Azure AD Directory Audit (AZURE_AD_AUDIT)
  • Azure WAF (AZURE_WAF)
  • BeyondTrust Privileged Identity (BEYONDTRUST_PI)
  • Check Point (CHECKPOINT_FIREWALL)
  • Cisco Router (CISCO_ROUTER)
  • Cisco Wireless IPS (CISCO_WIPS)
  • Citrix Monitor (CITRIX_MONITOR)
  • CrowdStrike Falcon (CS_EDR)
  • Darktrace (DARKTRACE)
  • Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
  • EPIC Systems (EPIC)
  • F5 ASM (F5_ASM)
  • Forcepoint DLP (FORCEPOINT_DLP)
  • FortiGate (FORTINET_FIREWALL)
  • Google Cloud Audit (N/A)
  • Security Command Center (N/A)
  • HAProxy (HAPROXY)
  • InterSystems Cache (INTERSYSTEMS_CACHE)
  • Lenel Onguard Badge Management (LENEL_ONGUARD)
  • Microsoft Azure Resource (AZURE_RESOURCE_LOGS)
  • Microsoft Defender for Endpoint (MICROSOFT_DEFENDER_ENDPOINT)
  • Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
  • Microsoft IIS (IIS)
  • Netscout (ARBOR_EDGE_DEFENSE)
  • Netscout Arbor Sightline (ARBOR_SIGHTLINE)
  • Okta (OKTA)
  • Okta User Context (OKTA_USER_CONTEXT)
  • OpenSSH (OPENSSH)
  • Palo Alto Cortex XDR Alerts (CORTEX_XDR)
  • Palo Alto Networks Firewall (PAN_FIREWALL)
  • Proofpoint Tap Alerts (PROOFPOINT_MAIL)
  • Pulse Secure (PULSE_SECURE_VPN)
  • RSA NetWitness (RSA_NETWITNESS)
  • Sentinelone Alerts (SENTINELONE_ALERT)
  • Signal Sciences WAF (SIGNAL_SCIENCES_WAF)
  • Sourcefire (SOURCEFIRE_IDS)
  • Symantec Endpoint Protection (SEP)
  • Unix system (NIX_SYSTEM)
  • Vectra Stream (VECTRA_STREAM)
  • Versa Firewall (VERSA_FIREWALL)
  • WatchGuard (WATCHGUARD)
  • Wazuh (WAZUH)
  • Windows Defender ATP (WINDOWS_DEFENDER_ATP)
  • Zix Email Encryption (ZIX_EMAIL_ENCRYPTION)
  • Zoom Operation Logs (ZOOM_OPERATION_LOGS)

For details about changes in each parser, see Supported default parsers.

November 07, 2022

Chronicle Feed Management added support for the Sentinel One Alerts API. See the Feed Management documentation for information about how to configure this feed.

When downloading data to CSV file format from the Chronicle user interface, raw log data is now excluded unless you are using Raw Log Scan. For example, raw log data is no longer included when you download events.

This resolves an issue where downloading to CSV was failing.

November 02, 2022

Enhancements to the Detection Engine API

The StreamDetectionAlerts method in the Detection Engine API has been enhanced to return detections generated by both user-created rules and Chronicle Curated Detections. For more information about this method, see StreamDetectionAlerts.

November 01, 2022

The Ingestion API udmevents and createentities methods now accept both uppercase and lowercase characters in the following fields:

  • <Noun>.mac: defined when calling the udmevents method, where Noun is one of principal, src, target, observer, intermediary, or about.

  • entity.asset.mac: defined when calling the createentities method.

These fields are defined in the UDM record in the request body when calling the method. For more information about these methods, see Chronicle Ingestion API documentation. For more information about UDM fields, see the Unified Data Model field list.
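Because the API now accepts either case, a client-side pre-flight check only needs to verify the MAC format, not its case. The following is an added example (not part of the Chronicle Ingestion API or its client libraries) that walks the six noun paths of a udmevents body and the entity.asset.mac path of a createentities body and reports malformed values before the request is sent. The request-body shapes (an `events` list, an `entities` list with an `entity` sub-object) and the colon-separated six-octet format it enforces are assumptions of this example; adjust the pattern to whatever your log sources emit.

```python
import re
from typing import Any, Dict, List

NOUNS = ("principal", "src", "target", "observer", "intermediary", "about")
# Six colon-separated octets in either case (the API accepts both); assumption of this checker.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}$")


def _bad_macs(field_path: str, value: Any) -> List[str]:
    """One problem string per malformed MAC; `value` may be a string or a list of strings."""
    values = value if isinstance(value, list) else [value]
    return [f"{field_path}: {v!r} is not a MAC address"
            for v in values if not isinstance(v, str) or not MAC_RE.match(v)]


def check_udm_events(body: Dict[str, Any]) -> List[str]:
    """Pre-flight for a udmevents request body: validates every <Noun>.mac field."""
    problems: List[str] = []
    for i, event in enumerate(body.get("events", [])):
        for noun in NOUNS:
            noun_obj = event.get(noun)
            if isinstance(noun_obj, dict) and noun_obj.get("mac") is not None:
                problems += _bad_macs(f"events[{i}].{noun}.mac", noun_obj["mac"])
    return problems


def check_entities(body: Dict[str, Any]) -> List[str]:
    """Pre-flight for a createentities request body: validates entity.asset.mac."""
    problems: List[str] = []
    for i, item in enumerate(body.get("entities", [])):
        asset = item.get("entity", {}).get("asset", {})
        if isinstance(asset, dict) and asset.get("mac") is not None:
            problems += _bad_macs(f"entities[{i}].entity.asset.mac", asset["mac"])
    return problems


# Constructed sample bodies; customer_id is a placeholder, not a real value.
SAMPLE_UDM_EVENTS = {
    "customer_id": "CUSTOMER_ID_PLACEHOLDER",
    "events": [
        {"metadata": {"event_type": "NETWORK_CONNECTION"},
         "principal": {"mac": ["AA:BB:CC:DD:EE:01"]},   # uppercase, accepted
         "target": {"mac": ["aa:bb:cc:dd:ee:02"]}},     # lowercase, accepted
        {"metadata": {"event_type": "NETWORK_CONNECTION"},
         "src": {"mac": ["AABBCCDDEE03"]}},              # no separators: flagged here
    ],
}
SAMPLE_ENTITIES = {
    "customer_id": "CUSTOMER_ID_PLACEHOLDER",
    "log_type": "LOG_TYPE_PLACEHOLDER",
    "entities": [
        {"metadata": {"entity_type": "ASSET"},
         "entity": {"asset": {"hostname": "ws-01", "mac": ["00:1A:2b:3C:4d:5E"]}}},
    ],
}

if __name__ == "__main__":
    for name, problems in (("udmevents", check_udm_events(SAMPLE_UDM_EVENTS)),
                           ("createentities", check_entities(SAMPLE_ENTITIES))):
        print(name, "OK" if not problems else problems)
```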

October 31, 2022

Chronicle Feed Management added a hostname field to the configuration workflow of certain log types. The hostname field enables you to configure the API endpoint for the feed. If you do not define a value for this field, the following default values are used:

  • AzureAD (AZURE_AD) default hostname is graph.microsoft.com.
  • AzureADAudit (AZURE_AD_AUDIT) default hostname is graph.microsoft.com.
  • AzureADContext (AZURE_AD_CONTEXT) default hostname is graph.microsoft.com.
  • AzureMDMIntune (AZURE_MDM_INTUNE) default hostname is graph.microsoft.com.
  • MicrosoftGraphAlert (MICROSOFT_GRAPH_ALERT) default hostname is graph.microsoft.com.
  • MicrosoftSecurityCenterAlert (MICROSOFT_SECURITY_CENTER_ALERT) default hostname is management.azure.com.
  • Office365 (OFFICE_365) default hostname is manage.office.com.

Chronicle Feed Management API was also updated to support the hostname field for these log types.

October 27, 2022

Chronicle Feed Management added support for the CrowdStrike Detection API. See the Feed Management documentation for information about how to configure this feed.

October 19, 2022

The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.

  • 1Password (ONEPASSWORD)
  • Accellion (ACCELLION)
  • Akamai Cloud Monitor (AKAMAI_CLOUD_MONITOR)
  • AWS Cloudtrail (AWS_CLOUDTRAIL)
  • BeyondTrust (BOMGAR)
  • BeyondTrust Secure Remote Access (BEYONDTRUST_REMOTE_ACCESS)
  • Bitdefender (BITDEFENDER)
  • Blue Coat Proxy (BLUECOAT_WEBPROXY)
  • Carbon Black (CB_EDR)
  • Check Point (CHECKPOINT_FIREWALL)
  • CIS Albert Alerts (CIS_ALBERT_ALERT)
  • Cisco ASA (CISCO_ASA_FIREWALL)
  • Cisco FireSIGHT Management Center (CISCO_FIRESIGHT)
  • Cisco ISE (CISCO_ISE)
  • Cisco Meraki (CISCO_MERAKI)
  • Cloudflare (CLOUDFLARE)
  • CrowdStrike Detection Monitoring (CS_DETECTS)
  • CrowdStrike Falcon (CS_EDR)
  • CyberArk (CYBERARK)
  • Darktrace (DARKTRACE)
  • Forcepoint NGFW (FORCEPOINT_FIREWALL)
  • Forescout NAC (FORESCOUT_NAC)
  • FortiGate (FORTINET_FIREWALL)
  • Cloud Audit (N/A)
  • Cloud Identity Device Users (GCP_CLOUDIDENTITY_DEVICEUSERS)
  • Load Balancing (GCP_LOADBALANCING)
  • Google Chrome Browser Cloud Management (CBCM) (N/A)
  • IBM Guardium (GUARDIUM)
  • Ipswitch MOVEit Transfer (IPSWITCH_MOVEIT_TRANSFER)
  • Juniper (JUNIPER_FIREWALL)
  • Kaspersky AV (KASPERSKY_AV)
  • Linux Auditing System (AuditD) (AUDITD)
  • Microsoft Azure Resource (AZURE_RESOURCE_LOGS)
  • Microsoft Defender for Endpoint (MICROSOFT_DEFENDER_ENDPOINT)
  • Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
  • Microsoft IIS (IIS)
  • Microsoft Powershell (POWERSHELL)
  • Netfilter IPtables (NETFILTER_IPTABLES)
  • Netscout (ARBOR_EDGE_DEFENSE)
  • Netscout Arbor Sightline (ARBOR_SIGHTLINE)
  • Okta (OKTA)
  • Oracle (ORACLE_DB)
  • Palo Alto Networks Firewall (PAN_FIREWALL)
  • Palo Alto Prisma Access (PAN_CASB)
  • pfSense (PFSENSE)
  • PostFix Mail (POSTFIX_MAIL)
  • Proofpoint Email Filter (PROOFPOINT_MAIL_FILTER)
  • Pulse Secure (PULSE_SECURE_VPN)
  • Qualys VM (QUALYS_VM)
  • Sentinelone Alerts (SENTINELONE_ALERT)
  • SentinelOne EDR (SENTINEL_EDR)
  • Shrubbery TACACS+ (SHRUBBERY_TACACS)
  • Symantec Endpoint Protection (SEP)
  • Sysdig (SYSDIG)
  • Tanium Integrity Monitor (TANIUM_INTEGRITY_MONITOR)
  • Varonis (VARONIS)
  • VyOS Open Source Router (VYOS)
  • ZScaler DNS (ZSCALER_DNS)

For details about changes in each parser, see Supported default parsers.

October 14, 2022

There is now an additional parameter you can specify for Chronicle feeds, "display_name". This additional parameter can be specified and will be returned when using the following Feed Management API methods:

  • CreateFeed
  • DisableFeed
  • EnableFeed
  • GetFeed
  • ListFeeds
  • UpdateFeed

For additional information and examples, see Feed Management API.

October 13, 2022

Chronicle CLI provides a text-based interface to initiate all Chronicle user workflows, acting as an alternative to the graphical user interface for advanced users.

Access to fields stored as key-value pairs in Detection Engine rules

You can now create Detection Engine rules that include UDM fields stored as key-value pairs, such as the google.protobuf.Struct and Label data types. Using the map syntax, you access fields stored as the:

  • google.protobuf.Struct data type using syntax similar to $e.additional.fields["key"] = "value".

  • Label data type using syntax similar to $e.target.labels["key"] = "value".

For more details about the map syntax, see the YARA-L 2.0 language syntax.
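The rule syntax is the same for both data types, but the underlying JSON shapes differ: a google.protobuf.Struct such as additional.fields is a plain object, whereas a Label field such as target.labels is a list of {"key", "value"} objects. The following Python helper is an added example (not Chronicle's rule engine) that resolves the value a `$e.<path>["<key>"]` expression would read from a UDM event in JSON form, so you can check what a rule will see before writing it. The event content is constructed for the demonstration.

```python
from typing import Any, Dict, List, Optional


def udm_kv_lookup(event: Dict[str, Any], path: str, key: str) -> Optional[Any]:
    """Return the value that `$e.<path>["<key>"]` would resolve to, or None.

    `path` is a dotted UDM path ending at a key-value field. A Struct field
    (for example additional.fields) appears as a JSON object; a Label field
    (for example target.labels) appears as a list of {"key", "value"} objects.
    Example code, not the Chronicle implementation.
    """
    node: Any = event
    for part in path.split("."):
        if not isinstance(node, dict):
            return None
        node = node.get(part)
    if isinstance(node, dict):  # google.protobuf.Struct
        return node.get(key)
    if isinstance(node, list):  # repeated Label
        for label in node:
            if isinstance(label, dict) and label.get("key") == key:
                return label.get("value")
    return None


def rule_matches(event: Dict[str, Any]) -> bool:
    """Mirror of the rule condition
    $e.target.labels["env"] = "prod" and $e.additional.fields["auth_method"] = "sso"."""
    return (udm_kv_lookup(event, "target.labels", "env") == "prod"
            and udm_kv_lookup(event, "additional.fields", "auth_method") == "sso")


def matching_events(events: List[Dict[str, Any]]) -> List[int]:
    """Indexes of the events that satisfy rule_matches."""
    return [i for i, e in enumerate(events) if rule_matches(e)]


# Constructed sample events.
EVENTS = [
    {"metadata": {"event_type": "USER_LOGIN"},
     "additional": {"fields": {"auth_method": "sso", "retries": 3}},
     "target": {"labels": [{"key": "env", "value": "prod"},
                           {"key": "team", "value": "payments"}]}},
    {"metadata": {"event_type": "USER_LOGIN"},
     "additional": {"fields": {"auth_method": "password"}},
     "target": {"labels": [{"key": "env", "value": "prod"}]}},
    {"metadata": {"event_type": "USER_LOGIN"},
     "additional": {"fields": {"auth_method": "sso"}},
     "target": {"labels": [{"key": "env", "value": "dev"}]}},
]

if __name__ == "__main__":
    print("events matching the rule:", matching_events(EVENTS))
```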

October 06, 2022

Chronicle Feed Management for the Rapid7 Insight log type now enables you to configure the Rapid7 API endpoint.

A new field, called hostname, was added to the Rapid7 Insight configuration workflow. Use this field to change the API endpoint to any one of the supported Rapid7 regions by specifying a value that follows the pattern {region_id}.api.insight.rapid7.com. If you do not specify an endpoint, the default is us.api.insight.rapid7.com. The Chronicle Feed Management API was also updated to support a configurable value for the hostname field.

October 04, 2022

Chronicle Curated Detections has been enhanced with the following additional detection content:

  • Windows-based threats:
    • Living off the land (LotL): identifies tools native to Microsoft Windows operating systems that can be abused by threat actors for malicious purposes.
  • Cloud attacks and cloud misconfigurations:
    • Cloud Hacktool: detects activity from known offensive security platforms or tools used by threat actors that target resources on Google Cloud.
    • IAM Abuse: detects activity associated with abusing IAM roles and permissions to potentially escalate privilege or move laterally within a given Google Cloud project or across a Google Cloud organization.

October 03, 2022

The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.

  • Apache (APACHE)
  • Aruba (ARUBA_WIRELESS)
  • AWS GuardDuty (GUARDDUTY)
  • Azure AD Directory Audit (AZURE_AD_AUDIT)
  • Azure AD Organizational Context (AZURE_AD_CONTEXT)
  • BeyondTrust (BOMGAR)
  • Box (BOX)
  • Cisco Application Centric Infrastructure (CISCO_ACI)
  • Cisco Application Control Engine (CISCO_ACE)
  • Cisco ASA (CISCO_ASA_FIREWALL)
  • Cisco Email Security (CISCO_EMAIL_SECURITY)
  • Citrix Netscaler (CITRIX_NETSCALER)
  • Cloudflare WAF (CLOUDFLARE_WAF)
  • CrowdStrike Detection Monitoring (CS_DETECTS)
  • CrowdStrike Falcon (CS_EDR)
  • Crowdstrike IOC (CROWDSTRIKE_IOC)
  • F5 ASM (F5_ASM)
  • Fluentd Logs (FLUENTD)
  • FortiGate (FORTINET_FIREWALL)
  • Fortinet FortiAnalyzer (FORTINET_FORTIANALYZER)
  • Cloud Audit (N/A)
  • Cloud DNS (N/A)
  • Cloud Load Balancing (GCP_LOADBALANCING)
  • HCNET Account Adapter Plus (HCNET_ACCOUNT_ADAPTER)
  • Kong API Gateway (KONG_GATEWAY)
  • ManageEngine AD360 (MANAGE_ENGINE_AD360)
  • McAfee ePolicy Orchestrator (MCAFEE_EPO)
  • McAfee Web Gateway (MCAFEE_WEBPROXY)
  • McAfee Web Protection (MCAFEE_WEB_PROTECTION)
  • Microsoft Azure Activity (AZURE_ACTIVITY)
  • Mongo Database (MONGO_DB)
  • Office 365 (OFFICE_365)
  • Okta (OKTA)
  • OSQuery (OSQUERY_EDR)
  • OSSEC (OSSEC)
  • Palo Alto Networks Firewall (PAN_FIREWALL)
  • Red Canary (REDCANARY_EDR)
  • Snort (SNORT_IDS)
  • Squid Web Proxy (SQUID_WEBPROXY)
  • Symantec Endpoint Protection (SEP)
  • Tanium Asset (TANIUM_ASSET)
  • Tanium Stream (TANIUM_TH)
  • Windows Defender ATP (WINDOWS_DEFENDER_ATP)
  • Workday (WORKDAY)
  • Zeek JSON (BRO_JSON)

For details about changes in each parser, see Supported default parsers.

September 29, 2022

The following changes are available in the Unified Data Model:

For a list of all fields in the Unified Data Model, and their descriptions, see the Unified Data Model field list.

September 26, 2022

Context Aware Detections - Risk Dashboard

The Context Aware Detections - Risk dashboard provides insight into the current threat status of assets and users in your enterprise.

Contextual enrichment in events and entities

To enable a security investigation, Chronicle provides additional context about artifacts in a customer environment by calculating prevalence statistics and ingesting data from Safe Browsing threat lists related to file hashes. For more information, see:

September 21, 2022

ListAssetAliases and ListUserAliases

The ListAssetAliases and ListUserAliases API methods are now available as part of the Chronicle Search API. Use ListAssetAliases to list all the aliases of an asset in an enterprise and use ListUserAliases to list all the aliases of a user in an enterprise.

September 14, 2022

The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.

  • Apache (APACHE)
  • Barracuda WAF (BARRACUDA_WAF)
  • Bluecat DDI (BLUECAT_DDI)
  • Cisco Umbrella Cloud Firewall (UMBRELLA_FIREWALL)
  • Cisco Umbrella Web Proxy (UMBRELLA_WEBPROXY)
  • Cisco WLC/WCS (CISCO_WIRELESS)
  • CloudGenix SD-WAN (CLOUDGENIX_SDWAN)
  • Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
  • FortiGate (FORTINET_FIREWALL)
  • Cloud Audit (N/A)
  • Google Cloud Identity Context (CLOUD_IDENTITY_CONTEXT)
  • IBM Guardium (GUARDIUM)
  • IBM z/OS (IBM_ZOS)
  • Infoblox DNS (INFOBLOX_DNS)
  • Ipswitch SFTP (IPSWITCH_SFTP)
  • Kubernetes auth proxy logs (KUBERNETES_AUTH_PROXY)
  • Linux DHCP (LINUX_DHCP)
  • McAfee ePolicy Orchestrator (MCAFEE_EPO)
  • Microsoft Defender for Endpoint (MICROSOFT_DEFENDER_ENDPOINT)
  • NGINX (NGINX)
  • OSSEC (OSSEC)
  • pfSense (PFSENSE)
  • Ribbon Analytics Platform (RIBBON_ANALYTICS_PLATFORM)
  • Ruckus Networks (RUCKUS_WIRELESS)
  • Salesforce (SALESFORCE)
  • Sentinelone Alerts (SENTINELONE_ALERT)
  • SentinelOne Deep Visibility (SENTINEL_DV)
  • SentinelOne EDR (SENTINEL_EDR)
  • Trend Micro Deep Security (TRENDMICRO_DEEP_SECURITY)
  • VMware AirWatch (AIRWATCH)
  • VMware ESXi (VMWARE_ESX)
  • VMware Workspace ONE (VMWARE_WORKSPACE_ONE)
  • Zscaler (ZSCALER_WEBPROXY)

For details about changes in each parser, see Supported default parsers.

September 02, 2022

GetLog

The GetLog API method is now available as part of the Chronicle Search API. Use GetLog to retrieve a specific raw log using an event's UID.

September 01, 2022

The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.

  • Arcsight CEF (ARCSIGHT_CEF)
  • Aruba (ARUBA_WIRELESS)
  • AWS Security Hub (AWS_SECURITY_HUB)
  • Azure AD (AZURE_AD)
  • BeyondTrust (BOMGAR)
  • Bitdefender (BITDEFENDER)
  • Blue Coat Proxy (BLUECOAT_WEBPROXY)
  • Bluecat DDI (BLUECAT_DDI)
  • CA LDAP (CA_LDAP)
  • Check Point (CHECKPOINT_FIREWALL)
  • Cisco ACS (CISCO_ACS)
  • Cisco Router (CISCO_ROUTER)
  • Cisco UCM (CISCO_UCM)
  • Cisco Umbrella IP (UMBRELLA_IP)
  • Cisco Umbrella Web Proxy (UMBRELLA_WEBPROXY)
  • Cisco VPN (CISCO_VPN)
  • Cisco WLC/WCS (CISCO_WIRELESS)
  • CrowdStrike Falcon (CS_EDR)
  • Falco IDS (FALCO_IDS)
  • FireEye HX (FIREEYE_HX)
  • Forcepoint CASB (FORCEPOINT_CASB)
  • FortiGate (FORTINET_FIREWALL)
  • Cloud Load Balancing (GCP_LOADBALANCING)
  • Cloud Audit (N/A)
  • HP Aruba Clearpass (CLEARPASS)
  • Infoblox DNS (INFOBLOX_DNS)
  • Linux DHCP (LINUX_DHCP)
  • Microsoft Intune (AZURE_MDM_INTUNE)
  • Office 365 (OFFICE_365)
  • Open LDAP (OPENLDAP)
  • Ordr IoT (ORDR_IOT)
  • Palo Alto Networks Traps (PAN_EDR)
  • Pivotal (PIVOTAL)
  • Proofpoint Threat Response (PROOFPOINT_TRAP)
  • Red Hat OpenShift (REDHAT_OPENSHIFT)
  • Sophos Firewall Next Gen (SOPHOS_FIREWALL)
  • Sourcefire (SOURCEFIRE_IDS)
  • Suricata EVE (SURICATA_EVE)
  • Symantec Event export (SYMANTEC_EVENT_EXPORT)
  • Tanium Comply (TANIUM_COMPLY)
  • Vectra Detect (VECTRA_DETECT)
  • VMware ESXi (VMWARE_ESX)
  • Windows Event (WINEVTLOG)

For details about changes in each parser, see Supported default parsers.

The following changes are available in the Unified Data Model:

  • The ip_location field was added to Noun type.
  • The day_max_sub_domains field was added to the Prevalence type.
  • The source_type field was added to the EntityMetadata type.

For a list of all fields in the Unified Data Model, and their descriptions, see the Unified Data Model field list.

August 18, 2022

VirusTotal Context

Chronicle's integration with VirusTotal has been revised and enhanced. This feature enables you to pivot from finding domains linked to an asset in Chronicle to viewing information about that domain from VirusTotal. From a Chronicle event view, such as Asset view, Domain view, or IP Address view, click VT Context to open the VirusTotal Context window. Some of the VirusTotal information is only available to users with a VirusTotal Enterprise account.

Some of the older links in the Chronicle user interface to VirusTotal, for example the option in Asset view to display the first 50 results in VirusTotal Graph and the VirusTotal Insights results panel, have been removed. Clicking VT Context provides access to the same information and VirusTotal functionality, including access to VirusTotal Graph.

August 17, 2022

The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.

  • Akamai WAF (AKAMAI_WAF)
  • Arista Switch (ARISTA_SWITCH)
  • AWS CloudWatch (AWS_CLOUDWATCH)
  • AWS GuardDuty (GUARDDUTY)
  • AWS Macie (AWS_MACIE)
  • AWS Route 53 DNS (AWS_ROUTE_53)
  • AWS WAF (AWS_WAF)
  • Azure AD (AZURE_AD)
  • Azure AD Organizational Context (AZURE_AD_CONTEXT)
  • Bitdefender (BITDEFENDER)
  • Bluecat DDI (BLUECAT_DDI)
  • Centrify (CENTRIFY_SSO)
  • Check Point (CHECKPOINT_FIREWALL)
  • Cisco Application Centric Infrastructure (CISCO_ACI)
  • Cisco ISE (CISCO_ISE)
  • Custom DNS (CUSTOM_DNS)
  • Cylance Protect (CYLANCE_PROTECT)
  • Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
  • FireEye (FIREEYE_ALERT)
  • Forcepoint Proxy (FORCEPOINT_WEBPROXY)
  • FortiGate (FORTINET_FIREWALL)
  • IBM z/OS (IBM_ZOS)
  • Linux DHCP (LINUX_DHCP)
  • Microsoft AD FS (ADFS)
  • Microsoft Azure Resource (AZURE_RESOURCE_LOGS)
  • Microsoft Defender for Endpoint (MICROSOFT_DEFENDER_ENDPOINT)
  • Microsoft SQL Server (MICROSOFT_SQL)
  • Nasuni File Services Platform (NASUNI_FILE_SERVICES)
  • Palo Alto Prisma Cloud (PAN_PRISMA_CLOUD)
  • Ping Identity (PING)
  • Riverbed Steelhead (STEELHEAD)
  • SiteMinder Web Access Management (CA_SSO_WEB)
  • Snoopy Logger (SNOOPY_LOGGER)
  • Stormshield Firewall (STORMSHIELD_FIREWALL)
  • Symantec Endpoint Protection (SEP)
  • Tanium Stream (TANIUM_TH)
  • VMware ESXi (VMWARE_ESX)
  • VMware Horizon (VMWARE_HORIZON)
  • Windows Event (WINEVTLOG)
  • Windows Sysmon (WINDOWS_SYSMON)

For details about changes in each parser, see Supported default parsers.

Chronicle curated detections provide out-of-the-box threat detection content curated, built, and maintained by Google Cloud Threat Intelligence (GCTI) researchers. This release of curated detections covers the following range of threats:

  • Windows-based threats: Coverage for several classes of threats including infostealers, ransomware, RATs, misused software, and crypto activity.
  • Cloud attacks and cloud misconfigurations: Secure cloud workloads with additional coverage around exfiltration of data, suspicious behavior, and additional vectors.

August 16, 2022

Feed Management

You can now configure new data feeds for your Chronicle account using Feed Management. This feature makes it possible for you to set up your own data feeds without the assistance of Chronicle support personnel. You can set up new data feeds using either the Feed Management user interface or the Feed Management API. Chronicle returns error messages in the event you have misconfigured a feed and need to make changes.

August 08, 2022

The following changes are available in the Unified Data Model:

  • The File.ashash field was deprecated and replaced with the File.authentihash field.
  • The day_max field was added to the Prevalence type.

Descriptions of the File.FileType Enum values are now available in the Unified Data Model field list document.

For a list of all fields in the Unified Data Model, and their descriptions, see the Unified Data Model field list.

August 03, 2022

The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.

  • AWS Cloudtrail (AWS_CLOUDTRAIL)
  • AWS Route 53 DNS (AWS_ROUTE_53)
  • AWS S3 Server Access (AWS_S3_SERVER_ACCESS)
  • AWS WAF (AWS_WAF)
  • Box (BOX)
  • Cisco Switch (CISCO_SWITCH)
  • Citrix Storefront (CITRIX_STOREFRONT)
  • CrowdStrike Falcon (CS_EDR)
  • Dell OpenManage (DELL_OPENMANAGE)
  • F5 VPN (F5_VPN)
  • Falco IDS (FALCO_IDS)
  • Cloud SQL (GCP_CLOUDSQL)
  • Cloud VPC Flow (GCP_VPC_FLOW)
  • Imperva SecureSphere Management (IMPERVA_SECURESPHERE)
  • Linux Auditing System AuditD (AUDITD)
  • McAfee ePolicy Orchestrator (MCAFEE_EPO)
  • Microsoft Defender for Identity (MICROSOFT_DEFENDER_IDENTITY)
  • Netskope (NETSKOPE_ALERT)
  • NIMBLE OS (NIMBLE_OS)
  • Office 365 (OFFICE_365)
  • Oracle (ORACLE_DB)
  • Ping Identity (PING)
  • SentinelOne EDR (SENTINEL_EDR)
  • Snare System Diagnostic Logs (SNARE_SOLUTIONS)
  • Sophos AV (SOPHOS_AV)
  • Suricata EVE (SURICATA_EVE)
  • Symantec Endpoint Protection (SEP)
  • TeamViewer (TEAMVIEWER)
  • Vectra Stream (VECTRA_STREAM)
  • VMware ESXi (VMWARE_ESX)
  • Windows Defender ATP (WINDOWS_DEFENDER_ATP)
  • Windows Event (WINEVTLOG)
  • Workspace Activities (WORKSPACE_ACTIVITY)

For details about changes in each parser, see Supported default parsers.

July 29, 2022

Detection Engine now includes the following new features:

  • You can define an outcome section in single event rules. Previously, the outcome section was supported in multi-event rules only. If you have multi-event rules that use only one event variable, you can refactor them by deleting the match section to make them more performant. For an example rule, see YARA-L 2.0 language overview. For more detailed information about rule syntax, see YARA-L 2.0 language syntax.

  • In the existing condition section, you can now use variables defined in the outcome section. This enables you to filter on aggregates (variables in the outcome section can be defined using aggregate functions) and on the $risk_score outcome variable. For more detailed information about the condition section, see YARA-L 2.0 language syntax.

  • You can assign a placeholder variable to the result of a function call. You can then use the placeholder variable in other sections of the rule, such as the match section, outcome section, or condition section. For information about the syntax for function to placeholder assignments and any restrictions, see the YARA-L 2.0 language syntax.

July 28, 2022

The following changes are available in the Unified Data Model:

For a list of all fields in the Unified Data Model, and their descriptions, see the Unified Data Model field list.

July 26, 2022

Export filter for Cloud logs

Previously, you could export DNS and Cloud Audit logs using the Chronicle panel within the Google Cloud Console. You can now configure the default export filter to export additional log types. You can not only control the log types, but also the source projects producing these logs. Both inclusion and exclusion of logs are supported as well. In addition, semantic validation of the log filters can catch malformed log filters with invalid log types or identifiers. The filter language is defined by the Google logging query language that is shared with Cloud Logging.

For more information about the Export Log Filter Settings, see Exporting Google Cloud Logs to Chronicle.

July 21, 2022

The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.

  • Avanan Email Security (AVANAN_EMAIL)
  • AWS Cloudtrail (AWS_CLOUDTRAIL)
  • AWS GuardDuty (GUARDDUTY)
  • AWS VPC Flow (AWS_VPC_FLOW)
  • Barracuda Firewall (BARRACUDA_FIREWALL)
  • BeyondTrust Secure Remote Access (BEYONDTRUST_REMOTE_ACCESS)
  • Carbon Black (CB_EDR)
  • Centrify (CENTRIFY_SSO)
  • Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
  • Cisco ISE (CISCO_ISE)
  • CrowdStrike Falcon (CS_EDR)
  • CrowdStrike Falcon Stream (CS_STREAM)
  • Custom Security Data Analytics (CUSTOM_SECURITY_DATA_ANALYTICS)
  • Dell EMC Data Domain (DELL_EMC_DATA_DOMAIN)
  • Department of Homeland Security (DHS_IOC)
  • Elastic Audit Beats (ELASTIC_AUDITBEAT)
  • F5 VPN (F5_VPN)
  • FortiGate (FORTINET_FIREWALL)
  • Fortinet FortiNAC (FORTINET_FORTINAC)
  • Cloud Run (GCP_RUN)
  • GitHub (GITHUB)
  • Google Chrome Browser Cloud Management
  • HCL BigFix (HCL_BIGFIX)
  • HP Aruba (ClearPass) (CLEARPASS)
  • IBM Guardium (GUARDIUM)
  • Infoblox (INFOBLOX)
  • Infoblox DNS (INFOBLOX_DNS)
  • Kubernetes audit logs (KUBERNETES_AUDIT)
  • Linux Sysmon (LINUX_SYSMON)
  • McAfee ePolicy Orchestrator (MCAFEE_EPO)
  • Medigate IoT (MEDIGATE_IOT)
  • Microsoft AD FS (ADFS)
  • Nasuni File Services Platform (NASUNI_FILE_SERVICES)
  • Office 365 (OFFICE_365)
  • Okta (OKTA)
  • Ping Identity (PING)
  • PostFix Mail (POSTFIX_MAIL)
  • Proofpoint On Demand (PROOFPOINT_ON_DEMAND)
  • Proofpoint Tap Alerts (PROOFPOINT_MAIL)
  • SailPoint IAM (SAILPOINT_IAM)
  • SecureLink (SECURELINK)
  • SentinelOne EDR (SENTINEL_EDR)
  • ServiceNow CMDB (SERVICENOW_CMDB)
  • Suricata EVE (SURICATA_EVE)
  • Suricata IDS (SURICATA_IDS)
  • Symantec Web Isolation (SYMANTEC_WEB_ISOLATION)
  • Thales Luna Hardware Security Module (THALES_LUNA_HSM)
  • Thales MFA (THALES_MFA)
  • Uptycs EDR (UPTYCS_EDR)
  • Windows DNS (WINDOWS_DNS)
  • Windows Event (WINEVTLOG)
  • Workspace Activities (WORKSPACE_ACTIVITY)

For details about changes in each parser, see Supported default parsers.

July 06, 2022

The following supported default parsers have changed (listed by product name and ingestion label):

  • Azure DevOps Audit (AZURE_DEVOPS)
  • Bitdefender (BITDEFENDER)
  • CA Access Control (CA_ACCESS_CONTROL)
  • Carbon Black App Control (CB_APP_CONTROL)
  • Check Point (CHECKPOINT_FIREWALL)
  • Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
  • Cisco Router (CISCO_ROUTER)
  • Cloud Passage (CLOUD_PASSAGE)
  • Digital Guardian (DIGITALGUARDIAN_EDR)
  • ExtraHop RevealX (EXTRAHOP)
  • Forcepoint NGFW (FORCEPOINT_FIREWALL)
  • IBM DataPower Gateway (IBM_DATAPOWER)
  • IBM Guardium (GUARDIUM)
  • Imperva (IMPERVA_WAF)
  • Microsoft Azure Resource (AZURE_RESOURCE_LOGS)
  • Microsoft SQL Server (MICROSOFT_SQL)
  • Office 365 (OFFICE_365)
  • pfSense (PFSENSE)
  • Proofpoint On Demand (PROOFPOINT_ON_DEMAND)
  • Proofpoint Tap Alerts (PROOFPOINT_MAIL)
  • SonicWall (SONIC_FIREWALL)
  • Sophos UTM (SOPHOS_UTM)
  • VMware AirWatch (AIRWATCH)
  • VMware ESXi (VMWARE_ESX)
  • Workspace Activities (WORKSPACE_ACTIVITY)

For details about changes in each parser, see Supported default parsers.

The following new fields are available in the Unified Data Model:

  • The new fields prevalence, first_seen_time, and last_seen_time were added to the File object.
  • A new field, bounce_address, was added to the Email object.
  • A new field, artifact, was added to the Noun object. Artifact is a new object.
  • A new field, rolling_max_sub_domains, was added to the Prevalence object.
  • A new field, first_seen_time, was added to the User object.
  • The following new fields were added to the Smtp object:
    • helo
    • mail_from
    • rcpt_to
    • server_response
    • message_path
    • is_webmail
    • is_tls

For a list of all fields in the Unified Data Model, and their descriptions, see the Unified Data Model field list.

June 29, 2022

Chronicle Forwarder configuration on Linux has been split into two files. The <x>.conf file stores the configuration related to log ingestion. The <x>_auth.conf file stores the authentication credentials, which lets you restrict access to the credentials separately from the ingestion settings.

For more information, see Installing and configuring the forwarder on Linux.

June 22, 2022

The following supported default parsers have changed (listed by product name and ingestion label):

  • Akamai WAF (AKAMAI_WAF)
  • Aruba IPS (ARUBA_IPS)
  • Azure AD Directory Audit (AZURE_AD_AUDIT)
  • Carbon Black App Control (CB_APP_CONTROL)
  • Check Point (CHECKPOINT_FIREWALL)
  • Cisco ACS (CISCO_ACS)
  • Cisco Email Security (CISCO_EMAIL_SECURITY)
  • Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
  • Cisco ISE (CISCO_ISE)
  • Cisco Meraki (CISCO_MERAKI)
  • Citrix Netscaler (CITRIX_NETSCALER)
  • CloudM (CLOUDM)
  • CrowdStrike Falcon (CS_EDR)
  • EPIC Systems (EPIC)
  • Forescout NAC (FORESCOUT_NAC)
  • FortiGate (FORTINET_FIREWALL)
  • Cloud Compute (GCP_COMPUTE)
  • IBM DataPower Gateway (IBM_DATAPOWER)
  • Imperva (IMPERVA_WAF)
  • JAMF Protect (JAMF_PROTECT)
  • Linux Auditing System (AuditD) (AUDITD)
  • Microsoft Exchange (EXCHANGE_MAIL)
  • Netskope (NETSKOPE_ALERT)
  • Office 365 (OFFICE_365)
  • Okta (OKTA)
  • Preempt Alert (PREEMPT)
  • RSA (RSA_AUTH_MANAGER)
  • SentinelOne EDR (SENTINEL_EDR)
  • ServiceNow CMDB (SERVICENOW_CMDB)
  • Sourcefire (SOURCEFIRE_IDS)
  • Suricata IDS (SURICATA_IDS)
  • Symantec Web Isolation (SYMANTEC_WEB_ISOLATION)
  • Tripwire (TRIPWIRE_FIM)
  • Unix system (NIX_SYSTEM)
  • VMware AirWatch (AIRWATCH)
  • VMware ESXi (VMWARE_ESX)
  • VMware NSX (VMWARE_NSX)
  • WatchGuard (WATCHGUARD)
  • Workspace Alerts (WORKSPACE_ALERTS)
  • Zscaler (ZSCALER_WEBPROXY)

For details about changes in each parser, see Supported default parsers.

June 14, 2022

Enhancements to YARA-L 2.0 syntax in Detection Engine rules

We have enhanced the outcome section that can be used in Detection Engine rules.

  • We now support up to 10 outcome variables.
  • We now support integer and string data type outcome variables.
  • We have added new aggregate functions: count(), count_distinct(), array(), array_distinct()

For more details about the outcome section, see Outcome section syntax.

June 08, 2022

The following supported default parsers have changed (listed by product name and ingestion label):

  • Amazon Guardduty (GUARDDUTY)
  • Atlassian Jira (ATLASSIAN_JIRA)
  • AWS CloudFront (AWS_CLOUDFRONT)
  • AWS Cloudtrail (AWS_CLOUDTRAIL)
  • AWS CloudWatch (AWS_CLOUDWATCH)
  • AWS Config (AWS_CONFIG)
  • AWS Elastic Load Balancer (AWS_ELB)
  • AWS Key Management Service (AWS_KMS)
  • AWS VPC Flow (AWS_VPC_FLOW)
  • Check Point (CHECKPOINT_FIREWALL)
  • Cisco ACS (CISCO_ACS)
  • Cisco Email Security (CISCO_EMAIL_SECURITY)
  • CrowdStrike Falcon (CS_EDR)
  • Elastic Audit Beats (ELASTIC_AUDITBEAT)
  • Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
  • ESET Threat Intelligence (ESET_IOC)
  • F5 BIGIP LTM (F5_BIGIP_LTM)
  • Fastly WAF (FASTLY_WAF)
  • Cloud IOT (GCP_CLOUDIOT)
  • HCL BigFix (HCL_BIGFIX)
  • IBM z/OS (IBM_ZOS)
  • Imperva (IMPERVA_WAF)
  • Infoblox DNS (INFOBLOX_DNS)
  • Juniper IPS (JUNIPER_IPS)
  • Microsoft Azure Resource (AZURE_RESOURCE_LOGS)
  • Microsoft Defender for Endpoint (MICROSOFT_DEFENDER_ENDPOINT)
  • Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
  • Microsoft SQL Server (MICROSOFT_SQL)
  • Okta (OKTA)
  • Tanium Stream (TANIUM_TH)
  • Trend Micro AV (TRENDMICRO_AV)
  • Unix system (NIX_SYSTEM)
  • Windows Event (WINEVTLOG)
  • Zscaler (ZSCALER_WEBPROXY)

For details about changes in each parser, see Supported default parsers.

May 25, 2022

The following supported default parsers have changed, listed by product name and ingestion label:

  • Apache Hadoop (HADOOP)
  • Suricata IDS (SURICATA_IDS)
  • Cloud Compute (GCP_COMPUTE)
  • Elastic Audit Beats (ELASTIC_AUDITBEAT)
  • Cloudflare (CLOUDFLARE)
  • Proofpoint On Demand (PROOFPOINT_ON_DEMAND)
  • FortiGate (FORTINET_FIREWALL)
  • CSV Custom IOC (CSV_CUSTOM_IOC)
  • CrowdStrike Falcon (CS_EDR)
  • Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
  • CIS Albert Alerts (CIS_ALBERT_ALERT)
  • SonicWall (SONIC_FIREWALL)
  • Okta User Context (OKTA_USER_CONTEXT)
  • Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
  • Check Point (CHECKPOINT_FIREWALL)
  • Barracuda Email (BARRACUDA_EMAIL)
  • Microsoft Azure Activity (AZURE_ACTIVITY)
  • Carbon Black App Control (CB_APP_CONTROL)
  • OpenSSH (OPENSSH)
  • OneLogin (ONELOGIN_SSO)
  • Office 365 (OFFICE_365)
  • FireEye NX (FIREEYE_NX)
  • ExtraHop RevealX (EXTRAHOP)
  • Cisco Umbrella DNS (UMBRELLA_DNS)
  • Kaspersky AV (KASPERSKY_AV)
  • IBM Guardium (GUARDIUM)
  • F5 ASM (F5_ASM)
  • Cisco Email Security (CISCO_EMAIL_SECURITY)
  • Workspace Activities (WORKSPACE_ACTIVITY)
  • Forcepoint Proxy (FORCEPOINT_WEBPROXY)
  • Azure AD Organizational Context (AZURE_AD_CONTEXT)
  • Tanium Stream (TANIUM_TH)
  • Apache (APACHE)

For details about the changes in each parser, see Supported default parsers.

May 11, 2022

The following supported default parsers have changed (listed by product name and ingestion label):

  • ExtraHop RevealX (EXTRAHOP)
  • Imperva (IMPERVA_WAF)
  • Windows Event (WINEVTLOG)
  • Azure AD Organizational Context (AZURE_AD_CONTEXT)
  • Citrix Netscaler (CITRIX_NETSCALER)
  • Elastic Packet Beats (ELASTIC_PACKETBEATS)
  • Elastic Audit Beats (ELASTIC_AUDITBEAT)
  • Sendmail (SENDMAIL)
  • VMware vCenter (VMWARE_VCENTER)
  • AWS VPC Flow (AWS_VPC_FLOW)
  • Bluecat DDI (BLUECAT_DDI)
  • Cisco ACS (CISCO_ACS)
  • Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
  • Forcepoint Proxy (FORCEPOINT_WEBPROXY)
  • McAfee ePolicy Orchestrator (MCAFEE_EPO)
  • Office 365 (OFFICE_365)
  • Apple MacOS (MACOS)
  • Archer Integrated Risk Management (ARCHER_IRM)
  • Cisco Meraki (CISCO_MERAKI)
  • Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
  • IBM DB2 (DB2_DB)
  • Cisco ISE (CISCO_ISE)
  • F5 BIGIP LTM (F5_BIGIP_LTM)
  • Juniper Junos (JUNIPER_JUNOS)
  • Microsoft Exchange (EXCHANGE_MAIL)
  • VMware ESXi (VMWARE_ESX)
  • Digital Shadows SearchLight (DIGITAL_SHADOWS_SEARCHLIGHT)
  • Azure Firewall (AZURE_FIREWALL)
  • ForgeRock OpenAM (OPENAM)
  • FortiGate (FORTINET_FIREWALL)
  • ZScaler NGFW (ZSCALER_FIREWALL)
  • OpenVPN (OPEN_VPN)

For details about the changes in each parser, see Supported default parsers.

May 10, 2022

The following new fields are available in the Unified Data Model:

For a list of fields in the Unified Data Model, and descriptions, see the Unified Data Model field list.

April 27, 2022

The following supported default parsers have changed (listed by product name and ingestion label):

  • Apache Tomcat (TOMCAT)
  • Azure AD (AZURE_AD)
  • BIND (BIND_DNS)
  • Bitdefender (BITDEFENDER)
  • Blue Coat Proxy (BLUECOAT_WEBPROXY)
  • Cisco ACS (CISCO_ACS)
  • Cisco Email Security (CISCO_EMAIL_SECURITY)
  • Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
  • Cisco ISE (CISCO_ISE)
  • Citrix Netscaler (CITRIX_NETSCALER)
  • CrowdStrike Falcon (CS_EDR)
  • Darktrace (DARKTRACE)
  • Dell EMC Data Domain (DELL_EMC_DATA_DOMAIN)
  • Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
  • EPIC Systems (EPIC)
  • F5 ASM (F5_ASM)
  • Cloud Identity Device Users (GCP_CLOUDIDENTITY_DEVICEUSERS)
  • GMV Checker ATM Security (GMV_CHECKER)
  • HCL BigFix (HCL_BIGFIX)
  • Layer7 SiteMinder (SITEMINDER_SSO)
  • Microsoft Azure NSG Flow (AZURE_NSG_FLOW)
  • Microsoft Defender for Identity (MICROSOFT_DEFENDER_IDENTITY)
  • Microsoft Powershell (POWERSHELL)
  • Mobileiron (MOBILEIRON)
  • Office 365 (OFFICE_365)
  • Salesforce (SALESFORCE)
  • SecureAuth (SECUREAUTH_SSO)
  • SentinelOne EDR (SENTINEL_EDR)
  • Windows Event (WINEVTLOG)
  • Workspace Activities (WORKSPACE_ACTIVITY)
  • ZScaler NGFW (ZSCALER_FIREWALL)

For details about the changes in each parser, see Supported default parsers.

Chronicle now supports the following functions in Detection Engine rules:

  • strings.concat(a, b)
  • strings.to_lower(stringText)
  • strings.to_upper(stringText)
  • strings.base64_decode(encodedString)
  • re.capture(stringText, regex)
  • re.replace(stringText, replaceRegex, replacementText)
  • timestamp.get_minute(unix_seconds [, time_zone])
  • timestamp.get_hour(unix_seconds [, time_zone])
  • timestamp.get_day_of_week(unix_seconds [, time_zone])
  • timestamp.get_week(unix_seconds [, time_zone])
  • timestamp.current_seconds()
  • math.abs(intExpression)

For more information about these functions, see YARA-L 2.0 language syntax.
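The rule below is an added example, not a rule from the Chronicle documentation. It uses two of the functions listed above, re.capture() and timestamp.get_hour(), together with the function-to-placeholder assignment described in the YARA-L 2.0 notes earlier on this page: each function result is bound to a placeholder, and the placeholders are then used in the match, outcome and condition sections. The UDM field paths, the 10-minute window, the threshold of 100 names, the time zone and the "last two labels" approximation of a registered domain are assumptions for illustration. Validate the rule with the VerifyRule API or the Rules Editor before enabling it, since the exact set of allowed placeholder uses is defined by the YARA-L 2.0 syntax reference.

```yara-l
rule dns_many_names_under_one_domain {
  meta:
    author = "added example"
    description = "One host resolving many distinct names under a single domain in a short window"
    severity = "LOW"

  events:
    $dns.metadata.event_type = "NETWORK_DNS"
    $dns.principal.hostname = $host

    // Placeholder assigned from a function call: the last two DNS labels of the
    // queried name. Assumption for illustration only; it does not handle
    // multi-label public suffixes such as co.uk.
    $domain = re.capture($dns.network.dns.questions.name, `([^.]+\.[^.]+)\.?$`)

    // Placeholder assigned from a timestamp function: local hour of the query
    // in an assumed site time zone.
    $hour = timestamp.get_hour($dns.metadata.event_timestamp.seconds, "Europe/London")

  match:
    // A function-derived placeholder used as a match variable: events are
    // grouped per host and per extracted domain.
    $host, $domain over 10m

  outcome:
    $distinct_names = count_distinct($dns.network.dns.questions.name)
    // A function-derived placeholder used in the outcome section: 1 if any
    // query in the group happened outside 07:00-19:00 local time, else 0.
    $after_hours = max(if($hour < 7 or $hour > 19, 1, 0))

  condition:
    $dns and $distinct_names > 100
}
```

The condition references an outcome variable, so the detection only fires once more than 100 distinct names have been seen under one extracted domain from one host within the window; $after_hours is carried on the detection as context rather than used as a trigger.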

April 26, 2022

The Chronicle Container Registry key is no longer needed and has been removed. The corresponding documentation on the Container Registry key for the Linux version of the Chronicle Forwarder has also been removed.

April 25, 2022

Rules run frequency

Rules can now be run at different frequencies. Rule run frequency impacts the latency with which detections are discovered for each rule. Longer run frequencies increase the amount of time between when an event occurs and when a detection is processed for that event. Rules with a window size of at least one hour are limited to either 1 hour or 24 hour run frequencies.

April 15, 2022

Chronicle Detection Engine now supports the min() function and subtraction operator in the outcome section of a rule.
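The rule below is an added example, not a rule from the Chronicle documentation. It exercises the outcome-section features announced on June 14, 2022 and April 15, 2022 together: integer outcome variables from count() and count_distinct(), de-duplicated string lists from array_distinct(), and a duration obtained by subtracting a min() aggregate from a max() aggregate. The login field paths, the use of security_result.action to separate failures from successes, the 30-minute window and the threshold of ten failures are assumptions for illustration; validate the rule with the VerifyRule API or the Rules Editor before enabling it.

```yara-l
rule login_failures_then_success {
  meta:
    author = "added example"
    description = "Repeated failed logins for a user followed by a successful login within 30 minutes"
    severity = "HIGH"

  events:
    $fail.metadata.event_type = "USER_LOGIN"
    $fail.security_result.action = "BLOCK"
    $fail.target.user.userid = $user

    $ok.metadata.event_type = "USER_LOGIN"
    $ok.security_result.action = "ALLOW"
    $ok.target.user.userid = $user

    // Require the success to come after a failure; event order within the
    // window is not otherwise enforced.
    $fail.metadata.event_timestamp.seconds < $ok.metadata.event_timestamp.seconds

  match:
    $user over 30m

  outcome:
    // Integer outcome variables.
    $failed_attempts = count($fail.metadata.id)
    $distinct_sources = count_distinct($fail.principal.ip)

    // Subtraction of two aggregates: seconds from the first failure to the
    // last success in the group.
    $seconds_to_success = max($ok.metadata.event_timestamp.seconds) - min($fail.metadata.event_timestamp.seconds)

    // String-list outcome variables, de-duplicated, attached to the detection
    // so the analyst sees where the attempts came from.
    $failed_sources = array_distinct($fail.principal.ip)
    $success_sources = array_distinct($ok.principal.ip)

  condition:
    #fail >= 10 and $ok
}
```

Five outcome variables are used here, within the limit of ten. Because outcome variables may be referenced in the condition section, the event-count check could equally be written as $failed_attempts >= 10 and $ok.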

April 13, 2022

The following supported default parsers have changed (listed by ingestion label):

  • AKAMAI_WAF
  • ARUBA_WIRELESS
  • AWS_CLOUDTRAIL
  • AWS_CONFIG
  • AZURE_AD_CONTEXT
  • AZURE_COSMOS_DB
  • BITDEFENDER
  • CA_ACCESS_CONTROL
  • CASSANDRA
  • CISCO_EMAIL_SECURITY
  • CISCO_FIREPOWER_FIREWALL
  • CISCO_ISE
  • CISCO_MERAKI
  • CISCO_TACACS
  • CS_EDR
  • D3_BANKING
  • ELASTIC_WINLOGBEAT
  • FILEZILLA_FTP
  • GCP_CLOUDIDENTITY_DEVICES
  • GCP_CLOUDIDENTITY_DEVICEUSERS
  • GMV_CHECKER
  • GUARDDUTY
  • GUARDIUM
  • IIS
  • INFOBLOX_DHCP
  • KASPERSKY_AV
  • KEA_DHCP
  • MCAFEE_DLP
  • MCAFEE_EPO
  • MICROSOFT_DEFENDER_ENDPOINT
  • NETSKOPE_WEBPROXY
  • OFFICE_365
  • OKTA
  • OKTA_USER_CONTEXT
  • ONELOGIN_SSO
  • ORDR_IOT
  • PAN_FIREWALL
  • PROOFPOINT_ON_DEMAND
  • PULSE_SECURE_VPN
  • RH_ISAC_IOC
  • SALESFORCE
  • SERVICENOW_CMDB
  • SLACK_AUDIT
  • SOPHOS_UTM
  • SYMANTEC_EDR
  • TANIUM_TH
  • UMBRELLA_DNS
  • UNIFI_AP
  • VANDYKE_SFTP
  • VMWARE_ESX
  • VMWARE_VREALIZE
  • WINDOWS_DHCP
  • WINDOWS_DNS
  • WINDOWS_SYSMON
  • WORKSPACE_ACTIVITY
  • WORKSPACE_ALERTS
  • WORKSPACE_USERS

For details about the changes in each parser, see Supported default parsers.

April 07, 2022

Exporting Google Cloud Logs to Chronicle

There are now lists of the specific Google Cloud Logs and Google Cloud Asset Metadata that are exported to Chronicle when you enable Google Cloud log ingestion.

February 15, 2022

DeleteSubject

The DeleteSubject method has been added to the Chronicle Role-Based Access Control (RBAC) API. DeleteSubject enables you to remove user and group role assignments.

February 08, 2022

Chronicle Forwarder

For the Chronicle Forwarder to function properly, an additional outbound firewall rule allowing the forwarder to reach the host oauth2.googleapis.com is needed. This information has been added to both the Windows and Linux versions of the Forwarder documentation.

December 14, 2021

Role-based access control (RBAC)

Role-based access control (RBAC) enables you to tailor access to Chronicle features based on an employee's role in the organization. Assigning a role to a user grants that user the permissions associated with the role, which enables the user to access role-appropriate Chronicle features.

December 08, 2021

Dashboards

Chronicle provides a set of default dashboards to monitor data ingestion status, health, rule detection context, IOC matches and alert prioritization, and user sign-ins. Reporting is available by converting a dashboard to a shareable file (PDF, Excel, CSV, etc.). You can also create custom personal and shared dashboards.

November 19, 2021

New documentation describes Chronicle's recommendations for writing rules in YARA-L.

October 15, 2021

Detection Engine API

The ListDetections method has been updated to allow customers to list detections efficiently across rule versions and rules by either detection timestamp or commit timestamp. Parameters originally used to list detections by detection timestamp will eventually be deprecated.

September 28, 2021

Uppercase has been rebranded as Google Cloud Threat Intelligence (GCTI).

September 22, 2021

The Linux Forwarder has been enhanced to support load balancing and high-availability. This enables you to deploy the forwarder in an environment where a Layer 4 load balancer is installed between syslog data sources and forwarder instances.

July 13, 2021

New documentation to support Chronicle data ingestion planning

You can now find information about Chronicle supported default parsers.

Supported default parsers provides information about which ingestion labels (LogTypes) also support a default parser. You can find the supported data format (KV, JSON, CEF, etc), the parser category, and when the default parser was last updated.

July 01, 2021

Asset Namespaces

The asset namespaces feature enables you to classify categories of assets sharing a common network environment, or namespace, and then perform searches for those assets within the Chronicle user interface based on that namespace. See also the Linux Forwarder documentation for information on how to configure the Forwarder to add namespaces to your security data before it is ingested into your Chronicle account.

Linux Forwarder Updates

The Linux Forwarder has been enhanced with the following additional capabilities:

Disk Buffering—Disk buffering enables you to buffer backlogged messages to disk instead of in memory, so that backlogged messages survive a crash of the forwarder or of the underlying host.

Regular Expression Filters—Regular expression filters enable you to filter logs based on regular expression matches.

Arbitrary labels—Use labels to attach arbitrary metadata to logs using key and value pairs.

Namespaces—Use namespace labels to identify logs from distinct network segments and to deconflict overlapping IP addresses.

Kafka Input—You can ingest data from Kafka topics just as you can from syslog. Consumer groups are used so that up to 3 forwarders can pull data from the same Kafka topic.

June 30, 2021

Downloading Events

You can download large numbers of the events associated with each threat detection as a CSV file, enabling you to search across a broad set of the data stored in your Chronicle account to hunt for security issues.

June 28, 2021

Detection Engine API

The VerifyRule method has been added to the Detection Engine API. This method verifies that a rule is a valid YARA-L 2.0 rule without creating a new rule or evaluating it over data.

June 21, 2021

Uppercase Alerts

For Chronicle customers who are also Uppercase customers, Uppercase alerts are now displayed on the Enterprise Insights page. Uppercase alerts are derived from both Google's internal threat detection infrastructure and research provided by Uppercase security analysts.

You can view these alerts in Uppercase Alert view. This view also enables you to provide feedback that can be shared with your own security team and with Uppercase.

You can also use the Uppercase API to retrieve alerts from your Chronicle account.

June 01, 2021

Chronicle Automated Google Cloud Log Ingestion

Google Cloud customers can now send logs directly to their Chronicle account. Customers can send both Cloud Audit and Cloud DNS logs. See Ingesting Google Cloud Logs in to Chronicle for more information.

May 15, 2021

Archive Rules

You can now archive rules specified for the Detection Engine. Archiving a rule hides the security data related to that rule (and all of its versions) without actually deleting the rule. See Archive rules for more information.

April 23, 2021

Supported Data Sets

Chronicle can now ingest and parse data from the following additional systems and services:

  • Aruba Airwave
  • Blue Coat Proxy
  • Brocade ServerIron ADX
  • CIS Albert Alerts
  • Cisco Application Control Engine
  • Cisco Email Security
  • Cisco NX-OS
  • Citrix StoreFront
  • Cofense Triage
  • Comodo
  • Fidelis Network
  • FireEye NX
  • Honeyd
  • Kemp Load Balancer
  • Kyriba Treasury Management
  • Microsoft Intune
  • MySQL
  • Palo Alto Networks Cortex XDR
  • Red Canary EDR
  • ServiceNow CMDB
  • Symantec VIP Enterprise Gateway
  • Tanium Discover
  • Tripwire File Integrity Monitoring

January 25, 2021

  • Chronicle Detection Engine

    Enables customers to automate the process of searching across their data for security issues. You can specify Rules to search all of your data and notify you when potential and known threats appear in your enterprise. For more information on the Chronicle Detection Engine, see the following:

    • Chronicle Detection Engine UI: The Chronicle Detection Engine is integrated within the Chronicle UI. It includes the Rules Dashboard for monitoring Rule activity and the Rules Editor, enabling you to create, test, and activate new Rules.

    • Chronicle Detection Engine API: The Chronicle Detection Engine API enables you to programmatically modify and operate all of the Detection Engine functionality that is also provided by the Detection Engine UI.

    • YARA-L 2.0: Use the YARA-L 2.0 language to specify Rules for the Detection Engine.

September 02, 2020

  • Chronicle User View

    Enables customers to better understand how users within an enterprise might be impacted by security events. By focusing on the behavior of individual users, security administrators can search for activity indicating an account compromise or other security concern.

June 12, 2020

  • Chronicle Rules Engine API

    The Chronicle Rules Engine API now includes the StreamRuleNotifications method. This method enables you to continuously receive rules engine results over an HTTP stream as the results are discovered. Contact your Chronicle representative for more information.

  • Chronicle API Query Limits

    The query limits for the Chronicle Search API calls are now documented.

  • Chronicle Tooling and Management APIs

    The query limits for the Chronicle Tooling and Management API calls are now documented. Contact your Chronicle representative for more information.

  • Supported Data Sets

    Chronicle can now ingest and parse data from the following additional systems and services:

    • Access Management—Added support for OpenAM.
    • Audit—Added support for ManageEngine ADAudit Plus.
    • Authentication—Added support for Preempt, Symantec SiteMinder, and Thycotic.
    • Badging—Added support for Honeywell Pro-Watch.
    • Cloud—Added support for Microsoft Cloud Access Security Broker (CASB) and Salesforce.
    • DHCP—Added support for Linux DHCP Server.
    • Hypervisor—Added support for VMware ESXi JSON.
    • Intrusion Detection and Prevention—Added support for Juniper Intrusion Prevention System (IPS).
    • Security Management—Added support for AlgoSec, BeyondTrust, and DMP Entré.
    • Server—Added support for Microsoft Internet Information Services (IIS) and Microsoft SQL Server.

May 15, 2020

  • Chronicle Rules Engine API

    The Chronicle Rules Engine API now includes the Live Rules API. The Live Rules API enables you to run and manage security rules in real time. Once activated, a Live Rule monitors your incoming logs for threats until it is deleted or disabled. Contact your Chronicle representative for more information.

  • UDM Reference

    Location Metadata—Added the location metadata fields.

  • Supported Data Sets

    Chronicle can now ingest and parse data from the following additional systems and services:

    • ATP—Added support for Microsoft Defender ATP.
    • Antivirus—Added support for Bitdefender and Trend Micro.
    • Authentication—Added support for Cisco ACS and RSA Authentication Manager version 8.1.
    • EDR—Added support for Digital Guardian.
    • IDM and PAM—Added support for Cyberark.
    • NAC—Added support for Forescout.
    • VPN—Added support for Zscaler.

May 08, 2020

  • Chronicle Tooling API

    Helps partners to develop new parsers to normalize new log data types. Contact your Chronicle representative for more information.

  • Supported Data Sets

    Chronicle can now ingest and parse data from the following additional systems and services:

    • Alerts—Added support for Suricata.
    • Antivirus—Added support for Cisco.
    • Application—Added support for Microsoft Office 365.
    • Authentications—Added support for Aruba ClearPass, Cisco ISE, and Duo.
    • Deception—Added support for Acalvio.
    • EDR—For Red Canary customers, Chronicle can ingest EDR logs from Endgame.
    • Endpoint—Added support for McAfee ePolicy Orchestrator.
    • Firewall—Added support for Zscaler.
    • IoC—Added support for Emerging Threats Pro.
    • Router—Added support for Cisco.
    • SaaS—Added support for Cloudflare and Google G Suite Audit.
    • Switch—Added support for Cisco.
    • VPN—Added support for Pulse Connect Secure.

March 30, 2020

  • Chronicle User Guide

    Column sort—You can now sort columns on the Enterprise Insights page and from the Timeline sidebar lists.

  • Supported Data Sets

    Chronicle can now ingest and parse data from the following additional systems and services:

    • DHCP—Added support for Elastic Packetbeat.
    • DNS—Added support for Elastic Packetbeat.
    • EDR—Added support for ESET.
    • Mail Gateway—Added support for Barracuda Email Security and Mimecast Email Security.
    • Web Application Firewall—Added support for Citrix Netscaler.

March 19, 2020

  • Supported Data Sets

    Chronicle can now ingest and parse data from the following additional systems and services:

    • Traffic Management—Added support for F5 Big-IP Local Traffic Manager (LTM).
    • Unified Threat Management—Added support for Cisco Meraki.

January 01, 2020

  • Chronicle Partner Ingestion API

    Added the udmevents endpoint to enable you to send UDM events in batches.

  • Chronicle Search API

    Enables you to programmatically access your security data directly through API calls to Chronicle.

December 01, 2019

  • Chronicle Unified Data Model

    Describes how to generate properly constructed UDM events for consumption by Chronicle's cyber-security analytics platform.

July 01, 2019

  • Raw Log Scan

    Enables you to examine your raw unparsed logs.

  • Regular Expressions

    Enables you to search your raw logs using regular expressions.

  • Hash View

    Enables you to search for and investigate files based on their hash value.

June 01, 2019

  • Chronicle Data Flow Overview

    Information on how customer security data flows from customers to Chronicle and how Chronicle handles that data.

May 01, 2019

  • Chronicle Partner Ingestion API

    Enables you to forward raw logs directly to Chronicle.

March 01, 2019

  • Enterprise Insights

    Now includes the Procedural Filtering menu and lists all of the Assets with Alerts within your enterprise.

  • Viewing EDR Data in the Timeline

    Viewing Endpoint Detection and Response (EDR) data in the timeline.

  • Domain Context

    Analytics and insights from VirusTotal, EmergingThreats, WHOIS, and Department of Homeland Security's (DHS) Automated Indicator Sharing (AIS) data sources.

  • Investigating Domains and IP Addresses

    Searching for external IP addresses and URLs.

  • Chronicle Chrome Extension

    Search for indicators using the Chrome extension.