Chronicle SIEM release notes

The following supported default parsers have changed. Each is listed by product name and log_type value, if applicable.

• AWS Cloudtrail (AWS_CLOUDTRAIL)
• Azure AD (AZURE_AD)
• Azure AD Directory Audit (AZURE_AD_AUDIT)
• Azure AD Organizational Context (AZURE_AD_CONTEXT)
• Azure Application Gateway (AZURE_GATEWAY)
• Azure DevOps Audit (AZURE_DEVOPS)
• Blue Coat Proxy (BLUECOAT_WEBPROXY)
• Chrome Management (N/A)
• Cisco ASA (CISCO_ASA_FIREWALL)
• Cisco ISE (CISCO_ISE)
• Cisco Wireless IPS (CISCO_WIPS)
• Citrix Netscaler (CITRIX_NETSCALER)
• Clearswift (CLEARSWIFT)
• Cloud Audit Logs (N/A)
• Cloud Load Balancing (GCP_LOADBALANCING)
• Cloud SQL (GCP_CLOUDSQL)
• Cloudflare (CLOUDFLARE)
• Corelight (CORELIGHT)
• CrowdStrike Falcon (CS_EDR)
• Cyberark Privilege Cloud (CYBERARK_PRIVILEGE_CLOUD)
• Darktrace (DARKTRACE)
• Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
• Evision FircoSoft (EVISION_FIRCOSOFT)
• Fluentd Logs (FLUENTD)
• FortiGate (FORTINET_FIREWALL)
• HPE ILO (HPE_ILO)
• IBM WebSEAL (IBM_WEBSEAL)
• Jamf Protect Telemetry (JAMF_TELEMETRY)
• Jenkins (JENKINS)
• JumpCloud Directory Insights (JUMPCLOUD_DIRECTORY_INSIGHTS)
• Juniper MX Router (JUNIPER_MX)
• Kubernetes Node (KUBERNETES_NODE)
• Linux Auditing System (AuditD) (AUDITD)
• Mandiant Custom IOC (MANDIANT_CUSTOM_IOC)
• Microsoft CASB (MICROSOFT_CASB)
• Microsoft Exchange (EXCHANGE_MAIL)
• Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
• Nokia Router (NOKIA_ROUTER)
• Ntopng (NTOPNG)
• Office 365 (OFFICE_365)
• OpenVPN (OPEN_VPN)
• Opnsense (OPNSENSE)
• OSQuery (OSQUERY_EDR)
• OSSEC (OSSEC)
• Palo Alto Networks Firewall (PAN_FIREWALL)
• Radware Web Application Firewall (RADWARE_FIREWALL)
• RH-ISAC (RH_ISAC_IOC)
• Security Command Center Threat (N/A)
• Sierra Wireless (SIERRA_WIRELESS)
• Signal Sciences WAF (SIGNAL_SCIENCES_WAF)
• Sophos Firewall (Next Gen) (SOPHOS_FIREWALL)
• Splunk Platform (SPLUNK)
• Suricata IDS (SURICATA_IDS)
• Symantec Endpoint Protection (SEP)
• Teleport Access Plane (TELEPORT_ACCESS_PLANE)
• Ubiquiti UniFi Switch (UBIQUITI_SWITCH)
• VMware NSX (VMWARE_NSX)
• Vsftpd (VSFTPD)
• WatchGuard (WATCHGUARD)
• Windows Defender ATP (WINDOWS_DEFENDER_ATP)
• Windows DHCP (WINDOWS_DHCP)
• Windows DNS (WINDOWS_DNS)
• Windows Event (WINEVTLOG)
• Windows Event (XML) (WINEVTLOG_XML)
• Windows Sysmon (WINDOWS_SYSMON)
• Workspace Activities (WORKSPACE_ACTIVITY)
• Workspace Alerts (WORKSPACE_ALERTS)
• Workspace ChromeOS Devices (WORKSPACE_CHROMEOS)
• Workspace Groups (WORKSPACE_GROUPS)
• Workspace Mobile Devices (WORKSPACE_MOBILE)
• Workspace Privileges (WORKSPACE_PRIVILEGES)
• Workspace Users (WORKSPACE_USERS)
• Zeek JSON (BRO_JSON)
• Zscaler (ZSCALER_WEBPROXY)

The following log types, without a default parser, were added. Each is listed by product name and log_type value, if applicable.

• No new log types were added.

For a list of supported log types and details about default parser changes, see Supported log types and default parsers.

The following supported default parsers have changed. Each is listed by product name and log_type value, if applicable.

• Abnormal Security (ABNORMAL_SECURITY)
• Akamai Enterprise Application Access (AKAMAI_EAA)
• Atlassian Confluence (ATLASSIAN_CONFLUENCE)
• Atlassian Jira (ATLASSIAN_JIRA)
• AWS Aurora (AWS_AURORA)
• AWS Cloudtrail (AWS_CLOUDTRAIL)
• Bitwarden Events (BITWARDEN_EVENTS)
• Check Point Harmony (CHECKPOINT_HARMONY)
• Cisco Router (CISCO_ROUTER)
• Cisco Switch (CISCO_SWITCH)
• Cisco Umbrella DNS (UMBRELLA_DNS)
• Cloud Audit Logs (N/A)
• Dell Switch (DELL_SWITCH)
• Elastic Search (ELASTIC_SEARCH)
• Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
• F5 ASM (F5_ASM)
• FireEye (FIREEYE_ALERT)
• Firewall Rule Logging (N/A)
• IBM DataPower Gateway (IBM_DATAPOWER)
• Infoblox (INFOBLOX)
• Jamf Protect Alerts (JAMF_PROTECT)
• Juniper (JUNIPER_FIREWALL)
• Lacework Cloud Security (LACEWORK)
• Linux Sysmon (LINUX_SYSMON)
• Medigate IoT (MEDIGATE_IOT)
• Microsoft Sentinel (MICROSOFT_SENTINEL)
• Netskope (NETSKOPE_ALERT)
• Openpath (OPENPATH)
• Palo Alto Cortex XDR Alerts (CORTEX_XDR)
• Proofpoint Observeit (OBSERVEIT)
• Proofpoint On Demand (PROOFPOINT_ON_DEMAND)
• Pulse Secure (PULSE_SECURE_VPN)
• Pulse Secure Virtual Traffic Manager (PULSE_SECURE_VTM)
• SentinelOne EDR (SENTINEL_EDR)
• Sophos Firewall (Next Gen) (SOPHOS_FIREWALL)
• SpyCloud (SPYCLOUD)
• Stealthbits Defend (STEALTHBITS_DEFEND)
• Stealthbits PAM (STEALTHBITS_PAM)
• STIX Threat Intelligence (STIX)
• Symantec Endpoint Protection (SEP)
• Symantec Event export (SYMANTEC_EVENT_EXPORT)
• Tenable Active Directory Security (TENABLE_ADS)
• Unix system (NIX_SYSTEM)
• VMware vCenter (VMWARE_VCENTER)
• Windows Event (XML) (WINEVTLOG_XML)
• Zscaler (ZSCALER_WEBPROXY)

The following log types, without a default parser, were added. Each is listed by product name and log_type value, if applicable.

• Aruba Orchestrator (ARUBA_ORCHESTRATOR)
• AWS Shield (AWS_SHIELD)
• Azure DNS logs (AZURE_DNS)
• Backbox (BACKBOX)
• Bitvise SSHd (BITVISE_SSHD)
• Cylera IOT (CYLERA_IOT)
• Druva Backup (DRUVA_BACKUP)
• Ensono Cloud Mainframe Solution (ENSONO)
• xtreme Networks ExtremeControl NAC Solution (EXTREME_CONTROL)
• EzProxy (EZPROXY)
• Github Events (GITHUB_EVENTS)
• Glean (GLEAN)
• ISM Xtraction (IVANTI_XTRACTION)
• Lira (LIRA)
• LogonBox (LOGONBOX)
• Mandiant Custom IOC (MANDIANT_CUSTOM_IOC)
• Monday (MONDAY)
• Onapsis (ONAPSIS)
• Opentelemetry (OPENTELEMETRY)
• Opswat Kiosk (OPSWAT_KIOSK)
• Outpost24 (OUTPOST24)
• Pentera Leef (PENTERA_LEEF)
• Phishlabs (PHISHLABS)
• Portnix Audit (PORTNOX_AUDIT)
• Portnix CEF (PORTNOX_CEF)
• Proofpoint Sendmail Sentrion (PROOFPOINT_SENDMAIL_SENTRION)
• SAP SM20 (SAP_SM20)
• Splunk Attack Analyzer (SPLUNK_ATTACK_ANALYZER)
• Stellar Cyber (STELLAR_CYBER)
• Talon (TALON)
• Teradici PCoIP (TERADICI_PCOIP)
• TrendMicro Apex Central (TRENDMICRO_APEX_CENTRAL)
• TrendMicro Webproxy DSM (TRENDMICRO_WEBPROXY_DSM)
• Vonage (VONAGE)
• Waterfall Data Security Manager (WATERFALL_DSM)
• Ysoft Data Security Manager (YSOFT_DSM)
• Zscaler Client Connector (ZSCALER_ZCC)
• Zscaler ZDX (ZSCALER_ZDX)

For a list of supported log types and details about default parser changes, see Supported log types and default parsers.

The following supported default parsers have changed. Each is listed by product name and log_type value, if applicable.

• Akamai WAF (AKAMAI_WAF)
• Atlassian Confluence (ATLASSIAN_CONFLUENCE)
• AWS Cloudtrail (AWS_CLOUDTRAIL)
• AWS EMR (AWS_EMR)
• Azure AD Organizational Context (AZURE_AD_CONTEXT)
• Carbon Black (CB_EDR)
• Cisco Router (CISCO_ROUTER)
• Cisco Umbrella Web Proxy (UMBRELLA_WEBPROXY)
• Cloud Load Balancing (GCP_LOADBALANCING)
• Cloud SQL (GCP_CLOUDSQL)
• DNSFilter (DNSFILTER)
• Duo Auth (DUO_AUTH)
• Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
• Evision FircoSoft (EVISION_FIRCOSOFT)
• ExtraHop RevealX (EXTRAHOP)
• F5 ASM (F5_ASM)
• Firewall Rule Logging (N/A)
• Fortinet FortiClient (FORTINET_FORTICLIENT)
• GCP_KUBERNETES_CONTEXT (GCP_KUBERNETES_CONTEXT)
• GitHub (GITHUB)
• Gitlab (GITLAB)
• Hashicorp Vault (HASHICORP)
• IBM DataPower Gateway (IBM_DATAPOWER)
• IBM DB2 (DB2_DB)
• IBM Security Verify SaaS (IBM_SECURITY_VERIFY_SAAS)
• Infoblox (INFOBLOX)
• JumpCloud Directory Insights (JUMPCLOUD_DIRECTORY_INSIGHTS)
• Juniper Junos (JUNIPER_JUNOS)
• Kolide Endpoint Security (KOLIDE)
• ManageEngine ADAudit Plus (ADAUDIT_PLUS)
• Microsoft Exchange (EXCHANGE_MAIL)
• Microsoft IIS (IIS)
• Office 365 (OFFICE_365)
• Open Cybersecurity Schema Framework (OCSF) (OCSF)
• Oracle (ORACLE_DB)
• Oracle Cloud Infrastructure (ORACLE_CLOUD_AUDIT)
• Proofpoint On Demand (PROOFPOINT_ON_DEMAND)
• Qualys VM (QUALYS_VM)
• Saiwall VPN (SAIWALL_VPN)
• SentinelOne EDR (SENTINEL_EDR)
• Slack Audit (SLACK_AUDIT)
• Unix system (NIX_SYSTEM)
• Windows Event (WINEVTLOG)
• Workspace Activities (WORKSPACE_ACTIVITY)
• Workspace Alerts (WORKSPACE_ALERTS)
• Workspace ChromeOS Devices (WORKSPACE_CHROMEOS)
• Zscaler Internet Access Audit Logs (ZSCALER_INTERNET_ACCESS)

The following log types, without a default parser, were added. Each is listed by product name and log_type value, if applicable.

• Analyst1 IOC (ANALYST1_IOC)
• Amazon FSx for Windows File Server (AWS_FSX)
• DealCloud (DEAL_CLOUD)
• DomainTools Threat Intelligence (DOMAINTOOLS_THREATINTEL)
• Farsight DNSDB (FARSIGHT_DNSDB)
• Journald (JOURNALD)
• Mambu (MAMBU)
• Mattermost (MATTERMOST)
• Mitel Communications Director (MITEL_MCD)
• NordLayer VPN (NORD_LAYER)
• Paxton Access Control Systems (PAXTON_ACS)

For a list of supported log types and details about default parser changes, see Supported log types and default parsers.

Chronicle Curated Detections has been enhanced with new detection content for Google Cloud threats. These new rule sets help identify Kubernetes activity associated with abuse of role-based access controls (RBAC).

The following supported default parsers have changed. Each is listed by product name and log_type value, if applicable.

• Azure AD Directory Audit (AZURE_AD_AUDIT)
• Check Point (CHECKPOINT_FIREWALL)
• Chronicle SOAR Audit (CHRONICLE_SOAR_AUDIT)
• Cisco Internetwork Operating System (CISCO_IOS)
• Cisco Meraki (CISCO_MERAKI)
• Cisco Web Services Manager (CISCO_WSM)
• Cloud Audit Logs (N/A)
• Cloudflare (CLOUDFLARE)
• CrowdStrike Falcon (CS_EDR)
• ESET Threat Intelligence (ESET_IOC)
• GitHub (GITHUB)
• Gitlab (GITLAB)
• Infoblox DNS (INFOBLOX_DNS)
• JumpCloud Directory Insights (JUMPCLOUD_DIRECTORY_INSIGHTS)
• Kolide Endpoint Security (KOLIDE)
• McAfee ePolicy Orchestrator (MCAFEE_EPO)
• Microsoft Azure Activity (AZURE_ACTIVITY)
• Microsoft Azure Resource (AZURE_RESOURCE_LOGS)
• Microsoft Defender for Endpoint (MICROSOFT_DEFENDER_ENDPOINT)
• Microsoft SQL Server (MICROSOFT_SQL)
• Netskope Web Proxy (NETSKOPE_WEBPROXY)
• OpenSSH (OPENSSH)
• Palo Alto Cortex XDR Alerts (CORTEX_XDR)
• Silverfort Authentication Platform (SILVERFORT)
• Vectra Stream (VECTRA_STREAM)
• VMware ESXi (VMWARE_ESX)
• VMware NSX (VMWARE_NSX)
• Windows Applocker (WINDOWS_APPLOCKER)
• Windows Defender ATP (WINDOWS_DEFENDER_ATP)
• Windows DNS (WINDOWS_DNS)
• Windows Event (WINEVTLOG)
• Windows Event (XML) (WINEVTLOG_XML)
• Windows Hyper-V (WINDOWS_HYPERV)
• Workspace ChromeOS Devices (WORKSPACE_CHROMEOS)
• Zscaler (ZSCALER_WEBPROXY)
• ZScaler DNS (ZSCALER_DNS)

The following log types, without a default parser, were added. Each is listed by product name and log_type value, if applicable.

• ADVA Fiber Service Platform (ADVA_FSP)
• Bluecat Address Manager (BLUECAT_AM)
• Fortinet Switch (FORTINET_SWITCH)
• GCP Google Kubernetes Engine Context (GCP_KUBERNETES_CONTEXT)
• Kion (KION)
• Kiteworks (KITEWORKS)
• Nokia Router (NOKIA_ROUTER)
• Ntopng (NTOPNG)
• Opnsense (OPNSENSE)
• Oracle HCM Human resources platform solution (ORACLE_HCM)
• MS Powershell Transcript (POWERSHELL_TRANSCRIPT)
• RAD ETX (RAD_ETX)
• Spamhaus (SPAMHAUS)
• UpGuard (UPGUARD)
• Vsftpd (VSFTPD)

For a list of supported log types and details about default parser changes, see Supported log types and default parsers.

The following changes are available in the Unified Data Model.

• New enum fields were added: SecurityResult.IoCStatsType and SecurityResult.VerdictType.
• A new field was added to EntityMetadata: feed.
• A new field was added to Network: ip_subnet_range.
• New fields were added to SecurityResult: last_updated_time and verdict_info.
• A new field was added to Label: rbac_enabled.
• A new field was added to SecurityResult.Association: region_code.
• New fields were added to User: last_login_time, last_password_change_time, password_expiration_time, account_expiration_time, account_lockout_time, and last_bad_password_attempt_time.
• A new value was added to the Network.ApplicationProtocol enum: GRPC.

• The following new values were added to the Resource.ResourceType enum:

  • POD
  • CONTAINER
  • FUNCTION
  • RUNTIME
  • IP_ADDRESS
  • DISK
  • VOLUME
  • IMAGE
  • SNAPSHOT
  • REPOSITORY
  • CREDENTIAL
  • LOAD_BALANCER
  • GATEWAY
  • SUBNET

For a list of all fields in the Unified Data Model, and their descriptions, see the Unified Data Model field list.

The following supported default parsers have changed. Each is listed by product name and log_type value, if applicable.

• AWS Cloudtrail (AWS_CLOUDTRAIL)
• Azion (AZION)
• Azure AD Organizational Context (AZURE_AD_CONTEXT)
• Blue Coat Proxy (BLUECOAT_WEBPROXY)
• Cisco ACS (CISCO_ACS)
• Cisco FireSIGHT Management Center (CISCO_FIRESIGHT)
• Cisco ISE (CISCO_ISE)
• Cisco Umbrella DNS (UMBRELLA_DNS)
• Cloud Intrusion Detection System (GCP_IDS)
• Cloudflare (CLOUDFLARE)
• Compute Context (N/A)
• Corelight (CORELIGHT)
• Darktrace (DARKTRACE)
• F5 ASM (F5_ASM)
• FireEye (FIREEYE_ALERT)
• HAProxy (HAPROXY)
• Hashicorp Vault (HASHICORP)
• HP Procurve Switch (HP_PROCURVE)
• IBM Security Verify SaaS (IBM_SECURITY_VERIFY_SAAS)
• Imperva (IMPERVA_WAF)
• Ionix (IONIX)
• Microsoft Defender for Endpoint (MICROSOFT_DEFENDER_ENDPOINT)
• MISP Threat Intelligence (MISP_IOC)
• Office 365 (OFFICE_365)
• Oracle Cloud Infrastructure Audit Logs (OCI_AUDIT)
• Sendmail (SENDMAIL)
• Tanium Audit (TANIUM_AUDIT)
• Tanium Stream (TANIUM_TH)
• Thycotic (THYCOTIC)
• Unix system (NIX_SYSTEM)
• VMware ESXi (VMWARE_ESX)
• VMware NSX (VMWARE_NSX)
• VMware vCenter (VMWARE_VCENTER)
• WatchGuard (WATCHGUARD)
• Windows DNS (WINDOWS_DNS)
• Windows Event (WINEVTLOG)
• Workspace Activities (WORKSPACE_ACTIVITY)
• Workspace Alerts (WORKSPACE_ALERTS)
• Zeek JSON (BRO_JSON)
• Zscaler CASB (ZSCALER_CASB)

The following log types, without a default parser, were added. Each is listed by product name and log_type value, if applicable.

• AWS_EMR (AWS_EMR)
• Azure Application Gateway (AZURE_GATEWAY)
• CloudBolt (CLOUDBOLT)
• DNSFilter (DNSFILTER)
• GitGuardian Enterprise (GITGUARDIAN_ENTERPRISE)
• GoAnywhere MFT (GOANYWHERE_MFT)
• IBM Security Identity Manager (IBM_SIM)
• Jamf Pro MDM (JAMF_PRO_MDM)
• MultiPay (MULTIPAY)
• Palo Alto Networks IoT Security (PAN_IOT)
• Raritan Dominion SX II (RARITAN_DOMINION)

For a list of supported log types and details about default parser changes, see Supported log types and default parsers.

Chronicle Curated Detections has been enhanced with new detection content for Google Cloud threats. These new rule sets help identify reconnaissance and exploitation behavior from open source Kubernetes tools.

The submit_parser command now has an option to skip validation if no logs are found. For more information, see the Chronicle CLI user guide.

The following supported default parsers have changed. Each is listed by product name and log_type value, if applicable.

• Akamai Cloud Monitor (AKAMAI_CLOUD_MONITOR)
• AWS Cloudtrail (AWS_CLOUDTRAIL)
• AWS WAF (AWS_WAF)
• BIND (BIND_DNS)
• Cisco Email Security (CISCO_EMAIL_SECURITY)
• Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
• Cisco Umbrella Web Proxy (UMBRELLA_WEBPROXY)
• Cloud DNS (N/A)
• Cloud SQL (GCP_CLOUDSQL)
• CSV Custom IOC (CSV_CUSTOM_IOC)
• Desynova Contido (DESYNOVA_CONTIDO)
• Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
• F5 Advanced Firewall Management (F5_AFM)
• Firewall Rule Logging (N/A)
• FortiMail Email Security (FORTINET_FORTIMAIL)
• GCP_KUBERNETES_CONTEXT (GCP_KUBERNETES_CONTEXT)
• Guardicore Centra (GUARDICORE_CENTRA)
• IBM Security Access Manager (IBM_SAM)
• Jamf Protect Telemetry (JAMF_TELEMETRY)
• Linux Auditing System (AuditD) (AUDITD)
• Microsoft Azure Activity (AZURE_ACTIVITY)
• Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
• Microsoft Powershell (POWERSHELL)
• Netskope Web Proxy (NETSKOPE_WEBPROXY)
• Office 365 (OFFICE_365)
• Oracle Unified Directory (ORACLE_OUD)
• Palo Alto Networks Firewall (PAN_FIREWALL)
• SecureLink (SECURELINK)
• Signal Sciences WAF (SIGNAL_SCIENCES_WAF)
• Skybox Firewall Assurance (SKYBOX_FIREWALL_ASSURANCE)
• SOTI MobiControl (SOTI_MOBICONTROL)
• Stealthbits PAM (STEALTHBITS_PAM)
• Thinkst Canary (THINKST_CANARY)
• Unix system (NIX_SYSTEM)
• Vectra Stream (VECTRA_STREAM)
• VMware NSX (VMWARE_NSX)
• VMware Tanzu Kubernetes Grid (VMWARE_TANZU)
• Windows Defender ATP (WINDOWS_DEFENDER_ATP)
• Windows Event (XML) (WINEVTLOG_XML)
• Workspace Activities (WORKSPACE_ACTIVITY)
• Zscaler (ZSCALER_WEBPROXY)
• Zscaler CASB (ZSCALER_CASB)
• ZScaler NGFW (ZSCALER_FIREWALL)

For details about changes in each parser, see Supported default parsers.

Chronicle feed management contains the following changes for the Google Cloud Storage source type:

• To create a new Google Cloud Storage feed, you must use the new service account. You are no longer required to use the following Chronicle global service account: 8911409095528497-0-account@partnercontent.gserviceaccount.com. The Chronicle global service account continues to be in use for existing Google Cloud Storage feeds.
• In the feed management API, the fetchFeedServiceAccount method has been added to get a Chronicle service account, which you must use when you create a new Google Cloud Storage feed.
• In the feed management UI, the new field Get service account has been added to get a Chronicle service account, which you must use when you create a new Google Cloud Storage feed.

Chronicle can now directly ingest the following log types from Google Cloud. Each is listed by product name and log_type value:

• Cloud Intrusion Detection System (GCP_IDS)
• Cloud Load Balancing (GCP_LOADBALANCING)
• Cloud SQL (GCP_CLOUDSQL)
• Windows Event logs (WINEVTLOG)
• Linux Sysmon (LINUX_SYSMON)
• Zeek (BRO_JSON)
• Google Kubernetes Engine (KUBERNETES_NODE)
• Audit Daemon (auditd) (AUDITD)
• Apigee (GCP_APIGEE_X)

For more information, see Ingest Google Cloud Data to Chronicle.

The following supported default parsers have changed. Each is listed by product name and log_type value, if applicable.

• Akamai Enterprise Application Access (AKAMAI_EAA)
• AWS Cloudtrail (AWS_CLOUDTRAIL)
• AWS CloudWatch (AWS_CLOUDWATCH)
• Chrome Management (N/A)
• Cisco ASA (CISCO_ASA_FIREWALL)
• Cisco Email Security (CISCO_EMAIL_SECURITY)
• Cloud Audit Logs (N/A)
• Cloudflare WAF (CLOUDFLARE_WAF)
• Darktrace (DARKTRACE)
• Desynova Contido (DESYNOVA_CONTIDO)
• Duo Telephony Logs (DUO_TELEPHONY)
• Elastic Audit Beats (ELASTIC_AUDITBEAT)
• F5 BIGIP LTM (F5_BIGIP_LTM)
• Fidelis Network (FIDELIS_NETWORK)
• Gitlab (GITLAB)
• Imperva FlexProtect (IMPERVA_FLEXPROTECT)
• Island Browser logs (ISLAND_BROWSER)
• Juniper (JUNIPER_FIREWALL)
• Microsoft Azure Resource (AZURE_RESOURCE_LOGS)
• Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
• Microsoft Sentinel (MICROSOFT_SENTINEL)
• Netscout OCI (NETSCOUT_OCI)
• Netskope Web Proxy (NETSKOPE_WEBPROXY)
• Office 365 (OFFICE_365)
• OpenSSH (OPENSSH)
• Palo Alto Networks Firewall (PAN_FIREWALL)
• ProofPoint Secure Email Relay (PROOFPOINT_SER)
• SentinelOne Deep Visibility (SENTINEL_DV)
• SentinelOne EDR (SENTINEL_EDR)
• Suricata IDS (SURICATA_IDS)
• Symantec DLP (SYMANTEC_DLP)
• Windows Defender ATP (WINDOWS_DEFENDER_ATP)
• Windows Event (WINEVTLOG)
• Windows Event (XML) (WINEVTLOG_XML)
• Workspace Activities (WORKSPACE_ACTIVITY)
• Workspace Alerts (WORKSPACE_ALERTS)
• Workspace Users (WORKSPACE_USERS)
• Zscaler (ZSCALER_WEBPROXY)

For details about changes in each parser, see Supported default parsers.

Chronicle has updated the rules engine's YARA-L 2.0 language compiler to report warnings. Warnings flag rules that are syntactically valid but may result in unexpected behavior. You can view and expand warnings in the Rules Editor the same way you view errors. The following warnings are currently supported:

• Multi-event non-distinct outcome section aggregations. For more information, see YARA-L known issues and limitations

• Deprecated UDM fields or enum values

The following supported default parsers have changed. Each is listed by product name and log_type value, if applicable.

• Apigee (GCP_APIGEE_X)
• AppOmni (APPOMNI)
• Attivo Networks (ATTIVO)
• AWS Cloudtrail (AWS_CLOUDTRAIL)
• AWS CloudWatch (AWS_CLOUDWATCH)
• AWS GuardDuty (GUARDDUTY)
• AWS WAF (AWS_WAF)
• Blue Coat Proxy (BLUECOAT_WEBPROXY)
• Cisco Internetwork Operating System (CISCO_IOS)
• Cisco NX-OS (CISCO_NX_OS)
• Cisco Umbrella Web Proxy (UMBRELLA_WEBPROXY)
• CrowdStrike Falcon (CS_EDR)
• Crowdstrike IOC (CROWDSTRIKE_IOC)
• CyberArk Endpoint Privilege Manager (EPM) (CYBERARK_EPM)
• Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
• F5 Advanced Firewall Management (F5_AFM)
• GMAIL Logs (GMAIL_LOGS)
• iBoss Proxy (IBOSS_WEBPROXY)
• Ipswitch MOVEit Transfer (IPSWITCH_MOVEIT_TRANSFER)
• Juniper Junos (JUNIPER_JUNOS)
• Kubernetes Audit (KUBERNETES_AUDIT)
• Kubernetes Node (KUBERNETES_NODE)
• Microsoft AD FS (ADFS)
• Microsoft Defender For Cloud (MICROSOFT_DEFENDER_CLOUD_ALERTS)
• Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
• Microsoft SQL Server (MICROSOFT_SQL)
• MISP Threat Intelligence (MISP_IOC)
• Netskope Web Proxy (NETSKOPE_WEBPROXY)
• Okta User Context (OKTA_USER_CONTEXT)
• Palo Alto Prisma Cloud Alert payload (PAN_PRISMA_CA)
• Peplink Firewall (PEPLINK_FW)
• Pulse Secure (PULSE_SECURE_VPN)
• Qualys Virtual Scanner (QUALYS_VIRTUAL_SCANNER)
• SecureLink (SECURELINK)
• Security Command Center Threat (N/A)
• Sentinelone Alerts (SENTINELONE_ALERT)
• Suricata IDS (SURICATA_IDS)
• Symantec DLP (SYMANTEC_DLP)
• Unix system (NIX_SYSTEM)
• Windows DNS (WINDOWS_DNS)
• Windows Event (WINEVTLOG)
• Windows Event (XML) (WINEVTLOG_XML)
• Workspace Activities (WORKSPACE_ACTIVITY)
• Zimperium (ZIMPERIUM)
• Zscaler Internet Access Audit Logs (ZSCALER_INTERNET_ACCESS)

For details about changes in each parser, see Supported default parsers.

Enhancements to strings.concat and strings.coalesce

• strings.concat has been updated to take an unlimited number of arguments. For more information, see Concatenate strings or numeric types.
• strings.coalesce has been updated to take an unlimited number of arguments. For more information, see Coalesce string values.

Added a new argument get_validation_report to fetch the validation report for a parser or a parser extension. For more information, see Chronicle CLI user guide.

UDM Search behavior has been enhanced. When no search results are returned by a query, the page displays empty panels (Events, Quick Filters, Alerts, etc.) with messages indicating that nothing was found.

The following supported default parsers have changed. Each is listed by product name and log_type value, if applicable.

• Apache (APACHE)
• AWS Cloudtrail (AWS_CLOUDTRAIL)
• AWS GuardDuty (GUARDDUTY)
• Azure AD Directory Audit (AZURE_AD_AUDIT)
• Cambium Networks (CAMBIUM_NETWORKS)
• Cisco ASA (CISCO_ASA_FIREWALL)
• Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
• Cisco ISE (CISCO_ISE)
• CrowdStrike Falcon (CS_EDR)
• Department of Homeland Security (DHS_IOC)
• Duo Auth (DUO_AUTH)
• F5 ASM (F5_ASM)
• Fortinet FortiEDR (FORTINET_FORTIEDR)
• GitHub (GITHUB)
• Imperva (IMPERVA_WAF)
• Juniper (JUNIPER_FIREWALL)
• Menlo Security (MENLO_SECURITY)
• Microsoft AD (WINDOWS_AD)
• Microsoft Azure Resource (AZURE_RESOURCE_LOGS)
• Microsoft Defender for Endpoint (MICROSOFT_DEFENDER_ENDPOINT)
• Neosec (NEOSEC)
• Net Suite (NET_SUITE)
• Office 365 (OFFICE_365)
• Oracle Unified Directory (ORACLE_OUD)
• Palo Alto Panorama (PAN_PANORAMA)
• Proofpoint Observeit (OBSERVEIT)
• Qualys Asset Context (QUALYS_ASSET_CONTEXT)
• Qualys Virtual Scanner (QUALYS_VIRTUAL_SCANNER)
• SentinelOne Deep Visibility (SENTINEL_DV)
• Tanium Threat Response (TANIUM_THREAT_RESPONSE)
• Thinkst Canary (THINKST_CANARY)
• TrendMicro Web Proxy (TRENDMICRO_WEBPROXY)
• Vectra Stream (VECTRA_STREAM)
• VMware Workspace ONE (VMWARE_WORKSPACE_ONE)
• Windows Event (WINEVTLOG)
• Workspace Activities (WORKSPACE_ACTIVITY)

For details about changes in each parser, see Supported default parsers.

The following supported default parsers have changed. Each is listed by product name and log_type value, if applicable.

• Attivo Networks (ATTIVO)
• AWS Cloudtrail (AWS_CLOUDTRAIL)
• AWS S3 Server Access (AWS_S3_SERVER_ACCESS)
• Azure AD (AZURE_AD)
• Azure AD Directory Audit (AZURE_AD_AUDIT)
• Azure WAF (AZURE_WAF)
• Barracuda WAF (BARRACUDA_WAF)
• Barracuda Web Filter (BARRACUDA_WEBFILTER)
• CA Access Control (CA_ACCESS_CONTROL)
• Carbon Black (CB_EDR)
• Chrome Management (N/A)
• Cisco ISE (CISCO_ISE)
• Cisco Meraki (CISCO_MERAKI)
• Citrix Netscaler (CITRIX_NETSCALER)
• Cloud Audit Logs (N/A)
• Cloud Functions Context (GCP_CLOUD_FUNCTIONS_CONTEXT)
• Cloud SQL Context (GCP_SQL_CONTEXT)
• CrowdStrike Detection Monitoring (CS_DETECTS)
• Darktrace (DARKTRACE)
• Datadog (DATADOG)
• Dell EMC Isilon NAS (DELL_EMC_NAS)
• Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
• F5 BIGIP LTM (F5_BIGIP_LTM)
• FortiGate (FORTINET_FIREWALL)
• Fortinet FortiAnalyzer (FORTINET_FORTIANALYZER)
• Google Cloud Identity Context (CLOUD_IDENTITY_CONTEXT)
• IAM Context (N/A)
• IBM z/OS (IBM_ZOS)
• Imperva Advanced Bot Protection (IMPERVA_ABP)
• Imperva Database (IMPERVA_DB)
• Ipswitch MOVEit Transfer (IPSWITCH_MOVEIT_TRANSFER)
• macOS Endpoint Security (MACOS_ENDPOINT_SECURITY)
• Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
• MISP Threat Intelligence (MISP_IOC)
• Netskope (NETSKOPE_ALERT)
• Office 365 (OFFICE_365)
• Okta User Context (OKTA_USER_CONTEXT)
• Open LDAP (OPENLDAP)
• Proofpoint Observeit (OBSERVEIT)
• Qualys Asset Context (QUALYS_ASSET_CONTEXT)
• Resource Manager Context (GCP_RESOURCE_MANAGER_CONTEXT)
• Security Command Center Threat (N/A)
• Sentinelone Alerts (SENTINELONE_ALERT)
• Tanium Threat Response (TANIUM_THREAT_RESPONSE)
• TrendMicro Web Proxy (TRENDMICRO_WEBPROXY)
• Vectra Stream (VECTRA_STREAM)
• VMware ESXi (VMWARE_ESX)
• Wazuh (WAZUH)
• Windows Event (XML) (WINEVTLOG_XML)
• Workspace Activities (WORKSPACE_ACTIVITY)
• Workspace Users (WORKSPACE_USERS)

For details about changes in each parser, see Supported default parsers.

The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.

• Absolute Mobile Device Management (ABSOLUTE)
• AWS Cloudtrail (AWS_CLOUDTRAIL)
• AWS CloudWatch (AWS_CLOUDWATCH)
• BIND (BIND_DNS)
• Check Point (CHECKPOINT_FIREWALL)
• Chrome Management (N/A)
• Cisco Meraki (CISCO_MERAKI)
• Cloud Audit Logs (N/A)
• Cloud Load Balancing (GCP_LOADBALANCING)
• Cloudflare Audit (CLOUDFLARE_AUDIT)
• F5 ASM (F5_ASM)
• Fortinet FortiEDR (FORTINET_FORTIEDR)
• IBM Security Verify SaaS (IBM_SECURITY_VERIFY_SAAS)
• IBM Security Verify SaaS (IBM_SECURITY_VERIFY_SAAS)
• Imperva FlexProtect (IMPERVA_FLEXPROTECT)
• Jamf Protect Telemetry (JAMF_TELEMETRY)
• Juniper Software Defined Wide Area Network (JUNIPER_SDWAN)
• Microsoft AD (WINDOWS_AD)
• Microsoft Azure Resource (AZURE_RESOURCE_LOGS)
• Microsoft CASB (MICROSOFT_CASB)
• Microsoft Powershell (POWERSHELL)
• Microsoft SQL Server (MICROSOFT_SQL)
• MISP Threat Intelligence (MISP_IOC)
• Netskope (NETSKOPE_ALERT)
• Okta (OKTA)
• SecureAuth (SECUREAUTH_SSO)
• Security Command Center Threat (N/A)
• SentinelOne EDR (SENTINEL_EDR)
• Sierra Wireless (SIERRA_WIRELESS)
• Sourcefire (SOURCEFIRE_IDS)
• Stormshield Firewall (STORMSHIELD_FIREWALL)
• Versa Firewall (VERSA_FIREWALL)
• Windows Event (WINEVTLOG)
• Workspace Activities (WORKSPACE_ACTIVITY)

For details about changes in each parser, see Supported default parsers.

Chronicle Curated Detections has been enhanced with new detection content for Linux threats. These new rule sets help identify threats in Linux environments using AuditD and Unix System logs.

Enhancements to outcome section in rules:

• Outcome variables can be used to derive the value of another outcome variable.

• Arithmetic expressions can include aggregations, unaggregated event fields, constants, and outcome variables as operands.

The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.

• AIX system (AIX_SYSTEM)
• Auth0 (AUTH_ZERO)
• AWS Cloudtrail (AWS_CLOUDTRAIL)
• AWS GuardDuty (GUARDDUTY)
• AWS Security Hub (AWS_SECURITY_HUB)
• AWS Session Manager (AWS_SESSION_MANAGER)
• Blue Coat Proxy (BLUECOAT_WEBPROXY)
• Check Point (CHECKPOINT_FIREWALL)
• Chrome Management (N/A)
• Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
• Cisco Meraki (CISCO_MERAKI)
• Cisco NX-OS (CISCO_NX_OS)
• Cisco Stealthwatch (CISCO_STEALTHWATCH)
• CrowdStrike Falcon (CS_EDR)
• Digi modems (DIGI_MODEMS)
• GitHub (GITHUB)
• IBM Security Verify SaaS (IBM_SECURITY_VERIFY_SAAS)
• Imperva (IMPERVA_WAF)
• Infoblox DNS (INFOBLOX_DNS)
• Jamf Protect Alerts (JAMF_PROTECT)
• Jamf Protect Telemetry (JAMF_TELEMETRY)
• Kisi Access Management (KISI)
• Kubernetes Audit Azure (KUBERNETES_AUDIT_AZURE)
• Kubernetes Node (KUBERNETES_NODE)
• Linux Auditing System (AuditD) (AUDITD)
• McAfee ePolicy Orchestrator (MCAFEE_EPO)
• McAfee MVISION CASB (MCAFEE_MVISION_CASB)
• McAfee Skyhigh CASB (MCAFEE_SKYHIGH_CASB)
• McAfee Web Gateway (MCAFEE_WEBPROXY)
• Microsoft AD (WINDOWS_AD)
• Microsoft AD FS (ADFS)
• Microsoft Defender for Endpoint (MICROSOFT_DEFENDER_ENDPOINT)
• Microsoft Exchange (EXCHANGE_MAIL)
• Netskope Web Proxy (NETSKOPE_WEBPROXY)
• Office 365 (OFFICE_365)
• Open Cybersecurity Schema Framework (OCSF) (OCSF)
• Palo Alto Networks Firewall (PAN_FIREWALL)
• Security Command Center Threat (N/A)
• Static IP (ASSET_STATIC_IP)
• Symantec Web Security Service (SYMANTEC_WSS)
• ThreatLocker Platform (THREATLOCKER)
• Tripwire (TRIPWIRE_FIM)
• VMware NSX (VMWARE_NSX)
• VMware vRealize Suite (VMWARE_VREALIZE)
• Windows DNS (WINDOWS_DNS)
• Windows Event (WINEVTLOG)
• Zscaler (ZSCALER_WEBPROXY)

For details about changes in each parser, see Supported default parsers.

The predefined reference lists for Curated Detections have been replaced by rule exclusions. You will see the following changes:

• Reference lists are not available in the Cloud Threats and Windows Threats categories and are not displayed in the settings page for these rule sets.
• Any category-specific reference lists that were currently empty have been deleted.
• Any category-specific reference lists that were not empty have been migrated to an equivalent rule exclusion.

You can now use rule exclusions to tune the number of alerts returned by Curated Detections.

A new Google Cloud Threat Intelligence (GCTI) data source is available, called GCTI Remote Access Tools, that provides additional contextual information when investigating activity in your environment. This data source contains files that have frequently been used by malicious actors. For more information, see Data about remote access tools, and Query data about remote access tools.

IOC matching has been changed so that a domain match occurs only if the event timestamp lies within the active time range interval present in the threat intelligence feed. If a threat intelligence feed does not have an active time range interval, an IOC match is returned anytime the domain is identified in feed data. For information about IOC Domain matches, see View IOC matches.

The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.

• Microsoft AD FS (ADFS)
• Apache (APACHE)
• Linux Auditing System (AuditD) (AUDITD)
• AWS Cloudtrail (AWS_CLOUDTRAIL)
• Azure Firewall (AZURE_FIREWALL)
• Zeek JSON (BRO_JSON)
• Cisco ASA (CISCO_ASA_FIREWALL)
• Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
• Cisco ISE (CISCO_ISE)
• Cisco Meraki (CISCO_MERAKI)
• Cisco VCS Expressway (CISCO_VCS)
• Corelight (CORELIGHT)
• CrowdStrike Detection Monitoring (CS_DETECTS)
• Digital Guardian DLP (DIGITALGUARDIAN_DLP)
• F5 BIGIP Access Policy Manager (F5_BIGIP_APM)
• Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
• Fluentd Logs (FLUENTD)
• Forcepoint Proxy (FORCEPOINT_WEBPROXY)
• Forescout NAC (FORESCOUT_NAC)
• FortiGate (FORTINET_FIREWALL)
• Apigee (GCP_APIGEE_X)
• Cloud SQL (GCP_CLOUDSQL)
• GitHub (GITHUB)
• GMAIL Logs (GMAIL_LOGS)
• Apache Hadoop (HADOOP)
• Imperva (IMPERVA_WAF)
• Kemp Load Balancer (KEMP_LOADBALANCER)
• McAfee Web Gateway (MCAFEE_WEBPROXY)
• Microsoft Defender for Endpoint (MICROSOFT_DEFENDER_ENDPOINT)
• Cloud Audit Logs (N/A)
• Firewall Rule Logging (N/A)
• Security Command Center Threat (N/A)
• Netskope (NETSKOPE_ALERT)
• Netskope Web Proxy (NETSKOPE_WEBPROXY)
• Office 365 (OFFICE_365)
• Okta (OKTA)
• Okta User Context (OKTA_USER_CONTEXT)
• 1Password (ONEPASSWORD)
• OSQuery (OSQUERY_EDR)
• OSSEC (OSSEC)
• Palo Alto Networks Firewall (PAN_FIREWALL)
• Proofpoint On Demand (PROOFPOINT_ON_DEMAND)
• Proofpoint Web Browser Isolation(PROOFPOINT_WEB_BROWSER_ISOLATION)
• Saviynt Enterprise Identity Cloud (SAVIYNT_EIP)
• SentinelOne EDR (SENTINEL_EDR)
• Sentinelone Alerts (SENTINELONE_ALERT)
• Tripwire (TRIPWIRE_FIM)
• Windows Defender ATP (WINDOWS_DEFENDER_ATP)
• Windows Event (WINEVTLOG)
• WordPress (WORDPRESS_CMS)
• Workspace Activities (WORKSPACE_ACTIVITY)
• ZScaler VPN (ZSCALER_VPN)

For details about changes in each parser, see Supported default parsers.

UDM Search

You can now search on fields of type bytes in UDM search. Chronicle uses base64 encoding for byte literals. Byte literals must be enclosed in double quotes prefixed with the letter b, as shown in the following examples:

• network.dhcp.client_identifier = b"7Ixbub6A0KMvugAAAAA"

• metadata.id = b"AAAAADg51kPYn7Ixbub6A0KMvugAAAAABQAAAAgAAAA="

The following changes are available in the Unified Data Model.

New fields were added to Entity, called risk_score and metric.

A new field was added to EntityMetadata, called event_metadata.

The following new types were added to Entity:

• EntityRisk
• Metric
• RiskDelta
• Metric.Measure

The following new types were added to Event:

• AttackDetails
• ExifInfo
• FileMetadataCodesign
• FileMetadataPE
• FileMetadataSignatureInfo
• PDFInfo
• SignatureInfo
• X509
• AttackDetails.Tactic
• AttackDetails.Technique
• SecurityResult.Association
• SecurityResult.Association.AssociationAlias
• SecurityResult.Source
• SecurityResult.ProviderMLVerdict
• SecurityResult.AnalystVerdict
• SecurityResult.Verdict

The following new enumerated types were added to Entity:

• Metric.AggregateFunction
• Metric.Dimension
• Metric.MetricName
• Relation.EntityLabel

The following new enumerated types were added to Event:

• Process
• TokenElevationType
• SecurityResult.VerdictResponse
• SecurityResult.Association.AssociationType

New field added to Relation, called entity_label.

New value added to EntityMetadata.EntityType, called METRIC.

New fields added to Event.Metadata called log_type, base_labels, enrichment_labels.

New fields added to Noun, called security_result and network.

New fields added to SecurityResult, called risk_score, attack_details, first_discovered_time, associations, campaigns, and verdicts.

New fields added to File, called pe_file, tags, last_analysis_time, embedded_urls, embedded_domains, embedded_ips, exif_info, signature_info, pdf_info.

New field added to Process, called integrity_level_rid and token_elevation_type.

New fields added to SignerInfo, called status, valid_usage, cert_issuer.

The Resource.id field was deprecated. Use resource.name or resource.product_object_id instead.

The following values were added to the EventTypes enumerated type:

• DEVICE_FIRMWARE_UPDATE
• DEVICE_CONFIG_UPDATE
• DEVICE_PROGRAM_UPLOAD
• DEVICE_PROGRAM_DOWNLOAD

The following additional values were added to the ApplicationProtocol enumerated type:

• CIP
• COTP
• DNP3
• DICOM
• GOOSE
• IEC104
• MMS
• PTP
• SNMP
• SV

New values added to the Network.IpProtocol enumerated type, called ICMP and SCTP.

For a list of all fields in the Unified Data Model, and their descriptions, see the Unified Data Model field list.

Chronicle now links to a customer-supplied Google Cloud Project to integrate more closely with Google Cloud services, such as Cloud IAM, Cloud Monitoring, and Cloud Audit Logs. Customers can now use Cloud IAM and workforce identity federation to authenticate using their existing identity provider.

Chronicle provides an onboarding and migration portal, available via Cloud Console, where new customers are able to provision and configure a new Chronicle SIEM instance, and existing customers can bind their current Chronicle SIEM instance to Google Cloud services.

For more information, see the following documentation:

• Configure a Google Cloud project for Chronicle
• Configure Chronicle with a third-party identity provider
• Link a Chronicle instance to Google Cloud services

The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.

• Aruba (ARUBA_WIRELESS)
• AWS Cloudtrail (AWS_CLOUDTRAIL)
• Azure AD Directory Audit (AZURE_AD_AUDIT)
• Cato Networks (CATO_NETWORKS)
• Cisco ISE (CISCO_ISE)
• Cisco Meraki (CISCO_MERAKI)
• Cisco PIX Firewall (CISCO_PIX_FIREWALL)
• Dope Security SWG (DOPE_SWG)
• F5 BIGIP LTM (F5_BIGIP_LTM)
• Falco IDS (FALCO_IDS)
• Fidelis Network (FIDELIS_NETWORK)
• ForgeRock OpenAM (OPENAM)
• FortiGate (FORTINET_FIREWALL)
• FortiMail Email Security (FORTINET_FORTIMAIL)
• Fortinet Web Application Firewall (FORTINET_FORTIWEB)
• GMAIL Logs (GMAIL_LOGS)
• IBM Safenet (IBM_SAFENET)
• IBM Security Access Manager (IBM_SAM)
• IBM Security QRadar SIEM (IBM_QRADAR)
• Microsoft Defender for Endpoint (MICROSOFT_DEFENDER_ENDPOINT)
• Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
• Mongo Database (MONGO_DB)
• Office 365 (OFFICE_365)
• Okta (OKTA)
• Oracle Cloud Infrastructure Audit Logs (OCI_AUDIT)
• Proofpoint Threat Response (PROOFPOINT_TRAP)
• Pulse Secure (PULSE_SECURE_VPN)
• Security Command Center Threat (N/A)
• Sentinelone Alerts (SENTINELONE_ALERT)
• SentinelOne EDR (SENTINEL_EDR)
• ServiceNow CMDB (SERVICENOW_CMDB)
• SonicWall (SONIC_FIREWALL)
• Strong Swan VPN (STRONGSWAN_VPN)
• ThreatLocker Platform (THREATLOCKER)
• VMware vRealize Suite (VMWARE_VREALIZE)
• VPC Flow Logs (GCP_VPC_FLOW)
• WatchGuard (WATCHGUARD)
• Windows DNS (WINDOWS_DNS)
• Windows Event (WINEVTLOG)
• Workspace Activities (WORKSPACE_ACTIVITY)

For details about changes in each parser, see Supported default parsers.

Updated content to reflect the new Alert view and Alert list. The following changes have been made to Alert view:

• New Overview and Alert History tabs. The Overview section provides a snapshot of important alert information. This is separate from the History tab to clearly differentiate between alert investigation and audit area.
• Detection widget now has a view other alerts from this rule button to get fast access to more alerts that came from this rule. Users can pivot to other alerts from this rule.
• Updated information on how to close an alert and change alert status.
• Updated information on how to adjust the time range.
• Updated information on how to apply single and multiple filters.

The following changes have been made to Alert list:

• Expanded columns to include Risk Score and Tags. This helps users to focus on and prioritize high-risk and critical security findings.
• Ingestion Time and Last Modified were also added to Alert List.
• Users can now customize columns in the Alert list, add or remove columns from the table.
• Expanded filters to include OR and AND operators to allow more complex filtering.
• Updated information on how to refresh Alert List.

These changes are documented in Investigate an alert and View Alerts and IOCs.

Chronicle Curated Detections has been enhanced with the following additional detection content for Cloud threats. A new rule set was added, called Cloud SQL Ransom, that detects activity associated with exfiltration or ransom of data within Cloud SQL databases.

The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.

• 1Password (ONEPASSWORD)
• AMD Pensando DSS Firewall (AMD_DSS_FIREWALL)
• Atlassian Confluence (ATLASSIAN_CONFLUENCE)
• AWS Network Firewall (AWS_NETWORK_FIREWALL)
• AWS Route 53 DNS (AWS_ROUTE_53)
• AWS S3 Server Access (AWS_S3_SERVER_ACCESS)
• Azure AD Directory Audit (AZURE_AD_AUDIT)
• Bitdefender (BITDEFENDER)
• Check Point (CHECKPOINT_FIREWALL)
• Cisco ASA (CISCO_ASA_FIREWALL)
• Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
• Cisco Firewall Services Module (CISCO_FWSM)
• Cisco Router (CISCO_ROUTER)
• Cisco Vision Dynamic Signage Director (CISCO_STADIUMVISION)
• Cloud DNS (N/A)
• CrowdStrike Falcon (CS_EDR)
• Crowdstrike IOC (CROWDSTRIKE_IOC)
• F5 Advanced Firewall Management (F5_AFM)
• F5 ASM (F5_ASM)
• F5 BIGIP LTM (F5_BIGIP_LTM)
• FireEye HX (FIREEYE_HX)
• ForgeRock OpenAM (OPENAM)
• Fortinet FortiAnalyzer (FORTINET_FORTIANALYZER)
• Fortinet FortiEDR (FORTINET_FORTIEDR)
• HAProxy (HAPROXY)
• Juniper (JUNIPER_FIREWALL)
• Microsoft IIS (IIS)
• Microsoft SQL Server (MICROSOFT_SQL)
• Office 365 Message Trace (OFFICE_365_MESSAGETRACE)
• Okta User Context (OKTA_USER_CONTEXT)
• OpenSSH (OPENSSH)
• Oracle Cloud Infrastructure VCN Flow Logs (OCI_FLOW)
• Proofpoint Observeit (OBSERVEIT)
• Rapid7 Insight (RAPID7_INSIGHT)
• SAP Netweaver (SAP_NETWEAVER)
• Security Command Center Threat (N/A)
• Splunk Platform (SPLUNK)
• Teleport Access Plane (TELEPORT_ACCESS_PLANE)
• Thinkst Canary (THINKST_CANARY)
• Trend Micro AV (TRENDMICRO_AV)
• Trustwave webmarshal (WEBMARSHAL)
• VMware AirWatch (AIRWATCH)
• WatchGuard (WATCHGUARD)

For details about changes in each parser, see Supported default parsers.

The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.

• Aruba EdgeConnect SD-WAN (ARUBA_EDGECONNECT_SDWAN)
• AWS RDS (AWS_RDS)
• Cloud Audit Logs (N/A)
• Cloud DNS (N/A)
• Cloud Run (N/A)
• Cloud SQL (N/A)
• Cofense (COFENSE_TRIAGE)
• CoSoSys Protector (ENDPOINT_PROTECTOR_DLP)
• Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
• Microsoft Defender for Endpoint (MICROSOFT_DEFENDER_ENDPOINT)
• pfSense (PFSENSE)
• Qualys VM (QUALYS_VM)
• SentinelOne EDR (SENTINEL_EDR)
• VMware AirWatch (AIRWATCH)
• VMware vRealize Suite (VMWARE_VREALIZE)
• Windows Event (WINEVTLOG)

For details about changes in each parser, see Supported default parsers.

Chronicle made the following changes to the detection engine rules and YARA-L language:

• Expanded support for arithmetic operations. You can now use multiplication and division in the events section and outcome section of rules. For more information, see Mathematical operations.

• You can now join an event with an entity, and then check for absence of the event. For more information, see Event and placeholder conditionals.

• Keywords, such as and, match, or condition in YARA-L 2.0 are now case-insensitive. This change does not affect function names, which are case sensitive. For a list of keywords, see Keywords.

• A new coalesce() function has been added to the YARA-L syntax. This function returns the first non-empty string passed to it. For more information, see YARA-L 2.0 language syntax.

• You can now use the nocase keyword when evaluating a reference list to perform case-insensitive matching for both String and Regex reference lists. For more information, see Reference lists syntax.

• Reference list limits have increased. Chronicle increased the maximum number of lines for Regex type reference lists to 100 and for CIDR type reference lists to 150. In addition, Chronicle increased the maximum number of statements in a rule that evaluate a reference list from 2 to 4.

The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.

• 1Password (ONEPASSWORD)
• Akamai WAF (AKAMAI_WAF)
• AppOmni (APPOMNI)
• Arcsight CEF (ARCSIGHT_CEF)
• Azure AD Directory Audit (AZURE_AD_AUDIT)
• Blue Coat Proxy (BLUECOAT_WEBPROXY)
• Check Point (CHECKPOINT_FIREWALL)
• Cisco ASA (CISCO_ASA_FIREWALL)
• Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
• Cisco ISE (CISCO_ISE)
• Cisco Switch (CISCO_SWITCH)
• Cloud Audit Logs (N/A)
• Cloud Storage Context (N/A)
• Cloudflare (CLOUDFLARE)
• CrowdStrike Detection Monitoring (CS_DETECTS)
• CrowdStrike Falcon (CS_EDR)
• DigitalArts i-Filter (DIGITALARTS_IFILTER)
• FireEye HX (FIREEYE_HX)
• FortiGate (FORTINET_FIREWALL)
• Hashicorp Vault (HASHICORP)
• Imperva (IMPERVA_WAF)
• Imperva SecureSphere Management (IMPERVA_SECURESPHERE)
• Infoblox DHCP (INFOBLOX_DHCP)
• JAMF CMDB (JAMF)
• Linux Auditing System (AuditD) (AUDITD)
• Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
• NetApp SAN (NETAPP_SAN)
• Office 365 (OFFICE_365)
• Okta (OKTA)
• Palo Alto Networks Firewall (PAN_FIREWALL)
• Ping Federate (PING_FEDERATE)
• Qualys Scan (QUALYS_SCAN)
• Security Command Center Threat (N/A)
• SentinelOne EDR (SENTINEL_EDR)
• Snyk Group level audit Logs (SNYK_SDLC)
• Symantec Endpoint Protection (SEP)
• Unix system (NIX_SYSTEM)
• Vectra Detect (VECTRA_DETECT)
• Windows DNS (WINDOWS_DNS)
• Windows Event (WINEVTLOG)
• Workspace Activities (WORKSPACE_ACTIVITY)
• Workspace Alerts (WORKSPACE_ALERTS)
• Workspace ChromeOS Devices (WORKSPACE_CHROMEOS)
• Workspace Groups (WORKSPACE_GROUPS)
• Workspace Mobile Devices (WORKSPACE_MOBILE)
• Workspace Privileges (WORKSPACE_PRIVILEGES)
• Workspace Users (WORKSPACE_USERS)

For details about changes in each parser, see Supported default parsers.

The Chronicle forwarder for Linux has been enhanced with the following changes:

• After you make a change to a configuration file, either <FORWARDER_NAME>.conf or <FORWARDER_NAME>_auth.conf, the change is automatically applied within 5 minutes. You no longer need to restart the container to apply the configuration changes. For information about changing configuration files, see Customize the configuration files.

• You can now configure automatic memory buffering which is a dynamically shared buffer used by collectors on a system. You specify the target memory utilization as a percentage of system RAM. For more information, see Configure disk buffering.

• The forwarder's minimum batch size increased to 200 KB for better performance.

• Data compression is now enabled by default, which reduces network bandwidth consumption by 80%.

If you have not updated the Chronicle forwarder for Linux Docker image since April 1, 2023, you must update it before October 31, 2023. This ensures that the Forwarder Bundle continues to receive updates.

Chronicle enhanced the detection engine so that all rules have a value set to the $risk_score variable. With this change, rules that do not have a $risk_score variable defined in the outcome section will have one of the following default values set:

• If the rule is configured to generate an alert, then $risk_score is set to 40.
• If the rule is not configured to generate an alert, then $risk_score is set to 15.

This change applies to all existing rules and new rules that do not have a $risk_score variable defined. The change does not impact rules that define the $risk_score variable in the outcome section of the rule.

For more information about the $risk_score variable, see Outcome section syntax.

UDM saved search

The UDM saved search options have been simplified and enhanced. From the UDM Search page, click Save to save your UDM search.

You can now specify placeholder variables in the format $<variable name> using the same format as is used for variables in YARA-L. If you add a variable to a UDM search, you must also include a prompt to help the user to understand what information they need to enter before they run the search. All variables must be populated with values prior to a search being run.

The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.

• Akamai WAF (AKAMAI_WAF)
• Area1 Security (AREA1)
• Atlassian Confluence (ATLASSIAN_CONFLUENCE)
• AWS VPC Flow (AWS_VPC_FLOW)
• Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
• Cloud Audit Logs (N/A)
• Cloud Intrusion Detection System (GCP_IDS)
• Cloud Load Balancing (GCP_LOADBALANCING)
• Cloud NAT (N/A)
• Cloudflare (CLOUDFLARE)
• F5 ASM (F5_ASM)
• Security Command Center Threat (N/A)
• GMAIL Logs (GMAIL_LOGS)
• JumpCloud Directory Insights (JUMPCLOUD_DIRECTORY_INSIGHTS)
• Kubernetes Node logs (KUBERNETES_NODE)
• Linux Auditing System (AuditD) (AUDITD)
• Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
• Mimecast (MIMECAST_MAIL)
• NetApp ONTAP (NETAPP_ONTAP)
• Office 365 (OFFICE_365)
• Okta (OKTA)
• Ping Identity (PING)
• SentinelOne Deep Visibility (SENTINEL_DV)
• Sophos Firewall (Next Gen) (SOPHOS_FIREWALL)
• Symantec Endpoint Protection (SEP)
• Trustwave SEC MailMarshal (MAILMARSHAL)
• Unix system (NIX_SYSTEM)

For details about changes in each parser, see Supported default parsers.

The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.

• Area1 Security (AREA1)
• AWS Security Hub (AWS_SECURITY_HUB)
• Azure AD (AZURE_AD)
• Carbon Black (CB_EDR)
• Cisco ASA (CISCO_ASA_FIREWALL)
• Cisco Switch (CISCO_SWITCH)
• Cloud Audit Logs (N/A)
• CrowdStrike Falcon (CS_EDR)
• Darktrace (DARKTRACE)
• Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
• Google Chrome Browser Cloud Management (CBCM) (N/A)
• Hashicorp Vault (HASHICORP)
• Illumio Core (ILLUMIO_CORE)
• Linux Auditing System (AuditD) (AUDITD)
• ManageEngine ADAudit Plus (ADAUDIT_PLUS)
• Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
• Netskope (NETSKOPE_ALERT)
• Office 365 (OFFICE_365)
• Okta (OKTA)
• Palo Alto Networks Firewall (PAN_FIREWALL)
• Seqrite Endpoint Security (EPS) (SEQRITE_ENDPOINT)
• STIX Threat Intelligence (STIX)
• Trend Micro Vision One (TRENDMICRO_VISION_ONE)
• Unix system (NIX_SYSTEM)
• VMware vRealize Suite (VMWARE_VREALIZE)
• Windows Event (WINEVTLOG)
• Windows Event (XML) (WINEVTLOG_XML)
• Workspace Alerts (WORKSPACE_ALERTS)
• ZScaler NGFW (ZSCALER_FIREWALL)

For details about changes in each parser, see Supported default parsers.

The SentinelOne Alert feed has been enhanced to enable you to configure the feed to ingest both alerts and threats or only threats.

When the Is alert API subscribed checkbox is selected in the application, or when the isAlertApiSubscribed field is set to true in the API request, the feed will ingest both alerts and threats. When the checkbox is deselected, or the isAlertApiSubscribed field is set set to false in the API request, only threats are ingested. This configuration is available when creating a new feed. Existing feeds were enhanced in a previous release to ingest both alerts and threats.

Only configure the feed to ingest both alerts and threats if you have subscribed to alerts in SentinelOne. If you have not subscribed to alerts in SentinelOne, then configure the feed to ingest threats only.

The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.

• BloxOne Threat Defense (BLOXONE)
• Carbon Black (CB_EDR)
• Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
• Cisco ISE (CISCO_ISE)
• Cisco Meraki (CISCO_MERAKI)
• CrowdStrike Falcon (CS_EDR)
• Duo Administrator Logs (DUO_ADMIN)
• Elastic Audit Beats (ELASTIC_AUDITBEAT)
• Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
• F5 BIGIP LTM (F5_BIGIP_LTM)
• FortiGate (FORTINET_FIREWALL)
• Imperva CEF (IMPERVA_CEF)
• Infoblox (INFOBLOX)
• JAMF CMDB (JAMF)
• Juniper (JUNIPER_FIREWALL)
• Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
• Microsoft IIS (IIS)
• Nyansa Events (NYANSA_EVENTS)
• Office 365 (OFFICE_365)
• Onfido (ONFIDO)
• Palo Alto Networks Firewall (PAN_FIREWALL)
• Samba SMBD (SMBD)
• Sentinelone Alerts (SENTINELONE_ALERT)
• SentinelOne EDR (SENTINEL_EDR)
• SonicWall (SONIC_FIREWALL)
• Symantec VIP Gateway (SYMANTEC_VIP)
• Tanium Threat Response (TANIUM_THREAT_RESPONSE)
• Unix system (NIX_SYSTEM)
• VMware NSX (VMWARE_NSX)
• Windows Defender ATP (WINDOWS_DEFENDER_ATP)
• Workspace Activities (WORKSPACE_ACTIVITY)

For details about changes in each parser, see Supported default parsers.

The SentinelOne Alert feed has been enhanced to ingest both alerts and threats. No change is needed to the feed configuration. If data contains both alerts and threats, then both types of data will be ingested.

Chronicle Feed Management enhanced the support for the Qualys VM log type to include Qualys VM Detections API. See the Feed Management documentation for information.

The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.

• 1Password (ONEPASSWORD)
• Airlock Digital Application Allowlisting (AIRLOCK_DIGITAL)
• Apache (APACHE)
• Atlassian Confluence (ATLASSIAN_CONFLUENCE)
• AWS Cloudtrail (AWS_CLOUDTRAIL)
• Azure AD Directory Audit (AZURE_AD_AUDIT)
• Azure Cosmos DB (AZURE_COSMOS_DB)
• Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
• Compute Engine (GCP_COMPUTE)
• CrowdStrike Detection Monitoring (CS_DETECTS)
• CrowdStrike Falcon (CS_EDR)
• Cybereason EDR (CYBEREASON_EDR)
• F5 BIGIP LTM (F5_BIGIP_LTM)
• Forcepoint NGFW (FORCEPOINT_FIREWALL)
• FortiGate (FORTINET_FIREWALL)
• Google Chrome Browser Cloud Management (CBCM) (N/A)
• iBoss Proxy (IBOSS_WEBPROXY)
• JumpCloud Directory Insights (JUMPCLOUD_DIRECTORY_INSIGHTS)
• Juniper Mist (JUNIPER_MIST)
• Kubernetes Node logs (KUBERNETES_NODE)
• Microsoft Azure Activity (AZURE_ACTIVITY)
• Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
• Okta (OKTA)
• Okta Access Gateway (OKTA_ACCESS_GATEWAY)
• Palo Alto Networks Firewall (PAN_FIREWALL)
• pfSense (PFSENSE)
• Salesforce (SALESFORCE)
• Sentinelone Alerts (SENTINELONE_ALERT)
• SentinelOne EDR (SENTINEL_EDR)
• Signal Sciences WAF (SIGNAL_SCIENCES_WAF)
• SonicWall (SONIC_FIREWALL)
• Windows Event (WINEVTLOG)
• Workspace Activities (WORKSPACE_ACTIVITY)
• Yubico OTP (YUBICO_OTP)
• Zscaler Private Access (ZSCALER_ZPA)

For details about changes in each parser, see Supported default parsers.

Search API

The query limit for the udmSearch method has been increased from 60 to 120 queries per hour (QPH). The maximum number of events which can be returned using the udmSearch method has been increased from 1,000 to 10,000.

UDM Search

You can now specify single-line comments and block comments in UDM search. You can also now use UDM search to find values of type float (floating point numbers) and bool (boolean).

The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.

• 1Password (ONEPASSWORD)
• Atlassian Jira (ATLASSIAN_JIRA)
• AWS GuardDuty (GUARDDUTY)
• Azure AD Directory Audit (AZURE_AD_AUDIT)
• Azure AD Organizational Context (AZURE_AD_CONTEXT)
• Carbon Black (CB_EDR)
• Cisco Stealthwatch (CISCO_STEALTHWATCH)
• Cisco WLC/WCS (CISCO_WIRELESS)
• Cloudflare WAF (CLOUDFLARE_WAF)
• CrowdStrike Detection Monitoring (CS_DETECTS)
• CrowdStrike Falcon (CS_EDR)
• Cybereason EDR (CYBEREASON_EDR)
• DigitalArts i-Filter (DIGITALARTS_IFILTER)
• F5 ASM (F5_ASM)
• F5 BIGIP LTM (F5_BIGIP_LTM)
• Google Chrome Browser Cloud Management (CBCM) (N/A)
• Imperva (IMPERVA_WAF)
• Imperva Database (IMPERVA_DB)
• Ipswitch MOVEit Transfer (IPSWITCH_MOVEIT_TRANSFER)
• Linux Auditing System (AuditD) (AUDITD)
• Microsoft AD FS (ADFS)
• Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
• Mobileiron (MOBILEIRON)
• Netskope Web Proxy (NETSKOPE_WEBPROXY)
• Palo Alto Cortex XDR Events (PAN_CORTEX_XDR_EVENTS)
• Palo Alto Networks Firewall (PAN_FIREWALL)
• Samba SMBD (SMBD)
• Sentinelone Alerts (SENTINELONE_ALERT)
• SentinelOne Deep Visibility (SENTINEL_DV)
• SentinelOne EDR (SENTINEL_EDR)
• SonicWall (SONIC_FIREWALL)
• Trend Micro AV (TRENDMICRO_AV)
• VMware vCenter (VMWARE_VCENTER)
• Windows DNS (WINDOWS_DNS)
• Windows Event (WINEVTLOG)

For details about changes in each parser, see Supported default parsers.

Chronicle has released additional ingestion scripts, written in Python, that can be deployed as Cloud Functions. These scripts ingest data from the following log sources, listed by name and ingestion label:

• Aruba Central (ARUBA_CENTRAL)
• Azure Event Hub (configurable log type)
• Cloud Storage (configurable log type)
• Proofpoint (configurable log type)
• Tenable.io (TENABLE_IO)
• Trend Micro Cloud App Security (configurable log type)
• Trend Micro Vision One audit logs (TREND_MICRO_VISION_AUDIT)

The scripts can be used as-is or as templates to customize and ingest logs from another product. They are located in the Chronicle GitHub repository. See Use ingestion scripts deployed as Cloud Functions for instructions about how to configure and deploy the scripts in your environment.

YARA-L outcomes

In the outcome section, you can now define up to 20 outcome variables, with arbitrary names. These outcomes will be stored in the detections generated by the rule. Each detection may have different values for the outcomes.

The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.

• 1Password (ONEPASSWORD)
• Azure AD Organizational Context (AZURE_AD_CONTEXT)
• Barracuda Email (BARRACUDA_EMAIL)
• Carbon Black (CB_EDR)
• Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
• Cisco Switch (CISCO_SWITCH)
• Google Chrome Browser Cloud Management (CBCM) (N/A)
• IBM Security Verify (IBM_SECURITY_VERIFY)
• Imperva (IMPERVA_WAF)
• Infoblox (INFOBLOX)
• Infoblox DNS (INFOBLOX_DNS)
• Linux Auditing System (AuditD) (AUDITD)
• McAfee Web Gateway (MCAFEE_WEBPROXY)
• Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
• Microsoft SQL Server (MICROSOFT_SQL)
• Nutanix Prism (NUTANIX_PRISM)
• Office 365 (OFFICE_365)
• Okera Dynamic Access Platform (OKERA_DAP)
• Palo Alto Networks Firewall (PAN_FIREWALL)
• Proofpoint Observeit (OBSERVEIT)
• Qualys VM (QUALYS_VM)
• Sentinelone Alerts (SENTINELONE_ALERT)
• SentinelOne EDR (SENTINEL_EDR)
• Symantec Endpoint Protection (SEP)
• WatchGuard (WATCHGUARD)
• Windows Event (WINEVTLOG)
• Windows Event (XML) (WINEVTLOG_XML)
• Windows Sysmon (WINDOWS_SYSMON)

For details about changes in each parser, see Supported default parsers.

Geolocation enrichment from an IP address

Chronicle provides geolocation data enrichment (GeoIP data) for external IP addresses to enable more powerful rule detections and greater context for investigations. Chronicle uses location data provided by Google to provide an approximate geographic location for an external IP address. For more information, see:

• How Chronicle enriches event and entity data
• How to use context-enriched data in rules
• Use context enriched data in UDM Search
• Use context enriched data in reports

The Chronicle Curated Detections > Cloud Threats policy has been enhanced with the following changes:

• Admin Action rule set: added a new exclusion list, called gcti__cld__admin_action__network_http_user_agent__exclusion_list that enables you to exclude events based on the HTTP User Agent string.
• IAM Abuse rule set: added a new exclusion list, called, gcti__cld__iamabuse__network_http_user_agent__exclusion_list that enables you to exclude events based on the HTTP User Agent string.

The following changes are available in the Unified Data Model:

• Added the following fields to the Software object:

  • Software.description
  • Software.vendor_name

• Deprecated the Location.region_latitude and Location.region_longitude fields. Use the following Location fields instead:

  • Location.region_coordinates.latitude
  • Location.region_coordinates.longitude

• Deprecated the Noun.ip_location field. Use Noun.ip_geo_artifact.location instead.

• Added the following fields to the File object, File.stat_mode, File.stat_inode, File.stat_dev, File.stat_nlink, File.stat_flags.

For a list of all fields in the Unified Data Model, and their descriptions, see the Unified Data Model field list.

The following changes are available in the Unified Data Model:

• A new field, called source_labels, was added to EntityMetadata.
• A new field, called enrichment_state, was added to event.metadata.
• A new field, called ip_geo_artifact, was added to Noun.
• A new field, called parsed_user_agent, was added to network.http.
• A new enumerated list, called Metadata.EnrichmentState, was added.
• The new type was added, called Artifact.
• The following values were added to the relation.relationship enumerated list: EXECUTES, DOWNLOADED_FROM, and CONTACTS.
• The following values were added to Noun.Platform enumerated list: IOS, ANDROID, CHROME_OS.
• The following value was added to the SecurityResult.SecurityCategory enumerated list, called TOR_EXIT_NODE.

For a list of all fields in the Unified Data Model, and their descriptions, see the Unified Data Model field list.

The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.

• Atlassian Jira (ATLASSIAN_JIRA)
• Azure AD (AZURE_AD)
• CrowdStrike Falcon (CS_EDR)
• ESET AV (ESET_AV)
• FortiGate (FORTINET_FIREWALL)
• GitHub (GITHUB)
• Infoblox (INFOBLOX)
• Juniper (JUNIPER_FIREWALL)
• Juniper Junos (JUNIPER_JUNOS)
• Kubernetes Node logs (KUBERNETES_NODE)
• McAfee Web Gateway (MCAFEE_WEBPROXY)
• Microsoft Defender for Endpoint (MICROSOFT_DEFENDER_ENDPOINT)
• Netskope Web Proxy (NETSKOPE_WEBPROXY)
• Office 365 (OFFICE_365)
• Pulse Secure (PULSE_SECURE_VPN)
• Ruckus Networks (RUCKUS_WIRELESS)
• Sentinelone Alerts (SENTINELONE_ALERT)
• SentinelOne EDR (SENTINEL_EDR)
• Silverfort Authentication Platform (SILVERFORT)
• VMware vCenter (VMWARE_VCENTER)
• Windows Event (XML) (WINEVTLOG_XML)
• Zscaler (ZSCALER_WEBPROXY)

For details about changes in each parser, see Supported default parsers.

Chronicle Curated Detections has been enhanced with the following additional detection content for Cloud threats. A new rule set was added, called Resource Masquerading, that detects Google Cloud resources created with names or characteristics of another resource or resource type. This could be used to mask malicious activity carried out by or within the resource, with the intent of appearing legitimate.

Chronicle Curated Detections has been enhanced with the following additional detection content for Windows-based threats. A new rule set was added, called Anomalous PowerShell, that identifies PowerShell commands containing obfuscation techniques or other anomalous behavior.

The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.

• AWS CloudWatch (AWS_CLOUDWATCH)
• AWS Control Tower (AWS_CONTROL_TOWER)
• AWS WAF (AWS_WAF)
• Azure AD (AZURE_AD)
• Azure AD Organizational Context (AZURE_AD_CONTEXT)
• Barracuda Email (BARRACUDA_EMAIL)
• Cisco ASA (CISCO_ASA_FIREWALL)
• Cisco Email Security (CISCO_EMAIL_SECURITY)
• Cisco ISE (CISCO_ISE)
• Cisco Umbrella Web Proxy (UMBRELLA_WEBPROXY)
• Citrix Monitor (CITRIX_MONITOR)
• Cloud Audit Logs (N/A)
• CrowdStrike Falcon (CS_EDR)
• Digital Guardian EDR (DIGITALGUARDIAN_EDR)
• Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
• ExtraHop RevealX (EXTRAHOP)
• ForgeRock OpenAM (OPENAM)
• Google Chrome Browser Cloud Management (CBCM) (N/A)
• Infoblox (INFOBLOX)
• McAfee ePolicy Orchestrator (MCAFEE_EPO)
• Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
• Netscout Arbor Sightline (ARBOR_SIGHTLINE)
• Office 365 (OFFICE_365)
• Okta (OKTA)
• Palo Alto Networks Firewall (PAN_FIREWALL)
• Rapid7 Insight (RAPID7_INSIGHT)
• Salesforce (SALESFORCE)
• Sophos Intercept EDR (SOPHOS_EDR)
• Splunk Platform (SPLUNK)
• STIX Threat Intelligence (STIX)
• Tanium Stream (TANIUM_TH)
• tenable.io (TENABLE_IO)
• ThreatLocker Platform (THREATLOCKER)
• VMware AirWatch (AIRWATCH)
• WatchGuard (WATCHGUARD)
• Windows Event (XML) (WINEVTLOG_XML)
• Windows Sysmon (WINDOWS_SYSMON)
• Zscaler (ZSCALER_WEBPROXY)

For details about changes in each parser, see Supported default parsers.

You can now enable up to 500 active rules within your Chronicle account. Up to 75 of those can be multi-event rules. See Running a rule against live data for information on how to enable rules and Manage rules using Rules Editor for information on how to configure rules.

New endpoint for UK

Chronicle has added a supported region for Chronicle customers in the UK, europe-west2.

The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.

• Cisco Router (CISCO_ROUTER)
• Digital Guardian DLP (DIGITALGUARDIAN_DLP)
• Linux Auditing System (AuditD) (AUDITD)
• Microsoft Azure Activity (AZURE_ACTIVITY)
• Rubrik (RUBRIK)
• Sentinelone Alerts (SENTINELONE_ALERT)
• SentinelOne EDR (SENTINEL_EDR)
• Sophos Firewall (Next Gen) (SOPHOS_FIREWALL)
• STIX Threat Intelligence (STIX)
• Thales Luna Hardware Security Module (THALES_LUNA_HSM)
• Thinkst Canary (THINKST_CANARY)
• Unix system (NIX_SYSTEM)
• Workspace Activities (WORKSPACE_ACTIVITY)

For details about changes in each parser, see Supported default parsers.

The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.

• Akamai WAF (AKAMAI_WAF)
• AlgoSec Security Management (ALGOSEC)
• Ansible AWX (ANSIBLE_AWX)
• Arcsight CEF (ARCSIGHT_CEF)
• AWS Cloudtrail (AWS_CLOUDTRAIL)
• AWS Control Tower (AWS_CONTROL_TOWER)
• AWS GuardDuty (GUARDDUTY)
• Azure AD Directory Audit (AZURE_AD_AUDIT)
• BIND (BIND_DNS)
• Bluecat DDI (BLUECAT_DDI)
• Carbon Black (CB_EDR)
• Check Point (CHECKPOINT_FIREWALL)
• Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
• Cisco Meraki (CISCO_MERAKI)
• Cisco Router (CISCO_ROUTER)
• Deep Instinct EDR (DEEP_INSTINCT_EDR)
• Department of Homeland Security (DHS_IOC)
• Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
• Emerging Threats Pro (ET_PRO_IOC)
• ESET Threat Intelligence (ESET_IOC)
• FortiGate (FORTINET_FIREWALL)
• Fortinet (FORTINET_DHCP)
• Cloud Audit (N/A)
• Security Command Center (N/A)
• GitHub (GITHUB)
• Hitachi Cloud Platform (HITACHI_CLOUD_PLATFORM)
• Juniper (JUNIPER_FIREWALL)
• Linux Auditing System (AuditD) (AUDITD)
• Mandiant Threat Intelligence (MANDIANT_IOC)
• Microsoft Azure Resource (AZURE_RESOURCE_LOGS)
• Microsoft Exchange (EXCHANGE_MAIL)
• Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
• Microsoft Powershell (POWERSHELL)
• Netscout Arbor Sightline (ARBOR_SIGHTLINE)
• Office 365 (OFFICE_365)
• Okta (OKTA)
• Palo Alto Networks Firewall (PAN_FIREWALL)
• Palo Alto Prisma Access (PAN_CASB)
• Sentinelone Alerts (SENTINELONE_ALERT)
• Shrubbery TACACS+ (SHRUBBERY_TACACS)
• Signal Sciences WAF (SIGNAL_SCIENCES_WAF)
• Solarwinds Kiwi Syslog Server (SOLARWINDS_KSS)
• Splunk Platform (SPLUNK)
• Stealthbits Defend (STEALTHBITS_DEFEND)
• STIX Threat Intelligence (STIX)
• Symantec Endpoint Protection (SEP)
• Tanium Discover (TANIUM_DISCOVER)
• Tanium Threat Response (TANIUM_THREAT_RESPONSE)
• WatchGuard (WATCHGUARD)
• Windows Event (WINEVTLOG)
• Windows Network Policy Server (WINDOWS_NET_POLICY_SERVER)

For details about changes in each parser, see Supported default parsers.

Reference Lists

Google has made enhancements to the Chronicle reference lists feature, it now enables you to perform more complex matching beyond exact string matches. These new types of reference lists can be used in Detection Engine rules.

For more detailed information about these special list types, see the reference lists documentation.

When creating a list, you must provide a "List Type" to indicate how you want Chronicle to interpret your list. List type cannot be changed after list creation, and can be STRING, REGEX, or CIDR. The list type for any existing lists has been set to STRING, since all reference lists made by preview customers perform exact string matching.

You can create Reference Lists using the Chronicle user interface or programmatically using the Reference List API. For information on how to embed a Reference List within a Rule, see the documentation.

Chronicle Curated Detections has been enhanced with the following additional detection content:

• Windows-based threats:
  • Security Posture Downgrade: detects activity attempting to disable or decrease the effectiveness of security tools.
• Cloud threats:
  • Suspicious Behavior: detects activity that is thought to be uncommon and suspicious in most environments.
  • Service Disruption: detects destructive or disruptive actions that, if performed in a functioning production environment, may cause a significant outage.
  • Suspicious Infrastructure Change: detects modifications to production infrastructure that align with known persistence tactics.

The following default parsers have changed. Each is listed by product name and ingestion label, if applicable.

• Akeyless Vault Platform (AKEYLESS_VAULT)
• AWS Control Tower (AWS_CONTROL_TOWER)
• AWS VPC Flow (AWS_VPC_FLOW)
• Azure AD (AZURE_AD)
• Azure AD Directory Audit (AZURE_AD_AUDIT)
• Azure WAF (AZURE_WAF)
• BeyondTrust Privileged Identity (BEYONDTRUST_PI)
• Check Point (CHECKPOINT_FIREWALL)
• Cisco Router (CISCO_ROUTER)
• Cisco Wireless IPS (CISCO_WIPS)
• Citrix Monitor (CITRIX_MONITOR)
• CrowdStrike Falcon (CS_EDR)
• Darktrace (DARKTRACE)
• Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
• EPIC Systems (EPIC)
• F5 ASM (F5_ASM)
• Forcepoint DLP (FORCEPOINT_DLP)
• FortiGate (FORTINET_FIREWALL)
• Google Cloud Audit (N/A)
• Security Command Center (N/A)
• HAProxy (HAPROXY)
• InterSystems Cache (INTERSYSTEMS_CACHE)
• Lenel Onguard Badge Management (LENEL_ONGUARD)
• Microsoft Azure Resource (AZURE_RESOURCE_LOGS)
• Microsoft Defender for Endpoint (MICROSOFT_DEFENDER_ENDPOINT)
• Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
• Microsoft IIS (IIS)
• Netscout (ARBOR_EDGE_DEFENSE)
• Netscout Arbor Sightline (ARBOR_SIGHTLINE)
• Okta (OKTA)
• Okta User Context (OKTA_USER_CONTEXT)
• OpenSSH (OPENSSH)
• Palo Alto Cortex XDR Alerts (CORTEX_XDR)
• Palo Alto Networks Firewall (PAN_FIREWALL)
• Proofpoint Tap Alerts (PROOFPOINT_MAIL)
• Pulse Secure (PULSE_SECURE_VPN)
• RSA NetWitness (RSA_NETWITNESS)
• Sentinelone Alerts (SENTINELONE_ALERT)
• Signal Sciences WAF (SIGNAL_SCIENCES_WAF)
• Sourcefire (SOURCEFIRE_IDS)
• Symantec Endpoint Protection (SEP)
• Unix system (NIX_SYSTEM)
• Vectra Stream (VECTRA_STREAM)
• Versa Firewall (VERSA_FIREWALL)
• WatchGuard (WATCHGUARD)
• Wazuh (WAZUH)
• Windows Defender ATP (WINDOWS_DEFENDER_ATP)
• Zix Email Encryption (ZIX_EMAIL_ENCRYPTION)
• Zoom Operation Logs (ZOOM_OPERATION_LOGS)

For details about changes in each parser, see Supported default parsers.

Chronicle Feed Management added support for the Sentinel One Alerts API. See the Feed Management documentation for information about how to configure this feed.

When downloading data to CSV file format from the Chronicle user interface, raw log data is now excluded unless you are using Raw Log Scan. For example, raw log data is no longer included when you download events.

This resolves an issue where downloading to CSV was failing.

Enhancements to the Detection Engine API

The StreamDetectionAlerts method in the Detection Engine API has been enhanced to return detections generated by both user-created rules and Chronicle Curated Detections. For more information about this method, see StreamDetectionAlerts.

The Ingestion API udmevents and createentities methods now accept both uppercase and lowercase characters in the following fields:

• <_Noun_>.mac: defined when calling the udmeevents method, where Noun is either principal, src, target, observer, intermediary, or about.

• entity.asset.mac: defined when calling the createentities method.

These fields are defined in the UDM record in the request body when calling the method. For more information about these methods, see Chronicle Ingestion API documentation. For more information about UDM fields, see the Unified Data Model field list.

Chronicle Feed Management added a hostname field to the configuration workflow of certain log types. The hostname field enables you to configure the API endpoint for the feed. If you do not define a value for this field, the following default values are used:

• AzureAD (AZURE_AD) default hostname is graph.microsoft.com.
• AzureADAudit (AZURE_AD_AUDIT) default hostname is graph.microsoft.com.
• AzureADContext (AZURE_AD_CONTEXT) default hostname is graph.microsoft.com.
• AzureMDMIntune (AZURE_MDM_INTUNE) default hostname is graph.microsoft.com.
• MicrosoftGraphAlert (MICROSOFT_GRAPH_ALERT) default hostname is graph.microsoft.com.
• MicrosoftSecurityCenterAlert (MICROSOFT_SECURITY_CENTER_ALERT) default hostname is management.azure.com.
• Office365 (OFFICE_365) default hostname is manage.office.com.

Chronicle Feed Management API was also updated to support the hostname field for these log types.

Chronicle Feed Management added support for the CrowdStrike Detection API. See the Feed Management documentation for information about how to configure this feed.

The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.

• 1Password (ONEPASSWORD)
• Accellion (ACCELLION)
• Akamai Cloud Monitor (AKAMAI_CLOUD_MONITOR)
• AWS Cloudtrail (AWS_CLOUDTRAIL)
• BeyondTrust (BOMGAR)
• BeyondTrust Secure Remote Access (BEYONDTRUST_REMOTE_ACCESS)
• Bitdefender (BITDEFENDER)
• Blue Coat Proxy (BLUECOAT_WEBPROXY)
• Carbon Black (CB_EDR)
• Check Point (CHECKPOINT_FIREWALL)
• CIS Albert Alerts (CIS_ALBERT_ALERT)
• Cisco ASA (CISCO_ASA_FIREWALL)
• Cisco FireSIGHT Management Center (CISCO_FIRESIGHT)
• Cisco ISE (CISCO_ISE)
• Cisco Meraki (CISCO_MERAKI)
• Cloudflare (CLOUDFLARE)
• CrowdStrike Detection Monitoring (CS_DETECTS)
• CrowdStrike Falcon (CS_EDR)
• CyberArk (CYBERARK)
• Darktrace (DARKTRACE)
• Forcepoint NGFW (FORCEPOINT_FIREWALL)
• Forescout NAC (FORESCOUT_NAC)
• FortiGate (FORTINET_FIREWALL)
• Cloud Audit (N/A)
• Cloud Identity Device Users (GCP_CLOUDIDENTITY_DEVICEUSERS)
• Load Balancing (GCP_LOADBALANCING)
• Google Chrome Browser Cloud Management (CBCM) (N/A)
• IBM Guardium (GUARDIUM)
• Ipswitch MOVEit Transfer (IPSWITCH_MOVEIT_TRANSFER)
• Juniper (JUNIPER_FIREWALL)
• Kaspersky AV (KASPERSKY_AV)
• Linux Auditing System (AuditD) (AUDITD)
• Microsoft Azure Resource (AZURE_RESOURCE_LOGS)
• Microsoft Defender for Endpoint (MICROSOFT_DEFENDER_ENDPOINT)
• Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
• Microsoft IIS (IIS)
• Microsoft Powershell (POWERSHELL)
• Netfilter IPtables (NETFILTER_IPTABLES)
• Netscout (ARBOR_EDGE_DEFENSE)
• Netscout Arbor Sightline (ARBOR_SIGHTLINE)
• Okta (OKTA)
• Oracle (ORACLE_DB)
• Palo Alto Networks Firewall (PAN_FIREWALL)
• Palo Alto Prisma Access (PAN_CASB)
• pfSense (PFSENSE)
• PostFix Mail (POSTFIX_MAIL)
• Proofpoint Email Filter (PROOFPOINT_MAIL_FILTER)
• Pulse Secure (PULSE_SECURE_VPN)
• Qualys VM (QUALYS_VM)
• Sentinelone Alerts (SENTINELONE_ALERT)
• SentinelOne EDR (SENTINEL_EDR)
• Shrubbery TACACS+ (SHRUBBERY_TACACS)
• Symantec Endpoint Protection (SEP)
• Sysdig (SYSDIG)
• Tanium Integrity Monitor (TANIUM_INTEGRITY_MONITOR)
• Varonis (VARONIS)
• VyOS Open Source Router (VYOS)
• ZScaler DNS (ZSCALER_DNS)

For details about changes in each parser, see Supported default parsers.

There is now an additional parameter you can specify for Chronicle feeds, "display_name". This additional parameter can be specified and will be returned when using the following Feed Management API methods:

• CreateFeed
• DisableFeed
• EnableFeed
• GetFeed
• ListFeeds
• UpdateFeed

For additional information and examples, see Feed Management API.

Access to fields stored as key-value pairs in Detection Engine rules

You can now create Detection Engine rules that include UDM fields stored as key-value pairs, such as google.protobuf.Struct and Label data type. Using the map syntax, you access fields stored as the:

• google.protobuf.Struct data type using syntax similar to $e.additional.fields["key"] = "value".

• Label data type using syntax similar to $e.target.labels["key"] = "value".

For more details about the map syntax, see the YARA-L 2.0 language syntax.

Chronicle Feed Management for the Rapid7 Insight log type now enables you to configure the Rapid7 API endpoint.

A new field, called hostname, was added to the Rapid7 Insight configuration workflow. Use this field to change the API endpoint to any one of the supported Rapid7 regions, by specifying value using the following pattern {region_id}.api.insight.rapid7.com. If you do not specify an endpoint, the default is us.api.insight.rapid7.com. The Chronicle Feed Management API was also updated to support a configurable value for the hostname field.

Chronicle Curated Detections has been enhanced with the following additional detection content:

• Windows-based threats:
  • Living off the land (LotL): identifies tools native to Microsoft Windows operating systems that can be abused by threat actors for malicious purposes.
• Cloud attacks and cloud misconfigurations:
  • Cloud Hacktool: detects activity from known offensive security platforms or tools used by threat actors that target resources on Google Cloud.
  • IAM Abuse: detects activity associated with abusing IAM roles and permissions to potentially escalate privilege or move laterally within a given Google Cloud project or across a Google Cloud organization.

The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.

• Apache (APACHE)
• Aruba (ARUBA_WIRELESS)
• AWS GuardDuty (GUARDDUTY)
• Azure AD Directory Audit (AZURE_AD_AUDIT)
• Azure AD Organizational Context (AZURE_AD_CONTEXT)
• BeyondTrust (BOMGAR)
• Box (BOX)
• Cisco Application Centric Infrastructure (CISCO_ACI)
• Cisco Application Control Engine (CISCO_ACE)
• Cisco ASA (CISCO_ASA_FIREWALL)
• Cisco Email Security (CISCO_EMAIL_SECURITY)
• Citrix Netscaler (CITRIX_NETSCALER)
• Cloudflare WAF (CLOUDFLARE_WAF)
• CrowdStrike Detection Monitoring (CS_DETECTS)
• CrowdStrike Falcon (CS_EDR)
• Crowdstrike IOC (CROWDSTRIKE_IOC)
• F5 ASM (F5_ASM)
• Fluentd Logs (FLUENTD)
• FortiGate (FORTINET_FIREWALL)
• Fortinet FortiAnalyzer (FORTINET_FORTIANALYZER)
• Cloud Audit (N/A)
• Cloud DNS (N/A)
• Cloud Load Balancing (GCP_LOADBALANCING)
• HCNET Account Adapter Plus (HCNET_ACCOUNT_ADAPTER)
• Kong API Gateway (KONG_GATEWAY)
• ManageEngine AD360 (MANAGE_ENGINE_AD360)
• McAfee ePolicy Orchestrator (MCAFEE_EPO)
• McAfee Web Gateway (MCAFEE_WEBPROXY)
• McAfee Web Protection (MCAFEE_WEB_PROTECTION)
• Microsoft Azure Activity (AZURE_ACTIVITY)
• Mongo Database (MONGO_DB)
• Office 365 (OFFICE_365)
• Okta (OKTA)
• OSQuery (OSQUERY_EDR)
• OSSEC (OSSEC)
• Palo Alto Networks Firewall (PAN_FIREWALL)
• Red Canary (REDCANARY_EDR)
• Snort (SNORT_IDS)
• Squid Web Proxy (SQUID_WEBPROXY)
• Symantec Endpoint Protection (SEP)
• Tanium Asset (TANIUM_ASSET)
• Tanium Stream (TANIUM_TH)
• Windows Defender ATP (WINDOWS_DEFENDER_ATP)
• Workday (WORKDAY)
• Zeek JSON (BRO_JSON)

For details about changes in each parser, see Supported default parsers.

The following changes are available in the Unified Data Model:

• A new field, risk_score, was added to Noun.investigation.
• A new field, data_tap_config_name, was added to Event.metadata.tags.
• The following new fields were added to Network:
  • application_protocol_version
  • sent_packets
  • received_packets
• A new ENUM value, CHALLENGE, was add to SecurityResult.Action
• A new ENUM value, ANALYST_UPDATE_RISK_SCORE, was added to Metadata.EventType

For a list of all fields in the Unified Data Model, and their descriptions, see the Unified Data Model field list.

The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.

• Apache (APACHE)
• Barracuda WAF (BARRACUDA_WAF)
• Bluecat DDI (BLUECAT_DDI)
• Cisco Umbrella Cloud Firewall (UMBRELLA_FIREWALL)
• Cisco Umbrella Web Proxy (UMBRELLA_WEBPROXY)
• Cisco WLC/WCS (CISCO_WIRELESS)
• CloudGenix SD-WAN (CLOUDGENIX_SDWAN)
• Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
• FortiGate (FORTINET_FIREWALL)
• Cloud Audit (N/A)
• Google Cloud Identity Context (CLOUD_IDENTITY_CONTEXT)
• IBM Guardium (GUARDIUM)
• IBM z/OS (IBM_ZOS)
• Infoblox DNS (INFOBLOX_DNS)
• Ipswitch SFTP (IPSWITCH_SFTP)
• Kubernetes auth proxy logs (KUBERNETES_AUTH_PROXY)
• Linux DHCP (LINUX_DHCP)
• McAfee ePolicy Orchestrator (MCAFEE_EPO)
• Microsoft Defender for Endpoint (MICROSOFT_DEFENDER_ENDPOINT)
• NGINX (NGINX)
• OSSEC (OSSEC)
• pfSense (PFSENSE)
• Ribbon Analytics Platform (RIBBON_ANALYTICS_PLATFORM)
• Ruckus Networks (RUCKUS_WIRELESS)
• Salesforce (SALESFORCE)
• Sentinelone Alerts (SENTINELONE_ALERT)
• SentinelOne Deep Visibility (SENTINEL_DV)
• SentinelOne EDR (SENTINEL_EDR)
• Trend Micro Deep Security (TRENDMICRO_DEEP_SECURITY)
• VMware AirWatch (AIRWATCH)
• VMware ESXi (VMWARE_ESX)
• VMware Workspace ONE (VMWARE_WORKSPACE_ONE)
• Zscaler (ZSCALER_WEBPROXY)

For details about changes in each parser, see Supported default parsers.

The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.

• Arcsight CEF (ARCSIGHT_CEF)
• Aruba (ARUBA_WIRELESS)
• AWS Security Hub (AWS_SECURITY_HUB)
• Azure AD (AZURE_AD)
• BeyondTrust (BOMGAR)
• Bitdefender (BITDEFENDER)
• Blue Coat Proxy (BLUECOAT_WEBPROXY)
• Bluecat DDI (BLUECAT_DDI)
• CA LDAP (CA_LDAP)
• Check Point (CHECKPOINT_FIREWALL)
• Cisco ACS (CISCO_ACS)
• Cisco Router (CISCO_ROUTER)
• Cisco UCM (CISCO_UCM)
• Cisco Umbrella IP (UMBRELLA_IP)
• Cisco Umbrella Web Proxy (UMBRELLA_WEBPROXY)
• Cisco VPN (CISCO_VPN)
• Cisco WLC/WCS (CISCO_WIRELESS)
• CrowdStrike Falcon (CS_EDR)
• Falco IDS (FALCO_IDS)
• FireEye HX (FIREEYE_HX)
• Forcepoint CASB (FORCEPOINT_CASB)
• FortiGate (FORTINET_FIREWALL)
• Cloud Load Balancing (GCP_LOADBALANCING)
• Cloud Audit (N/A)
• HP Aruba Clearpass (CLEARPASS)
• Infoblox DNS (INFOBLOX_DNS)
• Linux DHCP (LINUX_DHCP)
• Microsoft Intune (AZURE_MDM_INTUNE)
• Office 365 (OFFICE_365)
• Open LDAP (OPENLDAP)
• Ordr IoT (ORDR_IOT)
• Palo Alto Networks Traps (PAN_EDR)
• Pivotal (PIVOTAL)
• Proofpoint Threat Response (PROOFPOINT_TRAP)
• Red Hat OpenShift (REDHAT_OPENSHIFT)
• Sophos Firewall Next Gen (SOPHOS_FIREWALL)
• Sourcefire (SOURCEFIRE_IDS)
• Suricata EVE (SURICATA_EVE)
• Symantec Event export (SYMANTEC_EVENT_EXPORT)
• Tanium Comply (TANIUM_COMPLY)
• Vectra Detect (VECTRA_DETECT)
• VMware ESXi (VMWARE_ESX)
• Windows Event (WINEVTLOG)

For details about changes in each parser, see Supported default parsers.

The following changes are available in the Unified Data Model:

• The ip_location field was added to Noun type.
• The day_max_sub_domains field was added to the Prevalence type.
• The source_type field was added to the EntityMetadata type.

For a list of all fields in the Unified Data Model, and their descriptions, see the Unified Data Model field list.

The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.

• Akamai WAF (AKAMAI_WAF)
• Arista Switch (ARISTA_SWITCH)
• AWS CloudWatch (AWS_CLOUDWATCH)
• AWS GuardDuty (GUARDDUTY)
• AWS Macie (AWS_MACIE)
• AWS Route 53 DNS (AWS_ROUTE_53)
• AWS WAF (AWS_WAF)
• Azure AD (AZURE_AD)
• Azure AD Organizational Context (AZURE_AD_CONTEXT)
• Bitdefender (BITDEFENDER)
• Bluecat DDI (BLUECAT_DDI)
• Centrify (CENTRIFY_SSO)
• Check Point (CHECKPOINT_FIREWALL)
• Cisco Application Centric Infrastructure (CISCO_ACI)
• Cisco ISE (CISCO_ISE)
• Custom DNS (CUSTOM_DNS)
• Cylance Protect (CYLANCE_PROTECT)
• Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
• FireEye (FIREEYE_ALERT)
• Forcepoint Proxy (FORCEPOINT_WEBPROXY)
• FortiGate (FORTINET_FIREWALL)
• IBM z/OS (IBM_ZOS)
• Linux DHCP (LINUX_DHCP)
• Microsoft AD FS (ADFS)
• Microsoft Azure Resource (AZURE_RESOURCE_LOGS)
• Microsoft Defender for Endpoint (MICROSOFT_DEFENDER_ENDPOINT)
• Microsoft SQL Server (MICROSOFT_SQL)
• Nasuni File Services Platform (NASUNI_FILE_SERVICES)
• Palo Alto Prisma Cloud (PAN_PRISMA_CLOUD)
• Ping Identity (PING)
• Riverbed Steelhead (STEELHEAD)
• SiteMinder Web Access Management (CA_SSO_WEB)
• Snoopy Logger (SNOOPY_LOGGER)
• Stormshield Firewall (STORMSHIELD_FIREWALL)
• Symantec Endpoint Protection (SEP)
• Tanium Stream (TANIUM_TH)
• VMware ESXi (VMWARE_ESX)
• VMware Horizon (VMWARE_HORIZON)
• Windows Event (WINEVTLOG)
• Windows Sysmon (WINDOWS_SYSMON)

For details about changes in each parser, see Supported default parsers.

The following changes are available in the Unified Data Model:

• The File.ashash field was deprecated and replaced with the File.authentihash field.
• The day_max field was added to the Prevalence type.

Descriptions of the File.FileType Enum values are now available in the Unified Data Model field list document.

For a list of all fields in the Unified Data Model, and their descriptions, see the Unified Data Model field list.

The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.

• AWS Cloudtrail (AWS_CLOUDTRAIL)
• AWS Route 53 DNS (AWS_ROUTE_53)
• AWS S3 Server Access (AWS_S3_SERVER_ACCESS)
• AWS WAF (AWS_WAF)
• Box (BOX)
• Cisco Switch (CISCO_SWITCH)
• Citrix Storefront (CITRIX_STOREFRONT)
• CrowdStrike Falcon (CS_EDR)
• Dell OpenManage (DELL_OPENMANAGE)
• F5 VPN (F5_VPN)
• Falco IDS (FALCO_IDS)
• Cloud SQL (GCP_CLOUDSQL)
• Cloud VPC Flow (GCP_VPC_FLOW)
• Imperva SecureSphere Management (IMPERVA_SECURESPHERE)
• Linux Auditing System AuditD (AUDITD)
• McAfee ePolicy Orchestrator (MCAFEE_EPO)
• Microsoft Defender for Identity (MICROSOFT_DEFENDER_IDENTITY)
• Netskope (NETSKOPE_ALERT)
• NIMBLE OS (NIMBLE_OS)
• Office 365 (OFFICE_365)
• Oracle (ORACLE_DB)
• Ping Identity (PING)
• SentinelOne EDR (SENTINEL_EDR)
• Snare System Diagnostic Logs (SNARE_SOLUTIONS)
• Sophos AV (SOPHOS_AV)
• Suricata EVE (SURICATA_EVE)
• Symantec Endpoint Protection (SEP)
• TeamViewer (TEAMVIEWER)
• Vectra Stream (VECTRA_STREAM)
• VMware ESXi (VMWARE_ESX)
• Windows Defender ATP (WINDOWS_DEFENDER_ATP)
• Windows Event (WINEVTLOG)
• Workspace Activities (WORKSPACE_ACTIVITY)

For details about changes in each parser, see Supported default parsers.

Detection Engine now includes the following new features:

• You can define an outcome section in single event rules. Previously, the outcome section was supported in multi-event rules only. If you have multi-event rules that use only one event variable, you can refactor them by deleting the match section to make them more performant. For an example rule, see YARA-L 2.0 language overview. For more detailed information about rule syntax, see YARA-L 2.0 language syntax.

• In the existing condition section, you can now use variables defined in the outcome section. This enables you to filter on aggregates (variables in the outcome section can be defined using aggregate functions) and on the $risk_score outcome variable. For more detailed information about the condition section, see YARA-L 2.0 language syntax.

• You can assign a placeholder variable to the result of a function call. You can then use the placeholder variable in other sections of the rule, such as the match section, outcome section, or condition section. For information about the syntax for function to placeholder assignments and any restrictions, see the YARA-L 2.0 language syntax.

The following changes are available in the Unified Data Model:

• Added the MUTEX value to the EntityMetadata.EntityType enumerated type.
• Added the id field to the Event.metadata type.
• Added the priority, root_cause, and reason fields to the Investigation type.
• Added the following new enumerated types:
  • Priority
  • Reason
• Added the rule_set and rule_set_display_name fields to the SecurityResult type.
• Added the ANALYST_UPDATE_PRIORITY, ANALYST_UPDATE_ROOT_CAUSE, and ANALYST_UPDATE_REASON values to the Metadata.EventType enumerated type.
• Added the DCERPC and KRB5 values to the Network.ApplicationProtocol enumerated type.
• Added the SOCIAL_ENGINEERING and PHISHING values to the SecurityResult.SecurityCategory enumerated type.
• Added the OPEN value to the Status enumerated type.

For a list of all fields in the Unified Data Model, and their descriptions, see the Unified Data Model field list.

The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.

• Avanan Email Security (AVANAN_EMAIL)
• AWS Cloudtrail (AWS_CLOUDTRAIL)
• AWS GuardDuty (GUARDDUTY)
• AWS VPC Flow (AWS_VPC_FLOW)
• Barracuda Firewall (BARRACUDA_FIREWALL)
• BeyondTrust Secure Remote Access (BEYONDTRUST_REMOTE_ACCESS)
• Carbon Black (CB_EDR)
• Centrify (CENTRIFY_SSO)
• Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
• Cisco ISE (CISCO_ISE)
• CrowdStrike Falcon (CS_EDR)
• CrowdStrike Falcon Stream (CS_STREAM)
• Custom Security Data Analytics (CUSTOM_SECURITY_DATA_ANALYTICS)
• Dell EMC Data Domain (DELL_EMC_DATA_DOMAIN)
• Department of Homeland Security (DHS_IOC)
• Elastic Audit Beats (ELASTIC_AUDITBEAT)
• F5 VPN (F5_VPN)
• FortiGate (FORTINET_FIREWALL)
• Fortinet FortiNAC (FORTINET_FORTINAC)
• Cloud Run (GCP_RUN)
• GitHub (GITHUB)
• Google Chrome Browser Cloud Management
• HCL BigFix (HCL_BIGFIX)
• HP Aruba(Clearpass) (CLEARPASS)
• IBM Guardium (GUARDIUM)
• Infoblox (INFOBLOX)
• Infoblox DNS (INFOBLOX_DNS)
• Kubernetes audit logs (KUBERNETES_AUDIT)
• Linux Sysmon (LINUX_SYSMON)
• McAfee ePolicy Orchestrator (MCAFEE_EPO)
• Medigate IoT (MEDIGATE_IOT)
• Microsoft AD FS (ADFS)
• Nasuni File Services Platform (NASUNI_FILE_SERVICES)
• Office 365 (OFFICE_365)
• Okta (OKTA)
• Ping Identity (PING)
• PostFix Mail (POSTFIX_MAIL)
• Proofpoint On Demand (PROOFPOINT_ON_DEMAND)
• Proofpoint Tap Alerts (PROOFPOINT_MAIL)
• SailPoint IAM (SAILPOINT_IAM)
• SecureLink (SECURELINK)
• SentinelOne EDR (SENTINEL_EDR)
• ServiceNow CMDB (SERVICENOW_CMDB)
• Suricata EVE (SURICATA_EVE)
• Suricata IDS (SURICATA_IDS)
• Symantec Web Isolation (SYMANTEC_WEB_ISOLATION)
• Thales Luna Hardware Security Module (THALES_LUNA_HSM)
• Thales MFA (THALES_MFA)
• Uptycs EDR (UPTYCS_EDR)
• Windows DNS (WINDOWS_DNS)
• Windows Event (WINEVTLOG)
• Workspace Activities (WORKSPACE_ACTIVITY)

For details about changes in each parser, see Supported default parsers.

The following supported default parsers have changed (listed by product name and ingestion label):

• Azure DevOps Audit (AZURE_DEVOPS)
• Bitdefender (BITDEFENDER)
• CA Access Control (CA_ACCESS_CONTROL)
• Carbon Black App Control (CB_APP_CONTROL)
• Check Point (CHECKPOINT_FIREWALL)
• Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
• Cisco Router (CISCO_ROUTER)
• Cloud Passage (CLOUD_PASSAGE)
• Digital Guardian (DIGITALGUARDIAN_EDR)
• ExtraHop RevealX (EXTRAHOP)
• Forcepoint NGFW (FORCEPOINT_FIREWALL)
• IBM DataPower Gateway (IBM_DATAPOWER)
• IBM Guardium (GUARDIUM)
• Imperva (IMPERVA_WAF)
• Microsoft Azure Resource (AZURE_RESOURCE_LOGS)
• Microsoft SQL Server (MICROSOFT_SQL)
• Office 365 (OFFICE_365)
• pfSense (PFSENSE)
• Proofpoint On Demand (PROOFPOINT_ON_DEMAND)
• Proofpoint Tap Alerts (PROOFPOINT_MAIL)
• SonicWall (SONIC_FIREWALL)
• Sophos UTM (SOPHOS_UTM)
• VMware AirWatch (AIRWATCH)
• VMware ESXi (VMWARE_ESX)
• Workspace Activities (WORKSPACE_ACTIVITY)

For details about changes in each parser, see Supported default parsers.

The following new fields are available in the Unified Data Model:

• The new fields prevalence, first_seen_time, and last_seen_time were added to the File object.
• A new field, bounce_address, was added to the Email object.
• A new field, artifact, was added to the Noun object. Artifact is a new object.
• A new field, rolling_max_sub_domains, was added to the Prevalence object.
• A new field, first_seen_time, was added to the User object.
• The following new fields were added to the Smtp object:
  • helo
  • mail_from
  • rcpt_to
  • server_response
  • message_path
  • is_webmail
  • is_tls

For a list of all fields in the Unified Data Model, and their descriptions, see the Unified Data Model field list

Chronicle Forwarder configuration on Linux has been updated to include two separate configuration files. The <x>.conf file stores the configuration related to log ingestion. The <x>_auth.conf file stores the authentication credentials.

For more information, see Installing and configuring the forwarder on Linux.

The following supported default parsers have changed (listed by product name and ingestion label):

• Akamai WAF (AKAMAI_WAF)
• Aruba IPS (ARUBA_IPS)
• Azure AD Directory Audit (AZURE_AD_AUDIT)
• Carbon Black App Control (CB_APP_CONTROL)
• Check Point (CHECKPOINT_FIREWALL)
• Cisco ACS (CISCO_ACS)
• Cisco Email Security (CISCO_EMAIL_SECURITY)
• Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
• Cisco ISE (CISCO_ISE)
• Cisco Meraki (CISCO_MERAKI)
• Citrix Netscaler (CITRIX_NETSCALER)
• CloudM (CLOUDM)
• CrowdStrike Falcon (CS_EDR)
• EPIC Systems (EPIC)
• Forescout NAC (FORESCOUT_NAC)
• FortiGate (FORTINET_FIREWALL)
• Cloud Compute (GCP_COMPUTE)
• IBM DataPower Gateway (IBM_DATAPOWER)
• Imperva (IMPERVA_WAF)
• JAMF Protect (JAMF_PROTECT)
• Linux Auditing System (AuditD) (AUDITD)
• Microsoft Exchange (EXCHANGE_MAIL)
• Netskope (NETSKOPE_ALERT)
• Office 365 (OFFICE_365)
• Okta (OKTA)
• Preempt Alert (PREEMPT)
• RSA (RSA_AUTH_MANAGER)
• SentinelOne EDR (SENTINEL_EDR)
• ServiceNow CMDB (SERVICENOW_CMDB)
• Sourcefire (SOURCEFIRE_IDS)
• Suricata IDS (SURICATA_IDS)
• Symantec Web Isolation (SYMANTEC_WEB_ISOLATION)
• Tripwire (TRIPWIRE_FIM)
• Unix system (NIX_SYSTEM)
• VMware AirWatch (AIRWATCH)
• VMware ESXi (VMWARE_ESX)
• VMware NSX (VMWARE_NSX)
• WatchGuard (WATCHGUARD)
• Workspace Alerts (WORKSPACE_ALERTS)
• Zscaler (ZSCALER_WEBPROXY)

For details about changes in each parser, see Supported default parsers.

Enhancements to YARA-L 2.0 syntax in Detection Engine rules

We have enhanced the outcome section that can be used in Detection Engine rules.

• We now support up to 10 outcome variables.
• We now support integer and string data type outcome variables.
• We have added new aggregate functions: count(), count_distinct(), array(), array_distinct()

For more details about the outcome section, see Outcome section syntax.

The following supported default parsers have changed (listed by product name and ingestion label):

• Amazon Guardduty (GUARDDUTY)
• Atlassian Jira (ATLASSIAN_JIRA)
• AWS CloudFront (AWS_CLOUDFRONT)
• AWS Cloudtrail (AWS_CLOUDTRAIL)
• AWS CloudWatch (AWS_CLOUDWATCH)
• AWS Config (AWS_CONFIG)
• AWS Elastic Load Balancer (AWS_ELB)
• AWS Key Management Service (AWS_KMS)
• AWS VPC Flow (AWS_VPC_FLOW)
• Check Point (CHECKPOINT_FIREWALL)
• Cisco ACS (CISCO_ACS)
• Cisco Email Security (CISCO_EMAIL_SECURITY)
• CrowdStrike Falcon (CS_EDR)
• Elastic Audit Beats (ELASTIC_AUDITBEAT)
• Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
• ESET Threat Intelligence (ESET_IOC)
• F5 BIGIP LTM (F5_BIGIP_LTM)
• Fastly WAF (FASTLY_WAF)
• Cloud IOT (GCP_CLOUDIOT)
• HCL BigFix (HCL_BIGFIX)
• IBM z/OS (IBM_ZOS)
• Imperva (IMPERVA_WAF)
• Infoblox DNS (INFOBLOX_DNS)
• Juniper IPS (JUNIPER_IPS)
• Microsoft Azure Resource (AZURE_RESOURCE_LOGS)
• Microsoft Defender for Endpoint (MICROSOFT_DEFENDER_ENDPOINT)
• Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
• Microsoft SQL Server (MICROSOFT_SQL)
• Okta (OKTA)
• Tanium Stream (TANIUM_TH)
• Trend Micro AV (TRENDMICRO_AV)
• Unix system (NIX_SYSTEM)
• Windows Event (WINEVTLOG)
• Zscaler (ZSCALER_WEBPROXY)

For details about changes in each parser, see Supported default parsers.

The following supported default parsers have changed, listed by product name and ingestion label:

• Apache Hadoop (HADOOP)
• Suricata IDS (SURICATA_IDS)
• Cloud Compute (GCP_COMPUTE)
• Elastic Audit Beats (ELASTIC_AUDITBEAT)
• Cloudflare (CLOUDFLARE)
• Proofpoint On Demand (PROOFPOINT_ON_DEMAND)
• FortiGate (FORTINET_FIREWALL)
• CSV Custom IOC (CSV_CUSTOM_IOC)
• CrowdStrike Falcon (CS_EDR)
• Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
• CIS Albert Alerts (CIS_ALBERT_ALERT)
• SonicWall (SONIC_FIREWALL)
• Okta User Context (OKTA_USER_CONTEXT)
• Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
• Check Point (CHECKPOINT_FIREWALL)
• Barracuda Email (BARRACUDA_EMAIL)
• Microsoft Azure Activity (AZURE_ACTIVITY)
• Carbon Black App Control (CB_APP_CONTROL)
• OpenSSH (OPENSSH)
• OneLogin (ONELOGIN_SSO)
• Office 365 (OFFICE_365)
• FireEye NX (FIREEYE_NX)
• ExtraHop RevealX (EXTRAHOP)
• Cisco Umbrella DNS (UMBRELLA_DNS)
• Kaspersky AV (KASPERSKY_AV)
• IBM Guardium (GUARDIUM)
• F5 ASM (F5_ASM)
• Cisco Email Security (CISCO_EMAIL_SECURITY)
• Workspace Activities (WORKSPACE_ACTIVITY)
• Forcepoint Proxy (FORCEPOINT_WEBPROXY)
• Azure AD Organizational Context (AZURE_AD_CONTEXT)
• Tanium Stream (TANIUM_TH)
• Apache (APACHE)

For details about the changes in each parser, see Supported default parsers.

The following supported default parsers have changed (listed by product name and ingestion label):

• ExtraHop RevealX (EXTRAHOP)
• Imperva (IMPERVA_WAF)
• Windows Event (WINEVTLOG)
• Azure AD Organizational Context (AZURE_AD_CONTEXT)
• Citrix Netscaler (CITRIX_NETSCALER)
• Elastic Packet Beats (ELASTIC_PACKETBEATS)
• Elastic Audit Beats (ELASTIC_AUDITBEAT)
• Sendmail (SENDMAIL)
• VMware vCenter (VMWARE_VCENTER)
• AWS VPC Flow (AWS_VPC_FLOW)
• Bluecat DDI (BLUECAT_DDI)
• Cisco ACS (CISCO_ACS)
• Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
• Forcepoint Proxy (FORCEPOINT_WEBPROXY)
• McAfee ePolicy Orchestrator (MCAFEE_EPO)
• Office 365 (OFFICE_365)
• Apple MacOS (MACOS)
• Archer Integrated Risk Management (ARCHER_IRM)
• Cisco Meraki (CISCO_MERAKI)
• Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
• IBM DB2 (DB2_DB)
• Cisco ISE (CISCO_ISE)
• F5 BIGIP LTM (F5_BIGIP_LTM)
• Juniper Junos (JUNIPER_JUNOS)
• Microsoft Exchange (EXCHANGE_MAIL)
• VMware ESXi (VMWARE_ESX)
• Digital Shadows SearchLight (DIGITAL_SHADOWS_SEARCHLIGHT)
• Azure Firewall (AZURE_FIREWALL)
• ForgeRock OpenAM (OPENAM)
• FortiGate (FORTINET_FIREWALL)
• ZScaler NGFW (ZSCALER_FIREWALL)
• OpenVPN (OPEN_VPN)

For details about the changes in each parser, see Supported default parsers.

The following new fields are available in the Unified Data Model:

• parent_session_id was added to the Network object.
• first_seen_time was added to the Asset object.

For a list of fields in the Unified Data Model, and descriptions, see the Unified Data Model field list.

The following supported default parsers have changed (listed by product name and ingestion label):

• Apache Tomcat (TOMCAT)
• Azure AD (AZURE_AD)
• BIND (BIND_DNS)
• Bitdefender (BITDEFENDER)
• Blue Coat Proxy (BLUECOAT_WEBPROXY)
• Cisco ACS (CISCO_ACS)
• Cisco Email Security (CISCO_EMAIL_SECURITY)
• Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
• Cisco ISE (CISCO_ISE)
• Citrix Netscaler (CITRIX_NETSCALER)
• CrowdStrike Falcon (CS_EDR)
• Darktrace (DARKTRACE)
• Dell EMC Data Domain (DELL_EMC_DATA_DOMAIN)
• Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
• EPIC Systems (EPIC)
• F5 ASM (F5_ASM)
• Cloud Identity Device Users (GCP_CLOUDIDENTITY_DEVICEUSERS)
• GMV Checker ATM Security (GMV_CHECKER)
• HCL BigFix (HCL_BIGFIX)
• Layer7 SiteMinder (SITEMINDER_SSO)
• Microsoft Azure NSG Flow (AZURE_NSG_FLOW)
• Microsoft Defender for Identity(MICROSOFT_DEFENDER_IDENTITY)
• Microsoft Powershell (POWERSHELL)
• Mobileiron (MOBILEIRON)
• Office 365 (OFFICE_365)
• Salesforce (SALESFORCE)
• SecureAuth (SECUREAUTH_SSO)
• SentinelOne EDR (SENTINEL_EDR)
• Windows Event (WINEVTLOG)
• Workspace Activities (WORKSPACE_ACTIVITY)
• ZScaler NGFW (ZSCALER_FIREWALL)

For details about the changes in each parser, see Supported default parsers.

Chronicle now supports the following functions in Detection Engine rules:

• strings.concat(a, b)
• strings.to_lower(stringText)
• strings.to_upper(stringText)
• strings.base64_decode(encodedString)
• re.capture(stringText, regex)
• re.replace(stringText, replaceRegex, replacementText)
• timestamp.get_minute(unix_seconds [, time_zone])
• timestamp.get_hour(unix_seconds [, time_zone])
• timestamp.get_day_of_week(unix_seconds [, time_zone])
• timestamp.get_week(unix_seconds [, time_zone])
• timestamp.current_seconds()
• math.abs(intExpression)

For more information about these functions, see YARA-L 2.0 language syntax.

The Chronicle Container Registry key is no longer needed and has been removed. The corresponding documentation on the Container Registry key for the Linux version of the Chronicle Forwarder has also been removed.

Rules run frequency

Rules can now be run at different frequencies. Rule run frequency impacts the latency with which detections are discovered for each rule. Longer run frequencies increase the amount of time between when an event occurs and when a detection is processed for that event. Rules with a window size of at least one hour are limited to either 1 hour or 24 hour run frequencies.

Chronicle Detection Engine now supports the min() function and subtraction operator in the outcome section of a rule.

The following supported default parsers have changed (listed by ingestion label)

• AKAMAI_WAF
• ARUBA_WIRELESS
• AWS_CLOUDTRAIL
• AWS_CONFIG
• AZURE_AD_CONTEXT
• AZURE_COSMOS_DB
• BITDEFENDER
• CA_ACCESS_CONTROL
• CASSANDRA
• CISCO_EMAIL_SECURITY
• CISCO_FIREPOWER_FIREWALL
• CISCO_ISE
• CISCO_MERAKI
• CISCO_TACACS
• CS_EDR
• D3_BANKING
• ELASTIC_WINLOGBEAT
• FILEZILLA_FTP
• GCP_CLOUDIDENTITY_DEVICES
• GCP_CLOUDIDENTITY_DEVICEUSERS
• GMV_CHECKER
• GUARDDUTY
• GUARDIUM
• IIS
• INFOBLOX_DHCP
• KASPERSKY_AV
• KEA_DHCP
• MCAFEE_DLP
• MCAFEE_EPO
• MICROSOFT_DEFENDER_ENDPOINT
• NETSKOPE_WEBPROXY
• OFFICE_365
• OKTA
• OKTA_USER_CONTEXT
• ONELOGIN_SSO
• ORDR_IOT
• PAN_FIREWALL
• PROOFPOINT_ON_DEMAND
• PULSE_SECURE_VPN
• RH_ISAC_IOC
• SALESFORCE
• SERVICENOW_CMDB
• SLACK_AUDIT
• SOPHOS_UTM
• SYMANTEC_EDR
• TANIUM_TH
• UMBRELLA_DNS
• UNIFI_AP
• VANDYKE_SFTP
• VMWARE_ESX
• VMWARE_VREALIZE
• WINDOWS_DHCP
• WINDOWS_DNS
• WINDOWS_SYSMON
• WORKSPACE_ACTIVITY
• WORKSPACE_ALERTS
• WORKSPACE_USERS

For details about the changes in each parser, see Supported default parsers

Exporting Google Cloud Logs to Chronicle

There are now lists of the specific Google Cloud Logs and Google Cloud Asset Metadata that are exported to Chronicle when you enable Google Cloud log ingestion.

Chronicle Forwarder

For the Chronicle Forwarder to function properly, an additional firewall rule is needed for host oauth2.googleapis.com. This information has been added to both the Windows and Linux versions of the Forwarder documentation.

Detection Engine API

The ListDetections method has been updated to allow customers to list detections efficiently across rule versions and rules by either detection timestamp or commit timestamp. Parameters originally used to list detections by detection timestamp will eventually be deprecated.

Uppercase has been rebranded as Google Cloud Threat Intelligence (GCTI).

The Linux Forwarder has been enhanced to support load balancing and high-availability. This enables you to deploy the forwarder in an environment where a Layer 4 load balancer is installed between syslog data sources and forwarder instances.

New documentation to support Chronicle data ingestion planning

You can now find information about Chronicle supported default parsers.

Supported default parsers provides information about which ingestion labels (LogTypes) also support a default parser. You can find the supported data format (KV, JSON, CEF, etc), the parser category, and when the default parser was last updated.

Linux Forwarder Updates

The Linux Forwarder has been enhanced with the following additional capabilities:

Disk Buffering—Disk buffering enables you to buffer backlogged messages to disk as opposed to memory. The backlogged messages can be stored in case the forwarder crashes or the underlying host crashes.

Regular Expression Filters—Regular expression filters enable you to filter logs based on regular expression matches.

Arbitrary labels—Use labels to attach arbitrary metadata to logs using key and value pairs.

Namespaces—Use namespace labels to identify logs from distinct network segments and to deconflict overlapping IP addresses.

Kafka Input—You can ingest data from Kafka topics just as you can for syslog. Consumer groups are leveraged to enable you to deploy up to 3 Forwarders and pull data from the same Kafka topic.

Supported Data Sets

Chronicle can now ingest and parse data from the following additional systems and services:

• Aruba Airwave
• Blue Coat Proxy
• Brocade ServerIron ADX
• CIS Albert Alerts
• Cisco Application Control Engine
• Cisco Email Security
• Cisco NX-OS
• Citrix StoreFront
• Cofense Triage
• Comodo
• Fidelis Network
• FireEye NX
• Honeyd
• Kemp Load Balancer
• Kyriba Treasury Management
• Microsoft Intune
• MySQL
• Palo Alto Networks Cortex XDR
• Red Canary EDR
• ServiceNow CMDB
• Symantec VIP Enterprise Gateway
• Tanium Discover
• Tripwire File Integrity Monitoring

• Chronicle Rules Engine API

  The Chronicle Rules Engine API now includes the StreamRuleNotifications method. This method enables you to continuously receive rules engine results over an HTTP stream as the results are discovered. Contact your Chronicle representative for more information.

• Chronicle API Query Limits

  The query limits for the Chronicle Search API calls are now documented.

• Chronicle Tooling and Management APIs

  The query limits for the Chronicle Tooling and Management API calls are now documented. Contact your Chronicle representative for more information.

• Supported Data Sets

  Chronicle can now ingest and parse data from the following additional systems and services:

  • Access Management—Added support for OpenAM.
  • Audit—Added support for ManageEngine ADAudit Plus.
  • Authentication—Added support for Preempt, Symantec SiteMinder, and Thycotic.
  • Badging—Added support for Honeywell Pro-Watch.
  • Cloud—Added support for Microsoft Cloud Access Security Broker (CASB) and Salesforce.
  • DHCP—Added support for Linux DHCP Server.
  • Hypervisor—Added support for VMware ESXi JSON.
  • Intrusion Detection and Prevention—Added support for Juniper Intrusion Prevention System (IPS).
  • Security Management—Added support for AlgoSec, BeyondTrust, and DMP Entré.
  • Server—Added support for Microsoft Internet Information Services (IIS) and Microsoft SQL Server.

• Chronicle Rules Engine API

  The Chronicle Rules Engine API now includes the Live Rules API. The Live Rules API enables you to run and manage security rules in real time. Once activated, a Live Rule monitors your incoming logs for threats until it is deleted or disabled. Contact your Chronicle representative for more information.

• UDM Reference

  Location Metadata—Added the location metadata fields.

• Supported Data Sets

  Chronicle can now ingest and parse data from the following additional systems and services:

  • ATP—Added support for Microsoft Defender ATP.
  • Antivirus—Added support for Bitdefender and Trend Micro.
  • Authentication—Added support for Cisco ACS and RSA Authentication Manager version 8.1.
  • EDR—Added support for Digital Guardian.
  • IDM and PAM—Added support for Cyberark.
  • NAC—Added support for Forescout.
  • VPN—Added support for Zscaler.

• Chronicle Tooling API

  Helps partners to develop new parsers to normalize new log data types. Contact your Chronicle representative for more information.

• Supported Data Sets

  Chronicle can now ingest and parse data from the following additional systems and services:

  • Alerts—Added support for Suricata.
  • Antivirus—Added support for Cisco.
  • Application—Added support for Microsoft Office 365.
  • Authentications—Added support for Aruba ClearPass, Cisco ISE, and Duo.
  • Deception—Added support for Acalvio.
  • EDR—For Red Canary customers, Chronicle can ingest EDR logs from Endgame.
  • Endpoint—Added support for McAfee ePolicy Orchestrator.
  • Firewall—Added support for Zscaler.
  • IoC—Added support for Emerging Threats Pro.
  • Router—Added support for Cisco.
  • SAAS—Added support for Cloudflare and Google G Suite Audit.
  • Switch—Added support for Cisco.
  • VPN—Added support for Pulse Connect Secure.

• Chronicle User Guide

  Column sort—You can now sort columns on the Enterprise Insights page and from the Timeline sidebar lists.

• Supported Data Sets

  Chronicle can now ingest and parse data from the following additional systems and services:

  • DHCP—Added support for Elastic Packetbeat.
  • DNS—Added support for Elastic Packetbeat.
  • EDR—Added support for ESET.
  • Mail Gateway—Added support for Barracuda Email Security and Mimecast Email Security.
  • Web Application Firewall—Added support for Citrix Netscaler.

• Supported Data Sets

  Chronicle can now ingest and parse data from the following additional systems and services:

  • Traffic Management—Added support for F5 Big-IP Local Traffic Manager (LTM).
  • Unified Threat Management—Added support for Cisco Meraki.

• Chronicle Partner Ingestion API

  Added the udmevents endpoint to enable you to send UDM events in batches.

• Chronicle Search API

  Enables you to programmatically access your security data directly through API calls to Chronicle.

• Chronicle Unified Data Model

  Describes how to generate properly constructed UDM events for consumption by Chronicle's cyber-security analytics platform.

• Raw Log Scan

  Enables you to examine your raw unparsed logs.

• Regular Expressions

  Enables you to search your raw logs using regular expressions.

• Hash View

  Enables you to search for and investigate files based on their hash value.

• Chronicle Data Flow Overview

  Information on how customer security data flows from customers to Chronicle and how Chronicle handles that data.

• Chronicle Partner Ingestion API

  Enables you to forward raw logs directly to Chronicle.

• Enterprise Insights

  Now includes the Procedural Filtering menu and lists all of the Assets with Alerts within your enterprise.

• Viewing EDR Data in the Timeline

  Viewing Endpoint Detection and Response (EDR) data in the timeline.

• Domain Context

  Analytics and insights from VirusTotal, EmergingThreats, WHOIS, and Department of Homeland Security's (DHS) Automated Indicator Sharing (AIS) data sources.

• Investigating Domains and IP Addresses

  Searching for external IP addresses and URLs.

• Chronicle Chrome Extension

  Search for indicators using the Chrome extension.