This page documents production updates to Google Security Operations. You can periodically check this page for announcements about new or updated features, bug fixes, known issues, and deprecated functionality.
You can see the latest product updates for all of Google Cloud on the Google Cloud page, browse and filter all release notes in the Google Cloud console, or programmatically access release notes in BigQuery.
To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly.
November 09, 2024
The following parser documentation is now available.
- Collect Microsoft Azure AD logs
- Collect Cisco Secure Email Gateway logs
- Collect Amazon CloudFront logs
- Collect the General Dynamics Fidelis XPS logs
- Collect Imperva Incapsula Web Application Firewall logs
- Collect Microsoft Graph security API alert logs
- Collect Kemp Load Balancer logs
- Collect Mimecast Secure Email Gateway logs
- Collect Proofpoint TAP alerts logs
- Collect RSA Authentication Manager logs
- Collect Symantec Event Export logs
- Collect Palo Alto Prisma Cloud logs
October 28, 2024
Google SecOps has updated the list of supported default parsers. Parsers are updated gradually, so it might take one to four days before you see the changes reflected in your region.
The following supported default parsers have changed. Each parser is listed by product name and log_type value, if applicable. This list now includes both released default parsers and pending parser updates.
- AIX system (OS)
- Apache Tomcat (Web server)
- Apigee (Google Cloud Specific)
- Aqua Security (IaaS Applications)
- Aruba Switch (Network Infrastructure)
- Auth0 (Authentication log)
- AWS Cloudtrail (Cloud Log Aggregator)
- AWS GuardDuty (IDS/IPS)
- AWS RDS (Database)
- AWS Route 53 DNS (AWS Specific)
- AWS VPC Flow (AWS Specific)
- Azure AD (LDAP)
- Azure AD Sign-In (Misc Windows Specific)
- Azure VPN (VPN)
- Blue Coat Proxy (Web Proxy)
- BMC Client Management (Security)
- Checkpoint Audit (AUDIT)
- Chrome Management (Browser)
- Cisco ASA (firewall)
- Cisco Internetwork Operating System (Network Infrastructure)
- Cisco IronPort (Gateway Security)
- Cisco Meraki (Wireless)
- Cisco Router (Switches, Routers)
- Cisco Switch (Switches, Routers)
- Cisco UCM (Communication Manager)
- Cisco Unity Connection (Administration and Management)
- Citrix Netscaler (Load Balancer, Traffic Shaper, ADC)
- Claroty Continuous Threat Detection (IoT)
- Cloud Audit Logs (Google Cloud Specific)
- Cloudflare (SaaS Application)
- CommVault (Alert System)
- CrowdStrike Detection Monitoring (EDR)
- CrowdStrike Falcon (EDR)
- Darktrace (NDR)
- Dell Switch (Switches, Routers)
- Druva Backup (Security)
- Entrust nShield HSM (Hardware Security Module)
- F5 ASM (WAF)
- F5 BIGIP LTM (Load Balancer, Traffic Shaper, ADC)
- Fidelis Network (NDR)
- FireEye (Alerts)
- FireEye HX (EDR)
- FireEye NX (NDR)
- FortiGate (Firewall)
- Fortinet FortiAnalyzer (Fortinet FortiAnalyzer)
- GitGuardian Enterprise (SaaS Applications)
- Guardicore Centra (Deception Software)
- Halcyon Anti Ransomware (AV and endpoint logs)
- Hashicorp Vault (Privileged Account Activity)
- HP Linux (OS)
- IBM Mainframe Storage (Monitoring)
- IBM OpenPages (Data Security)
- IBM Security QRadar SOAR (Security)
- Imperva (WAF)
- Imperva Advanced Bot Protection (Bot Protection)
- Imperva Audit Trail (IT infrastructure)
- Infoblox DHCP (DHCP)
- INTEL471 Watcher Alerts (Data Security)
- Jamf Protect Alerts (Endpoint Security)
- Juniper (Firewall)
- KnowBe4 PhishER (Email server log types)
- Kubernetes Node (Kubernetes Container)
- Linux Auditing System (AuditD) (OS)
- McAfee ePolicy Orchestrator (Policy Management)
- Microsoft AD (LDAP)
- Microsoft Azure Resource (Log Aggregator)
- Microsoft Defender for Identity (EDR)
- Microsoft Defender for Office 365 (Email server log types)
- Microsoft Graph Activity Logs (AUDIT)
- Microsoft Netlogon (Authentication)
- Microsoft SQL Server (Database)
- Microsoft System Center Endpoint Protection (Malware Detection)
- Netscope Client (CASB)
- Office 365 (SaaS Application)
- Okta User Context (Identity and Access Management)
- One Identity Identity Manager (unified identity security)
- Opswat Metadefender (Threat Protection)
- Palo Alto Networks Firewall (Firewall)
- Palo Alto Prisma Cloud Alert payload (Cloud Security)
- pfSense (FIREWALL)
- Ping Federate (Authentication)
- Proofpoint Observeit (Email Server)
- ProofPoint Secure Email Relay (Email server)
- Pure Storage (Data Storage)
- Red Hat Directory Server LDAP (Identity and Access Management)
- Salesforce (SaaS Application)
- Salesforce Commerce Cloud (SaaS Application)
- Security Command Center Threat (Google Cloud Specific)
- ServiceNow CMDB (Policy Management)
- Sophos UTM (Unified Threat Management)
- Symantec Endpoint Protection (AV / Endpoint)
- Sysdig (Security)
- Tanium Threat Response (Tanium Specific)
- ThreatX WAF (WAF)
- Thycotic (Identity and Access Management)
- Tines (Data Security)
- Trend Micro (SMS, UNITY_ONE)
- Trend Micro Deep Security (AV / Endpoint)
- Trend Micro Vision One (AV and endpoint logs)
- Twingate (VPN)
- Unix system (OS)
- Velo Firewall (FIREWALL)
- VMware AirWatch (Wireless)
- Windows Defender ATP (AV / Endpoint)
- Windows Event (Endpoint)
- Windows Event (XML) (AV / Endpoint)
- Windows Local Administrator Password Solution (Local Administrator Password Solution)
- Windows Sysmon (DNS)
- Workday Audit Logs (Audit And Compliance)
- Workspace Activities (Google Cloud Specific)
- Workspace Alerts (Google Cloud Specific)
- Zscaler (Web Proxy)
- Zscaler Tunnel (N/A)
The following log types were added without a default parser. Each parser is listed by product name and log_type value, if applicable.
- Adobe I/O Runtime (ADOBE_IO_RUNTIME)
- Amazon VPC Transit Gateway Flow Logs (AWS_VPC_TRANSIT_GATEWAY)
- Appsentinels (APPSENTINELS)
- Asset Panda (ASSET_PANDA)
- AstriX (ASTRIX)
- Atlan (ATLAN)
- Azure Container Registry (AZURE_CONTAINER_REGISTRY)
- Backbase Engagement Banking Platform (BACKBASE)
- Barracuda Incident Response (BARRACUDA_INCIDENTRESPONSE)
- Cloudflare Access (CLOUDFLARE_ACCESS)
- Control D DNS (CONTROL_D)
- Digicert (DIGICERT)
- Elastic Defend (ELASTIC_DEFEND)
- FingerprintJS (FINGERPRINT_JS)
- Hashicorp Nomad (HASHICORP_NOMAD)
- IBM NS1 (IBM_NS1)
- Intel 471 Malware Intelligence (INTEL471_MALWARE_INTEL)
- MacStadium (MACSTADIUM)
- N-Able N-Central RMM (N_ABLE_N_CENTRAL_RMM)
- Opentext Exstream (OPENTEXT_EXSTREAM)
- OVHcloud (OVHCLOUD)
- OX Security (OX_SECURITY)
- Pharos (PHAROS)
- ReliaQuest (RELIAQUEST)
- Rublon (RUBLON)
- Snyk Group level audit/issues logs (SNYK_ISSUES)
- SolarWinds Network Performance Monitor (SOLARWINDS_NPM)
- StackHawk (STACKHAWK)
- Tencent Cloud Firewall (TENCENT_CLOUD_FIREWALL)
- Tencent Cloud Waf (TENCENT_CLOUD_WAF)
- Tencent Cloud Workload Protection (TENCENT_CLOUD_WORKLOAD_PROTECTION)
- Trend Micro Server Protect (TRENDMICRO_SERVER_PROTECT)
- UKG (UKG)
- Uptivity (UPTIVITY)
- USBAV Koramis (USBAV_KORAMIS)
- Virtual Network Flow Logs (VIRTUAL_NETWORK_FLOW_LOGS)
- Windows Performance Monitor (MS_PERFMON)
For a list of supported log types and details about default parser changes, see Supported log types and default parsers.
October 15, 2024
Google SecOps has updated the list of supported default parsers. Parsers are updated gradually, so it might take one to four days before you see the changes reflected in your region.
The following supported default parsers have changed. Each parser is listed by product name and log_type value, if applicable. This list now includes both released default parsers and pending parser updates.
- Abnormal Security (Email Server)
- AIX system (OS)
- Akamai DNS (DNS)
- Akamai WAF (WAF)
- Apache (Security)
- Apigee (Google Cloud Specific)
- Apple macOS (AV / Endpoint)
- Archer Integrated Risk Management (Risk Management Solution)
- Area1 Security (Email server)
- Aruba (Wireless)
- Aruba Switch (Network Infrastructure)
- Auth0 (Authentication log)
- AWS CloudFront (CDN)
- AWS Cloudtrail (Cloud Log Aggregator)
- AWS CloudWatch (Cloud service monitoring)
- AWS EMR (AWS Specific)
- AWS VPN (VPN)
- Azure AD (LDAP)
- Azure AD Directory Audit (Audit)
- Azure Firewall (Azure Firewall Application Rule)
- Azure Key Vault logging (Audit)
- Barracuda Firewall (Firewall)
- Barracuda WAF (Firewall)
- BeyondTrust Endpoint Privilege Management (Privileged Account Activity)
- Blue Coat Proxy (Web Proxy)
- BMC Client Management (Security)
- Check Point (Firewall)
- Chrome Management (Browser)
- Cisco IronPort (Gateway Security)
- Cisco ISE (Identity and Access Management)
- Cisco Meraki (Wireless)
- Cisco Router (Switches, Routers)
- Cisco Stealthwatch (Log Aggregator)
- Cisco Switch (Switches, Routers)
- Cisco TACACS+ (Authentication)
- Cisco Umbrella Web Proxy (Web Proxy)
- Cisco WLC/WCS (Wireless)
- Citrix Netscaler (Load Balancer, Traffic Shaper, ADC)
- Claroty Continuous Threat Detection (IoT)
- Cloud Audit Logs (Google Cloud Specific)
- Cloud Data Loss Prevention (Google Cloud Specific)
- Cloud SQL (Google Cloud Specific)
- Cohesity (Backup Software)
- Corelight (NDR)
- CrowdStrike Detection Monitoring (EDR)
- CrowdStrike Falcon (EDR)
- CrushFTP (Application server)
- Darktrace (NDR)
- Delinea Secret Server (Privileged Account Activity)
- Dell EMC Data Domain (Storage system)
- Druva Backup (Security)
- Duo Activity Logs (Activity)
- Duo Administrator Logs (Authentication)
- Elastic Windows Event Log Beats (Log Aggregator)
- Ergon Informatik Airlock IAM (Application Whitelisting)
- F5 BIGIP Access Policy Manager (Access Policy Manager)
- F5 BIGIP LTM (Load Balancer, Traffic Shaper, ADC)
- FireEye HX (EDR)
- FortiGate (Firewall)
- Fortinet FortiAnalyzer (Fortinet FortiAnalyzer)
- Fortinet FortiAuthenticator (Security)
- Fortinet FortiEDR (EDR)
- Fortinet Fortimanager (Network Management and Optimization software)
- GitHub (SaaS Application)
- GMV Checker ATM Security (ATM Audit)
- Guardicore Centra (Deception Software)
- Hashicorp Vault (Privileged Account Activity)
- HP Aruba (ClearPass) (Identity and Access Management)
- IBM Cloud Activity Tracker (Security Log)
- IBM DB2 (Database)
- IBM Mainframe Storage (Monitoring)
- IBM OpenPages (Data Security)
- Imperva (WAF)
- Imperva CEF (CEF)
- Imperva DRA (Data Security)
- Infoblox (DHCP, DNS)
- Infoblox DNS (DNS)
- JAMF Pro (Mac Endpoint Management System)
- Keycloak (Identity and Access Management)
- Lacework Cloud Security (Cloud Security)
- Linux Auditing System (AuditD) (OS)
- Linux DHCP (DHCP)
- ManageEngine Log360 (Alert Log)
- McAfee ePolicy Orchestrator (Policy Management)
- Microsoft AD FS (LDAP)
- Microsoft Azure Activity (Misc Windows Specific)
- Microsoft Azure Resource (Log Aggregator)
- Microsoft Defender For Cloud (Automation and DevOps Tools)
- Microsoft Defender for Endpoint (EDR)
- Microsoft Defender for Identity (EDR)
- Microsoft Graph Activity Logs (AUDIT)
- Microsoft Graph API Alerts (Gateway to data and intelligence)
- Microsoft Intune Context (Mobile Device Management)
- Microsoft SQL Server (Database)
- Mimecast URL Logs (Email server log types)
- MISP Threat Intelligence (Cybersecurity)
- Mobile Endpoint Security (Mobile Endpoint Security)
- NetApp ONTAP (Rest api)
- Netskope V2 (Cloud Security)
- Office 365 (SaaS Application)
- Okta (Identity and Access Management)
- One Identity Identity Manager (unified identity security)
- Opengear Remote Management (Secure Remote Access)
- Oracle (DATABASE)
- Oracle Cloud Infrastructure VCN Flow Logs (Oracle Cloud Infrastructure)
- Palo Alto Networks Firewall (Firewall)
- Palo Alto Panorama (Firewall)
- Palo Alto Prisma Cloud Alert payload (Cloud Security)
- Proofpoint CASB (CASB)
- Proofpoint Email Filter (Email Server)
- Proofpoint On Demand (Email Server)
- Proofpoint Threat Response (Email Server)
- Pulse Secure (VPN)
- Radware Web Application Firewall (Firewall)
- SailPoint IAM (Identity and Access Management)
- Saiwall VPN (VPN)
- Salesforce (SaaS Application)
- Sentinelone Alerts (Endpoint Security)
- SonicWall (Firewall)
- Sophos Central (AV / Endpoint)
- Sophos Firewall (Next Gen) (Firewall)
- Squid Web Proxy (Web Proxy)
- STIX Threat Intelligence (Cybersecurity Threats)
- Suricata EVE (IPS IDS)
- Symantec DLP (DLP)
- Symantec Endpoint Protection (AV / Endpoint)
- Symantec Web Security Service (Web Proxy)
- TINTRI (Data Security)
- Trend Micro Apex one (Endpoint Security)
- TrendMicro Apex Central (Endpoint)
- UberAgent (Security)
- Veeam (Backup software)
- Velo Firewall (FIREWALL)
- VMware AirWatch (Wireless)
- VMware NSX (Network and Security Virtualization)
- VMware vCenter (Server)
- WatchGuard (Syslog and KV)
- Wazuh (Log Aggregator)
- Windows Event (Endpoint)
- Windows Event (XML) (AV / Endpoint)
- Windows Sysmon (DNS)
- Workday User Activity (N/A)
- Workspace Activities (Google Cloud Specific)
- XAMS by Xiting (Log Aggregator)
- ZeroFox Platform (Database)
- Zscaler (Web Proxy)
- Zywall (Network infrastructure)
The following log types were added without a default parser. Each parser is listed by product name and log_type value, if applicable.
- Adaptive Shield (ADAPTIVE_SHIELD)
- Agiloft (AGILOFT)
- Airwatch Context (AIRWATCH_CONTEXT)
- Attack IQ (ATTACK_IQ)
- AWS PY Tools (AWS_PY_TOOLS)
- Bindplane Agent (BINDPLANE_AGENT)
- BindPlane Audit Logs (BINDPLANE)
- Bitsight (BITSIGHT)
- Bitvise SFTP (BITVISE_SFTP)
- Ciena Router logs (CIENA_ROUTER)
- Cisco Viptela (CISCO_VIPTELA)
- Colinet Trotta GAUS SEGUROS (CT_GAUS_SEGUROS)
- Conductor One (CONDUCTOR_ONE)
- Crowdstrike Endpoint Security API (CS_ENDPOINT_SECURITY_API)
- Fiserv SecureNow (SECURE_NOW)
- Greenhouse Harvest (GREENHOUSE_HARVEST)
- Harness IO (HARNESS_IO)
- Hashicorp Boundary (HASHICORP_BOUNDARY)
- HP Linux (HP_LINUX)
- IBM Security Guardium Insights (IBM_INSIGHTS)
- Imperva Attack Analytics (IMPERVA_ATTACK_ANALYTICS)
- INTEL471 Watcher Alerts (INTEL471_WATCHER_ALERTS)
- JAMF Security Cloud (JAMF_SECURITY_CLOUD)
- JBoss Web (JBOSS_WEB)
- Kandji Context (KANDJI_CONTEXT)
- Lenels2 Elements Secure (LENELS2_ELEMENTS_SECURE)
- ManageEngine OpUtils (MANAGE_ENGINE_OPUTILS)
- Microsoft Graph Incident (MICROSOFT_GRAPH_INCIDENT)
- Miro (MIRO)
- Open Policy Agent (OPA)
- Oracle Access Manager (ORACLE_AM)
- Oracle Enterprise Manager (ORACLE_OEM)
- Perception Point XRay (PERCEPTION_POINT_XRAY)
- RedSift BrandTrust (REDSIFT_BRANDTRUST)
- Riverbed (RIVERBED)
- SAP Sybase Adaptive Server Enterprise Database (SAP_ASE)
- Sharefile Logs (SHAREFILE_LOGS)
- Smartsheet (SMARTSHEET)
- Statusgator (STATUSGATOR)
- Titan MFT (TITAN_MFT)
- Upwind (UPWIND)
- Vanta Context (VANTA_CONTEXT)
- Varnish Cache (VARNISH_CACHE)
- Vercel WAF (VERCEL_WAF)
- Veriato Cerebral (VERIATO_CEREBRAL)
For a list of supported log types and details about default parser changes, see Supported log types and default parsers.
September 16, 2024
Google SecOps has updated the list of supported default parsers. Parsers are updated gradually, so it might take one to four days before you see the changes reflected in your region.
The following supported default parsers have changed. Each parser is listed by product name and log_type value, if applicable. This list now includes both released default parsers and pending parser updates.
- Abnormal Security (ABNORMAL_SECURITY)
- Akamai DNS (AKAMAI_DNS)
- Amazon API Gateway (AWS_API_GATEWAY)
- Apache (APACHE)
- Apigee (GCP_APIGEE_X)
- Archer Integrated Risk Management (ARCHER_IRM)
- Arcsight CEF (ARCSIGHT_CEF)
- AWS Cloudtrail (AWS_CLOUDTRAIL)
- AWS VPC Flow (AWS_VPC_FLOW)
- AWS VPN (AWS_VPN)
- Azure AD (AZURE_AD)
- Azure AD Audit (AZURE_AD_AUDIT)
- Azure AD Sign-In (AZURE_AD_SIGNIN)
- Azure Storage Audit (AZURE_STORAGE_AUDIT)
- Azure WAF (AZURE_WAF)
- BeyondTrust Privileged Identity (BEYONDTRUST_PI)
- Blue Coat Proxy (BLUECOAT_WEBPROXY)
- Carbon Black App Control (CB_APP_CONTROL)
- Check Point (CHECKPOINT_FIREWALL)
- Checkpoint Audit (CHECKPOINT_AUDIT)
- Cisco ASA (CISCO_ASA_FIREWALL)
- Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
- Cisco ISE (CISCO_ISE)
- Cisco Meraki (CISCO_MERAKI)
- Cisco WSA (CISCO_WSA)
- Citrix Netscaler (CITRIX_NETSCALER)
- Cloud Audit Logs (N/A)
- Cloud Data Loss Prevention (N/A)
- Cloud Load Balancing (GCP_LOADBALANCING)
- Cloud SQL (GCP_CLOUDSQL)
- Cloudflare WAF (CLOUDFLARE_WAF)
- Cohesity (COHESITY)
- Corelight (CORELIGHT)
- CrowdStrike Falcon (CS_EDR)
- Cyber 2.0 IDS (CYBER_2_IDS)
- Cyberark Privilege Cloud (CYBERARK_PRIVILEGE_CLOUD)
- CyberArk PTA Privileged Threat Analytics (CYBERARK_PTA)
- Darktrace (DARKTRACE)
- Dell Switch (DELL_SWITCH)
- Duo Administrator Logs (DUO_ADMIN)
- Duo Auth (DUO_AUTH)
- EfficientIP DDI (EFFICIENTIP_DDI)
- Elastic Audit Beats (ELASTIC_AUDITBEAT)
- Elastic Packet Beats (ELASTIC_PACKETBEATS)
- F5 ASM (F5_ASM)
- F5 Shape (F5_SHAPE)
- F5 Silverline (F5_SILVERLINE)
- FireEye (FIREEYE_ALERT)
- FireEye ETP (FIREEYE_ETP)
- FireEye HX (FIREEYE_HX)
- Forcepoint DLP (FORCEPOINT_DLP)
- Forcepoint Email Security (FORCEPOINT_EMAILSECURITY)
- Forcepoint Mail Relay (FORCEPOINT_MAIL_RELAY)
- FortiGate (FORTINET_FIREWALL)
- Fortinet FortiAnalyzer (FORTINET_FORTIANALYZER)
- Fortinet Fortimanager (FORTINET_FORTIMANAGER)
- GCP_APP_ENGINE (GCP_APP_ENGINE)
- GitHub (GITHUB)
- HP Aruba (ClearPass) (CLEARPASS)
- IBM DS8000 Storage (IBM_DS8000)
- IBM Guardium (GUARDIUM)
- IBM OpenPages (IBM_OPENPAGES)
- Infoblox DNS (INFOBLOX_DNS)
- Jenkins (JENKINS)
- Layer7 SiteMinder (SITEMINDER_SSO)
- Linux Auditing System (AuditD) (AUDITD)
- Malwarebytes (MALWAREBYTES_EDR)
- McAfee ePolicy Orchestrator (MCAFEE_EPO)
- Microsoft AD FS (ADFS)
- Microsoft Azure Activity (AZURE_ACTIVITY)
- Microsoft Azure Resource (AZURE_RESOURCE_LOGS)
- Microsoft Defender for Office 365 (MICROSOFT_DEFENDER_MAIL)
- Microsoft Exchange (EXCHANGE_MAIL)
- Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
- Microsoft PowerShell (POWERSHELL)
- Microsoft SQL Server (MICROSOFT_SQL)
- Microsoft System Center Endpoint Protection (MICROSOFT_SCEP)
- Mimecast (MIMECAST_MAIL)
- Nagios Infrastructure Monitoring (NAGIOS)
- Network Policy Server (MICROSOFT_NPS)
- Office 365 (OFFICE_365)
- Okta (OKTA)
- Okta User Context (OKTA_USER_CONTEXT)
- Oracle (ORACLE_DB)
- Palo Alto Cortex XDR Alerts (CORTEX_XDR)
- Palo Alto Panorama (PAN_PANORAMA)
- Ping Federate (PING_FEDERATE)
- Ping Identity (PING)
- PostgreSQL (POSTGRESQL)
- Precisely Ironstream IBM z/OS (IRONSTREAM_ZOS)
- Proofpoint On Demand (PROOFPOINT_ON_DEMAND)
- Proofpoint Tap Alerts (PROOFPOINT_MAIL)
- Pulse Secure (PULSE_SECURE_VPN)
- Radware Web Application Firewall (RADWARE_FIREWALL)
- Rippling Activity Logs (RIPPLING_ACTIVITYLOGS)
- Sap Business Technology Platform (SAP_BTP)
- Security Command Center Threat (N/A)
- Sentinelone Alerts (SENTINELONE_ALERT)
- SentinelOne EDR (SENTINEL_EDR)
- SentinelOne Singularity Cloud Funnel (SENTINELONE_CF)
- Shibboleth IDP (SHIBBOLETH_IDP)
- Snare System Diagnostic Logs (SNARE_SOLUTIONS)
- Snowflake (SNOWFLAKE)
- Sophos AV (SOPHOS_AV)
- Sophos Intercept EDR (SOPHOS_EDR)
- Sourcefire (SOURCEFIRE_IDS)
- Splunk Attack Analyzer (SPLUNK_ATTACK_ANALYZER)
- SpyCloud (SPYCLOUD)
- Squid Web Proxy (SQUID_WEBPROXY)
- Suricata EVE (SURICATA_EVE)
- Symantec Endpoint Protection (SEP)
- Symantec Web Security Service (SYMANTEC_WSS)
- Tenable Audit (TENABLE_AUDIT)
- Thales Vormetric (VORMETRIC)
- Trend Micro Apex one (TRENDMICRO_APEX_ONE)
- Trend Micro Deep Security (TRENDMICRO_DEEP_SECURITY)
- Trend Micro Vision One (TRENDMICRO_VISION_ONE)
- TrendMicro Apex Central (TRENDMICRO_APEX_CENTRAL)
- Twingate (TWINGATE)
- Ubika Waf (UBIKA_WAF)
- Unix system (NIX_SYSTEM)
- Vectra Detect (VECTRA_DETECT)
- Vectra Stream (VECTRA_STREAM)
- Wazuh (WAZUH)
- Windows DHCP (WINDOWS_DHCP)
- Windows Event (WINEVTLOG)
- Windows Event (XML) (WINEVTLOG_XML)
- Windows Local Administrator Password Solution (MICROSOFT_LAPS)
- Windows Sysmon (WINDOWS_SYSMON)
- Workspace Activities (WORKSPACE_ACTIVITY)
- Workspace Alerts (WORKSPACE_ALERTS)
- XAMS by Xiting (XITING_XAMS)
The following log types were added without a default parser. Each parser is listed by product name and log_type value, if applicable.
- Active Identity HID (ACTIVE_IDENTITY_HID)
- Akamai Event Viewer (AKAMAI_EVT_VWR)
- Autodesk Vault (AUTODESK_VAULT)
- Avaza (AVAZA)
- Avigilon Access Logs (AVIGILON_ACCESS_LOGS)
- Axis Camera (AXIS_CAMERA)
- Axis License Plate Reader (AXIS_LPR)
- Azure Nix System (AZURE_NIX_SYSTEM)
- CallTower Audio Conferencing (CALLTOWER_AUDIO)
- Canon Printers (CANON_PRINTERS)
- Cisco Secure Endpoint (CISCO_SECURE_ENDPOINT)
- Control UP (CONTROL_UP)
- Cradlepoint Router Logs (CRADLEPOINT)
- Crowdstrike Spotlight (CROWDSTRIKE_SPOTLIGHT)
- CrushFTP (CRUSHFTP)
- CrowdStrike Filevantage (CS_FILEVANTAGE)
- Cybersixgill (CYBERSIXGILL)
- Cyolo Secure Remote Access for OT (CYOLO_OT)
- Dell Core Switch (DELL_EMC_NETWORKING)
- DLink Switch (DLINK_SWITCH)
- Elastic Security (ELASTIC_EDR)
- Fireblocks (FIREBLOCKS)
- Forescout eyeInspect (FORESCOUT_EYEINSPECT)
- Fortinet FortiGate IPS (FORTINET_IPS)
- H3C Router (H3C_ROUTER)
- Hackerone (HACKERONE)
- Halo Sensor (HALO_SENSOR)
- Hashcast (HASHCAST)
- Perforce Helix Core (HELIX_CORE)
- Heroku (HEROKU)
- Hillstone NDR (HILLSTONE_NDR)
- HL7 (HL7)
- HoopDev (HOOPDEV)
- Huawei Switches (HUAWEI_SWITCH)
- Identity Security Cloud (IDENTITY_SECURITY_CLOUD)
- Imperva Data Risk Analytics (IMPERVA_DATA_ANALYTICS)
- Imperva DRA (IMPERVA_DRA)
- IM Express (IM_EXPRESS)
- Intezer (INTEZER)
- Jumpcloud IAM (JUMPCLOUD_IAM)
- Maltiverse IOC (MALTIVERSE_IOC)
- ManageEngine Log360 (MANAGE_ENGINE_LOG360)
- McAfee Network Security Platform (MCAFEE_NSP)
- Miro Cloud (MIRO_CLOUD)
- Nokia Home Device Manager (NOKIA_HDM)
- Nortel Secure Router (NORTEL_SR)
- Notion (NOTION)
- One Identity Identity Manager (ONE_IDENTITY_IDENTITY_MANAGER)
- IDnomic Public Key Infrastructure (OPENTRUST)
- Outline Activity Logs (OUTLINE_ACTIVITY_LOGS)
- Prismatic IO (PRISMATIC_IO)
- ProFTPD (PROFTPD)
- Provision Asset Context (PROVISION_ASSET_CONTEXT)
- Ransomcare (RANSOMCARE)
- Rapid7 Insights Threat Command (RAPID7_INSIGHTS_THREAT_COMMAND)
- Saporo (SAPORO)
- SAS Metadata Server log (SAS_METADATA_SERVER_LOG)
- Scylla (SCYLLA)
- Senseon Alerts (SENSEON_ALERTS)
- Sonic Switch (SONIC_SWITCH)
- Symantec Data Center Security (SYMANTEC_DCS)
- Syncplify SFTP 2 Events (SYNCPLIFY_SFTP)
- Team Cymru Scout Threat Intelligence (TEAM_CYMRU_SCOUT_THREATINTEL)
- Tenable CSPM (TENABLE_CSPM)
- Teqtivity Assets (TEQTIVITY_ASSETS)
- Tines (TINES)
- TP Link Network Switches (TPLINK_SWITCH)
- TT D365 (TT_D365)
- TT MSAN DSLAM (TT_MSAN_DSLAM)
- TT Trio Chordiant (TT_TRIO_CHORDIANT)
- Tufin (TUFIN)
- Tufin Secure Track (TUFIN_SECURE_TRACK)
- UberAgent (UBERAGENT)
- Upstream Vehicle SOC Alerts (UPSTREAM_VSOC_ALERTS)
- URLScan IO (URLSCAN_IO)
- Vertiv UPS (VERTIV_UPS)
- Very Good Security (VERY_GOOD_SECURITY)
- Virtual Browser (VIRTUAL_BROWSER)
- VMWare VSphere (VMWARE_VSPHERE)
- Webroot Identity Protection (WEBROOT_IDENTITY_PROTECTION)
- WideField (WIDEFIELD_SECURITY)
- Zscaler Sandbox (ZSCALER_SANDBOX)
- Zywall (ZYWALL)
For a list of supported log types and details about default parser changes, see Supported log types and default parsers.
September 09, 2024
The following new YARA-L 2.0 functions are available in Rules and Search:
- arrays.concat
- arrays.join_string
- arrays.max
- arrays.min
- arrays.size
- arrays.index_to_int
- cast.as_bool
- cast.as_float
- math.ceil
- math.floor
- math.geo_distance
- math.is_increasing
- math.pow
- math.random
- strings.contains
- strings.count_substrings
- strings.extract_domain
- strings.extract_hostname
- strings.from_hex
- strings.ltrim
- strings.reverse
- strings.rtrim
- strings.trim
- strings.url_decode
- timestamp.as_unix_seconds
- timestamp.now
The following new YARA-L 2.0 functions are available in Rules:
- hash.sha256
- window.avg
- window.first
- window.last
- window.median
- window.mode
- window.stddev
- window.variance
Details on function signatures and behavior can be found in the YARA-L 2.0 Function Syntax Reference documentation.
September 06, 2024
Burst limits will be rolling out over the next 90 days. This should not affect customers whose sources are properly configured. Review the documentation for full details.
August 30, 2024
The prioritization logic of the Applied Threat Intelligence (ATI) rule set has been improved to remove alerts from events that have a specified security result action of BLOCKED or QUARANTINED. This change only impacts the IP address indicator types for both High and Active Breach priority. For more information, see View details about rule sets.
August 17, 2024
The documentation for the SIEM product is currently undergoing a makeover. The upper tabs for the table of contents have been removed, and the table of contents for SIEM now appears at the bottom of the left-hand navigation bar.
In addition, labels have been added to the top of each page that let you know if the specific page is relevant for SIEM. You can click on the label to reach the SIEM table of contents.
August 01, 2024
Customers can now configure direct ingestion of Google Cloud data without using a one-time Google Security Operations access code. This feature will be launched over a period of several weeks. For more information, see Enable direct ingestion from Google Cloud.
July 29, 2024
Curated Detections has been enhanced with new Cloud Threats detection content: rule packs covering Microsoft Entra ID, Entra ID Audit, and Azure Compute. These rule packs are in public preview for customers with a Google Security Operations or Enterprise Plus license.
July 26, 2024
After July 2025, the Enterprise Insights page and the CBN alerts will no longer be available. Use the Alerts and IOCs page to view the alerts. We recommend that you migrate the existing CBN alerts to the YARA-L detection engine.
July 25, 2024
Google SecOps has updated the list of supported default parsers. Parsers are updated gradually, so it might take one to four days before you see the changes reflected in your region.
The following supported default parsers have changed. Each parser is listed by product name and log_type value, if applicable.
- Airlock Digital Application Allowlisting (AIRLOCK_DIGITAL)
- Akamai SIEM Connector (AKAMAI_SIEM_CONNECTOR)
- Apache (APACHE)
- Arcsight CEF (ARCSIGHT_CEF)
- Arista Switch (ARISTA_SWITCH)
- Aruba (ARUBA_WIRELESS)
- Aruba EdgeConnect SD-WAN (ARUBA_EDGECONNECT_SDWAN)
- Atlassian Confluence (ATLASSIAN_CONFLUENCE)
- Auth0 (AUTH_ZERO)
- AWS CloudTrail (AWS_CLOUDTRAIL)
- AWS Config (AWS_CONFIG)
- Azure AD (AZURE_AD)
- Azure AD Directory Audit (AZURE_AD_AUDIT)
- Azure App Service (AZURE_APP_SERVICE)
- Azure WAF (AZURE_WAF)
- BeyondTrust Endpoint Privilege Management (BEYONDTRUST_ENDPOINT)
- BIND (BIND_DNS)
- BloxOne Threat Defense (BLOXONE)
- Blue Coat Proxy (BLUECOAT_WEBPROXY)
- Broadcom SSL Visibility Appliance (BROADCOM_SSL_VA)
- Cequence Bot Defense (CEQUENCE_BOT_DEFENSE)
- Check Point (CHECKPOINT_FIREWALL)
- Checkpoint Audit (CHECKPOINT_AUDIT)
- Checkpoint SmartDefense (CHECKPOINT_SMARTDEFENSE)
- Cimcor | File Integrity Monitoring (CIMCOR)
- CipherTrust Manager (CIPHERTRUST_MANAGER)
- Cisco ASA (CISCO_ASA_FIREWALL)
- Cisco EStreamer (CISCO_ESTREAMER)
- Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
- Cisco FireSIGHT Management Center (CISCO_FIRESIGHT)
- Cisco Internetwork Operating System (CISCO_IOS)
- Cisco IronPort (CISCO_IRONPORT)
- Cisco Meraki (CISCO_MERAKI)
- Cisco Router (CISCO_ROUTER)
- Cisco Stealthwatch (CISCO_STEALTHWATCH)
- Cisco VPN (CISCO_VPN)
- Citrix Analytics (CITRIX_ANALYTICS)
- Citrix Netscaler (CITRIX_NETSCALER)
- Cloud Audit Logs (N/A)
- Cloud Data Loss Prevention (N/A)
- Cloud Identity Devices (GCP_CLOUDIDENTITY_DEVICES)
- Cloud Load Balancing (GCP_LOADBALANCING)
- Cloud SQL (GCP_CLOUDSQL)
- Cofense (COFENSE_TRIAGE)
- Comforte SecurDPS (COMFORTE_SECURDPS)
- Compute Engine (GCP_COMPUTE)
- Corelight (CORELIGHT)
- Cribl Stream (CRIBL_STREAM)
- CrowdStrike Falcon (CS_EDR)
- CyberArk (CYBERARK)
- DigitalArts i-Filter (DIGITALARTS_IFILTER)
- Duo Auth (DUO_AUTH)
- Duo User Context (DUO_USER_CONTEXT)
- EfficientIP DDI (EFFICIENTIP_DDI)
- Elastic Audit Beats (ELASTIC_AUDITBEAT)
- Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
- Ergon Informatik Airlock IAM (ERGON_INFORMATIK_AIRLOCK_IAM)
- ESET AV (ESET_AV)
- F5 ASM (F5_ASM)
- F5 BIGIP LTM (F5_BIGIP_LTM)
- F5 Shape (F5_SHAPE)
- F5 Silverline (F5_SILVERLINE)
- Fidelis Network (FIDELIS_NETWORK)
- FileZilla (FILEZILLA_FTP)
- Forcepoint Email Security (FORCEPOINT_EMAILSECURITY)
- Forcepoint Proxy (FORCEPOINT_WEBPROXY)
- Forgerock OpenIdM (FORGEROCK_OPENIDM)
- Fortinet FortiAuthenticator (FORTINET_FORTIAUTHENTICATOR)
- Google App Engine (GCP_APP_ENGINE)
- GitHub (GITHUB)
- IBM DataPower Gateway (IBM_DATAPOWER)
- IBM DB2 (DB2_DB)
- IBM Guardium (GUARDIUM)
- IBM Security QRadar SIEM (IBM_QRADAR)
- Imperva Audit Trail (IMPERVA_AUDIT_TRAIL)
- Ingrian Networks DataSecure Appliance (INGRIAN_NETWORKS_DATASECURE_APPLIANCE)
- ION Spectrum (ION_SPECTRUM)
- JAMF Pro (JAMF_PRO)
- Jenkins (JENKINS)
- Juniper Junos (JUNIPER_JUNOS)
- Juniper Mist (JUNIPER_MIST)
- Juniper MX Router (JUNIPER_MX)
- Keeper Enterprise Security (KEEPER)
- Linux Auditing System (AuditD) (AUDITD)
- Linux Sysmon (LINUX_SYSMON)
- Lucid (LUCID)
- Maria Database (MARIA_DB)
- Microsoft AD (WINDOWS_AD)
- Microsoft Azure Activity (AZURE_ACTIVITY)
- Microsoft CyberX (CYBERX)
- Microsoft Defender for Endpoint (MICROSOFT_DEFENDER_ENDPOINT)
- Microsoft Defender for Identity (MICROSOFT_DEFENDER_IDENTITY)
- Microsoft Exchange (EXCHANGE_MAIL)
- Microsoft Graph Activity Logs (MICROSOFT_GRAPH_ACTIVITY_LOGS)
- Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
- Microsoft IIS (IIS)
- Microsoft SQL Server (MICROSOFT_SQL)
- Mimecast URL Logs (MIMECAST_URL_LOGS)
- Netapp Storagegrid (NETAPP_STORAGEGRID)
- Netskope (NETSKOPE_ALERT)
- Netskope Web Proxy (NETSKOPE_WEBPROXY)
- Network Policy Server (MICROSOFT_NPS)
- Noname API Security (NONAME_API_SECURITY)
- Office 365 (OFFICE_365)
- Office 365 Message Trace (OFFICE_365_MESSAGETRACE)
- Okta (OKTA)
- Okta User Context (OKTA_USER_CONTEXT)
- Open LDAP (OPENLDAP)
- Oracle (ORACLE_DB)
- Oracle Cloud Infrastructure Audit Logs (OCI_AUDIT)
- Palo Alto Cortex XDR Alerts (CORTEX_XDR)
- Palo Alto Networks Firewall (PAN_FIREWALL)
- Palo Alto Panorama (PAN_PANORAMA)
- Palo Alto Prisma Cloud Alert payload (PAN_PRISMA_CA)
- Passwordstate (PASSWORDSTATE)
- Ping Identity (PING)
- Portnix CEF (PORTNOX_CEF)
- PostFix Mail (POSTFIX_MAIL)
- Proofpoint Email Filter (PROOFPOINT_MAIL_FILTER)
- Proofpoint Sendmail Sentrion (PROOFPOINT_SENDMAIL_SENTRION)
- Proofpoint Threat Response (PROOFPOINT_TRAP)
- Quest Change Auditor for EMC (QUEST_CHANGE_AUDITOR_EMC)
- Radware Alteon (RADWARE_ALTEON)
- Radware Web Application Firewall (RADWARE_FIREWALL)
- Red Hat Directory Server LDAP (REDHAT_DIRECTORY_SERVER)
- Riverbed Steelhead (STEELHEAD)
- RSA SecurID Access Identity Router (RSA_SECURID)
- Ruckus Networks (RUCKUS_WIRELESS)
- Salesforce (SALESFORCE)
- SentinelOne EDR (SENTINEL_EDR)
- SentinelOne Singularity Cloud Funnel (SENTINELONE_CF)
- SEPPmail Secure Email (SEPPMAIL)
- ServiceNow CMDB (SERVICENOW_CMDB)
- SiteMinder Web Access Management (CA_SSO_WEB)
- Snare System Diagnostic Logs (SNARE_SOLUTIONS)
- Solarwinds Kiwi Syslog Server (SOLARWINDS_KSS)
- SonicWall (SONIC_FIREWALL)
- Sonrai Enterprise Cloud Security Solution (SONRAI)
- Symantec DLP (SYMANTEC_DLP)
- Symantec Endpoint Protection (SEP)
- Symantec VIP Authentication Hub (SYMANTEC_VIP_AUTHHUB)
- Symantec Web Security Service (SYMANTEC_WSS)
- Sysdig (SYSDIG)
- Tableau (TABLEAU)
- Terraform Enterprise Audit (TERRAFORM_ENTERPRISE)
- Thinkst Canary (THINKST_CANARY)
- Thycotic (THYCOTIC)
- Trend Micro (TIPPING_POINT)
- Ubika WAAP (UBIKA_WAAP)
- Ubika Waf (UBIKA_WAF)
- UPX AntiDDoS (UPX_ANTIDDOS)
- Vectra Stream (VECTRA_STREAM)
- Velo Firewall (VELO_FIREWALL)
- VeridiumID by Veridium (VERIDIUM_ID)
- Versa Firewall (VERSA_FIREWALL)
- Virtru Email Encryption (VIRTRU_EMAIL_ENCRYPTION)
- VMware ESXi (VMWARE_ESX)
- VMware NSX (VMWARE_NSX)
- VMware vCenter (VMWARE_VCENTER)
- Windows DNS (WINDOWS_DNS)
- Windows Event (WINEVTLOG)
- Windows Event (XML) (WINEVTLOG_XML)
- Windows Local Administrator Password Solution (MICROSOFT_LAPS)
- Workday (WORKDAY)
- Workspace Activities (WORKSPACE_ACTIVITY)
- Zscaler (ZSCALER_WEBPROXY)
- Zscaler CASB (ZSCALER_CASB)
- Zscaler Internet Access Audit Logs (ZSCALER_INTERNET_ACCESS)
- Zscaler Private Access (ZSCALER_ZPA)
- Zscaler Secure Private Access Audit Logs (ZSCALER_ZPA_AUDIT)
The following log types were added without a default parser. Each parser is listed by product name and log_type
value, if applicable.
- Backstage (BACKSTAGE)
- Bitwarden Password Manager User Context (BITWARDEN_USER_CONTEXT)
- Boomi App (BOOMI_APP)
- ChatGPT Audit Logs (CHATGPT_AUDIT_LOGS)
- Cloudflare Warp (CLOUDFLARE_WARP)
- Coda Io (CODA_IO)
- Fortinet Fortimanager (FORTINET_FORTIMANAGER)
- Fusion Auth (FUSION_AUTH)
- Google Cloud Abuse Events (GCP_ABUSE_EVENTS)
- Google Cloud Monitoring Alerts (GCP_MONITORING_ALERTS)
- Gong (GONG)
- Grafana (GRAFANA)
- IBM Cloud Activity Tracker (IBM_CLOUD_ACTIVITY_TRACKER)
- IBM Cloud System (IBM_CLOUD_SYSTEM)
- Incident Io (INCIDENT_IO)
- Kentik DDoS Detection (KENTIK_ALERTS)
- Lockself Lockpass (LOCKSELF_LOCKPASS)
- Magic Collaboration Studio (MAGIC_CS)
- Metaswitch Perimeta (METASWITCH_PERIMETA)
- Microsoft Defender Endpoint for iOS Logs (MICROSOFT_DEFENDER_ENDPOINT_IOS)
- 9NowAudit (NINENOW_AUDIT)
- Oracle Cloud Guard (OCI_CLOUDGUARD)
- Oort Security Tool (OORT)
- OpsRamp (OPSRAMP)
- Ops Genie (OPS_GENIE)
- People Strong (PEOPLE_STRONG)
- Pingdom (PINGDOM)
- Proofpoint Tap Campaign (PROOFPOINT_TAP_CAMPAIGN)
- Proofpoint Tap Forensics (PROOFPOINT_TAP_FORENSICS)
- Proofpoint Tap People (PROOFPOINT_TAP_PEOPLE)
- Proofpoint Tap Threats (PROOFPOINT_TAP_THREATS)
- Proofpoint Tis IOC (PROOFPOINT_TIS_IOC)
- Push Security (PUSH_SECURITY)
- Recordedfuture Alerts (RECORDEDFUTURE_ALERTS)
- Rippling Activity Logs (RIPPLING_ACTIVITYLOGS)
- Sentry (SENTRY)
- Servertech PDUs (SERVERTECH_PDUS)
- Sprinkledata(DWH) (SPRINKLEDATA_DWH)
- Tenable Audit (TENABLE_AUDIT)
- TINTRI (TINTRI)
- WPass (WPASS)
- WPEngine (WPENGINE)
For a list of supported log types and details about default parser changes, see Supported log types and default parsers.
The Google Security Operations alert metadata fields for UDM, idm.is_significant and idm.is_alert, have been deprecated. Use YARA-L detection rule alerts for alert metadata.
July 18, 2024
When you migrate an existing Google SecOps instance so that it is bound to a Google Cloud project, you can also use auto-generated commands to migrate your existing feature RBAC configuration to IAM permissions and roles. For more information, see Migrate existing permissions to IAM.
July 17, 2024
On December 31, 2024, the managed BigQuery data lake for export will not be accessible to Google SecOps customers except for customers in the Enterprise Plus Tier. Enterprise Plus Tier customers will retain access until a replacement is available. Other customers can use their own BigQuery instance to export telemetry data, a feature currently in preview. For more information, see Configure a data export to BigQuery in a self-managed Google Cloud project.
July 15, 2024
The third-party API feed Symantec Event Export has been discontinued because the Symantec Event Export API was deprecated. To ingest this data, use a Cloud Storage bucket instead. For more information, see Add a feed.
June 26, 2024
You can use the BindPlane agent to collect Windows event logs, query SQL databases, read logs from files, and receive logs using syslog. The agent sends data directly to the Google Security Operations ingestion API or to a Google SecOps forwarder. For more information, see Use the BindPlane agent.
June 24, 2024
You can now configure Cloud Identity or Google Workspace as an identity provider during the Google Security Operations onboarding steps. For more information about onboarding, see Onboarding or migrating a Google Security Operations instance.
During the Google Security Operations onboarding steps, you can now specify identity provider groups that include administrators who configure user access to SOAR-related features. For more information, see Link Google SecOps to Google Cloud services.
June 18, 2024
Google SecOps now integrates with Access Transparency.
If you enabled Access Transparency in your organization, Google SecOps writes Access Transparency logs when any Google personnel accesses customer content that supports SIEM features.
For more information, see enabling Access Transparency and viewing Access Transparency logs.
Google SecOps now supports data RBAC. This feature enables you to control user access to data within your Google SecOps environment based on their assigned roles.
lastAlertStatusChangeTime is added to the response of the GetRule Detection Engine API. This indicates when alertingEnabled was last updated from true to false or from false to true. The field is also added to RuleDeployment of Chronicle API v1 alpha.
June 07, 2024
The syntax for placeholders in UDM saved searches is updated. See Save a search for the new syntax.
May 30, 2024
The following supported default parsers have changed. Each is listed by product name and log_type value, if applicable.
- Abnormal Security (ABNORMAL_SECURITY)
- Akamai DNS (AKAMAI_DNS)
- Akamai WAF (AKAMAI_WAF)
- Apigee (GCP_APIGEE_X)
- Array Networks SSL VPN (ARRAYNETWORKS_VPN)
- AWS CloudFront (AWS_CLOUDFRONT)
- AWS Cloudtrail (AWS_CLOUDTRAIL)
- Azure AD (AZURE_AD)
- Azure AD Directory Audit (AZURE_AD_AUDIT)
- Azure AD Sign-In (AZURE_AD_SIGNIN)
- Barracuda Email (BARRACUDA_EMAIL)
- Barracuda Firewall (BARRACUDA_FIREWALL)
- Blue Coat Proxy (BLUECOAT_WEBPROXY)
- BMC AMI Defender (BMC_AMI_DEFENDER)
- Carbon Black (CB_EDR)
- Check Point (CHECKPOINT_FIREWALL)
- Check Point Sandblast (CHECKPOINT_EDR)
- Checkpoint Audit (CHECKPOINT_AUDIT)
- Cisco AMP (CISCO_AMP)
- Cisco EStreamer (CISCO_ESTREAMER)
- Cisco FireSIGHT Management Center (CISCO_FIRESIGHT)
- Cisco ISE (CISCO_ISE)
- Cisco Router (CISCO_ROUTER)
- Cisco Switch (CISCO_SWITCH)
- Cisco Umbrella DNS (UMBRELLA_DNS)
- Cisco VPN (CISCO_VPN)
- Cisco WLC/WCS (CISCO_WIRELESS)
- Citrix Netscaler (CITRIX_NETSCALER)
- Cloud Audit Logs (N/A)
- Cloud SQL (GCP_CLOUDSQL)
- Cloud Storage Context (N/A)
- Cohesity (COHESITY)
- CrowdStrike Falcon (CS_EDR)
- CyberArk Privileged Access Manager (PAM) (CYBERARK_PAM)
- ESET AV (ESET_AV)
- F5 ASM (F5_ASM)
- F5 BIGIP LTM (F5_BIGIP_LTM)
- F5 VPN (F5_VPN)
- Forcepoint DLP (FORCEPOINT_DLP)
- FortiGate (FORTINET_FIREWALL)
- GMAIL Logs (GMAIL_LOGS)
- HID DigitalPersona (HID_DIGITALPERSONA)
- Honeyd (HONEYD)
- HP Aruba (ClearPass) (CLEARPASS)
- IBM AS/400 (IBM_AS400)
- IBM DS8000 Storage (IBM_DS8000)
- IBM Security Verify (IBM_SECURITY_VERIFY)
- Infoblox (INFOBLOX)
- Island Browser logs (ISLAND_BROWSER)
- JAMF CMDB (JAMF)
- JumpCloud Directory Insights (JUMPCLOUD_DIRECTORY_INSIGHTS)
- Juniper Mist (JUNIPER_MIST)
- Kubernetes Node (KUBERNETES_NODE)
- Linux Auditing System (AuditD) (AUDITD)
- ManageEngine ADAudit Plus (ADAUDIT_PLUS)
- Microsoft AD FS (ADFS)
- Microsoft Azure Activity (AZURE_ACTIVITY)
- Microsoft Azure Resource (AZURE_RESOURCE_LOGS)
- Microsoft CyberX (CYBERX)
- Microsoft Defender for Endpoint (MICROSOFT_DEFENDER_ENDPOINT)
- Microsoft Graph Activity Logs (MICROSOFT_GRAPH_ACTIVITY_LOGS)
- Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
- Microsoft SQL Server (MICROSOFT_SQL)
- Mikrotik Router (MIKROTIK_ROUTER)
- NetDocuments Solutions (NETDOCUMENTS)
- Netwrix (NETWRIX)
- Office 365 (OFFICE_365)
- Office 365 Message Trace (OFFICE_365_MESSAGETRACE)
- Okta (OKTA)
- OneLogin (ONELOGIN_SSO)
- Opengear Remote Management (OPENGEAR)
- Palo Alto Networks Firewall (PAN_FIREWALL)
- pfSense (PFSENSE)
- PostFix Mail (POSTFIX_MAIL)
- Proofpoint Sendmail Sentrion (PROOFPOINT_SENDMAIL_SENTRION)
- Proofpoint Tap Alerts (PROOFPOINT_MAIL)
- Pulse Secure (PULSE_SECURE_VPN)
- Qumulo FS (QUMULO_FS)
- Rapid7 (RAPID7_NEXPOSE)
- Rapid7 Insight (RAPID7_INSIGHT)
- Rubrik Polaris (RUBRIK_POLARIS)
- SailPoint IAM (SAILPOINT_IAM)
- SAP SuccessFactors (SAP_SUCCESSFACTORS)
- Semperis DSP (SEMPERIS_DSP)
- Sentinelone Alerts (SENTINELONE_ALERT)
- SentinelOne EDR (SENTINEL_EDR)
- Signal Sciences WAF (SIGNAL_SCIENCES_WAF)
- Snare System Diagnostic Logs (SNARE_SOLUTIONS)
- SonicWall (SONIC_FIREWALL)
- Sophos Central (SOPHOS_CENTRAL)
- Sophos UTM (SOPHOS_UTM)
- Spur data feeds (SPUR_FEEDS)
- Suricata EVE (SURICATA_EVE)
- Symantec DLP (SYMANTEC_DLP)
- Symantec Endpoint Protection (SEP)
- Symantec VIP Authentication Hub (SYMANTEC_VIP_AUTHHUB)
- Tanium Audit (TANIUM_AUDIT)
- Thinkst Canary (THINKST_CANARY)
- Trend Micro Vision One (TRENDMICRO_VISION_ONE)
- Twingate (TWINGATE)
- Unix system (NIX_SYSTEM)
- Vectra Detect (VECTRA_DETECT)
- Veeam (VEEAM)
- Verba Recording System (VERBA_REC)
- VeridiumID by Veridium (VERIDIUM_ID)
- VMware ESXi (VMWARE_ESX)
- Windows Defender ATP (WINDOWS_DEFENDER_ATP)
- Windows DNS (WINDOWS_DNS)
- Windows Event (WINEVTLOG)
- Windows Event (XML) (WINEVTLOG_XML)
- Winscp (WINSCP)
- WordPress (WORDPRESS_CMS)
- Workspace Activities (WORKSPACE_ACTIVITY)
- Zeek TSV (BRO_TSV)
- Zix Email Encryption (ZIX_EMAIL_ENCRYPTION)
- Zscaler (ZSCALER_WEBPROXY)
- ZScaler DNS (ZSCALER_DNS)
- Zscaler Private Access (ZSCALER_ZPA)
The following log types, without a default parser, were added. Each is listed by product name and log_type value, if applicable.
- Akamai Log Delivery Service (AKAMAI_LDS)
- AudioCodes Voice DNA (AUDIOCODES)
- Amazon API Gateway (AWS_API_GATEWAY)
- Axway (AXWAY)
- Biztalk (BIZTALK)
- Check Point FDE (CHECKPOINT_FDE)
- Cimcor | File Integrity Monitoring (CIMCOR)
- CS Alerts (CS_ALERTS)
- Custom CSV Log (CUSTOM_CSV_LOG)
- Cyral (CYRAL)
- Druva (DRUVA)
- Entrust DataControl Audit (ENTR_DATACTRL_AUDIT)
- Ergon Informatik Airlock IAM (ERGON_INFORMATIK_AIRLOCK_IAM)
- Eset Protect Platform (ESET_PROTECT_PLATFORM)
- Exim Internet Mailer (EXIM_INTERNET_MAILER)
- FM Systems Workplace Management (FM_SYSTEMS)
- GluWare Network Automation (GLUWARE_NETWORK_AUTOMATION)
- Guidewire Billing Center (GUIDEWIRE_BILLING_CENTER)
- Guidewire Claim Center (GUIDEWIRE_CLAIM_CENTER)
- Guidewire Policy Center (GUIDEWIRE_POLICY_CENTER)
- HAVI Connect (HAVI_CONNECT)
- IBM OpenPages (IBM_OPENPAGES)
- Ingrian Networks DataSecure Appliance (INGRIAN_NETWORKS_DATASECURE_APPLIANCE)
- iSecurity | Security Services and Remediation (ISECURITY)
- iTop (ITOP)
- Microsoft Defender for Office 365 (MICROSOFT_DEFENDER_MAIL)
- Microsoft Graph Risky Users (MICROSOFT_GRAPH_RISKY_USERS)
- NetApp BlueXP (NETAPP_BLUEXP)
- Netgate Firewall (NETGATE_FIREWALL)
- 1KOSMOS | Identity and Authentication (ONEKOSMOS)
- Palo Alto Global Protect SVC (PAN_GPSVC)
- Palo Alto SSLVPN Access (PAN_SSLVPN_ACCESS)
- Palo Alto Telemetry (PAN_TELEMETRY)
- Proofpoint Endpoint Data Loss Prevention (PROOFPOINT_ENDPOINT_DLP)
- SAP ERP (SAP_ERP)
- Ubika WAAP (UBIKA_WAAP)
- Webroot Endpoint Protection (WEBROOT)
- Wolters Kluwer Teammate (WOLTERS_KLUWER_TEAMMATE)
- Xirrus Wireless Controller (XIRRUS)
For a list of supported log types and details about default parser changes, see Supported log types and default parsers.
May 22, 2024
Enhanced the existing curated detections for AWS rule sets in the Cloud Threats category to add 40 new detections. These new rules, added to existing rule sets, expand the coverage and are designed to identify tactics and techniques commonly employed by malicious actors that use popular open source offensive security tools against AWS resources.
May 14, 2024
Google SecOps now supports the following functions in Detection Engine rules:
- fingerprint
- sample_rate
For more information about these functions, see YARA-L 2.0 language syntax.
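Both functions are hash-based: fingerprint derives a stable digest from a field value, and sample_rate takes a field value and a rate denominator to keep a consistent subset of events. The release note does not describe the functions' internals, so the Python below is an added illustration of the general technique (hash-keyed deterministic sampling), not YARA-L and not Google code. The point it shows is why keying the sample on a field matters for detection: every event for a given hostname is kept or dropped together, whereas random sampling at the same rate scatters a host's events. The event records are constructed, and the hashing scheme (SHA-256 reduced modulo the denominator) is an assumption of this example, not the platform's algorithm.

```python
import hashlib
import random
from collections import defaultdict
from typing import Iterable, List

# Constructed UDM-like events: seven hypothetical hosts, thirty events each.
EVENTS = [
    {"principal": {"hostname": f"host-{i % 7:02d}.corp.example"}, "seq": i}
    for i in range(210)
]


def fingerprint(value: str) -> str:
    """Stable hex digest of a field value (stand-in for a fingerprint-style hash)."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def sample_rate(value: str, denominator: int) -> bool:
    """Deterministic 1-in-N selection keyed on the value's fingerprint.

    The same value always gets the same answer, so every event carrying that
    value is either kept or dropped together.
    """
    if denominator < 1:
        raise ValueError("denominator must be >= 1")
    return int(fingerprint(value), 16) % denominator == 0


def keyed_sample(events: Iterable[dict], denominator: int) -> List[dict]:
    """Keep events whose principal.hostname falls in the sampled residue class."""
    return [e for e in events if sample_rate(e["principal"]["hostname"], denominator)]


def random_sample(events: Iterable[dict], denominator: int, seed: int = 1) -> List[dict]:
    """Plain random 1-in-N sampling, for contrast (fixed seed so runs are repeatable)."""
    rng = random.Random(seed)
    return [e for e in events if rng.randrange(denominator) == 0]


def hosts_split(events: List[dict], sampled: List[dict]) -> List[str]:
    """Hostnames that were only partially kept; empty for keyed sampling."""
    total = defaultdict(int)
    kept = defaultdict(int)
    for e in events:
        total[e["principal"]["hostname"]] += 1
    for e in sampled:
        kept[e["principal"]["hostname"]] += 1
    return sorted(h for h, n in total.items() if 0 < kept[h] < n)


if __name__ == "__main__":
    keyed = keyed_sample(EVENTS, 3)
    rnd = random_sample(EVENTS, 3)
    print(f"keyed:  kept {len(keyed)} events, partially kept hosts: {hosts_split(EVENTS, keyed)}")
    print(f"random: kept {len(rnd)} events, partially kept hosts: {hosts_split(EVENTS, rnd)}")
```

The keyed sample never reports a partially kept host, while the random sample at the same rate splits almost every host; that is the property to look for when sampling high-volume sources for a rule, because a detection that needs several events from the same entity cannot fire on a scattered subset.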
May 08, 2024
When Applied Threat Intelligence is enabled, it ingests IOCs curated by Mandiant Threat Intelligence with an IC-Score greater than 80 and generates an alert when a match is found.
May 06, 2024
Gemini for investigation assistance
Gemini for investigation assistance can now support you with the following:
- Search: Gemini can help you build, edit, and run searches targeted toward relevant events using natural language prompts.
- Search summaries: Gemini can automatically summarize search results after every search and subsequent filter action. Gemini can also answer contextual follow-up questions about the summaries it provides.
- Rule generation: Gemini can create new YARA-L rules from the UDM search queries it generates.
- Security questions and threat intelligence analysis: Gemini can answer general security domain questions and specific threat intelligence questions. Gemini can provide summaries about threat actors, IOCs, and other threat intelligence topics.
- Incident remediation: Based on the event information returned, Gemini can suggest follow-on steps.
For more information, see Use Gemini to investigate security issues.
May 02, 2024
The following supported default parsers have changed. Each is listed by product name and log_type value, if applicable.
- AIX system (AIX_SYSTEM)
- Arcsight CEF (ARCSIGHT_CEF)
- Arista Switch (ARISTA_SWITCH)
- Aruba (ARUBA_WIRELESS)
- Aruba Switch (ARUBA_SWITCH)
- Attivo Networks (ATTIVO)
- AWS Cloudtrail (AWS_CLOUDTRAIL)
- AWS Control Tower (AWS_CONTROL_TOWER)
- AWS Elastic Load Balancer (AWS_ELB)
- AWS WAF (AWS_WAF)
- Azure AD (AZURE_AD)
- Azure AD Directory Audit (AZURE_AD_AUDIT)
- Azure AD Organizational Context (AZURE_AD_CONTEXT)
- Azure Application Gateway (AZURE_GATEWAY)
- Azure Storage Audit (AZURE_STORAGE_AUDIT)
- Azure WAF (AZURE_WAF)
- Barracuda Firewall (BARRACUDA_FIREWALL)
- BeyondTrust Endpoint Privilege Management (BEYONDTRUST_ENDPOINT)
- BigQuery (N/A)
- Blue Coat Proxy (BLUECOAT_WEBPROXY)
- Brocade Switch (BROCADE_SWITCH)
- Check Point (CHECKPOINT_FIREWALL)
- Cisco ASA (CISCO_ASA_FIREWALL)
- Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
- Cisco FireSIGHT Management Center (CISCO_FIRESIGHT)
- Cisco Internetwork Operating System (CISCO_IOS)
- Cisco ISE (CISCO_ISE)
- Cisco Meraki (CISCO_MERAKI)
- Cisco VPN (CISCO_VPN)
- Cisco WLC/WCS (CISCO_WIRELESS)
- Citrix Netscaler (CITRIX_NETSCALER)
- Claroty Enterprise Management Console (CLAROTY_EMC)
- Cloud Audit Logs (N/A)
- Cloud Intrusion Detection System (GCP_IDS)
- Corelight (CORELIGHT)
- CrowdStrike Detection Monitoring (CS_DETECTS)
- CrowdStrike Falcon (CS_EDR)
- CyberArk (CYBERARK)
- Cyberark Privilege Cloud (CYBERARK_PRIVILEGE_CLOUD)
- Cybergatekeeper NAC (CYBERGATEKEEPER_NAC)
- Darktrace (DARKTRACE)
- Dell ECS Enterprise Object Storage (DELL_ECS)
- Dell Switch (DELL_SWITCH)
- Elastic Packet Beats (ELASTIC_PACKETBEATS)
- ESET (ESET_EDR)
- ESET AV (ESET_AV)
- F5 Advanced Firewall Management (F5_AFM)
- F5 ASM (F5_ASM)
- F5 BIGIP LTM (F5_BIGIP_LTM)
- FireEye HX (FIREEYE_HX)
- FireEye NX Audit (FIREEYE_NX_AUDIT)
- Firewall Rule Logging (N/A)
- Forcepoint DLP (FORCEPOINT_DLP)
- Forescout NAC (FORESCOUT_NAC)
- Forgerock OpenIdM (FORGEROCK_OPENIDM)
- FortiGate (FORTINET_FIREWALL)
- Fortinet FortiAnalyzer (FORTINET_FORTIANALYZER)
- Fortra Powertech SIEM Agent (FORTRA_POWERTECH_SIEM_AGENT)
- Cloud NAT (N/A)
- GCP_SWP (GCP_SWP)
- Gitlab (GITLAB)
- GMAIL Logs (GMAIL_LOGS)
- GMV Checker ATM Security (GMV_CHECKER)
- Guardicore Centra (GUARDICORE_CENTRA)
- HPE BladeSystem C7000 (HPE_BLADESYSTEM_C7000)
- HYPR MFA (HYPR_MFA)
- IBM AS/400 (IBM_AS400)
- IBM DS8000 Storage (IBM_DS8000)
- IBM Guardium (GUARDIUM)
- IBM Tape Storages (IBM_LTO)
- IBM Tivoli (IBM_TIVOLI)
- IBM-i Operating System (IBM_I)
- Illumio Core (ILLUMIO_CORE)
- Imperva (IMPERVA_WAF)
- Imperva Advanced Bot Protection (IMPERVA_ABP)
- Imperva SecureSphere Management (IMPERVA_SECURESPHERE)
- Infoblox (INFOBLOX)
- ION Spectrum (ION_SPECTRUM)
- Ipswitch MOVEit Transfer (IPSWITCH_MOVEIT_TRANSFER)
- Jamf Protect Alerts (JAMF_PROTECT)
- Jamf Protect Telemetry (JAMF_TELEMETRY)
- Juniper Junos (JUNIPER_JUNOS)
- Juniper MX Router (JUNIPER_MX)
- Kubernetes Node (KUBERNETES_NODE)
- LastPass Password Management (LASTPASS)
- Linux Auditing System (AuditD) (AUDITD)
- McAfee Enterprise Security Manager (MCAFEE_ESM)
- Medigate IoT (MEDIGATE_IOT)
- Microsoft AD (WINDOWS_AD)
- Microsoft Azure Activity (AZURE_ACTIVITY)
- Microsoft Defender for Endpoint (MICROSOFT_DEFENDER_ENDPOINT)
- Microsoft Defender for Identity (MICROSOFT_DEFENDER_IDENTITY)
- Microsoft Exchange (EXCHANGE_MAIL)
- Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
- Microsoft IAS Server (MICROSOFT_IAS)
- Microsoft Intune (AZURE_MDM_INTUNE)
- Microsoft SQL Server (MICROSOFT_SQL)
- Mongo Database (MONGO_DB)
- Netscout Arbor Sightline (ARBOR_SIGHTLINE)
- Netskope Web Proxy (NETSKOPE_WEBPROXY)
- NGFW Enterprise (GCP_NGFW_ENTERPRISE)
- Office 365 (OFFICE_365)
- Office 365 Message Trace (OFFICE_365_MESSAGETRACE)
- Opengear Remote Management (OPENGEAR)
- Oracle (ORACLE_DB)
- OSQuery (OSQUERY_EDR)
- OSSEC (OSSEC)
- Palo Alto Cortex XDR Alerts (CORTEX_XDR)
- Palo Alto Networks Firewall (PAN_FIREWALL)
- Palo Alto Prisma Cloud (PAN_PRISMA_CLOUD)
- PerimeterX Bot Protection (PERIMETERX_BOT_PROTECTION)
- Phishlabs (PHISHLABS)
- Proofpoint Tap Alerts (PROOFPOINT_MAIL)
- Pulse Secure (PULSE_SECURE_VPN)
- Riverbed Steelhead (STEELHEAD)
- RSA SecurID Access Identity Router (RSA_SECURID)
- SAP SM20 (SAP_SM20)
- SAP SuccessFactors (SAP_SUCCESSFACTORS)
- SAP Webdispatcher (SAP_WEBDISP)
- Security Command Center Posture Violation (GCP_SECURITYCENTER_POSTURE_VIOLATION)
- Security Command Center Threat (N/A)
- Security Command Center Toxic Combination (GCP_SECURITYCENTER_TOXIC_COMBINATION)
- Sentinelone Alerts (SENTINELONE_ALERT)
- SentinelOne EDR (SENTINEL_EDR)
- SentinelOne Singularity Cloud Funnel (SENTINELONE_CF)
- Snare System Diagnostic Logs (SNARE_SOLUTIONS)
- Solaris system (SOLARIS_SYSTEM)
- SonicWall (SONIC_FIREWALL)
- Sonicwall Secure Mobile Access (SONICWALL_SMA)
- Splunk Platform (SPLUNK)
- Squid Web Proxy (SQUID_WEBPROXY)
- Suricata EVE (SURICATA_EVE)
- Suricata IDS (SURICATA_IDS)
- Swift Alliance Messaging Hub (SWIFT_AMH)
- Symantec CloudSOC CASB (SYMANTEC_CASB)
- Symantec DLP (SYMANTEC_DLP)
- Tenable OT (TENABLE_OT)
- Tetragon Ebpf Audit Logs (TETRAGON_EBPF_AUDIT_LOGS)
- Trellix HX Event Streamer (TRELLIX_HX_ES)
- Trend Micro (TIPPING_POINT)
- Trend Micro Cloud one (TRENDMICRO_CLOUDONE)
- Trend Micro Deep Security (TRENDMICRO_DEEP_SECURITY)
- TrendMicro Apex Central (TRENDMICRO_APEX_CENTRAL)
- TrendMicro Web Proxy (TRENDMICRO_WEBPROXY)
- Unifi AP (UNIFI_AP)
- Unix system (NIX_SYSTEM)
- Vectra Detect (VECTRA_DETECT)
- VeridiumID by Veridium (VERIDIUM_ID)
- VPC Flow Logs (GCP_VPC_FLOW)
- Windows Defender ATP (WINDOWS_DEFENDER_ATP)
- Windows DNS (WINDOWS_DNS)
- Windows Event (WINEVTLOG)
- Windows Event (XML) (WINEVTLOG_XML)
- Windows Network Policy Server (WINDOWS_NET_POLICY_SERVER)
- Windows Sysmon (WINDOWS_SYSMON)
- Workspace Activities (WORKSPACE_ACTIVITY)
- Workspace Alerts (WORKSPACE_ALERTS)
- Workspace ChromeOS Devices (WORKSPACE_CHROMEOS)
- Workspace Groups (WORKSPACE_GROUPS)
- Workspace Mobile Devices (WORKSPACE_MOBILE)
- Workspace Privileges (WORKSPACE_PRIVILEGES)
- Workspace Users (WORKSPACE_USERS)
- YAMAHA ROUTER RTX1200 (YAMAHA_ROUTER)
- Zeek JSON (BRO_JSON)
- Zimperium (ZIMPERIUM)
- Zscaler (ZSCALER_WEBPROXY)
- Zscaler CASB (ZSCALER_CASB)
- ZScaler NGFW (ZSCALER_FIREWALL)
The following log types, without a default parser, were added. Each is listed by product name and log_type value, if applicable.
- Adaxes (ADAXES)
- Air Table (AIR_TABLE)
- Alert Enterprise Guardian (ALERT_GUARDIAN)
- Amavis (AMAVIS)
- Atlassian Beacon (ATLASSIAN_BEACON)
- Banner dd (BANNER_DD)
- BetterStack Uptime (BETTERSTACK_UPTIME)
- BloodHound (BLOODHOUND)
- Core Privileged Access Manager (BoKS) (BOKS)
- Cisco Secure Access (CISCO_SECURE_ACCESS)
- Cleafy (CLEAFY)
- Clear Bank Portal Audit (CLEARBANK_PORTAL)
- CloudBees (CLOUDBEES)
- Comforte SecurDPS (COMFORTE_SECURDPS)
- Control Plane (CONTROL_PLANE)
- Corrata (CORRATA)
- Cubist Audit (CUBIST_AUDIT)
- C Zentrix (C_ZENTRIX)
- DefectDojo (DEFECTDOJO)
- Dmarcian (DMARCIAN)
- DocuSign (DOCUSIGN)
- Duo Activity Logs (DUO_ACTIVITY)
- E2 Guardian (E2_GUARDIAN)
- Egress Defend (EGRESS_DEFEND)
- Egress Prevent (EGRESS_PREVENT)
- Emsisoft AntiVirus (EMSISOFT_ANTIVIRUS)
- F5 System Logs (F5_SYSTEM_LOGS)
- Fastly CDN (FASTLY_CDN)
- FireEye CMS (FIREEYE_CMS)
- Forcepoint Mail Relay (FORCEPOINT_MAIL_RELAY)
- Google Ads (GOOGLE_ADS)
- H3C Comware Platform Switch
- Halcyon Anti Ransomware (HALCYON)
- Halo (HALO)
- HP Poly (HP_POLY)
- Huawei CloudEngine (HUAWEI_CLOUDENGINE)
- Intruder.IO (INTRUDER_IO)
- Ivanti Connect Secure (IVANTI_CONNECT_SECURE)
- Keyfactor (KEYFACTOR)
- Kyverno (KYVERNO)
- LaunchDarkly (LAUNCH_DARKLY)
- LeanIX Enterprise (LEANIX)
- Leanix CMDB (LEANIX_CMDB)
- Lucid (LUCID)
- Lumeta Spectre (LUMETA)
- ManageEngine Asset Explorer (MANAGE_ENGINE_ASSET_EXPLR)
- ManageEngine Endpoint Central (MANAGE_ENGINE_ENDPT_CNTRL)
- Mandiant Digital Threat Monitoring (MANDIANT_DTM_ALERTS)
- Manhattan Warehouse Management System (MANHATTAN_WMS)
- Mend IO (MEND_IO)
- Meta Marketing (META_MARKETING)
- Miasma SecretScanner (MIASMA_SECRETSCANNER)
- Microsoft Ads (MICROSOFT_ADS)
- Microsoft Purview (MICROSOFT_PURVIEW)
- ModSecurity (MODSECURITY)
- Netapp Storagegrid (NETAPP_STORAGEGRID)
- NetBrain (NETBRAIN)
- Netenrich Entity Context (NETENRICH_ENTITY_CONTEXT)
- Netwrix Activity Monitor (NETWRIX_ACTIVITY_MONITOR)
- Netwrix Stealth Intercept (NETWRIX_STEALTH_INTERCEPT)
- Netwrix Threat Manager (NETWRIX_THREAT_MANAGER)
- Nexus Sonatype (NEXUS_SONATYPE)
- Oracle Fusion (ORACLE_FUSION)
- PAGELY (PAGELY)
- Palantir (PALANTIR)
- Proofpoint Meta (PROOFPOINT_META)
- Qumulo FS (QUMULO_FS)
- Radware Alteon (RADWARE_ALTEON)
- SailPoint IdentityIQ (SAILPOINT_IIQ)
- Sentinelone Activity (SENTINELONE_ACTIVITY)
- Siga Level Zero OT Resilience (SIGA)
- Site24x7 (SITE24X7)
- Winevtlog Snare (SNARE_WINEVTLOG)
- Solar System (SOLAR_SYSTEM)
- Stealthbits DLP (STEALTHBITS_DLP)
- Symantec VIP Authentication Hub (SYMANTEC_VIP_AUTHHUB)
- Temenos Journey Manager System Event Publisher (TEMENOS_MANAGER_SYSTEMEVENT)
- Teradata Aster (TERADATA_ASTER)
- Tiktok for Developers (TIKTOK)
- Transmit BindID (TRANSMIT_BINDID)
- Trend Micro Vision One Audit (TRENDMICRO_VISION_ONE_AUDIT)
- Trend Micro Vision One Observed Attack Techniques (TRENDMICRO_VISION_ONE_OBSERVERD_ATTACK_TECHNIQUES)
- Trend Micro Vision One Workbench (TRENDMICRO_VISION_ONE_WORKBENCH)
- TrueNAS (TRUENAS)
- E-Motional Transparent Screen Lock TSL RFID (TSL_PRO)
- UPX AntiDDoS (UPX_ANTIDDOS)
- Verba Recording System (VERBA_REC)
- Vercara (VERCARA)
- Veza Access Control Platform (VEZA)
- Web Methods Api Gateway (WEBMETHODS_API_GATEWAY)
For a list of supported log types and details about default parser changes, see Supported log types and default parsers.
April 26, 2024
The feed management feature is now enhanced to include the following:
- Feed names: You can assign custom names to new and existing data feeds.
- Troubleshooting information: You can diagnose error feeds by accessing detailed information about the cause of an issue and recommended actions.
- Last succeeded time: Stay informed about the status of a feed, with a timestamp identifying when data was last successfully fetched by each feed.
You can now set up feeds to push logs using an HTTPS endpoint by using either the feed management user interface or the feed management API. You can use the following feed management source types to set up ingestion using an HTTPS endpoint:
- Amazon Data Firehose
- Google Cloud Pub/Sub
- Webhooks
You can also generate a secret key and API key to authenticate feeds that use Amazon Data Firehose and webhooks as the feed source type.
April 22, 2024
The ingestion_stats table in BigQuery is deprecated and will no longer be updated after May 15, 2024. We recommend that you use the Chronicle ingestion_metrics table in BigQuery, which provides more accurate ingestion metrics.
The ingestion alerting system using Chronicle has been deprecated. This system will no longer be updated, and no alerts will be sent from this system after September 01, 2024. We recommend that you use the Cloud Monitoring integration which provides more flexibility in alert logic, alert workflow, and integration with third-party ticketing systems.
April 15, 2024
The following labels fields for UDM nouns are deprecated and will not appear in search results after November 29, 2024: about.labels, intermediary.labels, observer.labels, principal.labels, src.labels, security_result.about.labels, and target.labels. For existing parsers, the log fields mapped to these deprecated labels fields are also mapped as key/value pairs into the corresponding additional.fields UDM field. New parsers map them only to the key/value pairs in additional.fields, not to the deprecated labels fields. We recommend that you update existing rules to reference the key/value pairs in additional.fields instead of the deprecated labels fields.
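A practical check before November 29, 2024 is to find events in which a rule-relevant key exists only under a deprecated labels path and has no twin under additional.fields, because rules that read the key from labels will stop matching once those fields disappear. The Python below is an added example, not Google code: it models the JSON shape of UDM events (assuming, as this example does, that labels serializes as a list of key/value objects and additional.fields, a protobuf Struct, as a JSON object), reads a key the migrated way with a legacy fallback, reports which deprecated paths an event still depends on, and shows a rule condition written only against additional.fields. The three events and the finance_login condition are constructed for illustration.

```python
import json
from typing import Any, Dict, List

# Deprecated UDM label paths named in the release note.
DEPRECATED_LABEL_NOUNS = [
    "about", "intermediary", "observer", "principal", "src",
    "security_result.about", "target",
]

# Constructed events (not real telemetry). Assumed JSON shapes: labels is a list
# of {"key", "value"} objects; additional.fields (a protobuf Struct) is an object.
LEGACY_EVENT = json.loads("""{
  "metadata": {"event_type": "USER_LOGIN"},
  "principal": {"user": {"userid": "alice"},
                "labels": [{"key": "department", "value": "finance"}]},
  "security_result": [{"about": {"labels": [{"key": "policy", "value": "mfa-required"}]}}]
}""")

MIGRATED_EVENT = json.loads("""{
  "metadata": {"event_type": "USER_LOGIN"},
  "principal": {"user": {"userid": "bob"},
                "labels": [{"key": "department", "value": "finance"}],
                "additional": {"fields": {"department": "finance"}}},
  "security_result": [{"about": {"additional": {"fields": {"policy": "mfa-required"}}}}]
}""")

NEW_PARSER_EVENT = json.loads("""{
  "metadata": {"event_type": "USER_LOGIN"},
  "principal": {"user": {"userid": "carol"},
                "additional": {"fields": {"department": "engineering"}}}
}""")


def _nouns_at(event: Dict[str, Any], path: str) -> List[Dict[str, Any]]:
    """Resolve a dotted noun path; repeated fields (security_result) yield several nouns."""
    nodes: List[Any] = [event]
    for part in path.split("."):
        next_nodes: List[Any] = []
        for node in nodes:
            child = node.get(part) if isinstance(node, dict) else None
            if isinstance(child, list):
                next_nodes.extend(c for c in child if isinstance(c, dict))
            elif isinstance(child, dict):
                next_nodes.append(child)
        nodes = next_nodes
    return nodes


def get_field(noun: Dict[str, Any], key: str):
    """Read a custom key the migrated way, with a fallback to legacy labels."""
    fields = noun.get("additional", {}).get("fields", {})
    if key in fields:
        return fields[key]
    for label in noun.get("labels", []):  # legacy path: gone after 2024-11-29
        if label.get("key") == key:
            return label.get("value")
    return None


def unmigrated_keys(event: Dict[str, Any]) -> Dict[str, List[str]]:
    """Map each deprecated noun path to label keys that have no additional.fields twin."""
    report: Dict[str, List[str]] = {}
    for path in DEPRECATED_LABEL_NOUNS:
        for noun in _nouns_at(event, path):
            fields = noun.get("additional", {}).get("fields", {})
            missing = sorted({lb.get("key") for lb in noun.get("labels", [])
                              if lb.get("key") not in fields})
            if missing:
                report.setdefault(path, []).extend(missing)
    return report


def finance_login(event: Dict[str, Any]) -> bool:
    """Hypothetical rule condition written against additional.fields only."""
    principal = event.get("principal", {})
    department = principal.get("additional", {}).get("fields", {}).get("department")
    return event.get("metadata", {}).get("event_type") == "USER_LOGIN" and department == "finance"


if __name__ == "__main__":
    for name, ev in [("legacy", LEGACY_EVENT), ("migrated", MIGRATED_EVENT), ("new", NEW_PARSER_EVENT)]:
        print(f"{name}: unmigrated={unmigrated_keys(ev)} finance_login={finance_login(ev)}")
```

Running unmigrated_keys over a sample of recent events for each log type tells you which parsers still write only to labels; the legacy event above fails the migrated rule even though it carries the same department value, which is exactly the gap that appears once the labels fields stop being searchable.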
April 03, 2024
Curated Detections has been enhanced with new detection content for Cloud Threats category. These new rule sets identify threats in AWS environments and are generally available to customers with a Chronicle Security Operations Enterprise and Enterprise Plus license.
April 02, 2024
On or after May 1, 2024, to improve enrichment quality, the enrichment process for telemetry events and entities will prioritize values set by parsers over values from aliases in unenriched events. If a parser does not set a value, the enrichment process will set the enriched value from aliases.
March 29, 2024
Chronicle now supports direct ingestion and parsing of Google Cloud Next Generation Firewall (NGFW) Enterprise logs.
March 25, 2024
Chronicle Applied Threat Intelligence helps you identify and respond to threats. When enabled, it ingests IOCs curated by Mandiant Threat Intelligence with an IC-Score greater than 80 and generates an error when a match is found. The following are some of the features of Applied Threat Intelligence.
Event-level enrichment: All telemetry in Chronicle is enriched with Google Threat Intelligence, which combines Mandiant and VirusTotal intelligence, including all threat intelligence associations such as campaigns and actors.
Sophisticated indicator matching: Curated out-of-the-box detections that deliver sophisticated indicator matching using augmented prioritization logic, noise reduction based on customer environment context, and other correlation techniques to maximize signal to noise.
Active breach alerting: Uses Mandiant's incident response intelligence to alert on potential active breaches delivering on our no patient 1 vision.
Curated behavioral detections for emerging threats: To protect against newly emerging risks and tactics, techniques, and procedures (TTPs), Applied Threat Intelligence uses real-time insights.
DIY detection engineering and response automation: Access to Fusion intelligence (formerly known as Mandiant Fusion) for the following.
- Customer authoring of rules
- Customer development of response playbooks
Curated views for investigation and triage insights: Applied Threat Intelligence provides curated views that show associations between an indicator and a threat actor, threat campaign, or malware, along with statistics about the threat as observed in customer environments. These views are valuable for all security operations workflows.
For more information about Applied Threat Intelligence, see Applied Threat Intelligence overview.
This note incorrectly states that an error is generated when an IOC match is found. See the entry for May 8, 2024 for the updated statement.
March 22, 2024
Chronicle has added a new rule set to Cloud Threat Detections, called Serverless Threats, that detects activity associated with potential compromise or abuse of serverless resources in Google Cloud, such as Cloud Run and Cloud Functions.
Chronicle now supports direct ingestion and parsing of reCAPTCHA Enterprise logs from Google Cloud.
March 20, 2024
There is no longer a limit on the number of feeds you can create for the same log type in Feed Management.
March 15, 2024
Chronicle has expanded Cloud Threat Detections to create a detection when findings from Security Command Center Event Threat Detection, Cloud Armor, Sensitive Actions Service, and custom modules for Event Threat Detection are identified. These detections are available through the following rule sets: CDIR SCC Cloud IDS, CDIR SCC Cloud Armor, CDIR SCC Impact, CDIR SCC Enhanced Persistence, CDIR SCC Enhanced Defense Evasion, and CDIR SCC Custom Module.
March 14, 2024
The following supported default parsers have changed. Each is listed by product name and log_type value, if applicable.
- Akamai WAF (AKAMAI_WAF)
- Alcatel Switch (ALCATEL_SWITCH)
- Arcsight CEF (ARCSIGHT_CEF)
- Auth0 (AUTH_ZERO)
- AWS Cloudtrail (AWS_CLOUDTRAIL)
- AWS Config (AWS_CONFIG)
- AWS GuardDuty (GUARDDUTY)
- Azure AD (AZURE_AD)
- Azure AD Directory Audit (AZURE_AD_AUDIT)
- Azure App Service (AZURE_APP_SERVICE)
- Azure Key Vault logging (AZURE_KEYVAULT_AUDIT)
- BIND (BIND_DNS)
- Blue Coat Proxy (BLUECOAT_WEBPROXY)
- Box (BOX)
- Chrome Management (N/A)
- Cisco AMP (CISCO_AMP)
- Cisco Umbrella DNS (UMBRELLA_DNS)
- Cisco VPN (CISCO_VPN)
- Citrix Netscaler (CITRIX_NETSCALER)
- Cloud Audit Logs (N/A)
- Cloudflare (CLOUDFLARE)
- Cofense (COFENSE_TRIAGE)
- Corelight (CORELIGHT)
- CrowdStrike Falcon (CS_EDR)
- CSV Custom IOC (CSV_CUSTOM_IOC)
- Custom Application Access Logs (CUSTOM_APPLICATION_ACCESS)
- Cybergatekeeper NAC (CYBERGATEKEEPER_NAC)
- Extreme Wireless (EXTREME_WIRELESS)
- F5 ASM (F5_ASM)
- F5 BIGIP LTM (F5_BIGIP_LTM)
- Falco IDS (FALCO_IDS)
- FireEye (FIREEYE_ALERT)
- FireEye ETP (FIREEYE_ETP)
- ForgeRock Identity Cloud (FORGEROCK_IDENTITY_CLOUD)
- FortiGate (FORTINET_FIREWALL)
- GCP_APP_ENGINE (GCP_APP_ENGINE)
- HP Procurve Switch (HP_PROCURVE)
- IAM Context (N/A)
- IBM DB2 (DB2_DB)
- IBM Mainframe Storage (IBM_MAINFRAME_STORAGE)
- IBM Security Access Manager (IBM_SAM)
- Illumio Core (ILLUMIO_CORE)
- Imperva (IMPERVA_WAF)
- Infoblox (INFOBLOX)
- JAMF CMDB (JAMF)
- KerioControl Firewall (KERIOCONTROL)
- Microsoft Azure Activity (AZURE_ACTIVITY)
- Microsoft Azure Resource (AZURE_RESOURCE_LOGS)
- Microsoft Defender For Cloud (MICROSOFT_DEFENDER_CLOUD_ALERTS)
- Microsoft Defender for Endpoint (MICROSOFT_DEFENDER_ENDPOINT)
- Microsoft Exchange (EXCHANGE_MAIL)
- Microsoft Graph Activity Logs (MICROSOFT_GRAPH_ACTIVITY_LOGS)
- Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
- Microsoft IIS (IIS)
- Microsoft System Center Endpoint Protection (MICROSOFT_SCEP)
- Mobile Endpoint Security (LOOKOUT_MOBILE_ENDPOINT_SECURITY)
- Mongo Database (MONGO_DB)
- Netscout OCI (NETSCOUT_OCI)
- Netskope (NETSKOPE_ALERT)
- Netskope Web Proxy (NETSKOPE_WEBPROXY)
- Network Policy Server (MICROSOFT_NPS)
- Nutanix Prism (NUTANIX_PRISM)
- Office 365 (OFFICE_365)
- Okta (OKTA)
- OpenCanary (OPENCANARY)
- Ordr IoT (ORDR_IOT)
- Palo Alto Cortex XDR Alerts (CORTEX_XDR)
- Palo Alto Networks Firewall (PAN_FIREWALL)
- Palo Alto Prisma Cloud (PAN_PRISMA_CLOUD)
- PerimeterX Bot Protection (PERIMETERX_BOT_PROTECTION)
- Phishlabs (PHISHLABS)
- Proofpoint Sendmail Sentrion (PROOFPOINT_SENDMAIL_SENTRION)
- Pulse Secure (PULSE_SECURE_VPN)
- RH-ISAC (RH_ISAC_IOC)
- SailPoint IAM (SAILPOINT_IAM)
- Salesforce (SALESFORCE)
- Sap Business Technology Platform (SAP_BTP)
- Security Command Center Threat (N/A)
- Sentinelone Alerts (SENTINELONE_ALERT)
- Shibboleth IDP (SHIBBOLETH_IDP)
- Sourcefire (SOURCEFIRE_IDS)
- Splunk Attack Analyzer (SPLUNK_ATTACK_ANALYZER)
- STIX Threat Intelligence (STIX)
- Symantec CloudSOC CASB (SYMANTEC_CASB)
- Symantec DLP (SYMANTEC_DLP)
- Tanium Asset (TANIUM_ASSET)
- Thinkst Canary (THINKST_CANARY)
- Trend Micro Deep Security (TRENDMICRO_DEEP_SECURITY)
- Vectra Detect (VECTRA_DETECT)
- Vectra Stream (VECTRA_STREAM)
- VeridiumID by Veridium (VERIDIUM_ID)
- Wazuh (WAZUH)
- Windows Defender ATP (WINDOWS_DEFENDER_ATP)
- Windows DNS (WINDOWS_DNS)
- Windows Event (WINEVTLOG)
- Windows Event (XML) (WINEVTLOG_XML)
- Windows Local Administrator Password Solution (MICROSOFT_LAPS)
- wiz.io (WIZ_IO)
- Workspace Activities (WORKSPACE_ACTIVITY)
- XAMS by Xiting (XITING_XAMS)
- Zscaler CASB (ZSCALER_CASB)
- Zscaler DLP (ZSCALER_DLP)
- Zscaler Internet Access Audit Logs (ZSCALER_INTERNET_ACCESS)
The following log types, without a default parser, were added. Each is listed by product name and log_type value, if applicable.
- Aruba Switch (ARUBA_SWITCH)
- Azure AD Password Protection (AZURE_AD_PASSWORD_PROTECTION)
- Azure Front Door (AZURE_FRONT_DOOR)
- Babelforce (BABELFORCE)
- Cloudaware (CLOUDAWARE)
- Coalition Control API (COALITION)
- Crowdstrike Identity Protection Services (CS_IDP)
- Cymulate (CYMULATE)
- Dell ECS Enterprise Object Storage (DELL_ECS)
- Google Cloud NGFW Enterprise (GCP_NGFW_ENTERPRISE)
- Google Cloud Secure Web Proxy (GCP_SWP)
- HaveIBeenPwned (HIBP)
- HPE BladeSystem C7000 (HPE_BLADESYSTEM_C7000)
- HP OpenView (HP_OPENVIEW)
- IBM DS8000 Storage (IBM_DS8000)
- IBM-i Operating System (IBM_I)
- Multicom Switch (MULTICOM_SWITCH)
- Nextthink Finder (NEXTTHINK_FINDER)
- Palo Alto Cortex XDR Management Audit (PAN_XDR_MGMT_AUDIT)
- PingIdentity Directory Server Logs (PING_DIRECTORY)
- Prisma SD-WAN (PRISMA_SD_WAN)
- Redhat Jboss (REDHAT_JBOSS)
- SafeBreach (SAFEBREACH)
- Scality Ring Audit (SCALITY_RING_AUDIT)
- Sendsafely (SENDSAFELY)
- Solace Pub Sub Cloud (SOLACE_AUDIT)
- Sonicwall Secure Mobile Access (SONICWALL_SMA)
- Sonrai Enterprise Cloud Security Solution (SONRAI)
- Tenemos Journey Manager System Event Publisher (TENEMOS_MANAGER_SYSTEMEVENT)
- TrueFort Platform (TRUEFORT)
- Ubiquiti Accesspoint (UBIQUITI_ACCESSPOINT)
- WithSecure Cloud Protection (WITHSECURE_CLOUD)
- WithSecure Elements Connector (WITHSECURE_ELEMENTS)
- YAMAHA ROUTER RTX1200 (YAMAHA_ROUTER)
For a list of supported log types and details about default parser changes, see Supported log types and default parsers.
March 12, 2024
Forwarder troubleshooting guide is now available to help you diagnose and resolve common issues that may arise while using the Chronicle Linux forwarder.
February 23, 2024
Chronicle now supports the timestamp.get_date() function. For more information and example usage, see YARA-L 2.0 language syntax.
February 21, 2024
Fixed an issue that prevented you from using the list, percentile, and percentile_distinct functions when creating a custom measure in your dashboard.
February 20, 2024
Google has added Tokyo (Japan) as a new region for Chronicle customers. Chronicle can now store customer data in this region. This also adds a new regional endpoint for Chronicle APIs at https://asia-northeast1-backstory.googleapis.com.
February 15, 2024
The following supported default parsers have changed. Each is listed by product name and log_type value, if applicable.
- A10 Load Balancer (A10_LOAD_BALANCER)
- Anomali (ANOMALI_IOC)
- Apache (APACHE)
- Arcsight CEF (ARCSIGHT_CEF)
- AWS CloudWatch (AWS_CLOUDWATCH)
- AWS EC2 Hosts (AWS_EC2_HOSTS)
- AWS EC2 Instances (AWS_EC2_INSTANCES)
- AWS EC2 VPCs (AWS_EC2_VPCS)
- Azure AD (AZURE_AD)
- Azure AD Directory Audit (AZURE_AD_AUDIT)
- Azure DevOps Audit (AZURE_DEVOPS)
- Azure Firewall (AZURE_FIREWALL)
- BIND (BIND_DNS)
- BloxOne Threat Defense (BLOXONE)
- Blue Coat Proxy (BLUECOAT_WEBPROXY)
- Carbon Black (CB_EDR)
- Cato Networks (CATO_NETWORKS)
- CENSYS (CENSYS)
- Check Point (CHECKPOINT_FIREWALL)
- Chrome Management (N/A)
- Cisco IronPort (CISCO_IRONPORT)
- Cisco Meraki (CISCO_MERAKI)
- Cisco Prime (CISCO_PRIME)
- Cisco Secure Workload (CISCO_SECURE_WORKLOAD)
- Citrix Netscaler (CITRIX_NETSCALER)
- Cloud Audit Logs (N/A)
- Cloud Load Balancing (GCP_LOADBALANCING)
- Cloud Run (GCP_RUN)
- Cloudflare (CLOUDFLARE)
- CommVault Commcell (COMMVAULT_COMMCELL)
- Compute Context (N/A)
- Corelight (CORELIGHT)
- CrowdStrike Detection Monitoring (CS_DETECTS)
- CSV Custom IOC (CSV_CUSTOM_IOC)
- Cybereason EDR (CYBEREASON_EDR)
- Dataminr Alerts (DATAMINR_ALERT)
- Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
- F5 BIGIP LTM (F5_BIGIP_LTM)
- FireEye ETP (FIREEYE_ETP)
- Forescout NAC (FORESCOUT_NAC)
- ForgeRock OpenAM (OPENAM)
- IBM WebSEAL (IBM_WEBSEAL)
- Imperva (IMPERVA_WAF)
- Imperva Database (IMPERVA_DB)
- Infoblox RPZ (INFOBLOX_RPZ)
- ISC DHCP (ISC_DHCP)
- Juniper (JUNIPER_FIREWALL)
- Linux Sysmon (LINUX_SYSMON)
- LogonBox (LOGONBOX)
- ManageEngine ADAudit Plus (ADAUDIT_PLUS)
- Micro Focus iManager (MICROFOCUS_IMANAGER)
- Microsoft AD (WINDOWS_AD)
- Microsoft ATA (MICROSOFT_ATA)
- Microsoft Azure Activity (AZURE_ACTIVITY)
- Microsoft Defender For Cloud (MICROSOFT_DEFENDER_CLOUD_ALERTS)
- Microsoft Exchange (EXCHANGE_MAIL)
- Microsoft IIS (IIS)
- Netskope (NETSKOPE_ALERT)
- Netskope CASB (NETSKOPE_CASB)
- Ntopng (NTOPNG)
- Office 365 (OFFICE_365)
- OpenCanary (OPENCANARY)
- OpenSSH (OPENSSH)
- OSSEC (OSSEC)
- Palo Alto Cortex XDR Alerts (CORTEX_XDR)
- Palo Alto Networks Firewall (PAN_FIREWALL)
- Palo Alto Panorama (PAN_PANORAMA)
- Quest Active Directory (QUEST_AD)
- Recordia (RECORDIA)
- Sangfor Next Generation Firewall (SANGFOR_NGAF)
- SAP SM20 (SAP_SM20)
- Security Command Center Threat (N/A)
- SEPPmail Secure Email (SEPPMAIL)
- ServiceNow CMDB (SERVICENOW_CMDB)
- Snare System Diagnostic Logs (SNARE_SOLUTIONS)
- Solaris system (SOLARIS_SYSTEM)
- STIX Threat Intelligence (STIX)
- Symantec CloudSOC CASB (SYMANTEC_CASB)
- Symantec Web Security Service (SYMANTEC_WSS)
- Trend Micro Deep Security (TRENDMICRO_DEEP_SECURITY)
- Veritas NetBackup (VERITAS_NETBACKUP)
- VMware ESXi (VMWARE_ESX)
- Watchguard EDR (WATCHGUARD_EDR)
- WindChill (WINDCHILL)
- Windows Defender AV (WINDOWS_DEFENDER_AV)
- Windows DNS (WINDOWS_DNS)
- Windows Event (WINEVTLOG)
- Windows Event (XML) (WINEVTLOG_XML)
- wiz.io (WIZ_IO)
- Zeek JSON (BRO_JSON)
- Zscaler (ZSCALER_WEBPROXY)
- Zscaler CASB (ZSCALER_CASB)
- Zscaler Internet Access Audit Logs (ZSCALER_INTERNET_ACCESS)
- Zscaler Private Access (ZSCALER_ZPA)
The following log types, without a default parser, were added. Each is listed by product name and log_type value, if applicable.
- Arista Guardian For Network Identity (ARISTA_AGNI)
- HPE Aruba Networking Central (ARUBA_CENTRAL)
- Blackberry Workspaces (BLACKBERRY_WORKSPACES)
- Barracuda CloudGen Firewall (BARRACUDA_CLOUDGEN_FIREWALL)
- Cisco EStreamer (CISCO_ESTREAMER)
- Cyderes IOC (CYDERES_IOC)
- Dataiku DSS Logging (DATAIKU_DSS_LOGS)
- Edgecore Networks (EDGECORE_NETWORKS)
- Fisglobal Quantum (FISGLOBAL_QUANTUM)
- ForgeRock Identity Cloud (FORGEROCK_IDENTITY_CLOUD)
- Forgerock OpenIdM (FORGEROCK_OPENIDM)
- FS-ISAC IOC (FS_ISAC_IOC)
- Genetec Audit (GENETEC_AUDIT)
- HiBob (HIBOB)
- Imperva Audit Trail (IMPERVA_AUDIT_TRAIL)
- KerioControl Firewall (KERIOCONTROL)
- Looker Audit (LOOKER_AUDIT)
- Mobile Endpoint Security (LOOKOUT_MOBILE_ENDPOINT_SECURITY)
- ManageEngine PAM360 (MANAGE_ENGINE_PAM360)
- Melissa (MELISSA)
- Microsoft CASB Files & Entities (MICROSOFT_CASB_CONTEXT)
- Windows Local Administrator Password Solution (MICROSOFT_LAPS)
- Network Policy Server (MICROSOFT_NPS)
- Power BI Activity Log (MICROSOFT_POWERBI_ACTIVITY_LOG)
- Nxlog Agent (NXLOG_AGENT)
- Nxlog Fim (NXLOG_FIM)
- Opus Codec (OPUS)
- Oracle NetSuite (ORACLE_NETSUITE)
- Pega Automation (PEGA)
- Qualys Knowledgebase (QUALYS_KNOWLEDGEBASE)
- RealiteQ (REALITEQ)
- SAP Webdispatcher (SAP_WEBDISP)
- Serpico (SERPICO)
- Software House Ccure9000 (SOFTWARE_HOUSE_CCURE9000)
- Spirion (SPIRION)
- Spur data feeds (SPUR_FEEDS)
- Swift (SWIFT)
- Technitium DNS (TECHNITIUM_DNS)
- Tetragon Ebpf Audit Logs (TETRAGON_EBPF_AUDIT_LOGS)
- Trend Micro Email Security Advanced (TRENDMICRO_EMAIL_SECURITY)
- Tridium Niagara Framework (TRIDIUM_NIAGARA_FRAMEWORK)
- VeridiumID by Veridium (VERIDIUM_ID)
- Wallarm Webhook Notifications (WALLARM_NOTIFICATIONS)
- Winscp (WINSCP)
- XAMS by Xiting (XITING_XAMS)
For a list of supported log types and details about default parser changes, see Supported log types and default parsers.
February 12, 2024
Google has introduced Risk Analytics to Chronicle. Risk Analytics looks for patterns of risk across your enterprise, assigning risk scores to all entities and activities. These scores are surfaced in the Risk Analytics dashboard which lets you better understand risk in your environment by visualizing entity risk trends. The dashboard helps you to identify unusual behavior and the potential risk that entities pose to your enterprise. You can specify watchlists of entities you suspect of having greater risk. The watchlists let you more easily monitor risk within your environment.
Risk Analytics also provides both predefined curated detections and YARA-L metric functions for authoring custom rules.
Risk Analytics is available with Enterprise and Enterprise Plus licenses, or as an add-on to a SIEM standalone license.
February 06, 2024
Chronicle requires a minimum Transport Layer Security (TLS) version of 1.2 to maintain security compliance. Ingestion routing connections that use lower TLS versions are automatically blocked. Upgrade any custom ingestion mechanisms to adhere to TLS 1.2 or higher.
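Added example (not Chronicle's own code or API) for the TLS requirement above: a hardened client context beside a deliberately weak one, and a policy check that reports what a custom ingester would have to fix before its connections stop being blocked. The regional host helper follows the <region>-backstory.googleapis.com pattern the February 20 and December 15 entries give; any other region name is an assumption.

```python
"""Client-side checks for the TLS 1.2 minimum Chronicle enforces on
ingestion connections. Added example; not Chronicle's own code.

An ingester that still carries a permissive TLS configuration is blocked
at the routing layer, so this audit belongs in the ingester's own test
suite, before deployment."""
import socket
import ssl

REQUIRED_MIN_TLS = ssl.TLSVersion.TLSv1_2


def hardened_client_context() -> ssl.SSLContext:
    """Client context that can only negotiate TLS 1.2 or 1.3 and always
    verifies the server certificate and host name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = REQUIRED_MIN_TLS
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_default_certs()
    return ctx


def weak_client_context_for_comparison() -> ssl.SSLContext:
    """What a legacy ingester often carries: any protocol version the
    library supports and no certificate verification. Constructed only to
    show what the audit reports; not meant for real traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def tls_policy_violations(ctx: ssl.SSLContext) -> list[str]:
    """Return every reason a context falls short of the ingestion
    requirement (TLS >= 1.2) plus the verification settings any client
    talking to a googleapis.com endpoint should keep. Empty means OK."""
    problems: list[str] = []
    if ctx.minimum_version < REQUIRED_MIN_TLS:
        problems.append(
            f"minimum_version is {ctx.minimum_version.name}; "
            f"{REQUIRED_MIN_TLS.name} or higher is required"
        )
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        problems.append("host name is not matched against the certificate")
    return problems


def regional_api_host(region: str) -> str:
    """Host of a regional Chronicle API endpoint, following the
    '<region>-backstory.googleapis.com' pattern these notes give for
    asia-northeast1, me-central2 and asia-south1 (other regions: assumption)."""
    return f"{region}-backstory.googleapis.com"


def negotiated_tls_version(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect with the hardened context and report the protocol actually
    negotiated (for example 'TLSv1.3'). Raises ssl.SSLError if the server
    cannot meet the policy. Live network call; the offline checks skip it."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with hardened_client_context().wrap_socket(raw, server_hostname=host) as tls:
            return tls.version() or "unknown"


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()),
                       ("weak", weak_client_context_for_comparison())):
        issues = tls_policy_violations(ctx)
        print(f"{label}: {'OK' if not issues else '; '.join(issues)}")
```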
When the data ingestion rate for a tenant reaches a certain threshold, Chronicle controls the rate of ingestion for new data feeds to prevent a source with a high ingestion rate from affecting the ingestion rate of another data source. The ingestion volume and tenant's usage history determine the threshold. If the rate of ingestion does not deviate greatly then there is no effect on the ingestion rate.
February 01, 2024
The following log types were added to the Chronicle feed management API to create AWS data feeds. These feeds can be used to get context on AWS resources such as EC2 instances and users in identity and access management (IAM). Each is listed by product name and log_type value, if applicable.
- AWS EC2 Hosts (AWS_EC2_HOSTS)
- AWS EC2 Instances (AWS_EC2_INSTANCES)
- AWS EC2 VPCs (AWS_EC2_VPCS)
- AWS Identity and Access Management (AWS_IAM)
To view a list of log types that Chronicle supports for third-party APIs, see Configuration by log type.
January 31, 2024
The bi-weekly release of Chronicle parsers will change to a more frequent release schedule to allow for more testing before parser changes automatically take effect in Parser Management.
Beginning on February 1, 2024, new parser updates will be released weekly as pending updates in Parser Management. Every 4 weeks beginning February 15, pending updates will automatically become active when these parser versions are promoted to default.
Any Chronicle tenants with Parser Management disabled do not use the standard Parser Management release process, so weekly parser updates will automatically take effect.
January 25, 2024
The Detection Engine added support for event variable joins on or expressions and function calls. For examples, see Event variable join requirements.
January 24, 2024
Chronicle has expanded Cloud Threat Detections to alert on findings from GCP Security Command Center Event Threat Detections, Virtual Machine Threat Detections, and Container Threat Detections. These passthrough detections are available through the following packs: CDIR SCC Enhanced Exfiltration, CDIR SCC Enhanced Defense Evasion, CDIR SCC Enhanced Malware, CDIR SCC Enhanced Persistence, CDIR SCC Enhanced Privilege Escalation, CDIR SCC Credential Access, CDIR SCC Enhanced Discovery, CDIR SCC Brute Force, CDIR SCC Data Destruction, CDIR SCC Inhibit System Recovery, CDIR SCC Execution, CDIR SCC Initial Access, CDIR SCC Impair Defenses.
January 23, 2024
Chronicle Curated Detections has been enhanced with new detection content for Linux Threats. These new rule sets help identify malware and suspicious activity in Linux environments.
January 19, 2024
The following supported default parsers have changed. Each is listed by product name and log_type value, if applicable.
- Alcatel Switch (ALCATEL_SWITCH)
- Awake NDR (AWAKE_NDR)
- AWS Aurora (AWS_AURORA)
- Azure AD (AZURE_AD)
- Azure AD Directory Audit (AZURE_AD_AUDIT)
- Azure AD Organizational Context (AZURE_AD_CONTEXT)
- Azure DevOps Audit (AZURE_DEVOPS)
- Barracuda Email (BARRACUDA_EMAIL)
- BeyondTrust (BOMGAR)
- Box (BOX)
- Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
- Cisco Umbrella Audit (CISCO_UMBRELLA_AUDIT)
- Cisco VPN (CISCO_VPN)
- Cisco WLC/WCS (CISCO_WIRELESS)
- Cloud Audit Logs (N/A)
- Cloudflare (CLOUDFLARE)
- Compute Context (N/A)
- Dell Switch (DELL_SWITCH)
- F5 ASM (F5_ASM)
- FireEye (FIREEYE_ALERT)
- FireEye HX (FIREEYE_HX)
- FireEye PX (FIREEYE_PX)
- Fortinet Web Application Firewall (FORTINET_FORTIWEB)
- HP Aruba (ClearPass) (CLEARPASS)
- Infoblox DHCP (INFOBLOX_DHCP)
- JumpCloud Directory Insights (JUMPCLOUD_DIRECTORY_INSIGHTS)
- Kubernetes Audit Azure (KUBERNETES_AUDIT_AZURE)
- Microsoft Azure Activity (AZURE_ACTIVITY)
- Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
- Microsoft IIS (IIS)
- Nutanix Prism (NUTANIX_PRISM)
- Office 365 (OFFICE_365)
- Palo Alto Networks Firewall (PAN_FIREWALL)
- Quest Change Auditor for EMC (QUEST_CHANGE_AUDITOR_EMC)
- Quest File Access Audit (QUEST_FILE_AUDIT)
- RH-ISAC (RH_ISAC_IOC)
- Riverbed Steelhead (STEELHEAD)
- SentinelOne Singularity Cloud Funnel (SENTINELONE_CF)
- Symantec DLP (SYMANTEC_DLP)
- Synology (SYNOLOGY)
- Sysdig (SYSDIG)
- Unix system (NIX_SYSTEM)
- Vectra Detect (VECTRA_DETECT)
- Vectra Stream (VECTRA_STREAM)
- Windows DNS (WINDOWS_DNS)
- Windows Event (WINEVTLOG)
- Windows Event (XML) (WINEVTLOG_XML)
- Windows Sysmon (WINDOWS_SYSMON)
- Zscaler (ZSCALER_WEBPROXY)
The following log types, without a default parser, were added. Each is listed by product name and log_type value, if applicable.
- AliCloud Anti DDos (ALICLOUD_ANTI_DDOS)
- AliCloud WAF (ALICLOUD_WAF)
- Arista CloudVision Portal (ARISTA_CVP)
- CypherTrust Manager (CIPHERTRUST_MANAGER)
- Cybergatekeeper NAC (CYBERGATEKEEPER_NAC)
- Microsoft Graph Activity Logs (MICROSOFT_GRAPH_ACTIVITY_LOGS)
- Trend Micro EdgeIPS (TRENDMICRO_EDGEIPS)
- Vanguard Active Alerts (VANGUARD)
For a list of supported log types and details about default parser changes, see Supported log types and default parsers.
January 17, 2024
The following changes are available in the Unified Data Model.
New objects were added:
- DNSRecord
- Favicon
- ThreatVerdict
- PopularityRank
- SSLCertificate
- SSLCertificate.AuthorityKeyId
- SSLCertificate.CertSignature
- SSLCertificate.DSA
- SSLCertificate.EC
- SSLCertificate.Extension
- SSLCertificate.PublicKey
- SSLCertificate.RSA
- SSLCertificate.Subject
- SSLCertificate.Validity
- Tracker
- Url
- SecurityResult.AnalyticsMetadata
A new field was added to Noun: url_metadata.
New fields were added to SecurityResult: ruleset_category_display_name, confidence_score, analytics_metadata, threat_verdict, and last_discovered_time.
New fields were added to Domain: categories, favicon, jarm, last_dns_records, last_dns_records_time, last_https_certificate, last_https_certificate_time, popularity_ranks, tags, and whois_time.
New fields were added to File: security_result and main_icon.
New fields were added to SecurityResult.Association: sponsor_region, targeted_regions, and tags.
New values were added to File.FileType:
- FILE_TYPE_DWG
- FILE_TYPE_DXF
- FILE_TYPE_THREEDS
- FILE_TYPE_WEBM
- FILE_TYPE_MKV
- FILE_TYPE_ONE_NOTE
- FILE_TYPE_OOXML
- FILE_TYPE_ZST
- FILE_TYPE_LZFSE
- FILE_TYPE_PYTHON_WHL
- FILE_TYPE_PYTHON_PKG
- FILE_TYPE_M4
- FILE_TYPE_OBJETIVEC
- FILE_TYPE_JMOD
- FILE_TYPE_MAKEFILE
- FILE_TYPE_INI
- FILE_TYPE_CLJ
- FILE_TYPE_PDB
- FILE_TYPE_SQL
- FILE_TYPE_NEKO
- FILE_TYPE_WER
- FILE_TYPE_GOLANG
- FILE_TYPE_SGML
- FILE_TYPE_JSON
- FILE_TYPE_CSV
- FILE_TYPE_SQUASHFS
- FILE_TYPE_VHD
- FILE_TYPE_IPS
- FILE_TYPE_PEM
- FILE_TYPE_PGP
- FILE_TYPE_CRT
- FILE_TYPE_PYC
New values were added to Metric.Dimension: PRINCIPAL_PROCESS_FILE_PATH, PRINCIPAL_PROCESS_FILE_HASH, and SECURITY_RESULT_RULE_NAME.
A new value was added to Metric.MetricName: ALERT_EVENT_NAME_COUNT.
A new value was added to SecurityResult.ProductSeverity: NONE.
For a list of all fields in the Unified Data Model, and their descriptions, see the Unified Data Model field list.
January 16, 2024
UDM Search for entity investigation
UDM Search now includes a feature that lets you investigate entities (for example, an IP address, user, or asset) in addition to the events and alerts that match the search query terms. UDM Search query conditions can include both UDM fields (for example, principal.hostname="alice") and grouped fields (for example, hostname="alice"). When a search query includes a condition that identifies a specific entity, the search results include details about that entity in addition to UDM events that match the entire search query.
January 03, 2024
The following supported default parsers have changed. Each is listed by product name and log_type value, if applicable.
- ADVA Fiber Service Platform (ADVA_FSP)
- Anomali (ANOMALI_IOC)
- Apache (APACHE)
- AWS EMR (AWS_EMR)
- AWS Route 53 DNS (AWS_ROUTE_53)
- AWS WAF (AWS_WAF)
- Azure AD Directory Audit (AZURE_AD_AUDIT)
- Azure Application Gateway (AZURE_GATEWAY)
- BIND (BIND_DNS)
- Blue Coat Proxy (BLUECOAT_WEBPROXY)
- Carbon Black (CB_EDR)
- Check Point (CHECKPOINT_FIREWALL)
- Cisco ASA (CISCO_ASA_FIREWALL)
- Cisco DNA Center Platform (CISCO_DNAC)
- Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
- CrowdStrike Falcon (CS_EDR)
- Darktrace (DARKTRACE)
- Deep Instinct EDR (DEEP_INSTINCT_EDR)
- Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
- Extreme Networks Switch (EXTREME_SWITCH)
- F5 ASM (F5_ASM)
- F5 BIGIP LTM (F5_BIGIP_LTM)
- Forescout NAC (FORESCOUT_NAC)
- Fortinet FortiClient (FORTINET_FORTICLIENT)
- GitHub (GITHUB)
- GMAIL Logs (GMAIL_LOGS)
- IBM DB2 (DB2_DB)
- IBM Guardium (GUARDIUM)
- Jamf Protect Alerts (JAMF_PROTECT)
- Juniper (JUNIPER_FIREWALL)
- Kubernetes Node (KUBERNETES_NODE)
- Mandiant Custom IOC (MANDIANT_CUSTOM_IOC)
- Mattermost (MATTERMOST)
- Microsoft Exchange (EXCHANGE_MAIL)
- Microsoft IIS (IIS)
- Microsoft SQL Server (MICROSOFT_SQL)
- Nutanix Prism (NUTANIX_PRISM)
- Office 365 (OFFICE_365)
- Okta (OKTA)
- Palo Alto Cortex XDR Events (PAN_CORTEX_XDR_EVENTS)
- Palo Alto Networks Firewall (PAN_FIREWALL)
- Proofpoint Observeit (OBSERVEIT)
- RH-ISAC (RH_ISAC_IOC)
- SAP SAST Suite (SAP_SAST)
- Security Command Center Threat (N/A)
- SentinelOne Singularity Cloud Funnel (SENTINELONE_CF)
- Symantec DLP (SYMANTEC_DLP)
- Talon (TALON)
- Tanium Stream (TANIUM_TH)
- Trend Micro Apex one (TRENDMICRO_APEX_ONE)
- Windows Event (WINEVTLOG)
- Windows Event (XML) (WINEVTLOG_XML)
- wiz.io (WIZ_IO)
- Zscaler (ZSCALER_WEBPROXY)
- Zscaler CASB (ZSCALER_CASB)
- Zscaler Tunnel (ZSCALER_TUNNEL)
The following log types, without a default parser, were added. Each is listed by product name and log_type value, if applicable.
- Asimily (ASIMILY)
- Checkpoint Gaia (CHECKPOINT_GAIA)
- Cisco Cyber Vision (CISCO_CYBER_VISION)
- Cisco IronPort (CISCO_IRONPORT)
- Cyber 2.0 IDS (CYBER_2_IDS)
- CypherTrust Manager (CYPHERTRUST_MANAGER)
- Duo Trust Monitor (DUO_TRUST_MONITOR)
- Extreme Wireless (EXTREME_WIRELESS)
- FireEye PX (FIREEYE_PX)
- Harfanglab EDR (HARFANGLAB_EDR)
- ImageNow (IMAGENOW)
- INFINICO NetWyvern Series Appliance (INFINICO_NETWYVERN)
- Quest CA Audit (QUEST_CA_AUDIT)
- Quest Change Auditor for EMC (QUEST_CHANGE_AUDITOR_EMC)
- Quest File Access Audit (QUEST_FILE_AUDIT)
- RadiFlow IDS (RADIFLOW_IDS)
- Sentrigo (SENTRIGO)
- SEPPmail Secure Email (SEPPMAIL)
- SpecterX (SPECTERX)
- ViaControl Server Application (VIACONTROL)
- WindChill (WINDCHILL)
- WS Ftp (WS_FTP)
For a list of supported log types and details about default parser changes, see Supported log types and default parsers.
December 22, 2023
When you create a custom measure in a dashboard, you can't use the list, percentile, and percentile_distinct functions.
December 18, 2023
Chronicle Curated Detections has been enhanced with new detection content for Google Cloud threats. These new rule sets detect Kubernetes certificates and Certificate Signing Requests (CSRs) actions that could be used to establish persistence or to escalate privileges.
December 15, 2023
Google has added KSA (Dammam) and India (Mumbai) as new regions for Chronicle customers. Chronicle can now store customer data in these regions. This also adds new regional endpoints for Chronicle APIs at https://me-central2-backstory.googleapis.com and http://asia-south1-backstory.googleapis.com.
December 14, 2023
The following supported default parsers have changed. Each is listed by product name and log_type value, if applicable.
- Aruba Airwave (ARUBA_AIRWAVE)
- Atlassian Jira (ATLASSIAN_JIRA)
- AWS EC2 HOSTS (AWS_EC2_HOSTS)
- AWS EC2 INSTANCES (AWS_EC2_INSTANCES)
- AWS EC2 VPCS (AWS_EC2_VPCS)
- AWS Identity and Access Management (IAM) (AWS_IAM)
- AWS WAF (AWS_WAF)
- Azure App Service (AZURE_APP_SERVICE)
- Blue Coat Proxy (BLUECOAT_WEBPROXY)
- Box (BOX)
- Brocade Switch (BROCADE_SWITCH)
- Cisco ASA (CISCO_ASA_FIREWALL)
- Cisco Switch (CISCO_SWITCH)
- Cloud Audit Logs (N/A)
- Cloud Intrusion Detection System (GCP_IDS)
- Corelight (CORELIGHT)
- DomainTools Threat Intelligence (DOMAINTOOLS_THREATINTEL)
- Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
- Extreme Networks Switch (EXTREME_SWITCH)
- F5 ASM (F5_ASM)
- FireEye (FIREEYE_ALERT)
- Fortinet FortiClient (FORTINET_FORTICLIENT)
- GMAIL Logs (GMAIL_LOGS)
- HCL BigFix (HCL_BIGFIX)
- Kubernetes Node (KUBERNETES_NODE)
- Mandiant Custom IOC (MANDIANT_CUSTOM_IOC)
- Medigate IoT (MEDIGATE_IOT)
- Microsoft Azure Resource (AZURE_RESOURCE_LOGS)
- Microsoft CyberX (CYBERX)
- Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
- Microsoft IIS (IIS)
- Microsoft Powershell (POWERSHELL)
- Neo4j (NEO4J)
- Netskope Web Proxy (NETSKOPE_WEBPROXY)
- Onapsis (ONAPSIS)
- Palo Alto Prisma Cloud Alert payload (PAN_PRISMA_CA)
- PerimeterX Bot Protection (PERIMETERX_BOT_PROTECTION)
- Ping Identity (PING)
- Radware Web Application Firewall (RADWARE_FIREWALL)
- Remediant SecureONE (REMEDIANT_SECUREONE)
- SailPoint IAM (SAILPOINT_IAM)
- SAP SM20 (SAP_SM20)
- Security Command Center Threat (N/A)
- Silverfort Authentication Platform (SILVERFORT)
- Symantec DLP (SYMANTEC_DLP)
- Thinkst Canary (THINKST_CANARY)
- Unix system (NIX_SYSTEM)
- WatchGuard (WATCHGUARD)
- Windows Defender ATP (WINDOWS_DEFENDER_ATP)
- Windows DNS (WINDOWS_DNS)
- Workday Audit Logs (WORKDAY_AUDIT)
- Workspace Activities (WORKSPACE_ACTIVITY)
- Zscaler Internet Access Audit Logs (ZSCALER_INTERNET_ACCESS)
The following log types, without a default parser, were added. Each is listed by product name and log_type value, if applicable.
- Akamai Guardicore (AKAMAI_GUARDICORE)
- Alcatel Switch (ALCATEL_SWITCH)
- Ascertia (ASCERTIA)
- Cohesity Helios (COHESITY_HELIOS)
- Dtex Intercept (DTEX_INTERCEPT)
- Evidos Firewall (EVIDOS_FIREWALL)
- F5 Distributed Cloud Services (F5_DCS)
- Five9 (FIVE9)
- JumpCloud Desktop (JUMPCLOUD_DESKTOP)
- Keepalived Routing software (KEEPALIVED)
- Mongo Atlas Audit (MONGO_ATLAS_AUDIT)
- Mosyle (MOSYLE)
- NetDocuments Solutions (NETDOCUMENTS)
- Netwrix (NETWRIX)
- Nozomi Networks Scada Guardian (NOZOMI_GUARDIAN)
- OpenVAS (OPENVAS)
- Passfort (PASSFORT)
- Proofpoint DLP (PROOFPOINT_DLP)
- Rabbit MQ (RABBITMQ)
- Redis (REDIS)
- Salesforce Commerce Cloud (SALESFORCE_COMMERCE_CLOUD)
- Sap Business Technology Platform (SAP_BTP)
- Syxsense (SYXSENSE)
- Teramind (TERAMIND)
- TXOne Stellar (TRENDMICRO_STELLAR)
- Zscaler NSS Feeds for Alerts (ZSCALER_NSS_FEEDS)
- Zscaler Tunnel (ZSCALER_TUNNEL)
For a list of supported log types and details about default parser changes, see Supported log types and default parsers.
December 13, 2023
Duet AI in Security Operations
You can now use Duet AI to search your event data using natural language. Duet AI can translate natural language into Chronicle's unified data model, letting you search your event data without having to know YARA-L to craft custom queries.
December 06, 2023
Chronicle Curated Detections has been enhanced with new detection content for Google Cloud threats. These new rule sets help identify anomalous activity in Google Workspace data.
Chronicle now has an additional mechanism to set up the ingestion of Google Workspace Activities logs (WORKSPACE_ACTIVITY). This feature simplifies the configuration steps and provides a more direct data integration with Google Workspace. For more information, see Send Google Workspace data to Chronicle.
November 29, 2023
The following supported default parsers have changed. Each is listed by product name and log_type value, if applicable.
- AWS Cloudtrail (AWS_CLOUDTRAIL)
- Azure AD (AZURE_AD)
- Azure AD Directory Audit (AZURE_AD_AUDIT)
- Azure AD Organizational Context (AZURE_AD_CONTEXT)
- Azure Application Gateway (AZURE_GATEWAY)
- Azure DevOps Audit (AZURE_DEVOPS)
- Blue Coat Proxy (BLUECOAT_WEBPROXY)
- Chrome Management (N/A)
- Cisco ASA (CISCO_ASA_FIREWALL)
- Cisco ISE (CISCO_ISE)
- Cisco Wireless IPS (CISCO_WIPS)
- Citrix Netscaler (CITRIX_NETSCALER)
- Clearswift (CLEARSWIFT)
- Cloud Audit Logs (N/A)
- Cloud Load Balancing (GCP_LOADBALANCING)
- Cloud SQL (GCP_CLOUDSQL)
- Cloudflare (CLOUDFLARE)
- Corelight (CORELIGHT)
- CrowdStrike Falcon (CS_EDR)
- Cyberark Privilege Cloud (CYBERARK_PRIVILEGE_CLOUD)
- Darktrace (DARKTRACE)
- Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
- Evision FircoSoft (EVISION_FIRCOSOFT)
- Fluentd Logs (FLUENTD)
- FortiGate (FORTINET_FIREWALL)
- HPE ILO (HPE_ILO)
- IBM WebSEAL (IBM_WEBSEAL)
- Jamf Protect Telemetry (JAMF_TELEMETRY)
- Jenkins (JENKINS)
- JumpCloud Directory Insights (JUMPCLOUD_DIRECTORY_INSIGHTS)
- Juniper MX Router (JUNIPER_MX)
- Kubernetes Node (KUBERNETES_NODE)
- Linux Auditing System (AuditD) (AUDITD)
- Mandiant Custom IOC (MANDIANT_CUSTOM_IOC)
- Microsoft CASB (MICROSOFT_CASB)
- Microsoft Exchange (EXCHANGE_MAIL)
- Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
- Nokia Router (NOKIA_ROUTER)
- Ntopng (NTOPNG)
- Office 365 (OFFICE_365)
- OpenVPN (OPEN_VPN)
- Opnsense (OPNSENSE)
- OSQuery (OSQUERY_EDR)
- OSSEC (OSSEC)
- Palo Alto Networks Firewall (PAN_FIREWALL)
- Radware Web Application Firewall (RADWARE_FIREWALL)
- RH-ISAC (RH_ISAC_IOC)
- Security Command Center Threat (N/A)
- Sierra Wireless (SIERRA_WIRELESS)
- Signal Sciences WAF (SIGNAL_SCIENCES_WAF)
- Sophos Firewall (Next Gen) (SOPHOS_FIREWALL)
- Splunk Platform (SPLUNK)
- Suricata IDS (SURICATA_IDS)
- Symantec Endpoint Protection (SEP)
- Teleport Access Plane (TELEPORT_ACCESS_PLANE)
- Ubiquiti UniFi Switch (UBIQUITI_SWITCH)
- VMware NSX (VMWARE_NSX)
- Vsftpd (VSFTPD)
- WatchGuard (WATCHGUARD)
- Windows Defender ATP (WINDOWS_DEFENDER_ATP)
- Windows DHCP (WINDOWS_DHCP)
- Windows DNS (WINDOWS_DNS)
- Windows Event (WINEVTLOG)
- Windows Event (XML) (WINEVTLOG_XML)
- Windows Sysmon (WINDOWS_SYSMON)
- Workspace Activities (WORKSPACE_ACTIVITY)
- Workspace Alerts (WORKSPACE_ALERTS)
- Workspace ChromeOS Devices (WORKSPACE_CHROMEOS)
- Workspace Groups (WORKSPACE_GROUPS)
- Workspace Mobile Devices (WORKSPACE_MOBILE)
- Workspace Privileges (WORKSPACE_PRIVILEGES)
- Workspace Users (WORKSPACE_USERS)
- Zeek JSON (BRO_JSON)
- Zscaler (ZSCALER_WEBPROXY)
The following log types, without a default parser, were added. Each is listed by product name and log_type value, if applicable.
- No new log types were added.
For a list of supported log types and details about default parser changes, see Supported log types and default parsers.
November 15, 2023
The following supported default parsers have changed. Each is listed by product name and log_type value, if applicable.
- Abnormal Security (ABNORMAL_SECURITY)
- Akamai Enterprise Application Access (AKAMAI_EAA)
- Atlassian Confluence (ATLASSIAN_CONFLUENCE)
- Atlassian Jira (ATLASSIAN_JIRA)
- AWS Aurora (AWS_AURORA)
- AWS Cloudtrail (AWS_CLOUDTRAIL)
- Bitwarden Events (BITWARDEN_EVENTS)
- Check Point Harmony (CHECKPOINT_HARMONY)
- Cisco Router (CISCO_ROUTER)
- Cisco Switch (CISCO_SWITCH)
- Cisco Umbrella DNS (UMBRELLA_DNS)
- Cloud Audit Logs (N/A)
- Dell Switch (DELL_SWITCH)
- Elastic Search (ELASTIC_SEARCH)
- Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
- F5 ASM (F5_ASM)
- FireEye (FIREEYE_ALERT)
- Firewall Rule Logging (N/A)
- IBM DataPower Gateway (IBM_DATAPOWER)
- Infoblox (INFOBLOX)
- Jamf Protect Alerts (JAMF_PROTECT)
- Juniper (JUNIPER_FIREWALL)
- Lacework Cloud Security (LACEWORK)
- Linux Sysmon (LINUX_SYSMON)
- Medigate IoT (MEDIGATE_IOT)
- Microsoft Sentinel (MICROSOFT_SENTINEL)
- Netskope (NETSKOPE_ALERT)
- Openpath (OPENPATH)
- Palo Alto Cortex XDR Alerts (CORTEX_XDR)
- Proofpoint Observeit (OBSERVEIT)
- Proofpoint On Demand (PROOFPOINT_ON_DEMAND)
- Pulse Secure (PULSE_SECURE_VPN)
- Pulse Secure Virtual Traffic Manager (PULSE_SECURE_VTM)
- SentinelOne EDR (SENTINEL_EDR)
- Sophos Firewall (Next Gen) (SOPHOS_FIREWALL)
- SpyCloud (SPYCLOUD)
- Stealthbits Defend (STEALTHBITS_DEFEND)
- Stealthbits PAM (STEALTHBITS_PAM)
- STIX Threat Intelligence (STIX)
- Symantec Endpoint Protection (SEP)
- Symantec Event export (SYMANTEC_EVENT_EXPORT)
- Tenable Active Directory Security (TENABLE_ADS)
- Unix system (NIX_SYSTEM)
- VMware vCenter (VMWARE_VCENTER)
- Windows Event (XML) (WINEVTLOG_XML)
- Zscaler (ZSCALER_WEBPROXY)
The following log types, without a default parser, were added. Each is listed by product name and log_type value, if applicable.
- Aruba Orchestrator (ARUBA_ORCHESTRATOR)
- AWS Shield (AWS_SHIELD)
- Azure DNS logs (AZURE_DNS)
- Backbox (BACKBOX)
- Bitvise SSHd (BITVISE_SSHD)
- Cylera IOT (CYLERA_IOT)
- Druva Backup (DRUVA_BACKUP)
- Ensono Cloud Mainframe Solution (ENSONO)
- Extreme Networks ExtremeControl NAC Solution (EXTREME_CONTROL)
- EzProxy (EZPROXY)
- GitHub Events (GITHUB_EVENTS)
- Glean (GLEAN)
- ISM Xtraction (IVANTI_XTRACTION)
- Lira (LIRA)
- LogonBox (LOGONBOX)
- Mandiant Custom IOC (MANDIANT_CUSTOM_IOC)
- Monday (MONDAY)
- Onapsis (ONAPSIS)
- Opentelemetry (OPENTELEMETRY)
- Opswat Kiosk (OPSWAT_KIOSK)
- Outpost24 (OUTPOST24)
- Pentera Leef (PENTERA_LEEF)
- Phishlabs (PHISHLABS)
- Portnox Audit (PORTNOX_AUDIT)
- Portnox CEF (PORTNOX_CEF)
- Proofpoint Sendmail Sentrion (PROOFPOINT_SENDMAIL_SENTRION)
- SAP SM20 (SAP_SM20)
- Splunk Attack Analyzer (SPLUNK_ATTACK_ANALYZER)
- Stellar Cyber (STELLAR_CYBER)
- Talon (TALON)
- Teradici PCoIP (TERADICI_PCOIP)
- TrendMicro Apex Central (TRENDMICRO_APEX_CENTRAL)
- TrendMicro Webproxy DSM (TRENDMICRO_WEBPROXY_DSM)
- Vonage (VONAGE)
- Waterfall Data Security Manager (WATERFALL_DSM)
- Ysoft Data Security Manager (YSOFT_DSM)
- Zscaler Client Connector (ZSCALER_ZCC)
- Zscaler ZDX (ZSCALER_ZDX)
For a list of supported log types and details about default parser changes, see Supported log types and default parsers.
November 08, 2023
Detection Engine has added support for rule statuses for Chronicle YARA-L rules running on live data. In addition to being in Enabled or Disabled state, rules can also have Limited or Paused status depending on their resource usage.
November 02, 2023
The following supported default parsers have changed. Each is listed by product name and log_type value, if applicable.
- Akamai WAF (AKAMAI_WAF)
- Atlassian Confluence (ATLASSIAN_CONFLUENCE)
- AWS Cloudtrail (AWS_CLOUDTRAIL)
- AWS EMR (AWS_EMR)
- Azure AD Organizational Context (AZURE_AD_CONTEXT)
- Carbon Black (CB_EDR)
- Cisco Router (CISCO_ROUTER)
- Cisco Umbrella Web Proxy (UMBRELLA_WEBPROXY)
- Cloud Load Balancing (GCP_LOADBALANCING)
- Cloud SQL (GCP_CLOUDSQL)
- DNSFilter (DNSFILTER)
- Duo Auth (DUO_AUTH)
- Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
- Evision FircoSoft (EVISION_FIRCOSOFT)
- ExtraHop RevealX (EXTRAHOP)
- F5 ASM (F5_ASM)
- Firewall Rule Logging (N/A)
- Fortinet FortiClient (FORTINET_FORTICLIENT)
- GCP_KUBERNETES_CONTEXT (GCP_KUBERNETES_CONTEXT)
- GitHub (GITHUB)
- Gitlab (GITLAB)
- Hashicorp Vault (HASHICORP)
- IBM DataPower Gateway (IBM_DATAPOWER)
- IBM DB2 (DB2_DB)
- IBM Security Verify SaaS (IBM_SECURITY_VERIFY_SAAS)
- Infoblox (INFOBLOX)
- JumpCloud Directory Insights (JUMPCLOUD_DIRECTORY_INSIGHTS)
- Juniper Junos (JUNIPER_JUNOS)
- Kolide Endpoint Security (KOLIDE)
- ManageEngine ADAudit Plus (ADAUDIT_PLUS)
- Microsoft Exchange (EXCHANGE_MAIL)
- Microsoft IIS (IIS)
- Office 365 (OFFICE_365)
- Open Cybersecurity Schema Framework (OCSF) (OCSF)
- Oracle (ORACLE_DB)
- Oracle Cloud Infrastructure (ORACLE_CLOUD_AUDIT)
- Proofpoint On Demand (PROOFPOINT_ON_DEMAND)
- Qualys VM (QUALYS_VM)
- Saiwall VPN (SAIWALL_VPN)
- SentinelOne EDR (SENTINEL_EDR)
- Slack Audit (SLACK_AUDIT)
- Unix system (NIX_SYSTEM)
- Windows Event (WINEVTLOG)
- Workspace Activities (WORKSPACE_ACTIVITY)
- Workspace Alerts (WORKSPACE_ALERTS)
- Workspace ChromeOS Devices (WORKSPACE_CHROMEOS)
- Zscaler Internet Access Audit Logs (ZSCALER_INTERNET_ACCESS)
The following log types, without a default parser, were added. Each is listed by product name and log_type value, if applicable.
- Analyst1 IOC (ANALYST1_IOC)
- Amazon FSx for Windows File Server (AWS_FSX)
- DealCloud (DEAL_CLOUD)
- DomainTools Threat Intelligence (DOMAINTOOLS_THREATINTEL)
- Farsight DNSDB (FARSIGHT_DNSDB)
- Journald (JOURNALD)
- Mambu (MAMBU)
- Mattermost (MATTERMOST)
- Mitel Communications Director (MITEL_MCD)
- NordLayer VPN (NORD_LAYER)
- Paxton Access Control Systems (PAXTON_ACS)
For a list of supported log types and details about default parser changes, see Supported log types and default parsers.
November 01, 2023
Chronicle Curated Detections has been enhanced with new detection content for Google Cloud threats. These new rule sets help identify Kubernetes activity associated with abuse of role-based access controls (RBAC).
October 27, 2023
Google has added Frankfurt (Germany) and Zurich (Switzerland) as new regions for Chronicle customers. Chronicle can now store customer data in these regions. This also adds new regional endpoints for Chronicle APIs at https://europe-west3-backstory.googleapis.com and https://europe-west6-backstory.googleapis.com.
October 18, 2023
The following supported default parsers have changed. Each is listed by product name and log_type value, if applicable.
- Azure AD Directory Audit (AZURE_AD_AUDIT)
- Check Point (CHECKPOINT_FIREWALL)
- Chronicle SOAR Audit (CHRONICLE_SOAR_AUDIT)
- Cisco Internetwork Operating System (CISCO_IOS)
- Cisco Meraki (CISCO_MERAKI)
- Cisco Web Services Manager (CISCO_WSM)
- Cloud Audit Logs (N/A)
- Cloudflare (CLOUDFLARE)
- CrowdStrike Falcon (CS_EDR)
- ESET Threat Intelligence (ESET_IOC)
- GitHub (GITHUB)
- Gitlab (GITLAB)
- Infoblox DNS (INFOBLOX_DNS)
- JumpCloud Directory Insights (JUMPCLOUD_DIRECTORY_INSIGHTS)
- Kolide Endpoint Security (KOLIDE)
- McAfee ePolicy Orchestrator (MCAFEE_EPO)
- Microsoft Azure Activity (AZURE_ACTIVITY)
- Microsoft Azure Resource (AZURE_RESOURCE_LOGS)
- Microsoft Defender for Endpoint (MICROSOFT_DEFENDER_ENDPOINT)
- Microsoft SQL Server (MICROSOFT_SQL)
- Netskope Web Proxy (NETSKOPE_WEBPROXY)
- OpenSSH (OPENSSH)
- Palo Alto Cortex XDR Alerts (CORTEX_XDR)
- Silverfort Authentication Platform (SILVERFORT)
- Vectra Stream (VECTRA_STREAM)
- VMware ESXi (VMWARE_ESX)
- VMware NSX (VMWARE_NSX)
- Windows Applocker (WINDOWS_APPLOCKER)
- Windows Defender ATP (WINDOWS_DEFENDER_ATP)
- Windows DNS (WINDOWS_DNS)
- Windows Event (WINEVTLOG)
- Windows Event (XML) (WINEVTLOG_XML)
- Windows Hyper-V (WINDOWS_HYPERV)
- Workspace ChromeOS Devices (WORKSPACE_CHROMEOS)
- Zscaler (ZSCALER_WEBPROXY)
- ZScaler DNS (ZSCALER_DNS)
The following log types, without a default parser, were added. Each is listed by product name and log_type value, if applicable.
- ADVA Fiber Service Platform (ADVA_FSP)
- Bluecat Address Manager (BLUECAT_AM)
- Fortinet Switch (FORTINET_SWITCH)
- GCP Google Kubernetes Engine Context (GCP_KUBERNETES_CONTEXT)
- Kion (KION)
- Kiteworks (KITEWORKS)
- Nokia Router (NOKIA_ROUTER)
- Ntopng (NTOPNG)
- Opnsense (OPNSENSE)
- Oracle HCM Human resources platform solution (ORACLE_HCM)
- MS Powershell Transcript (POWERSHELL_TRANSCRIPT)
- RAD ETX (RAD_ETX)
- Spamhaus (SPAMHAUS)
- UpGuard (UPGUARD)
- Vsftpd (VSFTPD)
For a list of supported log types and details about default parser changes, see Supported log types and default parsers.
October 16, 2023
The following changes are available in the Unified Data Model.
- New enum fields were added: SecurityResult.IoCStatsType and SecurityResult.VerdictType.
- A new field was added to EntityMetadata: feed.
- A new field was added to Network: ip_subnet_range.
- New fields were added to SecurityResult: last_updated_time and verdict_info.
- A new field was added to Label: rbac_enabled.
- A new field was added to SecurityResult.Association: region_code.
- New fields were added to User: last_login_time, last_password_change_time, password_expiration_time, account_expiration_time, account_lockout_time, and last_bad_password_attempt_time.
- A new value was added to the Network.ApplicationProtocol enum: GRPC.
- The following new values were added to the Resource.ResourceType enum: POD, CONTAINER, FUNCTION, RUNTIME, IP_ADDRESS, DISK, VOLUME, IMAGE, SNAPSHOT, REPOSITORY, CREDENTIAL, LOAD_BALANCER, GATEWAY, SUBNET.
For a list of all fields in the Unified Data Model, and their descriptions, see the Unified Data Model field list.
October 10, 2023
While creating a custom parser, you can use the preview option to view the UDM output. In the preview, you can use the statedump filter plugin to validate the internal state of a parser. For more information, see Validate data using statedump plugin.
October 05, 2023
The following supported default parsers have changed. Each is listed by product name and log_type value, if applicable.
- AWS Cloudtrail (AWS_CLOUDTRAIL)
- Azion (AZION)
- Azure AD Organizational Context (AZURE_AD_CONTEXT)
- Blue Coat Proxy (BLUECOAT_WEBPROXY)
- Cisco ACS (CISCO_ACS)
- Cisco FireSIGHT Management Center (CISCO_FIRESIGHT)
- Cisco ISE (CISCO_ISE)
- Cisco Umbrella DNS (UMBRELLA_DNS)
- Cloud Intrusion Detection System (GCP_IDS)
- Cloudflare (CLOUDFLARE)
- Compute Context (N/A)
- Corelight (CORELIGHT)
- Darktrace (DARKTRACE)
- F5 ASM (F5_ASM)
- FireEye (FIREEYE_ALERT)
- HAProxy (HAPROXY)
- Hashicorp Vault (HASHICORP)
- HP Procurve Switch (HP_PROCURVE)
- IBM Security Verify SaaS (IBM_SECURITY_VERIFY_SAAS)
- Imperva (IMPERVA_WAF)
- Ionix (IONIX)
- Microsoft Defender for Endpoint (MICROSOFT_DEFENDER_ENDPOINT)
- MISP Threat Intelligence (MISP_IOC)
- Office 365 (OFFICE_365)
- Oracle Cloud Infrastructure Audit Logs (OCI_AUDIT)
- Sendmail (SENDMAIL)
- Tanium Audit (TANIUM_AUDIT)
- Tanium Stream (TANIUM_TH)
- Thycotic (THYCOTIC)
- Unix system (NIX_SYSTEM)
- VMware ESXi (VMWARE_ESX)
- VMware NSX (VMWARE_NSX)
- VMware vCenter (VMWARE_VCENTER)
- WatchGuard (WATCHGUARD)
- Windows DNS (WINDOWS_DNS)
- Windows Event (WINEVTLOG)
- Workspace Activities (WORKSPACE_ACTIVITY)
- Workspace Alerts (WORKSPACE_ALERTS)
- Zeek JSON (BRO_JSON)
- Zscaler CASB (ZSCALER_CASB)
The following log types, without a default parser, were added. Each is listed by product name and log_type value, if applicable.
- AWS_EMR (AWS_EMR)
- Azure Application Gateway (AZURE_GATEWAY)
- CloudBolt (CLOUDBOLT)
- DNSFilter (DNSFILTER)
- GitGuardian Enterprise (GITGUARDIAN_ENTERPRISE)
- GoAnywhere MFT (GOANYWHERE_MFT)
- IBM Security Identity Manager (IBM_SIM)
- Jamf Pro MDM (JAMF_PRO_MDM)
- MultiPay (MULTIPAY)
- Palo Alto Networks IoT Security (PAN_IOT)
- Raritan Dominion SX II (RARITAN_DOMINION)
For a list of supported log types and details about default parser changes, see Supported log types and default parsers.
October 04, 2023
Chronicle Curated Detections has been enhanced with new detection content for Google Cloud threats. These new rule sets help identify reconnaissance and exploitation behavior from open source Kubernetes tools.
The submit_parser command now has an option to skip validation if no logs are found. For more information, see the Chronicle CLI user guide.
October 03, 2023
The Chronicle SIEM user interface has a new top-level navigation to help you access the most commonly used Chronicle SIEM features. It works much the same as the navigation for Chronicle Security Operations. The new navigation menu expands from the left side of the screen, replacing the 9-dot icon at the top right. It is designed to make it easier to find information and resources and to help you work more efficiently. The Chronicle homepage can be accessed by clicking the Chronicle logo at the top left of the page. Reference lists can now be found within the Search page or the Rules Editor page.
September 20, 2023
The following supported default parsers have changed. Each is listed by product name and log_type value, if applicable.
- Akamai Cloud Monitor (AKAMAI_CLOUD_MONITOR)
- AWS Cloudtrail (AWS_CLOUDTRAIL)
- AWS WAF (AWS_WAF)
- BIND (BIND_DNS)
- Cisco Email Security (CISCO_EMAIL_SECURITY)
- Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
- Cisco Umbrella Web Proxy (UMBRELLA_WEBPROXY)
- Cloud DNS (N/A)
- Cloud SQL (GCP_CLOUDSQL)
- CSV Custom IOC (CSV_CUSTOM_IOC)
- Desynova Contido (DESYNOVA_CONTIDO)
- Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
- F5 Advanced Firewall Management (F5_AFM)
- Firewall Rule Logging (N/A)
- FortiMail Email Security (FORTINET_FORTIMAIL)
- GCP_KUBERNETES_CONTEXT (GCP_KUBERNETES_CONTEXT)
- Guardicore Centra (GUARDICORE_CENTRA)
- IBM Security Access Manager (IBM_SAM)
- Jamf Protect Telemetry (JAMF_TELEMETRY)
- Linux Auditing System (AuditD) (AUDITD)
- Microsoft Azure Activity (AZURE_ACTIVITY)
- Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
- Microsoft Powershell (POWERSHELL)
- Netskope Web Proxy (NETSKOPE_WEBPROXY)
- Office 365 (OFFICE_365)
- Oracle Unified Directory (ORACLE_OUD)
- Palo Alto Networks Firewall (PAN_FIREWALL)
- SecureLink (SECURELINK)
- Signal Sciences WAF (SIGNAL_SCIENCES_WAF)
- Skybox Firewall Assurance (SKYBOX_FIREWALL_ASSURANCE)
- SOTI MobiControl (SOTI_MOBICONTROL)
- Stealthbits PAM (STEALTHBITS_PAM)
- Thinkst Canary (THINKST_CANARY)
- Unix system (NIX_SYSTEM)
- Vectra Stream (VECTRA_STREAM)
- VMware NSX (VMWARE_NSX)
- VMware Tanzu Kubernetes Grid (VMWARE_TANZU)
- Windows Defender ATP (WINDOWS_DEFENDER_ATP)
- Windows Event (XML) (WINEVTLOG_XML)
- Workspace Activities (WORKSPACE_ACTIVITY)
- Zscaler (ZSCALER_WEBPROXY)
- Zscaler CASB (ZSCALER_CASB)
- ZScaler NGFW (ZSCALER_FIREWALL)
For details about changes in each parser, see Supported default parsers.
September 19, 2023
Chronicle feed management contains the following changes for the Google Cloud Storage source type:
- To create a new Google Cloud Storage feed, you must use the new service account. You are no longer required to use the following Chronicle global service account: 8911409095528497-0-account@partnercontent.gserviceaccount.com. The Chronicle global service account continues to be in use for existing Google Cloud Storage feeds.
- In the feed management API, the fetchFeedServiceAccount method has been added to get a Chronicle service account, which you must use when you create a new Google Cloud Storage feed.
- In the feed management UI, the new field Get service account has been added to get a Chronicle service account, which you must use when you create a new Google Cloud Storage feed.
Chronicle recently disclosed a security vulnerability. For more information, see the GCP-2023-028 security bulletin.
September 14, 2023
You can now change the type of a Chronicle reference list. For more details, see reference lists.
You can now create and manage forwarder configurations using the Chronicle user interface and also through the Chronicle Forwarder Management API.
Chronicle can now directly ingest the following log types from Google Cloud. Each is listed by product name and log_type value:
- Cloud Intrusion Detection System (GCP_IDS)
- Cloud Load Balancing (GCP_LOADBALANCING)
- Cloud SQL (GCP_CLOUDSQL)
- Windows Event logs (WINEVTLOG)
- Linux Sysmon (LINUX_SYSMON)
- Zeek (BRO_JSON)
- Google Kubernetes Engine (KUBERNETES_NODE)
- Audit Daemon (auditd) (AUDITD)
- Apigee (GCP_APIGEE_X)
For more information, see Ingest Google Cloud Data to Chronicle.
September 06, 2023
The following supported default parsers have changed. Each is listed by product name and log_type value, if applicable.
- Akamai Enterprise Application Access (AKAMAI_EAA)
- AWS Cloudtrail (AWS_CLOUDTRAIL)
- AWS CloudWatch (AWS_CLOUDWATCH)
- Chrome Management (N/A)
- Cisco ASA (CISCO_ASA_FIREWALL)
- Cisco Email Security (CISCO_EMAIL_SECURITY)
- Cloud Audit Logs (N/A)
- Cloudflare WAF (CLOUDFLARE_WAF)
- Darktrace (DARKTRACE)
- Desynova Contido (DESYNOVA_CONTIDO)
- Duo Telephony Logs (DUO_TELEPHONY)
- Elastic Audit Beats (ELASTIC_AUDITBEAT)
- F5 BIGIP LTM (F5_BIGIP_LTM)
- Fidelis Network (FIDELIS_NETWORK)
- Gitlab (GITLAB)
- Imperva FlexProtect (IMPERVA_FLEXPROTECT)
- Island Browser logs (ISLAND_BROWSER)
- Juniper (JUNIPER_FIREWALL)
- Microsoft Azure Resource (AZURE_RESOURCE_LOGS)
- Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
- Microsoft Sentinel (MICROSOFT_SENTINEL)
- Netscout OCI (NETSCOUT_OCI)
- Netskope Web Proxy (NETSKOPE_WEBPROXY)
- Office 365 (OFFICE_365)
- OpenSSH (OPENSSH)
- Palo Alto Networks Firewall (PAN_FIREWALL)
- ProofPoint Secure Email Relay (PROOFPOINT_SER)
- SentinelOne Deep Visibility (SENTINEL_DV)
- SentinelOne EDR (SENTINEL_EDR)
- Suricata IDS (SURICATA_IDS)
- Symantec DLP (SYMANTEC_DLP)
- Windows Defender ATP (WINDOWS_DEFENDER_ATP)
- Windows Event (WINEVTLOG)
- Windows Event (XML) (WINEVTLOG_XML)
- Workspace Activities (WORKSPACE_ACTIVITY)
- Workspace Alerts (WORKSPACE_ALERTS)
- Workspace Users (WORKSPACE_USERS)
- Zscaler (ZSCALER_WEBPROXY)
For details about changes in each parser, see Supported default parsers.
August 28, 2023
You can now use Cloud Monitoring to customize and receive notifications about ingestion health metrics. For more information, see Ingestion notifications for health metrics.
August 24, 2023
Chronicle has updated the rules engine's YARA-L 2.0 language compiler to report warnings. Warnings flag rules that are syntactically valid but may result in unexpected behavior. You can view and expand warnings in the Rules Editor the same way you view errors. The following warnings are currently supported:
- Multi-event non-distinct outcome section aggregations. For more information, see YARA-L known issues and limitations.
- Deprecated UDM fields or enum values.
August 23, 2023
The following supported default parsers have changed. Each is listed by product name and log_type value, if applicable.
- Apigee (GCP_APIGEE_X)
- AppOmni (APPOMNI)
- Attivo Networks (ATTIVO)
- AWS Cloudtrail (AWS_CLOUDTRAIL)
- AWS CloudWatch (AWS_CLOUDWATCH)
- AWS GuardDuty (GUARDDUTY)
- AWS WAF (AWS_WAF)
- Blue Coat Proxy (BLUECOAT_WEBPROXY)
- Cisco Internetwork Operating System (CISCO_IOS)
- Cisco NX-OS (CISCO_NX_OS)
- Cisco Umbrella Web Proxy (UMBRELLA_WEBPROXY)
- CrowdStrike Falcon (CS_EDR)
- Crowdstrike IOC (CROWDSTRIKE_IOC)
- CyberArk Endpoint Privilege Manager (EPM) (CYBERARK_EPM)
- Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
- F5 Advanced Firewall Management (F5_AFM)
- GMAIL Logs (GMAIL_LOGS)
- iBoss Proxy (IBOSS_WEBPROXY)
- Ipswitch MOVEit Transfer (IPSWITCH_MOVEIT_TRANSFER)
- Juniper Junos (JUNIPER_JUNOS)
- Kubernetes Audit (KUBERNETES_AUDIT)
- Kubernetes Node (KUBERNETES_NODE)
- Microsoft AD FS (ADFS)
- Microsoft Defender For Cloud (MICROSOFT_DEFENDER_CLOUD_ALERTS)
- Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
- Microsoft SQL Server (MICROSOFT_SQL)
- MISP Threat Intelligence (MISP_IOC)
- Netskope Web Proxy (NETSKOPE_WEBPROXY)
- Okta User Context (OKTA_USER_CONTEXT)
- Palo Alto Prisma Cloud Alert payload (PAN_PRISMA_CA)
- Peplink Firewall (PEPLINK_FW)
- Pulse Secure (PULSE_SECURE_VPN)
- Qualys Virtual Scanner (QUALYS_VIRTUAL_SCANNER)
- SecureLink (SECURELINK)
- Security Command Center Threat (N/A)
- Sentinelone Alerts (SENTINELONE_ALERT)
- Suricata IDS (SURICATA_IDS)
- Symantec DLP (SYMANTEC_DLP)
- Unix system (NIX_SYSTEM)
- Windows DNS (WINDOWS_DNS)
- Windows Event (WINEVTLOG)
- Windows Event (XML) (WINEVTLOG_XML)
- Workspace Activities (WORKSPACE_ACTIVITY)
- Zimperium (ZIMPERIUM)
- Zscaler Internet Access Audit Logs (ZSCALER_INTERNET_ACCESS)
For details about changes in each parser, see Supported default parsers.
August 16, 2023
Chronicle has updated Rules Engine's YARA-L 2.0 language to support float literals. For more information, see Literals.
Enhancements to strings.concat and strings.coalesce:
- strings.concat has been updated to take an unlimited number of arguments. For more information, see Concatenate strings or numeric types.
- strings.coalesce has been updated to take an unlimited number of arguments. For more information, see Coalesce string values.
August 14, 2023
Added a new argument get_validation_report to fetch the validation report for a parser or a parser extension. For more information, see the Chronicle CLI user guide.
August 10, 2023
UDM Search includes a new feature, called UDM Lookup, that enables you to quickly find a UDM field if you do not know which to include in a UDM Search query. You can search for a field that contains a text string in the name or that stores a specific string value. For more information, see Find a UDM field for search query.
When viewing an event using Event Viewer, each UDM field is labeled with an icon (U or E) that identifies whether the field stores enriched or unenriched data. For more information, see View events in the Event Viewer.
UDM Search behavior has been enhanced. When no search results are returned by a query, the page displays empty panels (Events, Quick Filters, Alerts, etc.) with messages indicating that nothing was found.
August 09, 2023
The following supported default parsers have changed. Each is listed by product name and log_type value, if applicable.
- Apache (APACHE)
- AWS Cloudtrail (AWS_CLOUDTRAIL)
- AWS GuardDuty (GUARDDUTY)
- Azure AD Directory Audit (AZURE_AD_AUDIT)
- Cambium Networks (CAMBIUM_NETWORKS)
- Cisco ASA (CISCO_ASA_FIREWALL)
- Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
- Cisco ISE (CISCO_ISE)
- CrowdStrike Falcon (CS_EDR)
- Department of Homeland Security (DHS_IOC)
- Duo Auth (DUO_AUTH)
- F5 ASM (F5_ASM)
- Fortinet FortiEDR (FORTINET_FORTIEDR)
- GitHub (GITHUB)
- Imperva (IMPERVA_WAF)
- Juniper (JUNIPER_FIREWALL)
- Menlo Security (MENLO_SECURITY)
- Microsoft AD (WINDOWS_AD)
- Microsoft Azure Resource (AZURE_RESOURCE_LOGS)
- Microsoft Defender for Endpoint (MICROSOFT_DEFENDER_ENDPOINT)
- Neosec (NEOSEC)
- Net Suite (NET_SUITE)
- Office 365 (OFFICE_365)
- Oracle Unified Directory (ORACLE_OUD)
- Palo Alto Panorama (PAN_PANORAMA)
- Proofpoint Observeit (OBSERVEIT)
- Qualys Asset Context (QUALYS_ASSET_CONTEXT)
- Qualys Virtual Scanner (QUALYS_VIRTUAL_SCANNER)
- SentinelOne Deep Visibility (SENTINEL_DV)
- Tanium Threat Response (TANIUM_THREAT_RESPONSE)
- Thinkst Canary (THINKST_CANARY)
- TrendMicro Web Proxy (TRENDMICRO_WEBPROXY)
- Vectra Stream (VECTRA_STREAM)
- VMware Workspace ONE (VMWARE_WORKSPACE_ONE)
- Windows Event (WINEVTLOG)
- Workspace Activities (WORKSPACE_ACTIVITY)
For details about changes in each parser, see Supported default parsers.
July 27, 2023
Direct Chronicle customers will begin to see the new self-service parser management feature enabled in their Chronicle instance. This feature allows you to create and customize parsers. After the feature is enabled, you will also see pre-release versions of default parsers listed on the Parsers page before they are released. The pre-release versions are identified as Pending updates.
For more information, see Overview of log parsing and Manage prebuilt and custom parsers.
July 26, 2023
The following supported default parsers have changed. Each is listed by product name and log_type value, if applicable.
- Attivo Networks (ATTIVO)
- AWS Cloudtrail (AWS_CLOUDTRAIL)
- AWS S3 Server Access (AWS_S3_SERVER_ACCESS)
- Azure AD (AZURE_AD)
- Azure AD Directory Audit (AZURE_AD_AUDIT)
- Azure WAF (AZURE_WAF)
- Barracuda WAF (BARRACUDA_WAF)
- Barracuda Web Filter (BARRACUDA_WEBFILTER)
- CA Access Control (CA_ACCESS_CONTROL)
- Carbon Black (CB_EDR)
- Chrome Management (N/A)
- Cisco ISE (CISCO_ISE)
- Cisco Meraki (CISCO_MERAKI)
- Citrix Netscaler (CITRIX_NETSCALER)
- Cloud Audit Logs (N/A)
- Cloud Functions Context (GCP_CLOUD_FUNCTIONS_CONTEXT)
- Cloud SQL Context (GCP_SQL_CONTEXT)
- CrowdStrike Detection Monitoring (CS_DETECTS)
- Darktrace (DARKTRACE)
- Datadog (DATADOG)
- Dell EMC Isilon NAS (DELL_EMC_NAS)
- Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
- F5 BIGIP LTM (F5_BIGIP_LTM)
- FortiGate (FORTINET_FIREWALL)
- Fortinet FortiAnalyzer (FORTINET_FORTIANALYZER)
- Google Cloud Identity Context (CLOUD_IDENTITY_CONTEXT)
- IAM Context (N/A)
- IBM z/OS (IBM_ZOS)
- Imperva Advanced Bot Protection (IMPERVA_ABP)
- Imperva Database (IMPERVA_DB)
- Ipswitch MOVEit Transfer (IPSWITCH_MOVEIT_TRANSFER)
- macOS Endpoint Security (MACOS_ENDPOINT_SECURITY)
- Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
- MISP Threat Intelligence (MISP_IOC)
- Netskope (NETSKOPE_ALERT)
- Office 365 (OFFICE_365)
- Okta User Context (OKTA_USER_CONTEXT)
- Open LDAP (OPENLDAP)
- Proofpoint Observeit (OBSERVEIT)
- Qualys Asset Context (QUALYS_ASSET_CONTEXT)
- Resource Manager Context (GCP_RESOURCE_MANAGER_CONTEXT)
- Security Command Center Threat (N/A)
- Sentinelone Alerts (SENTINELONE_ALERT)
- Tanium Threat Response (TANIUM_THREAT_RESPONSE)
- TrendMicro Web Proxy (TRENDMICRO_WEBPROXY)
- Vectra Stream (VECTRA_STREAM)
- VMware ESXi (VMWARE_ESX)
- Wazuh (WAZUH)
- Windows Event (XML) (WINEVTLOG_XML)
- Workspace Activities (WORKSPACE_ACTIVITY)
- Workspace Users (WORKSPACE_USERS)
For details about changes in each parser, see Supported default parsers.
July 21, 2023
Chronicle is now supported on the Mozilla Firefox browser. When running Chronicle, be sure to use the latest version of Firefox.
July 12, 2023
The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.
- Absolute Mobile Device Management (ABSOLUTE)
- AWS Cloudtrail (AWS_CLOUDTRAIL)
- AWS CloudWatch (AWS_CLOUDWATCH)
- BIND (BIND_DNS)
- Check Point (CHECKPOINT_FIREWALL)
- Chrome Management (N/A)
- Cisco Meraki (CISCO_MERAKI)
- Cloud Audit Logs (N/A)
- Cloud Load Balancing (GCP_LOADBALANCING)
- Cloudflare Audit (CLOUDFLARE_AUDIT)
- F5 ASM (F5_ASM)
- Fortinet FortiEDR (FORTINET_FORTIEDR)
- IBM Security Verify SaaS (IBM_SECURITY_VERIFY_SAAS)
- Imperva FlexProtect (IMPERVA_FLEXPROTECT)
- Jamf Protect Telemetry (JAMF_TELEMETRY)
- Juniper Software Defined Wide Area Network (JUNIPER_SDWAN)
- Microsoft AD (WINDOWS_AD)
- Microsoft Azure Resource (AZURE_RESOURCE_LOGS)
- Microsoft CASB (MICROSOFT_CASB)
- Microsoft Powershell (POWERSHELL)
- Microsoft SQL Server (MICROSOFT_SQL)
- MISP Threat Intelligence (MISP_IOC)
- Netskope (NETSKOPE_ALERT)
- Okta (OKTA)
- SecureAuth (SECUREAUTH_SSO)
- Security Command Center Threat (N/A)
- SentinelOne EDR (SENTINEL_EDR)
- Sierra Wireless (SIERRA_WIRELESS)
- Sourcefire (SOURCEFIRE_IDS)
- Stormshield Firewall (STORMSHIELD_FIREWALL)
- Versa Firewall (VERSA_FIREWALL)
- Windows Event (WINEVTLOG)
- Workspace Activities (WORKSPACE_ACTIVITY)
For details about changes in each parser, see Supported default parsers.
Chronicle Curated Detections has been enhanced with new detection content for Linux threats. These new rule sets help identify threats in Linux environments using AuditD and Unix System logs.
July 10, 2023
Chronicle provides multiple methods to define how data in original raw logs are parsed and normalized to a Unified Data Model (UDM) record. Using the Self Service Parser Management feature, customers can now create and customize parsers. For more information, see Overview of log parsing and Manage prebuilt and custom parsers.
July 06, 2023
When you create dashboards, you can make use of the following enhancements to UDM Events Explore:
- Search and navigation improvements. When you navigate or search for events in UDM Events Explore, the results appear instantly and field names are easy to identify.
- Improvements to field names and descriptions. The field names and path are now consistent with the pattern used in Detection Engine rules and UDM search. For example, the field name Udm Events Principal Hostname now appears as UDM principal.hostname, as in the documentation. Also, in addition to online help, in-context descriptions are available for UDM fields. For example, deprecated fields are indicated by the suffix [D] in the field name.
- User experience improvements in UDM Events Explore. When you use UDM Events Explore, user experience is improved by removing unused and rarely used fields. Also, you can filter based on the grouped fields.
- Field conversion improvements. Added fields that automatically handle conversion of formats. Here are some examples:
  - Enum fields also contain human readable values. For example, the values for the UDM.network.ip_protocol enum also appear as ICMP, TCP, and UDP instead of 1, 2, and 3.
  - Timestamp fields are available in multiple date formats. Previously, timestamp fields were available only in nano and second formats.
  - Location fields are parsed accurately and can be used in maps.
- Report improvements. Made data in reports up-to-date by using the events table in BigQuery. Also, existing reports that previously used udm_events will use the events table.
July 05, 2023
Enhancements to the outcome section in rules:
- Outcome variables can be used to derive the value of another outcome variable.
- Arithmetic expressions can include aggregations, unaggregated event fields, constants, and outcome variables as operands.
June 29, 2023
Google has added Israel (Tel Aviv) as a new region for Chronicle customers. Chronicle can now store customer data in this region. This also adds a new regional endpoint for Chronicle APIs at https://me-west1-backstory.googleapis.com.
June 28, 2023
The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.
- AIX system (AIX_SYSTEM)
- Auth0 (AUTH_ZERO)
- AWS Cloudtrail (AWS_CLOUDTRAIL)
- AWS GuardDuty (GUARDDUTY)
- AWS Security Hub (AWS_SECURITY_HUB)
- AWS Session Manager (AWS_SESSION_MANAGER)
- Blue Coat Proxy (BLUECOAT_WEBPROXY)
- Check Point (CHECKPOINT_FIREWALL)
- Chrome Management (N/A)
- Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
- Cisco Meraki (CISCO_MERAKI)
- Cisco NX-OS (CISCO_NX_OS)
- Cisco Stealthwatch (CISCO_STEALTHWATCH)
- CrowdStrike Falcon (CS_EDR)
- Digi modems (DIGI_MODEMS)
- GitHub (GITHUB)
- IBM Security Verify SaaS (IBM_SECURITY_VERIFY_SAAS)
- Imperva (IMPERVA_WAF)
- Infoblox DNS (INFOBLOX_DNS)
- Jamf Protect Alerts (JAMF_PROTECT)
- Jamf Protect Telemetry (JAMF_TELEMETRY)
- Kisi Access Management (KISI)
- Kubernetes Audit Azure (KUBERNETES_AUDIT_AZURE)
- Kubernetes Node (KUBERNETES_NODE)
- Linux Auditing System (AuditD) (AUDITD)
- McAfee ePolicy Orchestrator (MCAFEE_EPO)
- McAfee MVISION CASB (MCAFEE_MVISION_CASB)
- McAfee Skyhigh CASB (MCAFEE_SKYHIGH_CASB)
- McAfee Web Gateway (MCAFEE_WEBPROXY)
- Microsoft AD (WINDOWS_AD)
- Microsoft AD FS (ADFS)
- Microsoft Defender for Endpoint (MICROSOFT_DEFENDER_ENDPOINT)
- Microsoft Exchange (EXCHANGE_MAIL)
- Netskope Web Proxy (NETSKOPE_WEBPROXY)
- Office 365 (OFFICE_365)
- Open Cybersecurity Schema Framework (OCSF) (OCSF)
- Palo Alto Networks Firewall (PAN_FIREWALL)
- Security Command Center Threat (N/A)
- Static IP (ASSET_STATIC_IP)
- Symantec Web Security Service (SYMANTEC_WSS)
- ThreatLocker Platform (THREATLOCKER)
- Tripwire (TRIPWIRE_FIM)
- VMware NSX (VMWARE_NSX)
- VMware vRealize Suite (VMWARE_VREALIZE)
- Windows DNS (WINDOWS_DNS)
- Windows Event (WINEVTLOG)
- Zscaler (ZSCALER_WEBPROXY)
For details about changes in each parser, see Supported default parsers.
June 23, 2023
The Chronicle Data in BigQuery feature, including the export pipeline and events table, has been improved. Data for the events table is stored as parquet files in Google Cloud Storage, which provides more flexibility for users who want to export data. See Chronicle documentation for more information about data export to BigQuery, the events table, and the BigQuery Access API.
June 22, 2023
You can now share a dashboard file between instances or within an instance between different users. The dashboard can be shared without manually creating copies.
The predefined reference lists for Curated Detections have been replaced by rule exclusions. You will see the following changes:
- Reference lists are not available in the Cloud Threats and Windows Threats categories and are not displayed in the settings page for these rule sets.
- Any category-specific reference lists that were currently empty have been deleted.
- Any category-specific reference lists that were not empty have been migrated to an equivalent rule exclusion.
You can now use rule exclusions to tune the number of alerts returned by Curated Detections.
June 16, 2023
A new Google Cloud Threat Intelligence (GCTI) data source is available, called GCTI Remote Access Tools, that provides additional contextual information when investigating activity in your environment. This data source contains files that have frequently been used by malicious actors. For more information, see Data about remote access tools, and Query data about remote access tools.
June 14, 2023
IOC matching has been changed so that a domain match occurs only if the event timestamp lies within the active time range interval present in the threat intelligence feed. If a threat intelligence feed does not have an active time range interval, an IOC match is returned anytime the domain is identified in feed data. For information about IOC Domain matches, see View IOC matches.
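The time-range rule described above, written out as an added example (not Chronicle code): an indicator with an active interval matches only events whose timestamp falls inside it, while an indicator with no interval matches whenever its domain appears. The feed and event shapes, the closed-interval treatment and the handling of one-sided intervals are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


def _utc(year: int, month: int, day: int) -> datetime:
    """Build a timezone-aware UTC timestamp for the constructed sample data."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class DomainIndicator:
    """One domain entry from a threat intelligence feed (constructed shape, not Chronicle's)."""
    domain: str
    source: str
    # Active time range; both None means the feed supplied no interval.
    active_start: Optional[datetime] = None
    active_end: Optional[datetime] = None


@dataclass(frozen=True)
class Event:
    """Minimal UDM-like event: the domain observed and when it was observed."""
    event_id: str
    timestamp: datetime
    domain: str


def normalize_domain(domain: str) -> str:
    """Case-fold and strip a trailing dot so 'Evil.Example.' and 'evil.example' compare equal."""
    return domain.strip().lower().rstrip(".")


def indicator_is_active(indicator: DomainIndicator, at: datetime) -> bool:
    """Apply the matching rule from the release note.

    - No active interval in the feed: the indicator matches at any time.
    - Otherwise the event timestamp must fall inside the interval. The interval
      is treated as closed on both ends, and a one-sided interval is honoured on
      the side that is given; both are assumptions of this example.
    """
    if indicator.active_start is None and indicator.active_end is None:
        return True
    if indicator.active_start is not None and at < indicator.active_start:
        return False
    if indicator.active_end is not None and at > indicator.active_end:
        return False
    return True


def match_domain_iocs(events: List[Event],
                      feed: List[DomainIndicator]) -> List[Tuple[str, str, str]]:
    """Return (event_id, indicator_domain, source) for each event that hits an active indicator."""
    index: Dict[str, List[DomainIndicator]] = {}
    for ind in feed:
        index.setdefault(normalize_domain(ind.domain), []).append(ind)

    matches: List[Tuple[str, str, str]] = []
    for ev in events:
        for ind in index.get(normalize_domain(ev.domain), []):
            if indicator_is_active(ind, ev.timestamp):
                matches.append((ev.event_id, ind.domain, ind.source))
    return matches


# Constructed sample feed: one time-bounded indicator, one with no interval.
SAMPLE_FEED = [
    DomainIndicator("phish-campaign.example", "feed-a",
                    active_start=_utc(2023, 5, 1), active_end=_utc(2023, 5, 31)),
    DomainIndicator("c2-beacon.example", "feed-b"),
]

# Constructed sample events, with timestamps inside and outside the interval.
SAMPLE_EVENTS = [
    Event("ev-1", _utc(2023, 5, 15), "PHISH-CAMPAIGN.example."),  # inside interval: match
    Event("ev-2", _utc(2023, 6, 10), "phish-campaign.example"),   # after interval: no match
    Event("ev-3", _utc(2021, 1, 1), "c2-beacon.example"),         # no interval: match
    Event("ev-4", _utc(2023, 5, 15), "intranet.example"),         # not in feed: no match
]

if __name__ == "__main__":
    for event_id, domain, source in match_domain_iocs(SAMPLE_EVENTS, SAMPLE_FEED):
        print(f"{event_id}: {domain} ({source})")
```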
The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.
- Microsoft AD FS (ADFS)
- Apache (APACHE)
- Linux Auditing System (AuditD) (AUDITD)
- AWS Cloudtrail (AWS_CLOUDTRAIL)
- Azure Firewall (AZURE_FIREWALL)
- Zeek JSON (BRO_JSON)
- Cisco ASA (CISCO_ASA_FIREWALL)
- Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
- Cisco ISE (CISCO_ISE)
- Cisco Meraki (CISCO_MERAKI)
- Cisco VCS Expressway (CISCO_VCS)
- Corelight (CORELIGHT)
- CrowdStrike Detection Monitoring (CS_DETECTS)
- Digital Guardian DLP (DIGITALGUARDIAN_DLP)
- F5 BIGIP Access Policy Manager (F5_BIGIP_APM)
- Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
- Fluentd Logs (FLUENTD)
- Forcepoint Proxy (FORCEPOINT_WEBPROXY)
- Forescout NAC (FORESCOUT_NAC)
- FortiGate (FORTINET_FIREWALL)
- Apigee (GCP_APIGEE_X)
- Cloud SQL (GCP_CLOUDSQL)
- GitHub (GITHUB)
- GMAIL Logs (GMAIL_LOGS)
- Apache Hadoop (HADOOP)
- Imperva (IMPERVA_WAF)
- Kemp Load Balancer (KEMP_LOADBALANCER)
- McAfee Web Gateway (MCAFEE_WEBPROXY)
- Microsoft Defender for Endpoint (MICROSOFT_DEFENDER_ENDPOINT)
- Cloud Audit Logs (N/A)
- Firewall Rule Logging (N/A)
- Security Command Center Threat (N/A)
- Netskope (NETSKOPE_ALERT)
- Netskope Web Proxy (NETSKOPE_WEBPROXY)
- Office 365 (OFFICE_365)
- Okta (OKTA)
- Okta User Context (OKTA_USER_CONTEXT)
- 1Password (ONEPASSWORD)
- OSQuery (OSQUERY_EDR)
- OSSEC (OSSEC)
- Palo Alto Networks Firewall (PAN_FIREWALL)
- Proofpoint On Demand (PROOFPOINT_ON_DEMAND)
- Proofpoint Web Browser Isolation (PROOFPOINT_WEB_BROWSER_ISOLATION)
- Saviynt Enterprise Identity Cloud (SAVIYNT_EIP)
- SentinelOne EDR (SENTINEL_EDR)
- Sentinelone Alerts (SENTINELONE_ALERT)
- Tripwire (TRIPWIRE_FIM)
- Windows Defender ATP (WINDOWS_DEFENDER_ATP)
- Windows Event (WINEVTLOG)
- WordPress (WORDPRESS_CMS)
- Workspace Activities (WORKSPACE_ACTIVITY)
- ZScaler VPN (ZSCALER_VPN)
For details about changes in each parser, see Supported default parsers.
June 09, 2023
You can now search on fields of type bytes in UDM search. Chronicle uses base64 encoding for byte literals. Byte literals must be enclosed in double quotes prefixed with the letter b, as shown in the following examples:
network.dhcp.client_identifier = b"7Ixbub6A0KMvugAAAAA"
metadata.id = b"AAAAADg51kPYn7Ixbub6A0KMvugAAAAABQAAAAgAAAA="
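As an added example (not Chronicle code), the helpers below build and decode the b"<base64>" byte literals shown above, including the unpadded first example, and assemble a condition on a bytes-typed field such as network.dhcp.client_identifier. The hex-string input format and the field name in the usage block are assumptions for the example.

```python
import base64
import re

# A UDM search byte literal: the letter b, then a double-quoted base64 string.
_BYTE_LITERAL = re.compile(r'^b"([A-Za-z0-9+/]*)(={0,2})"$')


def to_byte_literal(raw: bytes) -> str:
    """Encode raw bytes as the b"<base64>" literal that UDM search expects."""
    return 'b"' + base64.b64encode(raw).decode("ascii") + '"'


def hex_to_byte_literal(hex_value: str) -> str:
    """Convert a hex string (how many raw logs render binary identifiers) into a byte literal.

    Separators commonly seen in logs (colons, dashes, whitespace) are stripped first.
    """
    cleaned = re.sub(r"[:\-\s]", "", hex_value)
    return to_byte_literal(bytes.fromhex(cleaned))


def from_byte_literal(literal: str) -> bytes:
    """Decode a b"..." literal back to bytes.

    Missing '=' padding is tolerated: the first example on the page,
    b"7Ixbub6A0KMvugAAAAA", is 19 characters long and therefore unpadded.
    """
    m = _BYTE_LITERAL.match(literal)
    if not m:
        raise ValueError(f"not a UDM byte literal: {literal!r}")
    body = m.group(1) + m.group(2)
    body += "=" * (-len(body) % 4)  # restore padding to a multiple of four
    return base64.b64decode(body, validate=True)


def udm_bytes_condition(field: str, raw: bytes) -> str:
    """Build a UDM search equality condition on a bytes-typed field."""
    return f"{field} = {to_byte_literal(raw)}"


if __name__ == "__main__":
    # Constructed DHCP client identifier as it might appear in a raw log line.
    raw_client_id = bytes.fromhex("01aabbccddeeff")
    print(udm_bytes_condition("network.dhcp.client_identifier", raw_client_id))
    print(len(from_byte_literal('b"7Ixbub6A0KMvugAAAAA"')), "bytes in the page's first literal")
```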
June 06, 2023
The following changes are available in the Unified Data Model.
- New fields were added to Entity, called risk_score and metric.
- A new field was added to EntityMetadata, called event_metadata.
- The following new types were added to Entity: EntityRisk, Metric, RiskDelta, and Metric.Measure.
- The following new types were added to Event: AttackDetails, ExifInfo, FileMetadataCodesign, FileMetadataPE, FileMetadataSignatureInfo, PDFInfo, SignatureInfo, X509, AttackDetails.Tactic, AttackDetails.Technique, SecurityResult.Association, SecurityResult.Association.AssociationAlias, SecurityResult.Source, SecurityResult.ProviderMLVerdict, SecurityResult.AnalystVerdict, and SecurityResult.Verdict.
- The following new enumerated types were added to Entity: Metric.AggregateFunction, Metric.Dimension, Metric.MetricName, and Relation.EntityLabel.
- The following new enumerated types were added to Event: Process, TokenElevationType, SecurityResult.VerdictResponse, and SecurityResult.Association.AssociationType.
- A new field was added to Relation, called entity_label.
- A new value was added to EntityMetadata.EntityType, called METRIC.
- New fields were added to Event.Metadata, called log_type, base_labels, and enrichment_labels.
- New fields were added to Noun, called security_result and network.
- New fields were added to SecurityResult, called risk_score, attack_details, first_discovered_time, associations, campaigns, and verdicts.
- New fields were added to File, called pe_file, tags, last_analysis_time, embedded_urls, embedded_domains, embedded_ips, exif_info, signature_info, and pdf_info.
- New fields were added to Process, called integrity_level_rid and token_elevation_type.
- New fields were added to SignerInfo, called status, valid_usage, and cert_issuer.
- The Resource.id field was deprecated. Use resource.name or resource.product_object_id instead.
- The following values were added to the EventTypes enumerated type: DEVICE_FIRMWARE_UPDATE, DEVICE_CONFIG_UPDATE, DEVICE_PROGRAM_UPLOAD, and DEVICE_PROGRAM_DOWNLOAD.
- The following additional values were added to the ApplicationProtocol enumerated type: CIP, COTP, DNP3, DICOM, GOOSE, IEC104, MMS, PTP, SNMP, and SV.
- New values were added to the Network.IpProtocol enumerated type, called ICMP and SCTP.
For a list of all fields in the Unified Data Model, and their descriptions, see the Unified Data Model field list.
June 05, 2023
Chronicle now links to a customer-supplied Google Cloud Project to integrate more closely with Google Cloud services, such as Cloud IAM, Cloud Monitoring, and Cloud Audit Logs. Customers can now use Cloud IAM and workforce identity federation to authenticate using their existing identity provider.
Chronicle provides an onboarding and migration portal, available via Cloud Console, where new customers are able to provision and configure a new Chronicle SIEM instance, and existing customers can bind their current Chronicle SIEM instance to Google Cloud services.
For more information, see the following documentation:
June 02, 2023
The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.
- Aruba (ARUBA_WIRELESS)
- AWS Cloudtrail (AWS_CLOUDTRAIL)
- Azure AD Directory Audit (AZURE_AD_AUDIT)
- Cato Networks (CATO_NETWORKS)
- Cisco ISE (CISCO_ISE)
- Cisco Meraki (CISCO_MERAKI)
- Cisco PIX Firewall (CISCO_PIX_FIREWALL)
- Dope Security SWG (DOPE_SWG)
- F5 BIGIP LTM (F5_BIGIP_LTM)
- Falco IDS (FALCO_IDS)
- Fidelis Network (FIDELIS_NETWORK)
- ForgeRock OpenAM (OPENAM)
- FortiGate (FORTINET_FIREWALL)
- FortiMail Email Security (FORTINET_FORTIMAIL)
- Fortinet Web Application Firewall (FORTINET_FORTIWEB)
- GMAIL Logs (GMAIL_LOGS)
- IBM Safenet (IBM_SAFENET)
- IBM Security Access Manager (IBM_SAM)
- IBM Security QRadar SIEM (IBM_QRADAR)
- Microsoft Defender for Endpoint (MICROSOFT_DEFENDER_ENDPOINT)
- Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
- Mongo Database (MONGO_DB)
- Office 365 (OFFICE_365)
- Okta (OKTA)
- Oracle Cloud Infrastructure Audit Logs (OCI_AUDIT)
- Proofpoint Threat Response (PROOFPOINT_TRAP)
- Pulse Secure (PULSE_SECURE_VPN)
- Security Command Center Threat (N/A)
- Sentinelone Alerts (SENTINELONE_ALERT)
- SentinelOne EDR (SENTINEL_EDR)
- ServiceNow CMDB (SERVICENOW_CMDB)
- SonicWall (SONIC_FIREWALL)
- Strong Swan VPN (STRONGSWAN_VPN)
- ThreatLocker Platform (THREATLOCKER)
- VMware vRealize Suite (VMWARE_VREALIZE)
- VPC Flow Logs (GCP_VPC_FLOW)
- WatchGuard (WATCHGUARD)
- Windows DNS (WINDOWS_DNS)
- Windows Event (WINEVTLOG)
- Workspace Activities (WORKSPACE_ACTIVITY)
For details about changes in each parser, see Supported default parsers.
June 01, 2023
Updated content to reflect the new Alert view and Alert list. The following changes have been made to Alert view:
- New Overview and Alert History tabs. The Overview section provides a snapshot of important alert information. This is separate from the History tab to clearly differentiate between alert investigation and audit area.
- The Detection widget now has a View other alerts from this rule button, which gives fast access to other alerts generated by the same rule so users can pivot between them.
- Updated information on how to close an alert and change alert status.
- Updated information on how to adjust the time range.
- Updated information on how to apply single and multiple filters.
The following changes have been made to Alert list:
- Expanded columns to include Risk Score and Tags. This helps users to focus on and prioritize high-risk and critical security findings.
- Ingestion Time and Last Modified were also added to Alert List.
- Users can now customize the columns in the Alert list by adding or removing columns from the table.
- Expanded filters to include OR and AND operators to allow more complex filtering.
- Updated information on how to refresh Alert List.
These changes are documented in Investigate an alert and View Alerts and IOCs.
May 26, 2023
Starting June 7, 2023, Chronicle will no longer use reference lists to reduce the number of alerts generated by Curated Detection rule sets. The predefined reference lists for Curated Detections will be replaced by rule exclusions. You will see the following changes:
- Reference lists will not be available in the Cloud Threats and Windows Threats categories and will not be displayed in the settings page for these rule sets.
- Any category-specific reference lists that are currently empty will be deleted.
- Any category-specific reference lists that are not empty will be automatically migrated to an equivalent rule exclusion.
No action is required. Rule set behavior should not be affected because category-specific reference lists will be replaced with rule exclusions.
Going forward, we recommend using rule exclusions to tune the number of alerts returned by Curated Detections.
The end of support process is gradual, and you may see some Curated Detection rule sets in a partial migration state before the process is complete. The process should complete by June 21, 2023.
May 25, 2023
On or after July 1, 2023, the existing udm_events table in Chronicle-managed BigQuery projects will be fully replaced with a new table named events. This new table is currently available for all customers. Chronicle will handle all changes in-product for this new table. Customers issuing queries against the udm_events table through the Cloud console or through the API should fully migrate queries to the new table by July 1 to avoid interruption.
May 24, 2023
Chronicle has updated Rules Engine's YARA-L 2.0 language to support more functionality for handling arrays.
A new arrays.length() function has been added. This function returns the number of elements in a repeated field. For more information, see YARA-L 2.0 language syntax.
You can now perform array indexing on repeated fields using bracket notation. This lets you access an element of a repeated field at a specific index. For more information, see YARA-L 2.0 language syntax.
Chronicle Curated Detections has been enhanced with the following additional detection content for Cloud threats. A new rule set was added, called Cloud SQL Ransom, that detects activity associated with exfiltration or ransom of data within Cloud SQL databases.
May 23, 2023
Single event rules meeting all of the following conditions have been reclassified as multiple event rules to increase detections:
- Includes a match section.
- Includes one or more conditions on outcome variables in the condition section.
- Includes a simple existence condition on exactly one event variable in the condition section.
Affected rules will be automatically reprocessed to find any missed detections over the next 5 to 6 business days.
May 19, 2023
The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.
- 1Password (ONEPASSWORD)
- AMD Pensando DSS Firewall (AMD_DSS_FIREWALL)
- Atlassian Confluence (ATLASSIAN_CONFLUENCE)
- AWS Network Firewall (AWS_NETWORK_FIREWALL)
- AWS Route 53 DNS (AWS_ROUTE_53)
- AWS S3 Server Access (AWS_S3_SERVER_ACCESS)
- Azure AD Directory Audit (AZURE_AD_AUDIT)
- Bitdefender (BITDEFENDER)
- Check Point (CHECKPOINT_FIREWALL)
- Cisco ASA (CISCO_ASA_FIREWALL)
- Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
- Cisco Firewall Services Module (CISCO_FWSM)
- Cisco Router (CISCO_ROUTER)
- Cisco Vision Dynamic Signage Director (CISCO_STADIUMVISION)
- Cloud DNS (N/A)
- CrowdStrike Falcon (CS_EDR)
- Crowdstrike IOC (CROWDSTRIKE_IOC)
- F5 Advanced Firewall Management (F5_AFM)
- F5 ASM (F5_ASM)
- F5 BIGIP LTM (F5_BIGIP_LTM)
- FireEye HX (FIREEYE_HX)
- ForgeRock OpenAM (OPENAM)
- Fortinet FortiAnalyzer (FORTINET_FORTIANALYZER)
- Fortinet FortiEDR (FORTINET_FORTIEDR)
- HAProxy (HAPROXY)
- Juniper (JUNIPER_FIREWALL)
- Microsoft IIS (IIS)
- Microsoft SQL Server (MICROSOFT_SQL)
- Office 365 Message Trace (OFFICE_365_MESSAGETRACE)
- Okta User Context (OKTA_USER_CONTEXT)
- OpenSSH (OPENSSH)
- Oracle Cloud Infrastructure VCN Flow Logs (OCI_FLOW)
- Proofpoint Observeit (OBSERVEIT)
- Rapid7 Insight (RAPID7_INSIGHT)
- SAP Netweaver (SAP_NETWEAVER)
- Security Command Center Threat (N/A)
- Splunk Platform (SPLUNK)
- Teleport Access Plane (TELEPORT_ACCESS_PLANE)
- Thinkst Canary (THINKST_CANARY)
- Trend Micro AV (TRENDMICRO_AV)
- Trustwave webmarshal (WEBMARSHAL)
- VMware AirWatch (AIRWATCH)
- WatchGuard (WATCHGUARD)
For details about changes in each parser, see Supported default parsers.
May 10, 2023
The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.
- Aruba EdgeConnect SD-WAN (ARUBA_EDGECONNECT_SDWAN)
- AWS RDS (AWS_RDS)
- Cloud Audit Logs (N/A)
- Cloud DNS (N/A)
- Cloud Run (N/A)
- Cloud SQL (N/A)
- Cofense (COFENSE_TRIAGE)
- CoSoSys Protector (ENDPOINT_PROTECTOR_DLP)
- Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
- Microsoft Defender for Endpoint (MICROSOFT_DEFENDER_ENDPOINT)
- pfSense (PFSENSE)
- Qualys VM (QUALYS_VM)
- SentinelOne EDR (SENTINEL_EDR)
- VMware AirWatch (AIRWATCH)
- VMware vRealize Suite (VMWARE_VREALIZE)
- Windows Event (WINEVTLOG)
For details about changes in each parser, see Supported default parsers.
May 04, 2023
Chronicle made the following changes to the detection engine rules and YARA-L language:
- Expanded support for arithmetic operations. You can now use multiplication and division in the events section and outcome section of rules. For more information, see Mathematical operations.
- You can now join an event with an entity, and then check for absence of the event. For more information, see Event and placeholder conditionals.
- Keywords, such as and, match, or condition, in YARA-L 2.0 are now case-insensitive. This change does not affect function names, which are case sensitive. For a list of keywords, see Keywords.
- A new coalesce() function has been added to the YARA-L syntax. This function returns the first non-empty string passed to it. For more information, see YARA-L 2.0 language syntax.
- You can now use the nocase keyword when evaluating a reference list to perform case-insensitive matching for both String and Regex reference lists. For more information, see Reference lists syntax.
- Reference list limits have increased. Chronicle increased the maximum number of lines for Regex type reference lists to 100 and for CIDR type reference lists to 150. In addition, Chronicle increased the maximum number of statements in a rule that evaluate a reference list from 2 to 4.
May 02, 2023
The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.
- 1Password (ONEPASSWORD)
- Akamai WAF (AKAMAI_WAF)
- AppOmni (APPOMNI)
- Arcsight CEF (ARCSIGHT_CEF)
- Azure AD Directory Audit (AZURE_AD_AUDIT)
- Blue Coat Proxy (BLUECOAT_WEBPROXY)
- Check Point (CHECKPOINT_FIREWALL)
- Cisco ASA (CISCO_ASA_FIREWALL)
- Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
- Cisco ISE (CISCO_ISE)
- Cisco Switch (CISCO_SWITCH)
- Cloud Audit Logs (N/A)
- Cloud Storage Context (N/A)
- Cloudflare (CLOUDFLARE)
- CrowdStrike Detection Monitoring (CS_DETECTS)
- CrowdStrike Falcon (CS_EDR)
- DigitalArts i-Filter (DIGITALARTS_IFILTER)
- FireEye HX (FIREEYE_HX)
- FortiGate (FORTINET_FIREWALL)
- Hashicorp Vault (HASHICORP)
- Imperva (IMPERVA_WAF)
- Imperva SecureSphere Management (IMPERVA_SECURESPHERE)
- Infoblox DHCP (INFOBLOX_DHCP)
- JAMF CMDB (JAMF)
- Linux Auditing System (AuditD) (AUDITD)
- Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
- NetApp SAN (NETAPP_SAN)
- Office 365 (OFFICE_365)
- Okta (OKTA)
- Palo Alto Networks Firewall (PAN_FIREWALL)
- Ping Federate (PING_FEDERATE)
- Qualys Scan (QUALYS_SCAN)
- Security Command Center Threat (N/A)
- SentinelOne EDR (SENTINEL_EDR)
- Snyk Group level audit Logs (SNYK_SDLC)
- Symantec Endpoint Protection (SEP)
- Unix system (NIX_SYSTEM)
- Vectra Detect (VECTRA_DETECT)
- Windows DNS (WINDOWS_DNS)
- Windows Event (WINEVTLOG)
- Workspace Activities (WORKSPACE_ACTIVITY)
- Workspace Alerts (WORKSPACE_ALERTS)
- Workspace ChromeOS Devices (WORKSPACE_CHROMEOS)
- Workspace Groups (WORKSPACE_GROUPS)
- Workspace Mobile Devices (WORKSPACE_MOBILE)
- Workspace Privileges (WORKSPACE_PRIVILEGES)
- Workspace Users (WORKSPACE_USERS)
For details about changes in each parser, see Supported default parsers.
May 01, 2023
The UDM Search Pivot Table enables you to further analyze your UDM search results, giving you the following capabilities:
- Group search results by up to five UDM fields.
- Perform aggregations (sum, count, count distinct, average, stddev, min, and max) on up to five values within the UDM fields (for example, domains, users, and products).
- Sort results of the pivot table (ascending, descending).
This feature is being enabled for global customers in a phased manner and is expected to fully roll out over the next month.
April 25, 2023
Chronicle forwarder executable for Windows is deprecated and is scheduled for shutdown on March 31, 2024. To install the Chronicle forwarder on Microsoft Windows, use Chronicle forwarder for Windows on Docker.
You can now install and configure Chronicle forwarder for Windows on Docker. This Docker installation provides better security through isolation, and the container distribution mechanism can be kept private and separate for Google Cloud and customers. This release also includes the following updates:
- The forwarder signing key will be rotated every 6 months for security. You must update the Chronicle forwarder for Windows on Docker image every 6 months.
- The minimum batch size for the forwarder is now increased to 200KB for better performance.
- Data compression is now enabled by default. It reduces network bandwidth consumption by 80%.
- Hot config loading is now supported and applies configuration changes within 5 minutes without the need to restart the forwarder.
- Automatic buffering handles spikes in incoming traffic by efficiently using available memory on the host system. This feature is optional.
April 21, 2023
The Chronicle forwarder for Linux has been enhanced with the following changes:
- After you make a change to a configuration file, either <FORWARDER_NAME>.conf or <FORWARDER_NAME>_auth.conf, the change is automatically applied within 5 minutes. You no longer need to restart the container to apply the configuration changes. For information about changing configuration files, see Customize the configuration files.
- You can now configure automatic memory buffering, which is a dynamically shared buffer used by collectors on a system. You specify the target memory utilization as a percentage of system RAM. For more information, see Configure disk buffering.
- The forwarder's minimum batch size increased to 200 KB for better performance.
- Data compression is now enabled by default, which reduces network bandwidth consumption by 80%.
If you have not updated the Chronicle forwarder for Linux Docker image since April 1, 2023, you must update it before October 31, 2023. This ensures that the Forwarder Bundle continues to receive updates.
April 20, 2023
Chronicle enhanced the detection engine so that all rules have a value set to the $risk_score variable. With this change, rules that do not have a $risk_score variable defined in the outcome section will have one of the following default values set:
- If the rule is configured to generate an alert, then $risk_score is set to 40.
- If the rule is not configured to generate an alert, then $risk_score is set to 15.
This change applies to all existing rules and new rules that do not have a $risk_score variable defined. The change does not impact rules that define the $risk_score variable in the outcome section of the rule.
For more information about the $risk_score variable, see Outcome section syntax.
April 19, 2023
Chronicle released the following additional data enrichment and precomputed analytic capabilities that can provide additional context during an investigation:
- Enriched entities with WHOIS data.
- Enriched entities with VirusTotal relationship data.
- Enriched events with VirusTotal file metadata.
- Data from Google Cloud Threat Intelligence curated threat feeds.
- Precomputed first-seen and last-seen occurrence for domains, IP addresses, and file hashes (SHA256, SHA1, MD5).
- Precomputed first-seen occurrence for assets and users.
For more information, see the following documents:
April 14, 2023
The UDM saved search options have been simplified and enhanced. From the UDM Search page, click Save to save your UDM search.
You can now specify placeholder variables in the format $<variable name>, using the same format as is used for variables in YARA-L.
If you add a variable to a UDM search, you must also include a prompt to help the user to understand what information they need to enter before they run the search. All variables must be populated with values prior to a search being run.
April 13, 2023
The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.
- Akamai WAF (AKAMAI_WAF)
- Area1 Security (AREA1)
- Atlassian Confluence (ATLASSIAN_CONFLUENCE)
- AWS VPC Flow (AWS_VPC_FLOW)
- Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
- Cloud Audit Logs (N/A)
- Cloud Intrusion Detection System (GCP_IDS)
- Cloud Load Balancing (GCP_LOADBALANCING)
- Cloud NAT (N/A)
- Cloudflare (CLOUDFLARE)
- F5 ASM (F5_ASM)
- Security Command Center Threat (N/A)
- GMAIL Logs (GMAIL_LOGS)
- JumpCloud Directory Insights (JUMPCLOUD_DIRECTORY_INSIGHTS)
- Kubernetes Node logs (KUBERNETES_NODE)
- Linux Auditing System (AuditD) (AUDITD)
- Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
- Mimecast (MIMECAST_MAIL)
- NetApp ONTAP (NETAPP_ONTAP)
- Office 365 (OFFICE_365)
- Okta (OKTA)
- Ping Identity (PING)
- SentinelOne Deep Visibility (SENTINEL_DV)
- Sophos Firewall (Next Gen) (SOPHOS_FIREWALL)
- Symantec Endpoint Protection (SEP)
- Trustwave SEC MailMarshal (MAILMARSHAL)
- Unix system (NIX_SYSTEM)
For details about changes in each parser, see Supported default parsers.
April 03, 2023
Google has added Australia (Sydney) as a new region for Chronicle customers. Chronicle can now store customer data in this region. This also adds a new regional endpoint for Chronicle APIs at https://australia-southeast1-backstory.googleapis.com/.
March 30, 2023
Grouped fields are aliases for groups of related UDM fields. You can use them to query multiple UDM fields at the same time without typing each field individually. For example, you can use the IP address grouped field to search for an IP address across most of the common UDM IP address fields.
You can match a grouped field using a regular expression and using the nocase operator. Reference lists are supported. Grouped fields can be used in combination with regular UDM fields. Grouped fields also have a separate section in Quick Filters.
March 29, 2023
The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.
- Area1 Security (AREA1)
- AWS Security Hub (AWS_SECURITY_HUB)
- Azure AD (AZURE_AD)
- Carbon Black (CB_EDR)
- Cisco ASA (CISCO_ASA_FIREWALL)
- Cisco Switch (CISCO_SWITCH)
- Cloud Audit Logs (N/A)
- CrowdStrike Falcon (CS_EDR)
- Darktrace (DARKTRACE)
- Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
- Google Chrome Browser Cloud Management (CBCM) (N/A)
- Hashicorp Vault (HASHICORP)
- Illumio Core (ILLUMIO_CORE)
- Linux Auditing System (AuditD) (AUDITD)
- ManageEngine ADAudit Plus (ADAUDIT_PLUS)
- Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
- Netskope (NETSKOPE_ALERT)
- Office 365 (OFFICE_365)
- Okta (OKTA)
- Palo Alto Networks Firewall (PAN_FIREWALL)
- Seqrite Endpoint Security (EPS) (SEQRITE_ENDPOINT)
- STIX Threat Intelligence (STIX)
- Trend Micro Vision One (TRENDMICRO_VISION_ONE)
- Unix system (NIX_SYSTEM)
- VMware vRealize Suite (VMWARE_VREALIZE)
- Windows Event (WINEVTLOG)
- Windows Event (XML) (WINEVTLOG_XML)
- Workspace Alerts (WORKSPACE_ALERTS)
- ZScaler NGFW (ZSCALER_FIREWALL)
For details about changes in each parser, see Supported default parsers.
March 23, 2023
The SentinelOne Alert feed has been enhanced to enable you to configure the feed to ingest both alerts and threats or only threats.
When the Is alert API subscribed checkbox is selected in the application, or when the isAlertApiSubscribed field is set to true in the API request, the feed will ingest both alerts and threats. When the checkbox is deselected, or the isAlertApiSubscribed field is set to false in the API request, only threats are ingested. This configuration is available when creating a new feed. Existing feeds were enhanced in a previous release to ingest both alerts and threats.
Only configure the feed to ingest both alerts and threats if you have subscribed to alerts in SentinelOne. If you have not subscribed to alerts in SentinelOne, then configure the feed to ingest threats only.
March 15, 2023
The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.
- BloxOne Threat Defense (BLOXONE)
- Carbon Black (CB_EDR)
- Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
- Cisco ISE (CISCO_ISE)
- Cisco Meraki (CISCO_MERAKI)
- CrowdStrike Falcon (CS_EDR)
- Duo Administrator Logs (DUO_ADMIN)
- Elastic Audit Beats (ELASTIC_AUDITBEAT)
- Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
- F5 BIGIP LTM (F5_BIGIP_LTM)
- FortiGate (FORTINET_FIREWALL)
- Imperva CEF (IMPERVA_CEF)
- Infoblox (INFOBLOX)
- JAMF CMDB (JAMF)
- Juniper (JUNIPER_FIREWALL)
- Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
- Microsoft IIS (IIS)
- Nyansa Events (NYANSA_EVENTS)
- Office 365 (OFFICE_365)
- Onfido (ONFIDO)
- Palo Alto Networks Firewall (PAN_FIREWALL)
- Samba SMBD (SMBD)
- Sentinelone Alerts (SENTINELONE_ALERT)
- SentinelOne EDR (SENTINEL_EDR)
- SonicWall (SONIC_FIREWALL)
- Symantec VIP Gateway (SYMANTEC_VIP)
- Tanium Threat Response (TANIUM_THREAT_RESPONSE)
- Unix system (NIX_SYSTEM)
- VMware NSX (VMWARE_NSX)
- Windows Defender ATP (WINDOWS_DEFENDER_ATP)
- Workspace Activities (WORKSPACE_ACTIVITY)
For details about changes in each parser, see Supported default parsers.
March 10, 2023
The [all namespaces] menu item in Asset view will be removed on July 1, 2023. This change will not impact the ability to view and filter events assigned the default namespace, using the [untagged] menu item, or to view and filter events with custom namespace labels that were assigned to incoming logs.
March 09, 2023
The SentinelOne Alert feed has been enhanced to ingest both alerts and threats. No change is needed to the feed configuration. If data contains both alerts and threats, then both types of data will be ingested.
March 01, 2023
Schedule Chronicle dashboard reports
You can schedule the delivery of Chronicle dashboard reports over email for both the default dashboards and custom dashboards. In addition to setting the time interval, email address, and format to deliver the report, you can also set the pagination details and test the delivery of the report. For more information, see Schedule Chronicle dashboard reports.
Chronicle Feed Management enhanced the support for the Qualys VM log type to include Qualys VM Detections API. See the Feed Management documentation for information.
The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.
- 1Password (ONEPASSWORD)
- Airlock Digital Application Allowlisting (AIRLOCK_DIGITAL)
- Apache (APACHE)
- Atlassian Confluence (ATLASSIAN_CONFLUENCE)
- AWS Cloudtrail (AWS_CLOUDTRAIL)
- Azure AD Directory Audit (AZURE_AD_AUDIT)
- Azure Cosmos DB (AZURE_COSMOS_DB)
- Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
- Compute Engine (GCP_COMPUTE)
- CrowdStrike Detection Monitoring (CS_DETECTS)
- CrowdStrike Falcon (CS_EDR)
- Cybereason EDR (CYBEREASON_EDR)
- F5 BIGIP LTM (F5_BIGIP_LTM)
- Forcepoint NGFW (FORCEPOINT_FIREWALL)
- FortiGate (FORTINET_FIREWALL)
- Google Chrome Browser Cloud Management (CBCM) (N/A)
- iBoss Proxy (IBOSS_WEBPROXY)
- JumpCloud Directory Insights (JUMPCLOUD_DIRECTORY_INSIGHTS)
- Juniper Mist (JUNIPER_MIST)
- Kubernetes Node logs (KUBERNETES_NODE)
- Microsoft Azure Activity (AZURE_ACTIVITY)
- Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
- Okta (OKTA)
- Okta Access Gateway (OKTA_ACCESS_GATEWAY)
- Palo Alto Networks Firewall (PAN_FIREWALL)
- pfSense (PFSENSE)
- Salesforce (SALESFORCE)
- Sentinelone Alerts (SENTINELONE_ALERT)
- SentinelOne EDR (SENTINEL_EDR)
- Signal Sciences WAF (SIGNAL_SCIENCES_WAF)
- SonicWall (SONIC_FIREWALL)
- Windows Event (WINEVTLOG)
- Workspace Activities (WORKSPACE_ACTIVITY)
- Yubico OTP (YUBICO_OTP)
- Zscaler Private Access (ZSCALER_ZPA)
For details about changes in each parser, see Supported default parsers.
February 17, 2023
The query limit for the udmSearch method has been increased from 60 to 120 queries per hour (QPH). The maximum number of events which can be returned using the udmSearch method has been increased from 1,000 to 10,000.
You can now specify single-line comments and block comments in UDM search. You can also now use UDM search to find values of type float (floating point numbers) and bool (boolean).
February 15, 2023
The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.
- 1Password (ONEPASSWORD)
- Atlassian Jira (ATLASSIAN_JIRA)
- AWS GuardDuty (GUARDDUTY)
- Azure AD Directory Audit (AZURE_AD_AUDIT)
- Azure AD Organizational Context (AZURE_AD_CONTEXT)
- Carbon Black (CB_EDR)
- Cisco Stealthwatch (CISCO_STEALTHWATCH)
- Cisco WLC/WCS (CISCO_WIRELESS)
- Cloudflare WAF (CLOUDFLARE_WAF)
- CrowdStrike Detection Monitoring (CS_DETECTS)
- CrowdStrike Falcon (CS_EDR)
- Cybereason EDR (CYBEREASON_EDR)
- DigitalArts i-Filter (DIGITALARTS_IFILTER)
- F5 ASM (F5_ASM)
- F5 BIGIP LTM (F5_BIGIP_LTM)
- Google Chrome Browser Cloud Management (CBCM) (N/A)
- Imperva (IMPERVA_WAF)
- Imperva Database (IMPERVA_DB)
- Ipswitch MOVEit Transfer (IPSWITCH_MOVEIT_TRANSFER)
- Linux Auditing System (AuditD) (AUDITD)
- Microsoft AD FS (ADFS)
- Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
- Mobileiron (MOBILEIRON)
- Netskope Web Proxy (NETSKOPE_WEBPROXY)
- Palo Alto Cortex XDR Events (PAN_CORTEX_XDR_EVENTS)
- Palo Alto Networks Firewall (PAN_FIREWALL)
- Samba SMBD (SMBD)
- Sentinelone Alerts (SENTINELONE_ALERT)
- SentinelOne Deep Visibility (SENTINEL_DV)
- SentinelOne EDR (SENTINEL_EDR)
- SonicWall (SONIC_FIREWALL)
- Trend Micro AV (TRENDMICRO_AV)
- VMware vCenter (VMWARE_VCENTER)
- Windows DNS (WINDOWS_DNS)
- Windows Event (WINEVTLOG)
For details about changes in each parser, see Supported default parsers.
February 09, 2023
Chronicle has released additional ingestion scripts, written in Python, that can be deployed as Cloud Functions. These scripts ingest data from the following log sources, listed by name and ingestion label:
- Aruba Central (ARUBA_CENTRAL)
- Azure Event Hub (configurable log type)
- Cloud Storage (configurable log type)
- Proofpoint (configurable log type)
- Tenable.io (TENABLE_IO)
- Trend Micro Cloud App Security (configurable log type)
- Trend Micro Vision One audit logs (TREND_MICRO_VISION_AUDIT)
The scripts can be used as-is or as templates to customize and ingest logs from another product. They are located in the Chronicle GitHub repository. See Use ingestion scripts deployed as Cloud Functions for instructions about how to configure and deploy the scripts in your environment.
In the outcome section of a rule, you can now define up to 20 outcome variables with arbitrary names. These outcomes are stored in the detections generated by the rule, and each detection may carry different values for them.
February 01, 2023
The Alerts in Search feature is the newest addition to the UDM Search capability. This new feature allows you to do the following:
- View and investigate all alerts associated with the search query criteria
- See which events are associated with one or more alerts
- See details about alerts in Alert viewer and Alert details
- Pivot to the new Alert view
This feature is being enabled for global customers in a phased manner and is expected to fully roll out over the next month.
The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.
- 1Password (ONEPASSWORD)
- Azure AD Organizational Context (AZURE_AD_CONTEXT)
- Barracuda Email (BARRACUDA_EMAIL)
- Carbon Black (CB_EDR)
- Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
- Cisco Switch (CISCO_SWITCH)
- Google Chrome Browser Cloud Management (CBCM) (N/A)
- IBM Security Verify (IBM_SECURITY_VERIFY)
- Imperva (IMPERVA_WAF)
- Infoblox (INFOBLOX)
- Infoblox DNS (INFOBLOX_DNS)
- Linux Auditing System (AuditD) (AUDITD)
- McAfee Web Gateway (MCAFEE_WEBPROXY)
- Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
- Microsoft SQL Server (MICROSOFT_SQL)
- Nutanix Prism (NUTANIX_PRISM)
- Office 365 (OFFICE_365)
- Okera Dynamic Access Platform (OKERA_DAP)
- Palo Alto Networks Firewall (PAN_FIREWALL)
- Proofpoint Observeit (OBSERVEIT)
- Qualys VM (QUALYS_VM)
- Sentinelone Alerts (SENTINELONE_ALERT)
- SentinelOne EDR (SENTINEL_EDR)
- Symantec Endpoint Protection (SEP)
- WatchGuard (WATCHGUARD)
- Windows Event (WINEVTLOG)
- Windows Event (XML) (WINEVTLOG_XML)
- Windows Sysmon (WINDOWS_SYSMON)
For details about changes in each parser, see Supported default parsers.
January 31, 2023
Geolocation enrichment from an IP address
Chronicle provides geolocation data enrichment (GeoIP data) for external IP addresses to enable more powerful rule detections and greater context for investigations. Chronicle uses location data provided by Google to provide an approximate geographic location for an external IP address. For more information, see:
The Chronicle Curated Detections > Cloud Threats policy has been enhanced with the following changes:
- Admin Action rule set: added a new exclusion list, called gcti__cld__admin_action__network_http_user_agent__exclusion_list, that enables you to exclude events based on the HTTP User Agent string.
- IAM Abuse rule set: added a new exclusion list, called gcti__cld__iamabuse__network_http_user_agent__exclusion_list, that enables you to exclude events based on the HTTP User Agent string.
January 30, 2023
The following changes are available in the Unified Data Model:
Added the following fields to the Software object:
- Software.description
- Software.vendor_name
Deprecated the Location.region_latitude and Location.region_longitude fields. Use the following Location fields instead:
- Location.region_coordinates.latitude
- Location.region_coordinates.longitude
Deprecated the Noun.ip_location field. Use Noun.ip_geo_artifact.location instead.
Added the following fields to the File object, File.stat_mode, File.stat_inode, File.stat_dev, File.stat_nlink, File.stat_flags.
For a list of all fields in the Unified Data Model, and their descriptions, see the Unified Data Model field list.
January 20, 2023
ListCuratedRules and ListCuratedRuleDetections
Two new methods are now available for the Detection Engine API. ListCuratedRules enables you to return a current list of all of the Chronicle rules with detections. ListCuratedRuleDetections enables you to return a list of the detections associated with a specified rule.
The following changes are available in the Unified Data Model:
- A new field, called source_labels, was added to EntityMetadata.
- A new field, called enrichment_state, was added to event.metadata.
- A new field, called ip_geo_artifact, was added to Noun.
- A new field, called parsed_user_agent, was added to network.http.
- A new enumerated list, called Metadata.EnrichmentState, was added.
- A new type, called Artifact, was added.
- The following values were added to the relation.relationship enumerated list: EXECUTES, DOWNLOADED_FROM, and CONTACTS.
- The following values were added to the Noun.Platform enumerated list: IOS, ANDROID, and CHROME_OS.
- A new value, called TOR_EXIT_NODE, was added to the SecurityResult.SecurityCategory enumerated list.
For a list of all fields in the Unified Data Model, and their descriptions, see the Unified Data Model field list.
January 19, 2023
Chronicle has released a set of ingestion scripts, written in Python, that can be deployed as Cloud Functions. These scripts ingest data from the following log sources, listed by name and ingestion label:
- Citrix audit logs (CITRIX_MONITOR)
- Duo Admin (DUO_ADMIN)
- One Login User Context (ONELOGIN_USER_CONTEXT)
- MISP (MISP_IOC)
- Citrix session metadata (CITRIX_SESSION_METADATA)
- Slack Audit (SLACK_AUDIT)
- Box (BOX)
- OneLogin (ONELOGIN_SSO)
- Google Cloud Pub/Sub
- STIX/TAXII threat intelligence (STIX)
The scripts can be used as-is or as templates to customize and ingest logs from another product. They are located in the Chronicle GitHub repository. See Use ingestion scripts deployed as Cloud Functions for instructions about how to configure and deploy the scripts in your environment.
January 18, 2023
The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.
- Atlassian Jira (ATLASSIAN_JIRA)
- Azure AD (AZURE_AD)
- CrowdStrike Falcon (CS_EDR)
- ESET AV (ESET_AV)
- FortiGate (FORTINET_FIREWALL)
- GitHub (GITHUB)
- Infoblox (INFOBLOX)
- Juniper (JUNIPER_FIREWALL)
- Juniper Junos (JUNIPER_JUNOS)
- Kubernetes Node logs (KUBERNETES_NODE)
- McAfee Web Gateway (MCAFEE_WEBPROXY)
- Microsoft Defender for Endpoint (MICROSOFT_DEFENDER_ENDPOINT)
- Netskope Web Proxy (NETSKOPE_WEBPROXY)
- Office 365 (OFFICE_365)
- Pulse Secure (PULSE_SECURE_VPN)
- Ruckus Networks (RUCKUS_WIRELESS)
- Sentinelone Alerts (SENTINELONE_ALERT)
- SentinelOne EDR (SENTINEL_EDR)
- Silverfort Authentication Platform (SILVERFORT)
- VMware vCenter (VMWARE_VCENTER)
- Windows Event (XML) (WINEVTLOG_XML)
- Zscaler (ZSCALER_WEBPROXY)
For details about changes in each parser, see Supported default parsers.
January 13, 2023
Chronicle Curated Detections has been enhanced with the following additional detection content for Cloud threats. A new rule set was added, called Resource Masquerading, that detects Google Cloud resources created with names or characteristics of another resource or resource type. This could be used to mask malicious activity carried out by or within the resource, with the intent of appearing legitimate.
January 10, 2023
Multiple enhancements were made to the UDM Search capability, including the additions of search templates and shared searches. You can now do the following in UDM Search:
- Use Chronicle-provided pre-made search templates in Quick Searches and Search Manager
- Create, edit, and share searches in Search Manager (an enhancement to Saved Searches)
- Use reference lists in UDM searches
January 06, 2023
Chronicle Curated Detections has been enhanced with the following additional detection content for Windows-based threats. A new rule set was added, called Anomalous PowerShell, that identifies PowerShell commands containing obfuscation techniques or other anomalous behavior.
January 04, 2023
The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.
- AWS CloudWatch (AWS_CLOUDWATCH)
- AWS Control Tower (AWS_CONTROL_TOWER)
- AWS WAF (AWS_WAF)
- Azure AD (AZURE_AD)
- Azure AD Organizational Context (AZURE_AD_CONTEXT)
- Barracuda Email (BARRACUDA_EMAIL)
- Cisco ASA (CISCO_ASA_FIREWALL)
- Cisco Email Security (CISCO_EMAIL_SECURITY)
- Cisco ISE (CISCO_ISE)
- Cisco Umbrella Web Proxy (UMBRELLA_WEBPROXY)
- Citrix Monitor (CITRIX_MONITOR)
- Cloud Audit Logs (N/A)
- CrowdStrike Falcon (CS_EDR)
- Digital Guardian EDR (DIGITALGUARDIAN_EDR)
- Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
- ExtraHop RevealX (EXTRAHOP)
- ForgeRock OpenAM (OPENAM)
- Google Chrome Browser Cloud Management (CBCM) (N/A)
- Infoblox (INFOBLOX)
- McAfee ePolicy Orchestrator (MCAFEE_EPO)
- Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
- Netscout Arbor Sightline (ARBOR_SIGHTLINE)
- Office 365 (OFFICE_365)
- Okta (OKTA)
- Palo Alto Networks Firewall (PAN_FIREWALL)
- Rapid7 Insight (RAPID7_INSIGHT)
- Salesforce (SALESFORCE)
- Sophos Intercept EDR (SOPHOS_EDR)
- Splunk Platform (SPLUNK)
- STIX Threat Intelligence (STIX)
- Tanium Stream (TANIUM_TH)
- tenable.io (TENABLE_IO)
- ThreatLocker Platform (THREATLOCKER)
- VMware AirWatch (AIRWATCH)
- WatchGuard (WATCHGUARD)
- Windows Event (XML) (WINEVTLOG_XML)
- Windows Sysmon (WINDOWS_SYSMON)
- Zscaler (ZSCALER_WEBPROXY)
For details about changes in each parser, see Supported default parsers.
December 16, 2022
You can now enable up to 500 active rules within your Chronicle account. Up to 75 of those can be multi-event rules. See Running a rule against live data for information on how to enable rules and Manage rules using Rules Editor for information on how to configure rules.
December 15, 2022
Starting December 15, 2022, you may not see data in your Chronicle instance that is older than the data retention period defined in your contract. For more information, see Data Retention.
December 12, 2022
Chronicle has added a supported region for Chronicle customers in the UK, europe-west2.
December 08, 2022
The following changes were made to UDM Search. You can now do the following:
- Use enhanced filtering to include Bottom 30 values in addition to Top 30 values for each UDM Field in search results
- Use 'field[key] = value' exact match to search the 'additional' and 'labels' fields
- Pin fields (using the push pin icon) in Quick Filter to save them as a favorite. They will appear at the top of the Quick Filters list
- Save column layouts and load them
- Escape special characters by using backslashes and double-quotes
December 07, 2022
The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.
- Cisco Router (CISCO_ROUTER)
- Digital Guardian DLP (DIGITALGUARDIAN_DLP)
- Linux Auditing System (AuditD) (AUDITD)
- Microsoft Azure Activity (AZURE_ACTIVITY)
- Rubrik (RUBRIK)
- Sentinelone Alerts (SENTINELONE_ALERT)
- SentinelOne EDR (SENTINEL_EDR)
- Sophos Firewall (Next Gen) (SOPHOS_FIREWALL)
- STIX Threat Intelligence (STIX)
- Thales Luna Hardware Security Module (THALES_LUNA_HSM)
- Thinkst Canary (THINKST_CANARY)
- Unix system (NIX_SYSTEM)
- Workspace Activities (WORKSPACE_ACTIVITY)
For details about changes in each parser, see Supported default parsers.
November 30, 2022
The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.
- Akamai WAF (AKAMAI_WAF)
- AlgoSec Security Management (ALGOSEC)
- Ansible AWX (ANSIBLE_AWX)
- Arcsight CEF (ARCSIGHT_CEF)
- AWS Cloudtrail (AWS_CLOUDTRAIL)
- AWS Control Tower (AWS_CONTROL_TOWER)
- AWS GuardDuty (GUARDDUTY)
- Azure AD Directory Audit (AZURE_AD_AUDIT)
- BIND (BIND_DNS)
- Bluecat DDI (BLUECAT_DDI)
- Carbon Black (CB_EDR)
- Check Point (CHECKPOINT_FIREWALL)
- Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
- Cisco Meraki (CISCO_MERAKI)
- Cisco Router (CISCO_ROUTER)
- Deep Instinct EDR (DEEP_INSTINCT_EDR)
- Department of Homeland Security (DHS_IOC)
- Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
- Emerging Threats Pro (ET_PRO_IOC)
- ESET Threat Intelligence (ESET_IOC)
- FortiGate (FORTINET_FIREWALL)
- Fortinet (FORTINET_DHCP)
- Cloud Audit (N/A)
- Security Command Center (N/A)
- GitHub (GITHUB)
- Hitachi Cloud Platform (HITACHI_CLOUD_PLATFORM)
- Juniper (JUNIPER_FIREWALL)
- Linux Auditing System (AuditD) (AUDITD)
- Mandiant Threat Intelligence (MANDIANT_IOC)
- Microsoft Azure Resource (AZURE_RESOURCE_LOGS)
- Microsoft Exchange (EXCHANGE_MAIL)
- Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
- Microsoft Powershell (POWERSHELL)
- Netscout Arbor Sightline (ARBOR_SIGHTLINE)
- Office 365 (OFFICE_365)
- Okta (OKTA)
- Palo Alto Networks Firewall (PAN_FIREWALL)
- Palo Alto Prisma Access (PAN_CASB)
- Sentinelone Alerts (SENTINELONE_ALERT)
- Shrubbery TACACS+ (SHRUBBERY_TACACS)
- Signal Sciences WAF (SIGNAL_SCIENCES_WAF)
- Solarwinds Kiwi Syslog Server (SOLARWINDS_KSS)
- Splunk Platform (SPLUNK)
- Stealthbits Defend (STEALTHBITS_DEFEND)
- STIX Threat Intelligence (STIX)
- Symantec Endpoint Protection (SEP)
- Tanium Discover (TANIUM_DISCOVER)
- Tanium Threat Response (TANIUM_THREAT_RESPONSE)
- WatchGuard (WATCHGUARD)
- Windows Event (WINEVTLOG)
- Windows Network Policy Server (WINDOWS_NET_POLICY_SERVER)
For details about changes in each parser, see Supported default parsers.
November 16, 2022
You can collect Splunk CIM logs by using the Chronicle forwarder and Splunk default parser. For more information, see Collect Splunk CIM logs.
November 15, 2022
UDM Search is a new Chronicle search feature which enables you to find UDM events within your Chronicle instance. You can search both for individual UDM events and groups of UDM events tied to shared search terms. UDM search includes a number of search features, enabling you to navigate through your UDM data:
- Quick Filters—Fast access to saved searches and search history.
- Event Viewer—View the raw log and UDM for the event.
- Search Manager—Comprehensive view of your saved searches and search history.
There is also a new UDM search API method available for the Chronicle Search API.
Be sure to review Google's recommended best practices for conducting searches using UDM Search. UDM searches can require substantial computational resources to complete if they are not constructed carefully. Performance also varies depending on the size and complexity of the data in your Chronicle instance.
Google has made enhancements to the Chronicle reference lists feature. Reference lists now support more complex matching beyond exact string matches, and these new list types can be used in Detection Engine rules.
For more detailed information about these special list types, see the reference lists documentation.
When creating a list, you must provide a "List Type" to indicate how you want Chronicle to interpret your list. List type cannot be changed after list creation, and can be STRING, REGEX, or CIDR. The list type for any existing lists has been set to STRING, since all reference lists made by preview customers perform exact string matching.
You can create Reference Lists using the Chronicle user interface or programmatically using the Reference List API. For information on how to embed a Reference List within a Rule, see the documentation.
November 10, 2022
Chronicle Curated Detections has been enhanced with the following additional detection content:
- Windows-based threats:
- Security Posture Downgrade: detects activity attempting to disable or decrease the effectiveness of security tools.
- Cloud threats:
- Suspicious Behavior: detects activity that is thought to be uncommon and suspicious in most environments.
- Service Disruption: detects destructive or disruptive actions that, if performed in a functioning production environment, may cause a significant outage.
- Suspicious Infrastructure Change: detects modifications to production infrastructure that align with known persistence tactics.
November 09, 2022
The Alerts and Indicators of Compromise (IOC) page displays all the alerts and IOCs currently impacting your enterprise. It provides tools that enable you to filter and view your alerts and IOCs.
Alerts can be designated by your security infrastructure, by your security personnel, or by Chronicle Uppercase.
IOCs are designated automatically by Chronicle. Chronicle is always absorbing data from both your own infrastructure and numerous other security data sources. It automatically correlates suspicious security indicators with your security data. If a match is found (for example, a suspicious domain is found within your enterprise), Chronicle labels the event as an IOC and displays it on the IOC matches tab.
You can also still navigate to the Enterprise Insights page using the link provided at the top of the Alerts and IOCs page. To view CBN alerts, you still need to use the Enterprise Insights page.
Alert view shows a variety of information about a specific alert, including:
- Alert Status
- Alert Details—Displays an alert's creation time, recent updates, and its associated rule.
- Decision States—Displays the verdict for the alert and whether it is an indication of a security issue.
- History—Displays the history of changes made to the alert by your security team.
For alerts originating from Chronicle SOAR, Alert view also includes the associated Chronicle SOAR case number and a link to the case. You can pivot to your Chronicle SOAR account using this link.
You can authenticate with your Chronicle SOAR account from Chronicle. Once you have authenticated with your Chronicle SOAR account, you can pivot between your Chronicle account and your Chronicle SOAR account as needed.
Chronicle SOAR ingests alerts from a variety of sources. You can conduct additional investigations of Chronicle SOAR cases from Chronicle or pivot to Chronicle SOAR. You can pivot to your Chronicle SOAR Cases from the Chronicle application menu. For more information on Chronicle SOAR cases, see the Chronicle SOAR documentation.
Chronicle SOAR Playbooks define a series of automatic steps taken when triggered by an incoming alert and can be used to investigate and respond to security issues. You can pivot to your Chronicle SOAR Playbooks from the Chronicle application menu. For more information on Chronicle SOAR Playbooks, see the Chronicle SOAR documentation.
The following default parsers have changed. Each is listed by product name and ingestion label, if applicable.
- Akeyless Vault Platform (AKEYLESS_VAULT)
- AWS Control Tower (AWS_CONTROL_TOWER)
- AWS VPC Flow (AWS_VPC_FLOW)
- Azure AD (AZURE_AD)
- Azure AD Directory Audit (AZURE_AD_AUDIT)
- Azure WAF (AZURE_WAF)
- BeyondTrust Privileged Identity (BEYONDTRUST_PI)
- Check Point (CHECKPOINT_FIREWALL)
- Cisco Router (CISCO_ROUTER)
- Cisco Wireless IPS (CISCO_WIPS)
- Citrix Monitor (CITRIX_MONITOR)
- CrowdStrike Falcon (CS_EDR)
- Darktrace (DARKTRACE)
- Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
- EPIC Systems (EPIC)
- F5 ASM (F5_ASM)
- Forcepoint DLP (FORCEPOINT_DLP)
- FortiGate (FORTINET_FIREWALL)
- Google Cloud Audit (N/A)
- Security Command Center (N/A)
- HAProxy (HAPROXY)
- InterSystems Cache (INTERSYSTEMS_CACHE)
- Lenel Onguard Badge Management (LENEL_ONGUARD)
- Microsoft Azure Resource (AZURE_RESOURCE_LOGS)
- Microsoft Defender for Endpoint (MICROSOFT_DEFENDER_ENDPOINT)
- Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
- Microsoft IIS (IIS)
- Netscout (ARBOR_EDGE_DEFENSE)
- Netscout Arbor Sightline (ARBOR_SIGHTLINE)
- Okta (OKTA)
- Okta User Context (OKTA_USER_CONTEXT)
- OpenSSH (OPENSSH)
- Palo Alto Cortex XDR Alerts (CORTEX_XDR)
- Palo Alto Networks Firewall (PAN_FIREWALL)
- Proofpoint Tap Alerts (PROOFPOINT_MAIL)
- Pulse Secure (PULSE_SECURE_VPN)
- RSA NetWitness (RSA_NETWITNESS)
- Sentinelone Alerts (SENTINELONE_ALERT)
- Signal Sciences WAF (SIGNAL_SCIENCES_WAF)
- Sourcefire (SOURCEFIRE_IDS)
- Symantec Endpoint Protection (SEP)
- Unix system (NIX_SYSTEM)
- Vectra Stream (VECTRA_STREAM)
- Versa Firewall (VERSA_FIREWALL)
- WatchGuard (WATCHGUARD)
- Wazuh (WAZUH)
- Windows Defender ATP (WINDOWS_DEFENDER_ATP)
- Zix Email Encryption (ZIX_EMAIL_ENCRYPTION)
- Zoom Operation Logs (ZOOM_OPERATION_LOGS)
For details about changes in each parser, see Supported default parsers.
November 07, 2022
Chronicle Feed Management added support for the Sentinel One Alerts API. See the Feed Management documentation for information about how to configure this feed.
When downloading data to CSV file format from the Chronicle user interface, raw log data is now excluded unless you are using Raw Log Scan. For example, raw log data is no longer included when you download events.
This resolves an issue where downloading to CSV was failing.
November 02, 2022
Enhancements to the Detection Engine API
The StreamDetectionAlerts method in the Detection Engine API has been enhanced to return detections generated by both user-created rules and Chronicle Curated Detections. For more information about this method, see StreamDetectionAlerts.
November 01, 2022
The Ingestion API udmevents and createentities methods now accept both uppercase and lowercase characters in the following fields:
- <Noun>.mac: defined when calling the udmevents method, where Noun is either principal, src, target, observer, intermediary, or about.
- entity.asset.mac: defined when calling the createentities method.
These fields are defined in the UDM record in the request body when calling the method. For more information about these methods, see Chronicle Ingestion API documentation. For more information about UDM fields, see the Unified Data Model field list.
October 31, 2022
Chronicle Feed Management added a hostname field to the configuration workflow of certain log types. The hostname field enables you to configure the API endpoint for the feed. If you do not define a value for this field, the following default values are used:
- AzureAD (AZURE_AD) default hostname is graph.microsoft.com.
- AzureADAudit (AZURE_AD_AUDIT) default hostname is graph.microsoft.com.
- AzureADContext (AZURE_AD_CONTEXT) default hostname is graph.microsoft.com.
- AzureMDMIntune (AZURE_MDM_INTUNE) default hostname is graph.microsoft.com.
- MicrosoftGraphAlert (MICROSOFT_GRAPH_ALERT) default hostname is graph.microsoft.com.
- MicrosoftSecurityCenterAlert (MICROSOFT_SECURITY_CENTER_ALERT) default hostname is management.azure.com.
- Office365 (OFFICE_365) default hostname is manage.office.com.
Chronicle Feed Management API was also updated to support the hostname field for these log types.
October 27, 2022
Chronicle Feed Management added support for the CrowdStrike Detection API. See the Feed Management documentation for information about how to configure this feed.
October 19, 2022
The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.
- 1Password (ONEPASSWORD)
- Accellion (ACCELLION)
- Akamai Cloud Monitor (AKAMAI_CLOUD_MONITOR)
- AWS Cloudtrail (AWS_CLOUDTRAIL)
- BeyondTrust (BOMGAR)
- BeyondTrust Secure Remote Access (BEYONDTRUST_REMOTE_ACCESS)
- Bitdefender (BITDEFENDER)
- Blue Coat Proxy (BLUECOAT_WEBPROXY)
- Carbon Black (CB_EDR)
- Check Point (CHECKPOINT_FIREWALL)
- CIS Albert Alerts (CIS_ALBERT_ALERT)
- Cisco ASA (CISCO_ASA_FIREWALL)
- Cisco FireSIGHT Management Center (CISCO_FIRESIGHT)
- Cisco ISE (CISCO_ISE)
- Cisco Meraki (CISCO_MERAKI)
- Cloudflare (CLOUDFLARE)
- CrowdStrike Detection Monitoring (CS_DETECTS)
- CrowdStrike Falcon (CS_EDR)
- CyberArk (CYBERARK)
- Darktrace (DARKTRACE)
- Forcepoint NGFW (FORCEPOINT_FIREWALL)
- Forescout NAC (FORESCOUT_NAC)
- FortiGate (FORTINET_FIREWALL)
- Cloud Audit (N/A)
- Cloud Identity Device Users (GCP_CLOUDIDENTITY_DEVICEUSERS)
- Load Balancing (GCP_LOADBALANCING)
- Google Chrome Browser Cloud Management (CBCM) (N/A)
- IBM Guardium (GUARDIUM)
- Ipswitch MOVEit Transfer (IPSWITCH_MOVEIT_TRANSFER)
- Juniper (JUNIPER_FIREWALL)
- Kaspersky AV (KASPERSKY_AV)
- Linux Auditing System (AuditD) (AUDITD)
- Microsoft Azure Resource (AZURE_RESOURCE_LOGS)
- Microsoft Defender for Endpoint (MICROSOFT_DEFENDER_ENDPOINT)
- Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
- Microsoft IIS (IIS)
- Microsoft Powershell (POWERSHELL)
- Netfilter IPtables (NETFILTER_IPTABLES)
- Netscout (ARBOR_EDGE_DEFENSE)
- Netscout Arbor Sightline (ARBOR_SIGHTLINE)
- Okta (OKTA)
- Oracle (ORACLE_DB)
- Palo Alto Networks Firewall (PAN_FIREWALL)
- Palo Alto Prisma Access (PAN_CASB)
- pfSense (PFSENSE)
- PostFix Mail (POSTFIX_MAIL)
- Proofpoint Email Filter (PROOFPOINT_MAIL_FILTER)
- Pulse Secure (PULSE_SECURE_VPN)
- Qualys VM (QUALYS_VM)
- Sentinelone Alerts (SENTINELONE_ALERT)
- SentinelOne EDR (SENTINEL_EDR)
- Shrubbery TACACS+ (SHRUBBERY_TACACS)
- Symantec Endpoint Protection (SEP)
- Sysdig (SYSDIG)
- Tanium Integrity Monitor (TANIUM_INTEGRITY_MONITOR)
- Varonis (VARONIS)
- VyOS Open Source Router (VYOS)
- ZScaler DNS (ZSCALER_DNS)
For details about changes in each parser, see Supported default parsers.
October 14, 2022
There is now an additional parameter you can specify for Chronicle feeds, "display_name". This additional parameter can be specified and will be returned when using the following Feed Management API methods:
- CreateFeed
- DisableFeed
- EnableFeed
- GetFeed
- ListFeeds
- UpdateFeed
For additional information and examples, see Feed Management API.
October 13, 2022
Chronicle CLI provides a text-based interface to initiate all Chronicle user workflows, acting as an alternative to the graphical user interface for advanced users.
Access to fields stored as key-value pairs in Detection Engine rules
You can now create Detection Engine rules that include UDM fields stored as key-value pairs, such as the google.protobuf.Struct and Label data types. Using the map syntax, you access fields stored as the:
- google.protobuf.Struct data type using syntax similar to $e.additional.fields["key"] = "value".
- Label data type using syntax similar to $e.target.labels["key"] = "value".
For more details about the map syntax, see the YARA-L 2.0 language syntax.
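The three reference list types (STRING, REGEX, CIDR), the arbitrarily named outcome variables, and the map syntax described in these notes, combined in one YARA-L 2.0 rule. This is an added example, not a rule from the release notes or from Google's curated detection content; the reference list names, the additional.fields key, and the assumed UDM values are illustrative.

```yaral
rule login_outside_approved_networks_without_mfa {
  // Added example rule, not from the release notes. List names and the
  // "mfa_used" key are assumed; adjust them to your own reference lists.
  meta:
    author = "example"
    description = "Interactive login from outside approved networks, with an unusual client and no MFA"
    severity = "MEDIUM"

  events:
    $login.metadata.event_type = "USER_LOGIN"
    $login.principal.ip = $ip
    $login.target.user.userid = $user

    // CIDR-type reference list: approved egress ranges (assumed list name).
    // Matching is by network containment, not exact string comparison.
    not $login.principal.ip in cidr %approved_egress_cidrs

    // REGEX-type reference list: user-agent patterns that merit review (assumed list name).
    $login.network.http.user_agent in regex %suspicious_user_agent_patterns

    // STRING-type reference list: exact-match exclusion of break-glass accounts (assumed list name).
    not $user in %break_glass_accounts

    // Map syntax on a google.protobuf.Struct field stored under additional.fields.
    $login.additional.fields["mfa_used"] = "false"

  match:
    $user over 1h

  outcome:
    // Outcome variables carry arbitrary names and are stored on each detection.
    $risk_score = max(if($login.security_result.action = "ALLOW", 70, 30))
    $login_count = count($login.metadata.id)
    $source_ips = array_distinct($ip)
    $user_agents = array_distinct($login.network.http.user_agent)

  condition:
    $login
}
```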
October 06, 2022
Chronicle Feed Management for the Rapid7 Insight log type now enables you to configure the Rapid7 API endpoint.
A new field, called hostname, was added to the Rapid7 Insight configuration workflow. Use this field to change the API endpoint to any one of the supported Rapid7 regions by specifying a value that follows the pattern {region_id}.api.insight.rapid7.com. If you do not specify an endpoint, the default is us.api.insight.rapid7.com. The Chronicle Feed Management API was also updated to support a configurable value for the hostname field.
October 04, 2022
Chronicle Curated Detections has been enhanced with the following additional detection content:
- Windows-based threats:
- Living off the land (LotL): identifies tools native to Microsoft Windows operating systems that can be abused by threat actors for malicious purposes.
- Cloud attacks and cloud misconfigurations:
- Cloud Hacktool: detects activity from known offensive security platforms or tools used by threat actors that target resources on Google Cloud.
- IAM Abuse: detects activity associated with abusing IAM roles and permissions to potentially escalate privilege or move laterally within a given Google Cloud project or across a Google Cloud organization.
October 03, 2022
The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.
- Apache (APACHE)
- Aruba (ARUBA_WIRELESS)
- AWS GuardDuty (GUARDDUTY)
- Azure AD Directory Audit (AZURE_AD_AUDIT)
- Azure AD Organizational Context (AZURE_AD_CONTEXT)
- BeyondTrust (BOMGAR)
- Box (BOX)
- Cisco Application Centric Infrastructure (CISCO_ACI)
- Cisco Application Control Engine (CISCO_ACE)
- Cisco ASA (CISCO_ASA_FIREWALL)
- Cisco Email Security (CISCO_EMAIL_SECURITY)
- Citrix Netscaler (CITRIX_NETSCALER)
- Cloudflare WAF (CLOUDFLARE_WAF)
- CrowdStrike Detection Monitoring (CS_DETECTS)
- CrowdStrike Falcon (CS_EDR)
- Crowdstrike IOC (CROWDSTRIKE_IOC)
- F5 ASM (F5_ASM)
- Fluentd Logs (FLUENTD)
- FortiGate (FORTINET_FIREWALL)
- Fortinet FortiAnalyzer (FORTINET_FORTIANALYZER)
- Cloud Audit (N/A)
- Cloud DNS (N/A)
- Cloud Load Balancing (GCP_LOADBALANCING)
- HCNET Account Adapter Plus (HCNET_ACCOUNT_ADAPTER)
- Kong API Gateway (KONG_GATEWAY)
- ManageEngine AD360 (MANAGE_ENGINE_AD360)
- McAfee ePolicy Orchestrator (MCAFEE_EPO)
- McAfee Web Gateway (MCAFEE_WEBPROXY)
- McAfee Web Protection (MCAFEE_WEB_PROTECTION)
- Microsoft Azure Activity (AZURE_ACTIVITY)
- Mongo Database (MONGO_DB)
- Office 365 (OFFICE_365)
- Okta (OKTA)
- OSQuery (OSQUERY_EDR)
- OSSEC (OSSEC)
- Palo Alto Networks Firewall (PAN_FIREWALL)
- Red Canary (REDCANARY_EDR)
- Snort (SNORT_IDS)
- Squid Web Proxy (SQUID_WEBPROXY)
- Symantec Endpoint Protection (SEP)
- Tanium Asset (TANIUM_ASSET)
- Tanium Stream (TANIUM_TH)
- Windows Defender ATP (WINDOWS_DEFENDER_ATP)
- Workday (WORKDAY)
- Zeek JSON (BRO_JSON)
For details about changes in each parser, see Supported default parsers.
September 29, 2022
The following changes are available in the Unified Data Model:
- A new field, risk_score, was added to Noun.investigation.
- A new field, data_tap_config_name, was added to Event.metadata.tags.
- The following new fields were added to Network:
- application_protocol_version
- sent_packets
- received_packets
- A new ENUM value, CHALLENGE, was added to SecurityResult.Action
- A new ENUM value, ANALYST_UPDATE_RISK_SCORE, was added to Metadata.EventType
For a list of all fields in the Unified Data Model, and their descriptions, see the Unified Data Model field list.
September 26, 2022
Context Aware Detections - Risk Dashboard
The Context Aware Detections - Risk dashboard provides insight into the current threat status of assets and users in your enterprise.
Contextual enrichment in events and entities
To enable a security investigation, Chronicle provides additional context about artifacts in a customer environment by calculating prevalence statistics and ingesting data from Safe Browsing threat lists related to file hashes. For more information, see:
September 21, 2022
ListAssetAliases and ListUserAliases
The ListAssetAliases and ListUserAliases API methods are now available as part of the Chronicle Search API. Use ListAssetAliases to list all the aliases of an asset in an enterprise and use ListUserAliases to list all the aliases of a user in an enterprise.
September 14, 2022
The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.
- Apache (APACHE)
- Barracuda WAF (BARRACUDA_WAF)
- Bluecat DDI (BLUECAT_DDI)
- Cisco Umbrella Cloud Firewall (UMBRELLA_FIREWALL)
- Cisco Umbrella Web Proxy (UMBRELLA_WEBPROXY)
- Cisco WLC/WCS (CISCO_WIRELESS)
- CloudGenix SD-WAN (CLOUDGENIX_SDWAN)
- Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
- FortiGate (FORTINET_FIREWALL)
- Cloud Audit (N/A)
- Google Cloud Identity Context (CLOUD_IDENTITY_CONTEXT)
- IBM Guardium (GUARDIUM)
- IBM z/OS (IBM_ZOS)
- Infoblox DNS (INFOBLOX_DNS)
- Ipswitch SFTP (IPSWITCH_SFTP)
- Kubernetes auth proxy logs (KUBERNETES_AUTH_PROXY)
- Linux DHCP (LINUX_DHCP)
- McAfee ePolicy Orchestrator (MCAFEE_EPO)
- Microsoft Defender for Endpoint (MICROSOFT_DEFENDER_ENDPOINT)
- NGINX (NGINX)
- OSSEC (OSSEC)
- pfSense (PFSENSE)
- Ribbon Analytics Platform (RIBBON_ANALYTICS_PLATFORM)
- Ruckus Networks (RUCKUS_WIRELESS)
- Salesforce (SALESFORCE)
- Sentinelone Alerts (SENTINELONE_ALERT)
- SentinelOne Deep Visibility (SENTINEL_DV)
- SentinelOne EDR (SENTINEL_EDR)
- Trend Micro Deep Security (TRENDMICRO_DEEP_SECURITY)
- VMware AirWatch (AIRWATCH)
- VMware ESXi (VMWARE_ESX)
- VMware Workspace ONE (VMWARE_WORKSPACE_ONE)
- Zscaler (ZSCALER_WEBPROXY)
For details about changes in each parser, see Supported default parsers.
September 02, 2022
The GetLog API method is now available as part of the Chronicle Search API. Use GetLog to retrieve a specific raw log using an event's UID.
September 01, 2022
The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.
- Arcsight CEF (ARCSIGHT_CEF)
- Aruba (ARUBA_WIRELESS)
- AWS Security Hub (AWS_SECURITY_HUB)
- Azure AD (AZURE_AD)
- BeyondTrust (BOMGAR)
- Bitdefender (BITDEFENDER)
- Blue Coat Proxy (BLUECOAT_WEBPROXY)
- Bluecat DDI (BLUECAT_DDI)
- CA LDAP (CA_LDAP)
- Check Point (CHECKPOINT_FIREWALL)
- Cisco ACS (CISCO_ACS)
- Cisco Router (CISCO_ROUTER)
- Cisco UCM (CISCO_UCM)
- Cisco Umbrella IP (UMBRELLA_IP)
- Cisco Umbrella Web Proxy (UMBRELLA_WEBPROXY)
- Cisco VPN (CISCO_VPN)
- Cisco WLC/WCS (CISCO_WIRELESS)
- CrowdStrike Falcon (CS_EDR)
- Falco IDS (FALCO_IDS)
- FireEye HX (FIREEYE_HX)
- Forcepoint CASB (FORCEPOINT_CASB)
- FortiGate (FORTINET_FIREWALL)
- Cloud Load Balancing (GCP_LOADBALANCING)
- Cloud Audit (N/A)
- HP Aruba Clearpass (CLEARPASS)
- Infoblox DNS (INFOBLOX_DNS)
- Linux DHCP (LINUX_DHCP)
- Microsoft Intune (AZURE_MDM_INTUNE)
- Office 365 (OFFICE_365)
- Open LDAP (OPENLDAP)
- Ordr IoT (ORDR_IOT)
- Palo Alto Networks Traps (PAN_EDR)
- Pivotal (PIVOTAL)
- Proofpoint Threat Response (PROOFPOINT_TRAP)
- Red Hat OpenShift (REDHAT_OPENSHIFT)
- Sophos Firewall Next Gen (SOPHOS_FIREWALL)
- Sourcefire (SOURCEFIRE_IDS)
- Suricata EVE (SURICATA_EVE)
- Symantec Event export (SYMANTEC_EVENT_EXPORT)
- Tanium Comply (TANIUM_COMPLY)
- Vectra Detect (VECTRA_DETECT)
- VMware ESXi (VMWARE_ESX)
- Windows Event (WINEVTLOG)
For details about changes in each parser, see Supported default parsers.
The following changes are available in the Unified Data Model:
- The ip_location field was added to Noun type.
- The day_max_sub_domains field was added to the Prevalence type.
- The source_type field was added to the EntityMetadata type.
For a list of all fields in the Unified Data Model, and their descriptions, see the Unified Data Model field list.
August 18, 2022
Chronicle's integration with VirusTotal has been revised and enhanced. This feature enables you to pivot from finding domains linked to an asset in Chronicle to viewing information about that domain from VirusTotal. From a Chronicle event view, such as Asset view, Domain view, or IP Address view, click VT Context to open the VirusTotal Context window. Some of the VirusTotal information is only available to users with a VirusTotal Enterprise account.
Some of the older links in the Chronicle user interface to VirusTotal, for example the option in Asset view to display the first 50 results in VirusTotal Graph and the VirusTotal Insights results panel, have been removed. Clicking VT Context provides access to the same information and VirusTotal functionality, including access to VirusTotal Graph.
August 17, 2022
The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.
- Akamai WAF (AKAMAI_WAF)
- Arista Switch (ARISTA_SWITCH)
- AWS CloudWatch (AWS_CLOUDWATCH)
- AWS GuardDuty (GUARDDUTY)
- AWS Macie (AWS_MACIE)
- AWS Route 53 DNS (AWS_ROUTE_53)
- AWS WAF (AWS_WAF)
- Azure AD (AZURE_AD)
- Azure AD Organizational Context (AZURE_AD_CONTEXT)
- Bitdefender (BITDEFENDER)
- Bluecat DDI (BLUECAT_DDI)
- Centrify (CENTRIFY_SSO)
- Check Point (CHECKPOINT_FIREWALL)
- Cisco Application Centric Infrastructure (CISCO_ACI)
- Cisco ISE (CISCO_ISE)
- Custom DNS (CUSTOM_DNS)
- Cylance Protect (CYLANCE_PROTECT)
- Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
- FireEye (FIREEYE_ALERT)
- Forcepoint Proxy (FORCEPOINT_WEBPROXY)
- FortiGate (FORTINET_FIREWALL)
- IBM z/OS (IBM_ZOS)
- Linux DHCP (LINUX_DHCP)
- Microsoft AD FS (ADFS)
- Microsoft Azure Resource (AZURE_RESOURCE_LOGS)
- Microsoft Defender for Endpoint (MICROSOFT_DEFENDER_ENDPOINT)
- Microsoft SQL Server (MICROSOFT_SQL)
- Nasuni File Services Platform (NASUNI_FILE_SERVICES)
- Palo Alto Prisma Cloud (PAN_PRISMA_CLOUD)
- Ping Identity (PING)
- Riverbed Steelhead (STEELHEAD)
- SiteMinder Web Access Management (CA_SSO_WEB)
- Snoopy Logger (SNOOPY_LOGGER)
- Stormshield Firewall (STORMSHIELD_FIREWALL)
- Symantec Endpoint Protection (SEP)
- Tanium Stream (TANIUM_TH)
- VMware ESXi (VMWARE_ESX)
- VMware Horizon (VMWARE_HORIZON)
- Windows Event (WINEVTLOG)
- Windows Sysmon (WINDOWS_SYSMON)
For details about changes in each parser, see Supported default parsers.
Chronicle curated detections provide out-of-the-box threat detection content curated, built, and maintained by Google Cloud Threat Intelligence (GCTI) researchers. This release of curated detections covers the following range of threats:
- Windows-based threats: Coverage for several classes of threats including infostealers, ransomware, RATs, misused software, and crypto activity.
- Cloud attacks and cloud misconfigurations: Secure cloud workloads with additional coverage around exfiltration of data, suspicious behavior, and additional vectors.
August 16, 2022
You can now configure new data feeds for your Chronicle account using Feed Management. This feature makes it possible for you to set up your own data feeds without the assistance of Chronicle support personnel. You can set up new data feeds using either the Feed Management user interface or the Feed Management API. Chronicle returns error messages in the event you have misconfigured a feed and need to make changes.
August 08, 2022
The following changes are available in the Unified Data Model:
- The File.ashash field was deprecated and replaced with the File.authentihash field.
- The day_max field was added to the Prevalence type.
Descriptions of the File.FileType Enum values are now available in the Unified Data Model field list document.
For a list of all fields in the Unified Data Model, and their descriptions, see the Unified Data Model field list.
August 03, 2022
The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.
- AWS Cloudtrail (AWS_CLOUDTRAIL)
- AWS Route 53 DNS (AWS_ROUTE_53)
- AWS S3 Server Access (AWS_S3_SERVER_ACCESS)
- AWS WAF (AWS_WAF)
- Box (BOX)
- Cisco Switch (CISCO_SWITCH)
- Citrix Storefront (CITRIX_STOREFRONT)
- CrowdStrike Falcon (CS_EDR)
- Dell OpenManage (DELL_OPENMANAGE)
- F5 VPN (F5_VPN)
- Falco IDS (FALCO_IDS)
- Cloud SQL (GCP_CLOUDSQL)
- Cloud VPC Flow (GCP_VPC_FLOW)
- Imperva SecureSphere Management (IMPERVA_SECURESPHERE)
- Linux Auditing System AuditD (AUDITD)
- McAfee ePolicy Orchestrator (MCAFEE_EPO)
- Microsoft Defender for Identity (MICROSOFT_DEFENDER_IDENTITY)
- Netskope (NETSKOPE_ALERT)
- NIMBLE OS (NIMBLE_OS)
- Office 365 (OFFICE_365)
- Oracle (ORACLE_DB)
- Ping Identity (PING)
- SentinelOne EDR (SENTINEL_EDR)
- Snare System Diagnostic Logs (SNARE_SOLUTIONS)
- Sophos AV (SOPHOS_AV)
- Suricata EVE (SURICATA_EVE)
- Symantec Endpoint Protection (SEP)
- TeamViewer (TEAMVIEWER)
- Vectra Stream (VECTRA_STREAM)
- VMware ESXi (VMWARE_ESX)
- Windows Defender ATP (WINDOWS_DEFENDER_ATP)
- Windows Event (WINEVTLOG)
- Workspace Activities (WORKSPACE_ACTIVITY)
For details about changes in each parser, see Supported default parsers.
July 29, 2022
Detection Engine now includes the following new features:
- You can define an outcome section in single event rules. Previously, the outcome section was supported in multi-event rules only. If you have multi-event rules that use only one event variable, you can refactor them by deleting the match section to make them more performant. For an example rule, see YARA-L 2.0 language overview. For more detailed information about rule syntax, see YARA-L 2.0 language syntax.
- In the existing condition section, you can now use variables defined in the outcome section. This enables you to filter on aggregates (variables in the outcome section can be defined using aggregate functions) and on the $risk_score outcome variable. For more detailed information about the condition section, see YARA-L 2.0 language syntax.
- You can assign a placeholder variable to the result of a function call. You can then use the placeholder variable in other sections of the rule, such as the match section, outcome section, or condition section. For information about the syntax for function to placeholder assignments and any restrictions, see the YARA-L 2.0 language syntax.
July 28, 2022
The following changes are available in the Unified Data Model:
- Added the MUTEX value to the EntityMetadata.EntityType enumerated type.
- Added the id field to the Event.metadata type.
- Added the priority, root_cause, and reason fields to the Investigation type.
- Added the following new enumerated types:
- Added the rule_set and rule_set_display_name fields to the SecurityResult type.
- Added the ANALYST_UPDATE_PRIORITY, ANALYST_UPDATE_ROOT_CAUSE, and ANALYST_UPDATE_REASON values to the Metadata.EventType enumerated type.
- Added the DCERPC and KRB5 values to the Network.ApplicationProtocol enumerated type.
- Added the SOCIAL_ENGINEERING and PHISHING values to the SecurityResult.SecurityCategory enumerated type.
- Added the OPEN value to the Status enumerated type.
For a list of all fields in the Unified Data Model, and their descriptions, see the Unified Data Model field list.
July 26, 2022
Previously, you could export DNS and Cloud Audit logs using the Chronicle panel within the Google Cloud Console. You can now configure the default export filter to export additional log types. You can control not only the log types, but also the source projects producing these logs. Both inclusion and exclusion filters are supported. In addition, semantic validation of the log filters can catch malformed log filters with invalid log types or identifiers. The filter language is the Google logging query language that is shared with Cloud Logging.
For more information about the Export Log Filter Settings, see Exporting Google Cloud Logs to Chronicle.
July 21, 2022
The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.
- Avanan Email Security (AVANAN_EMAIL)
- AWS Cloudtrail (AWS_CLOUDTRAIL)
- AWS GuardDuty (GUARDDUTY)
- AWS VPC Flow (AWS_VPC_FLOW)
- Barracuda Firewall (BARRACUDA_FIREWALL)
- BeyondTrust Secure Remote Access (BEYONDTRUST_REMOTE_ACCESS)
- Carbon Black (CB_EDR)
- Centrify (CENTRIFY_SSO)
- Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
- Cisco ISE (CISCO_ISE)
- CrowdStrike Falcon (CS_EDR)
- CrowdStrike Falcon Stream (CS_STREAM)
- Custom Security Data Analytics (CUSTOM_SECURITY_DATA_ANALYTICS)
- Dell EMC Data Domain (DELL_EMC_DATA_DOMAIN)
- Department of Homeland Security (DHS_IOC)
- Elastic Audit Beats (ELASTIC_AUDITBEAT)
- F5 VPN (F5_VPN)
- FortiGate (FORTINET_FIREWALL)
- Fortinet FortiNAC (FORTINET_FORTINAC)
- Cloud Run (GCP_RUN)
- GitHub (GITHUB)
- Google Chrome Browser Cloud Management
- HCL BigFix (HCL_BIGFIX)
- HP Aruba (Clearpass) (CLEARPASS)
- IBM Guardium (GUARDIUM)
- Infoblox (INFOBLOX)
- Infoblox DNS (INFOBLOX_DNS)
- Kubernetes audit logs (KUBERNETES_AUDIT)
- Linux Sysmon (LINUX_SYSMON)
- McAfee ePolicy Orchestrator (MCAFEE_EPO)
- Medigate IoT (MEDIGATE_IOT)
- Microsoft AD FS (ADFS)
- Nasuni File Services Platform (NASUNI_FILE_SERVICES)
- Office 365 (OFFICE_365)
- Okta (OKTA)
- Ping Identity (PING)
- PostFix Mail (POSTFIX_MAIL)
- Proofpoint On Demand (PROOFPOINT_ON_DEMAND)
- Proofpoint Tap Alerts (PROOFPOINT_MAIL)
- SailPoint IAM (SAILPOINT_IAM)
- SecureLink (SECURELINK)
- SentinelOne EDR (SENTINEL_EDR)
- ServiceNow CMDB (SERVICENOW_CMDB)
- Suricata EVE (SURICATA_EVE)
- Suricata IDS (SURICATA_IDS)
- Symantec Web Isolation (SYMANTEC_WEB_ISOLATION)
- Thales Luna Hardware Security Module (THALES_LUNA_HSM)
- Thales MFA (THALES_MFA)
- Uptycs EDR (UPTYCS_EDR)
- Windows DNS (WINDOWS_DNS)
- Windows Event (WINEVTLOG)
- Workspace Activities (WORKSPACE_ACTIVITY)
For details about changes in each parser, see Supported default parsers.
July 06, 2022
The following supported default parsers have changed (listed by product name and ingestion label):
- Azure DevOps Audit (AZURE_DEVOPS)
- Bitdefender (BITDEFENDER)
- CA Access Control (CA_ACCESS_CONTROL)
- Carbon Black App Control (CB_APP_CONTROL)
- Check Point (CHECKPOINT_FIREWALL)
- Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
- Cisco Router (CISCO_ROUTER)
- Cloud Passage (CLOUD_PASSAGE)
- Digital Guardian (DIGITALGUARDIAN_EDR)
- ExtraHop RevealX (EXTRAHOP)
- Forcepoint NGFW (FORCEPOINT_FIREWALL)
- IBM DataPower Gateway (IBM_DATAPOWER)
- IBM Guardium (GUARDIUM)
- Imperva (IMPERVA_WAF)
- Microsoft Azure Resource (AZURE_RESOURCE_LOGS)
- Microsoft SQL Server (MICROSOFT_SQL)
- Office 365 (OFFICE_365)
- pfSense (PFSENSE)
- Proofpoint On Demand (PROOFPOINT_ON_DEMAND)
- Proofpoint Tap Alerts (PROOFPOINT_MAIL)
- SonicWall (SONIC_FIREWALL)
- Sophos UTM (SOPHOS_UTM)
- VMware AirWatch (AIRWATCH)
- VMware ESXi (VMWARE_ESX)
- Workspace Activities (WORKSPACE_ACTIVITY)
For details about changes in each parser, see Supported default parsers.
The following new fields are available in the Unified Data Model:
- The new fields prevalence, first_seen_time, and last_seen_time were added to the File object.
- A new field, bounce_address, was added to the Email object.
- A new field, artifact, was added to the Noun object. Artifact is a new object.
- A new field, rolling_max_sub_domains, was added to the Prevalence object.
- A new field, first_seen_time, was added to the User object.
- The following new fields were added to the Smtp object:
- helo
- mail_from
- rcpt_to
- server_response
- message_path
- is_webmail
- is_tls
For a list of all fields in the Unified Data Model, and their descriptions, see the Unified Data Model field list.
June 29, 2022
Chronicle Forwarder configuration on Linux has been updated to include two separate configuration files. The <x>.conf file stores the configuration related to log ingestion. The <x>_auth.conf file stores the authentication credentials.
For more information, see Installing and configuring the forwarder on Linux.
June 22, 2022
The following supported default parsers have changed (listed by product name and ingestion label):
- Akamai WAF (AKAMAI_WAF)
- Aruba IPS (ARUBA_IPS)
- Azure AD Directory Audit (AZURE_AD_AUDIT)
- Carbon Black App Control (CB_APP_CONTROL)
- Check Point (CHECKPOINT_FIREWALL)
- Cisco ACS (CISCO_ACS)
- Cisco Email Security (CISCO_EMAIL_SECURITY)
- Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
- Cisco ISE (CISCO_ISE)
- Cisco Meraki (CISCO_MERAKI)
- Citrix Netscaler (CITRIX_NETSCALER)
- CloudM (CLOUDM)
- CrowdStrike Falcon (CS_EDR)
- EPIC Systems (EPIC)
- Forescout NAC (FORESCOUT_NAC)
- FortiGate (FORTINET_FIREWALL)
- Cloud Compute (GCP_COMPUTE)
- IBM DataPower Gateway (IBM_DATAPOWER)
- Imperva (IMPERVA_WAF)
- JAMF Protect (JAMF_PROTECT)
- Linux Auditing System (AuditD) (AUDITD)
- Microsoft Exchange (EXCHANGE_MAIL)
- Netskope (NETSKOPE_ALERT)
- Office 365 (OFFICE_365)
- Okta (OKTA)
- Preempt Alert (PREEMPT)
- RSA (RSA_AUTH_MANAGER)
- SentinelOne EDR (SENTINEL_EDR)
- ServiceNow CMDB (SERVICENOW_CMDB)
- Sourcefire (SOURCEFIRE_IDS)
- Suricata IDS (SURICATA_IDS)
- Symantec Web Isolation (SYMANTEC_WEB_ISOLATION)
- Tripwire (TRIPWIRE_FIM)
- Unix system (NIX_SYSTEM)
- VMware AirWatch (AIRWATCH)
- VMware ESXi (VMWARE_ESX)
- VMware NSX (VMWARE_NSX)
- WatchGuard (WATCHGUARD)
- Workspace Alerts (WORKSPACE_ALERTS)
- Zscaler (ZSCALER_WEBPROXY)
For details about changes in each parser, see Supported default parsers.
June 14, 2022
Enhancements to YARA-L 2.0 syntax in Detection Engine rules
We have enhanced the outcome section that can be used in Detection Engine rules.
- We now support up to 10 outcome variables.
- We now support integer and string data type outcome variables.
- We have added new aggregate functions: count(), count_distinct(), array(), array_distinct()
For more details about the outcome section, see Outcome section syntax.
June 08, 2022
The following supported default parsers have changed (listed by product name and ingestion label):
- Amazon Guardduty (GUARDDUTY)
- Atlassian Jira (ATLASSIAN_JIRA)
- AWS CloudFront (AWS_CLOUDFRONT)
- AWS Cloudtrail (AWS_CLOUDTRAIL)
- AWS CloudWatch (AWS_CLOUDWATCH)
- AWS Config (AWS_CONFIG)
- AWS Elastic Load Balancer (AWS_ELB)
- AWS Key Management Service (AWS_KMS)
- AWS VPC Flow (AWS_VPC_FLOW)
- Check Point (CHECKPOINT_FIREWALL)
- Cisco ACS (CISCO_ACS)
- Cisco Email Security (CISCO_EMAIL_SECURITY)
- CrowdStrike Falcon (CS_EDR)
- Elastic Audit Beats (ELASTIC_AUDITBEAT)
- Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
- ESET Threat Intelligence (ESET_IOC)
- F5 BIGIP LTM (F5_BIGIP_LTM)
- Fastly WAF (FASTLY_WAF)
- Cloud IOT (GCP_CLOUDIOT)
- HCL BigFix (HCL_BIGFIX)
- IBM z/OS (IBM_ZOS)
- Imperva (IMPERVA_WAF)
- Infoblox DNS (INFOBLOX_DNS)
- Juniper IPS (JUNIPER_IPS)
- Microsoft Azure Resource (AZURE_RESOURCE_LOGS)
- Microsoft Defender for Endpoint (MICROSOFT_DEFENDER_ENDPOINT)
- Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
- Microsoft SQL Server (MICROSOFT_SQL)
- Okta (OKTA)
- Tanium Stream (TANIUM_TH)
- Trend Micro AV (TRENDMICRO_AV)
- Unix system (NIX_SYSTEM)
- Windows Event (WINEVTLOG)
- Zscaler (ZSCALER_WEBPROXY)
For details about changes in each parser, see Supported default parsers.
May 25, 2022
The following supported default parsers have changed, listed by product name and ingestion label:
- Apache Hadoop (HADOOP)
- Suricata IDS (SURICATA_IDS)
- Cloud Compute (GCP_COMPUTE)
- Elastic Audit Beats (ELASTIC_AUDITBEAT)
- Cloudflare (CLOUDFLARE)
- Proofpoint On Demand (PROOFPOINT_ON_DEMAND)
- FortiGate (FORTINET_FIREWALL)
- CSV Custom IOC (CSV_CUSTOM_IOC)
- CrowdStrike Falcon (CS_EDR)
- Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
- CIS Albert Alerts (CIS_ALBERT_ALERT)
- SonicWall (SONIC_FIREWALL)
- Okta User Context (OKTA_USER_CONTEXT)
- Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
- Check Point (CHECKPOINT_FIREWALL)
- Barracuda Email (BARRACUDA_EMAIL)
- Microsoft Azure Activity (AZURE_ACTIVITY)
- Carbon Black App Control (CB_APP_CONTROL)
- OpenSSH (OPENSSH)
- OneLogin (ONELOGIN_SSO)
- Office 365 (OFFICE_365)
- FireEye NX (FIREEYE_NX)
- ExtraHop RevealX (EXTRAHOP)
- Cisco Umbrella DNS (UMBRELLA_DNS)
- Kaspersky AV (KASPERSKY_AV)
- IBM Guardium (GUARDIUM)
- F5 ASM (F5_ASM)
- Cisco Email Security (CISCO_EMAIL_SECURITY)
- Workspace Activities (WORKSPACE_ACTIVITY)
- Forcepoint Proxy (FORCEPOINT_WEBPROXY)
- Azure AD Organizational Context (AZURE_AD_CONTEXT)
- Tanium Stream (TANIUM_TH)
- Apache (APACHE)
For details about the changes in each parser, see Supported default parsers.
May 11, 2022
The following supported default parsers have changed (listed by product name and ingestion label):
- ExtraHop RevealX (EXTRAHOP)
- Imperva (IMPERVA_WAF)
- Windows Event (WINEVTLOG)
- Azure AD Organizational Context (AZURE_AD_CONTEXT)
- Citrix Netscaler (CITRIX_NETSCALER)
- Elastic Packet Beats (ELASTIC_PACKETBEATS)
- Elastic Audit Beats (ELASTIC_AUDITBEAT)
- Sendmail (SENDMAIL)
- VMware vCenter (VMWARE_VCENTER)
- AWS VPC Flow (AWS_VPC_FLOW)
- Bluecat DDI (BLUECAT_DDI)
- Cisco ACS (CISCO_ACS)
- Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
- Forcepoint Proxy (FORCEPOINT_WEBPROXY)
- McAfee ePolicy Orchestrator (MCAFEE_EPO)
- Office 365 (OFFICE_365)
- Apple MacOS (MACOS)
- Archer Integrated Risk Management (ARCHER_IRM)
- Cisco Meraki (CISCO_MERAKI)
- Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
- IBM DB2 (DB2_DB)
- Cisco ISE (CISCO_ISE)
- F5 BIGIP LTM (F5_BIGIP_LTM)
- Juniper Junos (JUNIPER_JUNOS)
- Microsoft Exchange (EXCHANGE_MAIL)
- VMware ESXi (VMWARE_ESX)
- Digital Shadows SearchLight (DIGITAL_SHADOWS_SEARCHLIGHT)
- Azure Firewall (AZURE_FIREWALL)
- ForgeRock OpenAM (OPENAM)
- FortiGate (FORTINET_FIREWALL)
- ZScaler NGFW (ZSCALER_FIREWALL)
- OpenVPN (OPEN_VPN)
For details about the changes in each parser, see Supported default parsers.
May 10, 2022
The following new fields are available in the Unified Data Model:
- parent_session_id was added to the Network object.
- first_seen_time was added to the Asset object.
For a list of fields in the Unified Data Model, and descriptions, see the Unified Data Model field list.
April 27, 2022
The following supported default parsers have changed (listed by product name and ingestion label):
- Apache Tomcat (TOMCAT)
- Azure AD (AZURE_AD)
- BIND (BIND_DNS)
- Bitdefender (BITDEFENDER)
- Blue Coat Proxy (BLUECOAT_WEBPROXY)
- Cisco ACS (CISCO_ACS)
- Cisco Email Security (CISCO_EMAIL_SECURITY)
- Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
- Cisco ISE (CISCO_ISE)
- Citrix Netscaler (CITRIX_NETSCALER)
- CrowdStrike Falcon (CS_EDR)
- Darktrace (DARKTRACE)
- Dell EMC Data Domain (DELL_EMC_DATA_DOMAIN)
- Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
- EPIC Systems (EPIC)
- F5 ASM (F5_ASM)
- Cloud Identity Device Users (GCP_CLOUDIDENTITY_DEVICEUSERS)
- GMV Checker ATM Security (GMV_CHECKER)
- HCL BigFix (HCL_BIGFIX)
- Layer7 SiteMinder (SITEMINDER_SSO)
- Microsoft Azure NSG Flow (AZURE_NSG_FLOW)
- Microsoft Defender for Identity (MICROSOFT_DEFENDER_IDENTITY)
- Microsoft Powershell (POWERSHELL)
- Mobileiron (MOBILEIRON)
- Office 365 (OFFICE_365)
- Salesforce (SALESFORCE)
- SecureAuth (SECUREAUTH_SSO)
- SentinelOne EDR (SENTINEL_EDR)
- Windows Event (WINEVTLOG)
- Workspace Activities (WORKSPACE_ACTIVITY)
- ZScaler NGFW (ZSCALER_FIREWALL)
For details about the changes in each parser, see Supported default parsers.
Chronicle now supports the following functions in Detection Engine rules:
- strings.concat(a, b)
- strings.to_lower(stringText)
- strings.to_upper(stringText)
- strings.base64_decode(encodedString)
- re.capture(stringText, regex)
- re.replace(stringText, replaceRegex, replacementText)
- timestamp.get_minute(unix_seconds [, time_zone])
- timestamp.get_hour(unix_seconds [, time_zone])
- timestamp.get_day_of_week(unix_seconds [, time_zone])
- timestamp.get_week(unix_seconds [, time_zone])
- timestamp.current_seconds()
- math.abs(intExpression)
For more information about these functions, see YARA-L 2.0 language syntax.
April 26, 2022
The Chronicle Container Registry key is no longer needed and has been removed. The corresponding documentation on the Container Registry key for the Linux version of the Chronicle Forwarder has also been removed.
April 25, 2022
Rules can now be run at different frequencies. Rule run frequency affects the latency with which detections are discovered for each rule: longer run frequencies increase the amount of time between when an event occurs and when a detection is processed for that event. Rules with a window size of at least one hour are limited to either 1-hour or 24-hour run frequencies.
April 15, 2022
Chronicle Detection Engine now supports the min() function and subtraction operator in the outcome section of a rule.
April 13, 2022
The following supported default parsers have changed (listed by ingestion label):
- AKAMAI_WAF
- ARUBA_WIRELESS
- AWS_CLOUDTRAIL
- AWS_CONFIG
- AZURE_AD_CONTEXT
- AZURE_COSMOS_DB
- BITDEFENDER
- CA_ACCESS_CONTROL
- CASSANDRA
- CISCO_EMAIL_SECURITY
- CISCO_FIREPOWER_FIREWALL
- CISCO_ISE
- CISCO_MERAKI
- CISCO_TACACS
- CS_EDR
- D3_BANKING
- ELASTIC_WINLOGBEAT
- FILEZILLA_FTP
- GCP_CLOUDIDENTITY_DEVICES
- GCP_CLOUDIDENTITY_DEVICEUSERS
- GMV_CHECKER
- GUARDDUTY
- GUARDIUM
- IIS
- INFOBLOX_DHCP
- KASPERSKY_AV
- KEA_DHCP
- MCAFEE_DLP
- MCAFEE_EPO
- MICROSOFT_DEFENDER_ENDPOINT
- NETSKOPE_WEBPROXY
- OFFICE_365
- OKTA
- OKTA_USER_CONTEXT
- ONELOGIN_SSO
- ORDR_IOT
- PAN_FIREWALL
- PROOFPOINT_ON_DEMAND
- PULSE_SECURE_VPN
- RH_ISAC_IOC
- SALESFORCE
- SERVICENOW_CMDB
- SLACK_AUDIT
- SOPHOS_UTM
- SYMANTEC_EDR
- TANIUM_TH
- UMBRELLA_DNS
- UNIFI_AP
- VANDYKE_SFTP
- VMWARE_ESX
- VMWARE_VREALIZE
- WINDOWS_DHCP
- WINDOWS_DNS
- WINDOWS_SYSMON
- WORKSPACE_ACTIVITY
- WORKSPACE_ALERTS
- WORKSPACE_USERS
For details about the changes in each parser, see Supported default parsers.
April 07, 2022
Exporting Google Cloud Logs to Chronicle
There are now lists of the specific Google Cloud Logs and Google Cloud Asset Metadata that are exported to Chronicle when you enable Google Cloud log ingestion.
February 15, 2022
The DeleteSubject method has been added to the Chronicle Role-Based Access Control (RBAC) API. DeleteSubject enables you to remove user and group role assignments.
February 08, 2022
Chronicle Forwarder
For the Chronicle Forwarder to function properly, an additional firewall rule is needed for host oauth2.googleapis.com. This information has been added to both the Windows and Linux versions of the Forwarder documentation.
December 14, 2021
Role-based access control (RBAC)
Role-based access control (RBAC) enables you to tailor access to Chronicle features based on an employee's role in the organization. Assigning a role to a user grants that user the permissions associated with the role, which enables the user to access role-appropriate Chronicle features.
December 08, 2021
Chronicle provides a set of default dashboards to monitor data ingestion status, health, rule detection context, IOC matches and alert prioritization, and user sign-ins. Reporting is available by converting a dashboard to a shareable file (PDF, Excel, CSV, etc.). You can also create custom personal and shared dashboards.
November 19, 2021
This document describes Chronicle's recommendations for writing rules in YARA-L.
October 15, 2021
Detection Engine API
The ListDetections method has been updated to allow customers to list detections efficiently across rule versions and rules by either detection timestamp or commit timestamp. Parameters originally used to list detections by detection timestamp will eventually be deprecated.
September 28, 2021
Uppercase has been rebranded as Google Cloud Threat Intelligence (GCTI).
September 22, 2021
The Linux Forwarder has been enhanced to support load balancing and high availability. This enables you to deploy the forwarder in an environment where a Layer 4 load balancer is installed between syslog data sources and forwarder instances.
July 13, 2021
New documentation to support Chronicle data ingestion planning
You can now find information about Chronicle supported default parsers.
Supported default parsers provides information about which ingestion labels (LogTypes) also support a default parser. You can find the supported data format (KV, JSON, CEF, etc.), the parser category, and when the default parser was last updated.
July 01, 2021
The asset namespaces feature enables you to classify categories of assets sharing a common network environment, or namespace, and then perform searches for those assets within the Chronicle user interface based on that namespace. See also the Linux Forwarder documentation for information on how to configure the Forwarder to add namespaces to your security data before it is ingested into your Chronicle account.
Linux Forwarder Updates
The Linux Forwarder has been enhanced with the following additional capabilities:
Disk Buffering—Disk buffering enables you to buffer backlogged messages to disk as opposed to memory. The backlogged messages can be stored in case the forwarder crashes or the underlying host crashes.
Regular Expression Filters—Regular expression filters enable you to filter logs based on regular expression matches.
Arbitrary labels—Use labels to attach arbitrary metadata to logs using key and value pairs.
Namespaces—Use namespace labels to identify logs from distinct network segments and to deconflict overlapping IP addresses.
Kafka Input—You can ingest data from Kafka topics just as you can for syslog. Consumer groups are leveraged to enable you to deploy up to 3 Forwarders and pull data from the same Kafka topic.
June 30, 2021
You can download large numbers of the events associated with each threat detection as a CSV file, enabling you to search across a broad set of the data stored in your Chronicle account to hunt for security issues.
June 28, 2021
Detection Engine API
The VerifyRule method has been added to the Detection Engine API. This method verifies that a rule is a valid YARA-L 2.0 rule without creating a new rule or evaluating it over data.
June 21, 2021
Uppercase Alerts
For Chronicle customers who are also Uppercase customers, Uppercase alerts are now displayed on the Enterprise Insights page. Uppercase alerts are derived from both Google's internal threat detection infrastructure and research provided by Uppercase security analysts.
You can view these alerts in Uppercase Alert view. This view also enables you to provide feedback that can be shared with your own security team and with Uppercase.
You can also use the Uppercase API to retrieve alerts from your Chronicle account.
June 01, 2021
Chronicle Automated Google Cloud Log Ingestion
Google Cloud customers can now send logs directly to their Chronicle account. Customers can send both Cloud Audit and Cloud DNS logs. See Ingesting Google Cloud Logs into Chronicle for more information.
May 15, 2021
Archive Rules
You can now archive rules specified for the Detection Engine. Archiving a rule hides the security data related to that rule (and all of its versions) without actually deleting the rule. See Archive rules for more information.
April 23, 2021
Supported Data Sets
Chronicle can now ingest and parse data from the following additional systems and services:
- Aruba Airwave
- Blue Coat Proxy
- Brocade ServerIron ADX
- CIS Albert Alerts
- Cisco Application Control Engine
- Cisco Email Security
- Cisco NX-OS
- Citrix StoreFront
- Cofense Triage
- Comodo
- Fidelis Network
- FireEye NX
- Honeyd
- Kemp Load Balancer
- Kyriba Treasury Management
- Microsoft Intune
- MySQL
- Palo Alto Networks Cortex XDR
- Red Canary EDR
- ServiceNow CMDB
- Symantec VIP Enterprise Gateway
- Tanium Discover
- Tripwire File Integrity Monitoring
January 25, 2021
Chronicle Detection Engine
The Chronicle Detection Engine enables customers to automate the process of searching across their data for security issues. You can specify Rules to search all of your data and notify you when potential and known threats appear in your enterprise. For more information on the Chronicle Detection Engine, please see the following:
Chronicle Detection Engine UI: The Chronicle Detection Engine is integrated within the Chronicle UI. It includes the Rules Dashboard for monitoring Rule activity and the Rules Editor, enabling you to create, test, and activate new Rules.
Chronicle Detection Engine API: The Chronicle Detection Engine API enables you to programmatically modify and operate all of the Detection Engine functionality that is also provided by the Detection Engine UI.
YARA-L 2.0: Use the YARA-L 2.0 language to specify Rules for the Detection Engine.
September 02, 2020
Chronicle User View
Enables customers to better understand how users within an enterprise might be impacted by security events. By focusing on the behavior of individual users, security administrators can search for activity indicating an account compromise or other security concern.
June 12, 2020
Chronicle Rules Engine API
The Chronicle Rules Engine API now includes the StreamRuleNotifications method. This method enables you to continuously receive rules engine results over an HTTP stream as the results are discovered. Contact your Chronicle representative for more information.
Chronicle API Query Limits
The query limits for the Chronicle Search API calls are now documented.
Chronicle Tooling and Management APIs
The query limits for the Chronicle Tooling and Management API calls are now documented. Contact your Chronicle representative for more information.
Supported Data Sets
Chronicle can now ingest and parse data from the following additional systems and services:
- Access Management—Added support for OpenAM.
- Audit—Added support for ManageEngine ADAudit Plus.
- Authentication—Added support for Preempt, Symantec SiteMinder, and Thycotic.
- Badging—Added support for Honeywell Pro-Watch.
- Cloud—Added support for Microsoft Cloud Access Security Broker (CASB) and Salesforce.
- DHCP—Added support for Linux DHCP Server.
- Hypervisor—Added support for VMware ESXi JSON.
- Intrusion Detection and Prevention—Added support for Juniper Intrusion Prevention System (IPS).
- Security Management—Added support for AlgoSec, BeyondTrust, and DMP Entré.
- Server—Added support for Microsoft Internet Information Services (IIS) and Microsoft SQL Server.
May 15, 2020
Chronicle Rules Engine API
The Chronicle Rules Engine API now includes the Live Rules API. The Live Rules API enables you to run and manage security rules in real time. Once activated, a Live Rule monitors your incoming logs for threats until it is deleted or disabled. Contact your Chronicle representative for more information.
UDM Reference
Location Metadata—Added the location metadata fields.
Supported Data Sets
Chronicle can now ingest and parse data from the following additional systems and services:
- ATP—Added support for Microsoft Defender ATP.
- Antivirus—Added support for Bitdefender and Trend Micro.
- Authentication—Added support for Cisco ACS and RSA Authentication Manager version 8.1.
- EDR—Added support for Digital Guardian.
- IDM and PAM—Added support for Cyberark.
- NAC—Added support for Forescout.
- VPN—Added support for Zscaler.
May 08, 2020
Chronicle Tooling API
Helps partners to develop new parsers to normalize new log data types. Contact your Chronicle representative for more information.
Supported Data Sets
Chronicle can now ingest and parse data from the following additional systems and services:
- Alerts—Added support for Suricata.
- Antivirus—Added support for Cisco.
- Application—Added support for Microsoft Office 365.
- Authentications—Added support for Aruba ClearPass, Cisco ISE, and Duo.
- Deception—Added support for Acalvio.
- EDR—For Red Canary customers, Chronicle can ingest EDR logs from Endgame.
- Endpoint—Added support for McAfee ePolicy Orchestrator.
- Firewall—Added support for Zscaler.
- IoC—Added support for Emerging Threats Pro.
- Router—Added support for Cisco.
- SaaS—Added support for Cloudflare and Google G Suite Audit.
- Switch—Added support for Cisco.
- VPN—Added support for Pulse Connect Secure.
March 30, 2020
Chronicle User Guide
Column sort—You can now sort columns on the Enterprise Insights page and from the Timeline sidebar lists.
Supported Data Sets
Chronicle can now ingest and parse data from the following additional systems and services:
- DHCP—Added support for Elastic Packetbeat.
- DNS—Added support for Elastic Packetbeat.
- EDR—Added support for ESET.
- Mail Gateway—Added support for Barracuda Email Security and Mimecast Email Security.
- Web Application Firewall—Added support for Citrix Netscaler.
March 19, 2020
Supported Data Sets
Chronicle can now ingest and parse data from the following additional systems and services:
- Traffic Management—Added support for F5 Big-IP Local Traffic Manager (LTM).
- Unified Threat Management—Added support for Cisco Meraki.
January 01, 2020
Chronicle Partner Ingestion API
Added the udmevents endpoint to enable you to send UDM events in batches.
Chronicle Search API
Enables you to programmatically access your security data directly through API calls to Chronicle.
December 01, 2019
Chronicle Unified Data Model
Describes how to generate properly constructed UDM events for consumption by Chronicle's cyber-security analytics platform.
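The udmevents endpoint (January 01, 2020) accepts UDM events in batches, and the UDM entry above covers how such events are constructed. The following Python is an added example, not Chronicle's own code: it parses a few constructed sshd-style raw log lines into UDM USER_LOGIN events and splits them into request bodies sized by bytes rather than by count, so a single large batch cannot exceed a caller-chosen payload limit. The customer_id value, the vendor/product labels, and the payload limit are assumptions for illustration; the field names (metadata.event_timestamp, metadata.event_type, principal.ip, target.user.userid, security_result.action) are standard UDM fields.

```python
"""Build UDM events from raw log lines and batch them for the udmevents endpoint (added example)."""
import json
import re
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample input: simplified syslog-style sshd auth lines (not real customer data).
RAW_LOGS = [
    "2020-01-01T10:15:30Z host-a sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 51422",
    "2020-01-01T10:15:41Z host-a sshd[2202]: Failed password for root from 203.0.113.7 port 40022",
    "2020-01-01T10:16:02Z host-b sshd[918]: Accepted password for bob from 10.0.0.9 port 50110",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) "
    r"for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)$"
)


def to_udm_event(line: str) -> Dict:
    """Normalize one sshd auth line into a UDM USER_LOGIN event.

    Unparseable lines raise rather than producing a half-filled event, since a
    UDM event without a valid metadata.event_timestamp and event_type is rejected
    by the ingestion pipeline.
    """
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    action = "ALLOW" if m["result"] == "Accepted" else "BLOCK"
    return {
        "metadata": {
            "event_timestamp": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),  # RFC 3339, UTC
            "event_type": "USER_LOGIN",
            "vendor_name": "OpenBSD",   # assumption: labels chosen for this example
            "product_name": "OpenSSH",
        },
        "principal": {"ip": [m["ip"]], "port": int(m["port"])},  # principal.ip is a repeated field
        "target": {"hostname": m["host"], "user": {"userid": m["user"]}},
        "security_result": [{"action": [action]}],  # action is a repeated enum in UDM
    }


def batch_by_size(events: List[Dict], max_bytes: int) -> List[List[Dict]]:
    """Split events into batches whose serialized size stays under max_bytes.

    A batch always holds at least one event, so a single oversized event is
    emitted alone instead of being silently dropped.
    """
    batches: List[List[Dict]] = []
    current: List[Dict] = []
    size = 0
    for ev in events:
        ev_bytes = len(json.dumps(ev, separators=(",", ":")).encode()) + 1  # +1 for the list separator
        if current and size + ev_bytes > max_bytes:
            batches.append(current)
            current, size = [], 0
        current.append(ev)
        size += ev_bytes
    if current:
        batches.append(current)
    return batches


def build_udmevents_requests(customer_id: str, lines: List[str], max_bytes: int) -> List[Dict]:
    """Return one udmevents request body per batch: {"customer_id": ..., "events": [...]}.

    The body shape is an assumption of this example; check the Ingestion API
    reference for the exact contract and size limits before sending.
    """
    events = [to_udm_event(line) for line in lines]
    return [{"customer_id": customer_id, "events": batch} for batch in batch_by_size(events, max_bytes)]


if __name__ == "__main__":
    for body in build_udmevents_requests("example-customer-id", RAW_LOGS, max_bytes=400):
        print(json.dumps(body, indent=2))
```

Sizing batches by serialized bytes instead of event count matters because UDM events vary widely in size; a count-based batch that is fine for DNS events can blow past the request limit for verbose EDR events.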
July 01, 2019
Raw Log Scan
Enables you to examine your raw unparsed logs.
Regular Expressions
Enables you to search your raw logs using regular expressions.
Hash View
Enables you to search for and investigate files based on their hash value.
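The Raw Log Scan, Regular Expressions and Hash View entries above describe three related operations: scanning unparsed logs, scanning them with a regular expression, and pivoting on a file hash. The following Python is an added example, not Chronicle's own code or UI: it runs a regex scan over constructed raw log lines, extracts MD5/SHA-1/SHA-256 digests by their hex length, normalizes case so the same file seen on two hosts collapses to one indicator, and pivots back to every line that references a given digest. The sample log lines are constructed for this example.

```python
"""Regex scan and hash pivot over raw, unparsed log lines (added example)."""
import re
from typing import Dict, List

# Constructed sample input: mixed EDR and proxy raw lines (not real customer data).
RAW_LOGS = [
    "2020-07-01T09:00:01Z ws-17 edr: file_created path=C:\\Users\\a\\Downloads\\inv.exe "
    "sha256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
    "2020-07-01T09:00:04Z ws-17 edr: process_start image=inv.exe md5=d41d8cd98f00b204e9800998ecf8427e parent=explorer.exe",
    "2020-07-01T09:00:09Z proxy-1 squid: TCP_MISS/200 GET http://203.0.113.9/update.bin user=alice",
    "2020-07-01T09:01:12Z ws-22 edr: file_created path=C:\\tmp\\inv.exe "
    "sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
]

# Word boundaries keep a 32-hex MD5 from matching inside a 64-hex SHA-256 run.
# Caveat: any 32/40/64-character hex token (e.g. an unhyphenated GUID) will also
# match; treat the result as candidate indicators, not confirmed file hashes.
HASH_RE = re.compile(r"\b[0-9a-fA-F]{32}\b|\b[0-9a-fA-F]{40}\b|\b[0-9a-fA-F]{64}\b")
HASH_KINDS = {32: "MD5", 40: "SHA1", 64: "SHA256"}


def scan_raw_logs(lines: List[str], pattern: str, flags: int = re.IGNORECASE) -> List[int]:
    """Return 1-based line numbers of raw lines matching the regular expression."""
    rx = re.compile(pattern, flags)
    return [i for i, line in enumerate(lines, start=1) if rx.search(line)]


def extract_hashes(lines: List[str]) -> Dict[str, Dict]:
    """Map each lowercase digest to its kind and the raw lines it appears on."""
    found: Dict[str, Dict] = {}
    for i, line in enumerate(lines, start=1):
        for m in HASH_RE.finditer(line):
            digest = m.group(0).lower()  # normalize so upper/lowercase copies collapse
            entry = found.setdefault(digest, {"kind": HASH_KINDS[len(digest)], "lines": []})
            entry["lines"].append(i)
    return found


def pivot_on_hash(lines: List[str], digest: str) -> List[int]:
    """Hash View-style pivot: every raw line referencing the digest, case-insensitively."""
    return scan_raw_logs(lines, re.escape(digest), re.IGNORECASE)


if __name__ == "__main__":
    for digest, info in extract_hashes(RAW_LOGS).items():
        print(f"{info['kind']:7} {digest}  lines={info['lines']}")
    print("inv.exe seen on lines:", scan_raw_logs(RAW_LOGS, r"inv\.exe"))
```

Normalizing digest case before de-duplicating is the step most often skipped in ad-hoc scripts; without it the same binary logged by two EDR agents with different casing shows up as two indicators.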
June 01, 2019
Chronicle Data Flow Overview
Information on how customer security data flows from customers to Chronicle and how Chronicle handles that data.
May 01, 2019
Chronicle Partner Ingestion API
Enables you to forward raw logs directly to Chronicle.
March 01, 2019
Enterprise Insights
Now includes the Procedural Filtering menu and lists all of the Assets with Alerts within your enterprise.
Viewing EDR Data in the Timeline
Viewing Endpoint Detection and Response (EDR) data in the timeline.
Domain Context
Analytics and insights from VirusTotal, EmergingThreats, WHOIS, and Department of Homeland Security's (DHS) Automated Indicator Sharing (AIS) data sources.
Investigating Domains and IP Addresses
Searching for external IP addresses and URLs.
Chronicle Chrome Extension
Search for indicators using the Chrome extension.