Release Notes

This page documents production updates to Chronicle. You can periodically check this page for announcements about new or updated features, bug fixes, known issues, and deprecated functionality.

You can see the latest product updates for all of Google Cloud on the Google Cloud page, browse and filter all release notes in the Google Cloud Console, or you can programmatically access release notes in BigQuery.


November 19, 2021

New documentation describes Chronicle's recommendations for writing rules in YARA-L.

October 15, 2021

Detection Engine API

The ListDetections method has been updated to allow customers to list detections efficiently across rule versions and rules by either detection timestamp or commit timestamp. Parameters originally used to list detections by detection timestamp will eventually be deprecated.

September 28, 2021

Uppercase has been rebranded as Google Cloud Threat Intelligence (GCTI).

September 22, 2021

The Linux Forwarder has been enhanced to support load balancing and high availability. This enables you to deploy the forwarder in an environment where a Layer 4 load balancer sits between the syslog data sources and the forwarder instances.

July 13, 2021

New documentation to support Chronicle data ingestion planning

You can now find information about Chronicle supported default parsers.

Supported default parsers lists which ingestion labels (LogTypes) also have a default parser. For each one you can find the supported data format (KV, JSON, CEF, etc.), the parser category, and when the default parser was last updated.

July 01, 2021

Asset Namespaces

The asset namespaces feature enables you to classify categories of assets sharing a common network environment, or namespace, and then perform searches for those assets within the Chronicle user interface based on that namespace. See also the Linux Forwarder documentation for information on how to configure the Forwarder to add namespaces to your security data before it is ingested into your Chronicle account.

Linux Forwarder Updates

The Linux Forwarder has been enhanced with the following additional capabilities:

Disk Buffering—Disk buffering enables you to buffer backlogged messages to disk instead of memory, so that the backlog is preserved if the forwarder or the underlying host crashes.

Regular Expression Filters—Regular expression filters enable you to filter logs based on regular expression matches.

Arbitrary labels—Use labels to attach arbitrary metadata to logs using key and value pairs.

Namespaces—Use namespace labels to identify logs from distinct network segments and to deconflict overlapping IP addresses.

Kafka Input—You can ingest data from Kafka topics just as you can from syslog. Kafka consumer groups are used so that you can deploy up to 3 Forwarders that pull data from the same Kafka topic.

June 30, 2021

Downloading Events

You can download a large number of the events associated with each threat detection as a CSV file, enabling you to search across a broad set of the data stored in your Chronicle account to hunt for security issues.

June 28, 2021

Detection Engine API

The VerifyRule method has been added to the Detection Engine API. This method verifies that a rule is a valid YARA-L 2.0 rule without creating a new rule or evaluating it over data.

June 21, 2021

Uppercase Alerts

For Chronicle customers who are also Uppercase customers, Uppercase alerts are now displayed on the Enterprise Insights page. Uppercase alerts are derived from both Google's internal threat detection infrastructure and research provided by Uppercase security analysts.

You can view these alerts in the Uppercase Alert view. This view also enables you to provide feedback that can be shared with your own security team and with Uppercase.

You can also use the Uppercase API to retrieve alerts from your Chronicle account.

June 01, 2021

Chronicle Automated GCP Log Ingestion

Google Cloud customers can now send logs directly to their Chronicle account. Customers can send both Cloud Audit and Cloud DNS logs. See Ingesting GCP Logs into Chronicle for more information.

May 15, 2021

Archive Rules

You can now archive rules specified for the Detection Engine. Archiving a rule hides the security data related to that rule (and all of its versions) without actually deleting the rule. See Archive rules for more information.

April 23, 2021

Supported Data Sets

Chronicle can now ingest and parse data from the following additional systems and services:

  • Aruba Airwave
  • Blue Coat Proxy
  • Brocade ServerIron ADX
  • CIS Albert Alerts
  • Cisco Application Control Engine
  • Cisco Email Security
  • Cisco NX-OS
  • Citrix StoreFront
  • Cofense Triage
  • Comodo
  • Fidelis Network
  • FireEye NX
  • Honeyd
  • Kemp Load Balancer
  • Kyriba Treasury Management
  • Microsoft Intune
  • MySQL
  • Palo Alto Networks Cortex XDR
  • Red Canary EDR
  • ServiceNow CMDB
  • Symantec VIP Enterprise Gateway
  • Tanium Discover
  • Tripwire File Integrity Monitoring

January 25, 2021

  • Chronicle Detection Engine

    Enables customers to automate the process of searching across their data for security issues. You can specify Rules to search all of your data and notify you when potential and known threats appear in your enterprise. For more information on the Chronicle Detection Engine, please see the following:

    • Chronicle Detection Engine UI: The Chronicle Detection Engine is integrated within the Chronicle UI. It includes the Rules Dashboard for monitoring Rule activity and the Rules Editor, enabling you to create, test, and activate new Rules.

    • Chronicle Detection Engine API: The Chronicle Detection Engine API enables you to programmatically modify and operate all of the Detection Engine functionality that is also provided by the Detection Engine UI.

    • YARA-L 2.0: Use the YARA-L 2.0 language to specify Rules for the Detection Engine.

September 02, 2020

  • Chronicle User View

    Enables customers to better understand how users within an enterprise might be impacted by security events. By focusing on the behavior of individual users, security administrators can search for activity indicating an account compromise or other security concern.

June 12, 2020

  • Chronicle Rules Engine API

    The Chronicle Rules Engine API now includes the StreamRuleNotifications method. This method enables you to continuously receive rules engine results over an HTTP stream as the results are discovered. Contact your Chronicle representative for more information.

  • Chronicle API Query Limits

    The query limits for the Chronicle Search API calls are now documented.

  • Chronicle Tooling and Management APIs

    The query limits for the Chronicle Tooling and Management API calls are now documented. Contact your Chronicle representative for more information.

  • Supported Data Sets

    Chronicle can now ingest and parse data from the following additional systems and services:

    • Access Management—Added support for OpenAM.
    • Audit—Added support for ManageEngine ADAudit Plus.
    • Authentication—Added support for Preempt, Symantec SiteMinder, and Thycotic.
    • Badging—Added support for Honeywell Pro-Watch.
    • Cloud—Added support for Microsoft Cloud Access Security Broker (CASB) and Salesforce.
    • DHCP—Added support for Linux DHCP Server.
    • Hypervisor—Added support for VMware ESXi JSON.
    • Intrusion Detection and Prevention—Added support for Juniper Intrusion Prevention System (IPS).
    • Security Management—Added support for AlgoSec, BeyondTrust, and DMP Entré.
    • Server—Added support for Microsoft Internet Information Services (IIS) and Microsoft SQL Server.

May 15, 2020

  • Chronicle Rules Engine API

    The Chronicle Rules Engine API now includes the Live Rules API. The Live Rules API enables you to run and manage security rules in real time. Once activated, a Live Rule monitors your incoming logs for threats until it is deleted or disabled. Contact your Chronicle representative for more information.

  • UDM Reference

    Location Metadata—Added the location metadata fields.

  • Supported Data Sets

    Chronicle can now ingest and parse data from the following additional systems and services:

    • ATP—Added support for Microsoft Defender ATP.
    • Antivirus—Added support for Bitdefender and Trend Micro.
    • Authentication—Added support for Cisco ACS and RSA Authentication Manager version 8.1.
    • EDR—Added support for Digital Guardian.
    • IDM and PAM—Added support for Cyberark.
    • NAC—Added support for Forescout.
    • VPN—Added support for Zscaler.

May 08, 2020

  • Chronicle Tooling API

    Helps partners to develop new parsers to normalize new log data types. Contact your Chronicle representative for more information.

  • Supported Data Sets

    Chronicle can now ingest and parse data from the following additional systems and services:

    • Alerts—Added support for Suricata.
    • Antivirus—Added support for Cisco.
    • Application—Added support for Microsoft Office 365.
    • Authentications—Added support for Aruba ClearPass, Cisco ISE, and Duo.
    • Deception—Added support for Acalvio.
    • EDR—For Red Canary customers, Chronicle can ingest EDR logs from Endgame.
    • Endpoint—Added support for McAfee ePolicy Orchestrator.
    • Firewall—Added support for Zscaler.
    • IoC—Added support for Emerging Threats Pro.
    • Router—Added support for Cisco.
    • SAAS—Added support for Cloudflare and Google G Suite Audit.
    • Switch—Added support for Cisco.
    • VPN—Added support for Pulse Connect Secure.

March 30, 2020

  • Chronicle User Guide

    Column sort—You can now sort columns on the Enterprise Insights page and from the Timeline sidebar lists.

  • Supported Data Sets

    Chronicle can now ingest and parse data from the following additional systems and services:

    • DHCP—Added support for Elastic Packetbeat.
    • DNS—Added support for Elastic Packetbeat.
    • EDR—Added support for ESET.
    • Mail Gateway—Added support for Barracuda Email Security and Mimecast Email Security.
    • Web Application Firewall—Added support for Citrix Netscaler.

March 19, 2020

  • Supported Data Sets

    Chronicle can now ingest and parse data from the following additional systems and services:

    • Traffic Management—Added support for F5 Big-IP Local Traffic Manager (LTM).
    • Unified Threat Management—Added support for Cisco Meraki.

January 01, 2020

  • Chronicle Partner Ingestion API

    Added the udmevents endpoint to enable you to send UDM events in batches.

  • Chronicle Search API

    Enables you to programmatically access your security data directly through API calls to Chronicle.

December 01, 2019

  • Chronicle Unified Data Model

    Describes how to generate properly constructed UDM events for consumption by Chronicle's cyber-security analytics platform.

July 01, 2019

  • Raw Log Scan

    Enables you to examine your raw unparsed logs.

  • Regular Expressions

    Enables you to search your raw logs using regular expressions.

  • Hash View

    Enables you to search for and investigate files based on their hash value.

June 01, 2019

  • Chronicle Data Flow Overview

    Information on how customer security data flows from customers to Chronicle and how Chronicle handles that data.

May 01, 2019

  • Chronicle Partner Ingestion API

    Enables you to forward raw logs directly to Chronicle.

March 01, 2019

  • Enterprise Insights

    Now includes the Procedural Filtering menu and lists all of the Assets with Alerts within your enterprise.

  • Viewing EDR Data in the Timeline

    Viewing Endpoint Detection and Response (EDR) data in the timeline.

  • Domain Context

    Analytics and insights from VirusTotal, EmergingThreats, WHOIS, and Department of Homeland Security's (DHS) Automated Indicator Sharing (AIS) data sources.

  • Investigating Domains and IP Addresses

    Searching for external IP addresses and URLs.

  • Chronicle Chrome Extension

    Search for indicators using the Chrome extension.