This page documents production updates to Google Security Operations. You can periodically check this page for announcements about new or updated features, bug fixes, known issues, and deprecated functionality.
You can see the latest product updates for all of Google Cloud on the Google Cloud page, browse and filter all release notes in the Google Cloud console, or programmatically access release notes in BigQuery.
To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly.
October 28, 2024
Google SecOps has updated the list of supported default parsers. Parsers are updated gradually, so it might take one to four days before you see the changes reflected in your region.
The following supported default parsers have changed. Each parser is listed by product name and log_type value, if applicable. This list now includes both released default parsers and pending parser updates.
- AIX system (OS)
- Apache Tomcat (Web server)
- Apigee (Google Cloud Specific)
- Aqua Security (IaaS Applications)
- Aruba Switch (Network Infrastructure)
- Auth0 (Authentication log)
- AWS Cloudtrail (Cloud Log Aggregator)
- AWS GuardDuty (IDS/IPS)
- AWS RDS (Database)
- AWS Route 53 DNS (AWS Specific)
- AWS VPC Flow (AWS Specific)
- Azure AD (LDAP)
- Azure AD Sign-In (Misc Windows Specific)
- Azure VPN (VPN)
- Blue Coat Proxy (Web Proxy)
- BMC Client Management (Security)
- Checkpoint Audit (AUDIT)
- Chrome Management (Browser)
- Cisco ASA (firewall)
- Cisco Internetwork Operating System (Network Infrastructure)
- Cisco IronPort (Gateway Security)
- Cisco Meraki (Wireless)
- Cisco Router (Switches, Routers)
- Cisco Switch (Switches, Routers)
- Cisco UCM (Communication Manager)
- Cisco Unity Connection (Administration and Management)
- Citrix Netscaler (Load Balancer, Traffic Shaper, ADC)
- Claroty Continuous Threat Detection (IoT)
- Cloud Audit Logs (Google Cloud Specific)
- Cloudflare (SaaS Application)
- CommVault (Alert System)
- CrowdStrike Detection Monitoring (EDR)
- CrowdStrike Falcon (EDR)
- Darktrace (NDR)
- Dell Switch (Switches, Routers)
- Druva Backup (Security)
- Entrust nShield HSM (Hardware Security Module)
- F5 ASM (WAF)
- F5 BIGIP LTM (Load Balancer, Traffic Shaper, ADC)
- Fidelis Network (NDR)
- FireEye (Alerts)
- FireEye HX (EDR)
- FireEye NX (NDR)
- FortiGate (Firewall)
- Fortinet FortiAnalyzer (Fortinet FortiAnalyzer)
- GitGuardian Enterprise (SaaS Applications)
- Guardicore Centra (Deception Software)
- Halcyon Anti Ransomware (AV and endpoint logs)
- Hashicorp Vault (Privileged Account Activity)
- HP Linux (OS)
- IBM Mainframe Storage (Monitoring)
- IBM OpenPages (Data Security)
- IBM Security QRadar SOAR (Security)
- Imperva (WAF)
- Imperva Advanced Bot Protection (Bot Protection)
- Imperva Audit Trail (IT infrastructure)
- Infoblox DHCP (DHCP)
- INTEL471 Watcher Alerts (Data Security)
- Jamf Protect Alerts (Endpoint Security)
- Juniper (Firewall)
- KnowBe4 PhishER (Email server log types)
- Kubernetes Node (Kubernetes Container)
- Linux Auditing System (AuditD) (OS)
- McAfee ePolicy Orchestrator (Policy Management)
- Microsoft AD (LDAP)
- Microsoft Azure Resource (Log Aggregator)
- Microsoft Defender for Identity (EDR)
- Microsoft Defender for Office 365 (Email server log types)
- Microsoft Graph Activity Logs (AUDIT)
- Microsoft Netlogon (Authentication)
- Microsoft SQL Server (Database)
- Microsoft System Center Endpoint Protection (Malware Detection)
- Netscope Client (CASB)
- Office 365 (SaaS Application)
- Okta User Context (Identity and Access Management)
- One Identity Identity Manager (unified identity security)
- Opswat Metadefender (Threat Protection)
- Palo Alto Networks Firewall (Firewall)
- Palo Alto Prisma Cloud Alert payload (Cloud Security)
- pfSense (FIREWALL)
- Ping Federate (Authentication)
- Proofpoint Observeit (Email Server)
- ProofPoint Secure Email Relay (Email server)
- Pure Storage (Data Storage)
- Red Hat Directory Server LDAP (Identity and Access Management)
- Salesforce (SaaS Application)
- Salesforce Commerce Cloud (SaaS Application)
- Security Command Center Threat (Google Cloud Specific)
- ServiceNow CMDB (Policy Management)
- Sophos UTM (Unified Threat Management)
- Symantec Endpoint Protection (AV / Endpoint)
- Sysdig (Security)
- Tanium Threat Response (Tanium Specific)
- ThreatX WAF (WAF)
- Thycotic (Identity and Access Management)
- Tines (Data Security)
- Trend Micro (SMS, UNITY_ONE)
- Trend Micro Deep Security (AV / Endpoint)
- Trend Micro Vision One (AV and endpoint logs)
- Twingate (VPN)
- Unix system (OS)
- Velo Firewall (FIREWALL)
- VMware AirWatch (Wireless)
- Windows Defender ATP (AV / Endpoint)
- Windows Event (Endpoint)
- Windows Event (XML) (AV / Endpoint)
- Windows Local Administrator Password Solution (Local Administrator Password Solution)
- Windows Sysmon (DNS)
- Workday Audit Logs (Audit And Compliance)
- Workspace Activities (Google Cloud Specific)
- Workspace Alerts (Google Cloud Specific)
- Zscaler (Web Proxy)
- Zscaler Tunnel (N/A)
The following log types were added without a default parser. Each log type is listed by product name and log_type value, if applicable.
- Adobe I/O Runtime (ADOBE_IO_RUNTIME)
- Amazon VPC Transit Gateway Flow Logs (AWS_VPC_TRANSIT_GATEWAY)
- Appsentinels (APPSENTINELS)
- Asset Panda (ASSET_PANDA)
- AstriX (ASTRIX)
- Atlan (ATLAN)
- Azure Container Registry (AZURE_CONTAINER_REGISTRY)
- Backbase Engagement Banking Platform (BACKBASE)
- Barracuda Incident Response (BARRACUDA_INCIDENTRESPONSE)
- Cloudflare Access (CLOUDFLARE_ACCESS)
- Control D DNS (CONTROL_D)
- Digicert (DIGICERT)
- Elastic Defend (ELASTIC_DEFEND)
- FingerprintJS (FINGERPRINT_JS)
- Hashicorp Nomad (HASHICORP_NOMAD)
- IBM NS1 (IBM_NS1)
- Intel 471 Malware Intelligence (INTEL471_MALWARE_INTEL)
- MacStadium (MACSTADIUM)
- N-Able N-Central RMM (N_ABLE_N_CENTRAL_RMM)
- Opentext Exstream (OPENTEXT_EXSTREAM)
- OVHcloud (OVHCLOUD)
- OX Security (OX_SECURITY)
- Pharos (PHAROS)
- ReliaQuest (RELIAQUEST)
- Rublon (RUBLON)
- Snyk Group level audit/issues logs (SNYK_ISSUES)
- SolarWinds Network Performance Monitor (SOLARWINDS_NPM)
- StackHawk (STACKHAWK)
- Tencent Cloud Firewall (TENCENT_CLOUD_FIREWALL)
- Tencent Cloud Waf (TENCENT_CLOUD_WAF)
- Tencent Cloud Workload Protection (TENCENT_CLOUD_WORKLOAD_PROTECTION)
- Trend Micro Server Protect (TRENDMICRO_SERVER_PROTECT)
- UKG (UKG)
- Uptivity (UPTIVITY)
- USBAV Koramis (USBAV_KORAMIS)
- Virtual Network Flow Logs (VIRTUAL_NETWORK_FLOW_LOGS)
- Windows Performance Monitor (MS_PERFMON)
For a list of supported log types and details about default parser changes, see Supported log types and default parsers.
October 15, 2024
Google SecOps has updated the list of supported default parsers. Parsers are updated gradually, so it might take one to four days before you see the changes reflected in your region.
The following supported default parsers have changed. Each parser is listed by product name and log_type value, if applicable. This list now includes both released default parsers and pending parser updates.
- Abnormal Security (Email Server)
- AIX system (OS)
- Akamai DNS (DNS)
- Akamai WAF (WAF)
- Apache (Security)
- Apigee (Google Cloud Specific)
- Apple macOS (AV / Endpoint)
- Archer Integrated Risk Management (Risk Management Solution)
- Area1 Security (Email server)
- Aruba (Wireless)
- Aruba Switch (Network Infrastructure)
- Auth0 (Authentication log)
- AWS CloudFront (CDN)
- AWS Cloudtrail (Cloud Log Aggregator)
- AWS CloudWatch (Cloud service monitoring)
- AWS EMR (AWS Specific)
- AWS VPN (VPN)
- Azure AD (LDAP)
- Azure AD Directory Audit (Audit)
- Azure Firewall (Azure Firewall Application Rule)
- Azure Key Vault logging (Audit)
- Barracuda Firewall (Firewall)
- Barracuda WAF (Firewall)
- BeyondTrust Endpoint Privilege Management (Privileged Account Activity)
- Blue Coat Proxy (Web Proxy)
- BMC Client Management (Security)
- Check Point (Firewall)
- Chrome Management (Browser)
- Cisco IronPort (Gateway Security)
- Cisco ISE (Identity and Access Management)
- Cisco Meraki (Wireless)
- Cisco Router (Switches, Routers)
- Cisco Stealthwatch (Log Aggregator)
- Cisco Switch (Switches, Routers)
- Cisco TACACS+ (Authentication)
- Cisco Umbrella Web Proxy (Web Proxy)
- Cisco WLC/WCS (Wireless)
- Citrix Netscaler (Load Balancer, Traffic Shaper, ADC)
- Claroty Continuous Threat Detection (IoT)
- Cloud Audit Logs (Google Cloud Specific)
- Cloud Data Loss Prevention (Google Cloud Specific)
- Cloud SQL (Google Cloud Specific)
- Cohesity (Backup Software)
- Corelight (NDR)
- CrowdStrike Detection Monitoring (EDR)
- CrowdStrike Falcon (EDR)
- CrushFTP (Application server)
- Darktrace (NDR)
- Delinea Secret Server (Privileged Account Activity)
- Dell EMC Data Domain (Storage system)
- Druva Backup (Security)
- Duo Activity Logs (Activity)
- Duo Administrator Logs (Authentication)
- Elastic Windows Event Log Beats (Log Aggregator)
- Ergon Informatik Airlock IAM (Application Whitelisting)
- F5 BIGIP Access Policy Manager (Access Policy Manager)
- F5 BIGIP LTM (Load Balancer, Traffic Shaper, ADC)
- FireEye HX (EDR)
- FortiGate (Firewall)
- Fortinet FortiAnalyzer (Fortinet FortiAnalyzer)
- Fortinet FortiAuthenticator (Security)
- Fortinet FortiEDR (EDR)
- Fortinet Fortimanager (Network Management and Optimization software)
- GitHub (SaaS Application)
- GMV Checker ATM Security (ATM Audit)
- Guardicore Centra (Deception Software)
- Hashicorp Vault (Privileged Account Activity)
- HP Aruba (ClearPass) (Identity and Access Management)
- IBM Cloud Activity Tracker (Security Log)
- IBM DB2 (Database)
- IBM Mainframe Storage (Monitoring)
- IBM OpenPages (Data Security)
- Imperva (WAF)
- Imperva CEF (CEF)
- Imperva DRA (Data Security)
- Infoblox (DHCP, DNS)
- Infoblox DNS (DNS)
- JAMF Pro (Mac Endpoint Management System)
- Keycloak (Identity and Access Management)
- Lacework Cloud Security (Cloud Security)
- Linux Auditing System (AuditD) (OS)
- Linux DHCP (DHCP)
- ManageEngine Log360 (Alert Log)
- McAfee ePolicy Orchestrator (Policy Management)
- Microsoft AD FS (LDAP)
- Microsoft Azure Activity (Misc Windows Specific)
- Microsoft Azure Resource (Log Aggregator)
- Microsoft Defender For Cloud (Automation and DevOps Tools)
- Microsoft Defender for Endpoint (EDR)
- Microsoft Defender for Identity (EDR)
- Microsoft Graph Activity Logs (AUDIT)
- Microsoft Graph API Alerts (Gateway to data and intelligence)
- Microsoft Intune Context (Mobile Device Management)
- Microsoft SQL Server (Database)
- Mimecast URL Logs (Email server log types)
- MISP Threat Intelligence (Cybersecurity)
- Mobile Endpoint Security (Mobile Endpoint Security)
- NetApp ONTAP (Rest api)
- Netskope V2 (Cloud Security)
- Office 365 (SaaS Application)
- Okta (Identity and Access Management)
- One Identity Identity Manager (unified identity security)
- Opengear Remote Management (Secure Remote Access)
- Oracle (DATABASE)
- Oracle Cloud Infrastructure VCN Flow Logs (Oracle Cloud Infrastructure)
- Palo Alto Networks Firewall (Firewall)
- Palo Alto Panorama (Firewall)
- Palo Alto Prisma Cloud Alert payload (Cloud Security)
- Proofpoint CASB (CASB)
- Proofpoint Email Filter (Email Server)
- Proofpoint On Demand (Email Server)
- Proofpoint Threat Response (Email Server)
- Pulse Secure (VPN)
- Radware Web Application Firewall (Firewall)
- SailPoint IAM (Identity and Access Management)
- Saiwall VPN (VPN)
- Salesforce (SaaS Application)
- Sentinelone Alerts (Endpoint Security)
- SonicWall (Firewall)
- Sophos Central (AV / Endpoint)
- Sophos Firewall (Next Gen) (Firewall)
- Squid Web Proxy (Web Proxy)
- STIX Threat Intelligence (Cybersecurity Threats)
- Suricata EVE (IPS IDS)
- Symantec DLP (DLP)
- Symantec Endpoint Protection (AV / Endpoint)
- Symantec Web Security Service (Web Proxy)
- TINTRI (Data Security)
- Trend Micro Apex one (Endpoint Security)
- TrendMicro Apex Central (Endpoint)
- UberAgent (Security)
- Veeam (Backup software)
- Velo Firewall (FIREWALL)
- VMware AirWatch (Wireless)
- VMware NSX (Network and Security Virtualization)
- VMware vCenter (Server)
- WatchGuard (Syslog and KV)
- Wazuh (Log Aggregator)
- Windows Event (Endpoint)
- Windows Event (XML) (AV / Endpoint)
- Windows Sysmon (DNS)
- Workday User Activity (N/A)
- Workspace Activities (Google Cloud Specific)
- XAMS by Xiting (Log Aggregator)
- ZeroFox Platform (Database)
- Zscaler (Web Proxy)
- Zywall (Network infrastructure)
The following log types were added without a default parser. Each log type is listed by product name and log_type value, if applicable.
- Adaptive Shield (ADAPTIVE_SHIELD)
- Agiloft (AGILOFT)
- Airwatch Context (AIRWATCH_CONTEXT)
- Attack IQ (ATTACK_IQ)
- AWS PY Tools (AWS_PY_TOOLS)
- Bindplane Agent (BINDPLANE_AGENT)
- BindPlane Audit Logs (BINDPLANE)
- Bitsight (BITSIGHT)
- Bitvise SFTP (BITVISE_SFTP)
- Ciena Router logs (CIENA_ROUTER)
- Cisco Viptela (CISCO_VIPTELA)
- Colinet Trotta GAUS SEGUROS (CT_GAUS_SEGUROS)
- Conductor One (CONDUCTOR_ONE)
- Crowdstrike Endpoint Security API (CS_ENDPOINT_SECURITY_API)
- Fiserv SecureNow (SECURE_NOW)
- Greenhouse Harvest (GREENHOUSE_HARVEST)
- Harness IO (HARNESS_IO)
- Hashicorp Boundary (HASHICORP_BOUNDARY)
- HP Linux (HP_LINUX)
- IBM Security Guardium Insights (IBM_INSIGHTS)
- Imperva Attack Analytics (IMPERVA_ATTACK_ANALYTICS)
- INTEL471 Watcher Alerts (INTEL471_WATCHER_ALERTS)
- JAMF Security Cloud (JAMF_SECURITY_CLOUD)
- JBoss Web (JBOSS_WEB)
- Kandji Context (KANDJI_CONTEXT)
- Lenels2 Elements Secure (LENELS2_ELEMENTS_SECURE)
- ManageEngine OpUtils (MANAGE_ENGINE_OPUTILS)
- Microsoft Graph Incident (MICROSOFT_GRAPH_INCIDENT)
- Miro (MIRO)
- Open Policy Agent (OPA)
- Oracle Access Manager (ORACLE_AM)
- Oracle Enterprise Manager (ORACLE_OEM)
- Perception Point XRay (PERCEPTION_POINT_XRAY)
- RedSift BrandTrust (REDSIFT_BRANDTRUST)
- Riverbed (RIVERBED)
- SAP Sybase Adaptive Server Enterprise Database (SAP_ASE)
- Sharefile Logs (SHAREFILE_LOGS)
- Smartsheet (SMARTSHEET)
- Statusgator (STATUSGATOR)
- Titan MFT (TITAN_MFT)
- Upwind (UPWIND)
- Vanta Context (VANTA_CONTEXT)
- Varnish Cache (VARNISH_CACHE)
- Vercel WAF (VERCEL_WAF)
- Veriato Cerebral (VERIATO_CEREBRAL)
For a list of supported log types and details about default parser changes, see Supported log types and default parsers.
October 06, 2024
When performing a search on entities in the SOAR search page, you can now focus on more precise results by using the new condition Equals, in addition to the default condition Contains.
September 30, 2024
The case report now includes all information written on the case wall.
It is now possible to merge cases where the requester is not the assignee, both in the platform and through the API endpoint api/external/v1/cases-queue/bulk-operations/MergeCases.
September 16, 2024
Google SecOps has updated the list of supported default parsers. Parsers are updated gradually, so it might take one to four days before you see the changes reflected in your region.
The following supported default parsers have changed. Each parser is listed by product name and log_type value, if applicable. This list now includes both released default parsers and pending parser updates.
- Abnormal Security (ABNORMAL_SECURITY)
- Akamai DNS (AKAMAI_DNS)
- Amazon API Gateway (AWS_API_GATEWAY)
- Apache (APACHE)
- Apigee (GCP_APIGEE_X)
- Archer Integrated Risk Management (ARCHER_IRM)
- Arcsight CEF (ARCSIGHT_CEF)
- AWS Cloudtrail (AWS_CLOUDTRAIL)
- AWS VPC Flow (AWS_VPC_FLOW)
- AWS VPN (AWS_VPN)
- Azure AD (AZURE_AD)
- Azure AD Audit (AZURE_AD_AUDIT)
- Azure AD Sign-In (AZURE_AD_SIGNIN)
- Azure Storage Audit (AZURE_STORAGE_AUDIT)
- Azure WAF (AZURE_WAF)
- BeyondTrust Privileged Identity (BEYONDTRUST_PI)
- Blue Coat Proxy (BLUECOAT_WEBPROXY)
- Carbon Black App Control (CB_APP_CONTROL)
- Check Point (CHECKPOINT_FIREWALL)
- Checkpoint Audit (CHECKPOINT_AUDIT)
- Cisco ASA (CISCO_ASA_FIREWALL)
- Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
- Cisco ISE (CISCO_ISE)
- Cisco Meraki (CISCO_MERAKI)
- Cisco WSA (CISCO_WSA)
- Citrix Netscaler (CITRIX_NETSCALER)
- Cloud Audit Logs (N/A)
- Cloud Data Loss Prevention (N/A)
- Cloud Load Balancing (GCP_LOADBALANCING)
- Cloud SQL (GCP_CLOUDSQL)
- Cloudflare WAF (CLOUDFLARE_WAF)
- Cohesity (COHESITY)
- Corelight (CORELIGHT)
- CrowdStrike Falcon (CS_EDR)
- Cyber 2.0 IDS (CYBER_2_IDS)
- Cyberark Privilege Cloud (CYBERARK_PRIVILEGE_CLOUD)
- CyberArk PTA Privileged Threat Analytics (CYBERARK_PTA)
- Darktrace (DARKTRACE)
- Dell Switch (DELL_SWITCH)
- Duo Administrator Logs (DUO_ADMIN)
- Duo Auth (DUO_AUTH)
- EfficientIP DDI (EFFICIENTIP_DDI)
- Elastic Audit Beats (ELASTIC_AUDITBEAT)
- Elastic Packet Beats (ELASTIC_PACKETBEATS)
- F5 ASM (F5_ASM)
- F5 Shape (F5_SHAPE)
- F5 Silverline (F5_SILVERLINE)
- FireEye (FIREEYE_ALERT)
- FireEye ETP (FIREEYE_ETP)
- FireEye HX (FIREEYE_HX)
- Forcepoint DLP (FORCEPOINT_DLP)
- Forcepoint Email Security (FORCEPOINT_EMAILSECURITY)
- Forcepoint Mail Relay (FORCEPOINT_MAIL_RELAY)
- FortiGate (FORTINET_FIREWALL)
- Fortinet FortiAnalyzer (FORTINET_FORTIANALYZER)
- Fortinet Fortimanager (FORTINET_FORTIMANAGER)
- GCP_APP_ENGINE (GCP_APP_ENGINE)
- GitHub (GITHUB)
- HP Aruba (ClearPass) (CLEARPASS)
- IBM DS8000 Storage (IBM_DS8000)
- IBM Guardium (GUARDIUM)
- IBM OpenPages (IBM_OPENPAGES)
- Infoblox DNS (INFOBLOX_DNS)
- Jenkins (JENKINS)
- Layer7 SiteMinder (SITEMINDER_SSO)
- Linux Auditing System (AuditD) (AUDITD)
- Malwarebytes (MALWAREBYTES_EDR)
- McAfee ePolicy Orchestrator (MCAFEE_EPO)
- Microsoft AD FS (ADFS)
- Microsoft Azure Activity (AZURE_ACTIVITY)
- Microsoft Azure Resource (AZURE_RESOURCE_LOGS)
- Microsoft Defender for Office 365 (MICROSOFT_DEFENDER_MAIL)
- Microsoft Exchange (EXCHANGE_MAIL)
- Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
- Microsoft PowerShell (POWERSHELL)
- Microsoft SQL Server (MICROSOFT_SQL)
- Microsoft System Center Endpoint Protection (MICROSOFT_SCEP)
- Mimecast (MIMECAST_MAIL)
- Nagios Infrastructure Monitoring (NAGIOS)
- Network Policy Server (MICROSOFT_NPS)
- Office 365 (OFFICE_365)
- Okta (OKTA)
- Okta User Context (OKTA_USER_CONTEXT)
- Oracle (ORACLE_DB)
- Palo Alto Cortex XDR Alerts (CORTEX_XDR)
- Palo Alto Panorama (PAN_PANORAMA)
- Ping Federate (PING_FEDERATE)
- Ping Identity (PING)
- PostgreSQL (POSTGRESQL)
- Precisely Ironstream IBM z/OS (IRONSTREAM_ZOS)
- Proofpoint On Demand (PROOFPOINT_ON_DEMAND)
- Proofpoint Tap Alerts (PROOFPOINT_MAIL)
- Pulse Secure (PULSE_SECURE_VPN)
- Radware Web Application Firewall (RADWARE_FIREWALL)
- Rippling Activity Logs (RIPPLING_ACTIVITYLOGS)
- Sap Business Technology Platform (SAP_BTP)
- Security Command Center Threat (N/A)
- Sentinelone Alerts (SENTINELONE_ALERT)
- SentinelOne EDR (SENTINEL_EDR)
- SentinelOne Singularity Cloud Funnel (SENTINELONE_CF)
- Shibboleth IDP (SHIBBOLETH_IDP)
- Snare System Diagnostic Logs (SNARE_SOLUTIONS)
- Snowflake (SNOWFLAKE)
- Sophos AV (SOPHOS_AV)
- Sophos Intercept EDR (SOPHOS_EDR)
- Sourcefire (SOURCEFIRE_IDS)
- Splunk Attack Analyzer (SPLUNK_ATTACK_ANALYZER)
- SpyCloud (SPYCLOUD)
- Squid Web Proxy (SQUID_WEBPROXY)
- Suricata EVE (SURICATA_EVE)
- Symantec Endpoint Protection (SEP)
- Symantec Web Security Service (SYMANTEC_WSS)
- Tenable Audit (TENABLE_AUDIT)
- Thales Vormetric (VORMETRIC)
- Trend Micro Apex one (TRENDMICRO_APEX_ONE)
- Trend Micro Deep Security (TRENDMICRO_DEEP_SECURITY)
- Trend Micro Vision One (TRENDMICRO_VISION_ONE)
- TrendMicro Apex Central (TRENDMICRO_APEX_CENTRAL)
- Twingate (TWINGATE)
- Ubika Waf (UBIKA_WAF)
- Unix system (NIX_SYSTEM)
- Vectra Detect (VECTRA_DETECT)
- Vectra Stream (VECTRA_STREAM)
- Wazuh (WAZUH)
- Windows DHCP (WINDOWS_DHCP)
- Windows Event (WINEVTLOG)
- Windows Event (XML) (WINEVTLOG_XML)
- Windows Local Administrator Password Solution (MICROSOFT_LAPS)
- Windows Sysmon (WINDOWS_SYSMON)
- Workspace Activities (WORKSPACE_ACTIVITY)
- Workspace Alerts (WORKSPACE_ALERTS)
- XAMS by Xiting (XITING_XAMS)
The following log types were added without a default parser. Each log type is listed by product name and log_type value, if applicable.
- Active Identity HID (ACTIVE_IDENTITY_HID)
- Akamai Event Viewer (AKAMAI_EVT_VWR)
- Autodesk Vault (AUTODESK_VAULT)
- Avaza (AVAZA)
- Avigilon Access Logs (AVIGILON_ACCESS_LOGS)
- Axis Camera (AXIS_CAMERA)
- Axis License Plate Reader (AXIS_LPR)
- Azure Nix System (AZURE_NIX_SYSTEM)
- CallTower Audio Conferencing (CALLTOWER_AUDIO)
- Canon Printers (CANON_PRINTERS)
- Cisco Secure Endpoint (CISCO_SECURE_ENDPOINT)
- Control UP (CONTROL_UP)
- Cradlepoint Router Logs (CRADLEPOINT)
- Crowdstrike Spotlight (CROWDSTRIKE_SPOTLIGHT)
- CrushFTP (CRUSHFTP)
- CrowdStrike Filevantage (CS_FILEVANTAGE)
- Cybersixgill (CYBERSIXGILL)
- Cyolo Secure Remote Access for OT (CYOLO_OT)
- Dell Core Switch (DELL_EMC_NETWORKING)
- DLink Switch (DLINK_SWITCH)
- Elastic Security (ELASTIC_EDR)
- Fireblocks (FIREBLOCKS)
- Forescout eyeInspect (FORESCOUT_EYEINSPECT)
- Fortinet FortiGate IPS (FORTINET_IPS)
- H3C Router (H3C_ROUTER)
- Hackerone (HACKERONE)
- Halo Sensor (HALO_SENSOR)
- Hashcast (HASHCAST)
- Perforce Helix Core (HELIX_CORE)
- Heroku (HEROKU)
- Hillstone NDR (HILLSTONE_NDR)
- HL7 (HL7)
- HoopDev (HOOPDEV)
- Huawei Switches (HUAWEI_SWITCH)
- Identity Security Cloud (IDENTITY_SECURITY_CLOUD)
- Imperva Data Risk Analytics (IMPERVA_DATA_ANALYTICS)
- Imperva DRA (IMPERVA_DRA)
- IM Express (IM_EXPRESS)
- Intezer (INTEZER)
- Jumpcloud IAM (JUMPCLOUD_IAM)
- Maltiverse IOC (MALTIVERSE_IOC)
- ManageEngine Log360 (MANAGE_ENGINE_LOG360)
- McAfee Network Security Platform (MCAFEE_NSP)
- Miro Cloud (MIRO_CLOUD)
- Nokia Home Device Manager (NOKIA_HDM)
- Nortel Secure Router (NORTEL_SR)
- Notion (NOTION)
- One Identity Identity Manager (ONE_IDENTITY_IDENTITY_MANAGER)
- IDnomic Public Key Infrastructure (OPENTRUST)
- Outline Activity Logs (OUTLINE_ACTIVITY_LOGS)
- Prismatic IO (PRISMATIC_IO)
- ProFTPD (PROFTPD)
- Provision Asset Context (PROVISION_ASSET_CONTEXT)
- Ransomcare (RANSOMCARE)
- Rapid7 Insights Threat Command (RAPID7_INSIGHTS_THREAT_COMMAND)
- Saporo (SAPORO)
- SAS Metadata Server log (SAS_METADATA_SERVER_LOG)
- Scylla (SCYLLA)
- Senseon Alerts (SENSEON_ALERTS)
- Sonic Switch (SONIC_SWITCH)
- Symantec Data Center Security (SYMANTEC_DCS)
- Syncplify SFTP 2 Events (SYNCPLIFY_SFTP)
- Team Cymru Scout Threat Intelligence (TEAM_CYMRU_SCOUT_THREATINTEL)
- Tenable CSPM (TENABLE_CSPM)
- Teqtivity Assets (TEQTIVITY_ASSETS)
- Tines (TINES)
- TP Link Network Switches (TPLINK_SWITCH)
- TT D365 (TT_D365)
- TT MSAN DSLAM (TT_MSAN_DSLAM)
- TT Trio Chordiant (TT_TRIO_CHORDIANT)
- Tufin (TUFIN)
- Tufin Secure Track (TUFIN_SECURE_TRACK)
- UberAgent (UBERAGENT)
- Upstream Vehicle SOC Alerts (UPSTREAM_VSOC_ALERTS)
- URLScan IO (URLSCAN_IO)
- Vertiv UPS (VERTIV_UPS)
- Very Good Security (VERY_GOOD_SECURITY)
- Virtual Browser (VIRTUAL_BROWSER)
- VMWare VSphere (VMWARE_VSPHERE)
- Webroot Identity Protection (WEBROOT_IDENTITY_PROTECTION)
- WideField (WIDEFIELD_SECURITY)
- Zscaler Sandbox (ZSCALER_SANDBOX)
- Zywall (ZYWALL)
For a list of supported log types and details about default parser changes, see Supported log types and default parsers.
September 06, 2024
Burst limits will roll out over the next 90 days. Customers whose sources are properly configured should not be affected. See the documentation for full details.
August 01, 2024
Customers can now configure direct ingestion of Google Cloud data without using a one-time Google Security Operations access code. This feature will be launched over a period of several weeks. For more information, see Enable direct ingestion from Google Cloud.
July 28, 2024
Creating a new playbook using prompts is now supported by Gemini. This feature is in public preview. For more information, refer to Create playbooks with Gemini.
July 25, 2024
Google SecOps has updated the list of supported default parsers. Parsers are updated gradually, so it might take one to four days before you see the changes reflected in your region.
The following supported default parsers have changed. Each parser is listed by product name and log_type value, if applicable.
- Airlock Digital Application Allowlisting (AIRLOCK_DIGITAL)
- Akamai SIEM Connector (AKAMAI_SIEM_CONNECTOR)
- Apache (APACHE)
- Arcsight CEF (ARCSIGHT_CEF)
- Arista Switch (ARISTA_SWITCH)
- Aruba (ARUBA_WIRELESS)
- Aruba EdgeConnect SD-WAN (ARUBA_EDGECONNECT_SDWAN)
- Atlassian Confluence (ATLASSIAN_CONFLUENCE)
- Auth0 (AUTH_ZERO)
- AWS CloudTrail (AWS_CLOUDTRAIL)
- AWS Config (AWS_CONFIG)
- Azure AD (AZURE_AD)
- Azure AD Directory Audit (AZURE_AD_AUDIT)
- Azure App Service (AZURE_APP_SERVICE)
- Azure WAF (AZURE_WAF)
- BeyondTrust Endpoint Privilege Management (BEYONDTRUST_ENDPOINT)
- BIND (BIND_DNS)
- BloxOne Threat Defense (BLOXONE)
- Blue Coat Proxy (BLUECOAT_WEBPROXY)
- Broadcom SSL Visibility Appliance (BROADCOM_SSL_VA)
- Cequence Bot Defense (CEQUENCE_BOT_DEFENSE)
- Check Point (CHECKPOINT_FIREWALL)
- Checkpoint Audit (CHECKPOINT_AUDIT)
- Checkpoint SmartDefense (CHECKPOINT_SMARTDEFENSE)
- Cimcor | File Integrity Monitoring (CIMCOR)
- CipherTrust Manager (CIPHERTRUST_MANAGER)
- Cisco ASA (CISCO_ASA_FIREWALL)
- Cisco EStreamer (CISCO_ESTREAMER)
- Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
- Cisco FireSIGHT Management Center (CISCO_FIRESIGHT)
- Cisco Internetwork Operating System (CISCO_IOS)
- Cisco IronPort (CISCO_IRONPORT)
- Cisco Meraki (CISCO_MERAKI)
- Cisco Router (CISCO_ROUTER)
- Cisco Stealthwatch (CISCO_STEALTHWATCH)
- Cisco VPN (CISCO_VPN)
- Citrix Analytics (CITRIX_ANALYTICS)
- Citrix Netscaler (CITRIX_NETSCALER)
- Cloud Audit Logs (N/A)
- Cloud Data Loss Prevention (N/A)
- Cloud Identity Devices (GCP_CLOUDIDENTITY_DEVICES)
- Cloud Load Balancing (GCP_LOADBALANCING)
- Cloud SQL (GCP_CLOUDSQL)
- Cofense (COFENSE_TRIAGE)
- Comforte SecurDPS (COMFORTE_SECURDPS)
- Compute Engine (GCP_COMPUTE)
- Corelight (CORELIGHT)
- Cribl Stream (CRIBL_STREAM)
- CrowdStrike Falcon (CS_EDR)
- CyberArk (CYBERARK)
- DigitalArts i-Filter (DIGITALARTS_IFILTER)
- Duo Auth (DUO_AUTH)
- Duo User Context (DUO_USER_CONTEXT)
- EfficientIP DDI (EFFICIENTIP_DDI)
- Elastic Audit Beats (ELASTIC_AUDITBEAT)
- Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
- Ergon Informatik Airlock IAM (ERGON_INFORMATIK_AIRLOCK_IAM)
- ESET AV (ESET_AV)
- F5 ASM (F5_ASM)
- F5 BIGIP LTM (F5_BIGIP_LTM)
- F5 Shape (F5_SHAPE)
- F5 Silverline (F5_SILVERLINE)
- Fidelis Network (FIDELIS_NETWORK)
- FileZilla (FILEZILLA_FTP)
- Forcepoint Email Security (FORCEPOINT_EMAILSECURITY)
- Forcepoint Proxy (FORCEPOINT_WEBPROXY)
- Forgerock OpenIdM (FORGEROCK_OPENIDM)
- Fortinet FortiAuthenticator (FORTINET_FORTIAUTHENTICATOR)
- Google App Engine (GCP_APP_ENGINE)
- GitHub (GITHUB)
- IBM DataPower Gateway (IBM_DATAPOWER)
- IBM DB2 (DB2_DB)
- IBM Guardium (GUARDIUM)
- IBM Security QRadar SIEM (IBM_QRADAR)
- Imperva Audit Trail (IMPERVA_AUDIT_TRAIL)
- Ingrian Networks DataSecure Appliance (INGRIAN_NETWORKS_DATASECURE_APPLIANCE)
- ION Spectrum (ION_SPECTRUM)
- JAMF Pro (JAMF_PRO)
- Jenkins (JENKINS)
- Juniper Junos (JUNIPER_JUNOS)
- Juniper Mist (JUNIPER_MIST)
- Juniper MX Router (JUNIPER_MX)
- Keeper Enterprise Security (KEEPER)
- Linux Auditing System (AuditD) (AUDITD)
- Linux Sysmon (LINUX_SYSMON)
- Lucid (LUCID)
- Maria Database (MARIA_DB)
- Microsoft AD (WINDOWS_AD)
- Microsoft Azure Activity (AZURE_ACTIVITY)
- Microsoft CyberX (CYBERX)
- Microsoft Defender for Endpoint (MICROSOFT_DEFENDER_ENDPOINT)
- Microsoft Defender for Identity (MICROSOFT_DEFENDER_IDENTITY)
- Microsoft Exchange (EXCHANGE_MAIL)
- Microsoft Graph Activity Logs (MICROSOFT_GRAPH_ACTIVITY_LOGS)
- Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
- Microsoft IIS (IIS)
- Microsoft SQL Server (MICROSOFT_SQL)
- Mimecast URL Logs (MIMECAST_URL_LOGS)
- Netapp Storagegrid (NETAPP_STORAGEGRID)
- Netskope (NETSKOPE_ALERT)
- Netskope Web Proxy (NETSKOPE_WEBPROXY)
- Network Policy Server (MICROSOFT_NPS)
- Noname API Security (NONAME_API_SECURITY)
- Office 365 (OFFICE_365)
- Office 365 Message Trace (OFFICE_365_MESSAGETRACE)
- Okta (OKTA)
- Okta User Context (OKTA_USER_CONTEXT)
- Open LDAP (OPENLDAP)
- Oracle (ORACLE_DB)
- Oracle Cloud Infrastructure Audit Logs (OCI_AUDIT)
- Palo Alto Cortex XDR Alerts (CORTEX_XDR)
- Palo Alto Networks Firewall (PAN_FIREWALL)
- Palo Alto Panorama (PAN_PANORAMA)
- Palo Alto Prisma Cloud Alert payload (PAN_PRISMA_CA)
- Passwordstate (PASSWORDSTATE)
- Ping Identity (PING)
- Portnix CEF (PORTNOX_CEF)
- PostFix Mail (POSTFIX_MAIL)
- Proofpoint Email Filter (PROOFPOINT_MAIL_FILTER)
- Proofpoint Sendmail Sentrion (PROOFPOINT_SENDMAIL_SENTRION)
- Proofpoint Threat Response (PROOFPOINT_TRAP)
- Quest Change Auditor for EMC (QUEST_CHANGE_AUDITOR_EMC)
- Radware Alteon (RADWARE_ALTEON)
- Radware Web Application Firewall (RADWARE_FIREWALL)
- Red Hat Directory Server LDAP (REDHAT_DIRECTORY_SERVER)
- Riverbed Steelhead (STEELHEAD)
- RSA SecurID Access Identity Router (RSA_SECURID)
- Ruckus Networks (RUCKUS_WIRELESS)
- Salesforce (SALESFORCE)
- SentinelOne EDR (SENTINEL_EDR)
- SentinelOne Singularity Cloud Funnel (SENTINELONE_CF)
- SEPPmail Secure Email (SEPPMAIL)
- ServiceNow CMDB (SERVICENOW_CMDB)
- SiteMinder Web Access Management (CA_SSO_WEB)
- Snare System Diagnostic Logs (SNARE_SOLUTIONS)
- Solarwinds Kiwi Syslog Server (SOLARWINDS_KSS)
- SonicWall (SONIC_FIREWALL)
- Sonrai Enterprise Cloud Security Solution (SONRAI)
- Symantec DLP (SYMANTEC_DLP)
- Symantec Endpoint Protection (SEP)
- Symantec VIP Authentication Hub (SYMANTEC_VIP_AUTHHUB)
- Symantec Web Security Service (SYMANTEC_WSS)
- Sysdig (SYSDIG)
- Tableau (TABLEAU)
- Terraform Enterprise Audit (TERRAFORM_ENTERPRISE)
- Thinkst Canary (THINKST_CANARY)
- Thycotic (THYCOTIC)
- Trend Micro (TIPPING_POINT)
- Ubika WAAP (UBIKA_WAAP)
- Ubika Waf (UBIKA_WAF)
- UPX AntiDDoS (UPX_ANTIDDOS)
- Vectra Stream (VECTRA_STREAM)
- Velo Firewall (VELO_FIREWALL)
- VeridiumID by Veridium (VERIDIUM_ID)
- Versa Firewall (VERSA_FIREWALL)
- Virtru Email Encryption (VIRTRU_EMAIL_ENCRYPTION)
- VMware ESXi (VMWARE_ESX)
- VMware NSX (VMWARE_NSX)
- VMware vCenter (VMWARE_VCENTER)
- Windows DNS (WINDOWS_DNS)
- Windows Event (WINEVTLOG)
- Windows Event (XML) (WINEVTLOG_XML)
- Windows Local Administrator Password Solution (MICROSOFT_LAPS)
- Workday (WORKDAY)
- Workspace Activities (WORKSPACE_ACTIVITY)
- Zscaler (ZSCALER_WEBPROXY)
- Zscaler CASB (ZSCALER_CASB)
- Zscaler Internet Access Audit Logs (ZSCALER_INTERNET_ACCESS)
- Zscaler Private Access (ZSCALER_ZPA)
- Zscaler Secure Private Access Audit Logs (ZSCALER_ZPA_AUDIT)
The following log types were added without a default parser. Each log type is listed by product name and log_type value, if applicable.
- Backstage (BACKSTAGE)
- Bitwarden Password Manager User Context (BITWARDEN_USER_CONTEXT)
- Boomi App (BOOMI_APP)
- ChatGPT Audit Logs (CHATGPT_AUDIT_LOGS)
- Cloudflare Warp (CLOUDFLARE_WARP)
- Coda Io (CODA_IO)
- Fortinet Fortimanager (FORTINET_FORTIMANAGER)
- Fusion Auth (FUSION_AUTH)
- Google Cloud Abuse Events (GCP_ABUSE_EVENTS)
- Google Cloud Monitoring Alerts (GCP_MONITORING_ALERTS)
- Gong (GONG)
- Grafana (GRAFANA)
- IBM Cloud Activity Tracker (IBM_CLOUD_ACTIVITY_TRACKER)
- IBM Cloud System (IBM_CLOUD_SYSTEM)
- Incident Io (INCIDENT_IO)
- Kentik DDoS Detection (KENTIK_ALERTS)
- Lockself Lockpass (LOCKSELF_LOCKPASS)
- Magic Collaboration Studio (MAGIC_CS)
- Metaswitch Perimeta (METASWITCH_PERIMETA)
- Microsoft Defender Endpoint for iOS Logs (MICROSOFT_DEFENDER_ENDPOINT_IOS)
- 9NowAudit (NINENOW_AUDIT)
- Oracle Cloud Guard (OCI_CLOUDGUARD)
- Oort Security Tool (OORT)
- OpsRamp (OPSRAMP)
- Ops Genie (OPS_GENIE)
- People Strong (PEOPLE_STRONG)
- Pingdom (PINGDOM)
- Proofpoint Tap Campaign (PROOFPOINT_TAP_CAMPAIGN)
- Proofpoint Tap Forensics (PROOFPOINT_TAP_FORENSICS)
- Proofpoint Tap People (PROOFPOINT_TAP_PEOPLE)
- Proofpoint Tap Threats (PROOFPOINT_TAP_THREATS)
- Proofpoint Tis IOC (PROOFPOINT_TIS_IOC)
- Push Security (PUSH_SECURITY)
- Recordedfuture Alerts (RECORDEDFUTURE_ALERTS)
- Rippling Activity Logs (RIPPLING_ACTIVITYLOGS)
- Sentry (SENTRY)
- Servertech PDUs (SERVERTECH_PDUS)
- Sprinkledata(DWH) (SPRINKLEDATA_DWH)
- Tenable Audit (TENABLE_AUDIT)
- TINTRI (TINTRI)
- WPass (WPASS)
- WPEngine (WPENGINE)
For a list of supported log types and details about default parser changes, see Supported log types and default parsers.
The Google Security Operations alert metadata fields for UDM idm.is_significant and idm.is_alert have been deprecated. Use YARA-L detection rule alerts for alert metadata.
July 24, 2024
The Incident Manager in Google Security Operations will be fully decommissioned on July 22, 2025. Google Cloud will provide full support and maintenance until July 22, 2025 but no new features will be released.
July 18, 2024
When you migrate an existing Google SecOps instance so that it is bound to a Google Cloud project, you can also use auto-generated commands to migrate your existing feature RBAC configuration to IAM permissions and roles. For more information, see Migrate existing permissions to IAM.
July 17, 2024
On December 31, 2024, the managed BigQuery data lake for export will not be accessible to Google SecOps customers except for customers in the Enterprise Plus Tier. Enterprise Plus Tier customers will retain access until a replacement is available. Other customers can use their own BigQuery instance to export telemetry data, a feature currently in preview. For more information, see Configure a data export to BigQuery in a self-managed Google Cloud project.
July 15, 2024
The third-party API feed Symantec Event Export has been discontinued because the Symantec Event Export API was deprecated. To ingest this data, use a Cloud Storage bucket instead. For more information, see Add a feed.
July 13, 2024
Python 2.7 is being deprecated and will be fully removed on October 13, 2024.
For information on how to update Marketplace integrations to Python 3.11, refer to Upgrade the Python versions.
Support for Python 3.11: Google SecOps now supports Python 3.11 in all the certified integrations. This feature is in General Availability.
IDE Staging mode: A staging mode has been added to the IDE where you can test certified and custom integrations as well as custom items. The staging mode acts as a sandbox where you can test the new Python 3.11 code or any upgraded integration before pushing to production. For more information, refer to Test integrations in staging mode. This feature is in General Availability.
June 26, 2024
You can use the BindPlane agent to collect Windows event logs, query SQL databases, read logs from files, and receive logs using syslog. The agent sends data directly to the Google Security Operations ingestion API or to a Google SecOps forwarder. For more information, see Use the BindPlane agent.
June 24, 2024
You can now configure Cloud Identity or Google Workspace as an identity provider during the Google Security Operations onboarding steps. For more information about onboarding, see Onboarding or migrating a Google Security Operations instance.
During the Google Security Operations onboarding steps, you can now specify identity provider groups that include administrators who configure user access to SOAR-related features. For more information, see Link Google SecOps to Google Cloud services.
June 18, 2024
Google SecOps now integrates with Access Transparency.
If you enabled Access Transparency in your organization, Google SecOps writes Access Transparency logs when any Google personnel accesses customer content that supports SIEM features.
For more information, see enabling Access Transparency and viewing Access Transparency logs.
Google SecOps now supports data RBAC. This feature enables you to control user access to data within your Google SecOps environment based on their assigned roles.
lastAlertStatusChangeTime is added to the response of the GetRule Detection Engine API. It indicates when alertingEnabled was last changed from true to false or from false to true. The field is also added to RuleDeployment in Chronicle API v1 alpha.
June 07, 2024
The syntax for placeholders in UDM saved searches is updated. See Save a search for the new syntax.
May 30, 2024
The following supported default parsers have changed. Each is listed by product name and log_type value, if applicable.
- Abnormal Security (ABNORMAL_SECURITY)
- Akamai DNS (AKAMAI_DNS)
- Akamai WAF (AKAMAI_WAF)
- Apigee (GCP_APIGEE_X)
- Array Networks SSL VPN (ARRAYNETWORKS_VPN)
- AWS CloudFront (AWS_CLOUDFRONT)
- AWS Cloudtrail (AWS_CLOUDTRAIL)
- Azure AD (AZURE_AD)
- Azure AD Directory Audit (AZURE_AD_AUDIT)
- Azure AD Sign-In (AZURE_AD_SIGNIN)
- Barracuda Email (BARRACUDA_EMAIL)
- Barracuda Firewall (BARRACUDA_FIREWALL)
- Blue Coat Proxy (BLUECOAT_WEBPROXY)
- BMC AMI Defender (BMC_AMI_DEFENDER)
- Carbon Black (CB_EDR)
- Check Point (CHECKPOINT_FIREWALL)
- Check Point Sandblast (CHECKPOINT_EDR)
- Checkpoint Audit (CHECKPOINT_AUDIT)
- Cisco AMP (CISCO_AMP)
- Cisco EStreamer (CISCO_ESTREAMER)
- Cisco FireSIGHT Management Center (CISCO_FIRESIGHT)
- Cisco ISE (CISCO_ISE)
- Cisco Router (CISCO_ROUTER)
- Cisco Switch (CISCO_SWITCH)
- Cisco Umbrella DNS (UMBRELLA_DNS)
- Cisco VPN (CISCO_VPN)
- Cisco WLC/WCS (CISCO_WIRELESS)
- Citrix Netscaler (CITRIX_NETSCALER)
- Cloud Audit Logs (N/A)
- Cloud SQL (GCP_CLOUDSQL)
- Cloud Storage Context (N/A)
- Cohesity (COHESITY)
- CrowdStrike Falcon (CS_EDR)
- CyberArk Privileged Access Manager (PAM) (CYBERARK_PAM)
- ESET AV (ESET_AV)
- F5 ASM (F5_ASM)
- F5 BIGIP LTM (F5_BIGIP_LTM)
- F5 VPN (F5_VPN)
- Forcepoint DLP (FORCEPOINT_DLP)
- FortiGate (FORTINET_FIREWALL)
- GMAIL Logs (GMAIL_LOGS)
- HID DigitalPersona (HID_DIGITALPERSONA)
- Honeyd (HONEYD)
- HP Aruba (ClearPass) (CLEARPASS)
- IBM AS/400 (IBM_AS400)
- IBM DS8000 Storage (IBM_DS8000)
- IBM Security Verify (IBM_SECURITY_VERIFY)
- Infoblox (INFOBLOX)
- Island Browser logs (ISLAND_BROWSER)
- JAMF CMDB (JAMF)
- JumpCloud Directory Insights (JUMPCLOUD_DIRECTORY_INSIGHTS)
- Juniper Mist (JUNIPER_MIST)
- Kubernetes Node (KUBERNETES_NODE)
- Linux Auditing System (AuditD) (AUDITD)
- ManageEngine ADAudit Plus (ADAUDIT_PLUS)
- Microsoft AD FS (ADFS)
- Microsoft Azure Activity (AZURE_ACTIVITY)
- Microsoft Azure Resource (AZURE_RESOURCE_LOGS)
- Microsoft CyberX (CYBERX)
- Microsoft Defender for Endpoint (MICROSOFT_DEFENDER_ENDPOINT)
- Microsoft Graph Activity Logs (MICROSOFT_GRAPH_ACTIVITY_LOGS)
- Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
- Microsoft SQL Server (MICROSOFT_SQL)
- Mikrotik Router (MIKROTIK_ROUTER)
- NetDocuments Solutions (NETDOCUMENTS)
- Netwrix (NETWRIX)
- Office 365 (OFFICE_365)
- Office 365 Message Trace (OFFICE_365_MESSAGETRACE)
- Okta (OKTA)
- OneLogin (ONELOGIN_SSO)
- Opengear Remote Management (OPENGEAR)
- Palo Alto Networks Firewall (PAN_FIREWALL)
- pfSense (PFSENSE)
- PostFix Mail (POSTFIX_MAIL)
- Proofpoint Sendmail Sentrion (PROOFPOINT_SENDMAIL_SENTRION)
- Proofpoint Tap Alerts (PROOFPOINT_MAIL)
- Pulse Secure (PULSE_SECURE_VPN)
- Qumulo FS (QUMULO_FS)
- Rapid7 (RAPID7_NEXPOSE)
- Rapid7 Insight (RAPID7_INSIGHT)
- Rubrik Polaris (RUBRIK_POLARIS)
- SailPoint IAM (SAILPOINT_IAM)
- SAP SuccessFactors (SAP_SUCCESSFACTORS)
- Semperis DSP (SEMPERIS_DSP)
- Sentinelone Alerts (SENTINELONE_ALERT)
- SentinelOne EDR (SENTINEL_EDR)
- Signal Sciences WAF (SIGNAL_SCIENCES_WAF)
- Snare System Diagnostic Logs (SNARE_SOLUTIONS)
- SonicWall (SONIC_FIREWALL)
- Sophos Central (SOPHOS_CENTRAL)
- Sophos UTM (SOPHOS_UTM)
- Spur data feeds (SPUR_FEEDS)
- Suricata EVE (SURICATA_EVE)
- Symantec DLP (SYMANTEC_DLP)
- Symantec Endpoint Protection (SEP)
- Symantec VIP Authentication Hub (SYMANTEC_VIP_AUTHHUB)
- Tanium Audit (TANIUM_AUDIT)
- Thinkst Canary (THINKST_CANARY)
- Trend Micro Vision One (TRENDMICRO_VISION_ONE)
- Twingate (TWINGATE)
- Unix system (NIX_SYSTEM)
- Vectra Detect (VECTRA_DETECT)
- Veeam (VEEAM)
- Verba Recording System (VERBA_REC)
- VeridiumID by Veridium (VERIDIUM_ID)
- VMware ESXi (VMWARE_ESX)
- Windows Defender ATP (WINDOWS_DEFENDER_ATP)
- Windows DNS (WINDOWS_DNS)
- Windows Event (WINEVTLOG)
- Windows Event (XML) (WINEVTLOG_XML)
- Winscp (WINSCP)
- WordPress (WORDPRESS_CMS)
- Workspace Activities (WORKSPACE_ACTIVITY)
- Zeek TSV (BRO_TSV)
- Zix Email Encryption (ZIX_EMAIL_ENCRYPTION)
- Zscaler (ZSCALER_WEBPROXY)
- ZScaler DNS (ZSCALER_DNS)
- Zscaler Private Access (ZSCALER_ZPA)
The following log types, without a default parser, were added. Each is listed by product name and log_type value, if applicable.
- Akamai Log Delivery Service (AKAMAI_LDS)
- AudioCodes Voice DNA (AUDIOCODES)
- Amazon API Gateway (AWS_API_GATEWAY)
- Axway (AXWAY)
- Biztalk (BIZTALK)
- Check Point FDE (CHECKPOINT_FDE)
- Cimcor | File Integrity Monitoring (CIMCOR)
- CS Alerts (CS_ALERTS)
- Custom CSV Log (CUSTOM_CSV_LOG)
- Cyral (CYRAL)
- Druva (DRUVA)
- Entrust DataControl Audit (ENTR_DATACTRL_AUDIT)
- Ergon Informatik Airlock IAM (ERGON_INFORMATIK_AIRLOCK_IAM)
- Eset Protect Platform (ESET_PROTECT_PLATFORM)
- Exim Internet Mailer (EXIM_INTERNET_MAILER)
- FM Systems Workplace Management (FM_SYSTEMS)
- GluWare Network Automation (GLUWARE_NETWORK_AUTOMATION)
- Guidewire Billing Center (GUIDEWIRE_BILLING_CENTER)
- Guidewire Claim Center (GUIDEWIRE_CLAIM_CENTER)
- Guidewire Policy Center (GUIDEWIRE_POLICY_CENTER)
- HAVI Connect (HAVI_CONNECT)
- IBM OpenPages (IBM_OPENPAGES)
- Ingrian Networks DataSecure Appliance (INGRIAN_NETWORKS_DATASECURE_APPLIANCE)
- iSecurity | Security Services and Remediation (ISECURITY)
- iTop (ITOP)
- Microsoft Defender for Office 365 (MICROSOFT_DEFENDER_MAIL)
- Microsoft Graph Risky Users (MICROSOFT_GRAPH_RISKY_USERS)
- NetApp BlueXP (NETAPP_BLUEXP)
- Netgate Firewall (NETGATE_FIREWALL)
- 1KOSMOS | Identity and Authentication (ONEKOSMOS)
- Palo Alto Global Protect SVC (PAN_GPSVC)
- Palo Alto SSLVPN Access (PAN_SSLVPN_ACCESS)
- Palo Alto Telemetry (PAN_TELEMETRY)
- Proofpoint Endpoint Data Loss Prevention (PROOFPOINT_ENDPOINT_DLP)
- SAP ERP (SAP_ERP)
- Ubika WAAP (UBIKA_WAAP)
- Webroot Endpoint Protection (WEBROOT)
- Wolters Kluwer Teammate (WOLTERS_KLUWER_TEAMMATE)
- Xirrus Wireless Controller (XIRRUS)
For a list of supported log types and details about default parser changes, see Supported log types and default parsers.
May 22, 2024
Enhanced the existing curated detections for AWS rule sets in the Cloud Threats category to add 40 new detections. These new rules, added to existing rule sets, expand the coverage and are designed to identify tactics and techniques commonly employed by malicious actors that use popular open source offensive security tools against AWS resources.
May 14, 2024
Google SecOps now supports the following functions in Detection Engine rules:
- fingerprint
- sample_rate
For more information about these functions, see YARA-L 2.0 language syntax.
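As an added illustration (not a rule from the release note or from the Google SecOps curated rule sets), the following YARA-L 2.0 rule uses both functions together: sample_rate keeps a deterministic fraction of events keyed on the hostname, so a given host is either always or never sampled, and fingerprint replaces the raw hostname with a stable hash in the rule outcome. It is assumed, following the YARA-L 2.0 syntax reference, that fingerprint takes a single string or byte argument and returns its hash as a string, and that sample_rate takes the value to hash followed by a numerator and denominator and returns true for the selected fraction of events; check both signatures against that reference before deploying. The event type, field paths, thresholds and rule name are illustrative.

```yaral
rule sampled_dns_fanout_example {
  meta:
    author = "added example, not a Google SecOps curated rule"
    description = "Counts distinct hosts resolving one domain over a deterministic 1-in-10 sample of hosts"
    severity = "LOW"

  events:
    $dns.metadata.event_type = "NETWORK_DNS"
    $dns.network.dns.questions.name = $domain

    // Deterministic sampling: the hostname is hashed, and the event is kept
    // only when the hash falls in the selected 1/10 bucket. The same host is
    // therefore always kept or always dropped, which keeps the per-domain
    // count consistent across the window. Argument order is assumed from the
    // YARA-L 2.0 syntax reference (value, numerator, denominator).
    sample_rate($dns.principal.hostname, 1, 10)

    // Stable, non-identifying token per host: the outcome carries the hash
    // rather than the hostname, while count_distinct still counts hosts.
    $host_fp = fingerprint($dns.principal.hostname)

  match:
    $domain over 1h

  outcome:
    $sampled_hosts = count_distinct($host_fp)

  condition:
    // Threshold applies to the sampled population, so it is roughly a tenth
    // of the unsampled fan-out you would otherwise alert on.
    $dns and $sampled_hosts > 5
}
```

Because sampling is keyed on the hostname rather than on the event, the rule sees every DNS query from each sampled host; keying on a per-event field such as metadata.id would instead thin queries uniformly and make the per-domain count meaningless.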
May 08, 2024
When Applied Threat Intelligence is enabled, it ingests IOCs curated by Mandiant Threat Intelligence with an IC-Score greater than 80 and generates an alert when a match is found.
May 06, 2024
Gemini for investigation assistance
Gemini for investigation assistance can now support you with the following:
- Search: Gemini can help you build, edit, and run searches targeted toward relevant events using natural language prompts.
- Search summaries: Gemini can automatically summarize search results after every search and subsequent filter action. Gemini can also answer contextual follow-up questions about the summaries it provides.
- Rule generation: Gemini can create new YARA-L rules from the UDM search queries it generates.
- Security questions and threat intelligence analysis: Gemini can answer general security domain questions and specific threat intelligence questions. Gemini can provide summaries about threat actors, IOCs, and other threat intelligence topics.
- Incident remediation: Based on the event information returned, Gemini can suggest follow-on steps.
For more information, see Use Gemini to investigate security issues.
May 03, 2024
Create a new playbook using Gemini (Preview)
You can now use Gemini to create a fully structured playbook. All you need to do is write a well structured prompt and click Create. For more information, see Create playbook with Gemini.
May 02, 2024
The following supported default parsers have changed. Each is listed by product name and log_type value, if applicable.
- AIX system (AIX_SYSTEM)
- Arcsight CEF (ARCSIGHT_CEF)
- Arista Switch (ARISTA_SWITCH)
- Aruba (ARUBA_WIRELESS)
- Aruba Switch (ARUBA_SWITCH)
- Attivo Networks (ATTIVO)
- AWS Cloudtrail (AWS_CLOUDTRAIL)
- AWS Control Tower (AWS_CONTROL_TOWER)
- AWS Elastic Load Balancer (AWS_ELB)
- AWS WAF (AWS_WAF)
- Azure AD (AZURE_AD)
- Azure AD Directory Audit (AZURE_AD_AUDIT)
- Azure AD Organizational Context (AZURE_AD_CONTEXT)
- Azure Application Gateway (AZURE_GATEWAY)
- Azure Storage Audit (AZURE_STORAGE_AUDIT)
- Azure WAF (AZURE_WAF)
- Barracuda Firewall (BARRACUDA_FIREWALL)
- BeyondTrust Endpoint Privilege Management (BEYONDTRUST_ENDPOINT)
- BigQuery (N/A)
- Blue Coat Proxy (BLUECOAT_WEBPROXY)
- Brocade Switch (BROCADE_SWITCH)
- Check Point (CHECKPOINT_FIREWALL)
- Cisco ASA (CISCO_ASA_FIREWALL)
- Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
- Cisco FireSIGHT Management Center (CISCO_FIRESIGHT)
- Cisco Internetwork Operating System (CISCO_IOS)
- Cisco ISE (CISCO_ISE)
- Cisco Meraki (CISCO_MERAKI)
- Cisco VPN (CISCO_VPN)
- Cisco WLC/WCS (CISCO_WIRELESS)
- Citrix Netscaler (CITRIX_NETSCALER)
- Claroty Enterprise Management Console (CLAROTY_EMC)
- Cloud Audit Logs (N/A)
- Cloud Intrusion Detection System (GCP_IDS)
- Corelight (CORELIGHT)
- CrowdStrike Detection Monitoring (CS_DETECTS)
- CrowdStrike Falcon (CS_EDR)
- CyberArk (CYBERARK)
- Cyberark Privilege Cloud (CYBERARK_PRIVILEGE_CLOUD)
- Cybergatekeeper NAC (CYBERGATEKEEPER_NAC)
- Darktrace (DARKTRACE)
- Dell ECS Enterprise Object Storage (DELL_ECS)
- Dell Switch (DELL_SWITCH)
- Elastic Packet Beats (ELASTIC_PACKETBEATS)
- ESET (ESET_EDR)
- ESET AV (ESET_AV)
- F5 Advanced Firewall Management (F5_AFM)
- F5 ASM (F5_ASM)
- F5 BIGIP LTM (F5_BIGIP_LTM)
- FireEye HX (FIREEYE_HX)
- FireEye NX Audit (FIREEYE_NX_AUDIT)
- Firewall Rule Logging (N/A)
- Forcepoint DLP (FORCEPOINT_DLP)
- Forescout NAC (FORESCOUT_NAC)
- Forgerock OpenIdM (FORGEROCK_OPENIDM)
- FortiGate (FORTINET_FIREWALL)
- Fortinet FortiAnalyzer (FORTINET_FORTIANALYZER)
- Fortra Powertech SIEM Agent (FORTRA_POWERTECH_SIEM_AGENT)
- Cloud NAT (N/A)
- GCP_SWP (GCP_SWP)
- Gitlab (GITLAB)
- GMAIL Logs (GMAIL_LOGS)
- GMV Checker ATM Security (GMV_CHECKER)
- Guardicore Centra (GUARDICORE_CENTRA)
- HPE BladeSystem C7000 (HPE_BLADESYSTEM_C7000)
- HYPR MFA (HYPR_MFA)
- IBM AS/400 (IBM_AS400)
- IBM DS8000 Storage (IBM_DS8000)
- IBM Guardium (GUARDIUM)
- IBM Tape Storages (IBM_LTO)
- IBM Tivoli (IBM_TIVOLI)
- IBM-i Operating System (IBM_I)
- Illumio Core (ILLUMIO_CORE)
- Imperva (IMPERVA_WAF)
- Imperva Advanced Bot Protection (IMPERVA_ABP)
- Imperva SecureSphere Management (IMPERVA_SECURESPHERE)
- Infoblox (INFOBLOX)
- ION Spectrum (ION_SPECTRUM)
- Ipswitch MOVEit Transfer (IPSWITCH_MOVEIT_TRANSFER)
- Jamf Protect Alerts (JAMF_PROTECT)
- Jamf Protect Telemetry (JAMF_TELEMETRY)
- Juniper Junos (JUNIPER_JUNOS)
- Juniper MX Router (JUNIPER_MX)
- Kubernetes Node (KUBERNETES_NODE)
- LastPass Password Management (LASTPASS)
- Linux Auditing System (AuditD) (AUDITD)
- McAfee Enterprise Security Manager (MCAFEE_ESM)
- Medigate IoT (MEDIGATE_IOT)
- Microsoft AD (WINDOWS_AD)
- Microsoft Azure Activity (AZURE_ACTIVITY)
- Microsoft Defender for Endpoint (MICROSOFT_DEFENDER_ENDPOINT)
- Microsoft Defender for Identity (MICROSOFT_DEFENDER_IDENTITY)
- Microsoft Exchange (EXCHANGE_MAIL)
- Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
- Microsoft IAS Server (MICROSOFT_IAS)
- Microsoft Intune (AZURE_MDM_INTUNE)
- Microsoft SQL Server (MICROSOFT_SQL)
- Mongo Database (MONGO_DB)
- Netscout Arbor Sightline (ARBOR_SIGHTLINE)
- Netskope Web Proxy (NETSKOPE_WEBPROXY)
- NGFW Enterprise (GCP_NGFW_ENTERPRISE)
- Office 365 (OFFICE_365)
- Office 365 Message Trace (OFFICE_365_MESSAGETRACE)
- Opengear Remote Management (OPENGEAR)
- Oracle (ORACLE_DB)
- OSQuery (OSQUERY_EDR)
- OSSEC (OSSEC)
- Palo Alto Cortex XDR Alerts (CORTEX_XDR)
- Palo Alto Networks Firewall (PAN_FIREWALL)
- Palo Alto Prisma Cloud (PAN_PRISMA_CLOUD)
- PerimeterX Bot Protection (PERIMETERX_BOT_PROTECTION)
- Phishlabs (PHISHLABS)
- Proofpoint Tap Alerts (PROOFPOINT_MAIL)
- Pulse Secure (PULSE_SECURE_VPN)
- Riverbed Steelhead (STEELHEAD)
- RSA SecurID Access Identity Router (RSA_SECURID)
- SAP SM20 (SAP_SM20)
- SAP SuccessFactors (SAP_SUCCESSFACTORS)
- SAP Webdispatcher (SAP_WEBDISP)
- Security Command Center Posture Violation (GCP_SECURITYCENTER_POSTURE_VIOLATION)
- Security Command Center Threat (N/A)
- Security Command Center Toxic Combination (GCP_SECURITYCENTER_TOXIC_COMBINATION)
- Sentinelone Alerts (SENTINELONE_ALERT)
- SentinelOne EDR (SENTINEL_EDR)
- SentinelOne Singularity Cloud Funnel (SENTINELONE_CF)
- Snare System Diagnostic Logs (SNARE_SOLUTIONS)
- Solaris system (SOLARIS_SYSTEM)
- SonicWall (SONIC_FIREWALL)
- Sonicwall Secure Mobile Access (SONICWALL_SMA)
- Splunk Platform (SPLUNK)
- Squid Web Proxy (SQUID_WEBPROXY)
- Suricata EVE (SURICATA_EVE)
- Suricata IDS (SURICATA_IDS)
- Swift Alliance Messaging Hub (SWIFT_AMH)
- Symantec CloudSOC CASB (SYMANTEC_CASB)
- Symantec DLP (SYMANTEC_DLP)
- Tenable OT (TENABLE_OT)
- Tetragon Ebpf Audit Logs (TETRAGON_EBPF_AUDIT_LOGS)
- Trellix HX Event Streamer (TRELLIX_HX_ES)
- Trend Micro (TIPPING_POINT)
- Trend Micro Cloud one (TRENDMICRO_CLOUDONE)
- Trend Micro Deep Security (TRENDMICRO_DEEP_SECURITY)
- TrendMicro Apex Central (TRENDMICRO_APEX_CENTRAL)
- TrendMicro Web Proxy (TRENDMICRO_WEBPROXY)
- Unifi AP (UNIFI_AP)
- Unix system (NIX_SYSTEM)
- Vectra Detect (VECTRA_DETECT)
- VeridiumID by Veridium (VERIDIUM_ID)
- VPC Flow Logs (GCP_VPC_FLOW)
- Windows Defender ATP (WINDOWS_DEFENDER_ATP)
- Windows DNS (WINDOWS_DNS)
- Windows Event (WINEVTLOG)
- Windows Event (XML) (WINEVTLOG_XML)
- Windows Network Policy Server (WINDOWS_NET_POLICY_SERVER)
- Windows Sysmon (WINDOWS_SYSMON)
- Workspace Activities (WORKSPACE_ACTIVITY)
- Workspace Alerts (WORKSPACE_ALERTS)
- Workspace ChromeOS Devices (WORKSPACE_CHROMEOS)
- Workspace Groups (WORKSPACE_GROUPS)
- Workspace Mobile Devices (WORKSPACE_MOBILE)
- Workspace Privileges (WORKSPACE_PRIVILEGES)
- Workspace Users (WORKSPACE_USERS)
- YAMAHA ROUTER RTX1200 (YAMAHA_ROUTER)
- Zeek JSON (BRO_JSON)
- Zimperium (ZIMPERIUM)
- Zscaler (ZSCALER_WEBPROXY)
- Zscaler CASB (ZSCALER_CASB)
- ZScaler NGFW (ZSCALER_FIREWALL)
The following log types, without a default parser, were added. Each is listed by product name and log_type value, if applicable.
- Adaxes (ADAXES)
- Air Table (AIR_TABLE)
- Alert Enterprise Guardian (ALERT_GUARDIAN)
- Amavis (AMAVIS)
- Atlassian Beacon (ATLASSIAN_BEACON)
- Banner dd (BANNER_DD)
- BetterStack Uptime (BETTERSTACK_UPTIME)
- BloodHound (BLOODHOUND)
- Core Privileged Access Manager (BoKS) (BOKS)
- Cisco Secure Access (CISCO_SECURE_ACCESS)
- Cleafy (CLEAFY)
- Clear Bank Portal Audit (CLEARBANK_PORTAL)
- CloudBees (CLOUDBEES)
- Comforte SecurDPS (COMFORTE_SECURDPS)
- Control Plane (CONTROL_PLANE)
- Corrata (CORRATA)
- Cubist Audit (CUBIST_AUDIT)
- C Zentrix (C_ZENTRIX)
- DefectDojo (DEFECTDOJO)
- Dmarcian (DMARCIAN)
- DocuSign (DOCUSIGN)
- Duo Activity Logs (DUO_ACTIVITY)
- E2 Guardian (E2_GUARDIAN)
- Egress Defend (EGRESS_DEFEND)
- Egress Prevent (EGRESS_PREVENT)
- Emsisoft AntiVirus (EMSISOFT_ANTIVIRUS)
- F5 System Logs (F5_SYSTEM_LOGS)
- Fastly CDN (FASTLY_CDN)
- FireEye CMS (FIREEYE_CMS)
- Forcepoint Mail Relay (FORCEPOINT_MAIL_RELAY)
- Google Ads (GOOGLE_ADS)
- H3C Comware Platform Switch
- Halcyon Anti Ransomware (HALCYON)
- Halo (HALO)
- HP Poly (HP_POLY)
- Huawei CloudEngine (HUAWEI_CLOUDENGINE)
- Intruder.IO (INTRUDER_IO)
- Ivanti Connect Secure (IVANTI_CONNECT_SECURE)
- Keyfactor (KEYFACTOR)
- Kyverno (KYVERNO)
- LaunchDarkly (LAUNCH_DARKLY)
- LeanIX Enterprise (LEANIX)
- Leanix CMDB (LEANIX_CMDB)
- Lucid (LUCID)
- Lumeta Spectre (LUMETA)
- ManageEngine Asset Explorer (MANAGE_ENGINE_ASSET_EXPLR)
- ManageEngine Endpoint Central (MANAGE_ENGINE_ENDPT_CNTRL)
- Mandiant Digital Threat Monitoring (MANDIANT_DTM_ALERTS)
- Manhattan Warehouse Management System (MANHATTAN_WMS)
- Mend IO (MEND_IO)
- Meta Marketing (META_MARKETING)
- Miasma SecretScanner (MIASMA_SECRETSCANNER)
- Microsoft Ads (MICROSOFT_ADS)
- Microsoft Purview (MICROSOFT_PURVIEW)
- ModSecurity (MODSECURITY)
- Netapp Storagegrid (NETAPP_STORAGEGRID)
- NetBrain (NETBRAIN)
- Netenrich Entity Context (NETENRICH_ENTITY_CONTEXT)
- Netwrix Activity Monitor (NETWRIX_ACTIVITY_MONITOR)
- Netwrix Stealth Intercept (NETWRIX_STEALTH_INTERCEPT)
- Netwrix Threat Manager (NETWRIX_THREAT_MANAGER)
- Nexus Sonatype (NEXUS_SONATYPE)
- Oracle Fusion (ORACLE_FUSION)
- PAGELY (PAGELY)
- Palantir (PALANTIR)
- Proofpoint Meta (PROOFPOINT_META)
- Qumulo FS (QUMULO_FS)
- Radware Alteon (RADWARE_ALTEON)
- SailPoint IdentityIQ (SAILPOINT_IIQ)
- Sentinelone Activity (SENTINELONE_ACTIVITY)
- Siga Level Zero OT Resilience (SIGA)
- Site24x7 (SITE24X7)
- Winevtlog Snare (SNARE_WINEVTLOG)
- Solar System (SOLAR_SYSTEM)
- Stealthbits DLP (STEALTHBITS_DLP)
- Symantec VIP Authentication Hub (SYMANTEC_VIP_AUTHHUB)
- Temenos Journey Manager System Event Publisher (TEMENOS_MANAGER_SYSTEMEVENT)
- Teradata Aster (TERADATA_ASTER)
- Tiktok for Developers (TIKTOK)
- Transmit BindID (TRANSMIT_BINDID)
- Trend Micro Vision One Audit (TRENDMICRO_VISION_ONE_AUDIT)
- Trend Micro Vision One Observed Attack Techniques (TRENDMICRO_VISION_ONE_OBSERVERD_ATTACK_TECHNIQUES)
- Trend Micro Vision One Workbench (TRENDMICRO_VISION_ONE_WORKBENCH)
- TrueNAS (TRUENAS)
- E-Motional Transparent Screen Lock TSL RFID (TSL_PRO)
- UPX AntiDDoS (UPX_ANTIDDOS)
- Verba Recording System (VERBA_REC)
- Vercara (VERCARA)
- Veza Access Control Platform (VEZA)
- Web Methods Api Gateway (WEBMETHODS_API_GATEWAY)
For a list of supported log types and details about default parser changes, see Supported log types and default parsers.
April 26, 2024
The feed management feature is now enhanced to include the following:
- Feed names: You can assign custom names to new and existing data feeds.
- Troubleshooting information: You can diagnose error feeds by accessing detailed information about the cause of an issue and recommended actions.
- Last succeeded time: Stay informed about the status of a feed, with a timestamp identifying when data was last successfully fetched by each feed.
You can now set up feeds to push logs using an HTTPS endpoint by using either the feed management user interface or the feed management API. You can use the following feed management source types to set up ingestion using an HTTPS endpoint:
- Amazon Data Firehose
- Google Cloud Pub/Sub
- Webhooks
You can also generate a secret key and API key to authenticate feeds that use Amazon Data Firehose and webhooks as the feed source type.
April 25, 2024
Chronicle Security Operations (Chronicle SecOps) has been rebranded to Google Security Operations (Google SecOps). Both the logo and the platform name have been rebranded as part of this change. This rebranding reflects our commitment to bringing you the best of Google security operations features. There is no change to functionality in the platform.
April 22, 2024
The ingestion_stats table in BigQuery is deprecated and will no longer be updated after May 15, 2024. We recommend that you use the Chronicle ingestion_metrics table in BigQuery, which provides more accurate ingestion metrics.
The ingestion alerting system using Chronicle has been deprecated. This system will no longer be updated, and no alerts will be sent from this system after September 01, 2024. We recommend that you use the Cloud Monitoring integration which provides more flexibility in alert logic, alert workflow, and integration with third-party ticketing systems.
April 15, 2024
The following labels fields for UDM nouns are deprecated and will no longer appear in search results after November 29, 2024: about.labels, intermediary.labels, observer.labels, principal.labels, src.labels, security_result.about.labels, and target.labels. For existing parsers, the log fields are mapped both to these deprecated UDM fields and to key and value pairs in the additional.fields UDM field. For new parsers, only the key and value pairs in additional.fields are populated; the deprecated labels fields are not. We recommend that you update existing rules that read the labels fields to read the same key and value pairs from additional.fields, so that they keep matching after the cutover date.
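As an added example (not part of the release note and not a Google SecOps curated rule), here is one detection written first against the deprecated principal.labels field and then against additional.fields, which is the change the note asks rule authors to make. The event type, the "namespace" key and "kube-system" value, the match window and the rule names are illustrative; the example assumes that the parser for the log type in question writes the log's namespace field under that key in additional.fields, which is what the note says existing parsers do alongside the labels mapping. Each rule is uploaded separately in Google SecOps; they are shown together only for comparison.

```yaral
// BEFORE: reads the deprecated principal.labels noun field.
// Stops matching once labels are no longer populated (after November 29, 2024).
rule kube_system_process_labels_deprecated {
  meta:
    author = "added example, not a Google SecOps curated rule"
    description = "Process launched in the kube-system namespace, read from principal.labels (key assumed)"
    severity = "MEDIUM"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    // Label lookup by key on the noun: deprecated.
    $e.principal.labels["namespace"] = "kube-system"
    $e.principal.hostname = $host

  match:
    $host over 10m

  condition:
    $e
}

// AFTER: the same key and value read from the event-level additional.fields,
// which both existing and new parsers populate. Only the one predicate changes;
// match and condition are untouched, so alert volume should be identical.
rule kube_system_process_additional_fields {
  meta:
    author = "added example, not a Google SecOps curated rule"
    description = "Process launched in the kube-system namespace, read from additional.fields (key assumed)"
    severity = "MEDIUM"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    // Key/value lookup on additional.fields replaces the labels lookup.
    // The key name is whatever the parser emits; "namespace" is assumed here.
    $e.additional.fields["namespace"] = "kube-system"
    $e.principal.hostname = $host

  match:
    $host over 10m

  condition:
    $e
}
```

Before cutting over, run the two rules side by side (or test the new one against historical data) and confirm the key name by inspecting a parsed event from the affected log type: additional.fields carries the parser's own key, which is not guaranteed to match the key that was used under the noun's labels.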
April 03, 2024
On or after May 1, 2024, to improve enrichment quality, the enrichment process for telemetry events and entities will prioritize values set by parsers over values taken from aliases in unenriched events. If a parser does not set a value, the enrichment process sets the enriched value using aliases.
Curated Detections rule packs covering AWS threats are generally available to Chronicle Enterprise and Enterprise Plus customers.
March 26, 2024
Duet AI in Google Cloud is now Gemini for Google Cloud. See our blog post for more information.
March 25, 2024
Chronicle Applied Threat Intelligence helps you identify and respond to threats. When enabled, it ingests IOCs curated by Mandiant Threat Intelligence with an IC-Score greater than 80 and generates an error when a match is found. The following are some of the features of Applied Threat Intelligence.
Event-level enrichment: All telemetry in Chronicle is enriched with Google Threat Intelligence, which combines Mandiant and VirusTotal intelligence, including all threat intelligence associations such as campaigns and actors.
Sophisticated indicator matching: Curated out-of-the-box detections that deliver sophisticated indicator matching using augmented prioritization logic, noise reduction based on customer environment context, and other correlation techniques to maximize signal to noise.
Active breach alerting: Uses Mandiant's incident response intelligence to alert on potential active breaches delivering on our no patient 1 vision.
Curated behavioral detections for emerging threats: To protect against newly emerging risks and tactics, techniques, and procedures (TTPs), Applied Threat Intelligence uses real-time insights.
DIY detection engineering and response automation: Access to Fusion intelligence (formerly known as Mandiant Fusion) for the following.
- Customer authoring of rules
- Customer development of response playbooks
Curated views for investigation and triage insights: Applied Threat Intelligence provides curated views that show associations between an indicator and a threat actor, threat campaign, or malware, and statistics about a threat observed in customer environments. These views support all security operations workflows.
For more information about Applied Threat Intelligence, see Applied Threat Intelligence overview.
This note incorrectly states that an error is generated when an IOC match is found. See the entry for May 8, 2024 for the updated statement.
March 22, 2024
Chronicle now supports direct ingestion and parsing of reCAPTCHA Enterprise logs from Google Cloud.
There is no longer a limit on the number of feeds you can create for the same log type in Feed Management.
Chronicle has added a new rule set to Cloud Threat Detections, called Serverless Threats, that detects activity associated with potential compromise or abuse of serverless resources in Google Cloud, such as Cloud Run and Cloud Functions.
March 20, 2024
Chronicle has expanded Cloud Threat Detections to create a detection when findings from Security Command Center Event Threat Detections, Cloud Armor, Sensitive Actions Service, and Custom modules for Event Threat Detection are identified. These detections are available through the following rule sets: CDIR SCC Cloud IDS, CDIR SCC Cloud Armor, CDIR SCC Impact, CDIR SCC Enhanced Persistence, CDIR SCC Enhanced Defense Evasion, and CDIR SCC Custom Module.
Case filter and URL now in a reciprocal relationship
In the Cases page, the filter and the URL now directly affect each other. Changing the filter changes the URL, and conversely, changing the URL changes the filter. You can take advantage of this feature by setting a filter for cases and putting the newly created URL in an external dashboard. Clicking on this link would then take you directly to the filtered case queue.
March 14, 2024
Forwarder troubleshooting guide is now available to help you diagnose and resolve common issues that may arise while using the Chronicle Linux forwarder.
The following supported default parsers have changed. Each is listed by product name and log_type value, if applicable.
- Akamai WAF (AKAMAI_WAF)
- Alcatel Switch (ALCATEL_SWITCH)
- Arcsight CEF (ARCSIGHT_CEF)
- Auth0 (AUTH_ZERO)
- AWS Cloudtrail (AWS_CLOUDTRAIL)
- AWS Config (AWS_CONFIG)
- AWS GuardDuty (GUARDDUTY)
- Azure AD (AZURE_AD)
- Azure AD Directory Audit (AZURE_AD_AUDIT)
- Azure App Service (AZURE_APP_SERVICE)
- Azure Key Vault logging (AZURE_KEYVAULT_AUDIT)
- BIND (BIND_DNS)
- Blue Coat Proxy (BLUECOAT_WEBPROXY)
- Box (BOX)
- Chrome Management (N/A)
- Cisco AMP (CISCO_AMP)
- Cisco Umbrella DNS (UMBRELLA_DNS)
- Cisco VPN (CISCO_VPN)
- Citrix Netscaler (CITRIX_NETSCALER)
- Cloud Audit Logs (N/A)
- Cloudflare (CLOUDFLARE)
- Cofense (COFENSE_TRIAGE)
- Corelight (CORELIGHT)
- CrowdStrike Falcon (CS_EDR)
- CSV Custom IOC (CSV_CUSTOM_IOC)
- Custom Application Access Logs (CUSTOM_APPLICATION_ACCESS)
- Cybergatekeeper NAC (CYBERGATEKEEPER_NAC)
- Extreme Wireless (EXTREME_WIRELESS)
- F5 ASM (F5_ASM)
- F5 BIGIP LTM (F5_BIGIP_LTM)
- Falco IDS (FALCO_IDS)
- FireEye (FIREEYE_ALERT)
- FireEye ETP (FIREEYE_ETP)
- ForgeRock Identity Cloud (FORGEROCK_IDENTITY_CLOUD)
- FortiGate (FORTINET_FIREWALL)
- GCP_APP_ENGINE (GCP_APP_ENGINE)
- HP Procurve Switch (HP_PROCURVE)
- IAM Context (N/A)
- IBM DB2 (DB2_DB)
- IBM Mainframe Storage (IBM_MAINFRAME_STORAGE)
- IBM Security Access Manager (IBM_SAM)
- Illumio Core (ILLUMIO_CORE)
- Imperva (IMPERVA_WAF)
- Infoblox (INFOBLOX)
- JAMF CMDB (JAMF)
- KerioControl Firewall (KERIOCONTROL)
- Microsoft Azure Activity (AZURE_ACTIVITY)
- Microsoft Azure Resource (AZURE_RESOURCE_LOGS)
- Microsoft Defender For Cloud (MICROSOFT_DEFENDER_CLOUD_ALERTS)
- Microsoft Defender for Endpoint (MICROSOFT_DEFENDER_ENDPOINT)
- Microsoft Exchange (EXCHANGE_MAIL)
- Microsoft Graph Activity Logs (MICROSOFT_GRAPH_ACTIVITY_LOGS)
- Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
- Microsoft IIS (IIS)
- Microsoft System Center Endpoint Protection (MICROSOFT_SCEP)
- Mobile Endpoint Security (LOOKOUT_MOBILE_ENDPOINT_SECURITY)
- Mongo Database (MONGO_DB)
- Netscout OCI (NETSCOUT_OCI)
- Netskope (NETSKOPE_ALERT)
- Netskope Web Proxy (NETSKOPE_WEBPROXY)
- Network Policy Server (MICROSOFT_NPS)
- Nutanix Prism (NUTANIX_PRISM)
- Office 365 (OFFICE_365)
- Okta (OKTA)
- OpenCanary (OPENCANARY)
- Ordr IoT (ORDR_IOT)
- Palo Alto Cortex XDR Alerts (CORTEX_XDR)
- Palo Alto Networks Firewall (PAN_FIREWALL)
- Palo Alto Prisma Cloud (PAN_PRISMA_CLOUD)
- PerimeterX Bot Protection (PERIMETERX_BOT_PROTECTION)
- Phishlabs (PHISHLABS)
- Proofpoint Sendmail Sentrion (PROOFPOINT_SENDMAIL_SENTRION)
- Pulse Secure (PULSE_SECURE_VPN)
- RH-ISAC (RH_ISAC_IOC)
- SailPoint IAM (SAILPOINT_IAM)
- Salesforce (SALESFORCE)
- Sap Business Technology Platform (SAP_BTP)
- Security Command Center Threat (N/A)
- Sentinelone Alerts (SENTINELONE_ALERT)
- Shibboleth IDP (SHIBBOLETH_IDP)
- Sourcefire (SOURCEFIRE_IDS)
- Splunk Attack Analyzer (SPLUNK_ATTACK_ANALYZER)
- STIX Threat Intelligence (
STIX
) - Symantec CloudSOC CASB (
SYMANTEC_CASB
) - Symantec DLP (
SYMANTEC_DLP
) - Tanium Asset (
TANIUM_ASSET
) - Thinkst Canary (
THINKST_CANARY
) - Trend Micro Deep Security (
TRENDMICRO_DEEP_SECURITY
) - Vectra Detect (
VECTRA_DETECT
) - Vectra Stream (
VECTRA_STREAM
) - VeridiumID by Veridium (
VERIDIUM_ID
) - Wazuh (
WAZUH
) - Windows Defender ATP (
WINDOWS_DEFENDER_ATP
) - Windows DNS (
WINDOWS_DNS
) - Windows Event (
WINEVTLOG
) - Windows Event (XML) (
WINEVTLOG_XML
) - Windows Local Administrator Password Solution (
MICROSOFT_LAPS
) - wiz.io (
WIZ_IO
) - Workspace Activities (
WORKSPACE_ACTIVITY
) - XAMS by Xiting (
XITING_XAMS
) - Zscaler CASB (
ZSCALER_CASB
) - Zscaler DLP (
ZSCALER_DLP
) - Zscaler Internet Access Audit Logs (
ZSCALER_INTERNET_ACCESS
)
The following log types, without a default parser, were added. Each is listed by product name and log_type value, if applicable.
- Aruba Switch (ARUBA_SWITCH)
- Azure AD Password Protection (AZURE_AD_PASSWORD_PROTECTION)
- Azure Front Door (AZURE_FRONT_DOOR)
- Babelforce (BABELFORCE)
- Cloudaware (CLOUDAWARE)
- Coalition Control API (COALITION)
- Crowdstrike Identity Protection Services (CS_IDP)
- Cymulate (CYMULATE)
- Dell ECS Enterprise Object Storage (DELL_ECS)
- Google Cloud NGFW Enterprise (GCP_NGFW_ENTERPRISE)
- Google Cloud Secure Web Proxy (GCP_SWP)
- HaveIBeenPwned (HIBP)
- HPE BladeSystem C7000 (HPE_BLADESYSTEM_C7000)
- HP OpenView (HP_OPENVIEW)
- IBM DS8000 Storage (IBM_DS8000)
- IBM-i Operating System (IBM_I)
- Multicom Switch (MULTICOM_SWITCH)
- Nextthink Finder (NEXTTHINK_FINDER)
- Palo Alto Cortex XDR Management Audit (PAN_XDR_MGMT_AUDIT)
- PingIdentity Directory Server Logs (PING_DIRECTORY)
- Prisma SD-WAN (PRISMA_SD_WAN)
- Redhat Jboss (REDHAT_JBOSS)
- SafeBreach (SAFEBREACH)
- Scality Ring Audit (SCALITY_RING_AUDIT)
- Sendsafely (SENDSAFELY)
- Solace Pub Sub Cloud (SOLACE_AUDIT)
- Sonicwall Secure Mobile Access (SONICWALL_SMA)
- Sonrai Enterprise Cloud Security Solution (SONRAI)
- Tenemos Journey Manager System Event Publisher (TENEMOS_MANAGER_SYSTEMEVENT)
- TrueFort Platform (TRUEFORT)
- Ubiquiti Accesspoint (UBIQUITI_ACCESSPOINT)
- WithSecure Cloud Protection (WITHSECURE_CLOUD)
- WithSecure Elements Connector (WITHSECURE_ELEMENTS)
- YAMAHA ROUTER RTX1200 (YAMAHA_ROUTER)
For a list of supported log types and details about default parser changes, see Supported log types and default parsers.
March 13, 2024
In the Entity Explorer page, Case Distribution has been renamed to Alert Distribution.
Jobs Enhancement
When updating an integration, the jobs will now be updated automatically. This does not apply to any legacy jobs that were created before October 2023.
The Marketplace integration will clearly identify the legacy jobs that are affected and provide instructions on how to proceed.
In addition, legacy jobs are now marked as such in the Jobs Scheduler page so that you can take action and resolve issues beforehand.
February 22, 2024
The following APIs have been deprecated and will be deleted in 6 months:
- GET /api/external/v1/connectors/GetConnectorsData
- POST /api/external/v1/connectors/DeleteConnector
- POST /api/external/v1/connectors/AddOrUpdateConnector
- POST /api/external/v1/connectors/UpdateConnectorFromIde
- POST /api/external/v1/connectors/GetConnectorStatus
For each deprecated API, one or more alternative endpoints are available:
Instead of GET /api/external/v1/connectors/GetConnectorsData, use one of the following:
- GET /api/external/v1/connectors/template-cards: provides basic information for each accessible connector definition.
- POST /api/external/v1/connectors/template: retrieves detailed information about a specific connector definition.
- GET /api/external/v1/connectors/cards: provides basic information for each accessible connector.
- GET /api/external/v1/connectors/{identifier}: retrieves detailed information about a specific connector instance.
Instead of POST /api/external/v1/connectors/DeleteConnector, use DELETE /api/external/v1/connectors/{identifier}.
Instead of POST /api/external/v1/connectors/AddOrUpdateConnector, use POST /api/external/v1/connectors.
Instead of POST /api/external/v1/connectors/UpdateConnectorFromIde, use POST /api/external/v1/connectors/update-from-ide.
Instead of POST /api/external/v1/connectors/GetConnectorStatus, use GET /api/external/v1/connectors/{identifier}/statistics.
Note that the replacements are not drop-in: the HTTP method changes for deletion and status lookup, and the connector identifier moves from the request body into the URL path, so any automation that calls these endpoints needs more than a path substitution.
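The deprecation window is only useful if you know where your own automation still calls the old endpoints. The following scanner, an added example written for this note rather than Google SecOps code, walks a script's source text, reports every reference to a deprecated connector endpoint with its line number, and lists the replacement method and path taken from the mapping above. SAMPLE_SCRIPT is a constructed snippet standing in for a customer's integration script; the hostname variable and header names in it are placeholders.

```python
"""Scan automation code for the deprecated connector endpoints and report
the replacement for each hit.

Added example for this release note, not Google SecOps code. The endpoint
mapping is copied from the note; SAMPLE_SCRIPT is constructed sample input.
"""
import re
from typing import NamedTuple

BASE = "/api/external/v1/connectors"

# Deprecated (method, path) -> replacement (method, path) pairs, as listed above.
REPLACEMENTS: dict[tuple[str, str], list[tuple[str, str]]] = {
    ("GET", f"{BASE}/GetConnectorsData"): [
        ("GET", f"{BASE}/template-cards"),
        ("POST", f"{BASE}/template"),
        ("GET", f"{BASE}/cards"),
        ("GET", f"{BASE}/{{identifier}}"),
    ],
    ("POST", f"{BASE}/DeleteConnector"): [("DELETE", f"{BASE}/{{identifier}}")],
    ("POST", f"{BASE}/AddOrUpdateConnector"): [("POST", BASE)],
    ("POST", f"{BASE}/UpdateConnectorFromIde"): [("POST", f"{BASE}/update-from-ide")],
    ("POST", f"{BASE}/GetConnectorStatus"): [("GET", f"{BASE}/{{identifier}}/statistics")],
}

# Index by path: each deprecated path has exactly one deprecated method.
_BY_PATH = {path: (method, repl) for (method, path), repl in REPLACEMENTS.items()}

# One alternation of the deprecated trailing segments; \b stops prefix matches.
_DEPRECATED_RE = re.compile(
    re.escape(BASE)
    + "/("
    + "|".join(re.escape(path.rsplit("/", 1)[1]) for (_, path) in REPLACEMENTS)
    + r")\b"
)


class Finding(NamedTuple):
    line_no: int
    deprecated: str             # e.g. "GET /api/external/v1/connectors/GetConnectorsData"
    replacements: tuple         # e.g. ("DELETE /api/external/v1/connectors/{identifier}",)


def find_deprecated_calls(source: str) -> list:
    """Return one Finding per deprecated endpoint reference, in source order."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for match in _DEPRECATED_RE.finditer(line):
            path = match.group(0)
            method, repl = _BY_PATH[path]
            findings.append(
                Finding(line_no, f"{method} {path}", tuple(f"{m} {p}" for m, p in repl))
            )
    return findings


def render_report(findings: list) -> str:
    """Human-readable migration checklist, one block per finding."""
    if not findings:
        return "No deprecated connector endpoints found."
    lines = []
    for f in findings:
        lines.append(f"line {f.line_no}: {f.deprecated}")
        lines.extend(f"    -> {r}" for r in f.replacements)
    return "\n".join(lines)


# Constructed sample: a typical integration script before migration.
# `host`, `h` and `cid` are placeholders for the base URL, auth headers and connector id.
SAMPLE_SCRIPT = '''\
import requests
resp = requests.get(f"{host}/api/external/v1/connectors/GetConnectorsData", headers=h)
requests.post(f"{host}/api/external/v1/connectors/DeleteConnector", json={"identifier": cid}, headers=h)
status = requests.post(f"{host}/api/external/v1/connectors/GetConnectorStatus", json={"identifier": cid}, headers=h)
cards = requests.get(f"{host}/api/external/v1/connectors/cards", headers=h)  # already migrated
'''

if __name__ == "__main__":
    print(render_report(find_deprecated_calls(SAMPLE_SCRIPT)))
```

Run it over each file in your automation repository (for example by passing the file contents to find_deprecated_calls) before the six-month deletion date; the already-migrated cards call in the sample is deliberately not reported, which is the check that the pattern does not over-match the new endpoints.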
February 20, 2024
Google has added Tokyo (Japan) as a new region for Chronicle customers. Chronicle can now store customer data in this region. This also adds a new regional endpoint for Chronicle APIs at https://asia-northeast1-backstory.googleapis.com.
The following supported default parsers have changed. Each is listed by product name and log_type value, if applicable.
- A10 Load Balancer (A10_LOAD_BALANCER)
- Anomali (ANOMALI_IOC)
- Apache (APACHE)
- Arcsight CEF (ARCSIGHT_CEF)
- AWS CloudWatch (AWS_CLOUDWATCH)
- AWS EC2 Hosts (AWS_EC2_HOSTS)
- AWS EC2 Instances (AWS_EC2_INSTANCES)
- AWS EC2 VPCs (AWS_EC2_VPCS)
- Azure AD (AZURE_AD)
- Azure AD Directory Audit (AZURE_AD_AUDIT)
- Azure DevOps Audit (AZURE_DEVOPS)
- Azure Firewall (AZURE_FIREWALL)
- BIND (BIND_DNS)
- BloxOne Threat Defense (BLOXONE)
- Blue Coat Proxy (BLUECOAT_WEBPROXY)
- Carbon Black (CB_EDR)
- Cato Networks (CATO_NETWORKS)
- CENSYS (CENSYS)
- Check Point (CHECKPOINT_FIREWALL)
- Chrome Management (N/A)
- Cisco IronPort (CISCO_IRONPORT)
- Cisco Meraki (CISCO_MERAKI)
- Cisco Prime (CISCO_PRIME)
- Cisco Secure Workload (CISCO_SECURE_WORKLOAD)
- Citrix Netscaler (CITRIX_NETSCALER)
- Cloud Audit Logs (N/A)
- Cloud Load Balancing (GCP_LOADBALANCING)
- Cloud Run (GCP_RUN)
- Cloudflare (CLOUDFLARE)
- CommVault Commcell (COMMVAULT_COMMCELL)
- Compute Context (N/A)
- Corelight (CORELIGHT)
- CrowdStrike Detection Monitoring (CS_DETECTS)
- CSV Custom IOC (CSV_CUSTOM_IOC)
- Cybereason EDR (CYBEREASON_EDR)
- Dataminr Alerts (DATAMINR_ALERT)
- Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
- F5 BIGIP LTM (F5_BIGIP_LTM)
- FireEye ETP (FIREEYE_ETP)
- Forescout NAC (FORESCOUT_NAC)
- ForgeRock OpenAM (OPENAM)
- IBM WebSEAL (IBM_WEBSEAL)
- Imperva (IMPERVA_WAF)
- Imperva Database (IMPERVA_DB)
- Infoblox RPZ (INFOBLOX_RPZ)
- ISC DHCP (ISC_DHCP)
- Juniper (JUNIPER_FIREWALL)
- Linux Sysmon (LINUX_SYSMON)
- LogonBox (LOGONBOX)
- ManageEngine ADAudit Plus (ADAUDIT_PLUS)
- Micro Focus iManager (MICROFOCUS_IMANAGER)
- Microsoft AD (WINDOWS_AD)
- Microsoft ATA (MICROSOFT_ATA)
- Microsoft Azure Activity (AZURE_ACTIVITY)
- Microsoft Defender For Cloud (MICROSOFT_DEFENDER_CLOUD_ALERTS)
- Microsoft Exchange (EXCHANGE_MAIL)
- Microsoft IIS (IIS)
- Netskope (NETSKOPE_ALERT)
- Netskope CASB (NETSKOPE_CASB)
- Ntopng (NTOPNG)
- Office 365 (OFFICE_365)
- OpenCanary (OPENCANARY)
- OpenSSH (OPENSSH)
- OSSEC (OSSEC)
- Palo Alto Cortex XDR Alerts (CORTEX_XDR)
- Palo Alto Networks Firewall (PAN_FIREWALL)
- Palo Alto Panorama (PAN_PANORAMA)
- Quest Active Directory (QUEST_AD)
- Recordia (RECORDIA)
- Sangfor Next Generation Firewall (SANGFOR_NGAF)
- SAP SM20 (SAP_SM20)
- Security Command Center Threat (N/A)
- SEPPmail Secure Email (SEPPMAIL)
- ServiceNow CMDB (SERVICENOW_CMDB)
- Snare System Diagnostic Logs (SNARE_SOLUTIONS)
- Solaris system (SOLARIS_SYSTEM)
- STIX Threat Intelligence (STIX)
- Symantec CloudSOC CASB (SYMANTEC_CASB)
- Symantec Web Security Service (SYMANTEC_WSS)
- Trend Micro Deep Security (TRENDMICRO_DEEP_SECURITY)
- Veritas NetBackup (VERITAS_NETBACKUP)
- VMware ESXi (VMWARE_ESX)
- Watchguard EDR (WATCHGUARD_EDR)
- WindChill (WINDCHILL)
- Windows Defender AV (WINDOWS_DEFENDER_AV)
- Windows DNS (WINDOWS_DNS)
- Windows Event (WINEVTLOG)
- Windows Event (XML) (WINEVTLOG_XML)
- wiz.io (WIZ_IO)
- Zeek JSON (BRO_JSON)
- Zscaler (ZSCALER_WEBPROXY)
- Zscaler CASB (ZSCALER_CASB)
- Zscaler Internet Access Audit Logs (ZSCALER_INTERNET_ACCESS)
- Zscaler Private Access (ZSCALER_ZPA)
The following log types, without a default parser, were added. Each is listed by product name and log_type value, if applicable.
- Arista Guardian For Network Identity (ARISTA_AGNI)
- HPE Aruba Networking Central (ARUBA_CENTRAL)
- Blackberry Workspaces (BLACKBERRY_WORKSPACES)
- Barracuda CloudGen Firewall (BARRACUDA_CLOUDGEN_FIREWALL)
- Cisco EStreamer (CISCO_ESTREAMER)
- Cyderes IOC (CYDERES_IOC)
- Dataiku DSS Logging (DATAIKU_DSS_LOGS)
- Edgecore Networks (EDGECORE_NETWORKS)
- Fisglobal Quantum (FISGLOBAL_QUANTUM)
- ForgeRock Identity Cloud (FORGEROCK_IDENTITY_CLOUD)
- Forgerock OpenIdM (FORGEROCK_OPENIDM)
- FS-ISAC IOC (FS_ISAC_IOC)
- Genetec Audit (GENETEC_AUDIT)
- HiBob (HIBOB)
- Imperva Audit Trail (IMPERVA_AUDIT_TRAIL)
- KerioControl Firewall (KERIOCONTROL)
- Looker Audit (LOOKER_AUDIT)
- Mobile Endpoint Security (LOOKOUT_MOBILE_ENDPOINT_SECURITY)
- ManageEngine PAM360 (MANAGE_ENGINE_PAM360)
- Melissa (MELISSA)
- Microsoft CASB Files & Entities (MICROSOFT_CASB_CONTEXT)
- Windows Local Administrator Password Solution (MICROSOFT_LAPS)
- Network Policy Server (MICROSOFT_NPS)
- Power BI Activity Log (MICROSOFT_POWERBI_ACTIVITY_LOG)
- Nxlog Agent (NXLOG_AGENT)
- Nxlog Fim (NXLOG_FIM)
- Opus Codec (OPUS)
- Oracle NetSuite (ORACLE_NETSUITE)
- Pega Automation (PEGA)
- Qualys Knowledgebase (QUALYS_KNOWLEDGEBASE)
- RealiteQ (REALITEQ)
- SAP Webdispatcher (SAP_WEBDISP)
- Serpico (SERPICO)
- Software House Ccure9000 (SOFTWARE_HOUSE_CCURE9000)
- Spirion (SPIRION)
- Spur data feeds (SPUR_FEEDS)
- Swift (SWIFT)
- Technitium DNS (TECHNITIUM_DNS)
- Tetragon Ebpf Audit Logs (TETRAGON_EBPF_AUDIT_LOGS)
- Trend Micro Email Security Advanced (TRENDMICRO_EMAIL_SECURITY)
- Tridium Niagara Framework (TRIDIUM_NIAGARA_FRAMEWORK)
- VeridiumID by Veridium (VERIDIUM_ID)
- Wallarm Webhook Notifications (WALLARM_NOTIFICATIONS)
- Winscp (WINSCP)
- XAMS by Xiting (XITING_XAMS)
For a list of supported log types and details about default parser changes, see Supported log types and default parsers.
Chronicle now supports the timestamp.get_date() function. For more information and example usage, see YARA-L 2.0 language syntax.
February 19, 2024
The AI Investigation widget is now available in Europe. For more information, refer to AI Investigation widget.
February 12, 2024
Google has introduced Risk Analytics to Chronicle. Risk Analytics looks for patterns of risk across your enterprise, assigning risk scores to all entities and activities. These scores are surfaced in the Risk Analytics dashboard which lets you better understand risk in your environment by visualizing entity risk trends. The dashboard helps you to identify unusual behavior and the potential risk that entities pose to your enterprise. You can specify watchlists of entities you suspect of having greater risk. The watchlists let you more easily monitor risk within your environment.
Risk Analytics also provides both predefined curated detections and YARA-L metric functions for authoring custom rules.
Risk Analytics is available with Enterprise and Enterprise Plus licenses.
Chronicle requires a minimum Transport Layer Security (TLS) version of 1.2 to maintain security compliance. Ingestion routing connections that use lower TLS versions are automatically blocked. Upgrade any custom ingestion mechanisms to adhere to TLS 1.2 or higher.
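Custom ingestion code is the part of this change you control, so it is worth pinning the client side as well rather than relying on the server to refuse old versions. The following added example (written for this note, not Google SecOps code) builds a client context that cannot negotiate below TLS 1.2, a self-check for any context you inherit from a library, and a two-sided probe that confirms an endpoint accepts the hardened context and refuses a TLS 1.1-capped one. INGESTION_HOST is a placeholder assumption; substitute the regional endpoint your ingestion mechanism actually uses.

```python
"""Client TLS hardening for custom ingestion code, plus a probe that verifies
an endpoint refuses the TLS versions that are now blocked.

Added example for this note, not Google SecOps code. INGESTION_HOST is a
placeholder; replace it with your real ingestion endpoint before probing.
"""
import socket
import ssl
from typing import Optional

INGESTION_HOST = "ingestion.example.invalid"   # placeholder assumption
INGESTION_PORT = 443


def make_ingestion_context() -> ssl.SSLContext:
    """Context for production ingestion: TLS 1.2 minimum, cert and hostname checks on."""
    ctx = ssl.create_default_context()            # system CAs, CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0/1.1 on our side as well
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """Self-check for a context handed to you by a library or a config loader."""
    return (
        ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
    )


def make_legacy_probe_context() -> ssl.SSLContext:
    """Context capped at TLS 1.1. Only for checking that a server rejects it; never for real traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # the handshake is expected to fail before the cert matters
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.maximum_version = ssl.TLSVersion.TLSv1_1
    return ctx


def negotiated_version(host: str, port: int, ctx: ssl.SSLContext,
                       timeout: float = 5.0) -> Optional[str]:
    """Protocol the server agreed to (e.g. 'TLSv1.3'), or None if the handshake was refused.

    Transport errors (DNS, refused connection) are deliberately not swallowed:
    they mean 'could not test', which is different from 'server refused TLS 1.1'.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except ssl.SSLError:
        return None


def is_compliant(version: Optional[str]) -> bool:
    """True only for a completed handshake at TLS 1.2 or higher."""
    return version in ("TLSv1.2", "TLSv1.3")


def check_endpoint(host: str = INGESTION_HOST, port: int = INGESTION_PORT) -> dict:
    """Two-sided check: the hardened context must succeed, the legacy one must be refused."""
    modern = negotiated_version(host, port, make_ingestion_context())
    legacy = negotiated_version(host, port, make_legacy_probe_context())
    return {
        "negotiated": modern,
        "modern_ok": is_compliant(modern),
        "legacy_refused": legacy is None,
    }


if __name__ == "__main__":
    print(check_endpoint())
```

A result of legacy_refused False means the endpoint you are talking to is not the one enforcing the policy (a proxy or load balancer in front of it may be terminating TLS), which is the case most worth finding before the block takes effect. On OpenSSL 3 builds the legacy probe may fail locally because the client library itself refuses TLS 1.1 at its default security level; that still reports as refused, so treat that outcome as "could not test" if you need proof about the server.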
When the data ingestion rate for a tenant reaches a certain threshold, Chronicle controls the rate of ingestion for new data feeds to prevent a source with a high ingestion rate from affecting the ingestion rate of another data source. The ingestion volume and tenant's usage history determine the threshold. If the rate of ingestion does not deviate greatly then there is no effect on the ingestion rate.
February 08, 2024
Email settings: customer configuration change
To keep email communication safe and secure, the Trust Certificate checkbox is scheduled to be removed in April 2024, because the setting will then be enabled automatically by default.
Customers who do not currently have this checkbox enabled are advised to carry out the following procedure.
- In the Email Settings > Customer Configuration tab, enable the Trust Certificate checkbox.
- Save the settings.
- Click Test to ensure the configuration works.
- Perform an action which will trigger a test email notification.
- If errors are shown, follow the instructions in the error message.
New audit logs
The platform now captures audit logs when a playbook folder is deleted.
January 31, 2024
The Detection Engine added support for event variable joins on or
expressions and function calls. For examples, see Event variable join requirements.
The following log types were added to the Chronicle feed management API to create AWS data feeds. These feeds can be used to get context on AWS resources such as EC2 instances and users in identity and access management (IAM). Each is listed by product name and log_type value, if applicable.
- AWS EC2 Hosts (AWS_EC2_HOSTS)
- AWS EC2 Instances (AWS_EC2_INSTANCES)
- AWS EC2 VPCs (AWS_EC2_VPCS)
- AWS Identity and Access Management (AWS_IAM)
To view a list of log types that Chronicle supports for third-party APIs, see Configuration by log type.
January 24, 2024
Chronicle has expanded Cloud Threat Detections to alert on findings from GCP Security Command Center Event Threat Detections, Virtual Machine Threat Detections, and Container Threat Detections. These passthrough detections are available through the following packs: CDIR SCC Enhanced Exfiltration, CDIR SCC Enhanced Defense Evasion, CDIR SCC Enhanced Malware, CDIR SCC Enhanced Persistence, CDIR SCC Enhanced Privilege Escalation, CDIR SCC Credential Access, CDIR SCC Enhanced Discovery, CDIR SCC Brute Force, CDIR SCC Data Destruction, CDIR SCC Inhibit System Recovery, CDIR SCC Execution, CDIR SCC Initial Access, CDIR SCC Impair Defenses.
Chronicle Curated Detections has been enhanced with new detection content for Linux Threats. These new rule sets help identify malware and suspicious activity in Linux environments.
January 17, 2024
The following supported default parsers have changed. Each is listed by product name and log_type value, if applicable.
- ADVA Fiber Service Platform (ADVA_FSP)
- Anomali (ANOMALI_IOC)
- Apache (APACHE)
- AWS EMR (AWS_EMR)
- AWS Route 53 DNS (AWS_ROUTE_53)
- AWS WAF (AWS_WAF)
- Azure AD Directory Audit (AZURE_AD_AUDIT)
- Azure Application Gateway (AZURE_GATEWAY)
- BIND (BIND_DNS)
- Blue Coat Proxy (BLUECOAT_WEBPROXY)
- Carbon Black (CB_EDR)
- Check Point (CHECKPOINT_FIREWALL)
- Cisco ASA (CISCO_ASA_FIREWALL)
- Cisco DNA Center Platform (CISCO_DNAC)
- Cisco Firepower NGFW (CISCO_FIREPOWER_FIREWALL)
- CrowdStrike Falcon (CS_EDR)
- Darktrace (DARKTRACE)
- Deep Instinct EDR (DEEP_INSTINCT_EDR)
- Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
- Extreme Networks Switch (EXTREME_SWITCH)
- F5 ASM (F5_ASM)
- F5 BIGIP LTM (F5_BIGIP_LTM)
- Forescout NAC (FORESCOUT_NAC)
- Fortinet FortiClient (FORTINET_FORTICLIENT)
- GitHub (GITHUB)
- GMAIL Logs (GMAIL_LOGS)
- IBM DB2 (DB2_DB)
- IBM Guardium (GUARDIUM)
- Jamf Protect Alerts (JAMF_PROTECT)
- Juniper (JUNIPER_FIREWALL)
- Kubernetes Node (KUBERNETES_NODE)
- Mandiant Custom IOC (MANDIANT_CUSTOM_IOC)
- Mattermost (MATTERMOST)
- Microsoft Exchange (EXCHANGE_MAIL)
- Microsoft IIS (IIS)
- Microsoft SQL Server (MICROSOFT_SQL)
- Nutanix Prism (NUTANIX_PRISM)
- Office 365 (OFFICE_365)
- Okta (OKTA)
- Palo Alto Cortex XDR Events (PAN_CORTEX_XDR_EVENTS)
- Palo Alto Networks Firewall (PAN_FIREWALL)
- Proofpoint Observeit (OBSERVEIT)
- RH-ISAC (RH_ISAC_IOC)
- SAP SAST Suite (SAP_SAST)
- Security Command Center Threat (N/A)
- SentinelOne Singularity Cloud Funnel (SENTINELONE_CF)
- Symantec DLP (SYMANTEC_DLP)
- Talon (TALON)
- Tanium Stream (TANIUM_TH)
- Trend Micro Apex one (TRENDMICRO_APEX_ONE)
- Windows Event (WINEVTLOG)
- Windows Event (XML) (WINEVTLOG_XML)
- wiz.io (WIZ_IO)
- Zscaler (ZSCALER_WEBPROXY)
- Zscaler CASB (ZSCALER_CASB)
- Zscaler Tunnel (ZSCALER_TUNNEL)
The following log types, without a default parser, were added. Each is listed by product name and log_type value, if applicable.
- Asimily (ASIMILY)
- Checkpoint Gaia (CHECKPOINT_GAIA)
- Cisco Cyber Vision (CISCO_CYBER_VISION)
- Cisco IronPort (CISCO_IRONPORT)
- Cyber 2.0 IDS (CYBER_2_IDS)
- CypherTrust Manager (CYPHERTRUST_MANAGER)
- Duo Trust Monitor (DUO_TRUST_MONITOR)
- Extreme Wireless (EXTREME_WIRELESS)
- FireEye PX (FIREEYE_PX)
- Harfanglab EDR (HARFANGLAB_EDR)
- ImageNow (IMAGENOW)
- INFINICO NetWyvern Series Appliance (INFINICO_NETWYVERN)
- Quest CA Audit (QUEST_CA_AUDIT)
- Quest Change Auditor for EMC (QUEST_CHANGE_AUDITOR_EMC)
- Quest File Access Audit (QUEST_FILE_AUDIT)
- RadiFlow IDS (RADIFLOW_IDS)
- Sentrigo (SENTRIGO)
- SEPPmail Secure Email (SEPPMAIL)
- SpecterX (SPECTERX)
- ViaControl Server Application (VIACONTROL)
- WindChill (WINDCHILL)
- WS Ftp (WS_FTP)
For a list of supported log types and details about default parser changes, see Supported log types and default parsers.
The following changes are available in the Unified Data Model.
New objects were added:
- DNSRecord
- Favicon
- ThreatVerdict
- PopularityRank
- SSLCertificate
- SSLCertificate.AuthorityKeyId
- SSLCertificate.CertSignature
- SSLCertificate.DSA
- SSLCertificate.EC
- SSLCertificate.Extension
- SSLCertificate.PublicKey
- SSLCertificate.RSA
- SSLCertificate.Subject
- SSLCertificate.Validity
- Tracker
- Url
- SecurityResult.AnalyticsMetadata
A new field was added to Noun: url_metadata.
New fields were added to SecurityResult: ruleset_category_display_name, confidence_score, analytics_metadata, threat_verdict, and last_discovered_time.
New fields were added to Domain: categories, favicon, jarm, last_dns_records, last_dns_records_time, last_https_certificate, last_https_certificate_time, popularity_ranks, tags, and whois_time.
New fields were added to File: security_result and main_icon.
New fields were added to SecurityResult.Association: sponsor_region, targeted_regions, and tags.
New values were added to File.FileType:
- FILE_TYPE_DWG
- FILE_TYPE_DXF
- FILE_TYPE_THREEDS
- FILE_TYPE_WEBM
- FILE_TYPE_MKV
- FILE_TYPE_ONE_NOTE
- FILE_TYPE_OOXML
- FILE_TYPE_ZST
- FILE_TYPE_LZFSE
- FILE_TYPE_PYTHON_WHL
- FILE_TYPE_PYTHON_PKG
- FILE_TYPE_M4
- FILE_TYPE_OBJETIVEC
- FILE_TYPE_JMOD
- FILE_TYPE_MAKEFILE
- FILE_TYPE_INI
- FILE_TYPE_CLJ
- FILE_TYPE_PDB
- FILE_TYPE_SQL
- FILE_TYPE_NEKO
- FILE_TYPE_WER
- FILE_TYPE_GOLANG
- FILE_TYPE_SGML
- FILE_TYPE_JSON
- FILE_TYPE_CSV
- FILE_TYPE_SQUASHFS
- FILE_TYPE_VHD
- FILE_TYPE_IPS
- FILE_TYPE_PEM
- FILE_TYPE_PGP
- FILE_TYPE_CRT
- FILE_TYPE_PYC
New values were added to Metric.Dimension: PRINCIPAL_PROCESS_FILE_PATH, PRINCIPAL_PROCESS_FILE_HASH, and SECURITY_RESULT_RULE_NAME.
A new value was added to Metric.MetricName: ALERT_EVENT_NAME_COUNT.
A new value was added to SecurityResult.ProductSeverity: NONE.
For a list of all fields in the Unified Data Model, and their descriptions, see the Unified Data Model field list.
January 16, 2024
UDM Search for entity investigation
UDM Search now includes a feature that lets you investigate entities (for example, an IP address, user, or asset) in addition to the events and alerts that match the search query terms. UDM Search query conditions can include both UDM fields (for example, principal.hostname="alice"
) and grouped fields (for example, hostname="alice"
). When a search query includes a condition that identifies a specific entity, the search results include details about that entity in addition to UDM events that match the entire search query.
January 04, 2024
Additional support for trimming large alerts
In order to prevent performance issues, when an alert contains over 500 entities, the alert is ingested with the key entities retained and the additional entities are removed.
This trimming works in parallel with the existing trimming mechanism described in Handle large alerts.
New placeholders added
A new category of placeholders has been added to the SOAR side of the platform. These placeholders describe the current state of the session, such as the logged-in user and the platform, and can be used in a variety of scenarios. For example, you can use them in an HTML widget to show information specific to the logged-in user rather than to the users assigned to the case.
A new section called General has been added to the placeholders. It contains the following placeholders:
- HostUrl
- CurrentUserEmail
- CurrentUserID
- CurrentUserFullName
- CurrentUserRole
Note that the Current User placeholders cannot be used in playbooks or jobs.
December 13, 2023
Duet AI in Security Operations
The following Duet AI features are now available to Chronicle Security Operations customers:
You can now use Duet AI to search your event data using natural language. Duet AI can translate natural language into Chronicle's unified data model, letting you search your event data without having to know YARA-L to craft custom queries.
You can now use the AI Investigation widget to look at the whole case (alerts, events, and entities). The AI Investigation widget also provides an AI-generated case summary of how much attention the case might require, summarizes the alerts data to better understand the threat, and recommends next steps to be taken for effective remediation. The AI Investigation widget is available in the United States only.
September 19, 2023
Welcome to Chronicle Security Operations (SecOps), a Google Cloud service built as a specialized layer on top of Google's core infrastructure, designed for enterprises to privately retain, analyze, and search petabytes of security and network telemetry.
The SecOps platform provides instant context about suspicious and malicious activity. It can be used to detect threats, investigate the scope and cause of those threats, and provide remediation using pre-built integrations with enterprise workflow, response, and orchestration platforms.
The SecOps platform fuses key capabilities of Security Information and Event Management (SIEM), Security Orchestration, Automation, and Response (SOAR) and Threat Intelligence from Google Cloud, VirusTotal, and Mandiant.
The Chronicle SecOps platform enables security analysts to analyze and mitigate a security threat throughout its lifecycle by employing the following capabilities:
Collection: Data is ingested into the platform using software forwarders, parsers, connectors, and webhooks.
Detection: This data is aggregated, normalized using the Universal Data Model (UDM), and linked to detections and threat intelligence.
Investigation: Threats are investigated through case management, search, collaboration, and contextual mapping.
Response: Security analysts can respond quickly and provide resolutions using automated playbooks, incident management, and closed-loop feedback.