Supported data sets

Chronicle can ingest raw logs from different companies, protocols, systems, and equipment. This document describes the currently supported data sets and is updated regularly.

To generate the most current list of supported ingestion labels, use the Ingestion API method:

APIKEY="[[My_ApiKey]]"; curl --header "Content-Type: application/json" \
--request GET "https://malachiteingestion-pa.googleapis.com/v1/logtypes?key=${APIKEY}"

Treat the API key as a credential. It is sent as a URL query parameter, so a command typed as shown leaves the key in your shell history and shows it in the process list (for example, in ps output) while curl runs. Export the variable from a file or secret store with restricted permissions instead of typing the key, and never paste a real key into a shared document or ticket.
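As an added example that is not part of this page or Google's own tooling, the following Python script calls the same /v1/logtypes endpoint, reads the key from a CHRONICLE_API_KEY environment variable rather than the command line, and reports which of a planned set of ingestion labels the API did not return, which is the check you want before an onboarding project commits to a log source. The response field names (logTypes, logType, description) and the environment variable name are assumptions; the sample response and the label strings in it are constructed so the script runs offline.

```python
"""Added example (not Google's code): query the Chronicle Ingestion API for
the current ingestion labels and check that the log sources you plan to
onboard actually have one.  With CHRONICLE_API_KEY set it calls the live
endpoint; without it, it runs against a constructed sample response."""
import json
import os
import urllib.parse
import urllib.request

LOGTYPES_URL = "https://malachiteingestion-pa.googleapis.com/v1/logtypes"


def build_request(api_key: str) -> urllib.request.Request:
    """Build the same GET request as the curl command above.

    The key travels as a query parameter; urlencode() escapes it so a key
    containing '&' or '#' cannot change the meaning of the URL."""
    if not api_key:
        raise ValueError("an API key is required")
    query = urllib.parse.urlencode({"key": api_key})
    return urllib.request.Request(
        f"{LOGTYPES_URL}?{query}",
        headers={"Content-Type": "application/json"},
        method="GET",
    )


def parse_log_types(body: bytes) -> dict:
    """Map ingestion label -> description.

    ASSUMPTION: the body looks like
    {"logTypes": [{"logType": "...", "description": "..."}, ...]}.
    Adjust the key names here if your tenant's response differs."""
    data = json.loads(body)
    return {
        entry["logType"]: entry.get("description", "")
        for entry in data.get("logTypes", [])
    }


def missing_log_types(supported: dict, required) -> list:
    """Labels you need that the API did not return, sorted for review."""
    return sorted(set(required) - set(supported))


def fetch_log_types(api_key: str, timeout: float = 30) -> dict:
    """Call the live endpoint.  HTTP errors are re-raised on purpose: a 4xx
    here usually means the key is wrong or is not authorised for the API."""
    with urllib.request.urlopen(build_request(api_key), timeout=timeout) as resp:
        return parse_log_types(resp.read())


# Constructed sample response for offline runs.  The label strings are
# illustrative only; confirm the real ones against the live list.
SAMPLE_RESPONSE = json.dumps({
    "logTypes": [
        {"logType": "BRO_DNS", "description": "Bro DNS (JSON)"},
        {"logType": "WINEVTLOG", "description": "Microsoft Windows"},
        {"logType": "OKTA", "description": "OKTA"},
    ]
}).encode()


def main() -> int:
    # Read the key from the environment rather than the command line so it
    # does not land in shell history or in `ps` output.
    api_key = os.environ.get("CHRONICLE_API_KEY")
    supported = fetch_log_types(api_key) if api_key else parse_log_types(SAMPLE_RESPONSE)
    # Labels this deployment plans to onboard (hypothetical list for the example).
    required = ["BRO_DNS", "WINEVTLOG", "EXAMPLE_UNSUPPORTED"]
    missing = missing_log_types(supported, required)
    print(f"{len(supported)} ingestion labels returned")
    for label in missing:
        print(f"no ingestion label for {label}: check the list on this page or open a support case")
    return 1 if missing else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

The non-zero exit status when a required label is missing lets the script sit in a pre-onboarding checklist or CI job; the offline path is there so the comparison logic can be exercised without a key.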

For information about how data is ingested and normalized, see Data ingestion to Chronicle overview.

For a list of supported default parsers, see Supported default parsers.

Access management

  • OpenAM

Advanced threat protection

  • Microsoft Defender for Endpoint

Alerts

  • AlphaSOC
  • Carbon Black Defense
  • Cisco ASA
  • CrowdStrike
  • FireEye
  • Microsoft Advanced Threat Analytics
  • Microsoft Windows Graph API Alerts
  • Netskope
  • Palo Alto Networks
  • Snort
  • Suricata
  • Zscaler

Amazon Web Services (AWS)

  • AWS Cloudtrail
  • AWS VPN Flow

Antivirus

  • Bitdefender
  • Cisco AMP
  • ClamAV
  • Cylance Protect
  • Sophos Antivirus
  • Trend Micro AV

Application

  • Microsoft Office 365
  • Salesforce
  • Workday

Audit

  • ManageEngine ADAudit Plus

Authentication

  • Aruba ClearPass
  • Azure AD
  • Centrify
  • Cisco Access Control Server (ACS)
  • Cisco ISE
  • Duo
  • OKTA
  • Preempt
  • RSA Authentication Manager version 8.1
  • SecureAuth
  • SiteMinder Web Access Management
  • Symantec SiteMinder
  • Thycotic

Badging

  • Honeywell Pro-Watch

Cloud Access Security Broker (CASB)

  • Microsoft CASB

Cloud

  • AWS Virtual Private Cloud (VPC) Flow
  • Google Cloud Cloud Audit Logs
  • Google Cloud VPC Flow Logs
  • Google Cloud Compute Context
  • Microsoft Cloud Access Security Broker (CASB)
  • Salesforce

Collaboration

  • Box

Data transfer

  • Ipswitch SFTP

Deception

  • Acalvio

DHCP

  • ASSET_STATIC_IP
  • Bro DHCP (JSON)
  • BT IP Control
  • Cisco DHCP
  • DHCP (PCAP)
  • Elastic Packetbeat
  • Infoblox DHCP
  • Linux DHCP Server
  • Microsoft DHCP
  • Nokia VitalQIP
  • Sophos DHCP

DNS

  • BIND
  • Bro DNS (JSON)
  • BT IP Control
  • Cisco Umbrella
  • DNS (PCAP)
  • Elastic Packetbeat
  • ExtraHop
  • F5 DNS
  • Google Cloud Cloud DNS
  • Infoblox DNS
  • Microsoft DNS
  • Nokia VitalQIP
  • Umbrella DNS
  • Unbound
  • Zscaler DNS

EDR

  • Carbon Black Defense
  • Carbon Black Response
  • Check Point SandBlast
  • Cisco AMP
  • CrowdStrike
  • Digital Guardian
  • Endgame
  • ESET
  • FireEye HX
  • LimaCharlie
  • McAfee Endpoint Security
  • Microsoft Defender for Endpoint
  • Microsoft Sysmon
  • Palo Alto Networks Traps
  • SentinelOne DV
  • SentinelOne EDR
  • Symantec Endpoint Protection
  • Tanium
  • VMRay Analyzer

Email

  • Avanan Email Security
  • Barracuda Email

Encryption

  • Vormetric

Endpoint

  • McAfee ePolicy Orchestrator

File analyzer

  • Bro Files (JSON)

Firewall

  • Barracuda Web Application Firewall
  • Bro CONN (JSON)
  • Check Point (syslog)
  • Cisco ASA
  • Cisco Firepower
  • Cisco Umbrella Intelligent Proxy
  • Fortinet
  • Google Cloud Firewall logs
  • Imperva WAF
  • Juniper Networks SRX
  • Palo Alto Networks
  • SonicWall
  • Zscaler

Global

  • WhoisXML API

Honeypot

  • Thinkst Canary

Hypervisor

  • VMware ESXi JSON

Identity and Access Management (IAM)

  • ForgeRock OpenAM
  • Okta User Context
  • Preempt Auth

Identity Management (IDM) and Privileged Access Management (PAM)

  • Bomgar
  • CyberArk

Indicators of Compromise (IoC)

  • Anomali
  • COVID-19 Cyber Threat Coalition
  • CrowdStrike IOC
  • CSV Custom IOC
  • Department of Homeland Security (DHS)
  • Emerging Threats Pro
  • ESET IOC
  • Google SafeBrowsing
  • OSINT
  • Proofpoint ET Pro
  • Recorded Future
  • RH ISAC
  • ThreatConnect

Intrusion detection and intrusion prevention

  • AWS GuardDuty
  • Juniper Intrusion Prevention System (IPS)
  • Microsoft Advanced Threat Analytics (ATA)
  • Sourcefire
  • Snort
  • Suricata

Load balancer

  • Citrix Netscaler
  • F5 BigIP LTM

Log aggregation and SIEM

  • McAfee ESM
  • Wazuh

Mail

  • Gmail
  • Mimecast
  • Postfix Mail

Mail gateway

  • Microsoft Exchange
  • Proofpoint Mail
  • Proofpoint TAP

Mainframe

  • CA ACF2
  • IBM z/OS

Microsoft Windows miscellaneous

  • Microsoft Powershell

Mobile device management

  • Absolute Mobile Device Management

Network Access Control (NAC)

  • Forescout

Netflow

  • Cisco Stealthwatch
  • Google Cloud VPC Flow

Network Detection and Response (NDR)

  • Vectra Cognito Detect
  • Vectra Cognito Stream

Operating systems

  • ManageEngine ADAudit Plus
  • Microsoft Active Directory
  • Microsoft Windows
  • Nimble
  • Unix

Physical security

  • DMP Entre

Policy

  • AlgoSec Security Management

Privileged account monitoring

  • Beyond Trust (Bomgar)

Remote access

  • SecureLink

Router

  • Cisco

SAAS

  • Cloud Passage
  • Cloudflare
  • Google Workspace Audit
  • McAfee Web Protection

Server

  • Microsoft Internet Information Services (IIS)
  • Microsoft SQL Server

Single Sign-On (SSO)

  • OneLogin SSO

Switch

  • Cisco
  • CloudGenix SD-WAN

Traffic management

  • F5 Big-IP Local Traffic Manager (LTM)

Unified threat management

  • Cisco Meraki

VPN

  • Cisco VPN
  • F5 VPN
  • Pulse Connect Secure
  • Zscaler VPN

Vulnerability scanner

  • Qualys

Web Application Firewall (WAF)

  • Citrix Netscaler
  • F5 ASM
  • Imperva WAF

Web proxy

  • Blue Coat Proxy SG
  • Bro HTTP (JSON)
  • Cisco Umbrella
  • Forcepoint
  • McAfee Webproxy
  • McAfee Webproxy (MTC)
  • Netskope Web Proxy
  • Squid Webproxy
  • Trend Micro Web Proxy
  • Zscaler

Web server

  • Microsoft IIS

Wireless

  • Aruba Wireless
  • Cisco WLC (Wireless)
  • VMware AirWatch