Supported data sets

Chronicle can ingest raw logs from different companies, protocols, systems, and equipment. This document describes the currently supported data sets and is updated regularly.

To generate the most current list of supported ingestion labels, call the Ingestion API logtypes method; it returns the ingestion label for each supported log type, which is what the forwarder or ingestion API expects rather than the product names listed below:

# Replace [[My_ApiKey]] with your Ingestion API key. The key is sent as a query parameter,
# so it will appear in shell history and in any proxy or HTTP access log on the path.
APIKEY="[[My_ApiKey]]"; curl --header "Content-Type: application/json" \
  --request GET "https://malachiteingestion-pa.googleapis.com/v1/logtypes?key=${APIKEY}"
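The following is an added example, not Chronicle's own code. It makes the same logtypes call as the curl command, then checks the returned ingestion labels against the ones you plan to forward and looks up candidate labels for a product name from this page. Two things are assumptions, since the page does not state them: that the response body is JSON of the form {"logTypes": [{"logType": "...", "description": "..."}]}, and that the API key is read from a CHRONICLE_API_KEY environment variable. The sample response embedded in the block is constructed so the example runs offline.

```python
"""Added example (not Chronicle's own code): fetch /v1/logtypes and check the
ingestion labels you intend to forward against the supported list.

Assumptions (not stated on the page): the response is JSON shaped like
{"logTypes": [{"logType": "...", "description": "..."}]}, and the API key is
supplied via the CHRONICLE_API_KEY environment variable.
"""
import json
import os
import urllib.parse
import urllib.request

LOGTYPES_URL = "https://malachiteingestion-pa.googleapis.com/v1/logtypes"

# Constructed sample response so the example runs without network access.
SAMPLE_RESPONSE = json.dumps({"logTypes": [
    {"logType": "BIND_DNS", "description": "BIND"},
    {"logType": "WINEVTLOG", "description": "Windows Event"},
    {"logType": "OKTA", "description": "Okta"},
    {"logType": "OKTA_USER_CONTEXT", "description": "Okta User Context"},
]})


def fetch_logtypes(api_key, opener=urllib.request.urlopen):
    """GET /v1/logtypes the same way the documented curl call does.

    The key travels in the query string, so it lands in shell history, proxy
    logs and HTTP access logs; read it from the environment rather than typing
    it on the command line.  `opener` is injectable so tests can run offline.
    """
    url = LOGTYPES_URL + "?" + urllib.parse.urlencode({"key": api_key})
    req = urllib.request.Request(url, headers={"Content-Type": "application/json"})
    with opener(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


def parse_logtypes(body):
    """Return {ingestion_label: description} from a logtypes response body."""
    data = json.loads(body)
    labels = {}
    for entry in data.get("logTypes", []):
        label = entry.get("logType")
        if not label:
            continue  # skip malformed entries instead of failing the whole list
        labels[label] = entry.get("description", "")
    return labels


def find_labels(labels, product_name):
    """Map a product name from this page (e.g. 'Okta') to candidate labels.

    The page lists product names, not labels, so match case-insensitively
    against both the label and its description.
    """
    needle = product_name.casefold()
    return sorted(label for label, desc in labels.items()
                  if needle in label.casefold() or needle in desc.casefold())


def check_required(labels, required):
    """Split the labels you plan to forward into supported and missing."""
    wanted = set(required)
    known = set(labels)
    return {"supported": sorted(wanted & known), "missing": sorted(wanted - known)}


if __name__ == "__main__":
    key = os.environ.get("CHRONICLE_API_KEY")
    body = fetch_logtypes(key) if key else SAMPLE_RESPONSE
    labels = parse_logtypes(body)
    print(f"{len(labels)} supported log types")
    print("Okta ->", find_labels(labels, "okta"))
    result = check_required(labels, ["BIND_DNS", "WINEVTLOG", "SQUID_WEBPROXY"])
    for label in result["missing"]:
        print(f"NOT SUPPORTED: {label}")  # resolve before wiring up a forwarder
```

Run it with CHRONICLE_API_KEY set to query the live endpoint; without the variable it evaluates the constructed sample, which is enough to see the supported/missing split and the product-name lookup. Treat a label in "missing" as a blocker for that feed until the logtypes output (not this page) confirms it.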

For information about how data is ingested and normalized, see Data ingestion to Chronicle overview.

For a list of supported default parsers, see Supported default parsers.

Alert logs

  • Active Countermeasures
  • AlphaSOC
  • CIS Albert Alerts
  • CrowdStrike Falcon Stream
  • Customer Alerts
  • Cylance Protect
  • FireEye
  • IBM zSecure Alert
  • Microsoft Graph API Alerts
  • Microsoft Security Center
  • Netskope

Application server logs

  • Apache Tomcat

Application Whitelisting

  • Windows Applocker

Authentication logs

  • Auth0
  • Authx
  • Barracuda CloudGen Access
  • CA LDAP
  • Cisco ACS
  • Cisco TACACS+
  • Cyolo Zero Trust
  • Duo Auth
  • Duo Network Gateway
  • FreeRADIUS
  • IBM Security Verify
  • Quest Active Directory
  • RSA RADIUS
  • Thales MFA
  • Yubico OTP

Automation and DevOps Tools

  • Ansible AWX
  • Automation Anywhere
  • GitHub
  • Gitlab
  • Jenkins

AV and endpoint logs

  • Apple MacOS
  • Automox
  • Azure ATP
  • Bitdefender
  • Cisco AMP
  • ClamAV
  • Comodo
  • Dell OpenManage
  • ESET AV
  • FireEye HX
  • Fortinet FortiSandbox
  • Kaspersky AV
  • Microsoft System Center Endpoint Protection
  • Minerva AV
  • Sophos AV
  • Superna Eyeglass
  • Symantec Endpoint Protection
  • Trend Micro AV
  • Windows Defender ATP
  • Windows Defender AV

AWS-specific logs

  • AWS CloudFront
  • AWS Cloudtrail
  • AWS CloudWatch
  • AWS Config
  • AWS Elastic Load Balancer
  • AWS Key Management Service
  • AWS Macie
  • AWS Redshift
  • AWS S3 Server Access
  • AWS Security Hub
  • AWS Session Manager

Backup software

  • Code42 CrashPlan
  • Cohesity
  • CommVault
  • Rubrik
  • Veeam

Bot Protection

  • Cequence Bot Defense
  • Cloudflare Bot Management
  • F5 Bot
  • PerimeterX Bot Protection

CASB

  • Cisco CloudLock
  • Duo Access Gateway
  • McAfee MVISION CASB
  • McAfee Skyhigh CASB
  • Microsoft CASB
  • Palo Alto Prisma Access
  • Palo Alto Prisma Cloud
  • Proofpoint CASB
  • Symantec CloudSOC CASB

CMDB logs

  • CSV Custom CMDB
  • JAMF CMDB
  • Medigate CMDB
  • ServiceNow CMDB
  • Windows Network Policy Server

Collaboration logs

  • Appian Cloud
  • Atlassian Confluence
  • Box
  • Design Profit Central Server
  • Dropbox
  • iManage Cloud Platform
  • Kibana audit logs
  • Mango Apps
  • Microsoft SharePoint
  • Puppet
  • Slack Audit

Content Management Software

  • OnBase CMS
  • WordPress

Data Security

  • Datadog
  • DataLocker SafeConsole
  • Dell EMC Data Domain
  • Fortanix Data Security Manager
  • Imperva Database
  • Rubrik Polaris
  • Thales Vormetric
  • Varonis

Data Transfer

  • FileZilla
  • Globalscape SFTP
  • IBM MQ File Transfer
  • Ipswitch MOVEit Automation
  • Ipswitch MOVEit Transfer
  • Ipswitch SFTP
  • Nasuni File Services Platform
  • SolarWinds Serv-U
  • VanDyke SFTP
  • VSFTPD Audit

Database logs

  • Azure Cosmos DB
  • Azure SQL
  • IBM DB2
  • IBM Informix
  • IBM JDE
  • Maria Database
  • Microsoft SQL Server
  • Mongo Database
  • MySQL
  • Oracle
  • SAP HANA
  • SAP Insurance
  • Snowflake

DDI logs (DNS, DHCP, IPAM)

  • Bluecat DDI
  • EfficientIP DDI

DDoS Mitigation

  • Akamai Prolexic

Deception software

  • Acalvio
  • Estar

DHCP logs

  • Akamai DHCP
  • Cisco DHCP
  • ExtraHop DHCP
  • Fortinet
  • Infoblox DHCP
  • ISC DHCP
  • Kea DHCP
  • Linux DHCP
  • Sophos DHCP
  • Static IP
  • Windows DHCP
  • Zeek DHCP

DLP

  • Accellion
  • Code42 Incydr
  • CoSoSys Protector
  • F5 Shape
  • Forcepoint DLP
  • IBM Guardium
  • McAfee DLP
  • Preveil Enterprise
  • Proofpoint Observeit
  • Protegrity Defiance
  • Symantec DLP
  • Tripwire

DNS logs

  • Akamai DNS
  • AWS Route 53 DNS
  • BIND
  • Bluecat Edge DNS Resolver
  • Cisco DNS
  • Cisco Umbrella DNS
  • ExtraHop DNS
  • F5 DNS
  • Infoblox DNS
  • Infoblox RPZ
  • Men and Mice DNS
  • Passive DNS
  • Power DNS
  • Splunk DNS
  • UltraDNS
  • Unbound DNS
  • Windows DNS

EDR logs

  • Carbon Black
  • Carbon Black App Control
  • Check Point Sandblast
  • CrowdStrike Falcon
  • CrowdStrike Falcon CEF
  • Cybereason EDR
  • Deep Instinct EDR
  • Digital Guardian
  • eCAR
  • eCAR Bro
  • EclecticIQ EDR
  • Endgame
  • ESET
  • Fidelis Endpoint
  • Fortinet FortiEDR
  • JAMF Protect
  • LimaCharlie
  • Malwarebytes
  • McAfee MVISION EDR
  • Microsoft Defender for Endpoint
  • OSQuery
  • Palo Alto Networks Traps
  • Rapid7 Insight
  • Red Canary
  • SentinelOne Deep Visibility
  • SentinelOne EDR
  • Sophos Capsule8
  • Sophos Intercept EDR
  • Symantec EDR
  • Sysdig
  • TrendMicro EDR
  • Uptycs EDR
  • VMRay Analyzer
  • White Cloud
  • Windows Event
  • Windows Sysmon

Email server logs

  • Abnormal Security
  • Apache SpamAssassin
  • Area1 Security
  • Avanan Email Security
  • Barracuda Email
  • Check Point Email
  • Cisco Email Security
  • Cofense
  • Cofense Vision
  • Fireeye eMPS
  • Fireeye ETP
  • GMAIL Logs
  • GreatHorn Email Security
  • KnowBe4 PhishER
  • MailScanner
  • Material Security
  • Microsoft Exchange
  • Mimecast
  • PostFix Mail
  • Proofpoint Email Filter
  • Proofpoint On Demand
  • Proofpoint Tap Alerts
  • Proofpoint Threat Response
  • Proofpoint Web Browser Isolation
  • Sendmail
  • Symantec Messaging Gateway
  • Symantec VIP Gateway
  • Trend Micro Cloud App Security
  • Voltage

Financial Services logs

  • D3 Banking
  • GMV Checker ATM Security
  • GMV Checker User Context
  • Swift Alliance Messaging Hub

Firewall logs

  • Azure Firewall
  • Check Point
  • Cisco ASA
  • Cisco Firepower NGFW
  • Cisco Umbrella Cloud Firewall
  • Cisco Umbrella IP
  • FireMon Firewall
  • Forcepoint NGFW
  • FortiGate
  • Juniper
  • Netfilter IPtables
  • Palo Alto Networks Firewall
  • Radware Web Application Firewall
  • Silver Peak Firewall
  • SonicWall
  • Sophos Firewall (Next Gen)
  • Sophos UTM
  • Windows Firewall
  • ZScaler NGFW

Format specific logs

  • BT IPControl
  • Cisco Meraki
  • Cisco WSA
  • Cylance
  • Infoblox
  • Kubernetes audit logs
  • Kubernetes auth proxy logs
  • Zeek JSON
  • Zeek TSV

GCP-specific logs

  • Forseti Open Source
  • GCP Apigee
  • GCP Cloud Identity Device Users
  • GCP Cloud IOT
  • GCP Cloud NAT
  • GCP Cloud Run
  • GCP Cloud SQL
  • GCP Compute
  • GCP DNS
  • GCP Firewall Rules
  • GCP Load Balancing
  • GCP Threat Detection
  • Workspace Activities
  • Workspace Alerts
  • Workspace ChromeOS Devices
  • Workspace Groups
  • Workspace Mobile Devices
  • Workspace Privileges
  • Workspace Users

Hardware Security Modules

  • Futurex HSM
  • Thales Luna Hardware Security Module

Healthcare

  • EPIC Systems
  • Oscar Claims

Honeypots

  • Attivo Networks
  • Guardicore Centra
  • Honeyd
  • Thinkst Canary

HTTP logs

  • Zeek HTTP

Hypervisor and Application Virtualization

  • Cameyo Bring Your Own Cloud
  • Docker
  • VMware ESXi
  • VMware HCX
  • VMware Horizon
  • VMware NSX
  • VMware Tanzu Kubernetes Grid
  • VMware vCenter
  • VMware vRealize Suite
  • VMware vShield
  • VMware Workspace ONE

IaaS Applications

  • Aqua Security
  • AT&T Netbond
  • GlusterFS

Identity and Access Management

  • Avatier Password Management
  • AWS Control Tower
  • Cisco ISE
  • CloudM
  • Duo Administrator Logs
  • Duo Telephony Logs
  • Google Cloud Identity Context
  • HP Aruba(Clearpass)

IDS/IPS logs

  • Amazon Guardduty
  • Aruba IPS
  • Cisco Wireless IPS
  • Cloud Passage (LIDS)
  • Deepfence Network Monitoring
  • Falco IDS
  • Juniper IPS
  • Lacework Cloud Security
  • LookingGlass Aenoik IDPS
  • McAfee IPS
  • Microsoft ATA
  • Orca Cloud Security Platform
  • OSSEC
  • Snort
  • Sourcefire
  • Suricata EVE
  • Suricata IDS
  • Trend Micro

IoC logs

  • Anomali
  • Centripetal Networks IOC
  • COVID-19 Cyber Threat Coalition
  • Crowdstrike IOC
  • CSV Custom IOC
  • Department of Homeland Security
  • Digital Shadows Indicators
  • Digital Shadows SearchLight
  • Emerging Threats Pro
  • ESET Threat Intelligence
  • Looking Glass
  • MISP Threat Intelligence
  • Open Source Intelligence
  • PAN Autofocus
  • Recorded Future
  • RH-ISAC
  • ThreatConnect

IoT

  • Medigate IoT
  • Ordr IoT

IT infrastructure

  • HPE ILO
  • Nutanix Frame
  • Nutanix Prism

K8s cluster audit logs only

  • Kubernetes Node logs
  • McAfee ePolicy Orchestrator
  • Nokia VitalQIP
  • pfSense
  • Red Hat OpenShift
  • WatchGuard
  • Windows Event (XML)

LDAP software

  • ForgeRock OpenDJ
  • JumpCloud Directory as a Service
  • Open LDAP
  • Red Hat Directory Server LDAP
  • Semperis ADFR
  • Semperis DSP

Load balancers, traffic shapers, and ADC logs

  • Akamai Cloud Monitor
  • Allot NetEnforcer
  • Brocade ServerIron ADX
  • Cisco Application Control Engine
  • Citrix Netscaler
  • F5 BIGIP LTM
  • HaProxy LoadBalancer
  • Infoblox Loadbalancer
  • Kemp Load Balancer
  • Peplink Loadbalancer
  • VMware Avi Vantage Platform

Log Aggregation and SIEM Systems

  • Arcsight CEF
  • Cisco FireSIGHT Management Center
  • Clearsense Healthcare Analytics
  • Confluent Audit
  • Custom Security Data Analytics
  • Dynatrace
  • Elastic Audit Beats
  • Elastic File Beats
  • Elastic Metric Beats
  • Elastic Packet Beats
  • Elastic Search
  • Elastic Windows Event Log Beats
  • Exabeam Fusion XDR
  • Fluentd Logs
  • McAfee Enterprise Security Manager
  • Microsoft Sentinel
  • NCR Digital Insight Global Logging
  • NXLog Manager
  • Snare System Diagnostic Logs
  • Splunk Platform
  • Wazuh
  • ZeroFox Platform

Mainframe logs

  • BMC AMI Defender
  • CA ACF2
  • IBM AS/400
  • IBM z/OS

Miscellaneous Windows-specific logs

  • Azure AD
  • Azure AD Directory Audit
  • Azure AD Organizational Context
  • ManageEngine ADAudit Plus
  • ManageEngine ADManager Plus
  • ManageEngine ADSelfService Plus
  • Microsoft AD
  • Microsoft AD FS
  • Microsoft Powershell

Mobile Device Management

  • Absolute Mobile Device Management
  • Microsoft ActiveSync
  • Microsoft Intune
  • Mobileiron

NAC logs

  • Forescout NAC
  • Fortinet FortiNAC
  • SafeConnect NAC

NDR logs

  • Bricata NDR
  • Cato Networks
  • Corelight
  • Darktrace
  • ExtraHop RevealX
  • Fidelis Network
  • FireEye NX
  • Gigamon
  • Netscout
  • Palo Alto Cortex XDR
  • Plixer Scrutinizer
  • Vectra Detect
  • Vectra Stream
  • Verizon Network Detection and Response

Netflow logs

  • Cisco Stealthwatch

Network infrastructure

  • APC Smart-UPS
  • APC StruxureWare Portal
  • Eaton UPS

Network Management and Optimization software

  • Axonius Cybersecurity Asset Management
  • Cisco Prime
  • Cradlepoint NetCloud
  • Entrust NTP Server
  • HCL BigFix
  • Infoblox NetMRI
  • Kaseya IT Management
  • MicroSemi NTP
  • NetDisco
  • Riverbed Steelhead
  • Western Telematic Inc Console Servers

Network Monitoring

  • Nagios Infrastructure Monitoring

Nucleus Security Unified Vulnerability Management

  • Nucleus Asset Metadata
  • Nucleus Unified Vulnerability Management
  • Nucleus Vulnerability Scan Delta

OS Logs

  • Cisco Internetwork Operating System
  • Cisco NX-OS
  • Cisco UCS
  • Juniper Junos
  • Linux Auditing System (AuditD)
  • NIMBLE OS
  • Plaso Super Timeline
  • Red Canary Cloud Protection
  • TGDetect

IdP

  • 1Password
  • Duo Entity context data
  • Duo User Context
  • ForgeRock OpenAM
  • FreeIPA
  • IBM DataPower Gateway
  • IBM Tivoli
  • Imprivata Confirm ID
  • Imprivata Identity Governance
  • Imprivata OneSign
  • Keeper Enterprise Security
  • LastPass Password Management
  • Liaison NuBridges Platform
  • ManageEngine AD360
  • ManageEngine Password Manager Pro
  • Microsoft Defender for Identity
  • NCR Digital Insight FSG
  • Okta
  • Okta Access Gateway
  • Okta RADIUS
  • Okta User Context
  • Ping Identity
  • Preempt Alert
  • Preempt Auth
  • ProofID
  • Red Hat Identity Management
  • Red Hat Keycloak
  • RSA
  • SailPoint IAM
  • Shibboleth IDP
  • Silverfort Authentication Platform
  • Thycotic
  • Thycotic devops secret vault
  • Venafi

Packet Capture

  • Arkime Packet Capture

Physical Security logs

  • BRIVO
  • Datawatch
  • DMP
  • Honeywell Pro-Watch
  • Kisi Access Management
  • Lenel Onguard Badge Management
  • LSI Badge Management System
  • Matrix Frontier Badge Management
  • Openpath
  • Siemens SiPass
  • Thales Digital Identity and Security

Policy Management

  • AlgoSec Security Management
  • Cisco Content Security Management Appliance
  • Cloud Passage (CSM)
  • Cloud Passage (FIM)
  • Secberus Cloud Security Governance

Printer logs

  • HP Printer logs
  • Lexmark Printer logs

Privileged Account Activity

  • BeyondTrust
  • BeyondTrust BeyondInsight
  • BeyondTrust Cloud Privilege Broker
  • BeyondTrust Endpoint Privilege Management
  • CA Access Control
  • CyberArk
  • Hashicorp Vault
  • Hitachi PAM
  • One Identity Active Role Service
  • One Identity Change Auditor
  • One Identity Defender
  • One Identity TPAM
  • OneIdentity Balabit
  • Remediant SecureONE
  • SpyCloud

Remote Access Tools

  • Check Point Harmony
  • Citrix Storefront
  • Dell iDRAC
  • Opengear Remote Management
  • OpenSSH
  • SecureLink
  • TeamViewer

SaaS Applications

  • AppOmni
  • Aptos Enterprise Order Management
  • Archer Integrated Risk Management
  • Armor Anywhere
  • Azure Security Center
  • Cloud Passage
  • Cloudflare
  • Code Worldwide
  • CWT SatoTravel
  • ETQ Reliance
  • IBM MaaS360
  • Kyriba Treasury Management
  • Logic Monitor
  • ManageEngine Reporter Plus
  • McAfee Unified Cloud Edge
  • McAfee Web Protection
  • Microsoft Azure
  • Microsoft Azure Activity
  • Microsoft Azure Resource
  • NCC Scout Suite
  • Obsidian
  • Office 365
  • OpenText Fax2Mail
  • Oracle Cloud Infrastructure
  • PeopleSoft
  • Pivotal
  • Salesforce
  • Salesforce Context
  • ServiceNow Audit
  • ServiceNow Roles
  • ServiceNow Security
  • Snipe-IT
  • Sophos Central
  • Symantec Event export
  • Workday
  • Workday Audit Logs
  • WP Engine

Sandbox Technologies

  • Authentic8 Silo
  • File Scanning Framework
  • Symantec Web Isolation

Search Engine

  • shodan.io

Service Bus

  • IBM CICS
  • Mulesoft

SOAR Tools

  • D3 Security
  • Splunk Phantom
  • Swimlane Platform

Software-defined Networking (SDN)

  • Cisco APIC
  • Cisco Application Centric Infrastructure

SSL Handshake type

  • SSL pcap

SSO logs

  • Centrify
  • Citrix Workspace
  • Layer7 SiteMinder
  • OneLogin
  • OneLogin User Context
  • SecureAuth
  • SiteMinder Web Access Management

STIX providers

  • Fox-IT

Storage solutions

  • Cloudian hyperstore
  • Dell EMC Avamar
  • Dell EMC Cloudlink
  • Dell EMC Isilon NAS
  • Dremio Data Lakehouse
  • IBM Spectrum Protect
  • NetApp SAN
  • Pure Storage

Switches and Routers logs

  • Arista Switch
  • Big Switch BigCloudFabric
  • Brocade Switch
  • CATO SD-WAN
  • Cisco Router
  • Cisco Switch
  • Citrix SD-WAN
  • CloudGenix SD-WAN
  • Dell Switch
  • Extreme Networks Switch
  • HP Procurve Switch
  • IBM Switch
  • Juniper MX Router
  • Peplink Router
  • Peplink Switch
  • Ubiquiti UniFi Switch
  • Unifi AP
  • Unifi Switch

TANIUM Logs

  • Tanium Asset
  • Tanium Audit
  • Tanium Comply
  • Tanium Deploy
  • Tanium Discover
  • Tanium Insight
  • Tanium Integrity Monitor
  • Tanium Patch
  • Tanium Question
  • Tanium Reveal
  • Tanium Stream
  • Tanium Threat Response

TASK Based Access Management

  • Armis
  • Stealthbits Audit
  • Stealthbits Defend

Telephone software

  • Cisco CTS
  • Cisco UCM
  • Kamailio
  • Ribbon Analytics Platform
  • Ribbon Session Border Controller
  • Ring Central
  • Zoom Operation Logs

Ticketing Applications

  • Atlassian Jira

Unified Data Model

  • UDM

Unix specific logs

  • AIX system
  • cmd.com
  • Solaris system
  • Unix system

VPN logs

  • Array Networks SSL VPN
  • Cisco VPN
  • F5 VPN
  • Fortinet FortiClient
  • Microsoft SSTP VPN
  • Netmotion
  • OpenVPN
  • Palo Alto Networks Global Protect
  • Pulse Secure
  • Strong Swan VPN
  • ZScaler VPN

Vulnerability scanners

  • Arxan Threat Analytics
  • Cisco Secure Malware Analytics
  • Cloud Passage (SVM)
  • Digital Defense Frontline VM
  • Qualys Continuous Monitoring
  • Qualys VM
  • Rapid7
  • RedHat StackRox
  • RiskIQ Digital Footprint
  • SonarQube
  • Tenable Security Center
  • tenable.io
  • VirusTotal Threat Hunter
  • wiz.io

WAF

  • Akamai WAF
  • AWS WAF
  • Barracuda
  • Cloudflare WAF
  • F5 ASM
  • Fastly WAF
  • Imperva
  • Imperva SecureSphere Management
  • Signal Sciences WAF
  • Vmware Avinetworks iWAF

Web Proxy logs

  • Akamai Enterprise Threat Protector
  • Blue Coat Proxy
  • Cisco Umbrella Web Proxy
  • Citrix Netscaler Web Logs
  • Citrix Web Gateway
  • Forcepoint Proxy
  • Fortinet Proxy
  • iBoss Proxy
  • McAfee Web Gateway
  • Menlo Security
  • Mimecast Web Security
  • Netskope Web Proxy
  • Squid Web Proxy
  • Symantec Web Security Service
  • TrendMicro Web Proxy
  • Zscaler

Web server logs

  • Apache
  • Apache Cassandra
  • Apache Hadoop
  • Apache Kafka Audit
  • HAProxy
  • IBM Websphere Application Server
  • Kong API Gateway
  • Microsoft IIS
  • NGINX

Wireless logs

  • Aruba
  • Aruba Airwave
  • Avaya Wireless
  • Cisco WLC/WCS
  • Extreme Networks AirDefense
  • Ruckus Networks
  • VMware AirWatch
  • Domain Tools Phisheye
  • Stream Alert
  • ZScaler DNS