Parsers normalize the raw log data that received from the different sources and convert the data into Unified Data Model format (UDM). A set default parsers is supported by Chronicle as long as the device's raw logs are received in the required format. Chronicle enable parsers to maintain versions if there any changes done.
Chronicle normalizes the raw log data by following the UDM data model. Data representation varies depending on the different vendors. For example, in Palo-Alto and in Fortigate firewalls, data field is represented as 'close' and 'allow' respectively. Parser normalizes these data fields to a UDM format - "ALLOW".
The following are the different formats that are normalized by the Parsers.
- CSV: Comma Separated Values
- JSON: JavaScript Object Notation
- SYSLOG: syslog formatted message
- KV: key-value pair
- XML: Extensible Markup Language
- SYSLOG + KV: syslog header with key-value body
- SYSLOG + JSON: syslog header with key-value body
- SYSLOG + XML: syslog header with XML body
- LEEF: Log Event Extended Format
- CEF: Common Event Format
Resolution Intelligence Cloud supports these Parsers in order to parse the log data.
Configuring Parsers
User Permissions Required: A Creator from these categories such as Domain, Organization, and Tenant can configure parsers.
Note: When a new tenant is onboarding, the default parsers are sent in the reviewed state, but for domain and organization, they are sent in the published state.
To configure a Parser,
- Login to Rule Management UI and navigate to the Parsers page.
- Click+ Add Parser in the top right corner.
A New Parser editable page appears on the screen. - Select Log Type from the dropdown menu.
- Click Load Default Config in the top right corner.
- Log Format is filled automatically based on the Log Type that you selected.
- Add sample file in the Log Sample File field.
- Company is a default field that is filled automatically based on the type of user that logged on.
- Click Save in the top right corner.
It will be saved as a Draft and verified automatically. - After saving as draft, select Send for Review in the top right corner.
The Parser goes to the Publisher for review.
Publishing Parsers
User Permissions Required: A Publisher from these categories such as Domain, Organization, and Tenant can publish parsers.
To publish a Parser,
- Login to Rule management UI and navigate to Parsers listing page.
- In the Parsers listing page, click on the Parser that tagged as Under Review.
- Verify the Parser and click Actions in the top right corner of screen.
- From the dropdown list, click Approve if the Parser is appropriate. The Parser will be moved to Reviewed state once it is approved. Click Reject, if the Parser is not correct. The parser will be sent back to the Creator for changes and moved to the Draft state
- After approving a parser, Publish option is enabled in the top right corner of screen.
- Click Publish. A Parser will be published successfully.
Knowing the status of a published Parser
Once the parser is published, it goes to the review state at Chronicle end. Google Chronicle may reject or accept based on the details provided in your Parser.
Note: Tenants can directly know status of parsers they published. Domain and Organization users have to select their tenants from the dropdown list first, and then know the status of their respective tenant's parsers.
To know the status of your parser,
- From the Parsers listing UI, open your published parser.
- Click Get Status at the top right corner of your screen. A pop up appears on the screen with ACCEPT or REJECT message.
Finding Parsers
The free text search filters Parsers by text in the Parser Name and/or Log Type. There is no Search button.
Filtering Parsers
The parsers can be filtered using the following entities such as:
| Filter | Description |
|---|---|
|
Tags |
Keywords that are added to a parser. This includes tactics, techniques, malwares etc.info associated to a parser |
|
Company |
An organization that the user belongs to |
|
Assigned To |
The user who assigned to a parser |
|
Comments |
Notes added by the users |
|
Created On |
The Date and Time on which the parser is created for the first time |
|
Created By |
The user who creates the parser |
|
Log Type |
A name of a device that sends log |
|
Log Format |
Format of a log that a device sends (JSON, |
|
Company Level |
The level of an organization that the parser is filtered (Tenant - 3, Organization - 2 etc) |
|
Parser Status |
Current state of a parser (Draft/under review/reviewed/publishing/ published) |
|
Last Updated By |
The user who updated a parser recently. |
|
Last Updated On |
The time at which the last update is done to a parser |
|
Last Updated (By Source) |
Name of source on which the parser is filtered. A list of sources is shown in the filter. |
|
Last Updated (By Platform) |
Name of platform on which the parser is filtered. A list of platforms is shown in the filter. |
You can add multiple filters and click Apply to filter your chosen entities.
You may remove specific filters by clicking and then clicking the X to the right of the filter. To reset the Parsers page to its default filters, click Filter --> Clear Filters.
Sorting Parsers
The parsers feed lists all parsers (Published, Publishing and Draft) in the listing page after creating or publishing them. You can sort the parsers based on the following list of options.
| Item |
Description |
|---|---|
|
Last Modified On |
Date and Time of last change done to a parser |
|
Log Type |
A type of log file that is fed into the parser |
|
Name |
A name that is given to a parser |
|
Most Used |
Highly used parser |
|
Created On |
Date and Time when a parser is created first time |
To rearrange parsers in descending or ascending order, click or
For viewing left side menu, click three dots at the top right corner of screen and select Toggle Sidebar.
For sharing a URL, click three dots at the top right corner of screen and select Share URL.
Comments
0 comments
Please sign in to leave a comment.