Google Chronicle normalizes, indexes, correlates, and analyzes the data to provide instant analysis and context on risky activity.
Crest Data Systems helped Google adopt the Chronicle GOLD parser approach, standardizing data onboarding across all log sources and the parsing methods used for massive volumes of data.
Google is considered one of the Big Five companies in the information technology industry and specializes in Internet-related services and products. Chronicle is a cybersecurity telemetry platform for threat hunting and threat intelligence, and is part of Google Cloud Platform.
Logs ingested to Chronicle are normalized to Chronicle’s UDM (Unified Data Model) format by in-built parsers.
Google faced challenges with the in-built parsers having a low parsing rate, because not every event type was supported for every log source. In addition, the existing CBN parsers were customer-specific: multiple versions of a parser were built for different customers, which increased the maintenance effort for Chronicle partners.
Hence, there was a need to develop a GOLD parser that covers such log sources in both breadth and depth: a high level of coverage is required both for the types of events a log source produces and for the fields present in each of them.
The goal is to develop a parser that captures the maximum amount of information from the raw logs of the different data sources ingested by Chronicle partners and maps it to UDM, so that Chronicle's further use cases, e.g. rules and threat detection, can be used to their full extent.
Crest Data Systems built various GOLD parsers for different types of log sources such as Windows, Zeek, PAN, Cisco, Office 365, and more, which are used by Chronicle partners and customers.
The following are the key steps:
Crest Data Systems was actively involved at every stage of the product release life cycle and rolled out various high-quality GOLD parsers to meet the requirements.
The following is an example of a raw log ingested from the Windows Sysmon log source and its corresponding normalized UDM event, as extracted by the GOLD parser:
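To make the breadth and depth notions above concrete, here is an added illustration written for this page; it is not the GOLD parser, not Chronicle's CBN syntax, and not the page's own Sysmon example. It takes constructed Sysmon-style lines (a flattened key=value rendering, assumed for the demo), maps the event IDs it knows to UDM-shaped output using Chronicle's public UDM field naming (the particular field-to-path choices are my own), and reports two coverage numbers a parser reviewer cares about: breadth (share of events that received a specific event type rather than GENERIC_EVENT) and depth (share of raw fields that landed in a UDM field). Event ID 22 is deliberately left unmapped to show how a coverage gap surfaces.

```python
import re
from collections import Counter

# Constructed Sysmon-style lines (assumption: flattened key=value rendering, not a real capture).
SAMPLE_LOGS = [
    'EventID=1 UtcTime="2024-01-10 09:15:02.117" Computer=WS01 User=CORP\\alice '
    'ProcessId=4712 Image=C:\\Windows\\System32\\cmd.exe CommandLine="cmd.exe /c dir" '
    'ParentProcessId=1200 ParentImage=C:\\Windows\\explorer.exe',
    'EventID=3 UtcTime="2024-01-10 09:15:03.500" Computer=WS01 User=CORP\\alice '
    'ProcessId=4712 Image=C:\\Windows\\System32\\cmd.exe Protocol=tcp '
    'SourceIp=10.1.2.3 SourcePort=50231 DestinationIp=10.0.0.5 DestinationPort=443',
    'EventID=11 UtcTime="2024-01-10 09:15:04.002" Computer=WS01 User=CORP\\alice '
    'ProcessId=4712 Image=C:\\Windows\\System32\\cmd.exe TargetFilename=C:\\Users\\alice\\out.txt',
    # Event ID 22 (DNS query) is intentionally not in EVENT_MAPS: it shows up as a coverage gap.
    'EventID=22 UtcTime="2024-01-10 09:15:05.010" Computer=WS01 ProcessId=4712 '
    'Image=C:\\Windows\\System32\\cmd.exe QueryName=example.com',
]

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_kv(line):
    """Split a flattened key=value line into a dict; quoted values may contain spaces."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in KV_RE.finditer(line)}

# Raw field -> dotted UDM path. Fields shared by every event ID:
COMMON = {
    "UtcTime": "metadata.event_timestamp",
    "Computer": "principal.hostname",
    "User": "principal.user.userid",
}
# Per event ID: the acting process is the principal, the thing acted upon is the target.
EVENT_MAPS = {
    "1": ("PROCESS_LAUNCH", {
        "ParentProcessId": "principal.process.pid",
        "ParentImage": "principal.process.file.full_path",
        "ProcessId": "target.process.pid",
        "Image": "target.process.file.full_path",
        "CommandLine": "target.process.command_line",
    }),
    "3": ("NETWORK_CONNECTION", {
        "ProcessId": "principal.process.pid",
        "Image": "principal.process.file.full_path",
        "SourceIp": "principal.ip",
        "SourcePort": "principal.port",
        "DestinationIp": "target.ip",
        "DestinationPort": "target.port",
        "Protocol": "network.ip_protocol",
    }),
    "11": ("FILE_CREATION", {
        "ProcessId": "principal.process.pid",
        "Image": "principal.process.file.full_path",
        "TargetFilename": "target.file.full_path",
    }),
}

def set_path(event, dotted, value):
    """Write value at a dotted path, creating nested dicts as needed."""
    node = event
    parts = dotted.split(".")
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value

def normalize(line):
    """Return (udm_event, unmapped_raw_fields). Unknown Event IDs fall back to GENERIC_EVENT."""
    raw = parse_kv(line)
    event_id = raw.get("EventID", "")
    event_type, specific = EVENT_MAPS.get(event_id, ("GENERIC_EVENT", {}))
    mapping = {**COMMON, **specific}
    udm = {"metadata": {"vendor_name": "Microsoft", "product_name": "Sysmon",
                        "product_event_type": event_id, "event_type": event_type}}
    unmapped = []
    for key, value in raw.items():
        if key == "EventID":
            continue  # already recorded in metadata.product_event_type
        if key not in mapping:
            unmapped.append(key)  # depth gap: raw data the parser drops
            continue
        if key == "Protocol":
            value = value.upper()
        if key in ("SourcePort", "DestinationPort"):
            value = int(value)
        set_path(udm, mapping[key], value)
    return udm, unmapped

def coverage_report(lines):
    """Breadth = share of events with a specific type; depth = share of raw fields mapped."""
    events = typed = total_fields = mapped_fields = 0
    by_type = Counter()
    for line in lines:
        udm, unmapped = normalize(line)
        events += 1
        raw_count = len(parse_kv(line)) - 1  # exclude EventID itself
        total_fields += raw_count
        mapped_fields += raw_count - len(unmapped)
        event_type = udm["metadata"]["event_type"]
        by_type[event_type] += 1
        if event_type != "GENERIC_EVENT":
            typed += 1
    return {"events": events, "breadth": typed / events,
            "depth": mapped_fields / total_fields, "by_type": dict(by_type)}

if __name__ == "__main__":
    print(coverage_report(SAMPLE_LOGS))
```

On these four constructed lines the report gives a breadth of 0.75 (three of four event IDs typed) and a depth of 26/29 (three raw fields from the DNS event dropped). Tracking both numbers per log source over a representative sample is the quickest way to see where a parser still needs breadth (missing event IDs) versus depth (fields present in the raw log but absent from the UDM event).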