Crest Data Systems Logo
Contact Us

Google Chronicle GOLD Parser

Crest Data Systems helped Google to adopt Chronicle GOLD parser to standardize data onboarding for all log sources and the parsing approaches for massive amounts of data.

  1. Home
  2. Case Studies
  3. Google Chronicle GOLD Parser​

Executive Summary

Google Chronicle normalizes, indexes, correlates, and analyzes the data to provide instant analysis and context on risky activity.

Crest Data Systems helped Google to adopt Chronicle GOLD parser to standardize data onboarding for all log sources and the parsing approaches for massive amounts of data.

About Customer

Google is considered one of the Big Five companies in the information technology industry that specializes in Internet-related services and products. Chronicle is a cybersecurity telemetry platform for threat hunting, threat intelligence and is part of Google Cloud Platform.

  • Chronicle ingest numerous security telemetry types through a variety of methods.
  • Chronicle gives analysts a way, when they see a potential threat, to determine what it is, what it’s doing, whether it matters, and how best to respond.
Google Chronicle

Business Challenge

Logs ingested to Chronicle are normalized to Chronicle’s UDM (Unified Data Model) format by in-built parsers.

Google faced challenges with in-built parsers having a low parsing rate because not every event type was supported for all the log sources. Also current CBN parsers were customer specific and multiple versions of parser built for different customers and leading to more maintenance efforts for Chronicle partners.

Hence, there was a need to develop a GOLD parser which covers such log sources in both breadth and depth. This means, both a high level of coverage is required for the types of events a log source produces and also the fields present in them.

The goal is to develop a parser which captures maximum amount of information and map it to UDM from the raw logs of different data sources ingested by Chronicle partners so that further use cases of Chronicle are utilized to its maximum, for eg. rules and threat detection.

Customer Solution

Crest Data Systems built various GOLD parsers for different types of log sources such as Windows, Zeek, PAN, Cisco, Office 365, and more, which are used by Chronicle partners and customers.

The following are the key steps:

  • Analyze various security telemetry and log sources
  • Design ingestion mechanism for collecting the data (e.g. syslog via Chronicle Forwarder, Ingestion APIs, third-party tools)
  • Normalize and map user context/information from raw logs with UDM
  • Define detection rules and parsing scripts with the UDM fields

Crest Data Systems actively involved at every stage of the demands of product release life cycles and rolled out various quality GOLD parsers to meet the requirements.

The following is an example of raw log ingested from Windows Sysmon log source and its corresponding normalized UDM event which is extracted using the GOLD parser:

Google Chronicle Gold Parser Customer Solution

The Crest Difference

GOLD parsers developed by Crest helped :

  • Faster onboarding of all security telemetry to Chronicle
  • Increase parsing rate of different log sources for 150+ Chronicle customers
  • Define better detection rules with greater number of UDM fields mapping
  • Improved search, view and threat detection with the more security telemetry coverage
  • Benefited Google Chronicle in scalability, cost, and coverage
CONTACT OUR EXPERTS

We’d love to hear about your project and help you get started.

Contact our sales team to discuss your business requirements.


    See what Crest Data Systems can do for you

    Get in Touch

    Our Services

    Product Engineering Services

    Managed Services

    Professional Services

    DevOps

    Site Reliability Engineering

    Company Information

    About Us

    Blogs

    Partnerships

    Careers

    Contact Us

    Social Media

    Linkedin Twitter Facebook

    Copyright © 2023 Crest Data Systems. | Privacy Policy

    arrow