Question

Auth0 logs into Secops

  • October 14, 2025
  • 1 reply
  • 30 views

d_patel_dj

Hi all,

I was wondering if anyone who is ingesting AUTH_ZERO logs into secops has had the same issue I am having when it comes to ingesting. 

I followed the documentation here to get them into Secops → https://cloud.google.com/chronicle/docs/ingestion/default-parsers/auth-zero 

However, when I look into secops I can see Auth Zero events coming in batches - what I mean is that the raw log and UDM log are not a 1 to 1 match. Instead the raw log often contains 20+ raw events. I understand that it might be the case that the logs are batch shipped together and then are split up by secops.

The issue I am having is that when I look at the event fields in the “extracted UDM” section I have over 2000+ extra event details. They often look like this “fields["logs[0].data.details.accessedSecrets[0]"]:” It can go from log[0] to log[20] - which slows down searching. 


Is it possible to create a parser extension to correctly pull just the matching data.details for the specific event and not pull all of the details from the events within the raw log? 


Thanks.


1 reply

AbdElHafez
Staff
  • Staff
  • 99 replies
  • October 15, 2025

Have you tried disabling the extracted fields from the parser > Edit Extracted Fields and removing this field from the list?

The parser extension can definitely help by overriding any UDM fields in the main ones, but for extracted fields specifically they should be removed from the Auto Extractor.
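As an added illustration (not from the original post, the reply, or Google's own parser code), the Python below reproduces the effect the question describes and contrasts it with a per-event split. A constructed Auth0-style batch payload with a "logs" array is flattened the way a generic auto-extractor would flatten it, producing keys such as `logs[0].data.details.accessedSecrets[0]` for every event in the batch; `split_batch` then emits one record per event carrying only that event's own `data.details`. Field names, event type codes and values in the sample are assumptions for illustration, not taken from a real tenant.

```python
import json

# Constructed sample: one raw log carrying several Auth0-style events in a
# "logs" array, mirroring the batched shape described in the question.
# All names and values here are made up for illustration.
BATCHED_RAW_LOG = json.dumps({
    "logs": [
        {"log_id": "evt-1",
         "data": {"type": "s", "user_name": "alice@example.com",
                  "details": {"accessedSecrets": ["client_secret"],
                              "ip": "203.0.113.5"}}},
        {"log_id": "evt-2",
         "data": {"type": "f", "user_name": "bob@example.com",
                  "details": {"error": {"message": "Wrong email or password."}}}},
        {"log_id": "evt-3",
         "data": {"type": "sapi", "user_name": "admin@example.com",
                  "details": {"accessedSecrets": ["client_secret", "signing_key"]}}},
    ]
})


def flatten(obj, prefix=""):
    """Flatten nested JSON into dotted/indexed keys, the way a generic
    auto-extractor does (e.g. logs[0].data.details.accessedSecrets[0])."""
    out = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}.{key}" if prefix else key))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            out.update(flatten(value, f"{prefix}[{index}]"))
    else:
        out[prefix] = obj
    return out


def auto_extracted_fields(raw):
    """Flatten the whole batch as one record: every event's details end up
    side by side under logs[N].* prefixes, which is the field explosion
    the question reports."""
    return flatten(json.loads(raw))


def split_batch(raw):
    """Split one batched raw log into one record per event, keeping only
    that event's own data.details (flattened without any logs[N] prefix)."""
    records = []
    for event in json.loads(raw).get("logs", []):
        data = event.get("data", {})
        records.append({
            "log_id": event.get("log_id"),
            "type": data.get("type"),
            "user_name": data.get("user_name"),
            "details": flatten(data.get("details", {})),
        })
    return records


if __name__ == "__main__":
    batch_fields = auto_extracted_fields(BATCHED_RAW_LOG)
    print(f"{len(batch_fields)} auto-extracted keys from one raw log:")
    for key in batch_fields:
        print("  ", key)
    print("\nPer-event records after splitting:")
    for record in split_batch(BATCHED_RAW_LOG):
        print("  ", record)
```

Running it prints the flat key set with its logs[0]..logs[2] prefixes, then three compact records. With three events in the constructed batch the difference is small; with 20+ events per raw log, as in the question, the flat key set grows with every event and every indexed detail, which is why trimming those keys from the Auto Extractor, as the reply suggests, is the more direct fix than remapping them through a parser extension.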