
Hi all,

I was wondering if anyone who is ingesting AUTH_ZERO logs into SecOps has had the same issue I am having when it comes to ingesting.

I followed the documentation here to get them into SecOps: https://cloud.google.com/chronicle/docs/ingestion/default-parsers/auth-zero

However, when I look into SecOps I can see Auth Zero events coming in batches. What I mean is that the raw log and the UDM log are not a 1-to-1 match; instead the raw log often contains 20+ raw events. I understand that it might be the case that the logs are batch shipped together and then are split up by SecOps.

The issue I am having is that when I look at the event fields in the "extracted UDM" section I have over 2000+ extra event details. They often look like this: `fields["logs[0].data.details.accessedSecrets[0]"]`. It can go from log[0] to log[20], which slows down searching.

Is it possible to create a parser extension to correctly pull just the matching data.details for the specific event and not pull all of the details from the events within the raw log?

Thanks.

Have you tried disabling the extracted fields from the parser > Edit Extracted Fields and removing this field from the list?

The parser extension can definitely help by overriding any UDM fields in the main ones, but for extracted fields specifically they should be removed from the Auto Extractor.
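As an added illustration (not code from the thread, from Google SecOps or from Auth0), the following Python shows why a batched raw log produces the indexed keys quoted above: flattening a payload of the assumed shape `{"logs": [...]}` yields one key per nested value across every event in the batch, whereas splitting the batch first scopes each event's `data.details` to its own record. The payload layout is an assumption inferred from the field names in the post, and the sample events are constructed.

```python
import json

# Constructed sample: one batched raw log carrying two Auth0-style events.
# The {"logs": [...]} wrapper is an assumption based on the "logs[0]..." keys
# seen in the post; it is not taken from Auth0 or SecOps documentation.
SAMPLE_BATCH = json.dumps({
    "logs": [
        {"type": "s", "data": {"details": {"accessedSecrets": ["client_secret"],
                                           "ip": "203.0.113.10"}}},
        {"type": "f", "data": {"details": {"accessedSecrets": [],
                                           "error": "invalid_grant"}}},
    ]
})


def flatten(obj, prefix=""):
    """Flatten nested JSON into dotted / indexed keys.

    This mimics what an auto-extractor does to a raw log: every scalar
    becomes its own key such as "logs[0].data.details.accessedSecrets[0]".
    """
    out = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}.{key}" if prefix else key))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            out.update(flatten(value, f"{prefix}[{index}]"))
    else:
        out[prefix] = obj
    return out


def flatten_raw(raw):
    """Flatten the whole batched raw log, as if it were a single event."""
    return flatten(json.loads(raw))


def split_batch(raw):
    """Split one batched raw log into one record per event.

    Each returned record carries only its own data.details, so flattening it
    yields keys like "data.details.ip" instead of "logs[N].data.details.ip".
    A payload without the "logs" wrapper is treated as a single event.
    """
    payload = json.loads(raw)
    logs = payload.get("logs")
    if logs is None:
        return [payload]
    return list(logs)


if __name__ == "__main__":
    print("Keys when the batch is flattened as one record:")
    for key in flatten_raw(SAMPLE_BATCH):
        print("  ", key)
    print("Keys per event after splitting the batch:")
    for event in split_batch(SAMPLE_BATCH):
        print("  ", sorted(flatten(event)))
```

Run as a script, the first listing reproduces the `logs[N].data.details...` key explosion from the question (the key count grows with every event in the batch), while the second shows each event carrying only its own details.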