
Community,

Let's say I bring in logs from an endpoint management tool, where the logs will be from an API call which returns the entities of a host (hostname, username, MAC, IP, agents installed, etc.).

https://github.com/goog-cmmartin/thatsiemguy/blob/main/misp/chronicle_parser/misp_ioc.conf 
Using the above GitHub repo as a reference, I will parse all the entities which are required.

Will this help me in enriching other missing entities in other log sources? For example, I have a firewall log where only the hostname and username are present in the log. Will it enrich the remaining entities associated with the host and username, like the MAC and its associated IP?

If this doesn't work, is there any possible method that I can use to add my own enrichment ?

You could use some other parsers as a reference, most notably the CMDB for asset context and Microsoft AD for user context.
The relationships graph here https://cloud.google.com/chronicle/docs/event-processing/udm-overview is very useful as well.
There are some additional resources you could use that indicate some important fields and how some default enrichments are done:
https://cloud.google.com/chronicle/docs/event-processing/data-enrichment#enrich_entities_merging
https://cloud.google.com/chronicle/docs/reference/important-udm-fields


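Added example, not code from this thread or from the linked misp_ioc.conf: a minimal Chronicle parser fragment in the same Logstash-style syntax that turns one constructed JSON record from a hypothetical endpoint-management API into an ASSET entity with a relation to its user. The vendor/product names, the sample record, the `for` loop form and the USER/OWNS relation direction are my assumptions; confirm the UDM entity field names against the important-UDM-fields reference and the CMDB and AD parsers mentioned in the reply before using it.

```logstash
# Added example (not from this thread or the linked repo). Maps one record
# from a hypothetical endpoint-management API into a Chronicle ASSET entity.
# Constructed sample input, one JSON object per log line:
# {"ts":"2024-03-01T10:15:00Z","hostname":"wks-042","username":"jdoe",
#  "ip":"10.20.30.40","mac":"00:11:22:33:44:55","agents":["crowdstrike","osquery"]}
filter {
  json {
    source => "message"
    on_error => "not_json"
  }
  if [not_json] {
    drop { tag => "TAG_MALFORMED_MESSAGE" }
  }

  # Entity header: type and source product (vendor/product names are placeholders).
  mutate {
    replace => {
      "entity.metadata.entity_type" => "ASSET"
      "entity.metadata.vendor_name" => "ExampleVendor"
      "entity.metadata.product_name" => "ExampleEndpointManager"
    }
  }

  # When this snapshot of the asset was taken; entity context is time-bound,
  # so a stale or missing timestamp silently weakens later enrichment.
  date {
    match => ["ts", "ISO8601"]
    target => "entity.metadata.collected_timestamp"
  }

  # Identifiers the platform can join on. hostname is a single value; ip and
  # mac are repeated UDM fields, so they are appended with merge.
  if [hostname] != "" {
    mutate { replace => { "entity.entity.asset.hostname" => "%{hostname}" } }
  }
  if [ip] != "" {
    mutate { merge => { "entity.entity.asset.ip" => "ip" } }
  }
  if [mac] != "" {
    mutate { merge => { "entity.entity.asset.mac" => "mac" } }
  }

  # Each installed agent becomes an entry in the repeated software list
  # (loop form assumed; check the parser syntax reference).
  for index, agent in agents {
    mutate { replace => { "sw.name" => "%{agent}" } }
    mutate { merge => { "entity.entity.asset.software" => "sw" } }
  }

  # Tie the asset to its user via a relation (assumed: USER / OWNS is the
  # intended direction; confirm against the CMDB and AD parsers).
  if [username] != "" {
    mutate {
      replace => {
        "relation.entity.user.userid" => "%{username}"
        "relation.entity_type" => "USER"
        "relation.relationship" => "OWNS"
      }
    }
    mutate { merge => { "entity.relations" => "relation" } }
  }

  # Emit as an entity (context data), not as an event.
  mutate { merge => { "@output" => "entity" } }
}
```

This parser only produces the asset context record. Whether a firewall event that carries just the hostname and username then picks up the IP and MAC is decided by the platform's entity merging described in the data-enrichment link in the reply, not by anything in this parser, so after ingesting a few records check the enriched fields on a real firewall event rather than assuming the join happened.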