Question

Does DMARC report data belong in Google SecOps?

  • February 12, 2026
  • 1 reply
  • 50 views

seanthegeek

I’m the maintainer of ParseDMARC, an open source parser for DMARC and TLS-RPT reports. It has outputs for Elasticsearch, OpenSearch, Splunk, JSON, CSV, and email, with dashboards for Grafana, Kibana, OpenSearch Dashboards, and Splunk. I’m thinking about adding an output for Google SecOps, but I don’t currently have an instance of SecOps to test with.

I started using GitHub Copilot to craft an output for SecOps. I’m wondering if that data even belongs in SecOps.

I looked at the list of available default parsers, and I noticed that popular DMARC analytics services Dmarcian and Valimail are listed under “Supported log types without a default parser”. Is that because DMARC data isn’t suitable for the SecOps UDM, or simply because a parser has not been made for those services? I’m on the fence.

If DMARC data is suitable for SecOps, please have a look at the PR. I’m sure AI got some things wrong.

1 reply

kentphelps
Community Manager
  • March 5, 2026

DMARC data is suitable for SecOps, but we have not built any parser as there has not been enough of a demand. In discussing this with some colleagues, they came up with a different approach. If we just map the DMARC data points to UDM fields, you can feed DMARC to SecOps directly via the Chronicle API events.import method.

For example:
  • Sender IP > principal.ip
  • Header From Domain > network.email.from
  • Disposition (Reject/Quarantine) > security_result.action

This approach avoids the overhead of building and maintaining a parser.  If you can provide an example of the raw JSON/XML structure that ParseDMARC currently generates, we can look at helping you define the exact UDM field mappings.
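
The field mapping suggested in the reply above, as an added example that is not part of the original posts and is not ParseDMARC or Google code. The input key names (`source_ip`, `header_from`, `disposition`), the `metadata` values, and the `none` to `ALLOW` mapping are assumptions; the request envelope for events.import is not shown.

```python
import ipaddress
from datetime import datetime, timezone

# Assumption: DMARC disposition -> UDM security_result.action value.
ACTION_MAP = {"none": "ALLOW", "quarantine": "QUARANTINE", "reject": "BLOCK"}

# Constructed sample rows; the key names are hypothetical, not ParseDMARC's schema.
SAMPLE_RECORDS = [
    {"source_ip": "192.0.2.10", "header_from": "Example.COM", "disposition": "reject"},
    {"source_ip": "2001:db8::1", "header_from": "example.org", "disposition": "quarantine"},
    {"source_ip": "198.51.100.7", "header_from": "example.net", "disposition": "none"},
    {"source_ip": "999.1.1.1", "header_from": "example.com", "disposition": "reject"},
]


def record_to_udm(record, event_time):
    """Map one DMARC aggregate row to a UDM event dict; raise ValueError if invalid."""
    # Reports arrive by email from third parties, so validate before forwarding.
    ip = str(ipaddress.ip_address(record["source_ip"]))
    domain = str(record["header_from"]).strip().lower().rstrip(".")
    if not domain or any(c.isspace() for c in domain):
        raise ValueError("invalid header_from domain")
    disposition = str(record.get("disposition", "")).lower()
    return {
        "metadata": {  # assumed metadata values
            "event_timestamp": event_time.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "event_type": "EMAIL_TRANSACTION",
            "product_name": "DMARC aggregate report",
        },
        "principal": {"ip": [ip]},
        "network": {"email": {"from": domain}},
        "security_result": [{"action": [ACTION_MAP.get(disposition, "UNKNOWN_ACTION")]}],
    }


def convert(records, event_time):
    """Return (udm_events, rejected_rows) so bad rows are kept for review, not dropped."""
    events, rejected = [], []
    for record in records:
        try:
            events.append(record_to_udm(record, event_time))
        except (KeyError, ValueError):
            rejected.append(record)
    return events, rejected


if __name__ == "__main__":
    ok, bad = convert(SAMPLE_RECORDS, datetime(2026, 2, 12, tzinfo=timezone.utc))
    print(len(ok), "events,", len(bad), "rejected")
```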